nettle-3.4.1/0000755000175000017500000000000013401564746012050 5ustar nissenissenettle-3.4.1/nettle-meta-armors.c0000644000175000017500000000251713401564745015740 0ustar nissenisse/* nettle-meta-armors.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #undef nettle_armors const struct nettle_armor * const nettle_armors[] = { &nettle_base64, &nettle_base64url, &nettle_base16, NULL }; const struct nettle_armor * const * nettle_get_armors (void) { return nettle_armors; } nettle-3.4.1/configure.ac0000644000175000017500000006715513401564746014354 0ustar nissenissednl -*- mode: shell-script; sh-indentation: 2; -*- dnl Process this file with autoconf to produce a configure script. AC_INIT([nettle], [3.4.1], [nettle-bugs@lists.lysator.liu.se]) AC_PREREQ(2.61) AC_CONFIG_SRCDIR([arcfour.c]) # Needed to stop autoconf from looking for files in parent directories. AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADER([config.h]) LIBNETTLE_MAJOR=6 LIBNETTLE_MINOR=5 LIBHOGWEED_MAJOR=4 LIBHOGWEED_MINOR=5 dnl Note double square brackets, for extra m4 quoting. MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([[^.]]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[[^.]]*\.\([[0-9]]*\).*/\1/'` AC_SUBST([MAJOR_VERSION]) AC_SUBST([MINOR_VERSION]) AC_CANONICAL_HOST # Command line options AC_ARG_WITH(include-path, AC_HELP_STRING([--with-include-path], [A colon-separated list of directories to search for include files]),, [with_include_path='']) if test x$with_include_path != x ; then CPPFLAGS="$CPPFLAGS -I`echo $with_include_path | sed 's/:/ -I/g'`" fi AC_ARG_WITH(lib-path, AC_HELP_STRING([--with-lib-path], [A colon-separated list of directories to search for libraries]),, [with_lib_path='']) if test x$with_lib_path != x ; then LDFLAGS="$LDFLAGS -L`echo $with_lib_path | sed 's/:/ -L/g'`" fi AC_ARG_ENABLE(public-key, AC_HELP_STRING([--disable-public-key], [Disable public key algorithms]),, [enable_public_key=yes]) AC_ARG_ENABLE(assembler, AC_HELP_STRING([--disable-assembler],[Disable assembler code]),, [enable_assembler=yes]) AC_ARG_ENABLE(static, AC_HELP_STRING([--disable-static], [Do not build any static library]),, [enable_static=yes]) AC_ARG_ENABLE(shared, AC_HELP_STRING([--disable-shared], [Do not build any shared library]),, [enable_shared=yes]) AC_ARG_ENABLE(pic, AC_HELP_STRING([--disable-pic], [Do not try to compile library files as position independent code]),, [enable_pic=yes]) AC_ARG_ENABLE(openssl, AC_HELP_STRING([--disable-openssl], [Do not include openssl glue in the benchmark program]),, [enable_openssl=yes]) AC_ARG_ENABLE(gcov, AC_HELP_STRING([--enable-gcov], [Instrument for gcov (requires a modern gcc)]),, [enable_gcov=no]) AC_ARG_ENABLE(documentation, AC_HELP_STRING([--disable-documentation], [Omit building and installing the documentation. (default=auto)]),, [enable_documentation=auto]) AC_ARG_ENABLE(fat, AC_HELP_STRING([--enable-fat], [Enable fat library build (default=no)]),, [enable_fat=no]) AC_ARG_ENABLE(arm-neon, AC_HELP_STRING([--enable-arm-neon], [Enable ARM Neon assembly. (default=auto)]),, [enable_arm_neon=auto]) AC_ARG_ENABLE(x86-aesni, AC_HELP_STRING([--enable-x86-aesni], [Enable x86_64 aes instructions. (default=no)]),, [enable_x86_aesni=no]) AC_ARG_ENABLE(mini-gmp, AC_HELP_STRING([--enable-mini-gmp], [Enable mini-gmp, used instead of libgmp.]),, [enable_mini_gmp=no]) if test "x$enable_mini_gmp" = xyes ; then NETTLE_USE_MINI_GMP=1 HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;mp_*;" else NETTLE_USE_MINI_GMP=0 HOGWEED_EXTRA_SYMBOLS="" fi AC_SUBST([NETTLE_USE_MINI_GMP]) AC_SUBST([HOGWEED_EXTRA_SYMBOLS]) LSH_RPATH_INIT([`echo $with_lib_path | sed 's/:/ /g'` \ `echo $exec_prefix | sed "s@^NONE@$prefix/lib@g" | sed "s@^NONE@$ac_default_prefix/lib@g"` \ /usr/local/lib /sw/local/lib /sw/lib \ /usr/gnu/lib /opt/gnu/lib /sw/gnu/lib /usr/freeware/lib /usr/pkg/lib]) # Checks for programs. AC_PROG_CC NETTLE_CHECK_IFUNC # When $CC foo.c -o foo creates both foo and foo.exe, autoconf picks # up the foo.exe and sets exeext to .exe. That is correct for cygwin, # which has some kind of magic link from foo to foo.exe, but not for # rntcl. A better check for the cygwin case would check if the # contents of foo and foo.exe are equal; in the rntcl case, foo is a # sh script, and foo.exe is a windows executable. if test "x$CC" = xrntcl ; then AC_MSG_NOTICE([Compiling with rntcl; clearing EXEEXT and disabling assembler]) ac_exeext='' ac_cv_exeext='' EXEEXT='' enable_assembler=no fi # Used by the testsuite only AC_PROG_CXX AC_LANG_PUSH(C++) AC_TRY_COMPILE([],[return 0;],[IF_CXX=''], [IF_CXX='#']) AC_SUBST([IF_CXX]) AC_LANG_POP LD_VERSION_SCRIPT AC_PROG_MAKE_SET AC_PROG_RANLIB AC_CHECK_TOOL(NM, nm, strings) # Used only for the GNU-stack configure test. AC_CHECK_TOOL(OBJDUMP, objdump, false) AC_CHECK_TOOL(AR, ar, false) if test "x$ac_cv_prog_cc_stdc" = xno ; then AC_ERROR([the C compiler doesn't handle ANSI-C]) #' fi AC_PROG_INSTALL # According to the autoconf manual, needs install-sh from # autoconf-2.60 or automake-1.10 to avoid races. AC_PROG_MKDIR_P AC_PROG_LN_S # Compiler tests for the build system GMP_PROG_CC_FOR_BUILD GMP_PROG_EXEEXT_FOR_BUILD LSH_DEPENDENCY_TRACKING if test x$enable_dependency_tracking = xyes ; then # Since the makefiles use include to get the dependency files, we must # make sure that the files exist. We generate some more files than are # actually needed. AC_CONFIG_COMMANDS([dummy-dep-files], [(cd "$srcdir" && find . '(' -name '*.c' -o -name '*.cxx' ')' -print) \ | sed 's/\.cx*$//' | (while read f; do \ test -f "$f.o.d" || echo > "$f.o.d"; \ done) ]) fi if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_C_INLINE AC_TYPE_UID_T AC_TYPE_SIZE_T AC_HEADER_TIME AC_CHECK_SIZEOF(long) AC_CHECK_SIZEOF(size_t) AC_CHECK_HEADERS([openssl/evp.h openssl/ecdsa.h],, [enable_openssl=no break]) # For use by the testsuite AC_CHECK_HEADERS([valgrind/memcheck.h]) AC_CHECK_HEADERS([dlfcn.h]) AC_CHECK_LIB([dl], [dlopen], [AC_DEFINE([HAVE_LIBDL], 1, [Define to 1 if you have dlopen (with -ldl).])]) LSH_FUNC_ALLOCA LSH_FUNC_STRERROR # getenv_secure is used for fat overrides, # getline is used in the testsuite AC_CHECK_FUNCS(secure_getenv getline) AC_C_BIGENDIAN LSH_GCC_ATTRIBUTES # According to Simon Josefsson, looking for uint32_t and friends in # sys/types.h is needed on some systems, in particular cygwin. AX_CREATE_STDINT_H([nettle-stdint.h], [sys/types.h]) # Check for file locking. We (AC_PROG_CC?) have already checked for # sys/types.h and unistd.h. AC_CACHE_CHECK([for fcntl file locking], nettle_cv_fcntl_locking, [AC_TRY_COMPILE([ #if HAVE_SYS_TYPES_H # include #endif #if HAVE_UNISTD_H # include #endif #include ],[ int op = F_SETLKW; struct flock fl; ], nettle_cv_fcntl_locking=yes, nettle_cv_fcntl_locking=no)]) AH_TEMPLATE([HAVE_FCNTL_LOCKING], [Define if fcntl file locking is available]) if test "x$nettle_cv_fcntl_locking" = "xyes" ; then AC_DEFINE(HAVE_FCNTL_LOCKING) fi # Checks for libraries if test "x$enable_public_key" = "xyes" ; then if test "x$enable_mini_gmp" = "xno" ; then AC_CHECK_LIB(gmp, __gmpn_sec_div_r,, [AC_MSG_WARN( [GNU MP not found, or too old. GMP-6.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable.])] enable_public_key=no) # Add -R flags needed to run programs linked with gmp LSH_RPATH_FIX fi fi nettle_cv_gmp_numb_bits=0 if test "x$enable_public_key" = "xyes" ; then # Check for gmp limb size if test "x$enable_mini_gmp" = "xyes" ; then AC_MSG_CHECKING([for mini-gmp limb size]) # With mini-gmp, mp_limb_t is always unsigned long. AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [(sizeof(unsigned long) * CHAR_BIT)], [#include ], [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) else AC_MSG_CHECKING([for GMP limb size]) AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [GMP_NUMB_BITS], [#include ], [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) fi fi # Substituted in Makefile, passed on to the eccdata command. NUMB_BITS="$nettle_cv_gmp_numb_bits" AC_SUBST([NUMB_BITS]) # Substituted in version.h, used only with mini-gmp. if test "x$enable_mini_gmp" = "xyes" ; then GMP_NUMB_BITS="$NUMB_BITS" else GMP_NUMB_BITS="n/a" fi AC_SUBST([GMP_NUMB_BITS]) # Figure out ABI. Currently, configurable only by setting CFLAGS. ABI=standard case "$host_cpu" in [x86_64 | amd64]) AC_TRY_COMPILE([ #if defined(__x86_64__) || defined(__arch64__) #error 64-bit x86 #endif ], [], [ ABI=32 ], [ ABI=64 ]) ;; *sparc*) AC_TRY_COMPILE([ #if defined(__sparcv9) || defined(__arch64__) #error 64-bit sparc #endif ], [], [ ABI=32 ], [ ABI=64 ]) ;; *mips*) AC_TRY_COMPILE([ #if defined(__sgi) && defined(__LP64__) #error 64-bit mips #endif ], [], [ ABI=32 ], [ ABI=64 ]) ;; esac if test "x$ABI" != xstandard ; then AC_MSG_NOTICE([Compiler uses $ABI-bit ABI. To change, set CC.]) if test "$libdir" = '${exec_prefix}/lib' ; then # Try setting a better default case "$host_cpu:$host_os:$ABI" in *:solaris*:32|*:sunos*:32) libdir='${exec_prefix}/lib' ;; *:solaris*:64|*:sunos*:64) libdir='${exec_prefix}/lib/64' ;; # Linux conventions are a mess... According to the Linux File # Hierarchy Standard, all architectures except IA64 puts 32-bit # libraries in lib, and 64-bit in lib64. Some distributions, # e.g., Fedora and Gentoo, adhere to this standard, while at # least Debian has decided to put 64-bit libraries in lib and # 32-bit libraries in lib32. # We try to figure out the convention, except if we're cross # compiling. We use lib${ABI} if /usr/lib${ABI} exists and # appears to not be a symlink to a different name. *:linux*:32|*:linux*:64) if test "$cross_compiling" = yes ; then AC_MSG_WARN([Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib.]); dnl ' else # The dash builtin pwd tries to be "helpful" and remember # symlink names. Use -P option, and hope it's portable enough. test -d /usr/lib${ABI} \ && (cd /usr/lib${ABI} && pwd -P | grep >/dev/null "/lib${ABI}"'$') \ && libdir='${exec_prefix}/'"lib${ABI}" fi ;; # On freebsd, it seems 32-bit libraries are in lib32, # and 64-bit in lib. Don't know about "kfreebsd", does # it follow the Linux fhs conventions? *:freebsd*:32) libdir='${exec_prefix}/lib32' ;; *:freebsd*:64) libdir='${exec_prefix}/lib' ;; *:irix*:32) libdir='${exec_prefix}/lib32' ;; *:irix*:64) libdir='${exec_prefix}/lib64' ;; *) AC_MSG_WARN([Don't know where to install $ABI-bit libraries on this system.]); dnl ' esac AC_MSG_NOTICE([Libraries to be installed in $libdir.]) fi fi OPT_NETTLE_SOURCES="" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in [i?86* | k[5-8]* | pentium* | athlon]) asm_path=x86 ;; [x86_64 | amd64]) if test "$ABI" = 64 ; then asm_path=x86_64 if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" elif test "x$enable_x86_aesni" = xyes ; then asm_path="x86_64/aesni $asm_path" fi else asm_path=x86 fi ;; *sparc*) if test "$ABI" = 64 ; then asm_path=sparc64 else asm_path=sparc32 fi ;; arm*) asm_path=arm if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" else case "$host_cpu" in armv6* | armv7*) NETTLE_CHECK_ARM_NEON asm_path="arm/v6 arm" if test "x$enable_arm_neon" = xyes ; then asm_path="arm/neon $asm_path" fi ;; esac fi ;; *) enable_assembler=no ;; esac fi # Files which replace a C source file (or otherwise don't correspond # to a new object file). asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ arcfour-crypt.asm camellia-crypt-internal.asm \ md5-compress.asm memxor.asm memxor3.asm \ poly1305-internal.asm \ chacha-core-internal.asm \ salsa20-crypt.asm salsa20-core-internal.asm \ serpent-encrypt.asm serpent-decrypt.asm \ sha1-compress.asm sha256-compress.asm sha512-compress.asm \ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. asm_nettle_optional_list="gcm-hash8.asm cpuid.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm memxor-2.asm \ salsa20-core-internal-2.asm sha1-compress-2.asm sha256-compress-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then asm_hogweed_optional_list="ecc-192-modp.asm ecc-224-modp.asm \ ecc-25519-modp.asm ecc-256-redc.asm ecc-384-modp.asm ecc-521-modp.asm" fi OPT_NETTLE_OBJS="" OPT_HOGWEED_OBJS="" asm_file_list="" if test "x$enable_assembler" = xyes ; then if test -n "$asm_path"; then AC_MSG_NOTICE([Looking for assembler files in $asm_path.]) for tmp_f in $asm_replace_list ; do for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_f"; then asm_file_list="$asm_file_list $tmp_f" AC_CONFIG_LINKS($tmp_f:$asm_dir/$tmp_f) break fi done done dnl Workaround for AC_CONFIG_LINKS, which complains if we use the dnl same destination argument $tmp_f multiple times. for tmp_n in $asm_nettle_optional_list ; do dnl Note extra pair of [] in sed expression tmp_b=`echo "$tmp_n" | sed 's/\.[[^.]]*$//'` for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_n"; then asm_file_list="$asm_file_list $tmp_n" AC_CONFIG_LINKS($tmp_n:$asm_dir/$tmp_n) while read tmp_func ; do AC_DEFINE_UNQUOTED(HAVE_NATIVE_$tmp_func) eval HAVE_NATIVE_$tmp_func=yes done <conftest.out if grep _a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=yes elif grep a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=no else AC_MSG_WARN([nm does not list a_global_symbol at all]) fi], [AC_MSG_WARN([test program with a single global could not be compiled!?])])]) if test x$nettle_cv_asm_underscore = xyes ; then ASM_SYMBOL_PREFIX='_' fi AC_CACHE_CHECK([for ELF-style .type,%function pseudo-ops], [nettle_cv_asm_type_percent_function], [GMP_TRY_ASSEMBLE([ .text .globl foo .type foo,%function foo: .Lend: .size foo, .Lend - foo ], [nettle_cv_asm_type_percent_function=yes], [nettle_cv_asm_type_percent_function=no])]) dnl Needs double quote for the # character AC_CACHE_CHECK([[for ELF-style .type,#function pseudo-ops]], [nettle_cv_asm_type_hash_function], [GMP_TRY_ASSEMBLE([ .text .globl foo .type foo,#function foo: .Lend: .size foo, .Lend - foo ], [nettle_cv_asm_type_hash_function=yes], [nettle_cv_asm_type_hash_function=no])]) if test x$nettle_cv_asm_type_percent_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='%function' ASM_TYPE_PROGBITS='%progbits' else if test x$nettle_cv_asm_type_hash_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='#function' ASM_TYPE_PROGBITS='#progbits' fi fi AC_CACHE_CHECK([for COFF-style .type directive], [nettle_cv_asm_coff_type], [GMP_TRY_ASSEMBLE([ .text .globl _foo .def _foo .scl 2 .type 32 .endef _foo: ], [nettle_cv_asm_coff_type=yes], [nettle_cv_asm_coff_type=no])]) if test "x$nettle_cv_asm_coff_type" = "xyes" ; then ASM_COFF_STYLE=yes fi AC_CACHE_CHECK([if we should use a .note.GNU-stack section], nettle_cv_asm_gnu_stack, [ # Default nettle_cv_asm_gnu_stack=no cat >conftest.c <&AC_FD_CC $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ && nettle_cv_asm_gnu_stack=yes else cat conftest.out >&AC_FD_CC echo "configure: failed program was:" >&AC_FD_CC cat conftest.s >&AC_FD_CC fi rm -f conftest.*]) if test x$nettle_cv_asm_gnu_stack = xyes ; then ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' fi AC_CACHE_CHECK([if .align assembly directive is logarithmic], [nettle_cv_asm_align_log], [GMP_TRY_ASSEMBLE([ .align 3 ], [nettle_cv_asm_align_log=yes], [nettle_cv_asm_align_log=no])]) ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi AC_SUBST(ASM_SYMBOL_PREFIX) AC_SUBST(ASM_ELF_STYLE) AC_SUBST(ASM_COFF_STYLE) AC_SUBST(ASM_TYPE_FUNCTION) AC_SUBST(ASM_TYPE_PROGBITS) AC_SUBST(ASM_MARK_NOEXEC_STACK) AC_SUBST(ASM_ALIGN_LOG) AC_SUBST(W64_ABI) AC_SUBST(EMULATOR) AC_SUBST(LIBNETTLE_MAJOR) AC_SUBST(LIBNETTLE_MINOR) AC_SUBST(LIBNETTLE_FORLINK) AC_SUBST(LIBNETTLE_SONAME) AC_SUBST(LIBNETTLE_FILE) AC_SUBST(LIBNETTLE_FILE_SRC) AC_SUBST(LIBNETTLE_LINK) AC_SUBST(LIBNETTLE_LIBS) AC_SUBST(LIBHOGWEED_MAJOR) AC_SUBST(LIBHOGWEED_MINOR) AC_SUBST(LIBHOGWEED_FORLINK) AC_SUBST(LIBHOGWEED_SONAME) AC_SUBST(LIBHOGWEED_FILE) AC_SUBST(LIBHOGWEED_FILE_SRC) AC_SUBST(LIBHOGWEED_LINK) AC_SUBST(LIBHOGWEED_LIBS) AC_PATH_PROG(M4, m4, m4) AH_TEMPLATE([WITH_HOGWEED], [Defined if public key features are enabled]) if test "x$enable_public_key" = xyes ; then AC_DEFINE(WITH_HOGWEED) IF_HOGWEED='' else IF_HOGWEED='#' fi if test "x$enable_static" = xyes ; then IF_STATIC='' else IF_STATIC='#' fi IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' IF_NOT_SHARED='#' if test "x$ac_cv_lib_dl_dlopen" = xyes ; then IF_DLOPEN_TEST='' fi else IF_SHARED='#' IF_NOT_SHARED='' fi # Documentation tools if test "x$enable_documentation" != "xno"; then AC_PATH_PROG(MAKEINFO, makeinfo, not-found) if test "x$MAKEINFO" != "xnot-found"; then enable_documentation=yes AC_SUBST(MAKEINFO) else if test "x$enable_documentation" == "xauto" ; then enable_documentation=no else AC_MSG_ERROR([Cannot find 'makeinfo', required for documentation.]) fi fi fi if test "x$enable_documentation" = "xyes" ; then IF_DOCUMENTATION='' else IF_DOCUMENTATION='#' fi if test "x$enable_mini_gmp" = "xyes" ; then IF_MINI_GMP='' else IF_MINI_GMP='#' fi AC_SUBST(IF_HOGWEED) AC_SUBST(IF_STATIC) AC_SUBST(IF_SHARED) AC_SUBST(IF_NOT_SHARED) AC_SUBST(IF_DLOPEN_TEST) AC_SUBST(IF_DOCUMENTATION) AC_SUBST(IF_DLL) AC_SUBST(IF_MINI_GMP) OPENSSL_LIBFLAGS='' # Check for openssl's libcrypto (used only for benchmarking) if test x$enable_openssl = xyes ; then AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new, [OPENSSL_LIBFLAGS='-lcrypto'], [enable_openssl=no]) fi AH_TEMPLATE([WITH_OPENSSL], [Define if you have openssl's libcrypto (used for benchmarking)]) dnl' if test x$enable_openssl = xyes ; then AC_DEFINE(WITH_OPENSSL) fi AC_SUBST(OPENSSL_LIBFLAGS) AH_BOTTOM( [#if defined(__x86_64__) || defined(__arch64__) # define HAVE_NATIVE_64_BIT 1 #else /* Needs include of before use. */ # define HAVE_NATIVE_64_BIT (SIZEOF_LONG * CHAR_BIT >= 64) #endif ]) # clock_gettime is in librt on *-*-osf5.1 and on glibc, so add -lrt to # BENCH_LIBS if needed. On linux (tested on x86_32, 2.6.26), # clock_getres reports ns accuracy, while in a quick test on osf # clock_getres said only 1 millisecond. old_LIBS="$LIBS" AC_SEARCH_LIBS(clock_gettime, rt, [ AC_DEFINE([HAVE_CLOCK_GETTIME],1,[Define if clock_gettime is available])]) BENCH_LIBS="$LIBS" LIBS="$old_LIBS" AC_SUBST(BENCH_LIBS) # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then # Using -ggdb3 makes (some versions of) Redhat's gcc-2.96 dump core if $CC --version | grep '^2\.96$' 1>/dev/null 2>&1; then true else CFLAGS="$CFLAGS -ggdb3" fi # FIXME: It would be better to actually test if this option works and/or is needed. # Or perhaps use -funsigned-char. if $CC --version | grep 'gcc.* 4\.' 1>/dev/null 2>&1; then CFLAGS="$CFLAGS -Wno-pointer-sign" fi CFLAGS="$CFLAGS -Wall -W \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" # Don't enable -Wcast-align as it results in tons of warnings in the # DES code. And when using stdio. # Don't enable -Waggregate-return, as that causes warnings for glibc # inttypes.h. fi AC_CONFIG_FILES([config.make config.m4 Makefile version.h]) AC_CONFIG_FILES([tools/Makefile testsuite/Makefile examples/Makefile]) AC_CONFIG_FILES([nettle.pc hogweed.pc libnettle.map libhogweed.map]) AC_OUTPUT AC_MSG_NOTICE([summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} ]) nettle-3.4.1/dsa-keygen.c0000644000175000017500000000320113401564746014237 0ustar nissenisse/* dsa-keygen.c Generation of DSA keypairs Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "bignum.h" /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). Currenty, we use only q_bits of 160 or 256. */ void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random) { mpz_t r; mpz_init_set(r, params->q); mpz_sub_ui(r, r, 2); nettle_mpz_random(key, random_ctx, random, r); mpz_add_ui(key, key, 1); mpz_powm(pub, params->g, key, params->p); mpz_clear (r); } nettle-3.4.1/asm.m40000644000175000017500000000403513401564746013074 0ustar nissenissedivert(-1) changequote(<,>)dnl dnl (progn (modify-syntax-entry ?< "(>") (modify-syntax-entry ?> ")<") ) dnl FORTRAN style comment character define(, < dnl>)dnl dnl Disable m4 comment processing, since the default, #, is used for dnl constants on some architectures, in particular ARM. changecom()dnl dnl Including files from the srcdir define(, )dnl dnl default definition, changed in fat builds define(, <$1>) define(, fat_transform($1)>) dnl Pseudo ops define(, , COFF_STYLE, yes, <.def $1 .scl 2 .type 32 .endef>, <>)>) define(,<>)dnl define(, <.globl C_NAME($1) DECLARE_FUNC(C_NAME($1)) C_NAME($1):>) define(, ,<>)>) define(, ) define(, , $1, $2, $3, )>) dnl Argument to ALIGN is always in bytes, and converted to a dnl logarithmic .align if necessary. define(, <.align ifelse(ALIGN_LOG,yes,,$1) >) dnl Struct defining macros dnl STRUCTURE(prefix) define(, , 0)define(, <$1>)>)dnl dnl STRUCT(name, size) define(, $1, SOFFSET)dnl define(, eval(SOFFSET + ($2)))>)dnl dnl UCHAR(name) define(, , 1)>)dnl dnl UNSIGNED(name) define(, , 4)>)dnl dnl Offsets in arcfour_ctx STRUCTURE(ARCFOUR) STRUCT(S, 256) UCHAR(I) UCHAR(J) dnl Offsets in aes_table define(AES_SBOX_SIZE, 256)dnl define(AES_TABLE_SIZE, 1024)dnl STRUCTURE(AES) STRUCT(SBOX, AES_SBOX_SIZE) STRUCT(TABLE0, AES_TABLE_SIZE) STRUCT(TABLE1, AES_TABLE_SIZE) STRUCT(TABLE2, AES_TABLE_SIZE) STRUCT(TABLE3, AES_TABLE_SIZE) C For 64-bit implementation STRUCTURE(P1305) STRUCT(R0, 8) STRUCT(R1, 8) STRUCT(S1, 8) STRUCT(PAD, 12) STRUCT(H2, 4) STRUCT(H0, 8) STRUCT(H1, 8) divert nettle-3.4.1/desdata.c0000644000175000017500000001055513401564746013627 0ustar nissenisse/* desdata.c * * Generate tables used by des.c and desCode.h. * */ /* * des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. * */ #include #include "desinfo.h" /* list of weak and semi-weak keys +0 +1 +2 +3 +4 +5 +6 +7 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x1f 0x01 0x1f 0x01 0x0e 0x01 0x0e 0x01 0xe0 0x01 0xe0 0x01 0xf1 0x01 0xf1 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x1f 0x01 0x1f 0x01 0x0e 0x01 0x0e 0x01 0x1f 0x1f 0x1f 0x1f 0x0e 0x0e 0x0e 0x0e 0x1f 0xe0 0x1f 0xe0 0x0e 0xf1 0x0e 0xf1 0x1f 0xfe 0x1f 0xfe 0x0e 0xfe 0x0e 0xfe 0xe0 0x01 0xe0 0x01 0xf1 0x01 0xf1 0x01 0xe0 0x1f 0xe0 0x1f 0xf1 0x0e 0xf1 0x0e 0xe0 0xe0 0xe0 0xe0 0xf1 0xf1 0xf1 0xf1 0xe0 0xfe 0xe0 0xfe 0xf1 0xfe 0xf1 0xfe 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x1f 0xfe 0x1f 0xfe 0x0e 0xfe 0x0e 0xfe 0xe0 0xfe 0xe0 0xfe 0xf1 0xfe 0xf1 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe */ /* key bit order in each method pair: bits 31->00 of 1st, bits 31->00 of 2nd */ /* this does not reflect the rotate of the 2nd word */ #define S(box,bit) (box*6+bit) int korder[] = { S(7, 5), S(7, 4), S(7, 3), S(7, 2), S(7, 1), S(7, 0), S(5, 5), S(5, 4), S(5, 3), S(5, 2), S(5, 1), S(5, 0), S(3, 5), S(3, 4), S(3, 3), S(3, 2), S(3, 1), S(3, 0), S(1, 5), S(1, 4), S(1, 3), S(1, 2), S(1, 1), S(1, 0), S(6, 5), S(6, 4), S(6, 3), S(6, 2), S(6, 1), S(6, 0), S(4, 5), S(4, 4), S(4, 3), S(4, 2), S(4, 1), S(4, 0), S(2, 5), S(2, 4), S(2, 3), S(2, 2), S(2, 1), S(2, 0), S(0, 5), S(0, 4), S(0, 3), S(0, 2), S(0, 1), S(0, 0), }; /* the order in which the algorithm accesses the s boxes */ int sorder[] = { 7, 5, 3, 1, 6, 4, 2, 0, }; int main(int argc, char **argv) { unsigned long d, i, j, k, l, m, n, s; /* Always at least 32 bits */ char b[256], ksr[56]; if (argc <= 1) return 1; switch ( argv[1][0] ) { default: return 1; /* * <<< make the key parity table >>> */ case 'p': printf( "/* automagically produced - do not fuss with this information */\n\n"); /* store parity information */ for ( i = 0; i < 256; i++ ) { j = i; j ^= j >> 4; /* bits 3-0 have pairs */ j ^= j << 2; /* bits 3-2 have quads */ j ^= j << 1; /* bit 3 has the entire eight (no cox) */ b[i] = 8 & ~j; /* 0 is okay and 8 is bad parity */ } /* only these characters can appear in a weak key */ b[0x01] = 1; b[0x0e] = 2; b[0x1f] = 3; b[0xe0] = 4; b[0xf1] = 5; b[0xfe] = 6; /* print it out */ for ( i = 0; i < 256; i++ ) { printf("%d,", b[i]); if ( (i & 31) == 31 ) printf("\n"); } break; /* * <<< make the key usage table >>> */ case 'r': printf("/* automagically made - do not fuss with this */\n\n"); /* KL specifies the initial key bit positions */ for (i = 0; i < 56; i++) ksr[i] = (KL[i] - 1) ^ 7; for (i = 0; i < 16; i++) { /* apply the appropriate number of left shifts */ for (j = 0; j < KS[i]; j++) { m = ksr[ 0]; n = ksr[28]; for (k = 0; k < 27; k++) ksr[k ] = ksr[k + 1], ksr[k + 28] = ksr[k + 29]; ksr[27] = m; ksr[55] = n; } /* output the key bit numbers */ for (j = 0; j < 48; j++) { m = ksr[KC[korder[j]] - 1]; m = (m / 8) * 7 + (m % 8) - 1; m = 55 - m; printf(" %2ld,", (long) m); if ((j % 12) == 11) printf("\n"); } printf("\n"); } break; /* * <<< make the keymap table >>> */ case 'k': printf("/* automagically made - do not fuss with this */\n\n"); for ( i = 0; i <= 7 ; i++ ) { s = sorder[i]; for ( d = 0; d <= 63; d++ ) { /* flip bits */ k = ((d << 5) & 32) | ((d << 3) & 16) | ((d << 1) & 8) | ((d >> 1) & 4) | ((d >> 3) & 2) | ((d >> 5) & 1) ; /* more bit twiddling */ l = ((k << 0) & 32) | /* overlap bit */ ((k << 4) & 16) | /* overlap bit */ ((k >> 1) & 15) ; /* unique bits */ /* look up s box value */ m = SB[s][l]; /* flip bits */ n = ((m << 3) & 8) | ((m << 1) & 4) | ((m >> 1) & 2) | ((m >> 3) & 1) ; /* put in correct nybble */ n <<= (s << 2); /* perform p permutation */ for ( m = j = 0; j < 32; j++ ) if ( n & (1 << (SP[j] - 1)) ) m |= (1UL << j); /* rotate right (alg keeps everything rotated by 1) */ m = (m >> 1) | ((m & 1) << 31); /* print it out */ printf(" 0x%08lx,", m); if ( ( d & 3 ) == 3 ) printf("\n"); } printf("\n"); } break; } return 0; } nettle-3.4.1/gcm-aes128.c0000644000175000017500000000400013401564745013754 0ustar nissenisse/* gcm-aes128.c Galois counter mode using AES128 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, aes128_encrypt, length, dst, src); } void gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, aes128_encrypt, length, dst, src); } void gcm_aes128_digest(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes128_encrypt, length, digest); } nettle-3.4.1/sha256-compress.c0000644000175000017500000001436213401564745015062 0ustar nissenisse/* sha256-compress.c The compression function of the sha256 hash function. Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA256_DEBUG # define SHA256_DEBUG 0 #endif #if SHA256_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x %8x %8x %8x\n", \ i, A, B, C, D ,E, F, G, H) #else # define DEBUG(i) #endif #include #include #include #include "sha2.h" #include "macros.h" /* A block, treated as a sequence of 32-bit words. */ #define SHA256_DATA_LENGTH 16 /* The SHA256 functions. The Choice function is the same as the SHA1 function f1, and the majority function is the same as the SHA1 f3 function. They can be optimized to save one boolean operation each - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering this */ /* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */ #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) ) /* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) #define S0(x) (ROTL32(30,(x)) ^ ROTL32(19,(x)) ^ ROTL32(10,(x))) #define S1(x) (ROTL32(26,(x)) ^ ROTL32(21,(x)) ^ ROTL32(7,(x))) #define s0(x) (ROTL32(25,(x)) ^ ROTL32(14,(x)) ^ ((x) >> 3)) #define s1(x) (ROTL32(15,(x)) ^ ROTL32(13,(x)) ^ ((x) >> 10)) /* The initial expanding function. The hash function is defined over an 64-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16] This implementation generates these values on the fly in a circular buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this optimization. */ #define EXPAND(W,i) \ ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) ) /* The prototype SHA sub-round. The fundamental sub-round is: T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t] T2 = S0(a) + Majority(a,b,c) a' = T1+T2 b' = a c' = b d' = c e' = d + T1 f' = e g' = f h' = g but this is implemented by unrolling the loop 8 times and renaming the variables ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each iteration. */ /* It's crucial that DATA is only used once, as that argument will * have side effects. */ #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \ h += S1(e) + Choice(e,f,g) + k + data; \ d += h; \ h += S0(a) + Majority(a,b,c); \ } while (0) /* For fat builds */ #if HAVE_NATIVE_sha256_compress void _nettle_sha256_compress_c(uint32_t *state, const uint8_t *input, const uint32_t *k); #define _nettle_sha256_compress _nettle_sha256_compress_c #endif void _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) { uint32_t data[SHA256_DATA_LENGTH]; uint32_t A, B, C, D, E, F, G, H; /* Local vars */ unsigned i; uint32_t *d; for (i = 0; i < SHA256_DATA_LENGTH; i++, input+= 4) { data[i] = READ_UINT32(input); } /* Set up first buffer and local data buffer */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; F = state[5]; G = state[6]; H = state[7]; /* Heavy mangling */ /* First 16 subrounds that act on the original data */ DEBUG(-1); for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8) { ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[2], d[2]); ROUND(F, G, H, A, B, C, D, E, k[3], d[3]); ROUND(E, F, G, H, A, B, C, D, k[4], d[4]); ROUND(D, E, F, G, H, A, B, C, k[5], d[5]); ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7); } for (; i<64; i += 16, k+= 16) { ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2); ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); DEBUG(i+3); ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); DEBUG(i+4); ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); DEBUG(i+5); ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); DEBUG(i+7); ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); DEBUG(i+8); ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); DEBUG(i+9); ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); DEBUG(i+10); ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); DEBUG(i+11); ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); DEBUG(i+12); ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); DEBUG(i+13); ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14); ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15); } /* Update state */ state[0] += A; state[1] += B; state[2] += C; state[3] += D; state[4] += E; state[5] += F; state[6] += G; state[7] += H; #if SHA256_DEBUG fprintf(stderr, "99: %8x %8x %8x %8x %8x %8x %8x %8x\n", state[0], state[1], state[2], state[3], state[4], state[5], state[6], state[7]); #endif } nettle-3.4.1/cbc.h0000644000175000017500000000456413401564746012761 0ustar nissenisse/* cbc.h Cipher block chaining mode. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CBC_H_INCLUDED #define NETTLE_CBC_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cbc_encrypt nettle_cbc_encrypt #define cbc_decrypt nettle_cbc_decrypt void cbc_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cbc_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #define CBC_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CBC_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CBC_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cbc_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CBC_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cbc_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #ifdef __cplusplus } #endif #endif /* NETTLE_CBC_H_INCLUDED */ nettle-3.4.1/dsa.c0000644000175000017500000000311313401564746012761 0ustar nissenisse/* dsa.c The DSA publickey algorithm. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "bignum.h" void dsa_params_init (struct dsa_params *params) { mpz_init(params->p); mpz_init(params->q); mpz_init(params->g); } void dsa_params_clear (struct dsa_params *params) { mpz_clear(params->p); mpz_clear(params->q); mpz_clear(params->g); } void dsa_signature_init(struct dsa_signature *signature) { mpz_init(signature->r); mpz_init(signature->s); } void dsa_signature_clear(struct dsa_signature *signature) { mpz_clear(signature->r); mpz_clear(signature->s); } nettle-3.4.1/sha3-512.c0000644000175000017500000000332013401564745013354 0ustar nissenisse/* sha3-512.c The sha3 hash function, 512 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "nettle-write.h" void sha3_512_init (struct sha3_512_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_512_ctx, block)); } void sha3_512_update (struct sha3_512_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _sha3_update (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_512_digest(struct sha3_512_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_512_init (ctx); } nettle-3.4.1/chacha.h0000644000175000017500000000466313401564746013441 0ustar nissenisse/* chacha.h The ChaCha stream cipher. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_H_INCLUDED #define NETTLE_CHACHA_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define chacha_set_key nettle_chacha_set_key #define chacha_set_nonce nettle_chacha_set_nonce #define chacha_set_nonce96 nettle_chacha_set_nonce96 #define chacha_crypt nettle_chacha_crypt #define _chacha_core _nettle_chacha_core /* Currently, only 256-bit keys are supported. */ #define CHACHA_KEY_SIZE 32 #define CHACHA_BLOCK_SIZE 64 #define CHACHA_NONCE_SIZE 8 #define CHACHA_NONCE96_SIZE 12 #define _CHACHA_STATE_LENGTH 16 struct chacha_ctx { /* Indices 0-3 holds a constant (SIGMA or TAU). Indices 4-11 holds the key. Indices 12-13 holds the block counter. Indices 14-15 holds the IV: This creates the state matrix: C C C C K K K K K K K K B B I I */ uint32_t state[_CHACHA_STATE_LENGTH]; }; void chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key); void chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_crypt(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds); #ifdef __cplusplus } #endif #endif /* NETTLE_CHACHA_H_INCLUDED */ nettle-3.4.1/chacha-crypt.c0000644000175000017500000000402513401564745014562 0ustar nissenisse/* chacha-crypt.c The crypt function in the ChaCha stream cipher. Heavily based on the Salsa20 implementation in Nettle. Copyright (C) 2014 Niels Möller Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: chacha-ref.c version 2008.01.20. D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "chacha.h" #include "macros.h" #include "memxor.h" #define CHACHA_ROUNDS 20 void chacha_crypt(struct chacha_ctx *ctx, size_t length, uint8_t *c, const uint8_t *m) { if (!length) return; for (;;) { uint32_t x[_CHACHA_STATE_LENGTH]; _chacha_core (x, ctx->state, CHACHA_ROUNDS); ctx->state[13] += (++ctx->state[12] == 0); /* stopping at 2^70 length per nonce is user's responsibility */ if (length <= CHACHA_BLOCK_SIZE) { memxor3 (c, m, x, length); return; } memxor3 (c, m, x, CHACHA_BLOCK_SIZE); length -= CHACHA_BLOCK_SIZE; c += CHACHA_BLOCK_SIZE; m += CHACHA_BLOCK_SIZE; } } nettle-3.4.1/buffer-init.c0000644000175000017500000000250613401564745014430 0ustar nissenisse/* buffer-init.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "buffer.h" #include "realloc.h" /* This is in a separate file so that we don't link in realloc in * programs that don't need it. */ void nettle_buffer_init(struct nettle_buffer *buffer) { nettle_buffer_init_realloc(buffer, NULL, nettle_realloc); } nettle-3.4.1/md2.c0000644000175000017500000001047613401564745012705 0ustar nissenisse/* md2.c The MD2 hash function, described in RFC 1319. Copyright (C) 2003 Niels Möller, Andreas Sigfridsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This code originates from the Python Cryptography Toolkit, version 1.0.1. Further hacked by Andreas Sigfridsson and Niels Möller. Original license: =================================================================== Distribute and use freely; there are no restrictions on further dissemination and usage except those imposed by the laws of your country of residence. This software is provided "as is" without warranty of fitness for use or suitability for any purpose, express or implied. Use at your own risk or not at all. =================================================================== Incorporating the code into commercial products is permitted; you do not have to make source available or contribute your changes back (though that would be nice). --amk (www.amk.ca) */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md2.h" #include "macros.h" static const uint8_t S[256] = { 41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, 19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, 76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, 138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251, 245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63, 148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50, 39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165, 181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210, 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157, 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27, 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15, 85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, 234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, 129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, 8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233, 203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228, 166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237, 31, 26, 219, 153, 141, 51, 159, 17, 131, 20 }; static void md2_transform(struct md2_ctx *ctx, const uint8_t *data) { unsigned i; uint8_t t; memcpy(ctx->X + 16, data, MD2_BLOCK_SIZE); for (i = 0, t = ctx->C[15]; iX[2 * MD2_BLOCK_SIZE + i] = ctx->X[i] ^ ctx->X[MD2_BLOCK_SIZE + i]; t = (ctx->C[i] ^= S[data[i]^t]); } for (i = t = 0; i< MD2_BLOCK_SIZE + 2; t = (t + i) & 0xff, i++) { unsigned j; for (j = 0; j < 3 * MD2_BLOCK_SIZE; j++) t = (ctx->X[j] ^= S[t]); } } void md2_init(struct md2_ctx *ctx) { memset(ctx, 0, sizeof(*ctx)); } void md2_update(struct md2_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, md2_transform, (void)0); } void md2_digest(struct md2_ctx *ctx, size_t length, uint8_t *digest) { unsigned left; assert(length <= MD2_DIGEST_SIZE); left = MD2_BLOCK_SIZE - ctx->index; memset(ctx->block + ctx->index, left, left); md2_transform(ctx, ctx->block); md2_transform(ctx, ctx->C); memcpy(digest, ctx->X, length); md2_init(ctx); } nettle-3.4.1/dsa-gen-params.c0000644000175000017500000000534113401564746015016 0ustar nissenisse/* dsa-gen-params.c Generation of DSA parameters Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa.h" #include "bignum.h" #include "nettle-internal.h" /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). */ int dsa_generate_params(struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits) { mpz_t r; unsigned p0_bits; unsigned a; if (q_bits < 30 || p_bits < q_bits + 30) return 0; mpz_init (r); nettle_random_prime (params->q, q_bits, 0, random_ctx, random, progress_ctx, progress); if (q_bits >= (p_bits + 2)/3) _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, random_ctx, random, params->q, NULL, params->q); else { mpz_t p0, p0q; mpz_init (p0); mpz_init (p0q); p0_bits = (p_bits + 3)/2; nettle_random_prime (p0, p0_bits, 0, random_ctx, random, progress_ctx, progress); if (progress) progress (progress_ctx, 'q'); /* Generate p = 2 r q p0 + 1, such that 2^{n-1} < p < 2^n. */ mpz_mul (p0q, p0, params->q); _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, random_ctx, random, p0, params->q, p0q); mpz_mul (r, r, p0); mpz_clear (p0); mpz_clear (p0q); } if (progress) progress (progress_ctx, 'p'); for (a = 2; ; a++) { mpz_set_ui (params->g, a); mpz_powm (params->g, params->g, r, params->p); if (mpz_cmp_ui (params->g, 1) != 0) break; } mpz_clear (r); if (progress) progress (progress_ctx, 'g'); return 1; } nettle-3.4.1/aes.h0000644000175000017500000001154213401564746012774 0ustar nissenisse/* aes.h The aes/rijndael block cipher. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_AES_H_INCLUDED #define NETTLE_AES_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define aes_set_encrypt_key nettle_aes_set_encrypt_key #define aes_set_decrypt_key nettle_aes_set_decrypt_key #define aes_invert_key nettle_aes_invert_key #define aes_encrypt nettle_aes_encrypt #define aes_decrypt nettle_aes_decrypt #define aes128_set_encrypt_key nettle_aes128_set_encrypt_key #define aes128_set_decrypt_key nettle_aes128_set_decrypt_key #define aes128_invert_key nettle_aes128_invert_key #define aes128_encrypt nettle_aes128_encrypt #define aes128_decrypt nettle_aes128_decrypt #define aes192_set_encrypt_key nettle_aes192_set_encrypt_key #define aes192_set_decrypt_key nettle_aes192_set_decrypt_key #define aes192_invert_key nettle_aes192_invert_key #define aes192_encrypt nettle_aes192_encrypt #define aes192_decrypt nettle_aes192_decrypt #define aes256_set_encrypt_key nettle_aes256_set_encrypt_key #define aes256_set_decrypt_key nettle_aes256_set_decrypt_key #define aes256_invert_key nettle_aes256_invert_key #define aes256_encrypt nettle_aes256_encrypt #define aes256_decrypt nettle_aes256_decrypt #define AES_BLOCK_SIZE 16 #define AES128_KEY_SIZE 16 #define AES192_KEY_SIZE 24 #define AES256_KEY_SIZE 32 #define _AES128_ROUNDS 10 #define _AES192_ROUNDS 12 #define _AES256_ROUNDS 14 /* Variable key size between 128 and 256 bits. But the only valid * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ #define AES_MIN_KEY_SIZE AES128_KEY_SIZE #define AES_MAX_KEY_SIZE AES256_KEY_SIZE /* Older nettle-2.7 interface */ #define AES_KEY_SIZE 32 struct aes_ctx { unsigned rounds; /* number of rounds to use for our key size */ uint32_t keys[4*(_AES256_ROUNDS + 1)]; /* maximum size of key schedule */ }; void aes_set_encrypt_key(struct aes_ctx *ctx, size_t length, const uint8_t *key); void aes_set_decrypt_key(struct aes_ctx *ctx, size_t length, const uint8_t *key); void aes_invert_key(struct aes_ctx *dst, const struct aes_ctx *src); void aes_encrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes_decrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes128_ctx { uint32_t keys[4 * (_AES128_ROUNDS + 1)]; }; void aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key); void aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key); void aes128_invert_key(struct aes128_ctx *dst, const struct aes128_ctx *src); void aes128_encrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes128_decrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes192_ctx { uint32_t keys[4 * (_AES192_ROUNDS + 1)]; }; void aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key); void aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key); void aes192_invert_key(struct aes192_ctx *dst, const struct aes192_ctx *src); void aes192_encrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes192_decrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes256_ctx { uint32_t keys[4 * (_AES256_ROUNDS + 1)]; }; void aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key); void aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key); void aes256_invert_key(struct aes256_ctx *dst, const struct aes256_ctx *src); void aes256_encrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes256_decrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_AES_H_INCLUDED */ nettle-3.4.1/sha512-256-meta.c0000644000175000017500000000261313401564745014456 0ustar nissenisse/* sha512-256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512_256 = { "sha512-256", sizeof(struct sha512_ctx), SHA512_256_DIGEST_SIZE, SHA512_256_BLOCK_SIZE, (nettle_hash_init_func *) sha512_256_init, (nettle_hash_update_func *) sha512_256_update, (nettle_hash_digest_func *) sha512_256_digest }; nettle-3.4.1/aes-invert-internal.c0000644000175000017500000001273013401564745016105 0ustar nissenisse/* aes-invert-internal.c Inverse key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" #include "macros.h" /* NOTE: We don't include rotated versions of the table. */ static const uint32_t mtable[0x100] = { 0x00000000,0x0b0d090e,0x161a121c,0x1d171b12, 0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a, 0x58684870,0x5365417e,0x4e725a6c,0x457f5362, 0x745c6c48,0x7f516546,0x62467e54,0x694b775a, 0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2, 0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca, 0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382, 0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba, 0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9, 0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1, 0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9, 0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81, 0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029, 0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411, 0x9303e34b,0x980eea45,0x8519f157,0x8e14f859, 0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61, 0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf, 0xda595295,0xd1545b9b,0xcc434089,0xc74e4987, 0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf, 0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7, 0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f, 0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967, 0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f, 0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117, 0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664, 0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c, 0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14, 0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c, 0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684, 0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc, 0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4, 0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc, 0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753, 0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b, 0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23, 0x83868009,0x888b8907,0x959c9215,0x9e919b1b, 0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3, 0x6b3e5899,0x60335197,0x7d244a85,0x7629438b, 0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3, 0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb, 0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88, 0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0, 0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8, 0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0, 0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68, 0x10856342,0x1b886a4c,0x069f715e,0x0d927850, 0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418, 0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020, 0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe, 0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6, 0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e, 0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6, 0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e, 0x9d532e34,0x965e273a,0x8b493c28,0x80443526, 0xe90f427c,0xe2024b72,0xff155060,0xf418596e, 0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56, 0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25, 0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d, 0x2264e947,0x2969e049,0x347efb5b,0x3f73f255, 0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d, 0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5, 0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd, 0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5, 0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d, }; #define MIX_COLUMN(T, key) do { \ uint32_t _k, _nk, _t; \ _k = (key); \ _nk = T[_k & 0xff]; \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(8, _t); \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(16, _t); \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(24, _t); \ (key) = _nk; \ } while(0) #define SWAP(a, b) \ do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void _aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) { unsigned i; /* Reverse the order of subkeys, in groups of 4. */ /* FIXME: Instead of reordering the subkeys, change the access order of aes_decrypt, since it's a separate function anyway? */ if (src == dst) { unsigned j, k; for (i = 0, j = rounds * 4; i < j; i += 4, j -= 4) for (k = 0; k<4; k++) SWAP(dst[i+k], dst[j+k]); } else { unsigned k; for (i = 0; i <= rounds * 4; i += 4) for (k = 0; k < 4; k++) dst[i+k] = src[rounds * 4 - i + k]; } /* Transform all subkeys but the first and last. */ for (i = 4; i < 4 * rounds; i++) MIX_COLUMN (mtable, dst[i]); } nettle-3.4.1/dsa.h0000644000175000017500000001323413401564746012773 0ustar nissenisse/* dsa.h The DSA publickey algorithm. Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DSA_H_INCLUDED #define NETTLE_DSA_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define dsa_params_init nettle_dsa_params_init #define dsa_params_clear nettle_dsa_params_clear #define dsa_signature_init nettle_dsa_signature_init #define dsa_signature_clear nettle_dsa_signature_clear #define dsa_sign nettle_dsa_sign #define dsa_verify nettle_dsa_verify #define dsa_generate_params nettle_dsa_generate_params #define dsa_generate_keypair nettle_dsa_generate_keypair #define dsa_signature_from_sexp nettle_dsa_signature_from_sexp #define dsa_keypair_to_sexp nettle_dsa_keypair_to_sexp #define dsa_keypair_from_sexp_alist nettle_dsa_keypair_from_sexp_alist #define dsa_sha1_keypair_from_sexp nettle_dsa_sha1_keypair_from_sexp #define dsa_sha256_keypair_from_sexp nettle_dsa_sha256_keypair_from_sexp #define dsa_params_from_der_iterator nettle_dsa_params_from_der_iterator #define dsa_public_key_from_der_iterator nettle_dsa_public_key_from_der_iterator #define dsa_openssl_private_key_from_der_iterator nettle_dsa_openssl_private_key_from_der_iterator #define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der #define _dsa_hash _nettle_dsa_hash /* For FIPS approved parameters */ #define DSA_SHA1_MIN_P_BITS 512 #define DSA_SHA1_Q_OCTETS 20 #define DSA_SHA1_Q_BITS 160 #define DSA_SHA256_MIN_P_BITS 1024 #define DSA_SHA256_Q_OCTETS 32 #define DSA_SHA256_Q_BITS 256 struct dsa_params { /* Modulo */ mpz_t p; /* Group order */ mpz_t q; /* Generator */ mpz_t g; }; void dsa_params_init (struct dsa_params *params); void dsa_params_clear (struct dsa_params *params); struct dsa_signature { mpz_t r; mpz_t s; }; /* Calls mpz_init to initialize bignum storage. */ void dsa_signature_init(struct dsa_signature *signature); /* Calls mpz_clear to deallocate bignum storage. */ void dsa_signature_clear(struct dsa_signature *signature); int dsa_sign(const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature); int dsa_verify(const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature); /* Key generation */ int dsa_generate_params(struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits); void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random); /* Keys in sexp form. */ struct nettle_buffer; /* Generates a public-key expression if PRIV is NULL .*/ int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, /* NULL means "dsa" */ const struct dsa_params *params, const mpz_t pub, const mpz_t priv); struct sexp_iterator; int dsa_signature_from_sexp(struct dsa_signature *rs, struct sexp_iterator *i, unsigned q_bits); int dsa_keypair_from_sexp_alist(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i); /* If PRIV is NULL, expect a public-key expression. If PUB is NULL, * expect a private key expression and ignore the parts not needed for * the public key. */ /* Keys must be initialized before calling this function, as usual. */ int dsa_sha1_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr); int dsa_sha256_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr); /* Keys in X.509 andd OpenSSL format. */ struct asn1_der_iterator; int dsa_params_from_der_iterator(struct dsa_params *params, unsigned max_bits, unsigned q_bits, struct asn1_der_iterator *i); int dsa_public_key_from_der_iterator(const struct dsa_params *params, mpz_t pub, struct asn1_der_iterator *i); int dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, struct asn1_der_iterator *i); int dsa_openssl_private_key_from_der(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *data); /* Internal functions. */ void _dsa_hash (mpz_t h, unsigned bit_size, size_t length, const uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_DSA_H_INCLUDED */ nettle-3.4.1/chacha-poly1305.h0000644000175000017500000000543113401564746014725 0ustar nissenisse/* chacha-poly1305.h AEAD mechanism based on chacha and poly1305. See draft-agl-tls-chacha20poly1305-04. Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED #define NETTLE_CHACHA_POLY1305_H_INCLUDED #include "chacha.h" #include "poly1305.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define chacha_poly1305_set_key nettle_chacha_poly1305_set_key #define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce #define chacha_poly1305_update nettle_chacha_poly1305_update #define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt #define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt #define chacha_poly1305_digest nettle_chacha_poly1305_digest #define CHACHA_POLY1305_BLOCK_SIZE 64 /* FIXME: Any need for 128-bit variant? */ #define CHACHA_POLY1305_KEY_SIZE 32 #define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE96_SIZE #define CHACHA_POLY1305_DIGEST_SIZE 16 struct chacha_poly1305_ctx { struct chacha_ctx chacha; struct poly1305_ctx poly1305; union nettle_block16 s; uint64_t auth_size; uint64_t data_size; /* poly1305 block */ uint8_t block[POLY1305_BLOCK_SIZE]; unsigned index; }; void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key); void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce); void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data); void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */ nettle-3.4.1/rsa-sha512-sign-tr.c0000644000175000017500000000372513401564746015372 0ustar nissenisse/* rsa-sha512-sign-tr.c Signatures using RSA and SHA512. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha512_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.4.1/write-le32.c0000644000175000017500000000302613401564745014111 0ustar nissenisse/* write-le32.c Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-write.h" #include "macros.h" void _nettle_write_le32(size_t length, uint8_t *dst, const uint32_t *src) { size_t i; size_t words; unsigned leftover; words = length / 4; leftover = length % 4; for (i = 0; i < words; i++, dst += 4) LE_WRITE_UINT32(dst, src[i]); if (leftover) { uint32_t word; word = src[i]; do { *dst++ = word & 0xff; word >>= 8; } while (--leftover); } } nettle-3.4.1/pkcs1-rsa-sha1.c0000644000175000017500000000542613401564745014660 0ustar nissenisse/* pkcs1-rsa-sha1.c PKCS stuff for rsa-sha1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "gmp-glue.h" /* From pkcs-1v2 * * id-sha1 OBJECT IDENTIFIER ::= * {iso(1) identified-organization(3) oiw(14) secsig(3) * algorithms(2) 26} * * The default hash function is SHA-1: * sha1Identifier ::= AlgorithmIdentifier {id-sha1, NULL} */ static const uint8_t sha1_prefix[] = { /* 15 octets prefix, 20 octets hash, total 35 */ 0x30, 33, /* SEQUENCE */ 0x30, 9, /* SEQUENCE */ 0x06, 5, /* OBJECT IDENTIFIER */ 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0, /* NULL */ 0x04, 20 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_sha1_encode(mpz_t m, size_t key_size, struct sha1_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), sha1_prefix, SHA1_DIGEST_SIZE); if (p) { sha1_digest(hash, SHA1_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), sha1_prefix, SHA1_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA1_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.4.1/TODO0000644000175000017500000000121213401564746012534 0ustar nissenissePublic key support, analogous to that provided by RSAREF. Suggested by Dan Egnor. Signatures are done now, but RSA encryption is still missing. References: http://download.gale.org/rsaref20.tar.Z http://www.openssl.org/docs/crypto/evp.html http://www.openssl.org/docs/crypto/rsa.html More feedback modes, in order of decreasing priority: CBC-MAC, OFB, and CFB. Suggested by Rafael 'Dido' Sevilla. References: http://csrc.nist.gov/encryption/modes/Recommendation/Modes01.pdf Valgrind reports errors on the des-compat test program. Investigate. The make rules for building position independent *_p.o files doesn't get dependencies right. nettle-3.4.1/rsa-pkcs1-sign-tr.c0000644000175000017500000000321013401564745015374 0ustar nissenisse/* rsa-pkcs1-sign-tr.c Creating timing resistant RSA signatures. Copyright (C) 2012 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1.h" /* Side-channel resistant version of rsa_pkcs1_sign() */ int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t s) { mpz_t m; int ret; mpz_init(m); ret = (pkcs1_rsa_digest_encode (m, key->size, length, digest_info) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear(m); return ret; } nettle-3.4.1/eddsa-sign.c0000644000175000017500000000543513401564746014241 0ustar nissenisse/* eddsa-sign.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-meta.h" mp_size_t _eddsa_sign_itch (const struct ecc_curve *ecc) { return 5*ecc->p.size + ecc->mul_g_itch; } void _eddsa_sign (const struct ecc_curve *ecc, const struct nettle_hash *H, const uint8_t *pub, void *ctx, const mp_limb_t *k2, size_t length, const uint8_t *msg, uint8_t *signature, mp_limb_t *scratch) { mp_size_t size; size_t nbytes; #define rp scratch #define hp (scratch + size) #define P (scratch + 2*size) #define sp (scratch + 2*size) #define hash ((uint8_t *) (scratch + 3*size)) #define scratch_out (scratch + 5*size) size = ecc->p.size; nbytes = 1 + ecc->p.bit_size / 8; assert (H->digest_size >= 2 * nbytes); H->update (ctx, length, msg); H->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, rp, hash); ecc->mul_g (ecc, P, rp, scratch_out); _eddsa_compress (ecc, signature, P, scratch_out); H->update (ctx, nbytes, signature); H->update (ctx, nbytes, pub); H->update (ctx, length, msg); H->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, hp, hash); ecc_modq_mul (ecc, sp, hp, k2); ecc_modq_add (ecc, sp, sp, rp); /* FIXME: Can be plain add */ /* FIXME: Special code duplicated in ecc_25519_modq and ecc_eh_to_a. Define a suitable method? */ { unsigned shift; mp_limb_t cy; assert (ecc->p.bit_size == 255); shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, sp[ecc->p.size-1] >> shift); assert (cy < 2); cnd_add_n (cy, sp, ecc->q.m, ecc->p.size); } mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size); #undef rp #undef hp #undef P #undef sp #undef hash } nettle-3.4.1/arctwo.c0000644000175000017500000001612313401564745013515 0ustar nissenisse/* arctwo.c The cipher described in rfc2268; aka Ron's Cipher 2. Copyright (C) 2004 Simon Josefsson Copyright (C) 2003 Nikos Mavroyanopoulos Copyright (C) 2004 Free Software Foundation, Inc. Copyright (C) 2004, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This implementation was written by Nikos Mavroyanopoulos for GNUTLS * as a Libgcrypt module (gnutls/lib/x509/rc2.c) and later adapted for * direct use by Libgcrypt by Werner Koch and later adapted for direct * use by Nettle by Simon Josefsson and Niels Möller. * * The implementation here is based on Peter Gutmann's RRC.2 paper and * RFC 2268. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "arctwo.h" #include "macros.h" static const uint8_t arctwo_sbox[] = { 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32, 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26, 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a, 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc, 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31, 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e, 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad }; #define rotl16(x,n) (((x) << ((uint16_t)(n))) | ((x) >> (16 - (uint16_t)(n)))) #define rotr16(x,n) (((x) >> ((uint16_t)(n))) | ((x) << (16 - (uint16_t)(n)))) void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { register unsigned i; uint16_t w0, w1, w2, w3; w0 = LE_READ_UINT16 (&src[0]); w1 = LE_READ_UINT16 (&src[2]); w2 = LE_READ_UINT16 (&src[4]); w3 = LE_READ_UINT16 (&src[6]); for (i = 0; i < 16; i++) { register unsigned j = i * 4; /* For some reason I cannot combine those steps. */ w0 += (w1 & ~w3) + (w2 & w3) + ctx->S[j]; w0 = rotl16 (w0, 1); w1 += (w2 & ~w0) + (w3 & w0) + ctx->S[j + 1]; w1 = rotl16 (w1, 2); w2 += (w3 & ~w1) + (w0 & w1) + ctx->S[j + 2]; w2 = rotl16 (w2, 3); w3 += (w0 & ~w2) + (w1 & w2) + ctx->S[j + 3]; w3 = rotl16 (w3, 5); if (i == 4 || i == 10) { w0 += ctx->S[w3 & 63]; w1 += ctx->S[w0 & 63]; w2 += ctx->S[w1 & 63]; w3 += ctx->S[w2 & 63]; } } LE_WRITE_UINT16 (&dst[0], w0); LE_WRITE_UINT16 (&dst[2], w1); LE_WRITE_UINT16 (&dst[4], w2); LE_WRITE_UINT16 (&dst[6], w3); } } void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { register unsigned i; uint16_t w0, w1, w2, w3; w0 = LE_READ_UINT16 (&src[0]); w1 = LE_READ_UINT16 (&src[2]); w2 = LE_READ_UINT16 (&src[4]); w3 = LE_READ_UINT16 (&src[6]); for (i = 16; i-- > 0; ) { register unsigned j = i * 4; w3 = rotr16 (w3, 5); w3 -= (w0 & ~w2) + (w1 & w2) + ctx->S[j + 3]; w2 = rotr16 (w2, 3); w2 -= (w3 & ~w1) + (w0 & w1) + ctx->S[j + 2]; w1 = rotr16 (w1, 2); w1 -= (w2 & ~w0) + (w3 & w0) + ctx->S[j + 1]; w0 = rotr16 (w0, 1); w0 -= (w1 & ~w3) + (w2 & w3) + ctx->S[j]; if (i == 5 || i == 11) { w3 = w3 - ctx->S[w2 & 63]; w2 = w2 - ctx->S[w1 & 63]; w1 = w1 - ctx->S[w0 & 63]; w0 = w0 - ctx->S[w3 & 63]; } } LE_WRITE_UINT16 (&dst[0], w0); LE_WRITE_UINT16 (&dst[2], w1); LE_WRITE_UINT16 (&dst[4], w2); LE_WRITE_UINT16 (&dst[6], w3); } } void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t *key, unsigned ekb) { size_t i; /* Expanded key, treated as octets */ uint8_t S[128]; uint8_t x; assert (length >= ARCTWO_MIN_KEY_SIZE); assert (length <= ARCTWO_MAX_KEY_SIZE); assert (ekb <= 1024); for (i = 0; i < length; i++) S[i] = key[i]; /* Phase 1: Expand input key to 128 bytes */ for (i = length; i < ARCTWO_MAX_KEY_SIZE; i++) S[i] = arctwo_sbox[(S[i - length] + S[i - 1]) & 255]; S[0] = arctwo_sbox[S[0]]; /* Reduce effective key size to ekb bits, if requested by caller. */ if (ekb > 0 && ekb < 1024) { int len = (ekb + 7) >> 3; i = 128 - len; x = arctwo_sbox[S[i] & (255 >> (7 & -ekb))]; S[i] = x; while (i--) { x = arctwo_sbox[x ^ S[i + len]]; S[i] = x; } } /* Make the expanded key endian independent. */ for (i = 0; i < 64; i++) ctx->S[i] = LE_READ_UINT16(S + i * 2); } void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 8 * length); } void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 0); } void arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 5, key, 40); } void arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 8, key, 64); } void arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 16, key, 128); } void arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 16, key, 1024); } nettle-3.4.1/rsa.h0000644000175000017500000004136713401564746013021 0ustar nissenisse/* rsa.h The RSA publickey algorithm. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RSA_H_INCLUDED #define NETTLE_RSA_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #include "md5.h" #include "sha1.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define rsa_public_key_init nettle_rsa_public_key_init #define rsa_public_key_clear nettle_rsa_public_key_clear #define rsa_public_key_prepare nettle_rsa_public_key_prepare #define rsa_private_key_init nettle_rsa_private_key_init #define rsa_private_key_clear nettle_rsa_private_key_clear #define rsa_private_key_prepare nettle_rsa_private_key_prepare #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr #define rsa_md5_sign nettle_rsa_md5_sign #define rsa_md5_sign_tr nettle_rsa_md5_sign_tr #define rsa_md5_verify nettle_rsa_md5_verify #define rsa_sha1_sign nettle_rsa_sha1_sign #define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr #define rsa_sha1_verify nettle_rsa_sha1_verify #define rsa_sha256_sign nettle_rsa_sha256_sign #define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr #define rsa_sha256_verify nettle_rsa_sha256_verify #define rsa_sha512_sign nettle_rsa_sha512_sign #define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr #define rsa_sha512_verify nettle_rsa_sha512_verify #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest #define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest #define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest #define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest #define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest #define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr #define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest #define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr #define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest #define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr #define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest #define rsa_encrypt nettle_rsa_encrypt #define rsa_decrypt nettle_rsa_decrypt #define rsa_decrypt_tr nettle_rsa_decrypt_tr #define rsa_sec_decrypt nettle_rsa_sec_decrypt #define rsa_compute_root nettle_rsa_compute_root #define rsa_compute_root_tr nettle_rsa_compute_root_tr #define rsa_generate_keypair nettle_rsa_generate_keypair #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator #define rsa_keypair_from_der nettle_rsa_keypair_from_der #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp #define _rsa_verify _nettle_rsa_verify #define _rsa_verify_recover _nettle_rsa_verify_recover #define _rsa_check_size _nettle_rsa_check_size #define _rsa_blind _nettle_rsa_blind #define _rsa_unblind _nettle_rsa_unblind /* This limit is somewhat arbitrary. Technically, the smallest modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But for ridiculously small keys, not all odd e are possible (e.g., for 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e = 3 don't work). The smallest size that makes sense with pkcs#1, and which allows RSA encryption of one byte messages, is 12 octets, 89 bits. */ #define RSA_MINIMUM_N_OCTETS 12 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7) struct rsa_public_key { /* Size of the modulo, in octets. This is also the size of all * signatures that are created or verified with this key. */ size_t size; /* Modulo */ mpz_t n; /* Public exponent */ mpz_t e; }; struct rsa_private_key { size_t size; /* d is filled in by the key generation function; otherwise it's * completely unused. */ mpz_t d; /* The two factors */ mpz_t p; mpz_t q; /* d % (p-1), i.e. a e = 1 (mod (p-1)) */ mpz_t a; /* d % (q-1), i.e. b e = 1 (mod (q-1)) */ mpz_t b; /* modular inverse of q , i.e. c q = 1 (mod p) */ mpz_t c; }; /* Signing a message works as follows: * * Store the private key in a rsa_private_key struct. * * Call rsa_private_key_prepare. This initializes the size attribute * to the length of a signature. * * Initialize a hashing context, by callling * md5_init * * Hash the message by calling * md5_update * * Create the signature by calling * rsa_md5_sign * * The signature is represented as a mpz_t bignum. This call also * resets the hashing context. * * When done with the key and signature, don't forget to call * mpz_clear. */ /* Calls mpz_init to initialize bignum storage. */ void rsa_public_key_init(struct rsa_public_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void rsa_public_key_clear(struct rsa_public_key *key); int rsa_public_key_prepare(struct rsa_public_key *key); /* Calls mpz_init to initialize bignum storage. */ void rsa_private_key_init(struct rsa_private_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void rsa_private_key_clear(struct rsa_private_key *key); int rsa_private_key_prepare(struct rsa_private_key *key); /* PKCS#1 style signatures */ int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_verify(const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t signature); int rsa_md5_sign(const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature); int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t s); int rsa_md5_verify(const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature); int rsa_sha1_sign(const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature); int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t s); int rsa_sha1_verify(const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature); int rsa_sha256_sign(const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature); int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t s); int rsa_sha256_verify(const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature); int rsa_sha512_sign(const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature); int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t s); int rsa_sha512_verify(const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature); /* Variants taking the digest as argument. */ int rsa_md5_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_md5_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha1_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha1_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha256_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha256_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha512_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); /* PSS style signatures */ int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); /* RSA encryption, using PKCS#1 */ /* These functions uses the v1.5 padding. What should the v2 (OAEP) * functions be called? */ /* Returns 1 on success, 0 on failure, which happens if the * message is too long for the key. */ int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *cleartext, mpz_t cipher); /* Message must point to a buffer of size *LENGTH. KEY->size is enough * for all valid messages. On success, *LENGTH is updated to reflect * the actual length of the message. Returns 1 on success, 0 on * failure, which happens if decryption failed or if the message * didn't fit. */ int rsa_decrypt(const struct rsa_private_key *key, size_t *length, uint8_t *cleartext, const mpz_t ciphertext); /* Timing-resistant version, using randomized RSA blinding. */ int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t gibberish); /* like rsa_decrypt_tr but with additional side-channel resistance. * NOTE: the length of the final message must be known in advance. */ int rsa_sec_decrypt(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish); /* Compute x, the e:th root of m. Calling it with x == m is allowed. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m); /* Safer variant, using RSA blinding, and checking the result after CRT. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m); /* Key generation */ /* Note that the key structs must be initialized first. */ int rsa_generate_keypair(struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, /* Desired size of modulo, in bits */ unsigned n_size, /* Desired size of public exponent, in bits. If * zero, the passed in value pub->e is used. */ unsigned e_size); #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \ algorithm##_update(ctx, length, data), \ rsa_##algorithm##_sign(key, ctx, signature) \ ) #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \ algorithm##_update(ctx, length, data), \ rsa_##algorithm##_verify(key, ctx, signature) \ ) /* Keys in sexp form. */ struct nettle_buffer; /* Generates a public-key expression if PRIV is NULL .*/ int rsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, /* NULL means "rsa" */ const struct rsa_public_key *pub, const struct rsa_private_key *priv); struct sexp_iterator; int rsa_keypair_from_sexp_alist(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct sexp_iterator *i); /* If PRIV is NULL, expect a public-key expression. If PUB is NULL, * expect a private key expression and ignore the parts not needed for * the public key. */ /* Keys must be initialized before calling this function, as usual. */ int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *expr); /* Keys in PKCS#1 format. */ struct asn1_der_iterator; int rsa_public_key_from_der_iterator(struct rsa_public_key *pub, unsigned limit, struct asn1_der_iterator *i); int rsa_private_key_from_der_iterator(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct asn1_der_iterator *i); /* For public keys, use PRIV == NULL */ int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *data); /* OpenPGP format. Experimental interface, subject to change. */ int rsa_keypair_to_openpgp(struct nettle_buffer *buffer, const struct rsa_public_key *pub, const struct rsa_private_key *priv, /* A single user id. NUL-terminated utf8. */ const char *userid); /* Internal functions. */ int _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s); int _rsa_verify_recover(const struct rsa_public_key *key, mpz_t m, const mpz_t s); size_t _rsa_check_size(mpz_t n); /* _rsa_blind and _rsa_unblind are deprecated, unused in the library, and will likely be removed with the next ABI break. */ void _rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t c, mpz_t ri); void _rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri); #ifdef __cplusplus } #endif #endif /* NETTLE_RSA_H_INCLUDED */ nettle-3.4.1/ctr.h0000644000175000017500000000365013401564746013015 0ustar nissenisse/* ctr.h Counter mode, using an network byte order incremented counter, matching the testcases of NIST 800-38A. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CTR_H_INCLUDED #define NETTLE_CTR_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ctr_crypt nettle_ctr_crypt void ctr_crypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src); #define CTR_CTX(type, size) \ { type ctx; uint8_t ctr[size]; } #define CTR_SET_COUNTER(ctx, data) \ memcpy((ctx)->ctr, (data), sizeof((ctx)->ctr)) #define CTR_CRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : ctr_crypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->ctr), (self)->ctr, \ (length), (dst), (src))) #ifdef __cplusplus } #endif #endif /* NETTLE_CTR_H_INCLUDED */ nettle-3.4.1/blowfish.c0000644000175000017500000004642413401564745014042 0ustar nissenisse/* blowfish.c The blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 2010 Simon Josefsson Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* For a description of the algorithm, see: * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996. * ISBN 0-471-11709-9. Pages 336 ff. */ /* This file is derived from cipher/blowfish.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-11-23. Changes include removing the selftest, renaming u32/byte types to uint32_t/uint8_t, renaming BLOWFISH_ROUNDS to _BLOWFISH_ROUNDS (from Nettle's blowfish.h), dropping the libgcrypt wrapper functions, fixing #include's, remove support for non-16 rounds (there are no test vectors), adding FOR_BLOCK iterations, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include "blowfish.h" #include "macros.h" /* precomputed S boxes */ static const struct blowfish_ctx initial_ctx = { { { /* ks0 */ 0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7, 0xB8E1AFED, 0x6A267E96, 0xBA7C9045, 0xF12C7F99, 0x24A19947, 0xB3916CF7, 0x0801F2E2, 0x858EFC16, 0x636920D8, 0x71574E69, 0xA458FEA3, 0xF4933D7E, 0x0D95748F, 0x728EB658, 0x718BCD58, 0x82154AEE, 0x7B54A41D, 0xC25A59B5, 0x9C30D539, 0x2AF26013, 0xC5D1B023, 0x286085F0, 0xCA417918, 0xB8DB38EF, 0x8E79DCB0, 0x603A180E, 0x6C9E0E8B, 0xB01E8A3E, 0xD71577C1, 0xBD314B27, 0x78AF2FDA, 0x55605C60, 0xE65525F3, 0xAA55AB94, 0x57489862, 0x63E81440, 0x55CA396A, 0x2AAB10B6, 0xB4CC5C34, 0x1141E8CE, 0xA15486AF, 0x7C72E993, 0xB3EE1411, 0x636FBC2A, 0x2BA9C55D, 0x741831F6, 0xCE5C3E16, 0x9B87931E, 0xAFD6BA33, 0x6C24CF5C, 0x7A325381, 0x28958677, 0x3B8F4898, 0x6B4BB9AF, 0xC4BFE81B, 0x66282193, 0x61D809CC, 0xFB21A991, 0x487CAC60, 0x5DEC8032, 0xEF845D5D, 0xE98575B1, 0xDC262302, 0xEB651B88, 0x23893E81, 0xD396ACC5, 0x0F6D6FF3, 0x83F44239, 0x2E0B4482, 0xA4842004, 0x69C8F04A, 0x9E1F9B5E, 0x21C66842, 0xF6E96C9A, 0x670C9C61, 0xABD388F0, 0x6A51A0D2, 0xD8542F68, 0x960FA728, 0xAB5133A3, 0x6EEF0B6C, 0x137A3BE4, 0xBA3BF050, 0x7EFB2A98, 0xA1F1651D, 0x39AF0176, 0x66CA593E, 0x82430E88, 0x8CEE8619, 0x456F9FB4, 0x7D84A5C3, 0x3B8B5EBE, 0xE06F75D8, 0x85C12073, 0x401A449F, 0x56C16AA6, 0x4ED3AA62, 0x363F7706, 0x1BFEDF72, 0x429B023D, 0x37D0D724, 0xD00A1248, 0xDB0FEAD3, 0x49F1C09B, 0x075372C9, 0x80991B7B, 0x25D479D8, 0xF6E8DEF7, 0xE3FE501A, 0xB6794C3B, 0x976CE0BD, 0x04C006BA, 0xC1A94FB6, 0x409F60C4, 0x5E5C9EC2, 0x196A2463, 0x68FB6FAF, 0x3E6C53B5, 0x1339B2EB, 0x3B52EC6F, 0x6DFC511F, 0x9B30952C, 0xCC814544, 0xAF5EBD09, 0xBEE3D004, 0xDE334AFD, 0x660F2807, 0x192E4BB3, 0xC0CBA857, 0x45C8740F, 0xD20B5F39, 0xB9D3FBDB, 0x5579C0BD, 0x1A60320A, 0xD6A100C6, 0x402C7279, 0x679F25FE, 0xFB1FA3CC, 0x8EA5E9F8, 0xDB3222F8, 0x3C7516DF, 0xFD616B15, 0x2F501EC8, 0xAD0552AB, 0x323DB5FA, 0xFD238760, 0x53317B48, 0x3E00DF82, 0x9E5C57BB, 0xCA6F8CA0, 0x1A87562E, 0xDF1769DB, 0xD542A8F6, 0x287EFFC3, 0xAC6732C6, 0x8C4F5573, 0x695B27B0, 0xBBCA58C8, 0xE1FFA35D, 0xB8F011A0, 0x10FA3D98, 0xFD2183B8, 0x4AFCB56C, 0x2DD1D35B, 0x9A53E479, 0xB6F84565, 0xD28E49BC, 0x4BFB9790, 0xE1DDF2DA, 0xA4CB7E33, 0x62FB1341, 0xCEE4C6E8, 0xEF20CADA, 0x36774C01, 0xD07E9EFE, 0x2BF11FB4, 0x95DBDA4D, 0xAE909198, 0xEAAD8E71, 0x6B93D5A0, 0xD08ED1D0, 0xAFC725E0, 0x8E3C5B2F, 0x8E7594B7, 0x8FF6E2FB, 0xF2122B64, 0x8888B812, 0x900DF01C, 0x4FAD5EA0, 0x688FC31C, 0xD1CFF191, 0xB3A8C1AD, 0x2F2F2218, 0xBE0E1777, 0xEA752DFE, 0x8B021FA1, 0xE5A0CC0F, 0xB56F74E8, 0x18ACF3D6, 0xCE89E299, 0xB4A84FE0, 0xFD13E0B7, 0x7CC43B81, 0xD2ADA8D9, 0x165FA266, 0x80957705, 0x93CC7314, 0x211A1477, 0xE6AD2065, 0x77B5FA86, 0xC75442F5, 0xFB9D35CF, 0xEBCDAF0C, 0x7B3E89A0, 0xD6411BD3, 0xAE1E7E49, 0x00250E2D, 0x2071B35E, 0x226800BB, 0x57B8E0AF, 0x2464369B, 0xF009B91E, 0x5563911D, 0x59DFA6AA, 0x78C14389, 0xD95A537F, 0x207D5BA2, 0x02E5B9C5, 0x83260376, 0x6295CFA9, 0x11C81968, 0x4E734A41, 0xB3472DCA, 0x7B14A94A, 0x1B510052, 0x9A532915, 0xD60F573F, 0xBC9BC6E4, 0x2B60A476, 0x81E67400, 0x08BA6FB5, 0x571BE91F, 0xF296EC6B, 0x2A0DD915, 0xB6636521, 0xE7B9F9B6, 0xFF34052E, 0xC5855664, 0x53B02D5D, 0xA99F8FA1, 0x08BA4799, 0x6E85076A }, { /* ks1 */ 0x4B7A70E9, 0xB5B32944, 0xDB75092E, 0xC4192623, 0xAD6EA6B0, 0x49A7DF7D, 0x9CEE60B8, 0x8FEDB266, 0xECAA8C71, 0x699A17FF, 0x5664526C, 0xC2B19EE1, 0x193602A5, 0x75094C29, 0xA0591340, 0xE4183A3E, 0x3F54989A, 0x5B429D65, 0x6B8FE4D6, 0x99F73FD6, 0xA1D29C07, 0xEFE830F5, 0x4D2D38E6, 0xF0255DC1, 0x4CDD2086, 0x8470EB26, 0x6382E9C6, 0x021ECC5E, 0x09686B3F, 0x3EBAEFC9, 0x3C971814, 0x6B6A70A1, 0x687F3584, 0x52A0E286, 0xB79C5305, 0xAA500737, 0x3E07841C, 0x7FDEAE5C, 0x8E7D44EC, 0x5716F2B8, 0xB03ADA37, 0xF0500C0D, 0xF01C1F04, 0x0200B3FF, 0xAE0CF51A, 0x3CB574B2, 0x25837A58, 0xDC0921BD, 0xD19113F9, 0x7CA92FF6, 0x94324773, 0x22F54701, 0x3AE5E581, 0x37C2DADC, 0xC8B57634, 0x9AF3DDA7, 0xA9446146, 0x0FD0030E, 0xECC8C73E, 0xA4751E41, 0xE238CD99, 0x3BEA0E2F, 0x3280BBA1, 0x183EB331, 0x4E548B38, 0x4F6DB908, 0x6F420D03, 0xF60A04BF, 0x2CB81290, 0x24977C79, 0x5679B072, 0xBCAF89AF, 0xDE9A771F, 0xD9930810, 0xB38BAE12, 0xDCCF3F2E, 0x5512721F, 0x2E6B7124, 0x501ADDE6, 0x9F84CD87, 0x7A584718, 0x7408DA17, 0xBC9F9ABC, 0xE94B7D8C, 0xEC7AEC3A, 0xDB851DFA, 0x63094366, 0xC464C3D2, 0xEF1C1847, 0x3215D908, 0xDD433B37, 0x24C2BA16, 0x12A14D43, 0x2A65C451, 0x50940002, 0x133AE4DD, 0x71DFF89E, 0x10314E55, 0x81AC77D6, 0x5F11199B, 0x043556F1, 0xD7A3C76B, 0x3C11183B, 0x5924A509, 0xF28FE6ED, 0x97F1FBFA, 0x9EBABF2C, 0x1E153C6E, 0x86E34570, 0xEAE96FB1, 0x860E5E0A, 0x5A3E2AB3, 0x771FE71C, 0x4E3D06FA, 0x2965DCB9, 0x99E71D0F, 0x803E89D6, 0x5266C825, 0x2E4CC978, 0x9C10B36A, 0xC6150EBA, 0x94E2EA78, 0xA5FC3C53, 0x1E0A2DF4, 0xF2F74EA7, 0x361D2B3D, 0x1939260F, 0x19C27960, 0x5223A708, 0xF71312B6, 0xEBADFE6E, 0xEAC31F66, 0xE3BC4595, 0xA67BC883, 0xB17F37D1, 0x018CFF28, 0xC332DDEF, 0xBE6C5AA5, 0x65582185, 0x68AB9802, 0xEECEA50F, 0xDB2F953B, 0x2AEF7DAD, 0x5B6E2F84, 0x1521B628, 0x29076170, 0xECDD4775, 0x619F1510, 0x13CCA830, 0xEB61BD96, 0x0334FE1E, 0xAA0363CF, 0xB5735C90, 0x4C70A239, 0xD59E9E0B, 0xCBAADE14, 0xEECC86BC, 0x60622CA7, 0x9CAB5CAB, 0xB2F3846E, 0x648B1EAF, 0x19BDF0CA, 0xA02369B9, 0x655ABB50, 0x40685A32, 0x3C2AB4B3, 0x319EE9D5, 0xC021B8F7, 0x9B540B19, 0x875FA099, 0x95F7997E, 0x623D7DA8, 0xF837889A, 0x97E32D77, 0x11ED935F, 0x16681281, 0x0E358829, 0xC7E61FD6, 0x96DEDFA1, 0x7858BA99, 0x57F584A5, 0x1B227263, 0x9B83C3FF, 0x1AC24696, 0xCDB30AEB, 0x532E3054, 0x8FD948E4, 0x6DBC3128, 0x58EBF2EF, 0x34C6FFEA, 0xFE28ED61, 0xEE7C3C73, 0x5D4A14D9, 0xE864B7E3, 0x42105D14, 0x203E13E0, 0x45EEE2B6, 0xA3AAABEA, 0xDB6C4F15, 0xFACB4FD0, 0xC742F442, 0xEF6ABBB5, 0x654F3B1D, 0x41CD2105, 0xD81E799E, 0x86854DC7, 0xE44B476A, 0x3D816250, 0xCF62A1F2, 0x5B8D2646, 0xFC8883A0, 0xC1C7B6A3, 0x7F1524C3, 0x69CB7492, 0x47848A0B, 0x5692B285, 0x095BBF00, 0xAD19489D, 0x1462B174, 0x23820E00, 0x58428D2A, 0x0C55F5EA, 0x1DADF43E, 0x233F7061, 0x3372F092, 0x8D937E41, 0xD65FECF1, 0x6C223BDB, 0x7CDE3759, 0xCBEE7460, 0x4085F2A7, 0xCE77326E, 0xA6078084, 0x19F8509E, 0xE8EFD855, 0x61D99735, 0xA969A7AA, 0xC50C06C2, 0x5A04ABFC, 0x800BCADC, 0x9E447A2E, 0xC3453484, 0xFDD56705, 0x0E1E9EC9, 0xDB73DBD3, 0x105588CD, 0x675FDA79, 0xE3674340, 0xC5C43465, 0x713E38D8, 0x3D28F89E, 0xF16DFF20, 0x153E21E7, 0x8FB03D4A, 0xE6E39F2B, 0xDB83ADF7 }, { /* ks2 */ 0xE93D5A68, 0x948140F7, 0xF64C261C, 0x94692934, 0x411520F7, 0x7602D4F7, 0xBCF46B2E, 0xD4A20068, 0xD4082471, 0x3320F46A, 0x43B7D4B7, 0x500061AF, 0x1E39F62E, 0x97244546, 0x14214F74, 0xBF8B8840, 0x4D95FC1D, 0x96B591AF, 0x70F4DDD3, 0x66A02F45, 0xBFBC09EC, 0x03BD9785, 0x7FAC6DD0, 0x31CB8504, 0x96EB27B3, 0x55FD3941, 0xDA2547E6, 0xABCA0A9A, 0x28507825, 0x530429F4, 0x0A2C86DA, 0xE9B66DFB, 0x68DC1462, 0xD7486900, 0x680EC0A4, 0x27A18DEE, 0x4F3FFEA2, 0xE887AD8C, 0xB58CE006, 0x7AF4D6B6, 0xAACE1E7C, 0xD3375FEC, 0xCE78A399, 0x406B2A42, 0x20FE9E35, 0xD9F385B9, 0xEE39D7AB, 0x3B124E8B, 0x1DC9FAF7, 0x4B6D1856, 0x26A36631, 0xEAE397B2, 0x3A6EFA74, 0xDD5B4332, 0x6841E7F7, 0xCA7820FB, 0xFB0AF54E, 0xD8FEB397, 0x454056AC, 0xBA489527, 0x55533A3A, 0x20838D87, 0xFE6BA9B7, 0xD096954B, 0x55A867BC, 0xA1159A58, 0xCCA92963, 0x99E1DB33, 0xA62A4A56, 0x3F3125F9, 0x5EF47E1C, 0x9029317C, 0xFDF8E802, 0x04272F70, 0x80BB155C, 0x05282CE3, 0x95C11548, 0xE4C66D22, 0x48C1133F, 0xC70F86DC, 0x07F9C9EE, 0x41041F0F, 0x404779A4, 0x5D886E17, 0x325F51EB, 0xD59BC0D1, 0xF2BCC18F, 0x41113564, 0x257B7834, 0x602A9C60, 0xDFF8E8A3, 0x1F636C1B, 0x0E12B4C2, 0x02E1329E, 0xAF664FD1, 0xCAD18115, 0x6B2395E0, 0x333E92E1, 0x3B240B62, 0xEEBEB922, 0x85B2A20E, 0xE6BA0D99, 0xDE720C8C, 0x2DA2F728, 0xD0127845, 0x95B794FD, 0x647D0862, 0xE7CCF5F0, 0x5449A36F, 0x877D48FA, 0xC39DFD27, 0xF33E8D1E, 0x0A476341, 0x992EFF74, 0x3A6F6EAB, 0xF4F8FD37, 0xA812DC60, 0xA1EBDDF8, 0x991BE14C, 0xDB6E6B0D, 0xC67B5510, 0x6D672C37, 0x2765D43B, 0xDCD0E804, 0xF1290DC7, 0xCC00FFA3, 0xB5390F92, 0x690FED0B, 0x667B9FFB, 0xCEDB7D9C, 0xA091CF0B, 0xD9155EA3, 0xBB132F88, 0x515BAD24, 0x7B9479BF, 0x763BD6EB, 0x37392EB3, 0xCC115979, 0x8026E297, 0xF42E312D, 0x6842ADA7, 0xC66A2B3B, 0x12754CCC, 0x782EF11C, 0x6A124237, 0xB79251E7, 0x06A1BBE6, 0x4BFB6350, 0x1A6B1018, 0x11CAEDFA, 0x3D25BDD8, 0xE2E1C3C9, 0x44421659, 0x0A121386, 0xD90CEC6E, 0xD5ABEA2A, 0x64AF674E, 0xDA86A85F, 0xBEBFE988, 0x64E4C3FE, 0x9DBC8057, 0xF0F7C086, 0x60787BF8, 0x6003604D, 0xD1FD8346, 0xF6381FB0, 0x7745AE04, 0xD736FCCC, 0x83426B33, 0xF01EAB71, 0xB0804187, 0x3C005E5F, 0x77A057BE, 0xBDE8AE24, 0x55464299, 0xBF582E61, 0x4E58F48F, 0xF2DDFDA2, 0xF474EF38, 0x8789BDC2, 0x5366F9C3, 0xC8B38E74, 0xB475F255, 0x46FCD9B9, 0x7AEB2661, 0x8B1DDF84, 0x846A0E79, 0x915F95E2, 0x466E598E, 0x20B45770, 0x8CD55591, 0xC902DE4C, 0xB90BACE1, 0xBB8205D0, 0x11A86248, 0x7574A99E, 0xB77F19B6, 0xE0A9DC09, 0x662D09A1, 0xC4324633, 0xE85A1F02, 0x09F0BE8C, 0x4A99A025, 0x1D6EFE10, 0x1AB93D1D, 0x0BA5A4DF, 0xA186F20F, 0x2868F169, 0xDCB7DA83, 0x573906FE, 0xA1E2CE9B, 0x4FCD7F52, 0x50115E01, 0xA70683FA, 0xA002B5C4, 0x0DE6D027, 0x9AF88C27, 0x773F8641, 0xC3604C06, 0x61A806B5, 0xF0177A28, 0xC0F586E0, 0x006058AA, 0x30DC7D62, 0x11E69ED7, 0x2338EA63, 0x53C2DD94, 0xC2C21634, 0xBBCBEE56, 0x90BCB6DE, 0xEBFC7DA1, 0xCE591D76, 0x6F05E409, 0x4B7C0188, 0x39720A3D, 0x7C927C24, 0x86E3725F, 0x724D9DB9, 0x1AC15BB4, 0xD39EB8FC, 0xED545578, 0x08FCA5B5, 0xD83D7CD3, 0x4DAD0FC4, 0x1E50EF5E, 0xB161E6F8, 0xA28514D9, 0x6C51133C, 0x6FD5C7E7, 0x56E14EC4, 0x362ABFCE, 0xDDC6C837, 0xD79A3234, 0x92638212, 0x670EFA8E, 0x406000E0 }, { /* ks3 */ 0x3A39CE37, 0xD3FAF5CF, 0xABC27737, 0x5AC52D1B, 0x5CB0679E, 0x4FA33742, 0xD3822740, 0x99BC9BBE, 0xD5118E9D, 0xBF0F7315, 0xD62D1C7E, 0xC700C47B, 0xB78C1B6B, 0x21A19045, 0xB26EB1BE, 0x6A366EB4, 0x5748AB2F, 0xBC946E79, 0xC6A376D2, 0x6549C2C8, 0x530FF8EE, 0x468DDE7D, 0xD5730A1D, 0x4CD04DC6, 0x2939BBDB, 0xA9BA4650, 0xAC9526E8, 0xBE5EE304, 0xA1FAD5F0, 0x6A2D519A, 0x63EF8CE2, 0x9A86EE22, 0xC089C2B8, 0x43242EF6, 0xA51E03AA, 0x9CF2D0A4, 0x83C061BA, 0x9BE96A4D, 0x8FE51550, 0xBA645BD6, 0x2826A2F9, 0xA73A3AE1, 0x4BA99586, 0xEF5562E9, 0xC72FEFD3, 0xF752F7DA, 0x3F046F69, 0x77FA0A59, 0x80E4A915, 0x87B08601, 0x9B09E6AD, 0x3B3EE593, 0xE990FD5A, 0x9E34D797, 0x2CF0B7D9, 0x022B8B51, 0x96D5AC3A, 0x017DA67D, 0xD1CF3ED6, 0x7C7D2D28, 0x1F9F25CF, 0xADF2B89B, 0x5AD6B472, 0x5A88F54C, 0xE029AC71, 0xE019A5E6, 0x47B0ACFD, 0xED93FA9B, 0xE8D3C48D, 0x283B57CC, 0xF8D56629, 0x79132E28, 0x785F0191, 0xED756055, 0xF7960E44, 0xE3D35E8C, 0x15056DD4, 0x88F46DBA, 0x03A16125, 0x0564F0BD, 0xC3EB9E15, 0x3C9057A2, 0x97271AEC, 0xA93A072A, 0x1B3F6D9B, 0x1E6321F5, 0xF59C66FB, 0x26DCF319, 0x7533D928, 0xB155FDF5, 0x03563482, 0x8ABA3CBB, 0x28517711, 0xC20AD9F8, 0xABCC5167, 0xCCAD925F, 0x4DE81751, 0x3830DC8E, 0x379D5862, 0x9320F991, 0xEA7A90C2, 0xFB3E7BCE, 0x5121CE64, 0x774FBE32, 0xA8B6E37E, 0xC3293D46, 0x48DE5369, 0x6413E680, 0xA2AE0810, 0xDD6DB224, 0x69852DFD, 0x09072166, 0xB39A460A, 0x6445C0DD, 0x586CDECF, 0x1C20C8AE, 0x5BBEF7DD, 0x1B588D40, 0xCCD2017F, 0x6BB4E3BB, 0xDDA26A7E, 0x3A59FF45, 0x3E350A44, 0xBCB4CDD5, 0x72EACEA8, 0xFA6484BB, 0x8D6612AE, 0xBF3C6F47, 0xD29BE463, 0x542F5D9E, 0xAEC2771B, 0xF64E6370, 0x740E0D8D, 0xE75B1357, 0xF8721671, 0xAF537D5D, 0x4040CB08, 0x4EB4E2CC, 0x34D2466A, 0x0115AF84, 0xE1B00428, 0x95983A1D, 0x06B89FB4, 0xCE6EA048, 0x6F3F3B82, 0x3520AB82, 0x011A1D4B, 0x277227F8, 0x611560B1, 0xE7933FDC, 0xBB3A792B, 0x344525BD, 0xA08839E1, 0x51CE794B, 0x2F32C9B7, 0xA01FBAC9, 0xE01CC87E, 0xBCC7D1F6, 0xCF0111C3, 0xA1E8AAC7, 0x1A908749, 0xD44FBD9A, 0xD0DADECB, 0xD50ADA38, 0x0339C32A, 0xC6913667, 0x8DF9317C, 0xE0B12B4F, 0xF79E59B7, 0x43F5BB3A, 0xF2D519FF, 0x27D9459C, 0xBF97222C, 0x15E6FC2A, 0x0F91FC71, 0x9B941525, 0xFAE59361, 0xCEB69CEB, 0xC2A86459, 0x12BAA8D1, 0xB6C1075E, 0xE3056A0C, 0x10D25065, 0xCB03A442, 0xE0EC6E0E, 0x1698DB3B, 0x4C98A0BE, 0x3278E964, 0x9F1F9532, 0xE0D392DF, 0xD3A0342B, 0x8971F21E, 0x1B0A7441, 0x4BA3348C, 0xC5BE7120, 0xC37632D8, 0xDF359F8D, 0x9B992F2E, 0xE60B6F47, 0x0FE3F11D, 0xE54CDA54, 0x1EDAD891, 0xCE6279CF, 0xCD3E7E6F, 0x1618B166, 0xFD2C1D05, 0x848FD2C5, 0xF6FB2299, 0xF523F357, 0xA6327623, 0x93A83531, 0x56CCCD02, 0xACF08162, 0x5A75EBB5, 0x6E163697, 0x88D273CC, 0xDE966292, 0x81B949D0, 0x4C50901B, 0x71C65614, 0xE6C6C7BD, 0x327A140A, 0x45E1D006, 0xC3F27B9A, 0xC9AA53FD, 0x62A80F00, 0xBB25BFE2, 0x35BDD2F6, 0x71126905, 0xB2040222, 0xB6CBCF7C, 0xCD769C2B, 0x53113EC0, 0x1640E3D3, 0x38ABBD60, 0x2547ADF0, 0xBA38209C, 0xF746CE76, 0x77AFA1C5, 0x20756060, 0x85CBFE4E, 0x8AE88DD8, 0x7AAAF9B0, 0x4CF9AA7E, 0x1948C25C, 0x02FB8A8C, 0x01C36AE4, 0xD6EBE1F9, 0x90D4F869, 0xA65CDEA0, 0x3F09252D, 0xC208E69F, 0xB74E6132, 0xCE77E25B, 0x578FDFE3, 0x3AC372E6 } }, { /* ps */ 0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C, 0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B } }; /* It's unfortunate to have to pick the bytes apart in the round * function. Werner's gnupg/libgcrypt code took the address of x, and * then read the individual bytes depending on the endianness. But * since xr and xl ought to live in registers, copying via memory is a * bad idea. */ #define F(c, x) \ ((( (c->s[0][(x>>24) &0xff] + c->s[1][(x>>16) & 0xff]) \ ^ c->s[2][(x>>8) & 0xff]) + c->s[3][x & 0xff]) & 0xffffffff) #define R(c, l,r,i) do { l ^= c->p[i]; r ^= F(c,l); } while(0) static void encrypt (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; xl = *ret_xl; xr = *ret_xr; R (ctx, xl, xr, 0); R (ctx, xr, xl, 1); R (ctx, xl, xr, 2); R (ctx, xr, xl, 3); R (ctx, xl, xr, 4); R (ctx, xr, xl, 5); R (ctx, xl, xr, 6); R (ctx, xr, xl, 7); R (ctx, xl, xr, 8); R (ctx, xr, xl, 9); R (ctx, xl, xr, 10); R (ctx, xr, xl, 11); R (ctx, xl, xr, 12); R (ctx, xr, xl, 13); R (ctx, xl, xr, 14); R (ctx, xr, xl, 15); xl ^= ctx->p[_BLOWFISH_ROUNDS]; xr ^= ctx->p[_BLOWFISH_ROUNDS + 1]; *ret_xl = xr; *ret_xr = xl; } static void decrypt (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; xl = *ret_xl; xr = *ret_xr; R (ctx, xl, xr, 17); R (ctx, xr, xl, 16); R (ctx, xl, xr, 15); R (ctx, xr, xl, 14); R (ctx, xl, xr, 13); R (ctx, xr, xl, 12); R (ctx, xl, xr, 11); R (ctx, xr, xl, 10); R (ctx, xl, xr, 9); R (ctx, xr, xl, 8); R (ctx, xl, xr, 7); R (ctx, xr, xl, 6); R (ctx, xl, xr, 5); R (ctx, xr, xl, 4); R (ctx, xl, xr, 3); R (ctx, xr, xl, 2); xl ^= ctx->p[1]; xr ^= ctx->p[0]; *ret_xl = xr; *ret_xr = xl; } #undef F #undef R void blowfish_encrypt (const struct blowfish_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { uint32_t d1, d2; d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); encrypt (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; dst[3] = d1 & 0xff; dst[4] = (d2 >> 24) & 0xff; dst[5] = (d2 >> 16) & 0xff; dst[6] = (d2 >> 8) & 0xff; dst[7] = d2 & 0xff; } } void blowfish_decrypt (const struct blowfish_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { uint32_t d1, d2; d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); decrypt (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; dst[3] = d1 & 0xff; dst[4] = (d2 >> 24) & 0xff; dst[5] = (d2 >> 16) & 0xff; dst[6] = (d2 >> 8) & 0xff; dst[7] = d2 & 0xff; } } int blowfish_set_key (struct blowfish_ctx *ctx, size_t length, const uint8_t * key) { int i, j; uint32_t data, datal, datar; *ctx = initial_ctx; for (i = j = 0; i < _BLOWFISH_ROUNDS + 2; i++) { data = (key[j] << 24) | (key[(j+1) % length] << 16) | (key[(j+2) % length] << 8) | key[(j+3) % length]; ctx->p[i] ^= data; j = (j + 4) % length; } datal = datar = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { encrypt (ctx, &datal, &datar); ctx->p[i] = datal; ctx->p[i + 1] = datar; } for (j = 0; j < 4; j++) for (i = 0; i < 256; i += 2) { encrypt (ctx, &datal, &datar); ctx->s[j][i] = datal; ctx->s[j][i + 1] = datar; } /* Check for weak key. A weak key is a key in which a value in the P-array (here c) occurs more than once per table. */ for (i = 0; i < 255; i++) { for (j = i + 1; j < 256; j++) { if ((ctx->s[0][i] == ctx->s[0][j]) || (ctx->s[1][i] == ctx->s[1][j]) || (ctx->s[2][i] == ctx->s[2][j]) || (ctx->s[3][i] == ctx->s[3][j])) return 0; } } return 1; } int blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key) { return blowfish_set_key (ctx, BLOWFISH128_KEY_SIZE, key); } nettle-3.4.1/nettle-internal.h0000644000175000017500000000675013401564746015336 0ustar nissenisse/* nettle-internal.h Things that are used only by the testsuite and benchmark, and not included in the library. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_INTERNAL_H_INCLUDED #define NETTLE_INTERNAL_H_INCLUDED #include "nettle-meta.h" /* Temporary allocation, for systems that don't support alloca. Note * that the allocation requests should always be reasonably small, so * that they can fit on the stack. For non-alloca systems, we use a * fix maximum size, and abort if we ever need anything larger. */ #if HAVE_ALLOCA # define TMP_DECL(name, type, max) type *name # define TMP_ALLOC(name, size) (name = alloca(sizeof (*name) * (size))) #else /* !HAVE_ALLOCA */ # define TMP_DECL(name, type, max) type name[max] # define TMP_ALLOC(name, size) \ do { if ((size) > (sizeof(name) / sizeof(name[0]))) abort(); } while (0) #endif /* Arbitrary limits which apply to systems that don't have alloca */ #define NETTLE_MAX_HASH_BLOCK_SIZE 128 #define NETTLE_MAX_HASH_DIGEST_SIZE 64 #define NETTLE_MAX_HASH_CONTEXT_SIZE (sizeof(struct sha3_224_ctx)) #define NETTLE_MAX_SEXP_ASSOC 17 #define NETTLE_MAX_CIPHER_BLOCK_SIZE 32 /* Doesn't quite fit with the other algorithms, because of the weak * keys. Weak keys are not reported, the functions will simply crash * if you try to use a weak key. */ extern const struct nettle_cipher nettle_des; extern const struct nettle_cipher nettle_des3; extern const struct nettle_cipher nettle_blowfish128; extern const struct nettle_cipher nettle_unified_aes128; extern const struct nettle_cipher nettle_unified_aes192; extern const struct nettle_cipher nettle_unified_aes256; /* Stream ciphers treated as aead algorithms with no authentication. */ extern const struct nettle_aead nettle_arcfour128; extern const struct nettle_aead nettle_chacha; extern const struct nettle_aead nettle_salsa20; extern const struct nettle_aead nettle_salsa20r12; /* Glue to openssl, for comparative benchmarking. Code in * examples/nettle-openssl.c. */ extern void nettle_openssl_init(void); extern const struct nettle_cipher nettle_openssl_aes128; extern const struct nettle_cipher nettle_openssl_aes192; extern const struct nettle_cipher nettle_openssl_aes256; extern const struct nettle_cipher nettle_openssl_blowfish128; extern const struct nettle_cipher nettle_openssl_des; extern const struct nettle_cipher nettle_openssl_cast128; extern const struct nettle_aead nettle_openssl_arcfour128; extern const struct nettle_hash nettle_openssl_md5; extern const struct nettle_hash nettle_openssl_sha1; #endif /* NETTLE_INTERNAL_H_INCLUDED */ nettle-3.4.1/chacha-poly1305-meta.c0000644000175000017500000000334113401564745015641 0ustar nissenisse/* chacha-poly1305-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "chacha-poly1305.h" const struct nettle_aead nettle_chacha_poly1305 = { "chacha_poly1305", sizeof(struct chacha_poly1305_ctx), CHACHA_POLY1305_BLOCK_SIZE, CHACHA_POLY1305_KEY_SIZE, CHACHA_POLY1305_NONCE_SIZE, CHACHA_POLY1305_DIGEST_SIZE, (nettle_set_key_func *) chacha_poly1305_set_key, (nettle_set_key_func *) chacha_poly1305_set_key, (nettle_set_key_func *) chacha_poly1305_set_nonce, (nettle_hash_update_func *) chacha_poly1305_update, (nettle_crypt_func *) chacha_poly1305_encrypt, (nettle_crypt_func *) chacha_poly1305_decrypt, (nettle_hash_digest_func *) chacha_poly1305_digest, }; nettle-3.4.1/base64-encode.c0000644000175000017500000001061713401564745014537 0ustar nissenisse/* base64-encode.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base64.h" #define ENCODE(alphabet,x) ((alphabet)[0x3F & (x)]) static void encode_raw(const char *alphabet, char *dst, size_t length, const uint8_t *src) { const uint8_t *in = src + length; char *out = dst + BASE64_ENCODE_RAW_LENGTH(length); unsigned left_over = length % 3; if (left_over) { in -= left_over; *--out = '='; switch(left_over) { case 1: *--out = '='; *--out = ENCODE(alphabet, (in[0] << 4)); break; case 2: *--out = ENCODE(alphabet, (in[1] << 2)); *--out = ENCODE(alphabet, ((in[0] << 4) | (in[1] >> 4))); break; default: abort(); } *--out = ENCODE(alphabet, (in[0] >> 2)); } while (in > src) { in -= 3; *--out = ENCODE(alphabet, (in[2])); *--out = ENCODE(alphabet, ((in[1] << 2) | (in[2] >> 6))); *--out = ENCODE(alphabet, ((in[0] << 4) | (in[1] >> 4))); *--out = ENCODE(alphabet, (in[0] >> 2)); } assert(in == src); assert(out == dst); } static const char base64_encode_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789+/"; void base64_encode_raw(char *dst, size_t length, const uint8_t *src) { encode_raw(base64_encode_table, dst, length, src); } void base64_encode_group(char *dst, uint32_t group) { *dst++ = ENCODE(base64_encode_table, (group >> 18)); *dst++ = ENCODE(base64_encode_table, (group >> 12)); *dst++ = ENCODE(base64_encode_table, (group >> 6)); *dst++ = ENCODE(base64_encode_table, group); } void base64_encode_init(struct base64_encode_ctx *ctx) { ctx->word = ctx->bits = 0; ctx->alphabet = base64_encode_table; } /* Encodes a single byte. */ size_t base64_encode_single(struct base64_encode_ctx *ctx, char *dst, uint8_t src) { unsigned done = 0; unsigned word = ctx->word << 8 | src; unsigned bits = ctx->bits + 8; while (bits >= 6) { bits -= 6; dst[done++] = ENCODE(ctx->alphabet, (word >> bits)); } ctx->bits = bits; ctx->word = word; assert(done <= 2); return done; } /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src) { size_t done = 0; size_t left = length; unsigned left_over; size_t bulk; while (ctx->bits && left) { left--; done += base64_encode_single(ctx, dst + done, *src++); } left_over = left % 3; bulk = left - left_over; if (bulk) { assert(!(bulk % 3)); encode_raw(ctx->alphabet, dst + done, bulk, src); done += BASE64_ENCODE_RAW_LENGTH(bulk); src += bulk; left = left_over; } while (left) { left--; done += base64_encode_single(ctx, dst + done, *src++); } assert(done <= BASE64_ENCODE_LENGTH(length)); return done; } /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_SIZE */ size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst) { unsigned done = 0; unsigned bits = ctx->bits; if (bits) { dst[done++] = ENCODE(ctx->alphabet, (ctx->word << (6 - ctx->bits))); for (; bits < 6; bits += 2) dst[done++] = '='; ctx->bits = 0; } assert(done <= BASE64_ENCODE_FINAL_LENGTH); return done; } nettle-3.4.1/blowfish.h0000644000175000017500000000450513401564746014042 0ustar nissenisse/* blowfish.h Blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BLOWFISH_H_INCLUDED #define NETTLE_BLOWFISH_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define blowfish_set_key nettle_blowfish_set_key #define blowfish128_set_key nettle_blowfish128_set_key #define blowfish_encrypt nettle_blowfish_encrypt #define blowfish_decrypt nettle_blowfish_decrypt #define BLOWFISH_BLOCK_SIZE 8 /* Variable key size between 64 and 448 bits. */ #define BLOWFISH_MIN_KEY_SIZE 8 #define BLOWFISH_MAX_KEY_SIZE 56 /* Default to 128 bits */ #define BLOWFISH_KEY_SIZE 16 #define BLOWFISH128_KEY_SIZE 16 #define _BLOWFISH_ROUNDS 16 struct blowfish_ctx { uint32_t s[4][256]; uint32_t p[_BLOWFISH_ROUNDS+2]; }; /* Returns 0 for weak keys, otherwise 1. */ int blowfish_set_key(struct blowfish_ctx *ctx, size_t length, const uint8_t *key); int blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key); void blowfish_encrypt(const struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void blowfish_decrypt(const struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_BLOWFISH_H_INCLUDED */ nettle-3.4.1/sexp-format.c0000644000175000017500000001466513401564745014474 0ustar nissenisse/* sexp-format.c Writing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "sexp.h" #include "buffer.h" #include "bignum.h" static unsigned format_prefix(struct nettle_buffer *buffer, size_t length) { size_t digit = 1; unsigned prefix_length = 1; for (;;) { size_t next = digit * 10; if (next > length) break; prefix_length++; digit = next; } if (buffer) { for (; digit; length %= digit, digit /= 10) if (!NETTLE_BUFFER_PUTC(buffer, '0' + length / digit)) return 0; if (!NETTLE_BUFFER_PUTC(buffer, ':')) return 0; } return prefix_length + 1; } static size_t format_string(struct nettle_buffer *buffer, size_t length, const uint8_t *s) { unsigned prefix_length = format_prefix(buffer, length); if (!prefix_length) return 0; if (buffer && !nettle_buffer_write(buffer, length, s)) return 0; return prefix_length + length; } static inline size_t strlen_u8 (const uint8_t *s) { return strlen((const char*) s); } size_t sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { unsigned nesting = 0; size_t done = 0; for (;;) switch (*format++) { default: { const char *start = format - 1; size_t length = 1 + strcspn(format, "()% \t"); size_t output_length = format_string(buffer, length, (const uint8_t *) start); if (!output_length) return 0; done += output_length; format = start + length; break; } case ' ': case '\t': break; case '\0': assert(!nesting); return done; case '(': if (buffer && !NETTLE_BUFFER_PUTC(buffer, '(')) return 0; done++; nesting++; break; case ')': assert (nesting); if (buffer && !NETTLE_BUFFER_PUTC(buffer, ')')) return 0; done++; nesting--; break; case '%': { int nul_flag = 0; if (*format == '0') { format++; nul_flag = 1; } switch (*format++) { default: abort(); case '(': case ')': /* Allow unbalanced parenthesis */ if (buffer && !NETTLE_BUFFER_PUTC(buffer, format[-1])) return 0; done++; break; case 's': { const uint8_t *s; size_t length; size_t output_length; if (nul_flag) { s = va_arg(args, const uint8_t *); length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); } output_length = format_string(buffer, length, s); if (!output_length) return 0; done += output_length; break; } case 't': { const uint8_t *s; size_t length; size_t output_length; if (nul_flag) { s = va_arg(args, const uint8_t *); if (!s) break; length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); if (!s) break; } if (buffer && !NETTLE_BUFFER_PUTC(buffer, '[')) return 0; done++; output_length = format_string(buffer, length, s); if (!output_length) return 0; done += output_length; if (buffer && !NETTLE_BUFFER_PUTC(buffer, ']')) return 0; done++; break; } case 'l': { const uint8_t *s; size_t length; if (nul_flag) { s = va_arg(args, const uint8_t *); length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); } if (buffer && !nettle_buffer_write(buffer, length, s)) return 0; done += length; break; } case 'i': { uint32_t x = va_arg(args, uint32_t); unsigned length; if (x < 0x80) length = 1; else if (x < 0x8000L) length = 2; else if (x < 0x800000L) length = 3; else if (x < 0x80000000L) length = 4; else length = 5; if (buffer && !(NETTLE_BUFFER_PUTC(buffer, '0' + length) && NETTLE_BUFFER_PUTC(buffer, ':'))) return 0; done += (2 + length); if (buffer) switch(length) { case 5: /* Leading byte needed for the sign. */ if (!NETTLE_BUFFER_PUTC(buffer, 0)) return 0; /* Fall through */ case 4: if (!NETTLE_BUFFER_PUTC(buffer, x >> 24)) return 0; /* Fall through */ case 3: if (!NETTLE_BUFFER_PUTC(buffer, (x >> 16) & 0xff)) return 0; /* Fall through */ case 2: if (!NETTLE_BUFFER_PUTC(buffer, (x >> 8) & 0xff)) return 0; /* Fall through */ case 1: if (!NETTLE_BUFFER_PUTC(buffer, x & 0xff)) return 0; break; default: abort(); } break; } case 'b': { mpz_srcptr n = va_arg(args, mpz_srcptr); size_t length; unsigned prefix_length; length = nettle_mpz_sizeinbase_256_s(n); prefix_length = format_prefix(buffer, length); if (!prefix_length) return 0; done += prefix_length; if (buffer) { uint8_t *space = nettle_buffer_space(buffer, length); if (!space) return 0; nettle_mpz_get_str_256(length, space, n); } done += length; break; } } } } } size_t sexp_format(struct nettle_buffer *buffer, const char *format, ...) { va_list args; size_t done; va_start(args, format); done = sexp_vformat(buffer, format, args); va_end(args); return done; } nettle-3.4.1/ccm-aes256.c0000644000175000017500000000623313401564745013764 0ustar nissenisse/* ccm-aes256.c Counter with CBC-MAC mode using AES256 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key(&ctx->cipher, key); } void ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes256_update(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, data); } void ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, dst, src); } void ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, dst, src); } void ccm_aes256_digest(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, digest); } void ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes256_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(&ctx->cipher, (nettle_cipher_func *) aes256_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-3.4.1/desCode.h0000644000175000017500000002560613401564746013600 0ustar nissenisse/* desCode.h * */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ #include "des.h" /* optional customization: * the idea here is to alter the code so it will still run correctly * on any machine, but the quickest on the specific machine in mind. * note that these silly tweaks can give you a 15%-20% speed improvement * on the sparc -- it's probably even more significant on the 68000. */ /* take care of machines with incredibly few registers */ #if defined(i386) #define REGISTER /* only x, y, z will be declared register */ #else #define REGISTER register #endif /* i386 */ /* is auto inc/dec faster than 7bit unsigned indexing? */ #if defined(vax) || defined(mc68000) #define FIXR r += 32; #define FIXS s += 8; #define PREV(v,o) *--v #define NEXT(v,o) *v++ #else #define FIXR #define FIXS #define PREV(v,o) v[o] #define NEXT(v,o) v[o] #endif /* if no machine type, default is indexing, 6 registers and cheap literals */ #if !defined(i386) && !defined(vax) && !defined(mc68000) && !defined(sparc) #define vax #endif /* handle a compiler which can't reallocate registers */ /* The BYTE type is used as parameter for the encrypt/decrypt functions. * It's pretty bad to have the function prototypes depend on * a macro definition that the users of the function doesn't * know about. /Niels */ #if 0 /* didn't feel like deleting */ #define SREGFREE ; s = (uint8_t *) D #define DEST s #define D m0 #define BYTE uint32_t #else #define SREGFREE #define DEST d #define D d #define BYTE uint8_t #endif /* handle constants in the optimal way for 386 & vax */ /* 386: we declare 3 register variables (see above) and use 3 more variables; * vax: we use 6 variables, all declared register; * we assume address literals are cheap & unrestricted; * we assume immediate constants are cheap & unrestricted. */ #if defined(i386) || defined(vax) #define MQ0 des_bigmap #define MQ1 (des_bigmap + 64) #define MQ2 (des_bigmap + 128) #define MQ3 (des_bigmap + 192) #define HQ0(z) /* z |= 0x01000000L; */ #define HQ2(z) /* z |= 0x03000200L; */ #define LQ0(z) 0xFCFC & z #define LQ1(z) 0xFCFC & z #define LQ2(z) 0xFCFC & z #define LQ3(z) 0xFCFC & z #define SQ 16 #define MS0 des_keymap #define MS1 (des_keymap + 64) #define MS2 (des_keymap + 128) #define MS3 (des_keymap + 192) #define MS4 (des_keymap + 256) #define MS5 (des_keymap + 320) #define MS6 (des_keymap + 384) #define MS7 (des_keymap + 448) #define HS(z) #define LS0(z) 0xFC & z #define LS1(z) 0xFC & z #define LS2(z) 0xFC & z #define LS3(z) 0xFC & z #define REGQUICK #define SETQUICK #define REGSMALL #define SETSMALL #endif /* defined(i386) || defined(vax) */ /* handle constants in the optimal way for mc68000 */ /* in addition to the core 6 variables, we declare 3 registers holding constants * and 4 registers holding address literals. * at most 6 data values and 5 address values are actively used at once. * we assume address literals are so expensive we never use them; * we assume constant index offsets > 127 are expensive, so they are not used. * we assume all constants are expensive and put them in registers, * including shift counts greater than 8. */ #if defined(mc68000) #define MQ0 m0 #define MQ1 m1 #define MQ2 m2 #define MQ3 m3 #define HQ0(z) #define HQ2(z) #define LQ0(z) k0 & z #define LQ1(z) k0 & z #define LQ2(z) k0 & z #define LQ3(z) k0 & z #define SQ k1 #define MS0 m0 #define MS1 m0 #define MS2 m1 #define MS3 m1 #define MS4 m2 #define MS5 m2 #define MS6 m3 #define MS7 m3 #define HS(z) z |= k0; #define LS0(z) k1 & z #define LS1(z) k2 & z #define LS2(z) k1 & z #define LS3(z) k2 & z #define REGQUICK \ register uint32_t k0, k1; \ register uint32_t *m0, *m1, *m2, *m3; #define SETQUICK \ ; k0 = 0xFCFC \ ; k1 = 16 \ /*k2 = 28 to speed up ROL */ \ ; m0 = des_bigmap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 #define REGSMALL \ register uint32_t k0, k1, k2; \ register uint32_t *m0, *m1, *m2, *m3; #define SETSMALL \ ; k0 = 0x01000100L \ ; k1 = 0x0FC \ ; k2 = 0x1FC \ ; m0 = des_keymap \ ; m1 = m0 + 128 \ ; m2 = m1 + 128 \ ; m3 = m2 + 128 #endif /* defined(mc68000) */ /* handle constants in the optimal way for sparc */ /* in addition to the core 6 variables, we either declare: * 4 registers holding address literals and 1 register holding a constant, or * 8 registers holding address literals. * up to 14 register variables are declared (sparc has %i0-%i5, %l0-%l7). * we assume address literals are so expensive we never use them; * we assume any constant with >10 bits is expensive and put it in a register, * and any other is cheap and is coded in-line. */ #if defined(sparc) #define MQ0 m0 #define MQ1 m1 #define MQ2 m2 #define MQ3 m3 #define HQ0(z) #define HQ2(z) #define LQ0(z) k0 & z #define LQ1(z) k0 & z #define LQ2(z) k0 & z #define LQ3(z) k0 & z #define SQ 16 #define MS0 m0 #define MS1 m1 #define MS2 m2 #define MS3 m3 #define MS4 m4 #define MS5 m5 #define MS6 m6 #define MS7 m7 #define HS(z) #define LS0(z) 0xFC & z #define LS1(z) 0xFC & z #define LS2(z) 0xFC & z #define LS3(z) 0xFC & z #define REGQUICK \ register uint32_t k0; \ register uint32_t *m0, *m1, *m2, *m3; #define SETQUICK \ ; k0 = 0xFCFC \ ; m0 = des_bigmap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 #define REGSMALL \ register uint32_t *m0, *m1, *m2, *m3, *m4, *m5, *m6, *m7; #define SETSMALL \ ; m0 = des_keymap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 \ ; m4 = m3 + 64 \ ; m5 = m4 + 64 \ ; m6 = m5 + 64 \ ; m7 = m6 + 64 #endif /* defined(sparc) */ /* some basic stuff */ /* generate addresses from a base and an index */ /* FIXME: This is used only as *ADD(msi,lsi(z)) or *ADD(mqi,lqi(z)). * Why not use plain indexing instead? /Niels */ #define ADD(b,x) (uint32_t *) ((uint8_t *)b + (x)) /* low level rotate operations */ #define NOP(d,c,o) #define ROL(d,c,o) d = d << c | d >> o #define ROR(d,c,o) d = d >> c | d << o #define ROL1(d) ROL(d, 1, 31) #define ROR1(d) ROR(d, 1, 31) /* elementary swap for doing IP/FP */ #define SWAP(x,y,m,b) \ z = ((x >> b) ^ y) & m; \ x ^= z << b; \ y ^= z /* the following macros contain all the important code fragments */ /* load input data, then setup special registers holding constants */ #define TEMPQUICK(LOAD) \ REGQUICK \ LOAD() \ SETQUICK #define TEMPSMALL(LOAD) \ REGSMALL \ LOAD() \ SETSMALL /* load data */ #define LOADDATA(x,y) \ FIXS \ y = PREV(s, 7); y<<= 8; \ y |= PREV(s, 6); y<<= 8; \ y |= PREV(s, 5); y<<= 8; \ y |= PREV(s, 4); \ x = PREV(s, 3); x<<= 8; \ x |= PREV(s, 2); x<<= 8; \ x |= PREV(s, 1); x<<= 8; \ x |= PREV(s, 0) \ SREGFREE /* load data without initial permutation and put into efficient position */ #define LOADCORE() \ LOADDATA(x, y); \ ROR1(x); \ ROR1(y) /* load data, do the initial permutation and put into efficient position */ #define LOADFIPS() \ LOADDATA(y, x); \ SWAP(x, y, 0x0F0F0F0FL, 004); \ SWAP(y, x, 0x0000FFFFL, 020); \ SWAP(x, y, 0x33333333L, 002); \ SWAP(y, x, 0x00FF00FFL, 010); \ ROR1(x); \ z = (x ^ y) & 0x55555555L; \ y ^= z; \ x ^= z; \ ROR1(y) /* core encryption/decryption operations */ /* S box mapping and P perm */ #define KEYMAPSMALL(x,z,mq0,mq1,hq,lq0,lq1,sq,ms0,ms1,ms2,ms3,hs,ls0,ls1,ls2,ls3)\ hs(z) \ x ^= *ADD(ms3, ls3(z)); \ z>>= 8; \ x ^= *ADD(ms2, ls2(z)); \ z>>= 8; \ x ^= *ADD(ms1, ls1(z)); \ z>>= 8; \ x ^= *ADD(ms0, ls0(z)) /* alternate version: use 64k of tables */ #define KEYMAPQUICK(x,z,mq0,mq1,hq,lq0,lq1,sq,ms0,ms1,ms2,ms3,hs,ls0,ls1,ls2,ls3)\ hq(z) \ x ^= *ADD(mq0, lq0(z)); \ z>>= sq; \ x ^= *ADD(mq1, lq1(z)) /* apply 24 key bits and do the odd s boxes */ #define S7S1(x,y,z,r,m,KEYMAP,LOAD) \ z = LOAD(r, m); \ z ^= y; \ KEYMAP(x,z,MQ0,MQ1,HQ0,LQ0,LQ1,SQ,MS0,MS1,MS2,MS3,HS,LS0,LS1,LS2,LS3) /* apply 24 key bits and do the even s boxes */ #define S6S0(x,y,z,r,m,KEYMAP,LOAD) \ z = LOAD(r, m); \ z ^= y; \ ROL(z, 4, 28); \ KEYMAP(x,z,MQ2,MQ3,HQ2,LQ2,LQ3,SQ,MS4,MS5,MS6,MS7,HS,LS0,LS1,LS2,LS3) /* actual iterations. equivalent except for UPDATE & swapping m and n */ #define ENCR(x,y,z,r,m,n,KEYMAP) \ S7S1(x,y,z,r,m,KEYMAP,NEXT); \ S6S0(x,y,z,r,n,KEYMAP,NEXT) #define DECR(x,y,z,r,m,n,KEYMAP) \ S6S0(x,y,z,r,m,KEYMAP,PREV); \ S7S1(x,y,z,r,n,KEYMAP,PREV) /* write out result in correct byte order */ #define SAVEDATA(x,y) \ NEXT(DEST, 0) = x; x>>= 8; \ NEXT(DEST, 1) = x; x>>= 8; \ NEXT(DEST, 2) = x; x>>= 8; \ NEXT(DEST, 3) = x; \ NEXT(DEST, 4) = y; y>>= 8; \ NEXT(DEST, 5) = y; y>>= 8; \ NEXT(DEST, 6) = y; y>>= 8; \ NEXT(DEST, 7) = y /* write out result */ #define SAVECORE() \ ROL1(x); \ ROL1(y); \ SAVEDATA(y, x) /* do final permutation and write out result */ #define SAVEFIPS() \ ROL1(x); \ z = (x ^ y) & 0x55555555L; \ y ^= z; \ x ^= z; \ ROL1(y); \ SWAP(x, y, 0x00FF00FFL, 010); \ SWAP(y, x, 0x33333333L, 002); \ SWAP(x, y, 0x0000FFFFL, 020); \ SWAP(y, x, 0x0F0F0F0FL, 004); \ SAVEDATA(x, y) /* the following macros contain the encryption/decryption skeletons */ #define ENCRYPT(NAME, TEMP, LOAD, KEYMAP, SAVE) \ \ void \ NAME(REGISTER BYTE *D, \ REGISTER const uint32_t *r, \ REGISTER const uint8_t *s) \ { \ register uint32_t x, y, z; \ \ /* declare temps & load data */ \ TEMP(LOAD); \ \ /* do the 16 iterations */ \ ENCR(x,y,z,r, 0, 1,KEYMAP); \ ENCR(y,x,z,r, 2, 3,KEYMAP); \ ENCR(x,y,z,r, 4, 5,KEYMAP); \ ENCR(y,x,z,r, 6, 7,KEYMAP); \ ENCR(x,y,z,r, 8, 9,KEYMAP); \ ENCR(y,x,z,r,10,11,KEYMAP); \ ENCR(x,y,z,r,12,13,KEYMAP); \ ENCR(y,x,z,r,14,15,KEYMAP); \ ENCR(x,y,z,r,16,17,KEYMAP); \ ENCR(y,x,z,r,18,19,KEYMAP); \ ENCR(x,y,z,r,20,21,KEYMAP); \ ENCR(y,x,z,r,22,23,KEYMAP); \ ENCR(x,y,z,r,24,25,KEYMAP); \ ENCR(y,x,z,r,26,27,KEYMAP); \ ENCR(x,y,z,r,28,29,KEYMAP); \ ENCR(y,x,z,r,30,31,KEYMAP); \ \ /* save result */ \ SAVE(); \ \ return; \ } #define DECRYPT(NAME, TEMP, LOAD, KEYMAP, SAVE) \ \ void \ NAME(REGISTER BYTE *D, \ REGISTER const uint32_t *r, \ REGISTER const uint8_t *s) \ { \ register uint32_t x, y, z; \ \ /* declare temps & load data */ \ TEMP(LOAD); \ \ /* do the 16 iterations */ \ FIXR \ DECR(x,y,z,r,31,30,KEYMAP); \ DECR(y,x,z,r,29,28,KEYMAP); \ DECR(x,y,z,r,27,26,KEYMAP); \ DECR(y,x,z,r,25,24,KEYMAP); \ DECR(x,y,z,r,23,22,KEYMAP); \ DECR(y,x,z,r,21,20,KEYMAP); \ DECR(x,y,z,r,19,18,KEYMAP); \ DECR(y,x,z,r,17,16,KEYMAP); \ DECR(x,y,z,r,15,14,KEYMAP); \ DECR(y,x,z,r,13,12,KEYMAP); \ DECR(x,y,z,r,11,10,KEYMAP); \ DECR(y,x,z,r, 9, 8,KEYMAP); \ DECR(x,y,z,r, 7, 6,KEYMAP); \ DECR(y,x,z,r, 5, 4,KEYMAP); \ DECR(x,y,z,r, 3, 2,KEYMAP); \ DECR(y,x,z,r, 1, 0,KEYMAP); \ \ /* save result */ \ SAVE(); \ \ return; \ } nettle-3.4.1/des3.c0000644000175000017500000000415513401564745013056 0ustar nissenisse/* des3.c Triple DES cipher. Three key encrypt-decrypt-encrypt. Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "des.h" /* It's possible to make some more general pipe construction, like the * lsh/src/cascade.c, but as in practice it's never used for anything * like triple DES, it's not worth the effort. */ /* Returns 1 for good keys and 0 for weak keys. */ int des3_set_key(struct des3_ctx *ctx, const uint8_t *key) { unsigned i; int is_good = 1; for (i = 0; i<3; i++, key += DES_KEY_SIZE) if (!des_set_key(&ctx->des[i], key)) is_good = 0; return is_good; } void des3_encrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { des_encrypt(&ctx->des[0], length, dst, src); des_decrypt(&ctx->des[1], length, dst, dst); des_encrypt(&ctx->des[2], length, dst, dst); } void des3_decrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { des_decrypt(&ctx->des[2], length, dst, src); des_encrypt(&ctx->des[1], length, dst, dst); des_decrypt(&ctx->des[0], length, dst, dst); } nettle-3.4.1/serpent-set-key.c0000644000175000017500000002402013401564745015250 0ustar nissenisse/* serpent-set-key.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011, 2014 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* Magic number, used during generating of the subkeys. */ #define PHI 0x9E3779B9 /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* FIXME: Except when used within the key schedule, the inputs are not used after the substitution, and hence we could allow them to be destroyed. Can this freedom be used to optimize the sboxes? */ #define SBOX0(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t05, t06, t07, t08, t09; \ type t11, t12, t13, t14, t15, t17, t01; \ t01 = b ^ c ; \ t02 = a | d ; \ t03 = a ^ b ; \ z = t02 ^ t01; \ t05 = c | z ; \ t06 = a ^ d ; \ t07 = b | c ; \ t08 = d & t05; \ t09 = t03 & t07; \ y = t09 ^ t08; \ t11 = t09 & y ; \ t12 = c ^ d ; \ t13 = t07 ^ t11; \ t14 = b & t06; \ t15 = t06 ^ t13; \ w = ~ t15; \ t17 = w ^ t14; \ x = t12 ^ t17; \ } while (0) #define SBOX1(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t07, t08; \ type t10, t11, t12, t13, t16, t17, t01; \ t01 = a | d ; \ t02 = c ^ d ; \ t03 = ~ b ; \ t04 = a ^ c ; \ t05 = a | t03; \ t06 = d & t04; \ t07 = t01 & t02; \ t08 = b | t06; \ y = t02 ^ t05; \ t10 = t07 ^ t08; \ t11 = t01 ^ t10; \ t12 = y ^ t11; \ t13 = b & d ; \ z = ~ t10; \ x = t13 ^ t12; \ t16 = t10 | x ; \ t17 = t05 & t16; \ w = c ^ t17; \ } while (0) #define SBOX2(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t05, t06, t07, t08; \ type t09, t10, t12, t13, t14, t01; \ t01 = a | c ; \ t02 = a ^ b ; \ t03 = d ^ t01; \ w = t02 ^ t03; \ t05 = c ^ w ; \ t06 = b ^ t05; \ t07 = b | t05; \ t08 = t01 & t06; \ t09 = t03 ^ t07; \ t10 = t02 | t09; \ x = t10 ^ t08; \ t12 = a | d ; \ t13 = t09 ^ x ; \ t14 = b ^ t13; \ z = ~ t09; \ y = t12 ^ t14; \ } while (0) #define SBOX3(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t07, t08; \ type t09, t10, t11, t13, t14, t15, t01; \ t01 = a ^ c ; \ t02 = a | d ; \ t03 = a & d ; \ t04 = t01 & t02; \ t05 = b | t03; \ t06 = a & b ; \ t07 = d ^ t04; \ t08 = c | t06; \ t09 = b ^ t07; \ t10 = d & t05; \ t11 = t02 ^ t10; \ z = t08 ^ t09; \ t13 = d | z ; \ t14 = a | t07; \ t15 = b & t13; \ y = t08 ^ t11; \ w = t14 ^ t15; \ x = t05 ^ t04; \ } while (0) #define SBOX4(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t08, t09; \ type t10, t11, t12, t13, t14, t15, t16, t01; \ t01 = a | b ; \ t02 = b | c ; \ t03 = a ^ t02; \ t04 = b ^ d ; \ t05 = d | t03; \ t06 = d & t01; \ z = t03 ^ t06; \ t08 = z & t04; \ t09 = t04 & t05; \ t10 = c ^ t06; \ t11 = b & c ; \ t12 = t04 ^ t08; \ t13 = t11 | t03; \ t14 = t10 ^ t09; \ t15 = a & t05; \ t16 = t11 | t12; \ y = t13 ^ t08; \ x = t15 ^ t16; \ w = ~ t14; \ } while (0) #define SBOX5(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t07, t08, t09; \ type t10, t11, t12, t13, t14, t01; \ t01 = b ^ d ; \ t02 = b | d ; \ t03 = a & t01; \ t04 = c ^ t02; \ t05 = t03 ^ t04; \ w = ~ t05; \ t07 = a ^ t01; \ t08 = d | w ; \ t09 = b | t05; \ t10 = d ^ t08; \ t11 = b | t07; \ t12 = t03 | w ; \ t13 = t07 | t10; \ t14 = t01 ^ t11; \ y = t09 ^ t13; \ x = t07 ^ t08; \ z = t12 ^ t14; \ } while (0) #define SBOX6(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t07, t08, t09, t10; \ type t11, t12, t13, t15, t17, t18, t01; \ t01 = a & d ; \ t02 = b ^ c ; \ t03 = a ^ d ; \ t04 = t01 ^ t02; \ t05 = b | c ; \ x = ~ t04; \ t07 = t03 & t05; \ t08 = b & x ; \ t09 = a | c ; \ t10 = t07 ^ t08; \ t11 = b | d ; \ t12 = c ^ t11; \ t13 = t09 ^ t10; \ y = ~ t13; \ t15 = x & t03; \ z = t12 ^ t07; \ t17 = a ^ b ; \ t18 = y ^ t15; \ w = t17 ^ t18; \ } while (0) #define SBOX7(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t08, t09, t10; \ type t11, t13, t14, t15, t16, t17, t01; \ t01 = a & c ; \ t02 = ~ d ; \ t03 = a & t02; \ t04 = b | t01; \ t05 = a & b ; \ t06 = c ^ t04; \ z = t03 ^ t06; \ t08 = c | z ; \ t09 = d | t05; \ t10 = a ^ t08; \ t11 = t04 & z ; \ x = t09 ^ t10; \ t13 = b ^ x ; \ t14 = t01 ^ x ; \ t15 = c ^ t05; \ t16 = t11 | t13; \ t17 = t02 | t14; \ w = t15 ^ t17; \ y = a ^ t16; \ } while (0) /* Key schedule */ /* Note: Increments k */ #define KS_RECURRENCE(w, i, k) \ do { \ uint32_t _wn = (w)[(i)] ^ (w)[((i)+3)&7] ^ w[((i)+5)&7] \ ^ w[((i)+7)&7] ^ PHI ^ (k)++; \ ((w)[(i)] = ROTL32(11, _wn)); \ } while (0) /* Note: Increments k four times and keys once */ #define KS(keys, s, w, i, k) \ do { \ KS_RECURRENCE(w, (i), (k)); \ KS_RECURRENCE(w, (i)+1, (k)); \ KS_RECURRENCE(w, (i)+2, (k)); \ KS_RECURRENCE(w, (i)+3, (k)); \ SBOX##s(uint32_t, w[(i)],w[(i)+1],w[(i)+2],w[(i)+3], \ (*keys)[0],(*keys)[1],(*keys)[2],(*keys)[3]); \ (keys)++; \ } while (0) /* Pad user key and convert to an array of 8 uint32_t. */ static void serpent_key_pad (const uint8_t *key, unsigned int key_length, uint32_t *w) { unsigned int i; assert (key_length <= SERPENT_MAX_KEY_SIZE); for (i = 0; key_length >= 4; key_length -=4, key += 4) w[i++] = LE_READ_UINT32(key); if (i < 8) { /* Key must be padded according to the Serpent specification. "aabbcc" -> "aabbcc0100...00" -> 0x01ccbbaa. */ uint32_t pad = 0x01; while (key_length > 0) pad = pad << 8 | key[--key_length]; w[i++] = pad; while (i < 8) w[i++] = 0; } } /* Initialize CONTEXT with the key KEY of LENGTH bytes. */ void serpent_set_key (struct serpent_ctx *ctx, size_t length, const uint8_t * key) { uint32_t w[8]; uint32_t (*keys)[4]; unsigned k; serpent_key_pad (key, length, w); /* Derive the 33 subkeys from KEY and store them in SUBKEYS. We do the recurrence in the key schedule using W as a circular buffer of just 8 uint32_t. */ /* FIXME: Would be better to invoke SBOX with scalar variables as arguments, no arrays. To do that, unpack w into separate variables, use temporary variables as the SBOX destination. */ keys = ctx->keys; k = 0; for (;;) { KS(keys, 3, w, 0, k); if (k == 132) break; KS(keys, 2, w, 4, k); KS(keys, 1, w, 0, k); KS(keys, 0, w, 4, k); KS(keys, 7, w, 0, k); KS(keys, 6, w, 4, k); KS(keys, 5, w, 0, k); KS(keys, 4, w, 4, k); } assert (keys == ctx->keys + 33); } void serpent128_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT128_KEY_SIZE, key); } void serpent192_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT192_KEY_SIZE, key); } void serpent256_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT256_KEY_SIZE, key); } nettle-3.4.1/ecc-25519.c0000644000175000017500000002204713401564746013436 0ustar nissenisse/* ecc-25519.c Arithmetic and tables for curve25519, Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-25519.h" #define PHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 255) #if HAVE_NATIVE_ecc_25519_modp #define ecc_25519_modp nettle_ecc_25519_modp void ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp); #else #if PHIGH_BITS == 0 #error Unsupported limb size */ #endif static void ecc_25519_modp(const struct ecc_modulo *m UNUSED, mp_limb_t *rp) { mp_limb_t hi, cy; cy = mpn_addmul_1 (rp, rp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, (mp_limb_t) 19 << PHIGH_BITS); hi = rp[ECC_LIMB_SIZE-1]; cy = (cy << PHIGH_BITS) + (hi >> (GMP_NUMB_BITS - PHIGH_BITS)); rp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + sec_add_1 (rp, rp, ECC_LIMB_SIZE - 1, 19 * cy); } #endif /* HAVE_NATIVE_ecc_25519_modp */ #define QHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 252) #if QHIGH_BITS == 0 #error Unsupported limb size */ #endif static void ecc_25519_modq (const struct ecc_modulo *q, mp_limb_t *rp) { mp_size_t n; mp_limb_t cy; /* n is the offset where we add in the next term */ for (n = ECC_LIMB_SIZE; n-- > 0;) { cy = mpn_submul_1 (rp + n, q->B_shifted, ECC_LIMB_SIZE, rp[n + ECC_LIMB_SIZE]); /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */ assert (cy < 2); cnd_add_n (cy, rp+n, q->m, ECC_LIMB_SIZE); } cy = mpn_submul_1 (rp, q->m, ECC_LIMB_SIZE, rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS)); assert (cy < 2); cnd_add_n (cy, rp, q->m, ECC_LIMB_SIZE); } /* Needs 2*ecc->size limbs at rp, and 2*ecc->size additional limbs of scratch space. No overlap allowed. */ static void ecc_mod_pow_2kp1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, mp_limb_t *tp) { if (k & 1) { ecc_mod_sqr (m, tp, xp); k--; } else { ecc_mod_sqr (m, rp, xp); ecc_mod_sqr (m, tp, rp); k -= 2; } while (k > 0) { ecc_mod_sqr (m, rp, tp); ecc_mod_sqr (m, tp, rp); k -= 2; } ecc_mod_mul (m, rp, tp, xp); } /* Computes a^{(p-5)/8} = a^{2^{252-3}} mod m. Needs 5 * n scratch space. */ static void ecc_mod_pow_252m3 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a7 scratch #define t0 (scratch + ECC_LIMB_SIZE) #define t1 (scratch + 3*ECC_LIMB_SIZE) /* a^{2^252 - 3} = a^{(p-5)/8}, using the addition chain 2^252 - 3 = 1 + (2^252-4) = 1 + 4 (2^250-1) = 1 + 4 (2^125+1)(2^125-1) = 1 + 4 (2^125+1)(1+2(2^124-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^62-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(2^31-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^28-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^14-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(2^7-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^6-1)))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^3+1)*7))) */ ecc_mod_pow_2kp1 (m, t0, ap, 1, t1); /* a^3 */ ecc_mod_sqr (m, rp, t0); /* a^6 */ ecc_mod_mul (m, a7, rp, ap); /* a^7 */ ecc_mod_pow_2kp1 (m, rp, a7, 3, t0); /* a^63 = a^{2^6-1} */ ecc_mod_sqr (m, t0, rp); /* a^{2^7-2} */ ecc_mod_mul (m, rp, t0, ap); /* a^{2^7-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 7, t1); /* a^{2^14-1}*/ ecc_mod_pow_2kp1 (m, rp, t0, 14, t1); /* a^{2^28-1} */ ecc_mod_sqr (m, t0, rp); /* a^{2^29-2} */ ecc_mod_sqr (m, t1, t0); /* a^{2^30-4} */ ecc_mod_sqr (m, t0, t1); /* a^{2^31-8} */ ecc_mod_mul (m, rp, t0, a7); /* a^{2^31-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 31, t1); /* a^{2^62-1} */ ecc_mod_pow_2kp1 (m, rp, t0, 62, t1); /* a^{2^124-1}*/ ecc_mod_sqr (m, t0, rp); /* a^{2^125-2} */ ecc_mod_mul (m, rp, t0, ap); /* a^{2^125-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 125, t1);/* a^{2^250-1} */ ecc_mod_sqr (m, rp, t0); /* a^{2^251-2} */ ecc_mod_sqr (m, t0, rp); /* a^{2^252-4} */ ecc_mod_mul (m, rp, t0, ap); /* a^{2^252-3} */ #undef t0 #undef t1 #undef a7 } /* Needs 5*ECC_LIMB_SIZE scratch space. */ #define ECC_25519_INV_ITCH (5*ECC_LIMB_SIZE) static void ecc_25519_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define t0 scratch /* Addition chain p - 2 = 2^{255} - 21 = 1 + 2 (1 + 4 (2^{252}-3)) */ ecc_mod_pow_252m3 (p, rp, ap, t0); ecc_mod_sqr (p, t0, rp); ecc_mod_sqr (p, rp, t0); ecc_mod_mul (p, t0, ap, rp); ecc_mod_sqr (p, rp, t0); ecc_mod_mul (p, t0, ap, rp); mpn_copyi (rp, t0, ECC_LIMB_SIZE); /* FIXME: Eliminate copy? */ #undef t0 } /* First, do a canonical reduction, then check if zero */ static int ecc_25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp) { mp_limb_t cy; mp_limb_t w; mp_size_t i; #if PHIGH_BITS > 0 mp_limb_t hi = xp[ECC_LIMB_SIZE-1]; xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + sec_add_1 (xp, xp, ECC_LIMB_SIZE - 1, 19 * (hi >> (GMP_NUMB_BITS - PHIGH_BITS))); #endif cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE); cnd_add_n (cy, xp, p->m, ECC_LIMB_SIZE); for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++) w |= xp[i]; return w == 0; } /* Compute x such that x^2 = u/v (mod p). Returns one on success, zero on failure. We use the e = 2 special case of the Shanks-Tonelli algorithm (see http://www.math.vt.edu/people/brown/doc/sqrts.pdf, or Henri Cohen, Computational Algebraic Number Theory, 1.5.1). To avoid a separate inversion, we also use a trick of djb's, to compute the candidate root as x = (u/v)^{(p+3)/8} = u v^3 (u v^7)^{(p-5)/8}. */ #if ECC_SQRT_E != 2 #error Broken curve25519 parameters #endif /* Needs 4*n space + scratch for ecc_mod_pow_252m3. */ #define ECC_25519_SQRT_ITCH (9*ECC_LIMB_SIZE) static int ecc_25519_sqrt(const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch) { int pos, neg; #define uv3 scratch #define uv7 (scratch + ECC_LIMB_SIZE) #define uv7p (scratch + 2*ECC_LIMB_SIZE) #define v2 (scratch + 2*ECC_LIMB_SIZE) #define uv (scratch + 3*ECC_LIMB_SIZE) #define v4 (scratch + 3*ECC_LIMB_SIZE) #define scratch_out (scratch + 4 * ECC_LIMB_SIZE) #define x2 scratch #define vx2 (scratch + ECC_LIMB_SIZE) #define t0 (scratch + 2*ECC_LIMB_SIZE) /* Live values */ ecc_mod_sqr (p, v2, vp); /* v2 */ ecc_mod_mul (p, uv, up, vp); /* uv, v2 */ ecc_mod_mul (p, uv3, uv, v2); /* uv3, v2 */ ecc_mod_sqr (p, v4, v2); /* uv3, v4 */ ecc_mod_mul (p, uv7, uv3, v4); /* uv3, uv7 */ ecc_mod_pow_252m3 (p, uv7p, uv7, scratch_out); /* uv3, uv7p */ ecc_mod_mul (p, rp, uv7p, uv3); /* none */ /* Check sign. If square root exists, have v x^2 = ±u */ ecc_mod_sqr (p, x2, rp); ecc_mod_mul (p, vx2, x2, vp); ecc_mod_add (p, t0, vx2, up); neg = ecc_25519_zero_p (p, t0); ecc_mod_sub (p, t0, up, vx2); pos = ecc_25519_zero_p (p, t0); ecc_mod_mul (p, t0, rp, ecc_sqrt_z); cnd_copy (neg, rp, t0, ECC_LIMB_SIZE); return pos | neg; #undef uv3 #undef uv7 #undef uv7p #undef v2 #undef v4 #undef scratch_out #undef x2 #undef vx2 #undef t0 } const struct ecc_curve _nettle_curve25519 = { { 255, ECC_LIMB_SIZE, ECC_BMODP_SIZE, 0, ECC_25519_INV_ITCH, ECC_25519_SQRT_ITCH, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, NULL, ecc_pp1h, ecc_25519_modp, ecc_25519_modp, ecc_25519_inv, ecc_25519_sqrt, }, { 253, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_q, ecc_Bmodq, ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */ NULL, ecc_qp1h, ecc_25519_modq, ecc_25519_modq, ecc_mod_inv, NULL, }, 0, /* No redc */ ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH), ecc_add_ehh, ecc_mul_a_eh, ecc_mul_g_eh, ecc_eh_to_a, ecc_d, /* Use the Edwards curve constant. */ ecc_g, ecc_edwards, ecc_unit, ecc_table }; nettle-3.4.1/umac96.c0000644000175000017500000000645513401564745013331 0ustar nissenisse/* umac96.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "macros.h" void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key) { _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 3); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac96_set_nonce (struct umac96_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_length = nonce_length; } #define UMAC96_BLOCK(ctx, block) do { \ uint64_t __umac96_y[3]; \ _umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac96_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac96_y[1] += 8*UMAC_BLOCK_SIZE; \ __umac96_y[2] += 8*UMAC_BLOCK_SIZE; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, __umac96_y); \ } while (0) void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC96_BLOCK, (void)0); } void umac96_digest (struct umac96_ctx *ctx, size_t length, uint8_t *digest) { uint32_t tag[4]; unsigned i; assert (length > 0); assert (length <= 12); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[3]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _umac_nh_n (y, 3, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; y[2] += 8 * ctx->index; _umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, y); } assert (ctx->count > 0); aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); _umac_l2_final (ctx->l2_key, ctx->l2_state, 3, ctx->count); for (i = 0; i < 3; i++) tag[i] ^= ctx->l3_key2[i] ^ _umac_l3 (ctx->l3_key1 + 8*i, ctx->l2_state + 2*i); memcpy (digest, tag, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.4.1/camellia256-crypt.c0000644000175000017500000000314713401564745015363 0ustar nissenisse/* camellia256-crypt.c Crypt function for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "camellia-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_camellia_crypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void camellia256_crypt(const struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); _camellia_crypt(_CAMELLIA256_NKEYS, ctx->keys, &_camellia_table, length, dst, src); } nettle-3.4.1/dsa-sha256-sign.c0000644000175000017500000000362013401564746014730 0ustar nissenisse/* dsa-sha256-sign.c The DSA publickey algorithm, using SHA-256 (FIPS186-3). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha256_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature) { return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, SHA256_DIGEST_SIZE, digest, signature); } int dsa_sha256_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, struct dsa_signature *signature) { uint8_t digest[SHA256_DIGEST_SIZE]; sha256_digest(hash, sizeof(digest), digest); return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, sizeof(digest), digest, signature); } nettle-3.4.1/sha1-meta.c0000644000175000017500000000222713401564745013776 0ustar nissenisse/* sha1-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha1.h" const struct nettle_hash nettle_sha1 = _NETTLE_HASH(sha1, SHA1); nettle-3.4.1/twofish-meta.c0000644000175000017500000000320313401564745014620 0ustar nissenisse/* twofish-meta.c Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "twofish.h" #define TWOFISH(bits) { \ "twofish" #bits, \ sizeof(struct twofish_ctx), \ TWOFISH_BLOCK_SIZE, \ TWOFISH ## bits ## _KEY_SIZE, \ (nettle_set_key_func *) twofish ## bits ## _set_key, \ (nettle_set_key_func *) twofish ## bits ## _set_key, \ (nettle_cipher_func *) twofish_encrypt, \ (nettle_cipher_func *) twofish_decrypt \ } const struct nettle_cipher nettle_twofish128 = TWOFISH(128); const struct nettle_cipher nettle_twofish192 = TWOFISH(192); const struct nettle_cipher nettle_twofish256 = TWOFISH(256); nettle-3.4.1/rsa-sha1-sign-tr.c0000644000175000017500000000366713401564746015230 0ustar nissenisse/* rsa-sha1-sign-tr.c Signatures using RSA and SHA1. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha1_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.4.1/twofish.h0000644000175000017500000000523513401564746013711 0ustar nissenisse/* twofish.h The twofish block cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Twofish is a 128-bit block cipher that accepts a variable-length * key up to 256 bits, designed by Bruce Schneier and others. See * http://www.counterpane.com/twofish.html for details. */ #ifndef NETTLE_TWOFISH_H_INCLUDED #define NETTLE_TWOFISH_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define twofish_set_key nettle_twofish_set_key #define twofish128_set_key nettle_twofish128_set_key #define twofish192_set_key nettle_twofish192_set_key #define twofish256_set_key nettle_twofish256_set_key #define twofish_encrypt nettle_twofish_encrypt #define twofish_decrypt nettle_twofish_decrypt #define TWOFISH_BLOCK_SIZE 16 /* Variable key size between 128 and 256 bits. But the only valid * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ #define TWOFISH_MIN_KEY_SIZE 16 #define TWOFISH_MAX_KEY_SIZE 32 #define TWOFISH_KEY_SIZE 32 #define TWOFISH128_KEY_SIZE 16 #define TWOFISH192_KEY_SIZE 24 #define TWOFISH256_KEY_SIZE 32 struct twofish_ctx { uint32_t keys[40]; uint32_t s_box[4][256]; }; void twofish_set_key(struct twofish_ctx *ctx, size_t length, const uint8_t *key); void twofish128_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish192_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish256_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish_encrypt(const struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void twofish_decrypt(const struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_TWOFISH_H_INCLUDED */ nettle-3.4.1/cast128_sboxes.h0000644000175000017500000006275413401564746015007 0ustar nissenisse/* * CAST-128 in C * Written by Steve Reid * 100% Public Domain - no warranty * Released 1997.10.11 */ static const uint32_t cast_sbox1[256] = { 0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A, 0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949, 0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675, 0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E, 0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2, 0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D, 0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F, 0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0, 0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE, 0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7, 0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F, 0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935, 0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D, 0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D, 0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165, 0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50, 0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272, 0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE, 0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D, 0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3, 0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A, 0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167, 0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F, 0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291, 0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9, 0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779, 0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6, 0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2, 0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9, 0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511, 0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E, 0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D, 0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E, 0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5, 0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82, 0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324, 0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC, 0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C, 0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F, 0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC, 0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491, 0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D, 0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE, 0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96, 0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A, 0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A, 0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79, 0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D, 0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779, 0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD, 0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755, 0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6, 0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB, 0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9, 0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0, 0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872, 0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79, 0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C, 0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298, 0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E, 0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571, 0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9, 0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D, 0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF }; static const uint32_t cast_sbox2[256] = { 0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380, 0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651, 0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA, 0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3, 0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909, 0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB, 0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B, 0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806, 0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4, 0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B, 0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F, 0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359, 0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21, 0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B, 0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D, 0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C, 0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F, 0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34, 0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D, 0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB, 0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4, 0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD, 0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801, 0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860, 0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755, 0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B, 0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709, 0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304, 0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B, 0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B, 0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C, 0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF, 0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9, 0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C, 0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3, 0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13, 0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9, 0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F, 0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB, 0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6, 0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4, 0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6, 0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43, 0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58, 0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8, 0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906, 0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171, 0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D, 0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89, 0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6, 0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B, 0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4, 0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB, 0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6, 0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E, 0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F, 0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA, 0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249, 0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA, 0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA, 0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD, 0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9, 0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF, 0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1 }; static const uint32_t cast_sbox3[256] = { 0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907, 0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90, 0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE, 0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5, 0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E, 0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E, 0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC, 0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240, 0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E, 0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5, 0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F, 0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B, 0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99, 0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71, 0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F, 0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04, 0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380, 0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82, 0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8, 0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15, 0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504, 0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2, 0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6, 0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176, 0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E, 0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148, 0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D, 0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC, 0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1, 0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341, 0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C, 0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E, 0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15, 0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51, 0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4, 0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F, 0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B, 0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A, 0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392, 0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B, 0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231, 0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B, 0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889, 0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5, 0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67, 0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45, 0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49, 0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536, 0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D, 0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC, 0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D, 0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0, 0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E, 0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69, 0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767, 0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2, 0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE, 0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49, 0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24, 0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D, 0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0, 0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A, 0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5, 0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783 }; static const uint32_t cast_sbox4[256] = { 0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298, 0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1, 0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120, 0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF, 0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220, 0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15, 0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE, 0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121, 0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701, 0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25, 0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B, 0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5, 0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93, 0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB, 0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746, 0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5, 0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9, 0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D, 0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB, 0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6, 0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C, 0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23, 0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7, 0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003, 0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340, 0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6, 0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327, 0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119, 0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC, 0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24, 0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205, 0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A, 0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031, 0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79, 0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5, 0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF, 0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C, 0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26, 0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69, 0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB, 0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9, 0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7, 0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF, 0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417, 0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3, 0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2, 0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2, 0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2, 0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF, 0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A, 0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091, 0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919, 0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF, 0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF, 0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF, 0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876, 0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367, 0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB, 0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C, 0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04, 0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43, 0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282, 0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E, 0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2 }; static const uint32_t cast_sbox5[256] = { 0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911, 0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F, 0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00, 0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A, 0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180, 0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF, 0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2, 0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02, 0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725, 0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A, 0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B, 0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7, 0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571, 0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9, 0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC, 0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981, 0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA, 0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774, 0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263, 0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655, 0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468, 0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2, 0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B, 0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910, 0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284, 0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1, 0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4, 0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA, 0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7, 0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049, 0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE, 0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F, 0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6, 0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA, 0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4, 0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE, 0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561, 0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3, 0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6, 0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840, 0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406, 0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4, 0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472, 0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2, 0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487, 0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7, 0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288, 0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5, 0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2, 0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E, 0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78, 0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E, 0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76, 0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801, 0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0, 0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD, 0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58, 0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0, 0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2, 0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20, 0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE, 0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8, 0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55, 0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4 }; static const uint32_t cast_sbox6[256] = { 0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C, 0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC, 0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9, 0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138, 0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E, 0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367, 0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866, 0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98, 0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C, 0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072, 0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD, 0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3, 0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53, 0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD, 0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D, 0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8, 0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF, 0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9, 0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807, 0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54, 0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A, 0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387, 0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563, 0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC, 0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0, 0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF, 0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE, 0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF, 0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0, 0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F, 0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2, 0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289, 0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853, 0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950, 0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA, 0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F, 0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9, 0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B, 0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751, 0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE, 0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358, 0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13, 0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397, 0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976, 0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459, 0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0, 0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4, 0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891, 0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F, 0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA, 0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB, 0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC, 0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2, 0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084, 0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB, 0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25, 0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B, 0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121, 0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B, 0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5, 0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855, 0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD, 0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454, 0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F }; static const uint32_t cast_sbox7[256] = { 0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693, 0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F, 0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82, 0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE, 0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD, 0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43, 0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F, 0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19, 0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9, 0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2, 0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E, 0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516, 0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83, 0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88, 0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E, 0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816, 0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A, 0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756, 0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F, 0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A, 0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B, 0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264, 0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78, 0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688, 0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D, 0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28, 0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802, 0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3, 0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9, 0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7, 0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302, 0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06, 0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858, 0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033, 0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A, 0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A, 0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4, 0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566, 0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF, 0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509, 0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9, 0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962, 0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C, 0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E, 0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07, 0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C, 0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939, 0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C, 0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E, 0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285, 0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378, 0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301, 0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD, 0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE, 0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567, 0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767, 0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2, 0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647, 0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF, 0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914, 0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2, 0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C, 0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA, 0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3 }; static const uint32_t cast_sbox8[256] = { 0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095, 0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5, 0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174, 0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC, 0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940, 0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD, 0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42, 0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D, 0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164, 0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2, 0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4, 0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862, 0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0, 0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC, 0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6, 0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C, 0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491, 0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E, 0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B, 0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039, 0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8, 0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8, 0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006, 0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42, 0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564, 0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5, 0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB, 0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472, 0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC, 0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225, 0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8, 0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C, 0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441, 0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB, 0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F, 0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054, 0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504, 0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70, 0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C, 0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC, 0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6, 0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C, 0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD, 0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3, 0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4, 0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4, 0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC, 0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101, 0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA, 0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F, 0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF, 0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E, 0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603, 0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A, 0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37, 0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C, 0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819, 0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384, 0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D, 0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C, 0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347, 0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82, 0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D, 0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E }; nettle-3.4.1/gcm-aes128-meta.c0000644000175000017500000000342613401564745014713 0ustar nissenisse/* gcm-aes128-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes128_set_nonce_wrapper; static void gcm_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes128_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes128 = { "gcm_aes128", sizeof(struct gcm_aes128_ctx), GCM_BLOCK_SIZE, AES128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes128_set_key, (nettle_set_key_func *) gcm_aes128_set_key, gcm_aes128_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes128_update, (nettle_crypt_func *) gcm_aes128_encrypt, (nettle_crypt_func *) gcm_aes128_decrypt, (nettle_hash_digest_func *) gcm_aes128_digest, }; nettle-3.4.1/des-compat.c0000644000175000017500000001310213401564745014244 0ustar nissenisse/* des-compat.c The des block cipher, old libdes/openssl-style interface. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "des-compat.h" #include "cbc.h" #include "macros.h" #include "memxor.h" struct des_compat_des3 { const struct des_ctx *keys[3]; }; static void des_compat_des3_encrypt(struct des_compat_des3 *ctx, size_t length, uint8_t *dst, const uint8_t *src) { nettle_des_encrypt(ctx->keys[0], length, dst, src); nettle_des_decrypt(ctx->keys[1], length, dst, dst); nettle_des_encrypt(ctx->keys[2], length, dst, dst); } static void des_compat_des3_decrypt(struct des_compat_des3 *ctx, size_t length, uint8_t *dst, const uint8_t *src) { nettle_des_decrypt(ctx->keys[2], length, dst, src); nettle_des_encrypt(ctx->keys[1], length, dst, dst); nettle_des_decrypt(ctx->keys[0], length, dst, dst); } void des_ecb3_encrypt(const_des_cblock *src, des_cblock *dst, des_key_schedule k1, des_key_schedule k2, des_key_schedule k3, int enc) { struct des_compat_des3 keys; keys.keys[0] = k1; keys.keys[1] = k2; keys.keys[2] = k3; ((enc == DES_ENCRYPT) ? des_compat_des3_encrypt : des_compat_des3_decrypt) (&keys, DES_BLOCK_SIZE, *dst, *src); } /* If input is not a integral number of blocks, the final block is padded with zeros, no length field or anything like that. That's pretty broken, since it means that "$100" and "$100\0" always have the same checksum, but I think that's how it's supposed to work. */ uint32_t des_cbc_cksum(const uint8_t *src, des_cblock *dst, long length, des_key_schedule ctx, const_des_cblock *iv) { /* FIXME: I'm not entirely sure how this function is supposed to * work, in particular what it should return, and if iv can be * modified. */ uint8_t block[DES_BLOCK_SIZE]; memcpy(block, *iv, DES_BLOCK_SIZE); while (length >= DES_BLOCK_SIZE) { memxor(block, src, DES_BLOCK_SIZE); nettle_des_encrypt(ctx, DES_BLOCK_SIZE, block, block); src += DES_BLOCK_SIZE; length -= DES_BLOCK_SIZE; } if (length > 0) { memxor(block, src, length); nettle_des_encrypt(ctx, DES_BLOCK_SIZE, block, block); } memcpy(*dst, block, DES_BLOCK_SIZE); return LE_READ_UINT32(block + 4); } void des_ncbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, des_key_schedule ctx, des_cblock *iv, int enc) { switch (enc) { case DES_ENCRYPT: nettle_cbc_encrypt(ctx, (nettle_cipher_func *) des_encrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; case DES_DECRYPT: nettle_cbc_decrypt(ctx, (nettle_cipher_func *) des_decrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; default: abort(); } } void des_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, des_key_schedule ctx, const_des_cblock *civ, int enc) { des_cblock iv; memcpy(iv, civ, DES_BLOCK_SIZE); des_ncbc_encrypt(src, dst, length, ctx, &iv, enc); } void des_ecb_encrypt(const_des_cblock *src, des_cblock *dst, des_key_schedule ctx, int enc) { ((enc == DES_ENCRYPT) ? nettle_des_encrypt : nettle_des_decrypt) (ctx, DES_BLOCK_SIZE, *dst, *src); } void des_ede3_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, des_key_schedule k1, des_key_schedule k2, des_key_schedule k3, des_cblock *iv, int enc) { struct des_compat_des3 keys; keys.keys[0] = k1; keys.keys[1] = k2; keys.keys[2] = k3; switch (enc) { case DES_ENCRYPT: nettle_cbc_encrypt(&keys, (nettle_cipher_func *) des_compat_des3_encrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; case DES_DECRYPT: nettle_cbc_decrypt(&keys, (nettle_cipher_func *) des_compat_des3_decrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; default: abort(); } } int des_set_odd_parity(des_cblock *key) { nettle_des_fix_parity(DES_KEY_SIZE, *key, *key); /* FIXME: What to return? */ return 0; } /* If des_check_key is non-zero, returns * * 0 for ok, -1 for bad parity, and -2 for weak keys. * * If des_check_key is zero (the default), always returns zero. */ int des_check_key = 0; int des_key_sched(const_des_cblock *key, des_key_schedule ctx) { if (des_check_key && !des_check_parity (DES_KEY_SIZE, *key)) /* Bad parity */ return -1; if (!nettle_des_set_key(ctx, *key) && des_check_key) /* Weak key */ return -2; return 0; } int des_is_weak_key(const_des_cblock *key) { struct des_ctx ctx; return !nettle_des_set_key(&ctx, *key); } nettle-3.4.1/aclocal.m40000644000175000017500000011244613401564746013720 0ustar nissenissednl Try to detect the type of the third arg to getsockname() et al AC_DEFUN([LSH_TYPE_SOCKLEN_T], [AH_TEMPLATE([socklen_t], [Length type used by getsockopt]) AC_CACHE_CHECK([for socklen_t in sys/socket.h], ac_cv_type_socklen_t, [AC_EGREP_HEADER(socklen_t, sys/socket.h, [ac_cv_type_socklen_t=yes], [ac_cv_type_socklen_t=no])]) if test $ac_cv_type_socklen_t = no; then AC_MSG_CHECKING(for AIX) AC_EGREP_CPP(yes, [ #ifdef _AIX yes #endif ],[ AC_MSG_RESULT(yes) AC_DEFINE(socklen_t, size_t) ],[ AC_MSG_RESULT(no) AC_DEFINE(socklen_t, int) ]) fi ]) dnl Choose cc flags for compiling position independent code dnl FIXME: Doesn't do the right thing when crosscompiling. AC_DEFUN([LSH_CCPIC], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_MSG_CHECKING(CCPIC) AC_CACHE_VAL(lsh_cv_sys_ccpic,[ if test -z "$CCPIC" ; then if test "$GCC" = yes ; then case "$host_os" in bsdi4.*) CCPIC="-fPIC" ;; bsdi*) CCPIC="" ;; darwin*) CCPIC="-fPIC" ;; # Could also use -fpic, depending on the number of symbol references solaris*) CCPIC="-fPIC" ;; cygwin*) CCPIC="" ;; mingw32*) CCPIC="" ;; *) CCPIC="-fpic" ;; esac else case "$host_os" in darwin*) CCPIC="-fPIC" ;; irix*) CCPIC="-share" ;; hpux*) CCPIC="+z"; ;; *freebsd*) CCPIC="-fpic" ;; sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; solaris*) CCPIC="-KPIC -Bdynamic" ;; winnt*) CCPIC="-shared" ;; *) CCPIC="" ;; esac fi fi OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $CCPIC" AC_TRY_COMPILE([], [exit(0);], lsh_cv_sys_ccpic="$CCPIC", lsh_cv_sys_ccpic='') CFLAGS="$OLD_CFLAGS" ]) CCPIC="$lsh_cv_sys_ccpic" AC_MSG_RESULT($CCPIC)]) dnl LSH_PATH_ADD(path-id, directory) AC_DEFUN([LSH_PATH_ADD], [AC_MSG_CHECKING($2) ac_exists=no if test -d "$2/." ; then ac_real_dir=`cd $2 && pwd` if test -n "$ac_real_dir" ; then ac_exists=yes for old in $1_REAL_DIRS ; do ac_found=no if test x$ac_real_dir = x$old ; then ac_found=yes; break; fi done if test $ac_found = yes ; then AC_MSG_RESULT(already added) else AC_MSG_RESULT(added) # LDFLAGS="$LDFLAGS -L $2" $1_REAL_DIRS="$ac_real_dir [$]$1_REAL_DIRS" $1_DIRS="$2 [$]$1_DIRS" fi fi fi if test $ac_exists = no ; then AC_MSG_RESULT(not found) fi ]) dnl LSH_RPATH_ADD(dir) AC_DEFUN([LSH_RPATH_ADD], [LSH_PATH_ADD(RPATH_CANDIDATE, $1)]) dnl LSH_RPATH_INIT(candidates) AC_DEFUN([LSH_RPATH_INIT], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_MSG_CHECKING([for -R flag]) RPATHFLAG='' case "$host_os" in osf1*) RPATHFLAG="-rpath " ;; irix6.*|irix5.*) RPATHFLAG="-rpath " ;; solaris*) if test "$TCC" = "yes"; then # tcc doesn't know about -R RPATHFLAG="-Wl,-R," else RPATHFLAG=-R fi ;; linux*|freebsd*) RPATHFLAG="-Wl,-rpath," ;; *) RPATHFLAG="" ;; esac if test x$RPATHFLAG = x ; then AC_MSG_RESULT(none) else AC_MSG_RESULT([using $RPATHFLAG]) fi RPATH_CANDIDATE_REAL_DIRS='' RPATH_CANDIDATE_DIRS='' AC_MSG_RESULT([Searching for libraries]) for d in $1 ; do LSH_RPATH_ADD($d) done ]) dnl Try to execute a main program, and if it fails, try adding some dnl -R flag. dnl LSH_RPATH_FIX AC_DEFUN([LSH_RPATH_FIX], [if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then ac_success=no AC_TRY_RUN([int main(int argc, char **argv) { return 0; }], ac_success=yes, ac_success=no, :) if test $ac_success = no ; then AC_MSG_CHECKING([Running simple test program failed. Trying -R flags]) dnl echo RPATH_CANDIDATE_DIRS = $RPATH_CANDIDATE_DIRS ac_remaining_dirs='' ac_rpath_save_LDFLAGS="$LDFLAGS" for d in $RPATH_CANDIDATE_DIRS ; do if test $ac_success = yes ; then ac_remaining_dirs="$ac_remaining_dirs $d" else LDFLAGS="$RPATHFLAG$d $LDFLAGS" dnl echo LDFLAGS = $LDFLAGS AC_TRY_RUN([int main(int argc, char **argv) { return 0; }], [ac_success=yes ac_rpath_save_LDFLAGS="$LDFLAGS" AC_MSG_RESULT([adding $RPATHFLAG$d]) ], [ac_remaining_dirs="$ac_remaining_dirs $d"], :) LDFLAGS="$ac_rpath_save_LDFLAGS" fi done RPATH_CANDIDATE_DIRS=$ac_remaining_dirs fi if test $ac_success = no ; then AC_MSG_RESULT(failed) fi fi ]) dnl Like AC_CHECK_LIB, but uses $KRB_LIBS rather than $LIBS. dnl LSH_CHECK_KRB_LIB(LIBRARY, FUNCTION, [, ACTION-IF-FOUND [, dnl ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]]) AC_DEFUN([LSH_CHECK_KRB_LIB], [AC_CHECK_LIB([$1], [$2], ifelse([$3], , [[ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \ -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` AC_DEFINE_UNQUOTED($ac_tr_lib) KRB_LIBS="-l$1 $KRB_LIBS" ]], [$3]), ifelse([$4], , , [$4 ])dnl , [$5 $KRB_LIBS]) ]) dnl LSH_LIB_ARGP(ACTION-IF-OK, ACTION-IF-BAD) AC_DEFUN([LSH_LIB_ARGP], [ ac_argp_save_LIBS="$LIBS" ac_argp_save_LDFLAGS="$LDFLAGS" ac_argp_ok=no # First check if we can link with argp. AC_SEARCH_LIBS(argp_parse, argp, [ LSH_RPATH_FIX AC_CACHE_CHECK([for working argp], lsh_cv_lib_argp_works, [ AC_TRY_RUN( [#include #include static const struct argp_option options[] = { { NULL, 0, NULL, 0, NULL, 0 } }; struct child_state { int n; }; static error_t child_parser(int key, char *arg, struct argp_state *state) { struct child_state *input = (struct child_state *) state->input; switch(key) { default: return ARGP_ERR_UNKNOWN; case ARGP_KEY_END: if (!input->n) input->n = 1; break; } return 0; } const struct argp child_argp = { options, child_parser, NULL, NULL, NULL, NULL, NULL }; struct main_state { struct child_state child; int m; }; static error_t main_parser(int key, char *arg, struct argp_state *state) { struct main_state *input = (struct main_state *) state->input; switch(key) { default: return ARGP_ERR_UNKNOWN; case ARGP_KEY_INIT: state->child_inputs[0] = &input->child; break; case ARGP_KEY_END: if (!input->m) input->m = input->child.n; break; } return 0; } static const struct argp_child main_children[] = { { &child_argp, 0, "", 0 }, { NULL, 0, NULL, 0} }; static const struct argp main_argp = { options, main_parser, NULL, NULL, main_children, NULL, NULL }; int main(int argc, char **argv) { struct main_state input = { { 0 }, 0 }; char *v[2] = { "foo", NULL }; argp_parse(&main_argp, 1, v, 0, NULL, &input); if ( (input.m == 1) && (input.child.n == 1) ) return 0; else return 1; } ], lsh_cv_lib_argp_works=yes, lsh_cv_lib_argp_works=no, lsh_cv_lib_argp_works=no)]) if test x$lsh_cv_lib_argp_works = xyes ; then ac_argp_ok=yes else # Reset link flags LIBS="$ac_argp_save_LIBS" LDFLAGS="$ac_argp_save_LDFLAGS" fi]) if test x$ac_argp_ok = xyes ; then ifelse([$1],, true, [$1]) else ifelse([$2],, true, [$2]) fi ]) dnl LSH_GCC_ATTRIBUTES dnl Check for gcc's __attribute__ construction AC_DEFUN([LSH_GCC_ATTRIBUTES], [AC_CACHE_CHECK(for __attribute__, lsh_cv_c_attribute, [ AC_TRY_COMPILE([ #include static void foo(void) __attribute__ ((noreturn)); static void __attribute__ ((noreturn)) foo(void) { exit(1); } ],[], lsh_cv_c_attribute=yes, lsh_cv_c_attribute=no)]) AH_TEMPLATE([HAVE_GCC_ATTRIBUTE], [Define if the compiler understands __attribute__]) if test "x$lsh_cv_c_attribute" = "xyes"; then AC_DEFINE(HAVE_GCC_ATTRIBUTE) fi AH_BOTTOM( [#if __GNUC__ && HAVE_GCC_ATTRIBUTE # define NORETURN __attribute__ ((__noreturn__)) # define PRINTF_STYLE(f, a) __attribute__ ((__format__ (__printf__, f, a))) # define UNUSED __attribute__ ((__unused__)) #else # define NORETURN # define PRINTF_STYLE(f, a) # define UNUSED #endif ])]) # Check for alloca, and include the standard blurb in config.h AC_DEFUN([LSH_FUNC_ALLOCA], [AC_FUNC_ALLOCA AC_CHECK_HEADERS([malloc.h]) AH_BOTTOM( [/* AIX requires this to be the first thing in the file. */ #ifndef __GNUC__ # if HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ char *alloca (); # endif # endif /* Needed for alloca on windows */ # if HAVE_MALLOC_H # include # endif # endif #else /* defined __GNUC__ */ # if HAVE_ALLOCA_H # include # else /* Needed for alloca on windows, also with gcc */ # if HAVE_MALLOC_H # include # endif # endif #endif ])]) AC_DEFUN([LSH_FUNC_STRERROR], [AC_CHECK_FUNCS(strerror) AH_BOTTOM( [#if HAVE_STRERROR #define STRERROR strerror #else #define STRERROR(x) (sys_errlist[x]) #endif ])]) AC_DEFUN([LSH_FUNC_STRSIGNAL], [AC_CHECK_FUNCS(strsignal) AC_CHECK_DECLS([sys_siglist, _sys_siglist]) AH_BOTTOM( [#if HAVE_STRSIGNAL # define STRSIGNAL strsignal #else /* !HAVE_STRSIGNAL */ # if HAVE_DECL_SYS_SIGLIST # define STRSIGNAL(x) (sys_siglist[x]) # else # if HAVE_DECL__SYS_SIGLIST # define STRSIGNAL(x) (_sys_siglist[x]) # else # define STRSIGNAL(x) "Unknown signal" # if __GNUC__ # warning Using dummy STRSIGNAL # endif # endif # endif #endif /* !HAVE_STRSIGNAL */ ])]) dnl LSH_MAKE_CONDITIONAL(symbol, test) AC_DEFUN([LSH_MAKE_CONDITIONAL], [if $2 ; then IF_$1='' UNLESS_$1='# ' else IF_$1='# ' UNLESS_$1='' fi AC_SUBST(IF_$1) AC_SUBST(UNLESS_$1)]) dnl LSH_DEPENDENCY_TRACKING dnl Defines compiler flags DEP_FLAGS to generate dependency dnl information, and DEP_PROCESS that is any shell commands needed for dnl massaging the dependency information further. Dependencies are dnl generated as a side effect of compilation. Dependency files dnl themselves are not treated as targets. AC_DEFUN([LSH_DEPENDENCY_TRACKING], [AC_ARG_ENABLE(dependency_tracking, AC_HELP_STRING([--disable-dependency-tracking], [Disable dependency tracking. Dependency tracking doesn't work with BSD make]),, [enable_dependency_tracking=yes]) DEP_FLAGS='' DEP_PROCESS='true' if test x$enable_dependency_tracking = xyes ; then if test x$GCC = xyes ; then gcc_version=`gcc --version | head -1` case "$gcc_version" in 2.*|*[[!0-9.]]2.*) enable_dependency_tracking=no AC_MSG_WARN([Dependency tracking disabled, gcc-3.x is needed]) ;; *) DEP_FLAGS='-MT $[]@ -MD -MP -MF $[]@.d' DEP_PROCESS='true' ;; esac else enable_dependency_tracking=no AC_MSG_WARN([Dependency tracking disabled]) fi fi if test x$enable_dependency_tracking = xyes ; then DEP_INCLUDE='include ' else DEP_INCLUDE='# ' fi AC_SUBST([DEP_INCLUDE]) AC_SUBST([DEP_FLAGS]) AC_SUBST([DEP_PROCESS])]) dnl GMP_TRY_ASSEMBLE(asm-code,[action-success][,action-fail]) dnl ---------------------------------------------------------- dnl Attempt to assemble the given code. dnl Do "action-success" if this succeeds, "action-fail" if not. dnl dnl conftest.o and conftest.out are available for inspection in dnl "action-success". If either action does a "break" out of a loop then dnl an explicit "rm -f conftest*" will be necessary. dnl dnl This is not unlike AC_TRY_COMPILE, but there's no default includes or dnl anything in "asm-code", everything wanted must be given explicitly. AC_DEFUN([GMP_TRY_ASSEMBLE], [cat >conftest.s <&AC_FD_CC ifelse([$2],,:,[$2]) else cat conftest.out >&AC_FD_CC echo "configure: failed program was:" >&AC_FD_CC cat conftest.s >&AC_FD_CC ifelse([$3],,:,[$3]) fi rm -f conftest* ]) dnl GMP_PROG_CC_FOR_BUILD dnl --------------------- dnl Establish CC_FOR_BUILD, a C compiler for the build system. dnl dnl If CC_FOR_BUILD is set then it's expected to work, likewise the old dnl style HOST_CC, otherwise some likely candidates are tried, the same as dnl configfsf.guess. AC_DEFUN([GMP_PROG_CC_FOR_BUILD], [AC_REQUIRE([AC_PROG_CC]) if test -n "$CC_FOR_BUILD"; then GMP_PROG_CC_FOR_BUILD_WORKS($CC_FOR_BUILD,, [AC_MSG_ERROR([Specified CC_FOR_BUILD doesn't seem to work])]) elif test -n "$HOST_CC"; then GMP_PROG_CC_FOR_BUILD_WORKS($HOST_CC, [CC_FOR_BUILD=$HOST_CC], [AC_MSG_ERROR([Specified HOST_CC doesn't seem to work])]) else if test $cross_compiling = no ; then CC_FOR_BUILD="$CC" else for i in gcc cc c89 c99; do GMP_PROG_CC_FOR_BUILD_WORKS($i, [CC_FOR_BUILD=$i break]) done if test -z "$CC_FOR_BUILD"; then AC_MSG_ERROR([Cannot find a build system compiler]) fi fi if test "$CC_FOR_BUILD" = gcc ; then CC_FOR_BUILD="$CC_FOR_BUILD -O -g" fi fi AC_ARG_VAR(CC_FOR_BUILD,[build system C compiler]) AC_SUBST(CC_FOR_BUILD) ]) dnl GMP_PROG_CC_FOR_BUILD_WORKS(cc/cflags[,[action-if-good][,action-if-bad]]) dnl ------------------------------------------------------------------------- dnl See if the given cc/cflags works on the build system. dnl dnl It seems easiest to just use the default compiler output, rather than dnl figuring out the .exe or whatever at this stage. AC_DEFUN([GMP_PROG_CC_FOR_BUILD_WORKS], [AC_MSG_CHECKING([build system compiler $1]) # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&AC_FD_CC 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe AC_MSG_RESULT($cc_for_build_works) if test "$cc_for_build_works" = yes; then ifelse([$2],,:,[$2]) else ifelse([$3],,:,[$3]) fi ]) dnl GMP_PROG_EXEEXT_FOR_BUILD dnl ------------------------- dnl Determine EXEEXT_FOR_BUILD, the build system executable suffix. dnl dnl The idea is to find what "-o conftest$foo" will make it possible to run dnl the program with ./conftest. On Unix-like systems this is of course dnl nothing, for DOS it's ".exe", or for a strange RISC OS foreign file dnl system cross compile it can be ",ff8" apparently. Not sure if the dnl latter actually applies to a build-system executable, maybe it doesn't, dnl but it won't hurt to try. AC_DEFUN([GMP_PROG_EXEEXT_FOR_BUILD], [AC_REQUIRE([GMP_PROG_CC_FOR_BUILD]) AC_CACHE_CHECK([for build system executable suffix], gmp_cv_prog_exeext_for_build, [if test $cross_compiling = no ; then gmp_cv_prog_exeext_for_build="$EXEEXT" else cat >conftest.c <&AC_FD_CC; then gmp_cv_prog_exeext_for_build=$i break fi fi done rm -f conftest* if test "${gmp_cv_prog_exeext_for_build+set}" != set; then AC_MSG_ERROR([Cannot determine executable suffix]) fi fi ]) AC_SUBST(EXEEXT_FOR_BUILD,$gmp_cv_prog_exeext_for_build) ]) dnl NETTLE_CHECK_ARM_NEON dnl --------------------- dnl Check if ARM Neon instructions should be used. dnl Obeys enable_arm_neon, which should be set earlier. AC_DEFUN([NETTLE_CHECK_ARM_NEON], [if test "$enable_arm_neon" = auto ; then if test "$cross_compiling" = yes ; then dnl Check if compiler/assembler accepts it, dnl without an explicit .fpu neon directive. AC_CACHE_CHECK([if assembler accepts Neon instructions], nettle_cv_asm_arm_neon, [GMP_TRY_ASSEMBLE([ .text foo: vmlal.u32 q1, d0, d1 ], [nettle_cv_asm_arm_neon=yes], [nettle_cv_asm_arm_neon=no])]) enable_arm_neon="$nettle_cv_asm_arm_neon" else AC_MSG_CHECKING([if /proc/cpuinfo claims neon support]) if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then enable_arm_neon=yes else enable_arm_neon=no fi AC_MSG_RESULT($enable_arm_neon) fi fi ]) dnl NETTLE_CHECK_IFUNC dnl ------------------ dnl Check if __attribute__ ((ifunc(...))) works AC_DEFUN([NETTLE_CHECK_IFUNC], [AC_REQUIRE([AC_PROG_CC]) AC_CACHE_CHECK([for ifunc support], nettle_cv_link_ifunc, [AC_LINK_IFELSE([AC_LANG_PROGRAM([ static int foo_imp(int x) { return 1; } typedef void void_func (void); static void_func * foo_resolv(void) { return (void_func *) foo_imp; } int foo (int x) __attribute__ ((ifunc("foo_resolv"))); ],[ return foo(0); ])], [nettle_cv_link_ifunc=yes], [nettle_cv_link_ifunc=no])]) AH_TEMPLATE([HAVE_LINK_IFUNC], [Define if compiler and linker supports __attribute__ ifunc]) if test "x$nettle_cv_link_ifunc" = xyes ; then AC_DEFINE(HAVE_LINK_IFUNC) fi ]) dnl @synopsis AX_CREATE_STDINT_H [( HEADER-TO-GENERATE [, HEADERS-TO-CHECK])] dnl dnl the "ISO C9X: 7.18 Integer types " section requires the dnl existence of an include file that defines a set of dnl typedefs, especially uint8_t,int32_t,uintptr_t. dnl Many older installations will not provide this file, but some will dnl have the very same definitions in . In other enviroments dnl we can use the inet-types in which would define the dnl typedefs int8_t and u_int8_t respectivly. dnl dnl This macros will create a local "_stdint.h" or the headerfile given as dnl an argument. In many cases that file will just "#include " dnl or "#include ", while in other environments it will provide dnl the set of basic 'stdint's definitions/typedefs: dnl int8_t,uint8_t,int16_t,uint16_t,int32_t,uint32_t,intptr_t,uintptr_t dnl int_least32_t.. int_fast32_t.. intmax_t dnl which may or may not rely on the definitions of other files, dnl or using the AC_CHECK_SIZEOF macro to determine the actual dnl sizeof each type. dnl dnl if your header files require the stdint-types you will want to create an dnl installable file mylib-int.h that all your other installable header dnl may include. So if you have a library package named "mylib", just use dnl AX_CREATE_STDINT_H(mylib-int.h) dnl in configure.ac and go to install that very header file in Makefile.am dnl along with the other headers (mylib.h) - and the mylib-specific headers dnl can simply use "#include " to obtain the stdint-types. dnl dnl Remember, if the system already had a valid , the generated dnl file will include it directly. No need for fuzzy HAVE_STDINT_H things... dnl dnl @, (status: used on new platforms) (see http://ac-archive.sf.net/gstdint/) dnl @author Guido Draheim AC_DEFUN([AX_CREATE_STDINT_H], [# ------ AX CREATE STDINT H ------------------------------------- AC_MSG_CHECKING([for stdint types]) ac_stdint_h=`echo ifelse($1, , _stdint.h, $1)` # try to shortcircuit - if the default include path of the compiler # can find a "stdint.h" header then we assume that all compilers can. AC_CACHE_VAL([ac_cv_header_stdint_t],[ old_CXXFLAGS="$CXXFLAGS" ; CXXFLAGS="" old_CPPFLAGS="$CPPFLAGS" ; CPPFLAGS="" old_CFLAGS="$CFLAGS" ; CFLAGS="" AC_TRY_COMPILE([#include ],[int_least32_t v = 0;], [ac_cv_stdint_result="(assuming C99 compatible system)" ac_cv_header_stdint_t="stdint.h"; ], [ac_cv_header_stdint_t=""]) CXXFLAGS="$old_CXXFLAGS" CPPFLAGS="$old_CPPFLAGS" CFLAGS="$old_CFLAGS" ]) v="... $ac_cv_header_stdint_h" if test "$ac_stdint_h" = "stdint.h" ; then AC_MSG_RESULT([(are you sure you want them in ./stdint.h?)]) elif test "$ac_stdint_h" = "inttypes.h" ; then AC_MSG_RESULT([(are you sure you want them in ./inttypes.h?)]) elif test "_$ac_cv_header_stdint_t" = "_" ; then AC_MSG_RESULT([(putting them into $ac_stdint_h)$v]) else ac_cv_header_stdint="$ac_cv_header_stdint_t" AC_MSG_RESULT([$ac_cv_header_stdint (shortcircuit)]) fi if test "_$ac_cv_header_stdint_t" = "_" ; then # can not shortcircuit.. dnl .....intro message done, now do a few system checks..... dnl btw, all CHECK_TYPE macros do automatically "DEFINE" a type, therefore dnl we use the autoconf implementation detail _AC CHECK_TYPE_NEW instead inttype_headers=`echo $2 | sed -e 's/,/ /g'` ac_cv_stdint_result="(no helpful system typedefs seen)" AC_CACHE_CHECK([for stdint uintptr_t], [ac_cv_header_stdint_x],[ ac_cv_header_stdint_x="" # the 1997 typedefs (inttypes.h) AC_MSG_RESULT([(..)]) for i in stdint.h inttypes.h sys/inttypes.h $inttype_headers ; do unset ac_cv_type_uintptr_t unset ac_cv_type_uint64_t _AC_CHECK_TYPE_NEW(uintptr_t,[ac_cv_header_stdint_x=$i],dnl continue,[#include <$i>]) AC_CHECK_TYPE(uint64_t,[and64="/uint64_t"],[and64=""],[#include<$i>]) ac_cv_stdint_result="(seen uintptr_t$and64 in $i)" break; done AC_MSG_CHECKING([for stdint uintptr_t]) ]) if test "_$ac_cv_header_stdint_x" = "_" ; then AC_CACHE_CHECK([for stdint uint32_t], [ac_cv_header_stdint_o],[ ac_cv_header_stdint_o="" # the 1995 typedefs (sys/inttypes.h) AC_MSG_RESULT([(..)]) for i in inttypes.h sys/inttypes.h stdint.h $inttype_headers ; do unset ac_cv_type_uint32_t unset ac_cv_type_uint64_t AC_CHECK_TYPE(uint32_t,[ac_cv_header_stdint_o=$i],dnl continue,[#include <$i>]) AC_CHECK_TYPE(uint64_t,[and64="/uint64_t"],[and64=""],[#include<$i>]) ac_cv_stdint_result="(seen uint32_t$and64 in $i)" break; done AC_MSG_CHECKING([for stdint uint32_t]) ]) fi if test "_$ac_cv_header_stdint_x" = "_" ; then if test "_$ac_cv_header_stdint_o" = "_" ; then AC_CACHE_CHECK([for stdint u_int32_t], [ac_cv_header_stdint_u],[ ac_cv_header_stdint_u="" # the BSD typedefs (sys/types.h) AC_MSG_RESULT([(..)]) for i in sys/types.h inttypes.h sys/inttypes.h $inttype_headers ; do unset ac_cv_type_u_int32_t unset ac_cv_type_u_int64_t AC_CHECK_TYPE(u_int32_t,[ac_cv_header_stdint_u=$i],dnl continue,[#include <$i>]) AC_CHECK_TYPE(u_int64_t,[and64="/u_int64_t"],[and64=""],[#include<$i>]) ac_cv_stdint_result="(seen u_int32_t$and64 in $i)" break; done AC_MSG_CHECKING([for stdint u_int32_t]) ]) fi fi dnl if there was no good C99 header file, do some typedef checks... if test "_$ac_cv_header_stdint_x" = "_" ; then AC_MSG_CHECKING([for stdint datatype model]) AC_MSG_RESULT([(..)]) AC_CHECK_SIZEOF(char) AC_CHECK_SIZEOF(short) AC_CHECK_SIZEOF(int) AC_CHECK_SIZEOF(long) AC_CHECK_SIZEOF(void*) ac_cv_stdint_char_model="" ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_char" ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_short" ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_int" ac_cv_stdint_long_model="" ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_int" ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_long" ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_voidp" name="$ac_cv_stdint_long_model" case "$ac_cv_stdint_char_model/$ac_cv_stdint_long_model" in 122/242) name="$name, IP16 (standard 16bit machine)" ;; 122/244) name="$name, LP32 (standard 32bit mac/win)" ;; 122/*) name="$name (unusual int16 model)" ;; 124/444) name="$name, ILP32 (standard 32bit unixish)" ;; 124/488) name="$name, LP64 (standard 64bit unixish)" ;; 124/448) name="$name, LLP64 (unusual 64bit unixish)" ;; 124/*) name="$name (unusual int32 model)" ;; 128/888) name="$name, ILP64 (unusual 64bit numeric)" ;; 128/*) name="$name (unusual int64 model)" ;; 222/*|444/*) name="$name (unusual dsptype)" ;; *) name="$name (very unusal model)" ;; esac AC_MSG_RESULT([combined for stdint datatype model... $name]) fi if test "_$ac_cv_header_stdint_x" != "_" ; then ac_cv_header_stdint="$ac_cv_header_stdint_x" elif test "_$ac_cv_header_stdint_o" != "_" ; then ac_cv_header_stdint="$ac_cv_header_stdint_o" elif test "_$ac_cv_header_stdint_u" != "_" ; then ac_cv_header_stdint="$ac_cv_header_stdint_u" else ac_cv_header_stdint="stddef.h" fi AC_MSG_CHECKING([for extra inttypes in chosen header]) AC_MSG_RESULT([($ac_cv_header_stdint)]) dnl see if int_least and int_fast types are present in _this_ header. unset ac_cv_type_int_least32_t unset ac_cv_type_int_fast32_t AC_CHECK_TYPE(int_least32_t,,,[#include <$ac_cv_header_stdint>]) AC_CHECK_TYPE(int_fast32_t,,,[#include<$ac_cv_header_stdint>]) AC_CHECK_TYPE(intmax_t,,,[#include <$ac_cv_header_stdint>]) fi # shortcircut to system "stdint.h" # ------------------ PREPARE VARIABLES ------------------------------ if test "$GCC" = "yes" ; then ac_cv_stdint_message="using gnu compiler "`$CC --version | head -1` else ac_cv_stdint_message="using $CC" fi AC_MSG_RESULT([make use of $ac_cv_header_stdint in $ac_stdint_h dnl $ac_cv_stdint_result]) # ----------------- DONE inttypes.h checks START header ------------- AC_CONFIG_COMMANDS([$ac_stdint_h],[ AC_MSG_NOTICE(creating $ac_stdint_h : $_ac_stdint_h) ac_stdint=$tmp/_stdint.h echo "#ifndef" $_ac_stdint_h >$ac_stdint echo "#define" $_ac_stdint_h "1" >>$ac_stdint echo "#ifndef" _GENERATED_STDINT_H >>$ac_stdint echo "#define" _GENERATED_STDINT_H '"'$PACKAGE $VERSION'"' >>$ac_stdint echo "/* generated $ac_cv_stdint_message */" >>$ac_stdint if test "_$ac_cv_header_stdint_t" != "_" ; then echo "#define _STDINT_HAVE_STDINT_H" "1" >>$ac_stdint fi cat >>$ac_stdint < #else #include /* .................... configured part ............................ */ STDINT_EOF echo "/* whether we have a C99 compatible stdint header file */" >>$ac_stdint if test "_$ac_cv_header_stdint_x" != "_" ; then ac_header="$ac_cv_header_stdint_x" echo "#define _STDINT_HEADER_INTPTR" '"'"$ac_header"'"' >>$ac_stdint else echo "/* #undef _STDINT_HEADER_INTPTR */" >>$ac_stdint fi echo "/* whether we have a C96 compatible inttypes header file */" >>$ac_stdint if test "_$ac_cv_header_stdint_o" != "_" ; then ac_header="$ac_cv_header_stdint_o" echo "#define _STDINT_HEADER_UINT32" '"'"$ac_header"'"' >>$ac_stdint else echo "/* #undef _STDINT_HEADER_UINT32 */" >>$ac_stdint fi echo "/* whether we have a BSD compatible inet types header */" >>$ac_stdint if test "_$ac_cv_header_stdint_u" != "_" ; then ac_header="$ac_cv_header_stdint_u" echo "#define _STDINT_HEADER_U_INT32" '"'"$ac_header"'"' >>$ac_stdint else echo "/* #undef _STDINT_HEADER_U_INT32 */" >>$ac_stdint fi echo "" >>$ac_stdint if test "_$ac_header" != "_" ; then if test "$ac_header" != "stddef.h" ; then echo "#include <$ac_header>" >>$ac_stdint echo "" >>$ac_stdint fi fi echo "/* which 64bit typedef has been found */" >>$ac_stdint if test "$ac_cv_type_uint64_t" = "yes" ; then echo "#define _STDINT_HAVE_UINT64_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_UINT64_T */" >>$ac_stdint fi if test "$ac_cv_type_u_int64_t" = "yes" ; then echo "#define _STDINT_HAVE_U_INT64_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_U_INT64_T */" >>$ac_stdint fi echo "" >>$ac_stdint echo "/* which type model has been detected */" >>$ac_stdint if test "_$ac_cv_stdint_char_model" != "_" ; then echo "#define _STDINT_CHAR_MODEL" "$ac_cv_stdint_char_model" >>$ac_stdint echo "#define _STDINT_LONG_MODEL" "$ac_cv_stdint_long_model" >>$ac_stdint else echo "/* #undef _STDINT_CHAR_MODEL // skipped */" >>$ac_stdint echo "/* #undef _STDINT_LONG_MODEL // skipped */" >>$ac_stdint fi echo "" >>$ac_stdint echo "/* whether int_least types were detected */" >>$ac_stdint if test "$ac_cv_type_int_least32_t" = "yes"; then echo "#define _STDINT_HAVE_INT_LEAST32_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_INT_LEAST32_T */" >>$ac_stdint fi echo "/* whether int_fast types were detected */" >>$ac_stdint if test "$ac_cv_type_int_fast32_t" = "yes"; then echo "#define _STDINT_HAVE_INT_FAST32_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_INT_FAST32_T */" >>$ac_stdint fi echo "/* whether intmax_t type was detected */" >>$ac_stdint if test "$ac_cv_type_intmax_t" = "yes"; then echo "#define _STDINT_HAVE_INTMAX_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_INTMAX_T */" >>$ac_stdint fi echo "" >>$ac_stdint cat >>$ac_stdint <= 199901L #define _HAVE_UINT64_T typedef long long int64_t; typedef unsigned long long uint64_t; #elif !defined __STRICT_ANSI__ #if defined _MSC_VER || defined __WATCOMC__ || defined __BORLANDC__ #define _HAVE_UINT64_T typedef __int64 int64_t; typedef unsigned __int64 uint64_t; #elif defined __GNUC__ || defined __MWERKS__ || defined __ELF__ /* note: all ELF-systems seem to have loff-support which needs 64-bit */ #if !defined _NO_LONGLONG #define _HAVE_UINT64_T typedef long long int64_t; typedef unsigned long long uint64_t; #endif #elif defined __alpha || (defined __mips && defined _ABIN32) #if !defined _NO_LONGLONG typedef long int64_t; typedef unsigned long uint64_t; #endif /* compiler/cpu type to define int64_t */ #endif #endif #endif #if defined _STDINT_HAVE_U_INT_TYPES /* int8_t int16_t int32_t defined by inet code, redeclare the u_intXX types */ typedef u_int8_t uint8_t; typedef u_int16_t uint16_t; typedef u_int32_t uint32_t; /* glibc compatibility */ #ifndef __int8_t_defined #define __int8_t_defined #endif #endif #ifdef _STDINT_NEED_INT_MODEL_T /* we must guess all the basic types. Apart from byte-adressable system, */ /* there a few 32-bit-only dsp-systems that we guard with BYTE_MODEL 8-} */ /* (btw, those nibble-addressable systems are way off, or so we assume) */ dnl /* have a look at "64bit and data size neutrality" at */ dnl /* http://unix.org/version2/whatsnew/login_64bit.html */ dnl /* (the shorthand "ILP" types always have a "P" part) */ #if defined _STDINT_BYTE_MODEL #if _STDINT_LONG_MODEL+0 == 242 /* 2:4:2 = IP16 = a normal 16-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned long uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef long int32_t; #endif #elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL == 444 /* 2:4:4 = LP32 = a 32-bit system derived from a 16-bit */ /* 4:4:4 = ILP32 = a normal 32-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef int int32_t; #endif #elif _STDINT_LONG_MODEL+0 == 484 || _STDINT_LONG_MODEL+0 == 488 /* 4:8:4 = IP32 = a 32-bit system prepared for 64-bit */ /* 4:8:8 = LP64 = a normal 64-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef int int32_t; #endif /* this system has a "long" of 64bit */ #ifndef _HAVE_UINT64_T #define _HAVE_UINT64_T typedef unsigned long uint64_t; typedef long int64_t; #endif #elif _STDINT_LONG_MODEL+0 == 448 /* LLP64 a 64-bit system derived from a 32-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef int int32_t; #endif /* assuming the system has a "long long" */ #ifndef _HAVE_UINT64_T #define _HAVE_UINT64_T typedef unsigned long long uint64_t; typedef long long int64_t; #endif #else #define _STDINT_NO_INT32_T #endif #else #define _STDINT_NO_INT8_T #define _STDINT_NO_INT32_T #endif #endif /* * quote from SunOS-5.8 sys/inttypes.h: * Use at your own risk. As of February 1996, the committee is squarely * behind the fixed sized types; the "least" and "fast" types are still being * discussed. The probability that the "fast" types may be removed before * the standard is finalized is high enough that they are not currently * implemented. */ #if defined _STDINT_NEED_INT_LEAST_T typedef int8_t int_least8_t; typedef int16_t int_least16_t; typedef int32_t int_least32_t; #ifdef _HAVE_UINT64_T typedef int64_t int_least64_t; #endif typedef uint8_t uint_least8_t; typedef uint16_t uint_least16_t; typedef uint32_t uint_least32_t; #ifdef _HAVE_UINT64_T typedef uint64_t uint_least64_t; #endif /* least types */ #endif #if defined _STDINT_NEED_INT_FAST_T typedef int8_t int_fast8_t; typedef int int_fast16_t; typedef int32_t int_fast32_t; #ifdef _HAVE_UINT64_T typedef int64_t int_fast64_t; #endif typedef uint8_t uint_fast8_t; typedef unsigned uint_fast16_t; typedef uint32_t uint_fast32_t; #ifdef _HAVE_UINT64_T typedef uint64_t uint_fast64_t; #endif /* fast types */ #endif #ifdef _STDINT_NEED_INTMAX_T #ifdef _HAVE_UINT64_T typedef int64_t intmax_t; typedef uint64_t uintmax_t; #else typedef long intmax_t; typedef unsigned long uintmax_t; #endif #endif #ifdef _STDINT_NEED_INTPTR_T #ifndef __intptr_t_defined #define __intptr_t_defined /* we encourage using "long" to store pointer values, never use "int" ! */ #if _STDINT_LONG_MODEL+0 == 242 || _STDINT_LONG_MODEL+0 == 484 typedef unsigned int uintptr_t; typedef int intptr_t; #elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL+0 == 444 typedef unsigned long uintptr_t; typedef long intptr_t; #elif _STDINT_LONG_MODEL+0 == 448 && defined _HAVE_UINT64_T typedef uint64_t uintptr_t; typedef int64_t intptr_t; #else /* matches typical system types ILP32 and LP64 - but not IP16 or LLP64 */ typedef unsigned long uintptr_t; typedef long intptr_t; #endif #endif #endif /* shortcircuit*/ #endif /* once */ #endif #endif STDINT_EOF if cmp -s $ac_stdint_h $ac_stdint 2>/dev/null; then AC_MSG_NOTICE([$ac_stdint_h is unchanged]) else ac_dir=`AS_DIRNAME(["$ac_stdint_h"])` AS_MKDIR_P(["$ac_dir"]) rm -f $ac_stdint_h mv $ac_stdint $ac_stdint_h fi ],[# variables for create stdint.h replacement PACKAGE="$PACKAGE" VERSION="$VERSION" ac_stdint_h="$ac_stdint_h" _ac_stdint_h=AS_TR_CPP(_$PACKAGE-$ac_stdint_h) ac_cv_stdint_message="$ac_cv_stdint_message" ac_cv_header_stdint_t="$ac_cv_header_stdint_t" ac_cv_header_stdint_x="$ac_cv_header_stdint_x" ac_cv_header_stdint_o="$ac_cv_header_stdint_o" ac_cv_header_stdint_u="$ac_cv_header_stdint_u" ac_cv_type_uint64_t="$ac_cv_type_uint64_t" ac_cv_type_u_int64_t="$ac_cv_type_u_int64_t" ac_cv_stdint_char_model="$ac_cv_stdint_char_model" ac_cv_stdint_long_model="$ac_cv_stdint_long_model" ac_cv_type_int_least32_t="$ac_cv_type_int_least32_t" ac_cv_type_int_fast32_t="$ac_cv_type_int_fast32_t" ac_cv_type_intmax_t="$ac_cv_type_intmax_t" ]) ]) # ld-version-script.m4 serial 3 dnl Copyright (C) 2008-2014 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, dnl with or without modifications, as long as this notice is preserved. dnl From Simon Josefsson # FIXME: The test below returns a false positive for mingw # cross-compiles, 'local:' statements does not reduce number of # exported symbols in a DLL. Use --disable-ld-version-script to work # around the problem. # gl_LD_VERSION_SCRIPT # -------------------- # Check if LD supports linker scripts, and define automake conditional # HAVE_LD_VERSION_SCRIPT if so. AC_DEFUN([LD_VERSION_SCRIPT], [ AC_ARG_ENABLE([ld-version-script], AS_HELP_STRING([--enable-ld-version-script], [enable linker version script (default is enabled when possible)]), [have_ld_version_script=$enableval], []) if test -z "$have_ld_version_script"; then AC_MSG_CHECKING([if LD -Wl,--version-script works]) save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" cat > conftest.map < conftest.map <size, length, digest_info) && _rsa_verify (key, m, s)); mpz_clear(m); return res; } nettle-3.4.1/ccm.h0000644000175000017500000002263113401564746012767 0ustar nissenisse/* ccm.h Counter with CBC-MAC mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby Contributed to GNU Nettle by Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* NIST SP800-38C doesn't specify the particular formatting and * counter generation algorithm for CCM, but it does include an * example algorithm. This example has become the de-factor standard, * and has been adopted by both the IETF and IEEE across a wide * variety of protocols. */ #ifndef NETTLE_CCM_H_INCLUDED #define NETTLE_CCM_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ccm_set_nonce nettle_ccm_set_nonce #define ccm_update nettle_ccm_update #define ccm_encrypt nettle_ccm_encrypt #define ccm_decrypt nettle_ccm_decrypt #define ccm_digest nettle_ccm_digest #define ccm_encrypt_message nettle_ccm_encrypt_message #define ccm_decrypt_message nettle_ccm_decrypt_message #define ccm_aes128_set_key nettle_ccm_aes128_set_key #define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce #define ccm_aes128_update nettle_ccm_aes128_update #define ccm_aes128_encrypt nettle_ccm_aes128_encrypt #define ccm_aes128_decrypt nettle_ccm_aes128_decrypt #define ccm_aes128_digest nettle_ccm_aes128_digest #define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message #define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message #define ccm_aes192_set_key nettle_ccm_aes192_set_key #define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce #define ccm_aes192_update nettle_ccm_aes192_update #define ccm_aes192_encrypt nettle_ccm_aes192_encrypt #define ccm_aes192_decrypt nettle_ccm_aes192_decrypt #define ccm_aes192_digest nettle_ccm_aes192_digest #define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message #define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message #define ccm_aes256_set_key nettle_ccm_aes256_set_key #define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce #define ccm_aes256_update nettle_ccm_aes256_update #define ccm_aes256_encrypt nettle_ccm_aes256_encrypt #define ccm_aes256_decrypt nettle_ccm_aes256_decrypt #define ccm_aes256_digest nettle_ccm_aes256_digest #define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message #define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message /* For CCM, the block size of the block cipher shall be 128 bits. */ #define CCM_BLOCK_SIZE 16 #define CCM_DIGEST_SIZE 16 #define CCM_MIN_NONCE_SIZE 7 #define CCM_MAX_NONCE_SIZE 14 /* Maximum cleartext message size, as a function of the nonce size N. The length field is L octets, with L = 15 - N, and then the maximum size M = 2^{8L} - 1. */ #define CCM_MAX_MSG_SIZE(N) \ ((sizeof(size_t) + (N) <= 15) \ ? ~(size_t) 0 \ : ((size_t) 1 << (8*(15 - N))) - 1) /* Per-message state */ struct ccm_ctx { union nettle_block16 ctr; /* Counter for CTR encryption. */ union nettle_block16 tag; /* CBC-MAC message tag. */ /* Length of data processed by the CBC-MAC modulus the block size */ unsigned int blength; }; /* * CCM mode requires the adata and message lengths when building the IV, which * prevents streaming processing and it incompatible with the AEAD API. */ void ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data); void ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest); /* * All-in-one encryption and decryption API: * tlength = sizeof(digest) * mlength = sizeof(cleartext) * clength = sizeof(ciphertext) = mlength + tlength * * The ciphertext will contain the encrypted payload with the message digest * appended to the end. */ void ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); /* * The decryption function will write the plaintext to dst and parse the digest * from the final tlength bytes of the ciphertext. If the digest matched the * value computed during decryption then this will return 1, or it will return * 0 if the digest was invalid. */ int ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* CCM Mode with AES-128 */ struct ccm_aes128_ctx { struct ccm_ctx ccm; struct aes128_ctx cipher; }; void ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key); void ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes128_update (struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes128_digest(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *digest); void ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); struct ccm_aes192_ctx { struct ccm_ctx ccm; struct aes192_ctx cipher; }; /* CCM Mode with AES-192 */ void ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key); void ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes192_update(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes192_digest(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *digest); void ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* CCM Mode with AES-256 */ struct ccm_aes256_ctx { struct ccm_ctx ccm; struct aes256_ctx cipher; }; void ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key); void ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes256_update(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes256_digest(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *digest); void ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CCM_H_INCLUDED */ nettle-3.4.1/nettle-meta-aeads.c0000644000175000017500000000266313401564745015514 0ustar nissenisse/* nettle-meta-aeads.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #undef nettle_aeads const struct nettle_aead * const nettle_aeads[] = { &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, &nettle_gcm_camellia128, &nettle_gcm_camellia256, &nettle_eax_aes128, &nettle_chacha_poly1305, NULL }; const struct nettle_aead * const * nettle_get_aeads (void) { return nettle_aeads; } nettle-3.4.1/sec-sub-1.c0000644000175000017500000000256013401564746013716 0ustar nissenisse/* sec-sub-1.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" mp_limb_t sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b) { mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t a; a = ap[i]; rp[i] = a - b; b = a < b; } return b; } nettle-3.4.1/rsa-sha256-sign.c0000644000175000017500000000335413401564746014752 0ustar nissenisse/* rsa-sha256-sign.c Signatures using RSA and SHA256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_sign(const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha256_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha256_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha256_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.4.1/pgp.h0000644000175000017500000001430113401564746013006 0ustar nissenisse/* pgp.h PGP related functions. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PGP_H_INCLUDED #define NETTLE_PGP_H_INCLUDED #include #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define pgp_put_uint32 nettle_pgp_put_uint32 #define pgp_put_uint16 nettle_pgp_put_uint16 #define pgp_put_mpi nettle_pgp_put_mpi #define pgp_put_string nettle_pgp_put_string #define pgp_put_length nettle_pgp_put_length #define pgp_put_header nettle_pgp_put_header #define pgp_put_header_length nettle_pgp_put_header_length #define pgp_sub_packet_start nettle_pgp_sub_packet_start #define pgp_put_sub_packet nettle_pgp_put_sub_packet #define pgp_sub_packet_end nettle_pgp_sub_packet_end #define pgp_put_public_rsa_key nettle_pgp_put_public_rsa_key #define pgp_put_rsa_sha1_signature nettle_pgp_put_rsa_sha1_signature #define pgp_put_userid nettle_pgp_put_userid #define pgp_crc24 nettle_pgp_crc24 #define pgp_armor nettle_pgp_armor struct nettle_buffer; struct rsa_public_key; struct rsa_private_key; struct sha1_ctx; int pgp_put_uint32(struct nettle_buffer *buffer, uint32_t i); int pgp_put_uint16(struct nettle_buffer *buffer, unsigned i); int pgp_put_mpi(struct nettle_buffer *buffer, const mpz_t x); int pgp_put_string(struct nettle_buffer *buffer, unsigned length, const uint8_t *s); int pgp_put_length(struct nettle_buffer *buffer, unsigned length); int pgp_put_header(struct nettle_buffer *buffer, unsigned tag, unsigned length); void pgp_put_header_length(struct nettle_buffer *buffer, /* start of the header */ unsigned start, unsigned field_size); unsigned pgp_sub_packet_start(struct nettle_buffer *buffer); int pgp_put_sub_packet(struct nettle_buffer *buffer, unsigned type, unsigned length, const uint8_t *data); void pgp_sub_packet_end(struct nettle_buffer *buffer, unsigned start); int pgp_put_public_rsa_key(struct nettle_buffer *, const struct rsa_public_key *key, time_t timestamp); int pgp_put_rsa_sha1_signature(struct nettle_buffer *buffer, const struct rsa_private_key *key, const uint8_t *keyid, unsigned type, struct sha1_ctx *hash); int pgp_put_userid(struct nettle_buffer *buffer, unsigned length, const uint8_t *name); uint32_t pgp_crc24(unsigned length, const uint8_t *data); int pgp_armor(struct nettle_buffer *buffer, const char *tag, unsigned length, const uint8_t *data); /* Values that can be passed to pgp_put_header when the size of the * length field, but not the length itself, is known. Also the minimum length * for the given field size. */ enum pgp_lengths { PGP_LENGTH_ONE_OCTET = 0, PGP_LENGTH_TWO_OCTETS = 192, PGP_LENGTH_FOUR_OCTETS = 8384, }; enum pgp_public_key_algorithm { PGP_RSA = 1, PGP_RSA_ENCRYPT = 2, PGP_RSA_SIGN = 3, PGP_EL_GAMAL_ENCRYPT = 16, PGP_DSA = 17, PGP_EL_GAMAL = 20, }; enum pgp_symmetric_algorithm { PGP_PLAINTEXT = 0, PGP_IDEA = 1, PGP_3DES = 2, PGP_CAST5 = 3, PGP_BLOWFISH = 4, PGP_SAFER_SK = 5, PGP_AES128 = 7, PGP_AES192 = 8, PGP_AES256 = 9, }; enum pgp_compression_algorithm { PGP_UNCOMPRESSED = 0, PGP_ZIP = 1, PGP_ZLIB = 2, }; enum pgp_hash_algorithm { PGP_MD5 = 1, PGP_SHA1 = 2, PGP_RIPEMD = 3, PGP_MD2 = 5, PGP_TIGER192 = 6, PGP_HAVAL = 7, }; enum pgp_tag { PGP_TAG_PUBLIC_SESSION_KEY = 1, PGP_TAG_SIGNATURE = 2, PGP_TAG_SYMMETRIC_SESSION_KEY = 3, PGP_TAG_ONE_PASS_SIGNATURE = 4, PGP_TAG_SECRET_KEY = 5, PGP_TAG_PUBLIC_KEY = 6, PGP_TAG_SECRET_SUBKEY = 7, PGP_TAG_COMPRESSED = 8, PGP_TAG_ENCRYPTED = 9, PGP_TAG_MARKER = 10, PGP_TAG_LITERAL = 11, PGP_TAG_TRUST = 12, PGP_TAG_USERID = 13, PGP_TAG_PUBLIC_SUBKEY = 14, }; enum pgp_signature_type { PGP_SIGN_BINARY = 0, PGP_SIGN_TEXT = 1, PGP_SIGN_STANDALONE = 2, PGP_SIGN_CERTIFICATION = 0x10, PGP_SIGN_CERTIFICATION_PERSONA = 0x11, PGP_SIGN_CERTIFICATION_CASUAL = 0x12, PGP_SIGN_CERTIFICATION_POSITIVE = 0x13, PGP_SIGN_SUBKEY = 0x18, PGP_SIGN_KEY = 0x1f, PGP_SIGN_REVOCATION = 0x20, PGP_SIGN_REVOCATION_SUBKEY = 0x28, PGP_SIGN_REVOCATION_CERTIFICATE = 0x30, PGP_SIGN_TIMESTAMP = 0x40, }; enum pgp_subpacket_tag { PGP_SUBPACKET_CREATION_TIME = 2, PGP_SUBPACKET_SIGNATURE_EXPIRATION_TIME = 3, PGP_SUBPACKET_EXPORTABLE_CERTIFICATION = 4, PGP_SUBPACKET_TRUST_SIGNATURE = 5, PGP_SUBPACKET_REGULAR_EXPRESSION = 6, PGP_SUBPACKET_REVOCABLE = 7, PGP_SUBPACKET_KEY_EXPIRATION_TIME = 9, PGP_SUBPACKET_PLACEHOLDER = 10 , PGP_SUBPACKET_PREFERRED_SYMMETRIC_ALGORITHMS = 11, PGP_SUBPACKET_REVOCATION_KEY = 12, PGP_SUBPACKET_ISSUER_KEY_ID = 16, PGP_SUBPACKET_NOTATION_DATA = 20, PGP_SUBPACKET_PREFERRED_HASH_ALGORITHMS = 21, PGP_SUBPACKET_PREFERRED_COMPRESSION_ALGORITHMS = 22, PGP_SUBPACKET_KEY_SERVER_PREFERENCES = 23, PGP_SUBPACKET_PREFERRED_KEY_SERVER = 24, PGP_SUBPACKET_PRIMARY_USER_ID = 25, PGP_SUBPACKET_POLICY_URL = 26, PGP_SUBPACKET_KEY_FLAGS = 27, PGP_SUBPACKET_SIGNERS_USER_ID = 28, PGP_SUBPACKET_REASON_FOR_REVOCATION = 29, }; #ifdef __cplusplus } #endif #endif /* NETTLE_PGP_H_INCLUDED */ nettle-3.4.1/rsa-md5-sign-tr.c0000644000175000017500000000367113401564746015054 0ustar nissenisse/* rsa-md5-sign-tr.c Signatures using RSA and MD5. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_md5_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.4.1/gmp-glue.c0000644000175000017500000001553213401564746013737 0ustar nissenisse/* gmp-glue.c Copyright (C) 2013 Niels Möller Copyright (C) 2013 Red Hat This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gmp-glue.h" #if !GMP_HAVE_mpz_limbs_read /* This implementation tries to make a minimal use of GMP internals. We access and _mp_size and _mp_d, but not _mp_alloc. */ /* Use macros compatible with gmp-impl.h. */ #define ABS(x) ((x) >= 0 ? (x) : -(x)) #define PTR(x) ((x)->_mp_d) #define SIZ(x) ((x)->_mp_size) #define ABSIZ(x) ABS (SIZ (x)) #define MPN_NORMALIZE(xp, xn) do { \ while ( (xn) > 0 && (xp)[xn-1] == 0) \ (xn)--; \ } while (0) /* NOTE: Makes an unnecessary realloc if allocation is already large enough, but looking at _mp_alloc may break in future GMP versions. */ #define MPZ_REALLOC(x, n) \ (ABSIZ(x) >= (n) ? PTR(x) : (_mpz_realloc ((x),(n)), PTR (x))) #define MPZ_NEWALLOC MPZ_REALLOC /* Read access to mpz numbers. */ /* Return limb pointer, for read-only operations. Use mpz_size to get the number of limbs. */ const mp_limb_t * mpz_limbs_read (mpz_srcptr x) { return PTR (x); } /* Write access to mpz numbers. */ /* Get a limb pointer for writing, previous contents may be destroyed. */ mp_limb_t * mpz_limbs_write (mpz_ptr x, mp_size_t n) { assert (n > 0); return MPZ_NEWALLOC (x, n); } /* Get a limb pointer for writing, previous contents is intact. */ mp_limb_t * mpz_limbs_modify (mpz_ptr x, mp_size_t n) { assert (n > 0); return MPZ_REALLOC (x, n); } void mpz_limbs_finish (mpz_ptr x, mp_size_t n) { assert (n >= 0); MPN_NORMALIZE (PTR(x), n); SIZ (x) = n; } /* Needs some ugly casts. */ mpz_srcptr mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs) { mp_size_t xn = ABS (xs); MPN_NORMALIZE (xp, xn); x->_mp_size = xs < 0 ? -xn : xn; x->_mp_alloc = 0; x->_mp_d = (mp_limb_t *) xp; return x; } #endif /* !GMP_HAVE_mpz_limbs_read */ void cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n) { mp_limb_t mask = - (mp_limb_t) (cnd != 0); mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t a, b, t; a = ap[i]; b = bp[i]; t = (a ^ b) & mask; ap[i] = a ^ t; bp[i] = b ^ t; } } /* Additional convenience functions. */ int mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn) { mp_size_t an = mpz_size (a); assert (mpz_sgn (a) >= 0); assert (bn >= 0); if (an < bn) return -1; if (an > bn) return 1; if (an == 0) return 0; return mpn_cmp (mpz_limbs_read(a), bp, an); } /* Get a pointer to an n limb area, for read-only operation. n must be greater or equal to the current size, and the mpz is zero-padded if needed. */ const mp_limb_t * mpz_limbs_read_n (mpz_ptr x, mp_size_t n) { mp_size_t xn = mpz_size (x); mp_ptr xp; assert (xn <= n); xp = mpz_limbs_modify (x, n); if (xn < n) mpn_zero (xp + xn, n - xn); return xp; } void mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n) { mp_size_t xn = mpz_size (x); assert (xn <= n); mpn_copyi (xp, mpz_limbs_read (x), xn); if (xn < n) mpn_zero (xp + xn, n - xn); } void mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn) { mpn_copyi (mpz_limbs_write (r, xn), xp, xn); mpz_limbs_finish (r, xn); } void mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn) { size_t xi; mp_limb_t out; unsigned bits; for (xi = xn, out = bits = 0; xi > 0 && rn > 0; ) { mp_limb_t in = xp[--xi]; out |= (in << bits) & GMP_NUMB_MASK; bits += 8; if (bits >= GMP_NUMB_BITS) { *rp++ = out; rn--; bits -= GMP_NUMB_BITS; out = in >> (8 - bits); } } if (rn > 0) { *rp++ = out; if (--rn > 0) mpn_zero (rp, rn); } } void mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn) { size_t xi; mp_limb_t out; unsigned bits; for (xi = 0, out = bits = 0; xi < xn && rn > 0; ) { mp_limb_t in = xp[xi++]; out |= (in << bits) & GMP_NUMB_MASK; bits += 8; if (bits >= GMP_NUMB_BITS) { *rp++ = out; rn--; bits -= GMP_NUMB_BITS; out = in >> (8 - bits); } } if (rn > 0) { *rp++ = out; if (--rn > 0) mpn_zero (rp, rn); } } void mpn_get_base256 (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn) { unsigned bits; mp_limb_t in; for (bits = in = 0; xn > 0 && rn > 0; ) { if (bits >= 8) { rp[--rn] = in; in >>= 8; bits -= 8; } else { uint8_t old = in; in = *xp++; xn--; rp[--rn] = old | (in << bits); in >>= (8 - bits); bits += GMP_NUMB_BITS - 8; } } while (rn > 0) { rp[--rn] = in; in >>= 8; } } void mpn_get_base256_le (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn) { unsigned bits; mp_limb_t in; for (bits = in = 0; xn > 0 && rn > 0; ) { if (bits >= 8) { *rp++ = in; rn--; in >>= 8; bits -= 8; } else { uint8_t old = in; in = *xp++; xn--; *rp++ = old | (in << bits); rn--; in >>= (8 - bits); bits += GMP_NUMB_BITS - 8; } } while (rn > 0) { *rp++ = in; rn--; in >>= 8; } } mp_limb_t * gmp_alloc_limbs (mp_size_t n) { void *(*alloc_func)(size_t); assert (n > 0); mp_get_memory_functions (&alloc_func, NULL, NULL); return (mp_limb_t *) alloc_func ( (size_t) n * sizeof(mp_limb_t)); } void gmp_free_limbs (mp_limb_t *p, mp_size_t n) { void (*free_func)(void *, size_t); assert (n > 0); assert (p != 0); mp_get_memory_functions (NULL, NULL, &free_func); free_func (p, (size_t) n * sizeof(mp_limb_t)); } void * gmp_alloc(size_t n) { void *(*alloc_func)(size_t); assert (n > 0); mp_get_memory_functions(&alloc_func, NULL, NULL); return alloc_func (n); } void gmp_free(void *p, size_t n) { void (*free_func)(void *, size_t); assert (n > 0); assert (p != 0); mp_get_memory_functions (NULL, NULL, &free_func); free_func (p, (size_t) n); } nettle-3.4.1/realloc.h0000644000175000017500000000241713401564746013646 0ustar nissenisse/* realloc.h Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_REALLOC_H_INCLUDED #define NETTLE_REALLOC_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif nettle_realloc_func nettle_realloc; nettle_realloc_func nettle_xrealloc; #ifdef __cplusplus } #endif #endif /* NETTLE_REALLOC_H_INCLUDED */ nettle-3.4.1/ecc-scalar.c0000644000175000017500000000332213401564746014211 0ustar nissenisse/* ecc-scalar.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc) { s->ecc = ecc; s->p = gmp_alloc_limbs (ecc->p.size); } void ecc_scalar_clear (struct ecc_scalar *s) { gmp_free_limbs (s->p, s->ecc->p.size); } int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z) { mp_size_t size = s->ecc->p.size; if (mpz_sgn (z) <= 0 || mpz_limbs_cmp (z, s->ecc->q.m, size) >= 0) return 0; mpz_limbs_copy (s->p, z, size); return 1; } void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z) { mpz_set_n (z, s->p, s->ecc->p.size); } nettle-3.4.1/eddsa-decompress.c0000644000175000017500000000441613401564746015443 0ustar nissenisse/* eddsa-decompress.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "gmp-glue.h" mp_size_t _eddsa_decompress_itch (const struct ecc_curve *ecc) { return 4*ecc->p.size + ecc->p.sqrt_itch; } int _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, const uint8_t *cp, mp_limb_t *scratch) { mp_limb_t sign, cy; int res; #define xp p #define yp (p + ecc->p.size) #define y2 scratch #define vp (scratch + ecc->p.size) #define up scratch #define tp (scratch + 2*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) sign = cp[ecc->p.bit_size / 8] >> (ecc->p.bit_size & 7); if (sign > 1) return 0; mpn_set_base256_le (yp, ecc->p.size, cp, 1 + ecc->p.bit_size / 8); /* Clear out the sign bit (if it fits) */ yp[ecc->p.size - 1] &= ~(mp_limb_t) 0 >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); ecc_modp_sqr (ecc, y2, yp); ecc_modp_mul (ecc, vp, y2, ecc->b); ecc_modp_sub (ecc, vp, vp, ecc->unit); ecc_modp_sub (ecc, up, ecc->unit, y2); res = ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out); cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, tp, ecc->p.size); sign ^= xp[0] & 1; mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size); cnd_copy (sign, xp, tp, ecc->p.size); return res; } nettle-3.4.1/ecc-mul-g.c0000644000175000017500000000557113401564746013775 0ustar nissenisse/* ecc-mul-g.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_jja call. Current total is 9 * ecc->p.size, at most 648 bytes. */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) unsigned k, c; unsigned i, j; unsigned bit_rows; int is_zero; k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->p.bit_size + k - 1) / k; mpn_zero (r, 3*ecc->p.size); for (i = k, is_zero = 1; i-- > 0; ) { ecc_dup_jj (ecc, r, r, scratch); for (j = 0; j * c < bit_rows; j++) { unsigned bits; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned bit_index; /* Extract c bits from n, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { mp_size_t limb_index; unsigned shift; bit_index -= k; limb_index = bit_index / GMP_NUMB_BITS; if (limb_index >= ecc->p.size) continue; shift = bit_index % GMP_NUMB_BITS; bits = (bits << 1) | ((np[limb_index] >> shift) & 1); } sec_tabselect (tp, 2*ecc->p.size, (ecc->pippenger_table + (2*ecc->p.size * (mp_size_t) j << c)), 1<p.size); cnd_copy (is_zero, r + 2*ecc->p.size, ecc->unit, ecc->p.size); ecc_add_jja (ecc, tp, r, tp, scratch_out); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero != 0 or bits == 0, . */ cnd_copy (bits & (is_zero - 1), r, tp, 3*ecc->p.size); is_zero &= (bits == 0); } } #undef tp #undef scratch_out } nettle-3.4.1/ecc-dup-jj.c0000644000175000017500000000635713401564746014150 0ustar nissenisse/* ecc-dup-jj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* NOTE: Behaviour for corner cases: + p = 0 ==> r = 0, correct! */ void ecc_dup_jj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): Computation Operation Live variables delta = z^2 sqr delta gamma = y^2 sqr delta, gamma z' = (y+z)^2-gamma-delta sqr delta, gamma alpha = 3*(x-delta)*(x+delta) mul gamma, beta, alpha beta = x*gamma mul gamma, beta, alpha x' = alpha^2-8*beta sqr gamma, beta, alpha y' = alpha*(4*beta-x')-8*gamma^2 mul, sqr */ #define delta scratch #define gamma (scratch + ecc->p.size) #define beta (scratch + 2*ecc->p.size) #define g2 (scratch + 3*ecc->p.size) #define sum (scratch + 4*ecc->p.size) #define alpha scratch /* Overlap delta */ #define xp p #define yp (p + ecc->p.size) #define zp (p + 2*ecc->p.size) /* delta */ ecc_modp_sqr (ecc, delta, zp); /* gamma */ ecc_modp_sqr (ecc, gamma, yp); /* z'. Can use beta area as scratch. */ ecc_modp_add (ecc, r + 2*ecc->p.size, yp, zp); ecc_modp_sqr (ecc, beta, r + 2*ecc->p.size); ecc_modp_sub (ecc, beta, beta, gamma); ecc_modp_sub (ecc, r + 2*ecc->p.size, beta, delta); /* alpha. Can use beta area as scratch, and overwrite delta. */ ecc_modp_add (ecc, sum, xp, delta); ecc_modp_sub (ecc, delta, xp, delta); ecc_modp_mul (ecc, beta, sum, delta); ecc_modp_mul_1 (ecc, alpha, beta, 3); /* beta */ ecc_modp_mul (ecc, beta, xp, gamma); /* Do gamma^2 and 4*beta early, to get them out of the way. We can then use the old area at gamma as scratch. */ ecc_modp_sqr (ecc, g2, gamma); ecc_modp_mul_1 (ecc, sum, beta, 4); /* x' */ ecc_modp_sqr (ecc, gamma, alpha); /* Overwrites gamma and beta */ ecc_modp_submul_1 (ecc, gamma, sum, 2); mpn_copyi (r, gamma, ecc->p.size); /* y' */ ecc_modp_sub (ecc, sum, sum, r); ecc_modp_mul (ecc, gamma, sum, alpha); ecc_modp_submul_1 (ecc, gamma, g2, 8); mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); } nettle-3.4.1/examples/0000755000175000017500000000000013401564747013667 5ustar nissenissenettle-3.4.1/examples/rsa-encrypt-test0000755000175000017500000000070313401564747017041 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-encrypt$EXEEXT ] ; then if $EMULATOR ./rsa-encrypt -r rsa-decrypt$EXEEXT testkey.pub < "$data" > testciphertext ; then : else exit 1 fi if $EMULATOR ./rsa-decrypt testkey < testciphertext > testcleartext ; then : else exit 1 fi if cmp "$data" testcleartext ; then exit 0 else exit 1 fi else exit 77 fi nettle-3.4.1/examples/teardown-env0000755000175000017500000000033213401564747016224 0ustar nissenisse#! /bin/sh rm -rf testkey testkey.pub testsignature testsignature2 \ testdata testtmp \ testciphertext testcleartext case "$EMULATOR" in wine*) find . -type l -name '*.dll' -exec rm -f '{}' ';' ;; esac nettle-3.4.1/examples/setup-env0000755000175000017500000000044613401564747015547 0ustar nissenisse#! /bin/sh set -e # Workaround, it seems difficult to convince wine to put ../lib into PATH. case "$EMULATOR" in wine*) for f in ../.lib/*.dll ; do ln -sf "$f" . done ;; esac if [ -x rsa-keygen$EXEEXT ] ; then $EMULATOR ./rsa-keygen -r rsa-decrypt$EXEEXT -o testkey || exit 1 fi nettle-3.4.1/examples/rsa-session.h0000644000175000017500000000325113401564747016307 0ustar nissenisse/* Session key definitions for the rsa-encrypt and rsa-decrypt programs. */ #ifndef NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED #define NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED #include "aes.h" #include "cbc.h" #include "hmac.h" #define RSA_VERSION 1 /* Encryption program using the following file format: uint32_t version = 1; uint32_t nsize; uint8_t x[nsize]; uint8_t encrypted[n]; uint8_t hmac[SHA1_DIGEST_SIZE]; where x is the data uint32_t version = 1; uint8_t aes_key[AES_KEY_SIZE]; uint8_t iv[AES_BLOCK_SIZE]; uint8_t hmac_key[SHA1_DIGEST_SIZE]; of size (4 + AES_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) = 72 bytes, encrypted using rsa-pkcs1. The cleartext input is encrypted using aes-cbc. The final block is padded as | data | random octets | padding length | where the last octet is the padding length, a number between 1 and AES_BLOCK_SIZE (inclusive). */ struct rsa_session { struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; struct hmac_sha1_ctx hmac; struct yarrow256_ctx yarrow; }; struct rsa_session_info { /* Version followed by aes key, iv and mac key */ uint8_t key[4 + AES_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE]; }; #define SESSION_VERSION(s) ((s)->key) #define SESSION_AES_KEY(s) ((s)->key + 4) #define SESSION_IV(s) ((s)->key + 4 + AES_KEY_SIZE) #define SESSION_HMAC_KEY(s) ((s)->key + 4 + AES_KEY_SIZE + AES_BLOCK_SIZE) void rsa_session_set_encrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key); void rsa_session_set_decrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key); #endif /* NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED */ nettle-3.4.1/examples/rsa-keygen.c0000644000175000017500000001107513401564747016104 0ustar nissenisse/* rsa-keygen.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "buffer.h" #include "rsa.h" #include "sexp.h" #include "yarrow.h" #include "io.h" #include "getopt.h" #define DEFAULT_KEYSIZE 2048 #define ESIZE 30 static void progress(void *ctx, int c) { (void) ctx; fputc(c, stderr); } static unsigned long uint_arg (char c, const char *arg) { unsigned long val; char *end; val = strtoul(arg, &end, 0); if (*arg == '\0' || *end != '\0') { werror ("Invalid integer argument for -%c option.\n", c); exit (EXIT_FAILURE); } return val; } int main(int argc, char **argv) { struct yarrow256_ctx yarrow; struct rsa_public_key pub; struct rsa_private_key priv; int c; char *pub_name = NULL; const char *priv_name = NULL; const char *random_name = NULL; struct nettle_buffer pub_buffer; struct nettle_buffer priv_buffer; unsigned long key_size = DEFAULT_KEYSIZE; unsigned long key_e = 0; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "o:r:e:s:", options, NULL)) != -1) switch (c) { case 'o': priv_name = optarg; break; case 'r': random_name = optarg; break; case 's': key_size = uint_arg ('s', optarg); break; case 'e': key_e = uint_arg ('e', optarg); break; case OPT_HELP: printf("FIXME: Usage information.\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } if (!priv_name) { werror("No filename provided.\n"); return EXIT_FAILURE; } pub_name = xalloc(strlen(priv_name) + 5); sprintf(pub_name, "%s.pub", priv_name); /* NOTE: No sources */ yarrow256_init(&yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&yarrow, random_name)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } rsa_public_key_init(&pub); rsa_private_key_init(&priv); if (key_e) mpz_set_ui (pub.e, key_e); if (!rsa_generate_keypair (&pub, &priv, (void *) &yarrow, (nettle_random_func *) yarrow256_random, NULL, progress, key_size, key_e == 0 ? ESIZE : 0)) { werror("Key generation failed.\n"); return EXIT_FAILURE; } nettle_buffer_init(&priv_buffer); nettle_buffer_init(&pub_buffer); if (!rsa_keypair_to_sexp(&pub_buffer, "rsa-pkcs1-sha1", &pub, NULL)) { werror("Formatting public key failed.\n"); return EXIT_FAILURE; } if (!rsa_keypair_to_sexp(&priv_buffer, "rsa-pkcs1-sha1", &pub, &priv)) { werror("Formatting private key failed.\n"); return EXIT_FAILURE; } if (!write_file(pub_name, pub_buffer.size, pub_buffer.contents)) { werror("Failed to write public key: %s\n", strerror(errno)); return EXIT_FAILURE; } /* NOTE: This doesn't set up paranoid access restrictions on the * private key file, like a serious key generation tool would do. */ if (!write_file(priv_name, priv_buffer.size, priv_buffer.contents)) { werror("Failed to write private key: %s\n", strerror(errno)); return EXIT_FAILURE; } nettle_buffer_clear(&priv_buffer); nettle_buffer_clear(&pub_buffer); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); free (pub_name); return EXIT_SUCCESS; } nettle-3.4.1/examples/rsa-sign.c0000644000175000017500000000405413401564747015561 0ustar nissenisse/* rsa-sign.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include /* string.h must be included before gmp.h */ #include "rsa.h" #include "io.h" int main(int argc, char **argv) { struct rsa_private_key key; struct sha1_ctx hash; mpz_t s; if (argc != 2) { werror("Usage: rsa-sign PRIVATE-KEY < file\n"); return EXIT_FAILURE; } rsa_private_key_init(&key); if (!read_rsa_key(argv[1], NULL, &key)) { werror("Invalid key\n"); return EXIT_FAILURE; } sha1_init(&hash); if (!hash_file(&nettle_sha1, &hash, stdin)) { werror("Failed reading stdin: %s\n", strerror(errno)); return 0; } mpz_init(s); if (!rsa_sha1_sign(&key, &hash, s)) { werror("RSA key too small\n"); return 0; } if (!mpz_out_str(stdout, 16, s)) { werror("Failed writing signature: %s\n", strerror(errno)); return 0; } putchar('\n'); mpz_clear(s); rsa_private_key_clear(&key); return EXIT_SUCCESS; } nettle-3.4.1/examples/ecc-benchmark.c0000644000175000017500000001773613401564747016533 0ustar nissenisse/* ecc-benchmark.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include "timing.h" #include "../ecc.h" #include "../ecc-internal.h" #include "../gmp-glue.h" #define BENCH_INTERVAL 0.1 static void * xalloc (size_t size) { void *p = malloc (size); if (!p) { fprintf (stderr, "Virtual memory exhausted\n"); abort (); } return p; } static mp_limb_t * xalloc_limbs (mp_size_t size) { return xalloc (size * sizeof(mp_limb_t)); } /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; /* Warm up */ f(arg); for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls; } #if !NETTLE_USE_MINI_GMP static int modinv_gcd (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, mp_limb_t *tp) { mp_size_t size = ecc->p.size; mp_limb_t *up = tp; mp_limb_t *vp = tp + size+1; mp_limb_t *gp = tp + 2*(size+1); mp_limb_t *sp = tp + 3*(size+1); mp_size_t gn, sn; mpn_copyi (up, ap, size); mpn_copyi (vp, ecc->p.m, size); gn = mpn_gcdext (gp, sp, &sn, up, size, vp, size); if (gn != 1 || gp[0] != 1) return 0; if (sn < 0) mpn_sub (sp, ecc->p.m, size, sp, -sn); else if (sn < size) /* Zero-pad. */ mpn_zero (sp + sn, size - sn); mpn_copyi (rp, sp, size); return 1; } #endif struct ecc_ctx { const struct ecc_curve *ecc; mp_limb_t *rp; mp_limb_t *ap; mp_limb_t *bp; mp_limb_t *tp; }; static void bench_modp (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->p.mod (&ctx->ecc->p, ctx->rp); } static void bench_reduce (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->p.reduce (&ctx->ecc->p, ctx->rp); } static void bench_modq (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->q.mod(&ctx->ecc->q, ctx->rp); } static void bench_modinv (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->p.invert (&ctx->ecc->p, ctx->rp, ctx->ap, ctx->tp); } #if !NETTLE_USE_MINI_GMP static void bench_modinv_gcd (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp + ctx->ecc->p.size, ctx->ap, ctx->ecc->p.size); modinv_gcd (ctx->ecc, ctx->rp, ctx->rp + ctx->ecc->p.size, ctx->tp); } #endif #ifdef mpn_sec_powm static void bench_modinv_powm (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; const struct ecc_curve *ecc = ctx->ecc; mp_size_t size = ecc->p.size; mpn_sub_1 (ctx->rp + size, ecc->p.m, size, 2); mpn_sec_powm (ctx->rp, ctx->ap, size, ctx->rp + size, ecc->p.bit_size, ecc->p.m, size, ctx->tp); } #endif static void bench_dup_jj (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ecc_dup_jj (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_add_jja (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ecc_add_jja (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_add_hhh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->add_hhh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_mul_g (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->mul_g (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_mul_a (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->mul (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_dup_eh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ecc_dup_eh (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_add_eh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ecc_add_eh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } #if NETTLE_USE_MINI_GMP static void mpn_random (mp_limb_t *xp, mp_size_t n) { mp_size_t i; for (i = 0; i < n; i++) xp[i] = rand(); } #endif static void bench_curve (const struct ecc_curve *ecc) { struct ecc_ctx ctx; double modp, reduce, modq, modinv, modinv_gcd, modinv_powm, dup_jj, add_jja, add_hhh, mul_g, mul_a; mp_limb_t mask; mp_size_t itch; ctx.ecc = ecc; ctx.rp = xalloc_limbs (3*ecc->p.size); ctx.ap = xalloc_limbs (3*ecc->p.size); ctx.bp = xalloc_limbs (3*ecc->p.size); itch = ecc->mul_itch; #ifdef mpn_sec_powm { mp_size_t powm_itch = mpn_sec_powm_itch (ecc->p.size, ecc->p.bit_size, ecc->p.size); if (powm_itch > itch) itch = powm_itch; } #endif ctx.tp = xalloc_limbs (itch); mpn_random (ctx.ap, 3*ecc->p.size); mpn_random (ctx.bp, 3*ecc->p.size); mask = (~(mp_limb_t) 0) >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); ctx.ap[ecc->p.size - 1] &= mask; ctx.ap[2*ecc->p.size - 1] &= mask; ctx.ap[3*ecc->p.size - 1] &= mask; ctx.bp[ecc->p.size - 1] &= mask; ctx.bp[2*ecc->p.size - 1] &= mask; ctx.bp[3*ecc->p.size - 1] &= mask; modp = time_function (bench_modp, &ctx); reduce = time_function (bench_reduce, &ctx); modq = time_function (bench_modq, &ctx); modinv = time_function (bench_modinv, &ctx); #if !NETTLE_USE_MINI_GMP modinv_gcd = time_function (bench_modinv_gcd, &ctx); #else modinv_gcd = 0; #endif #ifdef mpn_sec_powm modinv_powm = time_function (bench_modinv_powm, &ctx); #else modinv_powm = 0; #endif if (ecc->p.bit_size == 255) { /* For now, curve25519 is a special case */ dup_jj = time_function (bench_dup_eh, &ctx); add_jja = time_function (bench_add_eh, &ctx); } else { dup_jj = time_function (bench_dup_jj, &ctx); add_jja = time_function (bench_add_jja, &ctx); } add_hhh = time_function (bench_add_hhh, &ctx); mul_g = time_function (bench_mul_g, &ctx); mul_a = time_function (bench_mul_a, &ctx); free (ctx.rp); free (ctx.ap); free (ctx.bp); free (ctx.tp); printf ("%4d %6.4f %6.4f %6.4f %6.2f %6.3f %6.2f %6.3f %6.3f %6.3f %6.1f %6.1f\n", ecc->p.bit_size, 1e6 * modp, 1e6 * reduce, 1e6 * modq, 1e6 * modinv, 1e6 * modinv_gcd, 1e6 * modinv_powm, 1e6 * dup_jj, 1e6 * add_jja, 1e6 * add_hhh, 1e6 * mul_g, 1e6 * mul_a); } const struct ecc_curve * const curves[] = { &nettle_secp_192r1, &nettle_secp_224r1, &_nettle_curve25519, &nettle_secp_256r1, &nettle_secp_384r1, &nettle_secp_521r1, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) int main (int argc UNUSED, char **argv UNUSED) { unsigned i; time_init(); printf ("%4s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s (us)\n", "size", "modp", "reduce", "modq", "modinv", "mi_gcd", "mi_pow", "dup_jj", "ad_jja", "ad_hhh", "mul_g", "mul_a"); for (i = 0; i < numberof (curves); i++) bench_curve (curves[i]); return EXIT_SUCCESS; } nettle-3.4.1/examples/Makefile.in0000644000175000017500000001161513401564747015740 0ustar nissenisse@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. OPENSSL_LIBFLAGS = @OPENSSL_LIBFLAGS@ BENCH_LIBS = @BENCH_LIBS@ -lm HOGWEED_TARGETS = rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT) \ rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT) \ random-prime$(EXEEXT) \ hogweed-benchmark$(EXEEXT) ecc-benchmark$(EXEEXT) ENC_TARGETS = base16enc$(EXEEXT) base16dec$(EXEEXT) \ base64enc$(EXEEXT) base64dec$(EXEEXT) TARGETS = nettle-benchmark$(EXEEXT) eratosthenes$(EXEEXT) \ $(ENC_TARGETS) @IF_HOGWEED@ $(HOGWEED_TARGETS) SOURCES = nettle-benchmark.c hogweed-benchmark.c ecc-benchmark.c \ eratosthenes.c random-prime.c \ nettle-openssl.c \ io.c read_rsa_key.c \ rsa-encrypt.c rsa-decrypt.c rsa-keygen.c rsa-sign.c rsa-verify.c \ base16enc.c base16dec.c base64enc.c base64dec.c timing.c GETOPT_OBJS = ../getopt.$(OBJEXT) ../getopt1.$(OBJEXT) TS_ALL = rsa-sign-test rsa-verify-test rsa-encrypt-test DISTFILES= $(SOURCES) Makefile.in $(TS_ALL) setup-env teardown-env \ io.h rsa-session.h timing.h all: $(TARGETS) .c.$(OBJEXT): $(COMPILE) -c $< && $(DEP_PROCESS) # NOTE: If we required GNU make, we could use a single rule with $(@F) # or $(notdir $@) ../getopt.$(OBJEXT): ( cd .. && $(MAKE) getopt.$(OBJEXT)) ../getopt1.$(OBJEXT): ( cd .. && $(MAKE) getopt1.$(OBJEXT)) ../nettle-internal.$(OBJEXT): ( cd .. && $(MAKE) nettle-internal.$(OBJEXT)) # For Solaris and BSD make, we have to use an explicit rule for each executable random-prime$(EXEEXT): random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) $(LINK) random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o random-prime$(EXEEXT) rsa-keygen$(EXEEXT): rsa-keygen.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) $(LINK) rsa-keygen.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT): rsa-sign.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-sign.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-sign$(EXEEXT) rsa-verify$(EXEEXT): rsa-verify.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-verify.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT): rsa-encrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(GETOPT_OBJS) $(LINK) rsa-encrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT): rsa-decrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-decrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-decrypt$(EXEEXT) base16enc$(EXEEXT): base16enc.$(OBJEXT) io.$(OBJEXT) $(LINK) base16enc.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base16enc$(EXEEXT) base16dec$(EXEEXT): base16dec.$(OBJEXT) io.$(OBJEXT) $(LINK) base16dec.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base16dec$(EXEEXT) base64enc$(EXEEXT): base64enc.$(OBJEXT) io.$(OBJEXT) $(LINK) base64enc.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base64enc$(EXEEXT) base64dec$(EXEEXT): base64dec.$(OBJEXT) io.$(OBJEXT) $(LINK) base64dec.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base64dec$(EXEEXT) eratosthenes$(EXEEXT): eratosthenes.$(OBJEXT) $(GETOPT_OBJS) $(LINK) eratosthenes.$(OBJEXT) $(GETOPT_OBJS) -o eratosthenes$(EXEEXT) BENCH_OBJS = nettle-benchmark.$(OBJEXT) nettle-openssl.$(OBJEXT) \ $(GETOPT_OBJS) ../nettle-internal.$(OBJEXT) timing.$(OBJEXT) nettle-benchmark$(EXEEXT): $(BENCH_OBJS) $(LINK) $(BENCH_OBJS) -lnettle $(BENCH_LIBS) $(OPENSSL_LIBFLAGS) -o nettle-benchmark$(EXEEXT) ECC_BENCH_OBJS = ecc-benchmark.$(OBJEXT) timing.$(OBJEXT) ecc-benchmark$(EXEEXT): $(ECC_BENCH_OBJS) $(LINK) $(ECC_BENCH_OBJS) -lhogweed -lnettle $(BENCH_LIBS) $(LIBS) \ -o ecc-benchmark$(EXEEXT) HOGWEED_BENCH_OBJS = hogweed-benchmark.$(OBJEXT) timing.$(OBJEXT) hogweed-benchmark$(EXEEXT): $(HOGWEED_BENCH_OBJS) $(LINK) $(HOGWEED_BENCH_OBJS) \ -lhogweed -lnettle $(BENCH_LIBS) $(LIBS) $(OPENSSL_LIBFLAGS) \ -o hogweed-benchmark$(EXEEXT) $(TARGETS) : io.$(OBJEXT) ../libnettle.stamp $(HOGWEED_TARGETS): ../libhogweed.stamp # The PATH update is for windows dlls, DYLD_LIBRARY_PATH is for OSX. check: $(TS_ALL) LD_LIBRARY_PATH=../.lib PATH="../.lib:$$PATH" DYLD_LIBRARY_PATH=../.lib \ srcdir="$(srcdir)" EMULATOR="$(EMULATOR)" EXEEXT="$(EXEEXT)" \ "$(top_srcdir)"/run-tests $(TS_ALL) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status examples/$@ install uninstall: true # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, equivalent for phony targets. distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) *.$(OBJEXT) distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h @DEP_INCLUDE@ $(SOURCES:.c=.$(OBJEXT).d) nettle-3.4.1/examples/rsa-verify-test0000755000175000017500000000120413401564747016656 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-verify$EXEEXT ] ; then $EMULATOR ./rsa-sign testkey < "$data" > testsignature \ && $EMULATOR ./rsa-verify testkey.pub testsignature < "$data" \ || exit 1; # Try modifying the data sed s/128/129/ < "$data" >testdata if $EMULATOR ./rsa-verify testkey.pub testsignature < testdata 2>/dev/null; then exit 1 fi # Try modifying the signature sed s/1/2/ testsignature2 if $EMULATOR ./rsa-verify testkey.pub testsignature2 < "$data" 2>/dev/null; then exit 1; fi exit 0 else exit 77 fi nettle-3.4.1/examples/rsa-sign-test0000755000175000017500000000036613401564747016322 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-sign$EXEEXT ] ; then if $EMULATOR ./rsa-sign testkey < "$data" > testsignature ; then exit 0; else exit 1 fi else exit 77 fi nettle-3.4.1/examples/timing.c0000644000175000017500000000522413401564747015325 0ustar nissenisse/* timing.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "timing.h" #include #include #include #include #include #include #if HAVE_CLOCK_GETTIME && defined CLOCK_PROCESS_CPUTIME_ID #define TRY_CLOCK_GETTIME 1 struct timespec cgt_start; static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static int cgt_works_p(void) { struct timespec now; return clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &now) == 0; } static void cgt_time_start(void) { if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &cgt_start) < 0) die("clock_gettime failed: %s\n", strerror(errno)); } static double cgt_time_end(void) { struct timespec end; if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &end) < 0) die("clock_gettime failed: %s\n", strerror(errno)); return end.tv_sec - cgt_start.tv_sec + 1e-9 * (end.tv_nsec - cgt_start.tv_nsec); } #endif /* !HAVE_CLOCK_GETTIME */ static clock_t clock_start; static void clock_time_start(void) { clock_start = clock(); } static double clock_time_end(void) { return (double) (clock() - (clock_start)) / CLOCKS_PER_SEC; } void (*time_start)(void) = clock_time_start; double (*time_end)(void) = clock_time_end; void time_init(void) { /* Choose timing function */ #if TRY_CLOCK_GETTIME if (cgt_works_p()) { time_start = cgt_time_start; time_end = cgt_time_end; } else { fprintf(stderr, "clock_gettime not working, falling back to clock\n"); time_start = clock_time_start; time_end = clock_time_end; } #endif } nettle-3.4.1/examples/nettle-openssl.c0000644000175000017500000002043113401564747017007 0ustar nissenisse/* nettle-openssl.c Glue that's used only by the benchmark, and subject to change. Copyright (C) 2002, 2017 Niels Möller Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif /* Openssl glue, for comparative benchmarking only */ #if WITH_OPENSSL /* No ancient ssleay compatibility */ #define NCOMPAT #define OPENSSL_DISABLE_OLD_DES_SUPPORT #include #include #include #include #include #include #include "nettle-internal.h" /* We use Openssl's EVP api for all openssl ciphers. This API selects platform-specific implementations if appropriate, e.g., using x86 AES-NI instructions. */ struct openssl_cipher_ctx { EVP_CIPHER_CTX *evp; }; void nettle_openssl_init(void) { ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); #if OPENSSL_VERSION_NUMBER >= 0x1010000 CONF_modules_load_file(NULL, NULL, 0); #else OPENSSL_config(NULL); #endif } static void openssl_evp_set_encrypt_key(void *p, const uint8_t *key, const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; ctx->evp = EVP_CIPHER_CTX_new(); assert(EVP_EncryptInit_ex(ctx->evp, cipher, NULL, key, NULL) == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void openssl_evp_set_decrypt_key(void *p, const uint8_t *key, const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; ctx->evp = EVP_CIPHER_CTX_new(); assert(EVP_DecryptInit_ex(ctx->evp, cipher, NULL, key, NULL) == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void openssl_evp_encrypt(const void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; assert(EVP_EncryptUpdate(ctx->evp, dst, &len, src, length) == 1); } static void openssl_evp_decrypt(const void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; assert(EVP_DecryptUpdate(ctx->evp, dst, &len, src, length) == 1); } /* AES */ static nettle_set_key_func openssl_aes128_set_encrypt_key; static nettle_set_key_func openssl_aes128_set_decrypt_key; static nettle_set_key_func openssl_aes192_set_encrypt_key; static nettle_set_key_func openssl_aes192_set_decrypt_key; static nettle_set_key_func openssl_aes256_set_encrypt_key; static nettle_set_key_func openssl_aes256_set_decrypt_key; static void openssl_aes128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_128_ecb()); } static void openssl_aes128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_128_ecb()); } static void openssl_aes192_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_192_ecb()); } static void openssl_aes192_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_192_ecb()); } static void openssl_aes256_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_256_ecb()); } static void openssl_aes256_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_256_ecb()); } const struct nettle_cipher nettle_openssl_aes128 = { "openssl aes128", sizeof(struct openssl_cipher_ctx), 16, 16, openssl_aes128_set_encrypt_key, openssl_aes128_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; const struct nettle_cipher nettle_openssl_aes192 = { "openssl aes192", sizeof(struct openssl_cipher_ctx), 16, 24, openssl_aes192_set_encrypt_key, openssl_aes192_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; const struct nettle_cipher nettle_openssl_aes256 = { "openssl aes256", sizeof(struct openssl_cipher_ctx), 16, 32, openssl_aes256_set_encrypt_key, openssl_aes256_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; /* Arcfour */ static void openssl_arcfour128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_rc4()); } static void openssl_arcfour128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_rc4()); } const struct nettle_aead nettle_openssl_arcfour128 = { "openssl arcfour128", sizeof(struct openssl_cipher_ctx), 1, 16, 0, 0, openssl_arcfour128_set_encrypt_key, openssl_arcfour128_set_decrypt_key, NULL, NULL, (nettle_crypt_func *)openssl_evp_encrypt, (nettle_crypt_func *)openssl_evp_decrypt, NULL, }; /* Blowfish */ static void openssl_bf128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_bf_ecb()); } static void openssl_bf128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_bf_ecb()); } const struct nettle_cipher nettle_openssl_blowfish128 = { "openssl bf128", sizeof(struct openssl_cipher_ctx), 8, 16, openssl_bf128_set_encrypt_key, openssl_bf128_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; /* DES */ static void openssl_des_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_des_ecb()); } static void openssl_des_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_des_ecb()); } const struct nettle_cipher nettle_openssl_des = { "openssl des", sizeof(struct openssl_cipher_ctx), 8, 8, openssl_des_set_encrypt_key, openssl_des_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; /* Cast128 */ static void openssl_cast128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_cast5_ecb()); } static void openssl_cast128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_cast5_ecb()); } const struct nettle_cipher nettle_openssl_cast128 = { "openssl cast128", sizeof(struct openssl_cipher_ctx), 8, 16, openssl_cast128_set_encrypt_key, openssl_cast128_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; /* Hash functions */ /* md5 */ static nettle_hash_init_func openssl_md5_init; static void openssl_md5_init(void *ctx) { MD5_Init(ctx); } static nettle_hash_update_func openssl_md5_update; static void openssl_md5_update(void *ctx, size_t length, const uint8_t *src) { MD5_Update(ctx, src, length); } static nettle_hash_digest_func openssl_md5_digest; static void openssl_md5_digest(void *ctx, size_t length, uint8_t *dst) { assert(length == SHA_DIGEST_LENGTH); MD5_Final(dst, ctx); MD5_Init(ctx); } const struct nettle_hash nettle_openssl_md5 = { "openssl md5", sizeof(SHA_CTX), SHA_DIGEST_LENGTH, SHA_CBLOCK, openssl_md5_init, openssl_md5_update, openssl_md5_digest }; /* sha1 */ static nettle_hash_init_func openssl_sha1_init; static void openssl_sha1_init(void *ctx) { SHA1_Init(ctx); } static nettle_hash_update_func openssl_sha1_update; static void openssl_sha1_update(void *ctx, size_t length, const uint8_t *src) { SHA1_Update(ctx, src, length); } static nettle_hash_digest_func openssl_sha1_digest; static void openssl_sha1_digest(void *ctx, size_t length, uint8_t *dst) { assert(length == SHA_DIGEST_LENGTH); SHA1_Final(dst, ctx); SHA1_Init(ctx); } const struct nettle_hash nettle_openssl_sha1 = { "openssl sha1", sizeof(SHA_CTX), SHA_DIGEST_LENGTH, SHA_CBLOCK, openssl_sha1_init, openssl_sha1_update, openssl_sha1_digest }; #endif /* WITH_OPENSSL */ nettle-3.4.1/examples/read_rsa_key.c0000644000175000017500000000301213401564747016457 0ustar nissenisse/* read_rsa_key.c Used by the rsa example programs. Copyright (C) 2002, 2007 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "io.h" #include "rsa.h" /* Split out from io.c, since it depends on hogweed. */ int read_rsa_key(const char *name, struct rsa_public_key *pub, struct rsa_private_key *priv) { unsigned length; uint8_t *buffer; int res; length = read_file(name, 0, &buffer); if (!length) return 0; res = rsa_keypair_from_sexp(pub, priv, 0, length, buffer); free(buffer); return res; } nettle-3.4.1/examples/io.c0000644000175000017500000000720313401564747014444 0ustar nissenisse/* io.c Miscellaneous functions used by the example programs. Copyright (C) 2002, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include /* For errno and strerror */ #include #include #include "io.h" #define RANDOM_DEVICE "/dev/urandom" #define BUFSIZE 1000 int quiet_flag = 0; void * xalloc(size_t size) { void *p = malloc(size); if (!p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } void werror(const char *format, ...) { if (!quiet_flag) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } } size_t read_file(const char *name, size_t max_size, uint8_t **contents) { size_t size, done; uint8_t *buffer; FILE *f; f = fopen(name, "rb"); if (!f) { werror("Opening `%s' failed: %s\n", name, strerror(errno)); return 0; } size = 100; for (buffer = NULL, done = 0;; size *= 2) { uint8_t *p; if (max_size && size > max_size) size = max_size; /* Space for terminating NUL */ p = realloc(buffer, size + 1); if (!p) { fail: fclose(f); free(buffer); *contents = NULL; return 0; } buffer = p; done += fread(buffer + done, 1, size - done, f); if (done < size) { /* Short count means EOF or read error */ if (ferror(f)) { fprintf (stderr, "Reading `%s' failed: %s\n", name, strerror(errno)); goto fail; } if (done == 0) /* Treat empty file as error */ goto fail; break; } if (size == max_size) break; } fclose(f); /* NUL-terminate the data. */ buffer[done] = '\0'; *contents = buffer; return done; } int write_data(FILE *f, size_t size, const void *buffer) { size_t res = fwrite(buffer, 1, size, f); return res == size; } int write_file(const char *name, size_t size, const void *buffer) { FILE *f = fopen(name, "wb"); int res; if (!f) return 0; res = write_data(f, size, buffer); return fclose(f) == 0 && res; } int simple_random(struct yarrow256_ctx *ctx, const char *name) { unsigned length; uint8_t *buffer; if (name) length = read_file(name, 0, &buffer); else length = read_file(RANDOM_DEVICE, 20, &buffer); if (!length) return 0; yarrow256_seed(ctx, length, buffer); free(buffer); return 1; } int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f) { for (;;) { uint8_t buffer[BUFSIZE]; size_t res = fread(buffer, 1, sizeof(buffer), f); if (ferror(f)) return 0; hash->update(ctx, res, buffer); if (feof(f)) return 1; } } nettle-3.4.1/examples/rsa-encrypt.c0000644000175000017500000001323113401564747016302 0ustar nissenisse/* rsa-encrypt.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #ifdef WIN32 #include #endif /* string.h must be included before gmp.h */ #include "bignum.h" #include "buffer.h" #include "macros.h" #include "rsa.h" #include "yarrow.h" #include "io.h" #include "rsa-session.h" #include "getopt.h" void rsa_session_set_encrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key) { const uint8_t *aes_key = SESSION_AES_KEY(key); const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); aes_set_encrypt_key(&ctx->aes.ctx, AES_KEY_SIZE, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } static int write_uint32(FILE *f, uint32_t n) { uint8_t buffer[4]; WRITE_UINT32(buffer, n); return write_data(f, sizeof(buffer), buffer); } static int write_version(FILE *f) { return write_uint32(f, 1); } static int write_bignum(FILE *f, mpz_t x) { unsigned size = nettle_mpz_sizeinbase_256_u(x); uint8_t *p; int res; if (!write_uint32(f, size)) return 0; p = xalloc(size); nettle_mpz_get_str_256(size, p, x); res = write_data(f, size, p); free(p); return res; } #define BLOCK_SIZE (AES_BLOCK_SIZE * 100) static int process_file(struct rsa_session *ctx, FILE *in, FILE *out) { uint8_t buffer[BLOCK_SIZE + SHA1_DIGEST_SIZE]; for (;;) { size_t size = fread(buffer, 1, BLOCK_SIZE, in); hmac_sha1_update(&ctx->hmac, size, buffer); if (size < BLOCK_SIZE) { unsigned leftover; unsigned padding; if (ferror(in)) { werror("Reading input failed: %s\n", strerror(errno)); return 0; } leftover = size % AES_BLOCK_SIZE; padding = AES_BLOCK_SIZE - leftover; assert (size + padding <= BLOCK_SIZE); if (padding > 1) yarrow256_random(&ctx->yarrow, padding - 1, buffer + size); size += padding; buffer[size - 1] = padding; CBC_ENCRYPT(&ctx->aes, aes_encrypt, size, buffer, buffer); assert (size + SHA1_DIGEST_SIZE <= sizeof(buffer)); hmac_sha1_digest(&ctx->hmac, SHA1_DIGEST_SIZE, buffer + size); size += SHA1_DIGEST_SIZE; if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } return 1; } CBC_ENCRYPT(&ctx->aes, aes_encrypt, size, buffer, buffer); if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } } } static void usage (FILE *out) { fprintf (out, "Usage: rsa-encrypt [OPTIONS] PUBLIC-KEY < cleartext\n" "Options:\n" " -r, --random=FILE seed file for randomness generator\n" " --help display this help\n"); } int main(int argc, char **argv) { struct rsa_session ctx; struct rsa_session_info info; struct rsa_public_key key; mpz_t x; int c; const char *random_name = NULL; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "o:r:", options, NULL)) != -1) switch (c) { case 'r': random_name = optarg; break; case '?': return EXIT_FAILURE; case OPT_HELP: usage(stdout); return EXIT_SUCCESS; default: abort(); } argv += optind; argc -= optind; if (argc != 1) { usage (stderr); return EXIT_FAILURE; } rsa_public_key_init(&key); if (!read_rsa_key(argv[0], &key, NULL)) { werror("Invalid key\n"); return EXIT_FAILURE; } /* NOTE: No sources */ yarrow256_init(&ctx.yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&ctx.yarrow, random_name)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } WRITE_UINT32(SESSION_VERSION(&info), RSA_VERSION); yarrow256_random(&ctx.yarrow, sizeof(info.key) - 4, info.key + 4); rsa_session_set_encrypt_key(&ctx, &info); #ifdef WIN32 _setmode(0, O_BINARY); _setmode(1, O_BINARY); #endif write_version(stdout); mpz_init(x); if (!rsa_encrypt(&key, &ctx.yarrow, (nettle_random_func *) yarrow256_random, sizeof(info.key), info.key, x)) { werror("RSA encryption failed.\n"); return EXIT_FAILURE; } write_bignum(stdout, x); mpz_clear (x); if (!process_file(&ctx, stdin, stdout)) return EXIT_FAILURE; rsa_public_key_clear(&key); return EXIT_SUCCESS; } nettle-3.4.1/examples/base64dec.c0000644000175000017500000000571113401564747015577 0ustar nissenisse/* base64dec -- an decoder for base64 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base64.h" #include "io.h" #define CHUNK_SIZE 16392 /* The maximum number of bytes generated for each chunk: */ #define DECODED_SIZE BASE64_DECODE_LENGTH(CHUNK_SIZE) /* * Reads base-64 encoded from stdin, writes decoded to stdout. */ int main(int argc UNUSED, char **argv UNUSED) { /* "buffer" will hold the bytes from disk: */ char * buffer = xalloc (CHUNK_SIZE); /* "result" will hold bytes before output: */ uint8_t * result = xalloc (DECODED_SIZE); /* We need a Base64 context for decoding: */ struct base64_decode_ctx b64_ctx; /* Init the context: */ base64_decode_init(&b64_ctx); #ifdef WIN32 _setmode(1, O_BINARY); #endif for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ size_t decoded_bytes; /* Bytes actually generated at each iteration */ nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); if (nbytes < CHUNK_SIZE && ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } /* Decodes one chunk: */ if (!base64_decode_update(&b64_ctx, &decoded_bytes, result, nbytes, buffer)) { werror ("Error decoding input (not base64?)\n"); return EXIT_FAILURE; } if (!write_data (stdout, decoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (nbytes < CHUNK_SIZE) { /* Check if decoding finalized OK: */ if (!base64_decode_final(&b64_ctx)) { werror ("Decoding did not finish properly.\n"); return EXIT_FAILURE; } break; } } if (fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } free (buffer); free (result); return EXIT_SUCCESS; } nettle-3.4.1/examples/rsa-decrypt.c0000644000175000017500000001313713401564747016275 0ustar nissenisse/* rsa-decrypt.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #ifdef WIN32 #include #endif /* string.h must be included before gmp.h */ #include "aes.h" #include "bignum.h" #include "buffer.h" #include "cbc.h" #include "hmac.h" #include "macros.h" #include "memops.h" #include "rsa.h" #include "yarrow.h" #include "io.h" #include "rsa-session.h" void rsa_session_set_decrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key) { const uint8_t *aes_key = SESSION_AES_KEY(key); const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); aes_set_decrypt_key(&ctx->aes.ctx, AES_KEY_SIZE, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } static int read_uint32(FILE *f, uint32_t *n) { uint8_t buf[4]; if (fread(buf, 1, sizeof(buf), f) != sizeof(buf)) return 0; *n = READ_UINT32(buf); return 1; } static int read_version(FILE *f) { uint32_t version; return read_uint32(f, &version) && version == RSA_VERSION; } static int read_bignum(FILE *f, mpz_t x) { uint32_t size; if (read_uint32(f, &size) && size < 1000) { uint8_t *p = xalloc(size); if (fread(p, 1, size, f) != size) { free(p); return 0; } nettle_mpz_set_str_256_u(x, size, p); free(p); return 1; } return 0; } struct process_ctx { struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; struct hmac_sha1_ctx hmac; struct yarrow256_ctx yarrow; }; #define BUF_SIZE (100 * AES_BLOCK_SIZE) /* Trailing data that needs special processing */ #define BUF_FINAL (AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) static int process_file(struct rsa_session *ctx, FILE *in, FILE *out) { uint8_t buffer[BUF_SIZE + BUF_FINAL]; uint8_t digest[SHA1_DIGEST_SIZE]; size_t size; unsigned padding; size = fread(buffer, 1, BUF_FINAL, in); if (size < BUF_FINAL) { if (ferror(in)) werror("Reading input failed: %s\n", strerror(errno)); else werror("Unexpected EOF on input.\n"); return 0; } do { size = fread(buffer + BUF_FINAL, 1, BUF_SIZE, in); if (size < BUF_SIZE && ferror(in)) { werror("Reading input failed: %s\n", strerror(errno)); return 0; } if (size % AES_BLOCK_SIZE != 0) { werror("Unexpected EOF on input.\n"); return 0; } if (size) { CBC_DECRYPT(&ctx->aes, aes_decrypt, size, buffer, buffer); hmac_sha1_update(&ctx->hmac, size, buffer); if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } memmove(buffer, buffer + size, BUF_FINAL); } } while (size == BUF_SIZE); /* Decrypt final block */ CBC_DECRYPT(&ctx->aes, aes_decrypt, AES_BLOCK_SIZE, buffer, buffer); padding = buffer[AES_BLOCK_SIZE - 1]; if (padding > AES_BLOCK_SIZE) { werror("Decryption failed: Invalid padding.\n"); return 0; } if (padding < AES_BLOCK_SIZE) { unsigned leftover = AES_BLOCK_SIZE - padding; hmac_sha1_update(&ctx->hmac, leftover, buffer); if (!write_data(out, leftover, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } } hmac_sha1_digest(&ctx->hmac, SHA1_DIGEST_SIZE, digest); if (!memeql_sec(digest, buffer + AES_BLOCK_SIZE, SHA1_DIGEST_SIZE)) { werror("Decryption failed: Invalid mac.\n"); return 0; } return 1; } int main(int argc, char **argv) { struct rsa_private_key key; struct rsa_session ctx; struct rsa_session_info session; size_t length; mpz_t x; mpz_init(x); if (argc != 2) { werror("Usage: rsa-decrypt PRIVATE-KEY < ciphertext\n"); return EXIT_FAILURE; } rsa_private_key_init(&key); if (!read_rsa_key(argv[1], NULL, &key)) { werror("Invalid key\n"); return EXIT_FAILURE; } #ifdef WIN32 _setmode(0, O_BINARY); _setmode(1, O_BINARY); #endif if (!read_version(stdin)) { werror("Bad version number in input file.\n"); return EXIT_FAILURE; } if (!read_bignum(stdin, x)) { werror("Bad rsa header in input file.\n"); return EXIT_FAILURE; } length = sizeof(session.key); if (!rsa_decrypt(&key, &length, session.key, x) || length != sizeof(session.key)) { werror("Failed to decrypt rsa header in input file.\n"); return EXIT_FAILURE; } mpz_clear(x); rsa_session_set_decrypt_key(&ctx, &session); if (!process_file(&ctx, stdin, stdout)) return EXIT_FAILURE; rsa_private_key_clear(&key); return EXIT_SUCCESS; } nettle-3.4.1/examples/timing.h0000644000175000017500000000232413401564747015330 0ustar nissenisse/* timing.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EXAMPLES_TIMING_H_INCLUDED #define NETTLE_EXAMPLES_TIMING_H_INCLUDED void time_init(void); extern void (*time_start)(void); extern double (*time_end)(void); #endif /* NETTLE_EXAMPLES_TIMING_H_INCLUDED */ nettle-3.4.1/examples/rsa-verify.c0000644000175000017500000000444513401564747016131 0ustar nissenisse/* rsa-verify.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "rsa.h" #include "io.h" static int read_signature(const char *name, mpz_t s) { uint8_t *buffer; unsigned length; int res; length = read_file(name, 0, &buffer); if (!length) return 0; res = (mpz_set_str(s, (const char *) buffer, 16) == 0); free(buffer); return res; } int main(int argc, char **argv) { struct rsa_public_key key; struct sha1_ctx hash; mpz_t s; if (argc != 3) { werror("Usage: rsa-verify PUBLIC-KEY SIGNATURE-FILE < FILE\n"); return EXIT_FAILURE; } rsa_public_key_init(&key); if (!read_rsa_key(argv[1], &key, NULL)) { werror("Invalid key\n"); return EXIT_FAILURE; } mpz_init(s); if (!read_signature(argv[2], s)) { werror("Failed to read signature file `%s'\n", argv[2]); return EXIT_FAILURE; } sha1_init(&hash); if (!hash_file(&nettle_sha1, &hash, stdin)) { werror("Failed reading stdin: %s\n", strerror(errno)); return 0; } if (!rsa_sha1_verify(&key, &hash, s)) { werror("Invalid signature!\n"); return EXIT_FAILURE; } mpz_clear(s); rsa_public_key_clear(&key); return EXIT_SUCCESS; } nettle-3.4.1/examples/io.h0000644000175000017500000000415313401564747014452 0ustar nissenisse/* io.c Miscellaneous functions used by the example programs. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EXAMPLES_IO_H_INCLUDED #define NETTLE_EXAMPLES_IO_H_INCLUDED #include "nettle-meta.h" #include "yarrow.h" #include extern int quiet_flag; void * xalloc(size_t size); void werror(const char *format, ...) PRINTF_STYLE(1, 2); /* If size is > 0, read at most that many bytes. If size == 0, read * until EOF. Allocates the buffer dynamically. An empty file is * treated as an error; return value is zero, and no space is * allocated. The returned data is NUL-terminated, for convenience. */ size_t read_file(const char *name, size_t size, uint8_t **buffer); int write_file(const char *name, size_t size, const void *data); int write_data(FILE *f, size_t size, const void *data); int simple_random(struct yarrow256_ctx *ctx, const char *name); int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f); #if WITH_HOGWEED struct rsa_public_key; struct rsa_private_key; int read_rsa_key(const char *name, struct rsa_public_key *pub, struct rsa_private_key *priv); #endif /* WITH_HOGWEED */ #endif /* NETTLE_EXAMPLES_IO_H_INCLUDED */ nettle-3.4.1/examples/random-prime.c0000644000175000017500000000632613401564747016434 0ustar nissenisse/* random-prime.c Command line tool for prime generation. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "bignum.h" #include "yarrow.h" #include "io.h" #include "getopt.h" static void usage(void) { fprintf(stderr, "Usage: random-prime [OPTIONS] bits\n\n" "Options:\n" " --help Display this message.\n" " -v, --verbose Display timing information.\n" " -r, --random FILE Random data to use for seeding.\n"); } int main(int argc, char **argv) { long bits; mpz_t p; struct yarrow256_ctx yarrow; int verbose = 0; const char *random_file = NULL; int c; char *arg_end; clock_t start; clock_t end; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "verbose", no_argument, NULL, 'v' }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "vr:", options, NULL)) != -1) switch (c) { case 'v': verbose = 1; break; case 'r': random_file = optarg; break; case OPT_HELP: usage(); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } argc -= optind; argv += optind; if (argc != 1) { usage(); return EXIT_FAILURE; } bits = strtol(argv[0], &arg_end, 0); if (*arg_end || bits < 0) { fprintf(stderr, "Invalid number.\n"); return EXIT_FAILURE; } if (bits < 3) { fprintf(stderr, "Bitsize must be at least 3.\n"); return EXIT_FAILURE; } /* NOTE: No sources */ yarrow256_init(&yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&yarrow, random_file)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } mpz_init(p); start = clock(); nettle_random_prime(p, bits, 0, &yarrow, (nettle_random_func *) yarrow256_random, NULL, NULL); end = clock(); mpz_out_str(stdout, 10, p); printf("\n"); if (verbose) fprintf(stderr, "time: %.3g s\n", (double)(end - start) / CLOCKS_PER_SEC); return EXIT_SUCCESS; } nettle-3.4.1/examples/base64enc.c0000644000175000017500000000565413401564747015617 0ustar nissenisse/* base64enc -- an encoder for base64 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base64.h" #include "io.h" /* The number of bytes read in each iteration, we do one line at a time: */ #define CHUNK_SIZE 54 /* The *maximum* size of an encoded chunk: */ #define ENCODED_SIZE BASE64_ENCODE_LENGTH(CHUNK_SIZE) /* * Reads bytes from standard input and writes base64-encoded * on standard output. */ int main(int argc UNUSED, char **argv UNUSED) { struct base64_encode_ctx b64_ctx; /* Init the context: */ base64_encode_init(&b64_ctx); #ifdef WIN32 _setmode(0, O_BINARY); #endif for (;;) { /* "buffer" will hold the bytes from disk: */ uint8_t buffer[CHUNK_SIZE]; /* "result" is the result vector: */ char result[ENCODED_SIZE + BASE64_ENCODE_FINAL_LENGTH + 1]; unsigned nbytes; /* Number of bytes read from stdin */ int encoded_bytes; /* total number of bytes encoded per iteration */ nbytes = fread(buffer,1,CHUNK_SIZE,stdin); /* We overwrite result with more data */ encoded_bytes = base64_encode_update(&b64_ctx, result, nbytes, buffer); if (nbytes < CHUNK_SIZE) { if (ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } encoded_bytes += base64_encode_final(&b64_ctx,result + encoded_bytes); result[encoded_bytes++] = '\n'; if (!write_data (stdout, encoded_bytes, result) || fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } return EXIT_SUCCESS; } /* The result vector is written */ result[encoded_bytes++] = '\n'; if (!write_data (stdout, encoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } } } nettle-3.4.1/examples/nettle-benchmark.c0000644000175000017500000004411113401564747017257 0ustar nissenisse/* nettle-benchmark.c Tests the performance of the various algorithms. Copyright (C) 2001, 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include #include #include "timing.h" #include "aes.h" #include "arcfour.h" #include "blowfish.h" #include "cast128.h" #include "cbc.h" #include "ctr.h" #include "des.h" #include "eax.h" #include "gcm.h" #include "memxor.h" #include "salsa20.h" #include "serpent.h" #include "sha1.h" #include "sha2.h" #include "sha3.h" #include "twofish.h" #include "umac.h" #include "poly1305.h" #include "nettle-meta.h" #include "nettle-internal.h" #include "getopt.h" static double frequency = 0.0; /* Process BENCH_BLOCK bytes at a time, for BENCH_INTERVAL seconds. */ #define BENCH_BLOCK 10240 #define BENCH_INTERVAL 0.1 /* FIXME: Proper configure test for rdtsc? */ #ifndef WITH_CYCLE_COUNTER # if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) # define WITH_CYCLE_COUNTER 1 # else # define WITH_CYCLE_COUNTER 0 # endif #endif #if WITH_CYCLE_COUNTER # if defined(__i386__) #define GET_CYCLE_COUNTER(hi, lo) \ __asm__("xorl %%eax,%%eax\n" \ "movl %%ebx, %%edi\n" \ "cpuid\n" \ "rdtsc\n" \ "movl %%edi, %%ebx\n" \ : "=a" (lo), "=d" (hi) \ : /* No inputs. */ \ : "%edi", "%ecx", "cc") # elif defined(__x86_64__) #define GET_CYCLE_COUNTER(hi, lo) \ __asm__("xorl %%eax,%%eax\n" \ "mov %%rbx, %%r10\n" \ "cpuid\n" \ "rdtsc\n" \ "mov %%r10, %%rbx\n" \ : "=a" (lo), "=d" (hi) \ : /* No inputs. */ \ : "%r10", "%rcx", "cc") # endif #define BENCH_ITERATIONS 10 #endif static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static double overhead = 0.0; /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls - overhead; } static void bench_nothing(void *arg UNUSED) { return; } struct bench_memxor_info { void *dst; const void *src; const void *other; }; static void bench_memxor(void *arg) { struct bench_memxor_info *info = arg; memxor (info->dst, info->src, BENCH_BLOCK); } static void bench_memxor3(void *arg) { struct bench_memxor_info *info = arg; memxor3 (info->dst, info->src, info->other, BENCH_BLOCK); } struct bench_hash_info { void *ctx; nettle_hash_update_func *update; const uint8_t *data; }; static void bench_hash(void *arg) { struct bench_hash_info *info = arg; info->update(info->ctx, BENCH_BLOCK, info->data); } struct bench_cipher_info { void *ctx; nettle_cipher_func *crypt; uint8_t *data; }; static void bench_cipher(void *arg) { struct bench_cipher_info *info = arg; info->crypt(info->ctx, BENCH_BLOCK, info->data, info->data); } struct bench_cbc_info { void *ctx; nettle_cipher_func *crypt; uint8_t *data; unsigned block_size; uint8_t *iv; }; static void bench_cbc_encrypt(void *arg) { struct bench_cbc_info *info = arg; cbc_encrypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->data, info->data); } static void bench_cbc_decrypt(void *arg) { struct bench_cbc_info *info = arg; cbc_decrypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->data, info->data); } static void bench_ctr(void *arg) { struct bench_cbc_info *info = arg; ctr_crypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->data, info->data); } struct bench_aead_info { void *ctx; nettle_crypt_func *crypt; nettle_hash_update_func *update; uint8_t *data; }; static void bench_aead_crypt(void *arg) { const struct bench_aead_info *info = arg; info->crypt (info->ctx, BENCH_BLOCK, info->data, info->data); } static void bench_aead_update(void *arg) { const struct bench_aead_info *info = arg; info->update (info->ctx, BENCH_BLOCK, info->data); } /* Set data[i] = floor(sqrt(i)) */ static void init_data(uint8_t *data) { unsigned i,j; for (i = j = 0; i 0.0 ? " cycles/byte cycles/block" : ""); } static void display(const char *name, const char *mode, unsigned block_size, double time) { printf("%18s %11s %7.2f", name, mode, BENCH_BLOCK / (time * 1048576.0)); if (frequency > 0.0) { printf(" %11.2f", time * frequency / BENCH_BLOCK); if (block_size > 0) printf(" %12.2f", time * frequency * block_size / BENCH_BLOCK); } printf("\n"); } static void * xalloc(size_t size) { void *p = malloc(size); if (!p) die("Virtual memory exhausted.\n"); return p; } static void time_overhead(void) { overhead = time_function(bench_nothing, NULL); printf("benchmark call overhead: %7f us", overhead * 1e6); if (frequency > 0.0) printf("%7.2f cycles\n", overhead * frequency); printf("\n"); } static void time_memxor(void) { struct bench_memxor_info info; unsigned long src[BENCH_BLOCK / sizeof(long) + 2]; unsigned long other[BENCH_BLOCK / sizeof(long) + 2]; unsigned long dst[BENCH_BLOCK / sizeof(long) + 1]; info.src = src; info.dst = dst; display ("memxor", "aligned", sizeof(unsigned long), time_function(bench_memxor, &info)); info.src = (const char *) src + 1; display ("memxor", "unaligned", sizeof(unsigned long), time_function(bench_memxor, &info)); info.src = src; info.other = other; display ("memxor3", "aligned", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.other = (const char *) other + 1; display ("memxor3", "unaligned01", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.src = (const char *) src + 1; display ("memxor3", "unaligned11", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.other = (const char *) other + 2; display ("memxor3", "unaligned12", sizeof(unsigned long), time_function(bench_memxor3, &info)); } static void time_hash(const struct nettle_hash *hash) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; info.ctx = xalloc(hash->context_size); info.update = hash->update; info.data = data; init_data(data); hash->init(info.ctx); display(hash->name, "update", hash->block_size, time_function(bench_hash, &info)); free(info.ctx); } static void time_umac(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; uint8_t key[16]; umac32_set_key (&ctx32, key); info.ctx = &ctx32; info.update = (nettle_hash_update_func *) umac32_update; info.data = data; display("umac32", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac64_set_key (&ctx64, key); info.ctx = &ctx64; info.update = (nettle_hash_update_func *) umac64_update; info.data = data; display("umac64", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac96_set_key (&ctx96, key); info.ctx = &ctx96; info.update = (nettle_hash_update_func *) umac96_update; info.data = data; display("umac96", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac128_set_key (&ctx128, key); info.ctx = &ctx128; info.update = (nettle_hash_update_func *) umac128_update; info.data = data; display("umac128", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); } static void time_poly1305_aes(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct poly1305_aes_ctx ctx; uint8_t key[32]; poly1305_aes_set_key (&ctx, key); info.ctx = &ctx; info.update = (nettle_hash_update_func *) poly1305_aes_update; info.data = data; display("poly1305-aes", "update", 1024, time_function(bench_hash, &info)); } static int prefix_p(const char *prefix, const char *s) { size_t i; for (i = 0; prefix[i]; i++) if (prefix[i] != s[i]) return 0; return 1; } static int block_cipher_p(const struct nettle_cipher *cipher) { /* Don't use nettle cbc and ctr for openssl ciphers. */ return cipher->block_size > 0 && !prefix_p("openssl", cipher->name); } static void time_cipher(const struct nettle_cipher *cipher) { void *ctx = xalloc(cipher->context_size); uint8_t *key = xalloc(cipher->key_size); static uint8_t data[BENCH_BLOCK]; printf("\n"); init_data(data); { /* Decent initializers are a GNU extension, so don't use it here. */ struct bench_cipher_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.data = data; init_key(cipher->key_size, key); cipher->set_encrypt_key(ctx, key); display(cipher->name, "ECB encrypt", cipher->block_size, time_function(bench_cipher, &info)); } { struct bench_cipher_info info; info.ctx = ctx; info.crypt = cipher->decrypt; info.data = data; init_key(cipher->key_size, key); cipher->set_decrypt_key(ctx, key); display(cipher->name, "ECB decrypt", cipher->block_size, time_function(bench_cipher, &info)); } if (block_cipher_p(cipher)) { uint8_t *iv = xalloc(cipher->block_size); /* Do CBC mode */ { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.data = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_encrypt_key(ctx, key); display(cipher->name, "CBC encrypt", cipher->block_size, time_function(bench_cbc_encrypt, &info)); } { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->decrypt; info.data = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_decrypt_key(ctx, key); display(cipher->name, "CBC decrypt", cipher->block_size, time_function(bench_cbc_decrypt, &info)); } /* Do CTR mode */ { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.data = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_encrypt_key(ctx, key); display(cipher->name, "CTR", cipher->block_size, time_function(bench_ctr, &info)); } free(iv); } free(ctx); free(key); } static void time_aead(const struct nettle_aead *aead) { void *ctx = xalloc(aead->context_size); uint8_t *key = xalloc(aead->key_size); uint8_t *nonce = xalloc(aead->nonce_size); static uint8_t data[BENCH_BLOCK]; printf("\n"); init_data(data); if (aead->set_nonce) init_nonce (aead->nonce_size, nonce); { /* Decent initializers are a GNU extension, so don't use it here. */ struct bench_aead_info info; info.ctx = ctx; info.crypt = aead->encrypt; info.data = data; init_key(aead->key_size, key); aead->set_encrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "encrypt", aead->block_size, time_function(bench_aead_crypt, &info)); } { struct bench_aead_info info; info.ctx = ctx; info.crypt = aead->decrypt; info.data = data; init_key(aead->key_size, key); aead->set_decrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "decrypt", aead->block_size, time_function(bench_aead_crypt, &info)); } if (aead->update) { struct bench_aead_info info; info.ctx = ctx; info.update = aead->update; info.data = data; aead->set_encrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "update", aead->block_size, time_function(bench_aead_update, &info)); } free(ctx); free(key); free(nonce); } /* Try to get accurate cycle times for assembler functions. */ #if WITH_CYCLE_COUNTER static int compare_double(const void *ap, const void *bp) { double a = *(const double *) ap; double b = *(const double *) bp; if (a < b) return -1; else if (a > b) return 1; else return 0; } #define TIME_CYCLES(t, code) do { \ double tc_count[5]; \ uint32_t tc_start_lo, tc_start_hi, tc_end_lo, tc_end_hi; \ unsigned tc_i, tc_j; \ for (tc_j = 0; tc_j < 5; tc_j++) \ { \ tc_i = 0; \ GET_CYCLE_COUNTER(tc_start_hi, tc_start_lo); \ for (; tc_i < BENCH_ITERATIONS; tc_i++) \ { code; } \ \ GET_CYCLE_COUNTER(tc_end_hi, tc_end_lo); \ \ tc_end_hi -= (tc_start_hi + (tc_start_lo > tc_end_lo)); \ tc_end_lo -= tc_start_lo; \ \ tc_count[tc_j] = ldexp(tc_end_hi, 32) + tc_end_lo; \ } \ qsort(tc_count, 5, sizeof(double), compare_double); \ (t) = tc_count[2] / BENCH_ITERATIONS; \ } while (0) static void bench_sha1_compress(void) { uint32_t state[_SHA1_DIGEST_LENGTH]; uint8_t data[SHA1_BLOCK_SIZE]; double t; TIME_CYCLES (t, _nettle_sha1_compress(state, data)); printf("sha1_compress: %.2f cycles\n", t); } static void bench_salsa20_core(void) { uint32_t state[_SALSA20_INPUT_LENGTH]; double t; TIME_CYCLES (t, _nettle_salsa20_core(state, state, 20)); printf("salsa20_core: %.2f cycles\n", t); } static void bench_sha3_permute(void) { struct sha3_state state; double t; TIME_CYCLES (t, sha3_permute (&state)); printf("sha3_permute: %.2f cycles (%.2f / round)\n", t, t / 24.0); } #else #define bench_sha1_compress() #define bench_salsa20_core() #define bench_sha3_permute() #endif #if WITH_OPENSSL # define OPENSSL(x) x, #else # define OPENSSL(x) #endif int main(int argc, char **argv) { unsigned i; int c; const char *alg; #if WITH_OPENSSL nettle_openssl_init(); #endif const struct nettle_hash *hashes[] = { &nettle_md2, &nettle_md4, &nettle_md5, OPENSSL(&nettle_openssl_md5) &nettle_sha1, OPENSSL(&nettle_openssl_sha1) &nettle_sha224, &nettle_sha256, &nettle_sha384, &nettle_sha512, &nettle_sha512_224, &nettle_sha512_256, &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_ripemd160, &nettle_gosthash94, NULL }; const struct nettle_cipher *ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, OPENSSL(&nettle_openssl_aes128) OPENSSL(&nettle_openssl_aes192) OPENSSL(&nettle_openssl_aes256) &nettle_blowfish128, OPENSSL(&nettle_openssl_blowfish128) &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, &nettle_cast128, OPENSSL(&nettle_openssl_cast128) &nettle_des, OPENSSL(&nettle_openssl_des) &nettle_des3, &nettle_serpent256, &nettle_twofish128, &nettle_twofish192, &nettle_twofish256, NULL }; const struct nettle_aead *aeads[] = { /* Stream ciphers */ &nettle_arcfour128, OPENSSL(&nettle_openssl_arcfour128) &nettle_salsa20, &nettle_salsa20r12, &nettle_chacha, /* Proper AEAD algorithme. */ &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, &nettle_gcm_camellia128, &nettle_gcm_camellia256, &nettle_eax_aes128, &nettle_chacha_poly1305, NULL }; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "clock-frequency", required_argument, NULL, 'f' }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "f:", options, NULL)) != -1) switch (c) { case 'f': frequency = atof(optarg); if (frequency > 0.0) break; /* Fall through */ case OPT_HELP: printf("Usage: nettle-benchmark [-f clock frequency] [alg]\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } alg = argv[optind]; time_init(); bench_sha1_compress(); bench_salsa20_core(); bench_sha3_permute(); printf("\n"); time_overhead(); header(); if (!alg || strstr ("memxor", alg)) { time_memxor(); printf("\n"); } for (i = 0; hashes[i]; i++) if (!alg || strstr(hashes[i]->name, alg)) time_hash(hashes[i]); if (!alg || strstr ("umac", alg)) time_umac(); if (!alg || strstr ("poly1305-aes", alg)) time_poly1305_aes(); for (i = 0; ciphers[i]; i++) if (!alg || strstr(ciphers[i]->name, alg)) time_cipher(ciphers[i]); for (i = 0; aeads[i]; i++) if (!alg || strstr(aeads[i]->name, alg)) time_aead(aeads[i]); return 0; } nettle-3.4.1/examples/hogweed-benchmark.c0000644000175000017500000005114313401564747017411 0ustar nissenisse/* hogweed-benchmark.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include #include "timing.h" #include "dsa.h" #include "rsa.h" #include "curve25519.h" #include "nettle-meta.h" #include "sexp.h" #include "knuth-lfib.h" #include "../ecdsa.h" #include "../ecc-internal.h" #include "../gmp-glue.h" #if WITH_OPENSSL #include #include #include #include #endif #define BENCH_INTERVAL 0.1 static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static void * xalloc (size_t size) { void *p = malloc (size); if (!p) { fprintf (stderr, "Virtual memory exhausted\n"); abort (); } return p; } static uint8_t * hash_string (const struct nettle_hash *hash, const char *s) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); hash->init (ctx); hash->update (ctx, strlen(s), (const uint8_t *) s); hash->digest (ctx, hash->digest_size, digest); free (ctx); return digest; } struct alg { const char *name; unsigned size; void *(*init) (unsigned size); void (*sign) (void *); void (*verify)(void *); void (*clear) (void *); }; /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; /* Warm up */ f(arg); for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls; } static void bench_alg (const struct alg *alg) { double sign; double verify; void *ctx; ctx = alg->init(alg->size); if (ctx == NULL) { printf("%15s %4d N/A\n", alg->name, alg->size); return; } sign = time_function (alg->sign, ctx); verify = time_function (alg->verify, ctx); alg->clear (ctx); printf("%15s %4d %9.4f %9.4f\n", alg->name, alg->size, 1e-3/sign, 1e-3/verify); } struct rsa_ctx { struct rsa_public_key pub; struct rsa_private_key key; uint8_t *digest; mpz_t s; }; static void * bench_rsa_init (unsigned size) { unsigned char rsa1024[] = "{KDExOnByaXZhdGUta2V5KDE0OnJzYS1wa2NzMS1zaGExKDE6bjEyOToA90+K5EmjbFJBeJD" " xP2KD2Df+0Twc9425uB+vhqTrVijtd2PnwEQDfR2VoducgkKcXJzYYyCNILQJbFAi2Km/sD" " jImERBqDtaI217Ze+tOKEmImexYTAgFuqEptp2F3M4DqgRQ7s/3nJQ/bPE5Hfi1OZhJSShu" " I80ATTU4fUgrPspKDE6ZTM6AQABKSgxOmQxMjk6APAhKckzvxxkWfHJOpXDACWnaSKcbbvo" " vtWK3pGr/F2ya7CrLtE+uOx5F1sLs9G+/7flCy5k4uNILIYg4VTirZ1zQ8fNKPrjK1VMRls" " JiRRU/0VAs9d7HdncJfs6rbvRQbCRSRYURo4hWir3Lq8V3UUQVBprc4dO+uWmplvwQ5qxKS" " gxOnA2NToA+8aIVkdbk8Jg8dJOuzc7m/hZnwkKSs6eVDw4N/2T0CJKGJYT+B3Ct+fPkxhUR" " ggd2DQ9OpkTra7SXHTNkzdPVSkoMTpxNjU6APt11P8vXNnGYF0OC/cPsR8zhSYuFmtRuX6G" " ES+DdG0VCU07UeNQkok1UoW5sXqY0IGr1jkJq8AMSgKoNbLQ6w8pKDE6YTY0Ohzkxsan/8F" " wQDHgQbrIduXKVXaj0fONzKu8EXOTfUAYf0pdBsOlnq/+QVsPIrS6v7oNHK253YFEG84SdX" " kcktUpKDE6YjY1OgCR+cRtY3RWY+f6/TWK9gwPndv03xpasLWrMm71ky1aSbT9pasS9+opR" " tAiGzthfSbFsBiLQgb3VOr+AeIybT+XKSgxOmM2NDojigqARWN5u1CVDVuD2L2ManpoGiM6" " kQ6FaJjqRjxeRRKFrQxGJa9tM1hqStxokC1oJidgaOLGnn60iwzToug9KSkp}"; unsigned char rsa2048[] = "{KDExOnByaXZhdGUta2V5KDE0OnJzYS1wa2NzMS1zaGExKDE6bjI1NzoAtxWXiglIdunDK48" " 8I0vW0wTqnh/riW9pLk8n1F8MUPBFdhvkkl0bDQqSJPUvSHy+w4fLVwcEzeI4qFyo3b2Avz" " JK20MFbt/WfHD1TbxuK8rNqXyqmqjJ9vgjtV9nPzAz7CM9ogs3/RJHpcfZPQF15ifizleUZ" " aQT0GAXHZL7cePj10yGI2u3hgTkokVzdNC/1T34guKYpErg0pt0B/KejWpsFTb84z3tkR+B" " YVx07p/OoByZwoABgncS/uALl31fRS8jyJ2JqUiZOqe7XoO9hkDHYNCWUGUfNGQ7ZgVp9+e" " NQpracSjrp6Jnrj7r/oxJUx5ZDVNi18AzQadE/oKOrSkoMTplMzoBAAEpKDE6ZDI1NjogBT" " C5vaHk2kF+LtDvw2XRBj0aZq7FHK0ioklvBSicR0l+vKYfSxVeFIk22YLphJfAjtFraRjYA" " Uaze3E1Rt1rkxoweupKV++lWAQvElOaaR/LErirz/Vysjdck1D1ZjLOi+NNofSq2DWbsvY1" " iznZhQRP3lVf6XBls0iXrYs4gb0pBZqXLQW+j9Ihx6eantf1/6ZMKPgCkzcAZ0ABsCfaFSg" " ouNCzilblsgFEspEbb8QqrNQoStS3F/gMwWgDsr3+vQzBqt+7ykWoCJ9wctbYy9kEPq+hX3" " GP0hG6HdS81r9E8pgdf3wloNNMzYUHwn7poXGpOi8tG0pmR56TqD/BKSgxOnAxMjk6AN4AJ" " TiGPm9We2ga3Y0jpTfA3mWpUbhYgaXYLWA1/riniwq16fqxRIkWQT/O2KKpBVe6WSvNYq9u" " lM8N6bdPtDytJs6AOXy0X5vtJ953ZYVMhHbhmUxhIL9I+s0O1+LxMF8b9U4CrFyaTxd8Un/" " FXP1BvYJRrkoup6HYvOlGx36lKSgxOnExMjk6ANMfrfH6z/3o7K56aW6kSiloDDbKZQ0+W5" " 8LzP2ZOBLf6LX6jLhN3olU1Z0KGTM0S/1AxvwGjuRqhu+LcOJ7oUCUH3uusR5c5nSnArYPq" " +0wbco4BQngot/HmGN7U0EDsIWqPt/qoa/b8bCk+TOwJlknNq/PnZU26SPj48XS05lpKSgx" " OmExMjk6AJM2n3gLNW3ZeH5BindkktQU9qWNkV5geqDCaNyrEZ3bpI1WsrEGSj9p3Zz1ipz" " a3msdbLJqQS26c72WKUzg8tFltR0s1HJInjolGtIgdNbfNdwrn9+RbQjL2VyPokOg0wXO4W" " 14wlmqDhax33dRJmfe50964MvaglkGA8fhorrtKSgxOmIxMjk6AKMe+vrX2xRHf3dfxU5jS" " ZmsdqNuxZzx7UB5kazvUU/kCJ1yNH/CSoq5LULkpovVgFDwV84qEwWQ+SjkCBg1hWWsDJc3" " ZkobZUQENigM+72LiYiQt/PlyHI2eRuEEdNN0nm0DFhdpQeHXLoq/RBerYJ8tdgpBYxgnMn" " KLhaOykbhKSgxOmMxMjg6MVlKj2bjb7qFQVkLO1OPg28jSrtRpnQCR+qegN4ZmNam/qbest" " 8yn0JQ6gxX7PvP382+jx7uHHWHYYqPq/Flf8gqtOOcjqS5TJgVHz3F3xHWquo1ZofGtCMro" " Dd2c0xjRjIVGvLV6Ngs+HRdljRav40vRpTyEoEdlzHBQiILesopKSk=}"; struct rsa_ctx *ctx; struct sexp_iterator i; int res; ctx = xalloc(sizeof(*ctx)); rsa_public_key_init (&ctx->pub); rsa_private_key_init (&ctx->key); mpz_init (ctx->s); /* NOTE: Base64-decodes the strings in-place */ if (size == 1024) res = sexp_transport_iterator_first (&i, sizeof(rsa1024) - 1, rsa1024); else if (size == 2048) res = sexp_transport_iterator_first (&i, sizeof(rsa2048) - 1, rsa2048); else die ("Internal error.\n"); if (! (res && sexp_iterator_check_type (&i, "private-key") && sexp_iterator_check_type (&i, "rsa-pkcs1-sha1") && rsa_keypair_from_sexp_alist (&ctx->pub, &ctx->key, 0, &i))) die ("Internal error.\n"); ctx->digest = hash_string (&nettle_sha256, "foo"); rsa_sha256_sign_digest (&ctx->key, ctx->digest, ctx->s); return ctx; } static void bench_rsa_sign (void *p) { struct rsa_ctx *ctx = p; mpz_t s; mpz_init (s); rsa_sha256_sign_digest (&ctx->key, ctx->digest, s); mpz_clear (s); } static void bench_rsa_verify (void *p) { struct rsa_ctx *ctx = p; if (! rsa_sha256_verify_digest (&ctx->pub, ctx->digest, ctx->s)) die ("Internal error, rsa_sha256_verify_digest failed.\n"); } static void bench_rsa_clear (void *p) { struct rsa_ctx *ctx = p; rsa_public_key_clear (&ctx->pub); rsa_private_key_clear (&ctx->key); mpz_clear (ctx->s); free (ctx->digest); free (ctx); } struct dsa_ctx { struct dsa_params params; mpz_t pub; mpz_t key; struct knuth_lfib_ctx lfib; struct dsa_signature s; uint8_t *digest; }; static void * bench_dsa_init (unsigned size) { struct dsa_ctx *ctx; struct sexp_iterator i; unsigned char dsa1024[] = "{KDExOnByaXZhdGUta2V5KDM6ZHNhKDE6cDEyOToA2q4hOXEClLMXXMOl9xaPcGC/GeGmCMv" " VCaaW0uWc50DvvmJDPQPdCehyfZr/1dv2UDbx06TC7ls/IFd+BsDzGBRxqIQ44J20cn+0gt" " NMIXAocE1QhCCFaT5gXrk8zMlqBEGaP3RdpgxNanEXkTj2Wma8r1GtrLX3HPafio62jicpK" " DE6cTIxOgDN9pcW3exdVAesC9WsxwCGoJK24ykoMTpnMTI5OgCJr9DmKdiE0WJZB7HACESv" " Tpg1qZgc8E15byQ+OsHUyOTRrJRTcrgKZJW7dFRJ9cXmyi7XYCd3bJtu/2HRHLY1vd4qMvU" " 7Y8x08ooCoABGV7nGqcmdQfEho1OY6TZh2NikmPKZLeur3PZFpcZ8Dl+KVWtwC55plNC7Om" " iAQy8MaCkoMTp5MTI5OgDakk0LOUQwzOKt9FHOBmBKrWsvTm7549eScTUqH4OMm3btjUsXz" " MmlqEe+imwQCOW/AE3Xw9pXZeETWK0jlLe8k5vnKcNskerFwZ1eQKtOPPQty8IqQ9PEfF6B" " 0oVQiJg2maHUDWFnDkIBd7ZR1z8FnZMUxH9mH4kEUo6YQgtCdykoMTp4MjA6cOl3ijiiMjI" " pesFD8jxESWb2mn8pKSk=}"; ctx = xalloc(sizeof(*ctx)); dsa_params_init (&ctx->params); mpz_init (ctx->pub); mpz_init (ctx->key); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 1); if (size != 1024) die ("Internal error.\n"); if (! (sexp_transport_iterator_first (&i, sizeof(dsa1024) - 1, dsa1024) && sexp_iterator_check_type (&i, "private-key") && sexp_iterator_check_type (&i, "dsa") && dsa_keypair_from_sexp_alist (&ctx->params, ctx->pub, ctx->key, 0, DSA_SHA1_Q_BITS, &i)) ) die ("Internal error.\n"); ctx->digest = hash_string (&nettle_sha1, "foo"); dsa_sign (&ctx->params, ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s); return ctx; } static void bench_dsa_sign (void *p) { struct dsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); dsa_sign (&ctx->params, ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, SHA1_DIGEST_SIZE, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_dsa_verify (void *p) { struct dsa_ctx *ctx = p; if (! dsa_verify (&ctx->params, ctx->pub, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s)) die ("Internal error, dsa_sha1_verify_digest failed.\n"); } static void bench_dsa_clear (void *p) { struct dsa_ctx *ctx = p; dsa_params_clear (&ctx->params); mpz_clear (ctx->pub); mpz_clear (ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } struct ecdsa_ctx { struct ecc_point pub; struct ecc_scalar key; struct knuth_lfib_ctx rctx; unsigned digest_size; uint8_t *digest; struct dsa_signature s; }; static void * bench_ecdsa_init (unsigned size) { struct ecdsa_ctx *ctx; const struct ecc_curve *ecc; const char *xs; const char *ys; const char *zs; mpz_t x, y, z; ctx = xalloc (sizeof(*ctx)); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->rctx, 17); switch (size) { case 192: ecc = &nettle_secp_192r1; xs = "8e8e07360350fb6b7ad8370cfd32fa8c6bba785e6e200599"; ys = "7f82ddb58a43d59ff8dc66053002b918b99bd01bd68d6736"; zs = "f2e620e086d658b4b507996988480917640e4dc107808bdd"; ctx->digest = hash_string (&nettle_sha1, "abc"); ctx->digest_size = 20; break; case 224: ecc = &nettle_secp_224r1; xs = "993bf363f4f2bc0f255f22563980449164e9c894d9efd088d7b77334"; ys = "b75fff9849997d02d135140e4d0030944589586e22df1fc4b629082a"; zs = "cdfd01838247f5de3cc70b688418046f10a2bfaca6de9ec836d48c27"; ctx->digest = hash_string (&nettle_sha224, "abc"); ctx->digest_size = 28; break; /* From RFC 4754 */ case 256: ecc = &nettle_secp_256r1; xs = "2442A5CC 0ECD015F A3CA31DC 8E2BBC70 BF42D60C BCA20085 E0822CB0 4235E970"; ys = "6FC98BD7 E50211A4 A27102FA 3549DF79 EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D"; zs = "DC51D386 6A15BACD E33D96F9 92FCA99D A7E6EF09 34E70975 59C27F16 14C88A7F"; ctx->digest = hash_string (&nettle_sha256, "abc"); ctx->digest_size = 32; break; case 384: ecc = &nettle_secp_384r1; xs = "96281BF8 DD5E0525 CA049C04 8D345D30 82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922"; ys = "447688BA 94708EB6 E2E4D59F 6AB6D7ED FF9301D2 49FE49C3 3096655F 5D502FAD" "3D383B91 C5E7EDAA 2B714CC9 9D5743CA"; zs = "0BEB6466 34BA8773 5D77AE48 09A0EBEA 865535DE 4C1E1DCB 692E8470 8E81A5AF" "62E528C3 8B2A81B3 5309668D 73524D9F"; ctx->digest = hash_string (&nettle_sha384, "abc"); ctx->digest_size = 48; break; case 521: ecc = &nettle_secp_521r1; xs = "0151518F 1AF0F563 517EDD54 85190DF9 5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018 8901CECD 650699C9 B5E456AE A5ADD190" "52A8"; ys = "006F3B14 2EA1BFFF 7E2837AD 44C9E4FF 6D2D34C7 3184BBAD 90026DD5 E6E85317" "D9DF45CA D7803C6C 20035B2F 3FF63AFF 4E1BA64D 1C077577 DA3F4286 C58F0AEA" "E643"; zs = "0065FDA3 409451DC AB0A0EAD 45495112 A3D813C1 7BFD34BD F8C1209D 7DF58491" "20597779 060A7FF9 D704ADF7 8B570FFA D6F062E9 5C7E0C5D 5481C5B1 53B48B37" "5FA1"; ctx->digest = hash_string (&nettle_sha512, "abc"); ctx->digest_size = 64; break; default: die ("Internal error.\n"); } ecc_point_init (&ctx->pub, ecc); ecc_scalar_init (&ctx->key, ecc); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); mpz_init_set_str (z, zs, 16); ecc_point_set (&ctx->pub, x, y); ecc_scalar_set (&ctx->key, z); mpz_clear (x); mpz_clear (y); mpz_clear (z); ecdsa_sign (&ctx->key, &ctx->rctx, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &ctx->s); return ctx; } static void bench_ecdsa_sign (void *p) { struct ecdsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); ecdsa_sign (&ctx->key, &ctx->rctx, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_ecdsa_verify (void *p) { struct ecdsa_ctx *ctx = p; if (! ecdsa_verify (&ctx->pub, ctx->digest_size, ctx->digest, &ctx->s)) die ("Internal error, _ecdsa_verify failed.\n"); } static void bench_ecdsa_clear (void *p) { struct ecdsa_ctx *ctx = p; ecc_point_clear (&ctx->pub); ecc_scalar_clear (&ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } #if WITH_OPENSSL struct openssl_rsa_ctx { RSA *key; unsigned char *ref; unsigned char *signature; unsigned int siglen; uint8_t *digest; }; static void * bench_openssl_rsa_init (unsigned size) { struct openssl_rsa_ctx *ctx = xalloc (sizeof (*ctx)); ctx->key = RSA_generate_key (size, 65537, NULL, NULL); ctx->ref = xalloc (RSA_size (ctx->key)); ctx->signature = xalloc (RSA_size (ctx->key)); ctx->digest = hash_string (&nettle_sha1, "foo"); RSA_blinding_off(ctx->key); if (! RSA_sign (NID_sha1, ctx->digest, SHA1_DIGEST_SIZE, ctx->ref, &ctx->siglen, ctx->key)) die ("OpenSSL RSA_sign failed.\n"); return ctx; } static void bench_openssl_rsa_sign (void *p) { const struct openssl_rsa_ctx *ctx = p; unsigned siglen; if (! RSA_sign (NID_sha1, ctx->digest, SHA1_DIGEST_SIZE, ctx->signature, &siglen, ctx->key)) die ("OpenSSL RSA_sign failed.\n"); } static void bench_openssl_rsa_verify (void *p) { const struct openssl_rsa_ctx *ctx = p; if (! RSA_verify (NID_sha1, ctx->digest, SHA1_DIGEST_SIZE, ctx->ref, ctx->siglen, ctx->key)) die ("OpenSSL RSA_verify failed.\n"); } static void bench_openssl_rsa_clear (void *p) { struct openssl_rsa_ctx *ctx = p; RSA_free (ctx->key); free (ctx->ref); free (ctx->signature); free (ctx->digest); free (ctx); } struct openssl_ecdsa_ctx { EC_KEY *key; ECDSA_SIG *signature; unsigned digest_length; uint8_t *digest; }; static void * bench_openssl_ecdsa_init (unsigned size) { struct openssl_ecdsa_ctx *ctx = xalloc (sizeof (*ctx)); switch (size) { case 192: ctx->key = EC_KEY_new_by_curve_name (NID_X9_62_prime192v1); ctx->digest_length = 24; /* truncated */ ctx->digest = hash_string (&nettle_sha224, "abc"); break; case 224: ctx->key = EC_KEY_new_by_curve_name (NID_secp224r1); ctx->digest_length = SHA224_DIGEST_SIZE; ctx->digest = hash_string (&nettle_sha224, "abc"); break; case 256: ctx->key = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); ctx->digest_length = SHA256_DIGEST_SIZE; ctx->digest = hash_string (&nettle_sha256, "abc"); break; case 384: ctx->key = EC_KEY_new_by_curve_name (NID_secp384r1); ctx->digest_length = SHA384_DIGEST_SIZE; ctx->digest = hash_string (&nettle_sha384, "abc"); break; case 521: ctx->key = EC_KEY_new_by_curve_name (NID_secp521r1); ctx->digest_length = SHA512_DIGEST_SIZE; ctx->digest = hash_string (&nettle_sha512, "abc"); break; default: die ("Internal error.\n"); } /* This curve isn't supported in this build of openssl */ if (ctx->key == NULL) { free(ctx); return NULL; } if (!EC_KEY_generate_key( ctx->key)) die ("Openssl EC_KEY_generate_key failed.\n"); ctx->signature = ECDSA_do_sign (ctx->digest, ctx->digest_length, ctx->key); return ctx; } static void bench_openssl_ecdsa_sign (void *p) { const struct openssl_ecdsa_ctx *ctx = p; ECDSA_SIG *sig = ECDSA_do_sign (ctx->digest, ctx->digest_length, ctx->key); ECDSA_SIG_free (sig); } static void bench_openssl_ecdsa_verify (void *p) { const struct openssl_ecdsa_ctx *ctx = p; if (ECDSA_do_verify (ctx->digest, ctx->digest_length, ctx->signature, ctx->key) != 1) die ("Openssl ECDSA_do_verify failed.\n"); } static void bench_openssl_ecdsa_clear (void *p) { struct openssl_ecdsa_ctx *ctx = p; ECDSA_SIG_free (ctx->signature); EC_KEY_free (ctx->key); free (ctx->digest); free (ctx); } #endif struct curve25519_ctx { uint8_t x[CURVE25519_SIZE]; uint8_t s[CURVE25519_SIZE]; }; static void bench_curve25519_mul_g (void *p) { struct curve25519_ctx *ctx = p; uint8_t q[CURVE25519_SIZE]; curve25519_mul_g (q, ctx->s); } static void bench_curve25519_mul (void *p) { struct curve25519_ctx *ctx = p; uint8_t q[CURVE25519_SIZE]; curve25519_mul (q, ctx->s, ctx->x); } static void bench_curve25519 (void) { double mul_g; double mul; struct knuth_lfib_ctx lfib; struct curve25519_ctx ctx; knuth_lfib_init (&lfib, 2); knuth_lfib_random (&lfib, sizeof(ctx.s), ctx.s); curve25519_mul_g (ctx.x, ctx.s); mul_g = time_function (bench_curve25519_mul_g, &ctx); mul = time_function (bench_curve25519_mul, &ctx); printf("%15s %4d %9.4f %9.4f\n", "curve25519", 255, 1e-3/mul_g, 1e-3/mul); } struct alg alg_list[] = { { "rsa", 1024, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, { "rsa", 2048, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, #if WITH_OPENSSL { "rsa (openssl)", 1024, bench_openssl_rsa_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, { "rsa (openssl)", 2048, bench_openssl_rsa_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, #endif { "dsa", 1024, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #if 0 { "dsa",2048, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #endif { "ecdsa", 192, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 224, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 256, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 384, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 521, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, #if WITH_OPENSSL { "ecdsa (openssl)", 192, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, { "ecdsa (openssl)", 224, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, { "ecdsa (openssl)", 256, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, { "ecdsa (openssl)", 384, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, { "ecdsa (openssl)", 521, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, #endif }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) int main (int argc, char **argv) { const char *filter = NULL; unsigned i; if (argc > 1) filter = argv[1]; time_init(); printf ("%15s %4s %9s %9s\n", "name", "size", "sign/ms", "verify/ms"); for (i = 0; i < numberof(alg_list); i++) if (!filter || strstr (alg_list[i].name, filter)) bench_alg (&alg_list[i]); if (!filter || strstr("curve25519", filter)) bench_curve25519(); return EXIT_SUCCESS; } nettle-3.4.1/examples/base16enc.c0000644000175000017500000000543713401564747015613 0ustar nissenisse/* base16enc -- an encoder for base16 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base16.h" #include "io.h" /* The number of bytes read in each iteration, we do one line at a time: */ #define CHUNK_SIZE 36 /* The *maximum* size of an encoded chunk: */ #define ENCODED_SIZE BASE16_ENCODE_LENGTH(CHUNK_SIZE) /* * Reads bytes from standard input and writes base64-encoded * on standard output. */ int main(int argc UNUSED, char **argv UNUSED) { #ifdef WIN32 _setmode(0, O_BINARY); #endif /* There is no context to initialize. */ for (;;) { /* "buffer" will hold the bytes from disk: */ uint8_t buffer[CHUNK_SIZE]; /* "result" will hold bytes before output: */ char result[ENCODED_SIZE + 1]; unsigned nbytes; /* Number of bytes read from stdin */ int encoded_bytes; /* Total number of bytes encoded per iteration */ nbytes = fread(buffer,1,CHUNK_SIZE,stdin); /* We overwrite result with more data */ base16_encode_update(result, nbytes, buffer); encoded_bytes = BASE16_ENCODE_LENGTH(nbytes); result[encoded_bytes++] = '\n'; if (nbytes < CHUNK_SIZE) { if (ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (!write_data (stdout, encoded_bytes, result) || fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } return EXIT_SUCCESS; } /* The result vector is printed */ if (!write_data(stdout, encoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } } } nettle-3.4.1/examples/base16dec.c0000644000175000017500000000571713401564747015602 0ustar nissenisse/* base16dec -- an decoder for base16 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base16.h" #include "io.h" #define CHUNK_SIZE 16392 /* The maximum number of bytes generated for each chunk: */ #define DECODED_SIZE BASE16_DECODE_LENGTH(CHUNK_SIZE) /* * Reads base-16 encoded from stdin, writes decoded to stdout. */ int main(int argc UNUSED, char **argv UNUSED) { /* "buffer" will hold the bytes from disk: */ char * buffer = xalloc (CHUNK_SIZE); /* "result" will hold bytes before output: */ uint8_t * result = xalloc (DECODED_SIZE); /* We need a Base16 context for decoding: */ struct base16_decode_ctx b16_ctx; /* Init the context: */ base16_decode_init (&b16_ctx); #ifdef WIN32 _setmode(1, O_BINARY); #endif for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ size_t decoded_bytes; /* Bytes actually generated at each iteration */ nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); if (nbytes < CHUNK_SIZE && ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } /* Decodes one chunk: */ if (!base16_decode_update(&b16_ctx, &decoded_bytes, result, nbytes, buffer)) { werror ("Error decoding input (not base16?)\n"); return EXIT_FAILURE; } if (!write_data (stdout, decoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (nbytes < CHUNK_SIZE) { /* Check if decoding finalized OK: */ if (!base16_decode_final(&b16_ctx)) { werror("Decoding did not finish properly.\n"); return EXIT_FAILURE; } break; } } if (fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } free (buffer); free (result); return EXIT_SUCCESS; } nettle-3.4.1/examples/eratosthenes.c0000644000175000017500000002264313401564747016546 0ustar nissenisse/* eratosthenes.c An implementation of the sieve of Eratosthenes, to generate a list of primes. Copyright (C) 2007 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "getopt.h" #ifdef SIZEOF_LONG # define BITS_PER_LONG (CHAR_BIT * SIZEOF_LONG) # if BITS_PER_LONG > 32 # define NEED_HANDLE_LARGE_LONG 1 # else # define NEED_HANDLE_LARGE_LONG 0 # endif #else # define BITS_PER_LONG (CHAR_BIT * sizeof(unsigned long)) # define NEED_HANDLE_LARGE_LONG 1 #endif static void usage(void) { fprintf(stderr, "Usage: erathostenes [OPTIONS] [LIMIT]\n\n" "Options:\n" " -? Display this message.\n" " -b SIZE Block size.\n" " -v Verbose output.\n" " -s No output.\n"); } static unsigned isqrt(unsigned long n) { unsigned long x; /* FIXME: Better initialization. */ if (n < ULONG_MAX) x = n; else /* Must avoid overflow in the first step. */ x = n-1; for (;;) { unsigned long y = (x + n/x) / 2; if (y >= x) return x; x = y; } } /* Size is in bits */ static unsigned long * vector_alloc(unsigned long size) { unsigned long end = (size + BITS_PER_LONG - 1) / BITS_PER_LONG; unsigned long *vector = malloc (end * sizeof(*vector)); if (!vector) { fprintf(stderr, "Insufficient memory.\n"); exit(EXIT_FAILURE); } return vector; } static void vector_init(unsigned long *vector, unsigned long size) { unsigned long end = (size + BITS_PER_LONG - 1) / BITS_PER_LONG; unsigned long i; for (i = 0; i < end; i++) vector[i] = ~0UL; } static void vector_clear_bits (unsigned long *vector, unsigned long step, unsigned long start, unsigned long size) { unsigned long bit; for (bit = start; bit < size; bit += step) { unsigned long i = bit / BITS_PER_LONG; unsigned long mask = 1L << (bit % BITS_PER_LONG); vector[i] &= ~mask; } } static unsigned find_first_one (unsigned long x) { static const unsigned char table[0x101] = { 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0,11, 0, 0, 0,10, 0, 9, 8, 0, 0, 1, 0, 2, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, }; unsigned i = 0; /* Isolate least significant bit */ x &= -x; #if NEED_HANDLE_LARGE_LONG #ifndef SIZEOF_LONG /* Can not be tested by the preprocessor. May generate warnings when long is 32 bits. */ if (BITS_PER_LONG > 32) #endif while (x >= 0x100000000L) { x >>= 32; i += 32; } #endif /* NEED_HANDLE_LARGE_LONG */ if (x >= 0x10000) { x >>= 16; i += 16; } return i + table[128 + (x & 0xff) - (x >> 8)]; } /* Returns size if there's no more bits set */ static unsigned long vector_find_next (const unsigned long *vector, unsigned long bit, unsigned long size) { unsigned long end = (size + BITS_PER_LONG - 1) / BITS_PER_LONG; unsigned long i = bit / BITS_PER_LONG; unsigned long mask = 1L << (bit % BITS_PER_LONG); unsigned long word; if (i >= end) return size; for (word = vector[i] & ~(mask - 1); !word; word = vector[i]) if (++i >= end) return size; /* Next bit is the least significant bit of word */ return i * BITS_PER_LONG + find_first_one(word); } /* For benchmarking, define to do nothing (otherwise, most of the time will be spent converting the output to decimal). */ #define OUTPUT(n) printf("%lu\n", (n)) static long atosize(const char *s) { char *end; long value = strtol(s, &end, 10); if (value <= 0) return 0; /* FIXME: Doesn't check for overflow. */ switch(*end) { default: return 0; case '\0': break; case 'k': case 'K': value <<= 10; break; case 'M': value <<= 20; break; } return value; } int main (int argc, char **argv) { /* Generate all primes p <= limit */ unsigned long limit; unsigned long root; unsigned long limit_nbits; /* Represents numbers up to sqrt(limit) */ unsigned long sieve_nbits; unsigned long *sieve; /* Block for the rest of the sieving. Size should match the cache, the default value corresponds to 64 KB. */ unsigned long block_nbits = 64L << 13; unsigned long block_start_bit; unsigned long *block; unsigned long bit; int silent = 0; int verbose = 0; int c; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "verbose", no_argument, NULL, 'v' }, { "block-size", required_argument, NULL, 'b' }, { "quiet", required_argument, NULL, 'q' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "svb:", options, NULL)) != -1) switch (c) { case OPT_HELP: usage(); return EXIT_SUCCESS; case 'b': block_nbits = CHAR_BIT * atosize(optarg); if (!block_nbits) { usage(); return EXIT_FAILURE; } break; case 'q': silent = 1; break; case 'v': verbose++; break; case '?': return EXIT_FAILURE; default: abort(); } argc -= optind; argv += optind; if (argc == 0) limit = 1000; else if (argc == 1) { limit = atol(argv[0]); if (limit < 2) return EXIT_SUCCESS; } else { usage(); return EXIT_FAILURE; } root = isqrt(limit); /* Round down to odd */ root = (root - 1) | 1; /* Represents odd numbers from 3 up. */ sieve_nbits = (root - 1) / 2; sieve = vector_alloc(sieve_nbits ); vector_init(sieve, sieve_nbits); if (verbose) fprintf(stderr, "Initial sieve using %lu bits.\n", sieve_nbits); if (!silent) printf("2\n"); if (limit == 2) return EXIT_SUCCESS; for (bit = 0; bit < sieve_nbits; bit = vector_find_next(sieve, bit + 1, sieve_nbits)) { unsigned long n = 3 + 2 * bit; /* First bit to clear corresponds to n^2, which is bit (n^2 - 3) / 2 = (n + 3) * bit + 3 */ unsigned long n2_bit = (n+3)*bit + 3; if (!silent) printf("%lu\n", n); vector_clear_bits (sieve, n, n2_bit, sieve_nbits); } limit_nbits = (limit - 1) / 2; if (sieve_nbits + block_nbits > limit_nbits) block_nbits = limit_nbits - sieve_nbits; if (verbose) { double storage = block_nbits / 8.0; unsigned shift = 0; const char prefix[] = " KMG"; while (storage > 1024 && shift < 3) { storage /= 1024; shift++; } fprintf(stderr, "Blockwise sieving using blocks of %lu bits (%.3g %cByte)\n", block_nbits, storage, prefix[shift]); } block = vector_alloc(block_nbits); for (block_start_bit = bit; block_start_bit < limit_nbits; block_start_bit += block_nbits) { unsigned long block_start; if (block_start_bit + block_nbits > limit_nbits) block_nbits = limit_nbits - block_start_bit; vector_init(block, block_nbits); block_start = 3 + 2*block_start_bit; if (verbose > 1) fprintf(stderr, "Next block, n = %lu\n", block_start); /* Sieve */ for (bit = 0; bit < sieve_nbits; bit = vector_find_next(sieve, bit + 1, sieve_nbits)) { unsigned long n = 3 + 2 * bit; unsigned long sieve_start_bit = (n + 3) * bit + 3; if (sieve_start_bit < block_start_bit) { unsigned long k = (block_start + n - 1) / (2*n); sieve_start_bit = n * k + bit; assert(sieve_start_bit < block_start_bit + n); } assert(sieve_start_bit >= block_start_bit); vector_clear_bits(block, n, sieve_start_bit - block_start_bit, block_nbits); } for (bit = vector_find_next(block, 0, block_nbits); bit < block_nbits; bit = vector_find_next(block, bit + 1, block_nbits)) { unsigned long n = block_start + 2 * bit; if (!silent) printf("%lu\n", n); } } free(sieve); free(block); return EXIT_SUCCESS; } nettle-3.4.1/hmac-md5.c0000644000175000017500000000300013401564745013577 0ustar nissenisse/* hmac-md5.c HMAC-MD5 message authentication code. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_md5_set_key(struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_md5, key_length, key); } void hmac_md5_update(struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data) { md5_update(&ctx->state, length, data); } void hmac_md5_digest(struct hmac_md5_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_md5, length, digest); } nettle-3.4.1/ccm.c0000644000175000017500000002123213401564745012755 0ustar nissenisse/* ccm.c Counter with CBC-MAC mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "ccm.h" #include "ctr.h" #include "memops.h" #include "nettle-internal.h" #include "macros.h" /* * The format of the CCM IV (for both CTR and CBC-MAC) is: flags | nonce | count * flags = 1 octet * nonce = N octets * count >= 1 octet * * such that: * sizeof(flags) + sizeof(nonce) + sizeof(count) == 1 block */ #define CCM_FLAG_L 0x07 #define CCM_FLAG_M 0x38 #define CCM_FLAG_ADATA 0x40 #define CCM_FLAG_RESERVED 0x80 #define CCM_FLAG_GET_L(_x_) (((_x_) & CCM_FLAG_L) + 1) #define CCM_FLAG_SET_L(_x_) (((_x_) - 1) & CCM_FLAG_L) #define CCM_FLAG_SET_M(_x_) ((((_x_) - 2) << 2) & CCM_FLAG_M) #define CCM_OFFSET_FLAGS 0 #define CCM_OFFSET_NONCE 1 #define CCM_L_SIZE(_nlen_) (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - (_nlen_)) /* * The data input to the CBC-MAC: L(a) | adata | padding | plaintext | padding * * blength is the length of data that has been added to the CBC-MAC modulus the * cipher block size. If the value of blength is non-zero then some data has * been XOR'ed into the CBC-MAC, and we will need to pad the block (XOR with 0), * and iterate the cipher one more time. * * The end of adata is detected implicitly by the first call to the encrypt() * and decrypt() functions, and will call ccm_pad() to insert the padding if * necessary. Because of the underlying CTR encryption, the encrypt() and * decrypt() functions must be called with a multiple of the block size and * therefore blength should be zero on all but the first call. * * Likewise, the end of the plaintext is implicitly determined by the first call * to the digest() function, which will pad if the final CTR encryption was not * a multiple of the block size. */ static void ccm_pad(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f) { if (ctx->blength) f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); ctx->blength = 0; } static void ccm_build_iv(uint8_t *iv, size_t noncelen, const uint8_t *nonce, uint8_t flags, size_t count) { unsigned int i; /* Sanity check the nonce length. */ assert(noncelen >= CCM_MIN_NONCE_SIZE); assert(noncelen <= CCM_MAX_NONCE_SIZE); /* Generate the IV */ iv[CCM_OFFSET_FLAGS] = flags | CCM_FLAG_SET_L(CCM_L_SIZE(noncelen)); memcpy(&iv[CCM_OFFSET_NONCE], nonce, noncelen); for (i=(CCM_BLOCK_SIZE - 1); i >= (CCM_OFFSET_NONCE + noncelen); i--) { iv[i] = count & 0xff; count >>= 8; } /* Ensure the count was not truncated. */ assert(!count); } void ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { /* Generate the IV for the CTR and CBC-MAC */ ctx->blength = 0; ccm_build_iv(ctx->tag.b, length, nonce, CCM_FLAG_SET_M(taglen), msglen); ccm_build_iv(ctx->ctr.b, length, nonce, 0, 1); /* If no auth data, encrypt B0 and skip L(a) */ if (!authlen) { f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); return; } /* Encrypt B0 (with the adata flag), and input L(a) to the CBC-MAC. */ ctx->tag.b[CCM_OFFSET_FLAGS] |= CCM_FLAG_ADATA; f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); #if SIZEOF_SIZE_T > 4 if (authlen >= (0x01ULL << 32)) { /* Encode L(a) as 0xff || 0xff || <64-bit integer> */ ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 56) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 48) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 40) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 32) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; } else #endif if (authlen >= ((0x1ULL << 16) - (0x1ULL << 8))) { /* Encode L(a) as 0xff || 0xfe || <32-bit integer> */ ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= 0xfe; ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; } ctx->tag.b[ctx->blength++] ^= (authlen >> 8) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 0) & 0xff; } void ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { const uint8_t *end = data + length; /* If we don't have enough to fill a block, save the data for later. */ if ((ctx->blength + length) < CCM_BLOCK_SIZE) { memxor(&ctx->tag.b[ctx->blength], data, length); ctx->blength += length; return; } /* Process a partially filled block. */ if (ctx->blength) { memxor(&ctx->tag.b[ctx->blength], data, CCM_BLOCK_SIZE - ctx->blength); data += (CCM_BLOCK_SIZE - ctx->blength); f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); } /* Process full blocks. */ while ((data + CCM_BLOCK_SIZE) < end) { memxor(ctx->tag.b, data, CCM_BLOCK_SIZE); f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); data += CCM_BLOCK_SIZE; } /* while */ /* Save leftovers for later. */ ctx->blength = (end - data); if (ctx->blength) memxor(&ctx->tag.b, data, ctx->blength); } /* * Because of the underlying CTR mode encryption, when called multiple times * the data in intermediate calls must be provided in multiples of the block * size. */ void ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ccm_pad(ctx, cipher, f); ccm_update(ctx, cipher, f, length, src); ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); } /* * Because of the underlying CTR mode decryption, when called multiple times * the data in intermediate calls must be provided in multiples of the block * size. */ void ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); ccm_pad(ctx, cipher, f); ccm_update(ctx, cipher, f, length, dst); } void ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest) { int i = CCM_BLOCK_SIZE - CCM_FLAG_GET_L(ctx->ctr.b[CCM_OFFSET_FLAGS]); assert(length <= CCM_BLOCK_SIZE); while (i < CCM_BLOCK_SIZE) ctx->ctr.b[i++] = 0; ccm_pad(ctx, cipher, f); ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, digest, ctx->tag.b); } void ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { struct ccm_ctx ctx; uint8_t *tag = dst + (clength-tlength); assert(clength >= tlength); ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength); ccm_update(&ctx, cipher, f, alength, adata); ccm_encrypt(&ctx, cipher, f, clength-tlength, dst, src); ccm_digest(&ctx, cipher, f, tlength, tag); } int ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { struct ccm_ctx ctx; uint8_t tag[CCM_BLOCK_SIZE]; ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, mlength, tlength); ccm_update(&ctx, cipher, f, alength, adata); ccm_decrypt(&ctx, cipher, f, mlength, dst, src); ccm_digest(&ctx, cipher, f, tlength, tag); return memeql_sec(tag, src + mlength, tlength); } nettle-3.4.1/arcfour-crypt.c0000644000175000017500000000304513401564745015015 0ustar nissenisse/* arcfour-crypt.c The arcfour/rc4 stream cipher. Copyright (C) 2001, 2004 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "arcfour.h" void arcfour_crypt(struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { register uint8_t i, j; register int si, sj; i = ctx->i; j = ctx->j; while(length--) { i++; i &= 0xff; si = ctx->S[i]; j += si; j &= 0xff; sj = ctx->S[i] = ctx->S[j]; ctx->S[j] = si; *dst++ = *src++ ^ ctx->S[ (si + sj) & 0xff ]; } ctx->i = i; ctx->j = j; } nettle-3.4.1/poly1305.h0000644000175000017500000000717013401564746013522 0ustar nissenisse/* poly1305.h Poly1305 message authentication code. Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_POLY1305_H_INCLUDED #define NETTLE_POLY1305_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define poly1305_set_key nettle_poly1305_set_key #define poly1305_digest nettle_poly1305_digest #define _poly1305_block _nettle_poly1305_block #define poly1305_aes_set_key nettle_poly1305_aes_set_key #define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce #define poly1305_aes_update nettle_poly1305_aes_update #define poly1305_aes_digest nettle_poly1305_aes_digest /* Low level functions/macros for the poly1305 construction. */ #define POLY1305_DIGEST_SIZE 16 #define POLY1305_BLOCK_SIZE 16 #define POLY1305_KEY_SIZE 16 struct poly1305_ctx { /* Key, 128-bit value and some cached multiples. */ union { uint32_t r32[6]; uint64_t r64[3]; } r; uint32_t s32[3]; /* State, represented as words of 26, 32 or 64 bits, depending on implementation. */ /* High bits first, to maintain alignment. */ uint32_t hh; union { uint32_t h32[4]; uint64_t h64[2]; } h; }; /* Low-level internal interface. */ void poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); /* Extracts digest, and adds it to s, the encrypted nonce. */ void poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s); /* Internal function. Process one block. */ void _poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned high); /* poly1305-aes */ #define POLY1305_AES_KEY_SIZE 32 #define POLY1305_AES_DIGEST_SIZE 16 #define POLY1305_AES_NONCE_SIZE 16 struct poly1305_aes_ctx { /* Keep aes context last, to make it possible to use a general poly1305_update if other variants are added. */ struct poly1305_ctx pctx; uint8_t block[POLY1305_BLOCK_SIZE]; unsigned index; uint8_t nonce[POLY1305_BLOCK_SIZE]; struct aes128_ctx aes; }; /* Also initialize the nonce to zero. */ void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key); /* Optional, if not used, messages get incrementing nonces starting from zero. */ void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t *nonce); /* Update is not aes-specific, but since this is the only implemented variant, we need no more general poly1305_update. */ void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data); /* Also increments the nonce */ void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_POLY1305_H_INCLUDED */ nettle-3.4.1/ed25519-sha512-pubkey.c0000644000175000017500000000322613401564746015513 0ustar nissenisse/* ed25519-sha512-pubkey.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "sha2.h" void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv) { const struct ecc_curve *ecc = &_nettle_curve25519; struct sha512_ctx ctx; uint8_t digest[SHA512_DIGEST_SIZE]; mp_size_t itch = ecc->q.size + _eddsa_public_key_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k scratch #define scratch_out (scratch + ecc->q.size) _eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k); _eddsa_public_key (ecc, k, pub, scratch_out); gmp_free_limbs (scratch, itch); #undef k #undef scratch_out } nettle-3.4.1/aes-encrypt-table.c0000644000175000017500000003536213401564745015543 0ustar nissenisse/* aes-encrypt-table.c Encryption table for the aes/rijndael block cipher. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" /* Tables are assembled using little-endian byte order, including the * pre-rotated variants. Generated by aesdata.c. * * Note that AES is byte order agnostic, we only need to be consistent * and use the same byteorder when processing key, cleartext and * ciphertext bytes. * * Little-endian means that the first row of the AES state arrays * occupy the least significant byte of the words, which is also * consistent with the row numbering. */ const struct aes_table _aes_encrypt_table = { /* sbox */ { 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5, 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76, 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0, 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0, 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc, 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15, 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a, 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75, 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0, 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84, 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b, 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf, 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85, 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8, 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5, 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2, 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17, 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73, 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88, 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb, 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c, 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79, 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9, 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08, 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6, 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a, 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e, 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e, 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94, 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf, 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68, 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16, }, { /* dtable */ { 0xa56363c6,0x847c7cf8,0x997777ee,0x8d7b7bf6, 0x0df2f2ff,0xbd6b6bd6,0xb16f6fde,0x54c5c591, 0x50303060,0x03010102,0xa96767ce,0x7d2b2b56, 0x19fefee7,0x62d7d7b5,0xe6abab4d,0x9a7676ec, 0x45caca8f,0x9d82821f,0x40c9c989,0x877d7dfa, 0x15fafaef,0xeb5959b2,0xc947478e,0x0bf0f0fb, 0xecadad41,0x67d4d4b3,0xfda2a25f,0xeaafaf45, 0xbf9c9c23,0xf7a4a453,0x967272e4,0x5bc0c09b, 0xc2b7b775,0x1cfdfde1,0xae93933d,0x6a26264c, 0x5a36366c,0x413f3f7e,0x02f7f7f5,0x4fcccc83, 0x5c343468,0xf4a5a551,0x34e5e5d1,0x08f1f1f9, 0x937171e2,0x73d8d8ab,0x53313162,0x3f15152a, 0x0c040408,0x52c7c795,0x65232346,0x5ec3c39d, 0x28181830,0xa1969637,0x0f05050a,0xb59a9a2f, 0x0907070e,0x36121224,0x9b80801b,0x3de2e2df, 0x26ebebcd,0x6927274e,0xcdb2b27f,0x9f7575ea, 0x1b090912,0x9e83831d,0x742c2c58,0x2e1a1a34, 0x2d1b1b36,0xb26e6edc,0xee5a5ab4,0xfba0a05b, 0xf65252a4,0x4d3b3b76,0x61d6d6b7,0xceb3b37d, 0x7b292952,0x3ee3e3dd,0x712f2f5e,0x97848413, 0xf55353a6,0x68d1d1b9,0x00000000,0x2cededc1, 0x60202040,0x1ffcfce3,0xc8b1b179,0xed5b5bb6, 0xbe6a6ad4,0x46cbcb8d,0xd9bebe67,0x4b393972, 0xde4a4a94,0xd44c4c98,0xe85858b0,0x4acfcf85, 0x6bd0d0bb,0x2aefefc5,0xe5aaaa4f,0x16fbfbed, 0xc5434386,0xd74d4d9a,0x55333366,0x94858511, 0xcf45458a,0x10f9f9e9,0x06020204,0x817f7ffe, 0xf05050a0,0x443c3c78,0xba9f9f25,0xe3a8a84b, 0xf35151a2,0xfea3a35d,0xc0404080,0x8a8f8f05, 0xad92923f,0xbc9d9d21,0x48383870,0x04f5f5f1, 0xdfbcbc63,0xc1b6b677,0x75dadaaf,0x63212142, 0x30101020,0x1affffe5,0x0ef3f3fd,0x6dd2d2bf, 0x4ccdcd81,0x140c0c18,0x35131326,0x2fececc3, 0xe15f5fbe,0xa2979735,0xcc444488,0x3917172e, 0x57c4c493,0xf2a7a755,0x827e7efc,0x473d3d7a, 0xac6464c8,0xe75d5dba,0x2b191932,0x957373e6, 0xa06060c0,0x98818119,0xd14f4f9e,0x7fdcdca3, 0x66222244,0x7e2a2a54,0xab90903b,0x8388880b, 0xca46468c,0x29eeeec7,0xd3b8b86b,0x3c141428, 0x79dedea7,0xe25e5ebc,0x1d0b0b16,0x76dbdbad, 0x3be0e0db,0x56323264,0x4e3a3a74,0x1e0a0a14, 0xdb494992,0x0a06060c,0x6c242448,0xe45c5cb8, 0x5dc2c29f,0x6ed3d3bd,0xefacac43,0xa66262c4, 0xa8919139,0xa4959531,0x37e4e4d3,0x8b7979f2, 0x32e7e7d5,0x43c8c88b,0x5937376e,0xb76d6dda, 0x8c8d8d01,0x64d5d5b1,0xd24e4e9c,0xe0a9a949, 0xb46c6cd8,0xfa5656ac,0x07f4f4f3,0x25eaeacf, 0xaf6565ca,0x8e7a7af4,0xe9aeae47,0x18080810, 0xd5baba6f,0x887878f0,0x6f25254a,0x722e2e5c, 0x241c1c38,0xf1a6a657,0xc7b4b473,0x51c6c697, 0x23e8e8cb,0x7cdddda1,0x9c7474e8,0x211f1f3e, 0xdd4b4b96,0xdcbdbd61,0x868b8b0d,0x858a8a0f, 0x907070e0,0x423e3e7c,0xc4b5b571,0xaa6666cc, 0xd8484890,0x05030306,0x01f6f6f7,0x120e0e1c, 0xa36161c2,0x5f35356a,0xf95757ae,0xd0b9b969, 0x91868617,0x58c1c199,0x271d1d3a,0xb99e9e27, 0x38e1e1d9,0x13f8f8eb,0xb398982b,0x33111122, 0xbb6969d2,0x70d9d9a9,0x898e8e07,0xa7949433, 0xb69b9b2d,0x221e1e3c,0x92878715,0x20e9e9c9, 0x49cece87,0xff5555aa,0x78282850,0x7adfdfa5, 0x8f8c8c03,0xf8a1a159,0x80898909,0x170d0d1a, 0xdabfbf65,0x31e6e6d7,0xc6424284,0xb86868d0, 0xc3414182,0xb0999929,0x772d2d5a,0x110f0f1e, 0xcbb0b07b,0xfc5454a8,0xd6bbbb6d,0x3a16162c, }, #if !AES_SMALL { 0x6363c6a5,0x7c7cf884,0x7777ee99,0x7b7bf68d, 0xf2f2ff0d,0x6b6bd6bd,0x6f6fdeb1,0xc5c59154, 0x30306050,0x01010203,0x6767cea9,0x2b2b567d, 0xfefee719,0xd7d7b562,0xabab4de6,0x7676ec9a, 0xcaca8f45,0x82821f9d,0xc9c98940,0x7d7dfa87, 0xfafaef15,0x5959b2eb,0x47478ec9,0xf0f0fb0b, 0xadad41ec,0xd4d4b367,0xa2a25ffd,0xafaf45ea, 0x9c9c23bf,0xa4a453f7,0x7272e496,0xc0c09b5b, 0xb7b775c2,0xfdfde11c,0x93933dae,0x26264c6a, 0x36366c5a,0x3f3f7e41,0xf7f7f502,0xcccc834f, 0x3434685c,0xa5a551f4,0xe5e5d134,0xf1f1f908, 0x7171e293,0xd8d8ab73,0x31316253,0x15152a3f, 0x0404080c,0xc7c79552,0x23234665,0xc3c39d5e, 0x18183028,0x969637a1,0x05050a0f,0x9a9a2fb5, 0x07070e09,0x12122436,0x80801b9b,0xe2e2df3d, 0xebebcd26,0x27274e69,0xb2b27fcd,0x7575ea9f, 0x0909121b,0x83831d9e,0x2c2c5874,0x1a1a342e, 0x1b1b362d,0x6e6edcb2,0x5a5ab4ee,0xa0a05bfb, 0x5252a4f6,0x3b3b764d,0xd6d6b761,0xb3b37dce, 0x2929527b,0xe3e3dd3e,0x2f2f5e71,0x84841397, 0x5353a6f5,0xd1d1b968,0x00000000,0xededc12c, 0x20204060,0xfcfce31f,0xb1b179c8,0x5b5bb6ed, 0x6a6ad4be,0xcbcb8d46,0xbebe67d9,0x3939724b, 0x4a4a94de,0x4c4c98d4,0x5858b0e8,0xcfcf854a, 0xd0d0bb6b,0xefefc52a,0xaaaa4fe5,0xfbfbed16, 0x434386c5,0x4d4d9ad7,0x33336655,0x85851194, 0x45458acf,0xf9f9e910,0x02020406,0x7f7ffe81, 0x5050a0f0,0x3c3c7844,0x9f9f25ba,0xa8a84be3, 0x5151a2f3,0xa3a35dfe,0x404080c0,0x8f8f058a, 0x92923fad,0x9d9d21bc,0x38387048,0xf5f5f104, 0xbcbc63df,0xb6b677c1,0xdadaaf75,0x21214263, 0x10102030,0xffffe51a,0xf3f3fd0e,0xd2d2bf6d, 0xcdcd814c,0x0c0c1814,0x13132635,0xececc32f, 0x5f5fbee1,0x979735a2,0x444488cc,0x17172e39, 0xc4c49357,0xa7a755f2,0x7e7efc82,0x3d3d7a47, 0x6464c8ac,0x5d5dbae7,0x1919322b,0x7373e695, 0x6060c0a0,0x81811998,0x4f4f9ed1,0xdcdca37f, 0x22224466,0x2a2a547e,0x90903bab,0x88880b83, 0x46468cca,0xeeeec729,0xb8b86bd3,0x1414283c, 0xdedea779,0x5e5ebce2,0x0b0b161d,0xdbdbad76, 0xe0e0db3b,0x32326456,0x3a3a744e,0x0a0a141e, 0x494992db,0x06060c0a,0x2424486c,0x5c5cb8e4, 0xc2c29f5d,0xd3d3bd6e,0xacac43ef,0x6262c4a6, 0x919139a8,0x959531a4,0xe4e4d337,0x7979f28b, 0xe7e7d532,0xc8c88b43,0x37376e59,0x6d6ddab7, 0x8d8d018c,0xd5d5b164,0x4e4e9cd2,0xa9a949e0, 0x6c6cd8b4,0x5656acfa,0xf4f4f307,0xeaeacf25, 0x6565caaf,0x7a7af48e,0xaeae47e9,0x08081018, 0xbaba6fd5,0x7878f088,0x25254a6f,0x2e2e5c72, 0x1c1c3824,0xa6a657f1,0xb4b473c7,0xc6c69751, 0xe8e8cb23,0xdddda17c,0x7474e89c,0x1f1f3e21, 0x4b4b96dd,0xbdbd61dc,0x8b8b0d86,0x8a8a0f85, 0x7070e090,0x3e3e7c42,0xb5b571c4,0x6666ccaa, 0x484890d8,0x03030605,0xf6f6f701,0x0e0e1c12, 0x6161c2a3,0x35356a5f,0x5757aef9,0xb9b969d0, 0x86861791,0xc1c19958,0x1d1d3a27,0x9e9e27b9, 0xe1e1d938,0xf8f8eb13,0x98982bb3,0x11112233, 0x6969d2bb,0xd9d9a970,0x8e8e0789,0x949433a7, 0x9b9b2db6,0x1e1e3c22,0x87871592,0xe9e9c920, 0xcece8749,0x5555aaff,0x28285078,0xdfdfa57a, 0x8c8c038f,0xa1a159f8,0x89890980,0x0d0d1a17, 0xbfbf65da,0xe6e6d731,0x424284c6,0x6868d0b8, 0x414182c3,0x999929b0,0x2d2d5a77,0x0f0f1e11, 0xb0b07bcb,0x5454a8fc,0xbbbb6dd6,0x16162c3a, },{ 0x63c6a563,0x7cf8847c,0x77ee9977,0x7bf68d7b, 0xf2ff0df2,0x6bd6bd6b,0x6fdeb16f,0xc59154c5, 0x30605030,0x01020301,0x67cea967,0x2b567d2b, 0xfee719fe,0xd7b562d7,0xab4de6ab,0x76ec9a76, 0xca8f45ca,0x821f9d82,0xc98940c9,0x7dfa877d, 0xfaef15fa,0x59b2eb59,0x478ec947,0xf0fb0bf0, 0xad41ecad,0xd4b367d4,0xa25ffda2,0xaf45eaaf, 0x9c23bf9c,0xa453f7a4,0x72e49672,0xc09b5bc0, 0xb775c2b7,0xfde11cfd,0x933dae93,0x264c6a26, 0x366c5a36,0x3f7e413f,0xf7f502f7,0xcc834fcc, 0x34685c34,0xa551f4a5,0xe5d134e5,0xf1f908f1, 0x71e29371,0xd8ab73d8,0x31625331,0x152a3f15, 0x04080c04,0xc79552c7,0x23466523,0xc39d5ec3, 0x18302818,0x9637a196,0x050a0f05,0x9a2fb59a, 0x070e0907,0x12243612,0x801b9b80,0xe2df3de2, 0xebcd26eb,0x274e6927,0xb27fcdb2,0x75ea9f75, 0x09121b09,0x831d9e83,0x2c58742c,0x1a342e1a, 0x1b362d1b,0x6edcb26e,0x5ab4ee5a,0xa05bfba0, 0x52a4f652,0x3b764d3b,0xd6b761d6,0xb37dceb3, 0x29527b29,0xe3dd3ee3,0x2f5e712f,0x84139784, 0x53a6f553,0xd1b968d1,0x00000000,0xedc12ced, 0x20406020,0xfce31ffc,0xb179c8b1,0x5bb6ed5b, 0x6ad4be6a,0xcb8d46cb,0xbe67d9be,0x39724b39, 0x4a94de4a,0x4c98d44c,0x58b0e858,0xcf854acf, 0xd0bb6bd0,0xefc52aef,0xaa4fe5aa,0xfbed16fb, 0x4386c543,0x4d9ad74d,0x33665533,0x85119485, 0x458acf45,0xf9e910f9,0x02040602,0x7ffe817f, 0x50a0f050,0x3c78443c,0x9f25ba9f,0xa84be3a8, 0x51a2f351,0xa35dfea3,0x4080c040,0x8f058a8f, 0x923fad92,0x9d21bc9d,0x38704838,0xf5f104f5, 0xbc63dfbc,0xb677c1b6,0xdaaf75da,0x21426321, 0x10203010,0xffe51aff,0xf3fd0ef3,0xd2bf6dd2, 0xcd814ccd,0x0c18140c,0x13263513,0xecc32fec, 0x5fbee15f,0x9735a297,0x4488cc44,0x172e3917, 0xc49357c4,0xa755f2a7,0x7efc827e,0x3d7a473d, 0x64c8ac64,0x5dbae75d,0x19322b19,0x73e69573, 0x60c0a060,0x81199881,0x4f9ed14f,0xdca37fdc, 0x22446622,0x2a547e2a,0x903bab90,0x880b8388, 0x468cca46,0xeec729ee,0xb86bd3b8,0x14283c14, 0xdea779de,0x5ebce25e,0x0b161d0b,0xdbad76db, 0xe0db3be0,0x32645632,0x3a744e3a,0x0a141e0a, 0x4992db49,0x060c0a06,0x24486c24,0x5cb8e45c, 0xc29f5dc2,0xd3bd6ed3,0xac43efac,0x62c4a662, 0x9139a891,0x9531a495,0xe4d337e4,0x79f28b79, 0xe7d532e7,0xc88b43c8,0x376e5937,0x6ddab76d, 0x8d018c8d,0xd5b164d5,0x4e9cd24e,0xa949e0a9, 0x6cd8b46c,0x56acfa56,0xf4f307f4,0xeacf25ea, 0x65caaf65,0x7af48e7a,0xae47e9ae,0x08101808, 0xba6fd5ba,0x78f08878,0x254a6f25,0x2e5c722e, 0x1c38241c,0xa657f1a6,0xb473c7b4,0xc69751c6, 0xe8cb23e8,0xdda17cdd,0x74e89c74,0x1f3e211f, 0x4b96dd4b,0xbd61dcbd,0x8b0d868b,0x8a0f858a, 0x70e09070,0x3e7c423e,0xb571c4b5,0x66ccaa66, 0x4890d848,0x03060503,0xf6f701f6,0x0e1c120e, 0x61c2a361,0x356a5f35,0x57aef957,0xb969d0b9, 0x86179186,0xc19958c1,0x1d3a271d,0x9e27b99e, 0xe1d938e1,0xf8eb13f8,0x982bb398,0x11223311, 0x69d2bb69,0xd9a970d9,0x8e07898e,0x9433a794, 0x9b2db69b,0x1e3c221e,0x87159287,0xe9c920e9, 0xce8749ce,0x55aaff55,0x28507828,0xdfa57adf, 0x8c038f8c,0xa159f8a1,0x89098089,0x0d1a170d, 0xbf65dabf,0xe6d731e6,0x4284c642,0x68d0b868, 0x4182c341,0x9929b099,0x2d5a772d,0x0f1e110f, 0xb07bcbb0,0x54a8fc54,0xbb6dd6bb,0x162c3a16, },{ 0xc6a56363,0xf8847c7c,0xee997777,0xf68d7b7b, 0xff0df2f2,0xd6bd6b6b,0xdeb16f6f,0x9154c5c5, 0x60503030,0x02030101,0xcea96767,0x567d2b2b, 0xe719fefe,0xb562d7d7,0x4de6abab,0xec9a7676, 0x8f45caca,0x1f9d8282,0x8940c9c9,0xfa877d7d, 0xef15fafa,0xb2eb5959,0x8ec94747,0xfb0bf0f0, 0x41ecadad,0xb367d4d4,0x5ffda2a2,0x45eaafaf, 0x23bf9c9c,0x53f7a4a4,0xe4967272,0x9b5bc0c0, 0x75c2b7b7,0xe11cfdfd,0x3dae9393,0x4c6a2626, 0x6c5a3636,0x7e413f3f,0xf502f7f7,0x834fcccc, 0x685c3434,0x51f4a5a5,0xd134e5e5,0xf908f1f1, 0xe2937171,0xab73d8d8,0x62533131,0x2a3f1515, 0x080c0404,0x9552c7c7,0x46652323,0x9d5ec3c3, 0x30281818,0x37a19696,0x0a0f0505,0x2fb59a9a, 0x0e090707,0x24361212,0x1b9b8080,0xdf3de2e2, 0xcd26ebeb,0x4e692727,0x7fcdb2b2,0xea9f7575, 0x121b0909,0x1d9e8383,0x58742c2c,0x342e1a1a, 0x362d1b1b,0xdcb26e6e,0xb4ee5a5a,0x5bfba0a0, 0xa4f65252,0x764d3b3b,0xb761d6d6,0x7dceb3b3, 0x527b2929,0xdd3ee3e3,0x5e712f2f,0x13978484, 0xa6f55353,0xb968d1d1,0x00000000,0xc12ceded, 0x40602020,0xe31ffcfc,0x79c8b1b1,0xb6ed5b5b, 0xd4be6a6a,0x8d46cbcb,0x67d9bebe,0x724b3939, 0x94de4a4a,0x98d44c4c,0xb0e85858,0x854acfcf, 0xbb6bd0d0,0xc52aefef,0x4fe5aaaa,0xed16fbfb, 0x86c54343,0x9ad74d4d,0x66553333,0x11948585, 0x8acf4545,0xe910f9f9,0x04060202,0xfe817f7f, 0xa0f05050,0x78443c3c,0x25ba9f9f,0x4be3a8a8, 0xa2f35151,0x5dfea3a3,0x80c04040,0x058a8f8f, 0x3fad9292,0x21bc9d9d,0x70483838,0xf104f5f5, 0x63dfbcbc,0x77c1b6b6,0xaf75dada,0x42632121, 0x20301010,0xe51affff,0xfd0ef3f3,0xbf6dd2d2, 0x814ccdcd,0x18140c0c,0x26351313,0xc32fecec, 0xbee15f5f,0x35a29797,0x88cc4444,0x2e391717, 0x9357c4c4,0x55f2a7a7,0xfc827e7e,0x7a473d3d, 0xc8ac6464,0xbae75d5d,0x322b1919,0xe6957373, 0xc0a06060,0x19988181,0x9ed14f4f,0xa37fdcdc, 0x44662222,0x547e2a2a,0x3bab9090,0x0b838888, 0x8cca4646,0xc729eeee,0x6bd3b8b8,0x283c1414, 0xa779dede,0xbce25e5e,0x161d0b0b,0xad76dbdb, 0xdb3be0e0,0x64563232,0x744e3a3a,0x141e0a0a, 0x92db4949,0x0c0a0606,0x486c2424,0xb8e45c5c, 0x9f5dc2c2,0xbd6ed3d3,0x43efacac,0xc4a66262, 0x39a89191,0x31a49595,0xd337e4e4,0xf28b7979, 0xd532e7e7,0x8b43c8c8,0x6e593737,0xdab76d6d, 0x018c8d8d,0xb164d5d5,0x9cd24e4e,0x49e0a9a9, 0xd8b46c6c,0xacfa5656,0xf307f4f4,0xcf25eaea, 0xcaaf6565,0xf48e7a7a,0x47e9aeae,0x10180808, 0x6fd5baba,0xf0887878,0x4a6f2525,0x5c722e2e, 0x38241c1c,0x57f1a6a6,0x73c7b4b4,0x9751c6c6, 0xcb23e8e8,0xa17cdddd,0xe89c7474,0x3e211f1f, 0x96dd4b4b,0x61dcbdbd,0x0d868b8b,0x0f858a8a, 0xe0907070,0x7c423e3e,0x71c4b5b5,0xccaa6666, 0x90d84848,0x06050303,0xf701f6f6,0x1c120e0e, 0xc2a36161,0x6a5f3535,0xaef95757,0x69d0b9b9, 0x17918686,0x9958c1c1,0x3a271d1d,0x27b99e9e, 0xd938e1e1,0xeb13f8f8,0x2bb39898,0x22331111, 0xd2bb6969,0xa970d9d9,0x07898e8e,0x33a79494, 0x2db69b9b,0x3c221e1e,0x15928787,0xc920e9e9, 0x8749cece,0xaaff5555,0x50782828,0xa57adfdf, 0x038f8c8c,0x59f8a1a1,0x09808989,0x1a170d0d, 0x65dabfbf,0xd731e6e6,0x84c64242,0xd0b86868, 0x82c34141,0x29b09999,0x5a772d2d,0x1e110f0f, 0x7bcbb0b0,0xa8fc5454,0x6dd6bbbb,0x2c3a1616, }, #endif /* !AES_SMALL */ } }; nettle-3.4.1/chacha-set-nonce.c0000644000175000017500000000361613401564745015321 0ustar nissenisse/* chacha-set-nonce.c Setting the nonce the ChaCha stream cipher. Based on the Salsa20 implementation in Nettle. Copyright (C) 2013 Joachim Strömbergon Copyright (C) 2012 Simon Josefsson Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: ChaCha specification (doc id: 4027b5256e17b9796842e6d0f68b0b5e) and reference implementation dated 2008.01.20 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "chacha.h" #include "macros.h" void chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce) { ctx->state[12] = 0; ctx->state[13] = 0; ctx->state[14] = LE_READ_UINT32(nonce + 0); ctx->state[15] = LE_READ_UINT32(nonce + 4); } void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce) { ctx->state[12] = 0; ctx->state[13] = LE_READ_UINT32(nonce + 0); ctx->state[14] = LE_READ_UINT32(nonce + 4); ctx->state[15] = LE_READ_UINT32(nonce + 8); } nettle-3.4.1/aes128-meta.c0000644000175000017500000000265513401564745014152 0ustar nissenisse/* aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes128 = { "aes128", sizeof(struct aes128_ctx), AES_BLOCK_SIZE, AES128_KEY_SIZE, (nettle_set_key_func *) aes128_set_encrypt_key, (nettle_set_key_func *) aes128_set_decrypt_key, (nettle_cipher_func *) aes128_encrypt, (nettle_cipher_func *) aes128_decrypt }; nettle-3.4.1/sparc64/0000755000175000017500000000000013401564746013332 5ustar nissenissenettle-3.4.1/sparc64/aes-decrypt-internal.asm0000644000175000017500000000730613401564746020074 0ustar nissenisseC sparc64/aes-decrypt-internal.asm ifelse(< Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C The only difference between this code and the sparc32 code is the C frame offsets, and the magic BIAS when accessing the stack (which C doesn't matter, since we don't access any data on the stack). C Use the same AES macros as on sparc32. include_src() C Arguments define(,<%i0>) define(, <%i1>) define(, <%i2>) define(,<%i3>) define(, <%i4>) define(, <%i5>) C AES state, two copies for unrolling define(, <%l0>) define(, <%l1>) define(, <%l2>) define(, <%l3>) define(, <%l4>) define(, <%l5>) define(, <%l6>) define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field C %fp - 16: OS-dependent link field C %fp - 192: OS register save area (22*8 == 176 bytes) define(, 192) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_decrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(0, W0, W3, W2, W1, KEY, X0) AES_ROUND(1, W1, W0, W3, W2, KEY, X1) AES_ROUND(2, W2, W1, W0, W3, KEY, X2) AES_ROUND(3, W3, W2, W1, W0, KEY, X3) C Transform X -> W AES_ROUND(4, X0, X3, X2, X1, KEY, W0) AES_ROUND(5, X1, X0, X3, X2, KEY, W1) AES_ROUND(6, X2, X1, X0, X3, KEY, W2) AES_ROUND(7, X3, X2, X1, X0, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY C Penultimate round AES_ROUND(0, W0, W3, W2, W1, KEY, X0) AES_ROUND(1, W1, W0, W3, W2, KEY, X1) AES_ROUND(2, W2, W1, W0, W3, KEY, X2) AES_ROUND(3, W3, W2, W1, W0, KEY, X3) add KEY, 16, KEY C Final round AES_FINAL_ROUND(0, T, X0, X3, X2, X1, KEY, DST) AES_FINAL_ROUND(1, T, X1, X0, X3, X2, KEY, DST) AES_FINAL_ROUND(2, T, X2, X1, X0, X3, KEY, DST) AES_FINAL_ROUND(3, T, X3, X2, X1, X0, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_decrypt) nettle-3.4.1/sparc64/machine.m40000644000175000017500000000015313401564746015177 0ustar nissenissedefine(, 2047) C Magic stack bias for the Sparc64 ABI .register %g2,#scratch .register %g3,#scratch nettle-3.4.1/sparc64/arcfour-crypt.asm0000644000175000017500000001060113401564746016632 0ustar nissenisseC sparc64/arcfour-crypt.asm ifelse(< Copyright (C) 2002, 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Define to YES, to enable the complex code to special case SRC C and DST with compatible alignment. define(, ) C Registers define(, <%i0>) define(,<%i1>) define(, <%i2>) define(, <%i3>) define(, <%i4>) define(, <%i5>) define(, <%g1>) define(, <%g2>) define(, <%g3>) define(, <%o0>) define(, <%o1>) define(, <%o2>) define(, <%o3>) C Computes the next byte of the key stream. As input, i must C already point to the index for the current access, the index C for the next access is stored in ni. The resulting key byte is C stored in res. C ARCFOUR_BYTE(i, ni, res) define(, < ldub [CTX + $1], SI add $1, 1, $2 add J, SI, J and J, 0xff, J ldub [CTX + J], SJ and $2, 0xff, $2 stb SI, [CTX + J] add SI, SJ, SI and SI, 0xff, SI stb SJ, [CTX + $1] ldub [CTX + SI], $3 >)dnl define(, 192) .file "arcfour-crypt.asm" C arcfour_crypt(struct arcfour_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(nettle_arcfour_crypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend nop C Load both I and J lduh [CTX + ARCFOUR_I], I1 and I1, 0xff, J srl I1, 8, I1 C We want an even address for DST andcc DST, 1, %g0 add I1, 1 ,I1 beq .Laligned2 and I1, 0xff, I1 mov I1, I2 ldub [SRC], DATA ARCFOUR_BYTE(I2, I1, TMP) subcc LENGTH, 1, LENGTH add SRC, 1, SRC xor DATA, TMP, DATA stb DATA, [DST] beq .Ldone add DST, 1, DST .Laligned2: cmp LENGTH, 2 blu .Lfinal1 C Harmless delay slot instruction andcc DST, 2, %g0 beq .Laligned4 nop ldub [SRC], DATA ARCFOUR_BYTE(I1, I2, TMP) ldub [SRC + 1], TMP2 add SRC, 2, SRC xor DATA, TMP, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP subcc LENGTH, 2, LENGTH or DATA, TMP, DATA sth DATA, [DST] beq .Ldone add DST, 2, DST .Laligned4: cmp LENGTH, 4 blu .Lfinal2 C Harmless delay slot instruction srl LENGTH, 2, N .Loop: C Main loop, with aligned writes C FIXME: Could check if SRC is aligned, and C use 32-bit reads in that case. ldub [SRC], DATA ARCFOUR_BYTE(I1, I2, TMP) ldub [SRC + 1], TMP2 xor TMP, DATA, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP ldub [SRC + 2], TMP2 or TMP, DATA, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I1, I2, TMP) xor TMP2, TMP, TMP ldub [SRC + 3], TMP2 or TMP, DATA, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP or TMP, DATA, DATA subcc N, 1, N add SRC, 4, SRC st DATA, [DST] bne .Loop add DST, 4, DST andcc LENGTH, 3, LENGTH beq .Ldone nop .Lfinal2: C DST address must be 2-aligned cmp LENGTH, 2 blu .Lfinal1 nop ldub [SRC], DATA ARCFOUR_BYTE(I1, I2, TMP) ldub [SRC + 1], TMP2 add SRC, 2, SRC xor DATA, TMP, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP or DATA, TMP, DATA sth DATA, [DST] beq .Ldone add DST, 2, DST .Lfinal1: mov I1, I2 ldub [SRC], DATA ARCFOUR_BYTE(I2, I1, TMP) xor DATA, TMP, DATA stb DATA, [DST] .Ldone: C Save back I and J sll I2, 8, I2 or I2, J, I2 stuh I2, [CTX + ARCFOUR_I] .Lend: ret restore EPILOGUE(nettle_arcfour_crypt) C Stats for AES 128 on sellafield.lysator.liu.se (UE450, 296 MHz) C 1: nettle-1.13 C-code C 2: New assembler code (basically the same as for sparc32) C MB/s cycles/byte C 1: 3.6 77.7 C 2: 21.8 13.0 nettle-3.4.1/sparc64/aes-encrypt-internal.asm0000644000175000017500000000773113401564746020110 0ustar nissenisseC sparc64/aes-encrypt-internal.asm ifelse(< Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C The only difference between this code and the sparc32 code is the C frame offsets, and the magic BIAS when accessing the stack (which C doesn't matter, since we don't access any data on the stack). C Use the same AES macros as on sparc32. include_src() C Arguments define(,<%i0>) define(, <%i1>) define(, <%i2>) define(,<%i3>) define(, <%i4>) define(, <%i5>) C AES state, two copies for unrolling define(, <%l0>) define(, <%l1>) define(, <%l2>) define(, <%l3>) define(, <%l4>) define(, <%l5>) define(, <%l6>) define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field C %fp - 16: OS-dependent link field C %fp - 192: OS register save area (22*8 == 176 bytes) define(, 192) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_encrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) C Transform X -> W AES_ROUND(4, X0, X1, X2, X3, KEY, W0) AES_ROUND(5, X1, X2, X3, X0, KEY, W1) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY C Penultimate round AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) add KEY, 16, KEY C Final round AES_FINAL_ROUND(0, T, X0, X1, X2, X3, KEY, DST) AES_FINAL_ROUND(1, T, X1, X2, X3, X0, KEY, DST) AES_FINAL_ROUND(2, T, X2, X3, X0, X1, KEY, DST) AES_FINAL_ROUND(3, T, X3, X0, X1, X2, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_encrypt) C Stats for AES 128 on sellafield.lysator.liu.se (UE450, 296 MHz) C 1. nettle-1.13 C-code (nettle-1.13 assembler was broken for sparc64) C 2. New C-code C 3. New assembler code (basically the same as for sparc32) C MB/s cycles/block C 1 0.8 5781 C 2 1.8 2460 C 3 8.2 548 nettle-3.4.1/aes-decrypt-internal.c0000644000175000017500000000521113401564745016244 0ustar nissenisse/* aes-decrypt-internal.c Decryption function for the aes/rijndael block cipher. Copyright 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" void _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE) { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ w0 = LE_READ_UINT32(src) ^ keys[0]; w1 = LE_READ_UINT32(src + 4) ^ keys[1]; w2 = LE_READ_UINT32(src + 8) ^ keys[2]; w3 = LE_READ_UINT32(src + 12) ^ keys[3]; for (i = 1; i < rounds; i++) { t0 = AES_ROUND(T, w0, w3, w2, w1, keys[4*i]); t1 = AES_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]); t2 = AES_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]); t3 = AES_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, that should give a slight speedup. */ w0 = t0; w1 = t1; w2 = t2; w3 = t3; } /* Final round */ t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, keys[4*i]); t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]); t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]); t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]); LE_WRITE_UINT32(dst, t0); LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } nettle-3.4.1/aes192-set-encrypt-key.c0000644000175000017500000000237113401564745016263 0ustar nissenisse/* aes192-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" void aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) { _aes_set_key (_AES192_ROUNDS, AES192_KEY_SIZE / 4, ctx->keys, key); } nettle-3.4.1/ecc-256.c0000644000175000017500000001420013401564746013255 0ustar nissenisse/* ecc-256.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #if HAVE_NATIVE_ecc_256_redc # define USE_REDC 1 #else # define USE_REDC (ECC_REDC_SIZE != 0) #endif #include "ecc-256.h" #if HAVE_NATIVE_ecc_256_redc # define ecc_256_redc nettle_ecc_256_redc void ecc_256_redc (const struct ecc_modulo *p, mp_limb_t *rp); #else /* !HAVE_NATIVE_ecc_256_redc */ # if ECC_REDC_SIZE > 0 # define ecc_256_redc ecc_pp1_redc # elif ECC_REDC_SIZE == 0 # define ecc_256_redc NULL # else # error Configuration error # endif #endif /* !HAVE_NATIVE_ecc_256_redc */ #if ECC_BMODP_SIZE < ECC_LIMB_SIZE #define ecc_256_modp ecc_mod #define ecc_256_modq ecc_mod #elif GMP_NUMB_BITS == 64 static void ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp) { mp_limb_t u1, u0; mp_size_t n; n = 2*p->size; u1 = rp[--n]; u0 = rp[n-1]; /* This is not particularly fast, but should work well with assembly implementation. */ for (; n >= p->size; n--) { mp_limb_t q2, q1, q0, t, cy; /* = v * u1 + , with v = 2^32 - 1: +---+---+ | u1| u0| +---+---+ |-u1| +-+-+-+ | u1| +---+-+-+-+-+ | q2| q1| q0| +---+---+---+ */ q1 = u1 - (u1 > u0); q0 = u0 - u1; t = u1 << 32; q0 += t; t = (u1 >> 32) + (q0 < t) + 1; q1 += t; q2 = q1 < t; /* Compute candidate remainder */ u1 = u0 + (q1 << 32) - q1; t = -(mp_limb_t) (u1 > q0); u1 -= t & 0xffffffff; q1 += t; q2 += t + (q1 < t); assert (q2 < 2); /* n-1 n-2 n-3 n-4 +---+---+---+---+ | u1| u0| u low | +---+---+---+---+ - | q1(2^96-1)| +-------+---+ |q2(2^.)| +-------+ We multiply by two low limbs of p, 2^96 - 1, so we could use shifts rather than mul. */ t = mpn_submul_1 (rp + n - 4, p->m, 2, q1); t += cnd_sub_n (q2, rp + n - 3, p->m, 1); t += (-q2) & 0xffffffff; u0 = rp[n-2]; cy = (u0 < t); u0 -= t; t = (u1 < cy); u1 -= cy; cy = cnd_add_n (t, rp + n - 4, p->m, 2); u0 += cy; u1 += (u0 < cy); u1 -= (-t) & 0xffffffff; } rp[2] = u0; rp[3] = u1; } static void ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp) { mp_limb_t u2, u1, u0; mp_size_t n; n = 2*q->size; u2 = rp[--n]; u1 = rp[n-1]; /* This is not particularly fast, but should work well with assembly implementation. */ for (; n >= q->size; n--) { mp_limb_t q2, q1, q0, t, c1, c0; u0 = rp[n-2]; /* = v * u2 + , same method as above. +---+---+ | u2| u1| +---+---+ |-u2| +-+-+-+ | u2| +---+-+-+-+-+ | q2| q1| q0| +---+---+---+ */ q1 = u2 - (u2 > u1); q0 = u1 - u2; t = u2 << 32; q0 += t; t = (u2 >> 32) + (q0 < t) + 1; q1 += t; q2 = q1 < t; /* Compute candidate remainder, - * (2^128 - 2^96 + 2^64 - 1) + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128) +---+---+ | u1| u0| +---+---+ | q2| q1| +---+---+ |-q1| +-+-+-+ | q1| --+-+-+-+---+ | u2| u1| +---+---+ */ u2 = u1 + q2 - q1; u1 = u0 + q1; u2 += (u1 < q1); u2 += (q1 << 32); t = -(mp_limb_t) (u2 >= q0); q1 += t; q2 += t + (q1 < t); u1 += t; u2 += (t << 32) + (u1 < t); assert (q2 < 2); c0 = cnd_sub_n (q2, rp + n - 3, q->m, 1); c0 += (-q2) & q->m[1]; t = mpn_submul_1 (rp + n - 4, q->m, 2, q1); c0 += t; c1 = c0 < t; /* Construct underflow condition. */ c1 += (u1 < c0); t = - (mp_limb_t) (u2 < c1); u1 -= c0; u2 -= c1; /* Conditional add of p */ u1 += t; u2 += (t<<32) + (u1 < t); t = cnd_add_n (t, rp + n - 4, q->m, 2); u1 += t; u2 += (u1 < t); } rp[2] = u1; rp[3] = u2; } #else #error Unsupported parameters #endif const struct ecc_curve nettle_secp_256r1 = { { 256, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_redc_ppm1, ecc_pp1h, ecc_256_modp, USE_REDC ? ecc_256_redc : ecc_256_modp, ecc_mod_inv, NULL, }, { 256, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, NULL, ecc_qp1h, ecc_256_modq, ecc_256_modq, ecc_mod_inv, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), ecc_add_jjj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_g, NULL, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_256r1(void) { return &nettle_secp_256r1; } nettle-3.4.1/umac-l2.c0000644000175000017500000000667613401564745013472 0ustar nissenisse/* umac-l2.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "macros.h" /* Same mask applied to low and high halves */ #define KEY_MASK 0x01ffffffUL #if WORDS_BIGENDIAN #define BE_SWAP32(x) x #else #define BE_SWAP32(x) \ ((ROTL32(8, x) & 0x00FF00FFUL) | \ (ROTL32(24, x) & 0xFF00FF00UL)) #endif void _umac_l2_init (unsigned size, uint32_t *k) { unsigned i; for (i = 0; i < size; i++) { uint32_t w = k[i]; w = BE_SWAP32 (w); k[i] = w & KEY_MASK; } } void _umac_l2(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count, const uint64_t *m) { uint64_t *prev = state + 2*n; unsigned i; if (count == 0) memcpy (prev, m, n * sizeof(*m)); else if (count == 1) for (i = 0; i < n; i++, key += 6) { uint64_t y = _umac_poly64 (key[0], key[1], 1, prev[i]); state[2*i+1] = _umac_poly64 (key[0], key[1], y, m[i]); } else if (count < UMAC_POLY64_BLOCKS) for (i = 0; i < n; i++, key += 6) state[2*i+1] = _umac_poly64 (key[0], key[1], state[2*i+1], m[i]); else if (count % 2 == 0) { if (count == UMAC_POLY64_BLOCKS) for (i = 0, key += 2; i < n; i++, key += 6) { uint64_t y = state[2*i+1]; if (y >= UMAC_P64) y -= UMAC_P64; state[2*i] = 0; state[2*i+1] = 1; _umac_poly128 (key, state + 2*i, 0, y); } memcpy (prev, m, n * sizeof(*m)); } else for (i = 0, key += 2; i < n; i++, key += 6) _umac_poly128 (key, state + 2*i, prev[i], m[i]); } void _umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count) { uint64_t *prev = state + 2*n; unsigned i; assert (count > 0); if (count == 1) for (i = 0; i < n; i++) { *state++ = 0; *state++ = *prev++; } else if (count <= UMAC_POLY64_BLOCKS) for (i = 0; i < n; i++) { uint64_t y; *state++ = 0; y = *state; if (y >= UMAC_P64) y -= UMAC_P64; *state++ = y; } else { uint64_t pad = (uint64_t) 1 << 63; if (count % 2 == 1) for (i = 0, key += 2; i < n; i++, key += 6) _umac_poly128 (key, state + 2*i, prev[i], pad); else for (i = 0, key += 2; i < n; i++, key += 6) _umac_poly128 (key, state + 2*i, pad, 0); for (i = 0; i < n; i++, state += 2) { uint64_t yh, yl; yh = state[0]; yl = state[1]; if (yh == UMAC_P128_HI && yl >= UMAC_P128_LO) { state[0] = 0; state[1] = yl -= UMAC_P128_LO; } } } } nettle-3.4.1/cast128-meta.c0000644000175000017500000000262313401564745014327 0ustar nissenisse/* cast128-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "cast128.h" const struct nettle_cipher nettle_cast128 = { "cast128", sizeof(struct cast128_ctx), CAST128_BLOCK_SIZE, CAST128_KEY_SIZE, (nettle_set_key_func *) cast128_set_key, (nettle_set_key_func *) cast128_set_key, (nettle_cipher_func *) cast128_encrypt, (nettle_cipher_func *) cast128_decrypt }; nettle-3.4.1/hmac-sha512.c0000644000175000017500000000306013401564745014123 0ustar nissenisse/* hmac-sha512.c HMAC-SHA512 message authentication code. Copyright (C) 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha512, key_length, key); } void hmac_sha512_update(struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data) { sha512_update(&ctx->state, length, data); } void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha512, length, digest); } nettle-3.4.1/sexp.c0000644000175000017500000002047013401564745013175 0ustar nissenisse/* sexp.c Parsing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sexp.h" #include "macros.h" #include "nettle-internal.h" /* Initializes the iterator, but one has to call next to get to the * first element. */ static void sexp_iterator_init(struct sexp_iterator *iterator, unsigned length, const uint8_t *input) { iterator->length = length; iterator->buffer = input; iterator->pos = 0; iterator->level = 0; iterator->type = SEXP_END; /* Value doesn't matter */ iterator->display_length = 0; iterator->display = NULL; iterator->atom_length = 0; iterator->atom = NULL; } #define EMPTY(i) ((i)->pos == (i)->length) #define NEXT(i) ((i)->buffer[(i)->pos++]) static int sexp_iterator_simple(struct sexp_iterator *iterator, size_t *size, const uint8_t **string) { unsigned length = 0; uint8_t c; if (EMPTY(iterator)) return 0; c = NEXT(iterator); if (EMPTY(iterator)) return 0; if (c >= '1' && c <= '9') do { length = length * 10 + (c - '0'); if (length > (iterator->length - iterator->pos)) return 0; if (EMPTY(iterator)) return 0; c = NEXT(iterator); } while (c >= '0' && c <= '9'); else if (c == '0') /* There can be only one */ c = NEXT(iterator); else return 0; if (c != ':') return 0; *size = length; *string = iterator->buffer + iterator->pos; iterator->pos += length; return 1; } /* All these functions return 1 on success, 0 on failure */ /* Look at the current position in the data. Sets iterator->type, and * ignores the old value. */ static int sexp_iterator_parse(struct sexp_iterator *iterator) { iterator->start = iterator->pos; if (EMPTY(iterator)) { if (iterator->level) return 0; iterator->type = SEXP_END; return 1; } switch (iterator->buffer[iterator->pos]) { case '(': /* A list */ iterator->type = SEXP_LIST; return 1; case ')': if (!iterator->level) return 0; iterator->pos++; iterator->type = SEXP_END; return 1; case '[': /* Atom with display type */ iterator->pos++; if (!sexp_iterator_simple(iterator, &iterator->display_length, &iterator->display)) return 0; if (EMPTY(iterator) || NEXT(iterator) != ']') return 0; break; default: /* Must be either a decimal digit or a syntax error. * Errors are detected by sexp_iterator_simple. */ iterator->display_length = 0; iterator->display = NULL; break; } iterator->type = SEXP_ATOM; return sexp_iterator_simple(iterator, &iterator->atom_length, &iterator->atom); } int sexp_iterator_first(struct sexp_iterator *iterator, size_t length, const uint8_t *input) { sexp_iterator_init(iterator, length, input); return sexp_iterator_parse(iterator); } int sexp_iterator_next(struct sexp_iterator *iterator) { switch (iterator->type) { case SEXP_END: return 1; case SEXP_LIST: /* Skip this list */ return sexp_iterator_enter_list(iterator) && sexp_iterator_exit_list(iterator); case SEXP_ATOM: /* iterator->pos should already point at the start of the next * element. */ return sexp_iterator_parse(iterator); } /* If we get here, we have a bug. */ abort(); } /* Current element must be a list. */ int sexp_iterator_enter_list(struct sexp_iterator *iterator) { if (iterator->type != SEXP_LIST) return 0; if (EMPTY(iterator) || NEXT(iterator) != '(') /* Internal error */ abort(); iterator->level++; return sexp_iterator_parse(iterator); } /* Skips the rest of the current list */ int sexp_iterator_exit_list(struct sexp_iterator *iterator) { if (!iterator->level) return 0; while(iterator->type != SEXP_END) if (!sexp_iterator_next(iterator)) return 0; iterator->level--; return sexp_iterator_parse(iterator); } #if 0 /* What's a reasonable interface for this? */ int sexp_iterator_exit_lists(struct sexp_iterator *iterator, unsigned level) { assert(iterator->level >= level); while (iterator->level > level) if (!sexp_iterator_exit_list(iterator)) return 0; return 1; } #endif const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, size_t *length) { size_t start = iterator->start; if (!sexp_iterator_next(iterator)) return 0; *length = iterator->start - start; return iterator->buffer + start; } int sexp_iterator_get_uint32(struct sexp_iterator *iterator, uint32_t *x) { if (iterator->type == SEXP_ATOM && !iterator->display && iterator->atom_length && iterator->atom[0] < 0x80) { size_t length = iterator->atom_length; const uint8_t *p = iterator->atom; /* Skip leading zeros. */ while(length && !*p) { length--; p++; } switch(length) { case 0: *x = 0; break; case 1: *x = p[0]; break; case 2: *x = READ_UINT16(p); break; case 3: *x = READ_UINT24(p); break; case 4: *x = READ_UINT32(p); break; default: return 0; } return sexp_iterator_next(iterator); } return 0; } int sexp_iterator_check_type(struct sexp_iterator *iterator, const char *type) { return (sexp_iterator_enter_list(iterator) && iterator->type == SEXP_ATOM && !iterator->display && strlen(type) == iterator->atom_length && !memcmp(type, iterator->atom, iterator->atom_length) && sexp_iterator_next(iterator)); } const char * sexp_iterator_check_types(struct sexp_iterator *iterator, unsigned ntypes, const char * const *types) { if (sexp_iterator_enter_list(iterator) && iterator->type == SEXP_ATOM && !iterator->display) { unsigned i; for (i = 0; iatom_length && !memcmp(types[i], iterator->atom, iterator->atom_length)) return sexp_iterator_next(iterator) ? types[i] : NULL; } return NULL; } int sexp_iterator_assoc(struct sexp_iterator *iterator, unsigned nkeys, const char * const *keys, struct sexp_iterator *values) { TMP_DECL(found, int, NETTLE_MAX_SEXP_ASSOC); unsigned nfound; unsigned i; TMP_ALLOC(found, nkeys); for (i = 0; itype) { case SEXP_LIST: if (!sexp_iterator_enter_list(iterator)) return 0; if (iterator->type == SEXP_ATOM && !iterator->display) { /* Compare to the given keys */ for (i = 0; iatom_length && !memcmp(keys[i], iterator->atom, iterator->atom_length)) { if (found[i]) /* We don't allow duplicates */ return 0; /* Advance to point to value */ if (!sexp_iterator_next(iterator)) return 0; found[i] = 1; nfound++; /* Record this position. */ values[i] = *iterator; break; } } } if (!sexp_iterator_exit_list(iterator)) return 0; break; case SEXP_ATOM: /* Just ignore */ if (!sexp_iterator_next(iterator)) return 0; break; case SEXP_END: return sexp_iterator_exit_list(iterator) && (nfound == nkeys); default: abort(); } } } nettle-3.4.1/rsa-sha1-sign.c0000644000175000017500000000335013401564746014572 0ustar nissenisse/* rsa-sha1-sign.c Signatures using RSA and SHA1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_sign(const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha1_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha1_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha1_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.4.1/rsa-sec-decrypt.c0000644000175000017500000000400313401564746015216 0ustar nissenisse/* rsa-sec-decrypt.c RSA decryption, using randomized RSA blinding to be more resistant to side-channel attacks like timing attacks or cache based memory access measurements. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" int rsa_sec_decrypt(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); int res; TMP_GMP_ALLOC (m, mpz_size(pub->n)); TMP_GMP_ALLOC (em, key->size); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, mpz_limbs_read(gibberish), mpz_size(gibberish)); mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); res &= _pkcs1_sec_decrypt (length, message, key->size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } nettle-3.4.1/salsa20-crypt.c0000644000175000017500000000353013401564745014620 0ustar nissenisse/* salsa20-crypt.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "salsa20.h" #include "macros.h" #include "memxor.h" void salsa20_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *c, const uint8_t *m) { if (!length) return; for (;;) { uint32_t x[_SALSA20_INPUT_LENGTH]; _salsa20_core (x, ctx->input, 20); ctx->input[9] += (++ctx->input[8] == 0); /* stopping at 2^70 length per nonce is user's responsibility */ if (length <= SALSA20_BLOCK_SIZE) { memxor3 (c, m, x, length); return; } memxor3 (c, m, x, SALSA20_BLOCK_SIZE); length -= SALSA20_BLOCK_SIZE; c += SALSA20_BLOCK_SIZE; m += SALSA20_BLOCK_SIZE; } } nettle-3.4.1/rsa-sec-compute-root.c0000644000175000017500000001333313401564745016206 0ustar nissenisse/* rsa-sec-compute-root.c Side-channel silent RSA root computation. Copyright (C) 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" #if !NETTLE_USE_MINI_GMP #define MAX(a, b) ((a) > (b) ? (a) : (b)) /* Like mpn_sec_mul_itch, monotonously increasing in operand sizes. */ static mp_size_t sec_mul_itch (mp_size_t an, mp_size_t bn) { if (an >= bn) return mpn_sec_mul_itch (an, bn); else return mpn_sec_mul_itch (bn, an); } /* Writes an + bn limbs to the rp area */ static void sec_mul (mp_limb_t *rp, const mp_limb_t *ap, mp_size_t an, const mp_limb_t *bp, mp_size_t bn, mp_limb_t *scratch) { if (an >= bn) mpn_sec_mul (rp, ap, an, bp, bn, scratch); else mpn_sec_mul (rp, bp, bn, ap, an, scratch); } static mp_size_t sec_mod_mul_itch (mp_size_t an, mp_size_t bn, mp_size_t mn) { mp_size_t mul_itch = sec_mul_itch (an, bn); mp_size_t mod_itch = mpn_sec_div_r_itch (an + bn, mn); return MAX(mul_itch, mod_itch); } /* Sets r <-- a b % m. Needs space for an + bn limbs at rp. It is required than an + bn >= mn. */ static void sec_mod_mul (mp_limb_t *rp, const mp_limb_t *ap, mp_size_t an, const mp_limb_t *bp, mp_size_t bn, const mp_limb_t *mp, mp_size_t mn, mp_limb_t *scratch) { assert (an + bn >= mn); sec_mul (rp, ap, an, bp, bn, scratch); mpn_sec_div_r (rp, an + bn, mp, mn, scratch); } static mp_size_t sec_powm_itch (mp_size_t bn, mp_size_t en, mp_size_t mn) { mp_size_t mod_itch = bn + mpn_sec_div_r_itch (bn, mn); mp_size_t pow_itch = mn + mpn_sec_powm_itch (mn, en * GMP_NUMB_BITS, mn); return MAX (mod_itch, pow_itch); } /* Sets r <-- b ^ e % m. Performs an initial reduction b mod m, and requires bn >= mn. */ static void sec_powm (mp_limb_t *rp, const mp_limb_t *bp, mp_size_t bn, const mp_limb_t *ep, mp_size_t en, const mp_limb_t *mp, mp_size_t mn, mp_limb_t *scratch) { assert (bn >= mn); assert (en <= mn); mpn_copyi (scratch, bp, bn); mpn_sec_div_r (scratch, bn, mp, mn, scratch + bn); mpn_sec_powm (rp, scratch, mn, ep, en * GMP_NUMB_BITS, mp, mn, scratch + mn); } mp_size_t _rsa_sec_compute_root_itch (const struct rsa_private_key *key) { mp_size_t nn = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (key->size); mp_size_t pn = mpz_size (key->p); mp_size_t qn = mpz_size (key->q); mp_size_t an = mpz_size (key->a); mp_size_t bn = mpz_size (key->b); mp_size_t cn = mpz_size (key->c); mp_size_t powm_p_itch = sec_powm_itch (nn, an, pn); mp_size_t powm_q_itch = sec_powm_itch (nn, bn, qn); mp_size_t mod_mul_itch = cn + MAX(pn, qn) + sec_mod_mul_itch (MAX(pn, qn), cn, pn); mp_size_t mul_itch = sec_mul_itch (qn, pn); mp_size_t add_1_itch = mpn_sec_add_1_itch (nn - qn); /* pn + qn for the product q * r_mod_p' */ mp_size_t itch = pn + qn + MAX (mul_itch, add_1_itch); itch = MAX (itch, powm_p_itch); itch = MAX (itch, powm_q_itch); itch = MAX (itch, mod_mul_itch); /* pn + qn for the r_mod_p and r_mod_q temporaries. */ return pn + qn + itch; } void _rsa_sec_compute_root (const struct rsa_private_key *key, mp_limb_t *rp, const mp_limb_t *mp, mp_limb_t *scratch) { mp_size_t nn = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (key->size); /* The common case is pn = qn. This function would be simpler if we * could require that pn >= qn. */ const mp_limb_t *pp = mpz_limbs_read (key->p); const mp_limb_t *qp = mpz_limbs_read (key->q); mp_size_t pn = mpz_size (key->p); mp_size_t qn = mpz_size (key->q); mp_size_t an = mpz_size (key->a); mp_size_t bn = mpz_size (key->b); mp_size_t cn = mpz_size (key->c); mp_limb_t *r_mod_p = scratch; mp_limb_t *r_mod_q = scratch + pn; mp_limb_t *scratch_out = r_mod_q + qn; mp_limb_t cy; assert (pn <= nn); assert (qn <= nn); assert (an <= pn); assert (bn <= qn); assert (cn <= pn); /* Compute r_mod_p = m^d % p = (m%p)^a % p */ sec_powm (r_mod_p, mp, nn, mpz_limbs_read (key->a), an, pp, pn, scratch_out); /* Compute r_mod_q = m^d % q = (m%q)^b % q */ sec_powm (r_mod_q, mp, nn, mpz_limbs_read (key->b), bn, qp, qn, scratch_out); /* Set r_mod_p' = r_mod_p * c % p - r_mod_q * c % p . */ sec_mod_mul (scratch_out, r_mod_p, pn, mpz_limbs_read (key->c), cn, pp, pn, scratch_out + cn + pn); mpn_copyi (r_mod_p, scratch_out, pn); sec_mod_mul (scratch_out, r_mod_q, qn, mpz_limbs_read (key->c), cn, pp, pn, scratch_out + cn + qn); cy = mpn_sub_n (r_mod_p, r_mod_p, scratch_out, pn); cnd_add_n (cy, r_mod_p, pp, pn); /* Finally, compute x = r_mod_q + q r_mod_p' */ sec_mul (scratch_out, qp, qn, r_mod_p, pn, scratch_out + pn + qn); cy = mpn_add_n (rp, scratch_out, r_mod_q, qn); mpn_sec_add_1 (rp + qn, scratch_out + qn, nn - qn, cy, scratch_out + pn + qn); } #endif nettle-3.4.1/dsa-sign.c0000644000175000017500000000463113401564746013725 0ustar nissenisse/* dsa-sign.c The DSA publickey algorithm. Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa.h" #include "bignum.h" int dsa_sign(const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature) { mpz_t k; mpz_t h; mpz_t tmp; int res; /* Check that p is odd, so that invalid keys don't result in a crash inside mpz_powm_sec. */ if (mpz_even_p (params->p)) return 0; /* Select k, 0q); mpz_sub_ui(tmp, tmp, 1); mpz_init(k); nettle_mpz_random(k, random_ctx, random, tmp); mpz_add_ui(k, k, 1); /* Compute r = (g^k (mod p)) (mod q) */ mpz_powm_sec(tmp, params->g, k, params->p); mpz_fdiv_r(signature->r, tmp, params->q); /* Compute hash */ mpz_init(h); _dsa_hash (h, mpz_sizeinbase(params->q, 2), digest_size, digest); /* Compute k^-1 (mod q) */ if (mpz_invert(k, k, params->q)) { /* Compute signature s = k^-1 (h + xr) (mod q) */ mpz_mul(tmp, signature->r, x); mpz_fdiv_r(tmp, tmp, params->q); mpz_add(tmp, tmp, h); mpz_mul(tmp, tmp, k); mpz_fdiv_r(signature->s, tmp, params->q); res = 1; } else /* What do we do now? The key is invalid. */ res = 0; mpz_clear(k); mpz_clear(h); mpz_clear(tmp); return res; } nettle-3.4.1/memxor.c0000644000175000017500000000776413401564745013540 0ustar nissenisse/* memxor.c Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Implementation inspired by memcmp in glibc, contributed to the FSF by Torbjorn Granlund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memxor.h" #include "memxor-internal.h" #define WORD_T_THRESH 16 /* XOR word-aligned areas. n is the number of words, not bytes. */ static void memxor_common_alignment (word_t *dst, const word_t *src, size_t n) { /* FIXME: Require n > 0? */ /* FIXME: Unroll four times, like memcmp? Probably not worth the effort. */ if (n & 1) { n--; dst[n] ^= src[n]; } while (n >= 2) { n -= 2; dst[n+1] ^= src[n+1]; dst[n] ^= src[n]; } } /* XOR *un-aligned* src-area onto aligned dst area. n is number of words, not bytes. Assumes we can read complete words at the start and end of the src operand. */ static void memxor_different_alignment (word_t *dst, const unsigned char *src, size_t n) { int shl, shr; const word_t *src_word; unsigned offset = ALIGN_OFFSET (src); word_t s0, s1; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); src_word = (const word_t *) ((uintptr_t) src & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &src_word[n], offset); #ifdef WORDS_BIGENDIAN s0 <<= shr; /* FIXME: Eliminate this shift? */ #endif /* Do n-1 regular iterations */ if (n & 1) s1 = s0; else { n--; s1 = src_word[n]; dst[n] ^= MERGE (s1, shl, s0, shr); } assert (n & 1); while (n > 2) { n -= 2; s0 = src_word[n+1]; dst[n+1] ^= MERGE(s0, shl, s1, shr); s1 = src_word[n]; /* FIXME: Overread on last iteration */ dst[n] ^= MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, src, sizeof(word_t) - offset); #ifndef WORDS_BIGENDIAN s0 <<= shl; /* FIXME: eliminate shift? */ #endif /* !WORDS_BIGENDIAN */ dst[0] ^= MERGE(s0, shl, s1, shr); } /* Performance, Intel SU1400 (x86_64): 0.25 cycles/byte aligned, 0.45 cycles/byte unaligned. */ /* XOR LEN bytes starting at SRCADDR onto DESTADDR. Result undefined if the source overlaps with the destination. Return DESTADDR. */ void * memxor(void *dst_in, const void *src_in, size_t n) { unsigned char *dst = dst_in; const unsigned char *src = src_in; if (n >= WORD_T_THRESH) { unsigned i; unsigned offset; size_t nwords; /* There are at least some bytes to compare. No need to test for N == 0 in this alignment loop. */ for (i = ALIGN_OFFSET(dst + n); i > 0; i--) { n--; dst[n] ^= src[n]; } offset = ALIGN_OFFSET(src + n); nwords = n / sizeof (word_t); n %= sizeof (word_t); if (offset) memxor_different_alignment ((word_t *) (dst+n), src+n, nwords); else memxor_common_alignment ((word_t *) (dst+n), (const word_t *) (src+n), nwords); } while (n > 0) { n--; dst[n] ^= src[n]; } return dst; } nettle-3.4.1/rsa-keygen.c0000644000175000017500000001140413401564746014261 0ustar nissenisse/* rsa-keygen.c Generation of RSA keypairs Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "rsa.h" #include "bignum.h" #ifndef DEBUG # define DEBUG 0 #endif #if DEBUG # include #endif int rsa_generate_keypair(struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned n_size, unsigned e_size) { mpz_t p1; mpz_t q1; mpz_t phi; mpz_t tmp; if (e_size) { /* We should choose e randomly. Is the size reasonable? */ if ((e_size < 16) || (e_size >= n_size) ) return 0; } else { /* We have a fixed e. Check that it makes sense */ /* It must be odd */ if (!mpz_tstbit(pub->e, 0)) return 0; /* And 3 or larger */ if (mpz_cmp_ui(pub->e, 3) < 0) return 0; /* And size less than n */ if (mpz_sizeinbase(pub->e, 2) >= n_size) return 0; } if (n_size < RSA_MINIMUM_N_BITS) return 0; mpz_init(p1); mpz_init(q1); mpz_init(phi); mpz_init(tmp); /* Generate primes */ for (;;) { /* Generate p, such that gcd(p-1, e) = 1 */ for (;;) { nettle_random_prime(key->p, (n_size+1)/2, 1, random_ctx, random, progress_ctx, progress); mpz_sub_ui(p1, key->p, 1); /* If e was given, we must chose p such that p-1 has no factors in * common with e. */ if (e_size) break; mpz_gcd(tmp, pub->e, p1); if (mpz_cmp_ui(tmp, 1) == 0) break; else if (progress) progress(progress_ctx, 'c'); } if (progress) progress(progress_ctx, '\n'); /* Generate q, such that gcd(q-1, e) = 1 */ for (;;) { nettle_random_prime(key->q, n_size/2, 1, random_ctx, random, progress_ctx, progress); /* Very unlikely. */ if (mpz_cmp (key->q, key->p) == 0) continue; mpz_sub_ui(q1, key->q, 1); /* If e was given, we must chose q such that q-1 has no factors in * common with e. */ if (e_size) break; mpz_gcd(tmp, pub->e, q1); if (mpz_cmp_ui(tmp, 1) == 0) break; else if (progress) progress(progress_ctx, 'c'); } /* Now we have the primes. Is the product of the right size? */ mpz_mul(pub->n, key->p, key->q); assert (mpz_sizeinbase(pub->n, 2) == n_size); if (progress) progress(progress_ctx, '\n'); /* c = q^{-1} (mod p) */ if (mpz_invert(key->c, key->q, key->p)) /* This should succeed everytime. But if it doesn't, * we try again. */ break; else if (progress) progress(progress_ctx, '?'); } mpz_mul(phi, p1, q1); /* If we didn't have a given e, generate one now. */ if (e_size) { int retried = 0; for (;;) { nettle_mpz_random_size(pub->e, random_ctx, random, e_size); /* Make sure it's odd and that the most significant bit is * set */ mpz_setbit(pub->e, 0); mpz_setbit(pub->e, e_size - 1); /* Needs gmp-3, or inverse might be negative. */ if (mpz_invert(key->d, pub->e, phi)) break; if (progress) progress(progress_ctx, 'e'); retried = 1; } if (retried && progress) progress(progress_ctx, '\n'); } else { /* Must always succeed, as we already that e * doesn't have any common factor with p-1 or q-1. */ int res = mpz_invert(key->d, pub->e, phi); assert(res); } /* Done! Almost, we must compute the auxillary private values. */ /* a = d % (p-1) */ mpz_fdiv_r(key->a, key->d, p1); /* b = d % (q-1) */ mpz_fdiv_r(key->b, key->d, q1); /* c was computed earlier */ pub->size = key->size = (n_size + 7) / 8; assert(pub->size >= RSA_MINIMUM_N_OCTETS); mpz_clear(p1); mpz_clear(q1); mpz_clear(phi); mpz_clear(tmp); return 1; } nettle-3.4.1/x86_64/0000755000175000017500000000000013401564746013006 5ustar nissenissenettle-3.4.1/x86_64/aes-decrypt-internal.asm0000644000175000017500000000652613401564746017553 0ustar nissenisseC x86_64/aes-decrypt-internal.asm ifelse(< Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Register usage: C AES state, use two of them define(,<%eax>) define(,<%ebx>) define(,<%ecx>) define(,<%edx>) define(,<%r10d>) define(,<%r11d>) define(,<%r12d>) C Input argument define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(,<%rcx>) define(, <%r8>) define(, <%r9>) define(, <%r13>) define(,<%r14>) define(, <%r15>) C Must correspond to an old-style register, for movzb from %ah--%dh to C work. define(,<%rbp>) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend C save all registers that need to be saved push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 subl $1, XREG(ROUNDS) push ROUNDS C Rounds at (%rsp) mov PARAM_TABLE, TABLE mov PARAM_LENGTH, LENGTH shr $4, LENGTH .Lblock_loop: mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer movl (%rsp), XREG(ROUNDS) add $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SD,SC,SB, TA, TMP) AES_ROUND(TABLE, SB,SA,SD,SC, TB, TMP) AES_ROUND(TABLE, SC,SB,SA,SD, TC, TMP) AES_ROUND(TABLE, SD,SC,SB,SA, SD, TMP) movl TA, SA movl TB, SB movl TC, SC xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD add $16, KEY C point to next key decl XREG(ROUNDS) jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SD,SC,SB, TABLE, TA, TMP) AES_FINAL_ROUND(SB,SA,SD,SC, TABLE, TB, TMP) AES_FINAL_ROUND(SC,SB,SA,SD, TABLE, TC, TMP) AES_FINAL_ROUND(SD,SC,SB,SA, TABLE, SD, TMP) C Inverse S-box substitution mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store decrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST dec LENGTH jnz .Lblock_loop lea 8(%rsp), %rsp C Drop ROUNDS pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_decrypt) nettle-3.4.1/x86_64/ecc-256-redc.asm0000644000175000017500000000466613401564746015503 0ustar nissenisseC x86_64/ecc-256-redc.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-256-redc.asm" define(, <%rsi>) define(, <%rdi>) C Overlaps unused modulo input define(, <%rcx>) define(, <%rax>) define(, <%rdx>) define(, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) define(, <%r12>) define(, <%rbx>) define(, <%rbp>) C FOLD(x), sets (F3,F2,F1,F0) <-- (x << 224) - (x << 128) - (x<<32) define(, < mov $1, F2 mov $1, F3 shl <$>32, F2 shr <$>32, F3 xor F0,F0 xor F1,F1 sub F2, F0 sbb F3, F1 sbb $1, F2 sbb <$>0, F3 >) PROLOGUE(nettle_ecc_256_redc) W64_ENTRY(2, 0) C save all registers that need to be saved push %rbx push %rbp push %r12 mov (RP), U0 FOLD(U0) mov 8(RP), U1 mov 16(RP), U2 mov 24(RP), U3 sub F0, U1 sbb F1, U2 sbb F2, U3 sbb F3, U0 C Add in later FOLD(U1) mov 32(RP), U4 sub F0, U2 sbb F1, U3 sbb F2, U4 sbb F3, U1 FOLD(U2) mov 40(RP), U5 sub F0, U3 sbb F1, U4 sbb F2, U5 sbb F3, U2 FOLD(U3) mov 48(RP), U6 sub F0, U4 sbb F1, U5 sbb F2, U6 sbb F3, U3 add U4, U0 adc U5, U1 adc U6, U2 adc 56(RP), U3 C If carry, we need to add in C 2^256 - p = <0xfffffffe, 0xff..ff, 0xffffffff00000000, 1> sbb F2, F2 mov F2, F0 mov F2, F1 mov XREG(F2), XREG(F3) neg F0 shl $32, F1 and $-2, XREG(F3) add F0, U0 mov U0, (RP) adc F1, U1 mov U1, 8(RP) adc F2, U2 mov U2, 16(RP) adc F3, U3 mov U3, 24(RP) pop %r12 pop %rbp pop %rbx W64_EXIT(2, 0) ret EPILOGUE(nettle_ecc_256_redc) nettle-3.4.1/x86_64/salsa20-crypt.asm0000644000175000017500000001212113401564746016111 0ustar nissenisseC x86_64/salsa20-crypt.asm ifelse(< Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%rcx>) define(, <%r8>) define(, <%r9>) define(, <%xmm0>) define(, <%xmm1>) define(, <%xmm2>) define(, <%xmm3>) define(, <%xmm4>) define(, <%xmm5>) define(, <%xmm6>) define(, <%xmm7>) define(, <%xmm8>) define(, <%rax>) include_src() C Possible improvements: C C Do two blocks (or more) at a time in parallel, to avoid limitations C due to data dependencies. C C Avoid redoing the permutation of the input for each block (all but C the two counter words are constant). Could also keep the input in C registers. .file "salsa20-crypt.asm" C salsa20_crypt(struct salsa20_ctx *ctx, size_t length, C uint8_t *dst, const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_salsa20_crypt) W64_ENTRY(4, 9) test LENGTH, LENGTH jz .Lend C Load mask registers mov $-1, XREG(COUNT) movd XREG(COUNT), M0101 pshufd $0x09, M0101, M0011 C 01 01 00 00 pshufd $0x41, M0101, M0110 C 01 00 00 01 pshufd $0x22, M0101, M0101 C 01 00 01 00 .Lblock_loop: movups (CTX), X0 movups 16(CTX), X1 movups 32(CTX), X2 movups 48(CTX), X3 C On input, each xmm register is one row. We start with C C 0 1 2 3 C K K K C 4 5 6 7 K C I I C 8 9 10 11 B B C K C 12 13 14 15 K K K C C C Diagrams are in little-endian order, with least significant word to C the left. We rotate the columns, to get instead C C 0 5 10 15 C C C C C 4 9 14 3 K B K K C 8 13 2 7 B K K I C 12 1 6 11 K K I K C C The original rows are now diagonals. SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) SWAP(X1, X3, M0110) SWAP(X0, X2, M0011) movl $10, XREG(COUNT) ALIGN(16) .Loop: QROUND(X0, X1, X2, X3) C For the row operations, we first rotate the rows, to get C C 0 5 10 15 C 3 4 9 14 C 2 7 8 13 C 1 6 11 12 C C Now the original rows are turned into into columns. (This C SIMD hack described in djb's papers). pshufd $0x93, X1, X1 C 11 00 01 10 (least sign. left) pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x39, X3, X3 C 01 10 11 00 QROUND(X0, X3, X2, X1) C Inverse rotation of the rows pshufd $0x39, X1, X1 C 01 10 11 00 pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x93, X3, X3 C 11 00 01 10 decl XREG(COUNT) jnz .Loop SWAP(X0, X2, M0011) SWAP(X1, X3, M0110) SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) movups (CTX), T0 movups 16(CTX), T1 paddd T0, X0 paddd T1, X1 movups 32(CTX), T0 movups 48(CTX), T1 paddd T0, X2 paddd T1, X3 C Increment block counter incq 32(CTX) cmp $64, LENGTH jc .Lfinal_xor movups 48(SRC), T1 pxor T1, X3 movups X3, 48(DST) .Lxor3: movups 32(SRC), T0 pxor T0, X2 movups X2, 32(DST) .Lxor2: movups 16(SRC), T1 pxor T1, X1 movups X1, 16(DST) .Lxor1: movups (SRC), T0 pxor T0, X0 movups X0, (DST) lea 64(SRC), SRC lea 64(DST), DST sub $64, LENGTH ja .Lblock_loop .Lend: W64_EXIT(4, 9) ret .Lfinal_xor: cmp $32, LENGTH jz .Lxor2 jc .Llt32 cmp $48, LENGTH jz .Lxor3 jc .Llt48 movaps X3, T0 call .Lpartial jmp .Lxor3 .Llt48: movaps X2, T0 call .Lpartial jmp .Lxor2 .Llt32: cmp $16, LENGTH jz .Lxor1 jc .Llt16 movaps X1, T0 call .Lpartial jmp .Lxor1 .Llt16: movaps X0, T0 call .Lpartial jmp .Lend .Lpartial: mov LENGTH, POS and $-16, POS test $8, LENGTH jz .Llt8 C This "movd" instruction should assemble to C 66 49 0f 7e e0 movq %xmm4,%r8 C Apparently, assemblers treat movd and movq (with the C arguments we use) in the same way, except for osx, which C barfs at movq. movd T0, T64 xor (SRC, POS), T64 mov T64, (DST, POS) lea 8(POS), POS pshufd $0xee, T0, T0 C 10 11 10 11 .Llt8: C And this is also really a movq. movd T0, T64 test $4, LENGTH jz .Llt4 mov XREG(T64), XREG(COUNT) xor (SRC, POS), XREG(COUNT) mov XREG(COUNT), (DST, POS) lea 4(POS), POS shr $32, T64 .Llt4: test $2, LENGTH jz .Llt2 mov WREG(T64), WREG(COUNT) xor (SRC, POS), WREG(COUNT) mov WREG(COUNT), (DST, POS) lea 2(POS), POS shr $16, XREG(T64) .Llt2: test $1, LENGTH jz .Lret xor (SRC, POS), LREG(T64) mov LREG(T64), (DST, POS) .Lret: ret EPILOGUE(nettle_salsa20_crypt) nettle-3.4.1/x86_64/ecc-25519-modp-mul.asm0000644000175000017500000001075413401564746016464 0ustar nissenisseC x86_64/ecc-25519-modp-mul.asm ifelse(< Copyright (C) 2016 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-25519-modp-mul.asm" C Input parameters (curve pointer in %rdi is ignored) define(, <%rsi>) define(, <%rdx> define(, <%rcx> define(, <%rbp>) define(, <%rdi>) define(, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) define(

, <%r12>) define(

, <%r13>) define(, <%r14>) define(, <%r15>) define(, <%rsi>) C Overlaps RP C modp_mul (curve, rp, ap, bp) PROLOGUE(nettle_ecc_25519_modp_mul) W64_ENTRY(4, 0) push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 push RP C Accumulate {H2, R4} = a0 b4 + a1 b3 + a2 b2 + a3 b1 + a4 b0 C {H1, R3} = a0 b3 + a1 b2 + a2 b1 + a3 b0 + 19 a4 b4 C {H0, R2} = a0 b2 + a1 b1 + a2 b0 + 19 (a3 b4 + a4 b3) mov (AP), T mov 32(BP), %rax mul T mov %rax, R4 mov %rdx, H2 mov 24(BP), %rax mul T mov %rax, R3, mov %rdx, H1 mov 16(BP), %rax mul T mov %rax, R2 mov %rdx, H0 mov 8(AP), T mov 24(BP), %rax mul T add %rax, R4 adc %rdx, H2 mov 16(BP), %rax mul T add %rax, R3 adc %rdx, H1 mov 8(BP), %rax mul T add %rax, R2 adc %rdx, H0 mov 16(AP), T mov 16(BP), %rax mul T add %rax, R4 adc %rdx, H2 mov 8(BP), %rax mul T add %rax, R3 adc %rdx, H1 mov (BP), %rax mul T add %rax, R2 adc %rdx, H0 mov 24(AP), A3 mov 8(BP), %rax mul A3 add %rax, R4 adc %rdx, H2 mov (BP), %rax mul A3 imul $19, A3 add %rax, R3 adc %rdx, H1 mov 32(BP), %rax mul A3 add %rax, R2 adc %rdx, H0 mov 32(AP), A4 mov (BP), %rax mul A4 imul $19, a4 add %rax, R4 adc %rdx, H2 mov 32(BP), %rax mul A4 add %rax, R3 adc %rdx, H1 mov 24(BP), %rax mul A4 add %rax, R2 adc %rdx, H0 C Propagate R2, H0 mov R2, T shr $51, T shl $13, H0 or T, H0 add H0, R3 adc $0, H1 C Propagate R3, H1 mov R3, T shr $51, T shl $13, H1 or T, H1 add H1, R4 adc $0, H2 C Propagate R4, H2, and fold into R0 mov R4, R0 shr $51, R0 shl $13, H2 or H2, R0 imul $19, R0 C Accumulate {H1, R1} = a0 b1 + a1 b0 + 19 (a2 b4 + a3 b3 + a4 b2) C {H0, R0} = a0 b0 + 19 (a1 b4 + a2 b3 + a3 b2 + a4 b1) C + folded high part of R4 mov (AP), T mov 8(BP), %rax mul T mov %rax, R1 mov %rdx, H1 mov (BP), %rax mul T xor H0, H0 add %rax, R0 adc %rdx, H0 mov 8(AP), T mov (BP), %rax mul T imul $19, T add %rax, R1 adc %rdx, H1 mov 32(BP), %rax mul T add %rax, R0 adc %rdx, H0 mov 16(AP), T imul $19, T mov 32(BP), %rax mul T add %rax, R1 adc %rdx, H1 mov 24(BP), %rax mul T add %rax, R0 adc %rdx, H0 mov 24(BP), %rax mul A3 add %rax, R1 adc %rdx, H1 mov 16(BP), %rax mul A3 add %rax, R0 adc %rdx, H0 mov 16(BP), %rax mul A4 add %rax, R1 adc %rdx, H1 mov 8(BP), %rax mul A4 add %rax, R0 adc %rdx, H0 C Propagate R0, H0 mov R0, T shr $51, T shl $13, H0 or H0, T add T, R1 adc $0, H1 C Load mask, use H0 mov $0x7ffffffffffff, H0 C Mask out high parts of R2, R3 and R4, already propagated. and H0, R2 and H0, R3 and H0, R4 C Propagate R1, H1 mov R1, T shr $51, T shl $13, H1 or H1, T add T, R2 pop RP C Overlapped T, which is no longer used. C H1 is a larger than 51 bits, so keep propagating. mov R2, H2 shr $51, H2 add H2, R3 C R3 might be slightly above 51 bits. and H0, R0 mov R0, (RP) and H0, R1 mov R1, 8(RP) and H0, R2 mov R2, 16(RP) mov R3, 24(RP) mov r4, 32(RP) pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 0) ret EPILOGUE(nettle_ecc_25519_modp_mul) PROLOGUE(nettle_ecc_25519_modp_sqr) EPILOGUE(nettle_ecc_25519_modp_sqr) nettle-3.4.1/x86_64/md5-compress.asm0000644000175000017500000001351513401564746016033 0ustar nissenisseC x86_64/md5-compress.asm ifelse(< Copyright (C) 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Registers: define(, <%rdi>) define(, <%rsi>) define(,<%rax>) define(,<%rbx>) define(,<%rcx>) define(,<%rbp>) define(, <%r8>) C F1(x,y,z) = (z ^ (x & (y ^ z))) define(, < movl XREG($3), XREG(TMP) xorl XREG($2), XREG(TMP) andl XREG($1), XREG(TMP) xorl XREG($3), XREG(TMP)>) define(,) C F3(x,y,z) = x ^ y ^ z define(,< movl XREG($1), XREG(TMP) xorl XREG($2), XREG(TMP) xorl XREG($3), XREG(TMP)>) C F4(x,y,z) = y ^ (x | ~z) define(,< movl XREG($3), XREG(TMP) notl XREG(TMP) orl XREG($1), XREG(TMP) xorl XREG($2), XREG(TMP)>) C Index to 4*i, or to the empty string if zero define(,) C ROUND(f, w, x, y, z, k, data, s): C w += f(x,y,z) + data + k C w <<< s C w += x define(,< addl <$>$7, XREG($2) $1($3, $4, $5) addl $6, XREG($2) addl XREG(TMP), XREG($2) roll <$>$8, XREG($2) addl XREG($3), XREG($2)>) .file "md5-compress.asm" C _nettle_md5_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) PROLOGUE(_nettle_md5_compress) W64_ENTRY(2,0) C save all registers that need to be saved push %rbp push %rbx C load the state vector movl (STATE), XREG(SA) movl 4(STATE), XREG(SB) movl 8(STATE), XREG(SC) movl 12(STATE), XREG(SD) ROUND(, SA, SB, SC, SD, REF( 0), 0xd76aa478, 7) ROUND(, SD, SA, SB, SC, REF( 1), 0xe8c7b756, 12) ROUND(, SC, SD, SA, SB, REF( 2), 0x242070db, 17) ROUND(, SB, SC, SD, SA, REF( 3), 0xc1bdceee, 22) ROUND(, SA, SB, SC, SD, REF( 4), 0xf57c0faf, 7) ROUND(, SD, SA, SB, SC, REF( 5), 0x4787c62a, 12) ROUND(, SC, SD, SA, SB, REF( 6), 0xa8304613, 17) ROUND(, SB, SC, SD, SA, REF( 7), 0xfd469501, 22) ROUND(, SA, SB, SC, SD, REF( 8), 0x698098d8, 7) ROUND(, SD, SA, SB, SC, REF( 9), 0x8b44f7af, 12) ROUND(, SC, SD, SA, SB, REF(10), 0xffff5bb1, 17) ROUND(, SB, SC, SD, SA, REF(11), 0x895cd7be, 22) ROUND(, SA, SB, SC, SD, REF(12), 0x6b901122, 7) ROUND(, SD, SA, SB, SC, REF(13), 0xfd987193, 12) ROUND(, SC, SD, SA, SB, REF(14), 0xa679438e, 17) ROUND(, SB, SC, SD, SA, REF(15), 0x49b40821, 22) ROUND(, SA, SB, SC, SD, REF( 1), 0xf61e2562, 5) ROUND(, SD, SA, SB, SC, REF( 6), 0xc040b340, 9) ROUND(, SC, SD, SA, SB, REF(11), 0x265e5a51, 14) ROUND(, SB, SC, SD, SA, REF( 0), 0xe9b6c7aa, 20) ROUND(, SA, SB, SC, SD, REF( 5), 0xd62f105d, 5) ROUND(, SD, SA, SB, SC, REF(10), 0x02441453, 9) ROUND(, SC, SD, SA, SB, REF(15), 0xd8a1e681, 14) ROUND(, SB, SC, SD, SA, REF( 4), 0xe7d3fbc8, 20) ROUND(, SA, SB, SC, SD, REF( 9), 0x21e1cde6, 5) ROUND(, SD, SA, SB, SC, REF(14), 0xc33707d6, 9) ROUND(, SC, SD, SA, SB, REF( 3), 0xf4d50d87, 14) ROUND(, SB, SC, SD, SA, REF( 8), 0x455a14ed, 20) ROUND(, SA, SB, SC, SD, REF(13), 0xa9e3e905, 5) ROUND(, SD, SA, SB, SC, REF( 2), 0xfcefa3f8, 9) ROUND(, SC, SD, SA, SB, REF( 7), 0x676f02d9, 14) ROUND(, SB, SC, SD, SA, REF(12), 0x8d2a4c8a, 20) ROUND(, SA, SB, SC, SD, REF( 5), 0xfffa3942, 4) ROUND(, SD, SA, SB, SC, REF( 8), 0x8771f681, 11) ROUND(, SC, SD, SA, SB, REF(11), 0x6d9d6122, 16) ROUND(, SB, SC, SD, SA, REF(14), 0xfde5380c, 23) ROUND(, SA, SB, SC, SD, REF( 1), 0xa4beea44, 4) ROUND(, SD, SA, SB, SC, REF( 4), 0x4bdecfa9, 11) ROUND(, SC, SD, SA, SB, REF( 7), 0xf6bb4b60, 16) ROUND(, SB, SC, SD, SA, REF(10), 0xbebfbc70, 23) ROUND(, SA, SB, SC, SD, REF(13), 0x289b7ec6, 4) ROUND(, SD, SA, SB, SC, REF( 0), 0xeaa127fa, 11) ROUND(, SC, SD, SA, SB, REF( 3), 0xd4ef3085, 16) ROUND(, SB, SC, SD, SA, REF( 6), 0x04881d05, 23) ROUND(, SA, SB, SC, SD, REF( 9), 0xd9d4d039, 4) ROUND(, SD, SA, SB, SC, REF(12), 0xe6db99e5, 11) ROUND(, SC, SD, SA, SB, REF(15), 0x1fa27cf8, 16) ROUND(, SB, SC, SD, SA, REF( 2), 0xc4ac5665, 23) ROUND(, SA, SB, SC, SD, REF( 0), 0xf4292244, 6) ROUND(, SD, SA, SB, SC, REF( 7), 0x432aff97, 10) ROUND(, SC, SD, SA, SB, REF(14), 0xab9423a7, 15) ROUND(, SB, SC, SD, SA, REF( 5), 0xfc93a039, 21) ROUND(, SA, SB, SC, SD, REF(12), 0x655b59c3, 6) ROUND(, SD, SA, SB, SC, REF( 3), 0x8f0ccc92, 10) ROUND(, SC, SD, SA, SB, REF(10), 0xffeff47d, 15) ROUND(, SB, SC, SD, SA, REF( 1), 0x85845dd1, 21) ROUND(, SA, SB, SC, SD, REF( 8), 0x6fa87e4f, 6) ROUND(, SD, SA, SB, SC, REF(15), 0xfe2ce6e0, 10) ROUND(, SC, SD, SA, SB, REF( 6), 0xa3014314, 15) ROUND(, SB, SC, SD, SA, REF(13), 0x4e0811a1, 21) ROUND(, SA, SB, SC, SD, REF( 4), 0xf7537e82, 6) ROUND(, SD, SA, SB, SC, REF(11), 0xbd3af235, 10) ROUND(, SC, SD, SA, SB, REF( 2), 0x2ad7d2bb, 15) ROUND(, SB, SC, SD, SA, REF( 9), 0xeb86d391, 21) C Update the state vector addl XREG(SA), (STATE) addl XREG(SB), 4(STATE) addl XREG(SC), 8(STATE) addl XREG(SD), 12(STATE) pop %rbx pop %rbp W64_EXIT(2,0) ret EPILOGUE(_nettle_md5_compress) nettle-3.4.1/x86_64/gcm-hash8.asm0000644000175000017500000001463013401564746015273 0ustar nissenisseC x86_64/gcm-hash8.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage: define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%rcx>) define(, <%rax>) define(, <%rbx>) define(, <%ebp>) define(, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) define(, <%r12>) define(, <%r13>) .file "gcm-hash8.asm" C void gcm_hash (const struct gcm_key *key, union gcm_block *x, C size_t length, const uint8_t *data) .text ALIGN(16) PROLOGUE(_nettle_gcm_hash8) W64_ENTRY(4, 0) push %rbx push %rbp push %r12 push %r13 sub $16, LENGTH lea .Lshift_table(%rip), SHIFT_TABLE mov (XP), X0 mov 8(XP), X1 jc .Lfinal ALIGN(16) .Lblock_loop: xor (SRC), X0 xor 8(SRC), X1 .Lblock_mul: rol $8, X1 movzbl LREG(X1), XREG(T1) shl $4, T1 mov (KEY, T1), Z0 mov 8(KEY, T1), Z1 C shift Z1, Z0, transforming C +-----------------------+-----------------------+ C |15 14 13 12 11 10 09 08|07 06 05 04 03 02 01 00| C +-----------------------+-----------------------+ C into C +-----------------------+-----------------------+ C |14 13 12 11 10 09 08 07|06 05 04 03 02 01 00 | C +-----------------------+-----------------+-----+ C xor |T[15]| C +-----+ mov $7, CNT ALIGN(16) .Loop_X1: mov Z1, T1 shr $56, T1 shl $8, Z1 mov Z0, T0 shl $8, Z0 shr $56, T0 movzwl (SHIFT_TABLE, T1, 2), XREG(T1) xor T1, Z0 rol $8, X1 movzbl LREG(X1), XREG(T2) shl $4, T2 xor (KEY, T2), Z0 add T0, Z1 xor 8(KEY, T2), Z1 decl CNT jne .Loop_X1 mov $7, CNT ALIGN(16) .Loop_X0: mov Z1, T1 shr $56, T1 shl $8, Z1 mov Z0, T0 shl $8, Z0 shr $56, T0 movzwl (SHIFT_TABLE, T1, 2), XREG(T1) xor T1, Z0 rol $8, X0 movzbl LREG(X0), XREG(T2) shl $4, T2 xor (KEY, T2), Z0 add T0, Z1 xor 8(KEY, T2), Z1 decl CNT jne .Loop_X0 mov Z1, T1 shr $56, T1 shl $8, Z1 mov Z0, T0 shl $8, Z0 shr $56, T0 movzwl (SHIFT_TABLE, T1, 2), XREG(T1) xor T1, Z0 rol $8, X0 movzbl LREG(X0), XREG(T2) shl $4, T2 mov (KEY, T2), X0 xor Z0, X0 add T0, Z1 mov 8(KEY, T2), X1 xor Z1, X1 add $16, SRC sub $16, LENGTH jnc .Lblock_loop .Lfinal: add $16, LENGTH jnz .Lpartial mov X0, (XP) mov X1, 8(XP) pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 0) ret .Lpartial: C Read and xor partial block, then jump back into the loop C with LENGTH == 0. cmp $8, LENGTH jc .Llt8 C 8 <= LENGTH < 16 xor (SRC), X0 add $8, SRC sub $8, LENGTH jz .Lblock_mul call .Lread_bytes xor T0, X1 jmp .Lblock_mul .Llt8: C 0 < LENGTH < 8 call .Lread_bytes xor T0, X0 jmp .Lblock_mul C Read 0 < LENGTH < 8 bytes at SRC, result in T0 .Lread_bytes: xor T0, T0 sub $1, SRC ALIGN(16) .Lread_loop: shl $8, T0 orb (SRC, LENGTH), LREG(T0) .Lread_next: sub $1, LENGTH jnz .Lread_loop ret EPILOGUE(_nettle_gcm_hash8) define(, <0x$2$1>) RODATA ALIGN(2) C NOTE: Sun/Oracle assembler doesn't support ".short". C Using ".value" seems more portable. .Lshift_table: .value W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e) .value W(0e,10),W(0f,d2),W(0d,94),W(0c,56),W(09,18),W(08,da),W(0a,9c),W(0b,5e) .value W(1c,20),W(1d,e2),W(1f,a4),W(1e,66),W(1b,28),W(1a,ea),W(18,ac),W(19,6e) .value W(12,30),W(13,f2),W(11,b4),W(10,76),W(15,38),W(14,fa),W(16,bc),W(17,7e) .value W(38,40),W(39,82),W(3b,c4),W(3a,06),W(3f,48),W(3e,8a),W(3c,cc),W(3d,0e) .value W(36,50),W(37,92),W(35,d4),W(34,16),W(31,58),W(30,9a),W(32,dc),W(33,1e) .value W(24,60),W(25,a2),W(27,e4),W(26,26),W(23,68),W(22,aa),W(20,ec),W(21,2e) .value W(2a,70),W(2b,b2),W(29,f4),W(28,36),W(2d,78),W(2c,ba),W(2e,fc),W(2f,3e) .value W(70,80),W(71,42),W(73,04),W(72,c6),W(77,88),W(76,4a),W(74,0c),W(75,ce) .value W(7e,90),W(7f,52),W(7d,14),W(7c,d6),W(79,98),W(78,5a),W(7a,1c),W(7b,de) .value W(6c,a0),W(6d,62),W(6f,24),W(6e,e6),W(6b,a8),W(6a,6a),W(68,2c),W(69,ee) .value W(62,b0),W(63,72),W(61,34),W(60,f6),W(65,b8),W(64,7a),W(66,3c),W(67,fe) .value W(48,c0),W(49,02),W(4b,44),W(4a,86),W(4f,c8),W(4e,0a),W(4c,4c),W(4d,8e) .value W(46,d0),W(47,12),W(45,54),W(44,96),W(41,d8),W(40,1a),W(42,5c),W(43,9e) .value W(54,e0),W(55,22),W(57,64),W(56,a6),W(53,e8),W(52,2a),W(50,6c),W(51,ae) .value W(5a,f0),W(5b,32),W(59,74),W(58,b6),W(5d,f8),W(5c,3a),W(5e,7c),W(5f,be) .value W(e1,00),W(e0,c2),W(e2,84),W(e3,46),W(e6,08),W(e7,ca),W(e5,8c),W(e4,4e) .value W(ef,10),W(ee,d2),W(ec,94),W(ed,56),W(e8,18),W(e9,da),W(eb,9c),W(ea,5e) .value W(fd,20),W(fc,e2),W(fe,a4),W(ff,66),W(fa,28),W(fb,ea),W(f9,ac),W(f8,6e) .value W(f3,30),W(f2,f2),W(f0,b4),W(f1,76),W(f4,38),W(f5,fa),W(f7,bc),W(f6,7e) .value W(d9,40),W(d8,82),W(da,c4),W(db,06),W(de,48),W(df,8a),W(dd,cc),W(dc,0e) .value W(d7,50),W(d6,92),W(d4,d4),W(d5,16),W(d0,58),W(d1,9a),W(d3,dc),W(d2,1e) .value W(c5,60),W(c4,a2),W(c6,e4),W(c7,26),W(c2,68),W(c3,aa),W(c1,ec),W(c0,2e) .value W(cb,70),W(ca,b2),W(c8,f4),W(c9,36),W(cc,78),W(cd,ba),W(cf,fc),W(ce,3e) .value W(91,80),W(90,42),W(92,04),W(93,c6),W(96,88),W(97,4a),W(95,0c),W(94,ce) .value W(9f,90),W(9e,52),W(9c,14),W(9d,d6),W(98,98),W(99,5a),W(9b,1c),W(9a,de) .value W(8d,a0),W(8c,62),W(8e,24),W(8f,e6),W(8a,a8),W(8b,6a),W(89,2c),W(88,ee) .value W(83,b0),W(82,72),W(80,34),W(81,f6),W(84,b8),W(85,7a),W(87,3c),W(86,fe) .value W(a9,c0),W(a8,02),W(aa,44),W(ab,86),W(ae,c8),W(af,0a),W(ad,4c),W(ac,8e) .value W(a7,d0),W(a6,12),W(a4,54),W(a5,96),W(a0,d8),W(a1,1a),W(a3,5c),W(a2,9e) .value W(b5,e0),W(b4,22),W(b6,64),W(b7,a6),W(b2,e8),W(b3,2a),W(b1,6c),W(b0,ae) .value W(bb,f0),W(ba,32),W(b8,74),W(b9,b6),W(bc,f8),W(bd,3a),W(bf,7c),W(be,be) nettle-3.4.1/x86_64/sha256-compress.asm0000644000175000017500000001115013401564746016347 0ustar nissenisseC x86_64/sha256-compress.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "sha256-compress.asm" define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%eax>) define(, <%ebx>) define(, <%ecx>) define(, <%r8d>) define(, <%r9d>) define(, <%r10d>) define(, <%r11d>) define(, <%r12d>) define(, <%r13d>) define(, <%edi>) C Overlap STATE define(, <%r14>) define(, <%r15d>) define(, < movl OFFSET($1)(%rsp), W movl OFFSET(eval(($1 + 14) % 16))(%rsp), T0 movl T0, T1 shrl <$>10, T0 roll <$>13, T1 xorl T1, T0 roll <$>2, T1 xorl T1, T0 addl T0, W movl OFFSET(eval(($1 + 1) % 16))(%rsp), T0 movl T0, T1 shrl <$>3, T0 roll <$>14, T1 xorl T1, T0 roll <$>11, T1 xorl T1, T0 addl T0, W addl OFFSET(eval(($1 + 9) % 16))(%rsp), W movl W, OFFSET($1)(%rsp) >) C ROUND(A,B,C,D,E,F,G,H,K) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<26 ^ E<<<21 ^ E<<<7 C S0(A) = A<<<30 ^ A<<<19 ^ A<<<10 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(, < movl $5, T0 movl $5, T1 roll <$>7, T0 roll <$>21, T1 xorl T0, T1 roll <$>19, T0 xorl T0, T1 addl W, $8 addl T1, $8 movl $7, T0 xorl $6, T0 andl $5, T0 xorl $7, T0 addl OFFSET($9)(K,COUNT,4), $8 addl T0, $8 addl $8, $4 movl $1, T0 movl $1, T1 roll <$>10, T0 roll <$>19, T1 xorl T0, T1 roll <$>20, T0 xorl T0, T1 addl T1, $8 movl $1, T0 movl $1, T1 andl $2, T0 xorl $2, T1 addl T0, $8 andl $3, T1 addl T1, $8 >) define(, < movl OFFSET($1)(INPUT, COUNT, 4), W bswapl W movl W, OFFSET($1)(%rsp, COUNT, 4) >) C void C _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) .text ALIGN(16) PROLOGUE(_nettle_sha256_compress) W64_ENTRY(3, 0) sub $120, %rsp mov %rbx, 64(%rsp) mov STATE, 72(%rsp) C Save state, to free a register mov %rbp, 80(%rsp) mov %r12, 88(%rsp) mov %r13, 96(%rsp) mov %r14, 104(%rsp) mov %r15, 112(%rsp) movl (STATE), SA movl 4(STATE), SB movl 8(STATE), SC movl 12(STATE), SD movl 16(STATE), SE movl 20(STATE), SF movl 24(STATE), SG movl 28(STATE), SH xor COUNT, COUNT ALIGN(16) .Loop1: NOEXPN(0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) NOEXPN(1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) NOEXPN(2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) NOEXPN(3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) NOEXPN(4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) NOEXPN(5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) NOEXPN(6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) NOEXPN(7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) add $8, COUNT cmp $16, COUNT jne .Loop1 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,14) EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,15) add $16, COUNT cmp $64, COUNT jne .Loop2 mov 72(%rsp), STATE addl SA, (STATE) addl SB, 4(STATE) addl SC, 8(STATE) addl SD, 12(STATE) addl SE, 16(STATE) addl SF, 20(STATE) addl SG, 24(STATE) addl SH, 28(STATE) mov 64(%rsp), %rbx mov 80(%rsp), %rbp mov 88(%rsp), %r12 mov 96(%rsp), %r13 mov 104(%rsp),%r14 mov 112(%rsp),%r15 add $120, %rsp W64_EXIT(3, 0) ret EPILOGUE(_nettle_sha256_compress) nettle-3.4.1/x86_64/ecc-192-modp.asm0000644000175000017500000000356313401564746015517 0ustar nissenisseC x86_64/ecc-192-modp.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-192-modp.asm" define(, <%rsi>) define(, <%rdi>) C Overlaps unused modulo input define(, <%rcx>) define(, <%rdx>) define(, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text ALIGN(16) PROLOGUE(nettle_ecc_192_modp) W64_ENTRY(2, 0) mov 16(RP), T2 mov 24(RP), T3 mov 40(RP), H xor C1, C1 xor C2, C2 add H, T2 adc H, T3 C Carry to be added in at T1 and T2 setc LREG(C2) mov 8(RP), T1 mov 32(RP), H adc H, T1 adc H, T2 C Carry to be added in at T0 and T1 setc LREG(C1) mov (RP), T0 adc T3, T0 adc T3, T1 adc $0, C2 C Add in C1 and C2 add C1, T1 adc C2, T2 setc LREG(C1) C Fold final carry. adc $0, T0 adc C1, T1 adc $0, T2 mov T0, (RP) mov T1, 8(RP) mov T2, 16(RP) W64_EXIT(2, 0) ret EPILOGUE(nettle_ecc_192_modp) nettle-3.4.1/x86_64/aes.m40000644000175000017500000000552413401564746014026 0ustar nissenissednl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. define(,)dnl define(,) define(,)dnl dnl AES_LOAD(a, b, c, d, src, key) dnl Loads the next block of data from src, and add the subkey pointed dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(, < movl ($5),$1 movl 4($5),$2 movl 8($5),$3 movl 12($5),$4 xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 xorl 12($6),$4>)dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(, < xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 xorl 12($5),$4 movl $1,($6) movl $2,4($6) movl $3,8($6) movl $4,12($6)>)dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. define(, < movzb LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzb HREG($3), XREG($7) xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,XREG($7) shr <$>16,$7 and <$>0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,XREG($7) shr <$>24,$7 xorl AES_TABLE3 ($1, $7, 4),$6>)dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. Leaves result in $6. Also dnl performs the first substitution step, on the least significant dnl byte, and rotates 8 bits. define(, < movzb LREG($1),$7 movzbl ($5, $7), $6 movl $2,XREG($7) andl <$>0x0000ff00,XREG($7) orl XREG($7), $6 movl $3,XREG($7) andl <$>0x00ff0000,XREG($7) orl XREG($7), $6 movl $4,XREG($7) andl <$>0xff000000,XREG($7) orl XREG($7), $6 roll <$>8, $6>)dnl dnl AES_SUBST_BYTE(A, B, C, D, table, tmp) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. dnl Uses that AES_SBOX == 0 define(, < movzb LREG($1),$6 movb ($5, $6),LREG($1) roll <$>8,$1 movzb LREG($2),$6 movb ($5, $6),LREG($2) roll <$>8,$2 movzb LREG($3),$6 movb ($5, $6),LREG($3) roll <$>8,$3 movzb LREG($4),$6 movb ($5, $6),LREG($4) roll <$>8,$4>)dnl nettle-3.4.1/x86_64/machine.m40000644000175000017500000000725613401564746014666 0ustar nissenisseC OFFSET(i) C Expands to 4*i, or to the empty string if i is zero define(, ) C OFFSET64(i) C Expands to 8*i, or to the empty string if i is zero define(, ) dnl LREG(reg) gives the 8-bit register corresponding to the given 64-bit register. define(,)dnl define(,)dnl define(,)dnl define(,)dnl dnl W64_ENTRY(nargs, xmm_used) define(, < changequote([,])dnl ifelse(<<<<<<<<<<<<<<<<<< ignored; only for balancing) ifelse(W64_ABI,yes,[ dnl unconditionally push %rdi, making %rsp 16-byte aligned push %rdi dnl Save %xmm6, ..., if needed ifelse(eval($2 > 6), 1, [ sub [$]eval(16*($2 - 6)), %rsp movdqa %xmm6, 0(%rsp) ]) ifelse(eval($2 > 7), 1, [ movdqa %xmm7, 16(%rsp) ]) ifelse(eval($2 > 8), 1, [ movdqa %xmm8, 32(%rsp) ]) ifelse(eval($2 > 9), 1, [ movdqa %xmm9, 48(%rsp) ]) ifelse(eval($2 > 10), 1, [ movdqa %xmm10, 64(%rsp) ]) ifelse(eval($2 > 11), 1, [ movdqa %xmm11, 80(%rsp) ]) ifelse(eval($2 > 12), 1, [ movdqa %xmm12, 96(%rsp) ]) ifelse(eval($2 > 13), 1, [ movdqa %xmm13, 112(%rsp) ]) ifelse(eval($2 > 14), 1, [ movdqa %xmm14, 128(%rsp) ]) ifelse(eval($2 > 15), 1, [ movdqa %xmm15, 144(%rsp) ]) dnl Move around arguments ifelse(eval($1 >= 1), 1, [ mov %rcx, %rdi ]) ifelse(eval($1 >= 2), 1, [ dnl NOTE: Breaks 16-byte %rsp alignment push %rsi mov %rdx, %rsi ]) ifelse(eval($1 >= 3), 1, [ mov %r8, %rdx ]) ifelse(eval($1 >= 4), 1, [ mov %r9, %rcx ]) ifelse(eval($1 >= 5), 1, [ mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+56),56)(%rsp), %r8 ]) ifelse(eval($1 >= 6), 1, [ mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+64),64)(%rsp), %r9 ]) ]) changequote(<,>)dnl >) dnl W64_EXIT(nargs, xmm_used) define(, < changequote([,])dnl ifelse(<<<<<<<<<<< ignored; only for balancing) ifelse(W64_ABI,yes,[ ifelse(eval($1 >= 2), 1, [ pop %rsi ]) ifelse(eval($2 > 15), 1, [ movdqa 144(%rsp), %xmm15 ]) ifelse(eval($2 > 14), 1, [ movdqa 128(%rsp), %xmm14 ]) ifelse(eval($2 > 13), 1, [ movdqa 112(%rsp), %xmm13 ]) ifelse(eval($2 > 12), 1, [ movdqa 96(%rsp), %xmm12 ]) ifelse(eval($2 > 11), 1, [ movdqa 80(%rsp), %xmm11 ]) ifelse(eval($2 > 10), 1, [ movdqa 64(%rsp), %xmm10 ]) ifelse(eval($2 > 9), 1, [ movdqa 48(%rsp), %xmm9 ]) ifelse(eval($2 > 8), 1, [ movdqa 32(%rsp), %xmm8 ]) ifelse(eval($2 > 7), 1, [ movdqa 16(%rsp), %xmm7 ]) ifelse(eval($2 > 6), 1, [ movdqa (%rsp), %xmm6 add [$]eval(16*($2 - 6)), %rsp ]) pop %rdi ]) changequote(<,>)dnl >) nettle-3.4.1/x86_64/camellia-crypt-internal.asm0000644000175000017500000000777713401564746020252 0ustar nissenisseC x86_64/camellia-crypt-internal.asm ifelse(< Copyright (C) 2010, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Performance, cycles per block C C Intel SU4100 C C asm C Camellia-128 415 347 C Camellia-256 543 461 C Register usage: define(, <%rdi>) define(, <%rsi>) define(

, <%rdx>) define(, <%rcx>) define(, <%r8>) define(, <%r9>) C Camellia state define(, <%rax>) define(, <%rbx>) C callee-save define(, <%r13>) C callee-save define(, <%rbp>) C callee-save define(, <%r10>) define(, <%r11>) define(, <%r12>) C callee-save define(, <(TABLE,$1,4)>) define(, <1024(TABLE,$1,4)>) define(, <2048(TABLE,$1,4)>) define(, <3072(TABLE,$1,4)>) C ROUND(x, y, key-offset) define(, < C Byte 0,1 movzbl LREG($1), XREG(TMP) movl SP1110(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP4404(TMP), XREG(IR) ror <$>32, $1 C Byte 4,5 movzbl LREG($1), XREG(TMP) movl SP4404(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IL) rol <$>16, $1 C Byte 2,3 movzbl LREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IR) ror <$>32, $1 C Byte 6,7 movzbl LREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP1110(TMP), XREG(IL) ror <$>16, $1 C 76543210 xorl XREG(IL), XREG(IR) rorl <$>8, XREG(IL) xorl XREG(IR), XREG(IL) shl <$>32, IR or IL, IR xor $3(KEY), $2 xor IR, $2 >) C FL(x, key-offset) define(, < mov $1, TMP shr <$>32, TMP andl $2 + 4(KEY), XREG(TMP) roll <$>1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) shl <$>32, TMP xor TMP, $1 >) C FLINV(x0, key-offset) define(, < movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) shl <$>32, TMP xor TMP, $1 mov $1, TMP shr <$>32, TMP andl $2 + 4(KEY), XREG(TMP) roll <$>1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 >) .file "camellia-crypt-internal.asm" C _camellia_crypt(unsigned nkeys, const uint64_t *keys, C const struct camellia_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_camellia_crypt) W64_ENTRY(6, 0) test LENGTH, LENGTH jz .Lend push %rbx push %rbp push %r12 push %r13 sub $8, NKEYS .Lblock_loop: C Load data, note that we'll happily do unaligned loads mov (SRC), I0 bswap I0 mov 8(SRC), I1 bswap I1 add $16, SRC mov XREG(NKEYS), XREG(CNT) mov KEYS, KEY C Whitening using first subkey xor (KEY), I0 add $8, KEY ROUND(I0, I1, 0) ROUND(I1, I0, 8) ROUND(I0, I1, 16) ROUND(I1, I0, 24) ROUND(I0, I1, 32) ROUND(I1, I0, 40) .Lround_loop: add $64, KEY FL(I0, -16) FLINV(I1, -8) ROUND(I0, I1, 0) ROUND(I1, I0, 8) ROUND(I0, I1, 16) ROUND(I1, I0, 24) ROUND(I0, I1, 32) ROUND(I1, I0, 40) sub $8, CNT ja .Lround_loop bswap I0 mov I0, 8(DST) xor 48(KEY), I1 bswap I1 mov I1, (DST) add $16, DST sub $16, LENGTH ja .Lblock_loop pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_camellia_crypt) nettle-3.4.1/x86_64/sha1-compress.asm0000644000175000017500000001732713401564746016207 0ustar nissenisseC x86_64/sha1-compress.asm ifelse(< Copyright (C) 2004, 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage. KVALUE and INPUT share a register. define(,<%eax>)dnl define(,<%r8d>)dnl define(,<%ecx>)dnl define(,<%edx>)dnl define(,<%r9d>)dnl define(,<%rsp>)dnl define(,<%r10d>)dnl define(,<%r11d>)dnl define(, <%esi>)dnl C Arguments define(,<%rdi>)dnl define(,<%rsi>)dnl C Constants define(, <<$>0x5A827999>)dnl C Rounds 0-19 define(, <<$>0x6ED9EBA1>)dnl C Rounds 20-39 define(, <<$>0x8F1BBCDC>)dnl C Rounds 40-59 define(, <<$>0xCA62C1D6>)dnl C Rounds 60-79 C Reads the input into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) define(, < movl OFFSET($1)(INPUT), $2 bswap $2 movl $2, OFFSET($1) (DATA) >)dnl C The f functions, C C f1(x,y,z) = z ^ (x & (y ^ z)) C f2(x,y,z) = x ^ y ^ z C f3(x,y,z) = (x & y) | (z & (x | y)) C = (x & (y ^ z)) + (y & z) C f4 = f2 C This form for f3 was suggested by George Spelvin. The terms can be C added into the result one at a time, saving one temporary. C expand(i) is the expansion function C C W[i] = (W[i - 16] ^ W[i - 14] ^ W[i - 8] ^ W[i - 3]) <<< 1 C C where W[i] is stored in DATA[i mod 16]. C The form of one sha1 round is C C a' = e + a <<< 5 + f( b, c, d ) + k + w; C b' = a; C c' = b <<< 30; C d' = c; C e' = d; C C where <<< denotes rotation. We permute our variables, so that we C instead get C C e += a <<< 5 + f( b, c, d ) + k + w; C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) define(, < movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll <$>1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 andl $2, T2 xorl $4, T2 roll <$>30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 roll <$>5, T1 addl T1, $5 addl T2, $5 >) dnl ROUND_F1_NOEXP(a, b, c, d, e, i) define(, < movl $4, T2 xorl $3, T2 movl $1, T1 andl $2, T2 addl OFFSET($6) (DATA), $5 xorl $4, T2 addl T2, $5 roll <$>30, $2 roll <$>5, T1 addl T1, $5 addl KVALUE, $5 >) dnl ROUND_F2(a, b, c, d, e, i) define(, < movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll <$>1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 xorl $2, T2 roll <$>30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 roll <$>5, T1 addl T1, $5 addl T2, $5 >) dnl ROUND_F3(a, b, c, d, e, i) define(, < movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll <$>1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 andl $3, T2 addl T1, $5 addl KVALUE, $5 movl $4, T1 xorl $3, T1 andl $2, T1 addl T2, $5 roll <$>30, $2 movl $1, T2 roll <$>5, T2 addl T1, $5 addl T2, $5 >) .file "sha1-compress.asm" C _nettle_sha1_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) PROLOGUE(_nettle_sha1_compress) C save all registers that need to be saved W64_ENTRY(2, 0) sub $64, %rsp C %rsp = W C Load and byteswap data SWAP( 0, SA) SWAP( 1, SB) SWAP( 2, SC) SWAP( 3, SD) SWAP( 4, SA) SWAP( 5, SB) SWAP( 6, SC) SWAP( 7, SD) SWAP( 8, SA) SWAP( 9, SB) SWAP(10, SC) SWAP(11, SD) SWAP(12, SA) SWAP(13, SB) SWAP(14, SC) SWAP(15, SD) C Load the state vector movl (STATE), SA movl 4(STATE), SB movl 8(STATE), SC movl 12(STATE), SD movl 16(STATE), SE movl K1VALUE, KVALUE ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 0) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 1) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 2) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 3) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 4) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 5) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 6) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 7) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 8) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 9) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 10) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 11) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 12) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 13) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 14) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 15) ROUND_F1(SE, SA, SB, SC, SD, 16) ROUND_F1(SD, SE, SA, SB, SC, 17) ROUND_F1(SC, SD, SE, SA, SB, 18) ROUND_F1(SB, SC, SD, SE, SA, 19) movl K2VALUE, KVALUE ROUND_F2(SA, SB, SC, SD, SE, 20) ROUND_F2(SE, SA, SB, SC, SD, 21) ROUND_F2(SD, SE, SA, SB, SC, 22) ROUND_F2(SC, SD, SE, SA, SB, 23) ROUND_F2(SB, SC, SD, SE, SA, 24) ROUND_F2(SA, SB, SC, SD, SE, 25) ROUND_F2(SE, SA, SB, SC, SD, 26) ROUND_F2(SD, SE, SA, SB, SC, 27) ROUND_F2(SC, SD, SE, SA, SB, 28) ROUND_F2(SB, SC, SD, SE, SA, 29) ROUND_F2(SA, SB, SC, SD, SE, 30) ROUND_F2(SE, SA, SB, SC, SD, 31) ROUND_F2(SD, SE, SA, SB, SC, 32) ROUND_F2(SC, SD, SE, SA, SB, 33) ROUND_F2(SB, SC, SD, SE, SA, 34) ROUND_F2(SA, SB, SC, SD, SE, 35) ROUND_F2(SE, SA, SB, SC, SD, 36) ROUND_F2(SD, SE, SA, SB, SC, 37) ROUND_F2(SC, SD, SE, SA, SB, 38) ROUND_F2(SB, SC, SD, SE, SA, 39) movl K3VALUE, KVALUE ROUND_F3(SA, SB, SC, SD, SE, 40) ROUND_F3(SE, SA, SB, SC, SD, 41) ROUND_F3(SD, SE, SA, SB, SC, 42) ROUND_F3(SC, SD, SE, SA, SB, 43) ROUND_F3(SB, SC, SD, SE, SA, 44) ROUND_F3(SA, SB, SC, SD, SE, 45) ROUND_F3(SE, SA, SB, SC, SD, 46) ROUND_F3(SD, SE, SA, SB, SC, 47) ROUND_F3(SC, SD, SE, SA, SB, 48) ROUND_F3(SB, SC, SD, SE, SA, 49) ROUND_F3(SA, SB, SC, SD, SE, 50) ROUND_F3(SE, SA, SB, SC, SD, 51) ROUND_F3(SD, SE, SA, SB, SC, 52) ROUND_F3(SC, SD, SE, SA, SB, 53) ROUND_F3(SB, SC, SD, SE, SA, 54) ROUND_F3(SA, SB, SC, SD, SE, 55) ROUND_F3(SE, SA, SB, SC, SD, 56) ROUND_F3(SD, SE, SA, SB, SC, 57) ROUND_F3(SC, SD, SE, SA, SB, 58) ROUND_F3(SB, SC, SD, SE, SA, 59) movl K4VALUE, KVALUE ROUND_F2(SA, SB, SC, SD, SE, 60) ROUND_F2(SE, SA, SB, SC, SD, 61) ROUND_F2(SD, SE, SA, SB, SC, 62) ROUND_F2(SC, SD, SE, SA, SB, 63) ROUND_F2(SB, SC, SD, SE, SA, 64) ROUND_F2(SA, SB, SC, SD, SE, 65) ROUND_F2(SE, SA, SB, SC, SD, 66) ROUND_F2(SD, SE, SA, SB, SC, 67) ROUND_F2(SC, SD, SE, SA, SB, 68) ROUND_F2(SB, SC, SD, SE, SA, 69) ROUND_F2(SA, SB, SC, SD, SE, 70) ROUND_F2(SE, SA, SB, SC, SD, 71) ROUND_F2(SD, SE, SA, SB, SC, 72) ROUND_F2(SC, SD, SE, SA, SB, 73) ROUND_F2(SB, SC, SD, SE, SA, 74) ROUND_F2(SA, SB, SC, SD, SE, 75) ROUND_F2(SE, SA, SB, SC, SD, 76) ROUND_F2(SD, SE, SA, SB, SC, 77) ROUND_F2(SC, SD, SE, SA, SB, 78) ROUND_F2(SB, SC, SD, SE, SA, 79) C Update the state vector addl SA, (STATE) addl SB, 4(STATE) addl SC, 8(STATE) addl SD, 12(STATE) addl SE, 16(STATE) add $64, %rsp W64_EXIT(2, 0) ret EPILOGUE(_nettle_sha1_compress) nettle-3.4.1/x86_64/aesni/0000755000175000017500000000000013401564746014105 5ustar nissenissenettle-3.4.1/x86_64/aesni/aes-decrypt-internal.asm0000644000175000017500000000460513401564746020646 0ustar nissenisseC x86_64/aesni/aes-decrypt-internal.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Input argument define(, <%rdi>) define(, <%rsi>) C define(
, <%rdx>) C Unused here define(,<%rcx>) define(, <%r8>) define(, <%r9>) C Round counter define(, <%rdx>) C Subkey pointer define(, <%rax>) dnl aesdec %xmm1, %xmm0 define(, <.byte 0x66, 0x0f, 0x38, 0xde, 0xc1>) dnl aesdeclast %xmm1, %xmm0 define(, <.byte 0x66, 0x0f, 0x38, 0xdf, 0xc1>) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) W64_ENTRY(6, 2) shr $4, LENGTH test LENGTH, LENGTH jz .Lend decl XREG(ROUNDS) .Lblock_loop: mov ROUNDS, CNT mov KEYS, KEY movups (SRC), %xmm0 C FIXME: Better alignment of subkeys, so we can use movaps. movups (KEY), %xmm1 pxor %xmm1, %xmm0 C FIXME: Could use some unrolling. Also all subkeys fit in C registers, so they could be loaded once (on W64 we would C need to save and restore some xmm registers, though). .Lround_loop: add $16, KEY movups (KEY), %xmm1 AESDEC C %xmm1, %xmm0 decl XREG(CNT) jnz .Lround_loop movups 16(KEY), %xmm1 AESDECLAST C %xmm1, %xmm0 movups %xmm0, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(6, 2) ret EPILOGUE(_nettle_aes_decrypt) nettle-3.4.1/x86_64/aesni/aes-encrypt-internal.asm0000644000175000017500000000460613401564746020661 0ustar nissenisseC x86_64/aesni/aes-encrypt-internal.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Input argument define(, <%rdi>) define(, <%rsi>) C define(
, <%rdx>) C Unused here define(,<%rcx>) define(, <%r8>) define(, <%r9>) C Round counter define(, <%rdx>) C Subkey pointer define(, <%rax>) dnl aesenc %xmm1, %xmm0 define(, <.byte 0x66, 0x0f, 0x38, 0xdc, 0xc1>) dnl aesenclast %xmm1, %xmm0 define(, <.byte 0x66, 0x0f, 0x38, 0xdd, 0xc1>) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) W64_ENTRY(6, 2) shr $4, LENGTH test LENGTH, LENGTH jz .Lend decl XREG(ROUNDS) .Lblock_loop: mov ROUNDS, CNT mov KEYS, KEY movups (SRC), %xmm0 C FIXME: Better alignment of subkeys, so we can use movaps. movups (KEY), %xmm1 pxor %xmm1, %xmm0 C FIXME: Could use some unrolling. Also all subkeys fit in C registers, so they could be loaded once (on W64 we would C need to save and restore some xmm registers, though). .Lround_loop: add $16, KEY movups (KEY), %xmm1 AESENC C %xmm1, %xmm0 decl XREG(CNT) jnz .Lround_loop movups 16(KEY), %xmm1 AESENCLAST C %xmm1, %xmm0 movups %xmm0, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(6, 2) ret EPILOGUE(_nettle_aes_encrypt) nettle-3.4.1/x86_64/serpent.m40000644000175000017500000000462013401564746014732 0ustar nissenisseC x86_64/serpent.m4 ifelse(< Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C WROL(count, w) define(, < movdqa $2, T0 pslld <$>$1, $2 psrld <$>eval(32 - $1), T0 por T0, $2 >) C Note: Diagrams use little-endian representation, with least C significant word to the left. C Transpose values from: C +----+----+----+----+ C x0: | a0 | a1 | a2 | a3 | C x1: | b0 | b1 | b2 | b3 | C x2: | c0 | c1 | c2 | c3 | C x3: | d0 | d1 | d2 | d3 | C +----+----+----+----+ C To: C +----+----+----+----+ C x0: | a0 | b0 | c0 | d0 | C x1: | a1 | b1 | c1 | d1 | C x2: | a2 | b2 | c2 | d2 | C x3: | a3 | b3 | c3 | d3 | C +----+----+----+----+ define(, < movdqa $1, T0 punpcklqdq $3, T0 C |a0 a1 c0 c1| punpckhqdq $3, $1 C |a2 a3 c2 c3| pshufd <$>0xd8, T0, T0 C |a0 c0 a1 c1| pshufd <$>0xd8, $1, T1 C |a2 c2 a3 c3| movdqa $2, T2 punpcklqdq $4, T2 C |b0 b1 d0 11| punpckhqdq $4, $2 C |b2 b3 d2 d3| pshufd <$>0xd8, T2, T2 C |b0 d0 b1 d1| pshufd <$>0xd8, $2, T3 C |b2 d2 b3 d3| movdqa T0, $1 punpckldq T2, $1 C |a0 b0 c0 d0| movdqa T0, $2 punpckhdq T2, $2 C |a1 b1 c1 d1| movdqa T1, $3 punpckldq T3, $3 C |a2 b2 c2 d2| movdqa T1, $4 punpckhdq T3, $4 C |a3 b3 c3 d3| >) C FIXME: Arrange 16-byte alignment, so we can use movaps? define(, < movups $1(CTX, CNT), T0 pshufd <$>0x55, T0, T1 pshufd <$>0xaa, T0, T2 pxor T1, $3 pxor T2, $4 pshufd <$>0xff, T0, T1 pshufd <$>0x00, T0, T0 pxor T1, $5 pxor T0, $2 >) nettle-3.4.1/x86_64/memxor3.asm0000644000175000017500000001157413401564746015112 0ustar nissenisseC x86_64/memxor3.asm ifelse(< Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage: define(, <%rax>) C Originally in %rdi define(, <%rsi>) define(, <%rdx>) define(, <%r10>) define(, <%r8>) define(, <%r9>) define(, <%rdi>) define(, <%r11>) define(, <%rdi>) C Overlaps with CNT define(, ) .file "memxor3.asm" .text C memxor3(void *dst, const void *a, const void *b, size_t n) C %rdi %rsi %rdx %rcx ALIGN(16) PROLOGUE(nettle_memxor3) W64_ENTRY(4, 0) C %cl needed for shift count, so move away N mov %rcx, N .Lmemxor3_entry: test N, N C Get number of unaligned bytes at the end C %rdi is used as CNT, %rax as DST and as return value mov %rdi, %rax jz .Ldone add N, CNT and $7, CNT jz .Laligned cmp $8, N jc .Lfinal_next C FIXME: Instead of this loop, could try cmov with memory C destination, as a sequence of one 8-bit, one 16-bit and one C 32-bit operations. (Except that cmov can't do 8-bit ops, so C that step has to use a conditional). .Lalign_loop: sub $1, N movb (AP, N), LREG(TMP) xorb (BP, N), LREG(TMP) movb LREG(TMP), (DST, N) sub $1, CNT jnz .Lalign_loop .Laligned: ifelse(USE_SSE2, yes, < cmp $16, N jnc .Lsse2_case >) C Check for the case that AP and BP have the same alignment, C but different from DST. mov AP, TMP sub BP, TMP test $7, TMP jnz .Lno_shift_case mov AP, %rcx sub DST, %rcx and $7, %rcx jz .Lno_shift_case sub %rcx, AP sub %rcx, BP shl $3, %rcx C Unrolling, with aligned values alternating in S0 and S1 test $8, N jnz .Lshift_odd mov (AP, N), S1 xor (BP, N), S1 jmp .Lshift_next .Lshift_odd: mov -8(AP, N), S1 mov (AP, N), S0 xor -8(BP, N), S1 xor (BP, N), S0 mov S1, TMP shr %cl, TMP neg %cl shl %cl, S0 neg %cl or S0, TMP mov TMP, -8(DST, N) sub $8, N jz .Ldone jmp .Lshift_next ALIGN(16) .Lshift_loop: mov 8(AP, N), S0 xor 8(BP, N), S0 mov S0, TMP shr %cl, TMP neg %cl shl %cl, S1 neg %cl or S1, TMP mov TMP, 8(DST, N) mov (AP, N), S1 xor (BP, N), S1 mov S1, TMP shr %cl, TMP neg %cl shl %cl, S0 neg %cl or S0, TMP mov TMP, (DST, N) .Lshift_next: sub $16, N C FIXME: Handle the case N == 16 specially, C like in the non-shifted case? C ja .Lshift_loop C jz .Ldone jnc .Lshift_loop add $15, N jnc .Ldone shr $3, %rcx add %rcx, AP add %rcx, BP jmp .Lfinal_loop .Lno_shift_case: C Next destination word is -8(DST, N) C Setup for unrolling test $8, N jz .Lword_next sub $8, N jz .Lone_word mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) jmp .Lword_next ALIGN(16) .Lword_loop: mov 8(AP, N), TMP mov (AP, N), TMP2 xor 8(BP, N), TMP xor (BP, N), TMP2 mov TMP, 8(DST, N) mov TMP2, (DST, N) .Lword_next: sub $16, N ja .Lword_loop C Not zero and no carry jnz .Lfinal C Final operation is word aligned mov 8(AP, N), TMP xor 8(BP, N), TMP mov TMP, 8(DST, N) .Lone_word: mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret .Lfinal: add $15, N .Lfinal_loop: movb (AP, N), LREG(TMP) xorb (BP, N), LREG(TMP) movb LREG(TMP), (DST, N) .Lfinal_next: sub $1, N jnc .Lfinal_loop .Ldone: C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret ifelse(USE_SSE2, yes, < .Lsse2_case: lea (DST, N), TMP test $8, TMP jz .Lsse2_next sub $8, N mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) jmp .Lsse2_next ALIGN(16) .Lsse2_loop: movdqu (AP, N), %xmm0 movdqu (BP, N), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST, N) .Lsse2_next: sub $16, N ja .Lsse2_loop C FIXME: See if we can do a full word first, before the C byte-wise final loop. jnz .Lfinal C Final operation is aligned movdqu (AP), %xmm0 movdqu (BP), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST) C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret >) EPILOGUE(nettle_memxor3) nettle-3.4.1/x86_64/umac-nh-n.asm0000644000175000017500000001253713401564746015303 0ustar nissenisseC x86_64/umac-nh-n.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%rcx>) define(, <%r8>) define(, <%xmm0>) define(, <%xmm1>) define(, <%xmm2>) define(, <%xmm3>) define(, <%xmm4>) define(, <%xmm5>) define(, <%xmm6>) define(, <%xmm7>) define(, <%xmm8>) define(, <%xmm9>) define(, <%xmm10>) define(, <%xmm11>) define(, <%xmm12>) define(, <%xmm13>) C Copy [0,1,2,3] to [1,1,3,3] define(, 0xf5,>) C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. .file "umac-nh-n.asm" C umac_nh_n(uint64_t *out, unsigned n, const uint32_t *key, C unsigned length, const uint8_t *msg) .text ALIGN(16) PROLOGUE(_nettle_umac_nh_n) W64_ENTRY(5, 14) pxor XY0, XY0 cmp $3, ITERS jc .Lnh2 je .Lnh3 .Lnh4: movups (KEY), XK0 movups 16(KEY), XT2 movups 32(KEY), XK2 lea 48(KEY), KEY C Leave XK2 untouched, and put permuted keys in XK0, XK1, XT2, XT3 movaps XK0, XT0 movaps XK0, XK1 punpcklqdq XT2, XK0 C [0,1,4,5] punpckhqdq XT2, XK1 C [2,3,6,7] movaps XT2, XT3 punpcklqdq XK2, XT2 C [4,5, 8, 9] punpckhqdq XK2, XT3 C [6,7,10,11] movaps XY0, XY1 .Loop4: movups (MSG), XT0 movups 16(MSG), XT1 pshufd $0xee, XT1, XM3 C [6,7,6,7] pshufd $0x44, XT1, XM2 C [4,5,4,5] pshufd $0xee, XT0, XM1 C [2,3,2,3] pshufd $0x44, XT0, XM0 C [0,1,0,1] paddd XM0, XK0 paddd XM1, XK1 paddd XM2, XT2 paddd XM3, XT3 HI2LO XK0, XT0 HI2LO XT2, XT1 pmuludq XK0, XT2 pmuludq XT0, XT1 paddq XT2, XY0 paddq XT1, XY0 HI2LO XK1, XT0 HI2LO XT3, XT1 pmuludq XK1, XT3 pmuludq XT0, XT1 paddq XT3, XY0 paddq XT1, XY0 movaps XK2, XK0 movaps XK2, XK1 movups (KEY), XT2 movups 16(KEY), XK2 punpcklqdq XT2, XK0 C [ 8, 9,12,13] punpckhqdq XT2, XK1 C [10,11,14,15] movaps XT2, XT3 punpcklqdq XK2, XT2 C [12,13,16,17] punpckhqdq XK2, XT3 C [14,15,18,19] paddd XK0, XM0 paddd XK1, XM1 paddd XT2, XM2 paddd XT3, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY1 paddq XT1, XY1 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY1 paddq XT1, XY1 subl $32, XREG(LENGTH) lea 32(MSG), MSG lea 32(KEY), KEY ja .Loop4 movups XY0, (OUT) movups XY1, 16(OUT) W64_EXIT(5, 14) ret .Lnh3: movups (KEY), XK0 movups 16(KEY), XK1 movaps XY0, XY1 .Loop3: lea 32(KEY), KEY movups (MSG), XT0 movups 16(MSG), XT1 movups (KEY), XK2 movups 16(KEY), XK3 pshufd $0xee, XT1, XM3 C [6,7,6,7] pshufd $0x44, XT1, XM2 C [4,5,4,5] pshufd $0xee, XT0, XM1 C [2,3,2,3] pshufd $0x44, XT0, XM0 C [0,1,0,1] C Iteration 2 paddd XK2, XT0 paddd XK3, XT1 HI2LO XT0, XT2 HI2LO XT1, XT3 pmuludq XT0, XT1 pmuludq XT2, XT3 paddq XT1, XY1 paddq XT3, XY1 C Iteration 0,1 movaps XK0, XT0 punpcklqdq XK1, XK0 C [0,1,4,5] punpckhqdq XK1, XT0 C [2,3,6,7] paddd XK0, XM0 paddd XT0, XM1 movaps XK2, XK0 movaps XK1, XT0 punpcklqdq XK2, XK1 C [4,5,8,9] punpckhqdq XK2, XT0 C [6,7,10,11] paddd XK1, XM2 paddd XT0, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY0 paddq XT1, XY0 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY0 paddq XT1, XY0 subl $32, XREG(LENGTH) lea 32(MSG), MSG movaps XK2, XK0 movaps XK3, XK1 ja .Loop3 pshufd $0xe, XY1, XT0 paddq XT0, XY1 movups XY0, (OUT) movlpd XY1, 16(OUT) W64_EXIT(5, 14) ret .Lnh2: C Explode message as [0,1,0,1] [2,3,2,3] [4,5,4,5] [6,7, 6, 7] C Interleave keys as [0,1,4,5] [2,3,6,7] [4,5,8,9] [7,8,10,11] movups (KEY), XK0 lea 16(KEY), KEY .Loop2: movups (MSG), XM0 movups 16(MSG), XM1 pshufd $0xee, XM1, XM3 C [6,7,6,7] pshufd $0x44, XM1, XM2 C [4,5,4,5] pshufd $0xee, XM0, XM1 C [2,3,2,3] pshufd $0x44, XM0, XM0 C [0,1,0,1] movups (KEY), XK1 movups 16(KEY), XK2 movaps XK0, XT0 punpcklqdq XK1, XK0 C [0,1,4,5] punpckhqdq XK1, XT0 C [2,3,6,7] paddd XK0, XM0 paddd XT0, XM1 movaps XK2, XK0 movaps XK1, XT0 punpcklqdq XK2, XK1 C [4,5,8,9] punpckhqdq XK2, XT0 C [6,7,10,11] paddd XK1, XM2 paddd XT0, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY0 paddq XT1, XY0 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY0 paddq XT1, XY0 subl $32, XREG(LENGTH) lea 32(MSG), MSG lea 32(KEY), KEY ja .Loop2 movups XY0, (OUT) .Lend: W64_EXIT(5, 14) ret EPILOGUE(_nettle_umac_nh_n) nettle-3.4.1/x86_64/sha3-permute.asm0000644000175000017500000002465013401564746016034 0ustar nissenisseC x86_64/sha3-permute.asm ifelse(< Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <%rdi>) C 25 64-bit values, 200 bytes. define(, <%r8>) C Avoid clobbering %rsi, for W64. define(, <%rax>) define(, <%xmm0>) define(, <%xmm1>) define(, <%rcx>) define(, <%xmm2>) define(, <%xmm3>) define(, <%rdx>) define(, <%xmm4>) define(, <%xmm5>) define(, <%rbp>) define(, <%xmm6>) define(, <%xmm7>) define(, <%r9>) define(, <%xmm8>) define(, <%xmm9>) define(, <%r10>) define(, <%xmm10>) define(, <%xmm11>) define(, <%r11>) define(, <%xmm12>) define(, <%xmm13>) C Wide temporaries define(, <%xmm14>) define(, <%xmm15>) define(, <%xmm12>) C Overlap D12 define(, <%xmm13>) C Overlap D34 define(, <%r12>) define(, <%r13>) define(, <%r11>) C Overlap D0 define(, <%r10>) C Overlap C0 define(, <%r14>) define(, ) define(, ) define(, 0x4e,>) define(, ) C MOVQ(src, dst), for moves between a general register and an xmm C register. ifelse(DIRECT_MOVQ, yes, < C movq calls that are equal to the corresponding movd, C where the Apple assembler requires them to be written as movd. define(, ) >, < C Moving via (cached) memory is generally faster. define(, < movq $1, (CTX) movq (CTX), $2 >)>) C ROTL64(rot, register, temp) C Caller needs to or together the result. define(, < movdqa $2, $3 psllq <$>$1, $2 psrlq <$>eval(64-$1), $3 >) .file "sha3-permute.asm" C sha3_permute(struct sha3_state *ctx) .text ALIGN(16) PROLOGUE(nettle_sha3_permute) W64_ENTRY(1, 16) push %rbp push %r12 push %r13 push %r14 movl $24, XREG(COUNT) lea .rc-8(%rip), RC movq STATE(0), A00 movups STATE(1), A0102 movups STATE(3), A0304 movq A00, C0 movq STATE(5), A05 movdqa A0102, C12 movups STATE(6), A0607 movdqa A0304, C34 movups STATE(8), A0809 xorq A05, C0 movq STATE(10), A10 pxor A0607, C12 movups STATE(11), A1112 pxor A0809, C34 movups STATE(13), A1314 xorq A10, C0 movq STATE(15), A15 pxor A1112, C12 movups STATE(16), A1617 pxor A1314, C34 movups STATE(18), A1819 xorq A15, C0 movq STATE(20), A20 pxor A1617, C12 movups STATE(21), A2122 pxor A1819, C34 movups STATE(23), A2324 xorq A20, C0 pxor A2122, C12 pxor A2324, C34 ALIGN(16) .Loop: C The theta step. Combine parity bits, then xor to state. C D0 = C4 ^ (C1 <<< 1) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) C Shift the words around, putting (C0, C1) in D12, (C2, C3) in C D34, and (C4, C0) in C34. C Notes on "unpack" instructions: C punpckhqdq 01, 23 gives 31 C punpcklqdq 01, 23 gives 20 SWAP64 C34, C34 C Holds C4, C3 movdqa C12, D34 MOVQ(C0, D12) punpcklqdq C12, D12 C Holds C0, C1 punpckhqdq C34, D34 C Holds C2, C3 punpcklqdq D12, C34 C Holds C4, C0 MOVQ(C34, D0) MOVQ(C12, T0) rolq $1, T0 xorq T0, D0 C Can use C12 as temporary movdqa D34, W0 movdqa D34, W1 psllq $1, W0 psrlq $63, W1 pxor W0, D12 pxor W1, D12 C Done D12 movdqa C34, C12 psrlq $63, C34 psllq $1, C12 pxor C34, D34 pxor C12, D34 C Done D34 xorq D0, A00 xorq D0, A05 xorq D0, A10 xorq D0, A15 xorq D0, A20 pxor D12, A0102 pxor D12, A0607 pxor D12, A1112 pxor D12, A1617 pxor D12, A2122 pxor D34, A0304 pxor D34, A0809 pxor D34, A1314 pxor D34, A1819 pxor D34, A2324 C theta step done, no C, D or W temporaries alive. C rho and pi steps. When doing the permutations, also C transpose the matrix. C The combined permutation + transpose gives the following C cycles (rotation counts in parenthesis) C 0 <- 0(0) C 1 <- 3(28) <- 4(27) <- 2(62) <- 1(1) C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C Do the 1,2,3,4 row. First rotate, then permute. movdqa A0102, W0 movdqa A0102, W1 movdqa A0102, W2 psllq $1, A0102 psrlq $63, W0 psllq $62, W1 por A0102, W0 C rotl 1 (A01) psrlq $2, W2 por W1, W2 C rotl 62 (A02) movdqa A0304, A0102 movdqa A0304, W1 psllq $28, A0102 psrlq $36, W1 por W1, A0102 C rotl 28 (A03) movdqa A0304, W1 psllq $27, A0304 psrlq $37, W1 por W1, A0304 C rotl 27 (A04) punpcklqdq W0, A0102 punpckhqdq W2, A0304 C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C __ _______ C _ L' ` L_ __` C |5| |6|7| |8|9| C `-_________-^`-^ rolq $36, A05 MOVQ(A05, W0) MOVQ(A0607, A05) rolq $44, A05 C Done A05 ROTL64(6, A0607, W1) por A0607, W1 movdqa A0809, A0607 ROTL64(20, A0607, W2) por W2, A0607 punpckhqdq W1, A0607 C Done A0607 ROTL64(55, A0809, W1) por A0809, W1 movdqa W0, A0809 punpcklqdq W1, A0809 C Done 0809 C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C _____ ___ C __L' __`_L_ `_____ C |10| |11|12| |13|14| C `-___-^`-______-^ C rolq $42, A10 C 42 + 25 = 3 (mod 64) SWAP64 A1112, W0 MOVQ(A10, A1112) MOVQ(W0, A10) rolq $43, A10 C Done A10 punpcklqdq A1314, A1112 ROTL64(25, A1112, W1) por W1, A1112 C Done A1112 ROTL64(39, A1314, W2) por A1314, W2 ROTL64(10, W0, A1314) por W0, A1314 punpckhqdq W2, A1314 C Done A1314 C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C _____________ C / _______ C _L' ____L' | `_ C |15| |16|17| |18|19| C \ `_____-^ ^ C \_________________/ SWAP64 A1819, W0 rolq $41, A15 MOVQ(A15, W1) MOVQ(A1819, A15) rolq $21, A15 C Done A15 SWAP64 A1617, A1819 ROTL64(45, A1617, W2) por W2, A1617 ROTL64(8, W0, W3) por W3, W0 punpcklqdq W0, A1617 C Done A1617 ROTL64(15, A1819, W2) por W2, A1819 punpcklqdq W1, A1819 C Done A1819 C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C _______________ C / \ C _L' _L'\_ ___`_ C |20| |21|22| |23|24| C \ `__ ^________-^ C \_______/ rolq $18, A20 MOVQ(A20, W0) SWAP64 A2324, W1 movd W1, A20 rolq $14, A20 C Done A20 ROTL64(56, A2324, W1) por W1, A2324 movdqa A2122, W2 ROTL64(2, W2, W1) por W1, W2 punpcklqdq W2, A2324 C Done A2324 ROTL64(61, A2122, W1) por W1, A2122 psrldq $8, A2122 punpcklqdq W0, A2122 C Done A2122 C chi step. With the transposed matrix, applied independently C to each column. movq A05, T0 notq T0 andq A10, T0 movq A10, T1 notq T1 andq A15, T1 movq A15, T2 notq T2 andq A20, T2 xorq T2, A10 movq A20, T3 notq T3 andq A00, T3 xorq T3, A15 movq A00, T2 notq T2 andq A05, T2 xorq T2, A20 xorq T0, A00 xorq T1, A05 movdqa A0607, W0 pandn A1112, W0 movdqa A1112, W1 pandn A1617, W1 movdqa A1617, W2 pandn A2122, W2 pxor W2, A1112 movdqa A2122, W3 pandn A0102, W3 pxor W3, A1617 movdqa A0102, W2 pandn A0607, W2 pxor W2, A2122 pxor W0, A0102 pxor W1, A0607 movdqa A0809, W0 pandn A1314, W0 movdqa A1314, W1 pandn A1819, W1 movdqa A1819, W2 pandn A2324, W2 pxor W2, A1314 movdqa A2324, W3 pandn A0304, W3 pxor W3, A1819 movdqa A0304, W2 pandn A0809, W2 pxor W2, A2324 pxor W0, A0304 pxor W1, A0809 xorq (RC, COUNT, 8), A00 C Transpose. C Swap (A05, A10) <-> A0102, and (A15, A20) <-> A0304, C and also copy to C12 and C34 while at it. MOVQ(A05, C12) MOVQ(A15, C34) MOVQ(A10, W0) MOVQ(A20, W1) movq A00, C0 punpcklqdq W0, C12 punpcklqdq W1, C34 MOVQ(A0102, A05) MOVQ(A0304, A15) psrldq $8, A0102 psrldq $8, A0304 xorq A05, C0 xorq A15, C0 MOVQ(A0102, A10) MOVQ(A0304, A20) movdqa C12, A0102 movdqa C34, A0304 C Transpose (A0607, A1112) movdqa A0607, W0 punpcklqdq A1112, A0607 xorq A10, C0 xorq A20, C0 punpckhqdq W0, A1112 SWAP64 A1112, A1112 C Transpose (A1819, A2324) movdqa A1819, W0 punpcklqdq A2324, A1819 pxor A0607, C12 pxor A1112, C12 punpckhqdq W0, A2324 SWAP64 A2324, A2324 C Transpose (A0809, A1314) and (A1617, A2122), and swap movdqa A0809, W0 movdqa A1314, W1 movdqa A1617, A0809 movdqa A2122, A1314 pxor A1819, C34 pxor A2324, C34 punpcklqdq A2122, A0809 punpckhqdq A1617, A1314 SWAP64 A1314, A1314 movdqa W0, A1617 movdqa W1, A2122 pxor A0809, C34 pxor A1314, C34 punpcklqdq W1, A1617 punpckhqdq W0, A2122 SWAP64 A2122, A2122 decl XREG(COUNT) pxor A1617, C12 pxor A2122, C12 jnz .Loop movq A00, STATE(0) movups A0102, STATE(1) movups A0304, STATE(3) movq A05, STATE(5) movups A0607, STATE(6) movups A0809, STATE(8) movq A10, STATE(10) movups A1112, STATE(11) movups A1314, STATE(13) movq A15, STATE(15) movups A1617, STATE(16) movups A1819, STATE(18) movq A20, STATE(20) movups A2122, STATE(21) movups A2324, STATE(23) pop %r14 pop %r13 pop %r12 pop %rbp W64_EXIT(1, 16) ret EPILOGUE(nettle_sha3_permute) ALIGN(16) .rc: C In reverse order .quad 0x8000000080008008 .quad 0x0000000080000001 .quad 0x8000000000008080 .quad 0x8000000080008081 .quad 0x800000008000000A .quad 0x000000000000800A .quad 0x8000000000000080 .quad 0x8000000000008002 .quad 0x8000000000008003 .quad 0x8000000000008089 .quad 0x800000000000008B .quad 0x000000008000808B .quad 0x000000008000000A .quad 0x0000000080008009 .quad 0x0000000000000088 .quad 0x000000000000008A .quad 0x8000000000008009 .quad 0x8000000080008081 .quad 0x0000000080000001 .quad 0x000000000000808B .quad 0x8000000080008000 .quad 0x800000000000808A .quad 0x0000000000008082 .quad 0x0000000000000001 nettle-3.4.1/x86_64/ecc-384-modp.asm0000644000175000017500000000767213401564746015527 0ustar nissenisseC x86_64/ecc-384-modp.asm ifelse(< Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-384-modp.asm" define(, <%rsi>) define(, <%rax>) define(, <%rbx>) define(, <%rcx>) define(, <%rdx>) define(, <%rbp>) define(, <%rdi>) define(, <%r8>) define(, <%r9>) define(

, <%r10>) define(

, <%r11>) define(

, <%r12>) define(

, <%r13>) define(

, <%r14>) define(, <%r15>) define(, H5) C Overlap define(, RP) C Overlap PROLOGUE(nettle_ecc_384_modp) W64_ENTRY(2, 0) push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 C First get top 2 limbs, which need folding twice. C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. C We handle the terms as follow: C C B^6: Folded immediatly. C C B^4: Delayed, added in in the next folding. C C 2^32(B-1) B^4: Low half limb delayed until the next C folding. Top 1.5 limbs subtracted and shifter now, resulting C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added C in. mov 80(RP), H4 mov 88(RP), H5 C Shift right 32 bits, into H1, H0 mov H4, H0 mov H5, H1 mov H5, D5 shr $32, H1 shl $32, D5 shr $32, H0 or D5, H0 C H1 H0 C - H1 H0 C -------- C H1 H0 D5 mov H0, D5 neg D5 sbb H1, H0 sbb $0, H1 xor C2, C2 add H4, H0 adc H5, H1 adc $0, C2 C Add in to high part add 48(RP), H0 adc 56(RP), H1 adc $0, C2 C Do C2 later C +1 term mov (RP), T0 add H0, T0 mov 8(RP), T1 adc H1, T1 mov 16(RP), T2 mov 64(RP), H2 adc H2, T2 mov 24(RP), T3 mov 72(RP), H3 adc H3, T3 mov 32(RP), T4 adc H4, T4 mov 40(RP), T5 adc H5, T5 sbb C0, C0 neg C0 C FIXME: Switch sign of C0? push RP C +B^2 term add H0, T2 adc H1, T3 adc H2, T4 adc H3, T5 adc $0, C0 C Shift left, including low half of H4 mov H3, TMP shl $32, H4 shr $32, TMP or TMP, H4 mov H2, TMP shl $32, H3 shr $32, TMP or TMP, H3 mov H1, TMP shl $32, H2 shr $32, TMP or TMP, H2 mov H0, TMP shl $32, H1 shr $32, TMP or TMP, H1 shl $32, H0 C H4 H3 H2 H1 H0 0 C - H4 H3 H2 H1 H0 C --------------- C H4 H3 H2 H1 H0 TMP mov H0, TMP neg TMP sbb H1, H0 sbb H2, H1 sbb H3, H2 sbb H4, H3 sbb $0, H4 add TMP, T0 adc H0, T1 adc H1, T2 adc H2, T3 adc H3, T4 adc H4, T5 adc $0, C0 C Remains to add in C2 and C0 C Set H1, H0 = (2^96 - 2^32 + 1) C0 mov C0, H0 mov C0, H1 shl $32, H1 sub H1, H0 sbb $0, H1 C Set H3, H2 = (2^96 - 2^32 + 1) C2 mov C2, H2 mov C2, H3 shl $32, H3 sub H3, H2 sbb $0, H3 add C0, H2 C No carry. Could use lea trick xor C0, C0 add H0, T0 adc H1, T1 adc H2, T2 adc H3, T3 adc C2, T4 adc D5, T5 C Value delayed from initial folding adc $0, C0 C Use sbb and switch sign? C Final unlikely carry mov C0, H0 mov C0, H1 shl $32, H1 sub H1, H0 sbb $0, H1 pop RP add H0, T0 mov T0, (RP) adc H1, T1 mov T1, 8(RP) adc C0, T2 mov T2, 16(RP) adc $0, T3 mov T3, 24(RP) adc $0, T4 mov T4, 32(RP) adc $0, T5 mov T5, 40(RP) pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(2, 0) ret EPILOGUE(nettle_ecc_384_modp) nettle-3.4.1/x86_64/salsa20-core-internal.asm0000644000175000017500000000507413401564746017523 0ustar nissenisseC x86_64/salsa20-core-internal.asm ifelse(< Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%xmm0>) define(, <%xmm1>) define(, <%xmm2>) define(, <%xmm3>) define(, <%xmm4>) define(, <%xmm5>) define(, <%xmm6>) define(, <%xmm7>) define(, <%xmm8>) include_src() C _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_salsa20_core) W64_ENTRY(3, 9) C Load mask registers mov $-1, %eax movd %eax, M0101 pshufd $0x09, M0101, M0011 C 01 01 00 00 pshufd $0x41, M0101, M0110 C 01 00 00 01 pshufd $0x22, M0101, M0101 C 01 00 01 00 movups (SRC), X0 movups 16(SRC), X1 movups 32(SRC), X2 movups 48(SRC), X3 C The original rows are now diagonals. SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) SWAP(X1, X3, M0110) SWAP(X0, X2, M0011) shrl $1, XREG(COUNT) ALIGN(16) .Loop: QROUND(X0, X1, X2, X3) pshufd $0x93, X1, X1 C 11 00 01 10 (least sign. left) pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x39, X3, X3 C 01 10 11 00 QROUND(X0, X3, X2, X1) C Inverse rotation of the rows pshufd $0x39, X1, X1 C 01 10 11 00 pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x93, X3, X3 C 11 00 01 10 decl XREG(COUNT) jnz .Loop SWAP(X0, X2, M0011) SWAP(X1, X3, M0110) SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) movups (SRC), T0 movups 16(SRC), T1 paddd T0, X0 paddd T1, X1 movups X0,(DST) movups X1,16(DST) movups 32(SRC), T0 movups 48(SRC), T1 paddd T0, X2 paddd T1, X3 movups X2,32(DST) movups X3,48(DST) W64_EXIT(3, 9) ret EPILOGUE(_nettle_salsa20_core) nettle-3.4.1/x86_64/fat/0000755000175000017500000000000013401564746013560 5ustar nissenissenettle-3.4.1/x86_64/fat/aes-encrypt-internal-2.asm0000644000175000017500000000216613401564746020472 0ustar nissenisseC x86_64/fat/aes-encrypt-internal-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_aesni>) include_src() nettle-3.4.1/x86_64/fat/aes-decrypt-internal.asm0000644000175000017500000000215713401564746020321 0ustar nissenisseC x86_64/fat/aes-decrypt-internal.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_x86_64>) include_src() nettle-3.4.1/x86_64/fat/aes-decrypt-internal-2.asm0000644000175000017500000000216613401564746020460 0ustar nissenisseC x86_64/fat/aes-decrypt-internal-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_aesni>) include_src() nettle-3.4.1/x86_64/fat/cpuid.asm0000644000175000017500000000256013401564746015371 0ustar nissenisseC x86_64/fat/cpuid.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Input argument C cpuid input: %edi C output pointer: %rsi .file "cpuid.asm" C void _nettle_cpuid(uint32_t in, uint32_t *out) .text ALIGN(16) PROLOGUE(_nettle_cpuid) W64_ENTRY(2) push %rbx movl %edi, %eax cpuid mov %eax, (%rsi) mov %ebx, 4(%rsi) mov %ecx, 8(%rsi) mov %edx, 12(%rsi) pop %rbx W64_EXIT(2) ret EPILOGUE(_nettle_cpuid) nettle-3.4.1/x86_64/fat/aes-encrypt-internal.asm0000644000175000017500000000215713401564746020333 0ustar nissenisseC x86_64/fat/aes-encrypt-internal.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_x86_64>) include_src() nettle-3.4.1/x86_64/fat/memxor-2.asm0000644000175000017500000000215713401564746015735 0ustar nissenisseC x86_64/fat/memxor-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <_$1_sse2>) define(, ) include_src() nettle-3.4.1/x86_64/fat/memxor.asm0000644000175000017500000000212413401564746015570 0ustar nissenisseC x86_64/fat/memxor.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <_$1_x86_64>) include_src() nettle-3.4.1/x86_64/aes-encrypt-internal.asm0000644000175000017500000000651713401564746017565 0ustar nissenisseC x86_64/aes-encrypt-internal.asm ifelse(< Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Register usage: C AES state, use two of them define(,<%eax>) define(,<%ebx>) define(,<%ecx>) define(,<%edx>) define(,<%r10d>) define(,<%r11d>) define(,<%r12d>) C Input argument define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(,<%rcx>) define(, <%r8>) define(, <%r9>) define(
, <%r13>) define(,<%r14>) define(, <%r15>) C Must correspond to an old-style register, for movzb from %ah--%dh to C work. define(,<%rbp>) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend C save all registers that need to be saved push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 subl $1, XREG(ROUNDS) push ROUNDS C Rounds at (%rsp) mov PARAM_TABLE, TABLE mov PARAM_LENGTH, LENGTH shr $4, LENGTH .Lblock_loop: mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer movl (%rsp), XREG(ROUNDS) add $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SB,SC,SD, TA, TMP) AES_ROUND(TABLE, SB,SC,SD,SA, TB, TMP) AES_ROUND(TABLE, SC,SD,SA,SB, TC, TMP) AES_ROUND(TABLE, SD,SA,SB,SC, SD, TMP) movl TA, SA movl TB, SB movl TC, SC xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD add $16, KEY C point to next key decl XREG(ROUNDS) jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SB,SC,SD, TABLE, TA, TMP) AES_FINAL_ROUND(SB,SC,SD,SA, TABLE, TB, TMP) AES_FINAL_ROUND(SC,SD,SA,SB, TABLE, TC, TMP) AES_FINAL_ROUND(SD,SA,SB,SC, TABLE, SD, TMP) C S-box substitution mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store encrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST dec LENGTH jnz .Lblock_loop lea 8(%rsp), %rsp C Drop ROUNDS pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_encrypt) nettle-3.4.1/x86_64/sha512-compress.asm0000644000175000017500000001107013401564746016343 0ustar nissenisseC x86_64/sha512-compress.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "sha512-compress.asm" define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%rax>) define(, <%rbx>) define(, <%rcx>) define(, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) define(, <%r12>) define(, <%r13>) define(, <%rdi>) C Overlap STATE define(, <%r14>) define(, <%r15>) define(, < mov OFFSET64($1)(%rsp), W mov OFFSET64(eval(($1 + 14) % 16))(%rsp), T0 mov T0, T1 shr <$>6, T0 rol <$>3, T1 xor T1, T0 rol <$>42, T1 xor T1, T0 add T0, W mov OFFSET64(eval(($1 + 1) % 16))(%rsp), T0 mov T0, T1 shr <$>7, T0 rol <$>56, T1 xor T1, T0 rol <$>7, T1 xor T1, T0 add T0, W add OFFSET64(eval(($1 + 9) % 16))(%rsp), W mov W, OFFSET64($1)(%rsp) >) C ROUND(A,B,C,D,E,F,G,H,K) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<50 ^ E<<<46 ^ E<<<23 C S0(A) = A<<<36 ^ A<<<30 ^ A<<<25 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(, < mov $5, T0 mov $5, T1 rol <$>23, T0 rol <$>46, T1 xor T0, T1 rol <$>27, T0 xor T0, T1 add W, $8 add T1, $8 mov $7, T0 xor $6, T0 and $5, T0 xor $7, T0 add OFFSET64($9)(K,COUNT,8), $8 add T0, $8 add $8, $4 mov $1, T0 mov $1, T1 rol <$>25, T0 rol <$>30, T1 xor T0, T1 rol <$>11, T0 xor T0, T1 add T1, $8 mov $1, T0 mov $1, T1 and $2, T0 xor $2, T1 add T0, $8 and $3, T1 add T1, $8 >) define(, < mov OFFSET64($1)(INPUT, COUNT, 8), W bswap W mov W, OFFSET64($1)(%rsp, COUNT, 8) >) C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) .text ALIGN(16) PROLOGUE(_nettle_sha512_compress) W64_ENTRY(3, 0) sub $184, %rsp mov %rbx, 128(%rsp) mov STATE, 136(%rsp) C Save state, to free a register mov %rbp, 144(%rsp) mov %r12, 152(%rsp) mov %r13, 160(%rsp) mov %r14, 168(%rsp) mov %r15, 176(%rsp) mov (STATE), SA mov 8(STATE), SB mov 16(STATE), SC mov 24(STATE), SD mov 32(STATE), SE mov 40(STATE), SF mov 48(STATE), SG mov 56(STATE), SH xor COUNT, COUNT ALIGN(16) .Loop1: NOEXPN(0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) NOEXPN(1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) NOEXPN(2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) NOEXPN(3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) NOEXPN(4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) NOEXPN(5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) NOEXPN(6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) NOEXPN(7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) add $8, COUNT cmp $16, COUNT jne .Loop1 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,14) EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,15) add $16, COUNT cmp $80, COUNT jne .Loop2 mov 136(%rsp), STATE add SA, (STATE) add SB, 8(STATE) add SC, 16(STATE) add SD, 24(STATE) add SE, 32(STATE) add SF, 40(STATE) add SG, 48(STATE) add SH, 56(STATE) mov 128(%rsp), %rbx mov 144(%rsp), %rbp mov 152(%rsp), %r12 mov 160(%rsp), %r13 mov 168(%rsp),%r14 mov 176(%rsp),%r15 add $184, %rsp W64_EXIT(3, 0) ret EPILOGUE(_nettle_sha512_compress) nettle-3.4.1/x86_64/chacha-core-internal.asm0000644000175000017500000000502013401564746017454 0ustar nissenisseC x86_64/chacha-core-internal.asm ifelse(< Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%xmm0>) define(, <%xmm1>) define(, <%xmm2>) define(, <%xmm3>) define(, <%xmm4>) define(, <%xmm5>) define(, ) C ROTL_BY_16(REG, TMP) ifelse(USE_PSHUFW, , < define(, < pshufhw <$>0xb1, $1, $1 pshuflw <$>0xb1, $1, $1 >)>, < define(, < pslld <$>16, $1 psrld <$>16, $2 por $2, $1 >) >) C QROUND define(, < paddd X1, X0 pxor X0, X3 movaps X3, T0 ROTL_BY_16(X3, T0) paddd X3, X2 pxor X2, X1 movaps X1, T0 pslld <$>12, X1 psrld <$>20, T0 por T0, X1 paddd X1, X0 pxor X0, X3 movaps X3, T0 pslld <$>8, X3 psrld <$>24, T0 por T0, X3 paddd X3, X2 pxor X2, X1 movaps X1, T0 pslld <$>7, X1 psrld <$>25, T0 por T0, X1 >) C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_chacha_core) W64_ENTRY(3, 6) movups (SRC), X0 movups 16(SRC), X1 movups 32(SRC), X2 movups 48(SRC), X3 shrl $1, XREG(COUNT) ALIGN(16) .Loop: QROUND(X0, X1, X2, X3) pshufd $0x39, X1, X1 pshufd $0x4e, X2, X2 pshufd $0x93, X3, X3 QROUND(X0, X1, X2, X3) pshufd $0x93, X1, X1 pshufd $0x4e, X2, X2 pshufd $0x39, X3, X3 decl XREG(COUNT) jnz .Loop movups (SRC), T0 movups 16(SRC), T1 paddd T0, X0 paddd T1, X1 movups X0,(DST) movups X1,16(DST) movups 32(SRC), T0 movups 48(SRC), T1 paddd T0, X2 paddd T1, X3 movups X2,32(DST) movups X3,48(DST) W64_EXIT(3, 6) ret EPILOGUE(_nettle_chacha_core) nettle-3.4.1/x86_64/ecc-224-modp.asm0000644000175000017500000000516213401564746015510 0ustar nissenisseC x86_64/ecc-224-modp.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-224-modp.asm" GMP_NUMB_BITS(64) define(, <%rsi>) define(, <%rdi>) C Overlaps unused modulo input define(, <%rcx>) define(, <%rax>) define(

, <%rdx>) define(

, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) PROLOGUE(nettle_ecc_224_modp) W64_ENTRY(2, 0) mov 48(RP), H0 mov 56(RP), H1 C Set (F2,F1,F0) <-- (H1,H0) << 32 mov H0, F0 mov H0, F1 shl $32, F0 shr $32, F1 mov H1, F2 mov H1, T0 shl $32, T0 shr $32, F2 or T0, F1 xor H2, H2 mov 16(RP), T0 mov 24(RP), T1 sub F0, T0 sbb F1, T1 sbb F2, H0 sbb $0, H1 C No further borrow adc 32(RP), H0 adc 40(RP), H1 adc $0, H2 C Set (F2,F1,F0) <-- (H2,H1,H0) << 32 C To free registers, add in T1, T0 as soon as H0, H1 have been copied mov H0, F0 mov H0, F1 add T0, H0 mov H1, F2 mov H1, T0 adc T1, H1 mov H2, T1 adc $0, H2 C Shift 32 bits shl $32, F0 shr $32, F1 shl $32, T0 shr $32, F2 shl $32, T1 or T0, F1 or T1, F2 mov (RP), T0 mov 8(RP), T1 sub F0, T0 sbb F1, T1 sbb F2, H0 sbb $0, H1 sbb $0, H2 C We now have H2, H1, H0, T1, T0, with 33 bits left to reduce C Set F0 <-- (H2, H1) >> 32 C Set (F2,F1) <-- (H2, H1 & 0xffffffff00000000) C H1 <-- H1 & 0xffffffff mov H1, F0 mov H1, F1 mov H2, F2 movl XREG(H1), XREG(H1) C Clears high 32 bits sub H1, F1 C Clears low 32 bits shr $32, F0 shl $32, H2 or H2, F0 sub F0, T0 sbb $0, F1 sbb $0, F2 add F1, T1 adc F2, H0 adc $0, H1 mov T0, (RP) mov T1, 8(RP) mov H0, 16(RP) mov H1, 24(RP) W64_EXIT(2, 0) ret EPILOGUE(nettle_ecc_224_modp) nettle-3.4.1/x86_64/salsa20.m40000644000175000017500000000143013401564746014513 0ustar nissenisseC Needs T0 and T1 C QROUND(x0, x1, x2, x3) define(, < movaps $4, T0 C 0 paddd $1, T0 C 1 movaps T0, T1 C 2 pslld <$>7, T0 C 2 psrld <$>25, T1 C 3 pxor T0, $2 C 3 pxor T1, $2 C 4 movaps $1, T0 C 0 paddd $2, T0 C 5 movaps T0, T1 C 6 pslld <$>9, T0 C 6 psrld <$>23, T1 C 7 pxor T0, $3 C 7 pxor T1, $3 C 8 movaps $2, T0 C 0 paddd $3, T0 C 9 movaps T0, T1 C 10 pslld <$>13, T0 C 10 psrld <$>19, T1 C 11 pxor T0, $4 C 11 pxor T1, $4 C 12 movaps $3, T0 C 0 paddd $4, T0 C 13 movaps T0, T1 C 14 pslld <$>18, T0 C 14 psrld <$>14, T1 C 15 pxor T0, $1 C 15 pxor T1, $1 C 16 >) C SWAP(x0, x1, mask) C Swaps bits in x0 and x1, with bits selected by the mask define(, < movaps $1, T0 pxor $2, $1 pand $3, $1 pxor $1, $2 pxor T0, $1 >) nettle-3.4.1/x86_64/poly1305-internal.asm0000644000175000017500000000762713401564746016632 0ustar nissenisseC x86_64/poly1305-internal.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "poly1305-internal.asm" C Registers mainly used by poly1305_block define(, <%rdi>) define(, <%rcx>) define(, <%rsi>) define(, <%r8>) define(, <%r9>) define(

, <%r10>) define(

, <%r11>) C poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) .text C Registers: C %rdi: ctx C %rsi: key C %r8: mask ALIGN(16) PROLOGUE(nettle_poly1305_set_key) W64_ENTRY(2,0) mov $0x0ffffffc0fffffff, %r8 mov (%rsi), %rax and %r8, %rax and $-4, %r8 mov %rax, (CTX) mov 8(%rsi), %rax and %r8, %rax mov %rax, P1305_R1 (CTX) shr $2, %rax imul $5, %rax mov %rax, P1305_S1 (CTX) xor XREG(%rax), XREG(%rax) mov %rax, P1305_H0 (CTX) mov %rax, P1305_H1 (CTX) mov XREG(%rax), P1305_H2 (CTX) W64_EXIT(2,0) ret EPILOGUE(nettle_poly1305_set_key) C 64-bit multiplication mod 2^130 - 5 C C (x_0 + B x_1 + B^2 x_2) * (r_0 + B r_1) = C 1 B B^2 B^3 C x_0 r_0 C x_0 r_1 C x_1 r_0 C x_1 r_1 C x_2 r_0 C x_2 r_1 C Then r_1 B^2 = r_1/4 (2^130) = 5/4 r_1. C and r_1 B^3 = 5/4 B r_1 C So we get C C x_0 r_0 + x_1 (5/4 r_1) + B (x_0 r_1 + x_1 r_0 + x_2 5/4 r_1 + B x_2 r_0) C 1 B B^2 B^3 C x_0 r_0 C x_1 r'_1 C x_0 r_1 C x_1 r_0 C x_2 r'_1 C x_2 r_0 C _poly1305_block (struct poly1305_ctx *ctx, const uint8_t m[16], unsigned hi) PROLOGUE(_nettle_poly1305_block) W64_ENTRY(3, 0) mov (%rsi), T0 mov 8(%rsi), T1 mov XREG(%rdx), XREG(T2) C Registers: C Inputs: CTX, T0, T1, T2, C Outputs: H0, H1, H2, stored into the context. add P1305_H0 (CTX), T0 adc P1305_H1 (CTX), T1 adc P1305_H2 (CTX), XREG(T2) mov P1305_R0 (CTX), %rax mul T0 C x0*r0 mov %rax, H0 mov %rdx, H1 mov P1305_S1 (CTX), %rax C 5/4 r1 mov %rax, H2 mul T1 C x1*r1' imul T2, H2 C x2*r1' imul P1305_R0 (CTX), T2 C x2*r0 add %rax, H0 adc %rdx, H1 mov P1305_R0 (CTX), %rax mul T1 C x1*r0 add %rax, H2 adc %rdx, T2 mov P1305_R1 (CTX), %rax mul T0 C x0*r1 add %rax, H2 adc %rdx, T2 mov T2, %rax shr $2, %rax imul $5, %rax and $3, XREG(T2) add %rax, H0 adc H2, H1 adc $0, XREG(T2) mov H0, P1305_H0 (CTX) mov H1, P1305_H1 (CTX) mov XREG(T2), P1305_H2 (CTX) W64_EXIT(3, 0) ret EPILOGUE(_nettle_poly1305_block) C poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) C Registers: C %rdi: ctx C %rsi: s PROLOGUE(nettle_poly1305_digest) W64_ENTRY(2, 0) mov P1305_H0 (CTX), H0 mov P1305_H1 (CTX), H1 mov P1305_H2 (CTX), XREG(H2) mov XREG(H2), XREG(%rax) shr $2, XREG(%rax) and $3, H2 imul $5, XREG(%rax) add %rax, H0 adc $0, H1 adc $0, XREG(H2) C Use %rax instead of %rsi define(, <%rax>) C Add 5, use result if >= 2^130 mov $5, T0 xor T1, T1 add H0, T0 adc H1, T1 adc $0, XREG(H2) cmp $4, XREG(H2) cmovnc T0, H0 cmovnc T1, H1 add H0, (%rsi) adc H1, 8(%rsi) xor XREG(%rax), XREG(%rax) mov %rax, P1305_H0 (CTX) mov %rax, P1305_H1 (CTX) mov XREG(%rax), P1305_H2 (CTX) W64_EXIT(2, 0) ret nettle-3.4.1/x86_64/serpent-decrypt.asm0000644000175000017500000002446013401564746016646 0ustar nissenisseC x86_64/serpent-decrypt.asm ifelse(< Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Register usage: C Single block serpent state, two copies define(, <%eax>) define(, <%ebx>) define(, <%ebp>) define(, <%r8d>) define(, <%r9d>) define(, <%r10d>) define(, <%r11d>) define(, <%r12d>) C Quadruple block serpent state, two copies define(, <%xmm0>) define(, <%xmm1>) define(, <%xmm2>) define(, <%xmm3>) define(, <%xmm4>) define(, <%xmm5>) define(, <%xmm6>) define(, <%xmm7>) define(, <%xmm8>) define(, <%xmm9>) define(, <%xmm10>) define(, <%xmm11>) define(, <%xmm12>) C Arguments define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%rcx>) define(, <%r13>) define(, <%r14d>) C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 define(, < mov $1, $5 xor $3, $5 mov $1, $7 or $2, $7 mov $3, $6 xor $4, $6 xor $6, $7 and $3, $6 or $2, $3 xor $4, $2 or $1, $6 and $3, $2 xor $2, $6 or $7, $1 xor $6, $1 mov $7, $2 and $1, $2 not $7 or $7, $4 xor $3, $4 mov $1, $8 xor $4, $8 or $4, $2 xor $2, $5 >) define(, < mov $2, $6 or $4, $6 xor $3, $6 mov $1, $8 xor $2, $8 mov $1, $5 or $6, $5 and $8, $5 xor $5, $2 xor $6, $8 and $4, $2 mov $1, $7 and $3, $7 or $7, $6 or $4, $7 xor $5, $7 not $7 xor $2, $6 xor $6, $5 xor $3, $5 or $7, $1 xor $1, $5 >) define(, < mov $1, $5 xor $4, $5 mov $3, $7 xor $4, $7 mov $2, $6 or $7, $6 xor $6, $5 mov $4, $6 or $5, $6 and $2, $6 not $4 mov $1, $8 or $3, $8 and $8, $7 xor $7, $6 and $2, $8 and $3, $1 or $4, $1 xor $1, $8 and $8, $3 xor $1, $3 mov $5, $7 xor $6, $7 xor $3, $7 >) define(, < mov $3, $8 or $4, $8 mov $2, $5 and $8, $5 mov $1, $7 or $4, $7 mov $3, $6 xor $7, $6 xor $6, $5 xor $1, $4 xor $4, $8 xor $2, $7 and $6, $7 xor $4, $7 xor $1, $6 or $5, $4 and $4, $6 xor $2, $6 and $7, $1 or $2, $1 xor $1, $8 >) define(, < mov $3, $6 xor $4, $6 mov $3, $7 or $4, $7 xor $2, $7 or $4, $2 mov $1, $5 xor $7, $5 xor $7, $4 and $1, $7 xor $7, $6 xor $1, $7 or $3, $7 and $2, $1 mov $1, $8 xor $4, $8 not $1 or $6, $1 xor $1, $5 xor $2, $1 xor $1, $7 >) define(, < mov $1, $6 and $4, $6 mov $3, $8 xor $6, $8 mov $2, $5 and $8, $5 mov $1, $7 xor $4, $7 xor $2, $4 xor $7, $5 and $1, $3 and $5, $1 or $2, $3 xor $5, $6 xor $3, $6 mov $5, $7 or $6, $7 xor $8, $7 xor $4, $7 not $2 or $1, $2 xor $2, $8 >) define(, < mov $1, $7 xor $3, $7 not $3 mov $2, $5 xor $4, $5 mov $1, $6 or $3, $6 xor $5, $6 mov $2, $8 and $7, $8 or $4, $8 or $3, $4 or $2, $3 and $1, $3 mov $3, $5 xor $8, $5 not $5 and $7, $8 xor $3, $8 xor $6, $1 xor $1, $8 and $5, $2 xor $2, $7 xor $4, $7 >) define(, < mov $1, $8 and $2, $8 mov $2, $7 xor $4, $7 or $8, $7 mov $1, $6 or $4, $6 and $3, $6 xor $6, $7 or $3, $8 mov $1, $5 or $2, $5 and $4, $5 xor $5, $8 xor $2, $5 mov $4, $6 xor $8, $6 not $6 or $5, $6 xor $3, $5 xor $1, $6 or $6, $4 xor $4, $5 >) define(, < rol <$>10, $3 rol <$>27, $1 mov $2, TMP32 shl <$>7, TMP32 xor $4, $3 xor TMP32, $3 xor $2, $1 xor $4, $1 rol <$>25, $4 rol <$>31, $2 mov $1, TMP32 shl <$>3, TMP32 xor $3, $4 xor TMP32, $4 xor $1, $2 xor $3, $2 rol <$>29, $3 rol <$>19, $1 >) define(, < pxor MINUS1, $1 >) define(, < movdqa $1, $5 pxor $3, $5 movdqa $1, $7 por $2, $7 movdqa $3, $6 pxor $4, $6 pxor $6, $7 pand $3, $6 por $2, $3 pxor $4, $2 por $1, $6 pand $3, $2 pxor $2, $6 por $7, $1 pxor $6, $1 movdqa $7, $2 pand $1, $2 PNOT($7) por $7, $4 pxor $3, $4 movdqa $1, $8 pxor $4, $8 por $4, $2 pxor $2, $5 >) define(, < movdqa $2, $6 por $4, $6 pxor $3, $6 movdqa $1, $8 pxor $2, $8 movdqa $1, $5 por $6, $5 pand $8, $5 pxor $5, $2 pxor $6, $8 pand $4, $2 movdqa $1, $7 pand $3, $7 por $7, $6 por $4, $7 pxor $5, $7 PNOT($7) pxor $2, $6 pxor $6, $5 pxor $3, $5 por $7, $1 pxor $1, $5 >) define(, < movdqa $1, $5 pxor $4, $5 movdqa $3, $7 pxor $4, $7 movdqa $2, $6 por $7, $6 pxor $6, $5 movdqa $4, $6 por $5, $6 pand $2, $6 PNOT($4) movdqa $1, $8 por $3, $8 pand $8, $7 pxor $7, $6 pand $2, $8 pand $3, $1 por $4, $1 pxor $1, $8 pand $8, $3 pxor $1, $3 movdqa $5, $7 pxor $6, $7 pxor $3, $7 >) define(, < movdqa $3, $8 por $4, $8 movdqa $2, $5 pand $8, $5 movdqa $1, $7 por $4, $7 movdqa $3, $6 pxor $7, $6 pxor $6, $5 pxor $1, $4 pxor $4, $8 pxor $2, $7 pand $6, $7 pxor $4, $7 pxor $1, $6 por $5, $4 pand $4, $6 pxor $2, $6 pand $7, $1 por $2, $1 pxor $1, $8 >) define(, < movdqa $3, $6 pxor $4, $6 movdqa $3, $7 por $4, $7 pxor $2, $7 por $4, $2 movdqa $1, $5 pxor $7, $5 pxor $7, $4 pand $1, $7 pxor $7, $6 pxor $1, $7 por $3, $7 pand $2, $1 movdqa $1, $8 pxor $4, $8 PNOT($1) por $6, $1 pxor $1, $5 pxor $2, $1 pxor $1, $7 >) define(, < movdqa $1, $6 pand $4, $6 movdqa $3, $8 pxor $6, $8 movdqa $2, $5 pand $8, $5 movdqa $1, $7 pxor $4, $7 pxor $2, $4 pxor $7, $5 pand $1, $3 pand $5, $1 por $2, $3 pxor $5, $6 pxor $3, $6 movdqa $5, $7 por $6, $7 pxor $8, $7 pxor $4, $7 PNOT($2) por $1, $2 pxor $2, $8 >) define(, < movdqa $1, $7 pxor $3, $7 PNOT($3) movdqa $2, $5 pxor $4, $5 movdqa $1, $6 por $3, $6 pxor $5, $6 movdqa $2, $8 pand $7, $8 por $4, $8 por $3, $4 por $2, $3 pand $1, $3 movdqa $3, $5 pxor $8, $5 PNOT($5) pand $7, $8 pxor $3, $8 pxor $6, $1 pxor $1, $8 pand $5, $2 pxor $2, $7 pxor $4, $7 >) define(, < movdqa $1, $8 pand $2, $8 movdqa $2, $7 pxor $4, $7 por $8, $7 movdqa $1, $6 por $4, $6 pand $3, $6 pxor $6, $7 por $3, $8 movdqa $1, $5 por $2, $5 pand $4, $5 pxor $5, $8 pxor $2, $5 movdqa $4, $6 pxor $8, $6 PNOT($6) por $5, $6 pxor $3, $5 pxor $1, $6 por $6, $4 pxor $4, $5 >) define(, < WROL(10, $3) WROL(27, $1) movdqa $2, T0 pslld <$>7, T0 pxor $4, $3 pxor T0, $3 pxor $2, $1 pxor $4, $1 WROL(25, $4) WROL(31, $2) movdqa $1, T0 pslld <$>3, T0 pxor $3, $4 pxor T0, $4 pxor $1, $2 pxor $3, $2 WROL(29, $3) WROL(19, $1) >) .file "serpent-decrypt.asm" C serpent_decrypt(struct serpent_context *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_serpent_decrypt) C save all registers that need to be saved W64_ENTRY(4, 13) push %rbx push %rbp push %r12 push %r13 push %r14 lea (SRC, N), SRC lea (DST, N), DST neg N jz .Lend cmp $-64, N ja .Lblock_loop pcmpeqd MINUS1, MINUS1 .Lwblock_loop: movups (SRC, N), X0 movups 16(SRC, N), X1 movups 32(SRC, N), X2 movups 48(SRC, N), X3 WTRANSPOSE(X0,X1,X2,X3) mov $384, CNT C FIXME: CNT known, no index register needed WKEYXOR(128, X0,X1,X2,X3) jmp .Lwround_start ALIGN(16) .Lwround_loop: WLTI(X0,X1,X2,X3) .Lwround_start: WSBOX7I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(112, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX6I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(96, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX5I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(80, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX4I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(64, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX3I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(48, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX2I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(32, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX1I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(16, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX0I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(, X0,X1,X2,X3) sub $128, CNT jnc .Lwround_loop WTRANSPOSE(X0,X1,X2,X3) movups X0, (DST, N) movups X1, 16(DST, N) movups X2, 32(DST, N) movups X3, 48(DST, N) C FIXME: Adjust N, so we can use just jnc without an extra cmp. add $64, N jz .Lend cmp $-64, N jbe .Lwblock_loop .Lblock_loop: movl (SRC, N), x0 movl 4(SRC, N), x1 movl 8(SRC, N), x2 movl 12(SRC, N), x3 xor 512(CTX), x0 xor 516(CTX), x1 xor 520(CTX), x2 xor 524(CTX), x3 mov $384, CNT jmp .Lround_start ALIGN(16) .Lround_loop: LTI(x0,x1,x2,x3) .Lround_start: SBOX7I(x0,x1,x2,x3, y0,y1,y2,y3) xor 112(CTX, CNT), y0 xor 116(CTX, CNT), y1 xor 120(CTX, CNT), y2 xor 124(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX6I(y0,y1,y2,y3, x0,x1,x2,x3) xor 96(CTX, CNT), x0 xor 100(CTX, CNT), x1 xor 104(CTX, CNT), x2 xor 108(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX5I(x0,x1,x2,x3, y0,y1,y2,y3) xor 80(CTX, CNT), y0 xor 84(CTX, CNT), y1 xor 88(CTX, CNT), y2 xor 92(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX4I(y0,y1,y2,y3, x0,x1,x2,x3) xor 64(CTX, CNT), x0 xor 68(CTX, CNT), x1 xor 72(CTX, CNT), x2 xor 76(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX3I(x0,x1,x2,x3, y0,y1,y2,y3) xor 48(CTX, CNT), y0 xor 52(CTX, CNT), y1 xor 56(CTX, CNT), y2 xor 60(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX2I(y0,y1,y2,y3, x0,x1,x2,x3) xor 32(CTX, CNT), x0 xor 36(CTX, CNT), x1 xor 40(CTX, CNT), x2 xor 44(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX1I(x0,x1,x2,x3, y0,y1,y2,y3) xor 16(CTX, CNT), y0 xor 20(CTX, CNT), y1 xor 24(CTX, CNT), y2 xor 28(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX0I(y0,y1,y2,y3, x0,x1,x2,x3) xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 sub $128, CNT jnc .Lround_loop movl x0, (DST, N) movl x1, 4(DST, N) movl x2, 8(DST, N) movl x3, 12(DST, N) add $16, N jnc .Lblock_loop .Lend: pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 13) ret nettle-3.4.1/x86_64/umac-nh.asm0000644000175000017500000000371213401564746015043 0ustar nissenisseC x86_64/umac-nh.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%xmm0>) define(, <%xmm1>) define(, <%xmm2>) define(, <%xmm3>) define(, <%xmm4>) define(, <%xmm5>) define(, <%xmm6>) C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. .file "umac-nh.asm" C umac_nh(const uint32_t *key, unsigned length, const uint8_t *msg) .text ALIGN(16) PROLOGUE(_nettle_umac_nh) W64_ENTRY(3, 7) pxor XY, XY .Loop: movups (KEY), XK0 movups 16(KEY), XK1 movups (MSG), XA movups 16(MSG), XB paddd XK0, XA paddd XK1, XB pshufd $0x31, XA, XT0 pshufd $0x31, XB, XT1 pmuludq XT0, XT1 paddq XT1, XY pmuludq XA, XB paddq XB, XY C Length is only 32 bits subl $32, XREG(LENGTH) lea 32(KEY), KEY lea 32(MSG), MSG ja .Loop pshufd $0xe, XY, XT0 paddq XT0, XY C Really a movq, but write as movd to please Apple's assembler movd XY, %rax W64_EXIT(3, 7) ret EPILOGUE(_nettle_umac_nh) nettle-3.4.1/x86_64/memxor.asm0000644000175000017500000000640013401564746015017 0ustar nissenisseC x86_64/memxor.asm ifelse(< Copyright (C) 2010, 2014, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage: define(, <%rax>) C Originally in %rdi define(, <%rsi>) define(, <%rdx>) define(, <%r8>) define(, <%r9>) define(, <%rdi>) define(, <%r11>) define(, <%rdi>) C Overlaps with CNT define(, ) .file "memxor.asm" .text C memxor(void *dst, const void *src, size_t n) C %rdi %rsi %rdx ALIGN(16) PROLOGUE(nettle_memxor) W64_ENTRY(3, 0) test N, N C Get number of unaligned bytes at the end C %rdi is used as CNT, %rax as DST and as return value mov %rdi, %rax jz .Ldone add N, CNT and $7, CNT jz .Laligned cmp $8, N jc .Lfinal_next C FIXME: Instead of this loop, could try cmov with memory C destination, as a sequence of one 8-bit, one 16-bit and one C 32-bit operations. (Except that cmov can't do 8-bit ops, so C that step has to use a conditional). .Lalign_loop: sub $1, N movb (SRC, N), LREG(TMP) xorb LREG(TMP), (DST, N) sub $1, CNT jnz .Lalign_loop .Laligned: ifdef(, < cmp $16, N jnc .Lsse2_case >) C Next destination word is -8(DST, N) C Setup for unrolling test $8, N jz .Lword_next sub $8, N jz .Lone_word mov (SRC, N), TMP xor TMP, (DST, N) jmp .Lword_next ALIGN(16) .Lword_loop: mov 8(SRC, N), TMP mov (SRC, N), TMP2 xor TMP, 8(DST, N) xor TMP2, (DST, N) .Lword_next: sub $16, N ja .Lword_loop C Not zero and no carry jnz .Lfinal C Final operation is word aligned mov 8(SRC, N), TMP xor TMP, 8(DST, N) .Lone_word: mov (SRC, N), TMP xor TMP, (DST, N) W64_EXIT(3, 0) ret .Lfinal: add $15, N .Lfinal_loop: movb (SRC, N), LREG(TMP) xorb LREG(TMP), (DST, N) .Lfinal_next: sub $1, N jnc .Lfinal_loop .Ldone: W64_EXIT(3, 0) ret ifdef(, < .Lsse2_case: lea (DST, N), TMP test $8, TMP jz .Lsse2_next sub $8, N mov (SRC, N), TMP xor TMP, (DST, N) jmp .Lsse2_next ALIGN(16) .Lsse2_loop: movdqu (SRC, N), %xmm0 movdqa (DST, N), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST, N) .Lsse2_next: sub $16, N ja .Lsse2_loop C FIXME: See if we can do a full word first, before the C byte-wise final loop. jnz .Lfinal C Final operation is aligned movdqu (SRC), %xmm0 movdqa (DST), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST) W64_EXIT(3, 0) ret >) EPILOGUE(nettle_memxor) nettle-3.4.1/x86_64/ecc-25519-modp.asm0000644000175000017500000000376713401564746015677 0ustar nissenisseC x86_64/ecc-25519-modp.asm ifelse(< Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-25519-modp.asm" define(, <%rsi>) define(, <%rdi>) C Overlaps unused modulo input define(, <%rcx>) define(, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) define(, <%rbx>) PROLOGUE(nettle_ecc_25519_modp) W64_ENTRY(2, 0) push %rbx C First fold the limbs affecting bit 255 mov 56(RP), %rax mov $38, M mul M mov 24(RP), U3 xor T0, T0 add %rax, U3 adc %rdx, T0 mov 40(RP), %rax C Do this early as possible mul M add U3, U3 adc T0, T0 shr U3 C Undo shift, clear high bit C Fold the high limb again, together with RP[5] imul $19, T0 mov (RP), U0 mov 8(RP), U1 mov 16(RP), U2 add T0, U0 adc %rax, U1 mov 32(RP), %rax adc %rdx, U2 adc $0, U3 C Fold final two limbs, RP[4] and RP[6] mul M mov %rax, T0 mov 48(RP), %rax mov %rdx, T1 mul M add T0, U0 mov U0, (RP) adc T1, U1 mov U1, 8(RP) adc %rax, U2 mov U2, 16(RP) adc %rdx, U3 mov U3, 24(RP) pop %rbx W64_EXIT(2, 0) ret EPILOGUE(nettle_ecc_25519_modp) nettle-3.4.1/x86_64/sha1-compress-sse.asm0000644000175000017500000000321113401564746016762 0ustar nissenisseC x86_64/sha1-compress.asm ifelse(< Copyright (C) 2004, 2008, 2013, 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage. C Arguments define(,<%rdi>)dnl define(,<%rsi>)dnl C Constants define(, <0x5A827999>)dnl C Rounds 0-19 define(, <0x6ED9EBA1>)dnl C Rounds 20-39 define(, <0x8F1BBCDC>)dnl C Rounds 40-59 define(, <0xCA62C1D6>)dnl C Rounds 60-79 .file "sha1-compress.asm" C _nettle_sha1_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) PROLOGUE(_nettle_sha1_compress) C save all registers that need to be saved XXX movups (INPUT), W0 movups 16(INPUT), W1 movups 32(INPUT), W2 movups 48(INPUT), W3 ret EPILOGUE(_nettle_sha1_compress) nettle-3.4.1/x86_64/serpent-encrypt.asm0000644000175000017500000002776613401564746016674 0ustar nissenisseC x86_64/serpent-encrypt.asm ifelse(< Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Register usage: C Single block serpent state, two copies define(, <%eax>) define(, <%ebx>) define(, <%ebp>) define(, <%r8d>) define(, <%r9d>) define(, <%r10d>) define(, <%r11d>) define(, <%r12d>) C Quadruple block serpent state, two copies define(, <%xmm0>) define(, <%xmm1>) define(, <%xmm2>) define(, <%xmm3>) define(, <%xmm4>) define(, <%xmm5>) define(, <%xmm6>) define(, <%xmm7>) define(, <%xmm8>) define(, <%xmm9>) define(, <%xmm10>) define(, <%xmm11>) define(, <%xmm12>) C Arguments define(, <%rdi>) define(, <%rsi>) define(, <%rdx>) define(, <%rcx>) define(, <%r13>) define(, <%r14d>) C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 define(, < mov $2, $8 C y3 = x1 ^ x2 xor $3, $8 mov $1, $5 C y0 = x0 | x3 or $4, $5 mov $1, $6 C y1 = x0 ^ x1 xor $2, $6 xor $5, $8 C y3 ^= y0 mov $3, $7 C y2 = x2 | y3 or $8, $7 xor $4, $1 C x0 ^= x3 and $4, $7 C y2 &= x3 xor $3, $4 C x3 ^= x2 or $2, $3 C x2 |= x1 mov $6, $5 C y0 = y1 & x2 and $3, $5 xor $5, $7 C y2 ^= y0 and $7, $5 C y0 &= y2 xor $3, $5 C y0 ^= x2 and $1, $2 C x1 &= x0 xor $1, $5 C y0 ^= x0 not $5 C y0 = ~y0 mov $5, $6 C y1 = y0 ^ x1 xor $2, $6 xor $4, $6 C y1 ^= x3 >) define(, < mov $1, $6 C y1 = x0 | x3 or $4, $6 mov $3, $7 C y2 = x2 ^ x3 xor $4, $7 mov $2, $5 C y0 = ~x1 not $5 mov $1, $8 C y3 = x0 ^ x2 xor $3, $8 or $1, $5 C y0 |= x0 and $4, $8 C y3 &= x3 mov $6, $1 C x0 = y1 & y2 and $7, $1 or $2, $8 C y3 |= x1 xor $5, $7 C y2 ^= y0 xor $1, $8 C y3 ^= x0 mov $6, $1 C x0 = y1 ^ y3 xor $8, $1 xor $7, $1 C x0 ^= y2 mov $2, $6 C y1 = x1 & x3 and $4, $6 xor $1, $6 C y1 ^= x0 mov $6, $4 C x3 = y1 | y3 or $8, $4 not $8 C y3 = ~y3 and $4, $5 C y0 &= x3 xor $3, $5 C y0 ^= x2 >) define(, < mov $1, $7 C y2 = x1 | x2 or $3, $7 mov $1, $6 xor $2, $6 mov $4, $8 xor $7, $8 mov $6, $5 xor $8, $5 or $1, $4 xor $5, $3 mov $2, $1 xor $3, $1 or $2, $3 and $7, $1 xor $3, $8 or $8, $6 xor $1, $6 mov $8, $7 xor $6, $7 xor $2, $7 not $8 xor $4, $7 >) define(, < mov $1, $6 xor $3, $6 mov $1, $5 or $4, $5 mov $1, $8 and $4, $8 and $5, $6 or $2, $8 mov $1, $7 and $2, $7 or $3, $7 mov $4, $3 xor $6, $3 xor $8, $6 or $3, $1 xor $2, $3 and $4, $8 xor $8, $5 mov $7, $8 xor $3, $8 xor $5, $7 or $8, $4 and $4, $2 mov $1, $5 xor $2, $5 >) define(, < mov $1, $8 or $2, $8 mov $2, $7 or $3, $7 xor $1, $7 and $4, $8 mov $2, $5 xor $4, $5 or $7, $4 and $4, $1 and $3, $2 xor $8, $3 xor $7, $8 or $2, $7 mov $8, $6 and $5, $6 xor $6, $7 xor $5, $6 or $2, $6 xor $1, $6 and $4, $5 xor $3, $5 not $5 >) define(, < mov $2, $5 or $4, $5 xor $3, $5 mov $2, $3 xor $4, $3 mov $1, $7 xor $3, $7 and $3, $1 xor $1, $5 mov $2, $8 or $7, $8 or $5, $2 not $5 or $5, $1 xor $3, $8 xor $1, $8 mov $4, $6 or $5, $6 xor $6, $4 xor $7, $6 or $4, $7 xor $2, $7 >) define(, < mov $1, $5 xor $4, $5 mov $1, $6 and $4, $6 mov $1, $7 or $3, $7 or $2, $4 xor $3, $4 xor $2, $1 mov $2, $8 or $3, $8 xor $2, $3 and $5, $8 xor $3, $6 not $6 and $6, $5 and $6, $2 xor $8, $2 xor $4, $8 xor $2, $7 not $7 xor $7, $5 xor $1, $5 >) define(, < mov $1, $5 and $3, $5 mov $2, $8 or $5, $8 C t04 xor $3, $8 mov $4, $6 not $6 C t02 and $1, $6 xor $6, $8 mov $3, $6 or $8, $6 xor $1, $6 mov $1, $7 and $2, $7 xor $7, $3 or $4, $7 xor $7, $6 mov $2, $7 or $5, $7 C t04 and $8, $7 xor $6, $2 or $2, $7 xor $1, $7 xor $6, $5 not $4 C t02 or $4, $5 xor $3, $5 >) define(, < rol <$>13, $1 rol <$>3, $3 xor $1, $2 xor $3, $2 mov $1, TMP32 shl <$>3, TMP32 xor $3, $4 xor TMP32, $4 rol $2 rol <$>7, $4 xor $2, $1 xor $4, $1 mov $2, TMP32 shl <$>7, TMP32 xor $4, $3 xor TMP32, $3 rol <$>5, $1 rol <$>22, $3 >) C Parallel operation on four blocks at a time. C pnot instruction is missing. For lack of a spare register, XOR with C constant in memory. define(, < pxor MINUS1, $1 >) define(, < movdqa $2, $8 C y3 = x1 ^ x2 pxor $3, $8 movdqa $1, $5 C y0 = x0 | x3 por $4, $5 movdqa $1, $6 C y1 = x0 ^ x1 pxor $2, $6 pxor $5, $8 C y3 ^= y0 movdqa $3, $7 C y2 = x2 | y3 por $8, $7 pxor $4, $1 C x0 ^= x3 pand $4, $7 C y2 &= x3 pxor $3, $4 C x3 ^= x2 por $2, $3 C x2 |= x1 movdqa $6, $5 C y0 = y1 & x2 pand $3, $5 pxor $5, $7 C y2 ^= y0 pand $7, $5 C y0 &= y2 pxor $3, $5 C y0 ^= x2 pand $1, $2 C x1 &= x0 pxor $1, $5 C y0 ^= x0 PNOT($5) C y0 = ~y0 movdqa $5, $6 C y1 = y0 ^ x1 pxor $2, $6 pxor $4, $6 C y1 ^= x3 >) define(, < movdqa $1, $6 C y1 = x0 | x3 por $4, $6 movdqa $3, $7 C y2 = x2 ^ x3 pxor $4, $7 movdqa $2, $5 C y0 = ~x1 PNOT($5) movdqa $1, $8 C y3 = x0 ^ x2 pxor $3, $8 por $1, $5 C y0 |= x0 pand $4, $8 C y3 &= x3 movdqa $6, $1 C x0 = y1 & y2 pand $7, $1 por $2, $8 C y3 |= x1 pxor $5, $7 C y2 ^= y0 pxor $1, $8 C y3 ^= x0 movdqa $6, $1 C x0 = y1 ^ y3 pxor $8, $1 pxor $7, $1 C x0 ^= y2 movdqa $2, $6 C y1 = x1 & x3 pand $4, $6 pxor $1, $6 C y1 ^= x0 movdqa $6, $4 C x3 = y1 | y3 por $8, $4 PNOT($8) C y3 = ~y3 pand $4, $5 C y0 &= x3 pxor $3, $5 C y0 ^= x2 >) define(, < movdqa $1, $7 C y2 = x1 | x2 por $3, $7 movdqa $1, $6 pxor $2, $6 movdqa $4, $8 pxor $7, $8 movdqa $6, $5 pxor $8, $5 por $1, $4 pxor $5, $3 movdqa $2, $1 pxor $3, $1 por $2, $3 pand $7, $1 pxor $3, $8 por $8, $6 pxor $1, $6 movdqa $8, $7 pxor $6, $7 pxor $2, $7 PNOT($8) pxor $4, $7 >) define(, < movdqa $1, $6 pxor $3, $6 movdqa $1, $5 por $4, $5 movdqa $1, $8 pand $4, $8 pand $5, $6 por $2, $8 movdqa $1, $7 pand $2, $7 por $3, $7 movdqa $4, $3 pxor $6, $3 pxor $8, $6 por $3, $1 pxor $2, $3 pand $4, $8 pxor $8, $5 movdqa $7, $8 pxor $3, $8 pxor $5, $7 por $8, $4 pand $4, $2 movdqa $1, $5 pxor $2, $5 >) define(, < movdqa $1, $8 por $2, $8 movdqa $2, $7 por $3, $7 pxor $1, $7 pand $4, $8 movdqa $2, $5 pxor $4, $5 por $7, $4 pand $4, $1 pand $3, $2 pxor $8, $3 pxor $7, $8 por $2, $7 movdqa $8, $6 pand $5, $6 pxor $6, $7 pxor $5, $6 por $2, $6 pxor $1, $6 pand $4, $5 pxor $3, $5 PNOT($5) >) define(, < movdqa $2, $5 por $4, $5 pxor $3, $5 movdqa $2, $3 pxor $4, $3 movdqa $1, $7 pxor $3, $7 pand $3, $1 pxor $1, $5 movdqa $2, $8 por $7, $8 por $5, $2 PNOT($5) por $5, $1 pxor $3, $8 pxor $1, $8 movdqa $4, $6 por $5, $6 pxor $6, $4 pxor $7, $6 por $4, $7 pxor $2, $7 >) define(, < movdqa $1, $5 pxor $4, $5 movdqa $1, $6 pand $4, $6 movdqa $1, $7 por $3, $7 por $2, $4 pxor $3, $4 pxor $2, $1 movdqa $2, $8 por $3, $8 pxor $2, $3 pand $5, $8 pxor $3, $6 PNOT($6) pand $6, $5 pand $6, $2 pxor $8, $2 pxor $4, $8 pxor $2, $7 PNOT($7) pxor $7, $5 pxor $1, $5 >) define(, < movdqa $1, $5 pand $3, $5 movdqa $2, $8 por $5, $8 C t04 pxor $3, $8 movdqa $4, $6 pandn $1, $6 C t02 implicit pxor $6, $8 movdqa $3, $6 por $8, $6 pxor $1, $6 movdqa $1, $7 pand $2, $7 pxor $7, $3 por $4, $7 pxor $7, $6 movdqa $2, $7 por $5, $7 C t04 pand $8, $7 pxor $6, $2 por $2, $7 pxor $1, $7 pxor $6, $5 PNOT($4) C t02 por $4, $5 pxor $3, $5 >) C WLT(x0, x1, x2, x3) define(, < WROL(13, $1) WROL(3, $3) pxor $1, $2 pxor $3, $2 movdqa $1, T0 pslld <$>3, T0 pxor $3, $4 pxor T0, $4 WROL(1, $2) WROL(7, $4) pxor $2, $1 pxor $4, $1 movdqa $2, T0 pslld <$>7, T0 pxor $4, $3 pxor T0, $3 WROL(5, $1) WROL(22, $3) >) .file "serpent-encrypt.asm" C serpent_encrypt(struct serpent_context *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_serpent_encrypt) C save all registers that need to be saved W64_ENTRY(4, 13) push %rbx push %rbp push %r12 push %r13 push %r14 lea (SRC, N), SRC lea (DST, N), DST neg N jz .Lend C Point at the final subkey. lea 512(CTX), CTX cmp $-64, N ja .Lblock_loop pcmpeqd MINUS1, MINUS1 .Lwblock_loop: movups (SRC, N), X0 movups 16(SRC, N), X1 movups 32(SRC, N), X2 movups 48(SRC, N), X3 WTRANSPOSE(X0, X1, X2, X3) mov $-512, CNT jmp .Lwround_start ALIGN(16) .Lwround_loop: WLT(X0,X1,X2,X3) .Lwround_start: WKEYXOR(, X0,X1,X2,X3) WSBOX0(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(16, Y0,Y1,Y2,Y3) WSBOX1(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(32, X0,X1,X2,X3) WSBOX2(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(48, Y0,Y1,Y2,Y3) WSBOX3(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(64, X0,X1,X2,X3) WSBOX4(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(80, Y0,Y1,Y2,Y3) WSBOX5(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(96, X0,X1,X2,X3) WSBOX6(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(112, Y0,Y1,Y2,Y3) WSBOX7(Y0,Y1,Y2,Y3, X0,X1,X2,X3) add $128, CNT jnz .Lwround_loop C FIXME: CNT known to be zero, no index register needed WKEYXOR(, X0,X1,X2,X3) WTRANSPOSE(X0,X1,X2,X3) movups X0, (DST, N) movups X1, 16(DST, N) movups X2, 32(DST, N) movups X3, 48(DST, N) C FIXME: Adjust N, so we can use just jnc without an extra cmp. add $64, N jz .Lend cmp $-64, N jbe .Lwblock_loop C The single-block loop here is slightly slower than the double-block C loop in serpent-encrypt.c. C FIXME: Should use non-sse2 code only if we have a single block left. C With two or three blocks, it should be better to do them in C parallell. .Lblock_loop: movl (SRC, N), x0 movl 4(SRC, N), x1 movl 8(SRC, N), x2 movl 12(SRC, N), x3 mov $-512, CNT jmp .Lround_start ALIGN(16) .Lround_loop: LT(x0,x1,x2,x3) .Lround_start: xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 SBOX0(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 16(CTX, CNT), y0 xor 20(CTX, CNT), y1 xor 24(CTX, CNT), y2 xor 28(CTX, CNT), y3 SBOX1(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 32(CTX, CNT), x0 xor 36(CTX, CNT), x1 xor 40(CTX, CNT), x2 xor 44(CTX, CNT), x3 SBOX2(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 48(CTX, CNT), y0 xor 52(CTX, CNT), y1 xor 56(CTX, CNT), y2 xor 60(CTX, CNT), y3 SBOX3(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 64(CTX, CNT), x0 xor 68(CTX, CNT), x1 xor 72(CTX, CNT), x2 xor 76(CTX, CNT), x3 SBOX4(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 80(CTX, CNT), y0 xor 84(CTX, CNT), y1 xor 88(CTX, CNT), y2 xor 92(CTX, CNT), y3 SBOX5(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 96(CTX, CNT), x0 xor 100(CTX, CNT), x1 xor 104(CTX, CNT), x2 xor 108(CTX, CNT), x3 SBOX6(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 112(CTX, CNT), y0 xor 116(CTX, CNT), y1 xor 120(CTX, CNT), y2 xor 124(CTX, CNT), y3 SBOX7(y0,y1,y2,y3, x0,x1,x2,x3) add $128, CNT jnz .Lround_loop C Apply final subkey. xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 movl x0, (DST, N) movl x1, 4(DST, N) movl x2, 8(DST, N) movl x3, 12(DST, N) add $16, N jnc .Lblock_loop .Lend: pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 13) ret nettle-3.4.1/x86_64/ecc-521-modp.asm0000644000175000017500000000527413401564746015514 0ustar nissenisseC x86_64/ecc-521-modp.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-521-modp.asm" GMP_NUMB_BITS(64) define(, <%rsi>) define(, <%rax>) define(, <%rbx>) define(, <%rcx>) define(, <%rdx>) define(, <%rbp>) define(, <%rdi>) define(, <%r8>) define(, <%r9>) define(, <%r10>) define(, <%r11>) define(, <%r12>) define(, <%r13>) PROLOGUE(nettle_ecc_521_modp) W64_ENTRY(2, 0) push %rbx push %rbp push %r12 push %r13 C Read top 17 limbs, shift left 55 bits mov 72(RP), U1 mov U1, U0 shl $55, U0 shr $9, U1 mov 80(RP), U2 mov U2, T0 shr $9, U2 shl $55, T0 or T0, U1 mov 88(RP), U3 mov U3, T0 shr $9, U3 shl $55, T0 or T0, U2 mov 96(RP), U4 mov U4, T0 shr $9, U4 shl $55, T0 or T0, U3 mov 104(RP), U5 mov U5, T0 shr $9, U5 shl $55, T0 or T0, U4 mov 112(RP), U6 mov U6, T0 shr $9, U6 shl $55, T0 or T0, U5 mov 120(RP), U7 mov U7, T0 shr $9, U7 shl $55, T0 or T0, U6 mov 128(RP), U8 mov U8, T0 shr $9, U8 shl $55, T0 or T0, U7 mov 136(RP), U9 mov U9, T0 shr $9, U9 shl $55, T0 or T0, U8 add (RP), U0 adc 8(RP), U1 adc 16(RP), U2 adc 24(RP), U3 adc 32(RP), U4 adc 40(RP), U5 adc 48(RP), U6 adc 56(RP), U7 adc 64(RP), U8 adc $0, U9 C Top limbs are . Keep low 9 bits of 8, and fold the C top bits (at most 65 bits). mov U8, T0 shr $9, T0 and $0x1ff, U8 mov U9, T1 shl $55, U9 shr $9, T1 or U9, T0 add T0, U0 mov U0, (RP) adc T1, U1 mov U1, 8(RP) adc $0, U2 mov U2, 16(RP) adc $0, U3 mov U3, 24(RP) adc $0, U4 mov U4, 32(RP) adc $0, U5 mov U5, 40(RP) adc $0, U6 mov U6, 48(RP) adc $0, U7 mov U7, 56(RP) adc $0, U8 mov U8, 64(RP) pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(2, 0) ret EPILOGUE(nettle_ecc_521_modp) nettle-3.4.1/camellia-absorb.c0000644000175000017500000001001313401564745015223 0ustar nissenisse/* camellia-absorb.c Final key setup processing for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif /* For CHAR_BIT, needed by HAVE_NATIVE_64_BIT */ #include #include "camellia-internal.h" #include "macros.h" void _camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey) { uint64_t kw2, kw4; uint32_t dw, tl, tr; unsigned i; /* At this point, the subkey array contains the subkeys as described in the spec, 26 for short keys and 34 for large keys. */ /* absorb kw2 to other subkeys */ kw2 = subkey[1]; subkey[3] ^= kw2; subkey[5] ^= kw2; subkey[7] ^= kw2; for (i = 8; i < nkeys; i += 8) { /* FIXME: gcc for x86_32 is smart enough to fetch the 32 low bits and xor the result into the 32 high bits, but it still generates worse code than for explicit 32-bit operations. */ kw2 ^= (kw2 & ~subkey[i+1]) << 32; dw = (kw2 & subkey[i+1]) >> 32; kw2 ^= ROTL32(1, dw); subkey[i+3] ^= kw2; subkey[i+5] ^= kw2; subkey[i+7] ^= kw2; } subkey[i] ^= kw2; /* absorb kw4 to other subkeys */ kw4 = subkey[nkeys + 1]; for (i = nkeys - 8; i > 0; i -= 8) { subkey[i+6] ^= kw4; subkey[i+4] ^= kw4; subkey[i+2] ^= kw4; kw4 ^= (kw4 & ~subkey[i]) << 32; dw = (kw4 & subkey[i]) >> 32; kw4 ^= ROTL32(1, dw); } subkey[6] ^= kw4; subkey[4] ^= kw4; subkey[2] ^= kw4; subkey[0] ^= kw4; /* key XOR is end of F-function */ dst[0] = subkey[0] ^ subkey[2]; dst[1] = subkey[3]; dst[2] = subkey[2] ^ subkey[4]; dst[3] = subkey[3] ^ subkey[5]; dst[4] = subkey[4] ^ subkey[6]; dst[5] = subkey[5] ^ subkey[7]; for (i = 8; i < nkeys; i += 8) { tl = (subkey[i+2] >> 32) ^ (subkey[i+2] & ~subkey[i]); dw = tl & (subkey[i] >> 32); tr = subkey[i+2] ^ ROTL32(1, dw); dst[i-2] = subkey[i-2] ^ ( ((uint64_t) tl << 32) | tr); dst[i-1] = subkey[i]; dst[i] = subkey[i+1]; tl = (subkey[i-1] >> 32) ^ (subkey[i-1] & ~subkey[i+1]); dw = tl & (subkey[i+1] >> 32); tr = subkey[i-1] ^ ROTL32(1, dw); dst[i+1] = subkey[i+3] ^ ( ((uint64_t) tl << 32) | tr); dst[i+2] = subkey[i+2] ^ subkey[i+4]; dst[i+3] = subkey[i+3] ^ subkey[i+5]; dst[i+4] = subkey[i+4] ^ subkey[i+6]; dst[i+5] = subkey[i+5] ^ subkey[i+7]; } dst[i-2] = subkey[i-2]; dst[i-1] = subkey[i] ^ subkey[i-1]; #if !HAVE_NATIVE_64_BIT for (i = 0; i < nkeys; i += 8) { /* apply the inverse of the last half of F-function */ CAMELLIA_F_HALF_INV(dst[i+1]); CAMELLIA_F_HALF_INV(dst[i+2]); CAMELLIA_F_HALF_INV(dst[i+3]); CAMELLIA_F_HALF_INV(dst[i+4]); CAMELLIA_F_HALF_INV(dst[i+5]); CAMELLIA_F_HALF_INV(dst[i+6]); } #endif } nettle-3.4.1/nettle.html0000644000175000017500000155634613401564746014255 0ustar nissenisse Nettle: a low-level cryptographic library

Nettle: a low-level cryptographic library

Table of Contents

Next: , Previous: , Up: (dir)   [Contents][Index]

Nettle

This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application.

This manual is for the Nettle library (version 3.4), a low-level cryptographic library.

Originally written 2001 by Niels Möller, updated 2017.

This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required.

Introduction:  What is Nettle?
Copyright:  Your rights.
Conventions:  General interface conventions.
Example:  An example program.
Linking:  Linking with libnettle and libhogweed.
Reference:  All Nettle functions and features.
Nettle soup:  For the serious nettle hacker.
Installation:  How to install Nettle.
Index:  Function and concept index. 


 — The Detailed Node Listing —

Reference
Hash functions:  
Cipher functions:  
Cipher modes:  
Keyed hash functions:  
Key derivation functions:  
Public-key algorithms:  
Randomness:  
ASCII encoding:  
Miscellaneous functions:  
Compatibility functions:   

Hash functions
Recommended hash functions:  
Legacy hash functions:  
nettle_hash abstraction:   

Cipher modes
CBC:  
CTR:  
CFB:  
GCM:  
CCM:   

Keyed Hash Functions
HMAC:  
UMAC:   

Public-key algorithms
RSA:  The RSA public key algorithm.
DSA:  The DSA digital signature algorithm.
Elliptic curves:  Elliptic curves and ECDSA 

Elliptic curves
Side-channel silence:  
ECDSA:  
Curve 25519:  

Next: , Previous: , Up: Top   [Contents][Index]

1 Introduction

Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement.

And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around.

Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a simple but general interface to it. In particular, Nettle doesn’t do algorithm selection. It doesn’t do memory allocation. It doesn’t do any I/O.

The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library.

This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use.

Next: , Previous: , Up: Top   [Contents][Index]

2 Copyright

Nettle is dual licenced under the GNU General Public License version 2 or later, and the GNU Lesser General Public License version 3 or later. When using Nettle, you must comply fully with all conditions of at least one of these licenses. A few of the individual files are licensed under more permissive terms, or in the public domain. To find the current status of particular files, you have to read the copyright notices at the top of the files.

This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required.

A list of the supported algorithms, their origins, and exceptions to the above licensing:

AES

The implementation of the AES cipher (also known as rijndael) is written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and Niels Möller, Sparc assembler by Niels Möller.

ARCFOUR

The implementation of the ARCFOUR (also known as RC4) cipher is written by Niels Möller.

ARCTWO

The implementation of the ARCTWO (also known as RC2) cipher is written by Nikos Mavroyanopoulos and modified by Werner Koch and Simon Josefsson.

BLOWFISH

The implementation of the BLOWFISH cipher is written by Werner Koch, copyright owned by the Free Software Foundation. Also hacked by Simon Josefsson and Niels Möller.

CAMELLIA

The C implementation is by Nippon Telegraph and Telephone Corporation (NTT), heavily modified by Niels Möller. Assembler for x86 and x86_64 by Niels Möller.

CAST128

The implementation of the CAST128 cipher is written by Steve Reid. Released into the public domain.

CHACHA

Implemented by Joachim Strömbergson, based on the implementation of SALSA20 (see below). Assembly for x86_64 by Niels Möller.

DES

The implementation of the DES cipher is written by Dana L. How, and released under the LGPL, version 2 or later.

GOSTHASH94

The C implementation of the GOST94 message digest is written by Aleksey Kravchenko and was ported from the rhash library by Nikos Mavrogiannopoulos. It is released under the MIT license.

MD2

The implementation of MD2 is written by Andrew Kuchling, and hacked some by Andreas Sigfridsson and Niels Möller. Python Cryptography Toolkit license (essentially public domain).

MD4

This is almost the same code as for MD5 below, with modifications by Marcus Comstedt. Released into the public domain.

MD5

The implementation of the MD5 message digest is written by Colin Plumb. It has been hacked some more by Andrew Kuchling and Niels Möller. Released into the public domain.

PBKDF2

The C implementation of PBKDF2 is based on earlier work for Shishi and GnuTLS by Simon Josefsson.

RIPEMD160

The implementation of RIPEMD160 message digest is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Ported to Nettle by Andres Mejia.

SALSA20

The C implementation of SALSA20 is based on D. J. Bernstein’s reference implementation (in the public domain), adapted to Nettle by Simon Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 and ARM by Niels Möller.

SERPENT

The implementation of the SERPENT cipher is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Adapted to Nettle by Simon Josefsson and heavily modified by Niels Möller. Assembly for x86_64 by Niels Möller.

POLY1305

Based on the implementation by Andrew M. (floodyberry), modified by Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by Niels Möller.

SHA1

The C implementation of the SHA1 message digest is written by Peter Gutmann, and hacked some more by Andrew Kuchling and Niels Möller. Released into the public domain. Assembler for x86, x86_64 and ARM by Niels Möller, released under the LGPL.

SHA2

Written by Niels Möller, using Peter Gutmann’s SHA1 code as a model.

SHA3

Written by Niels Möller.

TWOFISH

The implementation of the TWOFISH cipher is written by Ruud de Rooij.

UMAC

Written by Niels Möller.

RSA

Written by Niels Möller. Uses the GMP library for bignum operations.

DSA

Written by Niels Möller. Uses the GMP library for bignum operations.

ECDSA

Written by Niels Möller. Uses the GMP library for bignum operations. Development of Nettle’s ECC support was funded by the .SE Internet Fund.

Next: , Previous: , Up: Top   [Contents][Index]

3 Conventions

For each supported algorithm, there is an include file that defines a context struct, a few constants, and declares functions for operating on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects.

For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms that don’t show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application.

If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle.

By convention, for an algorithm named foo, the struct tag for the context struct is foo_ctx, constants and functions uses prefixes like FOO_BLOCK_SIZE (a constant) and foo_set_key (a function).

In all functions, strings are represented with an explicit length, of type size_t, and a pointer of type uint8_t * or const uint8_t *. For functions that transform one string to another, the argument order is length, destination pointer and source pointer. Source and destination areas are usually of the same length. When they differ, e.g., for ccm_encrypt_message, the length argument specifies the size of the destination area. Source and destination pointers may be equal, so that you can process strings in place, but source and destination areas must not overlap in any other way.

Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure.

Next: , Previous: , Up: Top   [Contents][Index]

4 Example

A simple example program that reads a file from standard input and writes its SHA1 check-sum on standard output should give the flavor of Nettle. 

#include <stdio.h>
#include <stdlib.h>

#include <nettle/sha1.h>

#define BUF_SIZE 1000

static void
display_hex(unsigned length, uint8_t *data)
{
  unsigned i;

  for (i = 0; i<length; i++)
    printf("%02x ", data[i]);

  printf("\n");
}

int
main(int argc, char **argv)
{
  struct sha1_ctx ctx;
  uint8_t buffer[BUF_SIZE];
  uint8_t digest[SHA1_DIGEST_SIZE];
  
  sha1_init(&ctx);
  for (;;)
  {
    int done = fread(buffer, 1, sizeof(buffer), stdin);
    sha1_update(&ctx, done, buffer);
    if (done < sizeof(buffer))
      break;
  }
  if (ferror(stdin))
    return EXIT_FAILURE;

  sha1_digest(&ctx, SHA1_DIGEST_SIZE, digest);

  display_hex(SHA1_DIGEST_SIZE, digest);
  return EXIT_SUCCESS;  
}

On a typical Unix system, this program can be compiled and linked with the command line 

gcc sha-example.c -o sha-example -lnettle

Next: , Previous: , Up: Top   [Contents][Index]

5 Linking

Nettle actually consists of two libraries, libnettle and libhogweed. The libhogweed library contains those functions of Nettle that uses bignum operations, and depends on the GMP library. With this division, linking works the same for both static and dynamic libraries.

If an application uses only the symmetric crypto algorithms of Nettle (i.e., block ciphers, hash functions, and the like), it’s sufficient to link with -lnettle. If an application also uses public-key algorithms, the recommended linker flags are -lhogweed -lnettle -lgmp. If the involved libraries are installed as dynamic libraries, it may be sufficient to link with just -lhogweed, and the loader will resolve the dependencies automatically.

Next: , Previous: , Up: Top   [Contents][Index]

6 Reference

This chapter describes all the Nettle functions, grouped by family.

Hash functions:  
Cipher functions:  
Cipher modes:  
Authenticated encryption:  
Keyed hash functions:  
Key derivation functions:  
Public-key algorithms:  
Randomness:  
ASCII encoding:  
Miscellaneous functions:  
Compatibility functions:  

Next: , Previous: , Up: Reference   [Contents][Index]

6.1 Hash functions

A cryptographic hash function is a function that takes variable size strings, and maps them to strings of fixed, short, length. There are naturally lots of collisions, as there are more possible 1MB files than 20 byte strings. But the function is constructed such that is hard to find the collisions. More precisely, a cryptographic hash function H should have the following properties:

One-way

Given a hash value H(x) it is hard to find a string x that hashes to that value.

Collision-resistant

It is hard to find two different strings, x and y, such that H(x) = H(y).

Hash functions are useful as building blocks for digital signatures, message authentication codes, pseudo random generators, association of unique ids to documents, and many other things.

The most commonly used hash functions are MD5 and SHA1. Unfortunately, both these fail the collision-resistance requirement; cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main variants SHA256 and SHA512). At the time of this writing (Autumn 2015), SHA3 has recently been standardized, and the new SHA3 and other top SHA3 candidates may also be reasonable alternatives.

Recommended hash functions:  
Legacy hash functions:  
nettle_hash abstraction:  

Next: , Up: Hash functions   [Contents][Index]

6.1.1 Recommended hash functions

The following hash functions have no known weaknesses, and are suitable for new applications. The SHA2 family of hash functions were specified by NIST, intended as a replacement for SHA1.

6.1.1.1 SHA256

SHA256 is a member of the SHA2 family. It outputs hash values of 256 bits, or 32 octets. Nettle defines SHA256 in <nettle/sha2.h>.

Context struct: struct sha256_ctx
Constant: SHA256_DIGEST_SIZE

The size of a SHA256 digest, i.e. 32.

Constant: SHA256_BLOCK_SIZE

The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256.

Function: void sha256_init (struct sha256_ctx *ctx)

Initialize the SHA256 state.

Function: void sha256_update (struct sha256_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha256_digest (struct sha256_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA256_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as sha256_init.

Earlier versions of nettle defined SHA256 in the header file <nettle/sha.h>, which is now deprecated, but kept for compatibility.

6.1.1.2 SHA224

SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in <nettle/sha2.h> (and in <nettle/sha.h>, for backwards compatibility).

Context struct: struct sha224_ctx
Constant: SHA224_DIGEST_SIZE

The size of a SHA224 digest, i.e. 28.

Constant: SHA224_BLOCK_SIZE

The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224.

Function: void sha224_init (struct sha224_ctx *ctx)

Initialize the SHA224 state.

Function: void sha224_update (struct sha224_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha224_digest (struct sha224_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA224_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as sha224_init.

6.1.1.3 SHA512

SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 octets. Nettle defines SHA512 in <nettle/sha2.h> (and in <nettle/sha.h>, for backwards compatibility).

Context struct: struct sha512_ctx
Constant: SHA512_DIGEST_SIZE

The size of a SHA512 digest, i.e. 64.

Constant: SHA512_BLOCK_SIZE

The internal block size of SHA512, 128. Useful for some special constructions, in particular HMAC-SHA512.

Function: void sha512_init (struct sha512_ctx *ctx)

Initialize the SHA512 state.

Function: void sha512_update (struct sha512_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha512_digest (struct sha512_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA512_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as sha512_init.

6.1.1.4 SHA384 and other variants of SHA512

Several variants of SHA512 have been defined, with a different initial state, and with the output truncated to shorter length than 512 bits. Naming is a bit confused, these algorithms are called SHA512-224, SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, respectively. Nettle defines these in <nettle/sha2.h> (and in <nettle/sha.h>, for backwards compatibility).

Context struct: struct sha512_224_ctx
Context struct: struct sha512_256_ctx
Context struct: struct sha384_ctx

These context structs are all the same as sha512_ctx. They are defined as simple preprocessor aliases, which may cause some problems if used as identifiers for other purposes. So avoid doing that.

Constant: SHA512_224_DIGEST_SIZE
Constant: SHA512_256_DIGEST_SIZE
Constant: SHA384_DIGEST_SIZE

The digest size for each variant, i.e., 28, 32, and 48, respectively.

Constant: SHA512_224_BLOCK_SIZE
Constant: SHA512_256_BLOCK_SIZE
Constant: SHA384_BLOCK_SIZE

The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for some special constructions, in particular HMAC-SHA384.

Function: void sha512_224_init (struct sha512_224_ctx *ctx)
Function: void sha512_256_init (struct sha512_256_ctx *ctx)
Function: void sha384_init (struct sha384_ctx *ctx)

Initialize the context struct.

Function: void sha512_224_update (struct sha512_224_ctx *ctx, size_t length, const uint8_t *data)
Function: void sha512_256_update (struct sha512_256_ctx *ctx, size_t length, const uint8_t *data)
Function: void sha384_update (struct sha384_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data. These are all aliases for sha512_update, which does the same thing.

Function: void sha512_224_digest (struct sha512_224_ctx *ctx, size_t length, uint8_t *digest)
Function: void sha512_256_digest (struct sha512_256_ctx *ctx, size_t length, uint8_t *digest)
Function: void sha384_digest (struct sha384_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than the specified digest size, in which case only the first length octets of the digest are written.

These function also reset the context in the same way as the corresponding init function.

6.1.1.5 SHA3-224

The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are very similar to SHA1. SHA3 is a result of a competition, where the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits (28, 32, 48 and 64 octets, respectively). In August 2015, it was formally standardized by NIST, as FIPS 202, http://dx.doi.org/10.6028/NIST.FIPS.202.

Note that the SHA3 implementation in earlier versions of Nettle was based on the specification at the time Keccak was announced as the winner of the competition, which is incompatible with the final standard and hence with current versions of Nettle. The nette/sha3.h defines a preprocessor symbol NETTLE_SHA3_FIPS202 to indicate conformance with the standard.

Constant: NETTLE_SHA3_FIPS202

Defined to 1 in Nettle versions supporting FIPS 202. Undefined in earlier versions.

Nettle defines SHA3-224 in <nettle/sha3.h>.

Context struct: struct sha3_224_ctx
Constant: SHA3_224_DIGEST_SIZE

The size of a SHA3_224 digest, i.e., 28.

Constant: SHA3_224_BLOCK_SIZE

The internal block size of SHA3_224.

Function: void sha3_224_init (struct sha3_224_ctx *ctx)

Initialize the SHA3-224 state.

Function: void sha3_224_update (struct sha3_224_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha3_224_digest (struct sha3_224_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_224_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context.

6.1.1.6 SHA3-256

This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions.

Nettle defines SHA3-256 in <nettle/sha3.h>.

Context struct: struct sha3_256_ctx
Constant: SHA3_256_DIGEST_SIZE

The size of a SHA3_256 digest, i.e., 32.

Constant: SHA3_256_BLOCK_SIZE

The internal block size of SHA3_256.

Function: void sha3_256_init (struct sha3_256_ctx *ctx)

Initialize the SHA3-256 state.

Function: void sha3_256_update (struct sha3_256_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha3_256_digest (struct sha3_256_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_256_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context.

6.1.1.7 SHA3-384

This is SHA3 with 384-bit output size.

Nettle defines SHA3-384 in <nettle/sha3.h>.

Context struct: struct sha3_384_ctx
Constant: SHA3_384_DIGEST_SIZE

The size of a SHA3_384 digest, i.e., 48.

Constant: SHA3_384_BLOCK_SIZE

The internal block size of SHA3_384.

Function: void sha3_384_init (struct sha3_384_ctx *ctx)

Initialize the SHA3-384 state.

Function: void sha3_384_update (struct sha3_384_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha3_384_digest (struct sha3_384_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_384_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context.

6.1.1.8 SHA3-512

This is SHA3 with 512-bit output size.

Nettle defines SHA3-512 in <nettle/sha3.h>.

Context struct: struct sha3_512_ctx
Constant: SHA3_512_DIGEST_SIZE

The size of a SHA3_512 digest, i.e. 64.

Constant: SHA3_512_BLOCK_SIZE

The internal block size of SHA3_512.

Function: void sha3_512_init (struct sha3_512_ctx *ctx)

Initialize the SHA3-512 state.

Function: void sha3_512_update (struct sha3_512_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha3_512_digest (struct sha3_512_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_512_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context.

Next: , Previous: , Up: Hash functions   [Contents][Index]

6.1.2 Legacy hash functions

The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a “legacy” hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model.

6.1.2.1 MD5

MD5 is a message digest function constructed by Ronald Rivest, and described in RFC 1321. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in <nettle/md5.h>.

Context struct: struct md5_ctx
Constant: MD5_DIGEST_SIZE

The size of an MD5 digest, i.e. 16.

Constant: MD5_BLOCK_SIZE

The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5.

Function: void md5_init (struct md5_ctx *ctx)

Initialize the MD5 state.

Function: void md5_update (struct md5_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md5_digest (struct md5_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD5_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as md5_init.

The normal way to use MD5 is to call the functions in order: First md5_init, then md5_update zero or more times, and finally md5_digest. After md5_digest, the context is reset to its initial state, so you can start over calling md5_update to hash new data.

To start over, you can call md5_init at any time.

6.1.2.2 MD2

MD2 is another hash function of Ronald Rivest’s, described in RFC 1319. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in <nettle/md2.h>.

Context struct: struct md2_ctx
Constant: MD2_DIGEST_SIZE

The size of an MD2 digest, i.e. 16.

Constant: MD2_BLOCK_SIZE

The internal block size of MD2.

Function: void md2_init (struct md2_ctx *ctx)

Initialize the MD2 state.

Function: void md2_update (struct md2_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md2_digest (struct md2_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD2_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as md2_init.

6.1.2.3 MD4

MD4 is a predecessor of MD5, described in RFC 1320. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in <nettle/md4.h>. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols.

Context struct: struct md4_ctx
Constant: MD4_DIGEST_SIZE

The size of an MD4 digest, i.e. 16.

Constant: MD4_BLOCK_SIZE

The internal block size of MD4.

Function: void md4_init (struct md4_ctx *ctx)

Initialize the MD4 state.

Function: void md4_update (struct md4_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md4_digest (struct md4_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD4_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as md4_init.

6.1.2.4 RIPEMD160

RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in nettle/ripemd160.h.

Context struct: struct ripemd160_ctx
Constant: RIPEMD160_DIGEST_SIZE

The size of a RIPEMD160 digest, i.e. 20.

Constant: RIPEMD160_BLOCK_SIZE

The internal block size of RIPEMD160.

Function: void ripemd160_init (struct ripemd160_ctx *ctx)

Initialize the RIPEMD160 state.

Function: void ripemd160_update (struct ripemd160_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void ripemd160_digest (struct ripemd160_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than RIPEMD160_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as ripemd160_init.

6.1.2.5 SHA1

SHA1 is a hash function specified by NIST (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in <nettle/sha1.h> (and in <nettle/sha.h>, for backwards compatibility).

Context struct: struct sha1_ctx
Constant: SHA1_DIGEST_SIZE

The size of a SHA1 digest, i.e. 20.

Constant: SHA1_BLOCK_SIZE

The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1.

Function: void sha1_init (struct sha1_ctx *ctx)

Initialize the SHA1 state.

Function: void sha1_update (struct sha1_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha1_digest (struct sha1_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA1_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as sha1_init.

6.1.2.6 GOSTHASH94

The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see RFC 4357). It outputs message digests of 256 bits, or 32 octets. Nettle defines GOSTHASH94 in <nettle/gosthash94.h>.

Context struct: struct gosthash94_ctx
Constant: GOSTHASH94_DIGEST_SIZE

The size of a GOSTHASH94 digest, i.e. 32.

Constant: GOSTHASH94_BLOCK_SIZE

The internal block size of GOSTHASH94, i.e., 32.

Function: void gosthash94_init (struct gosthash94_ctx *ctx)

Initialize the GOSTHASH94 state.

Function: void gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void gosthash94_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than GOSTHASH94_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as gosthash94_init.

Previous: , Up: Hash functions   [Contents][Index]

6.1.3 The struct nettle_hash abstraction

Nettle includes a struct including information about the supported hash functions. It is defined in <nettle/nettle-meta.h>, and is used by Nettle’s implementation of HMAC (see Keyed hash functions).

Meta struct: struct nettle_hash name context_size digest_size block_size init update digest

The last three attributes are function pointers, of types nettle_hash_init_func *, nettle_hash_update_func *, and nettle_hash_digest_func *. The first argument to these functions is void * pointer to a context struct, which is of size context_size.

Constant Struct: struct nettle_hash nettle_md2
Constant Struct: struct nettle_hash nettle_md4
Constant Struct: struct nettle_hash nettle_md5
Constant Struct: struct nettle_hash nettle_ripemd160
Constant Struct: struct nettle_hash nettle_sha1
Constant Struct: struct nettle_hash nettle_sha224
Constant Struct: struct nettle_hash nettle_sha256
Constant Struct: struct nettle_hash nettle_sha384
Constant Struct: struct nettle_hash nettle_sha512
Constant Struct: struct nettle_hash nettle_sha3_256
Constant Struct: struct nettle_hash nettle_gosthash94

These are all the hash functions that Nettle implements.

Nettle also exports a list of all these hashes.

Function: const struct nettle_hash **nettle_get_hashes(void)

Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_hashes

A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., nettle_hashes[0]->name for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases.

Next: , Previous: , Up: Reference   [Contents][Index]

6.2 Cipher functions

A cipher is a function that takes a message or plaintext and a secret key and transforms it to a ciphertext. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key.

There are two main classes of ciphers: Block ciphers and stream ciphers.

A block cipher can process data only in fixed size chunks, called blocks. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called ECB, Electronic Code Book mode. However, using ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some “feedback mode”, CBC (Cipher Block Chaining) and CTR (Counter mode) being two of of the most popular. See See Cipher modes, for information on how to apply CBC and CTR with Nettle.

A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of n octets, you key the generator, generate n octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered.

Caution: The first rule for this kind of cipher is the same as for a One Time Pad: never ever use the same key twice.

A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you’re reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can’t decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in CBC mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message.

It is recommended to always use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like HMAC-SHA1 (see Keyed hash functions), or digital signatures like RSA.

Some ciphers have so called “weak keys”, keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don’t have any weak keys.

To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as key setup. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption.

6.2.1 AES

AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen.

Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in <nettle/aes.h>, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, struct aes_ctx, for all key sizes. This interface kept for backwards compatibility).

Context struct: struct aes128_ctx
Context struct: struct aes192_ctx
Context struct: struct aes256_ctx
Context struct: struct aes_ctx

Alternative struct, for the old AES interface.

Constant: AES_BLOCK_SIZE

The AES block-size, 16.

Constant: AES128_KEY_SIZE
Constant: AES192_KEY_SIZE
Constant: AES256_KEY_SIZE
Constant: AES_MIN_KEY_SIZE
Constant: AES_MAX_KEY_SIZE
Constant: AES_KEY_SIZE

Default AES key size, 32.

Function: void aes128_set_encrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
Function: void aes128_set_decrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
Function: void aes192_set_encrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
Function: void aes192_set_decrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
Function: void aes256_set_encrypt_key (struct aes256_ctx *ctx, const uint8_t *key)
Function: void aes256_set_decrypt_key (struct aes256_ctx *ctx, const uint8_t *key)
Function: void aes_set_encrypt_key (struct aes_ctx *ctx, size_t length, const uint8_t *key)
Function: void aes_set_decrypt_key (struct aes_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher, for encryption or decryption, respectively.

Function: void aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src)
Function: void aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src)
Function: void aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src)
Function: void aes_invert_key (struct aes_ctx *dst, const struct aes_ctx *src)

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the same key, because calling, e.g., aes128_set_encrypt_key and aes128_invert_key, is more efficient than calling aes128_set_encrypt_key and aes128_set_decrypt_key.

Function: void aes128_encrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes192_encrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes256_encrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes_encrypt (struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void aes128_decrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes192_decrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes256_decrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes_decrypt (struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to the encryption functions above.

6.2.2 ARCFOUR

ARCFOUR is a stream cipher, also known under the trade marked name RC4, and it is one of the fastest ciphers around. A problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like “secret:1”, “secret:2”, .... If you have keys that don’t look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Furthermore, the initial bytes of the generated key stream leak information about the key; for this reason, it is recommended to discard the first 512 bytes of the key stream. 

/* A more robust key setup function for ARCFOUR */
void
arcfour_set_key_hashed(struct arcfour_ctx *ctx,
                       size_t length, const uint8_t *key)
{
  struct sha256_ctx hash;
  uint8_t digest[SHA256_DIGEST_SIZE];
  uint8_t buffer[0x200];

  sha256_init(&hash);
  sha256_update(&hash, length, key);
  sha256_digest(&hash, SHA256_DIGEST_SIZE, digest);

  arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest);
  arcfour_crypt(ctx, sizeof(buffer), buffer, buffer);
}

Nettle defines ARCFOUR in <nettle/arcfour.h>.

Context struct: struct arcfour_ctx
Constant: ARCFOUR_MIN_KEY_SIZE

Minimum key size, 1.

Constant: ARCFOUR_MAX_KEY_SIZE

Maximum key size, 256.

Constant: ARCFOUR_KEY_SIZE

Default ARCFOUR key size, 16.

Function: void arcfour_set_key (struct arcfour_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void arcfour_crypt (struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called arcfour_crypt only once with all the data.

6.2.3 ARCTWO

ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to sci.crypt by Peter Gutmann.

ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, ekb. This parameter can be used to artificially reduce the key size. In practice, ekb is usually set equal to the input key size. Nettle defines ARCTWO in <nettle/arctwo.h>.

We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards.

Context struct: struct arctwo_ctx
Constant: ARCTWO_BLOCK_SIZE

The ARCTWO block-size, 8.

Constant: ARCTWO_MIN_KEY_SIZE
Constant: ARCTWO_MAX_KEY_SIZE
Constant: ARCTWO_KEY_SIZE

Default ARCTWO key size, 8.

Function: void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t *key, unsigned ekb)
Function: void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)
Function: void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for ekb is 1024, and for convenience, ekb = 0 has the same effect as ekb = 1024.

arctwo_set_key(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 8*length), and arctwo_set_key_gutmann(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 1024)

Function: void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to arctwo_encrypt

6.2.4 BLOWFISH

BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in <nettle/blowfish.h>.

Context struct: struct blowfish_ctx
Constant: BLOWFISH_BLOCK_SIZE

The BLOWFISH block-size, 8.

Constant: BLOWFISH_MIN_KEY_SIZE

Minimum BLOWFISH key size, 8.

Constant: BLOWFISH_MAX_KEY_SIZE

Maximum BLOWFISH key size, 56.

Constant: BLOWFISH_KEY_SIZE

Default BLOWFISH key size, 16.

Function: int blowfish_set_key (struct blowfish_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value.

blowfish_encrypt or blowfish_decrypt with a weak key will crash with an assert violation.

Function: void blowfish_encrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void blowfish_decrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to blowfish_encrypt

6.2.5 Camellia

Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in RFC3713. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at http://www.ntt.co.jp/news/news01e/0104/010417.html, but this statement has some limitations which seem problematic for free software.

Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in <nettle/camellia.h>, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, struct camellia_ctx, for all key sizes. This interface kept for backwards compatibility).

Context struct: struct camellia128_ctx
Context struct: struct camellia192_ctx
Context struct: struct camellia256_ctx

Contexts structs. Actually, camellia192_ctx is an alias for camellia256_ctx.

Context struct: struct camellia_ctx

Alternative struct, for the old Camellia interface.

Constant: CAMELLIA_BLOCK_SIZE

The CAMELLIA block-size, 16.

Constant: CAMELLIA128_KEY_SIZE
Constant: CAMELLIA192_KEY_SIZE
Constant: CAMELLIA256_KEY_SIZE
Constant: CAMELLIA_MIN_KEY_SIZE
Constant: CAMELLIA_MAX_KEY_SIZE
Constant: CAMELLIA_KEY_SIZE

Default CAMELLIA key size, 32.

Function: void camellia128_set_encrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
Function: void camellia128_set_decrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
Function: void camellia192_set_encrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
Function: void camellia192_set_decrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
Function: void camellia256_set_encrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
Function: void camellia256_set_decrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
Function: void camellia_set_encrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)
Function: void camellia_set_decrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher, for encryption or decryption, respectively.

Function: void camellia128_invert_key (struct camellia128_ctx *dst, const struct camellia128_ctx *src)
Function: void camellia192_invert_key (struct camellia192_ctx *dst, const struct camellia192_ctx *src)
Function: void camellia256_invert_key (struct camellia256_ctx *dst, const struct camellia256_ctx *src)
Function: void camellia_invert_key (struct camellia_ctx *dst, const struct camellia_ctx *src)

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the same key.

Function: void camellia128_crypt (struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia192_crypt (struct camellia192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia256_crypt (struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia_crypt (struct camellia_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

The same function is used for both encryption and decryption. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

6.2.6 CAST128

CAST-128 is a block cipher, specified in RFC 2144. It uses a 64 bit (8 octets) block size, and a variable key size of up to 128 bits. Nettle defines cast128 in <nettle/cast128.h>.

Context struct: struct cast128_ctx
Constant: CAST128_BLOCK_SIZE

The CAST128 block-size, 8.

Constant: CAST128_MIN_KEY_SIZE

Minimum CAST128 key size, 5.

Constant: CAST128_MAX_KEY_SIZE

Maximum CAST128 key size, 16.

Constant: CAST128_KEY_SIZE

Default CAST128 key size, 16.

Function: void cast128_set_key (struct cast128_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void cast128_encrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void cast128_decrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to cast128_encrypt

6.2.7 ChaCha

ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. Bernstein. For more information on Salsa20, see below. Nettle defines ChaCha in <nettle/chacha.h>.

Context struct: struct chacha_ctx
Constant: CHACHA_KEY_SIZE

ChaCha key size, 32.

Constant: CHACHA_BLOCK_SIZE

ChaCha block size, 64.

Constant: CHACHA_NONCE_SIZE

Size of the nonce, 8.

Function: void chacha_set_key (struct chacha_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you must also call chacha_set_nonce, see below.

Function: void chacha_set_nonce (struct chacha_ctx *ctx, const uint8_t *nonce)

Sets the nonce. It is always of size CHACHA_NONCE_SIZE, 8 octets. This function also initializes the block counter, setting it to zero.

Function: void chacha_crypt (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to chacha_crypt, all but the last call must use a length that is a multiple of CHACHA_BLOCK_SIZE.

6.2.8 DES

DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key.

The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn’t be using plain DES at all today, if one uses DES at all one should be using “triple DES”, see DES3 below.

DES also has some weak keys. Nettle defines DES in <nettle/des.h>.

Context struct: struct des_ctx
Constant: DES_BLOCK_SIZE

The DES block-size, 8.

Constant: DES_KEY_SIZE

DES key size, 8.

Function: int des_set_key (struct des_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value.

Function: void des_encrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void des_decrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to des_encrypt

Function: int des_check_parity (size_t length, const uint8_t *key);

Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity.

Function: void des_fix_parity (size_t length, uint8_t *dst, const uint8_t *src)

Adjusts the parity bits to match DES’s requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. dst and src may be equal.

6.2.9 DES3

The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits.

The standard way to increase DES’s key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then decrypt it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as “ede” triple-DES, for “encrypt-decrypt-encrypt”.

The “ede” construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3.

DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a “two-key” variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force.

Naturally, it’s simple to implement triple-DES on top of Nettle’s DES functions. Nettle includes an implementation of three-key “ede” triple-DES, it is defined in the same place as plain DES, <nettle/des.h>.

Context struct: struct des3_ctx
Constant: DES3_BLOCK_SIZE

The DES3 block-size is the same as DES_BLOCK_SIZE, 8.

Constant: DES3_KEY_SIZE

DES key size, 24.

Function: int des3_set_key (struct des3_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don’t care about weak keys can ignore the return value.

For random-looking strings, you can use des_fix_parity to adjust the parity bits before calling des3_set_key.

Function: void des3_encrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void des3_decrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to des_encrypt

6.2.10 Salsa20

Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, see see CTR). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions.

Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It’s also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets).

Caution: The hash function used in Salsa20 is not directly applicable for use as a general hash function. It’s not collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size.

When using Salsa20 to process a message, one specifies both a key and a nonce, the latter playing a similar rôle to the initialization vector (IV) used with CBC or CTR mode. One can use the same key for several messages, provided one uses a unique random iv for each message. The iv is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in <nettle/salsa20.h>.

Context struct: struct salsa20_ctx
Constant: SALSA20_128_KEY_SIZE
Constant: SALSA20_256_KEY_SIZE

The two supported key sizes, 16 and 32 octets.

Constant: SALSA20_KEY_SIZE

Recommended key size, 32.

Constant: SALSA20_BLOCK_SIZE

Salsa20 block size, 64.

Constant: SALSA20_NONCE_SIZE

Size of the nonce, 8.

Function: void salsa20_128_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
Function: void salsa20_256_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
Function: void salsa20_set_key (struct salsa20_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. salsa20_128_set_key and salsa20_128_set_key use a fix key size each, 16 and 32 octets, respectively. The function salsa20_set_key is provided for backwards compatibility, and the length argument must be either 16 or 32. Before using the cipher, you must also call salsa20_set_nonce, see below.

Function: void salsa20_set_nonce (struct salsa20_ctx *ctx, const uint8_t *nonce)

Sets the nonce. It is always of size SALSA20_NONCE_SIZE, 8 octets. This function also initializes the block counter, setting it to zero.

Function: void salsa20_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to salsa20_crypt, all but the last call must use a length that is a multiple of SALSA20_BLOCK_SIZE.

The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see http://www.ecrypt.eu.org/stream/finallist.html. Nettle calls this variant salsa20r12. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption.

Function: void salsa20r12_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds.

6.2.11 SERPENT

SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES’. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in <nettle/serpent.h>.

Context struct: struct serpent_ctx
Constant: SERPENT_BLOCK_SIZE

The SERPENT block-size, 16.

Constant: SERPENT_MIN_KEY_SIZE

Minimum SERPENT key size, 16.

Constant: SERPENT_MAX_KEY_SIZE

Maximum SERPENT key size, 32.

Constant: SERPENT_KEY_SIZE

Default SERPENT key size, 32.

Function: void serpent_set_key (struct serpent_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void serpent_encrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void serpent_decrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to serpent_encrypt

6.2.12 TWOFISH

Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in <nettle/twofish.h>.

Context struct: struct twofish_ctx
Constant: TWOFISH_BLOCK_SIZE

The TWOFISH block-size, 16.

Constant: TWOFISH_MIN_KEY_SIZE

Minimum TWOFISH key size, 16.

Constant: TWOFISH_MAX_KEY_SIZE

Maximum TWOFISH key size, 32.

Constant: TWOFISH_KEY_SIZE

Default TWOFISH key size, 32.

Function: void twofish_set_key (struct twofish_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void twofish_encrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void twofish_decrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to twofish_encrypt

6.2.13 The struct nettle_cipher abstraction

Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in <nettle/nettle-meta.h>.

Meta struct: struct nettle_cipher name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt

The last four attributes are function pointers, of types nettle_set_key_func * and nettle_cipher_func *. The first argument to these functions is a const void * pointer to a context struct, which is of size context_size.

Constant Struct: struct nettle_cipher nettle_aes128
Constant Struct: struct nettle_cipher nettle_aes192
Constant Struct: struct nettle_cipher nettle_aes256
Constant Struct: struct nettle_cipher nettle_arctwo40
Constant Struct: struct nettle_cipher nettle_arctwo64
Constant Struct: struct nettle_cipher nettle_arctwo128
Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128
Constant Struct: struct nettle_cipher nettle_arcfour128
Constant Struct: struct nettle_cipher nettle_camellia128
Constant Struct: struct nettle_cipher nettle_camellia192
Constant Struct: struct nettle_cipher nettle_camellia256
Constant Struct: struct nettle_cipher nettle_cast128
Constant Struct: struct nettle_cipher nettle_serpent128
Constant Struct: struct nettle_cipher nettle_serpent192
Constant Struct: struct nettle_cipher nettle_serpent256
Constant Struct: struct nettle_cipher nettle_twofish128
Constant Struct: struct nettle_cipher nettle_twofish192
Constant Struct: struct nettle_cipher nettle_twofish256

Nettle includes such structs for all the regular ciphers, i.e. ones without weak keys or other oddities.

Nettle also exports a list of all these ciphers without weak keys or other oddities.

Function: const struct nettle_cipher **nettle_get_ciphers(void)

Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_ciphers

A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers.

Next: , Previous: , Up: Reference   [Contents][Index]

6.3 Cipher modes

Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher’s block size. As explained in See Cipher functions, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, ECB), leaks information.

Besides ECB, Nettle provides several other modes of operation: Cipher Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB) and a couple of AEAD modes (see Authenticated encryption). CBC is widely used, but there are a few subtle issues of information leakage, see, e.g., SSH CBC vulnerability. Today, CTR is usually preferred over CBC.

Modes like CBC, CTR and CFB provide no message authentication, and should always be used together with a MAC (see Keyed hash functions) or signature to authenticate the message.

CBC:  
CTR:  
CFB:  

Next: , Previous: , Up: Cipher modes   [Contents][Index]

6.3.1 Cipher Block Chaining

When using CBC mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in CBC mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an IV, or Initialization Vector, is used as the “previous ciphertext block”. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data.

In symbols, if E_k is the encryption function of a block cipher, and IV is the initialization vector, then n plaintext blocks M_1,… M_n are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IV  XOR M_1)
C_2 = E_k(C_1 XOR M_2)

…

C_n = E_k(C_(n-1) XOR M_n)

Nettle’s includes two functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. These functions uses void * to pass cipher contexts around.

Function: void cbc_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cbc_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CBC mode. The final ciphertext block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cbc_encrypt. The function f is of type

void f (void *ctx, size_t length, uint8_t dst, const uint8_t *src),

and the cbc_encrypt and cbc_decrypt functions pass their argument ctx on to f.

There are also some macros to help use these functions correctly.

Macro: CBC_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}

It can be used to define a CBC context struct, either directly, 

struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx;

or to give it a struct tag, 

struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE);
Macro: CBC_SET_IV (ctx, iv)

First argument is a pointer to a context struct as defined by CBC_CTX, and the second is a pointer to an Initialization Vector (IV) that is copied into that context.

Macro: CBC_ENCRYPT (ctx, f, length, dst, src)
Macro: CBC_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cbc_encrypt and cbc_decrypt. The first argument is a pointer to a context struct as defined by CBC_CTX, and the second argument is an encryption or decryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

These macros use some tricks to make the compiler display a warning if the types of f and ctx don’t match, e.g. if you try to use an struct aes_ctx context with the des_encrypt function.

Next: , Previous: , Up: Cipher modes   [Contents][Index]

6.3.2 Counter mode

Counter mode (CTR) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher.

The message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size.

If E_k is the encryption function of a block cipher, IC is the initial counter, then the n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IC) XOR M_1
C_2 = E_k(IC + 1) XOR M_2

…

C_(n-1) = E_k(IC + n - 2) XOR M_(n-1)
C_n = E_k(IC + n - 1) [1..m] XOR M_n

The IC is the initial value for the counter, it plays a similar rôle as the IV for CBC. When adding, IC + x, IC is interpreted as an integer, in network byte order. For the last block, E_k(IC + n - 1) [1..m] means that the cipher output is truncated to m bytes.

Function: void ctr_crypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption function f in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence f should always be the encryption function for the underlying block cipher.

When a message is encrypted using a sequence of calls to ctr_crypt, all but the last call must use a length that is a multiple of the block size.

Like for CBC, there are also a couple of helper macros.

Macro: CTR_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t ctr[block_size];
}
Macro: CTR_SET_COUNTER (ctx, iv)

First argument is a pointer to a context struct as defined by CTR_CTX, and the second is a pointer to an initial counter that is copied into that context.

Macro: CTR_CRYPT (ctx, f, length, dst, src)

A simpler way to invoke ctr_crypt. The first argument is a pointer to a context struct as defined by CTR_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Previous: , Up: Cipher modes   [Contents][Index]

6.3.3 Cipher Feedback mode

Cipher Feedback mode (CFB) being a close relative to both CBC mode and CTR mode borrows some characteristics from stream ciphers.

The message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size.

If E_k is the encryption function of a block cipher, IV is the initialization vector, then the n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IV) XOR M_1
C_2 = E_k(C_1) XOR M_2

…

C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1)
C_n = E_k(C_(n - 1)) [1..m] XOR M_n

Nettle’s includes two functions for applying a block cipher in Cipher Feedback (CFB) mode, one for encryption and one for decryption. These functions uses void * to pass cipher contexts around.

Function: void cfb_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cfb_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CFB mode. The final ciphertext block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cfb_encrypt. Note that for CFB mode internally uses encryption only function and hence f should always be the encryption function for the underlying block cipher.

When a message is encrypted using a sequence of calls to cfb_encrypt, all but the last call must use a length that is a multiple of the block size.

Like for CBC, there are also a couple of helper macros.

Macro: CFB_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}
Macro: CFB_SET_IV(ctx, iv)

First argument is a pointer to a context struct as defined by CFB_CTX, and the second is a pointer to an initialization vector that is copied into that context.

Macro: CFB_ENCRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb_encrypt. The first argument is a pointer to a context struct as defined by CFB_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Macro: CFB_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb_decrypt. The first argument is a pointer to a context struct as defined by CFB_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Next: , Previous: , Up: Reference   [Contents][Index]

6.4 Authenticated encryption with associated data

Since there are some subtle design choices to be made when combining a block cipher mode with out authentication with a MAC. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the “associated data”, which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called AEAD, Authenticated encryption with associated data.

The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step, although that potential is not realized for the constructions currently supported by Nettle.

For encryption, the inputs are:

  • The key, which can be used for many messages.
  • A nonce, which must be unique for each message using the same key.
  • Additional associated data to be authenticated, but not included in the message.
  • The cleartext message to be encrypted.

The outputs are:

  • The ciphertext, of the same size as the cleartext.
  • A digest or “authentication tag”.

Decryption works the same, but with cleartext and ciphertext interchanged. All currently supported AEAD algorithms always use the encryption function of the underlying block cipher, for both encryption and decryption.

Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle’s low level AEAD functions produce the authentication tag as a separate output for both encryption and decryption.

Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some AEAD may implement more liberal conventions. The CCM mode is a bit special in that it requires the message lengths up front, other AEAD constructions don’t have this restriction.

The supported AEAD constructions are Galois/Counter mode (GCM), EAX, ChaCha-Poly1305, and Counter with CBC-MAC (CCM). There are some weaknesses in GCM authentication, see http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf. CCM and EAX use the same building blocks, but the EAX design is cleaner and avoids a couple of inconveniences of CCM. Therefore, EAX seems like a good conservative choice. The more recent ChaCha-Poly1305 may also be an attractive but more adventurous alternative, in particular if performance is important.

EAX:  
GCM:  
CCM:  
ChaCha-Poly1305:  
nettle_aead abstraction:  

Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

6.4.1 EAX

The EAX mode is an AEAD mode whichcombines CTR mode encryption, See CTR, with a message authentication based on CBC, See CBC. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). EAX was defined as a reaction to the CCM mode, See CCM, which uses the same primitives but has some undesirable and inelegant properties.

EAX supports arbitrary nonce size; it’s even possible to use an empty nonce in case only a single message is encrypted for each key.

Nettle’s support for EAX consists of a low-level general interface, some convenience macros, and specific functions for EAX using AES-128 as the underlying cipher. These interfaces are defined in <nettle/eax.h>

6.4.1.1 General EAX interface

Context struct: struct eax_key

EAX state which depends only on the key, but not on the nonce or the message.

Context struct: struct eax_ctx

Holds state corresponding to a particular message.

Constant: EAX_BLOCK_SIZE

EAX’s block size, 16.

Constant: EAX_DIGEST_SIZE

Size of the EAX digest, also 16.

Function: void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f)

Initializes key. cipher gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and f is the encryption function.

Function: void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce)

Initializes ctx for processing a new message, using the given nonce.

Function: void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size. Unlike many other AEAD constructions, for EAX it’s not necessary to complete the processing of all associated data before encrypting or decrypting the message data.

Function: void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest);

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If length is smaller than EAX_DIGEST_SIZE, only the first length octets of the digest are written.

6.4.1.2 EAX helper macros

The following macros are defined.

Macro: EAX_CTX (context_type)

This defines an all-in-one context struct, including the context of the underlying cipher and all EAX state. It expands to 

{
   struct eax_key key;
   struct eax_ctx eax;
   context_type cipher;
}

For all these macros, ctx, is a context struct as defined by EAX_CTX, and encrypt is the encryption function of the underlying cipher.

Macro: EAX_SET_KEY (ctx, set_key, encrypt, key)

set_key is the function for setting the encryption key for the underlying cipher, and key is the key.

Macro: EAX_SET_NONCE (ctx, encrypt, length, nonce)

Sets the nonce to be used for the message.

Macro: EAX_UPDATE (ctx, encrypt, length, data)

Process associated data for authentication.

Macro: EAX_ENCRYPT (ctx, encrypt, length, dst, src)
Macro: EAX_DECRYPT (ctx, encrypt, length, dst, src)

Process message data for encryption or decryption.

Macro: EAX_DIGEST (ctx, encrypt, length, digest)

Extract te authentication tag for the message.

6.4.1.3 EAX-AES128 interface

The following functions implement EAX using AES-128 as the underlying cipher.

Context struct: struct eax_aes128_ctx

The context struct, defined using EAX_CTX.

Function: void eax_aes128_set_key (struct eax_aes128_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given nonce.

Function: void eax_aes128_update (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_aes128_encrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void eax_aes128_decrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_aes128_digest (struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest);

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If length is smaller than EAX_DIGEST_SIZE, only the first length octets of the digest are written.

Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

6.4.2 Galois counter mode

Galois counter mode is an AEAD constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular MAC algorithms (see Keyed hash functions) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, NIST Special Publication 800-38D. It is constructed on top of a block cipher which must have a block size of 128 bits.

The authentication in GCM has some known weaknesses, see http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf. In particular, don’t use GCM with short authentication tags.

Nettle’s support for GCM consists of a low-level general interface, some convenience macros, and specific functions for GCM using AES or Camellia as the underlying cipher. These interfaces are defined in <nettle/gcm.h>

6.4.2.1 General GCM interface

Context struct: struct gcm_key

Message independent hash sub-key, and related tables.

Context struct: struct gcm_ctx

Holds state corresponding to a particular message.

Constant: GCM_BLOCK_SIZE

GCM’s block size, 16.

Constant: GCM_DIGEST_SIZE

Size of the GCM digest, also 16.

Constant: GCM_IV_SIZE

Recommended size of the IV, 12. Arbitrary sizes are allowed.

Function: void gcm_set_key (struct gcm_key *key, const void *cipher, nettle_cipher_func *f)

Initializes key. cipher gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and f is the encryption function.

Function: void gcm_set_iv (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv)

Initializes ctx using the given IV. The key argument is actually needed only if length differs from GCM_IV_SIZE.

Function: void gcm_update (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_encrypt or gcm_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_decrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_digest (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that length is GCM_DIGEST_SIZE, but if you provide a smaller value, only the first length octets of the digest are written.

To encrypt a message using GCM, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: gcm_set_key, gcm_set_iv, gcm_update, gcm_encrypt, gcm_digest. The decryption procedure is analogous, just calling gcm_decrypt instead of gcm_encrypt (note that GCM decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call gcm_set_iv with a new iv.

6.4.2.2 GCM helper macros

The following macros are defined.

Macro: GCM_CTX (context_type)

This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to 

{
   struct gcm_key key; 
   struct gcm_ctx gcm;
   context_type cipher;
}

Example use: 

struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);

The following macros operate on context structs of this form.

Macro: GCM_SET_KEY (ctx, set_key, encrypt, key)

First argument, ctx, is a context struct as defined by GCM_CTX. set_key and encrypt are functions for setting the encryption key and for encrypting data using the underlying cipher.

Macro: GCM_SET_IV (ctx, length, data)

First argument is a context struct as defined by GCM_CTX. length and data give the initialization vector (IV).

Macro: GCM_UPDATE (ctx, length, data)

Simpler way to call gcm_update. First argument is a context struct as defined by GCM_CTX

Macro: GCM_ENCRYPT (ctx, encrypt, length, dst, src)
Macro: GCM_DECRYPT (ctx, encrypt, length, dst, src)
Macro: GCM_DIGEST (ctx, encrypt, length, digest)

Simpler way to call gcm_encrypt, gcm_decrypt or gcm_digest. First argument is a context struct as defined by GCM_CTX. Second argument, encrypt, is the encryption function of the underlying cipher.

6.4.2.3 GCM-AES interface

The following functions implement the common case of GCM using AES as the underlying cipher. The variants with a specific AES flavor are recommended, while the fucntinos using struct gcm_aes_ctx are kept for compatibility with older versiosn of Nettle.

Context struct: struct gcm_aes128_ctx
Context struct: struct gcm_aes192_ctx
Context struct: struct gcm_aes256_ctx

Context structs, defined using GCM_CTX.

Context struct: struct gcm_aes_ctx

Alternative context struct, usign the old AES interface.

Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *ctx, const uint8_t *key)
Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *ctx, const uint8_t *key)
Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_aes_set_key (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key)

Corresponding function, using the old AES interface. All valid AES key sizes can be used.

Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes_set_iv (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes_update (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_aes_encrypt or gcm_aes_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes_encrypt (struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes_decrypt (struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_aes128_digest (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_aes192_digest (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_aes256_digest (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_aes_digest (struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that length is GCM_DIGEST_SIZE, but if you provide a smaller value, only the first length octets of the digest are written.

6.4.2.4 GCM-Camellia interface

The following functions implement the case of GCM using Camellia as the underlying cipher.

Context struct: struct gcm_camellia128_ctx
Context struct: struct gcm_camellia256_ctx

Context structs, defined using GCM_CTX.

Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx *ctx, const uint8_t *key)
Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_camellia_encrypt or gcm_camellia_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_camellia_digest (struct gcm_camellia_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that length is GCM_DIGEST_SIZE, but if you provide a smaller value, only the first length octets of the digest are written.

Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

6.4.3 Counter with CBC-MAC mode

CCM mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as EAX, see EAX. It is constructed on top of a block cipher which must have a block size of 128 bits. CCM mode is recommended by NIST in NIST Special Publication 800-38C. Nettle’s support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in <nettle/ccm.h>.

In CCM, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is 2^24 - 1 octets.

CCM mode encryption operates as follows:

  • The nonce and message length are concatenated to create B_0 = flags | nonce | mlength
  • The authenticated data and plaintext is formatted into the string B = L(adata) | adata | padding | plaintext | padding with padding being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and L(adata) is an encoding of the length of adata.
  • The string B is separated into blocks B_1 ... B_n
  • The authentication tag T is calculated as T=0, for i=0 to n, do T = E_k(B_i XOR T)
  • An initial counter is then initialized from the nonce to create IC = flags | nonce | padding, where padding is the shortest string of zero bytes such that IC is exactly one block in length.
  • The authentication tag is encrypted using using CTR mode: MAC = E_k(IC) XOR T
  • The plaintext is then encrypted using CTR mode with an initial counter of IC+1.

CCM mode decryption operates similarly, except that the ciphertext and MAC are first decrypted using CTR mode to retreive the plaintext and authentication tag. The authentication tag can then be recalucated from the authenticated data and plantext, and compared to the value in the message to check for authenticity.

6.4.3.1 General CCM interface

For all of the functions in the CCM interface, cipher is the context struct for the underlying cipher and f is the encryption function. The cipher’s encryption key must be set before calling any of the CCM functions. The cipher’s decryption function and key are never used.

Context struct: struct ccm_ctx

Holds state corresponding to a particular message.

Constant: CCM_BLOCK_SIZE

CCM’s block size, 16.

Constant: CCM_DIGEST_SIZE

Size of the CCM digest, 16.

Constant: CCM_MIN_NONCE_SIZE
Constant: CCM_MAX_NONCE_SIZE

The the minimum and maximum sizes for an CCM nonce, 7 and 14, respectively.

Macro: CCM_MAX_MSG_SIZE (nonce_size)

The largest allowed plaintext length, when using CCM with a nonce of the given size.

Function: void ccm_set_nonce (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)

Initializes ctx using the given nonce and the sizes of the authenticated data, message, and MAC to be processed.

Function: void ccm_update (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data)

Provides associated data to be authenticated. Must be called after ccm_set_nonce, and before ccm_encrypt, ccm_decrypt, or ccm_digest.

Function: void ccm_encrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_decrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the message data. Must be called after ccm_set_nonce and before ccm_digest. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ccm_digest (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. length is usually equal to the taglen parameter supplied to ccm_set_nonce, but if you provide a smaller value, only the first length octets of the digest are written.

To encrypt a message using the general CCM interface, set the message nonce and length using ccm_set_nonce and then call ccm_update to generate the digest of any authenticated data. After all of the authenticated data has been digested use ccm_encrypt to encrypt the plaintext. Finally, use ccm_digest to return the encrypted MAC.

To decrypt a message, use ccm_set_nonce and ccm_update the same as you would for encryption, and then call ccm_decrypt to decrypt the ciphertext. After decrypting the ciphertext ccm_digest will return the encrypted MAC which should be identical to the MAC in the received message.

6.4.3.2 CCM message interface

The CCM message fuctions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by mlength and the length of the ciphertext is given by clength, always exactly tlength bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, clength for the encryption functions, and mlength for the decryption functions.

Function: void ccm_encrypt_message (void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the encrypted MAC to ciphertext and outputs it to dst.

Function: int ccm_decrypt_message (void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the MAC from adata and the plaintext, and compares it to the final tlength bytes of src. If the values of the received and calculated MACs are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

6.4.3.3 CCM-AES interface

The AES CCM functions provide an API for using CCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the cipher, f, and ctx parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface.

Context struct: struct ccm_aes128_ctx

Holds state corresponding to a particular message encrypted using the AES-128 block cipher.

Context struct: struct ccm_aes192_ctx

Holds state corresponding to a particular message encrypted using the AES-192 block cipher.

Context struct: struct ccm_aes256_ctx

Holds state corresponding to a particular message encrypted using the AES-256 block cipher.

Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *ctx, const uint8_t *key)
Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *ctx, const uint8_t *key)
Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *ctx, const uint8_t *key)

Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES CCM interface.

Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)

These are identical to ccm_set_nonce, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_update (struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data)
Function: void ccm_aes192_update (struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data)
Function: void ccm_aes256_update (struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data)

These are identical to ccm_set_update, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

These are identical to ccm_set_encrypt and ccm_set_decrypt, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_digest (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *digest)
Function: void ccm_aes192_digest (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *digest)
Function: void ccm_aes256_digest (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *digest)

These are identical to ccm_set_digest, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

These are identical to ccm_encrypt_message and ccm_decrypt_message except that cipher and f are replaced with a context structure.

Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

6.4.4 ChaCha-Poly1305

ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (see Poly1305). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha.

Nettle’s implementation ChaCha-Poly1305 should be considered experimental. At the time of this writing, there is no authoritative specification for ChaCha-Poly1305, and a couple of different incompatible variants. Nettle implements it using the original definition of ChaCha, with 64 bits (8 octets) each for the nonce and the block counter. Some protocols prefer to use nonces of 12 bytes, and it’s a small change to ChaCha to use the upper 32 bits of the block counter as a nonce, instead limiting message size to 2^32 blocks or 256 GBytes, but that variant is currently not supported.

For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver’s behaviour) that the forgery succeeded.

The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in <nettle/chacha-poly1305.h>.

Constant: CHACHA_POLY1305_BLOCK_SIZE

Same as the ChaCha block size, 64.

Constant: CHACHA_POLY1305_KEY_SIZE

ChaCha-Poly1305 key size, 32.

Constant: CHACHA_POLY1305_NONCE_SIZE

Same as the ChaCha nonce size, 16.

Constant: CHACHA_POLY1305_DIGEST_SIZE

Digest size, 16.

Context struct: struct chacha_poly1305_ctx
Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key. Before using the context, you must also call chacha_poly1305_set_nonce, see below.

Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce)

Initializes the per-message state, using the given nonce.

Function: void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data)

Process associated data for authentication.

Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If length is smaller than CHACHA_POLY1305_DIGEST_SIZE, only the first length octets of the digest are written.

Previous: , Up: Authenticated encryption   [Contents][Index]

6.4.5 The struct nettle_aead abstraction

Nettle includes a struct including information about the supported hash functions. It is defined in <nettle/nettle-meta.h>.

Meta struct: struct nettle_aead name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest

The last seven attributes are function pointers.

Constant Struct: struct nettle_aead nettle_gcm_aes128
Constant Struct: struct nettle_aead nettle_gcm_aes192
Constant Struct: struct nettle_aead nettle_gcm_aes256
Constant Struct: struct nettle_aead nettle_gcm_camellia128
Constant Struct: struct nettle_aead nettle_gcm_camellia256
Constant Struct: struct nettle_aead nettle_eax_aes128
Constant Struct: struct nettle_aead nettle_chacha_poly1305

These are most of the AEAD constructions that Nettle implements. Note that CCM is missing; it requirement that the message size is specified in advance makes it incompatible with the nettle_aead abstraction.

Nettle also exports a list of all these constructions.

Function: const struct nettle_aead **nettle_get_aeads(void)

Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_aeads

A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers.

Next: , Previous: , Up: Reference   [Contents][Index]

6.5 Keyed Hash Functions

A keyed hash function, or Message Authentication Code (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs.

Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC and attaches it to the message. The receiver, Bob, also computes the MAC of the message, using the same key, and compares that to Alice’s value. If they match, Bob can be assured that the message has not been modified on its way from Alice.

However, unlike digital signatures, this assurance is not transferable. Bob can’t show the message and the MAC to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the same key is used on both sides, and anyone knowing the key can create a correct MAC for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn’t attach a MAC to a particular message, he knows it must be Alice who did it. However, the third party can’t distinguish between a MAC created by Alice and one created by Bob.

Keyed hash functions are typically a lot faster than digital signatures as well.

HMAC:  
UMAC:  
Poly1305:  

Next: , Previous: , Up: Keyed hash functions   [Contents][Index]

6.5.1 HMAC

One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is HMAC, described in RFC 2104.

For an underlying hash function H, with digest size l and internal block size b, HMAC-H is constructed as follows: From a given key k, two distinct subkeys k_i and k_o are constructed, both of length b. The HMAC-H of a message m is then computed as H(k_o | H(k_i | m)), where | denotes string concatenation.

HMAC keys can be of any length, but it is recommended to use keys of length l, the digest size of the underlying hash function H. Keys that are longer than b are shortened to length l by hashing with H, so arbitrarily long keys aren’t very useful.

Nettle’s HMAC functions are defined in <nettle/hmac.h>. There are abstract functions that use a pointer to a struct nettle_hash to represent the underlying hash function and void * pointers that point to three different context structs for that hash function. There are also concrete functions for HMAC-MD5, HMAC-RIPEMD160 HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512. First, the abstract functions:

Function: void hmac_set_key (void *outer, void *inner, void *state, const struct nettle_hash *H, size_t length, const uint8_t *key)

Initializes the three context structs from the key. The outer and inner contexts corresponds to the subkeys k_o and k_i. state is used for hashing the message, and is initialized as a copy of the inner context.

Function: void hmac_update (void *state, const struct nettle_hash *H, size_t length, const uint8_t *data)

This function is called zero or more times to process the message. Actually, hmac_update(state, H, length, data) is equivalent to H->update(state, length, data), so if you wish you can use the ordinary update function of the underlying hash function instead.

Function: void hmac_digest (const void *outer, const void *inner, void *state, const struct nettle_hash *H, size_t length, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. outer and inner are not modified. length is usually equal to H->digest_size, but if you provide a smaller value, only the first length octets of the MAC are written.

This function also resets the state context so that you can start over processing a new message (with the same key).

Like for CBC, there are some macros to help use these functions correctly.

Macro: HMAC_CTX (type)

Expands to 

{
   type outer;
   type inner;
   type state;
}

It can be used to define a HMAC context struct, either directly, 

struct HMAC_CTX(struct md5_ctx) ctx;

or to give it a struct tag, 

struct hmac_md5_ctx HMAC_CTX (struct md5_ctx);
Macro: HMAC_SET_KEY (ctx, H, length, key)

ctx is a pointer to a context struct as defined by HMAC_CTX, H is a pointer to a const struct nettle_hash describing the underlying hash function (so it must match the type of the components of ctx). The last two arguments specify the secret key.

Macro: HMAC_DIGEST (ctx, H, length, digest)

ctx is a pointer to a context struct as defined by HMAC_CTX, H is a pointer to a const struct nettle_hash describing the underlying hash function. The last two arguments specify where the digest is written.

Note that there is no HMAC_UPDATE macro; simply call hmac_update function directly, or the update function of the underlying hash function.

6.5.2 Concrete HMAC functions

Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions.

6.5.2.1 HMAC-MD5

Context struct: struct hmac_md5_ctx
Function: void hmac_md5_set_key (struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_md5_update (struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_md5_digest (struct hmac_md5_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than MD5_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

6.5.2.2 HMAC-RIPEMD160

Context struct: struct hmac_ripemd160_ctx
Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than RIPEMD160_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

6.5.2.3 HMAC-SHA1

Context struct: struct hmac_sha1_ctx
Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha1_update (struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha1_digest (struct hmac_sha1_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than SHA1_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

6.5.2.4 HMAC-SHA256

Context struct: struct hmac_sha256_ctx
Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha256_update (struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha256_digest (struct hmac_sha256_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than SHA256_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

6.5.2.5 HMAC-SHA512

Context struct: struct hmac_sha512_ctx
Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha512_update (struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha512_digest (struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than SHA512_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

Next: , Previous: , Up: Keyed hash functions   [Contents][Index]

6.5.3 UMAC

UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, See GCM, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. UMAC is specified in RFC 4418.

The secret key is always 128 bits (16 octets). The key is used as an encryption key for the AES block cipher. This cipher is used in counter mode to generate various internal subkeys needed in UMAC. Messages are of arbitrary size, and for each message, UMAC also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret.

The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle’s implementation of UMAC increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is “abc” (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to “abd”, and this incremented value is zero-padded to 16 octets.

UMAC is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and MAC functions, Nettle’s _digest functions for UMAC accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the umac variant corresponding to the desired size.

The internal block size of UMAC is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and MAC algorithms in Nettle.

Nettle defines UMAC in <nettle/umac.h>.

Context struct: struct umac32_ctx
Context struct: struct umac64_ctx
Context struct: struct umac96_ctx
Context struct: struct umac128_ctx

Each UMAC variant uses its own context struct.

Constant: UMAC_KEY_SIZE

The UMAC key size, 16.

Constant: UMAC_MIN_NONCE_SIZE
Constant: UMAC_MAX_NONCE_SIZE

The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively.

Constant: UMAC32_DIGEST_SIZE

The size of an UMAC32 digest, 4.

Constant: UMAC64_DIGEST_SIZE

The size of an UMAC64 digest, 8.

Constant: UMAC96_DIGEST_SIZE

The size of an UMAC96 digest, 12.

Constant: UMAC128_DIGEST_SIZE

The size of an UMAC128 digest, 16.

Constant: UMAC_BLOCK_SIZE

The internal block size of UMAC.

Function: void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key)
Function: void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key)
Function: void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key)
Function: void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key)

These functions initialize the UMAC context struct. They also initialize the nonce to zero (with length 16, for auto-increment).

Function: void umac32_set_nonce (struct umac32_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac64_set_nonce (struct umac64_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac96_set_nonce (struct umac96_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac128_set_nonce (struct umac128_ctx *ctx, size_t length, const uint8_t *nonce)

Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called before the first _update call for the message.

Function: void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data)

These functions are called zero or more times to process the message.

Function: void umac32_digest (struct umac32_ctx *ctx, size_t length, uint8_t *digest)
Function: void umac64_digest (struct umac64_ctx *ctx, size_t length, uint8_t *digest)
Function: void umac96_digest (struct umac96_ctx *ctx, size_t length, uint8_t *digest)
Function: void umac128_digest (struct umac128_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. length is usually equal to the specified output size, but if you provide a smaller value, only the first length octets of the MAC are written. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the _set_nonce function explicitly for each message.

Previous: , Up: Keyed hash functions   [Contents][Index]

6.5.4 Poly1305

Poly1305-AES is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number 2^130 - 5.

The key, 256 bits, consists of two parts, where the first half is an AES-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point r. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the AES key, and that’s the only thing AES is used for.

The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo 2^130 - 5, and the polynomial is evaluated at the point r. Finally, this value is reduced modulo 2^128, and added (also modulo 2^128) to the encrypted nonce, to produce an 128-bit authenticator for the message. See http://cr.yp.to/mac/poly1305-20050329.pdf for further details.

Clearly, variants using a different cipher than AES could be defined. Another variant is the ChaCha-Poly1305 AEAD construction (see ChaCha-Poly1305). Nettle defines Poly1305-AES in nettle/poly1305.h.

Constant: POLY1305_AES_KEY_SIZE

Key size, 32 octets.

Constant: POLY1305_AES_DIGEST_SIZE

Size of the digest or “authenticator”, 16 octets.

Constant: POLY1305_AES_NONCE_SIZE

Nonce size, 16 octets.

Context struct: struct poly1305_aes_ctx

The poly1305-aes context struct.

Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key)

Initialize the context struct. Also sets the nonce to zero.

Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t *nonce)

Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message.

Function: void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data)

Process more data.

Function: void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, size_t length, uint8_t *digest)

Extracts the digest. If length is smaller than POLY1305_AES_DIGEST_SIZE, only the first length octets are written. Also increments the nonce, and prepares the context for processing a new message.

Next: , Previous: , Up: Reference   [Contents][Index]

6.6 Key derivation Functions

A key derivation function (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the password-based key derivation functions (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation.

6.6.1 HKDF: HMAC-based Extract-and-Expand

HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in RFC 5869, and is split into two logical modules, called ’extract’ and ’expand’. The extract module takes an initial secret and a random salt to "extract" a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys.

Nettle’s HKDF functions are defined in <nettle/hkdf.h>. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the nettle_hash_update_func, and nettle_hash_digest_func interfaces.

Function: void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst)

Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the secret secret of length secret_length. The output length is fixed to digest_size octets, thus the output buffer dst must have room for at least digest_size octets.

Function: void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst)

Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the info info of length info_length, and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

6.6.2 PBKDF2

The most well known PBKDF is the PKCS #5 PBKDF2 described in RFC 2898 which uses a pseudo-random function such as HMAC-SHA1.

Nettle’s PBKDF2 functions are defined in <nettle/pbkdf2.h>. There is an abstract function that operate on any PRF implemented via the nettle_hash_update_func, nettle_hash_digest_func interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, the abstract function:

Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

Like for CBC and HMAC, there is a macro to help use the function correctly.

Macro: PBKDF2 (ctx, update, digest, digest_size, iterations, salt_length, salt, length, dst)

ctx is a pointer to a context struct passed to the update and digest functions (of the types nettle_hash_update_func and nettle_hash_digest_func respectively) to implement the underlying PRF with digest size of digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

6.6.3 Concrete PBKDF2 functions

Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function.

6.6.3.1 PBKDF2-HMAC-SHA1

Function: void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA1. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

6.6.3.2 PBKDF2-HMAC-SHA256

Function: void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA256. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

Next: , Previous: , Up: Reference   [Contents][Index]

6.7 Public-key algorithms

Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, you must install GMP, at least version 3.0, before compiling Nettle, and you need to link your programs with -lhogweed -lnettle -lgmp.

The concept of Public-key encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, “symmetric”, cryptography, sender and receiver share the same keys, and these keys must be distributed in a secure way. And if there are many users or entities that need to communicate, each pair needs a shared secret key known by nobody else.

Public-key cryptography uses trapdoor one-way functions. A one-way function is a function F such that it is easy to compute the value F(x) for any x, but given a value y, it is hard to compute a corresponding x such that y = F(x). Two examples are cryptographic hash functions, and exponentiation in certain groups.

A trapdoor one-way function is a function F that is one-way, unless one knows some secret information about F. If one knows the secret, it is easy to compute both F and it’s inverse. If this sounds strange, look at the RSA example below.

Two important uses for one-way functions with trapdoors are public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures.

To use a digital signature algorithm, one must first create a key-pair: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user’s list of known public keys), bad things may happen.

There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can’t cut it out of context and glue it to a different message.

The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the “someone” also knows the private key corresponding to the public key.

The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation.

Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as “grant access to whoever knows the private key corresponding to this particular public key, and to no others”.

RSA:  The RSA public key algorithm.
DSA:  The DSA digital signature algorithm.
Elliptic curves:  Elliptic curves and ECDSA

Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

6.7.1 RSA

The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the USA in 1983. The patent expired on September 20, 2000, and since that day, RSA can be used freely, even in the USA.

It’s remarkably simple to describe the trapdoor function behind RSA. The “one-way”-function used is 

F(x) = x^e mod n

I.e. raise x to the e’th power, while discarding all multiples of n. The pair of numbers n and e is the public key. e can be quite small, even e = 3 has been used, although slightly larger numbers are recommended. n should be about 2000 bits or larger.

If n is large enough, and properly chosen, the inverse of F, the computation of e’th roots modulo n, is very difficult. But, where’s the trapdoor?

Let’s first look at how RSA key-pairs are generated. First n is chosen as the product of two large prime numbers p and q of roughly the same size (so if n is 2000 bits, p and q are about 1000 bits each). One also computes the number phi = (p-1)(q-1), in mathematical speak, phi is the order of the multiplicative group of integers modulo n.

Next, e is chosen. It must have no factors in common with phi (in particular, it must be odd), but can otherwise be chosen more or less randomly. e = 65537 is a popular choice, because it makes raising to the e’th power particularly efficient, and being prime, it usually has no factors common with phi.

Finally, a number d, d < n is computed such that e d mod phi = 1. It can be shown that such a number exists (this is why e and phi must have no common factors), and that for all x, 

(x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x

Using Euclid’s algorithm, d can be computed quite easily from phi and e. But it is still hard to get d without knowing phi, which depends on the factorization of n.

So d is the trapdoor, if we know d and y = F(x), we can recover x as y^d mod n. d is also the private half of the RSA key-pair.

The most common signature operation for RSA is defined in PKCS#1, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. MD5 or SHA1. Next, some padding, the ASN.1 “Algorithm Identifier” for the hash function, and the message digest itself, are concatenated and converted to a number x. The signature is computed from x and the private key as s = x^d mod n1. The signature, s is a number of about the same size of n, and it usually encoded as a sequence of octets, most significant octet first.

The verification operation is straight-forward, x is computed from the message in the same way as above. Then s^e mod n is computed, the operation returns true if and only if the result equals x.

The RSA algorithm can also be used for encryption. RSA encryption uses the public key (n,e) to compute the ciphertext m^e mod n. The PKCS#1 padding scheme will use at least 8 random and non-zero octets, using m of the form [00 02 padding 00 plaintext]. It is required that m < n, and therefor the plaintext must be smaller than the octet size of the modulo n, with some margin.

To decrypt the message, one needs the private key to compute m = c^e mod n followed by checking and removing the padding.

6.7.1.1 Nettle’s RSA support

Nettle represents RSA keys using two structures that contain large numbers (of type mpz_t).

Context struct: rsa_public_key size n e

size is the size, in octets, of the modulo, and is used internally. n and e is the public key.

Context struct: rsa_private_key size d p q a b c

size is the size, in octets, of the modulo, and is used internally. d is the secret exponent, but it is not actually used when signing. Instead, the factors p and q, and the parameters a, b and c are used. They are computed from p, q and e such that a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1.

Before use, these structs must be initialized by calling one of

Function: void rsa_public_key_init (struct rsa_public_key *pub)
Function: void rsa_private_key_init (struct rsa_private_key *key)

Calls mpz_init on all numbers in the key struct.

and when finished with them, the space for the numbers must be deallocated by calling one of

Function: void rsa_public_key_clear (struct rsa_public_key *pub)
Function: void rsa_private_key_clear (struct rsa_private_key *key)

Calls mpz_clear on all numbers in the key struct.

In general, Nettle’s RSA functions deviates from Nettle’s “no memory allocation”-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see See GMP Allocation in GMP Manual.

When you have assigned values to the attributes of a key, you must call

Function: int rsa_public_key_prepare (struct rsa_public_key *pub)
Function: int rsa_private_key_prepare (struct rsa_private_key *key)

Computes the octet size of the key (stored in the size attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can’t be used, for instance if the modulo is smaller than the minimum size needed for RSA operations specified by PKCS#1.

For each operation using the private key, there are two variants, e.g., rsa_sha256_sign and rsa_sha256_sign_tr. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized RSA blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key.

Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function’s context struct to the RSA signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument.

There is currently no support for using SHA224 or SHA384 with RSA signatures, since there’s no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively.

Creating an RSA signature is done with one of the following functions:

Function: int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t signature)
Function: int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t signature)
Function: int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t signature)
Function: int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t signature)

The signature is stored in signature (which must have been mpz_init’ed earlier). The hash context is reset so that it can be used for new messages. The random_ctx and random pointers are used to generate the RSA blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key.

Function: int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)

Creates a signature from the given hash digest. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZErespectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Function: int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t signature)

Similar to the above _sign_digest_tr functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

Function: int rsa_md5_sign (const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature)
Function: int rsa_sha1_sign (const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature)
Function: int rsa_sha256_sign (const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature)
Function: int rsa_sha512_sign (const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature)

The signature is stored in signature (which must have been mpz_init’ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key.

Function: int rsa_md5_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha1_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
Function: int rsa_sha256_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
Function: int rsa_sha512_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);

Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE, respectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Function: int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s)

Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

Verifying an RSA signature is done with one of the following functions:

Function: int rsa_md5_verify (const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature)
Function: int rsa_sha1_verify (const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature)
Function: int rsa_sha256_verify (const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature)
Function: int rsa_sha512_verify (const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. In either case, the hash context is reset so that it can be used for new messages.

Function: int rsa_md5_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha1_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha256_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha512_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE respectively.

Function: int rsa_pkcs1_verify(const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t signature)

Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

While the above functions for the RSA signature operations use the PKCS#1 padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in RFC 3447. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the RSA algorithm, a longer salt value does not always mean a better security http://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf. The typical choices of the length are between 0 and the digest size of the underlying hash function.

Creating an RSA signature with the PSS padding scheme is done with one of the following functions:

Function: int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)
Function: int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)
Function: int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)

Creates a signature using the PSS padding scheme. salt should point to a salt string of size salt_length. digest should point to a digest of size SHA256_DIGEST_SIZE, SHA384_DIGEST_SIZE, or SHA512_DIGEST_SIZErespectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Verifying an RSA signature with the PSS padding scheme is done with one of the following functions:

Function: int rsa_pss_sha256_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)
Function: int rsa_pss_sha384_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)
Function: int rsa_pss_sha512_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. digest should point to a digest of size SHA256_DIGEST_SIZE, SHA384_DIGEST_SIZE, or SHA512_DIGEST_SIZE respectively.

The following function is used to encrypt a clear text message using RSA.

Function: int rsa_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *cleartext, mpz_t ciphertext)

Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure.

The following function is used to decrypt a cipher text message using RSA.

Function: int rsa_decrypt (const struct rsa_private_key *key, size_t *length, uint8_t *cleartext, const mpz_t ciphertext)

Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by cleartext must be of size *length. After decryption, *length will be updated with the size of the message.

There is also a timing resistant version of decryption that utilizes randomized RSA blinding.

Function: int rsa_decrypt_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t ciphertext)

Returns 1 on success, 0 on failure.

If you need to use the RSA trapdoor, the private key, in a way that isn’t supported by the above functions Nettle also includes a function that computes x^d mod n and nothing more, using the CRT optimization.

Function: int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m)

Computes x = m^d. Returns one on success, or zero if a failure in the computation was detected.

Function: void rsa_compute_root (struct rsa_private_key *key, mpz_t x, const mpz_t m)

Computes x = m^d.

At last, how do you create new keys?

Function: int rsa_generate_keypair (struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned n_size, unsigned e_size);

There are lots of parameters. pub and key is where the resulting key pair is stored. The structs should be initialized, but you don’t need to call rsa_public_key_prepare or rsa_private_key_prepare after key generation.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

size_n is the desired size of the modulo, in bits. If size_e is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if e_size is zero, it is assumed that the caller has already chosen a value for e, and stored it in pub. Returns one on success, and zero on failure. The function can fail for example if if n_size is too small, or if e_size is zero and pub->e is an even number.

Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

6.7.2 DSA

The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1.

For DSA, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime p, a small prime q which is a factor of p-1, a number g which generates a subgroup of order q modulo p, and an element y in that subgroup.

In the original DSA, the size of q is fixed to 160 bits, to match with the SHA1 hash algorithm. The size of p is in principle unlimited, but the standard specifies only nine specific sizes: 512 + l*64, where l is between 0 and 8. Thus, the maximum size of p is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure.

The subgroup requirement means that if you compute 

g^t mod p

for all possible integers t, you will get precisely q distinct values.

The private key is a secret exponent x, such that 

g^x = y mod p

In mathematical speak, x is the discrete logarithm of y mod p, with respect to the generator g. The size of x will also be about the same size as q. The security of the DSA algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack DSA, are of two types. The first type works directly in the (multiplicative) group of integers mod p. The best known algorithm of this type is the Number Field Sieve, and it’s complexity is similar to the complexity of factoring numbers of the same size as p. The other type works in the smaller q-sized subgroup generated by g, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity sqrt(q).

The important point is that security depends on the size of both p and q, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original DSA may be uncomfortably small. Using a p of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit RSA modulo, and using a q of size 160 bits implies that cracking using Pollard-rho will take roughly 2^80 group operations. With the size of q fixed, tied to the SHA1 digest size, it may be tempting to increase the size of p to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack.

The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (see Randomness). Let us describe the common case of a 160-bit q.

To create a signature, one starts with the hash digest of the message, h, which is a 160 bit number, and a random number k, 0<k<q, also 160 bits. Next, one computes 

r = (g^k mod p) mod q
s = k^-1 (h + x r) mod q

The signature is the pair (r, s), two 160 bit numbers. Note the two different mod operations when computing r, and the use of the secret exponent x.

To verify a signature, one first checks that 0 < r,s < q, and then one computes backwards, 

w = s^-1 mod q
v = (g^(w h) y^(w r) mod p) mod q

The signature is valid if v = r. This works out because w = s^-1 mod q = k (h + x r)^-1 mod q, so that 

g^(w h) y^(w r) = g^(w h) (g^x)^(w r) = g^(w (h + x r)) = g^k

When reducing mod q this yields r. Note that when verifying a signature, we don’t know either k or x: those numbers are secret.

If you can choose between RSA and DSA, which one is best? Both are believed to be secure. DSA gained popularity in the late 1990s, as a patent free alternative to RSA. Now that the RSA patents have expired, there’s no compelling reason to want to use DSA. Today, the original DSA key size does not provide a large security margin, and it should probably be phased out together with RSA keys of 1024 bits. Using the revised DSA algorithm with a larger hash function, in particular, SHA256, a 256-bit q, and p of size 2048 bits or more, should provide for a more comfortable security margin, but these variants are not yet in wide use.

DSA signatures are smaller than RSA signatures, which is important for some specialized applications.

From a practical point of view, DSA’s need for a good randomness source is a serious disadvantage. If you ever use the same k (and r) for two different message, you leak your private key.

6.7.2.1 Nettle’s DSA support

Like for RSA, Nettle represents DSA keys using two structures, containing values of type mpz_t. For information on how to customize allocation, see See GMP Allocation in GMP Manual. Nettle’s DSA interface is defined in <nettle/dsa.h>.

A DSA group is represented using the following struct.

Context struct: dsa_params p q g

Parameters of the DSA group.

Function: void dsa_params_init (struct dsa_params *params)

Calls mpz_init on all numbers in the struct.

Function: void dsa_params_clear (struct dsa_params *paramsparams)

Calls mpz_clear on all numbers in the struct.

Function: int dsa_generate_params (struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits)

Generates paramaters of a new group. The params struct should be initialized before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

p_bits and q_bits are the desired sizes of p and q. To generate keys that conform to the original DSA standard, you must use q_bits = 160 and select p_bits of the form p_bits = 512 + l*64, for 0 <= l <= 8, where the smaller sizes are no longer recommended, so you should most likely stick to p_bits = 1024. Non-standard sizes are possible, in particular p_bits larger than 1024, although DSA implementations can not in general be expected to support such keys. Also note that using very large p_bits, with q_bits fixed at 160, doesn’t make much sense, because the security is also limited by the size of the smaller prime. To generate DSA keys for use with SHA256, use q_bits = 256 and, e.g., p_bits = 2048.

Returns one on success, and zero on failure. The function will fail if q_bits is too small, or too close to p_bits.

Signatures are represented using the structure below.

Context struct: dsa_signature r s
Function: void dsa_signature_init (struct dsa_signature *signature)
Function: void dsa_signature_clear (struct dsa_signature *signature)

You must call dsa_signature_init before creating or using a signature, and call dsa_signature_clear when you are finished with it.

Keys are represented as bignums, of type mpz_t. A public keys represent a group element, and is of the same size as p, while a private key is an exponent, of the same size as q.

Function: int dsa_sign (const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature)

Creates a signature from the given hash digest, using the private key x. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo q fails.

Function: int dsa_verify (const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature)

Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0.

To generate a keypair, first generate a DSA group using dsa_generate_params. A keypair in this group is then created using

Function: void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random)

Generates a new keypair, using the group params. The public key is stored in pub, and the private key in key. Both variables must be initialized using mpz_init before this call.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

6.7.2.2 Old, deprecated, DSA interface

Versions before nettle-3.0 used a different interface for DSA signatures, where the group parameters and the public key was packed together as struct dsa_public_key. Most of this interface is kept for backwards compatibility, and declared in nettle/dsa-compat.h. Below is the old documentation. The old and new interface use distinct names and don’t confict, with one exception: The key generation function. The nettle/dsa-compat.h redefines dsa_generate_keypair as an alias for dsa_compat_generate_keypair, compatible with the old interface and documented below.

The old DSA functions are very similar to the corresponding RSA functions, but there are a few differences pointed out below. For a start, there are no functions corresponding to rsa_public_key_prepare and rsa_private_key_prepare.

Context struct: dsa_public_key p q g y

The public parameters described above.

Context struct: dsa_private_key x

The private key x.

Before use, these structs must be initialized by calling one of

Function: void dsa_public_key_init (struct dsa_public_key *pub)
Function: void dsa_private_key_init (struct dsa_private_key *key)

Calls mpz_init on all numbers in the key struct.

When finished with them, the space for the numbers must be deallocated by calling one of

Function: void dsa_public_key_clear (struct dsa_public_key *pub)
Function: void dsa_private_key_clear (struct dsa_private_key *key)

Calls mpz_clear on all numbers in the key struct.

Signatures are represented using struct dsa_signature, described earlier.

For signing, you need to provide both the public and the private key (unlike RSA, where the private key struct includes all information needed for signing), and a source for random numbers. Signatures can use the SHA1 or the SHA256 hash function, although the implementation of DSA with SHA256 should be considered somewhat experimental due to lack of official test vectors and interoperability testing.

Function: int dsa_sha1_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha1_ctx *hash, struct dsa_signature *signature)
Function: int dsa_sha1_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)
Function: int dsa_sha256_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha256_ctx *hash, struct dsa_signature *signature)
Function: int dsa_sha256_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)

Creates a signature from the given hash context or digest. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness. Returns one on success, or zero on failure. Signing fails if the key size and the hash size don’t match.

Verifying signatures is a little easier, since no randomness generator is needed. The functions are

Function: int dsa_sha1_verify (const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature)
Function: int dsa_sha1_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)
Function: int dsa_sha256_verify (const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature)
Function: int dsa_sha256_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)

Verifies a signature. Returns 1 if the signature is valid, otherwise 0.

Key generation uses mostly the same parameters as the corresponding RSA function.

Function: int dsa_compat_generate_keypair (struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned p_bits, unsigned q_bits)

pub and key is where the resulting key pair is stored. The structs should be initialized before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

p_bits and q_bits are the desired sizes of p and q. See dsa_generate_keypair for details.

Previous: , Up: Public-key algorithms   [Contents][Index]

6.7.3 Elliptic curves

For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If P and Q are two points, and k is an integer, the point sum, P + Q, and the multiple k P can be computed efficiently, but given only two points P and Q, finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem.

Nettle supports standard curves which are all of the form y^2 = x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), both considered as integers modulo a specified prime p. Curves are represented as a struct ecc_curve. It also supports curve25519, which uses a different form of curve. Supported curves are declared in <nettle/ecc-curve.h>, e.g., call nettle_get_secp_256r1 for a standardized curve using the 256-bit prime p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1. The contents of these structs is not visible to nettle users. The “bitsize of the curve” is used as a shorthand for the bitsize of the curve’s prime p, e.g., 256 bits for the SECP 256R1 curve.

Side-channel silence:  
ECDSA:  
Curve 25519:  

Next: , Up: Elliptic curves   [Contents][Index]

6.7.3.1 Side-channel silence

Nettle’s implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are:

  • Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key.
  • Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries.

Nettle’s ECC implementation is designed to be side-channel silent, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks.

Next: , Previous: , Up: Elliptic curves   [Contents][Index]

6.7.3.2 ECDSA

ECDSA is a variant of the DSA digital signature scheme (see DSA), which works over an elliptic curve group rather than over a (subgroup of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key).

Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating.

Nettle defines ECDSA in <nettle/ecdsa.h>. We first need to define the data types used to represent public and private keys.

struct: struct ecc_point

Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key.

Function: void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc)

Initializes p to represent points on the given curve ecc. Allocates storage for the coordinates, using the same allocation functions as GMP.

Function: void ecc_point_clear (struct ecc_point *p)

Deallocate storage.

Function: int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y)

Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed.

Function: void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y)

Extracts the coordinate of the point p. The output parameters x or y may be NULL if the caller doesn’t want that coordinate.

struct: struct ecc_scalar

Represents an integer in the range 0 < x < group order, where the “group order” refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key.

Function: void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc)

Initializes s to represent a scalar suitable for the given curve ecc. Allocates storage using the same allocation functions as GMP.

Function: void ecc_scalar_clear (struct ecc_scalar *s)

Deallocate storage.

Function: int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z)

Check that z is in the correct range. If so, copies the value to s and returns 1, otherwise returns 0.

Function: void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z)

Extracts the scalar, in GMP mpz_t representation.

To create and verify ECDSA signatures, the following functions are used.

Function: void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature)

Uses the private key key to create a signature on digest. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. The signature is stored in signature, in the same was as for plain DSA.

Function: int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature)

Uses the public key pub to verify that signature is a valid signature for the message digest digest (of length octets). Returns 1 if the signature is valid, otherwise 0.

Finally, generating a new ECDSA key pair:

Function: void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random);

pub and key is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

Previous: , Up: Elliptic curves   [Contents][Index]

6.7.3.3 Curve25519

Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in RFC 7748. The group generator is defined by x = 9 (there are actually two points with x = 9, differing by the sign of the y-coordinate, but that doesn’t matter for the curve25519 operations which work with the x-coordinate only).

The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored.

For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range 2^251 <= s < 2^252.

Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value x for which the the curve equation can be solved for y. The other half correspond to points on a related “twist curve”. The function curve25519_mul uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by RFC 7748. The output is therefore well defined for all possible inputs, no matter if the input string represents a valid point on the curve or not.

Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from RFC 7748, in that bit 255 of the x coordinate of the point input to curve25519_mul was not ignored. The nette/curve25519.h defines a preprocessor symbol NETTLE_CURVE25519_RFC7748 to indicate conformance with the standard.

Nettle defines Curve 25519 in <nettle/curve25519.h>.

Constant: NETTLE_CURVE25519_RFC7748

Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions.

Constant: CURVE25519_SIZE

The size of the strings representing curve25519 points and scalars, 32.

Function: void curve25519_mul_g (uint8_t *q, const uint8_t *n)

Computes Q = N G, where G is the group generator and N is an integer. The input argument n and the output argument q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size CURVE25519_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult_base in the NaCl library.

Function: void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)

Computes Q = N P, where P is an input point and N is an integer. The input arguments n and p and the output argument q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size CURVE25519_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult in the NaCl library.

6.7.3.4 EdDSA

EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a “Twisted Edwards curve”, of the form -x^2 + y^2 = 1 + d x^2 y^2. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups.

Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost.

Constant: ED25519_KEY_SIZE

The size of a private or public Ed25519 key, 32 octets.

Constant: ED25519_SIGNATURE_SIZE

The size of an Ed25519 signature, 64 octets.

Function: void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv)

Computes the public key corresponding to the given private key. Both input and output are of size ED25519_KEY_SIZE.

Function: void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)

Signs a message using the provided key pair.

Function: int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)

Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.

Next: , Previous: , Up: Reference   [Contents][Index]

6.8 Randomness

A crucial ingredient in many cryptographic contexts is randomness: Let p be a random prime, choose a random initialization vector iv, a random key k and a random exponent e, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain.

In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name.

However, such a generator is inadequate for cryptography, for at least two reasons:

  • It’s too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that’s far too easy. For example, if the process id is 16 bits, the resolution of “current time” is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried.
  • The generator output reveals too much. By observing only a small segment of the generator’s output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker.

A randomness generator that is used for cryptographic purposes must have better properties. Let’s first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what’s unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called “entropy”, or “conditional entropy” (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask n yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can’t guess the seed correctly, then the conditional entropy is more than n bits.

Let’s look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or “unguessability” to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session.

Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are:

High resolution timing of i/o activities

Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it’s one of the better randomness source one can find in a digital, mostly predictable, computer.

User activity

Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially.

Audio input

Any room, or even a microphone input that’s left unconnected, is a source of some random background noise, which can be fed into the seeding process.

Specialized hardware

Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type.

Secret information

Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once.

For all practical sources, it’s difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can’t observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months?

So let’s assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine).

How do we generate output from this seed, and how much can we get? Some generators (notably the Linux /dev/random generator) tries to estimate available entropy and restrict the amount of output. The goal is that if you read 128 bits from /dev/random, you should get 128 “truly random” bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn’t matter much. For most application, there’s no limit on the amount of useful “random” data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties.

At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let’s call it the generator’s key. The key is initialized from the unguessable seed. Important properties of a generator are:

Key-hiding

An attacker observing the output should not be able to recover the generator’s key.

Independence of outputs

Observing some of the output should not help the attacker to guess previous or future output.

Forward secrecy

Even if an attacker compromises the generator’s key, he should not be able to guess the generator output before the key compromise.

Recovery from key compromise

If an attacker compromises the generator’s key, he can compute all future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time t_1, there is another later time t_2, such that if the attacker observes all output generated between t_1 and t_2, he still can’t guess what output is generated after t_2.

Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones.

ARCFOUR, like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality, if the seed is hashed properly before it is used with arcfour_set_key. There’s no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead.

The “lagged Fibonacci” generator in <nettle/knuth-lfib.h> is a fast generator with good statistical properties, but is not for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed.

The recommended generator to use is Yarrow, described below.

6.8.1 Yarrow

Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at http://www.counterpane.com/yarrow.html, and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits.

Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later.

Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness “pools”, referred to as the “slow pool” and the “fast pool”. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a “fast reseed” happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a “slow reseed” takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise.

The output is generated by using AES to encrypt a counter, using the generator’s current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy.

Yarrow can also use a seed file to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens.

Nettle defines Yarrow-256 in <nettle/yarrow.h>.

Context struct: struct yarrow256_ctx
Context struct: struct yarrow_source

Information about a single source.

Constant: YARROW256_SEED_FILE_SIZE

Recommended size of the Yarrow-256 seed file.

Function: void yarrow256_init (struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources)

Initializes the yarrow context, and its nsources sources. It’s possible to call it with nsources=0 and sources=NULL, if you don’t need the update features.

Function: void yarrow256_seed (struct yarrow256_ctx *ctx, size_t length, uint8_t *seed_file)

Seeds Yarrow-256 from a previous seed file. length should be at least YARROW256_SEED_FILE_SIZE, but it can be larger.

The generator will trust you that the seed_file data really is unguessable. After calling this function, you must overwrite the old seed file with newly generated data from yarrow256_random. If it’s possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism.

Function: int yarrow256_update (struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, size_t length, const uint8_t *data)

Updates the generator with data from source SOURCE (an index that must be smaller than the number of sources). entropy is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero entropy is always safe, no matter if the data is random or not.

Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with yarrow256_random and overwrite the seed file. Otherwise, the function returns 0.

Function: void yarrow256_random (struct yarrow256_ctx *ctx, size_t length, uint8_t *dst)

Generates length octets of output. The generator must be seeded before you call this function.

If you don’t need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time.

Function: int yarrow256_is_seeded (struct yarrow256_ctx *ctx)

Returns 1 if the generator is seeded and ready to generate output, otherwise 0.

Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *ctx)

Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded.

Function: void yarrow256_fast_reseed (struct yarrow256_ctx *ctx)
Function: void yarrow256_slow_reseed (struct yarrow256_ctx *ctx)

Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care.

Nettle includes an entropy estimator for one kind of input source: User keyboard input.

Context struct: struct yarrow_key_event_ctx

Information about recent key events.

Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *ctx)

Initializes the context.

Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time)

key is the id of the key (ASCII value, hardware key code, X keysym, …, it doesn’t matter), and time is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, time should be provided in units of microseconds. But if you use gettimeofday on a typical Unix system where the clock ticks 10 or so microseconds at a time, time should be given in units of 10 microseconds.

Returns an entropy estimate, in bits, suitable for calling yarrow256_update. Usually, 0, 1 or 2 bits.

Next: , Previous: , Up: Reference   [Contents][Index]

6.9 ASCII encoding

Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text.

A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte).

The base64 encoding will always use alphanumeric (upper and lower case) characters and the ’+’, ’/’ and ’=’ symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There’s also a “URL safe” variant, which is useful for encoding binary data into URLs and filenames. See RFC 4648.

The base16 encoding, also known as “hexadecimal”, uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte.

Nettle supports both base64 and base16 encoding and decoding.

Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn’t need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function.

The following functions can be used to perform base64 encoding and decoding. They are defined in <nettle/base64.h>.

Context struct: struct base64_encode_ctx
Function: void base64_encode_init (struct base64_encode_ctx *ctx)
Function: void base64url_encode_init (struct base64_encode_ctx *ctx)

Initializes a base64 context. This is necessary before starting an encoding session. base64_encode_init selects the standard base64 alphabet, while base64url_encode_init selects the URL safe alphabet.

Function: size_t base64_encode_single (struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src)

Encodes a single byte. Returns amount of output (always 1 or 2).

Macro: BASE64_ENCODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base64_encode_update.

Function: size_t base64_encode_update (struct base64_encode_ctx *ctx, uint8_t *dst, size_t length, const uint8_t *src)

After ctx is initialized, this function may be called to encode length bytes from src. The result will be placed in dst, and the return value will be the number of bytes generated. Note that dst must be at least of size BASE64_ENCODE_LENGTH(length).

Constant: BASE64_ENCODE_FINAL_LENGTH

The maximum amount of output from base64_encode_final.

Function: size_t base64_encode_final (struct base64_encode_ctx *ctx, uint8_t *dst)

After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated.

Context struct: struct base64_decode_ctx
Function: void base64_decode_init (struct base64_decode_ctx *ctx)
Function: void base64url_decode_init (struct base64_decode_ctx *ctx)

Initializes a base64 decoding context. This is necessary before starting a decoding session. base64_decode_init selects the standard base64 alphabet, while base64url_decode_init selects the URL safe alphabet.

Function: int base64_decode_single (struct base64_decode_ctx *ctx, uint8_t *dst, uint8_t src)

Decodes a single byte (src) and stores the result in dst. Returns amount of output (0 or 1), or -1 on errors.

Macro: BASE64_DECODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base64_decode_update.

Function: void base64_decode_update (struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)

After ctx is initialized, this function may be called to decode src_length bytes from src. dst should point to an area of size at least BASE64_DECODE_LENGTH(src_length). The amount of data generated is returned in *dst_length. Returns 1 on success and 0 on error.

Function: int base64_decode_final (struct base64_decode_ctx *ctx)

Check that final padding is correct. Returns 1 on success, and 0 on error.

Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in <nettle/base16.h>. Note that there is no encoding context necessary for doing base16 encoding.

Function: void base16_encode_single (uint8_t *dst, uint8_t src)

Encodes a single byte. Always stores two digits in dst[0] and dst[1].

Macro: BASE16_ENCODE_LENGTH (length)

The number of output bytes when passing length input bytes to base16_encode_update.

Function: void base16_encode_update (uint8_t *dst, size_t length, const uint8_t *src)

Always stores BASE16_ENCODE_LENGTH(length) digits in dst.

Context struct: struct base16_decode_ctx
Function: void base16_decode_init (struct base16_decode_ctx *ctx)

Initializes a base16 decoding context. This is necessary before starting a decoding session.

Function: int base16_decode_single (struct base16_decode_ctx *ctx, uint8_t *dst, uint8_t src)

Decodes a single byte from src into dst. Returns amount of output (0 or 1), or -1 on errors.

Macro: BASE16_DECODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base16_decode_update.

Function: int base16_decode_update (struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)

After ctx is initialized, this function may be called to decode src_length bytes from src. dst should point to an area of size at least BASE16_DECODE_LENGTH(src_length). The amount of data generated is returned in *dst_length. Returns 1 on success and 0 on error.

Function: int base16_decode_final (struct base16_decode_ctx *ctx)

Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error.

Next: , Previous: , Up: Reference   [Contents][Index]

6.10 Miscellaneous functions

Function: void * memxor (void *dst, const void *src, size_t n)

XORs the source area on top of the destination area. The interface doesn’t follow the Nettle conventions, because it is intended to be similar to the ANSI-C memcpy function.

Function: void * memxor3 (void *dst, const void *a, const void *b, size_t n)

Like memxor, but takes two source areas and separate destination area.

Function: int memeql_sec (const void *a, const void *b, size_t n)

Side-channel silent comparison of the n bytes at a and b. I.e., instructions executed and memory accesses are identical no matter where the areas differ, see Side-channel silence. Return non-zero if the areas are equal, and zero if they differ.

These functions are declared in <nettle/memops.h>. For compatibility with earlier versions of Nettle, memxor and memxor3 are also declared in <nettle/memxor.h>.

Previous: , Up: Reference   [Contents][Index]

6.11 Compatibility functions

For convenience, Nettle includes alternative interfaces to some algorithms, for compatibility with some other popular crypto toolkits. These are not fully documented here; refer to the source or to the documentation for the original implementation.

MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in <nettle/md5-compat.h>. This file defines the typedef MD5_CTX, and declares the functions MD5Init, MD5Update and MD5Final.

Eric Young’s “libdes” (also part of OpenSSL) is a quite popular DES implementation. Nettle includes a subset if its interface in <nettle/des-compat.h>. This file defines the typedefs des_key_schedule and des_cblock, two constants DES_ENCRYPT and DES_DECRYPT, and declares one global variable des_check_key, and the functions des_cbc_cksum des_cbc_encrypt, des_ecb2_encrypt, des_ecb3_encrypt, des_ecb_encrypt, des_ede2_cbc_encrypt, des_ede3_cbc_encrypt, des_is_weak_key, des_key_sched, des_ncbc_encrypt des_set_key, and des_set_odd_parity.

Next: , Previous: , Up: Top   [Contents][Index]

7 Traditional Nettle Soup

For the serious nettle hacker, here is a recipe for nettle soup. 4 servings.

  • 1 liter fresh nettles (urtica dioica)
  • 2 tablespoons butter
  • 3 tablespoons flour
  • 1 liter stock (meat or vegetable)
  • 1/2 teaspoon salt
  • a tad white pepper
  • some cream or milk

Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used.

Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper.

Serve with boiled egg-halves.

Next: , Previous: , Up: Top   [Contents][Index]

8 Installation

Nettle uses autoconf. To build it, unpack the source and run 

./configure
make
make check
make install

to install it under the default prefix, /usr/local. Using GNU make is strongly recommended. By default, both static and shared libraries are built and installed.

To get a list of configure options, use ./configure --help. Some of the more interesting are:

--enable-fat

Include multiple versions of certain functions in the library, and select the ones to use at run-time, depending on available processor features. Supported for ARM and x86_64.

--enable-mini-gmp

Use the smaller and slower “mini-gmp” implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are not binary compatible with regular builds of Nettle, and more likely to leak side-channel information.

--disable-shared

Omit building the shared libraries.

--disable-dependency-tracking

Disable the automatic dependency tracking. You will likely need this option to be able to build with BSD make.

Previous: , Up: Top   [Contents][Index]

Function and Concept Index

Jump to:   A   B   C   D   E   G   H   K   M   N   O   P   R   S   T   U   Y  
Index Entry  Section
A
AEAD: Authenticated encryption
aes128_decrypt: Cipher functions
aes128_encrypt: Cipher functions
aes128_invert_key: Cipher functions
aes128_set_decrypt_key: Cipher functions
aes128_set_encrypt_key: Cipher functions
aes192_decrypt: Cipher functions
aes192_encrypt: Cipher functions
aes192_invert_key: Cipher functions
aes192_set_decrypt_key: Cipher functions
aes192_set_encrypt_key: Cipher functions
aes256_decrypt: Cipher functions
aes256_encrypt: Cipher functions
aes256_invert_key: Cipher functions
aes256_set_decrypt_key: Cipher functions
aes256_set_encrypt_key: Cipher functions
aes_decrypt: Cipher functions
aes_encrypt: Cipher functions
aes_invert_key: Cipher functions
aes_set_decrypt_key: Cipher functions
aes_set_encrypt_key: Cipher functions
arcfour_crypt: Cipher functions
arcfour_set_key: Cipher functions
arctwo_decrypt: Cipher functions
arctwo_encrypt: Cipher functions
arctwo_set_key: Cipher functions
arctwo_set_key_ekb: Cipher functions
arctwo_set_key_gutmann: Cipher functions
Authenticated encryption: Authenticated encryption
B
base16_decode_final: ASCII encoding
base16_decode_init: ASCII encoding
BASE16_DECODE_LENGTH: ASCII encoding
base16_decode_single: ASCII encoding
base16_decode_update: ASCII encoding
BASE16_ENCODE_LENGTH: ASCII encoding
base16_encode_single: ASCII encoding
base16_encode_update: ASCII encoding
base64url_decode_init: ASCII encoding
base64url_encode_init: ASCII encoding
base64_decode_final: ASCII encoding
base64_decode_init: ASCII encoding
BASE64_DECODE_LENGTH: ASCII encoding
base64_decode_single: ASCII encoding
base64_decode_update: ASCII encoding
base64_encode_final: ASCII encoding
base64_encode_init: ASCII encoding
BASE64_ENCODE_LENGTH: ASCII encoding
base64_encode_single: ASCII encoding
base64_encode_update: ASCII encoding
Block Cipher: Cipher functions
blowfish_decrypt: Cipher functions
blowfish_encrypt: Cipher functions
blowfish_set_key: Cipher functions
C
camellia128_crypt: Cipher functions
camellia128_invert_key: Cipher functions
camellia128_set_decrypt_key: Cipher functions
camellia128_set_encrypt_key: Cipher functions
camellia192_crypt: Cipher functions
camellia192_invert_key: Cipher functions
camellia192_set_decrypt_key: Cipher functions
camellia192_set_encrypt_key: Cipher functions
camellia256_crypt: Cipher functions
camellia256_invert_key: Cipher functions
camellia256_set_decrypt_key: Cipher functions
camellia256_set_encrypt_key: Cipher functions
camellia_crypt: Cipher functions
camellia_invert_key: Cipher functions
camellia_set_decrypt_key: Cipher functions
camellia_set_encrypt_key: Cipher functions
cast128_decrypt: Cipher functions
cast128_encrypt: Cipher functions
cast128_set_key: Cipher functions
CBC Mode: CBC
CBC_CTX: CBC
cbc_decrypt: CBC
CBC_DECRYPT: CBC
cbc_encrypt: CBC
CBC_ENCRYPT: CBC
CBC_SET_IV: CBC
CCM Mode: CCM
ccm_aes128_decrypt: CCM
ccm_aes128_decrypt_message: CCM
ccm_aes128_digest: CCM
ccm_aes128_encrypt: CCM
ccm_aes128_encrypt_message: CCM
ccm_aes128_set_key: CCM
ccm_aes128_set_nonce: CCM
ccm_aes128_update: CCM
ccm_aes192_decrypt: CCM
ccm_aes192_decrypt_message: CCM
ccm_aes192_decrypt_message: CCM
ccm_aes192_digest: CCM
ccm_aes192_encrypt: CCM
ccm_aes192_encrypt_message: CCM
ccm_aes192_set_key: CCM
ccm_aes192_set_nonce: CCM
ccm_aes192_update: CCM
ccm_aes256_decrypt: CCM
ccm_aes256_digest: CCM
ccm_aes256_encrypt: CCM
ccm_aes256_encrypt_message: CCM
ccm_aes256_set_key: CCM
ccm_aes256_set_nonce: CCM
ccm_aes256_update: CCM
ccm_decrypt: CCM
ccm_decrypt_message: CCM
ccm_digest: CCM
ccm_encrypt: CCM
ccm_encrypt_message: CCM
CCM_MAX_MSG_SIZE: CCM
ccm_set_nonce: CCM
ccm_update: CCM
CFB Mode: CFB
CFB_CTX: CFB
cfb_decrypt: CFB
CFB_DECRYPT: CFB
cfb_encrypt: CFB
CFB_ENCRYPT: CFB
CFB_SET_IV(ctx,: CFB
chacha_crypt: Cipher functions
chacha_poly1305_decrypt: ChaCha-Poly1305
chacha_poly1305_digest: ChaCha-Poly1305
chacha_poly1305_encrypt: ChaCha-Poly1305
chacha_poly1305_set_key: ChaCha-Poly1305
chacha_poly1305_set_nonce: ChaCha-Poly1305
chacha_poly1305_update: ChaCha-Poly1305
chacha_set_key: Cipher functions
chacha_set_nonce: Cipher functions
Cipher: Cipher functions
Cipher Block Chaining: CBC
Cipher Feedback Mode: CFB
Collision-resistant: Hash functions
Conditional entropy: Randomness
Counter Mode: CTR
Counter with CBC-MAC Mode: CCM
CTR Mode: CTR
ctr_crypt: CTR
CTR_CRYPT: CTR
CTR_CTX: CTR
CTR_SET_COUNTER: CTR
Curve 25519: Curve 25519
curve25519_mul: Curve 25519
curve25519_mul_g: Curve 25519
D
des3_decrypt: Cipher functions
des3_encrypt: Cipher functions
des3_set_key: Cipher functions
des_check_parity: Cipher functions
des_decrypt: Cipher functions
des_encrypt: Cipher functions
des_fix_parity: Cipher functions
des_set_key: Cipher functions
dsa_compat_generate_keypair: DSA
dsa_generate_keypair: DSA
dsa_generate_params: DSA
dsa_params_clear: DSA
dsa_params_init: DSA
dsa_private_key_clear: DSA
dsa_private_key_init: DSA
dsa_public_key_clear: DSA
dsa_public_key_init: DSA
dsa_sha1_sign: DSA
dsa_sha1_sign_digest: DSA
dsa_sha1_verify: DSA
dsa_sha1_verify_digest: DSA
dsa_sha256_sign: DSA
dsa_sha256_sign_digest: DSA
dsa_sha256_verify: DSA
dsa_sha256_verify_digest: DSA
dsa_sign: DSA
dsa_signature_clear: DSA
dsa_signature_init: DSA
dsa_verify: DSA
E
eax_aes128_decrypt: EAX
eax_aes128_digest: EAX
eax_aes128_encrypt: EAX
eax_aes128_set_key: EAX
eax_aes128_set_nonce: EAX
eax_aes128_update: EAX
EAX_CTX: EAX
eax_decrypt: EAX
EAX_DECRYPT: EAX
eax_digest: EAX
EAX_DIGEST: EAX
eax_encrypt: EAX
EAX_ENCRYPT: EAX
eax_set_key: EAX
EAX_SET_KEY: EAX
eax_set_nonce: EAX
EAX_SET_NONCE: EAX
eax_update: EAX
EAX_UPDATE: EAX
ecc_point_clear: ECDSA
ecc_point_get: ECDSA
ecc_point_init: ECDSA
ecc_point_set: ECDSA
ecc_scalar_clear: ECDSA
ecc_scalar_get: ECDSA
ecc_scalar_init: ECDSA
ecc_scalar_set: ECDSA
ecdsa_generate_keypair: ECDSA
ecdsa_sign: ECDSA
ecdsa_verify: ECDSA
ed25519_sha512_public_key: Curve 25519
ed25519_sha512_sign: Curve 25519
ed25519_sha512_verify: Curve 25519
eddsa: Curve 25519
Entropy: Randomness
G
Galois Counter Mode: GCM
GCM: GCM
gcm_aes128_decrypt: GCM
gcm_aes128_digest: GCM
gcm_aes128_encrypt: GCM
gcm_aes128_set_iv: GCM
gcm_aes128_set_key: GCM
gcm_aes128_update: GCM
gcm_aes192_decrypt: GCM
gcm_aes192_digest: GCM
gcm_aes192_encrypt: GCM
gcm_aes192_set_iv: GCM
gcm_aes192_set_key: GCM
gcm_aes192_update: GCM
gcm_aes256_decrypt: GCM
gcm_aes256_digest: GCM
gcm_aes256_encrypt: GCM
gcm_aes256_set_iv: GCM
gcm_aes256_set_key: GCM
gcm_aes256_update: GCM
gcm_aes_decrypt: GCM
gcm_aes_digest: GCM
gcm_aes_encrypt: GCM
gcm_aes_set_iv: GCM
gcm_aes_set_key: GCM
gcm_aes_update: GCM
gcm_camellia128_decrypt: GCM
gcm_camellia128_digest: GCM
gcm_camellia128_encrypt: GCM
gcm_camellia128_set_iv: GCM
gcm_camellia128_set_key: GCM
gcm_camellia128_update: GCM
gcm_camellia192_digest: GCM
gcm_camellia256_decrypt: GCM
gcm_camellia256_digest: GCM
gcm_camellia256_encrypt: GCM
gcm_camellia256_set_iv: GCM
gcm_camellia256_set_key: GCM
gcm_camellia256_update: GCM
gcm_camellia_digest: GCM
GCM_CTX: GCM
gcm_decrypt: GCM
GCM_DECRYPT: GCM
gcm_digest: GCM
GCM_DIGEST: GCM
gcm_encrypt: GCM
GCM_ENCRYPT: GCM
gcm_set_iv: GCM
GCM_SET_IV: GCM
gcm_set_key: GCM
GCM_SET_KEY: GCM
gcm_update: GCM
GCM_UPDATE: GCM
gosthash94_digest: Legacy hash functions
gosthash94_init: Legacy hash functions
gosthash94_update: Legacy hash functions
H
Hash function: Hash functions
HKDF: Key derivation functions
hkdf_expand: Key derivation functions
hkdf_extract: Key derivation functions
HMAC: HMAC
HMAC_CTX: HMAC
hmac_digest: HMAC
HMAC_DIGEST: HMAC
hmac_md5_digest: HMAC
hmac_md5_set_key: HMAC
hmac_md5_update: HMAC
hmac_ripemd160_digest: HMAC
hmac_ripemd160_set_key: HMAC
hmac_ripemd160_update: HMAC
hmac_set_key: HMAC
HMAC_SET_KEY: HMAC
hmac_sha1_digest: HMAC
hmac_sha1_set_key: HMAC
hmac_sha1_update: HMAC
hmac_sha256_digest: HMAC
hmac_sha256_set_key: HMAC
hmac_sha256_update: HMAC
hmac_sha512_digest: HMAC
hmac_sha512_set_key: HMAC
hmac_sha512_update: HMAC
hmac_update: HMAC
K
KDF: Key derivation functions
Key Derivation Function: Key derivation functions
Keyed Hash Function: Keyed hash functions
M
MAC: Keyed hash functions
md2_digest: Legacy hash functions
md2_init: Legacy hash functions
md2_update: Legacy hash functions
md4_digest: Legacy hash functions
md4_init: Legacy hash functions
md4_update: Legacy hash functions
md5_digest: Legacy hash functions
md5_init: Legacy hash functions
md5_update: Legacy hash functions
memeql_sec: Miscellaneous functions
memxor: Miscellaneous functions
memxor3: Miscellaneous functions
Message Authentication Code: Keyed hash functions
N
nettle_aead: nettle_aead abstraction
nettle_aeads: nettle_aead abstraction
nettle_aeads: nettle_aead abstraction
nettle_cipher: Cipher functions
nettle_ciphers: Cipher functions
nettle_ciphers: Cipher functions
nettle_get_aeads: nettle_aead abstraction
nettle_get_ciphers: Cipher functions
nettle_get_hashes: nettle_hash abstraction
nettle_hash: nettle_hash abstraction
nettle_hashes: nettle_hash abstraction
nettle_hashes: nettle_hash abstraction
O
One-way: Hash functions
One-way function: Public-key algorithms
P
Password Based Key Derivation Function: Key derivation functions
PBKDF: Key derivation functions
pbkdf2: Key derivation functions
PBKDF2: Key derivation functions
pbkdf2_hmac_sha1: Key derivation functions
pbkdf2_hmac_sha256: Key derivation functions
PKCS #5: Key derivation functions
poly1305_aes_digest: Poly1305
poly1305_aes_set_key: Poly1305
poly1305_aes_set_nonce: Poly1305
poly1305_aes_update: Poly1305
Public Key Cryptography: Public-key algorithms
R
Randomness: Randomness
ripemd160_digest: Legacy hash functions
ripemd160_init: Legacy hash functions
ripemd160_update: Legacy hash functions
rsa_compute_root: RSA
rsa_compute_root_tr(const: RSA
rsa_decrypt: RSA
rsa_decrypt_tr: RSA
rsa_encrypt: RSA
rsa_generate_keypair: RSA
rsa_md5_sign: RSA
rsa_md5_sign_digest: RSA
rsa_md5_sign_digest_tr(const: RSA
rsa_md5_sign_tr(const: RSA
rsa_md5_verify: RSA
rsa_md5_verify_digest: RSA
rsa_pkcs1_sign(const: RSA
rsa_pkcs1_sign_tr(const: RSA
rsa_pkcs1_verify(const: RSA
rsa_private_key_clear: RSA
rsa_private_key_init: RSA
rsa_private_key_prepare: RSA
rsa_pss_sha256_sign_digest_tr(const: RSA
rsa_pss_sha256_verify_digest: RSA
rsa_pss_sha384_sign_digest_tr(const: RSA
rsa_pss_sha384_verify_digest: RSA
rsa_pss_sha512_sign_digest_tr(const: RSA
rsa_pss_sha512_verify_digest: RSA
rsa_public_key_clear: RSA
rsa_public_key_init: RSA
rsa_public_key_prepare: RSA
rsa_sha1_sign: RSA
rsa_sha1_sign_digest: RSA
rsa_sha1_sign_digest_tr(const: RSA
rsa_sha1_sign_tr(const: RSA
rsa_sha1_verify: RSA
rsa_sha1_verify_digest: RSA
rsa_sha256_sign: RSA
rsa_sha256_sign_digest: RSA
rsa_sha256_sign_digest_tr(const: RSA
rsa_sha256_sign_tr(const: RSA
rsa_sha256_verify: RSA
rsa_sha256_verify_digest: RSA
rsa_sha512_sign: RSA
rsa_sha512_sign_digest: RSA
rsa_sha512_sign_digest_tr(const: RSA
rsa_sha512_sign_tr(const: RSA
rsa_sha512_verify: RSA
rsa_sha512_verify_digest: RSA
S
salsa20r12_crypt: Cipher functions
salsa20_128_set_key: Cipher functions
salsa20_256_set_key: Cipher functions
salsa20_crypt: Cipher functions
salsa20_set_key: Cipher functions
salsa20_set_nonce: Cipher functions
serpent_decrypt: Cipher functions
serpent_encrypt: Cipher functions
serpent_set_key: Cipher functions
sha1_digest: Legacy hash functions
sha1_init: Legacy hash functions
sha1_update: Legacy hash functions
sha224_digest: Recommended hash functions
sha224_init: Recommended hash functions
sha224_update: Recommended hash functions
sha256_digest: Recommended hash functions
sha256_init: Recommended hash functions
sha256_update: Recommended hash functions
SHA3: Recommended hash functions
sha384_digest: Recommended hash functions
sha384_init: Recommended hash functions
sha384_update: Recommended hash functions
sha3_224_digest: Recommended hash functions
sha3_224_init: Recommended hash functions
sha3_224_update: Recommended hash functions
sha3_256_digest: Recommended hash functions
sha3_256_init: Recommended hash functions
sha3_256_update: Recommended hash functions
sha3_384_digest: Recommended hash functions
sha3_384_init: Recommended hash functions
sha3_384_update: Recommended hash functions
sha3_512_digest: Recommended hash functions
sha3_512_init: Recommended hash functions
sha3_512_update: Recommended hash functions
sha512_224_digest: Recommended hash functions
sha512_224_init: Recommended hash functions
sha512_224_update: Recommended hash functions
sha512_256_digest: Recommended hash functions
sha512_256_init: Recommended hash functions
sha512_256_update: Recommended hash functions
sha512_digest: Recommended hash functions
sha512_init: Recommended hash functions
sha512_update: Recommended hash functions
Side-channel attack: Side-channel silence
Stream Cipher: Cipher functions
struct: nettle_hash abstraction
struct: Cipher functions
struct: nettle_aead abstraction
T
twofish_decrypt: Cipher functions
twofish_encrypt: Cipher functions
twofish_set_key: Cipher functions
U
UMAC: UMAC
umac128_digest: UMAC
umac128_set_key: UMAC
umac128_set_nonce: UMAC
umac128_update: UMAC
umac32_digest: UMAC
umac32_set_key: UMAC
umac32_set_nonce: UMAC
umac32_update: UMAC
umac64_digest: UMAC
umac64_set_key: UMAC
umac64_set_nonce: UMAC
umac64_update: UMAC
umac96_digest: UMAC
umac96_set_key: UMAC
umac96_set_nonce: UMAC
umac96_update: UMAC
Y
yarrow256_fast_reseed: Randomness
yarrow256_init: Randomness
yarrow256_is_seeded: Randomness
yarrow256_needed_sources: Randomness
yarrow256_random: Randomness
yarrow256_seed: Randomness
yarrow256_slow_reseed: Randomness
yarrow256_update: Randomness
yarrow_key_event_estimate: Randomness
yarrow_key_event_init: Randomness
Jump to:   A   B   C   D   E   G   H   K   M   N   O   P   R   S   T   U   Y  

  [Contents][Index]

Footnotes

(1)

Actually, the computation is not done like this, it is done more efficiently using p, q and the Chinese remainder theorem (CRT). But the result is the same.

nettle-3.4.1/ctr.c0000644000175000017500000000626013401564745013007 0ustar nissenisse/* ctr.c Cipher counter mode. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "ctr.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" #define NBLOCKS 4 void ctr_crypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src) { if (src != dst) { if (length == block_size) { f(ctx, block_size, dst, ctr); INCREMENT(block_size, ctr); memxor(dst, src, block_size); } else { size_t left; uint8_t *p; for (p = dst, left = length; left >= block_size; left -= block_size, p += block_size) { memcpy (p, ctr, block_size); INCREMENT(block_size, ctr); } f(ctx, length - left, dst, dst); memxor(dst, src, length - left); if (left) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); f(ctx, block_size, buffer, ctr); INCREMENT(block_size, ctr); memxor3(dst + length - left, src + length - left, buffer, left); } } } else { if (length > block_size) { TMP_DECL(buffer, uint8_t, NBLOCKS * NETTLE_MAX_CIPHER_BLOCK_SIZE); size_t chunk = NBLOCKS * block_size; TMP_ALLOC(buffer, chunk); for (; length >= chunk; length -= chunk, src += chunk, dst += chunk) { unsigned n; uint8_t *p; for (n = 0, p = buffer; n < NBLOCKS; n++, p += block_size) { memcpy (p, ctr, block_size); INCREMENT(block_size, ctr); } f(ctx, chunk, buffer, buffer); memxor(dst, buffer, chunk); } if (length > 0) { /* Final, possibly partial, blocks */ for (chunk = 0; chunk < length; chunk += block_size) { memcpy (buffer + chunk, ctr, block_size); INCREMENT(block_size, ctr); } f(ctx, chunk, buffer, buffer); memxor3(dst, src, buffer, length); } } else if (length > 0) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); f(ctx, block_size, buffer, ctr); INCREMENT(block_size, ctr); memxor3(dst, src, buffer, length); } } } nettle-3.4.1/serpent-internal.h0000644000175000017500000000554713401564746015526 0ustar nissenisse/* serpent-internal-h The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #ifndef NETTLE_SERPENT_INTERNAL_H_INCLUDED #define NETTLE_SERPENT_INTERNAL_H_INCLUDED #define KEYXOR(x0,x1,x2,x3, subkey) \ do { \ (x0) ^= (subkey)[0]; \ (x1) ^= (subkey)[1]; \ (x2) ^= (subkey)[2]; \ (x3) ^= (subkey)[3]; \ } while (0) #if HAVE_NATIVE_64_BIT /* Operate independently on both halves of a 64-bit word. */ #define DROTL32(n,x) \ (((x) << (n) & ~((((uint64_t) 1 << (n))-1) << 32)) \ |(((x) >> (32-(n))) & ~((((uint64_t) 1 << (32-(n)))-1) << (n)))) #define KEYXOR64(x0,x1,x2,x3, subkey) \ do { \ uint64_t _sk; \ _sk = (subkey)[0]; _sk |= _sk << 32; (x0) ^= _sk; \ _sk = (subkey)[1]; _sk |= _sk << 32; (x1) ^= _sk; \ _sk = (subkey)[2]; _sk |= _sk << 32; (x2) ^= _sk; \ _sk = (subkey)[3]; _sk |= _sk << 32; (x3) ^= _sk; \ } while (0) #define DRSHIFT32(n,x) \ ( ((x) << (n)) & ~((((uint64_t) 1 << (n)) - 1) << 32)) #endif /* HAVE_NATIVE_64_BIT */ #endif /* NETTLE_SERPENT_INTERNAL_H_INCLUDED */ nettle-3.4.1/gcm-aes256.c0000644000175000017500000000377513401564745014000 0ustar nissenisse/* gcm-aes256.c Galois counter mode using AES256 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key); } void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, aes256_encrypt, length, dst, src); } void gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, aes256_encrypt, length, dst, src); } void gcm_aes256_digest(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes256_encrypt, length, digest); } nettle-3.4.1/sha1-compress.c0000644000175000017500000002453213401564745014706 0ustar nissenisse/* sha1-compress.c The compression function of the sha1 hash function. Copyright (C) 2001, 2004 Peter Gutmann, Andrew Kuchling, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Here's the first paragraph of Peter Gutmann's posting, * <30ajo5$oe8@ccu2.auckland.ac.nz>: * * The following is my SHA (FIPS 180) code updated to allow use of the "fixed" * SHA, thanks to Jim Gillogly and an anonymous contributor for the information on * what's changed in the new version. The fix is a simple change which involves * adding a single rotate in the initial expansion function. It is unknown * whether this is an optimal solution to the problem which was discovered in the * SHA or whether it's simply a bandaid which fixes the problem with a minimum of * effort (for example the reengineering of a great many Capstone chips). */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA1_DEBUG # define SHA1_DEBUG 0 #endif #if SHA1_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x\n", i, A, B, C, D ,E) #else # define DEBUG(i) #endif #include #include #include #include "sha1.h" #include "macros.h" /* A block, treated as a sequence of 32-bit words. */ #define SHA1_DATA_LENGTH 16 /* The SHA f()-functions. The f1 and f3 functions can be optimized to save one boolean operation each - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering this */ /* FIXME: Can save a temporary in f3 by using ( (x & y) + (z & (x ^ y)) ), and then, in the round, compute one of the terms and add it into the destination word before computing the second term. Credits to George Spelvin for pointing this out. Unfortunately, gcc doesn't seem to be smart enough to take advantage of this. */ /* #define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) Rounds 0-19 */ #define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */ #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */ /* #define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) Rounds 40-59 */ #define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */ #define f4 f2 /* The SHA Mysterious Constants */ #define K1 0x5A827999L /* Rounds 0-19 */ #define K2 0x6ED9EBA1L /* Rounds 20-39 */ #define K3 0x8F1BBCDCL /* Rounds 40-59 */ #define K4 0xCA62C1D6L /* Rounds 60-79 */ /* The initial expanding function. The hash function is defined over an 80-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ] This implementation generates these values on the fly in a circular buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this optimization. The updated SHA changes the expanding function by adding a rotate of 1 bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor for this information */ #define expand(W,i) ( W[ i & 15 ] = \ ROTL32( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \ W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) ) /* The prototype SHA sub-round. The fundamental sub-round is: a' = e + ROTL32( 5, a ) + f( b, c, d ) + k + data; b' = a; c' = ROTL32( 30, b ); d' = c; e' = d; but this is implemented by unrolling the loop 5 times and renaming the variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration. This code is then replicated 20 times for each of the 4 functions, using the next 20 values from the W[] array each time */ #define subRound(a, b, c, d, e, f, k, data) \ ( e += ROTL32( 5, a ) + f( b, c, d ) + k + data, b = ROTL32( 30, b ) ) /* For fat builds */ #if HAVE_NATIVE_sha1_compress void _nettle_sha1_compress_c(uint32_t *state, const uint8_t *input); #define _nettle_sha1_compress _nettle_sha1_compress_c #endif /* Perform the SHA transformation. Note that this code, like MD5, seems to break some optimizing compilers due to the complexity of the expressions and the size of the basic block. It may be necessary to split it into sections, e.g. based on the four subrounds. */ void _nettle_sha1_compress(uint32_t *state, const uint8_t *input) { uint32_t data[SHA1_DATA_LENGTH]; uint32_t A, B, C, D, E; /* Local vars */ int i; for (i = 0; i < SHA1_DATA_LENGTH; i++, input+= 4) { data[i] = READ_UINT32(input); } /* Set up first buffer and local data buffer */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; DEBUG(-1); /* Heavy mangling, in 4 sub-rounds of 20 interations each. */ subRound( A, B, C, D, E, f1, K1, data[ 0] ); DEBUG(0); subRound( E, A, B, C, D, f1, K1, data[ 1] ); DEBUG(1); subRound( D, E, A, B, C, f1, K1, data[ 2] ); subRound( C, D, E, A, B, f1, K1, data[ 3] ); subRound( B, C, D, E, A, f1, K1, data[ 4] ); subRound( A, B, C, D, E, f1, K1, data[ 5] ); subRound( E, A, B, C, D, f1, K1, data[ 6] ); subRound( D, E, A, B, C, f1, K1, data[ 7] ); subRound( C, D, E, A, B, f1, K1, data[ 8] ); subRound( B, C, D, E, A, f1, K1, data[ 9] ); subRound( A, B, C, D, E, f1, K1, data[10] ); subRound( E, A, B, C, D, f1, K1, data[11] ); subRound( D, E, A, B, C, f1, K1, data[12] ); subRound( C, D, E, A, B, f1, K1, data[13] ); subRound( B, C, D, E, A, f1, K1, data[14] ); subRound( A, B, C, D, E, f1, K1, data[15] ); DEBUG(15); subRound( E, A, B, C, D, f1, K1, expand( data, 16 ) ); DEBUG(16); subRound( D, E, A, B, C, f1, K1, expand( data, 17 ) ); DEBUG(17); subRound( C, D, E, A, B, f1, K1, expand( data, 18 ) ); DEBUG(18); subRound( B, C, D, E, A, f1, K1, expand( data, 19 ) ); DEBUG(19); subRound( A, B, C, D, E, f2, K2, expand( data, 20 ) ); DEBUG(20); subRound( E, A, B, C, D, f2, K2, expand( data, 21 ) ); DEBUG(21); subRound( D, E, A, B, C, f2, K2, expand( data, 22 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 23 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 24 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 25 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 26 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 27 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 28 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 29 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 30 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 31 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 32 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 33 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 34 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 35 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 36 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 37 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 38 ) ); DEBUG(38); subRound( B, C, D, E, A, f2, K2, expand( data, 39 ) ); DEBUG(39); subRound( A, B, C, D, E, f3, K3, expand( data, 40 ) ); DEBUG(40); subRound( E, A, B, C, D, f3, K3, expand( data, 41 ) ); DEBUG(41); subRound( D, E, A, B, C, f3, K3, expand( data, 42 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 43 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 44 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 45 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 46 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 47 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 48 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 49 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 50 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 51 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 52 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 53 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 54 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 55 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 56 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 57 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 58 ) ); DEBUG(58); subRound( B, C, D, E, A, f3, K3, expand( data, 59 ) ); DEBUG(59); subRound( A, B, C, D, E, f4, K4, expand( data, 60 ) ); DEBUG(60); subRound( E, A, B, C, D, f4, K4, expand( data, 61 ) ); DEBUG(61); subRound( D, E, A, B, C, f4, K4, expand( data, 62 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 63 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 64 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 65 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 66 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 67 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 68 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 69 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 70 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 71 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 72 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 73 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 74 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 75 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 76 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 77 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 78 ) ); DEBUG(78); subRound( B, C, D, E, A, f4, K4, expand( data, 79 ) ); DEBUG(79); /* Build message digest */ state[0] += A; state[1] += B; state[2] += C; state[3] += D; state[4] += E; #if SHA1_DEBUG fprintf(stderr, "99: %8x %8x %8x %8x %8x\n", state[0], state[1], state[2], state[3], state[4]); #endif } nettle-3.4.1/memxor3.c0000644000175000017500000001571313401564745013614 0ustar nissenisse/* memxor3.c Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Implementation inspired by memcmp in glibc, contributed to the FSF by Torbjorn Granlund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memxor.h" #include "memxor-internal.h" #define WORD_T_THRESH 16 /* XOR word-aligned areas. n is the number of words, not bytes. */ static void memxor3_common_alignment (word_t *dst, const word_t *a, const word_t *b, size_t n) { /* FIXME: Require n > 0? */ if (n & 1) { n--; dst[n] = a[n] ^ b[n]; } while (n > 0) { n -= 2; dst[n+1] = a[n+1] ^ b[n+1]; dst[n] = a[n] ^ b[n]; } } static void memxor3_different_alignment_b (word_t *dst, const word_t *a, const unsigned char *b, unsigned offset, size_t n) { int shl, shr; const word_t *b_word; word_t s0, s1; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &b_word[n], offset); #ifdef WORDS_BIGENDIAN s0 <<= shr; #endif if (n & 1) s1 = s0; else { n--; s1 = b_word[n]; dst[n] = a[n] ^ MERGE (s1, shl, s0, shr); } while (n > 2) { n -= 2; s0 = b_word[n+1]; dst[n+1] = a[n+1] ^ MERGE(s0, shl, s1, shr); s1 = b_word[n]; dst[n] = a[n] ^ MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, b, sizeof(word_t) - offset); #ifndef WORDS_BIGENDIAN s0 <<= shl; #endif /* !WORDS_BIGENDIAN */ dst[0] = a[0] ^ MERGE(s0, shl, s1, shr); } static void memxor3_different_alignment_ab (word_t *dst, const unsigned char *a, const unsigned char *b, unsigned offset, size_t n) { int shl, shr; const word_t *a_word; const word_t *b_word; word_t s0, s1, t; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &a_word[n], offset); READ_PARTIAL (t, (unsigned char *) &b_word[n], offset); s0 ^= t; #ifdef WORDS_BIGENDIAN s0 <<= shr; #endif if (n & 1) s1 = s0; else { n--; s1 = a_word[n] ^ b_word[n]; dst[n] = MERGE (s1, shl, s0, shr); } while (n > 2) { n -= 2; s0 = a_word[n+1] ^ b_word[n+1]; dst[n+1] = MERGE(s0, shl, s1, shr); s1 = a_word[n] ^ b_word[n]; dst[n] = MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, a, sizeof(word_t) - offset); READ_PARTIAL (t, b, sizeof(word_t) - offset); s0 ^= t; #ifndef WORDS_BIGENDIAN s0 <<= shl; #endif /* !WORDS_BIGENDIAN */ dst[0] = MERGE(s0, shl, s1, shr); } static void memxor3_different_alignment_all (word_t *dst, const unsigned char *a, const unsigned char *b, unsigned a_offset, unsigned b_offset, size_t n) { int al, ar, bl, br; const word_t *a_word; const word_t *b_word; word_t a0, a1, b0, b1; al = CHAR_BIT * a_offset; ar = CHAR_BIT * (sizeof(word_t) - a_offset); bl = CHAR_BIT * b_offset; br = CHAR_BIT * (sizeof(word_t) - b_offset); a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (a0, (unsigned char *) &a_word[n], a_offset); READ_PARTIAL (b0, (unsigned char *) &b_word[n], b_offset); #ifdef WORDS_BIGENDIAN a0 <<= ar; b0 <<= br; #endif if (n & 1) { a1 = a0; b1 = b0; } else { n--; a1 = a_word[n]; b1 = b_word[n]; dst[n] = MERGE (a1, al, a0, ar) ^ MERGE (b1, bl, b0, br); } while (n > 2) { n -= 2; a0 = a_word[n+1]; b0 = b_word[n+1]; dst[n+1] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); a1 = a_word[n]; b1 = b_word[n]; dst[n] = MERGE(a1, al, a0, ar) ^ MERGE(b1, bl, b0, br); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (a0, a, sizeof(word_t) - a_offset); READ_PARTIAL (b0, b, sizeof(word_t) - b_offset); #ifndef WORDS_BIGENDIAN a0 <<= al; b0 <<= bl; #endif /* !WORDS_BIGENDIAN */ dst[0] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); } /* Current implementation processes data in descending order, to support overlapping operation with one of the sources overlapping the start of the destination area. This feature is used only internally by cbc decrypt, and it is not advertised or documented to nettle users. */ void * memxor3(void *dst_in, const void *a_in, const void *b_in, size_t n) { unsigned char *dst = dst_in; const unsigned char *a = a_in; const unsigned char *b = b_in; if (n >= WORD_T_THRESH) { unsigned i; unsigned a_offset; unsigned b_offset; size_t nwords; for (i = ALIGN_OFFSET(dst + n); i > 0; i--) { n--; dst[n] = a[n] ^ b[n]; } a_offset = ALIGN_OFFSET(a + n); b_offset = ALIGN_OFFSET(b + n); nwords = n / sizeof (word_t); n %= sizeof (word_t); if (a_offset == b_offset) { if (!a_offset) memxor3_common_alignment((word_t *) (dst + n), (const word_t *) (a + n), (const word_t *) (b + n), nwords); else memxor3_different_alignment_ab((word_t *) (dst + n), a + n, b + n, a_offset, nwords); } else if (!a_offset) memxor3_different_alignment_b((word_t *) (dst + n), (const word_t *) (a + n), b + n, b_offset, nwords); else if (!b_offset) memxor3_different_alignment_b((word_t *) (dst + n), (const word_t *) (b + n), a + n, a_offset, nwords); else memxor3_different_alignment_all((word_t *) (dst + n), a + n, b + n, a_offset, b_offset, nwords); } while (n-- > 0) dst[n] = a[n] ^ b[n]; return dst; } nettle-3.4.1/asn1.h0000644000175000017500000001017113401564746013063 0ustar nissenisse/* asn1.h Limited support for ASN.1 DER decoding. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ASN1_H_INCLUDED #define NETTLE_ASN1_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define asn1_der_iterator_first nettle_asn1_der_iterator_first #define asn1_der_iterator_next nettle_asn1_der_iterator_next #define asn1_der_decode_constructed nettle_asn1_der_decode_constructed #define asn1_der_decode_constructed_last nettle_asn1_der_decode_constructed_last #define asn1_der_decode_bitstring nettle_asn1_der_decode_bitstring #define asn1_der_decode_bitstring_last nettle_asn1_der_decode_bitstring_last #define asn1_der_get_uint32 nettle_asn1_der_get_uint32 #define asn1_der_get_bignum nettle_asn1_der_get_bignum /* enum asn1_type keeps the class number and the constructive in bits 13-14, and the constructive flag in bit 12. The remaining 14 bits are the tag (although currently, only tags in the range 0-30 are supported). */ enum { ASN1_TYPE_CONSTRUCTED = 1 << 12, ASN1_CLASS_UNIVERSAL = 0, ASN1_CLASS_APPLICATION = 1 << 13, ASN1_CLASS_CONTEXT_SPECIFIC = 2 << 13, ASN1_CLASS_PRIVATE = 3 << 13, ASN1_CLASS_MASK = 3 << 13, ASN1_CLASS_SHIFT = 13, }; enum asn1_type { ASN1_BOOLEAN = 1, ASN1_INTEGER = 2, ASN1_BITSTRING = 3, ASN1_OCTETSTRING = 4, ASN1_NULL = 5, ASN1_IDENTIFIER = 6, ASN1_REAL = 9, ASN1_ENUMERATED = 10, ASN1_UTF8STRING = 12, ASN1_SEQUENCE = 16 | ASN1_TYPE_CONSTRUCTED, ASN1_SET = 17 | ASN1_TYPE_CONSTRUCTED, ASN1_PRINTABLESTRING = 19, ASN1_TELETEXSTRING = 20, ASN1_IA5STRING = 22, ASN1_UTC = 23, ASN1_UNIVERSALSTRING = 28, ASN1_BMPSTRING = 30, }; enum asn1_iterator_result { ASN1_ITERATOR_ERROR, ASN1_ITERATOR_PRIMITIVE, ASN1_ITERATOR_CONSTRUCTED, ASN1_ITERATOR_END, }; /* Parsing DER objects. */ struct asn1_der_iterator { size_t buffer_length; const uint8_t *buffer; /* Next object to parse. */ size_t pos; enum asn1_type type; /* Pointer to the current object */ size_t length; const uint8_t *data; }; /* Initializes the iterator. */ enum asn1_iterator_result asn1_der_iterator_first(struct asn1_der_iterator *iterator, size_t length, const uint8_t *input); enum asn1_iterator_result asn1_der_iterator_next(struct asn1_der_iterator *iterator); /* Starts parsing of a constructed object. */ enum asn1_iterator_result asn1_der_decode_constructed(struct asn1_der_iterator *i, struct asn1_der_iterator *contents); /* For the common case that we have a sequence at the end of the object. Checks that the current object is the final one, and then reinitializes the iterator to parse its ontents. */ enum asn1_iterator_result asn1_der_decode_constructed_last(struct asn1_der_iterator *i); enum asn1_iterator_result asn1_der_decode_bitstring(struct asn1_der_iterator *i, struct asn1_der_iterator *contents); enum asn1_iterator_result asn1_der_decode_bitstring_last(struct asn1_der_iterator *i); /* All these functions return 1 on success, 0 on failure */ int asn1_der_get_uint32(struct asn1_der_iterator *i, uint32_t *x); #ifdef __cplusplus } #endif #endif /* NETTLE_ASN1_H_INCLUDED */ nettle-3.4.1/sexp2dsa.c0000644000175000017500000000715713401564746013757 0ustar nissenisse/* sexp2dsa.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "bignum.h" #include "sexp.h" #define GET(x, l, v) \ do { \ if (!nettle_mpz_set_sexp((x), (l), (v)) \ || mpz_sgn(x) <= 0) \ return 0; \ } while(0) /* Iterator should point past the algorithm tag, e.g. * * (public-key (dsa (p |xxxx|) ...) * ^ here */ int dsa_keypair_from_sexp_alist(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i) { static const char * const names[5] = { "p", "q", "g", "y", "x" }; struct sexp_iterator values[5]; unsigned nvalues = priv ? 5 : 4; unsigned p_bits; if (!sexp_iterator_assoc(i, nvalues, names, values)) return 0; GET(params->p, p_max_bits, &values[0]); p_bits = mpz_sizeinbase (params->p, 2); GET(params->q, q_bits ? q_bits : p_bits, &values[1]); if (q_bits > 0 && mpz_sizeinbase(params->q, 2) != q_bits) return 0; if (mpz_cmp (params->q, params->p) >= 0) return 0; GET(params->g, p_bits, &values[2]); if (mpz_cmp (params->g, params->p) >= 0) return 0; GET(pub, p_bits, &values[3]); if (mpz_cmp (pub, params->p) >= 0) return 0; if (priv) { GET(priv, mpz_sizeinbase (params->q, 2), &values[4]); if (mpz_cmp (priv, params->q) >= 0) return 0; } return 1; } int dsa_sha1_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa") && dsa_keypair_from_sexp_alist(params, pub, priv, p_max_bits, DSA_SHA1_Q_BITS, &i); } int dsa_sha256_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa-sha256") && dsa_keypair_from_sexp_alist(params, pub, priv, p_max_bits, DSA_SHA256_Q_BITS, &i); } int dsa_signature_from_sexp(struct dsa_signature *rs, struct sexp_iterator *i, unsigned q_bits) { static const char * const names[2] = { "r", "s" }; struct sexp_iterator values[2]; if (!sexp_iterator_assoc(i, 2, names, values)) return 0; GET(rs->r, q_bits, &values[0]); GET(rs->s, q_bits, &values[1]); return 1; } nettle-3.4.1/ecc-192.c0000644000175000017500000000753313401564746013267 0ustar nissenisse/* ecc-192.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include /* FIXME: Remove ecc.h include, once prototypes of more internal functions are moved to ecc-internal.h */ #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-192.h" #if HAVE_NATIVE_ecc_192_modp #define ecc_192_modp nettle_ecc_192_modp void ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp); /* Use that p = 2^{192} - 2^64 - 1, to eliminate 128 bits at a time. */ #elif GMP_NUMB_BITS == 32 /* p is 6 limbs, p = B^6 - B^2 - 1 */ static void ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) { mp_limb_t cy; /* Reduce from 12 to 9 limbs (top limb small)*/ cy = mpn_add_n (rp + 2, rp + 2, rp + 8, 4); cy = sec_add_1 (rp + 6, rp + 6, 2, cy); cy += mpn_add_n (rp + 4, rp + 4, rp + 8, 4); assert (cy <= 2); rp[8] = cy; /* Reduce from 9 to 6 limbs */ cy = mpn_add_n (rp, rp, rp + 6, 3); cy = sec_add_1 (rp + 3, rp + 3, 2, cy); cy += mpn_add_n (rp + 2, rp + 2, rp + 6, 3); cy = sec_add_1 (rp + 5, rp + 5, 1, cy); assert (cy <= 1); cy = cnd_add_n (cy, rp, ecc_Bmodp, 6); assert (cy == 0); } #elif GMP_NUMB_BITS == 64 /* p is 3 limbs, p = B^3 - B - 1 */ static void ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) { mp_limb_t cy; /* Reduce from 6 to 5 limbs (top limb small)*/ cy = mpn_add_n (rp + 1, rp + 1, rp + 4, 2); cy = sec_add_1 (rp + 3, rp + 3, 1, cy); cy += mpn_add_n (rp + 2, rp + 2, rp + 4, 2); assert (cy <= 2); rp[4] = cy; /* Reduce from 5 to 4 limbs (high limb small) */ cy = mpn_add_n (rp, rp, rp + 3, 2); cy = sec_add_1 (rp + 2, rp + 2, 1, cy); cy += mpn_add_n (rp + 1, rp + 1, rp + 3, 2); assert (cy <= 1); cy = cnd_add_n (cy, rp, ecc_Bmodp, 3); assert (cy == 0); } #else #define ecc_192_modp ecc_mod #endif const struct ecc_curve nettle_secp_192r1 = { { 192, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_redc_ppm1, ecc_pp1h, ecc_192_modp, ecc_192_modp, ecc_mod_inv, NULL, }, { 192, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), ecc_add_jjj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_g, NULL, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_192r1(void) { return &nettle_secp_192r1; } nettle-3.4.1/ecc-eh-to-a.c0000644000175000017500000000454213401564746014203 0ustar nissenisse/* ecc-eh-to-a.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" /* Convert from homogeneous coordinates on the Edwards curve to affine coordinates. */ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch #define tp (scratch + ecc->p.size) #define xp p #define yp (p + ecc->p.size) #define zp (p + 2*ecc->p.size) mp_limb_t cy; /* Needs 2*size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); ecc_modp_mul (ecc, tp, xp, izp); cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r, tp, ecc->p.size); if (op) { /* Skip y coordinate */ if (op > 1) { /* Reduce modulo q. FIXME: Hardcoded for curve25519, duplicates end of ecc_25519_modq. FIXME: Is this needed at all? Full reduction mod p is maybe sufficient. */ unsigned shift; assert (ecc->p.bit_size == 255); shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, r[ecc->p.size-1] >> shift); assert (cy < 2); cnd_add_n (cy, r, ecc->q.m, ecc->p.size); } return; } ecc_modp_mul (ecc, tp, yp, izp); cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); } nettle-3.4.1/eax.c0000644000175000017500000001164413401564745012776 0ustar nissenisse/* eax.c EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "eax.h" #include "ctr.h" #include "memxor.h" static void omac_init (union nettle_block16 *state, unsigned t) { memset (state->b, 0, EAX_BLOCK_SIZE - 1); state->b[EAX_BLOCK_SIZE - 1] = t; } /* Almost the same as gcm_gf_add */ static void block16_xor (union nettle_block16 *dst, const union nettle_block16 *src) { dst->w[0] ^= src->w[0]; dst->w[1] ^= src->w[1]; #if SIZEOF_LONG == 4 dst->w[2] ^= src->w[2]; dst->w[3] ^= src->w[3]; #endif } static void omac_update (union nettle_block16 *state, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { for (; length >= EAX_BLOCK_SIZE; length -= EAX_BLOCK_SIZE, data += EAX_BLOCK_SIZE) { f (cipher, EAX_BLOCK_SIZE, state->b, state->b); memxor (state->b, data, EAX_BLOCK_SIZE); } if (length > 0) { /* Allowed only for the last call */ f (cipher, EAX_BLOCK_SIZE, state->b, state->b); memxor (state->b, data, length); state->b[length] ^= 0x80; /* XOR with (P ^ B), since the digest processing * unconditionally XORs with B */ block16_xor (state, &key->pad_partial); } } static void omac_final (union nettle_block16 *state, const struct eax_key *key, const void *cipher, nettle_cipher_func *f) { block16_xor (state, &key->pad_block); f (cipher, EAX_BLOCK_SIZE, state->b, state->b); } /* Allows r == a */ static void gf2_double (uint8_t *r, const uint8_t *a) { unsigned high = - (a[0] >> 7); unsigned i; /* Shift left */ for (i = 0; i < EAX_BLOCK_SIZE - 1; i++) r[i] = (a[i] << 1) + (a[i+1] >> 7); /* Wrap around for x^{128} = x^7 + x^2 + x + 1 */ r[EAX_BLOCK_SIZE - 1] = (a[EAX_BLOCK_SIZE - 1] << 1) ^ (high & 0x87); } void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; f (cipher, EAX_BLOCK_SIZE, key->pad_block.b, zero_block.b); gf2_double (key->pad_block.b, key->pad_block.b); gf2_double (key->pad_partial.b, key->pad_block.b); block16_xor (&key->pad_partial, &key->pad_block); } void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce) { omac_init (&eax->omac_nonce, 0); omac_update (&eax->omac_nonce, key, cipher, f, nonce_length, nonce); omac_final (&eax->omac_nonce, key, cipher, f); memcpy (eax->ctr.b, eax->omac_nonce.b, EAX_BLOCK_SIZE); omac_init (&eax->omac_data, 1); omac_init (&eax->omac_message, 2); } void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data) { omac_update (&eax->omac_data, key, cipher, f, data_length, data); } void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); omac_update (&eax->omac_message, key, cipher, f, length, dst); } void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { omac_update (&eax->omac_message, key, cipher, f, length, src); ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); } void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest) { assert (length > 0); assert (length <= EAX_BLOCK_SIZE); omac_final (&eax->omac_data, key, cipher, f); omac_final (&eax->omac_message, key, cipher, f); block16_xor (&eax->omac_nonce, &eax->omac_data); memxor3 (digest, eax->omac_nonce.b, eax->omac_message.b, length); } nettle-3.4.1/rsa-sign.c0000644000175000017500000001067213401564745013744 0ustar nissenisse/* rsa-sign.c Creating RSA signatures. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" void rsa_private_key_init(struct rsa_private_key *key) { mpz_init(key->d); mpz_init(key->p); mpz_init(key->q); mpz_init(key->a); mpz_init(key->b); mpz_init(key->c); /* Not really necessary, but it seems cleaner to initialize all the * storage. */ key->size = 0; } void rsa_private_key_clear(struct rsa_private_key *key) { mpz_clear(key->d); mpz_clear(key->p); mpz_clear(key->q); mpz_clear(key->a); mpz_clear(key->b); mpz_clear(key->c); } int rsa_private_key_prepare(struct rsa_private_key *key) { mpz_t n; /* A key is invalid if the sizes of q and c are smaller than * the size of n, we rely on that property in calculations so * fail early if that happens. */ if (mpz_size (key->q) + mpz_size (key->c) < mpz_size(key->p)) return 0; /* The size of the product is the sum of the sizes of the factors, * or sometimes one less. It's possible but tricky to compute the * size without computing the full product. */ mpz_init(n); mpz_mul(n, key->p, key->q); key->size = _rsa_check_size(n); mpz_clear(n); return (key->size > 0); } #if NETTLE_USE_MINI_GMP /* Computing an rsa root. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m) { mpz_t xp; /* modulo p */ mpz_t xq; /* modulo q */ mpz_init(xp); mpz_init(xq); /* Compute xq = m^d % q = (m%q)^b % q */ mpz_fdiv_r(xq, m, key->q); mpz_powm_sec(xq, xq, key->b, key->q); /* Compute xp = m^d % p = (m%p)^a % p */ mpz_fdiv_r(xp, m, key->p); mpz_powm_sec(xp, xp, key->a, key->p); /* Set xp' = (xp - xq) c % p. */ mpz_sub(xp, xp, xq); mpz_mul(xp, xp, key->c); mpz_fdiv_r(xp, xp, key->p); /* Finally, compute x = xq + q xp' * * To prove that this works, note that * * xp = x + i p, * xq = x + j q, * c q = 1 + k p * * for some integers i, j and k. Now, for some integer l, * * xp' = (xp - xq) c + l p * = (x + i p - (x + j q)) c + l p * = (i p - j q) c + l p * = (i c + l) p - j (c q) * = (i c + l) p - j (1 + kp) * = (i c + l - j k) p - j * * which shows that xp' = -j (mod p). We get * * xq + q xp' = x + j q + (i c + l - j k) p q - j q * = x + (i c + l - j k) p q * * so that * * xq + q xp' = x (mod pq) * * We also get 0 <= xq + q xp' < p q, because * * 0 <= xq < q and 0 <= xp' < p. */ mpz_mul(x, key->q, xp); mpz_add(x, x, xq); mpz_clear(xp); mpz_clear(xq); } #else /* !NETTLE_USE_MINI_GMP */ /* Computing an rsa root. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m) { TMP_GMP_DECL (scratch, mp_limb_t); TMP_GMP_DECL (ml, mp_limb_t); mp_limb_t *xl; size_t key_size; key_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); assert(mpz_size (m) <= key_size); /* we need a copy because m can be shorter than key_size, * but _rsa_sec_compute_root expect all inputs to be * normalized to a key_size long buffer length */ TMP_GMP_ALLOC (ml, key_size); mpz_limbs_copy(ml, m, key_size); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); xl = mpz_limbs_write (x, key_size); _rsa_sec_compute_root (key, xl, ml, scratch); mpz_limbs_finish (x, key_size); TMP_GMP_FREE (ml); TMP_GMP_FREE (scratch); } #endif /* !NETTLE_USE_MINI_GMP */ nettle-3.4.1/ecdsa.h0000644000175000017500000000555413401564746013311 0ustar nissenisse/* ecdsa.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECDSA_H_INCLUDED #define NETTLE_ECDSA_H_INCLUDED #include "ecc.h" #include "dsa.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ecdsa_sign nettle_ecdsa_sign #define ecdsa_verify nettle_ecdsa_verify #define ecdsa_generate_keypair nettle_ecdsa_generate_keypair #define ecc_ecdsa_sign nettle_ecc_ecdsa_sign #define ecc_ecdsa_sign_itch nettle_ecc_ecdsa_sign_itch #define ecc_ecdsa_verify nettle_ecc_ecdsa_verify #define ecc_ecdsa_verify_itch nettle_ecc_ecdsa_verify_itch /* High level ECDSA functions. * * A public key is represented as a struct ecc_point, and a private * key as a struct ecc_scalar. FIXME: Introduce some aliases? */ void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature); int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random); /* Low-level ECDSA functions. */ mp_size_t ecc_ecdsa_sign_itch (const struct ecc_curve *ecc); void ecc_ecdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch); mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc); int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch); #ifdef __cplusplus } #endif #endif /* NETTLE_ECDSA_H_INCLUDED */ nettle-3.4.1/ed25519-sha512-verify.c0000644000175000017500000000342113401564746015515 0ustar nissenisse/* ed25519-sha512-verify.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "ecc-internal.h" #include "sha2.h" int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve25519; mp_size_t itch = 3*ecc->p.size + _eddsa_verify_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); struct sha512_ctx ctx; int res; #define A scratch #define scratch_out (scratch + 3*ecc->p.size) res = (_eddsa_decompress (ecc, A, pub, scratch_out) && _eddsa_verify (ecc, &nettle_sha512, pub, A, &ctx, length, msg, signature, scratch_out)); gmp_free_limbs (scratch, itch); return res; #undef A #undef scratch_out } nettle-3.4.1/eddsa-compress.c0000644000175000017500000000353413401564746015132 0ustar nissenisse/* eddsa-compress.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "gmp-glue.h" mp_size_t _eddsa_compress_itch (const struct ecc_curve *ecc) { return 2*ecc->p.size + ecc->h_to_a_itch; } void _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, mp_limb_t *scratch) { #define xp scratch #define yp (scratch + ecc->p.size) #define scratch_out (scratch + 2*ecc->p.size) ecc->h_to_a (ecc, 0, xp, p, scratch_out); /* Encoding is the y coordinate and an appended "sign" bit, which is the low bit of x. Bit order is not specified explicitly, but for little-endian encoding, it makes most sense to append the bit after the most significant bit of y. */ mpn_get_base256_le (r, 1 + ecc->p.bit_size / 8, yp, ecc->p.size); r[ecc->p.bit_size / 8] += (xp[0] & 1) << (ecc->p.bit_size & 7); } nettle-3.4.1/aes192-set-decrypt-key.c0000644000175000017500000000262613401564745016254 0ustar nissenisse/* aes192-set-decrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" void aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src) { _aes_invert (_AES192_ROUNDS, dst->keys, src->keys); } void aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key (ctx, key); aes192_invert_key (ctx, ctx); } nettle-3.4.1/yarrow_key_event.c0000644000175000017500000000413413401564745015611 0ustar nissenisse/* yarrow_key_event.c Example entropy estimator for key-like input events. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "yarrow.h" void yarrow_key_event_init(struct yarrow_key_event_ctx *ctx) { unsigned i; ctx->index = 0; ctx->previous = 0; for (i = 0; i < YARROW_KEY_EVENT_BUFFER; i++) ctx->chars[i] = 0; } unsigned yarrow_key_event_estimate(struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time) { unsigned entropy = 0; unsigned i; /* Look at timing first. */ if (ctx->previous && (time > ctx->previous) ) { if ( (time - ctx->previous) >= 256) entropy++; } ctx->previous = time; if (!key) return entropy; for (i = 0; i < YARROW_KEY_EVENT_BUFFER; i++) if (key == ctx->chars[i]) /* This is a recent character. Ignore it. */ return entropy; /* Count one bit of entropy, unless this was one of the initial 16 * characters. */ if (ctx->chars[ctx->index]) entropy++; /* Remember the character. */ ctx->chars[ctx->index] = key; ctx->index = (ctx->index + 1) % YARROW_KEY_EVENT_BUFFER; return entropy; } nettle-3.4.1/pss-mgf1.c0000644000175000017500000000356313401564745013657 0ustar nissenisse/* pss-mgf1.c PKCS#1 mask generation function 1, used in RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pss-mgf1.h" #include #include #include "nettle-internal.h" #include "macros.h" void pss_mgf1(const void *seed, const struct nettle_hash *hash, size_t length, uint8_t *mask) { TMP_DECL(h, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t i; uint8_t c[4]; TMP_ALLOC(h, hash->digest_size); TMP_ALLOC(state, hash->context_size); for (i = 0;; i++, mask += hash->digest_size, length -= hash->digest_size) { WRITE_UINT32(c, i); memcpy(state, seed, hash->context_size); hash->update(state, 4, c); if (length <= hash->digest_size) { hash->digest(state, length, mask); return; } hash->digest(state, hash->digest_size, mask); } } nettle-3.4.1/desinfo.h0000644000175000017500000000666413401564746013664 0ustar nissenisse/* desinfo.h * * Tables describing DES rather than just this implementation. * These are used in desdata but NOT in runtime code. * */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ /* the initial permutation, E selection, and final permutation are hardwired */ /* Key Load: how to load the shift register from the user key */ unsigned char KL[] = { 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4, }; /* Key Shift: how many times to shift the key shift register */ unsigned char KS[] = { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1, }; /* Key Choose: which key bits from shift reg are used in the key schedule */ unsigned char KC[] = { 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32, }; /* S Boxes */ unsigned char SB[8][64] = { { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13, },{ 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9, },{ 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12, },{ 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14, },{ 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3, },{ 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13, },{ 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12, },{ 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 } }; /* Sbox Permutation */ char SP[] = { 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25, }; nettle-3.4.1/rotors.h0000644000175000017500000000620213401564746013551 0ustar nissenisse/* automagically made - do not fuss with this */ 34, 13, 5, 46, 47, 18, 32, 41, 11, 53, 33, 20, 14, 36, 30, 24, 49, 2, 15, 37, 42, 50, 0, 21, 38, 48, 6, 26, 39, 4, 52, 25, 12, 27, 31, 40, 1, 17, 28, 29, 23, 51, 35, 7, 3, 22, 9, 43, 41, 20, 12, 53, 54, 25, 39, 48, 18, 31, 40, 27, 21, 43, 37, 0, 1, 9, 22, 44, 49, 2, 7, 28, 45, 55, 13, 33, 46, 11, 6, 32, 19, 34, 38, 47, 8, 24, 35, 36, 30, 3, 42, 14, 10, 29, 16, 50, 55, 34, 26, 38, 11, 39, 53, 5, 32, 45, 54, 41, 35, 2, 51, 14, 15, 23, 36, 3, 8, 16, 21, 42, 6, 12, 27, 47, 31, 25, 20, 46, 33, 48, 52, 4, 22, 7, 49, 50, 44, 17, 1, 28, 24, 43, 30, 9, 12, 48, 40, 52, 25, 53, 38, 19, 46, 6, 11, 55, 49, 16, 10, 28, 29, 37, 50, 17, 22, 30, 35, 1, 20, 26, 41, 4, 45, 39, 34, 31, 47, 5, 13, 18, 36, 21, 8, 9, 3, 0, 15, 42, 7, 2, 44, 23, 26, 5, 54, 13, 39, 38, 52, 33, 31, 20, 25, 12, 8, 30, 24, 42, 43, 51, 9, 0, 36, 44, 49, 15, 34, 40, 55, 18, 6, 53, 48, 45, 4, 19, 27, 32, 50, 35, 22, 23, 17, 14, 29, 1, 21, 16, 3, 37, 40, 19, 11, 27, 53, 52, 13, 47, 45, 34, 39, 26, 22, 44, 7, 1, 2, 10, 23, 14, 50, 3, 8, 29, 48, 54, 12, 32, 20, 38, 5, 6, 18, 33, 41, 46, 9, 49, 36, 37, 0, 28, 43, 15, 35, 30, 17, 51, 54, 33, 25, 41, 38, 13, 27, 4, 6, 48, 53, 40, 36, 3, 21, 15, 16, 24, 37, 28, 9, 17, 22, 43, 5, 11, 26, 46, 34, 52, 19, 20, 32, 47, 55, 31, 23, 8, 50, 51, 14, 42, 2, 29, 49, 44, 0, 10, 11, 47, 39, 55, 52, 27, 41, 18, 20, 5, 38, 54, 50, 17, 35, 29, 30, 7, 51, 42, 23, 0, 36, 2, 19, 25, 40, 31, 48, 13, 33, 34, 46, 4, 12, 45, 37, 22, 9, 10, 28, 1, 16, 43, 8, 3, 14, 24, 18, 54, 46, 5, 6, 34, 48, 25, 27, 12, 45, 4, 2, 24, 42, 36, 37, 14, 3, 49, 30, 7, 43, 9, 26, 32, 47, 38, 55, 20, 40, 41, 53, 11, 19, 52, 44, 29, 16, 17, 35, 8, 23, 50, 15, 10, 21, 0, 32, 11, 31, 19, 20, 48, 5, 39, 41, 26, 6, 18, 16, 7, 1, 50, 51, 28, 17, 8, 44, 21, 2, 23, 40, 46, 4, 52, 12, 34, 54, 55, 38, 25, 33, 13, 3, 43, 30, 0, 49, 22, 37, 9, 29, 24, 35, 14, 46, 25, 45, 33, 34, 5, 19, 53, 55, 40, 20, 32, 30, 21, 15, 9, 10, 42, 0, 22, 3, 35, 16, 37, 54, 31, 18, 13, 26, 48, 11, 12, 52, 39, 47, 27, 17, 2, 44, 14, 8, 36, 51, 23, 43, 7, 49, 28, 31, 39, 6, 47, 48, 19, 33, 38, 12, 54, 34, 46, 44, 35, 29, 23, 24, 1, 14, 36, 17, 49, 30, 51, 11, 45, 32, 27, 40, 5, 25, 26, 13, 53, 4, 41, 0, 16, 3, 28, 22, 50, 10, 37, 2, 21, 8, 42, 45, 53, 20, 4, 5, 33, 47, 52, 26, 11, 48, 31, 3, 49, 43, 37, 7, 15, 28, 50, 0, 8, 44, 10, 25, 6, 46, 41, 54, 19, 39, 40, 27, 38, 18, 55, 14, 30, 17, 42, 36, 9, 24, 51, 16, 35, 22, 1, 6, 38, 34, 18, 19, 47, 4, 13, 40, 25, 5, 45, 17, 8, 2, 51, 21, 29, 42, 9, 14, 22, 3, 24, 39, 20, 31, 55, 11, 33, 53, 54, 41, 52, 32, 12, 28, 44, 0, 1, 50, 23, 7, 10, 30, 49, 36, 15, 20, 52, 48, 32, 33, 4, 18, 27, 54, 39, 19, 6, 0, 22, 16, 10, 35, 43, 1, 23, 28, 36, 17, 7, 53, 34, 45, 12, 25, 47, 38, 11, 55, 13, 46, 26, 42, 3, 14, 15, 9, 37, 21, 24, 44, 8, 50, 29, 27, 6, 55, 39, 40, 11, 25, 34, 4, 46, 26, 13, 7, 29, 23, 17, 42, 50, 8, 30, 35, 43, 24, 14, 31, 41, 52, 19, 32, 54, 45, 18, 5, 20, 53, 33, 49, 10, 21, 22, 16, 44, 28, 0, 51, 15, 2, 36, nettle-3.4.1/pss-mgf1.h0000644000175000017500000000271113401564746013657 0ustar nissenisse/* pss-mgf1.h PKCS#1 mask generation function 1, used in RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PSS_MGF1_H_INCLUDED #define NETTLE_PSS_MGF1_H_INCLUDED #include "nettle-meta.h" #include "sha1.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pss_mgf1 nettle_pss_mgf1 void pss_mgf1(const void *seed, const struct nettle_hash *hash, size_t length, uint8_t *mask); #ifdef __cplusplus } #endif #endif /* NETTLE_PSS_MGF1_H_INCLUDED */ nettle-3.4.1/sha3-256.c0000644000175000017500000000332313401564745013364 0ustar nissenisse/* sha3-256.c The sha3 hash function, 256 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "nettle-write.h" void sha3_256_init (struct sha3_256_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_256_ctx, block)); } void sha3_256_update (struct sha3_256_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _sha3_update (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_256_digest(struct sha3_256_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_256_init (ctx); } nettle-3.4.1/ecdsa-verify.c0000644000175000017500000000427113401564746014601 0ustar nissenisse/* ecc-ecdsa-verify.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "gmp-glue.h" int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature) { mp_limb_t size = ecc_size (pub->ecc); mp_size_t itch = 2*size + ecc_ecdsa_verify_itch (pub->ecc); /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most 4824 bytes. Don't use stack allocation for this. */ mp_limb_t *scratch; int res; #define rp scratch #define sp (scratch + size) #define scratch_out (scratch + 2*size) if (mpz_sgn (signature->r) <= 0 || mpz_size (signature->r) > size || mpz_sgn (signature->s) <= 0 || mpz_size (signature->s) > size) return 0; scratch = gmp_alloc_limbs (itch); mpz_limbs_copy (rp, signature->r, size); mpz_limbs_copy (sp, signature->s, size); res = ecc_ecdsa_verify (pub->ecc, pub->p, length, digest, rp, sp, scratch_out); gmp_free_limbs (scratch, itch); return res; #undef rp #undef sp #undef scratch_out } nettle-3.4.1/buffer.h0000644000175000017500000000531013401564746013471 0ustar nissenisse/* buffer.h A bare-bones string stream. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BUFFER_H_INCLUDED #define NETTLE_BUFFER_H_INCLUDED #include "realloc.h" #ifdef __cplusplus extern "C" { #endif struct nettle_buffer { uint8_t *contents; /* Allocated size */ size_t alloc; void *realloc_ctx; nettle_realloc_func *realloc; /* Current size */ size_t size; }; /* Initializes a buffer that uses plain realloc */ void nettle_buffer_init(struct nettle_buffer *buffer); void nettle_buffer_init_realloc(struct nettle_buffer *buffer, void *realloc_ctx, nettle_realloc_func *realloc); /* Initializes a buffer of fix size */ void nettle_buffer_init_size(struct nettle_buffer *buffer, size_t length, uint8_t *space); void nettle_buffer_clear(struct nettle_buffer *buffer); /* Resets the buffer, without freeing the buffer space. */ void nettle_buffer_reset(struct nettle_buffer *buffer); int nettle_buffer_grow(struct nettle_buffer *buffer, size_t length); #define NETTLE_BUFFER_PUTC(buffer, c) \ ( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \ && ((buffer)->contents[(buffer)->size++] = (c), 1) ) int nettle_buffer_write(struct nettle_buffer *buffer, size_t length, const uint8_t *data); /* Like nettle_buffer_write, but instead of copying data to the * buffer, it returns a pointer to the area where the caller can copy * the data. The pointer is valid only until the next call that can * reallocate the buffer. */ uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, size_t length); /* Copy the contents of SRC to the end of DST. */ int nettle_buffer_copy(struct nettle_buffer *dst, const struct nettle_buffer *src); #ifdef __cplusplus } #endif #endif /* NETTLE_BUFFER_H_INCLUDED */ nettle-3.4.1/salsa20.h0000644000175000017500000000564413401564746013477 0ustar nissenisse/* salsa20.h The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SALSA20_H_INCLUDED #define NETTLE_SALSA20_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define salsa20_set_key nettle_salsa20_set_key #define salsa20_128_set_key nettle_salsa20_128_set_key #define salsa20_256_set_key nettle_salsa20_256_set_key #define salsa20_set_nonce nettle_salsa20_set_nonce #define salsa20_crypt nettle_salsa20_crypt #define _salsa20_core _nettle_salsa20_core #define salsa20r12_crypt nettle_salsa20r12_crypt /* Alias for backwards compatibility */ #define salsa20_set_iv nettle_salsa20_set_nonce /* In octets.*/ #define SALSA20_128_KEY_SIZE 16 #define SALSA20_256_KEY_SIZE 32 #define SALSA20_BLOCK_SIZE 64 #define SALSA20_NONCE_SIZE 8 #define SALSA20_IV_SIZE SALSA20_NONCE_SIZE /* Aliases */ #define SALSA20_MIN_KEY_SIZE 16 #define SALSA20_MAX_KEY_SIZE 32 #define SALSA20_KEY_SIZE 32 #define _SALSA20_INPUT_LENGTH 16 struct salsa20_ctx { /* Indices 1-4 and 11-14 holds the key (two identical copies for the shorter key size), indices 0, 5, 10, 15 are constant, indices 6, 7 are the IV, and indices 8, 9 are the block counter: C K K K K C I I B B C K K K K C */ uint32_t input[_SALSA20_INPUT_LENGTH]; }; void salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key); void salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key); void salsa20_set_key(struct salsa20_ctx *ctx, size_t length, const uint8_t *key); void salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce); void salsa20_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void salsa20r12_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds); #ifdef __cplusplus } #endif #endif /* NETTLE_SALSA20_H_INCLUDED */ nettle-3.4.1/pgp-encode.c0000644000175000017500000002312613401564746014241 0ustar nissenisse/* pgp-encode.c PGP related functions. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pgp.h" #include "base64.h" #include "buffer.h" #include "macros.h" #include "rsa.h" int pgp_put_uint32(struct nettle_buffer *buffer, uint32_t i) { uint8_t *p = nettle_buffer_space(buffer, 4); if (!p) return 0; WRITE_UINT32(p, i); return 1; } int pgp_put_uint16(struct nettle_buffer *buffer, unsigned i) { uint8_t *p = nettle_buffer_space(buffer, 2); if (!p) return 0; WRITE_UINT16(p, i); return 1; } int pgp_put_mpi(struct nettle_buffer *buffer, const mpz_t x) { unsigned bits = mpz_sizeinbase(x, 2); unsigned octets = (bits + 7) / 8; uint8_t *p; /* FIXME: What's the correct representation of zero? */ if (!pgp_put_uint16(buffer, bits)) return 0; p = nettle_buffer_space(buffer, octets); if (!p) return 0; nettle_mpz_get_str_256(octets, p, x); return 1; } int pgp_put_string(struct nettle_buffer *buffer, unsigned length, const uint8_t *s) { return nettle_buffer_write(buffer, length, s); } #if 0 static unsigned length_field(unsigned length) { if (length < PGP_LENGTH_TWO_OCTET) return 1; else if (length < PGP_LENGTH_FOUR_OCTETS) return 2; else return 4; } #endif /* bodyLen = ((1st_octet - 192) << 8) + (2nd_octet) + 192 * ==> bodyLen - 192 + 192 << 8 = (1st_octet << 8) + (2nd_octet) */ #define LENGTH_TWO_OFFSET (192 * 255) int pgp_put_length(struct nettle_buffer *buffer, unsigned length) { if (length < PGP_LENGTH_TWO_OCTETS) return NETTLE_BUFFER_PUTC(buffer, length); else if (length < PGP_LENGTH_FOUR_OCTETS) return pgp_put_uint16(buffer, length + LENGTH_TWO_OFFSET); else return NETTLE_BUFFER_PUTC(buffer, 0xff) && pgp_put_uint32(buffer, length); } /* Uses the "new" packet format */ int pgp_put_header(struct nettle_buffer *buffer, unsigned tag, unsigned length) { assert(tag < 0x40); return (NETTLE_BUFFER_PUTC(buffer, 0xC0 | tag) && pgp_put_length(buffer, length)); } /* FIXME: Should we abort or return error if the length and the field * size don't match? */ void pgp_put_header_length(struct nettle_buffer *buffer, /* start of the header */ unsigned start, unsigned field_size) { unsigned length; switch (field_size) { case 1: length = buffer->size - (start + 2); assert(length < PGP_LENGTH_TWO_OCTETS); buffer->contents[start + 1] = length; break; case 2: length = buffer->size - (start + 3); assert(length < PGP_LENGTH_FOUR_OCTETS && length >= PGP_LENGTH_TWO_OCTETS); WRITE_UINT16(buffer->contents + start + 1, length + LENGTH_TWO_OFFSET); break; case 4: length = buffer->size - (start + 5); WRITE_UINT32(buffer->contents + start + 2, length); break; default: abort(); } } int pgp_put_userid(struct nettle_buffer *buffer, unsigned length, const uint8_t *name) { return (pgp_put_header(buffer, PGP_TAG_USERID, length) && pgp_put_string(buffer, length, name)); } unsigned pgp_sub_packet_start(struct nettle_buffer *buffer) { return nettle_buffer_space(buffer, 2) ? buffer->size : 0; } int pgp_put_sub_packet(struct nettle_buffer *buffer, unsigned type, unsigned length, const uint8_t *data) { return (pgp_put_length(buffer, length + 1) && NETTLE_BUFFER_PUTC(buffer, type) && pgp_put_string(buffer, length, data)); } void pgp_sub_packet_end(struct nettle_buffer *buffer, unsigned start) { unsigned length; assert(start >= 2); assert(start <= buffer->size); length = buffer->size - start; WRITE_UINT32(buffer->contents + start - 2, length); } int pgp_put_public_rsa_key(struct nettle_buffer *buffer, const struct rsa_public_key *pub, time_t timestamp) { /* Public key packet, version 4 */ unsigned start; unsigned length; /* Size of packet is 16 + the size of e and n */ length = (4 * 4 + nettle_mpz_sizeinbase_256_u(pub->n) + nettle_mpz_sizeinbase_256_u(pub->e)); if (!pgp_put_header(buffer, PGP_TAG_PUBLIC_KEY, length)) return 0; start = buffer->size; if (! (pgp_put_header(buffer, PGP_TAG_PUBLIC_KEY, /* Assume that we need two octets */ PGP_LENGTH_TWO_OCTETS) && pgp_put_uint32(buffer, 4) /* Version */ && pgp_put_uint32(buffer, timestamp)/* Time stamp */ && pgp_put_uint32(buffer, PGP_RSA) /* Algorithm */ && pgp_put_mpi(buffer, pub->n) && pgp_put_mpi(buffer, pub->e)) ) return 0; assert(buffer->size == start + length); return 1; } int pgp_put_rsa_sha1_signature(struct nettle_buffer *buffer, const struct rsa_private_key *key, const uint8_t *keyid, unsigned type, struct sha1_ctx *hash) { unsigned signature_start = buffer->size; unsigned hash_end; unsigned sub_packet_start; uint8_t trailer[6]; mpz_t s; /* Signature packet. The packet could reasonably be both smaller and * larger than 192, so for simplicity we use the 4 octet header * form. */ if (! (pgp_put_header(buffer, PGP_TAG_SIGNATURE, PGP_LENGTH_FOUR_OCTETS) && NETTLE_BUFFER_PUTC(buffer, 4) /* Version */ && NETTLE_BUFFER_PUTC(buffer, type) /* Could also be PGP_RSA_SIGN */ && NETTLE_BUFFER_PUTC(buffer, PGP_RSA) && NETTLE_BUFFER_PUTC(buffer, PGP_SHA1) && pgp_put_uint16(buffer, 0))) /* Hashed subpacket length */ return 0; hash_end = buffer->size; sha1_update(hash, hash_end - signature_start, buffer->contents + signature_start); trailer[0] = 4; trailer[1] = 0xff; WRITE_UINT32(trailer + 2, buffer->size - signature_start); sha1_update(hash, sizeof(trailer), trailer); { struct sha1_ctx hcopy = *hash; uint8_t *p = nettle_buffer_space(buffer, 2); if (!p) return 0; sha1_digest(&hcopy, 2, p); } /* One "sub-packet" field with the issuer keyid */ sub_packet_start = pgp_sub_packet_start(buffer); if (!sub_packet_start) return 0; if (pgp_put_sub_packet(buffer, PGP_SUBPACKET_ISSUER_KEY_ID, 8, keyid)) { pgp_sub_packet_end(buffer, sub_packet_start); return 0; } mpz_init(s); if (!(rsa_sha1_sign(key, hash, s) && pgp_put_mpi(buffer, s))) { mpz_clear(s); return 0; } mpz_clear(s); pgp_put_header_length(buffer, signature_start, 4); return 1; } #define CRC24_INIT 0x0b704ceL #define CRC24_POLY 0x1864cfbL uint32_t pgp_crc24(unsigned length, const uint8_t *data) { uint32_t crc = CRC24_INIT; unsigned i; for (i = 0; i= BINARY_PER_LINE; length -= BINARY_PER_LINE, data += BINARY_PER_LINE) { unsigned done; char *p = (char *) nettle_buffer_space(buffer, TEXT_PER_LINE); if (!p) return 0; done = base64_encode_update(&ctx, p, BINARY_PER_LINE, data); assert(done <= TEXT_PER_LINE); /* FIXME: Create some official way to do this */ buffer->size -= (TEXT_PER_LINE - done); if (!NETTLE_BUFFER_PUTC(buffer, '\n')) return 0; } if (length) { unsigned text_size = BASE64_ENCODE_LENGTH(length) + BASE64_ENCODE_FINAL_LENGTH; unsigned done; char *p = (char *) nettle_buffer_space(buffer, text_size); if (!p) return 0; done = base64_encode_update(&ctx, p, length, data); done += base64_encode_final(&ctx, p + done); /* FIXME: Create some official way to do this */ buffer->size -= (text_size - done); if (!NETTLE_BUFFER_PUTC(buffer, '\n')) return 0; } /* Checksum */ if (!NETTLE_BUFFER_PUTC(buffer, '=')) return 0; { char *p = (char *) nettle_buffer_space(buffer, 4); if (!p) return 0; base64_encode_group(p, crc); } return (write_string(buffer, "\nBEGIN PGP ") && write_string(buffer, tag) && NETTLE_BUFFER_PUTC(buffer, '\n')); } nettle-3.4.1/rsa-md5-sign.c0000644000175000017500000000333713401564746014430 0ustar nissenisse/* rsa-md5-sign.c Signatures using RSA and MD5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_sign(const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t s) { if (pkcs1_rsa_md5_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_md5_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_md5_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.4.1/ripemd160-meta.c0000644000175000017500000000225713401564745014654 0ustar nissenisse/* ripemd160-meta.c Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "ripemd160.h" const struct nettle_hash nettle_ripemd160 = _NETTLE_HASH(ripemd160, RIPEMD160); nettle-3.4.1/ecc-point.c0000644000175000017500000000553513401564746014105 0ustar nissenisse/* ecc-point.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc) { p->ecc = ecc; p->p = gmp_alloc_limbs (2*ecc->p.size); } void ecc_point_clear (struct ecc_point *p) { gmp_free_limbs (p->p, 2*p->ecc->p.size); } int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y) { mp_size_t size; mpz_t lhs, rhs; mpz_t t; int res; size = p->ecc->p.size; if (mpz_sgn (x) < 0 || mpz_limbs_cmp (x, p->ecc->p.m, size) >= 0 || mpz_sgn (y) < 0 || mpz_limbs_cmp (y, p->ecc->p.m, size) >= 0) return 0; mpz_init (lhs); mpz_init (rhs); mpz_mul (lhs, y, y); if (p->ecc->p.bit_size == 255) { /* ed25519 special case. FIXME: Do in some cleaner way? */ mpz_t x2; mpz_init (x2); mpz_mul (x2, x, x); mpz_mul (rhs, x2, lhs); /* Check that -x^2 + y^2 = 1 - (121665/121666) x^2 y^2 or 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ mpz_sub (lhs, x2, lhs); mpz_add_ui (lhs, lhs, 1); mpz_mul_ui (lhs, lhs, 121666); mpz_mul_ui (rhs, rhs, 121665); mpz_clear (x2); } else { /* Check that y^2 = x^3 - 3*x + b (mod p) */ mpz_mul (rhs, x, x); mpz_sub_ui (rhs, rhs, 3); mpz_mul (rhs, rhs, x); mpz_add (rhs, rhs, mpz_roinit_n (t, p->ecc->b, size)); } res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, p->ecc->p.m, size)); mpz_clear (lhs); mpz_clear (rhs); if (!res) return 0; mpz_limbs_copy (p->p, x, size); mpz_limbs_copy (p->p + size, y, size); return 1; } void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y) { mp_size_t size = p->ecc->p.size; if (x) mpz_set_n (x, p->p, size); if (y) mpz_set_n (y, p->p + size, size); } nettle-3.4.1/version.h.in0000644000175000017500000000326313401564746014317 0ustar nissenisse/* version.h Information about library version. Copyright (C) 2015 Red Hat, Inc. Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_VERSION_H_INCLUDED #define NETTLE_VERSION_H_INCLUDED #ifdef __cplusplus extern "C" { #endif /* Individual version numbers in decimal */ #define NETTLE_VERSION_MAJOR @MAJOR_VERSION@ #define NETTLE_VERSION_MINOR @MINOR_VERSION@ #define NETTLE_USE_MINI_GMP @NETTLE_USE_MINI_GMP@ /* We need a preprocessor constant for GMP_NUMB_BITS, simply using sizeof(mp_limb_t) * CHAR_BIT is not good enough. */ #if NETTLE_USE_MINI_GMP # define GMP_NUMB_BITS @GMP_NUMB_BITS@ #endif int nettle_version_major (void); int nettle_version_minor (void); #ifdef __cplusplus } #endif #endif /* NETTLE_VERSION_H_INCLUDED */ nettle-3.4.1/ccm-aes128.c0000644000175000017500000000624213401564745013762 0ustar nissenisse/* ccm-aes128.c Counter with CBC-MAC mode using AES128 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key(&ctx->cipher, key); } void ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes128_update(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, data); } void ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ccm_aes128_digest(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, digest); } void ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(&ctx->cipher, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-3.4.1/camellia-invert-key.c0000644000175000017500000000275513401564745016066 0ustar nissenisse/* camellia-invert-key.c Inverting a key means reversing order of subkeys. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" #define SWAP(a, b) \ do { uint64_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void _camellia_invert_key(unsigned nkeys, uint64_t *dst, const uint64_t *src) { unsigned i; if (dst == src) for (i = 0; i < nkeys - 1 - i; i++) SWAP (dst[i], dst[nkeys - 1- i]); else for (i = 0; i < nkeys; i++) dst[i] = src[nkeys - 1 - i]; } nettle-3.4.1/gmp-glue.h0000644000175000017500000001221013401564746013732 0ustar nissenisse/* gmp-glue.h Copyright (C) 2013 Niels Möller Copyright (C) 2013 Red Hat This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GMP_GLUE_H_INCLUDED #define NETTLE_GMP_GLUE_H_INCLUDED #include "bignum.h" #ifdef mpz_limbs_read #define GMP_HAVE_mpz_limbs_read 1 #else #define GMP_HAVE_mpz_limbs_read 0 #endif /* Name mangling. */ #if !GMP_HAVE_mpz_limbs_read #define mpz_limbs_read _nettle_mpz_limbs_read #define mpz_limbs_write _nettle_mpz_limbs_write #define mpz_limbs_modify _nettle_mpz_limbs_modify #define mpz_limbs_finish _nettle_mpz_limbs_finish #define mpz_roinit_n _nettle_mpz_roinit_n #endif #define cnd_swap _nettle_cnd_swap #define mpz_limbs_cmp _nettle_mpz_limbs_cmp #define mpz_limbs_read_n _nettle_mpz_limbs_read_n #define mpz_limbs_copy _nettle_mpz_limbs_copy #define mpz_set_n _nettle_mpz_set_n #define mpn_set_base256 _nettle_mpn_set_base256 #define mpn_set_base256_le _nettle_mpn_set_base256_le #define mpn_get_base256 _nettle_mpn_get_base256 #define mpn_get_base256_le _nettle_mpn_get_base256_le #define gmp_alloc_limbs _nettle_gmp_alloc_limbs #define gmp_free_limbs _nettle_gmp_free_limbs #define gmp_free _nettle_gmp_free #define gmp_alloc _nettle_gmp_alloc #define TMP_GMP_DECL(name, type) type *name; \ size_t tmp_##name##_size #define TMP_GMP_ALLOC(name, size) do { \ tmp_##name##_size = (size); \ (name) = gmp_alloc(sizeof (*name) * (size)); \ } while (0) #define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size)) /* Use only in-place operations, so we can fall back to addmul_1/submul_1 */ #ifdef mpn_cnd_add_n # define cnd_add_n(cnd, rp, ap, n) mpn_cnd_add_n ((cnd), (rp), (rp), (ap), (n)) # define cnd_sub_n(cnd, rp, ap, n) mpn_cnd_sub_n ((cnd), (rp), (rp), (ap), (n)) #else # define cnd_add_n(cnd, rp, ap, n) mpn_addmul_1 ((rp), (ap), (n), (cnd) != 0) # define cnd_sub_n(cnd, rp, ap, n) mpn_submul_1 ((rp), (ap), (n), (cnd) != 0) #endif #define NETTLE_OCTET_SIZE_TO_LIMB_SIZE(n) \ (((n) * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) /* Some functions for interfacing between mpz and mpn code. Signs of the mpz numbers are generally ignored. */ #if !GMP_HAVE_mpz_limbs_read /* Read access to mpz numbers. */ /* Return limb pointer, for read-only operations. Use mpz_size to get the number of limbs. */ const mp_limb_t * mpz_limbs_read (const mpz_srcptr x); /* Write access to mpz numbers. */ /* Get a limb pointer for writing, previous contents may be destroyed. */ mp_limb_t * mpz_limbs_write (mpz_ptr x, mp_size_t n); /* Get a limb pointer for writing, previous contents is intact. */ mp_limb_t * mpz_limbs_modify (mpz_ptr x, mp_size_t n); /* Update size. */ void mpz_limbs_finish (mpz_ptr x, mp_size_t n); /* Using an mpn number as an mpz. Can be used for read-only access only. x must not be cleared or reallocated. */ mpz_srcptr mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs); #endif /* !GMP_HAVE_mpz_limbs_read */ void cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n); /* Convenience functions */ int mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn); /* Get a pointer to an n limb area, for read-only operation. n must be greater or equal to the current size, and the mpz is zero-padded if needed. */ const mp_limb_t * mpz_limbs_read_n (mpz_ptr x, mp_size_t n); /* Copy limbs, with zero-padding. */ /* FIXME: Reorder arguments, on the theory that the first argument of an _mpz_* function should be an mpz_t? Or rename to _mpz_get_limbs, with argument order consistent with mpz_get_*. */ void mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n); void mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn); /* Like mpn_set_str, but always writes rn limbs. If input is larger, higher bits are ignored. */ void mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn); void mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn); void mpn_get_base256 (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn); void mpn_get_base256_le (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn); mp_limb_t * gmp_alloc_limbs (mp_size_t n); void gmp_free_limbs (mp_limb_t *p, mp_size_t n); void *gmp_alloc(size_t n); void gmp_free(void *p, size_t n); #endif /* NETTLE_GMP_GLUE_H_INCLUDED */ nettle-3.4.1/sha3-512-meta.c0000644000175000017500000000224713401564745014307 0ustar nissenisse/* sha3-512-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" const struct nettle_hash nettle_sha3_512 = _NETTLE_HASH(sha3_512, SHA3_512); nettle-3.4.1/base64url-meta.c0000644000175000017500000000347313401564745014755 0ustar nissenisse/* base64url-meta.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "base64.h" /* Same as the macros with the same name */ static nettle_armor_length_func base64url_encode_length; static size_t base64url_encode_length(size_t length) { return BASE64_ENCODE_LENGTH(length); } static nettle_armor_length_func base64url_decode_length; static size_t base64url_decode_length(size_t length) { return BASE64_DECODE_LENGTH(length); } #define base64url_encode_ctx base64_encode_ctx #define base64url_encode_update base64_encode_update #define base64url_encode_final base64_encode_final #define base64url_decode_ctx base64_decode_ctx #define base64url_decode_update base64_decode_update #define base64url_decode_final base64_decode_final const struct nettle_armor nettle_base64url = _NETTLE_ARMOR(base64url, BASE64); nettle-3.4.1/sexp-transport.c0000644000175000017500000000604113401564745015225 0ustar nissenisse/* sexp-transport.c Parsing s-expressions in transport format. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sexp.h" #include "base64.h" /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, size_t length, uint8_t *input) { /* We first base64 decode any transport encoded sexp at the start of * the input. */ size_t in = 0; size_t out = 0; while (in < length) switch(input[in]) { case ' ': /* SPC, TAB, LF, CR */ case '\t': case '\n': case '\r': in++; break; case ';': /* Comments */ while (++in < length && input[in] != '\n') ; break; case '{': { /* Found transport encoding */ struct base64_decode_ctx ctx; size_t coded_length; size_t end; for (end = ++in; end < length && input[end] != '}'; end++) ; if (end == length) return 0; base64_decode_init(&ctx); if (base64_decode_update(&ctx, &coded_length, input + out, end - in, (const char*) (input + in)) && base64_decode_final(&ctx)) { out += coded_length; in = end + 1; } else return 0; break; } default: /* Expression isn't in transport encoding. Rest of the input * should be in canonical encoding. */ goto transport_done; } transport_done: /* Here, we have two, possibly empty, input parts in canonical * encoding: * * 0...out-1, in...length -1 * * If the input was already in canonical encoding, out = 0 and in = * amount of leading space. * * If all input was in transport encoding, in == length. */ if (!out) { input += in; length -= in; } else if (in == length) length = out; else if (out == in) /* Unusual case, nothing happens */ ; else { /* Both parts non-empty */ assert(out < in); memmove(input + out, input + in, length - in); length -= (in - out); } return sexp_iterator_first(iterator, length, input); } nettle-3.4.1/des.c0000644000175000017500000001653513401564745013000 0ustar nissenisse/* des.c The des block cipher. Copyright (C) 2001, 2010 Niels Möller Copyright (C) 1992 Dana L. How This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "des.h" #include "desCode.h" /* various tables */ static const uint32_t des_keymap[] = { #include "keymap.h" }; static const uint8_t rotors[] = { #include "rotors.h" }; static ENCRYPT(DesSmallFipsEncrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS) static DECRYPT(DesSmallFipsDecrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS) /* If parity bits are used, keys should have odd parity. We use a small table, to not waste any memory on this fairly obscure DES feature. */ static const unsigned parity_16[16] = { 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0 }; #define PARITY(x) (parity_16[(x)&0xf] ^ parity_16[((x)>>4) & 0xf]) int des_check_parity(size_t length, const uint8_t *key) { size_t i; for (i = 0; i> 1; int8_t k1 = key[1] >> 1; unsigned hash = asso_values[k1 + 1] + asso_values[k0]; const int8_t *candidate; if (hash > 25) return 0; candidate = weak_key_hash[hash]; if (k0 != candidate[0] || k1 != candidate[1]) return 0; if ( (key[2] >> 1) != k0 || (key[3] >> 1) != k1) return 0; k0 = key[4] >> 1; k1 = key[5] >> 1; if (k0 != candidate[2] || k1 != candidate[3]) return 0; if ( (key[6] >> 1) != k0 || (key[7] >> 1) != k1) return 0; return 1; } int des_set_key(struct des_ctx *ctx, const uint8_t *key) { register uint32_t n, w; register char * b0, * b1; char bits0[56], bits1[56]; uint32_t *method; const uint8_t *k; /* explode the bits */ n = 56; b0 = bits0; b1 = bits1; k = key; do { w = (256 | *k++) << 2; do { --n; b1[n] = 8 & w; w >>= 1; b0[n] = 4 & w; } while ( w >= 16 ); } while ( n ); /* put the bits in the correct places */ n = 16; k = rotors; method = ctx->key; do { w = (b1[k[ 0 ]] | b0[k[ 1 ]]) << 4; w |= (b1[k[ 2 ]] | b0[k[ 3 ]]) << 2; w |= b1[k[ 4 ]] | b0[k[ 5 ]]; w <<= 8; w |= (b1[k[ 6 ]] | b0[k[ 7 ]]) << 4; w |= (b1[k[ 8 ]] | b0[k[ 9 ]]) << 2; w |= b1[k[10 ]] | b0[k[11 ]]; w <<= 8; w |= (b1[k[12 ]] | b0[k[13 ]]) << 4; w |= (b1[k[14 ]] | b0[k[15 ]]) << 2; w |= b1[k[16 ]] | b0[k[17 ]]; w <<= 8; w |= (b1[k[18 ]] | b0[k[19 ]]) << 4; w |= (b1[k[20 ]] | b0[k[21 ]]) << 2; w |= b1[k[22 ]] | b0[k[23 ]]; method[0] = w; w = (b1[k[ 0+24]] | b0[k[ 1+24]]) << 4; w |= (b1[k[ 2+24]] | b0[k[ 3+24]]) << 2; w |= b1[k[ 4+24]] | b0[k[ 5+24]]; w <<= 8; w |= (b1[k[ 6+24]] | b0[k[ 7+24]]) << 4; w |= (b1[k[ 8+24]] | b0[k[ 9+24]]) << 2; w |= b1[k[10+24]] | b0[k[11+24]]; w <<= 8; w |= (b1[k[12+24]] | b0[k[13+24]]) << 4; w |= (b1[k[14+24]] | b0[k[15+24]]) << 2; w |= b1[k[16+24]] | b0[k[17+24]]; w <<= 8; w |= (b1[k[18+24]] | b0[k[19+24]]) << 4; w |= (b1[k[20+24]] | b0[k[21+24]]) << 2; w |= b1[k[22+24]] | b0[k[23+24]]; ROR(w, 4, 28); /* could be eliminated */ method[1] = w; k += 48; method += 2; } while ( --n ); return !des_weak_p (key); } void des_encrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % DES_BLOCK_SIZE)); while (length) { DesSmallFipsEncrypt(dst, ctx->key, src); length -= DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; } } void des_decrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % DES_BLOCK_SIZE)); while (length) { DesSmallFipsDecrypt(dst, ctx->key, src); length -= DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; } } nettle-3.4.1/descore.README0000644000175000017500000003516613401564746014366 0ustar nissenissedes - fast & portable DES encryption & decryption. Copyright (C) 1992 Dana L. How This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA Author's address: how@isl.stanford.edu ==>> To compile after untarring/unsharring, just `make' <<== This package was designed with the following goals: 1. Highest possible encryption/decryption PERFORMANCE. 2. PORTABILITY to any byte-addressable machine with a 32bit unsigned C type 3. Plug-compatible replacement for KERBEROS's low-level routines. performance comparison to other available des code which i could compile on a SPARCStation 1 (cc -O4): this code (byte-order independent): 30us per encryption (options: 64k tables, no IP/FP) 33us per encryption (options: 64k tables, FIPS standard bit ordering) 45us per encryption (options: 2k tables, no IP/FP) 49us per encryption (options: 2k tables, FIPS standard bit ordering) 275us to set a new key (uses 1k of key tables) this has the quickest encryption/decryption routines i've seen. since i was interested in fast des filters rather than crypt(3) and password cracking, i haven't really bothered yet to speed up the key setting routine. also, i have no interest in re-implementing all the other junk in the mit kerberos des library, so i've just provided my routines with little stub interfaces so they can be used as drop-in replacements with mit's code or any of the mit- compatible packages below. (note that the first two timings above are highly variable because of cache effects). kerberos des replacement from australia: 68us per encryption (uses 2k of tables) 96us to set a new key (uses 2.25k of key tables) this is a very nice package which implements the most important of the optimizations which i did in my encryption routines. it's a bit weak on common low-level optimizations which is why it's 39%-106% slower. because he was interested in fast crypt(3) and password-cracking applications, he also used the same ideas to speed up the key-setting routines with impressive results. (at some point i may do the same in my package). he also implements the rest of the mit des library. (code from eay@psych.psy.uq.oz.au via comp.sources.misc) fast crypt(3) package from denmark: the des routine here is buried inside a loop to do the crypt function and i didn't feel like ripping it out and measuring performance. his code takes 26 sparc instructions to compute one des iteration; above, Quick (64k) takes 21 and Small (2k) takes 37. he claims to use 280k of tables but the iteration calculation seems to use only 128k. his tables and code are machine independent. (code from glad@daimi.aau.dk via alt.sources or comp.sources.misc) swedish reimplementation of Kerberos des library 108us per encryption (uses 34k worth of tables) 134us to set a new key (uses 32k of key tables to get this speed!) the tables used seem to be machine-independent; he seems to have included a lot of special case code so that, e.g., `long' loads can be used instead of 4 `char' loads when the machine's architecture allows it. (code obtained from chalmers.se:pub/des) crack 3.3c package from england: as in crypt above, the des routine is buried in a loop. it's also very modified for crypt. his iteration code uses 16k of tables and appears to be slow. (code obtained from aem@aber.ac.uk via alt.sources or comp.sources.misc) ``highly optimized'' and tweaked Kerberos/Athena code (byte-order dependent): 165us per encryption (uses 6k worth of tables) 478us to set a new key (uses <1k of key tables) so despite the comments in this code, it was possible to get faster code AND smaller tables, as well as making the tables machine-independent. (code obtained from prep.ai.mit.edu) UC Berkeley code (depends on machine-endedness): 226us per encryption 10848us to set a new key table sizes are unclear, but they don't look very small (code obtained from wuarchive.wustl.edu) motivation and history a while ago i wanted some des routines and the routines documented on sun's man pages either didn't exist or dumped core. i had heard of kerberos, and knew that it used des, so i figured i'd use its routines. but once i got it and looked at the code, it really set off a lot of pet peeves - it was too convoluted, the code had been written without taking advantage of the regular structure of operations such as IP, E, and FP (i.e. the author didn't sit down and think before coding), it was excessively slow, the author had attempted to clarify the code by adding MORE statements to make the data movement more `consistent' instead of simplifying his implementation and cutting down on all data movement (in particular, his use of L1, R1, L2, R2), and it was full of idiotic `tweaks' for particular machines which failed to deliver significant speedups but which did obfuscate everything. so i took the test data from his verification program and rewrote everything else. a while later i ran across the great crypt(3) package mentioned above. the fact that this guy was computing 2 sboxes per table lookup rather than one (and using a MUCH larger table in the process) emboldened me to do the same - it was a trivial change from which i had been scared away by the larger table size. in his case he didn't realize you don't need to keep the working data in TWO forms, one for easy use of half the sboxes in indexing, the other for easy use of the other half; instead you can keep it in the form for the first half and use a simple rotate to get the other half. this means i have (almost) half the data manipulation and half the table size. in fairness though he might be encoding something particular to crypt(3) in his tables - i didn't check. i'm glad that i implemented it the way i did, because this C version is portable (the ifdef's are performance enhancements) and it is faster than versions hand-written in assembly for the sparc! porting notes one thing i did not want to do was write an enormous mess which depended on endedness and other machine quirks, and which necessarily produced different code and different lookup tables for different machines. see the kerberos code for an example of what i didn't want to do; all their endedness-specific `optimizations' obfuscate the code and in the end were slower than a simpler machine independent approach. however, there are always some portability considerations of some kind, and i have included some options for varying numbers of register variables. perhaps some will still regard the result as a mess! 1) i assume everything is byte addressable, although i don't actually depend on the byte order, and that bytes are 8 bits. i assume word pointers can be freely cast to and from char pointers. note that 99% of C programs make these assumptions. i always use unsigned char's if the high bit could be set. 2) the typedef `word' means a 32 bit unsigned integral type. if `unsigned long' is not 32 bits, change the typedef in desCore.h. i assume sizeof(word) == 4 EVERYWHERE. the (worst-case) cost of my NOT doing endedness-specific optimizations in the data loading and storing code surrounding the key iterations is less than 12%. also, there is the added benefit that the input and output work areas do not need to be word-aligned. OPTIONAL performance optimizations 1) you should define one of `i386,' `vax,' `mc68000,' or `sparc,' whichever one is closest to the capabilities of your machine. see the start of desCode.h to see exactly what this selection implies. note that if you select the wrong one, the des code will still work; these are just performance tweaks. 2) for those with functional `asm' keywords: you should change the ROR and ROL macros to use machine rotate instructions if you have them. this will save 2 instructions and a temporary per use, or about 32 to 40 instructions per en/decryption. these optimizations are all rather persnickety, yet with them you should be able to get performance equal to assembly-coding, except that: 1) with the lack of a bit rotate operator in C, rotates have to be synthesized from shifts. so access to `asm' will speed things up if your machine has rotates, as explained above in (3). 2) if your machine has less than 12 32-bit registers i doubt your compiler will generate good code. `i386' tries to configure the code for a 386 by only declaring 3 registers (it appears that gcc can use ebx, esi and edi to hold register variables). however, if you like assembly coding, the 386 does have 7 32-bit registers, and if you use ALL of them, use `scaled by 8' address modes with displacement and other tricks, you can get reasonable routines for DesQuickCore... with about 250 instructions apiece. For DesSmall... it will help to rearrange des_keymap, i.e., now the sbox # is the high part of the index and the 6 bits of data is the low part; it helps to exchange these. since i have no way to conveniently test it i have not provided my shoehorned 386 version. coding notes the en/decryption routines each use 6 necessary register variables, with 4 being actively used at once during the inner iterations. if you don't have 4 register variables get a new machine. up to 8 more registers are used to hold constants in some configurations. i assume that the use of a constant is more expensive than using a register: a) additionally, i have tried to put the larger constants in registers. registering priority was by the following: anything more than 12 bits (bad for RISC and CISC) greater than 127 in value (can't use movq or byte immediate on CISC) 9-127 (may not be able to use CISC shift immediate or add/sub quick), 1-8 were never registered, being the cheapest constants. b) the compiler may be too stupid to realize table and table+256 should be assigned to different constant registers and instead repetitively do the arithmetic, so i assign these to explicit `m' register variables when possible and helpful. i assume that indexing is cheaper or equivalent to auto increment/decrement, where the index is 7 bits unsigned or smaller. this assumption is reversed for 68k and vax. i assume that addresses can be cheaply formed from two registers, or from a register and a small constant. i never use the `two registers and offset' form you see in some CISC machines. all index scaling is done explicitly - no hidden shifts by log2(sizeof). the code is written so that even a dumb compiler should never need more than one hidden temporary, increasing the chance that everything will fit in the registers. KEEP THIS MORE SUBTLE POINT IN MIND IF YOU REWRITE ANYTHING. special efficient data format bits are manipulated in this arrangement most of the time (S7 S5 S3 S1): 003130292827xxxx242322212019xxxx161514131211xxxx080706050403xxxx (the x bits are still there, i'm just emphasizing where the S boxes are). bits are rotated left 4 when computing S6 S4 S2 S0: 282726252423xxxx201918171615xxxx121110090807xxxx040302010031xxxx the rightmost two bits are usually cleared so the lower byte can be used as an index into an sbox mapping table. the next two x'd bits are set to various values to access different parts of the tables. how to use the routines datatypes: pointer to 8 byte area of type DesData used to hold keys and input/output blocks to des. pointer to 128 byte area of type DesKeys used to hold full 768-bit key. must be long-aligned. DesQuickInit() call this before using any other routine with `Quick' in its name. it generates the special 64k table these routines need. DesQuickDone() frees this table DesMethod(m, k) m points to a 128byte block, k points to an 8 byte des key which must have odd parity (or -1 is returned) and which must not be a (semi-)weak key (or -2 is returned). normally DesMethod() returns 0. m is filled in from k so that when one of the routines below is called with m, the routine will act like standard des en/decryption with the key k. if you use DesMethod, you supply a standard 56bit key; however, if you fill in m yourself, you will get a 768bit key - but then it won't be standard. it's 768bits not 1024 because the least significant two bits of each byte are not used. and yes, each byte controls a specific sbox during a specific iteration. NOTE: actually, every other word has been rotated right 4 bits to reduce the number of temporaries needed when the key is used. you really shouldn't use the 768bit format directly; i should provide a routine that converts 128 6-bit bytes (specified in S-box mapping order or something) into the right format for you. this would entail some byte concatenation and rotation. Des{Small|Quick}{Fips|Core}{Encrypt|Decrypt}(d, m, s) performs des on the 8 bytes at s into the 8 bytes at d. (d,s: char *). uses m as a 768bit key as explained above. the Encrypt|Decrypt choice is obvious. Fips|Core determines whether a completely standard FIPS initial and final permutation is done; if not, then the data is loaded and stored in a nonstandard bit order (FIPS w/o IP/FP). Fips slows down Quick by 10%, Small by 9%. Small|Quick determines whether you use the normal routine or the crazy quick one which gobbles up 64k more of memory. Small is 50% slower then Quick, but Quick needs 32 times as much memory. Quick is included for programs that do nothing but DES, e.g., encryption filters, etc. Getting it to compile on your machine there are no machine-dependencies in the code (see porting), except perhaps the `now()' macro in desTest.c. ALL generated tables are machine independent. you should edit the Makefile with the appropriate optimization flags for your compiler (MAX optimization). Speeding up kerberos (and/or its des library) note that i have included a kerberos-compatible interface in desUtil.c through the functions des_key_sched() and des_ecb_encrypt(). to use these with kerberos or kerberos-compatible code put desCore.a ahead of the kerberos-compatible library on your linker's command line. you should not need to #include desCore.h; just include the header file provided with the kerberos library. Other uses the macros in desCode.h would be very useful for putting inline des functions in more complicated encryption routines. nettle-3.4.1/aes-set-decrypt-key.c0000644000175000017500000000315313401564745016014 0ustar nissenisse/* aes-set-decrypt-key.c Inverse key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" void aes_invert_key(struct aes_ctx *dst, const struct aes_ctx *src) { _aes_invert (src->rounds, dst->keys, src->keys); dst->rounds = src->rounds; } void aes_set_decrypt_key(struct aes_ctx *ctx, size_t keysize, const uint8_t *key) { /* We first create subkeys for encryption, * then modify the subkeys for decryption. */ aes_set_encrypt_key(ctx, keysize, key); aes_invert_key(ctx, ctx); } nettle-3.4.1/pss.h0000644000175000017500000000316113401564746013027 0ustar nissenisse/* pss.h PKCS#1 RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PSS_H_INCLUDED #define NETTLE_PSS_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pss_encode_mgf1 nettle_pss_encode_mgf1 #define pss_verify_mgf1 nettle_pss_verify_mgf1 int pss_encode_mgf1(mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, const uint8_t *digest); int pss_verify_mgf1(const mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_PSS_H_INCLUDED */ nettle-3.4.1/ecc-mul-a.c0000644000175000017500000001132613401564746013762 0ustar nissenisse/* ecc-mul-a.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_jja. Current total is 12 ecc->p.size, at most 864 bytes. Window algorithm needs (3<p.size for the table, 3*ecc->p.size for a temporary point, and scratch for ecc_add_jjj. */ #if ECC_MUL_A_WBITS == 0 void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define pj (scratch + 3*ecc->p.size) #define scratch_out (scratch + 6*ecc->p.size) int is_zero; unsigned i; ecc_a_to_j (ecc, pj, p); mpn_zero (r, 3*ecc->p.size); for (i = ecc->p.size, is_zero = 1; i-- > 0; ) { mp_limb_t w = np[i]; mp_limb_t bit; for (bit = (mp_limb_t) 1 << (GMP_NUMB_BITS - 1); bit > 0; bit >>= 1) { int digit; ecc_dup_jj (ecc, r, r, scratch_out); ecc_add_jja (ecc, tp, r, pj, scratch_out); digit = (w & bit) > 0; /* If is_zero is set, r is the zero point, and ecc_add_jja produced garbage. */ cnd_copy (is_zero, tp, pj, 3*ecc->p.size); is_zero &= ~digit; /* If we had a one-bit, use the sum. */ cnd_copy (digit, r, tp, 3*ecc->p.size); } } } #else /* ECC_MUL_A_WBITS > 1 */ #define TABLE_SIZE (1U << ECC_MUL_A_WBITS) #define TABLE_MASK (TABLE_SIZE - 1) #define TABLE(j) (table + (j) * 3*ecc->p.size) static void table_init (const struct ecc_curve *ecc, mp_limb_t *table, unsigned bits, const mp_limb_t *p, mp_limb_t *scratch) { unsigned size = 1 << bits; unsigned j; mpn_zero (TABLE(0), 3*ecc->p.size); ecc_a_to_j (ecc, TABLE(1), p); for (j = 2; j < size; j += 2) { ecc_dup_jj (ecc, TABLE(j), TABLE(j/2), scratch); ecc_add_jja (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define table (scratch + 3*ecc->p.size) mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_WBITS); int is_zero = 0; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned blocks = (ecc->p.bit_size + ECC_MUL_A_WBITS - 1) / ECC_MUL_A_WBITS; unsigned bit_index = (blocks-1) * ECC_MUL_A_WBITS; mp_size_t limb_index = bit_index / GMP_NUMB_BITS; unsigned shift = bit_index % GMP_NUMB_BITS; mp_limb_t w, bits; table_init (ecc, table, ECC_MUL_A_WBITS, p, scratch_out); w = np[limb_index]; bits = w >> shift; if (limb_index < ecc->p.size - 1) bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); assert (bits < TABLE_SIZE); sec_tabselect (r, 3*ecc->p.size, table, TABLE_SIZE, bits); is_zero = (bits == 0); for (;;) { unsigned j; if (shift >= ECC_MUL_A_WBITS) { shift -= ECC_MUL_A_WBITS; bits = w >> shift; } else { if (limb_index == 0) { assert (shift == 0); break; } bits = w << (ECC_MUL_A_WBITS - shift); w = np[--limb_index]; shift = shift + GMP_NUMB_BITS - ECC_MUL_A_WBITS; bits |= w >> shift; } for (j = 0; j < ECC_MUL_A_WBITS; j++) ecc_dup_jj (ecc, r, r, scratch_out); bits &= TABLE_MASK; sec_tabselect (tp, 3*ecc->p.size, table, TABLE_SIZE, bits); cnd_copy (is_zero, r, tp, 3*ecc->p.size); ecc_add_jjj (ecc, tp, tp, r, scratch_out); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero != 0 or bits == 0, . */ cnd_copy (bits & (is_zero - 1), r, tp, 3*ecc->p.size); is_zero &= (bits == 0); } #undef table #undef tp } #endif /* ECC_MUL_A_WBITS > 1 */ nettle-3.4.1/camellia256-set-decrypt-key.c0000644000175000017500000000323013401564745017244 0ustar nissenisse/* camellia256-set-decrypt-key.c Inverse key setup for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" void camellia256_invert_key(struct camellia256_ctx *dst, const struct camellia256_ctx *src) { _camellia_invert_key (_CAMELLIA256_NKEYS, dst->keys, src->keys); } void camellia256_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { camellia256_set_encrypt_key(ctx, key); camellia256_invert_key(ctx, ctx); } void camellia192_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { camellia192_set_encrypt_key(ctx, key); camellia256_invert_key(ctx, ctx); } nettle-3.4.1/sha3-224.c0000644000175000017500000000332013401564745013354 0ustar nissenisse/* sha3-224.c The sha3 hash function, 224 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "nettle-write.h" void sha3_224_init (struct sha3_224_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_224_ctx, block)); } void sha3_224_update (struct sha3_224_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _sha3_update (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_224_digest(struct sha3_224_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_224_init (ctx); } nettle-3.4.1/sha512-meta.c0000644000175000017500000000224513401564745014145 0ustar nissenisse/* sha512-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512 = _NETTLE_HASH(sha512, SHA512); nettle-3.4.1/rsa-sha256-verify.c0000644000175000017500000000334213401564746015313 0ustar nissenisse/* rsa-sha256-verify.c Verifying signatures created with RSA and SHA256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_verify(const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha256_encode(m, key->size, hash) &&_rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha256_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.4.1/ecc-hash.c0000644000175000017500000000362313401564746013673 0ustar nissenisse/* ecdsa-hash.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" /* Convert hash value to an integer. If the digest is larger than the ecc bit size, then we must truncate it and use the leftmost bits. */ /* NOTE: We don't considered the hash value to be secret, so it's ok if the running time of this conversion depends on h. Requires m->size + 1 limbs, the extra limb may be needed for unusual limb sizes. */ void ecc_hash (const struct ecc_modulo *m, mp_limb_t *hp, size_t length, const uint8_t *digest) { if (length > ((size_t) m->bit_size + 7) / 8) length = (m->bit_size + 7) / 8; mpn_set_base256 (hp, m->size + 1, digest, length); if (8 * length > m->bit_size) /* We got a few extra bits, at the low end. Discard them. */ mpn_rshift (hp, hp, m->size + 1, 8*length - m->bit_size); } nettle-3.4.1/nettle-meta.h0000644000175000017500000002046213401564746014444 0ustar nissenisse/* nettle-meta.h Information about algorithms. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_META_H_INCLUDED #define NETTLE_META_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif struct nettle_cipher { const char *name; unsigned context_size; /* Zero for stream ciphers */ unsigned block_size; /* Suggested key size; other sizes are sometimes possible. */ unsigned key_size; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_cipher_func *encrypt; nettle_cipher_func *decrypt; }; /* FIXME: Rename with leading underscore, but keep current name (and size!) for now, for ABI compatibility with nettle-3.1, soname libnettle.so.6. */ /* null-terminated list of ciphers implemented by this version of nettle */ extern const struct nettle_cipher * const nettle_ciphers[]; const struct nettle_cipher * const * #ifdef __GNUC__ __attribute__((pure)) #endif nettle_get_ciphers (void); #define nettle_ciphers (nettle_get_ciphers()) extern const struct nettle_cipher nettle_aes128; extern const struct nettle_cipher nettle_aes192; extern const struct nettle_cipher nettle_aes256; extern const struct nettle_cipher nettle_camellia128; extern const struct nettle_cipher nettle_camellia192; extern const struct nettle_cipher nettle_camellia256; extern const struct nettle_cipher nettle_cast128; extern const struct nettle_cipher nettle_serpent128; extern const struct nettle_cipher nettle_serpent192; extern const struct nettle_cipher nettle_serpent256; extern const struct nettle_cipher nettle_twofish128; extern const struct nettle_cipher nettle_twofish192; extern const struct nettle_cipher nettle_twofish256; extern const struct nettle_cipher nettle_arctwo40; extern const struct nettle_cipher nettle_arctwo64; extern const struct nettle_cipher nettle_arctwo128; extern const struct nettle_cipher nettle_arctwo_gutmann128; struct nettle_hash { const char *name; /* Size of the context struct */ unsigned context_size; /* Size of digests */ unsigned digest_size; /* Internal block size */ unsigned block_size; nettle_hash_init_func *init; nettle_hash_update_func *update; nettle_hash_digest_func *digest; }; #define _NETTLE_HASH(name, NAME) { \ #name, \ sizeof(struct name##_ctx), \ NAME##_DIGEST_SIZE, \ NAME##_BLOCK_SIZE, \ (nettle_hash_init_func *) name##_init, \ (nettle_hash_update_func *) name##_update, \ (nettle_hash_digest_func *) name##_digest \ } /* FIXME: Rename with leading underscore, but keep current name (and size!) for now, for ABI compatibility with nettle-3.1, soname libnettle.so.6. */ /* null-terminated list of digests implemented by this version of nettle */ extern const struct nettle_hash * const nettle_hashes[]; const struct nettle_hash * const * #ifdef __GNUC__ __attribute__((pure)) #endif nettle_get_hashes (void); #define nettle_hashes (nettle_get_hashes()) const struct nettle_hash * nettle_lookup_hash (const char *name); extern const struct nettle_hash nettle_md2; extern const struct nettle_hash nettle_md4; extern const struct nettle_hash nettle_md5; extern const struct nettle_hash nettle_gosthash94; extern const struct nettle_hash nettle_ripemd160; extern const struct nettle_hash nettle_sha1; extern const struct nettle_hash nettle_sha224; extern const struct nettle_hash nettle_sha256; extern const struct nettle_hash nettle_sha384; extern const struct nettle_hash nettle_sha512; extern const struct nettle_hash nettle_sha512_224; extern const struct nettle_hash nettle_sha512_256; extern const struct nettle_hash nettle_sha3_224; extern const struct nettle_hash nettle_sha3_256; extern const struct nettle_hash nettle_sha3_384; extern const struct nettle_hash nettle_sha3_512; struct nettle_aead { const char *name; unsigned context_size; /* Block size for encrypt and decrypt. */ unsigned block_size; unsigned key_size; unsigned nonce_size; unsigned digest_size; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_set_key_func *set_nonce; nettle_hash_update_func *update; nettle_crypt_func *encrypt; nettle_crypt_func *decrypt; /* FIXME: Drop length argument? */ nettle_hash_digest_func *digest; }; /* FIXME: Rename with leading underscore, but keep current name (and size!) for now, for ABI compatibility with nettle-3.1, soname libnettle.so.6. */ /* null-terminated list of aead constructions implemented by this version of nettle */ extern const struct nettle_aead * const nettle_aeads[]; const struct nettle_aead * const * #ifdef __GNUC__ __attribute__((pure)) #endif nettle_get_aeads (void); #define nettle_aeads (nettle_get_aeads()) extern const struct nettle_aead nettle_gcm_aes128; extern const struct nettle_aead nettle_gcm_aes192; extern const struct nettle_aead nettle_gcm_aes256; extern const struct nettle_aead nettle_gcm_camellia128; extern const struct nettle_aead nettle_gcm_camellia256; extern const struct nettle_aead nettle_eax_aes128; extern const struct nettle_aead nettle_chacha_poly1305; struct nettle_armor { const char *name; unsigned encode_context_size; unsigned decode_context_size; unsigned encode_final_length; nettle_armor_init_func *encode_init; nettle_armor_length_func *encode_length; nettle_armor_encode_update_func *encode_update; nettle_armor_encode_final_func *encode_final; nettle_armor_init_func *decode_init; nettle_armor_length_func *decode_length; nettle_armor_decode_update_func *decode_update; nettle_armor_decode_final_func *decode_final; }; #define _NETTLE_ARMOR(name, NAME) { \ #name, \ sizeof(struct name##_encode_ctx), \ sizeof(struct name##_decode_ctx), \ NAME##_ENCODE_FINAL_LENGTH, \ (nettle_armor_init_func *) name##_encode_init, \ (nettle_armor_length_func *) name##_encode_length, \ (nettle_armor_encode_update_func *) name##_encode_update, \ (nettle_armor_encode_final_func *) name##_encode_final, \ (nettle_armor_init_func *) name##_decode_init, \ (nettle_armor_length_func *) name##_decode_length, \ (nettle_armor_decode_update_func *) name##_decode_update, \ (nettle_armor_decode_final_func *) name##_decode_final, \ } #define _NETTLE_ARMOR_0(name, NAME) { \ #name, \ 0, \ sizeof(struct name##_decode_ctx), \ NAME##_ENCODE_FINAL_LENGTH, \ (nettle_armor_init_func *) name##_encode_init, \ (nettle_armor_length_func *) name##_encode_length, \ (nettle_armor_encode_update_func *) name##_encode_update, \ (nettle_armor_encode_final_func *) name##_encode_final, \ (nettle_armor_init_func *) name##_decode_init, \ (nettle_armor_length_func *) name##_decode_length, \ (nettle_armor_decode_update_func *) name##_decode_update, \ (nettle_armor_decode_final_func *) name##_decode_final, \ } /* FIXME: Rename with leading underscore, but keep current name (and size!) for now, for ABI compatibility with nettle-3.1, soname libnettle.so.6. */ /* null-terminated list of armor schemes implemented by this version of nettle */ extern const struct nettle_armor * const nettle_armors[]; const struct nettle_armor * const * #ifdef __GNUC__ __attribute__((pure)) #endif nettle_get_armors (void); #define nettle_armors (nettle_get_armors()) extern const struct nettle_armor nettle_base64; extern const struct nettle_armor nettle_base64url; extern const struct nettle_armor nettle_base16; #ifdef __cplusplus } #endif #endif /* NETTLE_META_H_INCLUDED */ nettle-3.4.1/dsa-verify.c0000644000175000017500000000472713401564746014277 0ustar nissenisse/* dsa-verify.c The DSA publickey algorithm. Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "bignum.h" int dsa_verify(const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature) { mpz_t w; mpz_t tmp; mpz_t v; int res; /* Check that r and s are in the proper range */ if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, params->q) >= 0) return 0; if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, params->q) >= 0) return 0; mpz_init(w); /* Compute w = s^-1 (mod q) */ /* NOTE: In gmp-2, mpz_invert sometimes generates negative inverses, * so we need gmp-3 or better. */ if (!mpz_invert(w, signature->s, params->q)) { mpz_clear(w); return 0; } mpz_init(tmp); mpz_init(v); /* The message digest */ _dsa_hash (tmp, mpz_sizeinbase (params->q, 2), digest_size, digest); /* v = g^{w * h (mod q)} (mod p) */ mpz_mul(tmp, tmp, w); mpz_fdiv_r(tmp, tmp, params->q); mpz_powm(v, params->g, tmp, params->p); /* y^{w * r (mod q) } (mod p) */ mpz_mul(tmp, signature->r, w); mpz_fdiv_r(tmp, tmp, params->q); mpz_powm(tmp, y, tmp, params->p); /* v = (g^{w * h} * y^{w * r} (mod p) ) (mod q) */ mpz_mul(v, v, tmp); mpz_fdiv_r(v, v, params->p); mpz_fdiv_r(v, v, params->q); res = !mpz_cmp(v, signature->r); mpz_clear(w); mpz_clear(tmp); mpz_clear(v); return res; } nettle-3.4.1/curve25519-mul.c0000644000175000017500000001120513401564746014540 0ustar nissenisse/* curve25519-mul.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult. */ void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) { const struct ecc_curve *ecc = &_nettle_curve25519; mp_size_t itch; mp_limb_t *scratch; int i; mp_limb_t cy; /* FIXME: Could save some more scratch space, e.g., by letting BB overlap C, D, and CB overlap A, D. And possibly reusing some of x2, z2, x3, z3. */ #define x1 scratch #define x2 (scratch + ecc->p.size) #define z2 (scratch + 2*ecc->p.size) #define x3 (scratch + 3*ecc->p.size) #define z3 (scratch + 4*ecc->p.size) #define A (scratch + 5*ecc->p.size) #define B (scratch + 6*ecc->p.size) #define C (scratch + 7*ecc->p.size) #define D (scratch + 8*ecc->p.size) #define AA (scratch + 9*ecc->p.size) #define BB (scratch +10*ecc->p.size) #define E (scratch + 10*ecc->p.size) /* Overlap BB */ #define DA (scratch + 9*ecc->p.size) /* Overlap AA */ #define CB (scratch + 10*ecc->p.size) /* Overlap BB */ itch = ecc->p.size * 12; scratch = gmp_alloc_limbs (itch); /* Note that 255 % GMP_NUMB_BITS == 0 isn't supported, so x1 always holds at least 256 bits. */ mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE); /* Clear bit 255, as required by RFC 7748. */ x1[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS)); /* Initialize, x2 = x1, z2 = 1 */ mpn_copyi (x2, x1, ecc->p.size); z2[0] = 1; mpn_zero (z2+1, ecc->p.size - 1); /* Get x3, z3 from doubling. Since bit 254 is forced to 1. */ ecc_modp_add (ecc, A, x2, z2); ecc_modp_sub (ecc, B, x2, z2); ecc_modp_sqr (ecc, AA, A); ecc_modp_sqr (ecc, BB, B); ecc_modp_mul (ecc, x3, AA, BB); ecc_modp_sub (ecc, E, AA, BB); ecc_modp_addmul_1 (ecc, AA, E, 121665); ecc_modp_mul (ecc, z3, E, AA); for (i = 253; i >= 3; i--) { int bit = (n[i/8] >> (i & 7)) & 1; cnd_swap (bit, x2, x3, 2*ecc->p.size); /* Formulas from draft-turner-thecurve25519function-00-Mont. We compute new coordinates in memory-address order, since mul and sqr clobbers higher limbs. */ ecc_modp_add (ecc, A, x2, z2); ecc_modp_sub (ecc, B, x2, z2); ecc_modp_sqr (ecc, AA, A); ecc_modp_sqr (ecc, BB, B); ecc_modp_mul (ecc, x2, AA, BB); /* Last use of BB */ ecc_modp_sub (ecc, E, AA, BB); ecc_modp_addmul_1 (ecc, AA, E, 121665); ecc_modp_add (ecc, C, x3, z3); ecc_modp_sub (ecc, D, x3, z3); ecc_modp_mul (ecc, z2, E, AA); /* Last use of E and AA */ ecc_modp_mul (ecc, DA, D, A); /* Last use of D, A. FIXME: could let CB overlap. */ ecc_modp_mul (ecc, CB, C, B); ecc_modp_add (ecc, C, DA, CB); ecc_modp_sqr (ecc, x3, C); ecc_modp_sub (ecc, C, DA, CB); ecc_modp_sqr (ecc, DA, C); ecc_modp_mul (ecc, z3, DA, x1); /* FIXME: Could be combined with the loop's initial cnd_swap. */ cnd_swap (bit, x2, x3, 2*ecc->p.size); } /* Do the 3 low zero bits, just duplicating x2 */ for ( ; i >= 0; i--) { ecc_modp_add (ecc, A, x2, z2); ecc_modp_sub (ecc, B, x2, z2); ecc_modp_sqr (ecc, AA, A); ecc_modp_sqr (ecc, BB, B); ecc_modp_mul (ecc, x2, AA, BB); ecc_modp_sub (ecc, E, AA, BB); ecc_modp_addmul_1 (ecc, AA, E, 121665); ecc_modp_mul (ecc, z2, E, AA); } ecc->p.invert (&ecc->p, x3, z2, z3 + ecc->p.size); ecc_modp_mul (ecc, z3, x2, x3); cy = mpn_sub_n (x2, z3, ecc->p.m, ecc->p.size); cnd_copy (cy, x2, z3, ecc->p.size); mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->p.size); gmp_free_limbs (scratch, itch); } nettle-3.4.1/rsa2openpgp.c0000644000175000017500000000546213401564746014463 0ustar nissenisse/* rsa2openpgp.c Converting rsa keys to OpenPGP format. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "rsa.h" #include "buffer.h" #include "pgp.h" /* According to RFC 2440, a public key consists of the following packets: * * Public key packet * * Zero or more revocation signatures * * One or more User ID packets * * After each User ID packet, zero or more signature packets * * Zero or more Subkey packets * * After each Subkey packet, one signature packet, optionally a * revocation. * * Currently, we generate a public key packet, a single user id, and a * signature. */ int rsa_keypair_to_openpgp(struct nettle_buffer *buffer, const struct rsa_public_key *pub, const struct rsa_private_key *priv, /* A single user id. NUL-terminated utf8. */ const char *userid) { time_t now = time(NULL); unsigned key_start; unsigned userid_start; struct sha1_ctx key_hash; struct sha1_ctx signature_hash; uint8_t fingerprint[SHA1_DIGEST_SIZE]; key_start = buffer->size; if (!pgp_put_public_rsa_key(buffer, pub, now)) return 0; /* userid packet */ userid_start = buffer->size; if (!pgp_put_userid(buffer, strlen(userid), (const uint8_t *) userid)) return 0; /* FIXME: We hash the key first, and then the user id. Is this right? */ sha1_init(&key_hash); sha1_update(&key_hash, userid_start - key_start, buffer->contents + key_start); signature_hash = key_hash; sha1_digest(&key_hash, sizeof(fingerprint), fingerprint); sha1_update(&signature_hash, buffer->size - userid_start, buffer->contents + userid_start); return pgp_put_rsa_sha1_signature(buffer, priv, fingerprint + SHA1_DIGEST_SIZE - 8, PGP_SIGN_CERTIFICATION, &signature_hash); } nettle-3.4.1/COPYINGv30000644000175000017500000010451613401564746013363 0ustar nissenisse GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . nettle-3.4.1/stamp-h.in0000644000175000017500000000001213401564746013742 0ustar nissenissetimestamp nettle-3.4.1/ecc-521.c0000644000175000017500000000620713401564746013260 0ustar nissenisse/* ecc-521.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-521.h" #if HAVE_NATIVE_ecc_521_modp #define ecc_521_modp nettle_ecc_521_modp void ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp); #else #define B_SHIFT (521 % GMP_NUMB_BITS) #define BMODP_SHIFT (GMP_NUMB_BITS - B_SHIFT) #define BMODP ((mp_limb_t) 1 << BMODP_SHIFT) /* Result may be *slightly* larger than 2^521 */ static void ecc_521_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) { /* FIXME: Should use mpn_addlsh_n_ip1 */ mp_limb_t hi; /* Reduce from 2*ECC_LIMB_SIZE to ECC_LIMB_SIZE + 1 */ rp[ECC_LIMB_SIZE] = mpn_addmul_1 (rp, rp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, BMODP); hi = mpn_addmul_1 (rp, rp + ECC_LIMB_SIZE, 1, BMODP); hi = sec_add_1 (rp + 1, rp + 1, ECC_LIMB_SIZE - 1, hi); /* Combine hi with top bits, and add in. */ hi = (hi << BMODP_SHIFT) | (rp[ECC_LIMB_SIZE-1] >> B_SHIFT); rp[ECC_LIMB_SIZE-1] = (rp[ECC_LIMB_SIZE-1] & (((mp_limb_t) 1 << B_SHIFT)-1)) + sec_add_1 (rp, rp, ECC_LIMB_SIZE - 1, hi); } #endif const struct ecc_curve nettle_secp_521r1 = { { 521, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_redc_ppm1, ecc_pp1h, ecc_521_modp, ecc_521_modp, ecc_mod_inv, NULL, }, { 521, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), ecc_add_jjj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_g, NULL, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_521r1(void) { return &nettle_secp_521r1; } nettle-3.4.1/.bootstrap0000755000175000017500000000004313401564746014066 0ustar nissenisse#! /bin/sh autoconf && autoheader nettle-3.4.1/sha-example.c0000644000175000017500000000127713401564746014427 0ustar nissenisse#include #include #include #define BUF_SIZE 1000 static void display_hex(unsigned length, uint8_t *data) { unsigned i; for (i = 0; i&2 exit 1;; esac continue;; -o) chowncmd="$chownprog $2" shift shift continue;; -s) stripcmd=$stripprog shift continue;; -t) dstarg=$2 shift shift continue;; -T) no_target_directory=true shift continue;; --version) echo "$0 $scriptversion"; exit $?;; --) shift break;; -*) echo "$0: invalid option: $1" >&2 exit 1;; *) break;; esac done if test $# -ne 0 && test -z "$dir_arg$dstarg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. # Otherwise, the last argument is the destination. Remove it from $@. for arg do if test -n "$dstarg"; then # $@ is not empty: it contains at least $arg. set fnord "$@" "$dstarg" shift # fnord fi shift # arg dstarg=$arg done fi if test $# -eq 0; then if test -z "$dir_arg"; then echo "$0: no input file specified." >&2 exit 1 fi # It's OK to call `install-sh -d' without argument. # This can happen when creating conditional directories. exit 0 fi if test -z "$dir_arg"; then trap '(exit $?); exit' 1 2 13 15 # Set umask so as not to create temps with too-generous modes. # However, 'strip' requires both read and write access to temps. case $mode in # Optimize common cases. *644) cp_umask=133;; *755) cp_umask=22;; *[0-7]) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac fi for src do # Protect names starting with `-'. case $src in -*) src=./$src ;; esac if test -n "$dir_arg"; then dst=$src dstdir=$dst test -d "$dstdir" dstdir_status=$? else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if test ! -f "$src" && test ! -d "$src"; then echo "$0: $src does not exist." >&2 exit 1 fi if test -z "$dstarg"; then echo "$0: no destination specified." >&2 exit 1 fi dst=$dstarg # Protect names starting with `-'. case $dst in -*) dst=./$dst ;; esac # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. if test -d "$dst"; then if test -n "$no_target_directory"; then echo "$0: $dstarg: Is a directory" >&2 exit 1 fi dstdir=$dst dst=$dstdir/`basename "$src"` dstdir_status=0 else # Prefer dirname, but fall back on a substitute if dirname fails. dstdir=` (dirname "$dst") 2>/dev/null || expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$dst" : 'X\(//\)[^/]' \| \ X"$dst" : 'X\(//\)$' \| \ X"$dst" : 'X\(/\)' \| . 2>/dev/null || echo X"$dst" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q' ` test -d "$dstdir" dstdir_status=$? fi fi obsolete_mkdir_used=false if test $dstdir_status != 0; then case $posix_mkdir in '') # Create intermediate dirs using mode 755 as modified by the umask. # This is like FreeBSD 'install' as of 1997-10-28. umask=`umask` case $stripcmd.$umask in # Optimize common cases. *[2367][2367]) mkdir_umask=$umask;; .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; *[0-7]) mkdir_umask=`expr $umask + 22 \ - $umask % 100 % 40 + $umask % 20 \ - $umask % 10 % 4 + $umask % 2 `;; *) mkdir_umask=$umask,go-w;; esac # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then mkdir_mode=-m$mode else mkdir_mode= fi posix_mkdir=false case $umask in *[123567][0-7][0-7]) # POSIX mkdir -p sets u+wx bits regardless of umask, which # is incompatible with FreeBSD 'install' when (umask & 300) != 0. ;; *) tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 if (umask $mkdir_umask && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # other-writeable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. ls_ld_tmpdir=`ls -ld "$tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && $mkdirprog -m$different_mode -p -- "$tmpdir" && { ls_ld_tmpdir_1=`ls -ld "$tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi rmdir "$tmpdir/d" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null fi trap '' 0;; esac;; esac if $posix_mkdir && ( umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else # The umask is ridiculous, or mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. case $dstdir in /*) prefix=/ ;; -*) prefix=./ ;; *) prefix= ;; esac case $posix_glob in '') if (set -f) 2>/dev/null; then posix_glob=true else posix_glob=false fi ;; esac oIFS=$IFS IFS=/ $posix_glob && set -f set fnord $dstdir shift $posix_glob && set +f IFS=$oIFS prefixes= for d do test -z "$d" && continue prefix=$prefix$d if test -d "$prefix"; then prefixes= else if $posix_mkdir; then (umask=$mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 else case $prefix in *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; *) qprefix=$prefix;; esac prefixes="$prefixes '$qprefix'" fi fi prefix=$prefix/ done if test -n "$prefixes"; then # Don't fail if two instances are running concurrently. (umask $mkdir_umask && eval "\$doit_exec \$mkdirprog $prefixes") || test -d "$dstdir" || exit 1 obsolete_mkdir_used=true fi fi fi if test -n "$dir_arg"; then { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 else # Make a couple of temp file names in the proper directory. dsttmp=$dstdir/_inst.$$_ rmtmp=$dstdir/_rm.$$_ # Trap to clean up those temp files at exit. trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $cpprog $src $dsttmp" command. # { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \ && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \ && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && # Now rename the file to the real destination. { $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null \ || { # The rename failed, perhaps because mv can't rename something else # to itself, or perhaps because mv is so ancient that it does not # support -f. # Now remove or move aside any old file at destination location. # We try this two ways since rm can't unlink itself on some # systems and the destination file might be busy for other # reasons. In this case, the final cleanup might fail but the new # file should still install successfully. { if test -f "$dst"; then $doit $rmcmd -f "$dst" 2>/dev/null \ || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null \ && { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }; }\ || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 } else : fi } && # Now rename the file to the real destination. $doit $mvcmd "$dsttmp" "$dst" } } || exit 1 trap '' 0 fi done # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-end: "$" # End: nettle-3.4.1/version.c0000644000175000017500000000230413401564745013677 0ustar nissenisse/* version.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "version.h" int nettle_version_major (void) { return NETTLE_VERSION_MAJOR; } int nettle_version_minor (void) { return NETTLE_VERSION_MINOR; } nettle-3.4.1/salsa20r12-crypt.c0000644000175000017500000000356013401564745015150 0ustar nissenisse/* salsa20r12-crypt.c The Salsa20 stream cipher, reduced round variant. Copyright (C) 2013 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "salsa20.h" #include "macros.h" #include "memxor.h" void salsa20r12_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *c, const uint8_t *m) { uint32_t x[_SALSA20_INPUT_LENGTH]; if (!length) return; for (;;) { _salsa20_core (x, ctx->input, 12); ctx->input[9] += (++ctx->input[8] == 0); /* stopping at 2^70 length per nonce is user's responsibility */ if (length <= SALSA20_BLOCK_SIZE) { memxor3 (c, m, x, length); return; } memxor3 (c, m, x, SALSA20_BLOCK_SIZE); length -= SALSA20_BLOCK_SIZE; c += SALSA20_BLOCK_SIZE; m += SALSA20_BLOCK_SIZE; } } nettle-3.4.1/hmac-ripemd160.c0000644000175000017500000000312413401564745014630 0ustar nissenisse/* hmac-ripemd160.c HMAC-RIPEMD160 message authentication code. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_ripemd160, key_length, key); } void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data) { ripemd160_update(&ctx->state, length, data); } void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_ripemd160, length, digest); } nettle-3.4.1/memops.h0000644000175000017500000000277013401564746013527 0ustar nissenisse/* memops.h Copyright (C) 2016 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MEMOPS_H_INCLUDED #define NETTLE_MEMOPS_H_INCLUDED #include "memxor.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cnd_memcpy nettle_cnd_memcpy #define memeql_sec nettle_memeql_sec int memeql_sec (const void *a, const void *b, size_t n); /* Side-channel silent conditional memcpy. cnd must be 0 (nop) or 1 (copy). */ void cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n); #ifdef __cplusplus } #endif #endif /* NETTLE_MEMOPS_H_INCLUDED */ nettle-3.4.1/ecc-add-eh.c0000644000175000017500000000556513401564746014101 0ustar nissenisse/* ecc-add-eh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, with result and first point in homogeneous coordinates. */ void ecc_add_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) B = z1^2 sqr B, C, E, T F = B - E B, C, E, F, T G = B + E C, F, G, T x3 = z1*F*T 3 mul C, F, G, T y3 = z1*G*(D-C) 2 mul F, G z3 = F*G mul */ #define C (scratch) #define D (scratch + 1*ecc->p.size) #define T (scratch + 2*ecc->p.size) #define E (scratch + 3*ecc->p.size) #define B (scratch + 4*ecc->p.size) #define F D #define G E ecc_modp_mul (ecc, C, x1, x2); ecc_modp_mul (ecc, D, y1, y2); ecc_modp_add (ecc, x3, x1, y1); ecc_modp_add (ecc, y3, x2, y2); ecc_modp_mul (ecc, T, x3, y3); ecc_modp_sub (ecc, T, T, C); ecc_modp_sub (ecc, T, T, D); ecc_modp_mul (ecc, x3, C, D); ecc_modp_mul (ecc, E, x3, ecc->b); ecc_modp_add (ecc, C, D, C); /* ! */ ecc_modp_sqr (ecc, B, z1); ecc_modp_sub (ecc, F, B, E); ecc_modp_add (ecc, G, B, E); /* x3 */ ecc_modp_mul (ecc, B, G, T); /* ! */ ecc_modp_mul (ecc, x3, B, z1); /* y3 */ ecc_modp_mul (ecc, B, F, z1); /* ! */ ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */ /* z3 */ ecc_modp_mul (ecc, B, F, G); mpn_copyi (z3, B, ecc->p.size); } nettle-3.4.1/Makefile.in0000644000175000017500000005423113401564746014122 0ustar nissenisse# Nettle Makefile @SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = $(INSTALL_PROGRAM) -s MKDIR_P = @MKDIR_P@ OPT_NETTLE_OBJS = @OPT_NETTLE_OBJS@ OPT_HOGWEED_OBJS = @OPT_HOGWEED_OBJS@ OPT_NETTLE_SOURCES = @OPT_NETTLE_SOURCES@ SUBDIRS = tools testsuite examples include config.make PRE_CPPFLAGS = -I. EXTRA_CFLAGS = $(CCPIC) # FIXME: Add configuration of LIBEXT? LIBTARGETS = @IF_STATIC@ libnettle.a @IF_HOGWEED@ libhogweed.a SHLIBTARGETS = @IF_SHARED@ $(LIBNETTLE_FORLINK) @IF_HOGWEED@ $(LIBHOGWEED_FORLINK) getopt_SOURCES = getopt.c getopt1.c getopt_TARGETS = $(getopt_SOURCES:.c=.$(OBJEXT)) internal_SOURCES = nettle-internal.c internal_TARGETS = $(internal_SOURCES:.c=.$(OBJEXT)) TARGETS = aesdata$(EXEEXT_FOR_BUILD) desdata$(EXEEXT_FOR_BUILD) \ twofishdata$(EXEEXT_FOR_BUILD) shadata$(EXEEXT_FOR_BUILD) \ gcmdata$(EXEEXT_FOR_BUILD) \ $(getopt_TARGETS) $(internal_TARGETS) \ $(LIBTARGETS) $(SHLIBTARGETS) DOCTARGETS = @IF_DOCUMENTATION@ nettle.info nettle.html nettle.pdf PKGCONFIG_FILES = nettle.pc @IF_HOGWEED@ hogweed.pc pkgconfigdir = $(libdir)/pkgconfig all check install uninstall: $(MAKE) $@-here set -e; for d in $(SUBDIRS); do \ echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done clean distclean mostlyclean maintainer-clean tags: set -e; for d in $(SUBDIRS); do \ echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done $(MAKE) $@-here check-here: true # FIXME: Remove. These targets aren't supported, but they are expected by the # automake generated Makefiles in the lsh build. dvi installcheck uninstallcheck: true all-here: $(TARGETS) $(DOCTARGETS) nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \ aes-invert-internal.c aes-set-key-internal.c \ aes-set-encrypt-key.c aes-set-decrypt-key.c \ aes128-set-encrypt-key.c aes128-set-decrypt-key.c \ aes128-meta.c \ aes192-set-encrypt-key.c aes192-set-decrypt-key.c \ aes192-meta.c \ aes256-set-encrypt-key.c aes256-set-decrypt-key.c \ aes256-meta.c \ arcfour.c arcfour-crypt.c \ arctwo.c arctwo-meta.c blowfish.c \ base16-encode.c base16-decode.c base16-meta.c \ base64-encode.c base64-decode.c base64-meta.c \ base64url-encode.c base64url-decode.c base64url-meta.c \ buffer.c buffer-init.c \ camellia-crypt-internal.c camellia-table.c \ camellia-absorb.c camellia-invert-key.c \ camellia128-set-encrypt-key.c camellia128-crypt.c \ camellia128-set-decrypt-key.c \ camellia128-meta.c \ camellia192-meta.c \ camellia256-set-encrypt-key.c camellia256-crypt.c \ camellia256-set-decrypt-key.c \ camellia256-meta.c \ cast128.c cast128-meta.c cbc.c \ ccm.c ccm-aes128.c ccm-aes192.c ccm-aes256.c cfb.c \ cnd-memcpy.c \ chacha-crypt.c chacha-core-internal.c \ chacha-poly1305.c chacha-poly1305-meta.c \ chacha-set-key.c chacha-set-nonce.c \ ctr.c des.c des3.c des-compat.c \ eax.c eax-aes128.c eax-aes128-meta.c \ gcm.c gcm-aes.c \ gcm-aes128.c gcm-aes128-meta.c \ gcm-aes192.c gcm-aes192-meta.c \ gcm-aes256.c gcm-aes256-meta.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ gosthash94.c gosthash94-meta.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ knuth-lfib.c hkdf.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compress.c md5-compat.c md5-meta.c \ memeql-sec.c memxor.c memxor3.c \ nettle-lookup-hash.c \ nettle-meta-aeads.c nettle-meta-armors.c \ nettle-meta-ciphers.c nettle-meta-hashes.c \ pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \ poly1305-aes.c poly1305-internal.c \ realloc.c \ ripemd160.c ripemd160-compress.c ripemd160-meta.c \ salsa20-core-internal.c \ salsa20-crypt.c salsa20r12-crypt.c salsa20-set-key.c \ salsa20-set-nonce.c \ salsa20-128-set-key.c salsa20-256-set-key.c \ sha1.c sha1-compress.c sha1-meta.c \ sha256.c sha256-compress.c sha224-meta.c sha256-meta.c \ sha512.c sha512-compress.c sha384-meta.c sha512-meta.c \ sha512-224-meta.c sha512-256-meta.c \ sha3.c sha3-permute.c \ sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \ sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c\ serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \ serpent-meta.c \ twofish.c twofish-meta.c \ umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \ umac-poly64.c umac-poly128.c umac-set-key.c \ umac32.c umac64.c umac96.c umac128.c \ version.c \ write-be32.c write-le32.c write-le64.c \ yarrow256.c yarrow_key_event.c hogweed_SOURCES = sexp.c sexp-format.c \ sexp-transport.c sexp-transport-format.c \ bignum.c bignum-random.c bignum-random-prime.c \ sexp2bignum.c \ pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \ pkcs1-sec-decrypt.c \ pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \ pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \ pss.c pss-mgf1.c \ rsa.c rsa-sign.c rsa-sign-tr.c rsa-verify.c \ rsa-sec-compute-root.c \ rsa-pkcs1-sign.c rsa-pkcs1-sign-tr.c rsa-pkcs1-verify.c \ rsa-md5-sign.c rsa-md5-sign-tr.c rsa-md5-verify.c \ rsa-sha1-sign.c rsa-sha1-sign-tr.c rsa-sha1-verify.c \ rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \ rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \ rsa-pss-sha256-sign-tr.c rsa-pss-sha256-verify.c \ rsa-pss-sha512-sign-tr.c rsa-pss-sha512-verify.c \ rsa-encrypt.c rsa-decrypt.c \ rsa-sec-decrypt.c rsa-decrypt-tr.c \ rsa-keygen.c rsa-blind.c \ rsa2sexp.c sexp2rsa.c \ dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \ dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \ dsa-sha1-sign.c dsa-sha1-verify.c \ dsa-sha256-sign.c dsa-sha256-verify.c \ dsa2sexp.c sexp2dsa.c \ pgp-encode.c rsa2openpgp.c \ der-iterator.c der2rsa.c der2dsa.c \ sec-add-1.c sec-sub-1.c sec-tabselect.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ ecc-25519.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ ecc-dup-eh.c ecc-add-eh.c ecc-add-ehh.c \ ecc-mul-g-eh.c ecc-mul-a-eh.c \ ecc-mul-g.c ecc-mul-a.c ecc-hash.c ecc-random.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c \ ed25519-sha512-pubkey.c \ ed25519-sha512-sign.c ed25519-sha512-verify.c OPT_SOURCES = fat-x86_64.c fat-arm.c mini-gmp.c HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ base16.h base64.h bignum.h buffer.h camellia.h cast128.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h des.h des-compat.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ gcm.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ md2.h md4.h \ md5.h md5-compat.h \ memops.h memxor.h \ nettle-meta.h nettle-types.h \ pbkdf2.h \ pgp.h pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \ salsa20.h sexp.h \ serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \ umac.h yarrow.h poly1305.h INSTALL_HEADERS = $(HEADERS) nettle-stdint.h version.h @IF_MINI_GMP@ mini-gmp.h SOURCES = $(nettle_SOURCES) $(hogweed_SOURCES) \ $(getopt_SOURCES) $(internal_SOURCES) \ $(OPT_SOURCES) \ aesdata.c desdata.c twofishdata.c shadata.c gcmdata.c eccdata.c # NOTE: This list must include all source files, with no duplicates, # independently of which source files are included in the build. DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ .bootstrap run-tests \ aclocal.m4 configure.ac \ configure stamp-h.in version.h.in \ libnettle.map.in libhogweed.map.in \ config.guess config.sub install-sh texinfo.tex \ config.h.in config.m4.in config.make.in Makefile.in \ README CONTRIBUTING.md AUTHORS COPYING.LESSERv3 COPYINGv2 COPYINGv3 \ INSTALL NEWS TODO ChangeLog \ nettle.pc.in hogweed.pc.in \ $(des_headers) descore.README \ aes-internal.h camellia-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ memxor-internal.h nettle-internal.h nettle-write.h \ rsa-internal.h \ gmp-glue.h ecc-internal.h fat-setup.h \ mini-gmp.h asm.m4 \ nettle.texinfo nettle.info nettle.html nettle.pdf sha-example.c # Rules building static libraries nettle_OBJS = $(nettle_SOURCES:.c=.$(OBJEXT)) \ $(OPT_NETTLE_SOURCES:.c=.$(OBJEXT)) $(OPT_NETTLE_OBJS) hogweed_OBJS = $(hogweed_SOURCES:.c=.$(OBJEXT)) \ $(OPT_HOGWEED_OBJS) @IF_MINI_GMP@ mini-gmp.$(OBJEXT) libnettle.a: $(nettle_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(nettle_OBJS) $(RANLIB) $@ echo nettle > libnettle.stamp libhogweed.a: $(hogweed_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(hogweed_OBJS) $(RANLIB) $@ echo hogweed > libhogweed.stamp .c.$(OBJEXT): $(COMPILE) -c $< \ && $(DEP_PROCESS) # Rules building shared libraries. $(LIBNETTLE_FORLINK): $(nettle_OBJS) $(LIBNETTLE_LINK) $(nettle_OBJS) @EXTRA_LINKER_FLAGS@ -o $@ $(LIBNETTLE_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBNETTLE_FORLINK) \ && $(LN_S) ../$(LIBNETTLE_FORLINK) $(LIBNETTLE_FORLINK) \ && [ -z "$(LIBNETTLE_SONAME)" ] \ || { rm -f $(LIBNETTLE_SONAME) \ && $(LN_S) $(LIBNETTLE_FORLINK) $(LIBNETTLE_SONAME) ; } ) echo nettle > libnettle.stamp $(LIBHOGWEED_FORLINK): $(hogweed_OBJS) $(LIBNETTLE_FORLINK) $(LIBHOGWEED_LINK) $(hogweed_OBJS) @EXTRA_HOGWEED_LINKER_FLAGS@ -o $@ $(LIBHOGWEED_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBHOGWEED_FORLINK) \ && $(LN_S) ../$(LIBHOGWEED_FORLINK) $(LIBHOGWEED_FORLINK) \ && [ -z "$(LIBHOGWEED_SONAME)" ] \ || { rm -f $(LIBHOGWEED_SONAME) \ && $(LN_S) $(LIBHOGWEED_FORLINK) $(LIBHOGWEED_SONAME) ; } ) echo hogweed > libhogweed.stamp # For Solaris and BSD make, we have to use an explicit rule for each # executable. Avoid object file targets to make it easy to run the # right compiler. aesdata$(EXEEXT_FOR_BUILD): aesdata.c $(CC_FOR_BUILD) `test -f aesdata.c || echo '$(srcdir)/'`aesdata.c \ -o aesdata$(EXEEXT_FOR_BUILD) desdata$(EXEEXT_FOR_BUILD): desdata.c $(CC_FOR_BUILD) `test -f desdata.c || echo '$(srcdir)/'`desdata.c \ -o desdata$(EXEEXT_FOR_BUILD) twofishdata$(EXEEXT_FOR_BUILD): twofishdata.c $(CC_FOR_BUILD) `test -f twofishdata.c || echo '$(srcdir)/'`twofishdata.c \ -o twofishdata$(EXEEXT_FOR_BUILD) shadata$(EXEEXT_FOR_BUILD): shadata.c $(CC_FOR_BUILD) `test -f shadata.c || echo '$(srcdir)/'`shadata.c -lm \ -o shadata$(EXEEXT_FOR_BUILD) gcmdata$(EXEEXT_FOR_BUILD): gcmdata.c $(CC_FOR_BUILD) `test -f gcmdata.c || echo '$(srcdir)/'`gcmdata.c \ -o gcmdata$(EXEEXT_FOR_BUILD) eccdata$(EXEEXT_FOR_BUILD): eccdata.c mini-gmp.c mini-gmp.h $(CC_FOR_BUILD) `test -f eccdata.c || echo '$(srcdir)/'`eccdata.c \ -o eccdata$(EXEEXT_FOR_BUILD) # desCore rules # It seems using $(srcdir)/ doesn't work with GNU make 3.79.1 # des_headers = $(srcdir)/rotors.h $(srcdir)/keymap.h des_headers = rotors.h keymap.h # Generate DES headers. $(des_headers): desdata.c $(MAKE) desdata$(EXEEXT_FOR_BUILD) f="$(srcdir)/`basename $@`"; \ ./desdata$(EXEEXT_FOR_BUILD) $(@F) > $${f}T; \ test -s $${f}T && mv -f $${f}T $$f des.$(OBJEXT): des.c des.h $(des_headers) # Generate ECC files. # Some possible choices for 192: # k = 15, c = 4, 64 entries, ~3 KB # k = 20, c = 6, 128 entries, ~6 KB # k = 10, c = 6, 256 entries, ~12 KB # k = 7, c = 6, 320 entries, ~15 KB # k = 9, c = 7, 512 entries, ~24 KB ecc-192.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) 192 7 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some possible choices for 224: # k = 18, c = 4, 64 entries, ~4 KB # k = 24, c = 6, 128 entries, ~8 KB # k = 12, c = 6, 256 entries, ~16 KB # k = 8, c = 6, 320 entries, ~20 KB # k = 10, c = 7, 512 entries, ~32 KB ecc-224.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) 224 12 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some possible choices for 256: # k = 20, c = 4, 64 entries, ~4 KB # k = 27, c = 6, 128 entries, ~8 KB # k = 14, c = 6, 256 entries, ~16 KB # k = 9, c = 6, 320 entries, ~20 KB # k = 12, c = 7, 512 entries, ~32 KB ecc-256.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) 256 14 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some possible choices for 384: # k = 31, c = 4, 64 entries, ~6 KB # k = 41, c = 6, 128 entries, ~12 KB # k = 20, c = 6, 256 entries, ~24 KB # k = 14, c = 6, 320 entries, ~30 KB # k = 18, c = 7, 512 entries, ~48 KB ecc-384.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) 384 41 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some possible choices for 521: # k = 42, c = 4, 64 entries, ~9 KB # k = 56, c = 6, 128 entries, ~18 KB # k = 28, c = 6, 256 entries, ~35 KB # k = 19, c = 6, 320 entries, ~44 KB # k = 24, c = 7, 512 entries, ~70 KB ecc-521.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) 521 56 6 $(NUMB_BITS) > $@T && mv $@T $@ ecc-25519.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) 255 14 6 $(NUMB_BITS) > $@T && mv $@T $@ eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp ecc-192.$(OBJEXT): ecc-192.h ecc-224.$(OBJEXT): ecc-224.h ecc-256.$(OBJEXT): ecc-256.h ecc-384.$(OBJEXT): ecc-384.h ecc-521.$(OBJEXT): ecc-521.h ecc-25519.$(OBJEXT): ecc-25519.h .asm.$(OBJEXT): $(srcdir)/asm.m4 machine.m4 config.m4 $(M4) $(srcdir)/asm.m4 machine.m4 config.m4 $< >$*.s $(COMPILE) -c $*.s @echo "$@ : $< $(srcdir)/asm.m4 machine.m4 config.m4" >$@.d # Texinfo rules .texinfo.info: cd $(srcdir) && $(MAKEINFO) --output $@ `basename "$<"` .texinfo.html: cd $(srcdir) && $(MAKEINFO) --html --no-split \ --output $@T `basename "$<"` \ && test -s $@T && mv -f $@T $@ .texinfo.dvi: cd $(srcdir) && texi2dvi -b `basename "$<"` .dvi.ps: cd $(srcdir) && dvips -Ppdf -G0 -o `basename "$<" .dvi`.ps `basename "$<"` # Avoid rebuilding .dvi and .ps files when the .texinfo source is unchanged. PS2PDFFLAGS=-dCompatibilityLevel=1.3 -dMAxSubsetPct=100 -dSubsetFonts=true -dEmbedAllFonts=true .texinfo.pdf: $(MAKE) `basename "$<" .texinfo`.ps cd $(srcdir) && ps2pdf $(PS2PDFFLAGS) `basename "$<" .texinfo`.ps # Configure-related rules, mostly copied from the autoconf manual. No # $(srcdir) prefixes on the targets, though. configure: configure.ac aclocal.m4 cd $(srcdir) && $(AUTOCONF) # autoheader might not change config.h.in, so touch a stamp file. config.h.in: stamp-h.in stamp-h.in: configure.ac aclocal.m4 cd $(srcdir) && $(AUTOHEADER) echo timestamp > $(srcdir)/stamp-h.in config.status: configure ./config.status --recheck config.h: stamp-h stamp-h: config.h.in config.status ./config.status config.h echo timestamp > stamp-h Makefile: Makefile.in config.status ./config.status $@ config.make: config.make.in config.status ./config.status $@ config.m4: config.m4.in config.status ./config.status $@ nettle.pc: nettle.pc.in config.status ./config.status $@ hogweed.pc: hogweed.pc.in config.status ./config.status $@ version.h: version.h.in config.status ./config.status $@ # Installation install-doc: @IF_DOCUMENTATION@ install-info install-here: install-doc install-headers install-static install-pkgconfig \ @IF_SHARED@ install-shared-nettle @IF_HOGWEED@ install-shared-hogweed install-static: $(LIBTARGETS) $(MKDIR_P) $(DESTDIR)$(libdir) for f in $(LIBTARGETS); do \ $(INSTALL_DATA) $$f $(DESTDIR)$(libdir) ; \ done install-dll-nettle: $(MKDIR_P) $(DESTDIR)$(bindir) $(INSTALL_DATA) $(LIBNETTLE_FORLINK) $(DESTDIR)$(bindir)/$(LIBNETTLE_FORLINK) install-shared-nettle: $(LIBNETTLE_FORLINK) @IF_DLL@ install-dll-nettle $(MKDIR_P) $(DESTDIR)$(libdir) $(INSTALL_DATA) $(LIBNETTLE_FILE_SRC) $(DESTDIR)$(libdir)/$(LIBNETTLE_FILE) [ -z "$(LIBNETTLE_SONAME)" ] \ || (cd $(DESTDIR)$(libdir) \ && rm -f $(LIBNETTLE_SONAME) $(LIBNETTLE_FORLINK) \ && $(LN_S) $(LIBNETTLE_FILE) $(LIBNETTLE_SONAME) \ && $(LN_S) $(LIBNETTLE_FILE) $(LIBNETTLE_FORLINK)) install-dll-hogweed: $(MKDIR_P) $(DESTDIR)$(bindir) $(INSTALL_DATA) $(LIBHOGWEED_FORLINK) $(DESTDIR)$(bindir)/$(LIBHOGWEED_FORLINK) install-shared-hogweed: $(LIBHOGWEED_FORLINK) @IF_DLL@ install-dll-hogweed $(MKDIR_P) $(DESTDIR)$(libdir) $(INSTALL_DATA) $(LIBHOGWEED_FILE_SRC) $(DESTDIR)$(libdir)/$(LIBHOGWEED_FILE) [ -z "$(LIBHOGWEED_SONAME)" ] \ || (cd $(DESTDIR)$(libdir) \ && rm -f $(LIBHOGWEED_SONAME) $(LIBHOGWEED_FORLINK) \ && $(LN_S) $(LIBHOGWEED_FILE) $(LIBHOGWEED_SONAME) \ && $(LN_S) $(LIBHOGWEED_FILE) $(LIBHOGWEED_FORLINK)) # I'd like to use makes VPATH search to locate the files to be # installed. But it seems most make programs don't set $<, $^, $? and # friends for ordinary explicit rules. install-info: nettle.info $(MKDIR_P) $(DESTDIR)$(infodir) f=nettle.info ; \ [ -f $$f ] || f="$(srcdir)/$$f" ; \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(infodir) ; \ if (install-info --version && \ install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ install-info --info-dir="$(DESTDIR)$(infodir)" "$$f" ; \ else : ; fi # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, and equivalent for phony targets. install-headers: $(INSTALL_HEADERS) $(MKDIR_P) $(DESTDIR)$(includedir)/nettle for f in $(INSTALL_HEADERS) ; do \ if [ -f "$$f" ] ; then \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(includedir)/nettle ; \ else \ $(INSTALL_DATA) "$(srcdir)/$$f" $(DESTDIR)$(includedir)/nettle ; \ fi ; done install-pkgconfig: $(PKGCONFIG_FILES) $(MKDIR_P) $(DESTDIR)$(pkgconfigdir) for f in $(PKGCONFIG_FILES) ; do \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(pkgconfigdir) ; \ done # Uninstall uninstall-here: uninstall-info uninstall-headers uninstall-static \ uninstall-pkgconfig @IF_SHARED@ uninstall-shared uninstall-static: for f in $(LIBTARGETS) ; do \ rm -f $(DESTDIR)$(libdir)/$$f ; \ done uninstall-headers: for f in $(INSTALL_HEADERS) ; do \ rm -f $(DESTDIR)$(includedir)/nettle/$$f ; \ done uninstall-info: if (install-info --version && \ install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ install-info --info-dir="$(DESTDIR)$(infodir)" --remove "$(DESTDIR)$(infodir)"/nettle.info ; \ else : ; fi -rm -f $(DESTDIR)$(infodir)/nettle.info # FIXME: Leaves the links around uninstall-shared: uninstall-shared-nettle @IF_HOGWEED@ uninstall-shared-hogweed uninstall-dll-nettle: rm -f $(DESTDIR)$(bindir)/$(LIBNETTLE_FORLINK) uninstall-shared-nettle: @IF_DLL@ uninstall-dll-nettle rm -f $(DESTDIR)$(libdir)/$(LIBNETTLE_FILE) [ -z "$(LIBNETTLE_SONAME)" ] \ || rm -f $(LIBNETTLE_SONAME) $(LIBNETTLE_FORLINK) uninstall-dll-hogweed: rm -f $(DESTDIR)$(bindir)/$(LIBHOGWEED_FORLINK) uninstall-shared-hogweed: @IF_DLL@ uninstall-dll-hogweed rm -f $(DESTDIR)$(libdir)/$(LIBHOGWEED_FILE) [ -z "$(LIBHOGWEED_SONAME)" ] \ || rm -f $(LIBHOGWEED_SONAME) $(LIBHOGWEED_FORLINK) uninstall-pkgconfig: for f in $(PKGCONFIG_FILES) ; do \ rm -f $(DESTDIR)$(pkgconfigdir)/$$f ; \ done # Distribution distdir = $(PACKAGE_NAME)-$(PACKAGE_VERSION) top_distdir = $(distdir) # NOTE: We should handle both absolute and relative $destdir. distdir: $(DISTFILES) rm -rf "$(distdir)" mkdir "$(distdir)" set -e; for f in $(DISTFILES) ; do \ if [ -f "$$f" ] ; then cp "$$f" "$(distdir)" ; \ else cp "$(srcdir)/$$f" "$(distdir)" ; \ fi ; \ done set -e; for d in sparc32 sparc64 x86 \ x86_64 x86_64/aesni x86_64/fat \ arm arm/neon arm/v6 arm/fat ; do \ mkdir "$(distdir)/$$d" ; \ find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' ')' \ -exec cp '{}' "$(distdir)/$$d" ';' ; \ done set -e; for d in $(SUBDIRS); do \ sd="$(distdir)/$$d" ; \ mkdir "$$sd" && $(MAKE) -C $$d distdir="`cd $$sd && pwd`" $@ ; \ done dist: distdir tar cf - $(distdir) | gzip -c >$(distdir).tar.gz rm -rf $(distdir) rm_distcheck = test ! -d distcheck-tmp \ || { find distcheck-tmp -type d ! -perm -200 -exec chmod u+w {} ';' \ && rm -fr distcheck-tmp; }; distcheck: dist $(rm_distcheck) mkdir distcheck-tmp gzip -d < $(distdir).tar.gz \ | { cd distcheck-tmp && tar xf - && chmod -R a-w $(distdir) ; } mkdir distcheck-tmp/build mkdir distcheck-tmp/install cd distcheck-tmp/build && ../$(distdir)/configure --prefix="`cd ../install && pwd`" cd distcheck-tmp/build && $(MAKE) cd distcheck-tmp/build && $(MAKE) check cd distcheck-tmp/build && $(MAKE) install cd distcheck-tmp/build && $(MAKE) uninstall cd distcheck-tmp && find install -type f -print > leftover-install-files @test `cat distcheck-tmp/leftover-install-files | wc -l` -le 1 \ || { echo "ERROR: files left after uninstall:" ; \ cat distcheck-tmp/leftover-install-files ; \ exit 1; } chmod -R a-w distcheck-tmp/install mkdir distcheck-tmp/destdir destdir="`cd distcheck-tmp/destdir && pwd`" \ && cd distcheck-tmp/build \ && $(MAKE) install DESTDIR="$$destdir" \ && $(MAKE) uninstall DESTDIR="$$destdir" cd distcheck-tmp && find destdir -type f -print > leftover-destdir-files @test `cat distcheck-tmp/leftover-destdir-files | wc -l` -le 1 \ || { echo "ERROR: destdir files left after uninstall:" ; \ cat distcheck-tmp/leftover-destdir-files ; \ exit 1; } cd distcheck-tmp/build && $(MAKE) dist cd distcheck-tmp/build && rm *.gz cd distcheck-tmp/build && $(MAKE) distclean cd distcheck-tmp && find build -type f -print > leftover-build-files @test `cat distcheck-tmp/leftover-build-files | wc -l` -eq 0 \ || { echo "ERROR: files left in build directory after distclean:" ; \ cat distcheck-tmp/leftover-build-files ; \ exit 1; } $(rm_distcheck) clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ ecc-192.h ecc-224.h ecc-256.h ecc-384.h ecc-521.h ecc-25519.h \ eccdata$(EXEEXT_FOR_BUILD) eccdata.stamp -rm -rf .lib libnettle.stamp libhogweed.stamp distclean-here: clean-here -rm -f config.h stamp-h config.log config.status machine.m4 \ config.make config.m4 Makefile nettle-stdint.h version.h \ nettle.pc hogweed.pc libnettle.map libhogweed.map \ *.asm *.d maintainer-clean-here: -rm -f $(DOCTARGETS) *.dvi *.ps tags-here: etags -o $(srcdir)/TAGS $(srcdir)/*.c $(srcdir)/*.h DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) @DEP_INCLUDE@ $(DEP_FILES) nettle-3.4.1/ecc-224.c0000644000175000017500000000511113401564746013251 0ustar nissenisse/* ecc-224.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" #if HAVE_NATIVE_ecc_224_modp #define USE_REDC 0 #define ecc_224_modp nettle_ecc_224_modp void ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp); #else #define USE_REDC (ECC_REDC_SIZE != 0) #define ecc_224_modp ecc_mod #endif #include "ecc-224.h" #if ECC_REDC_SIZE < 0 # define ecc_224_redc ecc_pm1_redc #elif ECC_REDC_SIZE == 0 # define ecc_224_redc NULL #else # error Configuration error #endif const struct ecc_curve nettle_secp_224r1 = { { 224, ECC_LIMB_SIZE, ECC_BMODP_SIZE, -ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_redc_ppm1, ecc_pp1h, ecc_224_modp, USE_REDC ? ecc_224_redc : ecc_224_modp, ecc_mod_inv, NULL, }, { 224, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), ecc_add_jjj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_g, NULL, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_224r1(void) { return &nettle_secp_224r1; } nettle-3.4.1/base16-decode.c0000644000175000017500000000607413401564745014524 0ustar nissenisse/* base16-encode.c Hex decoding. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base16.h" void base16_decode_init(struct base16_decode_ctx *ctx) { ctx->word = ctx->bits = 0; } enum { HEX_INVALID = -1, HEX_SPACE=-2 }; static const signed char hex_decode_table[0x80] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base16_decode_single(struct base16_decode_ctx *ctx, uint8_t *dst, char src) { /* Avoid signed char for indexing. */ unsigned char usrc = src; int digit; if (usrc >= 0x80) return -1; digit = hex_decode_table[usrc]; switch (digit) { case -1: return -1; case -2: return 0; default: assert(digit >= 0); assert(digit < 0x10); if (ctx->bits) { *dst = (ctx->word << 4) | digit; ctx->bits = 0; return 1; } else { ctx->word = digit; ctx->bits = 4; return 0; } } } int base16_decode_update(struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src) { size_t done; size_t i; for (i = done = 0; ibits == 0; } nettle-3.4.1/rsa-pss-sha256-verify.c0000644000175000017500000000305613401564746016120 0ustar nissenisse/* rsa-pss-sha256-verify.c Verifying signatures created with RSA and SHA-256, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha256, salt_length, digest)); mpz_clear (m); return res; } nettle-3.4.1/sha256-meta.c0000644000175000017500000000223713401564745014153 0ustar nissenisse/* sha256-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha256 = _NETTLE_HASH(sha256, SHA256); nettle-3.4.1/ecc-point-mul.c0000644000175000017500000000322613401564746014673 0ustar nissenisse/* ecc-point-mul.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, const struct ecc_point *p) { const struct ecc_curve *ecc = r->ecc; mp_limb_t size = ecc->p.size; mp_size_t itch = 3*size + ecc->mul_itch; mp_limb_t *scratch = gmp_alloc_limbs (itch); assert (n->ecc == ecc); assert (p->ecc == ecc); ecc->mul (ecc, scratch, n->p, p->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); gmp_free_limbs (scratch, itch); } nettle-3.4.1/eddsa-verify.c0000644000175000017500000000661713401564746014610 0ustar nissenisse/* eddsa-verify.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-meta.h" /* Checks if x1/z1 == x2/z2 (mod p). Assumes z1 and z2 are non-zero. */ static int equal_h (const struct ecc_modulo *p, const mp_limb_t *x1, const mp_limb_t *z1, const mp_limb_t *x2, const mp_limb_t *z2, mp_limb_t *scratch) { #define t0 scratch #define t1 (scratch + p->size) ecc_mod_mul (p, t0, x1, z2); if (mpn_cmp (t0, p->m, p->size) >= 0) mpn_sub_n (t0, t0, p->m, p->size); ecc_mod_mul (p, t1, x2, z1); if (mpn_cmp (t1, p->m, p->size) >= 0) mpn_sub_n (t1, t1, p->m, p->size); return mpn_cmp (t0, t1, p->size) == 0; #undef t0 #undef t1 } mp_size_t _eddsa_verify_itch (const struct ecc_curve *ecc) { return 8*ecc->p.size + ecc->mul_itch; } int _eddsa_verify (const struct ecc_curve *ecc, const struct nettle_hash *H, const uint8_t *pub, const mp_limb_t *A, void *ctx, size_t length, const uint8_t *msg, const uint8_t *signature, mp_limb_t *scratch) { size_t nbytes; #define R scratch #define sp (scratch + 2*ecc->p.size) #define hp (scratch + 3*ecc->p.size) #define P (scratch + 5*ecc->p.size) #define scratch_out (scratch + 8*ecc->p.size) #define S R #define hash ((uint8_t *) P) nbytes = 1 + ecc->p.bit_size / 8; /* Could maybe save some storage by delaying the R and S operations, but it makes sense to check them for validity up front. */ if (!_eddsa_decompress (ecc, R, signature, R+2*ecc->p.size)) return 0; mpn_set_base256_le (sp, ecc->q.size, signature + nbytes, nbytes); /* Check that s < q */ if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0) return 0; H->init (ctx); H->update (ctx, nbytes, signature); H->update (ctx, nbytes, pub); H->update (ctx, length, msg); H->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, hp, hash); /* Compute h A + R - s G, which should be the neutral point */ ecc->mul (ecc, P, hp, A, scratch_out); ecc_add_eh (ecc, P, P, R, scratch_out); /* Move out of the way. */ mpn_copyi (hp, sp, ecc->q.size); ecc->mul_g (ecc, S, hp, scratch_out); return equal_h (&ecc->p, P, P + 2*ecc->p.size, S, S + 2*ecc->p.size, scratch_out) && equal_h (&ecc->p, P + ecc->p.size, P + 2*ecc->p.size, S + ecc->p.size, S + 2*ecc->p.size, scratch_out); #undef R #undef sp #undef hp #undef P #undef S } nettle-3.4.1/salsa20-set-nonce.c0000644000175000017500000000266213401564745015357 0ustar nissenisse/* salsa20-set-nonce.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce) { ctx->input[6] = LE_READ_UINT32(nonce + 0); ctx->input[7] = LE_READ_UINT32(nonce + 4); ctx->input[8] = 0; ctx->input[9] = 0; } nettle-3.4.1/gosthash94-meta.c0000644000175000017500000000231613401564745015136 0ustar nissenisse/* gosthash94-meta.c Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "gosthash94.h" const struct nettle_hash nettle_gosthash94 = _NETTLE_HASH(gosthash94, GOSTHASH94); nettle-3.4.1/ecc-ecdsa-verify.c0000644000175000017500000001034513401564746015330 0ustar nissenisse/* ecc-ecdsa-verify.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" /* Low-level ECDSA verify */ /* FIXME: Use mpn_zero_p. */ static int zero_p (const mp_limb_t *xp, mp_size_t n) { while (n > 0) if (xp[--n] > 0) return 0; return 1; } static int ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) { return !zero_p (xp, ecc->p.size) && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; } mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc->mul call. */ return 5*ecc->p.size + ecc->mul_itch; } /* FIXME: Use faster primitives, not requiring side-channel silence. */ int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch) { /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. 1. Check 0 < r, s < q. 2. s' <-- s^{-1} (mod q) 3. u1 <-- h * s' (mod q) 4. u2 <-- r * s' (mod q) 5. R = u1 G + u2 Y 6. Signature is valid if R_x = r (mod q). */ #define P2 scratch #define u1 (scratch + 3*ecc->p.size) #define u2 (scratch + 4*ecc->p.size) #define P1 (scratch + 4*ecc->p.size) #define sinv (scratch) #define hp (scratch + ecc->p.size) if (! (ecdsa_in_range (ecc, rp) && ecdsa_in_range (ecc, sp))) return 0; /* FIXME: Micro optimizations: Either simultaneous multiplication. Or convert to projective coordinates (can be done without division, I think), and write an ecc_add_ppp. */ /* Compute sinv */ ecc->q.invert (&ecc->q, sinv, sp, sinv + 2*ecc->p.size); /* u1 = h / s, P1 = u1 * G */ ecc_hash (&ecc->q, hp, length, digest); ecc_modq_mul (ecc, u1, hp, sinv); /* u2 = r / s, P2 = u2 * Y */ ecc_modq_mul (ecc, u2, rp, sinv); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); /* u = 0 can happen only if h = 0 or h = q, which is extremely unlikely. */ if (!zero_p (u1, ecc->p.size)) { /* Total storage: 7*ecc->p.size + ecc->mul_g_itch (ecc->p.size) */ ecc->mul_g (ecc, P1, u1, P1 + 3*ecc->p.size); /* NOTE: ecc_add_jjj and/or ecc_j_to_a will produce garbage in case u1 G = +/- u2 V. However, anyone who gets his or her hands on a signature where this happens during verification, can also get the private key as z = +/- u1 / u_2 (mod q). And then it doesn't matter very much if verification of signatures with that key succeeds or fails. u1 G = - u2 V can never happen for a correctly generated signature, since it implies k = 0. u1 G = u2 V is possible, if we are unlucky enough to get h / s_1 = z. Hitting that is about as unlikely as finding the private key by guessing. */ /* Total storage: 6*ecc->p.size + ecc->add_hhh_itch */ ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size); } /* x coordinate only, modulo q */ ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P2, ecc->p.size) == 0); #undef P2 #undef P1 #undef sinv #undef u2 #undef hp #undef u1 } nettle-3.4.1/macros.h0000644000175000017500000001621513401564746013512 0ustar nissenisse/* macros.h Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MACROS_H_INCLUDED #define NETTLE_MACROS_H_INCLUDED /* Reads a 64-bit integer, in network, big-endian, byte order */ #define READ_UINT64(p) \ ( (((uint64_t) (p)[0]) << 56) \ | (((uint64_t) (p)[1]) << 48) \ | (((uint64_t) (p)[2]) << 40) \ | (((uint64_t) (p)[3]) << 32) \ | (((uint64_t) (p)[4]) << 24) \ | (((uint64_t) (p)[5]) << 16) \ | (((uint64_t) (p)[6]) << 8) \ | ((uint64_t) (p)[7])) #define WRITE_UINT64(p, i) \ do { \ (p)[0] = ((i) >> 56) & 0xff; \ (p)[1] = ((i) >> 48) & 0xff; \ (p)[2] = ((i) >> 40) & 0xff; \ (p)[3] = ((i) >> 32) & 0xff; \ (p)[4] = ((i) >> 24) & 0xff; \ (p)[5] = ((i) >> 16) & 0xff; \ (p)[6] = ((i) >> 8) & 0xff; \ (p)[7] = (i) & 0xff; \ } while(0) /* Reads a 32-bit integer, in network, big-endian, byte order */ #define READ_UINT32(p) \ ( (((uint32_t) (p)[0]) << 24) \ | (((uint32_t) (p)[1]) << 16) \ | (((uint32_t) (p)[2]) << 8) \ | ((uint32_t) (p)[3])) #define WRITE_UINT32(p, i) \ do { \ (p)[0] = ((i) >> 24) & 0xff; \ (p)[1] = ((i) >> 16) & 0xff; \ (p)[2] = ((i) >> 8) & 0xff; \ (p)[3] = (i) & 0xff; \ } while(0) /* Analogous macros, for 24 and 16 bit numbers */ #define READ_UINT24(p) \ ( (((uint32_t) (p)[0]) << 16) \ | (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[2])) #define WRITE_UINT24(p, i) \ do { \ (p)[0] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[2] = (i) & 0xff; \ } while(0) #define READ_UINT16(p) \ ( (((uint32_t) (p)[0]) << 8) \ | ((uint32_t) (p)[1])) #define WRITE_UINT16(p, i) \ do { \ (p)[0] = ((i) >> 8) & 0xff; \ (p)[1] = (i) & 0xff; \ } while(0) /* And the other, little-endian, byteorder */ #define LE_READ_UINT64(p) \ ( (((uint64_t) (p)[7]) << 56) \ | (((uint64_t) (p)[6]) << 48) \ | (((uint64_t) (p)[5]) << 40) \ | (((uint64_t) (p)[4]) << 32) \ | (((uint64_t) (p)[3]) << 24) \ | (((uint64_t) (p)[2]) << 16) \ | (((uint64_t) (p)[1]) << 8) \ | ((uint64_t) (p)[0])) #define LE_WRITE_UINT64(p, i) \ do { \ (p)[7] = ((i) >> 56) & 0xff; \ (p)[6] = ((i) >> 48) & 0xff; \ (p)[5] = ((i) >> 40) & 0xff; \ (p)[4] = ((i) >> 32) & 0xff; \ (p)[3] = ((i) >> 24) & 0xff; \ (p)[2] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while (0) #define LE_READ_UINT32(p) \ ( (((uint32_t) (p)[3]) << 24) \ | (((uint32_t) (p)[2]) << 16) \ | (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[0])) #define LE_WRITE_UINT32(p, i) \ do { \ (p)[3] = ((i) >> 24) & 0xff; \ (p)[2] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while(0) /* Analogous macros, for 16 bit numbers */ #define LE_READ_UINT16(p) \ ( (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[0])) #define LE_WRITE_UINT16(p, i) \ do { \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while(0) /* Macro to make it easier to loop over several blocks. */ #define FOR_BLOCKS(length, dst, src, blocksize) \ assert( !((length) % (blocksize))); \ for (; (length); ((length) -= (blocksize), \ (dst) += (blocksize), \ (src) += (blocksize)) ) /* The masking of the right shift is needed to allow n == 0 (using just 32 - n and 64 - n results in undefined behaviour). Most uses of these macros use a constant and non-zero rotation count. */ #define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31)))) #define ROTL64(n,x) (((x)<<(n)) | ((x)>>((-(n))&63))) /* Requires that size > 0 */ #define INCREMENT(size, ctr) \ do { \ unsigned increment_i = (size) - 1; \ if (++(ctr)[increment_i] == 0) \ while (increment_i > 0 \ && ++(ctr)[--increment_i] == 0 ) \ ; \ } while (0) /* Helper macro for Merkle-Damgård hash functions. Assumes the context structs includes the following fields: uint8_t block[...]; // Buffer holding one block unsigned int index; // Index into block */ /* Currently used by sha512 (and sha384) only. */ #define MD_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low) /* Takes the compression function f as argument. NOTE: also clobbers length and data. */ #define MD_UPDATE(ctx, length, data, f, incr) \ do { \ if ((ctx)->index) \ { \ /* Try to fill partial block */ \ unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \ if ((length) < __md_left) \ { \ memcpy((ctx)->block + (ctx)->index, (data), (length)); \ (ctx)->index += (length); \ goto __md_done; /* Finished */ \ } \ else \ { \ memcpy((ctx)->block + (ctx)->index, (data), __md_left); \ \ f((ctx), (ctx)->block); \ (incr); \ \ (data) += __md_left; \ (length) -= __md_left; \ } \ } \ while ((length) >= sizeof((ctx)->block)) \ { \ f((ctx), (data)); \ (incr); \ \ (data) += sizeof((ctx)->block); \ (length) -= sizeof((ctx)->block); \ } \ memcpy ((ctx)->block, (data), (length)); \ (ctx)->index = (length); \ __md_done: \ ; \ } while (0) /* Pads the block to a block boundary with the bit pattern 1 0*, leaving size octets for the length field at the end. If needed, compresses the block and starts a new one. */ #define MD_PAD(ctx, size, f) \ do { \ unsigned __md_i; \ __md_i = (ctx)->index; \ \ /* Set the first char of padding to 0x80. This is safe since there \ is always at least one byte free */ \ \ assert(__md_i < sizeof((ctx)->block)); \ (ctx)->block[__md_i++] = 0x80; \ \ if (__md_i > (sizeof((ctx)->block) - (size))) \ { /* No room for length in this block. Process it and \ pad with another one */ \ memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \ \ f((ctx), (ctx)->block); \ __md_i = 0; \ } \ memset((ctx)->block + __md_i, 0, \ sizeof((ctx)->block) - (size) - __md_i); \ \ } while (0) #endif /* NETTLE_MACROS_H_INCLUDED */ nettle-3.4.1/rsa-internal.h0000644000175000017500000000506413401564746014625 0ustar nissenisse/* rsa-internal.h The RSA publickey algorithm. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RSA_INTERNAL_H_INCLUDED #define NETTLE_RSA_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "rsa.h" #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root #define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr #define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt #define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable /* side-channel silent root computation */ mp_size_t _rsa_sec_compute_root_itch(const struct rsa_private_key *key); void _rsa_sec_compute_root(const struct rsa_private_key *key, mp_limb_t *rp, const mp_limb_t *mp, mp_limb_t *scratch); /* Safe side-channel silent variant, using RSA blinding, and checking the * result after CRT. */ int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m, size_t mn); /* additional resistance to memory access side-channel attacks. * Note: message buffer is returned unchanged on error */ int _pkcs1_sec_decrypt (size_t length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message); int _pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message); #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */ nettle-3.4.1/rsa-blind.c0000644000175000017500000000361313401564746014072 0ustar nissenisse/* rsa-blind.c RSA blinding. Used for resistance to timing-attacks. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" /* Blinds the c, by computing c *= r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. */ void _rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t c, mpz_t ri) { mpz_t r; mpz_init(r); /* c = c*(r^e) * ri = r^(-1) */ do { nettle_mpz_random(r, random_ctx, random, pub->n); /* invert r */ } while (!mpz_invert (ri, r, pub->n)); /* c = c*(r^e) mod n */ mpz_powm_sec(r, r, pub->e, pub->n); mpz_mul(c, c, r); mpz_fdiv_r(c, c, pub->n); mpz_clear(r); } /* c *= ri mod n */ void _rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) { mpz_mul(c, c, ri); mpz_fdiv_r(c, c, pub->n); } nettle-3.4.1/pkcs1-encrypt.c0000644000175000017500000000431613401564745014722 0ustar nissenisse/* pkcs1-encrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pkcs1.h" #include "bignum.h" #include "gmp-glue.h" int pkcs1_encrypt (size_t key_size, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t m) { TMP_GMP_DECL(em, uint8_t); size_t padding; size_t i; /* The message is encoded as a string of the same length as the * modulo n, of the form * * 00 02 pad 00 message * * where padding should be at least 8 pseudorandomly generated * *non-zero* octets. */ if (length + 11 > key_size) /* Message too long for this key. */ return 0; /* At least 8 octets of random padding */ padding = key_size - length - 3; assert(padding >= 8); TMP_GMP_ALLOC(em, key_size - 1); em[0] = 2; random(random_ctx, padding, em + 1); /* Replace 0-octets with 1 */ for (i = 0; i * 100% Public Domain - no warranty * Released 1997.10.11 */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cast128.h" #include "cast128_sboxes.h" #include "macros.h" #define CAST_SMALL_KEY 10 #define S1 cast_sbox1 #define S2 cast_sbox2 #define S3 cast_sbox3 #define S4 cast_sbox4 #define S5 cast_sbox5 #define S6 cast_sbox6 #define S7 cast_sbox7 #define S8 cast_sbox8 /* Macros to access 8-bit bytes out of a 32-bit word */ #define B0(x) ( (uint8_t) (x>>24) ) #define B1(x) ( (uint8_t) ((x>>16)&0xff) ) #define B2(x) ( (uint8_t) ((x>>8)&0xff) ) #define B3(x) ( (uint8_t) ((x)&0xff) ) /* NOTE: Depends on ROTL32 supporting a zero shift count. */ /* CAST-128 uses three different round functions */ #define F1(l, r, i) do { \ t = ctx->Km[i] + r; \ t = ROTL32(ctx->Kr[i], t); \ l ^= ((S1[B0(t)] ^ S2[B1(t)]) - S3[B2(t)]) + S4[B3(t)]; \ } while (0) #define F2(l, r, i) do { \ t = ctx->Km[i] ^ r; \ t = ROTL32( ctx->Kr[i], t); \ l ^= ((S1[B0(t)] - S2[B1(t)]) + S3[B2(t)]) ^ S4[B3(t)]; \ } while (0) #define F3(l, r, i) do { \ t = ctx->Km[i] - r; \ t = ROTL32(ctx->Kr[i], t); \ l ^= ((S1[B0(t)] + S2[B1(t)]) ^ S3[B2(t)]) - S4[B3(t)]; \ } while (0) /***** Encryption Function *****/ void cast128_encrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) { uint32_t t, l, r; /* Get inblock into l,r */ l = READ_UINT32(src); r = READ_UINT32(src+4); /* Do the work */ F1(l, r, 0); F2(r, l, 1); F3(l, r, 2); F1(r, l, 3); F2(l, r, 4); F3(r, l, 5); F1(l, r, 6); F2(r, l, 7); F3(l, r, 8); F1(r, l, 9); F2(l, r, 10); F3(r, l, 11); /* Only do full 16 rounds if key length > 80 bits */ if (ctx->rounds & 16) { F1(l, r, 12); F2(r, l, 13); F3(l, r, 14); F1(r, l, 15); } /* Put l,r into outblock */ WRITE_UINT32(dst, r); WRITE_UINT32(dst + 4, l); } } /***** Decryption Function *****/ void cast128_decrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) { uint32_t t, l, r; /* Get inblock into l,r */ r = READ_UINT32(src); l = READ_UINT32(src+4); /* Do the work */ /* Only do full 16 rounds if key length > 80 bits */ if (ctx->rounds & 16) { F1(r, l, 15); F3(l, r, 14); F2(r, l, 13); F1(l, r, 12); } F3(r, l, 11); F2(l, r, 10); F1(r, l, 9); F3(l, r, 8); F2(r, l, 7); F1(l, r, 6); F3(r, l, 5); F2(l, r, 4); F1(r, l, 3); F3(l, r, 2); F2(r, l, 1); F1(l, r, 0); /* Put l,r into outblock */ WRITE_UINT32(dst, l); WRITE_UINT32(dst + 4, r); } } /***** Key Schedule *****/ #define SET_KM(i, k) ctx->Km[i] = (k) #define SET_KR(i, k) ctx->Kr[i] = (k) & 31 #define EXPAND(set, full) do { \ z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ \ set(0, S5[B0(z2)] ^ S6[B1(z2)] ^ S7[B3(z1)] ^ S8[B2(z1)] ^ S5[B2(z0)]); \ set(1, S5[B2(z2)] ^ S6[B3(z2)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S6[B2(z1)]); \ set(2, S5[B0(z3)] ^ S6[B1(z3)] ^ S7[B3(z0)] ^ S8[B2(z0)] ^ S7[B1(z2)]); \ set(3, S5[B2(z3)] ^ S6[B3(z3)] ^ S7[B1(z0)] ^ S8[B0(z0)] ^ S8[B0(z3)]); \ \ x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ \ set(4, S5[B3(x0)] ^ S6[B2(x0)] ^ S7[B0(x3)] ^ S8[B1(x3)] ^ S5[B0(x2)]); \ set(5, S5[B1(x0)] ^ S6[B0(x0)] ^ S7[B2(x3)] ^ S8[B3(x3)] ^ S6[B1(x3)]); \ set(6, S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B0(x2)] ^ S8[B1(x2)] ^ S7[B3(x0)]); \ set(7, S5[B1(x1)] ^ S6[B0(x1)] ^ S7[B2(x2)] ^ S8[B3(x2)] ^ S8[B3(x1)]); \ \ z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ \ set(8, S5[B3(z0)] ^ S6[B2(z0)] ^ S7[B0(z3)] ^ S8[B1(z3)] ^ S5[B1(z2)]); \ set(9, S5[B1(z0)] ^ S6[B0(z0)] ^ S7[B2(z3)] ^ S8[B3(z3)] ^ S6[B0(z3)]); \ set(10, S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B0(z2)] ^ S8[B1(z2)] ^ S7[B2(z0)]); \ set(11, S5[B1(z1)] ^ S6[B0(z1)] ^ S7[B2(z2)] ^ S8[B3(z2)] ^ S8[B2(z1)]); \ \ x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ if (full) \ { \ set(12, S5[B0(x2)] ^ S6[B1(x2)] ^ S7[B3(x1)] ^ S8[B2(x1)] ^ S5[B3(x0)]); \ set(13, S5[B2(x2)] ^ S6[B3(x2)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S6[B3(x1)]); \ set(14, S5[B0(x3)] ^ S6[B1(x3)] ^ S7[B3(x0)] ^ S8[B2(x0)] ^ S7[B0(x2)]); \ set(15, S5[B2(x3)] ^ S6[B3(x3)] ^ S7[B1(x0)] ^ S8[B0(x0)] ^ S8[B1(x3)]); \ } \ } while (0) void cast5_set_key(struct cast128_ctx *ctx, size_t length, const uint8_t *key) { uint32_t x0, x1, x2, x3, z0, z1, z2, z3; uint32_t w; int full; assert (length >= CAST5_MIN_KEY_SIZE); assert (length <= CAST5_MAX_KEY_SIZE); full = (length > CAST_SMALL_KEY); x0 = READ_UINT32 (key); /* Read final word, possibly zero-padded. */ switch (length & 3) { case 0: w = READ_UINT32 (key + length - 4); break; case 3: w = READ_UINT24 (key + length - 3) << 8; break; case 2: w = READ_UINT16 (key + length - 2) << 16; break; case 1: w = (uint32_t) key[length - 1] << 24; break; } if (length <= 8) { x1 = w; x2 = x3 = 0; } else { x1 = READ_UINT32 (key + 4); if (length <= 12) { x2 = w; x3 = 0; } else { x2 = READ_UINT32 (key + 8); x3 = w; } } EXPAND(SET_KM, full); EXPAND(SET_KR, full); ctx->rounds = full ? 16 : 12; } void cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key) { cast5_set_key (ctx, CAST128_KEY_SIZE, key); } nettle-3.4.1/realloc.c0000644000175000017500000000320513401564745013634 0ustar nissenisse/* realloc.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "realloc.h" /* NOTE: Calling libc realloc with size == 0 is not required to totally free the object, it is allowed to return a valid pointer. */ void * nettle_realloc(void *ctx UNUSED, void *p, size_t length) { if (length > 0) return realloc(p, length); free(p); return NULL; } void * nettle_xrealloc(void *ctx UNUSED, void *p, size_t length) { if (length > 0) { void *n = realloc(p, length); if (!n) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return n; } free(p); return NULL; } nettle-3.4.1/sparc32/0000755000175000017500000000000013401564746013325 5ustar nissenissenettle-3.4.1/sparc32/aes-decrypt-internal.asm0000644000175000017500000000670013401564746020064 0ustar nissenisseC sparc32/aes-decrypt-internal.asm ifelse(< Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Arguments define(,<%i0>) define(, <%i1>) define(, <%i2>) define(,<%i3>) define(, <%i4>) define(, <%i5>) C AES state, two copies for unrolling define(, <%l0>) define(, <%l1>) define(, <%l2>) define(, <%l3>) define(, <%l4>) define(, <%l5>) define(, <%l6>) define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C The sparc32 stack frame looks like C C %fp - 4: OS-dependent link field C %fp - 8: OS-dependent link field C %fp - 104: OS register save area. define(, 104) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_decrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(0, W0, W3, W2, W1, KEY, X0) AES_ROUND(1, W1, W0, W3, W2, KEY, X1) AES_ROUND(2, W2, W1, W0, W3, KEY, X2) AES_ROUND(3, W3, W2, W1, W0, KEY, X3) C Transform X -> W AES_ROUND(4, X0, X3, X2, X1, KEY, W0) AES_ROUND(5, X1, X0, X3, X2, KEY, W1) AES_ROUND(6, X2, X1, X0, X3, KEY, W2) AES_ROUND(7, X3, X2, X1, X0, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY C Penultimate round AES_ROUND(0, W0, W3, W2, W1, KEY, X0) AES_ROUND(1, W1, W0, W3, W2, KEY, X1) AES_ROUND(2, W2, W1, W0, W3, KEY, X2) AES_ROUND(3, W3, W2, W1, W0, KEY, X3) add KEY, 16, KEY C Final round AES_FINAL_ROUND(0, T, X0, X3, X2, X1, KEY, DST) AES_FINAL_ROUND(1, T, X1, X0, X3, X2, KEY, DST) AES_FINAL_ROUND(2, T, X2, X1, X0, X3, KEY, DST) AES_FINAL_ROUND(3, T, X3, X2, X1, X0, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_decrypt) nettle-3.4.1/sparc32/aes.m40000644000175000017500000000413013401564746014335 0ustar nissenisseC Used as temporaries by the AES macros define(, <%g1>) define(, <%g2>) define(, <%g3>) C Loop invariants used by AES_ROUND define(, <%o0>) define(, <%o1>) define(, <%o2>) define(, <%o3>) C AES_LOAD(i, src, key, res) define(, < ldub [$2 + 4*$1], $4 ldub [$2 + 4*$1 + 1], TMP1 ldub [$2 + 4*$1 + 2], TMP2 sll TMP1, 8, TMP1 or $4, TMP1, $4 ldub [$2 + 4*$1+3], TMP1 sll TMP2, 16, TMP2 or $4, TMP2, $4 sll TMP1, 24, TMP1 C Get subkey ld [$3 + 4*$1], TMP2 or $4, TMP1, $4 xor $4, TMP2, $4>)dnl C AES_ROUND(i, a, b, c, d, key, res) C Computes one word of the AES round C FIXME: Could use registers pointing directly to the four tables C FIXME: Needs better instruction scheduling, and perhaps more temporaries C Alternatively, we can use a single table and some rotations define(, < and $2, 0xff, TMP1 C 0 srl $3, 6, TMP2 C 1 sll TMP1, 2, TMP1 C 0 and TMP2, 0x3fc, TMP2 C 1 ld [T0 + TMP1], $7 C 0 E0 srl $4, 14, TMP1 C 2 ld [T1 + TMP2], TMP2 C 1 and TMP1, 0x3fc, TMP1 C 2 xor $7, TMP2, $7 C 1 E1 srl $5, 22, TMP2 C 3 ld [T2 + TMP1], TMP1 C 2 and TMP2, 0x3fc, TMP2 C 3 xor $7, TMP1, $7 C 2 E2 ld [$6 + 4*$1], TMP1 C 4 ld [T3 + TMP2], TMP2 C 3 xor $7, TMP1, $7 C 4 E4 xor $7, TMP2, $7 C 3 E3 >)dnl C AES_FINAL_ROUND(i, T, a, b, c, d, key, dst) C Compute one word in the final round function. Output is converted to C octets and stored at dst. Relies on AES_SBOX being zero. define(, < C Load subkey ld [$7 + 4*$1], TMP3 and $3, 0xff, TMP1 C 0 srl $4, 8, TMP2 C 1 ldub [T + TMP1], TMP1 C 0 and TMP2, 0xff, TMP2 C 1 xor TMP3, TMP1, TMP1 C 0 ldub [T + TMP2], TMP2 C 1 stb TMP1, [$8 + 4*$1] C 0 E0 srl $5, 16, TMP1 C 2 srl TMP3, 8, TMP3 C 1 and TMP1, 0xff, TMP1 C 2 xor TMP3, TMP2, TMP2 C 1 ldub [T + TMP1], TMP1 C 2 stb TMP2, [$8 + 4*$1 + 1] C 1 E1 srl $6, 24, TMP2 C 3 srl TMP3, 8, TMP3 C 2 ldub [T + TMP2], TMP2 C 3 xor TMP3, TMP1, TMP1 C 2 srl TMP3, 8, TMP3 C 3 stb TMP1, [$8 + 4*$1 + 2] C 2 E2 xor TMP3, TMP2, TMP2 C 3 stb TMP2, [$8 + 4*$1 + 3] C 3 E3 >) nettle-3.4.1/sparc32/machine.m40000644000175000017500000000000013401564746015161 0ustar nissenissenettle-3.4.1/sparc32/arcfour-crypt.asm0000644000175000017500000001152513401564746016633 0ustar nissenisseC sparc32/arcfour-crypt.asm ifelse(< Copyright (C) 2002, 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Define to YES, to enable the complex code to special case SRC C and DST with compatible alignment. define(, ) C Registers define(, <%i0>) define(,<%i1>) define(, <%i2>) define(, <%i3>) define(, <%i4>) define(, <%i5>) define(, <%g1>) define(, <%g2>) define(, <%g3>) define(, <%o0>) define(, <%o1>) define(, <%o2>) define(, <%o3>) C Computes the next byte of the key stream. As input, i must C already point to the index for the current access, the index C for the next access is stored in ni. The resulting key byte is C stored in res. C ARCFOUR_BYTE(i, ni, res) define(, < ldub [CTX + $1], SI add $1, 1, $2 add J, SI, J and J, 0xff, J ldub [CTX + J], SJ and $2, 0xff, $2 stb SI, [CTX + J] add SI, SJ, SI and SI, 0xff, SI stb SJ, [CTX + $1] ldub [CTX + SI], $3 >)dnl C FIXME: Consider using the callers window define(, 104) .file "arcfour-crypt.asm" C arcfour_crypt(struct arcfour_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(nettle_arcfour_crypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend nop C Load both I and J lduh [CTX + ARCFOUR_I], I1 and I1, 0xff, J srl I1, 8, I1 C We want an even address for DST andcc DST, 1, %g0 add I1, 1 ,I1 beq .Laligned2 and I1, 0xff, I1 mov I1, I2 ldub [SRC], DATA ARCFOUR_BYTE(I2, I1, TMP) subcc LENGTH, 1, LENGTH add SRC, 1, SRC xor DATA, TMP, DATA stb DATA, [DST] beq .Ldone add DST, 1, DST .Laligned2: cmp LENGTH, 2 blu .Lfinal1 C Harmless delay slot instruction andcc DST, 2, %g0 beq .Laligned4 nop ldub [SRC], DATA ARCFOUR_BYTE(I1, I2, TMP) ldub [SRC + 1], TMP2 add SRC, 2, SRC xor DATA, TMP, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP subcc LENGTH, 2, LENGTH or DATA, TMP, DATA sth DATA, [DST] beq .Ldone add DST, 2, DST .Laligned4: cmp LENGTH, 4 blu .Lfinal2 C Harmless delay slot instruction srl LENGTH, 2, N .Loop: C Main loop, with aligned writes C FIXME: Could check if SRC is aligned, and C use 32-bit reads in that case. ldub [SRC], DATA ARCFOUR_BYTE(I1, I2, TMP) ldub [SRC + 1], TMP2 xor TMP, DATA, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP ldub [SRC + 2], TMP2 or TMP, DATA, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I1, I2, TMP) xor TMP2, TMP, TMP ldub [SRC + 3], TMP2 or TMP, DATA, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP or TMP, DATA, DATA subcc N, 1, N add SRC, 4, SRC st DATA, [DST] bne .Loop add DST, 4, DST andcc LENGTH, 3, LENGTH beq .Ldone nop .Lfinal2: C DST address must be 2-aligned cmp LENGTH, 2 blu .Lfinal1 nop ldub [SRC], DATA ARCFOUR_BYTE(I1, I2, TMP) ldub [SRC + 1], TMP2 add SRC, 2, SRC xor DATA, TMP, DATA sll DATA, 8, DATA ARCFOUR_BYTE(I2, I1, TMP) xor TMP2, TMP, TMP or DATA, TMP, DATA sth DATA, [DST] beq .Ldone add DST, 2, DST .Lfinal1: mov I1, I2 ldub [SRC], DATA ARCFOUR_BYTE(I2, I1, TMP) xor DATA, TMP, DATA stb DATA, [DST] .Ldone: C Save back I and J sll I2, 8, I2 or I2, J, I2 stuh I2, [CTX + ARCFOUR_I] .Lend: ret restore EPILOGUE(nettle_arcfour_crypt) C Some stats from adriana.lysator.liu.se (SS1000E, 85 MHz), for AES 128 C 1: nettle-1.13 C-code C 2: First working version of the assembler code C 3: Moved load of source byte C 4: Better instruction scheduling C 5: Special case SRC and DST with compatible alignment C 6: After bugfix (reorder of ld [CTX+SI+SJ] and st [CTX + SI]) C 7: Unrolled only twice, with byte-accesses C 8: Unrolled, using 8-bit reads and aligned 32-bit writes. C MB/s cycles/byte Code size (bytes) C 1: 6.6 12.4 132 C 2: 5.6 14.5 116 C 3: 6.0 13.5 116 C 4: 6.5 12.4 116 C 5: 7.9 10.4 496 C 6: 8.3 9.7 496 C 7: 6.7 12.1 268 C 8: 8.3 9.8 768 nettle-3.4.1/sparc32/aes-encrypt-internal.asm0000644000175000017500000001030013401564746020065 0ustar nissenisseC sparc32/aes-encrypt-internal.asm ifelse(< Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Arguments define(,<%i0>) define(, <%i1>) define(, <%i2>) define(,<%i3>) define(, <%i4>) define(, <%i5>) C AES state, two copies for unrolling define(, <%l0>) define(, <%l1>) define(, <%l2>) define(, <%l3>) define(, <%l4>) define(, <%l5>) define(, <%l6>) define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C I'm still slightly confused by the frame layout, specified in C "SYSTEM V APPLICATION BINARY INTERFACE SPARC Processor Supplement". C However, Sun's cc generates a 104 byte stack frame for a function C with no local variables, so that should be good enough for us too. C The sparc32 stack frame looks like C C %fp - 4: OS-dependent link field C %fp - 8: OS-dependent link field C %fp - 104: OS register save area define(, 104) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_encrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) C Transform X -> W AES_ROUND(4, X0, X1, X2, X3, KEY, W0) AES_ROUND(5, X1, X2, X3, X0, KEY, W1) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY C Penultimate round AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) add KEY, 16, KEY C Final round AES_FINAL_ROUND(0, T, X0, X1, X2, X3, KEY, DST) AES_FINAL_ROUND(1, T, X1, X2, X3, X0, KEY, DST) AES_FINAL_ROUND(2, T, X2, X3, X0, X1, KEY, DST) AES_FINAL_ROUND(3, T, X3, X0, X1, X2, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_encrypt) C Some stats from adriana.lysator.liu.se (SS1000$, 85 MHz), for AES 128 C 1: nettle-1.13 C-code C 2: nettle-1.13 assembler C 3: New C-code C 4: New assembler, first correct version C 5: New assembler, with basic scheduling of AES_ROUND. C 6: New assembpler, with loop invariants T0-T3. C 7: New assembler, with basic scheduling also of AES_FINAL_ROUND. C MB/s cycles/block Code size (bytes) C 1 1.2 1107 592 C 2 2.3 572 1032 C 3 2.1 627 C 4 1.8 722 C 5 2.6 496 C 6 3.0 437 C 7 3.1 415 1448 nettle-3.4.1/gcm-camellia256-meta.c0000644000175000017500000000354113401564745015712 0ustar nissenisse/* gcm-camellia256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_camellia256_set_nonce_wrapper; static void gcm_camellia256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_camellia256_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_camellia256 = { "gcm_camellia256", sizeof(struct gcm_camellia256_ctx), GCM_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_camellia256_set_key, (nettle_set_key_func *) gcm_camellia256_set_key, gcm_camellia256_set_nonce_wrapper, (nettle_hash_update_func *) gcm_camellia256_update, (nettle_crypt_func *) gcm_camellia256_encrypt, (nettle_crypt_func *) gcm_camellia256_decrypt, (nettle_hash_digest_func *) gcm_camellia256_digest, }; nettle-3.4.1/sha512-224-meta.c0000644000175000017500000000261313401564745014451 0ustar nissenisse/* sha512-224-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512_224 = { "sha512-224", sizeof(struct sha512_ctx), SHA512_224_DIGEST_SIZE, SHA512_224_BLOCK_SIZE, (nettle_hash_init_func *) sha512_224_init, (nettle_hash_update_func *) sha512_224_update, (nettle_hash_digest_func *) sha512_224_digest }; nettle-3.4.1/dsa-compat-keygen.c0000644000175000017500000000425613401564746015533 0ustar nissenisse/* dsa-compat-keygen.c Generation of DSA keypairs Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa-compat.h" #include "bignum.h" /* Undo name mangling */ #undef dsa_generate_keypair #define dsa_generate_keypair nettle_dsa_generate_keypair /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). */ int dsa_compat_generate_keypair(struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits) { struct dsa_params *params; switch (q_bits) { case 160: if (p_bits < DSA_SHA1_MIN_P_BITS) return 0; break; case 224: case 256: if (p_bits < DSA_SHA256_MIN_P_BITS) return 0; break; default: return 0; } /* NOTE: Depends on identical layout! */ params = (struct dsa_params *) pub; if (!dsa_generate_params (params, random_ctx, random, progress_ctx, progress, p_bits, q_bits)) return 0; dsa_generate_keypair (params, pub->y, key->x, random_ctx, random); return 1; } nettle-3.4.1/hmac.h0000644000175000017500000001324213401564746013133 0ustar nissenisse/* hmac.h HMAC message authentication code (RFC-2104). Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HMAC_H_INCLUDED #define NETTLE_HMAC_H_INCLUDED #include "nettle-meta.h" #include "md5.h" #include "ripemd160.h" #include "sha1.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define hmac_set_key nettle_hmac_set_key #define hmac_update nettle_hmac_update #define hmac_digest nettle_hmac_digest #define hmac_md5_set_key nettle_hmac_md5_set_key #define hmac_md5_update nettle_hmac_md5_update #define hmac_md5_digest nettle_hmac_md5_digest #define hmac_ripemd160_set_key nettle_hmac_ripemd160_set_key #define hmac_ripemd160_update nettle_hmac_ripemd160_update #define hmac_ripemd160_digest nettle_hmac_ripemd160_digest #define hmac_sha1_set_key nettle_hmac_sha1_set_key #define hmac_sha1_update nettle_hmac_sha1_update #define hmac_sha1_digest nettle_hmac_sha1_digest #define hmac_sha224_set_key nettle_hmac_sha224_set_key #define hmac_sha224_digest nettle_hmac_sha224_digest #define hmac_sha256_set_key nettle_hmac_sha256_set_key #define hmac_sha256_update nettle_hmac_sha256_update #define hmac_sha256_digest nettle_hmac_sha256_digest #define hmac_sha384_set_key nettle_hmac_sha384_set_key #define hmac_sha384_digest nettle_hmac_sha384_digest #define hmac_sha512_set_key nettle_hmac_sha512_set_key #define hmac_sha512_update nettle_hmac_sha512_update #define hmac_sha512_digest nettle_hmac_sha512_digest void hmac_set_key(void *outer, void *inner, void *state, const struct nettle_hash *hash, size_t length, const uint8_t *key); /* This function is not strictly needed, it's s just the same as the * hash update function. */ void hmac_update(void *state, const struct nettle_hash *hash, size_t length, const uint8_t *data); void hmac_digest(const void *outer, const void *inner, void *state, const struct nettle_hash *hash, size_t length, uint8_t *digest); #define HMAC_CTX(type) \ { type outer; type inner; type state; } #define HMAC_SET_KEY(ctx, hash, length, key) \ hmac_set_key( &(ctx)->outer, &(ctx)->inner, &(ctx)->state, \ (hash), (length), (key) ) #define HMAC_DIGEST(ctx, hash, length, digest) \ hmac_digest( &(ctx)->outer, &(ctx)->inner, &(ctx)->state, \ (hash), (length), (digest) ) /* HMAC using specific hash functions */ /* hmac-md5 */ struct hmac_md5_ctx HMAC_CTX(struct md5_ctx); void hmac_md5_set_key(struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_md5_update(struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data); void hmac_md5_digest(struct hmac_md5_ctx *ctx, size_t length, uint8_t *digest); /* hmac-ripemd160 */ struct hmac_ripemd160_ctx HMAC_CTX(struct ripemd160_ctx); void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data); void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha1 */ struct hmac_sha1_ctx HMAC_CTX(struct sha1_ctx); void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha256 */ struct hmac_sha256_ctx HMAC_CTX(struct sha256_ctx); void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha256_update(struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha224 */ #define hmac_sha224_ctx hmac_sha256_ctx void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_sha224_update nettle_hmac_sha256_update void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha512 */ struct hmac_sha512_ctx HMAC_CTX(struct sha512_ctx); void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha512_update(struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha384 */ #define hmac_sha384_ctx hmac_sha512_ctx void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_sha384_update nettle_hmac_sha512_update void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_HMAC_H_INCLUDED */ nettle-3.4.1/eddsa.h0000644000175000017500000000766113401564746013313 0ustar nissenisse/* eddsa.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EDDSA_H #define NETTLE_EDDSA_H #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ed25519_sha512_set_private_key nettle_ed25519_sha512_set_private_key #define ed25519_sha512_public_key nettle_ed25519_sha512_public_key #define ed25519_sha512_sign nettle_ed25519_sha512_sign #define ed25519_sha512_verify nettle_ed25519_sha512_verify #define _eddsa_compress _nettle_eddsa_compress #define _eddsa_compress_itch _nettle_eddsa_compress_itch #define _eddsa_decompress _nettle_eddsa_decompress #define _eddsa_decompress_itch _nettle_eddsa_decompress_itch #define _eddsa_hash _nettle_eddsa_hash #define _eddsa_expand_key _nettle_eddsa_expand_key #define _eddsa_sign _nettle_eddsa_sign #define _eddsa_sign_itch _nettle_eddsa_sign_itch #define _eddsa_verify _nettle_eddsa_verify #define _eddsa_verify_itch _nettle_eddsa_verify_itch #define _eddsa_public_key_itch _nettle_eddsa_public_key_itch #define _eddsa_public_key _nettle_eddsa_public_key #define ED25519_KEY_SIZE 32 #define ED25519_SIGNATURE_SIZE 64 void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv); void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); /* Low-level internal functions */ struct ecc_curve; struct ecc_modulo; mp_size_t _eddsa_compress_itch (const struct ecc_curve *ecc); void _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, mp_limb_t *scratch); mp_size_t _eddsa_decompress_itch (const struct ecc_curve *ecc); int _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, const uint8_t *cp, mp_limb_t *scratch); void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, const uint8_t *digest); mp_size_t _eddsa_sign_itch (const struct ecc_curve *ecc); void _eddsa_sign (const struct ecc_curve *ecc, const struct nettle_hash *H, const uint8_t *pub, void *ctx, const mp_limb_t *k2, size_t length, const uint8_t *msg, uint8_t *signature, mp_limb_t *scratch); mp_size_t _eddsa_verify_itch (const struct ecc_curve *ecc); int _eddsa_verify (const struct ecc_curve *ecc, const struct nettle_hash *H, const uint8_t *pub, const mp_limb_t *A, void *ctx, size_t length, const uint8_t *msg, const uint8_t *signature, mp_limb_t *scratch); void _eddsa_expand_key (const struct ecc_curve *ecc, const struct nettle_hash *H, void *ctx, const uint8_t *key, uint8_t *digest, mp_limb_t *k2); mp_size_t _eddsa_public_key_itch (const struct ecc_curve *ecc); void _eddsa_public_key (const struct ecc_curve *ecc, const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch); #ifdef __cplusplus } #endif #endif /* NETTLE_EDDSA_H */ nettle-3.4.1/md5-compat.h0000644000175000017500000000306113401564746014167 0ustar nissenisse/* md5-compat.h The md5 hash function, RFC 1321-style interface. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD5_COMPAT_H_INCLUDED #define NETTLE_MD5_COMPAT_H_INCLUDED #include "md5.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define MD5Init nettle_MD5Init #define MD5Update nettle_MD5Update #define MD5Final nettle_MD5Final typedef struct md5_ctx MD5_CTX; void MD5Init(MD5_CTX *ctx); void MD5Update(MD5_CTX *ctx, const unsigned char *data, unsigned int length); void MD5Final(unsigned char *out, MD5_CTX *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_MD5_COMPAT_H_INCLUDED */ nettle-3.4.1/chacha-poly1305.c0000644000175000017500000001013713401564745014716 0ustar nissenisse/* chacha-poly1305.c AEAD mechanism based on chacha and poly1305. Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This implements chacha-poly1305 according to draft-irtf-cfrg-chacha20-poly1305-08. The inputs to poly1305 are: associated data zero padding ciphertext zero padding length of associated data (64-bit, little endian) length of ciphertext (64-bit, little endian) where the padding fields are 0-15 zero bytes, filling up to a 16-byte boundary. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha-poly1305.h" #include "macros.h" #define CHACHA_ROUNDS 20 /* FIXME: Also set nonce to zero, and implement nonce auto-increment? */ void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key) { chacha_set_key (&ctx->chacha, key); } void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce) { union { uint32_t x[_CHACHA_STATE_LENGTH]; uint8_t subkey[32]; } u; chacha_set_nonce96 (&ctx->chacha, nonce); /* Generate authentication key */ _chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS); poly1305_set_key (&ctx->poly1305, u.subkey); /* For final poly1305 processing */ memcpy (ctx->s.b, u.subkey + 16, 16); /* Increment block count */ ctx->chacha.state[12] = 1; ctx->auth_size = ctx->data_size = ctx->index = 0; } /* FIXME: Duplicated in poly1305-aes128.c */ #define COMPRESS(ctx, data) _poly1305_block(&(ctx)->poly1305, (data), 1) static void poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, (void) 0); } static void poly1305_pad (struct chacha_poly1305_ctx *ctx) { if (ctx->index) { memset (ctx->block + ctx->index, 0, POLY1305_BLOCK_SIZE - ctx->index); _poly1305_block(&ctx->poly1305, ctx->block, 1); ctx->index = 0; } } void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data) { assert (ctx->data_size == 0); poly1305_update (ctx, length, data); ctx->auth_size += length; } void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); poly1305_pad (ctx); chacha_crypt (&ctx->chacha, length, dst, src); poly1305_update (ctx, length, dst); ctx->data_size += length; } void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); poly1305_pad (ctx); poly1305_update (ctx, length, src); chacha_crypt (&ctx->chacha, length, dst, src); ctx->data_size += length; } void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *digest) { uint8_t buf[16]; poly1305_pad (ctx); LE_WRITE_UINT64 (buf, ctx->auth_size); LE_WRITE_UINT64 (buf + 8, ctx->data_size); _poly1305_block (&ctx->poly1305, buf, 1); poly1305_digest (&ctx->poly1305, &ctx->s); memcpy (digest, &ctx->s.b, length); } nettle-3.4.1/README0000644000175000017500000000433313401564746012733 0ustar nissenisseWhat is GNU Nettle? A quote from the introduction in the Nettle Manual: Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a simple but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. GNU Nettle is free software; you can redistribute it and/or modify it under the terms contained in the files COPYING* (see the manual for information on how these licenses apply). If you have downloaded a Nettle release, build it with the usual ./configure && make && make check && make install (see the INSTALL file for further instructions). You can also get Nettle from git, see http://www.lysator.liu.se/~nisse/nettle/ for current instructions. In particular, you need to run the ./.bootstrap script after checkout and before running ./configure. Read the manual. Mail me if you have any questions or suggestions. You may want to subscribe to the nettle-bugs mailing list. See . See CONTRIBUTING.md for information on contibuting patches. Happy hacking, /Niels Möller nettle-3.4.1/sha256.c0000644000175000017500000001054513401564745013230 0ustar nissenisse/* sha256.c The sha256 hash function. See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Modelled after the sha1.c code by Peter Gutmann. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha2.h" #include "macros.h" #include "nettle-write.h" /* Generated by the shadata program. */ static const uint32_t K[64] = { 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, }; #define COMPRESS(ctx, data) (_nettle_sha256_compress((ctx)->state, (data), K)) /* Initialize the SHA values */ void sha256_init(struct sha256_ctx *ctx) { /* Initial values, also generated by the shadata program. */ static const uint32_t H0[_SHA256_DIGEST_LENGTH] = { 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } void sha256_update(struct sha256_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++); } static void sha256_write_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= SHA256_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count); COMPRESS(ctx, ctx->block); _nettle_write_be32(length, digest, ctx->state); } void sha256_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest) { sha256_write_digest(ctx, length, digest); sha256_init(ctx); } /* sha224 variant. */ void sha224_init(struct sha256_ctx *ctx) { /* Initial values. Low 32 bits of the initial values for sha384. */ static const uint32_t H0[_SHA256_DIGEST_LENGTH] = { 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } void sha224_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest) { sha256_write_digest(ctx, length, digest); sha224_init(ctx); } nettle-3.4.1/md5-compress.c0000644000175000017500000001357613401564745014545 0ustar nissenisse/* md5-compress.c The compression function for the md5 hash function. Copyright (C) 2001, 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on public domain code hacked by Colin Plumb, Andrew Kuchling, and * Niels Möller. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef MD5_DEBUG # define MD5_DEBUG 0 #endif #if MD5_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8x %8x %8x %8x\n", i, a, b, c, d) #else # define DEBUG(i) #endif #include #include #include #include "md5.h" #include "macros.h" /* A block, treated as a sequence of 32-bit words. */ #define MD5_DATA_LENGTH 16 /* MD5 functions */ #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) #define F2(x, y, z) F1((z), (x), (y)) #define F3(x, y, z) ((x) ^ (y) ^ (z)) #define F4(x, y, z) ((y) ^ ((x) | ~(z))) #define ROUND(f, w, x, y, z, data, s) \ ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) /* Perform the MD5 transformation on one full block of 16 32-bit * words. * * Compresses 20 (_MD5_DIGEST_LENGTH + MD5_DATA_LENGTH) words into 4 * (_MD5_DIGEST_LENGTH) words. */ void _nettle_md5_compress(uint32_t *digest, const uint8_t *input) { uint32_t data[MD5_DATA_LENGTH]; uint32_t a, b, c, d; unsigned i; for (i = 0; i < MD5_DATA_LENGTH; i++, input += 4) data[i] = LE_READ_UINT32(input); a = digest[0]; b = digest[1]; c = digest[2]; d = digest[3]; DEBUG(-1); ROUND(F1, a, b, c, d, data[ 0] + 0xd76aa478, 7); DEBUG(0); ROUND(F1, d, a, b, c, data[ 1] + 0xe8c7b756, 12); DEBUG(1); ROUND(F1, c, d, a, b, data[ 2] + 0x242070db, 17); ROUND(F1, b, c, d, a, data[ 3] + 0xc1bdceee, 22); ROUND(F1, a, b, c, d, data[ 4] + 0xf57c0faf, 7); ROUND(F1, d, a, b, c, data[ 5] + 0x4787c62a, 12); ROUND(F1, c, d, a, b, data[ 6] + 0xa8304613, 17); ROUND(F1, b, c, d, a, data[ 7] + 0xfd469501, 22); ROUND(F1, a, b, c, d, data[ 8] + 0x698098d8, 7); ROUND(F1, d, a, b, c, data[ 9] + 0x8b44f7af, 12); ROUND(F1, c, d, a, b, data[10] + 0xffff5bb1, 17); ROUND(F1, b, c, d, a, data[11] + 0x895cd7be, 22); ROUND(F1, a, b, c, d, data[12] + 0x6b901122, 7); ROUND(F1, d, a, b, c, data[13] + 0xfd987193, 12); ROUND(F1, c, d, a, b, data[14] + 0xa679438e, 17); ROUND(F1, b, c, d, a, data[15] + 0x49b40821, 22); DEBUG(15); ROUND(F2, a, b, c, d, data[ 1] + 0xf61e2562, 5); DEBUG(16); ROUND(F2, d, a, b, c, data[ 6] + 0xc040b340, 9); DEBUG(17); ROUND(F2, c, d, a, b, data[11] + 0x265e5a51, 14); ROUND(F2, b, c, d, a, data[ 0] + 0xe9b6c7aa, 20); ROUND(F2, a, b, c, d, data[ 5] + 0xd62f105d, 5); ROUND(F2, d, a, b, c, data[10] + 0x02441453, 9); ROUND(F2, c, d, a, b, data[15] + 0xd8a1e681, 14); ROUND(F2, b, c, d, a, data[ 4] + 0xe7d3fbc8, 20); ROUND(F2, a, b, c, d, data[ 9] + 0x21e1cde6, 5); ROUND(F2, d, a, b, c, data[14] + 0xc33707d6, 9); ROUND(F2, c, d, a, b, data[ 3] + 0xf4d50d87, 14); ROUND(F2, b, c, d, a, data[ 8] + 0x455a14ed, 20); ROUND(F2, a, b, c, d, data[13] + 0xa9e3e905, 5); ROUND(F2, d, a, b, c, data[ 2] + 0xfcefa3f8, 9); ROUND(F2, c, d, a, b, data[ 7] + 0x676f02d9, 14); ROUND(F2, b, c, d, a, data[12] + 0x8d2a4c8a, 20); DEBUG(31); ROUND(F3, a, b, c, d, data[ 5] + 0xfffa3942, 4); DEBUG(32); ROUND(F3, d, a, b, c, data[ 8] + 0x8771f681, 11); DEBUG(33); ROUND(F3, c, d, a, b, data[11] + 0x6d9d6122, 16); ROUND(F3, b, c, d, a, data[14] + 0xfde5380c, 23); ROUND(F3, a, b, c, d, data[ 1] + 0xa4beea44, 4); ROUND(F3, d, a, b, c, data[ 4] + 0x4bdecfa9, 11); ROUND(F3, c, d, a, b, data[ 7] + 0xf6bb4b60, 16); ROUND(F3, b, c, d, a, data[10] + 0xbebfbc70, 23); ROUND(F3, a, b, c, d, data[13] + 0x289b7ec6, 4); ROUND(F3, d, a, b, c, data[ 0] + 0xeaa127fa, 11); ROUND(F3, c, d, a, b, data[ 3] + 0xd4ef3085, 16); ROUND(F3, b, c, d, a, data[ 6] + 0x04881d05, 23); ROUND(F3, a, b, c, d, data[ 9] + 0xd9d4d039, 4); ROUND(F3, d, a, b, c, data[12] + 0xe6db99e5, 11); ROUND(F3, c, d, a, b, data[15] + 0x1fa27cf8, 16); ROUND(F3, b, c, d, a, data[ 2] + 0xc4ac5665, 23); DEBUG(47); ROUND(F4, a, b, c, d, data[ 0] + 0xf4292244, 6); DEBUG(48); ROUND(F4, d, a, b, c, data[ 7] + 0x432aff97, 10); DEBUG(49); ROUND(F4, c, d, a, b, data[14] + 0xab9423a7, 15); ROUND(F4, b, c, d, a, data[ 5] + 0xfc93a039, 21); ROUND(F4, a, b, c, d, data[12] + 0x655b59c3, 6); ROUND(F4, d, a, b, c, data[ 3] + 0x8f0ccc92, 10); ROUND(F4, c, d, a, b, data[10] + 0xffeff47d, 15); ROUND(F4, b, c, d, a, data[ 1] + 0x85845dd1, 21); ROUND(F4, a, b, c, d, data[ 8] + 0x6fa87e4f, 6); ROUND(F4, d, a, b, c, data[15] + 0xfe2ce6e0, 10); ROUND(F4, c, d, a, b, data[ 6] + 0xa3014314, 15); ROUND(F4, b, c, d, a, data[13] + 0x4e0811a1, 21); ROUND(F4, a, b, c, d, data[ 4] + 0xf7537e82, 6); ROUND(F4, d, a, b, c, data[11] + 0xbd3af235, 10); ROUND(F4, c, d, a, b, data[ 2] + 0x2ad7d2bb, 15); ROUND(F4, b, c, d, a, data[ 9] + 0xeb86d391, 21); DEBUG(63); digest[0] += a; digest[1] += b; digest[2] += c; digest[3] += d; #if MD5_DEBUG fprintf(stderr, "99: %8x %8x %8x %8x\n", digest[0], digest[1], digest[2], digest[3]); #endif } nettle-3.4.1/der2rsa.c0000644000175000017500000000740413401564746013563 0ustar nissenisse/* der2rsa.c Decoding of keys in PKCS#1 format. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" #include "asn1.h" #define GET(i, x, l) \ (asn1_der_iterator_next((i)) == ASN1_ITERATOR_PRIMITIVE \ && (i)->type == ASN1_INTEGER \ && asn1_der_get_bignum((i), (x), (l)) \ && mpz_sgn((x)) > 0) int rsa_public_key_from_der_iterator(struct rsa_public_key *pub, unsigned limit, struct asn1_der_iterator *i) { /* RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicExponent INTEGER -- e } */ return (i->type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && asn1_der_get_bignum(i, pub->n, limit) && mpz_sgn(pub->n) > 0 && GET(i, pub->e, limit) && asn1_der_iterator_next(i) == ASN1_ITERATOR_END && rsa_public_key_prepare(pub)); } int rsa_private_key_from_der_iterator(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct asn1_der_iterator *i) { /* RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL } */ uint32_t version; if (i->type != ASN1_SEQUENCE) return 0; if (asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && i->type == ASN1_INTEGER && asn1_der_get_uint32(i, &version) && version <= 1 && GET(i, pub->n, limit) && GET(i, pub->e, limit) && rsa_public_key_prepare(pub) && GET(i, priv->d, limit) && GET(i, priv->p, limit) && GET(i, priv->q, limit) && GET(i, priv->a, limit) && GET(i, priv->b, limit) && GET(i, priv->c, limit) && rsa_private_key_prepare(priv)) { if (version == 1) { /* otherPrimeInfos must be present. We ignore the contents */ if (!(asn1_der_iterator_next(i) == ASN1_ITERATOR_CONSTRUCTED && i->type == ASN1_SEQUENCE)) return 0; } return (asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } return 0; } int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; res = asn1_der_iterator_first(&i, length, data); if (res != ASN1_ITERATOR_CONSTRUCTED) return 0; if (priv) return rsa_private_key_from_der_iterator(pub, priv, limit, &i); else return rsa_public_key_from_der_iterator(pub, limit, &i); } nettle-3.4.1/ecc-add-jja.c0000644000175000017500000000663613401564746014251 0ustar nissenisse/* ecc-add-jj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* NOTE: Behaviour for corner cases: + p = 0 ==> r = 0 (invalid except if also q = 0) + q = 0 ==> r = invalid + p = -q ==> r = 0, correct! + p = q ==> r = 0, invalid */ void ecc_add_jja (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): Computation Operation Live variables ZZ = Z_1^2 sqr ZZ H = X_2*ZZ - X_1 mul (djb: U_2) ZZ, H HH = H^2 sqr ZZ, H, HH ZZZ = ZZ*Z_1 mul ZZ, H, HH, ZZZ Z_3 = (Z_1+H)^2-ZZ-HH sqr H, HH, ZZZ W = 2 (Y_2*ZZZ - Y_1) mul (djb: S_2) H, HH, W I = 4*HH H, W, I J = H*I mul W, I, J V = X_1*I mul W, J, V X_3 = W^2-J-2*V sqr W, J, V Y_3 = W*(V-X_3)-2*Y_1*J mul, mul */ #define zz scratch #define h (scratch + ecc->p.size) #define hh (scratch + 2*ecc->p.size) #define w (scratch + 3*ecc->p.size) #define j (scratch + 4*ecc->p.size) #define v scratch #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) /* zz */ ecc_modp_sqr (ecc, zz, z1); /* h*/ ecc_modp_mul (ecc, h, x2, zz); ecc_modp_sub (ecc, h, h, x1); /* hh */ ecc_modp_sqr (ecc, hh, h); /* Do z^3 early, store at w. */ ecc_modp_mul (ecc, w, zz, z1); /* z_3, use j area for scratch */ ecc_modp_add (ecc, r + 2*ecc->p.size, p + 2*ecc->p.size, h); ecc_modp_sqr (ecc, j, r + 2*ecc->p.size); ecc_modp_sub (ecc, j, j, zz); ecc_modp_sub (ecc, r + 2*ecc->p.size, j, hh); /* w */ ecc_modp_mul (ecc, j, y2, w); ecc_modp_sub (ecc, w, j, y1); ecc_modp_mul_1 (ecc, w, w, 2); /* i replaces hh, j */ ecc_modp_mul_1 (ecc, hh, hh, 4); ecc_modp_mul (ecc, j, hh, h); /* v */ ecc_modp_mul (ecc, v, x1, hh); /* x_3, use (h, hh) as sqratch */ ecc_modp_sqr (ecc, h, w); ecc_modp_sub (ecc, r, h, j); ecc_modp_submul_1 (ecc, r, v, 2); /* y_3, use (h, hh) as sqratch */ ecc_modp_mul (ecc, h, y1, j); /* frees j */ ecc_modp_sub (ecc, r + ecc->p.size, v, r); ecc_modp_mul (ecc, j, r + ecc->p.size, w); ecc_modp_submul_1 (ecc, j, h, 2); mpn_copyi (r + ecc->p.size, j, ecc->p.size); } nettle-3.4.1/camellia192-meta.c0000644000175000017500000000274613401564745015153 0ustar nissenisse/* camellia192-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia192 = { "camellia192", sizeof(struct camellia256_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA192_KEY_SIZE, (nettle_set_key_func *) camellia192_set_encrypt_key, (nettle_set_key_func *) camellia192_set_decrypt_key, (nettle_cipher_func *) camellia256_crypt, (nettle_cipher_func *) camellia256_crypt }; nettle-3.4.1/arcfour.c0000644000175000017500000000342013401564745013653 0ustar nissenisse/* arcfour.c The arcfour/rc4 stream cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "arcfour.h" #define SWAP(a,b) do { int _t = a; a = b; b = _t; } while(0) void arcfour_set_key(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) { unsigned i, j, k; assert(length >= ARCFOUR_MIN_KEY_SIZE); assert(length <= ARCFOUR_MAX_KEY_SIZE); /* Initialize context */ for (i = 0; i<256; i++) ctx->S[i] = i; for (i = j = k = 0; i<256; i++) { j += ctx->S[i] + key[k]; j &= 0xff; SWAP(ctx->S[i], ctx->S[j]); /* Repeat key as needed */ k = (k + 1) % length; } ctx->i = ctx->j = 0; } void arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key) { arcfour_set_key (ctx, ARCFOUR128_KEY_SIZE, key); } nettle-3.4.1/dsa-hash.c0000644000175000017500000000317413401564746013711 0ustar nissenisse/* dsa-hash.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "bignum.h" /* Convert hash value to an integer. The general description of DSA in FIPS186-3 allows both larger and smaller q; in the the latter case, the hash must be truncated to the right number of bits. */ void _dsa_hash (mpz_t h, unsigned bit_size, size_t length, const uint8_t *digest) { if (length > (bit_size + 7) / 8) length = (bit_size + 7) / 8; nettle_mpz_set_str_256_u(h, length, digest); if (8 * length > bit_size) /* We got a few extra bits, at the low end. Discard them. */ mpz_tdiv_q_2exp (h, h, 8*length - bit_size); } nettle-3.4.1/ecc-ecdsa-sign.c0000644000175000017500000000530613401564746014765 0ustar nissenisse/* ecc-ecdsa-sign.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" /* Low-level ECDSA signing */ mp_size_t ecc_ecdsa_sign_itch (const struct ecc_curve *ecc) { /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for ecc_mul_g and ecc_mul_g_eh. */ return ECC_ECDSA_SIGN_ITCH (ecc->p.size); } /* NOTE: Caller should check if r or s is zero. */ void ecc_ecdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch) { #define P scratch #define kinv scratch /* Needs 5*ecc->p.size for computation */ #define hp (scratch + ecc->p.size) /* NOTE: ecc->p.size + 1 limbs! */ #define tp (scratch + 2*ecc->p.size) /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. 1. k <-- uniformly random, 0 < k < q 2. R <-- (r_x, r_y) = k g 3. s1 <-- r_x mod q 4. s2 <-- (h + z*s1)/k mod q. */ ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); /* Invert k, uses 4 * ecc->p.size including scratch */ ecc->q.invert (&ecc->q, kinv, kp, tp); /* NOTE: Also clobbers hp */ /* Process hash digest */ ecc_hash (&ecc->q, hp, length, digest); ecc_modq_mul (ecc, tp, zp, rp); ecc_modq_add (ecc, hp, hp, tp); ecc_modq_mul (ecc, tp, hp, kinv); mpn_copyi (sp, tp, ecc->p.size); #undef P #undef hp #undef kinv #undef tp } nettle-3.4.1/ecc-j-to-a.c0000644000175000017500000000634013401564746014036 0ustar nissenisse/* ecc-j-to-a.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_j_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch #define up (scratch + 2*ecc->p.size) #define iz2p (scratch + ecc->p.size) #define iz3p (scratch + 2*ecc->p.size) #define izBp (scratch + 3*ecc->p.size) #define tp scratch mp_limb_t cy; if (ecc->use_redc) { /* Set v = (r_z / B^2)^-1, r_x = p_x v^2 / B^3 = ((v/B * v)/B * p_x)/B r_y = p_y v^3 / B^4 = (((v/B * v)/B * v)/B * p_y)/B */ mpn_copyi (up, p + 2*ecc->p.size, ecc->p.size); mpn_zero (up + ecc->p.size, ecc->p.size); ecc->p.reduce (&ecc->p, up); mpn_zero (up + ecc->p.size, ecc->p.size); ecc->p.reduce (&ecc->p, up); ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); /* Divide this common factor by B */ mpn_copyi (izBp, izp, ecc->p.size); mpn_zero (izBp + ecc->p.size, ecc->p.size); ecc->p.reduce (&ecc->p, izBp); ecc_modp_mul (ecc, iz2p, izp, izBp); } else { /* Set s = p_z^{-1}, r_x = p_x s^2, r_y = p_y s^3 */ mpn_copyi (up, p+2*ecc->p.size, ecc->p.size); /* p_z */ ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); ecc_modp_sqr (ecc, iz2p, izp); } ecc_modp_mul (ecc, iz3p, iz2p, p); /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so do a conditional subtraction. */ cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); cnd_copy (cy, r, iz3p, ecc->p.size); if (op) { /* Skip y coordinate */ if (op > 1) { /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ cy = mpn_sub_n (scratch, r, ecc->q.m, ecc->p.size); cnd_copy (cy == 0, r, scratch, ecc->p.size); } return; } ecc_modp_mul (ecc, iz3p, iz2p, izp); ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); /* And a similar subtraction. */ cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); #undef izp #undef up #undef iz2p #undef iz3p #undef tp } nettle-3.4.1/ecc-add-ehh.c0000644000175000017500000000612713401564746014244 0ustar nissenisse/* ecc-add-ehh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, in homogeneous coordinates */ void ecc_add_ehh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#addition-add-2007-bl): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D, mul C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) A = z1*z2 mul A, C, E, T B = A^2 sqr A, B, C, E, T F = B - E A, B, C, E, F, T G = B + E A, C, F, G, T x3 = A*F*T 2 mul A, C, G y3 = A*G*(D-C) 2 mul F, G z3 = F*G mul But when working with the twist curve, we have to negate the factor C = x1*x2. We change subtract to add in the y3 expression, and swap F and G. */ #define C scratch #define D (scratch + ecc->p.size) #define T (scratch + 2*ecc->p.size) #define E (scratch + 3*ecc->p.size) #define A (scratch + 4*ecc->p.size) #define B (scratch + 5*ecc->p.size) #define F D #define G E ecc_modp_mul (ecc, C, x1, x2); ecc_modp_mul (ecc, D, y1, y2); ecc_modp_add (ecc, A, x1, y1); ecc_modp_add (ecc, B, x2, y2); ecc_modp_mul (ecc, T, A, B); ecc_modp_sub (ecc, T, T, C); ecc_modp_sub (ecc, T, T, D); ecc_modp_mul (ecc, x3, C, D); ecc_modp_mul (ecc, E, x3, ecc->b); ecc_modp_add (ecc, C, D, C); /* ! */ ecc_modp_mul (ecc, A, z1, z2); ecc_modp_sqr (ecc, B, A); ecc_modp_sub (ecc, F, B, E); ecc_modp_add (ecc, G, B, E); /* x3 */ ecc_modp_mul (ecc, B, G, T); /* ! */ ecc_modp_mul (ecc, x3, B, A); /* y3 */ ecc_modp_mul (ecc, B, F, C); /* ! */ ecc_modp_mul (ecc, y3, B, A); /* z3 */ ecc_modp_mul (ecc, B, F, G); mpn_copyi (z3, B, ecc->p.size); } nettle-3.4.1/camellia256-set-encrypt-key.c0000644000175000017500000001012113401564745017253 0ustar nissenisse/* camellia256-set-encrypt-key.c Key setup for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" static void _camellia256_set_encrypt_key (struct camellia256_ctx *ctx, uint64_t k0, uint64_t k1, uint64_t k2, uint64_t k3) { uint64_t subkey[_CAMELLIA256_NKEYS + 2]; uint64_t w; /* generate KL dependent subkeys */ subkey[0] = k0; subkey[1] = k1; ROTL128(45, k0, k1); subkey[12] = k0; subkey[13] = k1; ROTL128(15, k0, k1); subkey[16] = k0; subkey[17] = k1; ROTL128(17, k0, k1); subkey[22] = k0; subkey[23] = k1; ROTL128(34, k0, k1); subkey[30] = k0; subkey[31] = k1; /* generate KR dependent subkeys */ ROTL128(15, k2, k3); subkey[4] = k2; subkey[5] = k3; ROTL128(15, k2, k3); subkey[8] = k2; subkey[9] = k3; ROTL128(30, k2, k3); subkey[18] = k2; subkey[19] = k3; ROTL128(34, k2, k3); subkey[26] = k2; subkey[27] = k3; ROTL128(34, k2, k3); /* generate KA */ /* The construction of KA is done as D1 = (KL ^ KR) >> 64 D2 = (KL ^ KR) & MASK64 W = F(D1, SIGMA1) D2 = D2 ^ W D1 = F(D2, SIGMA2) ^ (KR >> 64) D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64) D1 = D1 ^ F(W, SIGMA2) D2 = D2 ^ F(D1, SIGMA3) D1 = D1 ^ F(D2, SIGMA4) */ k0 = subkey[0] ^ k2; k1 = subkey[1] ^ k3; CAMELLIA_F(k0, SIGMA1, w); k1 ^= w; CAMELLIA_F(k1, SIGMA2, k0); k0 ^= k2; CAMELLIA_F(k0, SIGMA3, k1); k1 ^= w ^ k3; CAMELLIA_F(k1, SIGMA4, w); k0 ^= w; /* generate KB */ k2 ^= k0; k3 ^= k1; CAMELLIA_F(k2, SIGMA5, w); k3 ^= w; CAMELLIA_F(k3, SIGMA6, w); k2 ^= w; /* generate KA dependent subkeys */ ROTL128(15, k0, k1); subkey[6] = k0; subkey[7] = k1; ROTL128(30, k0, k1); subkey[14] = k0; subkey[15] = k1; ROTL128(32, k0, k1); subkey[24] = k0; subkey[25] = k1; ROTL128(17, k0, k1); subkey[28] = k0; subkey[29] = k1; /* generate KB dependent subkeys */ subkey[2] = k2; subkey[3] = k3; ROTL128(30, k2, k3); subkey[10] = k2; subkey[11] = k3; ROTL128(30, k2, k3); subkey[20] = k2; subkey[21] = k3; ROTL128(51, k2, k3); subkey[32] = k2; subkey[33] = k3; /* Common final processing */ _camellia_absorb (_CAMELLIA256_NKEYS, ctx->keys, subkey); } void camellia256_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { uint64_t k0, k1, k2, k3; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); k2 = READ_UINT64(key + 16); k3 = READ_UINT64(key + 24); _camellia256_set_encrypt_key (ctx, k0, k1, k2, k3); } void camellia192_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { uint64_t k0, k1, k2; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); k2 = READ_UINT64(key + 16); _camellia256_set_encrypt_key (ctx, k0, k1, k2, ~k2); } nettle-3.4.1/gcm-camellia128-meta.c0000644000175000017500000000354113401564745015710 0ustar nissenisse/* gcm-camellia128-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_camellia128_set_nonce_wrapper; static void gcm_camellia128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_camellia128_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_camellia128 = { "gcm_camellia128", sizeof(struct gcm_camellia128_ctx), GCM_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_camellia128_set_key, (nettle_set_key_func *) gcm_camellia128_set_key, gcm_camellia128_set_nonce_wrapper, (nettle_hash_update_func *) gcm_camellia128_update, (nettle_crypt_func *) gcm_camellia128_encrypt, (nettle_crypt_func *) gcm_camellia128_decrypt, (nettle_hash_digest_func *) gcm_camellia128_digest, }; nettle-3.4.1/getopt1.c0000644000175000017500000001111613401564746013577 0ustar nissenisse/* getopt_long and getopt_long_only entry points for GNU getopt. Copyright (C) 1987-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifdef HAVE_CONFIG_H #include #endif #ifdef _LIBC # include #else # include "getopt.h" #endif #include "getopt_int.h" #include /* Comment out all this code if we are using the GNU C Library, and are not actually compiling the library itself. This code is part of the GNU C Library, but also included in many other GNU distributions. Compiling and linking in this code is a waste when using the GNU C library (especially if it is a shared library). Rather than having every GNU program understand `configure --with-gnu-libc' and omit the object files, it is simpler to just do this in the source for each such file. */ #define GETOPT_INTERFACE_VERSION 2 #if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2 #include #if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION #define ELIDE_CODE #endif #endif #ifndef ELIDE_CODE /* This needs to come after some library #include to get __GNU_LIBRARY__ defined. */ #ifdef __GNU_LIBRARY__ #include #endif #ifndef NULL #define NULL 0 #endif int getopt_long (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index) { return _getopt_internal (argc, argv, options, long_options, opt_index, 0, 0); } int _getopt_long_r (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index, struct _getopt_data *d) { return _getopt_internal_r (argc, argv, options, long_options, opt_index, 0, d, 0); } /* Like getopt_long, but '-' as well as '--' can indicate a long option. If an option that starts with '-' (not '--') doesn't match a long option, but does match a short option, it is parsed as a short option instead. */ int getopt_long_only (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index) { return _getopt_internal (argc, argv, options, long_options, opt_index, 1, 0); } int _getopt_long_only_r (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index, struct _getopt_data *d) { return _getopt_internal_r (argc, argv, options, long_options, opt_index, 1, d, 0); } #endif /* Not ELIDE_CODE. */ #ifdef TEST #include int main (int argc, char **argv) { int c; int digit_optind = 0; while (1) { int this_option_optind = optind ? optind : 1; int option_index = 0; static struct option long_options[] = { {"add", 1, 0, 0}, {"append", 0, 0, 0}, {"delete", 1, 0, 0}, {"verbose", 0, 0, 0}, {"create", 0, 0, 0}, {"file", 1, 0, 0}, {0, 0, 0, 0} }; c = getopt_long (argc, argv, "abc:d:0123456789", long_options, &option_index); if (c == -1) break; switch (c) { case 0: printf ("option %s", long_options[option_index].name); if (optarg) printf (" with arg %s", optarg); printf ("\n"); break; case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': if (digit_optind != 0 && digit_optind != this_option_optind) printf ("digits occur in two different argv-elements.\n"); digit_optind = this_option_optind; printf ("option %c\n", c); break; case 'a': printf ("option a\n"); break; case 'b': printf ("option b\n"); break; case 'c': printf ("option c with value `%s'\n", optarg); break; case 'd': printf ("option d with value `%s'\n", optarg); break; case '?': break; default: printf ("?? getopt returned character code 0%o ??\n", c); } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } exit (0); } #endif /* TEST */ nettle-3.4.1/umac-nh.c0000644000175000017500000000402713401564745013546 0ustar nissenisse/* umac-nh.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_umac_nh uint64_t _nettle_umac_nh_c (const uint32_t *key, unsigned length, const uint8_t *msg); #define _nettle_umac_nh _nettle_umac_nh_c #endif uint64_t _umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg) { uint64_t y; assert (length > 0); assert (length <= 1024); assert (length % 32 == 0); for (y = 0; length > 0; length -= 32, msg += 32, key += 8) { uint32_t a, b; a = LE_READ_UINT32 (msg) + key[0]; b = LE_READ_UINT32 (msg + 16) + key[4]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 4) + key[1]; b = LE_READ_UINT32 (msg + 20) + key[5]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 8) + key[2]; b = LE_READ_UINT32 (msg + 24) + key[6]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 12) + key[3]; b = LE_READ_UINT32 (msg + 28) + key[7]; y += (uint64_t) a * b; } return y; } nettle-3.4.1/pbkdf2-hmac-sha256.c0000644000175000017500000000304113401564745015275 0ustar nissenisse/* pbkdf2-hmac-sha256.c PKCS #5 PBKDF2 used with HMAC-SHA256, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha256_ctx sha256ctx; hmac_sha256_set_key (&sha256ctx, key_length, key); PBKDF2 (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-3.4.1/pkcs1-rsa-sha256.c0000644000175000017500000000556113401564745015034 0ustar nissenisse/* pkcs1-rsa-sha256.c PKCS stuff for rsa-sha256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "gmp-glue.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. * * id-sha256 OBJECT IDENTIFIER ::= * {joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1} */ static const uint8_t sha256_prefix[] = { /* 19 octets prefix, 32 octets hash, total 51 */ 0x30, 49, /* SEQUENCE */ 0x30, 13, /* SEQUENCE */ 0x06, 9, /* OBJECT IDENTIFIER */ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0, /* NULL */ 0x04, 32 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_sha256_encode(mpz_t m, size_t key_size, struct sha256_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), sha256_prefix, SHA256_DIGEST_SIZE); if (p) { sha256_digest(hash, SHA256_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), sha256_prefix, SHA256_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA256_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.4.1/salsa20-256-set-key.c0000644000175000017500000000354013401564745015353 0ustar nissenisse/* salsa20-256-set-key.c The Salsa20 stream cipher. Key setup for 128-bit keys. Copyright (C) 2012 Simon Josefsson Copyright (C) 2012-2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key) { ctx->input[1] = LE_READ_UINT32(key + 0); ctx->input[2] = LE_READ_UINT32(key + 4); ctx->input[3] = LE_READ_UINT32(key + 8); ctx->input[4] = LE_READ_UINT32(key + 12); ctx->input[11] = LE_READ_UINT32(key + 16); ctx->input[12] = LE_READ_UINT32(key + 20); ctx->input[13] = LE_READ_UINT32(key + 24); ctx->input[14] = LE_READ_UINT32(key + 28); /* "expand 32-byte k" */ ctx->input[0] = 0x61707865; ctx->input[5] = 0x3320646e; ctx->input[10] = 0x79622d32; ctx->input[15] = 0x6b206574; } nettle-3.4.1/rsa-decrypt-tr.c0000644000175000017500000000375513401564746015106 0ustar nissenisse/* rsa-decrypt-tr.c RSA decryption, using randomized RSA blinding to be more resistant to timing attacks. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t gibberish) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); mp_size_t key_limb_size; int res; key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); TMP_GMP_ALLOC (m, key_limb_size); TMP_GMP_ALLOC (em, key->size); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, mpz_limbs_read(gibberish), mpz_size(gibberish)); mpn_get_base256 (em, key->size, m, key_limb_size); res &= _pkcs1_sec_decrypt_variable (length, message, key->size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } nettle-3.4.1/bignum.c0000644000175000017500000000755413401564745013507 0ustar nissenisse/* bignum.c Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "bignum.h" /* Two's complement negation means that -x = ~x + 1, ~x = -(x+1), * and we use that x = ~~x = ~(-x-1). * * Examples: * * x ~x = -x+1 ~~x = x * -1 0 ff * -2 1 fe * -7f 7e 81 * -80 7f 80 * -81 80 ff7f */ /* Including extra sign bit, if needed. Also one byte for zero. */ size_t nettle_mpz_sizeinbase_256_s(const mpz_t x) { if (mpz_sgn(x) >= 0) return 1 + mpz_sizeinbase(x, 2) / 8; else { /* We'll output ~~x, so we need as many bits as for ~x */ size_t size; mpz_t c; mpz_init(c); mpz_com(c, x); /* Same as c = - x - 1 = |x| + 1 */ size = 1 + mpz_sizeinbase(c,2) / 8; mpz_clear(c); return size; } } size_t nettle_mpz_sizeinbase_256_u(const mpz_t x) { return (mpz_sizeinbase(x,2) + 7) / 8; } static void nettle_mpz_to_octets(size_t length, uint8_t *s, const mpz_t x, uint8_t sign) { uint8_t *dst = s + length - 1; size_t size = mpz_size(x); size_t i; for (i = 0; i>= 8; length--; } } if (length) memset(s, sign, length); } void nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x) { if (!length) { /* x must be zero */ assert(!mpz_sgn(x)); return; } if (mpz_sgn(x) >= 0) { assert(nettle_mpz_sizeinbase_256_u(x) <= length); nettle_mpz_to_octets(length, s, x, 0); } else { mpz_t c; mpz_init(c); mpz_com(c, x); assert(nettle_mpz_sizeinbase_256_u(c) <= length); nettle_mpz_to_octets(length, s, c, 0xff); mpz_clear(c); } } /* Converting from strings */ /* mpz_import was introduced in GMP-4.1 */ #define nettle_mpz_from_octets(x, length, s) \ mpz_import((x), (length), 1, 1, 0, 0, (s)) void nettle_mpz_set_str_256_u(mpz_t x, size_t length, const uint8_t *s) { nettle_mpz_from_octets(x, length, s); } void nettle_mpz_init_set_str_256_u(mpz_t x, size_t length, const uint8_t *s) { mpz_init(x); nettle_mpz_from_octets(x, length, s); } void nettle_mpz_set_str_256_s(mpz_t x, size_t length, const uint8_t *s) { if (!length) { mpz_set_ui(x, 0); return; } nettle_mpz_from_octets(x, length, s); if (s[0] & 0x80) { mpz_t t; mpz_init_set_ui(t, 1); mpz_mul_2exp(t, t, length*8); mpz_sub(x, x, t); mpz_clear(t); } } void nettle_mpz_init_set_str_256_s(mpz_t x, size_t length, const uint8_t *s) { mpz_init(x); nettle_mpz_set_str_256_s(x, length, s); } nettle-3.4.1/ecc-mod-arith.c0000644000175000017500000000636013401564746014635 0ustar nissenisse/* ecc-mod-arith.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Routines for modp arithmetic. All values are ecc->size limbs, but not necessarily < p. */ void ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp) { mp_limb_t cy; cy = mpn_add_n (rp, ap, bp, m->size); cy = cnd_add_n (cy, rp, m->B, m->size); cy = cnd_add_n (cy, rp, m->B, m->size); assert (cy == 0); } void ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp) { mp_limb_t cy; cy = mpn_sub_n (rp, ap, bp, m->size); cy = cnd_sub_n (cy, rp, m->B, m->size); cy = cnd_sub_n (cy, rp, m->B, m->size); assert (cy == 0); } void ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_mul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert (hi <= 1); hi = cnd_add_n (hi, rp, m->B, m->size); /* Sufficient if b < B^size / p */ assert (hi == 0); } void ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_addmul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert (hi <= 1); hi = cnd_add_n (hi, rp, m->B, m->size); /* Sufficient roughly if b < B^size / p */ assert (hi == 0); } void ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_submul_1 (rp, ap, m->size, b); hi = mpn_submul_1 (rp, m->B, m->size, hi); assert (hi <= 1); hi = cnd_sub_n (hi, rp, m->B, m->size); /* Sufficient roughly if b < B^size / p */ assert (hi == 0); } /* NOTE: mul and sqr needs 2*m->size limbs at rp */ void ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp) { mpn_mul_n (rp, ap, bp, m->size); m->reduce (m, rp); } void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap) { mpn_sqr (rp, ap, m->size); m->reduce (m, rp); } nettle-3.4.1/sexp2bignum.c0000644000175000017500000000316613401564745014464 0ustar nissenisse/* sexp2bignum.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sexp.h" #include "bignum.h" int nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i) { if (i->type == SEXP_ATOM && i->atom_length && !i->display) { /* Allow some extra here, for leading sign octets. */ if (limit && (8 * i->atom_length > (16 + limit))) return 0; nettle_mpz_set_str_256_s(x, i->atom_length, i->atom); /* FIXME: How to interpret a limit for negative numbers? */ if (limit && mpz_sizeinbase(x, 2) > limit) return 0; return sexp_iterator_next(i); } else return 0; } nettle-3.4.1/ecdsa-sign.c0000644000175000017500000000427313401564746014237 0ustar nissenisse/* ecdsa-sign.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature) { /* At most 936 bytes. */ TMP_DECL(k, mp_limb_t, ECC_MAX_SIZE + ECC_ECDSA_SIGN_ITCH (ECC_MAX_SIZE)); mp_limb_t size = key->ecc->p.size; mp_limb_t *rp = mpz_limbs_write (signature->r, size); mp_limb_t *sp = mpz_limbs_write (signature->s, size); TMP_ALLOC (k, size + ECC_ECDSA_SIGN_ITCH (size)); /* Timing reveals the number of rounds through this loop, but the timing is still independent of the secret k finally used. */ do { ecc_mod_random (&key->ecc->q, k, random_ctx, random, k + size); ecc_ecdsa_sign (key->ecc, key->p, k, digest_length, digest, rp, sp, k + size); mpz_limbs_finish (signature->r, size); mpz_limbs_finish (signature->s, size); } while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0); } nettle-3.4.1/nettle-lookup-hash.c0000644000175000017500000000254213401564745015741 0ustar nissenisse/* nettle-lookup-hash.c Copyright (C) 2016 Niels Möller. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "nettle-meta.h" #undef nettle_hashes const struct nettle_hash * nettle_lookup_hash (const char *name) { unsigned i; for (i = 0; nettle_hashes[i]; i++) if (!strcmp (name, nettle_hashes[i]->name)) return nettle_hashes[i]; return NULL; } nettle-3.4.1/sha512.c0000644000175000017500000001774613401564745013235 0ustar nissenisse/* sha512.c The sha512 hash function. See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf Copyright (C) 2001, 2010 Niels Möller Copyright (C) 2014 Joachim Strömbergson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Modelled after the sha1.c code by Peter Gutmann. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha2.h" #include "macros.h" /* Generated by the gp script { print("obase=16"); for (i = 1,80, root = prime(i)^(1/3); fraction = root - floor(root); print(floor(2^64 * fraction)); ); quit(); } piped through |grep -v '^[' | bc \ |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}' to convert it to hex. */ static const uint64_t K[80] = { 0x428A2F98D728AE22ULL,0x7137449123EF65CDULL, 0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL, 0x3956C25BF348B538ULL,0x59F111F1B605D019ULL, 0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL, 0xD807AA98A3030242ULL,0x12835B0145706FBEULL, 0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL, 0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL, 0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL, 0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL, 0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL, 0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL, 0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL, 0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL, 0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL, 0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL, 0x06CA6351E003826FULL,0x142929670A0E6E70ULL, 0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL, 0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL, 0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL, 0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL, 0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL, 0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL, 0xD192E819D6EF5218ULL,0xD69906245565A910ULL, 0xF40E35855771202AULL,0x106AA07032BBD1B8ULL, 0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL, 0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL, 0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL, 0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL, 0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL, 0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL, 0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL, 0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL, 0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL, 0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL, 0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL, 0x113F9804BEF90DAEULL,0x1B710B35131C471BULL, 0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL, 0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL, 0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL, 0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL, }; #define COMPRESS(ctx, data) (_nettle_sha512_compress((ctx)->state, (data), K)) void sha512_init(struct sha512_ctx *ctx) { /* Initial values, generated by the gp script { for (i = 1,8, root = prime(i)^(1/2); fraction = root - floor(root); print(floor(2^64 * fraction)); ); } . */ static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL, 0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL, 0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL, 0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_update(struct sha512_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx)); } static void sha512_write_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest) { uint64_t high, low; unsigned i; unsigned words; unsigned leftover; assert(length <= SHA512_DIGEST_SIZE); MD_PAD(ctx, 16, COMPRESS); /* There are 1024 = 2^10 bits in one block */ high = (ctx->count_high << 10) | (ctx->count_low >> 54); low = (ctx->count_low << 10) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high); WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low); COMPRESS(ctx, ctx->block); words = length / 8; leftover = length % 8; for (i = 0; i < words; i++, digest += 8) WRITE_UINT64(digest, ctx->state[i]); if (leftover) { /* Truncate to the right size */ uint64_t word = ctx->state[i] >> (8*(8 - leftover)); do { digest[--leftover] = word & 0xff; word >>= 8; } while (leftover); } } void sha512_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA512_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha512_init(ctx); } /* sha384 variant. */ void sha384_init(struct sha512_ctx *ctx) { /* Initial values, generated by the gp script { for (i = 9,16, root = prime(i)^(1/2); fraction = root - floor(root); print(floor(2^64 * fraction)); ); } . */ static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL, 0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL, 0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL, 0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha384_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA384_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha384_init(ctx); } /* sha-512/224 variant. */ void sha512_224_init(struct sha512_224_ctx *ctx) { static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL, 0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL, 0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL, 0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_224_digest(struct sha512_224_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA224_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha512_224_init(ctx); } /* sha-512/256 variant. */ void sha512_256_init(struct sha512_256_ctx *ctx) { static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL, 0x2393b86b6f53b151ULL, 0x963877195940eabdULL, 0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL, 0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_256_digest(struct sha512_256_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA256_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha512_256_init(ctx); } nettle-3.4.1/rsa-pss-sha512-sign-tr.c0000644000175000017500000000430213401564746016165 0ustar nissenisse/* rsa-pss-sha512-sign-tr.c Signatures using RSA and SHA-384/SHA-512, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha384, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha512, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.4.1/tools/0000755000175000017500000000000013401564746013210 5ustar nissenissenettle-3.4.1/tools/nettle-pbkdf2.c0000644000175000017500000001147513401564746016025 0ustar nissenisse/* nettle-pbkdf2.c Command-line tool for pbkdf2 hashing. Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "pbkdf2.h" #include "base16.h" #include "getopt.h" #include "misc.h" #define DEFAULT_ITERATIONS 10000 #define DEFAULT_LENGTH 16 static void usage (FILE *f) { fprintf(f, "Usage: nettle-pbkdf2 [OPTIONS] SALT\n" "Options:\n" " --help Show this help.\n" " -V, --version Show version information.\n" " -i, --iterations=COUNT Desired iteration count (default %d).\n" " -l, --length=LENGTH Desired output length (octets, default %d)\n" " --raw Raw binary output.\n" " --hex-salt Use hex encoding for the salt.\n", DEFAULT_ITERATIONS, DEFAULT_LENGTH); } #define MAX_PASSWORD 1024 int main (int argc, char **argv) { unsigned iterations = DEFAULT_ITERATIONS; unsigned output_length = DEFAULT_LENGTH; char password[MAX_PASSWORD]; size_t password_length; uint8_t *output; size_t salt_length; char *salt; int raw = 0; int hex_salt = 0; int c; enum { OPT_HELP = 0x300, OPT_RAW, OPT_HEX_SALT }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "length", required_argument, NULL, 'l' }, { "iterations", required_argument, NULL, 'i' }, { "raw", no_argument, NULL, OPT_RAW }, { "hex-salt", no_argument, NULL, OPT_HEX_SALT }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Vl:i:", options, NULL)) != -1) switch (c) { default: abort(); case '?': usage (stderr); return EXIT_FAILURE; case OPT_HELP: usage (stdout); return EXIT_SUCCESS; case 'V': printf("nettle-pbkdf2 (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; case 'l': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid length argument: `%s'\n", optarg); output_length = arg; } break; case 'i': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid iteration count: `%s'\n", optarg); iterations = arg; } break; case OPT_RAW: raw = 1; break; case OPT_HEX_SALT: hex_salt = 1; break; } argv += optind; argc -= optind; if (argc != 1) { usage (stderr); return EXIT_FAILURE; } salt = strdup (argv[0]); salt_length = strlen(argv[0]); if (hex_salt) { struct base16_decode_ctx base16; base16_decode_init (&base16); if (!base16_decode_update (&base16, &salt_length, (uint8_t *) salt, salt_length, salt) || !base16_decode_final (&base16)) die ("Invalid salt (expecting hex encoding).\n"); } password_length = fread (password, 1, sizeof(password), stdin); if (password_length == sizeof(password)) die ("Password input too long. Current limit is %d characters.\n", (int) sizeof(password) - 1); if (ferror (stdin)) die ("Reading password input failed: %s.\n", strerror (errno)); output = xalloc (output_length); pbkdf2_hmac_sha256 (password_length, (const uint8_t *) password, iterations, salt_length, (const uint8_t*) salt, output_length, output); free (salt); if (raw) fwrite (output, output_length, 1, stdout); else { unsigned i; char hex[BASE16_ENCODE_LENGTH(8) + 1]; for (i = 0; i + 8 < output_length; i += 8) { base16_encode_update(hex, 8, output + i); hex[BASE16_ENCODE_LENGTH(8)] = 0; printf("%s%c", hex, i % 64 == 56 ? '\n' : ' '); } base16_encode_update(hex, output_length - i, output + i); hex[BASE16_ENCODE_LENGTH(output_length - i)] = 0; printf("%s\n", hex); } free (output); if (fflush(stdout) != 0 ) die("Write failed: %s\n", STRERROR(errno)); return EXIT_SUCCESS; } nettle-3.4.1/tools/input.c0000644000175000017500000002200213401564746014507 0ustar nissenisse/* input.c Copyright (C) 2002, 2003, 2008 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "input.h" void sexp_input_init(struct sexp_input *input, FILE *f) { input->f = f; input->coding = NULL; } static void sexp_get_raw_char(struct sexp_input *input) { int c = getc(input->f); if (c < 0) { if (ferror(input->f)) die("Read error: %s\n", strerror(errno)); input->ctype = SEXP_EOF_CHAR; } else { input->ctype = SEXP_NORMAL_CHAR; input->c = c; } } void sexp_get_char(struct sexp_input *input) { if (input->coding) for (;;) { size_t done; sexp_get_raw_char(input); if (input->ctype == SEXP_EOF_CHAR) die("Unexpected end of file in coded data.\n"); if (input->c == input->terminator) { input->ctype = SEXP_END_CHAR; return; } done = 1; /* Decodes in place. Should always work, when we decode one * character at a time. */ if (!input->coding->decode_update(&input->state, &done, &input->c, 1, (const char*) &input->c)) die("Invalid coded data.\n"); if (done) return; } else sexp_get_raw_char(input); } static uint8_t sexp_next_char(struct sexp_input *input) { sexp_get_char(input); if (input->ctype != SEXP_NORMAL_CHAR) die("Unexpected end of file.\n"); return input->c; } static void sexp_push_char(struct sexp_input *input, struct nettle_buffer *string) { assert(input->ctype == SEXP_NORMAL_CHAR); if (!NETTLE_BUFFER_PUTC(string, input->c)) die("Virtual memory exhasuted.\n"); } static void sexp_input_start_coding(struct sexp_input *input, const struct nettle_armor *coding, uint8_t terminator) { assert(!input->coding); input->coding = coding; input->coding->decode_init(&input->state); input->terminator = terminator; } static void sexp_input_end_coding(struct sexp_input *input) { assert(input->coding); if (!input->coding->decode_final(&input->state)) die("Invalid coded data.\n"); input->coding = NULL; } /* Return 0 at end-of-string */ static int sexp_get_quoted_char(struct sexp_input *input) { sexp_next_char(input); switch (input->c) { default: return 1; case '\"': return 0; case '\\': sexp_next_char(input); switch (input->c) { case 'b': input->c = '\b'; return 1; case 't': input->c = '\t'; return 1; case 'n': input->c = '\n'; return 1; case 'f': input->c = '\f'; return 1; case 'r': input->c = '\r'; return 1; case '\\': input->c = '\\'; return 1; case 'o': case 'x': /* FIXME: Not implemnted */ abort(); case '\n': if (sexp_next_char(input) == '\r') sexp_next_char(input); break; case '\r': if (sexp_next_char(input) == '\n') sexp_next_char(input); break; } return 1; } } static void sexp_get_token_string(struct sexp_input *input, struct nettle_buffer *string) { assert(!input->coding); assert(input->ctype == SEXP_NORMAL_CHAR); if (!TOKEN_CHAR(input->c)) die("Invalid token.\n"); do { sexp_push_char(input, string); sexp_get_char(input); } while (input->ctype == SEXP_NORMAL_CHAR && TOKEN_CHAR(input->c)); assert (string->size); } static void sexp_get_string(struct sexp_input *input, struct nettle_buffer *string) { nettle_buffer_reset(string); input->token = SEXP_STRING; switch (input->c) { case '\"': while (sexp_get_quoted_char(input)) sexp_push_char(input, string); sexp_get_char(input); break; case '#': sexp_input_start_coding(input, &nettle_base16, '#'); goto decode; case '|': sexp_input_start_coding(input, &nettle_base64, '|'); decode: for (;;) { sexp_get_char(input); switch (input->ctype) { case SEXP_NORMAL_CHAR: sexp_push_char(input, string); break; case SEXP_EOF_CHAR: die("Unexpected end of file in coded string.\n"); case SEXP_END_CHAR: sexp_input_end_coding(input); sexp_get_char(input); return; } } break; default: sexp_get_token_string(input, string); break; } } static void sexp_get_string_length(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string) { unsigned length; nettle_buffer_reset(string); input->token = SEXP_STRING; length = input->c - '0'; if (!length) /* There must be no more digits */ sexp_next_char(input); else { assert(length < 10); /* Get rest of digits */ for (;;) { sexp_next_char(input); if (input->c < '0' || input->c > '9') break; /* FIXME: Check for overflow? */ length = length * 10 + input->c - '0'; } } if (input->c == ':') /* Verbatim */ for (; length; length--) { sexp_next_char(input); sexp_push_char(input, string); } else if (mode != SEXP_ADVANCED) die("Encountered advanced string in canonical mode.\n"); else switch(input->c) { case '"': for (; length; length--) if (sexp_get_quoted_char(input)) sexp_push_char(input, string); else die("Unexpected end of string.\n"); if (sexp_get_quoted_char(input)) die("Quoted string longer than expected.\n"); break; case '#': sexp_input_start_coding(input, &nettle_base16, '#'); goto decode; case '|': sexp_input_start_coding(input, &nettle_base64, '|'); decode: for (; length; length--) { sexp_next_char(input); sexp_push_char(input, string); } sexp_get_char(input); if (input->ctype != SEXP_END_CHAR) die("Coded string too long.\n"); sexp_input_end_coding(input); break; default: die("Invalid string.\n"); } /* Skip the ending character. */ sexp_get_char(input); } static void sexp_get_comment(struct sexp_input *input, struct nettle_buffer *string) { nettle_buffer_reset(string); assert(input->ctype == SEXP_NORMAL_CHAR); assert(input->c == ';'); do { sexp_push_char(input, string); sexp_get_raw_char(input); } while (input->ctype == SEXP_NORMAL_CHAR && input->c != '\n'); input->token = SEXP_COMMENT; } /* When called, input->c should be the first character of the current * token. * * When returning, input->c should be the first character of the next * token. */ void sexp_get_token(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string) { for(;;) switch(input->ctype) { case SEXP_EOF_CHAR: input->token = SEXP_EOF; return; case SEXP_END_CHAR: input->token = SEXP_CODING_END; sexp_input_end_coding(input); sexp_get_char(input); return; case SEXP_NORMAL_CHAR: switch(input->c) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': sexp_get_string_length(input, mode, string); return; case '(': input->token = SEXP_LIST_START; sexp_get_char(input); return; case ')': input->token = SEXP_LIST_END; sexp_get_char(input); return; case '[': input->token = SEXP_DISPLAY_START; sexp_get_char(input); return; case ']': input->token = SEXP_DISPLAY_END; sexp_get_char(input); return; case '{': if (mode == SEXP_CANONICAL) die("Unexpected transport data in canonical mode.\n"); sexp_input_start_coding(input, &nettle_base64, '}'); sexp_get_char(input); input->token = SEXP_TRANSPORT_START; return; case ' ': /* SPC, TAB, LF, CR */ case '\t': case '\n': case '\r': if (mode == SEXP_CANONICAL) die("Whitespace encountered in canonical mode.\n"); sexp_get_char(input); break; case ';': /* Comments */ if (mode == SEXP_CANONICAL) die("Comment encountered in canonical mode.\n"); sexp_get_comment(input, string); return; default: /* Ought to be a string */ if (mode != SEXP_ADVANCED) die("Encountered advanced string in canonical mode.\n"); sexp_get_string(input, string); return; } } } nettle-3.4.1/tools/misc.h0000644000175000017500000000366213401564746014323 0ustar nissenisse/* misc.h Copyright (C) 2002, 2003, 2008, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_MISC_H_INCLUDED #define NETTLE_TOOLS_MISC_H_INCLUDED #if HAVE_CONFIG_H # include "config.h" #endif void die(const char *format, ...) PRINTF_STYLE (1, 2) NORETURN; void werror(const char *format, ...) PRINTF_STYLE (1, 2); void * xalloc(size_t size); enum sexp_mode { SEXP_CANONICAL = 0, SEXP_ADVANCED = 1, SEXP_TRANSPORT = 2, }; enum sexp_token { SEXP_STRING, SEXP_DISPLAY, /* Constructed by sexp_parse */ SEXP_COMMENT, SEXP_LIST_START, SEXP_LIST_END, SEXP_EOF, /* The below types are internal to the input parsing, only * returned by sexp_get_token. sexp_parse should never return a * token of these types. */ SEXP_DISPLAY_START, SEXP_DISPLAY_END, SEXP_TRANSPORT_START, SEXP_CODING_END, }; extern const char sexp_token_chars[0x80]; #define TOKEN_CHAR(c) ((c) < 0x80 && sexp_token_chars[(c)]) #endif /* NETTLE_TOOLS_MISC_H_INCLUDED */ nettle-3.4.1/tools/input.h0000644000175000017500000000376613401564746014534 0ustar nissenisse/* input.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_INPUT_H_INCLUDED #define NETTLE_TOOLS_INPUT_H_INCLUDED #include "misc.h" #include "base16.h" #include "base64.h" #include "buffer.h" #include "nettle-meta.h" #include /* Special marks in the input stream */ enum sexp_char_type { SEXP_NORMAL_CHAR = 0, SEXP_EOF_CHAR, SEXP_END_CHAR, }; struct sexp_input { FILE *f; /* Character stream, consisting of ordinary characters, * SEXP_EOF_CHAR, and SEXP_END_CHAR. */ enum sexp_char_type ctype; uint8_t c; const struct nettle_armor *coding; union { struct base64_decode_ctx base64; struct base16_decode_ctx hex; } state; /* Terminator for current coding */ uint8_t terminator; /* Type of current token */ enum sexp_token token; }; void sexp_input_init(struct sexp_input *input, FILE *f); void sexp_get_char(struct sexp_input *input); void sexp_get_token(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string); #endif /* NETTLE_TOOLS_INPUT_H_INCLUDED */ nettle-3.4.1/tools/misc.c0000644000175000017500000000420213401564746014305 0ustar nissenisse/* misc.c Copyright (C) 2002, 2003, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "misc.h" void die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } void werror(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } void * xalloc(size_t size) { void *p = malloc(size); if (!p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } const char sexp_token_chars[0x80] = { /* 0, ... 0x1f */ 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* SPC ! " # $ % & ' ( ) * + , - . / */ 0,0,0,0,0,0,0,0, 0,0,1,1,0,1,1,1, /* 0 1 2 3 4 5 6 7 8 9 : ; < = > ? */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,1,0,0, /* @ A ... O */ 0,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, /* P ... Z [ \ ] ^ _ */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,0,0,1, /* ` a, ... o */ 0,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, /* p ... z { | } ~ DEL */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,0,0,0, }; nettle-3.4.1/tools/output.h0000644000175000017500000000461113401564746014723 0ustar nissenisse/* output.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_OUTPUT_H_INCLUDED #define NETTLE_TOOLS_OUTPUT_H_INCLUDED #include "misc.h" #include "base64.h" #include "buffer.h" #include "nettle-meta.h" #include struct sexp_output { FILE *f; unsigned line_width; const struct nettle_armor *coding; unsigned coding_indent; int prefer_hex; const struct nettle_hash *hash; void *ctx; /* NOTE: There's no context for hex encoding, the state argument to encode_update is ignored */ struct base64_decode_ctx base64; unsigned pos; int soft_newline; }; void sexp_output_init(struct sexp_output *output, FILE *f, unsigned width, int prefer_hex); void sexp_output_hash_init(struct sexp_output *output, const struct nettle_hash *hash, void *ctx); void sexp_put_newline(struct sexp_output *output, unsigned indent); void sexp_put_soft_newline(struct sexp_output *output, unsigned indent); void sexp_put_char(struct sexp_output *output, uint8_t c); void sexp_put_data(struct sexp_output *output, unsigned length, const uint8_t *data); void sexp_put_code_start(struct sexp_output *output, const struct nettle_armor *coding); void sexp_put_code_end(struct sexp_output *output); void sexp_put_string(struct sexp_output *output, enum sexp_mode mode, struct nettle_buffer *string); void sexp_put_digest(struct sexp_output *output); #endif /* NETTLE_TOOLS_OUTPUT_H_INCLUDED */ nettle-3.4.1/tools/Makefile.in0000644000175000017500000000540313401564746015257 0ustar nissenisse@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = $(INSTALL_PROGRAM) -s MKDIR_P = @MKDIR_P@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. HOGWEED_TARGETS = pkcs1-conv$(EXEEXT) TARGETS = sexp-conv$(EXEEXT) nettle-hash$(EXEEXT) nettle-pbkdf2$(EXEEXT) \ nettle-lfib-stream$(EXEEXT) \ @IF_HOGWEED@ $(HOGWEED_TARGETS) all: $(TARGETS) getopt_OBJS = ../getopt.$(OBJEXT) ../getopt1.$(OBJEXT) sexp_conv_SOURCES = sexp-conv.c input.c output.c parse.c misc.c pkcs1_conv_SOURCES = pkcs1-conv.c misc.c nettle_hash_SOURCES = nettle-hash.c misc.c nettle_pbkdf2_SOURCES = nettle-pbkdf2.c misc.c SOURCES = $(sexp_conv_SOURCES) nettle-hash.c nettle-lfib-stream.c pkcs1-conv.c nettle-pbkdf2.c DISTFILES = $(SOURCES) Makefile.in input.h misc.h output.h parse.h sexp_conv_OBJS = $(sexp_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) sexp-conv$(EXEEXT): $(sexp_conv_OBJS) ../libnettle.stamp $(LINK) $(sexp_conv_OBJS) -lnettle $(LIBS) -o $@ nettle-lfib-stream$(EXEEXT): nettle-lfib-stream.$(OBJEXT) ../libnettle.stamp $(LINK) nettle-lfib-stream.$(OBJEXT) -lnettle $(LIBS) -o $@ pkcs1_conv_OBJS = $(pkcs1_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) pkcs1-conv$(EXEEXT): $(pkcs1_conv_OBJS) ../libnettle.stamp ../libhogweed.stamp $(LINK) $(pkcs1_conv_OBJS) -lhogweed -lnettle $(LIBS) -o $@ # FIXME: Avoid linking with gmp nettle_hash_OBJS = $(nettle_hash_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) nettle-hash$(EXEEXT): $(nettle_hash_OBJS) ../libnettle.stamp $(LINK) $(nettle_hash_OBJS) -lnettle -o $@ nettle_pbkdf2_OBJS = $(nettle_pbkdf2_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) nettle-pbkdf2$(EXEEXT): $(nettle_pbkdf2_OBJS) ../libnettle.stamp $(LINK) $(nettle_pbkdf2_OBJS) -lnettle -o $@ .c.$(OBJEXT): $(COMPILE) -c $< && $(DEP_PROCESS) # NOTE: If we required GNU make, we could use a single rule with $(@F) # or $(notdir $@) ../getopt.$(OBJEXT): ( cd .. && $(MAKE) getopt.$(OBJEXT)) ../getopt1.$(OBJEXT): ( cd .. && $(MAKE) getopt1.$(OBJEXT)) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status tools/$@ check: true install: $(TARGETS) $(MKDIR_P) $(DESTDIR)$(bindir) for f in $(TARGETS) ; do \ $(INSTALL_PROGRAM) $$f $(DESTDIR)$(bindir) ; \ done uninstall: for f in $(TARGETS) ; do \ rm -f $(DESTDIR)$(bindir)/$$f ; \ done # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, equivalent for phony targets. distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) *.o distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h @DEP_INCLUDE@ $(SOURCES:.c=.$(OBJEXT).d) nettle-3.4.1/tools/output.c0000644000175000017500000001517613401564746014726 0ustar nissenisse/* output.c Copyright (C) 2002, 2003, 2009 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "output.h" /* For TMP_ALLOC */ #include "nettle-internal.h" void sexp_output_init(struct sexp_output *output, FILE *f, unsigned width, int prefer_hex) { output->f = f; output->line_width = width; output->coding = NULL; output->prefer_hex = prefer_hex; output->hash = NULL; output->ctx = NULL; output->pos = 0; output->soft_newline = 0; } void sexp_output_hash_init(struct sexp_output *output, const struct nettle_hash *hash, void *ctx) { output->hash = hash; output->ctx = ctx; hash->init(ctx); } static void sexp_put_raw_char(struct sexp_output *output, uint8_t c) { if (putc(c, output->f) < 0) die("Write failed: %s\n", strerror(errno)); output->pos++; output->soft_newline = 0; } void sexp_put_newline(struct sexp_output *output, unsigned indent) { if (output->soft_newline) output->soft_newline = 0; else { unsigned i; sexp_put_raw_char(output, '\n'); output->pos = 0; for(i = 0; i < indent; i++) sexp_put_raw_char(output, ' '); output->pos = indent; } } /* Put a newline, but only if it is followed by another newline, collaps to one newline only. */ void sexp_put_soft_newline(struct sexp_output *output, unsigned indent) { sexp_put_newline(output, indent); output->soft_newline = 1; } void sexp_put_char(struct sexp_output *output, uint8_t c) { if (output->coding) { /* Two is enough for both base16 and base64. */ char encoded[2]; unsigned done; unsigned i; done = output->coding->encode_update(&output->base64, encoded, 1, &c); assert(done <= sizeof(encoded)); for (i = 0; iline_width && output->pos >= output->line_width && output->pos >= (output->coding_indent + 10)) sexp_put_newline(output, output->coding_indent); sexp_put_raw_char(output, encoded[i]); } } else if (output->hash) output->hash->update(output->ctx, 1, &c); else sexp_put_raw_char(output, c); } void sexp_put_data(struct sexp_output *output, unsigned length, const uint8_t *data) { unsigned i; for (i = 0; i length) break; digit = next; } for (; digit; length %= digit, digit /= 10) sexp_put_char(output, '0' + length / digit); } void sexp_put_code_start(struct sexp_output *output, const struct nettle_armor *coding) { assert(!output->coding); output->coding_indent = output->pos; output->coding = coding; output->coding->encode_init(&output->base64); } void sexp_put_code_end(struct sexp_output *output) { /* Enough for both hex and base64 */ char encoded[BASE64_ENCODE_FINAL_LENGTH]; unsigned done; assert(output->coding); done = output->coding->encode_final(&output->base64, encoded); assert(done <= sizeof(encoded)); output->coding = NULL; sexp_put_data(output, done, (const uint8_t*) encoded); } void sexp_put_string(struct sexp_output *output, enum sexp_mode mode, struct nettle_buffer *string) { if (!string->size) sexp_put_data(output, 2, (const uint8_t *) ((mode == SEXP_ADVANCED) ? "\"\"": "0:")); else if (mode == SEXP_ADVANCED) { unsigned i; int token = (string->contents[0] < '0' || string->contents[0] > '9'); int quote_friendly = 1; #define CONTROL_SIZE 0x20 static const char escape_names[CONTROL_SIZE] = { 0,0,0,0,0,0,0,0, 'b','t','n',0,'f','r',0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 }; for (i = 0; isize; i++) { uint8_t c = string->contents[i]; if (token & !TOKEN_CHAR(c)) token = 0; if (quote_friendly) { if (c >= 0x7f) quote_friendly = 0; else if (c < CONTROL_SIZE && !escape_names[c]) quote_friendly = 0; } } if (token) sexp_put_data(output, string->size, string->contents); else if (quote_friendly) { sexp_put_char(output, '"'); for (i = 0; isize; i++) { int escape = 0; uint8_t c = string->contents[i]; assert(c < 0x7f); if (c == '\\' || c == '"') escape = 1; else if (c < CONTROL_SIZE) { escape = 1; c = escape_names[c]; assert(c); } if (escape) sexp_put_char(output, '\\'); sexp_put_char(output, c); } sexp_put_char(output, '"'); } else { uint8_t delimiter; const struct nettle_armor *coding; if (output->prefer_hex) { delimiter = '#'; coding = &nettle_base16; } else { delimiter = '|'; coding = &nettle_base64; } sexp_put_char(output, delimiter); sexp_put_code_start(output, coding); sexp_put_data(output, string->size, string->contents); sexp_put_code_end(output); sexp_put_char(output, delimiter); } #undef CONTROL_SIZE } else { sexp_put_length(output, string->size); sexp_put_char(output, ':'); sexp_put_data(output, string->size, string->contents); } } void sexp_put_digest(struct sexp_output *output) { TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, output->hash->digest_size); assert(output->hash); output->hash->digest(output->ctx, output->hash->digest_size, digest); sexp_put_code_start(output, &nettle_base16); sexp_put_data(output, output->hash->digest_size, digest); sexp_put_code_end(output); } nettle-3.4.1/tools/nettle-lfib-stream.c0000644000175000017500000000373213401564746017057 0ustar nissenisse/* lfib-stream.c Generates a pseudorandom stream, using the Knuth lfib (non-cryptographic) pseudorandom generator. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "knuth-lfib.h" #include #include #include #include #define BUFSIZE 500 static void usage(void) { fprintf(stderr, "Usage: lfib-stream [SEED]\n"); } int main(int argc, char **argv) { struct knuth_lfib_ctx ctx; uint32_t seed; if (argc == 1) seed = time(NULL); else if (argc == 2) { seed = atoi(argv[1]); if (!seed) { usage(); return EXIT_FAILURE; } } else { usage(); return EXIT_FAILURE; } knuth_lfib_init(&ctx, seed); for (;;) { uint8_t buffer[BUFSIZE]; knuth_lfib_random(&ctx, sizeof(buffer), buffer); if (fwrite(buffer, 1, sizeof(buffer), stdout) < sizeof(buffer) || fflush(stdout) < 0) return EXIT_FAILURE; } /* Not reached. This program is usually terminated by SIGPIPE */ } nettle-3.4.1/tools/parse.h0000644000175000017500000000363713401564746014504 0ustar nissenisse/* parse.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_PARSE_H_INCLUDED #define NETTLE_TOOLS_PARSE_H_INCLUDED #include "misc.h" #include "buffer.h" struct sexp_compound_token { enum sexp_token type; struct nettle_buffer display; struct nettle_buffer string; }; void sexp_compound_token_init(struct sexp_compound_token *token); void sexp_compound_token_clear(struct sexp_compound_token *token); struct sexp_parser { struct sexp_input *input; enum sexp_mode mode; /* Nesting level of lists. Transport encoding counts as one * level of nesting. */ unsigned level; /* The nesting level where the transport encoding occured. * Zero if we're not currently using tranport encoding. */ unsigned transport; }; void sexp_parse_init(struct sexp_parser *parser, struct sexp_input *input, enum sexp_mode mode); void sexp_parse(struct sexp_parser *parser, struct sexp_compound_token *token); #endif /* NETTLE_TOOLS_PARSE_H_INCLUDED */ nettle-3.4.1/tools/nettle-hash.c0000644000175000017500000001306113401564746015571 0ustar nissenisse/* nettle-hash.c General hashing tool. Copyright (C) 2011, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-meta.h" #include "base16.h" #include "getopt.h" #include "misc.h" #define BUFSIZE 16384 static void list_algorithms (void) { unsigned i; const struct nettle_hash *alg; printf ("%10s digestsize (internal block size, context size), in units of octets\n", "name"); for (i = 0; (alg = nettle_hashes[i]); i++) printf ("%10s %d (%d, %d)\n", alg->name, alg->digest_size, alg->block_size, alg->context_size); }; /* Also in examples/io.c */ static int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f) { for (;;) { uint8_t buffer[BUFSIZE]; size_t res = fread(buffer, 1, sizeof(buffer), f); if (ferror(f)) return 0; hash->update(ctx, res, buffer); if (feof(f)) return 1; } } static int digest_file(const struct nettle_hash *alg, unsigned digest_length, int raw, FILE *f) { void *ctx; uint8_t *digest; ctx = xalloc(alg->context_size); alg->init(ctx); if (!hash_file (alg, ctx, f)) { free (ctx); return 0; } digest = xalloc(digest_length); alg->digest(ctx, digest_length, digest); free(ctx); if (raw) fwrite (digest, digest_length, 1, stdout); else { unsigned i; char hex[BASE16_ENCODE_LENGTH(8) + 1]; for (i = 0; i + 8 < digest_length; i += 8) { base16_encode_update(hex, 8, digest + i); hex[BASE16_ENCODE_LENGTH(8)] = 0; printf("%s ", hex); } base16_encode_update(hex, digest_length - i, digest + i); hex[BASE16_ENCODE_LENGTH(digest_length - i)] = 0; printf("%s %s\n", hex, alg->name); } free(digest); return 1; } static void usage (FILE *f) { fprintf(f, "Usage: nettle-hash -a ALGORITHM [OPTIONS] [FILE ...]\n" "Options:\n" " --help Show this help.\n" " -V, --version Show version information.\n" " --list List supported hash algorithms.\n" " -a, --algorithm=ALG Hash algorithm to use.\n" " -l, --length=LENGTH Desired digest length (octets)\n" " --raw Raw binary output.\n"); } /* FIXME: Be more compatible with md5sum and sha1sum. Options -c (check), -b (binary), -t (text), and output format with hex hash sum, optional star (meaning binary mode), and file name. */ int main (int argc, char **argv) { const char *alg_name = NULL; const struct nettle_hash *alg; unsigned length = 0; int raw = 0; int c; enum { OPT_HELP = 0x300, OPT_RAW, OPT_LIST }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "algorithm", required_argument, NULL, 'a' }, { "length", required_argument, NULL, 'l' }, { "list", no_argument, NULL, OPT_LIST }, { "raw", no_argument, NULL, OPT_RAW }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Va:l:", options, NULL)) != -1) switch (c) { default: abort(); case '?': usage (stderr); return EXIT_FAILURE; case OPT_HELP: usage (stdout); return EXIT_SUCCESS; case 'V': printf("nettle-hash (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; case 'a': alg_name = optarg; break; case 'l': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid length argument: `%s'\n", optarg); length = arg; } break; case OPT_RAW: raw = 1; break; case OPT_LIST: list_algorithms(); return EXIT_SUCCESS; } if (!alg_name) die("Algorithm argument (-a option) is mandatory.\n" "See nettle-hash --help for further information.\n"); alg = nettle_lookup_hash (alg_name); if (!alg) die("Hash algorithm `%s' not supported or .\n" "Use nettle-hash --list to list available algorithms.\n", alg_name); if (length == 0) length = alg->digest_size; else if (length > alg->digest_size) die ("Length argument %d too large for selected algorithm.\n", length); argv += optind; argc -= optind; if (argc == 0) digest_file (alg, length, raw, stdin); else { int i; for (i = 0; i < argc; i++) { FILE *f = fopen (argv[i], "rb"); if (!f) die ("Cannot open `%s': %s\n", argv[i], STRERROR(errno)); printf("%s: ", argv[i]); if (!digest_file (alg, length, raw, f)) die("Reading `%s' failed: %s\n", argv[i], STRERROR(errno)); fclose(f); } } if (fflush(stdout) != 0 ) die("Write failed: %s\n", STRERROR(errno)); return EXIT_SUCCESS; } nettle-3.4.1/tools/pkcs1-conv.c0000644000175000017500000003646113401564746015352 0ustar nissenisse/* pkcs1-conv.c Converting pkcs#1 and related keys to sexp format. Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "asn1.h" #include "base64.h" #include "buffer.h" #include "rsa.h" #include "dsa.h" #include "getopt.h" #include "misc.h" enum object_type { /* Use a range of values which also work as option id:s */ RSA_PRIVATE_KEY = 0x200, RSA_PUBLIC_KEY, DSA_PRIVATE_KEY, /* DSA public keys only supported as part of a SubjectPublicKeyInfo, i.e., the GENERAL_PUBLIC_KEY case. */ GENERAL_PUBLIC_KEY, }; static int write_file(struct nettle_buffer *buffer, FILE *f) { size_t res = fwrite(buffer->contents, 1, buffer->size, f); if (res < buffer->size) { werror("Write failed: %s.\n", strerror(errno)); return 0; } else return 1; } /* Return 1 on success, 0 on error, -1 on eof */ static int read_line(struct nettle_buffer *buffer, FILE *f) { int c; while ((c = getc(f)) != EOF) { if (!NETTLE_BUFFER_PUTC(buffer, c)) return 0; if (c == '\n') return 1; } if (ferror(f)) { werror("Read failed: %s\n", strerror(errno)); return 0; } else return -1; } static int read_file(struct nettle_buffer *buffer, FILE *f) { int c; while ((c = getc(f)) != EOF) if (!NETTLE_BUFFER_PUTC(buffer, c)) return 0; if (ferror(f)) { werror("Read failed: %s\n", strerror(errno)); return 0; } else return 1; } static const uint8_t pem_start_pattern[11] = "-----BEGIN "; static const uint8_t pem_end_pattern[9] = "-----END "; static const uint8_t pem_trailer_pattern[5] = "-----"; static const char pem_ws[33] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, /* \t, \n, \v, \f, \r */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 /* SPC */ }; #define PEM_IS_SPACE(c) ((c) < sizeof(pem_ws) && pem_ws[(c)]) /* Returns 1 on match, otherwise 0. */ static int match_pem_start(size_t length, const uint8_t *line, size_t *marker_start, size_t *marker_length) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) length--; if (length > (sizeof(pem_start_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line, pem_start_pattern, sizeof(pem_start_pattern)) == 0 && memcmp(line + length - sizeof(pem_trailer_pattern), pem_trailer_pattern, sizeof(pem_trailer_pattern)) == 0) { *marker_start = 11; *marker_length = length - (sizeof(pem_start_pattern) + sizeof(pem_trailer_pattern)); return 1; } else return 0; } /* Returns 1 on match, -1 if the line is of the right form except for the marker, otherwise 0. */ static int match_pem_end(size_t length, const uint8_t *line, size_t marker_length, const uint8_t *marker) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) length--; if (length > (sizeof(pem_end_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line, pem_end_pattern, sizeof(pem_end_pattern)) == 0 && memcmp(line + length - sizeof(pem_trailer_pattern), pem_trailer_pattern, sizeof(pem_trailer_pattern)) == 0) { /* Right form. Check marker */ if (length == marker_length + (sizeof(pem_end_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line + sizeof(pem_end_pattern), marker, marker_length) == 0) return 1; else return -1; } else return 0; } struct pem_info { /* The FOO part in "-----BEGIN FOO-----" */ size_t marker_start; size_t marker_length; size_t data_start; size_t data_length; }; static int read_pem(struct nettle_buffer *buffer, FILE *f, struct pem_info *info) { /* Find start line */ for (;;) { int res; nettle_buffer_reset(buffer); res = read_line(buffer, f); if (res != 1) return res; if (match_pem_start(buffer->size, buffer->contents, &info->marker_start, &info->marker_length)) break; } /* NUL-terminate the marker. Don't care to check for embedded NULs. */ buffer->contents[info->marker_start + info->marker_length] = 0; info->data_start = buffer->size; for (;;) { size_t line_start = buffer->size; if (read_line(buffer, f) != 1) return 0; switch (match_pem_end(buffer->size - line_start, buffer->contents + line_start, info->marker_length, buffer->contents + info->marker_start)) { case 0: break; case -1: werror("PEM END line doesn't match BEGIN.\n"); return 0; case 1: /* Return base 64 data; let caller do the decoding */ info->data_length = line_start - info->data_start; return 1; } } } static inline int base64_decode_in_place (struct base64_decode_ctx *ctx, size_t *dst_length, size_t length, uint8_t *data) { return base64_decode_update (ctx, dst_length, data, length, (const char *) data); } static int decode_base64(struct nettle_buffer *buffer, size_t start, size_t *length) { struct base64_decode_ctx ctx; base64_decode_init(&ctx); /* Decode in place */ if (base64_decode_in_place(&ctx, length, *length, buffer->contents + start) && base64_decode_final(&ctx)) return 1; else { werror("Invalid base64 date.\n"); return 0; } } static int convert_rsa_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct rsa_public_key pub; int res; rsa_public_key_init(&pub); if (rsa_keypair_from_der(&pub, NULL, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, NULL); } else { werror("Invalid PKCS#1 public key.\n"); res = 0; } rsa_public_key_clear(&pub); return res; } static int convert_rsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct rsa_public_key pub; struct rsa_private_key priv; int res; rsa_public_key_init(&pub); rsa_private_key_init(&priv); if (rsa_keypair_from_der(&pub, &priv, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, &priv); } else { werror("Invalid PKCS#1 private key.\n"); res = 0; } rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); return res; } static int convert_dsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct dsa_params params; mpz_t pub; mpz_t priv; int res; dsa_params_init (¶ms); mpz_init (pub); mpz_init (priv); if (dsa_openssl_private_key_from_der(¶ms, pub, priv, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = dsa_keypair_to_sexp(buffer, NULL, ¶ms, pub, priv); } else { werror("Invalid OpenSSL private key.\n"); res = 0; } dsa_params_clear (¶ms); mpz_clear (pub); mpz_clear (priv); return res; } /* Returns 1 on success, 0 on error, and -1 for unsupported algorithms. */ static int convert_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { /* SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters OPTIONAL } */ struct asn1_der_iterator i; struct asn1_der_iterator j; int res = 0; if (asn1_der_iterator_first(&i, length, data) == ASN1_ITERATOR_CONSTRUCTED && i.type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(&i) == ASN1_ITERATOR_CONSTRUCTED && i.type == ASN1_SEQUENCE /* Use the j iterator to parse the algorithm identifier */ && asn1_der_decode_constructed(&i, &j) == ASN1_ITERATOR_PRIMITIVE && j.type == ASN1_IDENTIFIER && asn1_der_iterator_next(&i) == ASN1_ITERATOR_PRIMITIVE && i.type == ASN1_BITSTRING /* Use i to parse the object wrapped in the bit string.*/ && asn1_der_decode_bitstring_last(&i)) { /* pkcs-1 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) modules(0) pkcs-1(1) } -- -- When rsaEncryption is used in an AlgorithmIdentifier the -- parameters MUST be present and MUST be NULL. -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */ static const uint8_t id_rsaEncryption[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 }; /* -- -- When dsa is used in an AlgorithmIdentifier the -- parameters MUST be present and MUST NOT be NULL. -- dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } */ static const uint8_t id_dsa[7] = { 0x2A, 0x86, 0x48, 0xCE, 0x38, 0x04, 0x01 }; switch (j.length) { unknown: default: werror("SubjectPublicKeyInfo: Unsupported algorithm.\n"); res = -1; break; case 7: if (memcmp(j.data, id_dsa, 7) == 0) { if (asn1_der_iterator_next(&j) == ASN1_ITERATOR_CONSTRUCTED && asn1_der_decode_constructed_last(&j) == ASN1_ITERATOR_PRIMITIVE) { struct dsa_params params; mpz_t pub; dsa_params_init (¶ms); mpz_init (pub); if (dsa_params_from_der_iterator(¶ms, 0, 0, &i) && dsa_public_key_from_der_iterator(¶ms, pub, &j)) { nettle_buffer_reset(buffer); res = dsa_keypair_to_sexp(buffer, NULL, ¶ms, pub, NULL) > 0; } dsa_params_clear(¶ms); mpz_clear(pub); } if (!res) werror("SubjectPublicKeyInfo: Invalid DSA key.\n"); break; } else goto unknown; case 9: if (memcmp(j.data, id_rsaEncryption, 9) == 0) { if (asn1_der_iterator_next(&j) == ASN1_ITERATOR_PRIMITIVE && j.type == ASN1_NULL && j.length == 0 && asn1_der_iterator_next(&j) == ASN1_ITERATOR_END) { struct rsa_public_key pub; rsa_public_key_init(&pub); if (rsa_public_key_from_der_iterator(&pub, 0, &i)) { nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, NULL) > 0; } rsa_public_key_clear(&pub); } if (!res) werror("SubjectPublicKeyInfo: Invalid RSA key.\n"); break; } else goto unknown; } } else werror("SubjectPublicKeyInfo: Invalid object.\n"); return res; } /* NOTE: Destroys contents of buffer */ /* Returns 1 on success, 0 on error, and -1 for unsupported algorithms. */ static int convert_type(struct nettle_buffer *buffer, enum object_type type, size_t length, const uint8_t *data) { int res; switch(type) { default: abort(); case GENERAL_PUBLIC_KEY: res = convert_public_key(buffer, length, data); break; case RSA_PUBLIC_KEY: res = convert_rsa_public_key(buffer, length, data); break; case RSA_PRIVATE_KEY: res = convert_rsa_private_key(buffer, length, data); break; case DSA_PRIVATE_KEY: res = convert_dsa_private_key(buffer, length, data); break; } if (res > 0) res = write_file(buffer, stdout); return res; } static int convert_file(struct nettle_buffer *buffer, FILE *f, enum object_type type, int base64) { if (type) { read_file(buffer, f); if (base64 && !decode_base64(buffer, 0, &buffer->size)) return 0; if (convert_type(buffer, type, buffer->size, buffer->contents) != 1) return 0; return 1; } else { /* PEM processing */ for (;;) { struct pem_info info; const uint8_t *marker; nettle_buffer_reset(buffer); switch (read_pem(buffer, f, &info)) { default: return 0; case 1: break; case -1: /* EOF */ return 1; } if (!decode_base64(buffer, info.data_start, &info.data_length)) return 0; marker = buffer->contents + info.marker_start; type = 0; switch (info.marker_length) { case 10: if (memcmp(marker, "PUBLIC KEY", 10) == 0) type = GENERAL_PUBLIC_KEY; break; case 14: if (memcmp(marker, "RSA PUBLIC KEY", 14) == 0) type = RSA_PUBLIC_KEY; break; case 15: if (memcmp(marker, "RSA PRIVATE KEY", 15) == 0) type = RSA_PRIVATE_KEY; else if (memcmp(marker, "DSA PRIVATE KEY", 15) == 0) type = DSA_PRIVATE_KEY; break; } if (!type) werror("Ignoring unsupported object type `%s'.\n", marker); else if (convert_type(buffer, type, info.data_length, buffer->contents + info.data_start) != 1) return 0; } } } int main(int argc, char **argv) { struct nettle_buffer buffer; enum object_type type = 0; int base64 = 0; int c; enum { OPT_HELP = 0x300, OPT_PRIVATE_RSA = RSA_PRIVATE_KEY, OPT_PUBLIC_RSA = RSA_PUBLIC_KEY, OPT_PRIVATE_DSA = DSA_PRIVATE_KEY, OPT_PUBLIC_KEY = GENERAL_PUBLIC_KEY, }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "private-rsa-key", no_argument, NULL, OPT_PRIVATE_RSA }, { "public-rsa-key", no_argument, NULL, OPT_PUBLIC_RSA }, { "private-dsa-key", no_argument, NULL, OPT_PRIVATE_DSA }, { "public-key-info", no_argument, NULL, OPT_PUBLIC_KEY }, { "base-64", no_argument, NULL, 'b' }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Vb", options, NULL)) != -1) { switch (c) { default: abort(); case 'b': base64 = 1; break; case OPT_PRIVATE_RSA: case OPT_PUBLIC_RSA: case OPT_PRIVATE_DSA: case OPT_PUBLIC_KEY: /* Same values as the type codes. */ type = c; break; case OPT_HELP: printf("FIXME: Usage information.\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; case 'V': printf("pkcs1-conv (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; } } nettle_buffer_init_realloc(&buffer, NULL, nettle_xrealloc); if (optind == argc) { if (!convert_file(&buffer, stdin, type, base64)) return EXIT_FAILURE; } else { int i; const char *mode = (type || base64) ? "r" : "rb"; for (i = optind; i < argc; i++) { FILE *f = fopen(argv[i], mode); if (!f) die("Failed to open `%s': %s.\n", argv[i], strerror(errno)); if (!convert_file(&buffer, f, type, base64)) return EXIT_FAILURE; fclose(f); } } nettle_buffer_clear (&buffer); return EXIT_SUCCESS; } nettle-3.4.1/tools/sexp-conv.c0000644000175000017500000002712113401564746015301 0ustar nissenisse/* sexp-conv.c Conversion tool for handling the different flavours of sexp syntax. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #if HAVE_FCNTL_LOCKING # if HAVE_SYS_TYPES_H # include # endif # if HAVE_UNISTD_H # include # endif # include #endif #include "buffer.h" #include "nettle-meta.h" #include "getopt.h" #include "input.h" #include "output.h" #include "parse.h" #define BUG_ADDRESS "nettle-bugs@lists.lysator.liu.se" /* Conversion functions. */ /* Should be called with input->token being the first token of the * expression, to be converted, and return with input->token being the * last token of the expression. */ static void sexp_convert_item(struct sexp_parser *parser, struct sexp_compound_token *token, struct sexp_output *output, enum sexp_mode mode_out, unsigned indent) { if (mode_out == SEXP_TRANSPORT) { sexp_put_char(output, '{'); sexp_put_code_start(output, &nettle_base64); sexp_convert_item(parser, token, output, SEXP_CANONICAL, 0); sexp_put_code_end(output); sexp_put_char(output, '}'); } else switch(token->type) { case SEXP_LIST_END: die("Unmatched end of list.\n"); case SEXP_EOF: die("Unexpected end of file.\n"); case SEXP_CODING_END: die("Unexpected end of coding.\n"); case SEXP_LIST_START: { unsigned item; sexp_put_char(output, '('); for (item = 0; sexp_parse(parser, token), token->type != SEXP_LIST_END; item++) { if (mode_out == SEXP_ADVANCED) { /* FIXME: Adapt pretty printing to handle a big first * element. */ switch (item) { case 0: if (token->type == SEXP_COMMENT) { indent = output->pos; /* Disable the indentation setup for next item */ item++; } break; case 1: sexp_put_char(output, ' '); indent = output->pos; break; default: sexp_put_newline(output, indent); break; } } sexp_convert_item(parser, token, output, mode_out, indent); } sexp_put_char(output, ')'); break; } case SEXP_STRING: sexp_put_string(output, mode_out, &token->string); break; case SEXP_DISPLAY: sexp_put_char(output, '['); sexp_put_string(output, mode_out, &token->display); sexp_put_char(output, ']'); sexp_put_string(output, mode_out, &token->string); break; case SEXP_COMMENT: if (mode_out == SEXP_ADVANCED) { sexp_put_data(output, token->string.size, token->string.contents); sexp_put_soft_newline(output, indent); } break; default: /* Internal error */ abort(); } } /* Argument parsing and main program */ /* The old lsh sexp-conv program took the following options: * * Usage: sexp-conv [OPTION...] * Conversion: sexp-conv [options] OUTPUT * or: sexp-conv [OPTION...] * Fingerprinting: sexp-conv --raw-hash [ --hash=ALGORITHM ] * mode = SEXP_ADVANCED; o->prefer_hex = 0; o->once = 0; o->lock = 0; o->hash = NULL; o->width = 72; for (;;) { static const struct nettle_hash *hashes[] = { &nettle_md5, &nettle_sha1, &nettle_sha256, NULL }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "once", no_argument, NULL, OPT_ONCE }, { "syntax", required_argument, NULL, 's' }, { "hash", optional_argument, NULL, OPT_HASH }, { "raw-hash", optional_argument, NULL, OPT_HASH }, { "width", required_argument, NULL, 'w' }, #if HAVE_FCNTL_LOCKING { "lock", no_argument, NULL, OPT_LOCK }, #endif #if 0 /* Not yet implemented */ { "replace", required_argument, NULL, OPT_REPLACE }, { "select", required_argument, NULL, OPT_SELECT }, { "spki-hash", optional_argument, NULL, OPT_SPKI_HASH }, #endif { NULL, 0, NULL, 0 } }; int c; int option_index = 0; unsigned i; c = getopt_long(argc, argv, "Vs:w:", options, &option_index); switch (c) { default: abort(); case -1: if (optind != argc) die("sexp-conv: Command line takes no arguments, only options.\n"); return; case '?': exit(EXIT_FAILURE); case 'w': { char *end; int width = strtol(optarg, &end , 0); if (!*optarg || *end || width < 0) die("sexp-conv: Invalid width `%s'.\n", optarg); o->width = width; break; } case 's': if (o->hash) werror("sexp-conv: Combining --hash and -s usually makes no sense.\n"); if (match_argument(optarg, "advanced")) o->mode = SEXP_ADVANCED; else if (match_argument(optarg, "transport")) o->mode = SEXP_TRANSPORT; else if (match_argument(optarg, "canonical")) o->mode = SEXP_CANONICAL; else if (match_argument(optarg, "hex")) { o->mode = SEXP_ADVANCED; o->prefer_hex = 1; } else die("Available syntax variants: advanced, transport, canonical\n"); break; case OPT_ONCE: o->once = 1; break; case OPT_HASH: o->mode = SEXP_CANONICAL; if (!optarg) o->hash = &nettle_sha1; else for (i = 0;; i++) { if (!hashes[i]) die("sexp_conv: Unknown hash algorithm `%s'\n", optarg); if (match_argument(optarg, hashes[i]->name)) { o->hash = hashes[i]; break; } } break; #if HAVE_FCNTL_LOCKING case OPT_LOCK: o->lock = 1; break; #endif case OPT_HELP: printf("Usage: sexp-conv [OPTION...]\n" " Conversion: sexp-conv [OPTION...] name); } printf(" (default is sha1).\n" " -s, --syntax=SYNTAX The syntax used for the output. Available\n" " variants: advanced, hex, transport, canonical\n" " --once Process only the first s-expression.\n" " -w, --width=WIDTH Linewidth for base64 encoded data.\n" " Zero means no limit.\n" #if HAVE_FCNTL_LOCKING " --lock Lock output file.\n" #endif " --raw-hash Alias for --hash, for compatibility\n" " with lsh-1.x.\n\n" "Report bugs to " BUG_ADDRESS ".\n"); exit(EXIT_SUCCESS); case 'V': printf("sexp-conv (" PACKAGE_STRING ")\n"); exit (EXIT_SUCCESS); } } } int main(int argc, char **argv) { struct conv_options options; struct sexp_input input; struct sexp_parser parser; struct sexp_compound_token token; struct sexp_output output; parse_options(&options, argc, argv); sexp_input_init(&input, stdin); sexp_parse_init(&parser, &input, SEXP_ADVANCED); sexp_compound_token_init(&token); sexp_output_init(&output, stdout, options.width, options.prefer_hex); #if HAVE_FCNTL_LOCKING if (options.lock) { struct flock fl; memset(&fl, 0, sizeof(fl)); fl.l_type = F_WRLCK; fl.l_whence = SEEK_SET; fl.l_start = 0; fl.l_len = 0; /* Means entire file. */ if (fcntl(STDOUT_FILENO, F_SETLKW, &fl) == -1) die("Locking output file failed: %s\n", strerror(errno)); } #endif /* HAVE_FCNTL_LOCKING */ if (options.hash) { /* Leaks the context, but that doesn't matter */ void *ctx = xalloc(options.hash->context_size); sexp_output_hash_init(&output, options.hash, ctx); } sexp_get_char(&input); sexp_parse(&parser, &token); if (token.type == SEXP_EOF) { if (options.once) die("sexp-conv: No input expression.\n"); return EXIT_SUCCESS; } do { sexp_convert_item(&parser, &token, &output, options.mode, 0); if (options.hash) { sexp_put_digest(&output); sexp_put_newline(&output, 0); } else if (options.mode != SEXP_CANONICAL) sexp_put_newline(&output, 0); sexp_parse(&parser, &token); } while (!options.once && token.type != SEXP_EOF); sexp_compound_token_clear(&token); if (fflush(output.f) < 0) die("Final fflush failed: %s.\n", strerror(errno)); return EXIT_SUCCESS; } nettle-3.4.1/tools/parse.c0000644000175000017500000001040213401564746014463 0ustar nissenisse/* parse.c Copyright (C) 2002, 2003, 2008 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "parse.h" #include "input.h" void sexp_compound_token_init(struct sexp_compound_token *token) { token->type = 0; nettle_buffer_init(&token->display); nettle_buffer_init(&token->string); } void sexp_compound_token_clear(struct sexp_compound_token *token) { nettle_buffer_clear(&token->display); nettle_buffer_clear(&token->string); } void sexp_parse_init(struct sexp_parser *parser, struct sexp_input *input, enum sexp_mode mode) { parser->input = input; parser->mode = mode; /* Start counting with 1 for the top level, to make comparisons * between transport and level simpler. * * FIXME: Is that trick ugly? */ parser->level = 1; parser->transport = 0; } /* Get next token, and check that it is of the expected kind. */ static void sexp_check_token(struct sexp_parser *parser, enum sexp_token token, struct nettle_buffer *string) { sexp_get_token(parser->input, parser->transport ? SEXP_CANONICAL : parser->mode, string); if (parser->input->token != token) die("Syntax error.\n"); } /* Performs further processing of the input, in particular display * types and transport decoding. * * This is complicated a little by the requirement that a * transport-encoded block, {xxxxx}, must include exactly one * expression. We check at the end of strings and list whether or not * we should expect a SEXP_CODING_END as the next token. */ void sexp_parse(struct sexp_parser *parser, struct sexp_compound_token *token) { for (;;) { sexp_get_token(parser->input, parser->transport ? SEXP_CANONICAL : parser->mode, &token->string); switch(parser->input->token) { case SEXP_LIST_END: if (parser->level == parser->transport) die("Unmatched end of list in transport encoded data.\n"); parser->level--; if (!parser->level) die("Unmatched end of list.\n"); token->type = SEXP_LIST_END; check_transport_end: if (parser->level == parser->transport) { sexp_check_token(parser, SEXP_CODING_END, &token->string); assert(parser->transport); assert(parser->level == parser->transport); parser->level--; parser->transport = 0; } return; case SEXP_EOF: if (parser->level > 1) die("Unexpected end of file.\n"); token->type = SEXP_EOF; return; case SEXP_LIST_START: parser->level++; token->type = SEXP_LIST_START; return; case SEXP_DISPLAY_START: sexp_check_token(parser, SEXP_STRING, &token->display); sexp_check_token(parser, SEXP_DISPLAY_END, &token->display); sexp_check_token(parser, SEXP_STRING, &token->string); token->type = SEXP_DISPLAY; goto check_transport_end; case SEXP_STRING: token->type = SEXP_STRING; goto check_transport_end; case SEXP_COMMENT: token->type = SEXP_COMMENT; return; case SEXP_TRANSPORT_START: if (parser->mode == SEXP_CANONICAL) die("Base64 not allowed in canonical mode.\n"); parser->level++; parser->transport = parser->level; continue; case SEXP_CODING_END: die("Unexpected end of transport encoding.\n"); case SEXP_DISPLAY_END: die("Unexpected end of display tag.\n"); case SEXP_DISPLAY: /* Internal error. */ abort(); } } } nettle-3.4.1/md5-meta.c0000644000175000017500000000222213401564745013622 0ustar nissenisse/* md5-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md5.h" const struct nettle_hash nettle_md5 = _NETTLE_HASH(md5, MD5); nettle-3.4.1/x86/0000755000175000017500000000000013401564746012475 5ustar nissenissenettle-3.4.1/x86/aes-decrypt-internal.asm0000644000175000017500000000773313401564746017243 0ustar nissenisseC x86/aes-decrypt-internal.asm ifelse(< Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Register usage: C AES state define(,<%eax>) define(,<%ebx>) define(,<%ecx>) define(,<%edx>) C Primary use of these registers. They're also used temporarily for other things. define(,<%ebp>) define(,<%edi>) define(,<%esi>) define(, <40(%esp)>) define(, <44(%esp)>) define(, <48(%esp)>) define(, <52(%esp)>) define(, <56(%esp)>) define(, <60(%esp)>) define(, <16(%esp)>) define(, <12(%esp)>) define(, <8(%esp)>) define(, <4(%esp)>) define(, <(%esp)>) C The aes state is kept in %eax, %ebx, %ecx and %edx C C %esi is used as temporary, to point to the input, and to the C subkeys, etc. C C %ebp is used as the round counter, and as a temporary in the final round. C C %edi is a temporary, often used as an accumulator. .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) C save all registers that need to be saved pushl %ebx C 20(%esp) pushl %ebp C 16(%esp) pushl %esi C 12(%esp) pushl %edi C 8(%esp) subl $20, %esp C loop counter and save area for the key pointer movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend shrl $4, PARAM_LENGTH subl $1, PARAM_ROUNDS .Lblock_loop: movl PARAM_KEYS, KEY C address of subkeys movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) addl $16, PARAM_SRC C Increment src pointer movl PARAM_TABLE, T movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT addl $16,KEY C point to next key movl KEY,FRAME_KEY ALIGN(16) .Lround_loop: AES_ROUND(T, SA,SD,SC,SB, TMP, KEY) movl TMP, TA AES_ROUND(T, SB,SA,SD,SC, TMP, KEY) movl TMP, TB AES_ROUND(T, SC,SB,SA,SD, TMP, KEY) movl TMP, TC AES_ROUND(T, SD,SC,SB,SA, SD, KEY) movl TA, SA movl TB, SB movl TC, SC movl FRAME_KEY, KEY xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD addl $16,FRAME_KEY C point to next key decl FRAME_COUNT jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SD,SC,SB,T, TMP, KEY) movl TMP, TA AES_FINAL_ROUND(SB,SA,SD,SC,T, TMP, KEY) movl TMP, TB AES_FINAL_ROUND(SC,SB,SA,SD,T, TMP, KEY) movl TMP, TC AES_FINAL_ROUND(SD,SC,SB,SA,T, SD, KEY) movl TA, SA movl TB, SB movl TC, SC C Inverse S-box substitution mov $3,TMP .Lsubst: AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store decrypted data movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) addl $16, PARAM_DST C Increment destination pointer decl PARAM_LENGTH jnz .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_aes_decrypt) nettle-3.4.1/x86/md5-compress.asm0000644000175000017500000001434613401564746015525 0ustar nissenisseC x86/md5-compress.asm ifelse(< Copyright (C) 2005, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage define(,<%eax>) define(,<%ebx>) define(,<%ecx>) define(,<%edx>) define(,<%ebp>) define(,<%esi>) C %edi is unused C F1(x,y,z) = (z ^ (x & (y ^ z))) define(, < movl $3, TMP xorl $2, TMP andl $1, TMP xorl $3, TMP>) define(,) C F3(x,y,z) = x ^ y ^ z define(,< movl $1, TMP xorl $2, TMP xorl $3, TMP>) C F4(x,y,z) = y ^ (x | ~z) define(,< movl $3, TMP notl TMP orl $1, TMP xorl $2, TMP>) define(,) C ROUND(f, w, x, y, z, k, data, s): C w += f(x,y,z) + data + k C w <<< s C w += x define(,< addl $7, $2 $1($3, $4, $5) addl $6, $2 addl TMP, $2 roll <$>$8, $2 addl $3, $2>) .file "md5-compress.asm" C _nettle_md5_compress(uint32_t *state, uint8_t *data) .text ALIGN(16) PROLOGUE(_nettle_md5_compress) C save all registers that need to be saved C 24(%esp) input C 20(%esp) state C 16(%esp) Return address pushl %ebx C 12(%esp) pushl %ebp C 8(%esp) pushl %esi C 4(%esp) pushl %edi C (%esp) C load the state vector movl 20(%esp),TMP movl (TMP), SA movl 4(TMP), SB movl 8(TMP), SC movl 12(TMP), SD C Pointer to source data. C Note that if unaligned, we suffer unaligned accesses movl 24(%esp), INPUT ROUND(, SA, SB, SC, SD, REF( 0), $0xd76aa478, 7) ROUND(, SD, SA, SB, SC, REF( 1), $0xe8c7b756, 12) ROUND(, SC, SD, SA, SB, REF( 2), $0x242070db, 17) ROUND(, SB, SC, SD, SA, REF( 3), $0xc1bdceee, 22) ROUND(, SA, SB, SC, SD, REF( 4), $0xf57c0faf, 7) ROUND(, SD, SA, SB, SC, REF( 5), $0x4787c62a, 12) ROUND(, SC, SD, SA, SB, REF( 6), $0xa8304613, 17) ROUND(, SB, SC, SD, SA, REF( 7), $0xfd469501, 22) ROUND(, SA, SB, SC, SD, REF( 8), $0x698098d8, 7) ROUND(, SD, SA, SB, SC, REF( 9), $0x8b44f7af, 12) ROUND(, SC, SD, SA, SB, REF(10), $0xffff5bb1, 17) ROUND(, SB, SC, SD, SA, REF(11), $0x895cd7be, 22) ROUND(, SA, SB, SC, SD, REF(12), $0x6b901122, 7) ROUND(, SD, SA, SB, SC, REF(13), $0xfd987193, 12) ROUND(, SC, SD, SA, SB, REF(14), $0xa679438e, 17) ROUND(, SB, SC, SD, SA, REF(15), $0x49b40821, 22) ROUND(, SA, SB, SC, SD, REF( 1), $0xf61e2562, 5) ROUND(, SD, SA, SB, SC, REF( 6), $0xc040b340, 9) ROUND(, SC, SD, SA, SB, REF(11), $0x265e5a51, 14) ROUND(, SB, SC, SD, SA, REF( 0), $0xe9b6c7aa, 20) ROUND(, SA, SB, SC, SD, REF( 5), $0xd62f105d, 5) ROUND(, SD, SA, SB, SC, REF(10), $0x02441453, 9) ROUND(, SC, SD, SA, SB, REF(15), $0xd8a1e681, 14) ROUND(, SB, SC, SD, SA, REF( 4), $0xe7d3fbc8, 20) ROUND(, SA, SB, SC, SD, REF( 9), $0x21e1cde6, 5) ROUND(, SD, SA, SB, SC, REF(14), $0xc33707d6, 9) ROUND(, SC, SD, SA, SB, REF( 3), $0xf4d50d87, 14) ROUND(, SB, SC, SD, SA, REF( 8), $0x455a14ed, 20) ROUND(, SA, SB, SC, SD, REF(13), $0xa9e3e905, 5) ROUND(, SD, SA, SB, SC, REF( 2), $0xfcefa3f8, 9) ROUND(, SC, SD, SA, SB, REF( 7), $0x676f02d9, 14) ROUND(, SB, SC, SD, SA, REF(12), $0x8d2a4c8a, 20) ROUND(, SA, SB, SC, SD, REF( 5), $0xfffa3942, 4) ROUND(, SD, SA, SB, SC, REF( 8), $0x8771f681, 11) ROUND(, SC, SD, SA, SB, REF(11), $0x6d9d6122, 16) ROUND(, SB, SC, SD, SA, REF(14), $0xfde5380c, 23) ROUND(, SA, SB, SC, SD, REF( 1), $0xa4beea44, 4) ROUND(, SD, SA, SB, SC, REF( 4), $0x4bdecfa9, 11) ROUND(, SC, SD, SA, SB, REF( 7), $0xf6bb4b60, 16) ROUND(, SB, SC, SD, SA, REF(10), $0xbebfbc70, 23) ROUND(, SA, SB, SC, SD, REF(13), $0x289b7ec6, 4) ROUND(, SD, SA, SB, SC, REF( 0), $0xeaa127fa, 11) ROUND(, SC, SD, SA, SB, REF( 3), $0xd4ef3085, 16) ROUND(, SB, SC, SD, SA, REF( 6), $0x04881d05, 23) ROUND(, SA, SB, SC, SD, REF( 9), $0xd9d4d039, 4) ROUND(, SD, SA, SB, SC, REF(12), $0xe6db99e5, 11) ROUND(, SC, SD, SA, SB, REF(15), $0x1fa27cf8, 16) ROUND(, SB, SC, SD, SA, REF( 2), $0xc4ac5665, 23) ROUND(, SA, SB, SC, SD, REF( 0), $0xf4292244, 6) ROUND(, SD, SA, SB, SC, REF( 7), $0x432aff97, 10) ROUND(, SC, SD, SA, SB, REF(14), $0xab9423a7, 15) ROUND(, SB, SC, SD, SA, REF( 5), $0xfc93a039, 21) ROUND(, SA, SB, SC, SD, REF(12), $0x655b59c3, 6) ROUND(, SD, SA, SB, SC, REF( 3), $0x8f0ccc92, 10) ROUND(, SC, SD, SA, SB, REF(10), $0xffeff47d, 15) ROUND(, SB, SC, SD, SA, REF( 1), $0x85845dd1, 21) ROUND(, SA, SB, SC, SD, REF( 8), $0x6fa87e4f, 6) ROUND(, SD, SA, SB, SC, REF(15), $0xfe2ce6e0, 10) ROUND(, SC, SD, SA, SB, REF( 6), $0xa3014314, 15) ROUND(, SB, SC, SD, SA, REF(13), $0x4e0811a1, 21) ROUND(, SA, SB, SC, SD, REF( 4), $0xf7537e82, 6) ROUND(, SD, SA, SB, SC, REF(11), $0xbd3af235, 10) ROUND(, SC, SD, SA, SB, REF( 2), $0x2ad7d2bb, 15) ROUND(, SB, SC, SD, SA, REF( 9), $0xeb86d391, 21) C Update the state vector movl 20(%esp),TMP addl SA, (TMP) addl SB, 4(TMP) addl SC, 8(TMP) addl SD, 12(TMP) popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_md5_compress) nettle-3.4.1/x86/aes.m40000644000175000017500000000366613401564746013522 0ustar nissenissednl AES_LOAD(a, b, c, d, src, key) dnl Loads the next block of data from src, and add the subkey pointed dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(, < movl ($5),$1 movl 4($5),$2 movl 8($5),$3 movl 12($5),$4 xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 xorl 12($6),$4>)dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(, < xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 xorl 12($5),$4 movl $1,($6) movl $2,4($6) movl $3,8($6) movl $4,12($6)>)dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. define(, < movzbl LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzbl HREG($3), $7 xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,$7 shrl <$>16,$7 andl <$>0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,$7 shrl <$>24,$7 xorl AES_TABLE3 ($1, $7, 4),$6>)dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. dnl Note that we have to quote $ in constants. define(, < movzbl LREG($1),$6 movzbl ($5, $6), $6 movl $2,$7 andl <$>0x0000ff00,$7 orl $7, $6 movl $3,$7 andl <$>0x00ff0000,$7 orl $7, $6 movl $4,$7 andl <$>0xff000000,$7 orl $7, $6 roll <$>8, $6>)dnl dnl AES_SUBST_BYTE(A, B, C, D, table, ptr) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. dnl Uses that AES_SBOX == 0 define(, < movzbl LREG($1),$6 movb ($5, $6),LREG($1) roll <$>8,$1 movzbl LREG($2),$6 movb ($5, $6),LREG($2) roll <$>8,$2 movzbl LREG($3),$6 movb ($5, $6),LREG($3) roll <$>8,$3 movzbl LREG($4),$6 movb ($5, $6),LREG($4) roll <$>8,$4>)dnl nettle-3.4.1/x86/machine.m40000644000175000017500000000057413401564746014351 0ustar nissenisseC OFFSET(i) C Expands to 4*i, or to the empty string if i is zero define(, ) dnl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. define(,)dnl define(,)dnl nettle-3.4.1/x86/camellia-crypt-internal.asm0000644000175000017500000001111213401564746017713 0ustar nissenisseC x86/camellia-crypt-internal.asm ifelse(< Copyright (C) 2010, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage: C Camellia state, 128-bit value in little endian order. C L0, H0 corresponds to D1 in the spec and i0 in the C implementation. C while L1, H1 corresponds to D2/i1. define(,<%eax>) define(,<%ebx>) define(,<%ecx>) define(

,<%edx>) define(,<%ebp>) define(,<%esi>) define(,<%edi>) C Locals on the stack define(, <(%esp)>) define(, <4(%esp)>) define(, <8(%esp)>) define(, <12(%esp)>) define(, <16(%esp)>) C Arguments on stack. define(, <40(%esp)>) define(, <44(%esp)>) define(, <48(%esp)>) define(, <52(%esp)>) define(, <56(%esp)>) define(, <60(%esp)>) define(, <(T,$1,4)>) define(, <1024(T,$1,4)>) define(, <2048(T,$1,4)>) define(, <3072(T,$1,4)>) C ROUND(xl, xh, yl, yh, key-offset) C xl and xh are rotated 16 bits at the end C yl and yh are read from stack, and left in registers define(, < movzbl LREG($1), TMP movl SP1110(TMP), $4 movzbl HREG($1), TMP xorl SP4404(TMP), $4 roll <$>16, $1 movzbl LREG($2), TMP movl SP4404(TMP), $3 movzbl HREG($2), TMP xorl SP3033(TMP), $3 roll <$>16, $2 movzbl LREG($1), TMP xorl SP3033(TMP), $4 movzbl HREG($1), TMP xorl SP0222(TMP), $4 movzbl LREG($2), TMP xorl SP0222(TMP), $3 movzbl HREG($2), TMP xorl SP1110(TMP), $3 xorl $5(KEY), $4 xorl $5 + 4(KEY), $3 xorl $3, $4 rorl <$>8, $3 xorl $4, $3 xorl FRAME_$3, $3 xorl FRAME_$4, $4 >) C Six rounds, with inputs and outputs in registers. define(, < movl L0, FRAME_L0 movl H0, FRAME_H0 movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L0,H0,,

,0) movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L1,H1,,,8) movl L0, FRAME_L0 movl H0, FRAME_H0 ROUND(L0,H0,,

,16) movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L1,H1,,,24) movl L0, FRAME_L0 movl H0, FRAME_H0 ROUND(L0,H0,,

,32) ROUND(L1,H1,,,40) roll <$>16, L1 roll <$>16, H1 >) C FL(x0, x1, key-offset) define(, < movl $3 + 4(KEY), TMP andl $2, TMP roll <$>1, TMP xorl TMP, $1 movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 >) C FLINV(x0, x1, key-offset) define(, < movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 movl $3 + 4(KEY), TMP andl $2, TMP roll <$>1, TMP xorl TMP, $1 >) .file "camellia-crypt-internal.asm" C _camellia_crypt(unsigned nkeys, const uint64_t *keys, C const struct camellia_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_camellia_crypt) C save all registers that need to be saved pushl %ebx C 32(%esp) pushl %ebp C 28(%esp) pushl %esi C 24(%esp) pushl %edi C 20(%esp) subl $20, %esp movl FRAME_LENGTH, %ebp testl %ebp,%ebp jz .Lend .Lblock_loop: C Load data, note that we'll happily do unaligned loads movl FRAME_SRC, TMP movl (TMP), H0 bswap H0 movl 4(TMP), L0 bswap L0 movl 8(TMP), H1 bswap H1 movl 12(TMP), L1 bswap L1 addl $16, FRAME_SRC movl FRAME_KEYS, KEY movl FRAME_NKEYS, TMP subl $8, TMP movl TMP, FRAME_CNT xorl (KEY), L0 xorl 4(KEY), H0 addl $8, KEY movl FRAME_TABLE, T ROUND6 .Lround_loop: addl $64, KEY FL(L0, H0, -16) FLINV(L1, H1, -8) ROUND6 subl $8, FRAME_CNT ja .Lround_loop movl FRAME_DST, TMP bswap H0 movl H0,8(TMP) bswap L0 movl L0,12(TMP) xorl 52(KEY), H1 bswap H1 movl H1, 0(TMP) xorl 48(KEY), L1 bswap L1 movl L1, 4(TMP) addl $16, FRAME_DST subl $16, FRAME_LENGTH ja .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_camellia_crypt) nettle-3.4.1/x86/arcfour-crypt.asm0000644000175000017500000000567213401564746016011 0ustar nissenisseC x86/arcfour-crypt.asm ifelse(< Copyright (C) 2004, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "arcfour-crypt.asm" C arcfour_crypt(struct arcfour_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_arcfour_crypt) C save all registers that need to be saved pushl %ebx C 12(%esp) pushl %ebp C 8(%esp) pushl %esi C 4(%esp) pushl %edi C 0(%esp) C Input arguments: C ctx = 20(%esp) C length = 24(%esp) C dst = 28(%esp) C src = 32(%esp) C Register usage: C %ebp = ctx C %esi = src C %edi = dst C %edx = loop counter C %eax = i C %ebx = j C %cl = si C %ch = sj movl 24(%esp), %edx C length movl 20(%esp), %ebp C ctx movl 28(%esp), %edi C dst movl 32(%esp), %esi C src lea (%edx, %edi), %edi lea (%edx, %esi), %esi negl %edx jnc .Lend movzbl ARCFOUR_I (%ebp), %eax C i movzbl ARCFOUR_J (%ebp), %ebx C j incb %al sarl $1, %edx jc .Lloop_odd ALIGN(16) .Lloop: movb (%ebp, %eax), %cl C si. addb %cl, %bl movb (%ebp, %ebx), %ch C sj movb %ch, (%ebp, %eax) C S[i] = sj incl %eax movzbl %al, %eax movb %cl, (%ebp, %ebx) C S[j] = si addb %ch, %cl movzbl %cl, %ecx C Clear, so it can be used C for indexing. movb (%ebp, %ecx), %cl xorb (%esi, %edx, 2), %cl movb %cl, (%edi, %edx, 2) C FIXME: Could exchange cl and ch in the second half C and try to interleave instructions better. .Lloop_odd: movb (%ebp, %eax), %cl C si. addb %cl, %bl movb (%ebp, %ebx), %ch C sj movb %ch, (%ebp, %eax) C S[i] = sj incl %eax movzbl %al, %eax movb %cl, (%ebp, %ebx) C S[j] = si addb %ch, %cl movzbl %cl, %ecx C Clear, so it can be used C for indexing. movb (%ebp, %ecx), %cl xorb 1(%esi, %edx, 2), %cl incl %edx movb %cl, -1(%edi, %edx, 2) jnz .Lloop C .Lloop_done: decb %al movb %al, ARCFOUR_I (%ebp) C Store the new i and j. movb %bl, ARCFOUR_J (%ebp) .Lend: popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(nettle_arcfour_crypt) nettle-3.4.1/x86/sha1-compress.asm0000644000175000017500000007216413401564746015676 0ustar nissenisseC x86/sha1-compress.asm ifelse(< Copyright (C) 2004, 2009 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Register usage define(,<%eax>) define(,<%ebx>) define(,<%ecx>) define(,<%edx>) define(,<%ebp>) define(,<%esp>) define(,<%edi>) define(,<%esi>) C Constants define(, <0x5A827999>) C Rounds 0-19 define(, <0x6ED9EBA1>) C Rounds 20-39 define(, <0x8F1BBCDC>) C Rounds 40-59 define(, <0xCA62C1D6>) C Rounds 60-79 C Reads the input via T2 into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) define(, < movl OFFSET($1)(T2), $2 bswap $2 movl $2, OFFSET($1) (DATA) >)dnl C The f functions, C C f1(x,y,z) = z ^ (x & (y ^ z)) C f2(x,y,z) = x ^ y ^ z C f3(x,y,z) = (x & (y ^ z)) + (y & z) C f4 = f2 C This form for f3 was suggested by George Spelvin. The terms can be C added into the result one at a time, saving one temporary. C The form of one sha1 round is C C a' = e + a <<< 5 + f( b, c, d ) + k + w; C b' = a; C c' = b <<< 30; C d' = c; C e' = d; C C where <<< denotes rotation. We permute our variables, so that we C instead get C C e += a <<< 5 + f( b, c, d ) + k + w; C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) define(, < mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol <$>1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 and $2, T2 xor $4, T2 rol <$>30, $2 lea K1VALUE (T1, $5), $5 mov $1, T1 rol <$>5, T1 add T1, $5 add T2, $5 >) dnl ROUND_F1_NOEXP(a, b, c, d, e, i) define(, < mov $4, T2 xor $3, T2 mov $1, T1 and $2, T2 add OFFSET($6) (DATA), $5 xor $4, T2 add T2, $5 rol <$>30, $2 rol <$>5, T1 lea K1VALUE (T1, $5), $5 >) dnl ROUND_F2(a, b, c, d, e, i, k) define(, < mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol <$>1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 xor $2, T2 rol <$>30, $2 lea $7 (T1, $5), $5 mov $1, T1 rol <$>5, T1 add T1, $5 add T2, $5 >) dnl ROUND_F3(a, b, c, d, e, i) define(, < mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol <$>1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 and $3, T2 lea K3VALUE (T1, $5), $5 mov $4, T1 xor $3, T1 and $2, T1 add T2, $5 rol <$>30, $2 mov $1, T2 rol <$>5, T2 add T1, $5 add T2, $5 >) .file "sha1-compress.asm" C _nettle_sha1_compress(uint32_t *state, uint8_t *data) .text PROLOGUE(_nettle_sha1_compress) C save all registers that need to be saved C 88(%esp) data C 84(%esp) state C 80(%esp) Return address pushl %ebx C 76(%esp) pushl %ebp C 72(%esp) pushl %esi C 68(%esp) pushl %edi C 64(%esp) subl $64, %esp C %esp = W C Loop-mixed to 520 cycles (for the complete function call) on C AMD K7. ALIGN(32) mov 88(%esp), T2 mov OFFSET(2)(T2), %ecx mov OFFSET(0)(T2), %eax bswap %ecx bswap %eax mov %ecx, OFFSET(2) (DATA) mov %eax, OFFSET(0) (DATA) mov OFFSET(3)(T2), %edx mov OFFSET(6)(T2), %ecx mov OFFSET(4)(T2), %eax mov OFFSET(1)(T2), %ebx bswap %ebx bswap %eax bswap %ecx mov %ecx, OFFSET(6) (DATA) mov %eax, OFFSET(4) (DATA) bswap %edx mov %edx, OFFSET(3) (DATA) mov %ebx, OFFSET(1) (DATA) mov OFFSET(10)(T2), %ecx mov OFFSET(8)(T2), %eax mov OFFSET(7)(T2), %edx bswap %eax bswap %edx mov %edx, OFFSET(7) (DATA) mov OFFSET(5)(T2), %ebx mov %eax, OFFSET(8) (DATA) mov OFFSET(11)(T2), %edx bswap %ecx bswap %edx mov OFFSET(12)(T2), %eax bswap %ebx mov %ecx, OFFSET(10) (DATA) mov %ebx, OFFSET(5) (DATA) mov %edx, OFFSET(11) (DATA) mov OFFSET(15)(T2), %edx mov 84(%esp),T1 mov OFFSET(9)(T2), %ebx bswap %edx bswap %ebx bswap %eax mov OFFSET(14)(T2), %ecx mov %edx, OFFSET(15) (DATA) bswap %ecx mov %ecx, OFFSET(14) (DATA) mov %ebx, OFFSET(9) (DATA) mov OFFSET(13)(T2), %ebx mov 12(T1), SD bswap %ebx mov %ebx, OFFSET(13) (DATA) mov 8(T1), SC mov 16(T1), SE mov 4(T1), SB mov SD, T2 add OFFSET(0) (DATA), SE xor SC, T2 mov %eax, OFFSET(12) (DATA) mov (T1), SA and SB, T2 xor SD, T2 rol $30, SB add T2, SE mov SA, T1 mov SC, T2 add OFFSET(1) (DATA), SD rol $5, T1 xor SB, T2 and SA, T2 xor SC, T2 lea K1VALUE (T1, SE), SE add T2, SD mov SB, T2 rol $30, SA xor SA, T2 and SE, T2 mov SE, T1 add OFFSET(2) (DATA), SC rol $30, SE xor SB, T2 rol $5, T1 lea K1VALUE (T1, SD), SD mov SD, T1 rol $5, T1 add T2, SC mov SA, T2 xor SE, T2 lea K1VALUE (T1, SC), SC and SD, T2 xor SA, T2 add OFFSET(3) (DATA), SB mov SC, T1 add T2, SB mov SE, T2 rol $30, SD xor SD, T2 and SC, T2 rol $5, T1 xor SE, T2 add OFFSET(4) (DATA), SA lea K1VALUE (T1, SB), SB add T2, SA rol $30, SC mov SD, T2 xor SC, T2 and SB, T2 mov SB, T1 rol $5, T1 add OFFSET(5) (DATA), SE rol $30, SB xor SD, T2 add T2, SE mov SC, T2 xor SB, T2 lea K1VALUE (T1, SA), SA mov SA, T1 add OFFSET(6) (DATA), SD and SA, T2 rol $5, T1 xor SC, T2 lea K1VALUE (T1, SE), SE rol $30, SA add T2, SD mov SB, T2 mov SE, T1 xor SA, T2 and SE, T2 rol $5, T1 lea K1VALUE (T1, SD), SD xor SB, T2 add OFFSET(7) (DATA), SC rol $30, SE add OFFSET(8) (DATA), SB mov SD, T1 add T2, SC mov SA, T2 xor SE, T2 rol $5, T1 and SD, T2 lea K1VALUE (T1, SC), SC xor SA, T2 add T2, SB mov SE, T2 mov SC, T1 rol $30, SD xor SD, T2 rol $5, T1 lea K1VALUE (T1, SB), SB and SC, T2 xor SE, T2 add OFFSET(10) (DATA), SE add OFFSET(9) (DATA), SA mov SB, T1 add T2, SA rol $5, T1 lea K1VALUE (T1, SA), SA mov SD, T2 rol $30, SC xor SC, T2 and SB, T2 xor SD, T2 rol $30, SB add T2, SE mov SC, T2 mov SA, T1 xor SB, T2 add OFFSET(11) (DATA), SD and SA, T2 rol $30, SA rol $5, T1 xor SC, T2 lea K1VALUE (T1, SE), SE add T2, SD mov SB, T2 xor SA, T2 mov SE, T1 rol $5, T1 and SE, T2 lea K1VALUE (T1, SD), SD xor SB, T2 add OFFSET(12) (DATA), SC add T2, SC rol $30, SE mov SA, T2 xor SE, T2 mov SD, T1 rol $5, T1 and SD, T2 add OFFSET(13) (DATA), SB lea K1VALUE (T1, SC), SC xor SA, T2 add T2, SB mov SE, T2 rol $30, SD xor SD, T2 and SC, T2 mov SC, T1 rol $5, T1 rol $30, SC add OFFSET(14) (DATA), SA xor SE, T2 add T2, SA mov SD, T2 xor SC, T2 lea K1VALUE (T1, SB), SB and SB, T2 mov SB, T1 rol $5, T1 lea K1VALUE (T1, SA), SA mov SA, T1 xor SD, T2 add OFFSET(15) (DATA), SE add T2, SE rol $5, T1 lea K1VALUE (T1, SE), SE mov OFFSET(0) (DATA), T1 xor OFFSET(2) (DATA), T1 mov SC, T2 xor OFFSET(8) (DATA), T1 xor OFFSET(13) (DATA), T1 rol $30, SB xor SB, T2 and SA, T2 xor SC, T2 rol $1, T1 lea K1VALUE (T1, T2), T2 mov T1, OFFSET(0) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 xor SA, T2 and SE, T2 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 xor SB, T2 rol $1, T1 mov T1, OFFSET(1) (DATA) lea K1VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(2) (DATA), T1 xor OFFSET(4) (DATA), T1 rol $30, SE add T2, SC mov SA, T2 xor SE, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 and SD, T2 rol $1, T1 xor SA, T2 mov T1, OFFSET(2) (DATA) lea K1VALUE (T1, T2), T2 mov SC, T1 rol $30, SD rol $5, T1 add T1, SB add T2, SB mov SE, T2 mov OFFSET(3) (DATA), T1 xor SD, T2 xor OFFSET(5) (DATA), T1 and SC, T2 xor SE, T2 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $1, T1 mov T1, OFFSET(3) (DATA) lea K1VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(4) (DATA), T1 xor OFFSET(6) (DATA), T1 rol $30, SC xor OFFSET(12) (DATA), T1 add T2, SA xor OFFSET(1) (DATA), T1 mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(5) (DATA), T1 add T2, SE mov SC, T2 xor OFFSET(7) (DATA), T1 rol $30, SB xor OFFSET(13) (DATA), T1 xor SB, T2 xor OFFSET(2) (DATA), T1 xor SA, T2 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K2VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SD rol $30, SA xor OFFSET(14) (DATA), T1 mov SB, T2 xor OFFSET(3) (DATA), T1 xor SA, T2 rol $1, T1 xor SE, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(6) (DATA) mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov SA, T2 rol $30, SE mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 xor SE, T2 xor OFFSET(15) (DATA), T1 xor OFFSET(4) (DATA), T1 xor SD, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(7) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 add T2, SB rol $30, SD mov SE, T2 xor OFFSET(0) (DATA), T1 xor OFFSET(5) (DATA), T1 xor SD, T2 xor SC, T2 rol $1, T1 mov T1, OFFSET(8) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(9) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SA xor OFFSET(6) (DATA), T1 mov SD, T2 rol $1, T1 rol $30, SC xor SC, T2 mov T1, OFFSET(9) (DATA) xor SB, T2 lea K2VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SE mov SC, T2 rol $30, SB xor OFFSET(7) (DATA), T1 xor SB, T2 rol $1, T1 xor SA, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(10) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 rol $30, SA xor OFFSET(3) (DATA), T1 add T2, SD xor OFFSET(8) (DATA), T1 mov SB, T2 xor SA, T2 rol $1, T1 mov T1, OFFSET(11) (DATA) xor SE, T2 lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 rol $30, SE add T2, SC xor OFFSET(4) (DATA), T1 mov SA, T2 xor OFFSET(9) (DATA), T1 xor SE, T2 rol $1, T1 xor SD, T2 mov T1, OFFSET(12) (DATA) lea K2VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 add T2, SB mov SE, T2 xor OFFSET(5) (DATA), T1 xor SD, T2 xor OFFSET(10) (DATA), T1 xor SC, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(13) (DATA) mov SB, T1 rol $5, T1 add T1, SA add T2, SA mov SD, T2 mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SC xor OFFSET(6) (DATA), T1 xor OFFSET(11) (DATA), T1 xor SC, T2 xor SB, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SE mov SC, T2 rol $30, SB xor SB, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(12) (DATA), T1 xor SA, T2 rol $1, T1 mov T1, OFFSET(15) (DATA) lea K2VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(0) (DATA), T1 xor OFFSET(2) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SD mov SB, T2 rol $30, SA xor SA, T2 xor OFFSET(13) (DATA), T1 rol $1, T1 xor SE, T2 mov T1, OFFSET(0) (DATA) lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 add T2, SC mov SA, T2 rol $30, SE xor SE, T2 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 rol $1, T1 xor SD, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(1) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(2) (DATA), T1 rol $30, SD xor OFFSET(4) (DATA), T1 add T2, SB mov SE, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 xor SD, T2 xor SC, T2 rol $1, T1 mov T1, OFFSET(2) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 add T2, SA rol $30, SC mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(3) (DATA) mov SA, T1 rol $5, T1 rol $30, SB add T1, SE mov OFFSET(4) (DATA), T1 add T2, SE xor OFFSET(6) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(1) (DATA), T1 mov SC, T2 xor SB, T2 rol $1, T1 xor SA, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SE, T1 rol $5, T1 add T1, SD add T2, SD mov OFFSET(5) (DATA), T1 mov SB, T2 rol $30, SA xor SA, T2 xor SE, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(2) (DATA), T1 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SC xor OFFSET(14) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $1, T1 mov T1, OFFSET(6) (DATA) mov SA, T2 rol $30, SE xor SE, T2 xor SD, T2 lea K2VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB add T2, SB mov OFFSET(7) (DATA), T1 mov SE, T2 rol $30, SD xor OFFSET(9) (DATA), T1 xor SD, T2 xor SC, T2 xor OFFSET(15) (DATA), T1 xor OFFSET(4) (DATA), T1 rol $1, T1 mov T1, OFFSET(7) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 rol $30, SC xor OFFSET(0) (DATA), T1 add T2, SA mov SD, T2 xor OFFSET(5) (DATA), T1 rol $1, T1 and SC, T2 mov T1, OFFSET(8) (DATA) lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 mov SD, T2 xor SC, T2 and SB, T2 rol $30, SB rol $5, T1 add T1, SE mov OFFSET(9) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SE mov SC, T2 xor OFFSET(6) (DATA), T1 rol $1, T1 and SB, T2 mov T1, OFFSET(9) (DATA) lea K3VALUE (T1, T2), T1 add T1, SD mov SC, T2 xor SB, T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(10) (DATA), T1 and SA, T2 add T2, SD xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 rol $30, SA mov SB, T2 and SA, T2 xor OFFSET(7) (DATA), T1 rol $1, T1 mov T1, OFFSET(10) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 mov SB, T2 add T1, SC mov OFFSET(11) (DATA), T1 xor SA, T2 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 and SE, T2 xor OFFSET(8) (DATA), T1 add T2, SC rol $1, T1 mov SA, T2 mov T1, OFFSET(11) (DATA) rol $30, SE and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SA, T2 mov SC, T1 xor SE, T2 rol $5, T1 add T1, SB mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 xor OFFSET(4) (DATA), T1 xor OFFSET(9) (DATA), T1 and SD, T2 rol $30, SD add T2, SB rol $1, T1 mov T1, OFFSET(12) (DATA) mov SE, T2 and SD, T2 lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 mov SE, T2 xor OFFSET(5) (DATA), T1 xor SD, T2 and SC, T2 xor OFFSET(10) (DATA), T1 add T2, SA rol $1, T1 rol $30, SC mov T1, OFFSET(13) (DATA) mov SD, T2 and SC, T2 lea K3VALUE (T1, T2), T1 mov SD, T2 add T1, SE mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 xor SC, T2 and SB, T2 xor OFFSET(6) (DATA), T1 rol $30, SB xor OFFSET(11) (DATA), T1 rol $1, T1 add T2, SE mov SC, T2 mov T1, OFFSET(14) (DATA) and SB, T2 lea K3VALUE (T1, T2), T1 mov SC, T2 add T1, SD mov SE, T1 xor SB, T2 rol $5, T1 add T1, SD mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 and SA, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(12) (DATA), T1 add T2, SD rol $30, SA mov SB, T2 rol $1, T1 mov T1, OFFSET(15) (DATA) and SA, T2 lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 mov SB, T2 rol $5, T1 add T1, SC mov OFFSET(0) (DATA), T1 xor SA, T2 xor OFFSET(2) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(13) (DATA), T1 and SE, T2 add T2, SC rol $30, SE rol $1, T1 mov T1, OFFSET(0) (DATA) mov SA, T2 and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SC, T1 mov SA, T2 xor SE, T2 rol $5, T1 add T1, SB mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 xor OFFSET(9) (DATA), T1 and SD, T2 xor OFFSET(14) (DATA), T1 add T2, SB rol $30, SD mov SE, T2 rol $1, T1 and SD, T2 mov T1, OFFSET(1) (DATA) lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov SE, T2 mov OFFSET(2) (DATA), T1 xor SD, T2 xor OFFSET(4) (DATA), T1 xor OFFSET(10) (DATA), T1 and SC, T2 add T2, SA xor OFFSET(15) (DATA), T1 rol $30, SC mov SD, T2 rol $1, T1 mov T1, OFFSET(2) (DATA) and SC, T2 lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 mov SD, T2 rol $1, T1 xor SC, T2 and SB, T2 mov T1, OFFSET(3) (DATA) rol $30, SB add T2, SE mov SC, T2 and SB, T2 lea K3VALUE (T1, T2), T1 add T1, SD mov SE, T1 mov SC, T2 rol $5, T1 add T1, SD mov OFFSET(4) (DATA), T1 xor OFFSET(6) (DATA), T1 xor SB, T2 and SA, T2 add T2, SD mov SB, T2 xor OFFSET(12) (DATA), T1 rol $30, SA and SA, T2 xor OFFSET(1) (DATA), T1 rol $1, T1 mov T1, OFFSET(4) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(5) (DATA), T1 xor OFFSET(7) (DATA), T1 mov SB, T2 xor OFFSET(13) (DATA), T1 xor SA, T2 xor OFFSET(2) (DATA), T1 and SE, T2 rol $30, SE add T2, SC rol $1, T1 mov SA, T2 mov T1, OFFSET(5) (DATA) and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SA, T2 mov SC, T1 rol $5, T1 add T1, SB xor SE, T2 and SD, T2 mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(14) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $1, T1 add T2, SB rol $30, SD mov SE, T2 and SD, T2 mov T1, OFFSET(6) (DATA) lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 mov SE, T2 xor SD, T2 xor OFFSET(15) (DATA), T1 and SC, T2 rol $30, SC add T2, SA mov SD, T2 xor OFFSET(4) (DATA), T1 rol $1, T1 and SC, T2 mov T1, OFFSET(7) (DATA) lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 rol $5, T1 mov SD, T2 add T1, SE mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 xor SC, T2 xor OFFSET(0) (DATA), T1 and SB, T2 add T2, SE xor OFFSET(5) (DATA), T1 rol $30, SB mov SC, T2 and SB, T2 rol $1, T1 mov T1, OFFSET(8) (DATA) lea K3VALUE (T1, T2), T1 add T1, SD mov SE, T1 rol $5, T1 mov SC, T2 xor SB, T2 add T1, SD and SA, T2 mov OFFSET(9) (DATA), T1 rol $30, SA xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SD mov SB, T2 and SA, T2 xor OFFSET(6) (DATA), T1 rol $1, T1 mov T1, OFFSET(9) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 mov SB, T2 xor SA, T2 and SE, T2 add T1, SC mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SC mov SA, T2 rol $30, SE xor OFFSET(7) (DATA), T1 rol $1, T1 and SE, T2 mov T1, OFFSET(10) (DATA) lea K3VALUE (T1, T2), T1 mov SA, T2 xor SE, T2 add T1, SB mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 xor OFFSET(8) (DATA), T1 and SD, T2 add T2, SB mov SE, T2 rol $1, T1 mov T1, OFFSET(11) (DATA) rol $30, SD and SD, T2 lea K3VALUE (T1, T2), T1 mov SE, T2 add T1, SA xor SD, T2 mov SB, T1 and SC, T2 rol $30, SC rol $5, T1 add T1, SA mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA mov SD, T2 xor OFFSET(4) (DATA), T1 xor OFFSET(9) (DATA), T1 rol $1, T1 mov T1, OFFSET(12) (DATA) xor SC, T2 xor SB, T2 lea K4VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 add T2, SE rol $30, SB mov SC, T2 xor OFFSET(5) (DATA), T1 xor SB, T2 xor OFFSET(10) (DATA), T1 rol $1, T1 mov T1, OFFSET(13) (DATA) xor SA, T2 lea K4VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 xor SA, T2 xor SE, T2 xor OFFSET(6) (DATA), T1 xor OFFSET(11) (DATA), T1 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov OFFSET(15) (DATA), T1 mov SA, T2 rol $30, SE xor OFFSET(1) (DATA), T1 xor OFFSET(7) (DATA), T1 xor SE, T2 xor SD, T2 xor OFFSET(12) (DATA), T1 rol $1, T1 mov T1, OFFSET(15) (DATA) lea K4VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(0) (DATA), T1 add T2, SB xor OFFSET(2) (DATA), T1 mov SE, T2 rol $30, SD xor OFFSET(8) (DATA), T1 xor SD, T2 xor OFFSET(13) (DATA), T1 xor SC, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(0) (DATA) mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(1) (DATA), T1 rol $30, SC xor OFFSET(3) (DATA), T1 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(1) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(2) (DATA), T1 rol $30, SB xor OFFSET(4) (DATA), T1 add T2, SE mov SC, T2 xor SB, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 xor SA, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(2) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 rol $1, T1 mov T1, OFFSET(3) (DATA) xor SA, T2 xor SE, T2 lea K4VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(4) (DATA), T1 add T2, SC rol $30, SE xor OFFSET(6) (DATA), T1 mov SA, T2 xor OFFSET(12) (DATA), T1 xor SE, T2 xor OFFSET(1) (DATA), T1 rol $1, T1 xor SD, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(5) (DATA), T1 add T2, SB xor OFFSET(7) (DATA), T1 xor OFFSET(13) (DATA), T1 mov SE, T2 xor SD, T2 xor OFFSET(2) (DATA), T1 xor SC, T2 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K4VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA xor OFFSET(3) (DATA), T1 mov SD, T2 rol $30, SC rol $1, T1 xor SC, T2 mov T1, OFFSET(6) (DATA) xor SB, T2 lea K4VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE add T2, SE mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 xor OFFSET(15) (DATA), T1 rol $30, SB xor OFFSET(4) (DATA), T1 mov SC, T2 rol $1, T1 mov T1, OFFSET(7) (DATA) xor SB, T2 xor SA, T2 lea K4VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD rol $30, SA mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 add T2, SD xor OFFSET(0) (DATA), T1 xor OFFSET(5) (DATA), T1 rol $1, T1 mov SB, T2 mov T1, OFFSET(8) (DATA) xor SA, T2 xor SE, T2 lea K4VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov SA, T2 mov OFFSET(9) (DATA), T1 rol $30, SE xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 xor OFFSET(6) (DATA), T1 xor SE, T2 xor SD, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(9) (DATA) mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SB mov SE, T2 xor SD, T2 xor SC, T2 xor OFFSET(7) (DATA), T1 rol $1, T1 mov T1, OFFSET(10) (DATA) lea K4VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 add T2, SA mov SD, T2 rol $30, SC xor SC, T2 xor OFFSET(8) (DATA), T1 rol $1, T1 xor SB, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(11) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(12) (DATA), T1 add T2, SE xor OFFSET(14) (DATA), T1 rol $30, SB mov SC, T2 xor OFFSET(4) (DATA), T1 xor SB, T2 xor SA, T2 xor OFFSET(9) (DATA), T1 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(12) (DATA) mov SE, T1 rol $5, T1 add T1, SD add T2, SD rol $30, SA mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 mov SB, T2 xor OFFSET(5) (DATA), T1 xor SA, T2 xor OFFSET(10) (DATA), T1 xor SE, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(13) (DATA) mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 xor OFFSET(6) (DATA), T1 add T2, SC rol $30, SE mov SA, T2 xor SE, T2 xor OFFSET(11) (DATA), T1 xor SD, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 xor OFFSET(7) (DATA), T1 rol $30, SD add T2, SB xor OFFSET(12) (DATA), T1 mov SE, T2 xor SD, T2 rol $1, T1 xor SC, T2 lea K4VALUE (T1, T2), T2 rol $30, SC mov T1, OFFSET(15) (DATA) mov SB, T1 rol $5, T1 add T1, SA add T2, SA C C Load and byteswap data C movl 88(%esp), T2 C C SWAP( 0, %eax) SWAP( 1, %ebx) SWAP( 2, %ecx) SWAP( 3, %edx) C SWAP( 4, %eax) SWAP( 5, %ebx) SWAP( 6, %ecx) SWAP( 7, %edx) C SWAP( 8, %eax) SWAP( 9, %ebx) SWAP(10, %ecx) SWAP(11, %edx) C SWAP(12, %eax) SWAP(13, %ebx) SWAP(14, %ecx) SWAP(15, %edx) C C C load the state vector C movl 84(%esp),T1 C movl (T1), SA C movl 4(T1), SB C movl 8(T1), SC C movl 12(T1), SD C movl 16(T1), SE C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 0) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 1) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 2) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 3) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 4) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 5) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 6) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 7) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 8) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 9) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 10) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 11) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 12) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 13) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 14) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 15) C ROUND_F1(SE, SA, SB, SC, SD, 16) C ROUND_F1(SD, SE, SA, SB, SC, 17) C ROUND_F1(SC, SD, SE, SA, SB, 18) C ROUND_F1(SB, SC, SD, SE, SA, 19) C C ROUND_F2(SA, SB, SC, SD, SE, 20, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 21, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 22, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 23, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 24, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 25, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 26, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 27, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 28, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 29, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 30, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 31, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 32, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 33, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 34, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 35, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 36, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 37, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 38, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 39, K2VALUE) C C ROUND_F3(SA, SB, SC, SD, SE, 40) C ROUND_F3(SE, SA, SB, SC, SD, 41) C ROUND_F3(SD, SE, SA, SB, SC, 42) C ROUND_F3(SC, SD, SE, SA, SB, 43) C ROUND_F3(SB, SC, SD, SE, SA, 44) C C ROUND_F3(SA, SB, SC, SD, SE, 45) C ROUND_F3(SE, SA, SB, SC, SD, 46) C ROUND_F3(SD, SE, SA, SB, SC, 47) C ROUND_F3(SC, SD, SE, SA, SB, 48) C ROUND_F3(SB, SC, SD, SE, SA, 49) C C ROUND_F3(SA, SB, SC, SD, SE, 50) C ROUND_F3(SE, SA, SB, SC, SD, 51) C ROUND_F3(SD, SE, SA, SB, SC, 52) C ROUND_F3(SC, SD, SE, SA, SB, 53) C ROUND_F3(SB, SC, SD, SE, SA, 54) C C ROUND_F3(SA, SB, SC, SD, SE, 55) C ROUND_F3(SE, SA, SB, SC, SD, 56) C ROUND_F3(SD, SE, SA, SB, SC, 57) C ROUND_F3(SC, SD, SE, SA, SB, 58) C ROUND_F3(SB, SC, SD, SE, SA, 59) C C ROUND_F2(SA, SB, SC, SD, SE, 60, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 61, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 62, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 63, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 64, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 65, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 66, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 67, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 68, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 69, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 70, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 71, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 72, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 73, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 74, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 75, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 76, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 77, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 78, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 79, K4VALUE) C Update the state vector movl 84(%esp),T1 addl SA, (T1) addl SB, 4(T1) addl SC, 8(T1) addl SD, 12(T1) addl SE, 16(T1) addl $64, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_sha1_compress) C TODO: C * Extend loopmixer so that it can exploit associativity, and for C example reorder C C add %eax, %ebx C add %ecx, %ebx C * Use mmx instructions for the data expansion, doing two words at a C time. nettle-3.4.1/x86/aes-encrypt-internal.asm0000644000175000017500000000772713401564746017260 0ustar nissenisseC x86/aes-encrypt-internal.asm ifelse(< Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Register usage: C AES state define(,<%eax>) define(,<%ebx>) define(,<%ecx>) define(,<%edx>) C Primary use of these registers. They're also used temporarily for other things. define(,<%ebp>) define(,<%edi>) define(,<%esi>) define(, <40(%esp)>) define(, <44(%esp)>) define(, <48(%esp)>) define(, <52(%esp)>) define(, <56(%esp)>) define(, <60(%esp)>) define(, <16(%esp)>) define(, <12(%esp)>) define(, <8(%esp)>) define(, <4(%esp)>) define(, <(%esp)>) C The aes state is kept in %eax, %ebx, %ecx and %edx C C %esi is used as temporary, to point to the input, and to the C subkeys, etc. C C %ebp is used as the round counter, and as a temporary in the final round. C C %edi is a temporary, often used as an accumulator. .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) C save all registers that need to be saved pushl %ebx C 20(%esp) pushl %ebp C 16(%esp) pushl %esi C 12(%esp) pushl %edi C 8(%esp) subl $20, %esp C loop counter and save area for the key pointer movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend shrl $4, PARAM_LENGTH subl $1, PARAM_ROUNDS .Lblock_loop: movl PARAM_KEYS, KEY C address of subkeys movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) addl $16, PARAM_SRC C Increment src pointer movl PARAM_TABLE, T movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT addl $16,KEY C point to next key movl KEY,FRAME_KEY ALIGN(16) .Lround_loop: AES_ROUND(T, SA,SB,SC,SD, TMP, KEY) movl TMP, TA AES_ROUND(T, SB,SC,SD,SA, TMP, KEY) movl TMP, TB AES_ROUND(T, SC,SD,SA,SB, TMP, KEY) movl TMP, TC AES_ROUND(T, SD,SA,SB,SC, SD, KEY) movl TA, SA movl TB, SB movl TC, SC movl FRAME_KEY, KEY xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD addl $16,FRAME_KEY C point to next key decl FRAME_COUNT jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SB,SC,SD, T, TMP, KEY) movl TMP, TA AES_FINAL_ROUND(SB,SC,SD,SA, T, TMP, KEY) movl TMP, TB AES_FINAL_ROUND(SC,SD,SA,SB, T, TMP, KEY) movl TMP, TC AES_FINAL_ROUND(SD,SA,SB,SC, T, SD, KEY) movl TA, SA movl TB, SB movl TC, SC C S-box substitution mov $3,TMP .Lsubst: AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store encrypted data movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) addl $16, PARAM_DST C Increment destination pointer decl PARAM_LENGTH jnz .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_aes_encrypt) nettle-3.4.1/hmac.c0000644000175000017500000000567413401564745013137 0ustar nissenisse/* hmac.c HMAC message authentication code (RFC-2104). Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include /* Needed for alloca on freebsd */ #include #include #include "hmac.h" #include "memxor.h" #include "nettle-internal.h" #define IPAD 0x36 #define OPAD 0x5c void hmac_set_key(void *outer, void *inner, void *state, const struct nettle_hash *hash, size_t key_length, const uint8_t *key) { TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE); TMP_ALLOC(pad, hash->block_size); hash->init(outer); hash->init(inner); if (key_length > hash->block_size) { /* Reduce key to the algorithm's hash size. Use the area pointed * to by state for the temporary state. */ TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, hash->digest_size); hash->init(state); hash->update(state, key_length, key); hash->digest(state, hash->digest_size, digest); key = digest; key_length = hash->digest_size; } assert(key_length <= hash->block_size); memset(pad, OPAD, hash->block_size); memxor(pad, key, key_length); hash->update(outer, hash->block_size, pad); memset(pad, IPAD, hash->block_size); memxor(pad, key, key_length); hash->update(inner, hash->block_size, pad); memcpy(state, inner, hash->context_size); } void hmac_update(void *state, const struct nettle_hash *hash, size_t length, const uint8_t *data) { hash->update(state, length, data); } void hmac_digest(const void *outer, const void *inner, void *state, const struct nettle_hash *hash, size_t length, uint8_t *dst) { TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, hash->digest_size); hash->digest(state, hash->digest_size, digest); memcpy(state, outer, hash->context_size); hash->update(state, hash->digest_size, digest); hash->digest(state, length, dst); memcpy(state, inner, hash->context_size); } nettle-3.4.1/umac-l3.c0000644000175000017500000000423013401564745013453 0ustar nissenisse/* umac-l3.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "umac.h" #include "macros.h" /* 2^36 - 5 */ #define P 0x0000000FFFFFFFFBULL #if WORDS_BIGENDIAN #define BE_SWAP64(x) x #else #define BE_SWAP64(x) \ (((x & 0xff) << 56) \ | ((x & 0xff00) << 40) \ | ((x & 0xff0000) << 24) \ | ((x & 0xff000000) << 8) \ | ((x >> 8) & 0xff000000) \ | ((x >> 24) & 0xff0000) \ | ((x >> 40) & 0xff00) \ | (x >> 56) ) #endif void _umac_l3_init (unsigned size, uint64_t *k) { unsigned i; for (i = 0; i < size; i++) { uint64_t w = k[i]; w = BE_SWAP64 (w); k[i] = w % P; } } static uint64_t umac_l3_word (const uint64_t *k, uint64_t w) { unsigned i; uint64_t y; /* Since it's easiest to process the input word from the low end, * loop over keys in reverse order. */ for (i = y = 0; i < 4; i++, w >>= 16) y += (w & 0xffff) * k[3-i]; return y; } uint32_t _umac_l3 (const uint64_t *key, const uint64_t *m) { uint32_t y = (umac_l3_word (key, m[0]) + umac_l3_word (key + 4, m[1])) % P; #if !WORDS_BIGENDIAN y = ((ROTL32(8, y) & 0x00FF00FFUL) | (ROTL32(24, y) & 0xFF00FF00UL)); #endif return y; } nettle-3.4.1/keymap.h0000644000175000017500000001427213401564746013515 0ustar nissenisse/* automagically made - do not fuss with this */ 0x02080008, 0x02082000, 0x00002008, 0x00000000, 0x02002000, 0x00080008, 0x02080000, 0x02082008, 0x00000008, 0x02000000, 0x00082000, 0x00002008, 0x00082008, 0x02002008, 0x02000008, 0x02080000, 0x00002000, 0x00082008, 0x00080008, 0x02002000, 0x02082008, 0x02000008, 0x00000000, 0x00082000, 0x02000000, 0x00080000, 0x02002008, 0x02080008, 0x00080000, 0x00002000, 0x02082000, 0x00000008, 0x00080000, 0x00002000, 0x02000008, 0x02082008, 0x00002008, 0x02000000, 0x00000000, 0x00082000, 0x02080008, 0x02002008, 0x02002000, 0x00080008, 0x02082000, 0x00000008, 0x00080008, 0x02002000, 0x02082008, 0x00080000, 0x02080000, 0x02000008, 0x00082000, 0x00002008, 0x02002008, 0x02080000, 0x00000008, 0x02082000, 0x00082008, 0x00000000, 0x02000000, 0x02080008, 0x00002000, 0x00082008, 0x08000004, 0x00020004, 0x00000000, 0x08020200, 0x00020004, 0x00000200, 0x08000204, 0x00020000, 0x00000204, 0x08020204, 0x00020200, 0x08000000, 0x08000200, 0x08000004, 0x08020000, 0x00020204, 0x00020000, 0x08000204, 0x08020004, 0x00000000, 0x00000200, 0x00000004, 0x08020200, 0x08020004, 0x08020204, 0x08020000, 0x08000000, 0x00000204, 0x00000004, 0x00020200, 0x00020204, 0x08000200, 0x00000204, 0x08000000, 0x08000200, 0x00020204, 0x08020200, 0x00020004, 0x00000000, 0x08000200, 0x08000000, 0x00000200, 0x08020004, 0x00020000, 0x00020004, 0x08020204, 0x00020200, 0x00000004, 0x08020204, 0x00020200, 0x00020000, 0x08000204, 0x08000004, 0x08020000, 0x00020204, 0x00000000, 0x00000200, 0x08000004, 0x08000204, 0x08020200, 0x08020000, 0x00000204, 0x00000004, 0x08020004, 0x80040100, 0x01000100, 0x80000000, 0x81040100, 0x00000000, 0x01040000, 0x81000100, 0x80040000, 0x01040100, 0x81000000, 0x01000000, 0x80000100, 0x81000000, 0x80040100, 0x00040000, 0x01000000, 0x81040000, 0x00040100, 0x00000100, 0x80000000, 0x00040100, 0x81000100, 0x01040000, 0x00000100, 0x80000100, 0x00000000, 0x80040000, 0x01040100, 0x01000100, 0x81040000, 0x81040100, 0x00040000, 0x81040000, 0x80000100, 0x00040000, 0x81000000, 0x00040100, 0x01000100, 0x80000000, 0x01040000, 0x81000100, 0x00000000, 0x00000100, 0x80040000, 0x00000000, 0x81040000, 0x01040100, 0x00000100, 0x01000000, 0x81040100, 0x80040100, 0x00040000, 0x81040100, 0x80000000, 0x01000100, 0x80040100, 0x80040000, 0x00040100, 0x01040000, 0x81000100, 0x80000100, 0x01000000, 0x81000000, 0x01040100, 0x04010801, 0x00000000, 0x00010800, 0x04010000, 0x04000001, 0x00000801, 0x04000800, 0x00010800, 0x00000800, 0x04010001, 0x00000001, 0x04000800, 0x00010001, 0x04010800, 0x04010000, 0x00000001, 0x00010000, 0x04000801, 0x04010001, 0x00000800, 0x00010801, 0x04000000, 0x00000000, 0x00010001, 0x04000801, 0x00010801, 0x04010800, 0x04000001, 0x04000000, 0x00010000, 0x00000801, 0x04010801, 0x00010001, 0x04010800, 0x04000800, 0x00010801, 0x04010801, 0x00010001, 0x04000001, 0x00000000, 0x04000000, 0x00000801, 0x00010000, 0x04010001, 0x00000800, 0x04000000, 0x00010801, 0x04000801, 0x04010800, 0x00000800, 0x00000000, 0x04000001, 0x00000001, 0x04010801, 0x00010800, 0x04010000, 0x04010001, 0x00010000, 0x00000801, 0x04000800, 0x04000801, 0x00000001, 0x04010000, 0x00010800, 0x00000400, 0x00000020, 0x00100020, 0x40100000, 0x40100420, 0x40000400, 0x00000420, 0x00000000, 0x00100000, 0x40100020, 0x40000020, 0x00100400, 0x40000000, 0x00100420, 0x00100400, 0x40000020, 0x40100020, 0x00000400, 0x40000400, 0x40100420, 0x00000000, 0x00100020, 0x40100000, 0x00000420, 0x40100400, 0x40000420, 0x00100420, 0x40000000, 0x40000420, 0x40100400, 0x00000020, 0x00100000, 0x40000420, 0x00100400, 0x40100400, 0x40000020, 0x00000400, 0x00000020, 0x00100000, 0x40100400, 0x40100020, 0x40000420, 0x00000420, 0x00000000, 0x00000020, 0x40100000, 0x40000000, 0x00100020, 0x00000000, 0x40100020, 0x00100020, 0x00000420, 0x40000020, 0x00000400, 0x40100420, 0x00100000, 0x00100420, 0x40000000, 0x40000400, 0x40100420, 0x40100000, 0x00100420, 0x00100400, 0x40000400, 0x00800000, 0x00001000, 0x00000040, 0x00801042, 0x00801002, 0x00800040, 0x00001042, 0x00801000, 0x00001000, 0x00000002, 0x00800002, 0x00001040, 0x00800042, 0x00801002, 0x00801040, 0x00000000, 0x00001040, 0x00800000, 0x00001002, 0x00000042, 0x00800040, 0x00001042, 0x00000000, 0x00800002, 0x00000002, 0x00800042, 0x00801042, 0x00001002, 0x00801000, 0x00000040, 0x00000042, 0x00801040, 0x00801040, 0x00800042, 0x00001002, 0x00801000, 0x00001000, 0x00000002, 0x00800002, 0x00800040, 0x00800000, 0x00001040, 0x00801042, 0x00000000, 0x00001042, 0x00800000, 0x00000040, 0x00001002, 0x00800042, 0x00000040, 0x00000000, 0x00801042, 0x00801002, 0x00801040, 0x00000042, 0x00001000, 0x00001040, 0x00801002, 0x00800040, 0x00000042, 0x00000002, 0x00001042, 0x00801000, 0x00800002, 0x10400000, 0x00404010, 0x00000010, 0x10400010, 0x10004000, 0x00400000, 0x10400010, 0x00004010, 0x00400010, 0x00004000, 0x00404000, 0x10000000, 0x10404010, 0x10000010, 0x10000000, 0x10404000, 0x00000000, 0x10004000, 0x00404010, 0x00000010, 0x10000010, 0x10404010, 0x00004000, 0x10400000, 0x10404000, 0x00400010, 0x10004010, 0x00404000, 0x00004010, 0x00000000, 0x00400000, 0x10004010, 0x00404010, 0x00000010, 0x10000000, 0x00004000, 0x10000010, 0x10004000, 0x00404000, 0x10400010, 0x00000000, 0x00404010, 0x00004010, 0x10404000, 0x10004000, 0x00400000, 0x10404010, 0x10000000, 0x10004010, 0x10400000, 0x00400000, 0x10404010, 0x00004000, 0x00400010, 0x10400010, 0x00004010, 0x00400010, 0x00000000, 0x10404000, 0x10000010, 0x10400000, 0x10004010, 0x00000010, 0x00404000, 0x00208080, 0x00008000, 0x20200000, 0x20208080, 0x00200000, 0x20008080, 0x20008000, 0x20200000, 0x20008080, 0x00208080, 0x00208000, 0x20000080, 0x20200080, 0x00200000, 0x00000000, 0x20008000, 0x00008000, 0x20000000, 0x00200080, 0x00008080, 0x20208080, 0x00208000, 0x20000080, 0x00200080, 0x20000000, 0x00000080, 0x00008080, 0x20208000, 0x00000080, 0x20200080, 0x20208000, 0x00000000, 0x00000000, 0x20208080, 0x00200080, 0x20008000, 0x00208080, 0x00008000, 0x20000080, 0x00200080, 0x20208000, 0x00000080, 0x00008080, 0x20200000, 0x20008080, 0x20000000, 0x20200000, 0x00208000, 0x20208080, 0x00008080, 0x00208000, 0x20200080, 0x00200000, 0x20000080, 0x20008000, 0x00000000, 0x00008000, 0x00200000, 0x20200080, 0x00208080, 0x20000000, 0x20208000, 0x00000080, 0x20008080, nettle-3.4.1/sha384-meta.c0000644000175000017500000000224513401564745014154 0ustar nissenisse/* sha384-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha384 = _NETTLE_HASH(sha384, SHA384); nettle-3.4.1/nettle-write.h0000644000175000017500000000330413401564746014644 0ustar nissenisse/* nettle-write.h Internal functions to write out word-sized data to byte arrays. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_WRITE_H_INCLUDED #define NETTLE_WRITE_H_INCLUDED /* For size_t */ #include #include "nettle-stdint.h" /* Write the word array at SRC to the byte array at DST, using little endian (le) or big endian (be) byte order, and truncating the result to LENGTH bytes. */ /* FIXME: Use a macro shortcut to memcpy for native endianness. */ void _nettle_write_be32(size_t length, uint8_t *dst, const uint32_t *src); void _nettle_write_le32(size_t length, uint8_t *dst, const uint32_t *src); void _nettle_write_le64(size_t length, uint8_t *dst, const uint64_t *src); #endif /* NETTLE_WRITE_H_INCLUDED */ nettle-3.4.1/pbkdf2.h0000644000175000017500000000461213401564746013374 0ustar nissenisse/* pbkdf2.h PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PBKDF2_H_INCLUDED #define NETTLE_PBKDF2_H_INCLUDED #include "nettle-meta.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pbkdf2 nettle_pbkdf2 #define pbkdf2_hmac_sha1 nettle_pbkdf2_hmac_sha1 #define pbkdf2_hmac_sha256 nettle_pbkdf2_hmac_sha256 void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); #define PBKDF2(ctx, update, digest, digest_size, \ iterations, salt_length, salt, length, dst) \ (0 ? ((update)((ctx), 0, (uint8_t *) 0), \ (digest)((ctx), 0, (uint8_t *) 0)) \ : pbkdf2 ((ctx), \ (nettle_hash_update_func *)(update), \ (nettle_hash_digest_func *)(digest), \ (digest_size), (iterations), \ (salt_length), (salt), (length), (dst))) /* PBKDF2 with specific PRFs. */ void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_PBKDF2_H_INCLUDED */ nettle-3.4.1/ecc-size.c0000644000175000017500000000274213401564746013723 0ustar nissenisse/* ecc-size.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" unsigned ecc_bit_size (const struct ecc_curve *ecc) { return ecc->p.bit_size; } mp_size_t ecc_size (const struct ecc_curve *ecc) { return ecc->p.size; } mp_size_t ecc_size_a (const struct ecc_curve *ecc) { return 2*ecc->p.size; } mp_size_t ecc_size_j (const struct ecc_curve *ecc) { return 3*ecc->p.size; } nettle-3.4.1/testsuite/0000755000175000017500000000000013401564746014101 5ustar nissenissenettle-3.4.1/testsuite/sha1-huge-test.c0000644000175000017500000000054713401564746017012 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Hashes 10 000 000 x 30 000 bytes > 64 * 2^32. This overflows the low word of the block counter. This test vector is not cross checked with any other sha1 implementation. */ test_hash_large(&nettle_sha1, 10000000, 30000, 'a', SHEX("0ba79364dc64648f 2074fb4bc5c28bcf" "b7a787b0")); } nettle-3.4.1/testsuite/gosthash94-test.c0000644000175000017500000000125313401564746017220 0ustar nissenisse#include "testutils.h" #include "gosthash94.h" /* Using test vectors from Wikipedia article on GOST */ void test_main(void) { test_hash(&nettle_gosthash94, SDATA("The quick brown fox jumps over the lazy dog"), SHEX("77b7fa410c9ac58a25f49bca7d0468c9296529315eaca76bd1a10f376d1f4294")); test_hash(&nettle_gosthash94, SDATA("message digest"), SHEX("ad4434ecb18f2c99b60cbe59ec3d2469582b65273f48de72db2fde16a4889a4d")); test_hash(&nettle_gosthash94, SDATA("a"), SHEX("d42c539e367c66e9c88a801f6649349c21871b4344c6a573f849fdce62f314dd")); test_hash(&nettle_gosthash94, SDATA(""), SHEX("ce85b99cc46752fffee35cab9a7b0278abb4c2d2055cff685af4912c49490f8d")); } nettle-3.4.1/testsuite/curve25519-dh-test.c0000644000175000017500000001072013401564746017345 0ustar nissenisse/* curve25519-dh-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "curve25519.h" static void test_g (const uint8_t *s, const uint8_t *r) { uint8_t p[CURVE25519_SIZE]; curve25519_mul_g (p, s); if (!MEMEQ (CURVE25519_SIZE, p, r)) { printf ("curve25519_mul_g failure:\ns = "); print_hex (CURVE25519_SIZE, s); printf ("\np = "); print_hex (CURVE25519_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE25519_SIZE, r); printf (" (expected)\n"); abort (); } } static void test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r) { uint8_t p[CURVE25519_SIZE]; curve25519_mul (p, s, b); if (!MEMEQ (CURVE25519_SIZE, p, r)) { printf ("curve25519_mul failure:\ns = "); print_hex (CURVE25519_SIZE, s); printf ("\nb = "); print_hex (CURVE25519_SIZE, b); printf ("\np = "); print_hex (CURVE25519_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE25519_SIZE, r); printf (" (expected)\n"); abort (); } } void test_main (void) { /* From RFC 7748. */ test_g (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a")); test_g (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f")); test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); test_a (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the least significant three bits (first octet) of the scalar are ignored by mul_g. */ test_g (H("70076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a")); /* Check that the most significant two bits (last octet) of the scalar are ignored by mul_g. */ test_g (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e02b"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f")); /* Check that the least significant three bits (first octet) of the scalar are ignored by mul_a. */ test_a (H("5aab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the most significant two bits (last octet) of the scalar are ignored by mul_g. */ test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92cea"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the most significant bit (last octet) of the x coordinate is ignored. */ test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882bcf"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); } nettle-3.4.1/testsuite/ecc-dup-test.c0000644000175000017500000000201313401564746016536 0ustar nissenisse#include "testutils.h" void test_main (void) { unsigned i; for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (ECC_DUP_EH_ITCH(ecc->p.size));; if (ecc->p.bit_size == 255) { mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); /* Zero point has x = 0, y = 1, z = 1 */ mpn_zero (z, 3*ecc->p.size); z[ecc->p.size] = z[2*ecc->p.size] = 1; ecc_a_to_j (ecc, g, ecc->g); ecc_dup_eh (ecc, p, z, scratch); test_ecc_mul_h (i, 0, p); ecc_dup_eh (ecc, p, g, scratch); test_ecc_mul_h (i, 2, p); ecc_dup_eh (ecc, p, p, scratch); test_ecc_mul_h (i, 4, p); free (z); } else { ecc_a_to_j (ecc, g, ecc->g); ecc_dup_jj (ecc, p, g, scratch); test_ecc_mul_h (i, 2, p); ecc_dup_jj (ecc, p, p, scratch); test_ecc_mul_h (i, 4, p); } free (p); free (g); free (scratch); } } nettle-3.4.1/testsuite/ecc-mul-g-test.c0000644000175000017500000000271213401564746016775 0ustar nissenisse#include "testutils.h" void test_main (void) { gmp_randstate_t rands; mpz_t r; unsigned i; gmp_randinit_default (rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); mp_limb_t *scratch = xalloc_limbs (ecc->mul_g_itch); mpn_zero (n, size); n[0] = 1; ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (mpn_cmp (p, ecc->g, 2*size) != 0) { fprintf (stderr, "ecc->mul_g with n = 1 failed.\n"); abort (); } for (n[0] = 2; n[0] <= 4; n[0]++) { ecc->mul_g (ecc, p, n, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (ecc->p.bit_size == 255) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); if (mpn_cmp (p, ecc->g, 2*size) != 0) { fprintf (stderr, "ecc->mul_g with n = order - 1 failed.\n"); abort (); } free (n); free (p); free (q); free (scratch); } mpz_clear (r); gmp_randclear (rands); } nettle-3.4.1/testsuite/rsa2sexp-test.c0000644000175000017500000000573713401564746017005 0ustar nissenisse#include "testutils.h" #include "buffer.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key priv; struct nettle_buffer buffer; rsa_public_key_init(&pub); rsa_private_key_init(&priv); mpz_set_str(pub.n, "085c3408989acae4faec3cbbad91c90d34c1d259cd74121a" "36f38b0b51424a9b2be514a04377113a6cdafe79dd7d5f2e" "cc8b5e9661189b86a7b22239907c25", 16); mpz_set_str(pub.e, "36ad4b1d", 16); ASSERT(rsa_public_key_prepare(&pub)); mpz_set_str(priv.d, "06ee6d4ff3c239e408150daf8117abfa36a40ad4455d9059" "a86d52f33a2de07418a0a699594588c64810248c9412d554" "f74af947c73c32007e87c92f0937ed", 16); mpz_set_str(priv.p, "03259879b24315e9cf14254824c7935d807cdb6990f414a0" "f65e6065130a611f", 16); mpz_set_str(priv.q, "02a81ba73bad45fc73b36deffce52d1b73e0747f4d8a8264" "8cecd310448ea63b", 16); mpz_set_str(priv.a, "026cbdad5dd0046e093f060ecd5b4ac918e098b0278bb752" "b7cadd6a8944f0b9", 16); mpz_set_str(priv.b, "0148751e622d6d58e3bb094afd6edacf7370351d068e2ce9" "f565c5528c4a7473", 16); mpz_set_str(priv.c, "f8a458ea73a018dc6fa56863e3bc6de405f364f77dee6f09" "62679ea1a8282e", 16); ASSERT(rsa_private_key_prepare(&priv)); nettle_buffer_init(&buffer); ASSERT(rsa_keypair_to_sexp(&buffer, "rsa", &pub, &priv)); if (verbose) { printf("private:"); print_hex(buffer.size, buffer.contents); } ASSERT(MEMEQ(buffer.size, buffer.contents, H("2831313a707269766174652d6b657928" "333a72736128313a6e36333a085c3408" "989acae4faec3cbbad91c90d34c1d259" "cd74121a36f38b0b51424a9b2be514a0" "4377113a6cdafe79dd7d5f2ecc8b5e96" "61189b86a7b22239907c252928313a65" "343a36ad4b1d2928313a6436333a06ee" "6d4ff3c239e408150daf8117abfa36a4" "0ad4455d9059a86d52f33a2de07418a0" "a699594588c64810248c9412d554f74a" "f947c73c32007e87c92f0937ed292831" "3a7033323a03259879b24315e9cf1425" "4824c7935d807cdb6990f414a0f65e60" "65130a611f2928313a7133323a02a81b" "a73bad45fc73b36deffce52d1b73e074" "7f4d8a82648cecd310448ea63b292831" "3a6133323a026cbdad5dd0046e093f06" "0ecd5b4ac918e098b0278bb752b7cadd" "6a8944f0b92928313a6233323a014875" "1e622d6d58e3bb094afd6edacf737035" "1d068e2ce9f565c5528c4a7473292831" "3a6333323a00f8a458ea73a018dc6fa5" "6863e3bc6de405f364f77dee6f096267" "9ea1a8282e292929"))); nettle_buffer_clear(&buffer); ASSERT(rsa_keypair_to_sexp(&buffer, NULL, &pub, NULL)); if (verbose) { printf("public:"); print_hex(buffer.size, buffer.contents); } ASSERT(MEMEQ(buffer.size, buffer.contents, H("2831303a7075626c69632d6b65792839" "3a7273612d706b63733128313a6e3633" "3a085c3408989acae4faec3cbbad91c9" "0d34c1d259cd74121a36f38b0b51424a" "9b2be514a04377113a6cdafe79dd7d5f" "2ecc8b5e9661189b86a7b22239907c25" "2928313a65343a36ad4b1d292929"))); nettle_buffer_clear(&buffer); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); } nettle-3.4.1/testsuite/ecdsa-keygen-test.c0000644000175000017500000000644513401564746017572 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" /* Check if y^2 = x^3 - 3x + b */ static int ecc_valid_p (struct ecc_point *pub) { mpz_t t, x, y; mpz_t lhs, rhs; int res; mp_size_t size; size = pub->ecc->p.size; /* First check range */ if (mpn_cmp (pub->p, pub->ecc->p.m, size) >= 0 || mpn_cmp (pub->p + size, pub->ecc->p.m, size) >= 0) return 0; mpz_init (lhs); mpz_init (rhs); mpz_roinit_n (x, pub->p, size); mpz_roinit_n (y, pub->p + size, size); mpz_mul (lhs, y, y); if (pub->ecc->p.bit_size == 255) { /* Check that 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ mpz_t x2; mpz_init (x2); mpz_mul (x2, x, x); /* x^2 */ mpz_mul (rhs, x2, lhs); /* x^2 y^2 */ mpz_sub (lhs, x2, lhs); /* x^2 - y^2 */ mpz_add_ui (lhs, lhs, 1); /* 1 + x^2 - y^2 */ mpz_mul_ui (lhs, lhs, 121666); mpz_mul_ui (rhs, rhs, 121665); mpz_clear (x2); } else { /* Check y^2 = x^3 - 3 x + b */ mpz_mul (rhs, x, x); mpz_sub_ui (rhs, rhs, 3); mpz_mul (rhs, rhs, x); mpz_add (rhs, rhs, mpz_roinit_n (t, pub->ecc->b, size)); } res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, pub->ecc->p.m, size)); mpz_clear (lhs); mpz_clear (rhs); return res; } void test_main (void) { unsigned i; struct knuth_lfib_ctx rctx; struct dsa_signature signature; struct tstring *digest; knuth_lfib_init (&rctx, 4711); dsa_signature_init (&signature); digest = SHEX (/* sha256("abc") */ "BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; struct ecc_point pub; struct ecc_scalar key; if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size); ecc_point_init (&pub, ecc); ecc_scalar_init (&key, ecc); ecdsa_generate_keypair (&pub, &key, &rctx, (nettle_random_func *) knuth_lfib_random); if (verbose) { fprintf (stderr, "Public key:\nx = "); write_mpn (stderr, 16, pub.p, ecc->p.size); fprintf (stderr, "\ny = "); write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); fprintf (stderr, "\nPrivate key: "); write_mpn (stderr, 16, key.p, ecc->p.size); fprintf (stderr, "\n"); } if (!ecc_valid_p (&pub)) die ("ecdsa_generate_keypair produced an invalid point.\n"); ecdsa_sign (&key, &rctx, (nettle_random_func *) knuth_lfib_random, digest->length, digest->data, &signature); if (!ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify failed.\n"); digest->data[3] ^= 17; if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid digest.\n"); digest->data[3] ^= 17; mpz_combit (signature.r, 117); if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid signature.r.\n"); mpz_combit (signature.r, 117); mpz_combit (signature.s, 93); if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid signature.s.\n"); ecc_point_clear (&pub); ecc_scalar_clear (&key); } dsa_signature_clear (&signature); } nettle-3.4.1/testsuite/des-test.c0000644000175000017500000000635713401564746016010 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "des.h" static void test_des(const struct tstring *key, int expected_parity, const struct tstring *cleartext, const struct tstring *ciphertext) { struct des_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == DES_KEY_SIZE); data = xalloc(length); ASSERT (des_check_parity(8, key->data) == expected_parity); ASSERT (des_set_key(&ctx, key->data)); des_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } des_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } static void test_weak(const struct tstring *key) { struct des_ctx ctx; ASSERT (key->length == DES_KEY_SIZE); ASSERT (des_set_key(&ctx, key->data) == 0); } void test_main(void) { /* From Applied Cryptography */ test_des(SHEX("01234567 89ABCDEF"), 1, SHEX("01234567 89ABCDE7"), SHEX("C9574425 6A5ED31D")); test_des(SHEX("01 01 01 01 01 01 01 80"), 1, SHEX("00 00 00 00 00 00 00 00"), SHEX("9C C6 2D F4 3B 6E ED 74")); test_des(SHEX("80 01 01 01 01 01 01 01"), 1, SHEX("00 00 00 00 00 00 00 40"), SHEX("A3 80 E0 2A 6B E5 46 96")); test_des(SHEX("08 19 2A 3B 4C 5D 6E 7F"), 1, SHEX("00 00 00 00 00 00 00 00"), SHEX("25 DD AC 3E 96 17 64 67")); test_des(SHEX("01 23 45 67 89 AB CD EF"), 1, SDATA("Now is t"), SHEX("3F A4 0E 8A 98 4D 48 15")); /* Same key, but with one bad parity bit, */ test_des(SHEX("01 23 45 66 89 AB CD EF"), 0, SDATA("Now is t"), SHEX("3F A4 0E 8A 98 4D 48 15")); /* Parity check */ { const struct tstring *s = SHEX("01 01 01 01 01 01 01 00"); ASSERT (des_check_parity(s->length, s->data) == 0); } /* The four weak keys */ test_weak(SHEX("01 01 01 01 01 01 01 01")); test_weak(SHEX("FE FE FE FE FE FE FE FE")); test_weak(SHEX("1F 1F 1F 1F 0E 0E 0E 0E")); test_weak(SHEX("E0 E0 E0 E0 F1 F1 F1 F1")); /* Same weak key, but different parity. */ test_weak(SHEX("E0 E0 E0 E0 F0 F1 F1 F1")); /* The six pairs of semiweak keys */ test_weak(SHEX("01 FE 01 FE 01 FE 01 FE")); test_weak(SHEX("FE 01 FE 01 FE 01 FE 01")); test_weak(SHEX("1F E0 1F E0 0E F1 0E F1")); test_weak(SHEX("E0 1F E0 1F F1 0E F1 0E")); test_weak(SHEX("01 E0 01 E0 01 F1 01 F1")); test_weak(SHEX("E0 01 E0 01 F1 01 F1 01")); test_weak(SHEX("1F FE 1F FE 0E FE 0E FE")); test_weak(SHEX("FE 1F FE 1F FE 0E FE 0E")); test_weak(SHEX("01 1F 01 1F 01 0E 01 0E")); test_weak(SHEX("1F 01 1F 01 0E 01 0E 01")); test_weak(SHEX("E0 FE E0 FE F1 FE F1 FE")); test_weak(SHEX("FE E0 FE E0 FE F1 FE F1")); } nettle-3.4.1/testsuite/teardown-env0000755000175000017500000000025513401564746016442 0ustar nissenisse#! /bin/sh rm -rf testkey.priv testkey.pub testtmp testsignature testsignature2 case "$EMULATOR" in wine*) find . -type l -name '*.dll' -exec rm -f '{}' ';' ;; esac nettle-3.4.1/testsuite/ecc-mod-test.c0000644000175000017500000001257013401564746016536 0ustar nissenisse#include "testutils.h" #include #include #include static void ref_mod (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { mpz_t r, a, m; mpz_init (r); mpz_mod (r, mpz_roinit_n (a, ap, 2*mn), mpz_roinit_n (m, mp, mn)); mpz_limbs_copy (rp, r, mn); mpz_clear (r); } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 50000 static void test_one(const char *name, const struct ecc_modulo *m, const mpz_t r) { mp_limb_t a[MAX_SIZE]; mp_limb_t t[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; mpz_limbs_copy (a, r, 2*m->size); ref_mod (ref, a, m->m, m->size); mpn_copyi (t, a, 2*m->size); m->mod (m, t); if (mpn_cmp (t, m->m, m->size) >= 0) mpn_sub_n (t, t, m->m, m->size); if (mpn_cmp (t, ref, m->size)) { fprintf (stderr, "m->mod %s failed: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } if (m->B_size < m->size) { mpn_copyi (t, a, 2*m->size); ecc_mod (m, t); if (mpn_cmp (t, m->m, m->size) >= 0) mpn_sub_n (t, t, m->m, m->size); if (mpn_cmp (t, ref, m->size)) { fprintf (stderr, "ecc_mod %s failed: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } } } static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m, unsigned count) { mpz_t r; unsigned j; mpz_init (r); for (j = 0; j < count; j++) { if (j & 1) mpz_rrandomb (r, rands, 2*m->size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, 2*m->size * GMP_NUMB_BITS); test_one (name, m, r); } mpz_clear (r); } static void test_fixed (void) { mpz_t r; mpz_init (r); /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFF001C2C00", 16); mpz_mul_2exp (r, r, 256); test_one ("p", &nettle_secp_256r1.p, r); test_one ("q", &nettle_secp_256r1.q, r); mpz_set_str (r, "ffffffff00000001fffffffeffffffffffffffffffffffffffffffc0000000000007ffffffffffffffffffffffffffff00000000000000000fffffffffffffff", 16); test_one ("p", &nettle_secp_256r1.p, r); test_one ("q", &nettle_secp_256r1.q, r); /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "4c9000000000000000000000000000000000000000000000004a604db486e000000000000000000000000000000000000000121025be29575adb2c8ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 16); test_one ("p", &nettle_secp_384r1.p, r); test_one ("q", &nettle_secp_384r1.q, r); /* Triggered a carry bug in development version. */ mpz_set_str (r, "e64a84643150260640e4677c19ffc4faef06042132b86af6e9ee33fe1850222e57a514d5f1d6d444008bb896a96a43d5629945e57548f5e12f66be132b24110cbb2df6d7d3dd3aaadc98b0bbf29573843ad72e57f59fc5d4f56cc599da18bb99", 16); test_one ("p", &nettle_secp_384r1.p, r); test_one ("q", &nettle_secp_384r1.q, r); mpz_clear (r); } static void test_patterns (const char *name, const struct ecc_modulo *m) { mpz_t r; unsigned j; mpz_init (r); for (j = m->bit_size; j < 2*m->bit_size; j++) { mpz_set_ui (r, 1); mpz_mul_2exp (r, r, j); test_one (name, m, r); } mpz_clear (r); } #if !NETTLE_USE_MINI_GMP static void get_random_seed(mpz_t seed) { struct timeval tv; FILE *f; f = fopen ("/dev/urandom", "rb"); if (f) { uint8_t buf[8]; size_t res; setbuf (f, NULL); res = fread (&buf, sizeof(buf), 1, f); fclose(f); if (res == 1) { nettle_mpz_set_str_256_u (seed, sizeof(buf), buf); return; } fprintf (stderr, "Read of /dev/urandom failed: %s\n", strerror (errno)); } gettimeofday(&tv, NULL); mpz_set_ui (seed, tv.tv_sec); mpz_mul_ui (seed, seed, 1000000UL); mpz_add_ui (seed, seed, tv.tv_usec); } #endif /* !NETTLE_USE_MINI_GMP */ void test_main (void) { const char *nettle_test_seed; gmp_randstate_t rands; unsigned count = COUNT; unsigned i; gmp_randinit_default (rands); test_fixed (); for (i = 0; ecc_curves[i]; i++) { test_patterns ("p", &ecc_curves[i]->p); test_patterns ("q", &ecc_curves[i]->p); } #if !NETTLE_USE_MINI_GMP nettle_test_seed = getenv ("NETTLE_TEST_SEED"); if (nettle_test_seed && *nettle_test_seed) { mpz_t seed; mpz_init (seed); if (mpz_set_str (seed, nettle_test_seed, 0) < 0 || mpz_sgn (seed) < 0) die ("Invalid NETTLE_TEST_SEED: %s\n", nettle_test_seed); if (mpz_sgn (seed) == 0) get_random_seed (seed); fprintf (stderr, "Using NETTLE_TEST_SEED="); mpz_out_str (stderr, 10, seed); fprintf (stderr, "\n"); gmp_randseed (rands, seed); mpz_clear (seed); count *= 20; } #endif /* !NETTLE_USE_MINI_GMP */ for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p, count); test_modulo (rands, "q", &ecc_curves[i]->q, count); } gmp_randclear (rands); } nettle-3.4.1/testsuite/dsa-keygen-test.c0000644000175000017500000000313313401564746017251 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" static void progress(void *ctx UNUSED, int c) { fputc(c, stderr); } void test_main(void) { struct dsa_public_key pub; struct dsa_private_key key; struct dsa_params *params; struct knuth_lfib_ctx lfib; dsa_private_key_init(&key); dsa_public_key_init(&pub); knuth_lfib_init(&lfib, 13); params = (struct dsa_params *) &pub; ASSERT (dsa_compat_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 160)); test_dsa_key(params, pub.y, key.x, 160); test_dsa160(&pub, &key, NULL); ASSERT (dsa_compat_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2048, 256)); test_dsa_key(params, pub.y, key.x, 256); test_dsa256(&pub, &key, NULL); ASSERT (dsa_compat_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2048, 224)); test_dsa_key(params, pub.y, key.x, 224); test_dsa256(&pub, &key, NULL); /* Test with large q */ if (!dsa_generate_params (params, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 768)) FAIL(); dsa_generate_keypair (params, pub.y, key.x, &lfib, (nettle_random_func *) knuth_lfib_random); test_dsa_key(params, pub.y, key.x, 768); test_dsa256(&pub, &key, NULL); dsa_public_key_clear(&pub); dsa_private_key_clear(&key); } nettle-3.4.1/testsuite/pss-test.c0000644000175000017500000000504313401564746016031 0ustar nissenisse#include "testutils.h" #include "pss.h" void test_main(void) { struct tstring *salt; struct tstring *digest; mpz_t m; mpz_t expected; /* From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */ mpz_init(m); mpz_init(expected); salt = SHEX("e3b5d5d002c1bce50c2b65ef88a188d83bce7e61"); digest = SHEX("37b66ae0445843353d47ecb0b4fd14c110e62d6a"); ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha1, salt->length, salt->data, digest->data)); mpz_set_str(expected, "66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee" "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd" "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3" "183a311fc896da1cb39311af37ea4a75e24bdbfd5c1da0de7cecdf" "1a896f9d8bc816d97cd7a2c43bad546fbe8cfebc", 16); ASSERT(mpz_cmp(m, expected) == 0); mpz_add_ui(m, m, 2); ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha1, salt->length, digest->data)); mpz_sub_ui(m, m, 2); ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha1, salt->length, digest->data)); mpz_clear(m); mpz_clear(expected); /* Test with our own data. */ mpz_init(m); mpz_init(expected); salt = SHEX("11223344556677889900"); /* From sha256-test.c */ digest = SHEX("ba7816bf8f01cfea 414140de5dae2223" "b00361a396177a9c b410ff61f20015ad"); mpz_set_str(expected, "76b9a52705c8382c5367732f993184eff340b6305c9f73e7e308c8" "004fcc15cbbaab01e976bae4b774628595379a2d448a36b3ea6fa8" "353b97eeea7bdac93b4b7807ac98cd4b3bebfb31f3718e1dd3625f" "227fbb8696606498e7070e21c3cbbd7386ea20eb81ac7927e0c6d1" "d7788826a63af767f301bcc05dd65b00da862cbc", 16); /* Try bad salt */ salt->data[6] = 0x00; ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha256, salt->length, salt->data, digest->data)); ASSERT(mpz_cmp(m, expected) != 0); /* Try the good salt */ salt->data[6] = 0x77; ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha256, salt->length, salt->data, digest->data)); ASSERT(mpz_cmp(m, expected) == 0); /* Try bad message */ mpz_add_ui(m, m, 2); ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try the good message */ mpz_sub_ui(m, m, 2); ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try bad digest */ digest->data[17] = 0x00; ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try the good digest */ digest->data[17] = 0x03; ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); mpz_clear(m); mpz_clear(expected); } nettle-3.4.1/testsuite/ecdh-test.c0000644000175000017500000002072013401564746016126 0ustar nissenisse/* ecdh-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" static void set_point (struct ecc_point *p, const char *x, const char *y) { mpz_t X, Y; mpz_init_set_str (X, x, 0); mpz_init_set_str (Y, y, 0); if (!ecc_point_set (p, X, Y)) die ("Test point not on curve!\n"); mpz_clear (X); mpz_clear (Y); } static void set_scalar (struct ecc_scalar *s, const char *x) { mpz_t X; mpz_init_set_str (X, x, 0); ecc_scalar_set (s, X); mpz_clear (X); } static void check_point (const char *name, const char *label, const struct ecc_point *P, const struct ecc_point *R) { mpz_t px, py, rx, ry; mpz_init (px); mpz_init (py); mpz_init (rx); mpz_init (ry); ecc_point_get (P, px, py); ecc_point_get (R, rx, ry); /* FIXME: Should have a public point compare function */ if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0) { fprintf (stderr, "Failed %s %s\np_x = ", name, label); mpz_out_str (stderr, 10, px); fprintf (stderr, "\nr_x = "); mpz_out_str (stderr, 10, rx); fprintf (stderr, " (expected)\np_y = "); mpz_out_str (stderr, 10, py); fprintf (stderr, "\nr_y = "); mpz_out_str (stderr, 10, ry); fprintf (stderr, " (expected)\n"); abort (); } mpz_clear (px); mpz_clear (py); mpz_clear (rx); mpz_clear (ry); } static void test_dh (const char *name, const struct ecc_curve *ecc, const char *a_priv, const char *ax, const char *ay, const char *b_priv, const char *bx, const char *by, const char *sx, const char *sy) { struct ecc_point A, B, S, T; struct ecc_scalar A_priv, B_priv; ecc_scalar_init (&A_priv, ecc); set_scalar (&A_priv, a_priv); ecc_point_init (&A, ecc); set_point (&A, ax, ay); ecc_scalar_init (&B_priv, ecc); set_scalar (&B_priv, b_priv); ecc_point_init (&B, ecc); set_point (&B, bx, by); ecc_point_init (&S, ecc); set_point (&S, sx, sy); ecc_point_init (&T, ecc); ecc_point_mul_g (&T, &A_priv); check_point (name, "a g", &T, &A); ecc_point_mul (&T, &B_priv, &T); check_point (name, "b (a g)", &T, &S); ecc_point_mul_g (&T, &B_priv); check_point (name, "b g", &T, &B); ecc_point_mul (&T, &A_priv, &T); check_point (name, "a (b g)", &T, &S); ecc_scalar_clear (&A_priv); ecc_scalar_clear (&B_priv); ecc_point_clear (&A); ecc_point_clear (&B); ecc_point_clear (&S); ecc_point_clear (&T); } void test_main(void) { test_dh ("secp-192r1", &nettle_secp_192r1, "3406157206141798348095184987208239421004566462391397236532", "1050363442265225480786760666329560655512990381040021438562", "5298249600854377235107392014200406283816103564916230704184", "738368960171459956677260317271477822683777845013274506165", "2585840779771604687467445319428618542927556223024046979917", "293088185788565313717816218507714888251468410990708684573", "149293809021051532782730990145509724807636529827149481690", "2891131861147398318714693938158856874319184314120776776192"); test_dh ("secp-224r1", &nettle_secp_224r1, "1321072106881784386340709783538698930880431939595776773514895067682", "6768311794185371282972144247871764855860666277647541840973645586477", "2880077809069104378181313860274147139049600284805670362929579614547", "13934723037778859565852601874354272638301919827851286722006496784914", "373124771833407982305885866158843810218322878380632071540538232035", "24223309755162432227459925493224336241652868856405241018762887667883", "8330362698029245839097779050425944245826040430538860338085968752913", "24167244512472228715617822000878192535267113543393576038737592837010"); test_dh ("secp-256r1", &nettle_secp_256r1, "94731533361265297353914491124013058635674217345912524033267198103710636378786", "22441589863306126152768848344973918725077248391248404659242620344938484650846", "8673475622926171928656873398933611700804732317466515884933832073457396747355", "97657865959185011849283028361556797595752581630732610898393589042714626616209", "18453500628354973083413728373777272885280811435138222441593126858566687017580", "14365748655141740924607822284126054269177292284541187981786689038777833170313", "102958799567030688009123101477538973715497039396202015119148334812951370853564", "29188877854984806245046208182450375893010623119030341548941791125497546766367"); test_dh ("secp-384r1", &nettle_secp_384r1, "39086550219018474560700767788227987514008150214902287969462741484831311917159729009715909108606822193356890811565070", "15536343869384820642787280162462493474000839389760580357050317691132784247078954166759523572989472049798969369413707", "23268351460749985365652822073294615614961429585671989812206213135127969284347174876010177880230302801199500921999966", "36869963309577906178833120963925446333578086292605692048464445726274368063284094788012795873582576522541658781990645", "6571571183519639697971973492227725184968062063941037806786906539419849188357322949908539215960508669158121817812397", "36555212611228586427448926841660565534959679681904941933188284044726925984417589749068550977832780023128545833460008", "27780263733159299625371532605243698753833039933618994121416145881861678645978369807598146716869504289033472077532789", "12327518461490664021199432424728005314646140038116972426756705356672414772151215711157356913456651047992140493843405"); test_dh ("secp-521r1", &nettle_secp_521r1, "1177787298234877762125077260641419691552146813662613924864132680693789861345339466386194840381422980702458955378518702648732728796955434922249345867267377826", "3168153642368000846168628288850857848098131369578410603904155841373678828215434925507474033105518841999665785152501356092020415699294327720257651796364374116", "278603899104240796379373331240296114411332466119196525390128418935585486485808560319073463912513286987331907013829243645911963547435764718505394265715321106", "4632844957395758597246278843156350179301194123641664447791935593091018103746003967476919616681982477804041933745387575872964923485212972039478646226080044590", "3278857364905061449863537070675297207767865967146919975942590789168732752489407699106980407552332044280575891715425195464227794423128203118286002006478070253", "4488572162727491199625798812850846214916160870437505769058530973184916706326908828109446998319674522651965593412129100088877891410841200092694907512496020182", "2126311732129869456512627735193938710331935978955001830871465201548004444073866677974896970734635601049909886616595755762740651165670628002084824920216966370", "4803556648772727869384704240411011976585308117802975396033423138930126997561438092192867119930177133880625991019440171972612468402200399449807843995563872782"); /* NOTE: This isn't the standard way to do curve25519 diffie-hellman, but it tests that the ecc_point interface works also with curve25519. */ test_dh ("curve25519", &_nettle_curve25519, "238301186166219052901200372289459967515481170332211409964804596991365959539", "14283836751943535877833976277675258994717521964638468784408792140505262281235", "43912344711849354965202408139054167824861850336739416536288592824181793690574", "3795950278952272509684177709511717492358770264218705926196469999516028451559", "9468726108732441384988851273894214794301501512287024874346147472389705411936", "38072138078045635808869930165213470653418146012939584392304609812494425185763", "10481077163111981870382976851703705086808805457403127024129174358161599078055", "29260211489972704256554624312266763530759418996739976957020673870747051409679"); } nettle-3.4.1/testsuite/setup-env0000755000175000017500000000027313401564746015757 0ustar nissenisse#! /bin/sh set -e # Workaround, it seems difficult to convince wine to put ../lib into PATH. case "$EMULATOR" in wine*) for f in ../.lib/*.dll ; do ln -sf "$f" . done ;; esac nettle-3.4.1/testsuite/eddsa-verify-test.c0000644000175000017500000001130613401564746017605 0ustar nissenisse/* eddsa-verify-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" static void test_eddsa (const struct ecc_curve *ecc, const struct nettle_hash *H, const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) { mp_limb_t *A = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *scratch = xalloc_limbs (_eddsa_verify_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *cmsg = xalloc (msg->length); uint8_t *csignature = xalloc (2*nbytes); void *ctx = xalloc (H->context_size); if (!_eddsa_decompress (ecc, A, pub, scratch)) die ("Invalid eddsa public key.\n"); memcpy (csignature, signature, 2*nbytes); if (!_eddsa_verify (ecc, H, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "eddsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\npub = ", ecc->p.bit_size); print_hex (nbytes, pub); fprintf (stderr, "\nmsg = "); tstring_print_hex (msg); fprintf (stderr, "\nsign = "); print_hex (2*nbytes, csignature); fprintf (stderr, "\n"); abort(); } memcpy (csignature, signature, 2*nbytes); csignature[nbytes/3] ^= 0x40; if (_eddsa_verify (ecc, H, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature r.\n"); goto fail; } memcpy (csignature, signature, 2*nbytes); csignature[5*nbytes/3] ^= 0x8; if (_eddsa_verify (ecc, H, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature s.\n"); goto fail; } if (msg->length == 0) { if (_eddsa_verify (ecc, H, pub, A, ctx, LDATA("foo"), signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with different message.\n"); goto fail; } } else { if (_eddsa_verify (ecc, H, pub, A, ctx, msg->length - 1, msg->data, signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with truncated message.\n"); goto fail; } memcpy (cmsg, msg->data, msg->length); cmsg[2*msg->length / 3] ^= 0x20; if (_eddsa_verify (ecc, H, pub, A, ctx, msg->length, cmsg, signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with modified message.\n"); goto fail; } } free (A); free (scratch); free (cmsg); free (csignature); free (ctx); } void test_main (void) { test_eddsa (&_nettle_curve25519, &nettle_sha512, H("d75a980182b10ab7 d54bfed3c964073a" "0ee172f3daa62325 af021a68f707511a"), SHEX(""), H("e5564300c360ac72 9086e2cc806e828a" "84877f1eb8e5d974 d873e06522490155" "5fb8821590a33bac c61e39701cf9b46b" "d25bf5f0595bbe24 655141438e7a100b")); test_eddsa (&_nettle_curve25519, &nettle_sha512, H("3d4017c3e843895a 92b70aa74d1b7ebc" "9c982ccf2ec4968c c0cd55f12af4660c"), SHEX("72"), H("92a009a9f0d4cab8 720e820b5f642540" "a2b27b5416503f8f b3762223ebdb69da" "085ac1e43e15996e 458f3613d0f11d8c" "387b2eaeb4302aee b00d291612bb0c00")); test_eddsa (&_nettle_curve25519, &nettle_sha512, H("1ed506485b09a645 0be7c9337d9fe87e" "f99c96f8bd11cd63 1ca160d0fd73067e"), SHEX("fbed2a7df418ec0e 8036312ec239fcee" "6ef97dc8c2df1f2e 14adee287808b788" "a6072143b851d975 c8e8a0299df846b1" "9113e38cee83da71 ea8e9bd6f57bdcd3" "557523f4feb616ca a595aea01eb0b3d4" "90b99b525ea4fbb9 258bc7fbb0deea8f" "568cb2"), H("cbef65b6f3fd5809 69fc3340cfae4f7c" "99df1340cce54626 183144ef46887163" "4b0a5c0033534108 e1c67c0dc99d3014" "f01084e98c95e101 4b309b1dbb2e6704")); } nettle-3.4.1/testsuite/ecdsa-verify-test.c0000644000175000017500000001220313401564746017601 0ustar nissenisse#include "testutils.h" static void test_ecdsa (const struct ecc_curve *ecc, /* Public key */ const char *xs, const char *ys, /* Hash */ struct tstring *h, /* Valid signature */ const char *r, const char *s) { struct ecc_point pub; struct dsa_signature signature; mpz_t x, y; ecc_point_init (&pub, ecc); dsa_signature_init (&signature); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); if (!ecc_point_set (&pub, x, y)) die ("ecc_point_set failed.\n"); mpz_set_str (signature.r, r, 16); mpz_set_str (signature.s, s, 16); if (!ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size); mpz_out_str (stderr, 16, x); fprintf (stderr, "\ny = "); mpz_out_str (stderr, 16, y); fprintf (stderr, "\ndigest "); print_hex (h->length, h->data); fprintf (stderr, "r = "); mpz_out_str (stderr, 16, signature.r); fprintf (stderr, "\ns = "); mpz_out_str (stderr, 16, signature.s); fprintf (stderr, "\n"); abort(); } mpz_combit (signature.r, ecc->p.bit_size / 3); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } mpz_combit (signature.r, ecc->p.bit_size / 3); mpz_combit (signature.s, 4*ecc->p.bit_size / 5); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } mpz_combit (signature.s, 4*ecc->p.bit_size / 5); h->data[2*h->length / 3] ^= 0x40; if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } h->data[2*h->length / 3] ^= 0x40; if (!ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify failed, internal testsuite error.\n"); goto fail; } ecc_point_clear (&pub); dsa_signature_clear (&signature); mpz_clear (x); mpz_clear (y); } void test_main (void) { /* From RFC 4754 */ test_ecdsa (&nettle_secp_256r1, "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" "BF42D60C BCA20085 E0822CB0 4235E970", /* x */ "6FC98BD7 E50211A4 A27102FA 3549DF79" "EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D", /* y */ SHEX("BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"), /* h */ "CB28E099 9B9C7715 FD0A80D8 E47A7707" "9716CBBF 917DD72E 97566EA1 C066957C", /* r */ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ test_ecdsa (&nettle_secp_384r1, "96281BF8 DD5E0525 CA049C04 8D345D30" "82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922", /* x */ "447688BA 94708EB6 E2E4D59F 6AB6D7ED" "FF9301D2 49FE49C3 3096655F 5D502FAD" "3D383B91 C5E7EDAA 2B714CC9 9D5743CA", /* y */ SHEX("CB00753F 45A35E8B B5A03D69 9AC65007" "272C32AB 0EDED163 1A8B605A 43FF5BED" "8086072B A1E7CC23 58BAECA1 34C825A7"), /* h */ "FB017B91 4E291494 32D8BAC2 9A514640" "B46F53DD AB2C6994 8084E293 0F1C8F7E" "08E07C9C 63F2D21A 07DCB56A 6AF56EB3", /* r */ "B263A130 5E057F98 4D38726A 1B468741" "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ test_ecdsa (&nettle_secp_521r1, "0151518F 1AF0F563 517EDD54 85190DF9" "5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018" "8901CECD 650699C9 B5E456AE A5ADD190" "52A8", /* x */ "006F3B14 2EA1BFFF 7E2837AD 44C9E4FF" "6D2D34C7 3184BBAD 90026DD5 E6E85317" "D9DF45CA D7803C6C 20035B2F 3FF63AFF" "4E1BA64D 1C077577 DA3F4286 C58F0AEA" "E643", /* y */ SHEX("DDAF35A1 93617ABA CC417349 AE204131" "12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A" "2192992A 274FC1A8 36BA3C23 A3FEEBBD" "454D4423 643CE80E 2A9AC94F A54CA49F"), /* h */ "0154FD38 36AF92D0 DCA57DD5 341D3053" "988534FD E8318FC6 AAAAB68E 2E6F4339" "B19F2F28 1A7E0B22 C269D93C F8794A92" "78880ED7 DBB8D936 2CAEACEE 54432055" "2251", /* r */ "017705A7 030290D1 CEB605A9 A1BB03FF" "9CDD521E 87A696EC 926C8C10 C8362DF4" "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ test_ecdsa (&_nettle_curve25519, /* Public key corresponding to the key in ecdsa-sign-test */ "59f8f317fd5f4e82 c02f8d4dec665fe1" "230f83b8572638e1 b2ac34a30028e24d", /* x */ "1902a72dc1a6525a 811b9c1845978d56" "fd97dce5e278ebdd ec695349d7e41498", /* y */ SHEX("e99df2a098c3c590 ea1e1db6d9547339" "ae760d5331496119 5d967fd881e3b0f5"), /* h */ " 515c3a485f57432 0daf3353a0d08110" "64157c556296de09 4132f74865961b37", /* r */ " 78f23367291b01 3fc430fb09322d95" "4384723649868d8e 88effc7ac8b141d7"); /* s */ } nettle-3.4.1/testsuite/umac-test.c0000644000175000017500000003752013401564746016156 0ustar nissenisse#include "testutils.h" #include "umac.h" /* FIXME: Missing tests: Getting to unlikely cases in the poly64 and poly128 operations. */ static void update (void *ctx, nettle_hash_update_func *f, const struct tstring *msg, size_t length) { for (; length > msg->length; length -= msg->length) f(ctx, msg->length, msg->data); f(ctx, length, msg->data); } static void check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, const struct tstring *msg, size_t length, size_t tag_length, const uint8_t *ref) { uint8_t tag[16]; f(ctx, tag_length, tag); if (memcmp (tag, ref, tag_length) != 0) { printf ("%s failed\n", name); printf ("msg: "); print_hex (msg->length, msg->data); printf ("length: %lu\n", (unsigned long) length); printf ("tag: "); print_hex (tag_length, tag); printf ("ref: "); print_hex (tag_length, ref); abort (); } } static void test_umac (const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, size_t length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; ASSERT (key->length == UMAC_KEY_SIZE); ASSERT (ref32->length == 4); ASSERT (ref64->length == 8); ASSERT (ref128->length == 16); umac32_set_key (&ctx32, key->data); umac32_set_nonce (&ctx32, nonce->length, nonce->data); update(&ctx32, (nettle_hash_update_func *) umac32_update, msg, length); check_digest ("umac32", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, length, 4, ref32->data); umac64_set_key (&ctx64, key->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); update(&ctx64, (nettle_hash_update_func *) umac64_update, msg, length); check_digest ("umac64", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, length, 8, ref64->data); umac96_set_key (&ctx96, key->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); update(&ctx96, (nettle_hash_update_func *) umac96_update, msg, length); check_digest ("umac96", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, length, 12, ref128->data); umac128_set_key (&ctx128, key->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); update(&ctx128, (nettle_hash_update_func *) umac128_update, msg, length); check_digest ("umac128", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, length, 16, ref128->data); } static void test_align(const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, size_t length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { uint8_t *buffer = xalloc(length + 16); unsigned offset; for (offset = 0; offset < 16; offset++) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; uint8_t *input; size_t i; memset(buffer, 17, length + 16); input = buffer + offset; for (i = 0; i + msg->length < length; i += msg->length) memcpy (input + i, msg->data, msg->length); memcpy (input + i, msg->data, length - i); umac32_set_key (&ctx32, key->data); umac32_set_nonce (&ctx32, nonce->length, nonce->data); umac32_update(&ctx32, length, input); check_digest ("umac32 (alignment)", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, length, 4, ref32->data); umac64_set_key (&ctx64, key->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); umac64_update(&ctx64, length, input); check_digest ("umac64 (alignment)", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, length, 8, ref64->data); umac96_set_key (&ctx96, key->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); umac96_update(&ctx96, length, input); check_digest ("umac96 (alignment)", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, length, 12, ref128->data); umac128_set_key (&ctx128, key->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); umac128_update(&ctx128, length, input); check_digest ("umac128 (alignment)", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, length, 16, ref128->data); } free (buffer); } static void test_incr (const struct tstring *key, const struct tstring *nonce, unsigned count, const struct tstring *msg, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; unsigned i; ASSERT (key->length == UMAC_KEY_SIZE); ASSERT (ref32->length == 4 * count); ASSERT (ref64->length == 8 * count); ASSERT (ref128->length == 16 * count); umac32_set_key (&ctx32, key->data); umac64_set_key (&ctx64, key->data); umac96_set_key (&ctx96, key->data); umac128_set_key (&ctx128, key->data); if (nonce) { umac32_set_nonce (&ctx32, nonce->length, nonce->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); } for (i = 0; i < count; i++) { umac32_update (&ctx32, msg->length, msg->data); check_digest ("umac32 incr", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, i, 4, ref32->data + 4*i); umac64_update (&ctx64, msg->length, msg->data); check_digest ("umac64 incr", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, i, 8, ref64->data + 8*i); umac96_update (&ctx96, msg->length, msg->data); check_digest ("umac96 incr", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, i, 12, ref128->data + 16*i); umac128_update (&ctx128, msg->length, msg->data); check_digest ("umac128 incr", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, i, 16, ref128->data + 16*i); } } void test_main(void) { /* From RFC 4418 (except that it lacks the last 32 bits of 128-bit tags) */ test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA(""), 0, SHEX("113145FB"), SHEX("6E155FAD26900BE1"), SHEX("32fedb100c79ad58f07ff7643cc60465")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("a"), 3, SHEX("3B91D102"), SHEX("44B5CB542F220104"), SHEX("185e4fe905cba7bd85e4c2dc3d117d8d")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("a"), 1<<10, SHEX("599B350B"), SHEX("26BF2F5D60118BD9"), SHEX("7a54abe04af82d60fb298c3cbd195bcb")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("aaaaaaaa"), 1<<15, SHEX("58DCF532"), SHEX("27F8EF643B0D118D"), SHEX("7b136bd911e4b734286ef2be501f2c3c")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("aaaaaaaa"), 1<<20, SHEX("DB6364D1"), SHEX("A4477E87E9F55853"), SHEX("f8acfa3ac31cfeea047f7b115b03bef5")); /* Needs POLY128 */ /* For the 'a' * 2^25 testcase, see errata http://fastcrypto.org/umac/rfc4418.errata.txt */ test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("aaaaaaaa"), 1<<25, SHEX("85EE5CAE"), SHEX("FACA46F856E9B45F"), SHEX("a621c2457c0012e64f3fdae9e7e1870c")); test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("abc"), 3, SHEX("ABF3A3A0"), SHEX("D4D7B9F6BD4FBFCF"), SHEX("883c3d4b97a61976ffcf232308cba5a5")); test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("abc"), 1500, SHEX("ABEB3C8B"), SHEX("D4CF26DDEFD5C01A"), SHEX("8824a260c53c66a36c9260a62cb83aa1")); test_incr (SDATA("abcdefghijklmnop"), NULL, 6, SDATA("zero"), SHEX("a0e94011 8c6fea51 6d897143 db1b28c5 a75e23b7 44ea26be"), SHEX("a0e940111c9c2cd5 6d8971434be8ee41 c9c9aef87e2be502" "a0a112b593656107 a75e23b7d419e03a 950526f26a8cc07a"), SHEX("a0e940111c9c2cd5fa59090e3ac2061f" "cbbf18b799fd0f4afb9216e52a89f247" "c9c9aef87e2be50237716af8e24f8959" "d6e96ef461f54d1c85aa66cbd76ca336" "a75e23b7d419e03a02d55ebf1ba62824" "2e63031d182a59b84f148d9a91de70a3")); test_incr (SDATA("abcdefghijklmnop"), SDATA("a"), 5, SDATA("nonce-a"), SHEX("81b4ac24 b7e8aad0 f70246fe 0595f0bf a8e9fe85"), SHEX("b7e8aad0da6e7f99 138814c6a03bdadf fb77dd1cd4c7074f" "0595f0bf8585c7e2 817c0b7757cb60f7"), SHEX("d7604bffb5e368da5fe564da0068d2cc" "138814c6a03bdadff7f1666e1bd881aa" "86a016d9e67957c8ab5ebb78a673e4e9" "0595f0bf8585c7e28dfab00598d4e612" "3266ec16a9d85b4f0dc74ec8272238a9")); test_incr (SDATA("abcdefghijklmnop"), SHEX("beafcafe"), 5, SDATA("nonce-beaf-cafe"), SHEX("f19d9dc1 4604a56a 4ba9420e da86ff71 77facd79"), SHEX("9e878413aa079032 9cfd7af0bb107748 4ba9420e55b6ba13" "77facd797b686e24 9000c0de4f5f7236"), SHEX("9e878413aa0790329604f3b6ae980e58" "f2b2dd5dab08bb3bc5e9a83e1b4ab2e7" "4ba9420e55b6ba137d03443f6ee01734" "2721ca2e1bcda53a54ae65e0da139c0d" "9000c0de4f5f7236b81ae1a52e78a821")); /* Tests exercising various sizes of nonce and data: All nonce lengths from 1 to 16 bytes. Data sizes chosen for testing for various off-by-one errors, 0, 1, 2, 3, 4, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 2046, 2047, 2048, 2049, 2050 16777212, 16777213, 16777214, 16777215, 16777216, 16777217, 16778239, 16778240, 16778241, 16778242, 16778243, 16778244 */ test_umac (SDATA("abcdefghijklmnop"), SDATA("b"), SDATA("defdefdefdefdef"), 0, SHEX("3a58486b"), SHEX("9e38f67da91a08d9"), SHEX("9e38f67da91a08d9c980f4db4089c877")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bc"), SDATA("defdefdefdefdef"), 1, SHEX("d86b1512"), SHEX("fb0e207971b8e66a"), SHEX("ef406c2ec70d0222f59e860eabb79ed0")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcd"), SDATA("defdefdefdefdef"), 2, SHEX("1ae6e02d"), SHEX("1ae6e02d73aa9ab2"), SHEX("1ae6e02d73aa9ab2a27fb89e014dc07b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcde"), SDATA("defdefdefdefdef"), 3, SHEX("e8c1eb59"), SHEX("c81cf22342e84302"), SHEX("82626d0d575e01038e5e2cc6408216f5")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdef"), SDATA("defdefdefdefdef"), 4, SHEX("8950f0d3"), SHEX("aba003e7bd673cc3"), SHEX("aba003e7bd673cc368ba8513cecf2e7c")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefg"), SDATA("defdefdefdefdef"), 1020, SHEX("7412167c"), SHEX("f98828a161bb4ae3"), SHEX("d8b4811f747d588d7a913360960de7cf")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefgh"), SDATA("defdefdefdefdef"), 1021, SHEX("2d54936b"), SHEX("2d54936be5bff72d"), SHEX("2d54936be5bff72d2e1052361163b474")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("defdefdefdefdef"), 1022, SHEX("53ca8dd2"), SHEX("2cee9784556387b3"), SHEX("700513397f8a210a98938d3e7ac3bd88")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghij"), SDATA("defdefdefdefdef"), 1023, SHEX("26cc58df"), SHEX("24ac4284ca371f42"), SHEX("24ac4284ca371f4280f60bd274633d67")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 1024, SHEX("3cada45a"), SHEX("64c6a0fd14615a76"), SHEX("abc223116cedd2db5af365e641a97539")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijkl"), SDATA("defdefdefdefdef"), 1025, SHEX("93251e18"), SHEX("93251e18e56bbdc4"), SHEX("93251e18e56bbdc457de556f95c59931")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklm"), SDATA("defdefdefdefdef"), 1026, SHEX("24a4c3ab"), SHEX("5d98bd8dfaf16352"), SHEX("c1298672e52386753383a15ed58c0e42")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmn"), SDATA("defdefdefdefdef"), 1027, SHEX("e7e98945"), SHEX("5b0557c9fdcf661b"), SHEX("5b0557c9fdcf661b1758efc603516ebe")); /* Test varying the alignment of the buffer eventually passed to _umac_nh and _umac_nh_n. */ test_align (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 1024, SHEX("3cada45a"), SHEX("64c6a0fd14615a76"), SHEX("abc223116cedd2db5af365e641a97539")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmno"), SDATA("defdefdefdefdef"), 2046, SHEX("e12ddc9f"), SHEX("65e85d47447c2277"), SHEX("16bb5183017826ed47c9995c1e5834f3")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmnop"), SDATA("defdefdefdefdef"), 2047, SHEX("34d723a6"), SHEX("34d723a6cb1676d3"), SHEX("34d723a6cb1676d3547a5064dc5b0a37")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmnopq"), SDATA("defdefdefdefdef"), 2048, SHEX("21fd8802"), SHEX("3968d5d0af147884"), SHEX("84565620def1e3a614d274e87626f215")); test_umac (SDATA("abcdefghijklmnop"), SDATA("b"), SDATA("defdefdefdefdef"), 2049, SHEX("097e5abd"), SHEX("ad1ee4ab606061c5"), SHEX("ad1ee4ab606061c55e0d2ecfee59940a")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bc"), SDATA("defdefdefdefdef"), 2050, SHEX("a03a7fe9"), SHEX("835f4a8242100055"), SHEX("971106d5f4a5e41dce40a91704cfe1f3")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcd"), SDATA("defdefdefdefdef"), 16777212, SHEX("7ef41cf3"), SHEX("7ef41cf351960aaf"), SHEX("7ef41cf351960aaf729bb19fcee7d8c4")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcde"), SDATA("defdefdefdefdef"), 16777213, SHEX("8bf81932"), SHEX("ab250048807ff640"), SHEX("e15b9f6695c9b441de035e9b10b8ac32")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdef"), SDATA("defdefdefdefdef"), 16777214, SHEX("ddb2f0ab"), SHEX("ff42039fcfe1248e"), SHEX("ff42039fcfe1248e36c19efed14d7140")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefg"), SDATA("defdefdefdefdef"), 16777215, SHEX("e67ad507"), SHEX("6be0ebda623d76df"), SHEX("4adc426477fb64b1ce5afd76d505f048")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefgh"), SDATA("defdefdefdefdef"), 16777216, SHEX("42d8562a"), SHEX("42d8562a224a9e9a"), SHEX("42d8562a224a9e9a75c2f85d39462d07")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("defdefdefdefdef"), 16777217, SHEX("486b138d"), SHEX("374f09dbb0b84b88"), SHEX("6ba48d669a51ed3195ebc2aa562ee71b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghij"), SDATA("defdefdefdefdef"), 16778239, SHEX("850cb2c5"), SHEX("876ca89ed045777b"), SHEX("876ca89ed045777bf7efa7934e1758c2")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 16778240, SHEX("b9fc4f81"), SHEX("e1974b26fb35f2c6"), SHEX("2e93c8ca83b97a6b1a21082e2a4c540d")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijkl"), SDATA("defdefdefdefdef"), 16778241, SHEX("ffced8f2"), SHEX("ffced8f2494d85bf"), SHEX("ffced8f2494d85bf0cb39408ddfe0295")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklm"), SDATA("defdefdefdefdef"), 16778242, SHEX("1c99c5fb"), SHEX("65a5bbdda3b85368"), SHEX("f9148022bc6ab64f019e9db83704c17b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmn"), SDATA("defdefdefdefdef"), 16778243, SHEX("ec304be9"), SHEX("50dc9565fbfc4884"), SHEX(" 50dc9565fbfc48844a4be34403804605")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmno"), SDATA("defdefdefdefdef"), 16778244, SHEX("8034e26f"), SHEX("04f163b7c2d5d849"), SHEX("77a26f7387d1dcd39378a3220652cff7")); } nettle-3.4.1/testsuite/ripemd160-test.c0000644000175000017500000000215613401564746016735 0ustar nissenisse#include "testutils.h" #include "ripemd160.h" void test_main(void) { test_hash(&nettle_ripemd160, SDATA(""), SHEX("9c1185a5c5e9fc54612808977ee8f548b2258d31")); test_hash(&nettle_ripemd160, SDATA("a"), SHEX("0bdc9d2d256b3ee9daae347be6f4dc835a467ffe")); test_hash(&nettle_ripemd160, SDATA("abc"), SHEX("8eb208f7e05d987a9b044a8e98c6b087f15a0bfc")); test_hash(&nettle_ripemd160, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("f71c27109c692c1b56bbdceb5b9d2865b3708dbc")); test_hash(&nettle_ripemd160, SDATA("message digest"), SHEX("5d0689ef49d2fae572b881b123a85ffa21595f36")); test_hash(&nettle_ripemd160, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz0123456789"), SHEX("b0e20b6e3116640286ed3a87a5713079b21f5189")); test_hash(&nettle_ripemd160, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("9b752e45573d4b39f4dbd3323cab82bf63326bfb")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_ripemd160, SDATA("38"), SHEX("6b2d075b1cd34cd1c3e43a995f110c55649dad0e")); } nettle-3.4.1/testsuite/eddsa-sign-test.c0000644000175000017500000001111313401564746017235 0ustar nissenisse/* eddsa-sign-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" static void test_eddsa_sign (const struct ecc_curve *ecc, const struct nettle_hash *H, const struct tstring *public, const struct tstring *private, const struct tstring *msg, const struct tstring *ref) { mp_limb_t *scratch = xalloc_limbs (_eddsa_sign_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *signature = xalloc (2*nbytes); void *ctx = xalloc (H->context_size); uint8_t *public_out = xalloc (nbytes); uint8_t *digest = xalloc (2*nbytes); const uint8_t *k1 = digest + nbytes; mp_limb_t *k2 = xalloc_limbs (ecc->p.size); ASSERT (public->length == nbytes); ASSERT (private->length == nbytes); ASSERT (ref->length == 2*nbytes); _eddsa_expand_key (ecc, H, ctx, private->data, digest, k2); _eddsa_public_key (ecc, k2, public_out, scratch); if (!MEMEQ (nbytes, public_out, public->data)) { fprintf (stderr, "Bad public key from _eddsa_expand_key + _eddsa_public_key.\n"); fprintf (stderr, "got:"); print_hex (nbytes, public_out); fprintf (stderr, "\nref:"); tstring_print_hex (public); fprintf (stderr, "\n"); abort (); } H->update (ctx, nbytes, k1); _eddsa_sign (ecc, H, public->data, ctx, k2, msg->length, msg->data, signature, scratch); if (!MEMEQ (2*nbytes, signature, ref->data)) { fprintf (stderr, "Bad _eddsa_sign output.\n"); fprintf (stderr, "Public key:"); tstring_print_hex (public); fprintf (stderr, "\nPrivate key:"); tstring_print_hex (private); fprintf (stderr, "\nk2:"); mpn_out_str (stderr, 16, k2, ecc->p.size); fprintf (stderr, "\nMessage (length %u):", (unsigned) msg->length); tstring_print_hex (msg); fprintf (stderr, "\ngot:"); print_hex (2*nbytes, signature); fprintf (stderr, "\nref:"); tstring_print_hex (ref); fprintf (stderr, "\n"); abort (); } free (scratch); free (signature); free (ctx); free (digest); free (k2); free (public_out); } void test_main (void) { /* Based on a few of the test vectors at http://ed25519.cr.yp.to/python/sign.input */ test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, SHEX("d75a980182b10ab7 d54bfed3c964073a" "0ee172f3daa62325 af021a68f707511a"), SHEX("9d61b19deffd5a60 ba844af492ec2cc4" "4449c5697b326919 703bac031cae7f60"), SHEX(""), SHEX("e5564300c360ac72 9086e2cc806e828a" "84877f1eb8e5d974 d873e06522490155" "5fb8821590a33bac c61e39701cf9b46b" "d25bf5f0595bbe24 655141438e7a100b")); test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, SHEX("3d4017c3e843895a 92b70aa74d1b7ebc" "9c982ccf2ec4968c c0cd55f12af4660c"), SHEX("4ccd089b28ff96da 9db6c346ec114e0f" "5b8a319f35aba624 da8cf6ed4fb8a6fb"), SHEX("72"), SHEX("92a009a9f0d4cab8 720e820b5f642540" "a2b27b5416503f8f b3762223ebdb69da" "085ac1e43e15996e 458f3613d0f11d8c" "387b2eaeb4302aee b00d291612bb0c00")); test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, SHEX("1ed506485b09a645 0be7c9337d9fe87e" "f99c96f8bd11cd63 1ca160d0fd73067e"), SHEX("f215d34fe2d757cf f9cf5c05430994de" "587987ce45cb0459 f61ec6c825c62259"), SHEX("fbed2a7df418ec0e 8036312ec239fcee" "6ef97dc8c2df1f2e 14adee287808b788" "a6072143b851d975 c8e8a0299df846b1" "9113e38cee83da71 ea8e9bd6f57bdcd3" "557523f4feb616ca a595aea01eb0b3d4" "90b99b525ea4fbb9 258bc7fbb0deea8f" "568cb2"), SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c" "99df1340cce54626 183144ef46887163" "4b0a5c0033534108 e1c67c0dc99d3014" "f01084e98c95e101 4b309b1dbb2e6704")); } nettle-3.4.1/testsuite/meta-aead-test.c0000644000175000017500000000124013401564746017035 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "nettle-meta.h" const char* aeads[] = { "gcm_aes128", "gcm_aes192", "gcm_aes256", "gcm_camellia128", "gcm_camellia256", "eax_aes128", "chacha_poly1305", }; void test_main(void) { int i,j; int count = sizeof(aeads)/sizeof(*aeads); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_aeads[j]; j++) { if (0 == strcmp(aeads[i], nettle_aeads[j]->name)) break; } ASSERT(NULL != nettle_aeads[j]); /* make sure we found a matching aead */ } j = 0; while (NULL != nettle_aeads[j]) j++; ASSERT(j == count); /* we are not missing testing any aeads */ } nettle-3.4.1/testsuite/cast128-test.c0000644000175000017500000000344013401564746016410 0ustar nissenisse#include "testutils.h" #include "cast128.h" static void test_cast5(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct cast128_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; cast5_set_key(&ctx, key->length, key->data); cast128_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cast5_set_key(&ctx, key->length, key->data); cast128_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* Test vectors from B.1. Single Plaintext-Key-Ciphertext Sets, RFC * 2144 */ /* 128 bit key */ test_cipher(&nettle_cast128, SHEX("01 23 45 67 12 34 56 78" "23 45 67 89 34 56 78 9A"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("23 8B 4F E5 84 7E 44 B2")); /* 80 bit key */ test_cast5(SHEX("01 23 45 67 12 34 56 78 23 45"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("EB 6A 71 1A 2C 02 27 1B")); /* 40 bit key */ test_cast5(SHEX("01 23 45 67 12"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("7A C8 16 D1 6E 9B 30 2E")); } nettle-3.4.1/testsuite/twofish-test.c0000644000175000017500000000136013401564746016705 0ustar nissenisse#include "testutils.h" #include "twofish.h" void test_main(void) { /* 128 bit key */ test_cipher(&nettle_twofish128, SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000 0000000000000000"), SHEX("9F589F5CF6122C32 B6BFEC2F2AE8C35A")); /* 192 bit key */ test_cipher(&nettle_twofish192, SHEX("0123456789ABCDEF FEDCBA9876543210" "0011223344556677"), SHEX("0000000000000000 0000000000000000"), SHEX("CFD1D2E5A9BE9CDF 501F13B892BD2248")); /* 256 bit key */ test_cipher(&nettle_twofish256, SHEX("0123456789ABCDEF FEDCBA9876543210" "0011223344556677 8899AABBCCDDEEFF"), SHEX("0000000000000000 0000000000000000"), SHEX("37527BE0052334B8 9F0CFCCAE87CFA20")); } nettle-3.4.1/testsuite/sha1-test.c0000644000175000017500000000477313401564746016071 0ustar nissenisse#include "testutils.h" void test_main(void) { test_hash(&nettle_sha1, SDATA(""), SHEX("DA39A3EE5E6B4B0D 3255BFEF95601890 AFD80709")); test_hash(&nettle_sha1, SDATA("a"), SHEX("86F7E437FAA5A7FC E15D1DDCB9EAEAEA 377667B8")); test_hash(&nettle_sha1, SDATA("abc"), SHEX("A9993E364706816A BA3E25717850C26C 9CD0D89D")); test_hash(&nettle_sha1, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("32D10C7B8CF96570 CA04CE37F2A19D84 240D3A89")); test_hash(&nettle_sha1, SDATA("message digest"), SHEX("C12252CEDA8BE899 4D5FA0290A47231C 1D16AAE3")); test_hash(&nettle_sha1, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz0123456789"), SHEX("761C457BF73B14D2 7E9E9265C46F4B4D DA11F940")); test_hash(&nettle_sha1, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("50ABF5706A150990 A08B2C5EA40FA0E5 85554732")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_sha1, SDATA("38"), SHEX("5b384ce32d8cdef02bc3a139d4cac0a22bb029e8")); } /* These are intermediate values for the single sha1_compress call that results from the first testcase, SHA1(""). Each row is the values for A, B, C, D, E after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. i A B C D E -1: 67452301 efcdab89 98badcfe 10325476 c3d2e1f0 0: 67452301 7bf36ae2 98badcfe 10325476 1fb498b3 1: 59d148c0 7bf36ae2 98badcfe 5d43e370 1fb498b3 15: 40182905 4544b22e a13017ac ab703832 d8fd6547 16: 50060a41 4544b22e a13017ac 6bf9173 d8fd6547 17: 50060a41 4544b22e 28a9520e 6bf9173 f63f5951 18: 50060a41 b3088dd 28a9520e c1afe45c f63f5951 19: e758e8da b3088dd 8a2a5483 c1afe45c f63f5951 20: e758e8da 42cc2237 8a2a5483 c1afe45c 90eb9850 21: b9d63a36 42cc2237 8a2a5483 7dbb787d 90eb9850 38: e47bc31 62273351 b201788b 413c1d9a 2aeeae62 39: 9bdbdd71 62273351 ec805e22 413c1d9a 2aeeae62 40: 9bdbdd71 5889ccd4 ec805e22 413c1d9a 95aa398b 41: 66f6f75c 5889ccd4 ec805e22 5e28e858 95aa398b 58: 2164303a 982bcbca e1afab22 c5a3382e af9292fa 59: 9b9d2913 982bcbca b86beac8 c5a3382e af9292fa 60: 9b9d2913 a60af2f2 b86beac8 c5a3382e d37db937 61: e6e74a44 a60af2f2 b86beac8 85b9d227 d37db937 78: c57a6345 6e9d9f84 666b8bc6 852dc41a ec052519 79: 72f480ed 6e9d9f84 999ae2f1 852dc41a ec052519 99: da39a3ee 5e6b4b0d 3255bfef 95601890 afd80709 */ nettle-3.4.1/testsuite/rsa-encrypt-test.c0000644000175000017500000000636713401564746017505 0ustar nissenisse#include "testutils.h" #include "rsa.h" #include "knuth-lfib.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; /* FIXME: How is this spelled? */ const unsigned char msg[] = "Squemish ossifrage"; size_t msg_length = LLENGTH(msg); uint8_t *decrypted; size_t decrypted_length; uint8_t after; mpz_t gibberish; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init(gibberish); knuth_lfib_init(&lfib, 17); test_rsa_set_key_1(&pub, &key); if (verbose) fprintf(stderr, "msg: `%s', length = %d\n", msg, (int) msg_length); ASSERT(msg_length <= key.size); ASSERT(rsa_encrypt(&pub, &lfib, (nettle_random_func *) knuth_lfib_random, msg_length, msg, gibberish)); if (verbose) { fprintf(stderr, "encrypted: "); mpz_out_str(stderr, 10, gibberish); } decrypted = xalloc(key.size + 1); knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length - 1; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); decrypted_length = msg_length; ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); knuth_lfib_random (&lfib, key.size + 1, decrypted); after = decrypted[key.size]; decrypted_length = key.size; ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[key.size] == after); knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length; ASSERT(rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); /* test side channel resistant variant */ knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length; ASSERT(rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, gibberish)); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); /* test invalid length to rsa_sec_decrypt */ knuth_lfib_random (&lfib, msg_length + 1, decrypted); decrypted_length = msg_length - 1; after = decrypted[decrypted_length] = 'X'; decrypted[0] = 'A'; ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, gibberish)); ASSERT(decrypted[decrypted_length] == after); ASSERT(decrypted[0] == 'A'); /* Test invalid key. */ mpz_add_ui (key.q, key.q, 2); decrypted_length = key.size; ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, gibberish)); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); free(decrypted); } nettle-3.4.1/testsuite/sha3-512-test.c0000644000175000017500000034637613401564746016410 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_512.txt using sha3.awk. */ test_hash(&nettle_sha3_512, /* 0 octets */ SHEX(""), SHEX("A69F73CCA23A9AC5C8B567DC185A756E97C982164FE25859E0D1DCC1475C80A615B2123AF1F5F94C11E3E9402C3AC558F500199D95B6D3E301758586281DCD26")); test_hash(&nettle_sha3_512, /* 1 octets */ SHEX("CC"), SHEX("3939FCC8B57B63612542DA31A834E5DCC36E2EE0F652AC72E02624FA2E5ADEECC7DD6BB3580224B4D6138706FC6E80597B528051230B00621CC2B22999EAA205")); test_hash(&nettle_sha3_512, /* 2 octets */ SHEX("41FB"), SHEX("AA092865A40694D91754DBC767B5202C546E226877147A95CB8B4C8F8709FE8CD6905256B089DA37896EA5CA19D2CD9AB94C7192FC39F7CD4D598975A3013C69")); test_hash(&nettle_sha3_512, /* 3 octets */ SHEX("1F877C"), SHEX("CB20DCF54955F8091111688BECCEF48C1A2F0D0608C3A575163751F002DB30F40F2F671834B22D208591CFAF1F5ECFE43C49863A53B3225BDFD7C6591BA7658B")); test_hash(&nettle_sha3_512, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("D4B4BDFEF56B821D36F4F70AB0D231B8D0C9134638FD54C46309D14FADA92A2840186EED5415AD7CF3969BDFBF2DAF8CCA76ABFE549BE6578C6F4143617A4F1A")); test_hash(&nettle_sha3_512, /* 5 octets */ SHEX("21F134AC57"), SHEX("584219A84E8796076BF1178B14B9D1E2F96A4B4EF11F10CC516FBE1A29639D6BA74FB92815F9E3C5192ED4DCA20AEA5B109D52237C9956401FD44B221F82AB37")); test_hash(&nettle_sha3_512, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("4345B92A2AB7EADB6A24EE1D175AC258CCF2F694AC09EC9D47399E4D96F61F30B322C5438C51BACD0D597D00471A41ED8E9C9F146BBC807E6BC385F850FBABFE")); test_hash(&nettle_sha3_512, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("50081C93BF73ECC54A5FFE43FC14F8BAEEDBE7DA0302AC984C9E668389886BD064BAB26DDCB616EB4E0E726042B19F3FD50BDD0D2C5B34892E00E6F399DE254F")); test_hash(&nettle_sha3_512, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("150D787D6EB49670C2A4CCD17E6CCE7A04C1FE30FCE03D1EF2501752D92AE04CB345FD42E51038C83B2B4F8FD438D1B4B55CC588C6B913132F1A658FB122CB52")); test_hash(&nettle_sha3_512, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("A13C951C6C51F236A0197A29A8994B1C7294E17BA518ED1029D6F54AD739D8765920281BBB854D16FBB60E0385AFD6E6E433E63AAA77E73B8BEE7FDE569D6875")); test_hash(&nettle_sha3_512, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("5A566FB181BE53A4109275537D80E5FD0F314D68884529CA66B8B0E9F240A673B64B28FFFE4C1EC4A5CEF0F430229C5757EBD172B4B0B68A81D8C58A9E96E164")); test_hash(&nettle_sha3_512, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("7C77E30ECE98EF88964458683C5E0287B5896E166CCCA71D2BFD8D8BBC6D6FE589A0225EB1D6AA7B220F1410C9A9EC0672CCDDAA1732C3E2877FB5D232C2A428")); test_hash(&nettle_sha3_512, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("F5DF5952924E933330BD5BD7627A62C3672F24A4991DADAF78816E023769C91D1910537F9C19FCDE60FA6DE927982DD5F5970F74E30F2B040F67348A3394C48C")); test_hash(&nettle_sha3_512, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("80A1317EC534ED48D8A813E0BCA0CEE04F705A2F86352306A932EDC548B9A8F1CF79F95027F43BDADA8213449C54F68F4DD800B15C4ABAD87AD7A3B371A7C918")); test_hash(&nettle_sha3_512, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("54C274C3DDF26D824F5FDFCB349A600890057EB2E2022245CBB8BDC0D2240CFA8348F02191FABC0E10F9287185211C9F569132EE6DDE4C396668B4BB50AEFC3F")); test_hash(&nettle_sha3_512, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("00767236A7352551B283A8ECF4C79274F8C4CEA553AB43FC71CF22FB2F6865AD02C88BF0092F213057340C85A5318F62F4991C00C63CB0558CBCF13D6D84E73D")); test_hash(&nettle_sha3_512, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("001618372E75147AF90C0CF16C3BBDAA069DDBC62483B392D028DED49F75084A5DFCC53AECD9F57DDBB73DAA041FD71089D8FB5EDF6CFAF6F1E4E25AD3DE266C")); test_hash(&nettle_sha3_512, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("9644E3C90B67E22124E96DFEDCE53D33C460F132868F0975D18B22CFD59F637DD85AA405E39808A45570A498C0B8F2CBA59F8E1437EAEF89F20B88298ADFA2DE")); test_hash(&nettle_sha3_512, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("4739994390728F4A938DF7B3201CD63771858453F0FF1DDE9A2B9C38A27A0F6C868460D00EE03DDCB0F063F5F8BB7CB0959B7A222259DA0F2C57FA400B50985B")); test_hash(&nettle_sha3_512, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("AF69A46527C17117E6DFF32CBA289EDDD1EECDA13E5313E46678EB8006E7639854C3970DFEB4D907DB1151C1C5EE25CA6F195B09CA5A5CC97A4D64AC4C75578E")); test_hash(&nettle_sha3_512, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("191CEF1C6AA009B1ABA674BE2B3F0DA418FDF9E6A7ECF2BE42AC14F7D6E07331425133A83B4E0161CC7DEBF9DCD7FE3787DCB6622A38475189EDFE1DE6B053D6")); test_hash(&nettle_sha3_512, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("A60D7587424B7242D93BCCE515F1C75AE2BE7710F72ED3F4E5EA8BC2BA8D64099FE42B88A295E12FDAFAB441D772C4A9A7D794B27788EDEA271571A04305F253")); test_hash(&nettle_sha3_512, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("09FCAD97EA3CB6B7FC61580DE0968D238006B7E71F0BD58ABA2AA9D4ADB855D7606E7632138CCC0AA065CA0B92422262E029DA17D73CD3011FF285706C7FC1AE")); test_hash(&nettle_sha3_512, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("F61FAAB080CF9A5F75407B081A03DEF4F49A601A2BB832E8C6401BE0C98B3CEB3F75C922A91BD5060B3217F737404EF4612B9A009B69CA648B1E37B2ED49229D")); test_hash(&nettle_sha3_512, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("51DE0A622FC6FC702C7C2DB5CCB05CA0DDF792986E44B4D336A7A5DAF19A20A371D9BF7DDE822ECDD0A4CE28E4A0B46FE51A2AABEFA7865807EF3D3B1887F14D")); test_hash(&nettle_sha3_512, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("6286C3DB87D3B45CFD4DE85A7ADD18E07AE22F1F0F4675E1D4E1FC77633734D7962818A9F3B96B37FE774FC26DEA787485317B9622275F63A7DD6D62D650D307")); test_hash(&nettle_sha3_512, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("8146C43A0FFE481872142F56A9CEA44332EDC76B4E99C2BDC39D7F80B2A6B554C7598F09855BF7ABC5E6C048BE76F5F369EBB2884E6E37F186E8719DF3D523E4")); test_hash(&nettle_sha3_512, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("4B86FBF9DFB6767EB660AF9C30983ED65B6FD051247AB54767DFB49530EB3C01014EB26DF63E536CF55E0BCE2F62654FB2FCE3839B4BFD301570B1AB794DF67D")); test_hash(&nettle_sha3_512, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("21132FC11F6040AD493D627027C752CE29816589DE7BE78562914B63D1A9219803DDBD9673AA749F37FF4D6E1B5AE2A12633BA8B0C9994E031EBF6C42E58A793")); test_hash(&nettle_sha3_512, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("8A5374D92FF9A58E0451E609AA5C0C5C172BB2068C80562D0324F9CB6A037436910C6593F950C44374B4E5BF6F6D3A436ECE6DAAEB56D147D8CD839CCA35EAC3")); test_hash(&nettle_sha3_512, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("71025D089A39D27327C46C27BD4E7565DDBF9C286F185A08178601C3BAB4667F368A3A8BDDACF25B2B0AA5C9E0CD6C87DC32C854027A8954B5C6AFD3A85097AC")); test_hash(&nettle_sha3_512, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("DC29EB7130812A652AF3FF9B77629684634502EA6667E7E9F80090EC2A9D690C8C9A78645FB04D9CD269E706EE2C96E74207FBBDA559DC285C9BC52F15A256CA")); test_hash(&nettle_sha3_512, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("B087C90421AEBF87911647DE9D465CBDA166B672EC47CCD4054A7135A1EF885E7903B52C3F2C3FE722B1C169297A91B82428956A02C631A2240F12162C7BC726")); test_hash(&nettle_sha3_512, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("D2A95C6FC0F39C8F7A86C4DD6261A79C940FCB313BCFBA9BF71527F5BC70EF827CD97DFA18280E5DDEE5CCBC1D63CE88CE2BCDD82DAB610F79867A7C20B11E4F")); test_hash(&nettle_sha3_512, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("AF8C0FBD72B3F807DB95C9231BC4E93153DC6608B22F4707316AAB3D69AF0E63291B569F118B5C9E693C5BAC4630C4A923A4743581246AD3446DDA4F9076FDDB")); test_hash(&nettle_sha3_512, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("BFC7D968D45342069807C5F1B96425CFFFE99ED136D47665E902E026C118701BB7C3E7FD691785115CFDB2EF235A66BCC1384A1D088B8CCA90D9D560913549DE")); test_hash(&nettle_sha3_512, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("9A348540AB669CDD8914426FBBAD192BA0DB16583E8D4E867B66CC78C6496E4D83DDBF7B972B0668DF7903B0FE9AB82B65153F947CF2AF2591121C9D1A78E515")); test_hash(&nettle_sha3_512, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("FFDB649D1AA7FF269B9BB0AE6192F7BCBC06612528DF0E68521D5C891E9BBA129271A07DC56393BB21218F5E2FB92CFFF833432066AA6380F3557A0748E65B33")); test_hash(&nettle_sha3_512, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("9665808D39B4BECFDD9AA8020A0A72CFD4F823A15D670D51278A4AE95507E16020AEDED6E6C0E2DAB0BAD890A9E7552403D2AA8D1EBC0B8EAEC9A3A8DBB2A9EF")); test_hash(&nettle_sha3_512, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("7ABA6B9F8F18D9D72B883EB988A5F4FFCC0217A3DA316AFF11B38976E90B0736CB000F522DBF2DDCBB61BA4BF44C356EC5B46FC86A5133F971A94FE2A9983260")); test_hash(&nettle_sha3_512, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("589C46625A6AC9A2C9C9A884F427C3C032887AE53A69932B72E1E3796BB9568929D163395A3AA8B2AB23C564937CD729206D9B62CC60353B68A69A739616EB35")); test_hash(&nettle_sha3_512, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("F7CD8737A1AB36B37612E57D1E5A3D4A269D18CF2CB7644A12540E3B184631794EC1A1DA118A109AEF514DB3590FE27BE0752EC0826ACAF458FB0A754BDC51F1")); test_hash(&nettle_sha3_512, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("B21BDEDE484CA18F672058667CB2F2DC922C44351E95C2CDA75AF7E45577BF50E3F203139F6262279ADFC3221B94A072641F8BDB55DCC02F21D0879EB5E7466A")); test_hash(&nettle_sha3_512, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("DB56265B9346968A390E9841D5B7878A158BAED946068E808E456735A67E49220FAB66239D5D506DD75A58F2C56E25C9C105A3827C1434C67255CFC9101A5D09")); test_hash(&nettle_sha3_512, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("4C825FD9A795CCD20A0892DA1572B9B1F70BA05FF2D2DA3A4726A74F9AB5323CCBC4290459C1BB46F0A1E1FFC357FF4766F4F4879DAA91D31ECA986AA30C7B00")); test_hash(&nettle_sha3_512, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("8445A05766A30DDD0080589F8E8CBF7EC59FB7A3CE73C0209791B19CF712CF1635D63C8356822272309C6B9F01637088878DBFFBEDB26D2A566185225C4DA56B")); test_hash(&nettle_sha3_512, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("2DC25165CF317ED7DE2B4F2FD0995D7785978CA8581EA8033E912F2E44EE613DEBFC5535C48D63838F325D1416B9180C20BDE82614504B7161F9860530ECA70C")); test_hash(&nettle_sha3_512, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("CB6110A02D7CA636463F6E3502CCF0173B000482C7E002AD9277C1D10317BDDEBC3DA7F91D0173E3E2F9552BDFDEA4DD1AFBF7508B096AAB1804921E95754E78")); test_hash(&nettle_sha3_512, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("7EF3A2894C6ECBC4201B15348F90671515ACCBA3C8166621F864A9184BF08C3F5A895F6B599D3CB41F20A8A1DF25AE84F1A6D7C8DE74FB7CEF48F7E96FDE8D43")); test_hash(&nettle_sha3_512, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("39C7AE0F80129D9D2980A6246E2B6F10A39EFAFD694DED12A6089509D95ECE506DC38C0A9DE487D9D401DB1F15193404911069533BCAE4C48C53F27BEE3CE0AC")); test_hash(&nettle_sha3_512, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("9B8A7D2F8519AD6DC3D2BC5B696B354C5A8B4796402CE1242C52638EEA6893A1269820A642BC9EFE56CD7E26DC46E97A7FC58FAF3F1A7A25F86ECDC1F2F17E64")); test_hash(&nettle_sha3_512, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("B5CEEF23F56BE807B616C7FDA4867A1D12D0A16845459FC704CE631AD3279AB222DCA7ADDAE595D289CBA8996D46655FA9B6BE58700302E655C51C825F31BB2E")); test_hash(&nettle_sha3_512, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("143D024FA75C8D46273589B8F78432D49EF14178E4AAA27DC366C9CB787F24B73F4197A722F13031181A6FA6E4F66127893DA7B23A579BB93FE7D737A4194093")); test_hash(&nettle_sha3_512, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("0F48D008DD3AA630E8261658A55B565B6773992426B08592B4C1D77A58B067F05E25974E501628A2DB632F2DDDD73673119ADA5674D0CE92C7AA908B9E9C435E")); test_hash(&nettle_sha3_512, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("297498639FC7AA4152654E468E08F29AFFD7061D44E3F532BE4BAC169C877A2EA7B4D70D6BC0F678BE08AA064258EF57111310D13B889712D06530B690841DBE")); test_hash(&nettle_sha3_512, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("1B6DA16151FCD18383372683480119A304796B2A5E54F7EDC6C7BC86817359E73F6FC5587C77BFC71B56EC67905FA7F15193F9F13CFA190BC7B05503A5782C8A")); test_hash(&nettle_sha3_512, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("B2F40935E7C9018814C4E2721D9B5AEEED3370690378E472BD29F227442CA4942B06189C346FDA498123ECE59018E42C8B7EE38191F97789B4AA93223A8D80EF")); test_hash(&nettle_sha3_512, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("C8D242FB5FF1C6CD11A040AEAF35CC09E355A975E04DED1D8341878BED5DFF8BBBD1B69F4D122CE53309AC08753B95D2A57721DFD12E70A8EF12E11E16DE0FD9")); test_hash(&nettle_sha3_512, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("D1D5D5DD7D196B87BE4A38F2D9B4A69DF9DFE0A6E8CE71B08CF22C7F670ECF273EAF395D12FC63E1741DEF113CC7104970194A7C7C807E5319D7BB702F20B568")); test_hash(&nettle_sha3_512, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("D812470B2D135B6E1BC0C85DC0652BF9F6C2F9EE707A2E667181CC9F689BC7DF9CC999B08716868AFAC78244B151B725A027D9250AB7A073A469E7F09BDB0B55")); test_hash(&nettle_sha3_512, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("203EF6BB5132A9D44EAE93C7202B1469C2C2B93706D0A31B29223C411A39550F60F39B9556FD040BFB5F9F7099313B8874C8ED677CFC5F93D9A2941A9B0139DE")); test_hash(&nettle_sha3_512, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("23BEAD09707A77B295FD22FE001282338C2D368302A05FB114BA2A012C4DEFCF06F3887D6DB7A0A1DE04BC399BDE92D6BE71904A9AA7B92BEDFA0203F1D8B06F")); test_hash(&nettle_sha3_512, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("93A8DB85774B321090801DF4DC3CC75E94AF63FF6DCF50BD210E5B65FB35E1BEAEDED55602EB32380726029834982D77B434E94179D0A3EE1059345910EE1DCC")); test_hash(&nettle_sha3_512, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("3B7D98FF3152B2024AAD4FA0B40DC642E842D453305ECEF278574E386172F3C164E4EFB9C2951A23FC73D83C16B4900FB92AEB8EFE06B58F918BC4A481E4C238")); test_hash(&nettle_sha3_512, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("EB5067BF762A291CF258AD69A816A0B089E0BD44F8E5B74CF60BCE64734E59853CCB8D091CD2E33F90AA063FB7942CF5965D459200144C1A0801ABD69A9A094A")); test_hash(&nettle_sha3_512, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("B0E23D600BA4215F79D50047BBFED50DF7D6E769514D796AFD166DEECA88BD1CBE0AFC72A41E0317A223225B4F5882F723AFCBA3AF7C457EB525946DA6C53BB0")); test_hash(&nettle_sha3_512, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("83021062117DA99327E521D7C91331208BF3F0A972A6C755ECA46760C0984871FE03724A51FB5441C3CDD3D24FA1B8127510D6A42CFE18B08E8096ED702EF33C")); test_hash(&nettle_sha3_512, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("BCA9F06B6B9AB8F76C4F3DBE677D5B4B3103423644484C77CDD8C5DD6C1A0BF717C76E83DA9B2B4EDFE4CC133C1FC86396E8C3A9E42FDD20519FCAA19969189F")); test_hash(&nettle_sha3_512, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("DCDF7617F79DA8475B3A4DB1306C9CAF87F1AE85EC97721892D8E20D0E54EC82EE7A0F2D17F21A61AECD89A6C4CF5019D7B8077447EFE03DEF5208010A8A1E84")); test_hash(&nettle_sha3_512, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("9B8C7142180F0ED85359B6D186AE05B77B2DB7C3E1F066392E733B7EEFFD7C11F7A6C0C570273A1F3FEA1A0929D017C7A4FA00175B5ABA76861BCA7EE806458B")); test_hash(&nettle_sha3_512, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("3AB73A0A75B997C0EE8329C33E6EF1389E9821711867F775AF29517EDFFBE410D037143C6431FDED3D8CE728086C3512E94F038B9243B50CB820DC2445535D91")); test_hash(&nettle_sha3_512, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("DEF4AB6CDA8839729A03E000846604B17F03C5D5D7EC23C483670A13E11573C1E9347A63EC69A5ABB21305F9382ECDAAABC6850F92840E86F88F4DABFCD93CC0")); test_hash(&nettle_sha3_512, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("A3E168B0D6C143EE9E17EAE92930B97E6600356B73AEBB5D68005DD1D07494451A37052F7B39FF030C1AE1D7EFC4E0C3667EB7A76C627EC14354C4F6A796E2C6")); test_hash(&nettle_sha3_512, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("635741B37F66CD5CE4DBD1F78ACCD907F96146E770B239046AFB9181910B612D0E65841FF866806EED83C3AE7012FC55E42C3FFC9C6E3D03CE2870442F293AB4")); test_hash(&nettle_sha3_512, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("D6299A21CB1B31F0A6EB67D82D4E738249013B75C9BCB4A4FE419036A6043A7103E9CA9B7D25759177C4B64001377093CF39F35C9B1625C6819369FA375FA49D")); test_hash(&nettle_sha3_512, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("07F0A184734BA4BB721F36D7B1B383F6BF99CD5F75941ECF1FF2B325F03AF970D1DB1F035975702093F59A7610BF054D12017ECD6109177CF061AB1496F87860")); test_hash(&nettle_sha3_512, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("89070B8B1E322CCF9D6307EDC11FC34E13874C4977DA9F6035D06FAF647D7F7D54B8250B541744298AACD4C54D9B41B4085DD35C491A461D504BDB42FC12F03C")); test_hash(&nettle_sha3_512, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("6C3FBE32556445DAD430CF15FE1243B6AB44349EEC2BE1132B0680E5EDF0B08B55F1ABE473439C5E0750132996195FD120C267B9100C47777B339132EC34CC80")); test_hash(&nettle_sha3_512, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("6AE3E656CF94DB10AE3C185362A6625CEC53E0BA4DC7D1608A3F2FCA3C4F31F89FE1B06FE9CA345E3F5E967A3EBCF6A1A16E24521D5C4690D9B642483AC7A896")); test_hash(&nettle_sha3_512, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("ADA8E78CE3E6D447BA2B7DCF98718FE7D43B38D68117E5779A41EDD8FA72198E3B3C1C0215925BC9D007FD2C355EDD668A0C27EF0FF89F76CF85363D4C9EE001")); test_hash(&nettle_sha3_512, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("3569D9A08DFB0001BE713940C464C119F5A4C1B9FF97D8297D04C7B2DCE2D684AEE16443C32E5BB2355AC8A336249D1BAAEAB4FBD04AB982D6B178DD0A5B5BC8")); test_hash(&nettle_sha3_512, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("1343E3CD162D7986431BABE66383B84029665691E36CAF97CDACA17EE9E97D74201D2A828D72E9FBBD5E07831D90F09EAF3C863BD102CDB1EDEBC8AD58A53ECE")); test_hash(&nettle_sha3_512, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("BBA01DBEA9660F9C2AD74460B67A82440701EB995143FFCF7434B5D2DE4E35C82CC757DF776D46199DD8E7355AEB1F42A88F6F0BB50FD239C73898156E4DDBBC")); test_hash(&nettle_sha3_512, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("3268BC24E29392DDA1677B7A3CE3111994482D17BAD1C150AC885F1D29C308657C69FD4F7CE5967D04FCCB920DACB00D0CE09536EE92A6664CB20E692D91D8CE")); test_hash(&nettle_sha3_512, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("EC13E390FA65FDC11054E32C9F5BF5E6E97FBC34C28089346FF22D9762BEBF6A14FA7F9C2E6643D1ED7EC6925D0FA2098F8149058E99D02AD5CB61B4CCBA6467")); test_hash(&nettle_sha3_512, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("6FD5A334D4B7F9C72A8DB1292CC8F19BF2A00F5C226C1636248024723CB876070A9657F48AB3B1D4229202B7BBC64053A48C3FF6B93AB11A2AF3237721C9CC09")); test_hash(&nettle_sha3_512, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("016C80CBABED07C50F2C1B677C43E52DE8D11751E54E596E0C04B3837A7E34A9FF5D2E98E7C58182879C15847D18DCE88EA900337BC448112E98CE1118820C58")); test_hash(&nettle_sha3_512, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("A4E85FF86482C10C6AAABC79A573CBF89A0A927110D755F22B529BD7CF3F6CC6CB9861E509657242A78B0C0AF78FF97ABCC1A8388270D6C8D302D45C9BA58404")); test_hash(&nettle_sha3_512, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("B97AFB77D39F8904AE8A5129A7DDC8EC9290AC40356E1B53DD057FA7584BA31AFAF9EF5B657097FC115EAA33E7EDE36DD00832D677EBD07C34B071E73580DD3A")); test_hash(&nettle_sha3_512, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("AB2FC59A43A2666C9206B9317479285E660B670C6F111F999556E8151E0EB8D12BC82C9A7E7B3F8D6F382A8D96775EA417F754FF552E1BAC271FBD08240F1B86")); test_hash(&nettle_sha3_512, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("0A673AF84E2D2317B80A873BFE38B252872708B38AF9B956E3554AC2DCE2F77C815593D99930E7AA666C57B59730712E5C4A9B57849EDDD712A378040EB824D8")); test_hash(&nettle_sha3_512, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("1D34645463EBBD932C730E593D9C108AA86807DB6785F05C4CE80F3E8302F87EFBCCB1AB884E25F1DCD5485D385502995E7ABE2EF11BD3469E036D7EB93B4F39")); test_hash(&nettle_sha3_512, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("3F57FA915A782E3CC69815BA219F42AA2C222CD7F309F10AF843384B3D3939AA0B92DD9571686C7961E06BFEE818127FC5B5F32C67F4AA2AF10D4FA38F65E90D")); test_hash(&nettle_sha3_512, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("151382CA35FB20B895A9DC074D687F2F335EAF57456D357A685EF752DA59174D3F239AA9E04F142138D9413B21904665EF4DF2F63E663B490383660481F78362")); test_hash(&nettle_sha3_512, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("23AA4B74C54E8F450054B6ABDBC6F6C3E44366AFCEC099B155775DE040BF3B9CDD0B875F9D490FAA694F18CCBFFEC6CAB7DE57A59EC6327240AC59D62D50B21C")); test_hash(&nettle_sha3_512, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("3605CEC16A7AA8B2525479FCC1295411B6A952DCE233C9ACC856D6D17C9812C920178500CD0028B5998D07046C6A5CF398EE1EC97DF9182C33FCA86647861878")); test_hash(&nettle_sha3_512, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("C5A526D75816D41B53BF164B0467E0B80A9984D1830EDB9D49F7EC3ECFEFB01A2C824A0F645753AA463D567CB2782AFCB2B2C2102EA664C56998F79062636FC1")); test_hash(&nettle_sha3_512, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("B239941A31100AB1B24AF2D1FEF149DBA300105A31B72A8F217E306A0602D722CCD593A23E6539D3E4195A7E12CA19AE2BAE8B8399F7A9D50DB30216E973F2BF")); test_hash(&nettle_sha3_512, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("D6AB0D0B416D1BBC85479F9850585761B91775A60307AFACF70943FEB58657740FE35DC760AB9CFA672C6B5552AA67BFA1F0D6A6F943B3912C229B8E0155C002")); test_hash(&nettle_sha3_512, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("BC0A28450368C288013E2EB1196E58933CE05869CB55FA2BDA61D9D92F83B903E59DDE0B927CA6DBC46F5AF2EB7E8831E8668888BFEA46D78F4D274818D56328")); test_hash(&nettle_sha3_512, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("7820A20056DF741E19FF4D150663488CF86F936353E99E25B93220F5230BFBC13363B458D6DB92F9D211D705362B01782EC118ACFE53BAE4C6AC2C7E5D0111FB")); test_hash(&nettle_sha3_512, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("0984A43286A3CB22FB59F7880E114E23E3AD3B0D43025F3987D0AA6FA8E53E6066F80F4769241DCD062431C7F6712C57C6E3275ED3F2BC591DB6DC20E5BE0953")); test_hash(&nettle_sha3_512, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("A6300497F650859CD744679885CD5437A64CC3961574DCCE65E1611616A9F97190F39130BA532094BD62464D0B8B52297A2C9C279B2C9860C072CD44449A9CDF")); test_hash(&nettle_sha3_512, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("E2052884D112238807C02C135247F76E0E394BD6583BA83ED2731CF68F057276272B891A761CDEC6D8AD2E3F33E86AE9D9A234682BCE7A53816235692D2CF821")); test_hash(&nettle_sha3_512, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("FF6A7D0EFEA45E5F0ABCB173FCE2BE76B52D0F3FC363AFE31D219472742D73E56CEE2AB91A94D41335C4FA25CBDD6EBD1A087637CAA25099D5A9D60693CF62B9")); test_hash(&nettle_sha3_512, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("4183F96759E7C0628F2FC81979274F42111A43BD5DBB3685BB21704CE6B0ED3D164DECF28A3A991B303E1D7B86E2B175BA89945A8524F9C9318F12B160A1E4D1")); test_hash(&nettle_sha3_512, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("940C6F0BACF11E4B045F432003F889278709F9C3D8E420C9A17155F57E776D72B4306BBA4ADF721708F6EF457444AB12238372E207AB41D5EF5A68529ED0B26C")); test_hash(&nettle_sha3_512, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("172F0C680310375156911C07B1819F0B9D124514EC2C3750CB2E39926A28A4636AB7ECDCDD9D6A960D16C864DD585645D87F145C5B315381F356656D617FE97D")); test_hash(&nettle_sha3_512, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("410DBAA5E3453F2DAFCE135DC014F28FBF693C84EB7D4BECB80A3DB32E16E89062B3FF59C1DFDFAB32D84D20284632A2AC7F8F88D4B7023F879463BA18FF6553")); test_hash(&nettle_sha3_512, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("F93A099159C39617B75B188D527FC4DB287CBB4FDDDBA5AD4DCB4CFFC4DC59762BBC41A58D3A788EAE152AEA024BC4CC4F29FC7B8AB68065A68650A04B51818A")); test_hash(&nettle_sha3_512, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("05E69984EE99AA2BC851083AA44EE56FEEF86C45888867CDCDD0C7A8049080AE7858B93C19953A881BE5C036BD8FE83628C2E3AA9939A288B4AC4BC2876C2FBC")); test_hash(&nettle_sha3_512, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("BE22F3E253C2563C3353E693D2D5A65DC6BAC2CBCDA8E43E8584F9D851E602D4374936403FD688F0135E363DE8099F249DD21C61695C109C27ED5F4F4C1808BF")); test_hash(&nettle_sha3_512, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("1D1836C4E2C3EB27A74A9CD600C064391BD9EDD45464A5795182C8794748BA51A345C6FAE2B91F5758401E4F427D50B6882B1DF0977976C2C9432C1A9B3AE03F")); test_hash(&nettle_sha3_512, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("CB0D33C173C765BBA3714D56A4CF48FD6320AB8C5317E7AB1A46472AFB756232CD27F51473DCF9BD7DAC1AA7F669353FD8F3D27D17D3FE3EB3386876ECA38A85")); test_hash(&nettle_sha3_512, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("B579AD0C750B91E0671BB7F0482A519835D155AE1A4DB92112E66FBD158835E0C29E2F122A8C54C530F92633F6EC7B222CA3CED45B4B5A24426D99C59C1B6609")); test_hash(&nettle_sha3_512, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("689C878D8A44C79EAF0579DC96C0E7FE7D33491F59A6058BEE60E14B8006BDF6A6070B2B6D3BB6D7C31CCAE09EC403DF49DD12BA72C8532A8E476B4B415D8369")); test_hash(&nettle_sha3_512, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("4E4DC49E414C794A4B6D8D2093FEAB46D91321CFD089B1FD8CB5154F3E342645F6233A9216DB04F080E5AF8B156E782AD16E0B15D814173E78FCF5E7CF8EA51F")); test_hash(&nettle_sha3_512, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("2C8F456F9091517CAFA9DF1D09EE621EDFEB2C00DAB944355D592DFDA128F837228578E3965D3767959D3CDDE4E7B67E02241F28C5417E33EA74E39032F938EA")); test_hash(&nettle_sha3_512, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("3AE18402AD4123AF1AD868450591C46F66431D422A29D932DF94AF9AB3E256F806575B3EB0D24EDC7531725E0336847B2E571AE667B619A9D79A3E168948AF5D")); test_hash(&nettle_sha3_512, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("6F3E1294B67D875165FD09DD493DD55924E9E28E53AFA2DA80916D7D54E19C1705121D617E53F56EBA4767D6435E986FEEAEB965EC4956FD3C02DE1288FBC661")); test_hash(&nettle_sha3_512, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("AA3398BC7DAEB4F22CA6D1937B0C6097A49ADB6DBC03FC0F5226A644F217296BF55747269B861FC7B22BC5956CE3D8DA28E9F25D8C9599BC653CD0EE0C852473")); test_hash(&nettle_sha3_512, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("8BCBBE36DBE305FBB558EA46721D25DE7AAB7898E583E8BDF26701224387C524C683475C242C7DE090608A4F17663D217276F94F4188B942A03039B5E38D6AE3")); test_hash(&nettle_sha3_512, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("4782DFCAB650E7A8DAE9A010CB002DD0373BFBD31247FA9860876D7FFFD2D57C355F2054CB2EFEB45C5871F284F46B025798344A3719EFAB34D15152DD0BBC6C")); test_hash(&nettle_sha3_512, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("A4D538E449E2B3EBF9AAFC88D29E514BA0D2C8DE2706F3F6FA5A2C4F95F5DB5BAB59C1A69C16E4859A19730ABB2E6BF06152445EDA80E3BE5CE652023EA57E5E")); test_hash(&nettle_sha3_512, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("8732D243F1B3349F900DF430659B9AB9ED99F626AD35CB2084B57D60E5A5B47213AD213859CD40964C5A267C236D0E38167525F778E67E37D4F623A8884128ED")); test_hash(&nettle_sha3_512, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("97DC2606E14F7BFFF1FCA497965E36CAA3A81CFD6459D0254529F64DA40FFE7442C08A151D6CEE3B46BF3414E80110A0F71EEE44D7940027DEE90E919E498D65")); test_hash(&nettle_sha3_512, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("DE5978EACE4E51F7D289F2BEFBECB3AAC8E9CAD48FA0F7310C673D52BBCAEEBDE49CB5A76D334D6DFDD51AC1AB24E9E1CDC915069DBDDB3D2E30B0B0C26B3EE1")); test_hash(&nettle_sha3_512, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("33ABCA29A8A7094CFB10BE4A80E81F8001EBB933C0D4B98A695B22AB553F94F07646ABCE6ADF491817D17B78C40747D56FAF88A613138CA0E596636C672397B4")); test_hash(&nettle_sha3_512, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("4FAB45806B4628068458B5D0A2D4BF101B8BFC9276EF86AD5D883765C43F72CE8A5F7B4C5B535A915130BB185E699AB62228014E54DF790C0E93AADBE7E39E19")); test_hash(&nettle_sha3_512, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("5F0BFB4146910CF0C320364B6AD8A02B0966229AB2676D9670F0DD241E8104DB02797EEFEA0B9CABBE90A44757B033755925B2FCCF3A00054F9AE8FBCEF752A8")); test_hash(&nettle_sha3_512, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("D38EF3B12EAA0BF62A75B6B63CFF3C9EF171DE1B75F5D02629365BCFE65BA7DDD30FCEF7FEBB82F19F9BEDCC1CC4C679B4292EA62C2A90A7562DA9A1318FE278")); test_hash(&nettle_sha3_512, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("60C95C274F99B8643A186344BC01D1279010BE55D1BE76F4E6F919F6B54D335EE0E1CA92133F3D7A2520CD82C4000E15EFED8D8A66F31B16B0977C63DE1BEB05")); test_hash(&nettle_sha3_512, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("9385D0ED9E73498E24B8C6E746A1C6BE8011EE30FCAC9BA17224EE2012378522C78F8737A224621FBA19C42040C5C7F38AC07B40E0E75EBC59D17975EE85D655")); test_hash(&nettle_sha3_512, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("7487164D408874AFDF07EBDADE8C62E756147BEAB3238B8738AEED927F54FE6D33AF3917D4E181B50CBC88A379C73585F9FBA4C1B67B4BE449004EA0F66D11AD")); test_hash(&nettle_sha3_512, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("0F41AB2D10C51E28638DAD178655F160B2F753DB44EED6CE4104693CC4A938D887617774AFECB33B890EE7FC577656CE168EEA42C604D152B952C9B772C9B530")); test_hash(&nettle_sha3_512, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("7575A1FB4FC9A8F9C0466BD5FCA496D1CB78696773A212A5F62D02D14E3259D192A87EBA4407DD83893527331407B6DADAAD920DBC46489B677493CE5F20B595")); test_hash(&nettle_sha3_512, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("2E293765022D48996CE8EFF0BE54E87EFB94A14C72DE5ACD10D0EB5ECE029CADFA3BA17A40B2FFA2163991B17786E51CABA79E5E0FFD34CF085E2A098BE8BACB")); test_hash(&nettle_sha3_512, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("BE8E14B6757FFE53C9B75F6DDE9A7B6C40474041DE83D4A60645A826D7AF1ABE1EEFCB7B74B62CA6A514E5F2697D585BFECECE12931BBE1D4ED7EBF7B0BE660E")); test_hash(&nettle_sha3_512, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("6C7E64EE0D826073D4F44BCF1586A83BACF3E2E138DFDB65B8B8B35FD7DAE300EA6E32C6245CCA27C674FEB2196755945AB7C5DCE99EAB9158A75518AC27C431")); test_hash(&nettle_sha3_512, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("5842D4DA2C309D9B2AA7CFAE702262F770A8E646620D65C17271416E9D7981FF93D228CD60DC1CC16921020D841E439E87F085E503D466C904ABF8CDD5ECCAA9")); test_hash(&nettle_sha3_512, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("F8B24527B5C84CA9A702DB2F535F78ED0323C2932A255DB24F872551CA7F5C0482B3690C62EEC8AD69308DB2D72308C4D615CDE3835B39B4F6FF115466F32763")); test_hash(&nettle_sha3_512, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("08C6E3938DE48171A99646BD090B7D53FF422AE63F99850032BD131AC7BDFBA8F83466AD31FAD3169D8A320FD9548BDFF2C40BA20E0D031A8054019C40ED2662")); test_hash(&nettle_sha3_512, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("6978AD4BC4F0FC44C35C6691CA46627D840BAA572DE9B0216673C988197191CDF812CF21920E052CC9CE1D507D1BA7DB6F151D01620ADA702DC637BF90809C19")); test_hash(&nettle_sha3_512, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("3A8E938C45F3F177991296B24565D9A6605516615D96A062C8BE53A0D6C5A6487BE35D2A8F3CF6620D0C2DBA2C560D68295F284BE7F82F3B92919033C9CE5D80")); test_hash(&nettle_sha3_512, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("FE45289874879720CE2A844AE34BB73522775DCB6019DCD22B8885994672A0889C69E8115C641DC8B83E39F7311815A164DC46E0BA2FCA344D86D4BC2EF2532C")); test_hash(&nettle_sha3_512, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("AFF61C6E11B98E55AC213B1A0BC7DE0405221AC5EFB1229842E4614F4A029C9BD14A0ED7FD99AF3681429F3F309FDB53166AA9A3CD9F1F1223D04B4A9015E94A")); test_hash(&nettle_sha3_512, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("26410E1A0D1E3659438DDDB2953EB3AA082CEB02A327FA0098574D89F9236F5DFF9C17DEF37F6CE4B5DC1EE5F23F578FE191EE8B51F1B8034BCBBBB7B6A500A5")); test_hash(&nettle_sha3_512, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("5015DA2A2E1661D3A52A65D19F02933029839F72717A77B5045198665093F944CFF85E094D418396A51C574157EED9FB6BDD4ECA53278FAB62AF699B53C82F58")); test_hash(&nettle_sha3_512, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("B27828CFEBCF4D896EABF1F84D079827B7DCC7F308A20476474DE518829A89AAC3DC50272CFA976B0B5819C45C9EEFC51B87A27D11C9E5F9579121125A887542")); test_hash(&nettle_sha3_512, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("42FC06DCF99B4E804BB349101B46D6A6A7366E47555406EA554248BAEF52E17AFA40829F5709D07FF407881DF106F156CA735622B0F051D8C372F6E811CDAE25")); test_hash(&nettle_sha3_512, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("0CA89C9B7273DE384FF33F1BACBB8505628C4D3E30350B335361563AD416ADA523122D37ACBEC57721F7BC5D9B049E1F4FE3C4CFE047E33A0E448EF5D5536CF0")); test_hash(&nettle_sha3_512, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("78C59A8CDF4D1D07A66BB2FAA7FFA2112D5C0FCABF7E3589E97623BDB922AF9AF24918C2CCFCE2B880BF64145C70DC9A4FDE78FDF0918DD2CE5FEA9CF99ACD41")); test_hash(&nettle_sha3_512, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("CF4D52D20272DE014D367310775287EE5E5CB34CF9AF78E65D1D1FE7FB1F13B62DD9B83C382BAA6AB4F6949478C8598FEF78E8D535311FC19808CB75E22DADED")); test_hash(&nettle_sha3_512, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("33D632E403C9F9A9349B28AA4821A12B1DB557D8928003D30C57D701CFF1C49BAC9472CECFF450E4D91D36C6CD78221790EFF6F0FBF498034014CBBACE5DCF09")); test_hash(&nettle_sha3_512, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("954C709ABCB0BB881592D93F5C2463CE8C060AD1DF3053302EA7B19F2B47BCF0FE359A832F9A865A8D3DBD3BE598DFD6D0FC1C574ECA0AEC78D8E3288399BE05")); test_hash(&nettle_sha3_512, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("A337062F5E5C9C35341A51224F2A59E6CF919A63BF59A6CFCE261194BBD660F28C2948D03CDCE5C7C151EC05B42AADD83051A16A62F0C7DF39AAA4EFC82CE4D3")); test_hash(&nettle_sha3_512, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("43E9D0EA8E526E83234D7B63D8244C7E7B12AE2ACC8082F986367268F10156574300172873845B207A7252624246E7D32CE0F7282E00C4552F6180F34E590E2E")); test_hash(&nettle_sha3_512, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("F7DA8D1E49D0D964400EE40F9C88E07025A8B0B00CADC624A63E2EA85B1598E22C8802BE0C1FF368519549A752E02546093D3B984E24600BA2AB7C792B9E074A")); test_hash(&nettle_sha3_512, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("D9A42761F980C78C36CF54C4207B0A62954E15A907A7CEA149B37A4E0A6376202FF8F12E16EBAD3AECC7FF3A9D6AD093B068DFE272E3B9646B1AEDC04961DC81")); test_hash(&nettle_sha3_512, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("BB65D8943413CEF89FDB05B35A55EC7503E4546A50FC3ECC825DABC1A1DAE6C771BB197F323625877E0BCCAA41253C99B6692976B99FC687B0B6B3E9AAB478C4")); test_hash(&nettle_sha3_512, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("540DF22180B69B9A83306619B2CA8CD8E07A34BBEB2219AC7CF88B468A947C4448489B303BD65506C9E1CE59348A9D863AAB5154848E95B5389783F6F5FB6AD8")); test_hash(&nettle_sha3_512, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("062E4A11A79FDB9CBC3A0E4C5F9875CAAA568BC713066E02D2A9CA4D27886CE23F70083A2BF4D0E7C55B120FE6D197203DC1C2FD3469112A08836727859E1F83")); test_hash(&nettle_sha3_512, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("9E1C6EE0C47B2D2CB77F602CAB53AC4C69C69778297894554196CB58060332C9FD8923F45C4B8EC26E16A5D04E6307FB99850A4540EA83E3F2626F3343E97225")); test_hash(&nettle_sha3_512, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("F18F0B072A6BF608A6C7420E891BE3795A6D19BA3E1276C826F1AE775CF125E428AE1A397CFD074BE0CD24F7100F51800F14471CCF4F485A6571E2B32E02611F")); test_hash(&nettle_sha3_512, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("2859A3165F38CB59DE4275658BBAE9A0AD647D972CF98FA0EEC4C07EE75D576DBF9F5DD19A881DB4E4F7DB31EC0D77165911329CBE8A46D14D3EA7FDCB8A5C80")); test_hash(&nettle_sha3_512, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("9281BD03FE95545E5321A91A0AD8FA75A005B928C83450DF657419870C4E980E32484FCF1F598702ED20404FECE48A2EE9DBCF22120654AE402951605BED197E")); test_hash(&nettle_sha3_512, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("6CA7023E20735624E83995A9E8AEBA66B9BC8D0A30DF67108EFF8AEDEB3B3CA484457BD0277C2552CBC7D63DC87EB556F2199C54EA73BAE647764DE18489B1F1")); test_hash(&nettle_sha3_512, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("A965E699C1FFAEE369B3651C3A318582AE329AE51E6CCFB5275F58F748CEDB8F6B8434FAC4A1135AD9B555AA8CC1FF99A2220CBE83BFC1C374FFC927BB00ABD3")); test_hash(&nettle_sha3_512, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("4B44EC2D1848D0EC43AB0793390D24535F3328AD23C5F8FC43F5579BD16D84BBA08B233B0B5E24E22BF6CA2DEFEACA16BB98F8CDEAF26EECF2FC94AFE4604CF4")); test_hash(&nettle_sha3_512, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("73169F0BE264565E45FB8F4665753E55F240846EB0D481CEF0274E4A3D859521767D9F675C0628DDCE155267BA686F2142805713F20C4C25E0B24398C65E3480")); test_hash(&nettle_sha3_512, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("9E1C196CB73D1EFA288D63902C64CE1A340BCDB8197F4AFECB1118DADD0D076B5FB7F6F809666CC58D2A8C1A68C65D0E91554C41D083F56D7B3DD37DF1B6C494")); test_hash(&nettle_sha3_512, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("0C429CC164253C09538668135C9436FDBC79DA8E1FBE92E7BBC6EB30627591E7347CCB43F7AEC2D37FF3DABCFC9FA0C80629937C0C177C1C7ED0FC76A15DF075")); test_hash(&nettle_sha3_512, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("700112FA90A1A2FD039A41B6485401634E757840E422AEB4A236634958192FFB2F2DDFA2253FC1ECB211C7E036098B714E62F7BF2B6975B1E95FAA9B8D02A73A")); test_hash(&nettle_sha3_512, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("901C6D85509F01A47EA2E2792A5DB728EA39E5703EEDEAE41365EDF10A866B922B1093E52E687E312DB129DA1F053EF6848CB0B314C9A3A999EB3E75E14C9CC2")); test_hash(&nettle_sha3_512, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("4CC9A61FFE08984417712B80F962365AF36ED66A8AAB2A788D22A5C6B23962D23584638E712E9183C0A271383DB0877F722D399116F9BEF79A56AB096EF21749")); test_hash(&nettle_sha3_512, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("B36EA56BB6BF80D91D5A605F8409AE6B7D879EC40815B35C664CC6B01BF6C718AD464F15C34DD1315A79A5456B6C3F8ED89E60390BC71EF747E12CDC77706245")); test_hash(&nettle_sha3_512, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("8ECB8F622DAB7087E9A95CD0341192FEA6B1C956DF9AD3DED823948B7849C4F3150C9559520953EBDE98ED76F6E43BFE4FB25FDA712525C6D3DAA80323BE8E4A")); test_hash(&nettle_sha3_512, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("519215DA34ACFCD62DD617ECD5978365417D57C2671A7B48655B89F448B23B128D3AD04910A1BBBDC00E954A1E49765176A8ACA4C37D56ABF0E0B72E331A8D7C")); test_hash(&nettle_sha3_512, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("0D1C1AD4E1CFEFEE854C4A739A0342E39D700DBAF4891978D7C839E87C680717D63AB4AA1ED7EB657CED9F8D2CF47204262E609610842FC5B219ACFF7EB188C4")); test_hash(&nettle_sha3_512, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("0A5D9EF40BA2B98EDBD7918CC6779483A1A00BD94CC1E1495495CAF6CD47C6239571C3828F4565A0D53786781D712C10EF7333227F651974628887D442A5EF9D")); test_hash(&nettle_sha3_512, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("EA83DE9AE057701F6EC68FF67E92E0334C18EBB79AF1953C2514408D58E69F105441642A1D5B7D6010F7CB15D131DD531855CA337A7B0B794FA6D6923F017AFA")); test_hash(&nettle_sha3_512, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("6651C25D33D10B72535F1DB26A1DFE2EB99CDD505448018589B5B88B7CAB63EB439C31A474C6F1191DF14EFC7D0665CC7B82A7DC54A7C6B0C2FD1F75C30D6872")); test_hash(&nettle_sha3_512, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("A754652247F7285CE2DD8A10035C69961E4F9C025E1FD087CBD3126E049A9E832C3F3A491FCDE338B8C01946CDD7DEC32A8FD7ED1CB3045BCAF3398905B1BB42")); test_hash(&nettle_sha3_512, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("FC1127F6650F32638453AB773F5CE60F9F6165BC9928EFF18C7A3281540C7A615D2D62A92E557D4A1EC1229E84819D2DBF06CED4DE0FF90040ECB961D678E181")); test_hash(&nettle_sha3_512, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("43C21BCCAC7ACEE8ED437B874ED7CDF20EA2E9DC98AB82124610DC4F8416248B51309045CDFBCE92EFA9E56C5B36D6E5D27580319CE69C22E5D6C87E551EED4A")); test_hash(&nettle_sha3_512, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("893934B8C630A9BF713C64FFD1128EAC75D1CEFDEF6642FB27F20CB56694C2FA8BA6EFCF3E0E56C7789CFAAC6B2F7B247DEA8367FFD269E74B9CDFB0537031EA")); test_hash(&nettle_sha3_512, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("B4CB58D8497978916DC362D37ADE12C7A0D8FE3B08B370659B27218291E04EF343095A91887B040984CB80B0C8611FD12C18EAD37B95320D59EDDB32113E42A4")); test_hash(&nettle_sha3_512, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("35C3F8F0DC28608EC942CB6287482219B42B2EBCBAD92B4C34E77E21B7D93B0E85EBF483DB2D4A979C48E58F746AC3DCF563CA7E1B2940371D8D83BF0795EC45")); test_hash(&nettle_sha3_512, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("B90E0CC6BC53182C4F2D17AA51391C8250C3032A12DAF2FCC641B49AA81ED9449403567B75D4121376DD8CC2D2BDBAFA456308AD7C0C13BA85619D75350727E3")); test_hash(&nettle_sha3_512, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("99497355AE1791799D11536C73605CDD1496C74E3E930B6272A103C3AA8C984D2D74B01AE72C94F2A4D3A069EAC6E00984D21EAE3DD7B32AD082B396601093BA")); test_hash(&nettle_sha3_512, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("C98265396F3278FC532125DED097A6851FC5BF37CA32EC26F43E64874241309F568A217119BA984C54099F8899AC94B7900A4DD9D3877E18371F5DAFD1921F08")); test_hash(&nettle_sha3_512, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("FC03BE193A5ED0E6B3502661C2D9E4E2A503CF3FDB231526A90C3C4C26089C787EE6CBF50D90AF61C17C5DF0B29C373B426740CD0D6FC370DE64EB2164BBAEB2")); test_hash(&nettle_sha3_512, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("FB9C3A9183B6D251BF61FAF1843455CB9C1BE35EABDC131D5BF38E98337934968291E9D6DC104374BC234FF22CC23CD6F338E7A3B019CDC9DF6E3750B6B01FDE")); test_hash(&nettle_sha3_512, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("F7965B71198636F162D5A4E08D73E8C8A9AC1ADDBDFD7C180C489CCA7360B3FEE3A4286154460BF867923B348BFE32E79D9139A0CB52C46FA20785FAEAE0A8BC")); test_hash(&nettle_sha3_512, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("5337477487A0AF43EB7B995293CA2BEF6EAB2432B1333DCAEAD7064406E22861FCEA623FD8B85B30465787352A36C943610F1458FD22E3F55DDD195A6ACAA374")); test_hash(&nettle_sha3_512, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("28AB5C6298A602AE51EEEC4080245F7CA10F9A8C304F22B5AA88D0E49226C01C2FD3CC5D8E99309767816E4F6D52719876065495DDB61DD113CFFF06B11D8604")); test_hash(&nettle_sha3_512, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("2AEEAC015D93245F6BF727CD182894097B902CD407D7E0DD06DA1A63F4451C657FF39F925E7C8A894AE593D11EBC2D5D1DE3D9A18018806719277D993F7FABED")); test_hash(&nettle_sha3_512, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("D0A119617B7E30C2A85ECBB3BBF325DDD589431C8C2E2F9FC6E324A6ED8BAF11870A80556CC0688FEE4DB70F22B9424B4F37A0F1E7EA314684DA31BF473B3F34")); test_hash(&nettle_sha3_512, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("1C88789885DCCC9AE81029ACF0B6C9D083CDB9774C345F1C755E54C45E9AF63A70DC2ABAEFEB1AD416F1BD3D9B69D4C4404D22C85E636A4703769C0112B550B8")); test_hash(&nettle_sha3_512, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("F52D7DD7FF248A1BCA7B714F14A79DF5766FD67C0031A471CC509F3516D7C348C33F7D4B1CA331B9323896B7074E10A891CEA851F9AC20245812B8CFAA556352")); test_hash(&nettle_sha3_512, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("A8AEE42A77C9B6387DC97319581959D9BD878D061487FD069ACA04D6F84D347E23587A6C7C56329B2DF88C56C7100ED51ACE5B5F778D65478F059CAFD6C098FD")); test_hash(&nettle_sha3_512, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("4B961C4BB6035E7BDDA2E1A3B6F9CD52D1789866044C4A925693BEA88F65D046238BBEB4E7D3B060E47288041407392B291AE610BA70D6B4D64E74E7A7D0256F")); test_hash(&nettle_sha3_512, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("C0515B65B640B3FFD0A1582A54F4C8FB35C109B7FB472666E043D3C00AE3E0E0FA156C4CEFB46B5B7B4C0E480623E1A26018BDAEDC3E27D9C0D44C3E1D862015")); test_hash(&nettle_sha3_512, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("45C584564D9E0B8239CC1284939BA407A8E5E981691EAB6A04D9354C9C855E400B3037151122CED237636E61A7FF2905E0213A6D07306C459E2189E3E6A9E0B8")); test_hash(&nettle_sha3_512, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("136723350857E03756F02E60451A28E711611927B8136DCFF3E567DC618FF36B3100737C9781B9C84A576745C1E6BE030DAC8803A71464AF39DB94D00253AF3E")); test_hash(&nettle_sha3_512, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("C0F7713AA021A04525F751722A9AE5C4C7934D0A286F1FB05823D86A96251C04DECD960D8D4D66E2C565E6207A49612E1EFDE386536854B6AB9A4807B0A145BE")); test_hash(&nettle_sha3_512, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("FE1CB67D77FB463F77747FED292A989A341044A8B65FA1DF1441AA41A5C795916626E0E479FD0BA7F9B1DC15FED245B99598D35359834E8FD25CF19685219BE2")); test_hash(&nettle_sha3_512, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("4043CDD3F0EA793E49A8EC382F8071F6020B529CF8C82E969429117B362129B7689D3F1EA7FF77EE50263CECDAC5A43AA2AEE97CF3E665CCF535F6DE65AD0100")); test_hash(&nettle_sha3_512, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("7392BD445F58CD5D7D3CA98579CBAA9A9437D0C95E7932B4004117F207F8AA39156BC42537B0C790150D443C2D68C2C43E362DF9D019601797162E63076936C3")); test_hash(&nettle_sha3_512, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("9FF0F0D70CA076CA44C353A3C678C2095C89F619BB53EC9CB4888E2F14E50FBC146A7B521356369F1B9D5665836E45D5400F9856CC6DA3B3AFE6F3B0471FC9C6")); test_hash(&nettle_sha3_512, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("A981FAA9D3CAC492B2FA078D1158F81248DF8DB36ACBD5BAD3A6C633BBE500EB481D2937BEEE9A76C84EDCDFA0F997EDCE708F07851422A7597E2463FC1912CD")); test_hash(&nettle_sha3_512, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("89025C13BC6B61A1BFADB1D37D676E49E6754E9DFC00D52C5EF13BA57C845D14AC75D5AE6F06714028103C3424717F4C2FBF6D88D055690987620AC5B440576A")); test_hash(&nettle_sha3_512, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("1545D8334836F7436F77F21532F5D3058E351DB8357EFC1E089583A0C40AD3A6AF5F2FEE793D3FE1B4721F6817A373499B20912A35C4609FA9D84BD274E978FC")); test_hash(&nettle_sha3_512, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("AFAF201BA353316C1A7B810F120CFF941BB658B0763EEF59433403D8313B8F00BF18177898AE71907D3B524E68BB028EA1442866856111B12089BCBED177FD46")); test_hash(&nettle_sha3_512, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("3FB4F21A231973D2247F206D47B19EE1551647FD4D4F21FBCD6F653577C1AC69EAE4DB432C0234ACBE17B2CED0238A56ACC34D7BB82FBC190903035B7C538857")); test_hash(&nettle_sha3_512, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("0B1C53E68667314B5F3F0F30E25C622B1A86D10701D4A0473FD40F22C50ACB47D63EAFA582A2FBE5453A3F73BFBCA923680F4C2C7F99C98388C07DDD7AFF2C6E")); test_hash(&nettle_sha3_512, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("D836D0CE3A28AD71C3A876796BF65AAB838D84E4802ED49AC04484AE06AA08ED31DEB5C38C1022F0ACEED49CB58E38D3AAB09EFECED9349FDC33379251259826")); test_hash(&nettle_sha3_512, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("61B8A7520DAB4D395044B1A9CCC4F5263EDAE0325767E3D2A0EF225933A81F7E3796280870DBDAB8457D585C4106315B537653DC3D77E915100F421DB39F43B3")); test_hash(&nettle_sha3_512, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("B847B292818E800BAA415C2521A8158A6AB749934DB693D0D2E4613CDAE60BD56075CF2C29F587DC3530164190BC2C02D97CA32347FA2AA431E511BB7D1C87E8")); test_hash(&nettle_sha3_512, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("95ED6D8567774E66404FC32B7A01E1C625FC8322AB9BE0CD7C936731638B04C09748973D95665A35B218D1531411F3AA5E5C47E65D857A43783E2BD3C9D29005")); test_hash(&nettle_sha3_512, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("98350793FC1540AE72757C2D1BA0FA34DF1923C987F365752788E3C65931746C36D13FD293DB8EA1B6374872CCF74E9B0CFF67C6DEBB4263390CD96E2BDD864F")); test_hash(&nettle_sha3_512, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("C2493D60E1EFA6B472933EDE64D1F49EFF773635F66C6454E57E47935A0F4C5B94548DA5C369BDAC7146E54F017C3FD674CE32F8D95151C7CBC3E3BBA3EBE0D3")); test_hash(&nettle_sha3_512, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("70D7BA6585CD2EF91BB261025F9DCC80F8359C9DC30C7C2961F0D1F6057B9C44E3AA67A4BC00F137886E3CF1316D75F8EBF651C79DF9A99CABD0383008372016")); test_hash(&nettle_sha3_512, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("B50D0DA9B3DB1545CC1D2F35465C74D07543B3564249F12C546A08797EEA73326CE624203A3D25C92CE636BCCE86DA9CB9F39BC755EC0F39C090A0E8A72DA70B")); test_hash(&nettle_sha3_512, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("83752A88C915D4193296725DECC50C9C05D25D6BBD9AF2E0EF06286ECFEE961DE959BEDBB130704D432C2BC89930208F450E0A022661724043D268CB24E7FC47")); test_hash(&nettle_sha3_512, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("7288424BA855A76C7480B606F8F32E94396799BAB8BB3FC8FD21D180966C64971071E2645622524EC7D1645EEA7B7C1FA21F7F5B6B90F3E5BEB99222F05EA905")); test_hash(&nettle_sha3_512, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("E9399376D89C4DD4464E45825F4302CDCCD4C41DB4E8951BE17BCC6451858332398B7E4E7F5EEE6830C715451E4AACDB179DD5247BA6D5728CBD4060AEB77CB9")); test_hash(&nettle_sha3_512, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("CCEA447EFE6F8B06AC42076280377635F5FD0767F4AF8B245FE63B79FE4974E9156744E60E98D12018214C39F8A826D506D0D5948645E9F883C208D37D927A41")); test_hash(&nettle_sha3_512, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("7E03FCE3B67EBB28308823F56AA93DBB4D9EFDBD93300D97B1F99EFCB82C3684C5A5A5AA64E7A34C69B89399CAB05F22E8E88607B863336E4CBF8CF6E74B98C1")); test_hash(&nettle_sha3_512, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("6A457AE74F89C42BBD2BD2EBFFFBD71F036FF7B76C4AFDDFFBD52F32E588A9543CED09DA9A3E130AC1A19EF1ACB2FA68AC41917ED6BAD37A60982B16B5EB4FF3")); test_hash(&nettle_sha3_512, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("91B8CD795D1A6828601E00DB0C91FF9A6F837444F53FCF89E990B88F5F3E34EB490E72A1795FAB84F78DA3F7AFC89896C7CDE5865D1BCD74D5639E4903C683FE")); test_hash(&nettle_sha3_512, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("7635D79C1B32E4934EB0090C6D46C0B240F626C77D84F8EABF571BA8FDE924F4A1CF456704B101F667F912DEDBBCBEFF2180A419A68C7B790BA606E6602D5115")); test_hash(&nettle_sha3_512, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("DDD0C521ED60C55F65BAE241A9072D7F6F6CCA7F64624EC92C037BF8BC16F0602E75EE46879AF41F3EFF5CE235905F3856A031C3CC90A4851F4CD8463AAE6DE8")); test_hash(&nettle_sha3_512, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("C84C03564D024F90560001CA4CEF867AF77999943E313CA17328756C43D2FE31CF98812D3A7AAB1535C28ED29D692DB4824E8D6DCE06C9994DBCBE0F82633FBE")); test_hash(&nettle_sha3_512, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("B4563191675191ED4D6107E52FA15ADC9D70642358D8C3E34DF10274E25D373FD8D19E92472B823E28BBDD1D541A95FDDD0D43C79FCB3BA18A7EC038D3EF69A6")); test_hash(&nettle_sha3_512, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("A30BD80CB3ACB3BFA7E037A3D0D2500974D71957F68135133020C32EB4D688F132D0FB045BE027F124B3D935CB889E3CBC4A4A420026BB2AC2A4B1B15C57BB64")); test_hash(&nettle_sha3_512, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("4A5809E457F54D9C7E8209F6C482D52A4EFE6D8A20C4C6FBA83687294929232D25CD7BF511D8E6FBF272E983F07D044F8723098D7A381F04E957B0787087EF02")); test_hash(&nettle_sha3_512, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("A79016C34BEE41AB5CB10278478A5B55D07C2E0831835DDE6F8FF8DAFAC37A5F88FBA07CCEFFE35849DBD123B06DF2335B002645D078FE1B08843C257A1BBE56")); test_hash(&nettle_sha3_512, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("603F7B09565634D4410B574A4DC9EA467437964517E5EFA51A362A30E8C632C55162A3351BB5532E40948AA9A1E3A8786C0422AEC3EC338C7F4B57679200452B")); test_hash(&nettle_sha3_512, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("1018692D530C55BAA580AE1E7384351100D4637CD33869C71E6076A3D4E310D964B81D593E89718845AC7A89E8AD5073506427C6C8F7FADFA0C5DC3CFAA5D924")); test_hash(&nettle_sha3_512, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("E3C0EAFFC3567BD72CC02150A75F32DDE53DE2652C5313EB3E97018ADDDF629DA01D97D0A9E2519451A7292F5DE00EE4456FE6E4F14F96D5DE7E6F174EDB28C4")); test_hash(&nettle_sha3_512, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("192AE7A0F7A816FD3D4020BDDCF2AAF52A64E6384DCA527F33AF4EE69099DCA97B890A99CFAB9D904A35F2707856696C30C6432DF70A6CEF704BB268055A6D07")); test_hash(&nettle_sha3_512, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("6BCD7E7C359FDD93A56D79F97FC2D534619F14FE443AC8C9E042C5105FBAF2777718DE07424A62333FFD43A501A8544449A7CAC3C8D821E380B0CB8172B9493B")); test_hash(&nettle_sha3_512, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("1FCD1E38AB03C750366CF86DD72EC3BF22F5BBF7FEA0149D31B6A67B68B537B59BA37917FD88CED9AA8D2941A65F552B7928B3785C66D640F3B74AF039ED18CE")); test_hash(&nettle_sha3_512, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("F39EF0626D3FBD9CD435A93E7EEE41E4A2FF5362F56C988B20870A3BEFA50470DC5FABE39895C0761289FAFD9147ABAB02561F300D0CEB9A732E14CA887CAF18")); test_hash(&nettle_sha3_512, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("81E8B59DDCD24811B405F7529DA125F0DC19AE21E8795CE9E6692DAB645B7959446ADCAA3061DC4642A51D8A562EFB03A7680AF0F52C01406D5C213EAAC6BE55")); test_hash(&nettle_sha3_512, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("63424B09069FBD2D0FAC00805AAD07FD56E30BB8116B5476AE90BF6ACEC84C3B45368A9EBB7FCEA8D65965F52514A2A59A06E6E06B07DC6AEE7F756BFC188E25")); test_hash(&nettle_sha3_512, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("1E709FB3501FA818F57E70C365DB45CCF2EB8A8FA66DE9B5F211D6F0CC9722ADE963C965AD5F6937BA62EDC2D8983843E0F3679D9C97B30CD54F2409DDA5F474")); test_hash(&nettle_sha3_512, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("5B9F0C544627FAADEA82825A569DA33A75C5DA6CC169926DE0556A737E4DAA07ABF1DC3DB0704F5D67FCBC4CB62AAC442ECEC867A2C16846F1D53D205CB872AC")); test_hash(&nettle_sha3_512, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("930AB42A9F5F5BC5F2222C748F2478A00F40C3B6D6487D6D7ED0D71100F40FCBB2C66566EA26AD0A417629F5A61DCA411CCD21F7367D308F3B1B24901824FA9B")); test_hash(&nettle_sha3_512, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("08203943C58210D3F82758272BEFBB9234FE913409A07944645959B1A6AF2F4363ABD7451232623DAA8E65C87F34939C140608950FBDBBE83D66407944F5423A")); test_hash(&nettle_sha3_512, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("A24DD6A50333F289C175CD4EC185DA9906E38C287A339DC4DEFAFD71B2EA32A6F6AEFE758E25FC8F043E806F1B2EE019E13B85536CD3EFAA2A9B5994FCAE4788")); test_hash(&nettle_sha3_512, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("CD1ED5FFF6FA3D453872510B6B2712EC9C6EBA9543734D88511ED475905E123ED6EF6624F220445FE89C257A9F9C5166A2772EF768B50E9290FB1D4761ECA6C8")); test_hash(&nettle_sha3_512, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("CFAA0EB1C9F02C0469EEFB31A1A53CA1A4765F78EC171CF15DA7D5C512817B8BF7D7CD7B1416B3DE2BBA05EDFB0B493495AC2107A4B686D5DD8D6AD41B4AA3D7")); test_hash(&nettle_sha3_512, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("2BE71EE9ACE2DBCFD43D6D020C07244554DAC8A2CF1571D0FA1D004933739E8978323056797E04C333F5BF187E64F1D881E502672567F204DE0E73CE26E7190D")); test_hash(&nettle_sha3_512, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("6E8B8BD195BDD560689AF2348BDC74AB7CD05ED8B9A57711E9BE71E9726FDA4591FEE12205EDACAF82FFBBAF16DFF9E702A708862080166C2FF6BA379BC7FFC2")); } nettle-3.4.1/testsuite/serpent-test.c0000644000175000017500000002601213401564746016703 0ustar nissenisse#include "testutils.h" #include "serpent.h" static const struct tstring * tstring_hex_reverse (const char *hex) { struct tstring *s = tstring_hex (hex); uint8_t *p; size_t length, i; length = s->length; p = s->data; for (i = 0; i < (length+1)/2; i++) { uint8_t t = p[i]; p[i] = p[length - 1 - i]; p[length - 1 - i] = t; } return s; } #define RHEX(x) tstring_hex_reverse(x) /* For testing unusual key sizes. */ static void test_serpent(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct serpent_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; serpent_set_key(&ctx, key->length, key->data); serpent_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } serpent_set_key(&ctx, key->length, key->data); serpent_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* From libgcrypt */ test_cipher(&nettle_serpent128, SHEX("0000000000000000 0000000000000000"), SHEX("D29D576FCEA3A3A7 ED9099F29273D78E"), SHEX("B2288B968AE8B086 48D1CE9606FD992D")); test_cipher(&nettle_serpent192, SHEX("0000000000000000 0000000000000000 0000000000000000"), SHEX("D29D576FCEABA3A7 ED9899F2927BD78E"), SHEX("130E353E1037C224 05E8FAEFB2C3C3E9")); test_cipher(&nettle_serpent256, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("D095576FCEA3E3A7 ED98D9F29073D78E"), SHEX("B90EE5862DE69168 F2BDD5125B45472B")); test_cipher(&nettle_serpent256, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("2061A42782BD52EC 691EC383B03BA77C")); /* The first test for each key size from the ecb_vk.txt and ecb_vt.txt * files in the serpent package. */ /* NOTE: These vectors uses strange byte-reversed order of inputs and outputs. */ /* 128 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent128, RHEX("8000000000000000 0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("49AFBFAD9D5A3405 2CD8FFA5986BD2DD")); /* vt, 1 */ test_cipher(&nettle_serpent128, RHEX("0000000000000000 0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("10B5FFB720B8CB90 02A1142B0BA2E94A")); /* 192 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent192, RHEX("8000000000000000 0000000000000000" "0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("E78E5402C7195568 AC3678F7A3F60C66")); /* vt, 1 */ test_cipher(&nettle_serpent192, RHEX("0000000000000000 0000000000000000" "0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("B10B271BA25257E1 294F2B51F076D0D9")); /* 256 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent256, RHEX("8000000000000000 0000000000000000" "0000000000000000 0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("ABED96E766BF28CB C0EBD21A82EF0819")); /* vt, 1 */ test_cipher(&nettle_serpent256, RHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("DA5A7992B1B4AE6F 8C004BC8A7DE5520")); /* Test vectors from http://www.cs.technion.ac.il/~biham/Reports/Serpent/ */ /* serpent128 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent128, SHEX("000102030405060708090A0B0C0D0E0F"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("563E2CF8740A27C164804560391E9B27")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent128, SHEX("2BD6459F82C5B300952C49104881FF48"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("92D7F8EF2C36C53409F275902F06539F")); /* serpent192 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent192, SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("6AB816C82DE53B93005008AFA2246A02")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent192, SHEX("2BD6459F82C5B300952C49104881FF482BD6459F82C5B300"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("827B18C2678A239DFC5512842000E204")); /* serpent256 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent256, SHEX("000102030405060708090A0B0C0D0E0F" "101112131415161718191A1B1C1D1E1F"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("2868B7A2D28ECD5E4FDEFAC3C4330074")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent256, SHEX("2BD6459F82C5B300952C49104881FF48" "2BD6459F82C5B300952C49104881FF48"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("3E507730776B93FDEA661235E1DD99F0")); /* Test key padding. We use nettle_serpent256, which actually works also with key sizes smaller than 32 bytes. */ test_cipher(&nettle_serpent256, SHEX("00112233440100000000000000000000" "00000000000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); /* Tests with various key sizes. Currrently, key sizes smaller than SERPENT_MIN_KEY_SIZE bytes (128 bits) are not publicly supported. */ test_serpent(SHEX("0011223344"), SHEX("0000000001000000 0200000003000000"), SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00010000000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("8EB9C958EAFFDF42 009755D7B6458838")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00"), SHEX("0000000001000000 0200000003000000"), SHEX("8EB9C958EAFFDF42 009755D7B6458838")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00112201000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "001122"), SHEX("0000000001000000 0200000003000000"), SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); /* Test with multiple blocks. */ test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2"), SHEX("b3d488986c80dea7 c5ebdab4907871c9")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03")); test_cipher(&nettle_serpent128, SHEX("91c8e949e12f0e38 7b2473238a3df1b6"), SHEX("00000000 00000001 00000002 00000003" "00000004 00000005 00000006 00000007" "00000008 00000009 0000000a 0000000b" "0000000c 0000000d 0000000e 0000000f"), SHEX("2db9f0a39d4f31a4 b1a83cd1032fe1bd" "3606caa84a220b1b f6f43ff80a831203" "8c6c8d2793dc10b3 904d30e194f086a6" "b2f3e932b9b3f8d1 d4d074f7bd1ff7a3")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae" "cd1be7bbfad74819 644617f8656e9e5b"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86" "5f2c99908ee77ffe aea3d30cb78a1ce1")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae" "cd1be7bbfad74819 644617f8656e9e5b" "34d449409c1f850a 4cb6700d6ef3405f"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86" "5f2c99908ee77ffe aea3d30cb78a1ce1" "ebe855dd51532477 4d2d55969e032e6c")); } nettle-3.4.1/testsuite/test-rules.stamp0000644000175000017500000000000613401564746017252 0ustar nissenissestamp nettle-3.4.1/testsuite/memxor-test.c0000644000175000017500000001353013401564746016533 0ustar nissenisse#include "testutils.h" #include "memxor.h" #define MAX_SIZE 256 #define ALIGN_SIZE 16 #if HAVE_VALGRIND_MEMCHECK_H # include # define ROUND_DOWN(x) ((x) & (-ALIGN_SIZE)) # define ROUND_UP(x) ROUND_DOWN((x)+(ALIGN_SIZE-1)) enum mark_type { MARK_SRC, MARK_DST }; static void test_mark (enum mark_type type, const uint8_t *block, size_t block_size, const uint8_t *p, size_t size) { VALGRIND_MAKE_MEM_NOACCESS(block, p - block); if (type == MARK_DST) VALGRIND_MAKE_MEM_UNDEFINED(p, size); VALGRIND_MAKE_MEM_NOACCESS(p + size, (block + block_size) - (p + size)); } #define test_unmark(block, size) \ VALGRIND_MAKE_MEM_DEFINED((block), (size)) #else # define test_mark(type, block, block_size, start, size) # define test_unmark(block, size) #endif static uint8_t * set_align(uint8_t *buf, unsigned align) { unsigned offset; /* An extra redzone char at the beginning */ buf++; offset = (uintptr_t) (buf) % ALIGN_SIZE; if (offset < align) buf += (align - offset); else if (offset > align) buf += (align + ALIGN_SIZE - offset); return buf; } static void test_memxor (const uint8_t *a, const uint8_t *b, const uint8_t *c, size_t size, unsigned align_dst, unsigned align_src) { uint8_t dst_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t src_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t *dst = set_align (dst_buf, align_dst); uint8_t *src = set_align (src_buf, align_src); if (verbose) fprintf(stderr, "size = %d, align_dst = %d, align_src = %d\n", (int) size, align_dst, align_src); memcpy (dst, a, size); dst[-1] = 17; dst[size] = 17; memcpy (src, b, size); test_mark (MARK_SRC, src_buf, sizeof (src_buf), src, size); test_mark (MARK_SRC, dst_buf, sizeof (dst_buf), dst, size); memxor (dst, src, size); ASSERT (MEMEQ (size, dst, c)); test_unmark(src_buf, sizeof (src_buf)); test_unmark(dst_buf, sizeof (src_buf)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } static void test_memxor3 (const uint8_t *ain, const uint8_t *bin, const uint8_t *c, size_t size, unsigned align_dst, unsigned align_a, unsigned align_b) { uint8_t dst_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t a_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t b_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t *dst = set_align (dst_buf, align_dst); uint8_t *a = set_align (a_buf, align_a); uint8_t *b = set_align (b_buf, align_b); if (verbose) fprintf(stderr, "size = %d, align_dst = %d, align_a = %d, align_b = %d\n", (int) size, align_dst, align_a, align_b); memset (dst, 0, size); dst[-1] = 17; dst[size] = 17; memcpy (a, ain, size); memcpy (b, bin, size); test_mark (MARK_SRC, a_buf, sizeof(a_buf), a, size); test_mark (MARK_SRC, b_buf, sizeof(b_buf), b, size); test_mark (MARK_DST, dst_buf, sizeof(dst_buf), dst, size); memxor3 (dst, a, b, size); ASSERT (MEMEQ (size, dst, c)); test_unmark (a_buf, sizeof(a_buf)); test_unmark (b_buf, sizeof(b_buf)); test_unmark (dst_buf, sizeof(dst_buf)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } void test_main(void) { const uint8_t *a = H("ecc8737f 38f2f9e8 86b9d84c 42a9c7ef" "27a50860 49c6be97 c5cc6c35 3981b367" "f8b4397b 951e3b2f 35749fe1 25884fa6" "9361c97a ab1c6cce 494efb5a 1f108411" "21dc6386 e81b2410 2f04c29d e0ca1135" "c9f96f2e bb5b2e2d 8cb45df9 50c4755a" "362b7ead 4b930010 cbc69834 66221ba8" "c0b8d7ac 7ec3b700 6bdb1a3b 599f3e76" "a7e66a29 ee1fb98c 60a66c9e 0a1d9c49" "6367afc7 362d6ae1 f8799443 17e2b1a1" "ff1cc03c 9e2728ca a1f6598f 5a61bd56" "0826effc f3499da7 119249b6 fd643cd4" "2e7c74b0 f775fda4 a5617138 1e8520bf" "f17de57a decc36b6 9eceee6e d448f592" "be77a67a 1b91a5b3 62fab868 dcb046f6" "394b5335 b2eaa351 fc4456e4 35bb9c54"); const uint8_t *b = H("cac458ad fe87e226 6cb0ce3d cfa5cb3b" "963d0034 5811bb9e acf4675b 7464f800" "4b1bcff2 b2fa5dd0 0576aea6 888b8150" "bcba48f1 49bc33d2 e138b0d0 a29b486e" "f7e143c6 f9959596 6aaa4493 b0bea6f8" "1d778513 a3bfec7e 70cfe6a7 e31ad041" "5fe3371b 63aba991 dab9a3db 66310ebc" "24c2765d a722a131 2fc4d366 1f2e3388" "7e5b26d5 7b34bf4c 655d19da d1335362" "2fbc0d5d cc68c811 ef735c20 352986ef" "f47ac5c9 afa77f5a 20da6dd3 eb9dfb34" "0cdbf792 caf0d633 61d908da a4c0f2a9" "be7a573e 3b8d161c 47fc19be e47d7edc" "e5f00dae f64cbbb4 a081e1f0 381833d8" "30d302ff eed61887 3390d6b2 0048ac32" "9c6b2981 a224dcc1 6b1feebe 15834b1a"); const uint8_t *c = H("260c2bd2 c6751bce ea091671 8d0c0cd4" "b1980854 11d70509 69380b6e 4de54b67" "b3aff689 27e466ff 30023147 ad03cef6" "2fdb818b e2a05f1c a8764b8a bd8bcc7f" "d63d2040 118eb186 45ae860e 5074b7cd" "d48eea3d 18e4c253 fc7bbb5e b3dea51b" "69c849b6 2838a981 117f3bef 00131514" "e47aa1f1 d9e11631 441fc95d 46b10dfe" "d9bd4cfc 952b06c0 05fb7544 db2ecf2b" "4cdba29a fa45a2f0 170ac863 22cb374e" "0b6605f5 31805790 812c345c b1fc4662" "04fd186e 39b94b94 704b416c 59a4ce7d" "9006238e ccf8ebb8 e29d6886 faf85e63" "148de8d4 28808d02 3e4f0f9e ec50c64a" "8ea4a485 f547bd34 516a6eda dcf8eac4" "a5207ab4 10ce7f90 975bb85a 2038d74e"); const int size[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 23, 24, 25, 30, 31, 32, 33, 34, 35, 36, 37, 250, 251, 252, 253,254, 255, 256, -1 }; unsigned i, align_dst, align_a, align_b; for (i = 0; size[i] >= 0; i++) for (align_dst = 0; align_dst < ALIGN_SIZE; align_dst++) for (align_a = 0; align_a < ALIGN_SIZE; align_a++) { test_memxor (a, b, c, size[i], align_dst, align_a); for (align_b = 0; align_b < ALIGN_SIZE; align_b++) test_memxor3 (a, b, c, size[i], align_dst, align_a, align_b); } } nettle-3.4.1/testsuite/Makefile.in0000644000175000017500000001304513401564746016151 0ustar nissenisse@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ blowfish-test.c cast128-test.c \ base16-test.c base64-test.c \ camellia-test.c chacha-test.c \ cnd-memcpy-test.c \ des-test.c des3-test.c des-compat-test.c \ md2-test.c md4-test.c md5-test.c md5-compat-test.c \ memeql-test.c memxor-test.c gosthash94-test.c \ ripemd160-test.c hkdf-test.c \ salsa20-test.c \ sha1-test.c sha224-test.c sha256-test.c \ sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \ sha3-permute-test.c sha3-224-test.c sha3-256-test.c \ sha3-384-test.c sha3-512-test.c \ serpent-test.c twofish-test.c version-test.c \ knuth-lfib-test.c \ cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \ poly1305-test.c chacha-poly1305-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c\ meta-aead-test.c meta-armor-test.c \ buffer-test.c yarrow-test.c pbkdf2-test.c TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ bignum-test.c random-prime-test.c \ pkcs1-test.c pkcs1-sec-decrypt-test.c \ pss-test.c rsa-sign-tr-test.c \ pss-mgf1-test.c rsa-pss-sign-tr-test.c \ rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \ rsa-sec-decrypt-test.c \ rsa-compute-root-test.c \ dsa-test.c dsa-keygen-test.c \ curve25519-dh-test.c \ ecc-mod-test.c ecc-modinv-test.c ecc-redc-test.c \ ecc-sqrt-test.c \ ecc-dup-test.c ecc-add-test.c \ ecc-mul-g-test.c ecc-mul-a-test.c \ ecdsa-sign-test.c ecdsa-verify-test.c \ ecdsa-keygen-test.c ecdh-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx TS_NETTLE = $(TS_NETTLE_SOURCES:.c=$(EXEEXT)) TS_HOGWEED = $(TS_HOGWEED_SOURCES:.c=$(EXEEXT)) TS_C = $(TS_NETTLE) @IF_HOGWEED@ $(TS_HOGWEED) TS_CXX = @IF_CXX@ $(CXX_SOURCES:.cxx=$(EXEEXT)) TARGETS = $(TS_C) $(TS_CXX) TS_SH = sexp-conv-test pkcs1-conv-test nettle-pbkdf2-test symbols-test TS_ALL = $(TARGETS) $(TS_SH) @IF_DLOPEN_TEST@ dlopen-test$(EXEEXT) EXTRA_SOURCES = sha1-huge-test.c EXTRA_TARGETS = $(EXTRA_SOURCES:.c=$(EXEEXT)) # Includes all C source files, regardless of configuration SOURCES = $(TS_SOURCES) $(EXTRA_SOURCES) testutils.c dlopen-test.c DISTFILES = $(SOURCES) $(CXX_SOURCES) Makefile.in .test-rules.make \ test-rules.stamp \ $(TS_SH) setup-env teardown-env \ gold-bug.txt testutils.h sha3.awk all: $(EXTRA_TARGETS) .c.$(OBJEXT): $(COMPILE) -c $< && $(DEP_PROCESS) .SUFFIXES: .cxx .cxx.$(OBJEXT): $(COMPILE_CXX) -c $< && $(DEP_PROCESS) # BSD (and Solaris) make doesn't allow extra dependencies together one # single-suffix rules, which makes it impossible or almost impossible # to use suffix rules to build the test executables. So we use an # explicit rule for each and every executable. LIB_HOGWEED = @IF_HOGWEED@ -lhogweed TEST_OBJS = testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \ $(LIB_HOGWEED) -lnettle $(LIBS) ../nettle-internal.$(OBJEXT): ( cd .. && $(MAKE) nettle-internal.$(OBJEXT) ) # Special target, to omit linking with libnettle dlopen-test$(EXEEXT): dlopen-test.$(OBJEXT) testutils.$(OBJEXT) $(LINK) dlopen-test.$(OBJEXT) -ldl -o dlopen-test$(EXEEXT) .PHONY: test-rules test-rules: (for f in $(TS_NETTLE) $(TS_HOGWEED) $(EXTRA_TARGETS) ; do \ echo $$f'$$(EXEEXT): '$$f'.$$(OBJEXT)' ; \ echo ' $$(LINK) '$$f'.$$(OBJEXT) $$(TEST_OBJS) -o '$$f'$$(EXEEXT)' ; \ echo ; \ done ; \ for f in $(TS_CXX) ; do \ echo $$f'$$(EXEEXT): '$$f'.$$(OBJEXT)' ; \ echo ' $$(LINK_CXX) '$$f'.$$(OBJEXT) $$(TEST_OBJS) -o '$$f'$$(EXEEXT)' ; \ echo ; \ done) > $(srcdir)/.test-rules.make $(srcdir)/.test-rules.make: $(srcdir)/test-rules.stamp # Updates the stamp file *first*, so that this rule isn't triggered # again and again by the recursive $(MAKE). $(srcdir)/test-rules.stamp: Makefile.in echo stamp > $(srcdir)/test-rules.stamp $(MAKE) test-rules include $(srcdir)/.test-rules.make $(TARGETS) $(EXTRA_TARGETS): testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \ ../libnettle.stamp @IF_HOGWEED@ ../libhogweed.stamp # For use as, e.g., # # make check EMULATOR='$(VALGRIND)' # make check EMULATOR='$(VALGRIND) --log-fd=3' 3>valgrind.log # --partial-loads-ok=yes is needed for memxor's handling of unaligned # data. VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes # The PATH update is for windows dlls, DYLD_LIBRARY_PATH is for OSX. check: $(TS_ALL) LD_LIBRARY_PATH=../.lib PATH="../.lib:$$PATH" DYLD_LIBRARY_PATH=../.lib \ srcdir="$(srcdir)" \ EMULATOR="$(EMULATOR)" NM="$(NM)" EXEEXT="$(EXEEXT)" \ $(top_srcdir)/run-tests $(TS_ALL) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status testsuite/$@ install uninstall: true distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) $(EXTRA_TARGETS) dlopen-test$(EXEEXT) \ *.o test.in test1.out test2.out distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h # Includes dependency files for everything, including objects which # the current configuration will not build. DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) $(CXX_SOURCES:.cxx=.$(OBJEXT).d) @DEP_INCLUDE@ $(DEP_FILES) nettle-3.4.1/testsuite/cbc-test.c0000644000175000017500000002432113401564746015753 0ustar nissenisse#include "testutils.h" #include "aes.h" #include "cbc.h" #include "knuth-lfib.h" /* Test with more data and inplace decryption, to check that the * cbc_decrypt buffering works. */ #define CBC_BULK_DATA 0x2710 /* 10000 */ static void test_cbc_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CBC_BULK_DATA]; uint8_t cipher[CBC_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("c7a42a569b421224 d0c23e52f46f97f5"); struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CBC_BULK_DATA); knuth_lfib_random(&random, CBC_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CBC_BULK_DATA] = 17; aes_set_encrypt_key(&aes.ctx, 32, key); CBC_SET_IV(&aes, start_iv); CBC_ENCRYPT(&aes, aes_encrypt, CBC_BULK_DATA, cipher, clear); ASSERT(cipher[CBC_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes_set_decrypt_key(&aes.ctx, 32, key); CBC_SET_IV(&aes, start_iv); CBC_DECRYPT(&aes, aes_decrypt, CBC_BULK_DATA, cipher, cipher); ASSERT(cipher[CBC_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CBC_BULK_DATA, clear, cipher)); } void test_main(void) { /* Intermediate values: * iv XOR first message block: * "a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37" * First ciphertext block, c1: * "1f 94 fc 85 f2 36 21 06 4a ea e3 c9 cc 38 01 0e" * c1 XOR second message block: * "3f e0 94 ec 81 16 4e 68 26 93 c3 a6 a2 5b 64 2f" * Second ciphertext block, c1: * "7b f6 5f c5 02 59 2e 71 af bf 34 87 c0 36 2a 16" */ test_cipher_cbc(&nettle_aes256, SHEX("8d ae 93 ff fc 78 c9 44" "2a bd 0c 1e 68 bc a6 c7" "05 c7 84 e3 5a a9 11 8b" "d3 16 aa 54 9b 44 08 9e"), SDATA("Listen, I'll say this only once!"), SHEX("1f 94 fc 85 f2 36 21 06" "4a ea e3 c9 cc 38 01 0e" "7b f6 5f c5 02 59 2e 71" "af bf 34 87 c0 36 2a 16"), SHEX("e9 a7 26 a0 44 7b 8d e6 03 83 60 de ea d5 b0 4e")); /* From NIST spec 800-38a on AES modes. * * F.2 CBC Example Vectors * F.2.1 CBC-AES128.Encrypt */ /* Intermediate values, blocks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * d86421fb9f1a1eda505ee1375746972c * 604ed7ddf32efdff7020d0238b7c2a5d * 8521f2fd3c8eef2cdc3da7e5c44ea206 */ test_cipher_cbc(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("7649abac8119b246cee98e9b12e9197d" "5086cb9b507219ee95db113a917678b2" "73bed6b8e3c1743b7116e69e22229516" "3ff1caa1681fac09120eca307586e1a7"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.2.3 CBC-AES192.Encrypt */ /* Intermediate values, blcoks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * e12f97e55dbfcfa1efcf7796da0fffb9 * 8411b1ef0e2109e5001cf96f256346b5 * a1840065cdb4e1f7d282fbd7db9d35f0 */ test_cipher_cbc(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("4f021db243bc633d7178183a9fa071e8" "b4d9ada9ad7dedf4e5e738763f69145a" "571b242012fb7ae07fa9baac3df102e0" "08b0e27988598881d920a9e64f5615cd"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.2.5 CBC-AES256.Encrypt */ /* Intermediate values, blcoks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * 5ba1c653c8e65d26e929c4571ad47587 * ac3452d0dd87649c8264b662dc7a7e92 * cf6d172c769621d8081ba318e24f2371 */ test_cipher_cbc(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f58c4c04d6e5f1ba779eabfb5f7bfbd6" "9cfc4e967edb808d679f777bc6702c7d" "39f23369a9d9bacfa530e26304231461" "b2eb05e2c39be9fcda6c19078c6a9d1b"), SHEX("000102030405060708090a0b0c0d0e0f")); test_cbc_bulk(); } /* IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block 7649abac8119b246cee98e9b12e9197d Ciphertext 7649abac8119b246cee98e9b12e9197d Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block d86421fb9f1a1eda505ee1375746972c Output Block 5086cb9b507219ee95db113a917678b2 Ciphertext 5086cb9b507219ee95db113a917678b2 Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block 604ed7ddf32efdff7020d0238b7c2a5d Output Block 73bed6b8e3c1743b7116e69e22229516 Ciphertext 73bed6b8e3c1743b7116e69e22229516 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block 8521f2fd3c8eef2cdc3da7e5c44ea206 Output Block 3ff1caa1681fac09120eca307586e1a7 Ciphertext 3ff1caa1681fac09120eca307586e1a7 F.2.2 CBC-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext 7649abac8119b246cee98e9b12e9197d Input Block 7649abac8119b246cee98e9b12e9197d Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext 5086cb9b507219ee95db113a917678b2 Input Block 5086cb9b507219ee95db113a917678b2 Output Block d86421fb9f1a1eda505ee1375746972c Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 73bed6b8e3c1743b7116e69e22229516 Input Block 73bed6b8e3c1743b7116e69e22229516 Output Block 604ed7ddf32efdff7020d0238b7c2a5d Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext 3ff1caa1681fac09120eca307586e1a7 Input Block 3ff1caa1681fac09120eca307586e1a7 Output Block 8521f2fd3c8eef2cdc3da7e5c44ea206 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.2.3 CBC-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block 4f021db243bc633d7178183a9fa071e8 Ciphertext 4f021db243bc633d7178183a9fa071e8 Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block e12f97e55dbfcfa1efcf7796da0fffb9 Output Block b4d9ada9ad7dedf4e5e738763f69145a Ciphertext b4d9ada9ad7dedf4e5e738763f69145a Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block 8411b1ef0e2109e5001cf96f256346b5 Output Block 571b242012fb7ae07fa9baac3df102e0 Ciphertext 571b242012fb7ae07fa9baac3df102e0 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block a1840065cdb4e1f7d282fbd7db9d35f0 Output Block 08b0e27988598881d920a9e64f5615cd Ciphertext 08b0e27988598881d920a9e64f5615cd F.2.4 CBC-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext 4f021db243bc633d7178183a9fa071e8 Input Block 4f021db243bc633d7178183a9fa071e8 Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext b4d9ada9ad7dedf4e5e738763f69145a Input Block b4d9ada9ad7dedf4e5e738763f69145a Output Block e12f97e55dbfcfa1efcf7796da0fffb9 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 571b242012fb7ae07fa9baac3df102e0 Input Block 571b242012fb7ae07fa9baac3df102e0 Output Block 8411b1ef0e2109e5001cf96f256346b5 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext 08b0e27988598881d920a9e64f5615cd Input Block 08b0e27988598881d920a9e64f5615cd Output Block a1840065cdb4e1f7d282fbd7db9d35f0 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.2.5 CBC-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block f58c4c04d6e5f1ba779eabfb5f7bfbd6 Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6 Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block 5ba1c653c8e65d26e929c4571ad47587 Output Block 9cfc4e967edb808d679f777bc6702c7d Ciphertext 9cfc4e967edb808d679f777bc6702c7d Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block ac3452d0dd87649c8264b662dc7a7e92 Output Block 39f23369a9d9bacfa530e26304231461 Ciphertext 39f23369a9d9bacfa530e26304231461 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block cf6d172c769621d8081ba318e24f2371 Output Block b2eb05e2c39be9fcda6c19078c6a9d1b Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b F.2.6 CBC-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6 Input Block f58c4c04d6e5f1ba779eabfb5f7bfbd6 Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext 9cfc4e967edb808d679f777bc6702c7d Input Block 9cfc4e967edb808d679f777bc6702c7d Output Block 5ba1c653c8e65d26e929c4571ad47587 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 39f23369a9d9bacfa530e26304231461 Input Block 39f23369a9d9bacfa530e26304231461 Output Block ac3452d0dd87649c8264b662dc7a7e92 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b Input Block b2eb05e2c39be9fcda6c19078c6a9d1b Output Block cf6d172c769621d8081ba318e24f2371 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-3.4.1/testsuite/sexp-conv-test0000755000175000017500000000475613401564746016742 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi print_raw () { printf "%s" "$1" > "$2" } print_nl () { printf "%s\n" "$1" > "$2" } test_advanced () { print_raw "$1" test.in if $EMULATOR ../tools/sexp-conv -s advanced test1.out ; then true else exit 1 fi print_nl "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_advanced_hex () { print_raw "$1" test.in if $EMULATOR ../tools/sexp-conv -s hex test1.out ; then true else exit 1 fi print_nl "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_transport () { print_raw "$1" test.in if $EMULATOR ../tools/sexp-conv -s transport test1.out ; then true else exit 1 fi print_nl "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_canonical () { print_raw "$1" test.in if $EMULATOR ../tools/sexp-conv -s canonical test1.out ; then true else exit 1 fi print_raw "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_advanced '0:' '""' test_advanced '3:foo' 'foo' test_advanced '12:fooooooooooo' 'fooooooooooo' test_advanced '10:fooooooooo' 'fooooooooo' test_advanced '4:3des' '"3des"' test_advanced '"foo"' 'foo' test_advanced '4:foo ' '"foo\n"' # Having the string end with a \ breaks with sysv echo. \x seems harmless. test_advanced '3:"\x' '"\"\\x"' test_advanced '()' '()' test_advanced '(foo bar baz)' '(foo bar baz)' test_advanced '; comment ()' '; comment ()' test_advanced '(foo ; gazonk bar)' '(foo ; gazonk bar)' test_advanced '(foo[bar]foo)' '(foo [bar]foo)' test_advanced '(#aabb#)' '(|qrs=|)' test_advanced '(|qrs=|)' '(|qrs=|)' test_advanced_hex '(|qrs=|)' '(#aabb#)' test_advanced_hex '(#aabb#)' '(#aabb#)' test_advanced_hex '{MToR}' '#11#' test_advanced_hex '|EQ==|' '#11#' test_transport '0:' '{MDo=}' test_transport '()' '{KCk=}' test_transport '1:A' '{MTpB}' test_transport 'foo' '{Mzpmb28=}' test_transport '(foo bar baz)' '{KDM6Zm9vMzpiYXIzOmJheik=}' test_canonical '""' '0:' test_canonical '{MDo=}' '0:' test_canonical '{KCk=}' '()' test_canonical '{MTpB}' '1:A' test_canonical 'foo' '3:foo' test_canonical 'fooooooooooo' '12:fooooooooooo' test_canonical 'fooooooooo' '10:fooooooooo' test_canonical '(foo bar baz)' '(3:foo3:bar3:baz)' test_canonical '{KDM6Zm9vMzpiYXIzOmJheik=}' '(3:foo3:bar3:baz)' exit 0 nettle-3.4.1/testsuite/poly1305-test.c0000644000175000017500000000475013401564746016524 0ustar nissenisse#include "testutils.h" #include "poly1305.h" static void update (void *ctx, nettle_hash_update_func *f, const struct tstring *msg, unsigned length) { for (; length > msg->length; length -= msg->length) f(ctx, msg->length, msg->data); f(ctx, length, msg->data); } static void check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, const struct tstring *msg, unsigned length, unsigned tag_length, const uint8_t *ref) { uint8_t tag[16]; f(ctx, tag_length, tag); if (memcmp (tag, ref, tag_length) != 0) { printf ("%s failed\n", name); printf ("msg: "); print_hex (msg->length, msg->data); printf ("length: %u\n", length); printf ("tag: "); print_hex (tag_length, tag); printf ("ref: "); print_hex (tag_length, ref); abort (); } } static void test_poly1305 (const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, unsigned length, const struct tstring *ref) { struct poly1305_aes_ctx ctx; ASSERT (key->length == POLY1305_AES_KEY_SIZE); ASSERT (ref->length == POLY1305_AES_DIGEST_SIZE); poly1305_aes_set_key (&ctx, key->data); poly1305_aes_set_nonce (&ctx, nonce->data); update(&ctx, (nettle_hash_update_func *) poly1305_aes_update, msg, length); check_digest ("poly1305-aes", &ctx, (nettle_hash_digest_func *) poly1305_aes_digest, msg, length, 16, ref->data); } void test_main(void) { /* From Bernstein's paper. */ test_poly1305 (SHEX("75deaa25c09f208e1dc4ce6b5cad3fbfa0f3080000f46400d0c7e9076c834403"), SHEX("61ee09218d29b0aaed7e154a2c5509cc"), SHEX(""), 0, SHEX("dd3fab2251f11ac759f0887129cc2ee7")); test_poly1305 (SHEX("ec074c835580741701425b623235add6851fc40c3467ac0be05cc20404f3f700"), SHEX("fb447350c4e868c52ac3275cf9d4327e"), SHEX("f3f6"), 2, SHEX("f4c633c3044fc145f84f335cb81953de")); test_poly1305 (SHEX("6acb5f61a7176dd320c5c1eb2edcdc74" "48443d0bb0d21109c89a100b5ce2c208"), SHEX("ae212a55399729595dea458bc621ff0e"), SHEX("663cea190ffb83d89593f3f476b6bc24" "d7e679107ea26adb8caf6652d0656136"), 32, SHEX("0ee1c16bb73f0f4fd19881753c01cdbe")); test_poly1305 (SHEX("e1a5668a4d5b66a5f68cc5424ed5982d12976a08c4426d0ce8a82407c4f48207"), SHEX("9ae831e743978d3a23527c7128149e3a"), SHEX("ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491" "faf0990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb2109" "5c1bf9"), 63, SHEX("5154ad0d2cb26e01274fc51148491f1b")); } nettle-3.4.1/testsuite/rsa-test.c0000644000175000017500000001464613401564746016022 0ustar nissenisse#include "testutils.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test md5 signatures */ mpz_set_str(expected, "53bf517009fa956e" "3daa6adc95e8663d" "3759002f488bbbad" "e49f62792d85dbcc" "293f68e2b68ef89a" "c5bd42d98f845325" "3e6c1b76fc337db5" "e0053f255c55faf3" "eb6cc568ad7f5013" "5b269a64acb9eaa7" "b7f09d9bd90310e6" "4c58f6dbe673ada2" "67c97a9d99e19f9d" "87960d9ce3f0d5ce" "84f401fe7e10fa24" "28b9bffcf9", 16); test_rsa_md5(&pub, &key, expected); /* Test sha1 signature */ mpz_set_str(expected, "129b405ed85db88c" "55d35344c4b52854" "496516b4d63d8211" "80a0c24d6ced9047" "33065a564bbd33d0" "a5cdfd204b9c6d15" "78337207c2f1662d" "c73906c7a0f2bf5c" "af92cef9121957b1" "dcb111ff47b92389" "888e384d0cfd1b1e" "e5d7003a8feff3fd" "dd6a71d242a79272" "25234d67ba369441" "c12ae555c697754e" "a17f93fa92", 16); test_rsa_sha1(&pub, &key, expected); mpz_set_str(expected, "13f9e43f7a401a73" "0a74985c01520d76" "bf5f2e2dff91e93b" "9267d8c388d6937b" "d4bc6f1fa31618a9" "b5e3a1a875af72f5" "0e805dbfebdf4348" "7d49763f0b365e78" "d2c0ea8fb3785897" "782289a58f998907" "248c9cdf2c643d7e" "6ba6b55026227773" "6f19caa69c4fc6d7" "7e2e5d4cd6b7a82b" "900d201ffd000448" "685e5a4f3e", 16); test_rsa_sha256(&pub, &key, expected); mpz_set_str(expected, "06327f717f43bcf3" "5994e567e8241963" "8c22e1057a7771e7" "a665bb7441a39cc8" "7762f6b1a459cae3" "281462ed3f6aec48" "15c2365797a02af6" "8a603adf276c46f6" "e6afb25d07c57f47" "c516aff84abda629" "cc83d9364eb3616d" "7d4ddf0e9a25fac5" "7d56a252b0cb7b1f" "8266b525e9b893af" "116e7845c0969a9f" "603e2543f3", 16); test_rsa_sha512(&pub, &key, expected); /* Test detection of invalid keys with even modulo */ mpz_clrbit (pub.n, 0); ASSERT (!rsa_public_key_prepare (&pub)); mpz_clrbit (key.p, 0); ASSERT (!rsa_private_key_prepare (&key)); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test md5 signatures */ mpz_set_str(expected, "011b939f6fbacf7f" "7d3217b022d07477" "e582e34d4bbddd4c" "31520647417fc8a6" "18b2e196d799cedd" "d8f5c062fd796b0f" "72ab46db2ac6ec74" "39d856be3f746cc4" "3e0a15429954736a" "60a8b3c6ea93d2cb" "c69085c307d72517" "07d43bf97a3b51eb" "9e89", 16); test_rsa_md5(&pub, &key, expected); /* Test sha1 signature */ mpz_set_str(expected, "648c49e0ed045547" "08381d0bcd03b7bd" "b0f80a0e9030525d" "234327a1c96b8660" "f1c01c6f15ae76d0" "4f53a53806b7e4db" "1f789e6e89b538f6" "88fcbd2caa6abef0" "5432d52f3de463a4" "a9e6de94f1b7bb68" "3c07edf0924fc93f" "56e1a0dba8f7491c" "5c", 16); test_rsa_sha1(&pub, &key, expected); mpz_set_str(expected, "d759bb28b4d249a2" "f8b67bdbb1ab7f50" "c88712fbcabc2956" "1ec6ca3f8fdafe7a" "38433d7da287b8f7" "87857274c1640b2b" "e652cd89c501d570" "3980a0af5c6bb60c" "f84feab25b099d06" "e2519accb73dac43" "fb8bdad28835f3bd" "84c43678fe2ef41f" "af", 16); test_rsa_sha256(&pub, &key, expected); mpz_set_str(expected, "f761aae6273d6149" "06d8c208fb2897ca" "d798a46af4985b86" "51d51e6a3e11cbe0" "84f18ba8979c0f54" "11493f7c6e770560" "03db2146b4dbcaa6" "4aae2e02aab9ff7b" "1ddf77dc72145cf1" "c26ebde7c708cdc1" "62e167a7ac33967b" "386a40ea4a988d17" "47", 16); test_rsa_sha512(&pub, &key, expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.4.1/testsuite/sexp2rsa-test.c0000644000175000017500000000236013401564746016772 0ustar nissenisse#include "testutils.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key priv; const struct tstring *sexp; rsa_public_key_init(&pub); rsa_private_key_init(&priv); sexp = SHEX("2831313a707269766174652d6b657928" "333a72736128313a6e36333a085c3408" "989acae4faec3cbbad91c90d34c1d259" "cd74121a36f38b0b51424a9b2be514a0" "4377113a6cdafe79dd7d5f2ecc8b5e96" "61189b86a7b22239907c252928313a65" "343a36ad4b1d2928313a6436333a06ee" "6d4ff3c239e408150daf8117abfa36a4" "0ad4455d9059a86d52f33a2de07418a0" "a699594588c64810248c9412d554f74a" "f947c73c32007e87c92f0937ed292831" "3a7033323a03259879b24315e9cf1425" "4824c7935d807cdb6990f414a0f65e60" "65130a611f2928313a7133323a02a81b" "a73bad45fc73b36deffce52d1b73e074" "7f4d8a82648cecd310448ea63b292831" "3a6133323a026cbdad5dd0046e093f06" "0ecd5b4ac918e098b0278bb752b7cadd" "6a8944f0b92928313a6233323a014875" "1e622d6d58e3bb094afd6edacf737035" "1d068e2ce9f565c5528c4a7473292831" "3a6333323a00f8a458ea73a018dc6fa5" "6863e3bc6de405f364f77dee6f096267" "9ea1a8282e292929"); ASSERT(rsa_keypair_from_sexp (&pub, &priv, 0, sexp->length, sexp->data)); test_rsa_key(&pub, &priv); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); } nettle-3.4.1/testsuite/rsa-pss-sign-tr-test.c0000644000175000017500000003027113401564746020176 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #include "nettle-internal.h" #define SALT "This is a magic salt" #define MSG1 "None so blind as those who will not see" #define MSG2 "Fortune knocks once at every man's door" typedef int (*test_pss_sign_tr_func) (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); typedef int (*test_pss_verify_func) (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); static void test_rsa_pss_sign_tr(struct rsa_public_key *pub, struct rsa_private_key *key, test_pss_sign_tr_func sign_tr_func, test_pss_verify_func verify_func, void *ctx, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, size_t length, const uint8_t *message, mpz_t expected) { mpz_t signature; struct knuth_lfib_ctx lfib; uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE]; uint8_t bad_digest[NETTLE_MAX_HASH_DIGEST_SIZE]; knuth_lfib_init(&lfib, 1111); hash->init(ctx); hash->update(ctx, length, message); hash->digest(ctx, hash->digest_size, digest); mpz_init(signature); mpz_set_ui (signature, 17); /* Try bad private key */ mpz_add_ui(key->p, key->p, 2); ASSERT(!sign_tr_func(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, salt_length, salt, digest, signature)); mpz_sub_ui(key->p, key->p, 2); ASSERT(!mpz_cmp_ui(signature, 17)); /* Try the good private key */ ASSERT(sign_tr_func(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, salt_length, salt, digest, signature)); if (verbose) { fprintf(stderr, "rsa-pss-tr signature: "); mpz_out_str(stderr, 16, signature); fprintf(stderr, "\nrsa-pss-tr expected: "); mpz_out_str(stderr, 16, expected); fprintf(stderr, "\n"); } ASSERT (mpz_cmp(signature, expected) == 0); /* Try bad digest */ memset(bad_digest, 0x17, sizeof(bad_digest)); ASSERT (!verify_func(pub, salt_length, bad_digest, signature)); /* Try the good digest */ ASSERT (verify_func(pub, salt_length, digest, signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!verify_func(pub, salt_length, digest, signature)); mpz_clear(signature); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct sha256_ctx sha256ctx; struct sha384_ctx sha384ctx; struct sha512_ctx sha512ctx; mpz_t p1; mpz_t q1; struct tstring *salt; struct tstring *msg; mpz_t expected; mpz_init(expected); mpz_init(p1); mpz_init(q1); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test signatures */ mpz_set_str(expected, "25e6ce0cc00e917e177a09cb4dfd843d104c179b71aded60e68ebc" "ca2cabb1e51502adf28e53fa7ede42619f21a1162755b9658edf88" "a038bb4fea2bb73306fb384d5785c1a8c98a255277c91a4f88ddd3" "52ebdc78f71f7e62b7a870dac4ab25f1004453457e831a1572f7c9" "23fcc48e3b69db582127d14471c7195dce", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG1), expected); mpz_set_str(expected, "52f4393ccc92b5672dd3cfd8624765d3a4cdb50c7a92060c33b4663" "fa545b32ce56ec8cd44fe9720df301906ae40921e844b6d80331194" "972f98e309c937c887c53da940778f29d52dd9489e6016a07e9aa16" "b1ea8fefc0860ad69068ad6f94a4b0c8fc8a0797b08c58cf4a8df90" "ee1375feedf7bf73f16ebb2d1cc7e4", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG2), expected); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test signatures */ mpz_set_str(expected, "1a4d28331341cabf7ac85bc59a58d439b7ec2c607c6a74e35b5909" "1dfa3d9de9fde93e4a431f0f768bec07c39995d253209f86e3dc84" "037ecd5d23d963fab4fa8a001e018d82cb19d743a94ba7dc7a821e" "87b72e67a0fe058f956208f7060dc104", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG1), expected); /* From FIPS 186-2 */ mpz_set_str(pub.n, "be499b5e7f06c83f" "a0293e31465c8eb6" "b58af920bae52a7b" "5b9bfeb7aa72db12" "64112eb3fd431d31" "a2a7e50941566929" "494a0e891ed56139" "18b4b51b0d1fb977" "83b26acf7d0f384c" "fb35f4d2824f5dd3" "80623a26bf180b63" "961c619dcdb20cae" "406f22f6e276c80a" "37259490cfeb72c1" "a71a84f1846d3308" "77ba3e3101ec9c7b" , 16); mpz_set_str(pub.e, "11", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "e7a80c5d211c06ac" "b900939495f26d36" "5fc2b4825b75e356" "f89003eaa5931e6b" "e5c3f7e6a633ad59" "db6289d06c354c23" "5e739a1e3f3d39fb" "40d1ffb9cb44288f", 16); mpz_set_str(key.q, "d248aa248000f720" "258742da67b71194" "0c8f76e1ecd52b67" "a6ffe1e49354d66f" "f84fa601804743f5" "838da2ed4693a5a2" "8658d6528cc1803b" "f6c8dc73c5230b55", 16); mpz_set_str(key.d, "0d0f17362bdad181" "db4e1fe03e8de1a3" "208989914e14bf26" "9558826bfa20faf4" "b68dba6bb989a01f" "03a21c44665dc5f6" "48cb5b59b954eb10" "77a80263bd22cdfb" "88d39164b7404f4f" "1106ee01cf60b776" "95748d8fdaf9fd42" "8963fe75144010b1" "934c8e26a8823967" "2cf49b3422a07c4d" "834ba208d570fe40" "8e7095c90547e68d", 16); /* a = d % (p-1) */ mpz_sub_ui(p1, key.p, 1); mpz_fdiv_r(key.a, key.d, p1); mpz_clear(p1); /* b = d % (q-1) */ mpz_sub_ui(q1, key.q, 1); mpz_fdiv_r(key.b, key.d, q1); mpz_clear(q1); /* c = q^{-1} (mod p) */ mpz_invert(key.c, key.q, key.p); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); mpz_set_str(expected, "11e169f2fd40b07641b9768a2ab19965fb6c27f10fcf0323fcc6d1" "2eb4f1c06b330ddaa1ea504407afa29de9ebe0374fe9d1e7d0ffbd" "5fc1cf3a3446e4145415d2ab24f789b3464c5c43a256bbc1d692cf" "7f04801dac5bb401a4a03ab7d5728a860c19e1a4dc797ca542c820" "3cec2e601eb0c51f567f2eda022b0b9ebddeeefa", 16); salt = SHEX("11223344555432167890"); msg = SHEX("c7f5270fca725f9bd19f519a8d7cca3cc5c079024029f3bae510f9" "b02140fe238908e4f6c18f07a89c687c8684669b1f1db2baf9251a" "3c829faccb493084e16ec9e28d58868074a5d6221667dd6e528d16" "fe2c9f3db4cfaf6c4dce8c8439af38ceaaaa9ce2ecae7bc8f4a5a5" "5e3bf96df9cd575c4f9cb327951b8cdfe4087168"); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, salt->length, salt->data, msg->length, msg->data, expected); mpz_set_str(expected, "b281ad934b2775c0cba5fb10aa574d2ed85c7f99b942b78e497024" "80069362ed394baded55e56cfcbe7b0b8d2217a05a60e1acd725cb" "09060dfac585bc2132b99b41cdbd530c69d17cdbc84bc6b9830fc7" "dc8e1b2412cfe06dcf8c1a0cc3453f93f25ebf10cb0c90334fac57" "3f449138616e1a194c67f44efac34cc07a526267", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha384_sign_digest_tr, rsa_pss_sha384_verify_digest, &sha384ctx, &nettle_sha384, salt->length, salt->data, msg->length, msg->data, expected); mpz_set_str(expected, "8ffc38f9b820ef6b080fd2ec7de5626c658d79056f3edf610a295b" "7b0546f73e01ffdf4d0070ebf79c33fd86c2d608be9438b3d420d0" "9535b97cd3d846ecaf8f6551cdf93197e9f8fb048044473ab41a80" "1e9f7fc983c62b324361dade9f71a65952bd35c59faaa4d6ff462f" "68a6c4ec0b428aa47336f2178aeb276136563b7d", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha512_sign_digest_tr, rsa_pss_sha512_verify_digest, &sha512ctx, &nettle_sha512, salt->length, salt->data, msg->length, msg->data, expected); /* The public key n for this test is of size k = 1017 bits, and the pss "em" value is limited to k - 1 = 1016 bits or 127 octets. The alleged signature below results in a 1017 bit number during the signature verification, which is too large, and used to result in an assertion failure when attempting to convert the number to a 127 octet string. */ mpz_set_str(pub.n, "1d64559685aad3490e976b48aacf442ecee847268f882341eafe78" "a0ca4ef88f66edbaf55b70e5285cc117aa9ceb322a4227c17e9e89" "27bf38e5672faecf79e2983d92766fbb6624522f072ae0e4e46d37" "052ce1e5745c2dd8fd67de3862e4711161e359b96bda85911ebf4e" "6ce1bea625970269c77004a3cb03f9c382c5f79", 16); mpz_set_str(pub.e, "10001", 16); ASSERT (rsa_public_key_prepare(&pub)); msg = SHEX("7f85e4909ff7bb29536e540a53031ef03ddcb129e553a43273fa1f" "ed28c22a8b57c7bde101ff746f335ba69b29642019"); /* Alleged signature, resulting in a too large m. */ mpz_set_str(expected, "000000000000000000000000000000000000000000000000000000" "000000000000000000000000000000000000000000000005ffff05" "000000000000000000000000000000000000000000000000000000" "000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000", 16); ASSERT(!rsa_pss_sha384_verify_digest(&pub, 48, msg->data, expected)); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.4.1/testsuite/ecc-redc-test.c0000644000175000017500000000503013401564746016665 0ustar nissenisse#include "testutils.h" static void ref_redc (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { mpz_t t; mpz_t m, a; mp_size_t an; mpz_init (t); mpz_setbit (t, mn * GMP_NUMB_BITS); mpz_roinit_n (m, mp, mn); an = 2*mn; while (an > 0 && ap[an-1] == 0) an--; mpz_roinit_n (a, ap, an); mpz_invert (t, t, m); mpz_mul (t, t, a); mpz_mod (t, t, m); mpz_limbs_copy (rp, t, mn); mpz_clear (t); } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 50000 void test_main (void) { gmp_randstate_t rands; mp_limb_t a[MAX_SIZE]; mp_limb_t m[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; unsigned i; mpz_t r; gmp_randinit_default (rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; unsigned j; for (j = 0; j < COUNT; j++) { if (j & 1) mpz_rrandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); mpz_limbs_copy (a, r, 2*ecc->p.size); ref_redc (ref, a, ecc->p.m, ecc->p.size); if (ecc->p.reduce != ecc->p.mod) { mpn_copyi (m, a, 2*ecc->p.size); ecc->p.reduce (&ecc->p, m); if (mpn_cmp (m, ecc->p.m, ecc->p.size) >= 0) mpn_sub_n (m, m, ecc->p.m, ecc->p.size); if (mpn_cmp (m, ref, ecc->p.size)) { fprintf (stderr, "ecc->p.reduce failed: bit_size = %u\n", ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } } if (ecc->p.redc_size != 0) { mpn_copyi (m, a, 2*ecc->p.size); if (ecc->p.m[0] == 1) ecc_pm1_redc (&ecc->p, m); else ecc_pp1_redc (&ecc->p, m); if (mpn_cmp (m, ecc->p.m, ecc->p.size) >= 0) mpn_sub_n (m, m, ecc->p.m, ecc->p.size); if (mpn_cmp (m, ref, ecc->p.size)) { fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n", (ecc->p.m[0] == 1) ? 'm' : 'p', ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } } } } mpz_clear (r); gmp_randclear (rands); } nettle-3.4.1/testsuite/camellia-test.c0000644000175000017500000000662113401564746016776 0ustar nissenisse#include "testutils.h" #include "camellia.h" static void test_invert(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length); if (key->length == 16) { struct camellia128_ctx encrypt; struct camellia128_ctx decrypt; camellia128_set_encrypt_key (&encrypt, key->data); camellia128_crypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fail_encrypt: tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } camellia128_invert_key (&decrypt, &encrypt); camellia128_crypt (&decrypt, length, data, data); } else { struct camellia256_ctx encrypt; struct camellia256_ctx decrypt; if (key->length == 24) camellia192_set_encrypt_key (&encrypt, key->data); else if (key->length == 32) camellia256_set_encrypt_key (&encrypt, key->data); else abort (); camellia256_crypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) goto fail_encrypt; camellia256_invert_key (&decrypt, &encrypt); camellia256_crypt (&decrypt, length, data, data); } if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "test_invert: Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free (data); } void test_main(void) { /* Test vectors from RFC 3713 */ /* 128 bit keys */ test_cipher(&nettle_camellia128, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43")); /* 192 bit keys */ test_cipher(&nettle_camellia192, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9")); /* 256 bit keys */ test_cipher(&nettle_camellia256, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09")); /* Test camellia_invert_key with src != dst */ test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43")); test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9")); test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09")); } nettle-3.4.1/testsuite/nettle-pbkdf2-test0000755000175000017500000000134213401564746017445 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi test_pbkdf2 () { password="$1" salt="$2" iters="$3" expected="$4" # Relies on division rounding down; breaks if # $expected contains more than one space. length=`expr "$expected" : '.*' / 2` # Delete carriage return characters, needed when testing with # wine. printf "%s" "$password" | $EMULATOR ../tools/nettle-pbkdf2 \ -i "$iters" -l "$length" "$salt" | tr -d '\r' > test1.out echo "$expected" | tr -d '\r' > test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_pbkdf2 passwd salt 1 "55ac046e56e3089f ec1691c22544b605" test_pbkdf2 Password NaCl 80000 "4ddcd8f60b98be21 830cee5ef22701f9" exit 0 nettle-3.4.1/testsuite/sha3-permute-test.c0000644000175000017500000000416213401564746017542 0ustar nissenisse#include "testutils.h" #include "sha3.h" static void display (const struct sha3_state *state) { unsigned x, y; for (x = 0; x < 5; x++) { for (y = 0; y < 5; y++) /* Is there a simple and *portable* way to print uint64_t? */ printf ("%8lx%08lx ", (unsigned long) (state->a[x +5*y] >> 32), (unsigned long) (state->a[x+5*y] & 0xffffffff)); printf("\n"); } } void test_main(void) { /* From KeccakPermutationIntermediateValues.txt */ static const struct sha3_state s1 = { { 0xF1258F7940E1DDE7ULL, 0x84D5CCF933C0478AULL, 0xD598261EA65AA9EEULL, 0xBD1547306F80494DULL, 0x8B284E056253D057ULL, 0xFF97A42D7F8E6FD4ULL, 0x90FEE5A0A44647C4ULL, 0x8C5BDA0CD6192E76ULL, 0xAD30A6F71B19059CULL, 0x30935AB7D08FFC64ULL, 0xEB5AA93F2317D635ULL, 0xA9A6E6260D712103ULL, 0x81A57C16DBCF555FULL, 0x43B831CD0347C826ULL, 0x01F22F1A11A5569FULL, 0x05E5635A21D9AE61ULL, 0x64BEFEF28CC970F2ULL, 0x613670957BC46611ULL, 0xB87C5A554FD00ECBULL, 0x8C3EE88A1CCF32C8ULL, 0x940C7922AE3A2614ULL, 0x1841F924A2C509E4ULL, 0x16F53526E70465C2ULL, 0x75F644E97F30A13BULL, 0xEAF1FF7B5CECA249ULL, } }; static const struct sha3_state s2 = { { 0x2D5C954DF96ECB3CULL, 0x6A332CD07057B56DULL, 0x093D8D1270D76B6CULL, 0x8A20D9B25569D094ULL, 0x4F9C4F99E5E7F156ULL, 0xF957B9A2DA65FB38ULL, 0x85773DAE1275AF0DULL, 0xFAF4F247C3D810F7ULL, 0x1F1B9EE6F79A8759ULL, 0xE4FECC0FEE98B425ULL, 0x68CE61B6B9CE68A1ULL, 0xDEEA66C4BA8F974FULL, 0x33C43D836EAFB1F5ULL, 0xE00654042719DBD9ULL, 0x7CF8A9F009831265ULL, 0xFD5449A6BF174743ULL, 0x97DDAD33D8994B40ULL, 0x48EAD5FC5D0BE774ULL, 0xE3B8C8EE55B7B03CULL, 0x91A0226E649E42E9ULL, 0x900E3129E7BADD7BULL, 0x202A9EC5FAA3CCE8ULL, 0x5B3402464E1C3DB6ULL, 0x609F4E62A44C1059ULL, 0x20D06CD26A8FBF5CULL, } }; struct sha3_state state; memset (&state, 0, sizeof(state)); sha3_permute (&state); if (!MEMEQ (sizeof(state), &state.a, &s1)) { printf("Got:\n"); display (&state); printf("Ref:\n"); display (&s1); FAIL(); } sha3_permute (&state); if (!MEMEQ (sizeof(state), &state.a, &s2)) { printf("Got:\n"); display (&state); printf("Ref:\n"); display (&s2); FAIL(); } } nettle-3.4.1/testsuite/ecdsa-sign-test.c0000644000175000017500000001256113401564746017244 0ustar nissenisse#include "testutils.h" static void test_ecdsa (const struct ecc_curve *ecc, /* Private key */ const char *sz, /* Random nonce */ const char *sk, /* Hash */ const struct tstring *h, /* Expected signature */ const char *r, const char *s) { struct dsa_signature ref; mpz_t z; mpz_t k; mp_limb_t *rp = xalloc_limbs (ecc->p.size); mp_limb_t *sp = xalloc_limbs (ecc->p.size); mp_limb_t *scratch = xalloc_limbs (ecc_ecdsa_sign_itch (ecc)); dsa_signature_init (&ref); mpz_init_set_str (z, sz, 16); mpz_init_set_str (k, sk, 16); ecc_ecdsa_sign (ecc, mpz_limbs_read_n (z, ecc->p.size), mpz_limbs_read_n (k, ecc->p.size), h->length, h->data, rp, sp, scratch); mpz_set_str (ref.r, r, 16); mpz_set_str (ref.s, s, 16); if (mpz_limbs_cmp (ref.r, rp, ecc->p.size) != 0 || mpz_limbs_cmp (ref.s, sp, ecc->p.size) != 0) { fprintf (stderr, "_ecdsa_sign failed, bit_size = %u\n", ecc->p.bit_size); fprintf (stderr, "r = "); write_mpn (stderr, 16, rp, ecc->p.size); fprintf (stderr, "\ns = "); write_mpn (stderr, 16, sp, ecc->p.size); fprintf (stderr, "\nref.r = "); mpz_out_str (stderr, 16, ref.r); fprintf (stderr, "\nref.s = "); mpz_out_str (stderr, 16, ref.s); fprintf (stderr, "\n"); abort(); } free (rp); free (sp); free (scratch); dsa_signature_clear (&ref); mpz_clear (k); mpz_clear (z); } void test_main (void) { /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */ test_ecdsa (&nettle_secp_192r1, "DC51D3866A15BACDE33D96F992FCA99D" "A7E6EF0934E70975", /* z */ "9E56F509196784D963D1C0A401510EE7" "ADA3DCC5DEE04B15", /* k */ SHEX("BA7816BF8F01CFEA414140DE5DAE2223" "B00361A396177A9C"), /* h */ "8c478db6a5c131540cebc739f9c0a9a8" "c720c2abdd14a891", /* r */ "a91fb738f9f175d72f9c98527e881c36" "8de68cb55ffe589"); /* s */ test_ecdsa (&nettle_secp_224r1, "446df0a771ed58403ca9cb316e617f6b" "158420465d00a69601e22858", /* z */ "4c13f1905ad7eb201178bc08e0c9267b" "4751c15d5e1831ca214c33f4", /* z */ SHEX("1b28a611fe62ab3649350525d06703ba" "4b979a1e543566fd5caa85c6"), /* h */ "2cc280778f3d067df6d3adbe3a6aad63" "bc75f08f5c5f915411902a99", /* r */ "d0f069fd0f108eb07b7bbc54c8d6c88d" "f2715c38a95c31a2b486995f"); /* s */ /* From RFC 4754 */ test_ecdsa (&nettle_secp_256r1, "DC51D386 6A15BACD E33D96F9 92FCA99D" "A7E6EF09 34E70975 59C27F16 14C88A7F", /* z */ "9E56F509 196784D9 63D1C0A4 01510EE7" "ADA3DCC5 DEE04B15 4BF61AF1 D5A6DECE", /* k */ SHEX("BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"), /* h */ "CB28E099 9B9C7715 FD0A80D8 E47A7707" "9716CBBF 917DD72E 97566EA1 C066957C", /* r */ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ test_ecdsa (&nettle_secp_384r1, "0BEB6466 34BA8773 5D77AE48 09A0EBEA" "865535DE 4C1E1DCB 692E8470 8E81A5AF" "62E528C3 8B2A81B3 5309668D 73524D9F", /* z */ "B4B74E44 D71A13D5 68003D74 89908D56" "4C7761E2 29C58CBF A1895009 6EB7463B" "854D7FA9 92F934D9 27376285 E63414FA", /* k */ SHEX("CB00753F 45A35E8B B5A03D69 9AC65007" "272C32AB 0EDED163 1A8B605A 43FF5BED" "8086072B A1E7CC23 58BAECA1 34C825A7"), /* h */ "FB017B91 4E291494 32D8BAC2 9A514640" "B46F53DD AB2C6994 8084E293 0F1C8F7E" "08E07C9C 63F2D21A 07DCB56A 6AF56EB3", /* r */ "B263A130 5E057F98 4D38726A 1B468741" "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ test_ecdsa (&nettle_secp_521r1, "0065FDA3 409451DC AB0A0EAD 45495112" "A3D813C1 7BFD34BD F8C1209D 7DF58491" "20597779 060A7FF9 D704ADF7 8B570FFA" "D6F062E9 5C7E0C5D 5481C5B1 53B48B37" "5FA1", /* z */ "00C1C2B3 05419F5A 41344D7E 4359933D" "734096F5 56197A9B 244342B8 B62F46F9" "373778F9 DE6B6497 B1EF825F F24F42F9" "B4A4BD73 82CFC337 8A540B1B 7F0C1B95" "6C2F", /* k */ SHEX("DDAF35A1 93617ABA CC417349 AE204131" "12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A" "2192992A 274FC1A8 36BA3C23 A3FEEBBD" "454D4423 643CE80E 2A9AC94F A54CA49F"), /* h */ "0154FD38 36AF92D0 DCA57DD5 341D3053" "988534FD E8318FC6 AAAAB68E 2E6F4339" "B19F2F28 1A7E0B22 C269D93C F8794A92" "78880ED7 DBB8D936 2CAEACEE 54432055" "2251", /* r */ "017705A7 030290D1 CEB605A9 A1BB03FF" "9CDD521E 87A696EC 926C8C10 C8362DF4" "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ /* Non-standard ecdsa using curve25519. Not interop-tested with anything else. */ test_ecdsa (&_nettle_curve25519, "1db511101b8fd16f e0212c5679ef53f3" "323bde77f9efa442 617314d576d1dbcb", /* z */ "aa2fa8facfdc3a99 ec466d41a2c9211c" "e62e1706f54037ff 8486e26153b0fa79", /* k */ SHEX("e99df2a098c3c590 ea1e1db6d9547339" "ae760d5331496119 5d967fd881e3b0f5"), /* h */ " 515c3a485f57432 0daf3353a0d08110" "64157c556296de09 4132f74865961b37", /* r */ " 78f23367291b01 3fc430fb09322d95" "4384723649868d8e 88effc7ac8b141d7"); /* s */ } nettle-3.4.1/testsuite/bignum-test.c0000644000175000017500000000403513401564746016505 0ustar nissenisse#include "testutils.h" #if HAVE_CONFIG_H #include "config.h" #endif #include #include #if WITH_HOGWEED #include "bignum.h" static void test_bignum(const char *hex, const struct tstring *base256) { mpz_t a; mpz_t b; uint8_t *buf; mpz_init_set_str(a, hex, 16); nettle_mpz_init_set_str_256_s(b, base256->length, base256->data); ASSERT(mpz_cmp(a, b) == 0); buf = xalloc(base256->length + 1); memset(buf, 17, base256->length + 1); nettle_mpz_get_str_256(base256->length, buf, a); ASSERT(MEMEQ(base256->length, buf, base256->data)); ASSERT(buf[base256->length] == 17); mpz_clear(a); mpz_clear(b); free(buf); } static void test_size(long x, unsigned size) { mpz_t t; mpz_init_set_si(t, x); ASSERT(nettle_mpz_sizeinbase_256_s(t) == size); mpz_clear(t); } #endif /* WITH_HOGWEED */ void test_main(void) { #if WITH_HOGWEED test_size(0, 1); test_size(1, 1); test_size(0x7f, 1); test_size(0x80, 2); test_size(0x81, 2); test_size(0xff, 2); test_size(0x100, 2); test_size(0x101, 2); test_size(0x1111, 2); test_size(0x7fff, 2); test_size(0x8000, 3); test_size(0x8001, 3); test_size(- 1, 1); /* ff */ test_size(- 0x7f, 1); /* 81 */ test_size(- 0x80, 1); /* 80 */ test_size(- 0x81, 2); /* ff7f */ test_size(- 0xff, 2); /* ff01 */ test_size(- 0x100, 2); /* ff00 */ test_size(- 0x101, 2); /* feff */ test_size(- 0x1111, 2); /* eeef */ test_size(- 0x7fff, 2); /* 8001 */ test_size(- 0x8000, 2); /* 8000 */ test_size(- 0x8001, 3); /* ff7fff */ test_bignum("0", SHEX("00")); test_bignum("010203040506", SHEX("010203040506")); test_bignum("80010203040506", SHEX("0080010203040506")); test_bignum( "-1", SHEX( "ff")); test_bignum( "-7f", SHEX( "81")); test_bignum( "-80", SHEX( "80")); test_bignum( "-81", SHEX( "ff7f")); test_bignum("-7fff", SHEX( "8001")); test_bignum("-8000", SHEX( "8000")); test_bignum("-8001", SHEX("ff7fff")); #else /* !WITH_HOGWEED */ SKIP(); #endif /* !WITH_HOGWEED */ } nettle-3.4.1/testsuite/pkcs1-sec-decrypt-test.c0000644000175000017500000000444513401564746020472 0ustar nissenisse#include "testutils.h" #include "rsa.h" #include "rsa-internal.h" #if HAVE_VALGRIND_MEMCHECK_H # include static int pkcs1_decrypt_for_test(size_t msg_len, uint8_t *msg, size_t pad_len, uint8_t *pad) { int ret; VALGRIND_MAKE_MEM_UNDEFINED (msg, msg_len); VALGRIND_MAKE_MEM_UNDEFINED (pad, pad_len); ret = _pkcs1_sec_decrypt (msg_len, msg, pad_len, pad); VALGRIND_MAKE_MEM_DEFINED (msg, msg_len); VALGRIND_MAKE_MEM_DEFINED (pad, pad_len); VALGRIND_MAKE_MEM_DEFINED (&ret, sizeof (ret)); return ret; } #else #define pkcs1_decrypt_for_test _pkcs1_sec_decrypt #endif void test_main(void) { uint8_t pad[128]; uint8_t buffer[] = "\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x00\x53\x49\x47\x4e\x45\x44\x20\x4d\x45\x53\x53\x41\x47\x45\x2e"; uint8_t message[15]; memcpy(pad, buffer, 128); memset (message, 'A', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 1); ASSERT (memcmp (message, "SIGNED MESSAGE.", 15) == 0); /* break format byte 1 */ memcpy(pad, buffer, 128); pad[0] = 1; memset (message, 'B', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "BBBBBBBBBBBBBBB", 15) == 0); /* break format byte 2 */ memcpy(pad, buffer, 128); pad[1] = 1; memset (message, 'C', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "CCCCCCCCCCCCCCC", 15) == 0); /* break padding */ memcpy(pad, buffer, 128); pad[24] = 0; memset (message, 'D', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "DDDDDDDDDDDDDDD", 15) == 0); /* break terminator */ memcpy(pad, buffer, 128); pad[112] = 1; memset (message, 'E', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "EEEEEEEEEEEEEEE", 15) == 0); } nettle-3.4.1/testsuite/base64-test.c0000644000175000017500000001071013401564746016305 0ustar nissenisse#include "testutils.h" #include "base64.h" #include "knuth-lfib.h" static void test_fuzz_once(struct base64_encode_ctx *encode, struct base64_decode_ctx *decode, size_t size, const uint8_t *input) { size_t base64_len = BASE64_ENCODE_RAW_LENGTH (size); size_t out_len; char *base64 = xalloc (base64_len + 2); uint8_t *decoded = xalloc (size + 2); *base64++ = 0x12; base64[base64_len] = 0x34; *decoded++ = 0x56; decoded[size] = 0x78; out_len = base64_encode_update(encode, base64, size, input); ASSERT (out_len <= base64_len); out_len += base64_encode_final(encode, base64 + out_len); ASSERT (out_len == base64_len); ASSERT (base64[-1] == 0x12); ASSERT (base64[base64_len] == 0x34); ASSERT(base64_decode_update(decode, &out_len, decoded, base64_len, base64)); ASSERT(base64_decode_final(decode)); ASSERT (out_len == size); ASSERT (decoded[-1] == 0x56); ASSERT (decoded[size] == 0x78); ASSERT(MEMEQ(size, input, decoded)); free (base64 - 1); free (decoded - 1); } static void test_fuzz(void) { /* Fuzz a round-trip through both encoder and decoder */ struct base64_encode_ctx encode; struct base64_decode_ctx decode; unsigned i; size_t length; uint8_t input[1024]; struct knuth_lfib_ctx rand_ctx; knuth_lfib_init(&rand_ctx, 39854); for (i = 0; i < 10000; i++) { length = i % sizeof(input); /* length could be 0, which is fine we need to test that case too */ knuth_lfib_random(&rand_ctx, length, input); base64_encode_init(&encode); base64_decode_init(&decode); test_fuzz_once(&encode, &decode, length, input); base64url_encode_init(&encode); base64url_decode_init(&decode); test_fuzz_once(&encode, &decode, length, input); } } static inline void base64_encode_in_place (size_t length, uint8_t *data) { base64_encode_raw ((char *) data, length, data); } static inline int base64_decode_in_place (struct base64_decode_ctx *ctx, size_t *dst_length, size_t length, uint8_t *data) { return base64_decode_update (ctx, dst_length, data, length, (const char *) data); } void test_main(void) { ASSERT(BASE64_ENCODE_LENGTH(0) == 0); /* At most 4 bits */ ASSERT(BASE64_ENCODE_LENGTH(1) == 2); /* At most 12 bits */ ASSERT(BASE64_ENCODE_LENGTH(2) == 3); /* At most 20 bits */ ASSERT(BASE64_ENCODE_LENGTH(3) == 4); /* At most 28 bits */ ASSERT(BASE64_ENCODE_LENGTH(4) == 6); /* At most 36 bits */ ASSERT(BASE64_ENCODE_LENGTH(5) == 7); /* At most 44 bits */ ASSERT(BASE64_ENCODE_LENGTH(12) == 16); /* At most 100 bits */ ASSERT(BASE64_ENCODE_LENGTH(13) == 18); /* At most 108 bits */ ASSERT(BASE64_DECODE_LENGTH(0) == 0); /* At most 6 bits */ ASSERT(BASE64_DECODE_LENGTH(1) == 1); /* At most 12 bits */ ASSERT(BASE64_DECODE_LENGTH(2) == 2); /* At most 18 bits */ ASSERT(BASE64_DECODE_LENGTH(3) == 3); /* At most 24 bits */ ASSERT(BASE64_DECODE_LENGTH(4) == 3); /* At most 30 bits */ test_armor(&nettle_base64, LDATA(""), ""); test_armor(&nettle_base64, LDATA("H"), "SA=="); test_armor(&nettle_base64, LDATA("He"), "SGU="); test_armor(&nettle_base64, LDATA("Hel"), "SGVs"); test_armor(&nettle_base64, LDATA("Hell"), "SGVsbA=="); test_armor(&nettle_base64, LDATA("Hello"), "SGVsbG8="); test_armor(&nettle_base64, LDATA("Hello\0"), "SGVsbG8A"); test_armor(&nettle_base64, LDATA("Hello?>>>"), "SGVsbG8/Pj4+"); test_armor(&nettle_base64, LDATA("\xff\xff\xff\xff"), "/////w=="); test_armor(&nettle_base64url, LDATA(""), ""); test_armor(&nettle_base64url, LDATA("H"), "SA=="); test_armor(&nettle_base64url, LDATA("He"), "SGU="); test_armor(&nettle_base64url, LDATA("Hel"), "SGVs"); test_armor(&nettle_base64url, LDATA("Hell"), "SGVsbA=="); test_armor(&nettle_base64url, LDATA("Hello"), "SGVsbG8="); test_armor(&nettle_base64url, LDATA("Hello\0"), "SGVsbG8A"); test_armor(&nettle_base64url, LDATA("Hello?>>>"), "SGVsbG8_Pj4-"); test_armor(&nettle_base64url, LDATA("\xff\xff\xff\xff"), "_____w=="); { /* Test overlapping areas */ uint8_t buffer[] = "Helloxxxx"; struct base64_decode_ctx ctx; size_t dst_length; ASSERT(BASE64_ENCODE_RAW_LENGTH(5) == 8); base64_encode_in_place(5, buffer); ASSERT(MEMEQ(9, buffer, "SGVsbG8=x")); base64_decode_init(&ctx); dst_length = 0; /* Output parameter only. */ ASSERT(base64_decode_in_place(&ctx, &dst_length, 8, buffer)); ASSERT(dst_length == 5); ASSERT(MEMEQ(9, buffer, "HelloG8=x")); } test_fuzz (); } nettle-3.4.1/testsuite/base16-test.c0000644000175000017500000000140713401564746016305 0ustar nissenisse#include "testutils.h" #include "base16.h" void test_main(void) { ASSERT(BASE16_ENCODE_LENGTH(0) == 0); ASSERT(BASE16_ENCODE_LENGTH(1) == 2); ASSERT(BASE16_ENCODE_LENGTH(2) == 4); ASSERT(BASE16_DECODE_LENGTH(0) == 0); ASSERT(BASE16_DECODE_LENGTH(1) == 1); ASSERT(BASE16_DECODE_LENGTH(2) == 1); ASSERT(BASE16_DECODE_LENGTH(3) == 2); ASSERT(BASE16_DECODE_LENGTH(4) == 2); test_armor(&nettle_base16, LDATA(""), ""); test_armor(&nettle_base16, LDATA("H"), "48"); test_armor(&nettle_base16, LDATA("He"), "4865"); test_armor(&nettle_base16, LDATA("Hel"), "48656c"); test_armor(&nettle_base16, LDATA("Hell"), "48656c6c"); test_armor(&nettle_base16, LDATA("Hello"), "48656c6c6f"); test_armor(&nettle_base16, LDATA("Hello\0"), "48656c6c6f00"); } nettle-3.4.1/testsuite/chacha-poly1305-test.c0000644000175000017500000000213213401564746017721 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" void test_main(void) { /* From draft-irtf-cfrg-chacha20-poly1305-08 */ test_aead (&nettle_chacha_poly1305, NULL, SHEX("8081828384858687 88898a8b8c8d8e8f" "9091929394959697 98999a9b9c9d9e9f"), SHEX("50515253c0c1c2c3 c4c5c6c7"), SHEX("4c61646965732061 6e642047656e746c" "656d656e206f6620 74686520636c6173" "73206f6620273939 3a20496620492063" "6f756c64206f6666 657220796f75206f" "6e6c79206f6e6520 74697020666f7220" "7468652066757475 72652c2073756e73" "637265656e20776f 756c642062652069" "742e"), SHEX("d31a8d34648e60db7b86afbc53ef7ec2" "a4aded51296e08fea9e2b5a736ee62d6" "3dbea45e8ca9671282fafb69da92728b" "1a71de0a9e060b2905d6a5b67ecd3b36" "92ddbd7f2d778b8c9803aee328091b58" "fab324e4fad675945585808b4831d7bc" "3ff4def08e4b7a9de576d26586cec64b" "6116"), /* The draft splits the nonce into a "common part" and an iv, and it seams the "common part" is the first 4 bytes. */ SHEX("0700000040414243 44454647"), SHEX("1ae10b594f09e26a 7e902ecbd0600691")); } nettle-3.4.1/testsuite/arcfour-test.c0000644000175000017500000001144113401564746016664 0ustar nissenisse#include "testutils.h" #include "arcfour.h" static void test_arcfour(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { size_t block; struct arcfour_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; memset(data, 0x17, length + 1); arcfour_set_key(&ctx, key->length, key->data); for (i = 0; i + block < length; i += block) { arcfour_crypt(&ctx, block, data + i, cleartext->data + i); ASSERT (data[i + block] == 0x17); } arcfour_crypt(&ctx, length - i, data + i, cleartext->data + i); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed, block size %lu\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } arcfour_set_key(&ctx, key->length, key->data); arcfour_crypt(&ctx, length, data, data); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { test_arcfour(SHEX("01234567 89ABCDEF 00000000 00000000"), SHEX("01234567 89ABCDEF"), SHEX("69723659 1B5242B1")); /* More data. This ensures that we get some collisions between the S accesses at index i,j and the access at si + sj. I.e. the cases where the ordering of loads and stores matter. */ test_arcfour(SHEX("aaaaaaaa bbbbbbbb cccccccc dddddddd"), SHEX("00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("a2b35dc7 bf95ae1e 1c432d15 f4fb8c1c" "f264e1d0 bd090831 6caa7d17 5401ae67" "3cfbd140 fd3dee42 1012d674 2fb69fa3" "6522631e bb3d4703 535de1ce 4a81ddce" "5780cfe0 b5fc9fae ebe14c96 26451bd9" "992f2204 119cbe37 cbdc453c 7afa08c7" "1380ccf8 48f81e53 a535cdfb 96c64faa" "c3f759d0 fa1ff920 008d95cf 39d52324" "d0aac3f9 749b22e2 6a065145 06fb249d" "ffb8e05e cb0381fe 5346a04a 63dac61c" "10b6683e 3ab427de d4c6bc60 6366545e" "77d0e121 96037717 a745d49e e72a70aa" "a50a612d 879b0580 fd4a89ae 3ee49871" "2cf6c98d a62dfbc7 d7b2d901 2c3aaf27" "42b7e089 ef2466ac 450b440c 138daa1a" "cf9ebef6 f66a7a64 2677b213 06640130" "de6651df 0065180d 4db366ba 9c377712" "53d21cac 82ed72a4 c6c4d81e 4375fea3" "1f935909 95322c83 13c64d8e 829c93a6" "d540a1b3 20f41541 96800888 1a7afc9b" "e39e89fc 3ac78be5 cdbbf774 33c36863" "da2a3b1b d06e54a9 aa4b7edd 70b34941" "b886f7db f36c3def f9fc4c80 7ce55ea5" "98a7257b f68a9e1d caf4bfd6 43bd9853" "c966629d 54e34221 6e140780 d48c69bb" "5e77e886 86f2ebcb 807732d5 d29bc384" "a4ca1c31 c7c1b5b9 85dbfcf1 8d845905" "a0ff487a b4a3f252 a75caebf 857ba48b" "613e3067 92cada3e 0e07f599 2f4794f3" "af01f15a 491732fb 22aa09a3 d2e1e408" "fe94bdb4 993c68b1 1bb79eb1 bb7ec446" "760ef7bf 2caa8713 479760e5 a6e143cd")); } nettle-3.4.1/testsuite/salsa20-test.c0000644000175000017500000003151713401564746016476 0ustar nissenisse#include "testutils.h" #include "salsa20.h" #include "memxor.h" static int memzero_p (const uint8_t *p, size_t n) { size_t i; for (i = 0; i < n; i++) if (p[i]) return 0; return 1; } /* The ecrypt testcases encrypt 512 zero bytes (8 blocks), then give the xor of all blocks, and the data for block 0 (0-63), 3,4 (192-319), 7 (448-511) */ #define STREAM_LENGTH 512 static void test_salsa20_stream(const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext, const struct tstring *xor_ref) { struct salsa20_ctx ctx; uint8_t data[STREAM_LENGTH + 1]; uint8_t stream[STREAM_LENGTH + 1]; uint8_t xor[SALSA20_BLOCK_SIZE]; size_t j; ASSERT (iv->length == SALSA20_IV_SIZE); ASSERT (ciphertext->length == 4*SALSA20_BLOCK_SIZE); ASSERT (xor_ref->length == SALSA20_BLOCK_SIZE); salsa20_set_key(&ctx, key->length, key->data); salsa20_set_iv(&ctx, iv->data); memset(stream, 0, STREAM_LENGTH + 1); salsa20_crypt(&ctx, STREAM_LENGTH, stream, stream); if (stream[STREAM_LENGTH]) { fprintf(stderr, "Stream of %d bytes wrote too much!\n", STREAM_LENGTH); FAIL(); } if (!MEMEQ (64, stream, ciphertext->data)) { fprintf(stderr, "Error failed, offset 0:\n"); fprintf(stderr, "\nOutput: "); print_hex(64, stream); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ (128, stream + 192, ciphertext->data + 64)) { fprintf(stderr, "Error failed, offset 192:\n"); fprintf(stderr, "\nOutput: "); print_hex(128, stream + 192); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data + 64); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ (64, stream + 448, ciphertext->data + 192)) { fprintf(stderr, "Error failed, offset 448:\n"); fprintf(stderr, "\nOutput: "); print_hex(64, stream + 448); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data + 192); fprintf(stderr, "\n"); FAIL(); } memxor3 (xor, stream, stream + SALSA20_BLOCK_SIZE, SALSA20_BLOCK_SIZE); for (j = 2*SALSA20_BLOCK_SIZE; j < STREAM_LENGTH; j += SALSA20_BLOCK_SIZE) memxor (xor, stream + j, SALSA20_BLOCK_SIZE); if (!MEMEQ (SALSA20_BLOCK_SIZE, xor, xor_ref->data)) { fprintf(stderr, "Error failed, bad xor 448:\n"); fprintf(stderr, "\nOutput: "); print_hex(SALSA20_BLOCK_SIZE, xor); fprintf(stderr, "\nExpected:"); print_hex(SALSA20_BLOCK_SIZE, xor_ref->data); fprintf(stderr, "\n"); FAIL(); } for (j = 1; j <= STREAM_LENGTH; j++) { memset(data, 0, STREAM_LENGTH + 1); salsa20_set_iv(&ctx, iv->data); salsa20_crypt(&ctx, j, data, data); if (!MEMEQ(j, data, stream)) { fprintf(stderr, "Encrypt failed for length %lu:\n", (unsigned long) j); fprintf(stderr, "\nOutput: "); print_hex(j, data); fprintf(stderr, "\nExpected:"); print_hex(j, stream); fprintf(stderr, "\n"); FAIL(); } if (!memzero_p (data + j, STREAM_LENGTH + 1 - j)) { fprintf(stderr, "Encrypt failed for length %lu, wrote too much:\n", (unsigned long) j); fprintf(stderr, "\nOutput: "); print_hex(STREAM_LENGTH + 1 - j, data + j); fprintf(stderr, "\n"); FAIL(); } } } typedef void salsa20_func(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); static void _test_salsa20(salsa20_func *crypt, const struct tstring *key, const struct tstring *iv, const struct tstring *cleartext, const struct tstring *ciphertext) { struct salsa20_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (iv->length == SALSA20_IV_SIZE); data = xalloc(length + 1); salsa20_set_key(&ctx, key->length, key->data); salsa20_set_iv(&ctx, iv->data); data[length] = 17; crypt(&ctx, length, data, cleartext->data); if (data[length] != 17) { fprintf(stderr, "Encrypt of %lu bytes wrote too much!\nInput:", (unsigned long) length); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } salsa20_set_key(&ctx, key->length, key->data); salsa20_set_iv(&ctx, iv->data); crypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } #define test_salsa20(key, iv, cleartext, ciphertext) \ _test_salsa20 (salsa20_crypt, (key), (iv), (cleartext), (ciphertext)) #define test_salsa20r12(key, iv, cleartext, ciphertext) \ _test_salsa20 (salsa20r12_crypt, (key), (iv), (cleartext), (ciphertext)) void test_main(void) { /* http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/reduced/12-rounds/verified.test-vectors?logsort=rev&rev=210&view=markup */ test_salsa20r12(SHEX("80000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("FC207DBF C76C5E17")); test_salsa20r12(SHEX("00400000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("6C11A3F9 5FEC7F48")); test_salsa20r12(SHEX("09090909090909090909090909090909"), SHEX("0000000000000000"), SHEX("00000000 00000000"), SHEX("78E11FC3 33DEDE88")); test_salsa20r12(SHEX("1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("A6747461 1DF551FF")); test_salsa20r12(SHEX("80000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("AFE411ED 1C4E07E4")); test_salsa20r12(SHEX("0053A6F94C9FF24598EB3E91E4378ADD" "3083D6297CCF2275C81B6EC11467BA0D"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("52E20CF8 775AE882")); /* http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/verified.test-vectors?logsort=rev&rev=210&view=markup */ test_salsa20(SHEX("80000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("4DFA5E48 1DA23EA0")); test_salsa20(SHEX("00000000 00000000 00000000 00000000"), SHEX("80000000 00000000"), SHEX("00000000 00000000"), SHEX("B66C1E44 46DD9557")); test_salsa20(SHEX("0053A6F94C9FF24598EB3E91E4378ADD"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("05E1E7BE B697D999")); test_salsa20(SHEX("80000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("E3BE8FDD 8BECA2E3")); test_salsa20(SHEX("00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("80000000 00000000"), SHEX("00000000 00000000"), SHEX("2ABA3DC45B494700")); test_salsa20(SHEX("0053A6F94C9FF24598EB3E91E4378ADD" "3083D6297CCF2275C81B6EC11467BA0D"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("F5FAD53F 79F9DF58")); test_salsa20_stream(SHEX("80000000000000000000000000000000"), SHEX("00000000 00000000"), SHEX("4DFA5E481DA23EA09A31022050859936" "DA52FCEE218005164F267CB65F5CFD7F" "2B4F97E0FF16924A52DF269515110A07" "F9E460BC65EF95DA58F740B7D1DBB0AA" "DA9C1581F429E0A00F7D67E23B730676" "783B262E8EB43A25F55FB90B3E753AEF" "8C6713EC66C51881111593CCB3E8CB8F" "8DE124080501EEEB389C4BCB6977CF95" "7D5789631EB4554400E1E025935DFA7B" "3E9039D61BDC58A8697D36815BF1985C" "EFDF7AE112E5BB81E37ECF0616CE7147" "FC08A93A367E08631F23C03B00A8DA2F" "B375703739DACED4DD4059FD71C3C47F" "C2F9939670FAD4A46066ADCC6A564578" "3308B90FFB72BE04A6B147CBE38CC0C3" "B9267C296A92A7C69873F9F263BE9703"), SHEX("F7A274D268316790A67EC058F45C0F2A" "067A99FCDE6236C0CEF8E056349FE54C" "5F13AC74D2539570FD34FEAB06C57205" "3949B59585742181A5A760223AFA22D4")); test_salsa20_stream(SHEX("48494A4B4C4D4E4F5051525354555657" "58595A5B5C5D5E5F6061626364656667"), SHEX("0000000000000000"), SHEX("53AD3698A011F779AD71030F3EFBEBA0" "A7EE3C55789681B1591EF33A7BE521ED" "68FC36E58F53FFD6E1369B00E390E973" "F656ACB097E0D603BE59A0B8F7975B98" "A04698274C6AC6EC03F66ED3F94C08B7" "9FFDBF2A1610E6F5814905E73AD6D0D2" "8164EEB8450D8ED0BB4B644761B43512" "52DD5DDF00C31E3DABA0BC17691CCFDC" "B826C7F071E796D34E3BFFB3C96E76A1" "209388392806947C7F19B86D379FA3AE" "DFCD19EBF49803DACC6E577E5B97B0F6" "D2036B6624D8196C96FCF02C865D30C1" "B505D41E2C207FA1C0A0E93413DDCFFC" "9BECA8030AFFAC2466E56482DA0EF428" "E63880B5021D3051F18679505A2B9D4F" "9B2C5A2D271D276DE3F51DBEBA934436"), SHEX("7849651A820B1CDFE36D5D6632716534" "E0635EDEFD538122D80870B60FB055DB" "637C7CA2B78B116F83AFF46E40F8F71D" "4CD6D2E1B750D5E011D1DF2E80F7210A")); } /* Intermediate values for the first salsa20 test case. 0: 61707865 80 0 0 0 3120646e 0 0 0 0 79622d36 80 0 0 0 6b206574 1: 50e6ebaf 3093463d f190e454 9032fa35 b83c32b0 7fdf3d47 eff21454 a6bf53f6 59562a33 90327718 9bc1ab3d 49c5665e 4b9c6232 a5b70d82 b1169b3c 8273a766 2: 877140ed bc61b44d 60af1c4e 8a219997 dfa36b55 9dc00f65 e245efc8 ece54d32 72a63aac c0dc93d7 a1cd6536 b3d44ccb 8ebd332b c4022fa0 5d4ff16b 65f222e 3: 26693f1 c7ef1593 549a3a3 9396e54a c899675e 1f815f3 47c648d ebbc01 67f6ac0c d03d4afa 810d422e e7fd3e5b 8cd07539 3eb6917b 54e58e29 ef2c818d 4: 1dff67e3 39538859 717137d4 b935012 f279ff60 26098b57 4cc2cc68 752f0a9c f62fef8b a3028de7 74c726e7 42bbaa73 85d7ae1b 36e9c191 791019b1 82263e6a 5: 5058d8b0 d3e44dcf 10bb47b1 7b673ef0 19f30031 111e4716 ec0295bc 6fd5bf67 12ffc7e4 d8b55c8 170d410 dd715714 dcd50b85 1f2bfff6 bde9be51 dbcb0b76 6: bc9cffbc 33ef9daa 8057f2b9 896b4878 705ae8b d14227c3 64a13629 112fc18c bfe180ad eaf359a0 68467f43 a365bb13 6b1e849 e6cc8032 70e6c3fe cb0a55bb 7: 8d90ced2 54d545b4 85be446e b1632f4f a071ac6a 90e0a919 33e1e736 ca25d574 a2b9cc17 7211ef22 c6d499c3 83fdd462 69a1c02c 4ee14ab4 33c7598 6c536d35 8: 27885144 2d2a552b f3f9bf1b 33ebeb6b 104b8b7a a96110e 9acb26ae 9dba5b23 be384f78 4cdf3afc ef04b59d f0b9a6fe ae50a69b 6c6ea81 f11fe33a 5abcb2ae 9: 3b2388b1 a820e0d9 1f008910 88c73d4e fc306490 8188ba2d d0cae010 9a65a2e4 cf53e73f acec2667 4b870ab0 6cbfe29b 27295feb 2a801ee 16f1c6fe 4f40ae38 10: 6d52785f 5d421f38 d44f5a20 a7ec3b7c c6a5c6cb f2a38eca c45beae 69415ff 93bbc87e cad09b7b c4627081 55276967 3e13c4d8 aa4e20f4 2a485bf2 bcdbfc61 11: 5136a836 dd9db9bc 50366ca5 a65edf75 75bb5d1e 6bd4e822 cb52477c 7323b939 881133b8 38079a5c 14e61ea3 632aa57 ac091b61 fc1c6ca1 7e5fcc1a 329a1938 12: 5e0ca897 175e6c47 7a1e9674 609ad5a ac25229b 49de7bae 370e70c f8bde5e7 21f81ab3 e6130800 9e2a3e8f 70eed5f1 d0fbb239 d78a8ea6 b644390a 2c582e03 13: 99fc90d3 f3e42871 78784440 a5885714 28084a8c 27900f47 e453b985 39b7ca44 81e5dbf 7860f2b0 693f4da0 74c5ce19 5f2d43d a9563322 7bd6f4da 4d2e97f5 14: 25571a99 3197dbee 50a1c7d7 91f0e753 2528837d 56153f81 287f5022 270918e4 42764fa3 fea16e5b 9ec649fe a4e5e669 8734b3d9 6fc1ae8a b79a8a04 af160a85 15: 34b906a6 3f56196a 6b690cbf 6c08907a 60cfba2b 819592a7 3c9b803a 1a3ce6d2 fdfc6af 282cd998 ad20e9ec a0c76a1 772ffdcc ebf39c76 15579a67 dada9ba0 16: 3d87b380 5f9d893a c676cd97 e6d2b4b8 7d6ca34a 1dc97a79 e3de94b bccb03cd 12e2a81b 23b00e62 74d433a6 acedb4cb 6e34fe34 f4c034e4 b3349639 f6ac0473 17: e014e81d 916efb68 d833f0c9 2a0e2be9 a334791f 71573537 d5c5cb06 c8abbb8c 6abb97da 9031d7dc 9bea8440 90030a9c 6c2bdf8a 2649fbf 3a3aeef8 ee0d66c8 18: e9fb1dd3 80e4f86d 2bf2e408 d1809e73 20872c8d d93bc116 9012e00c 1c813d8e 45aa03ae 7136cba6 a6b85fc3 9e2d048a 48013f9e 1f2853d3 854c21d b9cdfb3c 19: 3d47db86 8392cea8 2cf87621 2cff7d58 dea99415 5800a055 e3661354 86701443 cc9d23f 616a0a0b 836c1eb9 6c1e72e7 24cba2f0 54be11a6 6dcb2586 a5663106 20: e6ee81e8 a03ea19d 2002319a 36998550 eefc52da e4e51bb3 b67c264f 7ffd5c5f e0974f2b 4a9216ff 1bc4b21c 70a1095 bc60e4f9 da95ef65 b740f758 3f90765d */ nettle-3.4.1/testsuite/ecc-modinv-test.c0000644000175000017500000000632613401564746017255 0ustar nissenisse#include "testutils.h" static int ref_modinv (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { mpz_t g, s, a, m; int res; mpz_init (g); mpz_init (s); mpz_roinit_n (a, ap, mn); mpz_roinit_n (m, mp, mn); mpz_gcdext (g, s, NULL, a, m); if (mpz_cmp_ui (g, 1) == 0) { if (mpz_sgn (s) < 0) { mpz_add (s, s, m); ASSERT (mpz_sgn (s) > 0); } mpz_limbs_copy (rp, s, mn); res = 1; } else res = 0; mpz_clear (g); mpz_clear (s); return res; } static int zero_p (const struct ecc_modulo *m, const mp_limb_t *xp) { return mpn_zero_p (xp, m->size) || mpn_cmp (xp, m->m, m->size) == 0; } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define COUNT 500 static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m) { mp_limb_t *a; mp_limb_t *ai; mp_limb_t *ref; mp_limb_t *scratch; unsigned j; mpz_t r; mpz_init (r); a = xalloc_limbs (m->size); ai = xalloc_limbs (2*m->size); ref = xalloc_limbs (m->size);; scratch = xalloc_limbs (m->invert_itch); /* Check behaviour for zero input */ mpn_zero (a, m->size); memset (ai, 17, m->size * sizeof(*ai)); m->invert (m, ai, a, scratch); if (!zero_p (m, ai)) { fprintf (stderr, "%s->invert failed for zero input (bit size %u):\n", name, m->bit_size); fprintf (stderr, "p = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\n"); abort (); } /* Check behaviour for a = m */ memset (ai, 17, m->size * sizeof(*ai)); m->invert (m, ai, m->m, scratch); if (!zero_p (m, ai)) { fprintf (stderr, "%s->invert failed for a = p input (bit size %u):\n", name, m->bit_size); fprintf (stderr, "p = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\n"); abort (); } for (j = 0; j < COUNT; j++) { if (j & 1) mpz_rrandomb (r, rands, m->size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, m->size * GMP_NUMB_BITS); mpz_limbs_copy (a, r, m->size); if (!ref_modinv (ref, a, m->m, m->size)) { if (verbose) fprintf (stderr, "Test %u (bit size %u) not invertible mod %s.\n", j, m->bit_size, name); continue; } m->invert (m, ai, a, scratch); if (mpn_cmp (ref, ai, m->size)) { fprintf (stderr, "%s->invert failed (test %u, bit size %u):\n", name, j, m->bit_size); fprintf (stderr, "a = "); mpz_out_str (stderr, 16, r); fprintf (stderr, "\np = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\nr = "); mpn_out_str (stderr, 16, ref, m->size); abort (); } } mpz_clear (r); free (a); free (ai); free (ref); free (scratch); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p); test_modulo (rands, "q", &ecc_curves[i]->q); } gmp_randclear (rands); } nettle-3.4.1/testsuite/ecc-sqrt-test.c0000644000175000017500000000735713401564746016757 0ustar nissenisse/* ecc-sqrt.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #define COUNT 5000 #if NETTLE_USE_MINI_GMP /* Implements Legendre symbol only, requiring that p is an odd prime */ static int mpz_ui_kronecker (mp_limb_t ul, const mpz_t p) { mpz_t t, u; int r; mpz_init_set_ui (u, ul); mpz_init_set (t, p); mpz_sub_ui (t, t, 1); mpz_tdiv_q_2exp (t, t, 1); mpz_powm (t, u, t, p); r = mpz_cmp_ui (t, 1); if (r < 0) r = 0; else if (r == 0) r = 1; else { mpz_sub (t, p, t); ASSERT (mpz_cmp_ui (t, 1) == 0); r = -1; } mpz_clear (t); mpz_clear (u); return r; } #endif /* NETTLE_USE_MINI_GMP */ static void test_modulo (gmp_randstate_t rands, const struct ecc_modulo *m) { mpz_t u; mpz_t v; mpz_t p; mpz_t r; mpz_t t; unsigned z, i; mp_limb_t *up; mp_limb_t *vp; mp_limb_t *rp; mp_limb_t *scratch; mpz_init (u); mpz_init (v); mpz_init (t); mpz_roinit_n (p, m->m, m->size); up = xalloc_limbs (m->size); vp = xalloc_limbs (m->size); rp = xalloc_limbs (2*m->size); scratch = xalloc_limbs (m->sqrt_itch); /* Find a non-square */ for (z = 2; mpz_ui_kronecker (z, p) != -1; z++) ; if (verbose) fprintf(stderr, "Non square: %d\n", z); for (i = 0; i < COUNT; i++) { if (i & 1) { mpz_rrandomb (u, rands, m->bit_size); mpz_rrandomb (v, rands, m->bit_size); } else { mpz_urandomb (u, rands, m->bit_size); mpz_urandomb (v, rands, m->bit_size); } mpz_limbs_copy (up, u, m->size); mpz_limbs_copy (vp, v, m->size); if (!m->sqrt (m, rp, up, vp, scratch)) { mpz_mul_ui (u, u, z); mpz_mod (u, u, p); mpz_limbs_copy (up, u, m->size); if (!m->sqrt (m, rp, up, vp, scratch)) { fprintf (stderr, "m->sqrt returned failure, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nv = 0x"); mpz_out_str (stderr, 16, v); fprintf (stderr, "\n"); abort (); } } /* Check that r^2 v = u */ mpz_roinit_n (r, rp, m->size); mpz_mul (t, r, r); mpz_mul (t, t, v); if (!mpz_congruent_p (t, u, p)) { fprintf (stderr, "m->sqrt gave incorrect result, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nv = 0x"); mpz_out_str (stderr, 16, v); fprintf (stderr, "\nr = 0x"); mpz_out_str (stderr, 16, r); fprintf (stderr, "\n"); abort (); } } mpz_clear (u); mpz_clear (v); mpz_clear (t); free (up); free (vp); free (rp); free (scratch); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); for (i = 0; ecc_curves[i]; i++) { if (ecc_curves[i]->p.sqrt) test_modulo (rands, &ecc_curves[i]->p); } gmp_randclear (rands); } nettle-3.4.1/testsuite/ccm-test.c0000644000175000017500000006515513401564746016000 0ustar nissenisse/* ccm-test.c Self-test and vectors for CCM mode ciphers using AES-128 and AES-256. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* The * test vectors have been collected from the following standards: * NIST SP800-38C * RFC 3610 * IEEE 802.15.4-2011 * IEEE P1619.1/D22 July 2007 (draft version) */ #include "testutils.h" #include "aes.h" #include "ccm.h" #include "knuth-lfib.h" static void test_compare_results(const char *name, const struct tstring *adata, /* Expected results. */ const struct tstring *e_clear, const struct tstring *e_cipher, /* Actual results. */ const void *clear, const void *cipher, const void *digest) /* digest optional. */ { int tlength = (e_cipher->length - e_clear->length); if (digest && tlength && !MEMEQ(tlength, e_cipher->data + e_clear->length, digest)) { fprintf(stderr, "%s digest failed:\nAdata:", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_clear); fprintf(stderr, "\nOutput: "); print_hex(tlength, digest); fprintf(stderr, "\nExpected:"); print_hex(tlength, e_cipher->data + e_clear->length); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(e_cipher->length, e_cipher->data, cipher)) { fprintf(stderr, "%s: encryption failed\nAdata: ", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_clear); fprintf(stderr, "\nOutput: "); print_hex(e_cipher->length, cipher); fprintf(stderr, "\nExpected:"); tstring_print_hex(e_cipher); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(e_clear->length, e_clear->data, clear)) { fprintf(stderr, "%s decrypt failed:\nAdata:", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_cipher); fprintf(stderr, "\nOutput: "); print_hex(e_clear->length, clear); fprintf(stderr, "\nExpected:"); tstring_print_hex(e_clear); fprintf(stderr, "\n"); FAIL(); } } /* test_compare_results */ static void test_cipher_ccm(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *nonce, const struct tstring *authdata, int repeat, const struct tstring *cleartext, const struct tstring *ciphertext) { void *ctx = xalloc(cipher->context_size); uint8_t *en_data; uint8_t *de_data; uint8_t *en_digest; uint8_t de_digest[CCM_BLOCK_SIZE]; size_t tlength; struct ccm_ctx ccm; int i; ASSERT (key->length == cipher->key_size); ASSERT (cleartext->length <= ciphertext->length); ASSERT ((cleartext->length + CCM_BLOCK_SIZE) >= ciphertext->length); tlength = ciphertext->length - cleartext->length; de_data = xalloc(cleartext->length); en_data = xalloc(ciphertext->length); en_digest = en_data + cleartext->length; cipher->set_encrypt_key(ctx, key->data); /* Encrypt using the incremental API. */ ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); } ccm_encrypt(&ccm, ctx, cipher->encrypt, cleartext->length, en_data, cleartext->data); ccm_digest(&ccm, ctx, cipher->encrypt, tlength, en_digest); /* Decrypt using the incremental API. */ ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); } ccm_decrypt(&ccm, ctx, cipher->encrypt, cleartext->length, de_data, ciphertext->data); ccm_digest(&ccm, ctx, cipher->encrypt, tlength, de_digest); /* Compare results using the generic API. */ test_compare_results("CCM", authdata, cleartext, ciphertext, de_data, en_data, de_digest); /* Ensure we get the same answers using the all-in-one API. */ if (repeat <= 1) { int ret; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); ccm_encrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, ciphertext->length, en_data, cleartext->data); ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, ciphertext->data); if (ret != 1) fprintf(stderr, "ccm_decrypt_message failed to validate message\n"); test_compare_results("CCM_MSG", authdata, cleartext, ciphertext, de_data, en_data, NULL); /* Ensure that we can detect corrupted message or tag data. */ if (tlength) { en_data[0] ^= 1; ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, en_data); if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); } /* Ensure we can detect corrupted adata. */ if (tlength && authdata->length) { ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length-1, authdata->data, tlength, cleartext->length, de_data, ciphertext->data); if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); } } /* Ensure we get the same answers using the per-cipher API. */ if (cipher == &nettle_aes128) { struct ccm_aes128_ctx aes; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); /* AES-128 encrypt. */ ccm_aes128_set_key(&aes, key->data); ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes128_update(&aes, authdata->length, authdata->data); } ccm_aes128_encrypt(&aes, cleartext->length, en_data, cleartext->data); ccm_aes128_digest(&aes, tlength, en_digest); /* AES-128 decrypt. */ ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes128_update(&aes, authdata->length, authdata->data); } ccm_aes128_decrypt(&aes, cleartext->length, de_data, ciphertext->data); ccm_aes128_digest(&aes, tlength, de_digest); test_compare_results("CCM_AES_128", authdata, cleartext, ciphertext, de_data, en_data, de_digest); } /* TODO: I couldn't find any test cases for CCM-AES-192 */ if (cipher == &nettle_aes256) { struct ccm_aes256_ctx aes; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); /* AES-256 encrypt. */ ccm_aes256_set_key(&aes, key->data); ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes256_update(&aes, authdata->length, authdata->data); } ccm_aes256_encrypt(&aes, cleartext->length, en_data, cleartext->data); ccm_aes256_digest(&aes, tlength, en_digest); /* AES-256 decrypt. */ ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes256_update(&aes, authdata->length, authdata->data); } ccm_aes256_decrypt(&aes, cleartext->length, de_data, ciphertext->data); ccm_aes256_digest(&aes, tlength, de_digest); test_compare_results("CCM_AES_256", authdata, cleartext, ciphertext, de_data, en_data, de_digest); } free(ctx); free(en_data); free(de_data); } void test_main(void) { /* Create a pattern of 00010203 04050607 08090a00b 0c0d0e0f ... */ struct tstring *adata; unsigned int i; adata = tstring_alloc(256); for (i=0; ilength; i++) adata->data[i] = (i & 0xff); /* From NIST spec 800-38C on AES modes. * * Appendix C: Example Vectors */ /* * C.1 Example 1 * Klen = 128, Tlen = 32, Nlen = 56, Alen = 64, Plen = 32 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("10111213141516"), SHEX("0001020304050607"), 1, SHEX("20212223"), SHEX("7162015b" "4dac255d")); /* * C.2 Example 2 * Klen = 128, Tlen = 48, Nlen = 64, Alen = 128, Plen = 128 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("1011121314151617"), SHEX("000102030405060708090a0b0c0d0e0f"), 1, SHEX("202122232425262728292a2b2c2d2e2f"), SHEX("d2a1f0e051ea5f62081a7792073d593d" "1fc64fbfaccd")); /* * C.3 Example 3 * Klen = 128, Tlen = 64, Nlen = 96, Alen = 160, Plen = 192 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("101112131415161718191a1b"), SHEX("000102030405060708090a0b0c0d0e0f" "10111213"), 1, SHEX("202122232425262728292a2b2c2d2e2f" "3031323334353637"), SHEX("e3b201a9f5b71a7a9b1ceaeccd97e70b" "6176aad9a4428aa5 484392fbc1b09951")); /* * C.4 Example 4 * Klen = 128, Tlen = 112, Nlen = 104, Alen = 524288, Plen = 256 * A = 00010203 04050607 08090a0b 0c0d0e0f * 10111213 ... */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("101112131415161718191a1b1c"), adata, 256, SHEX("202122232425262728292a2b2c2d2e2f" "303132333435363738393a3b3c3d3e3f"), SHEX("69915dad1e84c6376a68c2967e4dab61" "5ae0fd1faec44cc484828529463ccf72" "b4ac6bec93e8598e7f0dadbcea5b")); /* From RFC 3610 * * Section 8: Test Vectors * Packet Vector #1 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("58 8C 97 9A 61 C6 63 D2 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84" "17 E8 D1 2C FD F9 26 E0")); /* * Packet Vector #2 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("72 C9 1A 36 E1 35 F8 CF 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B" "A0 91 D5 6E 10 40 09 16")); /* * Packet Vector #3 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("51 B1 E5 F4 4A 19 7D 1D A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 57" "4A DA A7 6F BD 9F B0 C5")); /* * Packet Vector #4 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("A2 8C 68 65 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C" "96 C8 61 B9 C9 E6 1E F1")); /* * Packet Vector #5 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("DC F1 FB 7B 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E" "51 E8 3F 07 7D 9C 2D 93")); /* * Packet Vector #6 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("6F C1 B0 11 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 87" "40 5A 04 43 AC 91 CB 94")); /* * Packet Vector #7 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("01 35 D1 B2 C9 5F 41 D5 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C" "04 8C 56 60 2C 97 AC BB 74 90")); /* * Packet Vector #8 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("7B 75 39 9A C0 83 1D D2 F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24" "C1 7B 44 33 F4 34 96 3F 34 B4")); /* * Packet Vector #9 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("82 53 1A 60 CC 24 94 5A 4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1 97" "EA 9C 07 E5 6B 5E B1 7E 5F 4E")); /* * Packet Vector #10 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("07 34 25 94 15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B" "56 6A A9 40 6B 4D 99 99 88 DD")); /* * Packet Vector #11 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("67 6B B2 03 80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34" "F5 3A A2 E9 10 7A 8B 6C 02 2C")); /* * Packet Vector #12 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("C0 FF A0 D6 F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E 43" "CD 1A A3 16 62 E7 AD 65 D6 DB")); /* * Packet Vector #13 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA"), SHEX("0B E1 A8 8B AC E0 18 B1"), 1, SHEX("08 E8 CF 97 D8 20 EA 25 84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C"), SHEX("4C B9 7F 86 A2 A4 68 9A 87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8" "E7 8C F7 CB 0C DD D7 B3")); /* * Packet Vector #14 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 33 56 8E F7 B2 63 3C 96 96 76 6C FA"), SHEX("63 01 8F 76 DC 8A 1B CB"), 1, SHEX("90 20 EA 6F 91 BD D8 5A FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC"), SHEX("4C CB 1E 7C A9 81 BE FA A0 72 6C 55 D3 78 06 12 98 C8 5C 92 81 4A BC 33" "C5 2E E8 1D 7D 77 C0 8A")); /* * Packet Vector #15 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 10 3F E4 13 36 71 3C 96 96 76 6C FA"), SHEX("AA 6C FA 36 CA E8 6B 40"), 1, SHEX("B9 16 E0 EA CC 1C 00 D7 DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13 2E"), SHEX("B1 D2 3A 22 20 DD C0 AC 90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97 08" "A7 76 79 6E DB 72 35 06")); /* * Packet Vector #16 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA"), SHEX("D0 D0 73 5C 53 1E 1B EC F0 49 C2 44"), 1, SHEX("12 DA AC 56 30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C"), SHEX("14 D2 53 C3 96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26" "9A 6F 49 97 5B CA DE AF")); /* * Packet Vector #17 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA"), SHEX("77 B6 0F 01 1C 03 E1 52 58 99 BC AE"), 1, SHEX("E8 8B 6A 46 C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D"), SHEX("55 45 FF 1A 08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F" "76 2C 0C 77 44 FE 7E 3C")); /* * Packet Vector #18 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA"), SHEX("CD 90 44 D2 B7 1F DB 81 20 EA 60 C0"), 1, SHEX("64 35 AC BA FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8 7F"), SHEX("00 97 69 EC AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04 C8" "47 09 9E 5A E0 70 45 51")); /* * Packet Vector #19 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA"), SHEX("D8 5B C7 E6 9F 94 4F B8"), 1, SHEX("8A 19 B9 50 BC F7 1A 01 8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18"), SHEX("BC 21 8D AA 94 74 27 B6 DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A" "63 7C F9 BE C2 40 88 97 C6 BA")); /* * Packet Vector #20 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA"), SHEX("74 A0 EB C9 06 9F 5B 37"), 1, SHEX("17 61 43 3C 37 C5 A3 5F C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37"), SHEX("58 10 E6 FD 25 87 40 22 E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6" "F0 A4 77 CC 2F C9 BF 54 89 44")); /* * Packet Vector #21 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA"), SHEX("44 A3 AA 3A AE 64 75 CA"), 1, SHEX("A4 34 A8 E5 85 00 C6 E4 15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B FA"), SHEX("F2 BE ED 7B C5 09 8E 83 FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1 54" "4D 41 51 A4 ED 3A 8B 87 B9 CE")); /* * Packet Vector #22 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA"), SHEX("EC 46 BB 63 B0 25 20 C3 3C 49 FD 70"), 1, SHEX("B9 6B 49 E2 1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2"), SHEX("31 D7 50 A0 9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF" "7D 22 C8 08 8C 66 6B E5 C1 97")); /* * Packet Vector #23 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA"), SHEX("47 A6 5A C7 8B 3D 59 42 27 E8 5E 71"), 1, SHEX("E2 FC FB B8 80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76"), SHEX("E8 82 F1 DB D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC" "DF 7E 00 DC CE C7 AE 52 98 7D")); /* * Packet Vector #24 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA"), SHEX("6E 37 A6 EF 54 6D 95 5D 34 AB 60 59"), 1, SHEX("AB F2 1C 0B 02 FE B8 8F 85 6D F4 A3 73 81 BC E3 CC 12 85 17 D4"), SHEX("F3 29 05 B8 8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A B1" "6D CE 9E 82 EF A1 6D A6 20 59")); /* From IEEE 802.15.4-2011 * * Annex C: Test vectors for cryptographic building blocks * C.2.1 MAC beacon frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 02"), SHEX("08 D0 84 21 43 01 00 00 00 00 48 DE AC 02 05 00 00 00 55 CF 00 00 51 52 53 54"), 1, SHEX(""), SHEX("22 3B C1 EC 84 1A B5 53")); /* * C.2.2 MAC data frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 04"), SHEX("69 DC 84 21 43 02 00 00 00 00 48 DE AC 01 00 00 00 00 48 DE AC 04 05 00 00 00"), 1, SHEX("61 62 63 64"), SHEX("D4 3E 02 2B")); /* * C.2.3 MAC command frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 06"), SHEX("2B DC 84 21 43 02 00 0000 00 48 DE AC FF FF 01 00 00 00 00 48 DE AC 06 05 00 00 00 01"), 1, SHEX("CE"), SHEX("D8 4F DE 52 90 61 F9 C6 F1")); /* From IEEE P1619.1/D22 July 2007 (draft version) * * Annex D: Test Vectors * D.2.1 CCM-128-AES-256 test vector 1 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX(""), 0, SHEX("00000000000000000000000000000000"), SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" "4b0a3e5e51f151eb0ffae7c43d010fdb")); /* * D.2.2 CCM-128-AES-256 test vector 2 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX("00000000000000000000000000000000"), 1, SHEX(""), SHEX("904704e89fb216443cb9d584911fc3c2")); /* * D.2.3 CCM-128-AES-256 test vector 3 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX("00000000000000000000000000000000"), 1, SHEX("00000000000000000000000000000000"), SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" "87314e9c1fa01abe6a6415943dc38521")); /* * D.2.4 CCM-128-AES-256 test vector 4 */ test_cipher_ccm(&nettle_aes256, SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce60978f4d17fce45a49e830b7"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX(""), 0, SHEX("a845348ec8c5b5f126f50e76fefd1b1e"), SHEX("cc881261c6a7fa72b96a1739176b277f" "3472e1145f2c0cbe146349062cf0e423")); /* * D.2.5 CCM-128-AES-256 test vector 5 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), SHEX("000102030405060708090a0b0c0d0e0f10111213"), 1, SHEX("202122232425262728292a2b2c2d2e2f3031323334353637"), SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e5" "9bba3f3a107f3239bd63902923f80371")); /* * D.2.6 CCM-128-AES-256 test vector 6 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), adata, 256, SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e577f6bf2422c0f6d2" "3376d2cf256ef613c56454cbb5265834")); /* * D.2.7 CCM-128-AES-256 test vector 7 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), 1, SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("24d8a38e939d2710cad52b96fe6f82010014c4c43b2e55c557d69f0402e0d6f2" "06c53d6cbd3f1c3c6de5dcdcad9fb74f25741dea741149fe4278a0cc24741e86" "58cc0523b8d7838c60fb1de4b7c3941f5b26dea9322aa29656ec37ac18a9b108" "a6f38b7917f5a9c398838b22afbd17252e96694a9e6237964a0eae21c0a6e152" "15a0e82022926be97268249599e456e05029c3ebc07d78fc5b4a0862e04e68c2" "9514c7bdafc4b52e04833bf30622e4eb42504a44a9dcbc774752de7bb82891ad" "1eba9dc3281422a8aba8654268d3d9c81705f4c5a531ef856df5609a159af738" "eb753423ed2001b8f20c23725f2bef18c409f7e52132341f27cb8f0e79894dd9" "ebb1fa9d28ccfe21bdfea7e6d91e0bab")); /* * D.2.8 CCM-128-AES-256 test vector 8 */ test_cipher_ccm(&nettle_aes256, SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce6097878d17fce45a49e830b7"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX("36"), 1, SHEX("a9"), SHEX("9d3261b1cf931431e99a32806738ecbd2a")); /* * D.2.9 CCM-128-AES-256 test vector 9 */ test_cipher_ccm(&nettle_aes256, SHEX("f8d476cfd646ea6c2384cb1c27d6195dfef1a9f37b9c8d21a79c21f8cb90d289"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX("7bd859a247961a21823b380e9fe8b65082ba61d3"), 1, SHEX("90ae61cf7baebd4cade494c54a29ae70269aec71"), SHEX("6c05313e45dc8ec10bea6c670bd94f31569386a6" "8f3829e8e76ee23c04f566189e63c686")); } nettle-3.4.1/testsuite/hmac-test.c0000644000175000017500000007136213401564746016143 0ustar nissenisse#include "testutils.h" #include "hmac.h" #define HMAC_TEST(alg, key, msg, mac) \ do { \ struct hmac_##alg##_ctx ctx; \ \ hmac_##alg##_set_key(&ctx, key->length, key->data); \ hmac_##alg##_update(&ctx, msg->length, msg->data); \ digest[mac->length] = 17; \ hmac_##alg##_digest(&ctx, mac->length, digest); \ ASSERT(MEMEQ (mac->length, digest, mac->data)); \ ASSERT(digest[mac->length] == 17); \ } while (0) void test_main(void) { /* sha512's digests are longest */ uint8_t digest[SHA512_DIGEST_SIZE+1]; memset(digest, 0, sizeof(digest)); /* Test vectors for md5, from RFC-2202 */ /* md5 - 1 */ HMAC_TEST(md5, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("9294727a3638bb1c 13f48ef8158bfc9d")); /* md5 - 2 */ HMAC_TEST(md5, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("750c783e6ab0b503 eaa86e310a5db738")); /* md5 - 3 */ HMAC_TEST(md5, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("56be34521d144c88 dbb8c733f0e8b3f6")); /* md5 - 4 */ HMAC_TEST(md5, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 19"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("697eaf0aca3a3aea 3a75164746ffaa79")); /* md5 - 5 */ HMAC_TEST(md5, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), SHEX("56461ef2342edc00 f9bab995")); /* md5 - 6 */ HMAC_TEST(md5, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("6b1ab7fe4bd7bf8f 0b62e6ce61b9d0cd")); /* md5 - 7 */ HMAC_TEST(md5, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger " "Than One Block-Size Data"), SHEX("6f630fad67cda0ee 1fb1f562db3aa53e")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("e84db42a188813f30a15e611d64c7869")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("123662062e67c2aab371cc49db0df134")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("0a46cc10a49d4b7025c040c597bf5d76")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("d1f4d89f0e8b2b6ed0623c99ec298310")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("1627207b9bed5009a4f6e9ca8d2ca01e")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("922aae6ab3b3a29202e21ce5f916ae9a")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("ede9cb83679ba82d88fbeae865b3f8fc")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("939dd45512ee3a594b6654f6b8de27f7")); /* Test vectors for ripemd160, from http://homes.esat.kuleuven.be/~bosselae/ripemd160.html */ HMAC_TEST(ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA(""), SHEX("cf387677bfda8483e63b57e06c3b5ecd8b7fc055")); HMAC_TEST(ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("a"), SHEX("0d351d71b78e36dbb7391c810a0d2b6240ddbafc")); HMAC_TEST(ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abc"), SHEX("f7ef288cb1bbcc6160d76507e0a3bbf712fb67d6")); HMAC_TEST(ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("message digest"), SHEX("f83662cc8d339c227e600fcd636c57d2571b1c34")); HMAC_TEST(ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("843d1c4eb880ac8ac0c9c95696507957d0155ddb")); HMAC_TEST(ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("60f5ef198a2dd5745545c1f0c47aa3fb5776f881")); HMAC_TEST(ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("e49c136a9e5627e0681b808a3b97e6a6e661ae79")); /* Other key */ HMAC_TEST(ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA(""), SHEX("fe69a66c7423eea9c8fa2eff8d9dafb4f17a62f5")); HMAC_TEST(ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("a"), SHEX("85743e899bc82dbfa36faaa7a25b7cfd372432cd")); HMAC_TEST(ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abc"), SHEX("6e4afd501fa6b4a1823ca3b10bd9aa0ba97ba182")); HMAC_TEST(ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("message digest"), SHEX("2e066e624badb76a184c8f90fba053330e650e92")); HMAC_TEST(ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("07e942aa4e3cd7c04dedc1d46e2e8cc4c741b3d9")); HMAC_TEST(ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("b6582318ddcfb67a53a67d676b8ad869aded629a")); HMAC_TEST(ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("f1be3ee877703140d34f97ea1ab3a07c141333e2")); /* Test vectors for sha1, from RFC-2202 */ /* sha1 - 1 */ HMAC_TEST(sha1, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b 0b0b0b0b"), SDATA("Hi There"), SHEX("b617318655057264 e28bc0b6fb378c8e f146be00")); /* sha1 - 2 */ HMAC_TEST(sha1, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("effcdf6ae5eb2fa2 d27416d5f184df9c 259a7c79")); /* sha1 - 3 */ HMAC_TEST(sha1, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("125d7342b9ac11cd 91a39af48aa17b4f 63f175d3")); /* sha1 - 4 */ HMAC_TEST(sha1, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 19"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("4c9007f4026250c6 bc8414f9bf50c86c 2d7235da")); /* sha1 - 5 */ HMAC_TEST(sha1, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("4c1a03424b55e07f e7f27be1")); /* sha1 - 6 */ HMAC_TEST(sha1, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("aa4ae5e15272d00e 95705637ce8a3b55 ed402112")); /* sha1 - 7 */ HMAC_TEST(sha1, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger " "Than One Block-Size Data"), SHEX("e8e99d0f45237d78 6d6bbaa7965c7808 bbff1a91")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("e84db42a188813f30a15e611d64c7869")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("123662062e67c2aab371cc49db0df134")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("0a46cc10a49d4b7025c040c597bf5d76")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("d1f4d89f0e8b2b6ed0623c99ec298310")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("1627207b9bed5009a4f6e9ca8d2ca01e")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("922aae6ab3b3a29202e21ce5f916ae9a")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("ede9cb83679ba82d88fbeae865b3f8fc")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("939dd45512ee3a594b6654f6b8de27f7")); /* Test vectors for sha224, from RFC 4231 */ HMAC_TEST(sha224, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("896fb1128abbdf196832107cd49df33f" "47b4b1169912ba4f53684b22")); HMAC_TEST(sha224, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("a30e01098bc6dbbf45690f3a7e9e6d0f" "8bbea2a39e6148008fd05e44")); HMAC_TEST(sha224, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("7fb3cb3588c6c1f6ffa9694d7d6ad264" "9365b0c1f65d69d1ec8333ea")); HMAC_TEST(sha224, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("6c11506874013cac6a2abc1bb382627c" "ec6a90d86efc012de7afec5a")); HMAC_TEST(sha224, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("0e2aea68a90c8d37c988bcdb9fca6fa8")); HMAC_TEST(sha224, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("95e9a0db962095adaebe9b2d6f0dbce2" "d499f112f2d2b7273fa6870e")); HMAC_TEST(sha224, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("3a854166ac5d9f023f54d517d0b39dbd" "946770db9c2b95c9f6f565d1")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("d12a49ae38177ffeaa548b2148bb5238" "60849772d9391e675b103d89")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("b04ff8522f904f553970bfa8ad3f0086" "bce1e8580affd8a12c94e31a")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("afcfb5511f710334f9350f57faec3c08" "764b4bd126a6840f4347f116")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("9df9907af127900c909376893565c6cf" "2d7db244fdc4277da1e0b679")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("254ebf6b8ddd7a3271b3d9aca1699b0c" "0bfb7df61e8a114922c88d27")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("6ec5bffba5880c3234a6cf257816e4d5" "35ab178a7f12929769e378fb")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("5f768179dbb29ca722875d0f461a2e2f" "597d0210340a84df1a8e9c63")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("c7667b0d7e56b2b4f6fcc1d8da9e22da" "a1556f44c47132a87303c6a2")); /* Test vectors for sha256, from RFC 4231 */ HMAC_TEST(sha256, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("b0344c61d8db38535ca8afceaf0bf12b" "881dc200c9833da726e9376c2e32cff7")); HMAC_TEST(sha256, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("5bdcc146bf60754e6a042426089575c7" "5a003f089d2739839dec58b964ec3843")); HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("773ea91e36800e46854db8ebd09181a7" "2959098b3ef8c122d9635514ced565fe")); HMAC_TEST(sha256, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("82558a389a443c0ea4cc819899f2083a" "85f0faa3e578f8077a2e3ff46729665b")); HMAC_TEST(sha256, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("a3b6167473100ee06e0c796c2955552b")); HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("60e431591ee0b67f0d8a26aacbf5b77f" "8e0bc6213728c5140546040f0ee37f54")); HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("9b09ffa71b942fcb27635fbcd5b0e944" "bfdc63644f0713938a7f51535c3a35e2")); /* Additional test vectors for sha256, from draft-ietf-ipsec-ciph-sha-256-01.txt */ /* Test Case #1: HMAC-SHA-256 with 3-byte input and 32-byte key */ HMAC_TEST(sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abc"), SHEX("a21b1f5d4cf4f73a 4dd939750f7a066a" "7f98cc131cb16a66 92759021cfab8181")); /* Test Case #2: HMAC-SHA-256 with 56-byte input and 32-byte key */ HMAC_TEST(sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" "ijkljklmklmnlmnomnopnopq"), SHEX("104fdc1257328f08 184ba73131c53cae" "e698e36119421149 ea8c712456697d30")); /* Test Case #3: HMAC-SHA-256 with 112-byte (multi-block) input and 32-byte key */ HMAC_TEST(sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" "ijkljklmklmnlmnomnopnopqabcdbcde" "cdefdefgefghfghighijhijkijkljklm" "klmnlmnomnopnopq"), SHEX("470305fc7e40fe34 d3eeb3e773d95aab" "73acf0fd060447a5 eb4595bf33a9d1a3")); /* Test Case #4: HMAC-SHA-256 with 8-byte input and 32-byte key */ HMAC_TEST(sha256, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("198a607eb44bfbc6 9903a0f1cf2bbdc5" "ba0aa3f3d9ae3c1c 7a3b1696a0b68cf7")); /* Test Case #6: HMAC-SHA-256 with 50-byte input and 32-byte key */ HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("cdcb1220d1ecccea 91e53aba3092f962" "e549fe6ce9ed7fdc 43191fbde45c30b0")); /* Test Case #7: HMAC-SHA-256 with 50-byte input and 37-byte key */ HMAC_TEST(sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20" "2122232425"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("d4633c17f6fb8d74 4c66dee0f8f07455" "6ec4af55ef079985 41468eb49bd2e917")); /* Test Case #8: HMAC-SHA-256 with 20-byte input and 32-byte key */ HMAC_TEST(sha256, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c" "0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), SHEX("7546af01841fc09b 1ab9c3749a5f1c17")); /* Test Case #9: HMAC-SHA-256 with 54-byte input and 80-byte key */ HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("6953025ed96f0c09 f80a96f78e6538db" "e2e7b820e3dd970e 7ddd39091b32352f")); /* Test Case #10: HMAC-SHA-256 with 73-byte (multi-block) input and 80-byte key */ HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"), SHEX("6355ac22e890d0a3 c8481a5ca4825bc8" "84d3e7a1ff98a2fc 2ac7d8e064c3b2e6")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("5c780648c90d121c50091c3a0c3afc1f" "4ab847528005d99d9821ad3f341b651a")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("6142364c0646b0cfe426866f21d613e0" "55a136a7d9b45d85685e080a09cec463")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("e49aa7839977e130ad87b63da9d4eb7b" "263cd5a27c54a7604b6044eb35901171")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("e5ef49f545c7af933a9d18c7c562bc91" "08583fd5cf00d9e0db351d6d8f8e41bc")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("373b04877180fea27a41a8fb8f88201c" "a6268411ee3c80b01a424483eb9156e1")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("eb5945d56eefbdb41602946ea6448d53" "86b08d7d801a87f439fab52f8bb9736e")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("3798f363c57afa6edaffe39016ca7bad" "efd1e670afb0e3987194307dec3197db")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("c89a7039a62985ff813fe4509b918a43" "6d7b1ffd8778e2c24dec464849fb6128")); /* Test vectors for sha384, from RFC 4231 */ HMAC_TEST(sha384, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("afd03944d84895626b0825f4ab46907f" "15f9dadbe4101ec682aa034c7cebc59c" "faea9ea9076ede7f4af152e8b2fa9cb6")); HMAC_TEST(sha384, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("af45d2e376484031617f78d2b58a6b1b" "9c7ef464f5a01b47e42ec3736322445e" "8e2240ca5e69e2c78b3239ecfab21649")); HMAC_TEST(sha384, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("88062608d3e6ad8a0aa2ace014c8a86f" "0aa635d947ac9febe83ef4e55966144b" "2a5ab39dc13814b94e3ab6e101a34f27")); HMAC_TEST(sha384, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("3e8a69b7783c25851933ab6290af6ca7" "7a9981480850009cc5577c6e1f573b4e" "6801dd23c4a7d679ccf8a386c674cffb")); HMAC_TEST(sha384, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("3abf34c3503b2a23a46efc619baef897")); HMAC_TEST(sha384, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("4ece084485813e9088d2c63a041bc5b4" "4f9ef1012a2b588f3cd11f05033ac4c6" "0c2ef6ab4030fe8296248df163f44952")); HMAC_TEST(sha384, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("6617178e941f020d351e2f254e8fd32c" "602420feb0b8fb9adccebb82461e99c5" "a678cc31e799176d3860e6110c46523e")); /* Test vectors for sha512, from RFC 4231 */ HMAC_TEST(sha512, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("87aa7cdea5ef619d4ff0b4241a1d6cb0" "2379f4e2ce4ec2787ad0b30545e17cde" "daa833b7d6b8a702038b274eaea3f4e4" "be9d914eeb61f1702e696c203a126854")); HMAC_TEST(sha512, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("164b7a7bfcf819e2e395fbe73b56e0a3" "87bd64222e831fd610270cd7ea250554" "9758bf75c05a994a6d034f65f8f0e6fd" "caeab1a34d4a6b4b636e070a38bce737")); HMAC_TEST(sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("fa73b0089d56a284efb0f0756c890be9" "b1b5dbdd8ee81a3655f83e33b2279d39" "bf3e848279a722c806b485a47e67c807" "b946a337bee8942674278859e13292fb")); HMAC_TEST(sha512, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("b0ba465637458c6990e5a8c5f61d4af7" "e576d97ff94b872de76f8050361ee3db" "a91ca5c11aa25eb4d679275cc5788063" "a5f19741120c4f2de2adebeb10a298dd")); HMAC_TEST(sha512, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("415fad6271580a531d4179bc891d87a6")); HMAC_TEST(sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("80b24263c7c1a3ebb71493c1dd7be8b4" "9b46d1f41b4aeec1121b013783f8f352" "6b56d037e05f2598bd0fd2215d6a1e52" "95e64f73f63f0aec8b915a985d786598")); HMAC_TEST(sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("e37b6a775dc87dbaa4dfa9f96e5e3ffd" "debd71f8867289865df5a32d20cdc944" "b6022cac3c4982b10d5eeb55c3e4de15" "134676fb6de0446065c97440fa8c6a58")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("34316413c2d6940572d0bbbf099d529d" "148b424533cf562bc1b365f530e21a31" "799fc51cef78060cc6f448a8e5d780c2" "6cdf20d4c3e6f27fe5ef576bbd05e855")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("cf1948507378bc3ab58cb6ec87f4d456" "b90d3298395c29873f1ded1e111b50fe" "c336ed24684bf19716efc309212f37aa" "715cfb9ecccf3af13691ded167b4b336")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("b8201784216ce01b83cdd282616c6e89" "644c6dfd1269ed8580bbc39b92add364" "c2b2a2018cffb1915e8625e473b67d0f" "e54a50e475dfa0e2b1a97bac1383792c")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("f097ee08b8c44e847a384f9fd645e35e" "4816baa9791ba39d3dc611210500b044" "873ee296bf1047dc06daa201a5767192" "5b73b4ea59c60114881c8287d0699c83")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("921a441a884b83c76a8526da8e60d60d" "17ded4eee5c29375e0d93717669a4c3e" "eba7473e95f7c1a2a85afc24a0adbc4d" "6c2bdd6ca6cab8b18d19f82d4a6c51bc")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("640054c96f35815095617d0a8c956066" "1a6ff46bfb39110333b2c52c8866abfb" "59d9152c9b0948c1ed65c3fd72a8fb82" "190acc8830770afe5b0c5b6414c75a77")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("835a4f5b3750b4c1fccfa88da2f746a4" "900160c9f18964309bb736c13b59491b" "8e32d37b724cc5aebb0f554c6338a3b5" "94c4ba26862b2dadb59b7ede1d08d53e")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("fdf83dc879e3476c8e8aceff2bf6fece" "2e4f39c7e1a167845465bb549dfa5ffe" "997e6c7cf3720eae51ed2b00ad2a8225" "375092290edfa9d48ec7e4bc8e276088")); /* Additional test vectors, from draft-kelly-ipsec-ciph-sha2-01.txt */ /* Test case AUTH512-1: */ HMAC_TEST(sha512, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("637edc6e01dce7e6742a99451aae82df" "23da3e92439e590e43e761b33e910fb8" "ac2878ebd5803f6f0b61dbce5e251ff8" "789a4722c1be65aea45fd464e89f8f5b")); /* Test case AUTH512-2: */ HMAC_TEST(sha512, SDATA("JefeJefeJefeJefe" "JefeJefeJefeJefe" "JefeJefeJefeJefe" "JefeJefeJefeJefe"), SDATA("what do ya want for nothing?"), SHEX("cb370917ae8a7ce28cfd1d8f4705d614" "1c173b2a9362c15df235dfb251b15454" "6aa334ae9fb9afc2184932d8695e397b" "fa0ffb93466cfcceaae38c833b7dba38")); /* Test case AUTH512-3: */ HMAC_TEST(sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("2ee7acd783624ca9398710f3ee05ae41" "b9f9b0510c87e49e586cc9bf961733d8" "623c7b55cebefccf02d5581acc1c9d5f" "b1ff68a1de45509fbe4da9a433922655")); /* Test case AUTH512-3 from same document seems broken. */ } nettle-3.4.1/testsuite/hkdf-test.c0000644000175000017500000001332613401564746016143 0ustar nissenisse#include "testutils.h" #include "hkdf.h" #include "hmac.h" static void test_hkdf_sha256(const struct tstring *ikm, const struct tstring *salt, const struct tstring *info, const struct tstring *extract_output, const struct tstring *expand_output) { struct hmac_sha256_ctx ctx; uint8_t prk[SHA256_DIGEST_SIZE]; uint8_t *buffer = xalloc(expand_output->length); hmac_sha256_set_key(&ctx, salt->length, salt->data); hkdf_extract(&ctx, (nettle_hash_update_func*) hmac_sha256_update, (nettle_hash_digest_func*) hmac_sha256_digest, SHA256_DIGEST_SIZE, ikm->length, ikm->data, prk); if (MEMEQ(SHA256_DIGEST_SIZE, prk, extract_output->data) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(SHA256_DIGEST_SIZE, prk); fprintf(stdout, "\nExpected:\n"); print_hex(extract_output->length, extract_output->data); abort(); } hmac_sha256_set_key(&ctx, SHA256_DIGEST_SIZE, prk); hkdf_expand(&ctx, (nettle_hash_update_func*) hmac_sha256_update, (nettle_hash_digest_func*) hmac_sha256_digest, SHA256_DIGEST_SIZE, info->length, info->data, expand_output->length, buffer); if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(expand_output->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(expand_output->length, expand_output->data); abort(); } free(buffer); } static void test_hkdf_sha1(const struct tstring *ikm, const struct tstring *salt, const struct tstring *info, const struct tstring *extract_output, const struct tstring *expand_output) { struct hmac_sha1_ctx ctx; uint8_t prk[SHA1_DIGEST_SIZE]; uint8_t *buffer = xalloc(expand_output->length); hmac_sha1_set_key(&ctx, salt->length, salt->data); hkdf_extract(&ctx, (nettle_hash_update_func*) hmac_sha1_update, (nettle_hash_digest_func*) hmac_sha1_digest, SHA1_DIGEST_SIZE, ikm->length, ikm->data, prk); if (MEMEQ(SHA1_DIGEST_SIZE, prk, extract_output->data) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(SHA1_DIGEST_SIZE, prk); fprintf(stdout, "\nExpected:\n"); print_hex(extract_output->length, extract_output->data); abort(); } hmac_sha1_set_key(&ctx, SHA1_DIGEST_SIZE, prk); hkdf_expand(&ctx, (nettle_hash_update_func*) hmac_sha1_update, (nettle_hash_digest_func*) hmac_sha1_digest, SHA1_DIGEST_SIZE, info->length, info->data, expand_output->length, buffer); if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(expand_output->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(expand_output->length, expand_output->data); abort(); } free(buffer); } void test_main(void) { /* HKDF test vectors from RFC5869 */ test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SHEX("000102030405060708090a0b0c"), SHEX("f0f1f2f3f4f5f6f7f8f9"), SHEX("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"), SHEX("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")); test_hkdf_sha256(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"), SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"), SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"), SHEX("b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87")); test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA(""), SDATA(""), SHEX("19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"), SHEX("8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8")); test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b"), SHEX("000102030405060708090a0b0c"), SHEX("f0f1f2f3f4f5f6f7f8f9"), SHEX("9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"), SHEX("085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896")); test_hkdf_sha1(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"), SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"), SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("8adae09a2a307059478d309b26c4115a224cfaf6"), SHEX("0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4")); test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA(""), SDATA(""), SHEX("da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"), SHEX("0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918")); test_hkdf_sha1(SHEX("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"), SHEX(""), SHEX(""), SHEX("2adccada18779e7c2077ad2eb19d3f3e731385dd"), SHEX("2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48")); } nettle-3.4.1/testsuite/buffer-test.c0000644000175000017500000000114713401564746016476 0ustar nissenisse#include "testutils.h" #include "buffer.h" void test_main(void) { struct nettle_buffer buffer; uint8_t s[5]; nettle_buffer_init(&buffer); ASSERT(nettle_buffer_write(&buffer, LDATA("foo"))); ASSERT(NETTLE_BUFFER_PUTC(&buffer, 'x')); ASSERT(buffer.size == 4); ASSERT(buffer.alloc >= 4); ASSERT(MEMEQ(4, buffer.contents, "foox")); nettle_buffer_clear(&buffer); nettle_buffer_init_size(&buffer, sizeof(s), s); ASSERT(buffer.alloc == sizeof(s)); ASSERT(nettle_buffer_write(&buffer, LDATA("foo"))); ASSERT(buffer.size == 3); ASSERT(!nettle_buffer_write(&buffer, LDATA("bar"))); } nettle-3.4.1/testsuite/sha3.awk0000755000175000017500000000073513401564746015453 0ustar nissenisse#! /usr/bin/awk -f # This script is used to process the Keccak testvectors, originally # we used http://keccak.noekeon.org/KeccakKAT-3.zip. # For the updated NIST version, test vectors can be found at # https://github.com/gvanas/KeccakCodePackage/tree/master/TestVectors /^Len/ { len = $3 } /^Msg/ { msg = $3 } /^MD/ { md = $3; if (len % 8 == 0) printf("test_hash(&nettle_sha3_xxx, /* %d octets */\nSHEX(\"%s\"),\nSHEX(\"%s\"));\n", len / 8, len ? msg : "", md); } nettle-3.4.1/testsuite/sha512-256-test.c0000644000175000017500000000105513401564746016540 0ustar nissenisse#include "testutils.h" void test_main(void) { /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ test_hash(&nettle_sha512_256, SDATA("abc"), SHEX("53048E26 81941EF9 9B2E29B7 6B4C7DAB" "E4C2D0C6 34FC6D46 E0E2F131 07E7AF23")); test_hash(&nettle_sha512_256, SDATA("abcdefghbcdefghicdefghijdefghijk" "efghijklfghijklmghijklmnhijklmno" "ijklmnopjklmnopqklmnopqrlmnopqrs" "mnopqrstnopqrstu"), SHEX("3928E184 FB8690F8 40DA3988 121D31BE" "65CB9D3E F83EE614 6FEAC861 E19B563A")); } nettle-3.4.1/testsuite/md2-test.c0000644000175000017500000000160113401564746015702 0ustar nissenisse#include "testutils.h" #include "md2.h" void test_main(void) { /* Testcases from RFC 1319 */ test_hash(&nettle_md2, SDATA(""), SHEX("8350e5a3e24c153df2275c9f80692773")); test_hash(&nettle_md2, SDATA("a"), SHEX("32ec01ec4a6dac72c0ab96fb34c0b5d1")); test_hash(&nettle_md2, SDATA("abc"), SHEX("da853b0d3f88d99b30283a69e6ded6bb")); test_hash(&nettle_md2, SDATA("message digest"), SHEX("ab4f496bfb2a530b219ff33031fe06b0")); test_hash(&nettle_md2, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("4e8ddff3650292ab5a4108c3aa47940b")); test_hash(&nettle_md2, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("da33def2a42df13975352846c30338cd")); test_hash(&nettle_md2, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("d5976f79d83d3a0dc9806c3c66f3efd8")); } nettle-3.4.1/testsuite/blowfish-test.c0000644000175000017500000000263613401564746017046 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "blowfish.h" static void test_blowfish(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct blowfish_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; blowfish_set_key(&ctx, key->length, key->data); blowfish_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } blowfish_set_key(&ctx, key->length, key->data); blowfish_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* 208 bit key. Test from GNUPG. */ test_blowfish(SDATA("abcdefghijklmnopqrstuvwxyz"), SDATA("BLOWFISH"), SHEX("32 4E D0 FE F4 13 A2 03")); } nettle-3.4.1/testsuite/rsa-keygen-test.c0000644000175000017500000000420713401564746017272 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" static void progress(void *ctx UNUSED, int c) { fputc(c, stderr); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); /* Generate a 1024 bit key with random e */ knuth_lfib_init(&lfib, 13); ASSERT (rsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 50)); test_rsa_key(&pub, &key); mpz_set_str(expected, "31ee088024b66f28" "e182fa07e60f7864" "636eea21cf74c804" "02a9c29ebd00933d" "8fae3ddf029d18e0" "1b5498c70a4b68fd" "d3135748424e8caf" "43ee86068f250c92" "8da001d09f68c433" "96f2c2a42eaed7e5" "8934a052faa38b2c" "f2ac04cc91bd0d15" "4f60b16dc9045b08" "2ea1372717fd7f9c" "1e9cc383b7d5b909" "72e3126df060ef79" , 16); test_rsa_md5(&pub, &key, expected); /* Generate a 2000 bit key with fixed e */ knuth_lfib_init(&lfib, 17); mpz_set_ui(pub.e, 17); ASSERT (rsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2000, 0)); test_rsa_key(&pub, &key); mpz_set_str(expected, "892ef7cda3b0b501" "85de20b93340316e" "b35ac9c193f1f5a3" "9e6c1c327b9c36b8" "d4f1d41653b48fbd" "0c49e48bbdc46ced" "13b3f6426e8a1780" "55b9077ba59ce748" "a325563c3b4bdf78" "acdcdd556f5de3cf" "70257c3b334ba360" "5625ebda869c8058" "b95b40c1e75eb91b" "776e83c0224757c6" "b61266cb1739df1a" "c7fcc09194c575b5" "af4f3eb8e3aa3900" "22b72fb6e950c355" "88743bab32c3a214" "ea5865e2f5c41d67" "12e745496890fc9d" "7944a759f39d7b57" "e365d8d3f6ac2dd4" "052b6a2e58a6af82" "b0d67e7fe09045d9" "bc965e260cf3c9a9" "3bfaa09bdd076dc2" "c0ab48ce5b67105c" "cad90dcfc11cd713" "e64478d2d7ea42dd" "fd040793c487588d" "6218" , 16); test_rsa_sha1(&pub, &key, expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.4.1/testsuite/des-compat-test.c0000644000175000017500000006506113401564746017266 0ustar nissenisse/* crypto/des/destest.c */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include #include #include #include "des-compat.h" #include "testutils.h" /* tisk tisk - the test keys don't all have odd parity :-( */ /* test data */ #define NUM_TESTS 34 static const_des_cblock key_data[NUM_TESTS] = { {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, {0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}, {0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57}, {0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E}, {0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86}, {0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E}, {0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6}, {0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE}, {0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6}, {0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE}, {0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16}, {0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F}, {0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46}, {0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E}, {0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76}, {0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07}, {0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F}, {0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7}, {0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF}, {0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6}, {0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF}, {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, {0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}}; static unsigned char plain_data[NUM_TESTS][8]={ {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, {0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01}, {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, {0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42}, {0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA}, {0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72}, {0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A}, {0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2}, {0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A}, {0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2}, {0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A}, {0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02}, {0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A}, {0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32}, {0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA}, {0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62}, {0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2}, {0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA}, {0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92}, {0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A}, {0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2}, {0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A}, {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}}; static unsigned char cipher_data[NUM_TESTS][8]={ {0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7}, {0x73,0x59,0xB2,0x16,0x3E,0x4E,0xDC,0x58}, {0x95,0x8E,0x6E,0x62,0x7A,0x05,0x55,0x7B}, {0xF4,0x03,0x79,0xAB,0x9E,0x0E,0xC5,0x33}, {0x17,0x66,0x8D,0xFC,0x72,0x92,0x53,0x2D}, {0x8A,0x5A,0xE1,0xF8,0x1A,0xB8,0xF2,0xDD}, {0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7}, {0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4}, {0x69,0x0F,0x5B,0x0D,0x9A,0x26,0x93,0x9B}, {0x7A,0x38,0x9D,0x10,0x35,0x4B,0xD2,0x71}, {0x86,0x8E,0xBB,0x51,0xCA,0xB4,0x59,0x9A}, {0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A}, {0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95}, {0x86,0xA5,0x60,0xF1,0x0E,0xC6,0xD8,0x5B}, {0x0C,0xD3,0xDA,0x02,0x00,0x21,0xDC,0x09}, {0xEA,0x67,0x6B,0x2C,0xB7,0xDB,0x2B,0x7A}, {0xDF,0xD6,0x4A,0x81,0x5C,0xAF,0x1A,0x0F}, {0x5C,0x51,0x3C,0x9C,0x48,0x86,0xC0,0x88}, {0x0A,0x2A,0xEE,0xAE,0x3F,0xF4,0xAB,0x77}, {0xEF,0x1B,0xF0,0x3E,0x5D,0xFA,0x57,0x5A}, {0x88,0xBF,0x0D,0xB6,0xD7,0x0D,0xEE,0x56}, {0xA1,0xF9,0x91,0x55,0x41,0x02,0x0B,0x56}, {0x6F,0xBF,0x1C,0xAF,0xCF,0xFD,0x05,0x56}, {0x2F,0x22,0xE4,0x9B,0xAB,0x7C,0xA1,0xAC}, {0x5A,0x6B,0x61,0x2C,0xC2,0x6C,0xCE,0x4A}, {0x5F,0x4C,0x03,0x8E,0xD1,0x2B,0x2E,0x41}, {0x63,0xFA,0xC0,0xD0,0x34,0xD9,0xF7,0x93}, {0x61,0x7B,0x3A,0x0C,0xE8,0xF0,0x71,0x00}, {0xDB,0x95,0x86,0x05,0xF8,0xC8,0xC6,0x06}, {0xED,0xBF,0xD1,0xC6,0x6C,0x29,0xCC,0xC7}, {0x35,0x55,0x50,0xB2,0x15,0x0E,0x24,0x51}, {0xCA,0xAA,0xAF,0x4D,0xEA,0xF1,0xDB,0xAE}, {0xD5,0xD4,0x4F,0xF7,0x20,0x68,0x3D,0x0D}, {0x2A,0x2B,0xB0,0x08,0xDF,0x97,0xC2,0xF2}}; static unsigned char cipher_ecb2[NUM_TESTS-1][8]={ {0x92,0x95,0xB5,0x9B,0xB3,0x84,0x73,0x6E}, {0x19,0x9E,0x9D,0x6D,0xF3,0x9A,0xA8,0x16}, {0x2A,0x4B,0x4D,0x24,0x52,0x43,0x84,0x27}, {0x35,0x84,0x3C,0x01,0x9D,0x18,0xC5,0xB6}, {0x4A,0x5B,0x2F,0x42,0xAA,0x77,0x19,0x25}, {0xA0,0x6B,0xA9,0xB8,0xCA,0x5B,0x17,0x8A}, {0xAB,0x9D,0xB7,0xFB,0xED,0x95,0xF2,0x74}, {0x3D,0x25,0x6C,0x23,0xA7,0x25,0x2F,0xD6}, {0xB7,0x6F,0xAB,0x4F,0xBD,0xBD,0xB7,0x67}, {0x8F,0x68,0x27,0xD6,0x9C,0xF4,0x1A,0x10}, {0x82,0x57,0xA1,0xD6,0x50,0x5E,0x81,0x85}, {0xA2,0x0F,0x0A,0xCD,0x80,0x89,0x7D,0xFA}, {0xCD,0x2A,0x53,0x3A,0xDB,0x0D,0x7E,0xF3}, {0xD2,0xC2,0xBE,0x27,0xE8,0x1B,0x68,0xE3}, {0xE9,0x24,0xCF,0x4F,0x89,0x3C,0x5B,0x0A}, {0xA7,0x18,0xC3,0x9F,0xFA,0x9F,0xD7,0x69}, {0x77,0x2C,0x79,0xB1,0xD2,0x31,0x7E,0xB1}, {0x49,0xAB,0x92,0x7F,0xD0,0x22,0x00,0xB7}, {0xCE,0x1C,0x6C,0x7D,0x85,0xE3,0x4A,0x6F}, {0xBE,0x91,0xD6,0xE1,0x27,0xB2,0xE9,0x87}, {0x70,0x28,0xAE,0x8F,0xD1,0xF5,0x74,0x1A}, {0xAA,0x37,0x80,0xBB,0xF3,0x22,0x1D,0xDE}, {0xA6,0xC4,0xD2,0x5E,0x28,0x93,0xAC,0xB3}, {0x22,0x07,0x81,0x5A,0xE4,0xB7,0x1A,0xAD}, {0xDC,0xCE,0x05,0xE7,0x07,0xBD,0xF5,0x84}, {0x26,0x1D,0x39,0x2C,0xB3,0xBA,0xA5,0x85}, {0xB4,0xF7,0x0F,0x72,0xFB,0x04,0xF0,0xDC}, {0x95,0xBA,0xA9,0x4E,0x87,0x36,0xF2,0x89}, {0xD4,0x07,0x3A,0xF1,0x5A,0x17,0x82,0x0E}, {0xEF,0x6F,0xAF,0xA7,0x66,0x1A,0x7E,0x89}, {0xC1,0x97,0xF5,0x58,0x74,0x8A,0x20,0xE7}, {0x43,0x34,0xCF,0xDA,0x22,0xC4,0x86,0xC8}, {0x08,0xD7,0xB4,0xFB,0x62,0x9D,0x08,0x85}}; static const_des_cblock cbc_key = {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; static const_des_cblock cbc2_key = {0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87}; static const_des_cblock cbc3_key = {0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10}; static const_des_cblock cbc_iv = {0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10}; static const_des_cblock cbc_data[4] ={ "7654321 ", "Now is t", "he time ", "for " }; static unsigned char cbc_ok[32]={ 0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4, 0xac,0xd8,0xae,0xfd,0xdf,0xd8,0xa1,0xeb, 0x46,0x8e,0x91,0x15,0x78,0x88,0xba,0x68, 0x1d,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; #if 0 static unsigned char xcbc_ok[32]={ 0x86,0x74,0x81,0x0D,0x61,0xA4,0xA5,0x48, 0xB9,0x93,0x03,0xE1,0xB8,0xBB,0xBD,0xBD, 0x64,0x30,0x0B,0xB9,0x06,0x65,0x81,0x76, 0x04,0x1D,0x77,0x62,0x17,0xCA,0x2B,0xD2, }; #endif static unsigned char cbc3_ok[32]={ 0x3F,0xE3,0x01,0xC9,0x62,0xAC,0x01,0xD0, 0x22,0x13,0x76,0x3C,0x1C,0xBD,0x4C,0xDC, 0x79,0x96,0x57,0xC0,0x64,0xEC,0xF5,0xD4, 0x1C,0x67,0x38,0x12,0xCF,0xDE,0x96,0x75}; #if 0 static unsigned char pcbc_ok[32]={ 0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4, 0x6d,0xec,0xb4,0x70,0xa0,0xe5,0x6b,0x15, 0xae,0xa6,0xbf,0x61,0xed,0x7d,0x9c,0x9f, 0xf7,0x17,0x46,0x3b,0x8a,0xb3,0xcc,0x88}; #endif #if 0 static unsigned char cfb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; static unsigned char cfb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef}; static unsigned char cfb_buf1[40],cfb_buf2[40],cfb_tmp[8]; static unsigned char plain[24]= { 0x4e,0x6f,0x77,0x20,0x69,0x73, 0x20,0x74,0x68,0x65,0x20,0x74, 0x69,0x6d,0x65,0x20,0x66,0x6f, 0x72,0x20,0x61,0x6c,0x6c,0x20 }; static unsigned char cfb_cipher8[24]= { 0xf3,0x1f,0xda,0x07,0x01,0x14, 0x62,0xee,0x18,0x7f,0x43,0xd8, 0x0a,0x7c,0xd9,0xb5,0xb0,0xd2, 0x90,0xda,0x6e,0x5b,0x9a,0x87 }; static unsigned char cfb_cipher16[24]={ 0xF3,0x09,0x87,0x87,0x7F,0x57, 0xF7,0x3C,0x36,0xB6,0xDB,0x70, 0xD8,0xD5,0x34,0x19,0xD3,0x86, 0xB2,0x23,0xB7,0xB2,0xAD,0x1B }; static unsigned char cfb_cipher32[24]={ 0xF3,0x09,0x62,0x49,0xA4,0xDF, 0xA4,0x9F,0x33,0xDC,0x7B,0xAD, 0x4C,0xC8,0x9F,0x64,0xE4,0x53, 0xE5,0xEC,0x67,0x20,0xDA,0xB6 }; static unsigned char cfb_cipher48[24]={ 0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x30,0xB5,0x15,0xEC,0xBB,0x85, 0x97,0x5A,0x13,0x8C,0x68,0x60, 0xE2,0x38,0x34,0x3C,0xDC,0x1F }; static unsigned char cfb_cipher64[24]={ 0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x6E,0x51,0xA6,0x9E,0x83,0x9B, 0x1A,0x92,0xF7,0x84,0x03,0x46, 0x71,0x33,0x89,0x8E,0xA6,0x22 }; static unsigned char ofb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; static unsigned char ofb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef}; static unsigned char ofb_buf1[24],ofb_buf2[24],ofb_tmp[8]; static unsigned char ofb_cipher[24]= { 0xf3,0x09,0x62,0x49,0xc7,0xf4,0x6e,0x51, 0x35,0xf2,0x4a,0x24,0x2e,0xeb,0x3d,0x3f, 0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3 }; #endif DES_LONG cbc_cksum_ret=0xB462FEF7L; unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; #ifndef NOPROTO static char *pt(const unsigned char *p); #if 0 static int cfb_test(int bits, unsigned char *cfb_cipher); static int cfb64_test(unsigned char *cfb_cipher); static int ede_cfb64_test(unsigned char *cfb_cipher); #endif #else static char *pt(); static int cfb_test(); static int cfb64_test(); static int ede_cfb64_test(); #endif void test_main(void) { int i,j,err=0; des_cblock in, out, outin, iv3; des_key_schedule ks,ks2,ks3; des_cblock cbc_in[5]; des_cblock cbc_out[5]; DES_LONG cs; unsigned char cret[8]; #if 0 unsigned char qret[4][4]; DES_LONG lqret[4]; int num; char *str; #endif if (verbose) printf("Doing ecb\n"); for (i=0; i>4)&0xf]; ret[i*2+1]=f[p[i]&0xf]; } ret[16]='\0'; return(ret); } #ifndef LIBDES_LIT #if 0 static int cfb_test(bits, cfb_cipher) int bits; unsigned char *cfb_cipher; { des_key_schedule ks; int i,err=0; des_key_sched((C_Block *)cfb_key,ks); memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); des_cfb_encrypt(plain,cfb_buf1,bits,(long)sizeof(plain),ks, (C_Block *)cfb_tmp,DES_ENCRYPT); if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) { err=1; printf("cfb_encrypt encrypt error\n"); for (i=0; i<24; i+=8) printf("%s\n",pt(&(cfb_buf1[i]))); } memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); des_cfb_encrypt(cfb_buf1,cfb_buf2,bits,(long)sizeof(plain),ks, (C_Block *)cfb_tmp,DES_DECRYPT); if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) { err=1; printf("cfb_encrypt decrypt error\n"); for (i=0; i<24; i+=8) printf("%s\n",pt(&(cfb_buf1[i]))); } return(err); } static int cfb64_test(cfb_cipher) unsigned char *cfb_cipher; { des_key_schedule ks; int err=0,i,n; des_key_sched((C_Block *)cfb_key,ks); memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); n=0; des_cfb64_encrypt(plain,cfb_buf1,(long)12,ks, (C_Block *)cfb_tmp,&n,DES_ENCRYPT); des_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]), (long)sizeof(plain)-12,ks, (C_Block *)cfb_tmp,&n,DES_ENCRYPT); if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) { err=1; printf("cfb_encrypt encrypt error\n"); for (i=0; i<24; i+=8) printf("%s\n",pt(&(cfb_buf1[i]))); } memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); n=0; des_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks, (C_Block *)cfb_tmp,&n,DES_DECRYPT); des_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]), (long)sizeof(plain)-17,ks, (C_Block *)cfb_tmp,&n,DES_DECRYPT); if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) { err=1; printf("cfb_encrypt decrypt error\n"); for (i=0; i<24; i+=8) printf("%s\n",pt(&(cfb_buf2[i]))); } return(err); } static int ede_cfb64_test(cfb_cipher) unsigned char *cfb_cipher; { des_key_schedule ks; int err=0,i,n; des_key_sched((C_Block *)cfb_key,ks); memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); n=0; des_ede3_cfb64_encrypt(plain,cfb_buf1,(long)12,ks,ks,ks, (C_Block *)cfb_tmp,&n,DES_ENCRYPT); des_ede3_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]), (long)sizeof(plain)-12,ks,ks,ks, (C_Block *)cfb_tmp,&n,DES_ENCRYPT); if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) { err=1; printf("ede_cfb_encrypt encrypt error\n"); for (i=0; i<24; i+=8) printf("%s\n",pt(&(cfb_buf1[i]))); } memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); n=0; des_ede3_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks,ks,ks, (C_Block *)cfb_tmp,&n,DES_DECRYPT); des_ede3_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]), (long)sizeof(plain)-17,ks,ks,ks, (C_Block *)cfb_tmp,&n,DES_DECRYPT); if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) { err=1; printf("ede_cfb_encrypt decrypt error\n"); for (i=0; i<24; i+=8) printf("%s\n",pt(&(cfb_buf2[i]))); } return(err); } #endif #endif /* LIBDES_LIT */ nettle-3.4.1/testsuite/symbols-test0000755000175000017500000000257413401564746016504 0ustar nissenisse#! /bin/sh # Check that all exported symbols use the nettle prefix. if [ -z "$srcdir" ] ; then srcdir=`pwd` fi : ${NM:=nm} # * nm on aix seems to generate bogus output including random binary # data. Using -g is a workaround to get rid of that. But nm -g # doesn't work on Solaris-2.4, so try nm -g first, and plain nm if # -g isn't recognized. # # * gcc on x86 generates functions like __i686.get_pc_thunk.bx in pic # code. # * LLVM shipped with Xcode/CLT 10+ on macOS builds the symbol # ____chkstk_darwin into the majority of binaries/libraries, including # both the libraries checked here. ( $NM -g ../libnettle.a || $NM ../libnettle.a ) \ | grep ' [DRT] ' | egrep -v '( |^|\.)(\.?_?(_?nettle_)|get_pc_thunk|(_*chkstk_darwin))' \ | sort -k3 > test1.out if [ -s test1.out ] ; then echo Exported symbols in libnettle.a, lacking the nettle prefix: cat test1.out exit 1 fi if [ -s ../libhogweed.a ] ; then PATTERN='\.?_?_?nettle_|get_pc_thunk|(_*chkstk_darwin)' if grep '^#define.*NETTLE_USE_MINI_GMP.*1$' ../version.h >/dev/null ; then PATTERN="$PATTERN|_?(mp_|mpz_|mpn_)" fi ( $NM -g ../libhogweed.a || $NM ../libhogweed.a ) \ | grep ' [DRT] ' | egrep -v "( |^|\.)($PATTERN)" \ | sort -k3 > test1.out if [ -s test1.out ] ; then echo Exported symbols in libhogweed.a, lacking the nettle prefix: cat test1.out exit 1 fi fi exit 0 nettle-3.4.1/testsuite/md4-test.c0000644000175000017500000000247013401564746015711 0ustar nissenisse#include "testutils.h" #include "md4.h" void test_main(void) { /* Testcases from RFC 1320 */ test_hash(&nettle_md4, SDATA(""), SHEX("31d6cfe0d16ae931b73c59d7e0c089c0")); test_hash(&nettle_md4, SDATA("a"), SHEX("bde52cb31de33e46245e05fbdbd6fb24")); test_hash(&nettle_md4, SDATA("abc"), SHEX("a448017aaf21d8525fc10ae87aa6729d")); test_hash(&nettle_md4, SDATA("message digest"), SHEX("d9130a8164549fe818874806e1c7014b")); test_hash(&nettle_md4, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("d79e1c308aa5bbcdeea8ed63df412da9")); test_hash(&nettle_md4, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("043f8582f241db351ce627e153e7f0e4")); test_hash(&nettle_md4, SDATA("12345678901234567890123456789012345678901234567890" "123456789012345678901234567890"), SHEX("e33b4ddc9c38f2199c3e7b164fcc0536")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_md4, SDATA("38"), SHEX("ae9c7ebfb68ea795483d270f5934b71d")); test_hash(&nettle_md4, SDATA("abc"), SHEX("a448017aaf21d8525fc10ae87aa6729d")); test_hash(&nettle_md4, SDATA("message digest"), SHEX("d9130a8164549fe818874806e1c7014b")); test_hash(&nettle_md4, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("d79e1c308aa5bbcdeea8ed63df412da9")); } nettle-3.4.1/testsuite/gold-bug.txt0000644000175000017500000022531713401564746016354 0ustar nissenisseEdgar Allan Poe The Gold-Bug What ho! what ho! this fellow is dancing mad! He hath been bitten by the Tarantula. --All in the Wrong. Many years ago, I contracted an intimacy with a Mr. William Legrand. He was of an ancient Huguenot family, and had once been wealthy: but a series of misfortunes had reduced him to want. To avoid the mortification consequent upon his disasters, he left New Orleans, the city of his forefathers, and took up his residence at Sullivan's Island, near Charleston, South Carolina. This island is a very singular one. It consists of little else than the sea sand, and is about three miles long. Its breadth at no point exceeds a quarter of a mile. It is separated from the mainland by a scarcely perceptible creek, oozing its way through a wilderness of reeds and slime, a favorite resort of the marsh hen. The vegetation, as might be supposed, is scant, or at least dwarfish. No trees of any magnitude are to be seen. Near the western extremity, where Fort Moultrie stands, and where are some miserable frame buildings, tenanted, during summer, by the fugitives from Charleston dust and fever, may be found, indeed, the bristly palmetto; but the whole island, with the exception of this western point, and a line of hard, white beach on the seacoast, is covered with a dense undergrowth of the sweet myrtle so much prized by the horticulturists of England. The shrub here often attains the height of fifteen or twenty feet, and forms an almost impenetrable coppice, burdening the air with its fragrance. In the inmost recesses of this coppice, not far from the eastern or more remote end of the island, Legrand had built himself a small hut, which he occupied when I first, by mere accident, made his acquaintance. This soon ripened into friendship--for there was much in the recluse to excite interest and esteem. I found him well educated, with unusual powers of mind, but infected with misanthropy, and subject to perverse moods of alternate enthusiasm and melancholy. He had with him many books, but rarely employed them. His chief amusements were gunning and fishing, or sauntering along the beach and through the myrtles, in quest of shells or entomological specimens--his collection of the latter might have been envied by a Swammerdamm. In these excursions he was usually accompanied by an old negro, called Jupiter, who had been manumitted before the reverses of the family, but who could be induced, neither by threats nor by promises, to abandon what he considered his right of attendance upon the footsteps of his young "Massa Will." It is not improbable that the relatives of Legrand, conceiving him to be somewhat unsettled in intellect, had contrived to instill this obstinacy into Jupiter, with a view to the supervision and guardianship of the wanderer. The winters in the latitude of Sullivan's Island are seldom very severe, and in the fall of the year it is a rare event indeed when a fire is considered necessary. About the middle of October, 18--, there occurred, however, a day of remarkable chilliness. Just before sunset I scrambled my way through the evergreens to the hut of my friend, whom I had not visited for several weeks--my residence being, at that time, in Charleston, a distance of nine miles from the island, while the facilities of passage and repassage were very far behind those of the present day. Upon reaching the hut I rapped, as was my custom, and getting no reply, sought for the key where I knew it was secreted, unlocked the door, and went in. A fine fire was blazing upon the hearth. It was a novelty, and by no means an ungrateful one. I threw off an overcoat, took an armchair by the crackling logs, and awaited patiently the arrival of my hosts. Soon after dark they arrived, and gave me a most cordial welcome. Jupiter, grinning from ear to ear, bustled about to prepare some marsh hens for supper. Legrand was in one of his fits--how else shall I term them?--of enthusiasm. He had found an unknown bivalve, forming a new genus, and, more than this, he had hunted down and secured, with Jupiter's assistance, a scarabaeus which he believed to be totally new, but in respect to which he wished to have my opinion on the morrow. "And why not to-night?" I asked, rubbing my hands over the blaze, and wishing the whole tribe of scarabaei at the devil. "Ah, if I had only known you were here!" said Legrand, "but it's so long since I saw you; and how could I foresee that you would pay me a visit this very night of all others? As I was coming home I met Lieutenant G----, from the fort, and, very foolishly, I lent him the bug; so it will be impossible for you to see it until the morning. Stay here to-night, and I will send Jup down for it at sunrise. It is the loveliest thing in creation!" "What?--sunrise?" "Nonsense! no!--the bug. It is of a brilliant gold color--about the size of a large hickory nut--with two jet black spots near one extremity of the back, and another, somewhat longer, at the other. The antennae are--" "Dey ain't NO tin in him, Massa Will, I keep a tellin' on you," here interrupted Jupiter; "de bug is a goole-bug, solid, ebery bit of him, inside and all, sep him wing--neber feel half so hebby a bug in my life." "Well, suppose it is, Jup," replied Legrand, somewhat more earnestly, it seemed to me, than the case demanded; "is that any reason for your letting the birds burn? The color"--here he turned to me--"is really almost enough to warrant Jupiter's idea. You never saw a more brilliant metallic luster than the scales emit-- but of this you cannot judge till to-morrow. In the meantime I can give you some idea of the shape." Saying this, he seated himself at a small table, on which were a pen and ink, but no paper. He looked for some in a drawer, but found none. "Never mind," he said at length, "this will answer;" and he drew from his waistcoat pocket a scrap of what I took to be very dirty foolscap, and made upon it a rough drawing with the pen. While he did this, I retained my seat by the fire, for I was still chilly. When the design was complete, he handed it to me without rising. As I received it, a loud growl was heard, succeeded by a scratching at the door. Jupiter opened it, and a large Newfoundland, belonging to Legrand, rushed in, leaped upon my shoulders, and loaded me with caresses; for I had shown him much attention during previous visits. When his gambols were over, I looked at the paper, and, to speak the truth, found myself not a little puzzled at what my friend had depicted. "Well!" I said, after contemplating it for some minutes, "this IS a strange scarabaeus, I must confess; new to me; never saw anything like it before--unless it was a skull, or a death's head, which it more nearly resembles than anything else that has come under MY observation." "A death's head!" echoed Legrand. "Oh--yes--well, it has something of that appearance upon paper, no doubt. The two upper black spots look like eyes, eh? and the longer one at the bottom like a mouth-- and then the shape of the whole is oval." "Perhaps so," said I; "but, Legrand, I fear you are no artist. I must wait until I see the beetle itself, if I am to form any idea of its personal appearance." "Well, I don't know," said he, a little nettled, "I draw tolerably-- SHOULD do it at least--have had good masters, and flatter myself that I am not quite a blockhead." "But, my dear fellow, you are joking then," said I, "this is a very passable SKULL--indeed, I may say that it is a very EXCELLENT skull, according to the vulgar notions about such specimens of physiology--and your scarabaeus must be the queerest scarabaeus in the world if it resembles it. Why, we may get up a very thrilling bit of superstition upon this hint. I presume you will call the bug Scarabaeus caput hominis, or something of that kind--there are many similar titles in the Natural Histories. But where are the antennae you spoke of?" "The antennae!" said Legrand, who seemed to be getting unaccountably warm upon the subject; "I am sure you must see the antennae. I made them as distinct as they are in the original insect, and I presume that is sufficient." "Well, well," I said, "perhaps you have--still I don't see them;" and I handed him the paper without additional remark, not wishing to ruffle his temper; but I was much surprised at the turn affairs had taken; his ill humor puzzled me--and, as for the drawing of the beetle, there were positively NO antennae visible, and the whole DID bear a very close resemblance to the ordinary cuts of a death's head. He received the paper very peevishly, and was about to crumple it, apparently to throw it in the fire, when a casual glance at the design seemed suddenly to rivet his attention. In an instant his face grew violently red--in another excessively pale. For some minutes he continued to scrutinize the drawing minutely where he sat. At length he arose, took a candle from the table, and proceeded to seat himself upon a sea chest in the farthest corner of the room. Here again he made an anxious examination of the paper, turning it in all directions. He said nothing, however, and his conduct greatly astonished me; yet I thought it prudent not to exacerbate the growing moodiness of his temper by any comment. Presently he took from his coat pocket a wallet, placed the paper carefully in it, and deposited both in a writing desk, which he locked. He now grew more composed in his demeanor; but his original air of enthusiasm had quite disappeared. Yet he seemed not so much sulky as abstracted. As the evening wore away he became more and more absorbed in reverie, from which no sallies of mine could arouse him. It had been my intention to pass the night at the hut, as I had frequently done before, but, seeing my host in this mood, I deemed it proper to take leave. He did not press me to remain, but, as I departed, he shook my hand with even more than his usual cordiality. It was about a month after this (and during the interval I had seen nothing of Legrand) when I received a visit, at Charleston, from his man, Jupiter. I had never seen the good old negro look so dispirited, and I feared that some serious disaster had befallen my friend. "Well, Jup," said I, "what is the matter now?--how is your master?" "Why, to speak the troof, massa, him not so berry well as mought be." "Not well! I am truly sorry to hear it. What does he complain of?" "Dar! dot's it!--him neber 'plain of notin'--but him berry sick for all dat." "VERY sick, Jupiter!--why didn't you say so at once? Is he confined to bed?" "No, dat he aint!--he aint 'fin'd nowhar--dat's just whar de shoe pinch--my mind is got to be berry hebby 'bout poor Massa Will." "Jupiter, I should like to understand what it is you are talking about. You say your master is sick. Hasn't he told you what ails him?" "Why, massa, 'taint worf while for to git mad about de matter-- Massa Will say noffin at all aint de matter wid him--but den what make him go about looking dis here way, wid he head down and he soldiers up, and as white as a goose? And den he keep a syphon all de time--" "Keeps a what, Jupiter?" "Keeps a syphon wid de figgurs on de slate--de queerest figgurs I ebber did see. Ise gittin' to be skeered, I tell you. Hab for to keep mighty tight eye 'pon him 'noovers. Todder day he gib me slip 'fore de sun up and was gone de whole ob de blessed day. I had a big stick ready cut for to gib him deuced good beating when he did come--but Ise sich a fool dat I hadn't de heart arter all--he looked so berry poorly." "Eh?--what?--ah yes!--upon the whole I think you had better not be too severe with the poor fellow--don't flog him, Jupiter--he can't very well stand it--but can you form no idea of what has occasioned this illness, or rather this change of conduct? Has anything unpleasant happened since I saw you?" "No, massa, dey aint bin noffin onpleasant SINCE den--'twas 'FORE den I'm feared--'twas de berry day you was dare." "How? what do you mean." "Why, massa, I mean de bug--dare now." "The what?" "De bug--I'm berry sartin dat Massa Will bin bit somewhere 'bout de head by dat goole-bug." "And what cause have you, Jupiter, for such a supposition?" "Claws enuff, massa, and mouff, too. I nebber did see sich a deuced bug--he kick and he bite eberyting what cum near him. Massa Will cotch him fuss, but had for to let him go 'gin mighty quick, I tell you--den was de time he must ha' got de bite. I didn't like de look ob de bug mouff, myself, nohow, so I wouldn't take hold oh him wid my finger, but I cotch him wid a piece oh paper dat I found. I rap him up in de paper and stuff a piece of it in he mouff--dat was de way." "And you think, then, that your master was really bitten by the beetle, and that the bite made him sick?" "I don't think noffin about it--I nose it. What make him dream 'bout de goole so much, if 'taint cause he bit by the goole-bug? Ise heered 'bout dem goole-bugs 'fore dis." "But how do you know he dreams about gold?" "How I know? why, 'cause he talk about it in he sleep--dat's how I nose." "Well, Jup, perhaps you are right; but to what fortunate circumstance am I to attribute the honor of a visit from you to- day?" "What de matter, massa?" "Did you bring any message from Mr. Legrand?" "No, massa, I bring dis here pissel;" and here Jupiter handed me a note which ran thus: "MY DEAR ---- "Why have I not seen you for so long a time? I hope you have not been so foolish as to take offense at any little brusquerie of mine; but no, that is improbable. "Since I saw you I have had great cause for anxiety. I have something to tell you, yet scarcely know how to tell it, or whether I should tell it at all. "I have not been quite well for some days past, and poor old Jup annoys me, almost beyond endurance, by his well-meant attentions. Would you believe it?--he had prepared a huge stick, the other day, with which to chastise me for giving him the slip, and spending the day, solus, among the hills on the mainland. I verily believe that my ill looks alone saved me a flogging. "I have made no addition to my cabinet since we met. "If you can, in any way, make it convenient, come over with Jupiter. DO come. I wish to see you TO-NIGHT, upon business of importance. I assure you that it is of the HIGHEST importance. "Ever yours, "WILLIAM LEGRAND." There was something in the tone of this note which gave me great uneasiness. Its whole style differed materially from that of Legrand. What could he be dreaming of? What new crotchet possessed his excitable brain? What "business of the highest importance" could HE possibly have to transact? Jupiter's account of him boded no good. I dreaded lest the continued pressure of misfortune had, at length, fairly unsettled the reason of my friend. Without a moment's hesitation, therefore, I prepared to accompany the negro. Upon reaching the wharf, I noticed a scythe and three spades, all apparently new, lying in the bottom of the boat in which we were to embark. "What is the meaning of all this, Jup?" I inquired. "Him syfe, massa, and spade." "Very true; but what are they doing here?" "Him de syfe and de spade what Massa Will sis 'pon my buying for him in de town, and de debbil's own lot of money I had to gib for em." "But what, in the name of all that is mysterious, is your 'Massa Will' going to do with scythes and spades?" "Dat's more dan I know, and debbil take me if I don't b'lieve 'tis more dan he know too. But it's all cum ob de bug." Finding that no satisfaction was to be obtained of Jupiter, whose whole intellect seemed to be absorbed by "de bug," I now stepped into the boat, and made sail. With a fair and strong breeze we soon ran into the little cove to the northward of Fort Moultrie, and a walk of some two miles brought us to the hut. It was about three in the afternoon when we arrived. Legrand had been awaiting us in eager expectation. He grasped my hand with a nervous empressement which alarmed me and strengthened the suspicions already entertained. His countenance was pale even to ghastliness, and his deep-set eyes glared with unnatural luster. After some inquiries respecting his health, I asked him, not knowing what better to say, if he had yet obtained the scarabaeus from Lieutenant G----. "Oh, yes," he replied, coloring violently, "I got it from him the next morning. Nothing should tempt me to part with that scarabaeus. Do you know that Jupiter is quite right about it?" "In what way?" I asked, with a sad foreboding at heart. "In supposing it to be a bug of REAL GOLD." He said this with an air of profound seriousness, and I felt inexpressibly shocked. "This bug is to make my fortune," he continued, with a triumphant smile; "to reinstate me in my family possessions. Is it any wonder, then, that I prize it? Since Fortune has thought fit to bestow it upon me, I have only to use it properly, and I shall arrive at the gold of which it is the index. Jupiter, bring me that scarabaeus!" "What! de bug, massa? I'd rudder not go fer trubble dat bug; you mus' git him for your own self." Hereupon Legrand arose, with a grave and stately air, and brought me the beetle from a glass case in which it was enclosed. It was a beautiful scarabaeus, and, at that time, unknown to naturalists--of course a great prize in a scientific point of view. There were two round black spots near one extremity of the back, and a long one near the other. The scales were exceedingly hard and glossy, with all the appearance of burnished gold. The weight of the insect was very remarkable, and, taking all things into consideration, I could hardly blame Jupiter for his opinion respecting it; but what to make of Legrand's concordance with that opinion, I could not, for the life of me, tell. "I sent for you," said he, in a grandiloquent tone, when I had completed my examination of the beetle, "I sent for you that I might have your counsel and assistance in furthering the views of Fate and of the bug--" "My dear Legrand," I cried, interrupting him, "you are certainly unwell, and had better use some little precautions. You shall go to bed, and I will remain with you a few days, until you get over this. You are feverish and--" "Feel my pulse," said he. I felt it, and, to say the truth, found not the slightest indication of fever. "But you may be ill and yet have no fever. Allow me this once to prescribe for you. In the first place go to bed. In the next--" "You are mistaken," he interposed, "I am as well as I can expect to be under the excitement which I suffer. If you really wish me well, you will relieve this excitement." "And how is this to be done?" "Very easily. Jupiter and myself are going upon an expedition into the hills, upon the mainland, and, in this expedition, we shall need the aid of some person in whom we can confide. You are the only one we can trust. Whether we succeed or fail, the excitement which you now perceive in me will be equally allayed." "I am anxious to oblige you in any way," I replied; "but do you mean to say that this infernal beetle has any connection with your expedition into the hills?" "It has." "Then, Legrand, I can become a party to no such absurd proceeding." "I am sorry--very sorry--for we shall have to try it by ourselves." "Try it by yourselves! The man is surely mad!--but stay!--how long do you propose to be absent?" "Probably all night. We shall start immediately, and be back, at all events, by sunrise." "And will you promise me, upon your honor, that when this freak of yours is over, and the bug business (good God!) settled to your satisfaction, you will then return home and follow my advice implicitly, as that of your physician?" "Yes; I promise; and now let us be off, for we have no time to lose." With a heavy heart I accompanied my friend. We started about four o'clock--Legrand, Jupiter, the dog, and myself. Jupiter had with him the scythe and spades--the whole of which he insisted upon carrying--more through fear, it seemed to me, of trusting either of the implements within reach of his master, than from any excess of industry or complaisance. His demeanor was dogged in the extreme, and "dat deuced bug" were the sole words which escaped his lips during the journey. For my own part, I had charge of a couple of dark lanterns, while Legrand contented himself with the scarabaeus, which he carried attached to the end of a bit of whipcord; twirling it to and fro, with the air of a conjurer, as he went. When I observed this last, plain evidence of my friend's aberration of mind, I could scarcely refrain from tears. I thought it best, however, to humor his fancy, at least for the present, or until I could adopt some more energetic measures with a chance of success. In the meantime I endeavored, but all in vain, to sound him in regard to the object of the expedition. Having succeeded in inducing me to accompany him, he seemed unwilling to hold conversation upon any topic of minor importance, and to all my questions vouchsafed no other reply than "we shall see!" We crossed the creek at the head of the island by means of a skiff, and, ascending the high grounds on the shore of the mainland, proceeded in a northwesterly direction, through a tract of country excessively wild and desolate, where no trace of a human footstep was to be seen. Legrand led the way with decision; pausing only for an instant, here and there, to consult what appeared to be certain landmarks of his own contrivance upon a former occasion. In this manner we journeyed for about two hours, and the sun was just setting when we entered a region infinitely more dreary than any yet seen. It was a species of table-land, near the summit of an almost inaccessible hill, densely wooded from base to pinnacle, and interspersed with huge crags that appeared to lie loosely upon the soil, and in many cases were prevented from precipitating themselves into the valleys below, merely by the support of the trees against which they reclined. Deep ravines, in various directions, gave an air of still sterner solemnity to the scene. The natural platform to which we had clambered was thickly overgrown with brambles, through which we soon discovered that it would have been impossible to force our way but for the scythe; and Jupiter, by direction of his master, proceeded to clear for us a path to the foot of an enormously tall tulip tree, which stood, with some eight or ten oaks, upon the level, and far surpassed them all, and all other trees which I had then ever seen, in the beauty of its foliage and form, in the wide spread of its branches, and in the general majesty of its appearance. When we reached this tree, Legrand turned to Jupiter, and asked him if he thought he could climb it. The old man seemed a little staggered by the question, and for some moments made no reply. At length he approached the huge trunk, walked slowly around it, and examined it with minute attention. When he had completed his scrutiny, he merely said: "Yes, massa, Jup climb any tree he ebber see in he life." "Then up with you as soon as possible, for it will soon be too dark to see what we are about." "How far mus' go up, massa?" inquired Jupiter. "Get up the main trunk first, and then I will tell you which way to go--and here--stop! take this beetle with you." "De bug, Massa Will!--de goole-bug!" cried the negro, drawing back in dismay--"what for mus' tote de bug way up de tree?--d--n if I do!" "If you are afraid, Jup, a great big negro like you, to take hold of a harmless little dead beetle, why you can carry it up by this string--but, if you do not take it up with you in some way, I shall be under the necessity of breaking your head with this shovel." "What de matter now, massa?" said Jup, evidently shamed into compliance; "always want for to raise fuss wid old nigger. Was only funnin anyhow. ME feered de bug! what I keer for de bug?" Here he took cautiously hold of the extreme end of the string, and, maintaining the insect as far from his person as circumstances would permit, prepared to ascend the tree. In youth, the tulip tree, or Liriodendron tulipiferum, the most magnificent of American foresters, has a trunk peculiarly smooth, and often rises to a great height without lateral branches; but, in its riper age, the bark becomes gnarled and uneven, while many short limbs make their appearance on the stem. Thus the difficulty of ascension, in the present case, lay more in semblance than in reality. Embracing the huge cylinder, as closely as possible, with his arms and knees, seizing with his hands some projections, and resting his naked toes upon others, Jupiter, after one or two narrow escapes from falling, at length wriggled himself into the first great fork, and seemed to consider the whole business as virtually accomplished. The RISK of the achievement was, in fact, now over, although the climber was some sixty or seventy feet from the ground. "Which way mus' go now, Massa Will?" he asked. "Keep up the largest branch--the one on this side," said Legrand. The negro obeyed him promptly, and apparently with but little trouble; ascending higher and higher, until no glimpse of his squat figure could be obtained through the dense foliage which enveloped it. Presently his voice was heard in a sort of halloo. "How much fudder is got to go?" "How high up are you?" asked Legrand. "Ebber so fur," replied the negro; "can see de sky fru de top oh de tree." "Never mind the sky, but attend to what I say. Look down the trunk and count the limbs below you on this side. How many limbs have you passed?" "One, two, tree, four, fibe--I done pass fibe big limb, massa, 'pon dis side." "Then go one limb higher." In a few minutes the voice was heard again, announcing that the seventh limb was attained. "Now, Jup," cried Legrand, evidently much excited, "I want you to work your way out upon that limb as far as you can. If you see anything strange let me know." By this time what little doubt I might have entertained of my poor friend's insanity was put finally at rest. I had no alternative but to conclude him stricken with lunacy, and I became seriously anxious about getting him home. While I was pondering upon what was best to be done, Jupiter's voice was again heard. "Mos feered for to ventur pon dis limb berry far--'tis dead limb putty much all de way." "Did you say it was a DEAD limb, Jupiter?" cried Legrand in a quavering voice. "Yes, massa, him dead as de door-nail--done up for sartin--done departed dis here life." "What in the name of heaven shall I do?" asked Legrand, seemingly in the greatest distress. "Do!" said I, glad of an opportunity to interpose a word, "why come home and go to bed. Come now!--that's a fine fellow. It's getting late, and, besides, you remember your promise." "Jupiter," cried he, without heeding me in the least, "do you hear me?" "Yes, Massa Will, hear you ebber so plain." "Try the wood well, then, with your knife, and see if you think it VERY rotten." "Him rotten, massa, sure nuff," replied the negro in a few moments, "but not so berry rotten as mought be. Mought venture out leetle way pon de limb by myself, dat's true." "By yourself!--what do you mean?" "Why, I mean de bug. 'Tis BERRY hebby bug. Spose I drop him down fuss, an den de limb won't break wid just de weight of one nigger." "You infernal scoundrel!" cried Legrand, apparently much relieved, "what do you mean by telling me such nonsense as that? As sure as you drop that beetle I'll break your neck. Look here, Jupiter, do you hear me?" "Yes, massa, needn't hollo at poor nigger dat style." "Well! now listen!--if you will venture out on the limb as far as you think safe, and not let go the beetle, I'll make you a present of a silver dollar as soon as you get down." "I'm gwine, Massa Will--deed I is," replied the negro very promptly--"mos out to the eend now." "OUT TO THE END!" here fairly screamed Legrand; "do you say you are out to the end of that limb?" "Soon be to de eend, massa--o-o-o-o-oh! Lor-gol-a-marcy! what IS dis here pon de tree?" "Well!" cried Legrand, highly delighted, "what is it?" "Why 'taint noffin but a skull--somebody bin lef him head up de tree, and de crows done gobble ebery bit ob de meat off." "A skull, you say!--very well,--how is it fastened to the limb?-- what holds it on?" "Sure nuff, massa; mus look. Why dis berry curious sarcumstance, pon my word--dare's a great big nail in de skull, what fastens ob it on to de tree." "Well now, Jupiter, do exactly as I tell you--do you hear?" "Yes, massa." "Pay attention, then--find the left eye of the skull." "Hum! hoo! dat's good! why dey ain't no eye lef at all." "Curse your stupidity! do you know your right hand from your left?" "Yes, I knows dat--knows all about dat--'tis my lef hand what I chops de wood wid." "To be sure! you are left-handed; and your left eye is on the same side as your left hand. Now, I suppose, you can find the left eye of the skull, or the place where the left eye has been. Have you found it?" Here was a long pause. At length the negro asked: "Is de lef eye of de skull pon de same side as de lef hand of de skull too?--cause de skull aint got not a bit oh a hand at all-- nebber mind! I got de lef eye now--here de lef eye! what mus do wid it?" Let the beetle drop through it, as far as the string will reach-- but be careful and not let go your hold of the string." "All dat done, Massa Will; mighty easy ting for to put de bug fru de hole--look out for him dare below!" During this colloquy no portion of Jupiter's person could be seen; but the beetle, which he had suffered to descend, was now visible at the end of the string, and glistened, like a globe of burnished gold, in the last rays of the setting sun, some of which still faintly illumined the eminence upon which we stood. The scarabaeus hung quite clear of any branches, and, if allowed to fall, would have fallen at our feet. Legrand immediately took the scythe, and cleared with it a circular space, three or four yards in diameter, just beneath the insect, and, having accomplished this, ordered Jupiter to let go the string and come down from the tree. Driving a peg, with great nicety, into the ground, at the precise spot where the beetle fell, my friend now produced from his pocket a tape measure. Fastening one end of this at that point of the trunk of the tree which was nearest the peg, he unrolled it till it reached the peg and thence further unrolled it, in the direction already established by the two points of the tree and the peg, for the distance of fifty feet--Jupiter clearing away the brambles with the scythe. At the spot thus attained a second peg was driven, and about this, as a center, a rude circle, about four feet in diameter, described. Taking now a spade himself, and giving one to Jupiter and one to me, Legrand begged us to set about digging as quickly as possible. To speak the truth, I had no especial relish for such amusement at any time, and, at that particular moment, would willingly have declined it; for the night was coming on, and I felt much fatigued with the exercise already taken; but I saw no mode of escape, and was fearful of disturbing my poor friend's equanimity by a refusal. Could I have depended, indeed, upon Jupiter's aid, I would have had no hesitation in attempting to get the lunatic home by force; but I was too well assured of the old negro's disposition, to hope that he would assist me, under any circumstances, in a personal contest with his master. I made no doubt that the latter had been infected with some of the innumerable Southern superstitions about money buried, and that his fantasy had received confirmation by the finding of the scarabaeus, or, perhaps, by Jupiter's obstinacy in maintaining it to be "a bug of real gold." A mind disposed to lunacy would readily be led away by such suggestions--especially if chiming in with favorite preconceived ideas--and then I called to mind the poor fellow's speech about the beetle's being "the index of his fortune." Upon the whole, I was sadly vexed and puzzled, but, at length, I concluded to make a virtue of necessity--to dig with a good will, and thus the sooner to convince the visionary, by ocular demonstration, of the fallacy of the opinion he entertained. The lanterns having been lit, we all fell to work with a zeal worthy a more rational cause; and, as the glare fell upon our persons and implements, I could not help thinking how picturesque a group we composed, and how strange and suspicious our labors must have appeared to any interloper who, by chance, might have stumbled upon our whereabouts. We dug very steadily for two hours. Little was said; and our chief embarrassment lay in the yelpings of the dog, who took exceeding interest in our proceedings. He, at length, became so obstreperous that we grew fearful of his giving the alarm to some stragglers in the vicinity,--or, rather, this was the apprehension of Legrand;-- for myself, I should have rejoiced at any interruption which might have enabled me to get the wanderer home. The noise was, at length, very effectually silenced by Jupiter, who, getting out of the hole with a dogged air of deliberation, tied the brute's mouth up with one of his suspenders, and then returned, with a grave chuckle, to his task. When the time mentioned had expired, we had reached a depth of five feet, and yet no signs of any treasure became manifest. A general pause ensued, and I began to hope that the farce was at an end. Legrand, however, although evidently much disconcerted, wiped his brow thoughtfully and recommenced. We had excavated the entire circle of four feet diameter, and now we slightly enlarged the limit, and went to the farther depth of two feet. Still nothing appeared. The gold-seeker, whom I sincerely pitied, at length clambered from the pit, with the bitterest disappointment imprinted upon every feature, and proceeded, slowly and reluctantly, to put on his coat, which he had thrown off at the beginning of his labor. In the meantime I made no remark. Jupiter, at a signal from his master, began to gather up his tools. This done, and the dog having been unmuzzled, we turned in profound silence toward home. We had taken, perhaps, a dozen steps in this direction, when, with a loud oath, Legrand strode up to Jupiter, and seized him by the collar. The astonished negro opened his eyes and mouth to the fullest extent, let fall the spades, and fell upon his knees. "You scoundrel!" said Legrand, hissing out the syllables from between his clenched teeth--"you infernal black villain!--speak, I tell you!--answer me this instant, without prevarication!--which-- which is your left eye?" "Oh, my golly, Massa Will! aint dis here my lef eye for sartain?" roared the terrified Jupiter, placing his hand upon his RIGHT organ of vision, and holding it there with a desperate pertinacity, as if in immediate, dread of his master's attempt at a gouge. "I thought so!--I knew it! hurrah!" vociferated Legrand, letting the negro go and executing a series of curvets and caracols, much to the astonishment of his valet, who, arising from his knees, looked, mutely, from his master to myself, and then from myself to his master. "Come! we must go back," said the latter, "the game's not up yet;" and he again led the way to the tulip tree. "Jupiter," said he, when we reached its foot, "come here! was the skull nailed to the limb with the face outward, or with the face to the limb?" "De face was out, massa, so dat de crows could get at de eyes good, widout any trouble." "Well, then, was it this eye or that through which you dropped the beetle?" here Legrand touched each of Jupiter's eyes. "'Twas dis eye, massa--de lef eye--jis as you tell me," and here it was his right eye that the negro indicated. "That will do--we must try it again." Here my friend, about whose madness I now saw, or fancied that I saw, certain indications of method, removed the peg which marked the spot where the beetle fell, to a spot about three inches to the westward of its former position. Taking, now, the tape measure from the nearest point of the trunk to the peg, as before, and continuing the extension in a straight line to the distance of fifty feet, a spot was indicated, removed, by several yards, from the point at which we had been digging. Around the new position a circle, somewhat larger than in the former instance, was now described, and we again set to work with the spade. I was dreadfully weary, but, scarcely understanding what had occasioned the change in my thoughts, I felt no longer any great aversion from the labor imposed. I had become most unaccountably interested--nay, even excited. Perhaps there was something, amid all the extravagant demeanor of Legrand--some air of forethought, or of deliberation, which impressed me. I dug eagerly, and now and then caught myself actually looking, with something that very much resembled expectation, for the fancied treasure, the vision of which had demented my unfortunate companion. At a period when such vagaries of thought most fully possessed me, and when we had been at work perhaps an hour and a half, we were again interrupted by the violent howlings of the dog. His uneasiness, in the first instance, had been, evidently, but the result of playfulness or caprice, but he now assumed a bitter and serious tone. Upon Jupiter's again attempting to muzzle him, he made furious resistance, and, leaping into the hole, tore up the mold frantically with his claws. In a few seconds he had uncovered a mass of human bones, forming two complete skeletons, intermingled with several buttons of metal, and what appeared to be the dust of decayed woolen. One or two strokes of a spade upturned the blade of a large Spanish knife, and, as we dug farther, three or four loose pieces of gold and silver coin came to light. At sight of these the joy of Jupiter could scarcely be restrained, but the countenance of his master wore an air of extreme disappointment. He urged us, however, to continue our exertions, and the words were hardly uttered when I stumbled and fell forward, having caught the toe of my boot in a large ring of iron that lay half buried in the loose earth. We now worked in earnest, and never did I pass ten minutes of more intense excitement. During this interval we had fairly unearthed an oblong chest of wood, which, from its perfect preservation and wonderful hardness, had plainly been subjected to some mineralizing process--perhaps that of the bichloride of mercury. This box was three feet and a half long, three feet broad, and two and a half feet deep. It was firmly secured by bands of wrought iron, riveted, and forming a kind of open trelliswork over the whole. On each side of the chest, near the top, were three rings of iron--six in all--by means of which a firm hold could be obtained by six persons. Our utmost united endeavors served only to disturb the coffer very slightly in its bed. We at once saw the impossibility of removing so great a weight. Luckily, the sole fastenings of the lid consisted of two sliding bolts. These we drew back--trembling and panting with anxiety. In an instant, a treasure of incalculable value lay gleaming before us. As the rays of the lanterns fell within the pit, there flashed upward a glow and a glare, from a confused heap of gold and of jewels, that absolutely dazzled our eyes. I shall not pretend to describe the feelings with which I gazed. Amazement was, of course, predominant. Legrand appeared exhausted with excitement, and spoke very few words. Jupiter's countenance wore, for some minutes, as deadly a pallor as it is possible, in the nature of things, for any negro's visage to assume. He seemed stupefied--thunderstricken. Presently he fell upon his knees in the pit, and burying his naked arms up to the elbows in gold, let them there remain, as if enjoying the luxury of a bath. At length, with a deep sigh, he exclaimed, as if in a soliloquy: "And dis all cum of de goole-bug! de putty goole-bug! de poor little goole-bug, what I boosed in that sabage kind oh style! Ain't you shamed oh yourself, nigger?--answer me dat!" It became necessary, at last, that I should arouse both master and valet to the expediency of removing the treasure. It was growing late, and it behooved us to make exertion, that we might get everything housed before daylight. It was difficult to say what should he done, and much time was spent in deliberation--so confused were the ideas of all. We, finally, lightened the box by removing two thirds of its contents, when we were enabled, with some trouble, to raise it from the hole. The articles taken out were deposited among the brambles, and the dog left to guard them, with strict orders from Jupiter neither, upon any pretense, to stir from the spot, nor to open his mouth until our return. We then hurriedly made for home with the chest; reaching the hut in safety, but after excessive toil, at one o'clock in the morning. Worn out as we were, it was not in human nature to do more immediately. We rested until two, and had supper; starting for the hills immediately afterwards, armed with three stout sacks, which, by good luck, were upon the premises. A little before four we arrived at the pit, divided the remainder of the booty, as equally as might be, among us, and, leaving the holes unfilled, again set out for the hut, at which, for the second time, we deposited our golden burdens, just as the first faint streaks of the dawn gleamed from over the treetops in the east. We were now thoroughly broken down; but the intense excitement of the time denied us repose. After an unquiet slumber of some three or four hours' duration, we arose, as if by preconcert, to make examination of our treasure. The chest had been full to the brim, and we spent the whole day, and the greater part of the next night, in a scrutiny of its contents. There had been nothing like order or arrangement. Everything had been heaped in promiscuously. Having assorted all with care, we found ourselves possessed of even vaster wealth than we had at first supposed. In coin there was rather more than four hundred and fifty thousand dollars--estimating the value of the pieces, as accurately as we could, by the tables of the period. There was not a particle of silver. All was gold of antique date and of great variety--French, Spanish, and German money, with a few English guineas, and some counters, of which we had never seen specimens before. There were several very large and heavy coins, so worn that we could make nothing of their inscriptions. There was no American money. The value of the jewels we found more difficulty in estimating. There were diamonds--some of them exceedingly large and fine--a hundred and ten in all, and not one of them small; eighteen rubies of remarkable brilliancy;--three hundred and ten emeralds, all very beautiful; and twenty-one sapphires, with an opal. These stones had all been broken from their settings and thrown loose in the chest. The settings themselves, which we picked out from among the other gold, appeared to have been beaten up with hammers, as if to prevent identification. Besides all this, there was a vast quantity of solid gold ornaments; nearly two hundred massive finger and ears rings; rich chains--thirty of these, if I remember; eighty-three very large and heavy crucifixes; five gold censers of great value; a prodigious golden punch bowl, ornamented with richly chased vine leaves and Bacchanalian figures; with two sword handles exquisitely embossed, and many other smaller articles which I cannot recollect. The weight of these valuables exceeded three hundred and fifty pounds avoirdupois; and in this estimate I have not included one hundred and ninety-seven superb gold watches; three of the number being worth each five hundred dollars, if one. Many of them were very old, and as timekeepers valueless; the works having suffered, more or less, from corrosion--but all were richly jeweled and in cases of great worth. We estimated the entire contents of the chest, that night, at a million and a half of dollars; and upon the subsequent disposal of the trinkets and jewels (a few being retained for our own use), it was found that we had greatly undervalued the treasure. When, at length, we had concluded our examination, and the intense excitement of the time had, in some measure, subsided, Legrand, who saw that I was dying with impatience for a solution of this most extraordinary riddle, entered into a full detail of all the circumstances connected with it. "You remember," said he, "the night when I handed you the rough sketch I had made of the scarabaeus. You recollect, also, that I became quite vexed at you for insisting that my drawing resembled a death's head. When you first made this assertion I thought you were jesting; but afterwards I called to mind the peculiar spots on the back of the insect, and admitted to myself that your remark had some little foundation in fact. Still, the sneer at my graphic powers irritated me--for I am considered a good artist--and, therefore, when you handed me the scrap of parchment, I was about to crumple it up and throw it angrily into the fire." "The scrap of paper, you mean," said I. "No; it had much of the appearance of paper, and at first I supposed it to be such, but when I came to draw upon it, I discovered it at once to be a piece of very thin parchment. It was quite dirty, you remember. Well, as I was in the very act of crumpling it up, my glance fell upon the sketch at which you had been looking, and you may imagine my astonishment when I perceived, in fact, the figure of a death's head just where, it seemed to me, I had made the drawing of the beetle. For a moment I was too much amazed to think with accuracy. I knew that my design was very different in detail from this--although there was a certain similarity in general outline. Presently I took a candle, and seating myself at the other end of the room, proceeded to scrutinize the parchment more closely. Upon turning it over, I saw my own sketch upon the reverse, just as I had made it. My first idea, now, was mere surprise at the really remarkable similarity of outline--at the singular coincidence involved in the fact that, unknown to me, there should have been a skull upon the other side of the parchment, immediately beneath my figure of the scarabaeus, and that this skull, not only in outline, but in size, should so closely resemble my drawing. I say the singularity of this coincidence absolutely stupefied me for a time. This is the usual effect of such coincidences. The mind struggles to establish a connection--a sequence of cause and effect--and, being unable to do so, suffers a species of temporary paralysis. But, when I recovered from this stupor, there dawned upon me gradually a conviction which startled me even far more than the coincidence. I began distinctly, positively, to remember that there had been NO drawing upon the parchment, when I made my sketch of the scarabaeus. I became perfectly certain of this; for I recollected turning up first one side and then the other, in search of the cleanest spot. Had the skull been then there, of course I could not have failed to notice it. Here was indeed a mystery which I felt it impossible to explain; but, even at that early moment, there seemed to glimmer, faintly, within the most remote and secret chambers of my intellect, a glow-wormlike conception of that truth which last night's adventure brought to so magnificent a demonstration. I arose at once, and putting the parchment securely away, dismissed all further reflection until I should be alone. "When you had gone, and when Jupiter was fast asleep, I betook myself to a more methodical investigation of the affair. In the first place I considered the manner in which the parchment had come into my possession. The spot where we discovered the scarabaeus was on the coast of the mainland, about a mile eastward of the island, and but a short distance above high-water mark. Upon my taking hold of it, it gave me a sharp bite, which caused me to let it drop. Jupiter, with his accustomed caution, before seizing the insect, which had flown toward him, looked about him for a leaf, or something of that nature, by which to take hold of it. It was at this moment that his eyes, and mine also, fell upon the scrap of parchment, which I then supposed to be paper. It was lying half buried in the sand, a corner sticking up. Near the spot where we found it, I observed the remnants of the hull of what appeared to have been a ship's longboat. The wreck seemed to have been there for a very great while, for the resemblance to boat timbers could scarcely be traced. "Well, Jupiter picked up the parchment, wrapped the beetle in it, and gave it to me. Soon afterwards we turned to go home, and on the way met Lieutenant G----. I showed him the insect, and he begged me to let him take it to the fort. Upon my consenting, he thrust it forthwith into his waistcoat pocket, without the parchment in which it had been wrapped, and which I had continued to hold in my hand during his inspection. Perhaps he dreaded my changing my mind, and thought it best to make sure of the prize at once--you know how enthusiastic he is on all subjects connected with Natural History. At the same time, without being conscious of it, I must have deposited the parchment in my own pocket. "You remember that when I went to the table, for the purpose of making a sketch of the beetle, I found no paper where it was usually kept. I looked in the drawer, and found none there. I searched my pockets, hoping to find an old letter, when my hand fell upon the parchment. I thus detail the precise mode in which it came into my possession, for the circumstances impressed me with peculiar force. "No doubt you will think me fanciful--but I had already established a kind of CONNECTION. I had put together two links of a great chain. There was a boat lying upon a seacoast, and not far from the boat was a parchment--NOT A PAPER--with a skull depicted upon it. You will, of course, ask 'where is the connection?' I reply that the skull, or death's head, is the well-known emblem of the pirate. The flag of the death's head is hoisted in all engagements. "I have said that the scrap was parchment, and not paper. Parchment is durable--almost imperishable. Matters of little moment are rarely consigned to parchment; since, for the mere ordinary purposes of drawing or writing, it is not nearly so well adapted as paper. This reflection suggested some meaning--some relevancy--in the death's head. I did not fail to observe, also, the FORM of the parchment. Although one of its corners had been, by some accident, destroyed, it could be seen that the original form was oblong. It was just such a slip, indeed, as might have been chosen for a memorandum--for a record of something to be long remembered, and carefully preserved." "But," I interposed, "you say that the skull was NOT upon the parchment when you made the drawing of the beetle. How then do you trace any connection between the boat and the skull--since this latter, according to your own admission, must have been designed (God only knows how or by whom) at some period subsequent to your sketching the scarabaeus?" "Ah, hereupon turns the whole mystery; although the secret, at this point, I had comparatively little difficulty in solving. My steps were sure, and could afford but a single result. I reasoned, for example, thus: When I drew the scarabaeus, there was no skull apparent upon the parchment. When I had completed the drawing I gave it to you, and observed you narrowly until you returned it. YOU, therefore, did not design the skull, and no one else was present to do it. Then it was not done by human agency. And nevertheless it was done. "At this stage of my reflections I endeavored to remember, and DID remember, with entire distinctness, every incident which occurred about the period in question. The weather was chilly (oh, rare and happy accident!), and a fire was blazing upon the hearth. I was heated with exercise and sat near the table. You, however, had drawn a chair close to the chimney. Just as I placed the parchment in your hand, and as you were in the act of inspecting it, Wolf, the Newfoundland, entered, and leaped upon your shoulders. With your left hand you caressed him and kept him off, while your right, holding the parchment, was permitted to fall listlessly between your knees, and in close proximity to the fire. At one moment I thought the blaze had caught it, and was about to caution you, but, before I could speak, you had withdrawn it, and were engaged in its examination. When I considered all these particulars, I doubted not for a moment that HEAT had been the agent in bringing to light, upon the parchment, the skull which I saw designed upon it. You are well aware that chemical preparations exist, and have existed time out of mind, by means of which it is possible to write upon either paper or vellum, so that the characters shall become visible only when subjected to the action of fire. Zaffre, digested in aqua regia, and diluted with four times its weight of water, is sometimes employed; a green tint results. The regulus of cobalt, dissolved in spirit of niter, gives a red. These colors disappear at longer or shorter intervals after the material written upon cools, but again become apparent upon the reapplication of heat. "I now scrutinized the death's head with care. Its outer edges-- the edges of the drawing nearest the edge of the vellum--were far more DISTINCT than the others. It was clear that the action of the caloric had been imperfect or unequal. I immediately kindled a fire, and subjected every portion of the parchment to a glowing heat. At first, the only effect was the strengthening of the faint lines in the skull; but, upon persevering in the experiment, there became visible, at the corner of the slip, diagonally opposite to the spot in which the death's head was delineated, the figure of what I at first supposed to be a goat. A closer scrutiny, however, satisfied me that it was intended for a kid." "Ha! ha!" said I, "to be sure I have no right to laugh at you--a million and a half of money is too serious a matter for mirth--but you are not about to establish a third link in your chain--you will not find any especial connection between your pirates and a goat-- pirates, you know, have nothing to do with goats; they appertain to the farming interest." "But I have just said that the figure was NOT that of a goat." "Well, a kid then--pretty much the same thing." "Pretty much, but not altogether," said Legrand. "You may have heard of one CAPTAIN Kidd. I at once looked upon the figure of the animal as a kind of punning or hieroglyphical signature. I say signature; because its position upon the vellum suggested this idea. The death's head at the corner diagonally opposite, had, in the same manner, the air of a stamp, or seal. But I was sorely put out by the absence of all else--of the body to my imagined instrument--of the text for my context." "I presume you expected to find a letter between the stamp and the signature." "Something of that kind. The fact is, I felt irresistibly impressed with a presentiment of some vast good fortune impending. I can scarcely say why. Perhaps, after all, it was rather a desire than an actual belief;--but do you know that Jupiter's silly words, about the bug being of solid gold, had a remarkable effect upon my fancy? And then the series of accidents and coincidents--these were so VERY extraordinary. Do you observe how mere an accident it was that these events should have occurred upon the SOLE day of all the year in which it has been, or may be sufficiently cool for fire, and that without the fire, or without the intervention of the dog at the precise moment in which he appeared, I should never have become aware of the death's head, and so never the possessor of the treasure?" "But proceed--I am all impatience." "Well; you have heard, of course, the many stories current--the thousand vague rumors afloat about money buried, somewhere upon the Atlantic coast, by Kidd and his associates. These rumors must have had some foundation in fact. And that the rumors have existed so long and so continuous, could have resulted, it appeared to me, only from the circumstance of the buried treasures still REMAINING entombed. Had Kidd concealed his plunder for a time, and afterwards reclaimed it, the rumors would scarcely have reached us in their present unvarying form. You will observe that the stories told are all about money-seekers, not about money-finders. Had the pirate recovered his money, there the affair would have dropped. It seemed to me that some accident--say the loss of a memorandum indicating its locality--had deprived him of the means of recovering it, and that this accident had become known to his followers, who otherwise might never have heard that the treasure had been concealed at all, and who, busying themselves in vain, because unguided, attempts to regain it, had given first birth, and then universal currency, to the reports which are now so common. Have you ever heard of any important treasure being unearthed along the coast?" "Never." "But that Kidd's accumulations were immense, is well known. I took it for granted, therefore, that the earth still held them; and you will scarcely be surprised when I tell you that I felt a hope, nearly amounting to certainty, that the parchment so strangely found involved a lost record of the place of deposit." "But how did you proceed?" "I held the vellum again to the fire, after increasing the heat, but nothing appeared. I now thought it possible that the coating of dirt might have something to do with the failure: so I carefully rinsed the parchment by pouring warm water over it, and, having done this, I placed it in a tin pan, with the skull downward, and put the pan upon a furnace of lighted charcoal. In a few minutes, the pan having become thoroughly heated, I removed the slip, and, to my inexpressible joy, found it spotted, in several places, with what appeared to be figures arranged in lines. Again I placed it in the pan, and suffered it to remain another minute. Upon taking it off, the whole was just as you see it now." Here Legrand, having reheated the parchment, submitted it to my inspection. The following characters were rudely traced, in a red tint, between the death's head and the goat: "53++!305))6*;4826)4+)4+).;806*;48!8]60))85;1+8*:+(;:+*8!83(88)5*!; 46(;88*96*?;8)*+(;485);5*!2:*+(;4956*2(5*-4)8]8*;4069285);)6!8)4++; 1(+9;48081;8:8+1;48!85;4)485!528806*81(+9;48;(88;4(+?34;48)4+;161;: 188;+?;" "But," said I, returning him the slip, "I am as much in the dark as ever. Were all the jewels of Golconda awaiting me upon my solution of this enigma, I am quite sure that I should be unable to earn them." "And yet," said Legrand, "the solution is by no means so difficult as you might be led to imagine from the first hasty inspection of the characters. These characters, as anyone might readily guess, form a cipher--that is to say, they convey a meaning; but then from what is known of Kidd, I could not suppose him capable of constructing any of the more abstruse cryptographs. I made up my mind, at once, that this was of a simple species--such, however, as would appear, to the crude intellect of the sailor, absolutely insoluble without the key." "And you really solved it?" "Readily; I have solved others of an abstruseness ten thousand times greater. Circumstances, and a certain bias of mind, have led me to take interest in such riddles, and it may well be doubted whether human ingenuity can construct an enigma of the kind which human ingenuity may not, by proper application, resolve. In fact, having once established connected and legible characters, I scarcely gave a thought to the mere difficulty of developing their import. "In the present case--indeed in all cases of secret writing--the first question regards the LANGUAGE of the cipher; for the principles of solution, so far, especially, as the more simple ciphers are concerned, depend upon, and are varied by, the genius of the particular idiom. In general, there is no alternative but experiment (directed by probabilities) of every tongue known to him who attempts the solution, until the true one be attained. But, with the cipher now before us, all difficulty was removed by the signature. The pun upon the word 'Kidd' is appreciable in no other language than the English. But for this consideration I should have begun my attempts with the Spanish and French, as the tongues in which a secret of this kind would most naturally have been written by a pirate of the Spanish main. As it was, I assumed the cryptograph to be English. "You observe there are no divisions between the words. Had there been divisions the task would have been comparatively easy. In such cases I should have commenced with a collation and analysis of the shorter words, and, had a word of a single letter occurred, as is most likely, (a or I, for example,) I should have considered the solution as assured. But, there being no division, my first step was to ascertain the predominant letters, as well as the least frequent. Counting all, I constructed a table thus: Of the character 8 there are 33. ; " 26. 4 " 19. +) " 16. * " 13. 5 " 12. 6 " 11. !1 " 8. 0 " 6. 92 " 5. :3 " 4. ? " 3. ] " 2. -. " 1. "Now, in English, the letter which most frequently occurs is e. Afterwards, the succession runs thus: a o i d h n r s t u y c f g l m w b k p q x z. E predominates so remarkably, that an individual sentence of any length is rarely seen, in which it is not the prevailing character. "Here, then, we have, in the very beginning, the groundwork for something more than a mere guess. The general use which may be made of the table is obvious--but, in this particular cipher, we shall only very partially require its aid. As our predominant character is 8, we will commence by assuming it as the e of the natural alphabet. To verify the supposition, let us observe if the 8 be seen often in couples--for e is doubled with great frequency in English--in such words, for example, as 'meet,' 'fleet,' 'speed,' 'seen,' 'been,' 'agree,' etc. In the present instance we see it doubled no less than five times, although the cryptograph is brief. "Let us assume 8, then, as e. Now, of all WORDS in the language, 'the' is most usual; let us see, therefore, whether there are not repetitions of any three characters, in the same order of collocation, the last of them being 8. If we discover repetitions of such letters, so arranged, they will most probably represent the word 'the.' Upon inspection, we find no less than seven such arrangements, the characters being ;48. We may, therefore, assume that ; represents t, 4 represents h, and 8 represents e--the last being now well confirmed. Thus a great step has been taken. "But, having established a single word, we are enabled to establish a vastly important point; that is to say, several commencements and terminations of other words. Let us refer, for example, to the last instance but one, in which the combination ;48 occurs--not far from the end of the cipher. We know that the ; immediately ensuing is the commencement of a word, and, of the six characters succeeding this 'the,' we are cognizant of no less than five. Let us set these characters down, thus, by the letters we know them to represent, leaving a space for the unknown-- t eeth. "Here we are enabled, at once, to discard the 'th,' as forming no portion of the word commencing with the first t; since, by experiment of the entire alphabet for a letter adapted to the vacancy, we perceive that no word can be formed of which this th can be a part. We are thus narrowed into t ee, and, going through the alphabet, if necessary, as before, we arrive at the word 'tree,' as the sole possible reading. We thus gain another letter, r, represented by (, with the words 'the tree' in juxtaposition. "Looking beyond these words, for a short distance, we again see the combination ;48, and employ it by way of TERMINATION to what immediately precedes. We have thus this arrangement: the tree ;4(4+?34 the, or, substituting the natural letters, where known, it reads thus: the tree thr+?3h the. "Now, if, in place of the unknown characters, we leave blank spaces, or substitute dots, we read thus: the tree thr...h the, when the word 'through' makes itself evident at once. But this discovery gives us three new letters, o, u, and g, represented by +, ?, and 3. "Looking now, narrowly, through the cipher for combinations of known characters, we find, not very far from the beginning, this arrangement, 83(88, or egree, which plainly, is the conclusion of the word 'degree,' and gives us another letter, d, represented by !. "Four letters beyond the word 'degree,' we perceive the combination ;46(;88. "Translating the known characters, and representing the unknown by dots, as before, we read thus: th.rtee, an arrangement immediately suggestive of the word thirteen,' and again furnishing us with two new characters, i and n, represented by 6 and *. "Referring, now, to the beginning of the cryptograph, we find the combination, 53++!. "Translating as before, we obtain .good, which assures us that the first letter is A, and that the first two words are 'A good.' "It is now time that we arrange our key, as far as discovered, in a tabular form, to avoid confusion. It will stand thus: 5 represents a ! " d 8 " e 3 " g 4 " h 6 " i * " n + " o ( " r ; " t ? " u "We have, therefore, no less than eleven of the most important letters represented, and it will be unnecessary to proceed with the details of the solution. I have said enough to convince you that ciphers of this nature are readily soluble, and to give you some insight into the rationale of their development. But be assured that the specimen before us appertains to the very simplest species of cryptograph. It now only remains to give you the full translation of the characters upon the parchment, as unriddled. Here it is: "'A good glass in the bishop's hostel in the devil's seat forty-one degrees and thirteen minutes northeast and by north main branch seventh limb east side shoot from the left eye of the death's head a bee-line from the tree through the shot fifty feet out.'" "But," said I, "the enigma seems still in as bad a condition as ever. How is it possible to extort a meaning from all this jargon about 'devil's seats,' 'death's heads,' and 'bishop's hostels'?" "I confess," replied Legrand, "that the matter still wears a serious aspect, when regarded with a casual glance. My first endeavor was to divide the sentence into the natural division intended by the cryptographist." "You mean, to punctuate it?" "Something of that kind." "But how was it possible to effect this?" "I reflected that it had been a POINT with the writer to run his words together without division, so as to increase the difficulty of solution. Now, a not overacute man, in pursuing such an object, would be nearly certain to overdo the matter. When, in the course of his composition, he arrived at a break in his subject which would naturally require a pause, or a point, he would be exceedingly apt to run his characters, at this place, more than usually close together. If you will observe the MS., in the present instance, you will easily detect five such cases of unusual crowding. Acting upon this hint I made the division thus: "'A good glass in the bishop's hostel in the devil's seat--forty- one degrees and thirteen minutes--northeast and by north--main branch seventh limb east side--shoot from the left eye of the death's head--a bee-line from the tree through the shot fifty feet out.'" "Even this division," said I, "leaves me still in the dark." "It left me also in the dark," replied Legrand, "for a few days; during which I made diligent inquiry in the neighborhood of Sullivan's Island, for any building which went by name of the 'Bishop's Hotel'; for, of course, I dropped the obsolete word 'hostel.' Gaining no information on the subject, I was on the point of extending my sphere of search, and proceeding in a more systematic manner, when, one morning, it entered into my head, quite suddenly, that this 'Bishop's Hostel' might have some reference to an old family, of the name of Bessop, which, time out of mind, had held possession of an ancient manor house, about four miles to the northward of the island. I accordingly went over to the plantation, and reinstituted my inquiries among the older negroes of the place. At length one of the most aged of the women said that she had heard of such a place as Bessop's Castle, and thought that she could guide me to it, but that it was not a castle, nor a tavern, but a high rock. "I offered to pay her well for her trouble, and, after some demur, she consented to accompany me to the spot. We found it without much difficulty, when, dismissing her, I proceeded to examine the place. The 'castle' consisted of an irregular assemblage of cliffs and rocks--one of the latter being quite remarkable for its height as well as for its insulated and artificial appearance. I clambered to its apex, and then felt much at a loss as to what should be next done. "While I was busied in reflection, my eyes fell upon a narrow ledge in the eastern face of the rock, perhaps a yard below the summit upon which I stood. This ledge projected about eighteen inches, and was not more than a foot wide, while a niche in the cliff just above it gave it a rude resemblance to one of the hollow-backed chairs used by our ancestors. I made no doubt that here was the 'devil's seat' alluded to in the MS., and now I seemed to grasp the full secret of the riddle. "The 'good glass,' I knew, could have reference to nothing but a telescope; for the word 'glass' is rarely employed in any other sense by seamen. Now here, I at once saw, was a telescope to be used, and a definite point of view, ADMITTING NO VARIATION, from which to use it. Nor did I hesitate to believe that the phrases, 'forty-one degrees and thirteen minutes,' and 'northeast and by north,' were intended as directions for the leveling of the glass. Greatly excited by these discoveries, I hurried home, procured a telescope, and returned to the rock. "I let myself down to the ledge, and found that it was impossible to retain a seat upon it except in one particular position. This fact confirmed my preconceived idea. I proceeded to use the glass. Of course, the 'forty-one degrees and thirteen minutes' could allude to nothing but elevation above the visible horizon, since the horizontal direction was clearly indicated by the words, 'northeast and by north.' This latter direction I at once established by means of a pocket compass; then, pointing the glass as nearly at an angle of forty-one degrees of elevation as I could do it by guess, I moved it cautiously up or down, until my attention was arrested by a circular rift or opening in the foliage of a large tree that overtopped its fellows in the distance. In the center of this rift I perceived a white spot, but could not, at first, distinguish what it was. Adjusting the focus of the telescope, I again looked, and now made it out to be a human skull. "Upon this discovery I was so sanguine as to consider the enigma solved; for the phrase 'main branch, seventh limb, east side,' could refer only to the position of the skull upon the tree, while 'shoot from the left eye of the death's head' admitted, also, of but one interpretation, in regard to a search for buried treasure. I perceived that the design was to drop a bullet from the left eye of the skull, and that a bee-line, or, in other words, a straight line, drawn from the nearest point of the trunk 'through the shot' (or the spot where the bullet fell), and thence extended to a distance of fifty feet, would indicate a definite point--and beneath this point I thought it at least POSSIBLE that a deposit of value lay concealed." "All this," I said, "is exceedingly clear, and, although ingenious, still simple and explicit. When you left the Bishop's Hotel, what then?" "Why, having carefully taken the bearings of the tree, I turned homeward. The instant that I left 'the devil's seat,' however, the circular rift vanished; nor could I get a glimpse of it afterwards, turn as I would. What seems to me the chief ingenuity in this whole business, is the fact (for repeated experiment has convinced me it IS a fact) that the circular opening in question is visible from no other attainable point of view than that afforded by the narrow ledge upon the face of the rock. "In this expedition to the 'Bishop's Hotel' I had been attended by Jupiter, who had, no doubt, observed, for some weeks past, the abstraction of my demeanor, and took especial care not to leave me alone. But, on the next day, getting up very early, I contrived to give him the slip, and went into the hills in search of the tree. After much toil I found it. When I came home at night my valet proposed to give me a flogging. With the rest of the adventure I believe you are as well acquainted as myself." "I suppose," said I, "you missed the spot, in the first attempt at digging, through Jupiter's stupidity in letting the bug fall through the right instead of through the left eye of the skull." "Precisely. This mistake made a difference of about two inches and a half in the 'shot'--that is to say, in the position of the peg nearest the tree; and had the treasure been BENEATH the 'shot,' the error would have been of little moment; but 'the shot,' together with the nearest point of the tree, were merely two points for the establishment of a line of direction; of course the error, however trivial in the beginning, increased as we proceeded with the line, and by the time we had gone fifty feet threw us quite off the scent. But for my deep-seated impressions that treasure was here somewhere actually buried, we might have had all our labor in vain." "But your grandiloquence, and your conduct in swinging the beetle-- how excessively odd! I was sure you were mad. And why did you insist upon letting fall the bug, instead of a bullet, from the skull?" "Why, to be frank, I felt somewhat annoyed by your evident suspicions touching my sanity, and so resolved to punish you quietly, in my own way, by a little bit of sober mystification. For this reason I swung the beetle, and for this reason I let it fall from the tree. An observation of yours about its great weight suggested the latter idea." "Yes, I perceive; and now there is only one point which puzzles me. What are we to make of the skeletons found in the hole?" "That is a question I am no more able to answer than yourself. There seems, however, only one plausible way of accounting for them--and yet it is dreadful to believe in such atrocity as my suggestion would imply. It is clear that Kidd--if Kidd indeed secreted this treasure, which I doubt not--it is clear that he must have had assistance in the labor. But this labor concluded, he may have thought it expedient to remove all participants in his secret. Perhaps a couple of blows with a mattock were sufficient, while his coadjutors were busy in the pit; perhaps it required a dozen--who shall tell?" nettle-3.4.1/testsuite/pbkdf2-test.c0000644000175000017500000001033113401564746016370 0ustar nissenisse#include "testutils.h" #include "hmac.h" #include "pbkdf2.h" /* NOTE: The salt argument is expected to expand to length, data */ #define PBKDF2_TEST(ctx, update, digest, size, c, salt, expect) \ do { \ dk[expect->length] = 17; \ PBKDF2 (ctx, update, digest, size, c, salt, expect->length, dk); \ ASSERT(MEMEQ (expect->length, dk, expect->data)); \ ASSERT(dk[expect->length] == 17); \ } while (0) #define PBKDF2_HMAC_TEST(f, key, c, salt, expect) \ do { \ dk[expect->length] = 17; \ f (key, c, salt, expect->length, dk); \ ASSERT(MEMEQ (expect->length, dk, expect->data)); \ ASSERT(dk[expect->length] == 17); \ } while (0) #define MAX_DKLEN SHA512_DIGEST_SIZE void test_main (void) { uint8_t dk[MAX_DKLEN + 1]; struct hmac_sha1_ctx sha1ctx; struct hmac_sha256_ctx sha256ctx; struct hmac_sha512_ctx sha512ctx; /* Test vectors for PBKDF2 from RFC 6070. */ hmac_sha1_set_key (&sha1ctx, LDATA("password")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 1, LDATA("salt"), SHEX("0c60c80f961f0e71f3a9b524af6012062fe037a6")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 2, LDATA("salt"), SHEX("ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("salt"), SHEX("4b007901b765489abead49d926f721d065a429c1")); #if 0 /* too slow */ PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 16777216, LDATA("salt"), SHEX("eefe3d61cd4da4e4e9945b3d6ba2158c2634e984")); #endif hmac_sha1_set_key (&sha1ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), SHEX("3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038")); hmac_sha1_set_key (&sha1ctx, LDATA("pass\0word")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("56fa6aa75548099dcc37d7f03425e0c3")); /* PBKDF2-HMAC-SHA-256 test vectors confirmed with another implementation. */ hmac_sha256_set_key (&sha256ctx, LDATA("passwd")); PBKDF2_TEST (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, 1, LDATA("salt"), SHEX("55ac046e56e3089fec1691c22544b605")); hmac_sha256_set_key (&sha256ctx, LDATA("Password")); PBKDF2_TEST (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, 80000, LDATA("NaCl"), SHEX("4ddcd8f60b98be21830cee5ef22701f9")); /* PBKDF2-HMAC-SHA-512 test vectors confirmed with another implementation (python-pbkdf2). >>> from pbkdf2 import PBKDF2 >>> import hmac as HMAC >>> from hashlib import sha512 as SHA512 >>> PBKDF2("password", "salt", 50, macmodule=HMAC, digestmodule=SHA512).read(64).encode('hex') */ hmac_sha512_set_key (&sha512ctx, LDATA("password")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 1, LDATA("NaCL"), SHEX("73decfa58aa2e84f94771a75736bb88bd3c7b38270cfb50cb390ed78b305656af8148e52452b2216b2b8098b761fc6336060a09f76415e9f71ea47f9e9064306")); hmac_sha512_set_key (&sha512ctx, LDATA("pass\0word")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 1, LDATA("sa\0lt"), SHEX("71a0ec842abd5c678bcfd145f09d83522f93361560563c4d0d63b88329871090e76604a49af08fe7c9f57156c8790996b20f06bc535e5ab5440df7e878296fa7")); hmac_sha512_set_key (&sha512ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 50, LDATA("salt\0\0\0"), SHEX("016871a4c4b75f96857fd2b9f8ca28023b30ee2a39f5adcac8c9375f9bda1ccd1b6f0b2fc3adda505412e79d890056c62e524c7d51154b1a8534575bd02dee39")); /* Test convenience functions. */ PBKDF2_HMAC_TEST(pbkdf2_hmac_sha1, LDATA("password"), 1, LDATA("salt"), SHEX("0c60c80f961f0e71f3a9b524af6012062fe037a6")); PBKDF2_HMAC_TEST(pbkdf2_hmac_sha256, LDATA("passwd"), 1, LDATA("salt"), SHEX("55ac046e56e3089fec1691c22544b605")); } nettle-3.4.1/testsuite/ed25519-test.c0000644000175000017500000001246213401564746016225 0ustar nissenisse/* ed25519-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include #include "eddsa.h" #include "base16.h" static void decode_hex (size_t length, uint8_t *dst, const char *src) { struct base16_decode_ctx ctx; size_t out_size; base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &out_size, dst, 2*length, src)); ASSERT (out_size == length); ASSERT (base16_decode_final (&ctx)); } /* Processes a single line in the format of http://ed25519.cr.yp.to/python/sign.input: sk pk : pk : m : s m : where sk (secret key) and pk (public key) are 32 bytes each, m is variable size, and s is 64 bytes. All values hex encoded. */ static void test_one (const char *line) { const char *p; const char *mp; uint8_t sk[ED25519_KEY_SIZE]; uint8_t pk[ED25519_KEY_SIZE]; uint8_t t[ED25519_KEY_SIZE]; uint8_t s[ED25519_SIGNATURE_SIZE]; uint8_t *msg; size_t msg_size; uint8_t s2[ED25519_SIGNATURE_SIZE]; decode_hex (ED25519_KEY_SIZE, sk, line); p = strchr (line, ':'); ASSERT (p == line + 128); p++; decode_hex (ED25519_KEY_SIZE, pk, p); p = strchr (p, ':'); ASSERT (p == line + 193); mp = ++p; p = strchr (p, ':'); ASSERT (p); ASSERT ((p - mp) % 2 == 0); msg_size = (p - mp) / 2; decode_hex (ED25519_SIGNATURE_SIZE, s, p+1); msg = xalloc (msg_size + 1); msg[msg_size] = 'x'; decode_hex (msg_size, msg, mp); ed25519_sha512_public_key (t, sk); ASSERT (MEMEQ(ED25519_KEY_SIZE, t, pk)); ed25519_sha512_sign (pk, sk, msg_size, msg, s2); ASSERT (MEMEQ (ED25519_SIGNATURE_SIZE, s, s2)); ASSERT (ed25519_sha512_verify (pk, msg_size, msg, s)); s2[ED25519_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); memcpy (s2, s, ED25519_SIGNATURE_SIZE); s2[2*ED25519_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); ASSERT (!ed25519_sha512_verify (pk, msg_size + 1, msg, s)); if (msg_size > 0) { msg[msg_size-1] ^= 0x20; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s)); } free (msg); } #ifndef HAVE_GETLINE static ssize_t getline(char **lineptr, size_t *n, FILE *f) { size_t i; int c; if (!*lineptr) { *n = 500; *lineptr = xalloc (*n); } i = 0; do { c = getc(f); if (c < 0) { if (i > 0) break; return -1; } (*lineptr) [i++] = c; if (i == *n) { *n *= 2; *lineptr = realloc (*lineptr, *n); if (!*lineptr) die ("Virtual memory exhausted.\n"); } } while (c != '\n'); (*lineptr) [i] = 0; return i; } #endif void test_main(void) { const char *input = getenv ("ED25519_SIGN_INPUT"); if (input) { size_t buf_size; char *buf; FILE *f = fopen (input, "r"); if (!f) die ("Opening input file '%s' failed: %s\n", input, strerror (errno)); for (buf = NULL; getline (&buf, &buf_size, f) >= 0; ) test_one (buf); free (buf); fclose (f); } else { /* First few lines only */ test_one ("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a:d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a::e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b:"); test_one ("4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:72:92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c0072:"); test_one ("c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:af82:6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40aaf82:"); test_one ("0d4a05b07352a5436e180356da0ae6efa0345ff7fb1572575772e8005ed978e9e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:cbc77b:d9868d52c2bebce5f3fa5a79891970f309cb6591e3e1702a70276fa97c24b3a8e58606c38c9758529da50ee31b8219cba45271c689afa60b0ea26c99db19b00ccbc77b:"); } } nettle-3.4.1/testsuite/cnd-memcpy-test.c0000644000175000017500000000221113401564746017252 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #include "memops.h" #if HAVE_VALGRIND_MEMCHECK_H # include static void cnd_memcpy_for_test(int cnd, void *dst, const void *src, size_t n) { /* Makes valgrind trigger on any branches depending on the input data. */ VALGRIND_MAKE_MEM_UNDEFINED (dst, n); VALGRIND_MAKE_MEM_UNDEFINED (src, n); VALGRIND_MAKE_MEM_UNDEFINED (&cnd, sizeof(cnd)); cnd_memcpy (cnd, dst, src, n); VALGRIND_MAKE_MEM_DEFINED (src, n); VALGRIND_MAKE_MEM_DEFINED (dst, n); } #else #define cnd_memcpy_for_test cnd_memcpy #endif #define MAX_SIZE 50 void test_main(void) { uint8_t src[MAX_SIZE]; uint8_t dst[MAX_SIZE]; uint8_t res[MAX_SIZE]; struct knuth_lfib_ctx random_ctx; knuth_lfib_init (&random_ctx, 11); size_t size; for (size = 1; size < 50; size++) { knuth_lfib_random (&random_ctx, size, src); knuth_lfib_random (&random_ctx, size, dst); memcpy (res, dst, size); cnd_memcpy_for_test (0, res, src, size); ASSERT (memcmp (res, dst, size) == 0); cnd_memcpy_for_test (1, res, src, size); ASSERT (memcmp (res, src, size) == 0); } } nettle-3.4.1/testsuite/dsa-test.c0000644000175000017500000012536713401564746016007 0ustar nissenisse#include "testutils.h" void test_main(void) { struct dsa_public_key pub; struct dsa_private_key key; struct dsa_signature signature; struct dsa_params *params = (struct dsa_params *) &pub; dsa_public_key_init(&pub); dsa_private_key_init(&key); dsa_signature_init(&signature); mpz_set_str(pub.p, "83d9a7c2ce2a9179f43cdb3bffe7de0f0eef26dd5dfae44d" "531bc0de45634d2c07cb929b0dbe10da580070e6abfbb841" "5c44bff570b8ad779df653aad97dc7bdeb815d7e88103e61" "606ed3d8a295fbfd340d2d49e220833ebace5511e22c4f02" "97ed351e9948fa848e9c8fadb7b47bcc47def4255b5e1d5e" "10215b3b55a0b85f", 16); mpz_set_str(pub.q, "8266e0deaf46020ba48d410ca580f3a978629b5d", 16); mpz_set_str(pub.g, "30d34bb9f376bec947154afe4076bc7d359c9d32f5471ddb" "be8d6a941c47fa9dc4f32573151dbb4aa59eb989b74ac36b" "b6310a5e8b580501655d91f393daa193ae1303049b87febb" "093dc0404b53b4c5da2463300f9c5b156d788c4ace8ecbb9" "dd00c18d99537f255ac025d074d894a607cbe3023a1276ef" "556916a33f7de543", 16); mpz_set_str(pub.y, "64402048b27f39f404a546a84909c9c0e9e2dd153a849946" "1062892598d30af27ae3cefc2b700fb6d077390a83bdcad7" "8a1299487c9623bb62af0c85a3df9ef1ee2c0d66658e1fd3" "283b5407f6cd30ee7e6154fad41a6a8b0f5c86c5accc1127" "bf7c9a5d6badcb012180cb62a55c5e17d6d3528cdbe002cc" "ee131c1b86867f7a", 16); mpz_set_str(key.x, "56c6efaf878d06eef21dc070fab71da6ec1e30a6", 16); test_dsa_key(params, pub.y, key.x, 160); mpz_set_str(signature.r, "180342f8d4fb5bd0311ebf205bdee6e556014eaf", 16); mpz_set_str(signature.s, "392dc6566b2735531a8460966171464ef7ddfe12", 16); test_dsa160(&pub, &key, &signature); mpz_set_str(pub.p, "fda45d8f1df8f2b84fb3cf9ae69f93b087d98bea282f643e" "23472c5b57605952010e4c846d711f2783e8ad4e1447698e" "2e328fdb1d411ccb0f3caef5b8fc0b9dcecfadf022ecc7de" "5c153c8f10fe88d63abf7d296ad485dfd6eead595fc1c36b" "8bd42e8668b55b2bb0f1a6aecbe678df504880de2481a5e4" "97d1b7d92ee48ffeb083a1833094a0418ec0d914409c720c" "87ea63c164ec448c471b574a8f88073ebeb44dc6d6b98260" "46126f03022ff04dcb6a2381a09b0a227d3c57cfbfd48e4a" "19cbb0a35242c9e234ebe105ae26cab01ede40aa2869fad8" "6bff57a19ec87b8de294ca03269c268c10813f18169beac5" "ac97c0e748ccb244282c50c670e1bccb", 16); mpz_set_str(pub.q, "bd612630da4d930779a32546dc413efd299111b443c7355d" "65d991163cc3cd9d", 16); mpz_set_str(pub.g, "050c56e14adb03e47d3902852f5b21c96c28a2aa89619c8b" "78a98aa5083700994f99184588d2cefaf2a3ea213dd2d084" "0e682a52357d5fefaef44520622f021855744d638e792f21" "89543f9770aa1960da4d7b325a37a2922b035c8da3d71543" "5d7a6ddefc62e84fe76fecbbf9667c6a1781a84aa434548b" "bdc315f2fb0a420d65c1f72911845b148e994660138052a1" "fce1c6f933be155b2af8c0177277cd3b75d9477ddbcb77bc" "f5cccea915a2f3750ba41f337edd44f768cb3d24b17e299d" "5cebe5e78cbaf5ad41e815edfc71df3131bd5359c653a224" "bd3ac6a27bad7efff11b24fad0109ee26e4df76fc99e150d" "666a9294bab8a03f113d228bfad349f4", 16); mpz_set_str(pub.y, "da7f9abb0b554afaa926c9cffa897239bfdbc58ed9981748" "edb1e38f42dea0560a407a48b509a5cb460bf31dee9057a0" "b41d468698fa82ff03c47e8f3f6564c74d6f1daa5f84ad25" "b937317f861fa68c19e20d6b855e85cd94d5af95b968416e" "6d43711f24d5497f018b7627d2bed25dc793ddb897fdcc34" "5d183e43a80205483dea7a12185be3b185a7d84d3385b962" "4485882722d177ccd8f49c5b519fb96b9b59fcfc63422f25" "88fb8ff00bce46acb7c80d105c31414ecf5be0a0dad975bd" "dcd83d6f063f9bce562fdd5b68e18fc2159dbb2457adc7a7" "ee5bc0796eff370908f866a41b9a8873f89e1904925141f8" "e574df25bd869f43a184a804e8ce5fcc", 16); mpz_set_str(key.x, "39f84f88569da55c6bee7e18175b539ea9b7ee24fabd85a7" "1fa8c93b7181545b", 16); test_dsa_key(params, pub.y, key.x, 256); mpz_set_str(signature.r, "03fe95c9dbbe1be019d7914e45c37c70" "0f499f559312a59f3bc5037f51d3f74c", 16); mpz_set_str(signature.s, "839dbee8d30e6b0cc349528f900f30ee" "6d4ce9864332d07c87b5a98bd75dbdbb", 16); test_dsa256(&pub, &key, &signature); /* Some of the test vectors from http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3dsatestvectors.zip */ /* L=1024, N=160, SHA-1 */ mpz_set_str(pub.p, "a8f9cd201e5e35d892f85f80e4db2599a5676a3b1d4f1903" "30ed3256b26d0e80a0e49a8fffaaad2a24f472d2573241d4" "d6d6c7480c80b4c67bb4479c15ada7ea8424d2502fa01472" "e760241713dab025ae1b02e1703a1435f62ddf4ee4c1b664" "066eb22f2e3bf28bb70a2a76e4fd5ebe2d1229681b5b0643" "9ac9c7e9d8bde283", 16); mpz_set_str(pub.q, "f85f0f83ac4df7ea0cdf8f469bfeeaea14156495", 16); mpz_set_str(pub.g, "2b3152ff6c62f14622b8f48e59f8af46883b38e79b8c74de" "eae9df131f8b856e3ad6c8455dab87cc0da8ac973417ce4f" "7878557d6cdf40b35b4a0ca3eb310c6a95d68ce284ad4e25" "ea28591611ee08b8444bd64b25f3f7c572410ddfb39cc728" "b9c936f85f419129869929cdb909a6a3a99bbe0892163681" "71bd0ba81de4fe33", 16); mpz_set_str(pub.y, "313fd9ebca91574e1c2eebe1517c57e0c21b0209872140c5" "328761bbb2450b33f1b18b409ce9ab7c4cd8fda3391e8e34" "868357c199e16a6b2eba06d6749def791d79e95d3a4d09b2" "4c392ad89dbf100995ae19c01062056bb14bce005e8731ef" "de175f95b975089bdcdaea562b32786d96f5a31aedf75364" "008ad4fffebb970b", 16); mpz_set_str(signature.r, "50ed0e810e3f1c7cb6ac62332058448bd8b284c0", 16); mpz_set_str(signature.s, "c6aded17216b46b7e4b6f2a97c1ad7cc3da83fde", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("3b46736d559bd4e0c2c1b2553a33ad3c6cf23cac998d3d0c" "0e8fa4b19bca06f2f386db2dcff9dca4f40ad8f561ffc308" "b46c5f31a7735b5fa7e0f9e6cb512e63d7eea05538d66a75" "cd0d4234b5ccf6c1715ccaaf9cdc0a2228135f716ee9bdee" "7fc13ec27a03a6d11c5c5b3685f51900b1337153bc6c4e8f" "52920c33fa37f4e7"), &signature); mpz_set_str(pub.y, "29bdd759aaa62d4bf16b4861c81cf42eac2e1637b9ecba51" "2bdbc13ac12a80ae8de2526b899ae5e4a231aef884197c94" "4c732693a634d7659abc6975a773f8d3cd5a361fe2492386" "a3c09aaef12e4a7e73ad7dfc3637f7b093f2c40d6223a195" "c136adf2ea3fbf8704a675aa7817aa7ec7f9adfb2854d4e0" "5c3ce7f76560313b", 16); mpz_set_str(signature.r, "a26c00b5750a2d27fe7435b93476b35438b4d8ab", 16); mpz_set_str(signature.s, "61c9bfcb2938755afa7dad1d1e07c6288617bf70", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("d2bcb53b044b3e2e4b61ba2f91c0995fb83a6a97525e6644" "1a3b489d9594238bc740bdeea0f718a769c977e2de003877" "b5d7dc25b182ae533db33e78f2c3ff0645f2137abc137d4e" "7d93ccf24f60b18a820bc07c7b4b5fe08b4f9e7d21b256c1" "8f3b9d49acc4f93e2ce6f3754c7807757d2e1176042612cb" "32fc3f4f70700e25"), &signature); /* L=1024, N=160, SHA-224 */ mpz_set_str(pub.p, "8b9b32f5ba38faad5e0d506eb555540d0d7963195558ca30" "8b7466228d92a17b3b14b8e0ab77a9f3b2959a09848aa69f" "8df92cd9e9edef0adf792ce77bfceccadd9352700ca5faec" "f181fa0c326db1d6e5d352458011e51bd3248f4e3bd7c820" "d7e0a81932aca1eba390175e53eada197223674e3900263e" "90f72d94e7447bff", 16); mpz_set_str(pub.q, "bc550e965647fb3a20f245ec8475624abbb26edd", 16); mpz_set_str(pub.g, "11333a931fba503487777376859fdc12f7c687b0948ae889" "d287f1b7a712ad220ae4f1ce379d0dbb5c9abf419621f005" "fc123c327e5055d1850634c36d397e689e111d598c1c3636" "b940c84f42f436846e8e7fcad9012ceda398720f32fffd1a" "45ab6136ce417069207ac140675b8f86dd063915ae6f62b0" "cec729fbd509ac17", 16); mpz_set_str(pub.y, "7e339f3757450390160e02291559f30bed0b2d758c5ccc2d" "8d456232bb435ae49de7e7957e3aad9bfdcf6fd5d9b6ee3b" "521bc2229a8421dc2aa59b9952345a8fc1de49b348003a9b" "18da642d7f6f56e3bc665131ae9762088a93786f7b4b72a4" "bcc308c67e2532a3a5bf09652055cc26bf3b18833598cffd" "7011f2285f794557", 16); mpz_set_str(signature.r, "afee719e7f848b54349ccc3b4fb26065833a4d8e", 16); mpz_set_str(signature.s, "734efe992256f31325e749bc32a24a1f957b3a1b", 16); test_dsa_verify(params, pub.y, &nettle_sha224, SHEX("fb2128052509488cad0745ed3e6312850dd96ddaf791f1e6" "24e22a6b9beaa65319c325c78ef59cacba0ccfa722259f24" "f92c17b77a8f6d8e97c93d880d2d8dbbbedcf6acefa06b0e" "476ca2013d0394bd90d56c10626ef43cea79d1ef0bc7ac45" "2bf9b9acaef70325e055ac006d34024b32204abea4be5faa" "e0a6d46d365ed0d9"), &signature); /* L=1024, N=160, SHA-256 */ mpz_set_str(pub.p, "cba13e533637c37c0e80d9fcd052c1e41a88ac325c4ebe13" "b7170088d54eef4881f3d35eae47c210385a8485d2423a64" "da3ffda63a26f92cf5a304f39260384a9b7759d8ac1adc81" "d3f8bfc5e6cb10efb4e0f75867f4e848d1a338586dd0648f" "eeb163647ffe7176174370540ee8a8f588da8cc143d939f7" "0b114a7f981b8483", 16); mpz_set_str(pub.q, "95031b8aa71f29d525b773ef8b7c6701ad8a5d99", 16); mpz_set_str(pub.g, "45bcaa443d4cd1602d27aaf84126edc73bd773de6ece15e9" "7e7fef46f13072b7adcaf7b0053cf4706944df8c4568f26c" "997ee7753000fbe477a37766a4e970ff40008eb900b9de4b" "5f9ae06e06db6106e78711f3a67feca74dd5bddcdf675ae4" "014ee9489a42917fbee3bb9f2a24df67512c1c35c97bfbf2" "308eaacd28368c5c", 16); mpz_set_str(pub.y, "4cd6178637d0f0de1488515c3b12e203a3c0ca652f2fe30d" "088dc7278a87affa634a727a721932d671994a958a0f8922" "3c286c3a9b10a96560542e2626b72e0cd28e5133fb57dc23" "8b7fab2de2a49863ecf998751861ae668bf7cad136e6933f" "57dfdba544e3147ce0e7370fa6e8ff1de690c51b4aeedf04" "85183889205591e8", 16); mpz_set_str(signature.r, "76683a085d6742eadf95a61af75f881276cfd26a", 16); mpz_set_str(signature.s, "3b9da7f9926eaaad0bebd4845c67fcdb64d12453", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("812172f09cbae62517804885754125fc6066e9a902f9db20" "41eeddd7e8da67e4a2e65d0029c45ecacea6002f9540eb10" "04c883a8f900fd84a98b5c449ac49c56f3a91d8bed3f08f4" "27935fbe437ce46f75cd666a0707265c61a096698dc2f36b" "28c65ec7b6e475c8b67ddfb444b2ee6a984e9d6d15233e25" "e44bd8d7924d129d"), &signature); /* L=2048, N=224, SHA-1 */ mpz_set_str(pub.p, "f2d39ed3062b13c916273600a0f2a029e86d7a4b9217b4f1" "815bf2b24d9710a57ab33f997294b014585b8d0198dfdccb" "cd75314da5ff85aa344b45adaeaa979b51a312a7bfa94472" "fb633f1a6f156bb4458867dfd38403f06b851f00fe2d3484" "077bded71ab7513d04a140220575fb693395480e4c8402b7" "a46cec2d37a778c305accd1f13e9f62e865315f4b22cc467" "c8986ec8e4961ddf810566b0c4ee369ac6aa15e43f474400" "5826f5bde8071a19e30b6909aac4b3d174237270dad02799" "d09b8a2cc5f22e66894b5422228b2c234f11f5a771c5b89c" "f465a2acecbbeeaa1725fe8f9b59422be8991052cb556ddf" "2c8ce8fa9206dbf39feadc194e00f8e5", 16); mpz_set_str(pub.q, "8000000000000000c118f49835e4ef733c4d15800fcf059e884d31b1", 16); mpz_set_str(pub.g, "e3a93c09da6f560e4d483a382a4c546f2335c36a4c35ac14" "63c08a3e6dd415df56fdc537f25fd5372be63e4f5300780b" "782f1acd01c8b4eb33414615fd0ea82573acba7ef83f5a94" "3854151afc2d7dfe121fb8cd03335b065b549c5dcc606be9" "052483bc284e12ac3c8dba09b426e08402030e70bc1cc2bf" "8957c4ba0630f3f32ad689389ac47443176063f247d9e229" "6b3ea5b5bc2335828ea1a080ed35918dee212fd031279d1b" "894f01afec523833669eac031a420e540ba1320a59c424a3" "e5849a460a56bcb001647885b1433c4f992971746bfe2977" "ce7259c550b551a6c35761e4a41af764e8d92132fcc0a59d" "1684eab90d863f29f41cf7578faa908c", 16); mpz_set_str(pub.y, "289ff18c32a56bb0b8839370647683a38a5a7e291410b932" "07212adc8088d30f93e9e4abc523f3d46936e7d5c90d8874" "2b36afd37563408f15c8c1a4f7ac24bf05f01008ffee70c8" "825d57c3a9308bad8a095af2b53b2dda3cbed846d95e301e" "b9b84766415d11f6c33209a0d28571096ab04a79aa0dc465" "997529686b68e887cd8a205c2dc8195aef0422eba9979f54" "9ac85548e419413643b7244361153ada1480d238cd00dc16" "527938955548dd5d027ded1029eeeb8ed6c61b4cd59341d8" "b15466e9da890a989996f4d7691e6072de136af28b5874bf" "08bd1f8a60cfb1c00888132909f515e04bce81b02951aa41" "baac68ffdb8c5dc77a1d32d8f2c10dd7", 16); mpz_set_str(signature.r, "45df2f423e94bf155dd4e1d9e63f315ea606dd38527d4cf6328738c8", 16); mpz_set_str(signature.s, "59b3e8efa5bc0ccbf4a3cbb6515c4b9bf784cfacdcc101dc9f81d31f", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("edc6fd9b6c6e8a59f283016f7f29ee16deeaa609b5737927" "162aef34fed985d0bcb550275637ba67831a2d4efccb3529" "6dfe730f4a0b4f4728d1d7d1bb8f4a36238a5c94311fa113" "4a93a6b4de39c085e9f60ae4e237c0416d58042bb36baa38" "cba8c896295b745d5376fd8ce42eb6ee5a1b38f87716b265" "b76e58cfb24a9170"), &signature); /* L=2048, N=224, SHA-224 */ mpz_set_str(pub.p, "aa815c9db1c4d3d2773c7d0d4d1da75ecfc4a39e97d5fa19" "1ffec8b1490a290ce335e5ce87ea620a8a17de0bb64714e2" "ec840bf00e6ebdb4ffb4e324ca07c3c8717309af1410362a" "772c9add838b2b0cae1e90ab448adabdacd2e5df59c4187a" "32a23719d6c57e9400885383bf8f066f23b941920d54c35b" "4f7cc5044f3b40f17046956307b748e840732844d00a9ce6" "ec5714293b6265147f15c67f4be38b082b55fdeadb612468" "9fb76f9d25cc28b8eaa98b562d5c1011e0dcf9b39923240d" "332d89dc9603b7bddd0c70b83caa2905631b1c83cabbae6c" "0c0c2efe8f58131ed8351bf93e875f6a73a93cbad470141a" "2687fbacf2d71c8ddee971ad660729ad", 16); mpz_set_str(pub.q, "ea347e90be7c2875d1fe1db622b4763837c5e27a6037310348c1aa11", 16); mpz_set_str(pub.g, "2042094ccbc8b8723fc928c12fda671b83295e99c743576f" "44504be1186323319b5002d24f173df909ea241d6ea52899" "04ee4636204b2fbe94b068fe093f7962579549551d3af219" "ad8ed19939eff86bcec834de2f2f78596e89e7cb52c524e1" "77098a56c232eb1f563aa84bc6b026deee6ff51cb441e080" "f2dafaea1ced86427d1c346be55c66803d4b76d133cd445b" "4c3482fa415023463c9bf30f2f784223e26057d3aa0d7fbb" "660630c52e49d4a0325c7389e072aa349f13c966e159752f" "bb71e9336890f93243fa6e72d299365ee5b3fe266ebf1110" "568fee4425c847b50210bd484b97431a42856adca3e7d1a9" "c9c675c7e266918320dd5a78a48c48a9", 16); mpz_set_str(pub.y, "1ae10c786ad0902c5c685dae5c7121418a377b888b5f2f2b" "c76623570fd62bcb190b471ad5359c5f062f8819289e956d" "8aa6f90d1f8cf1ee72d3a1bdfd56c478dc29a19c4569b5a6" "0e3a8f34f60656eac5b25dde5514a5c67b675423204f6cca" "f0990617cc7355b9d3ed868978a252020a769ed59a6edaa6" "efe3377eef45f3f6f3e64179cc7db8b143fb835c5d71bfcf" "a1e2a9049bccf7fe9ab57546220fe3f4b7521c861739d138" "507e81a46a6993605441dcb90d6ee4afbc42cabe90a25444" "4968109d7edd9694a023239f1d56175dd1fac115915e24fa" "b563f4fc3f269bed2f300832d112596485a711417aa73bb4" "ac72a651a1fa5baed3636c720d397008", 16); mpz_set_str(signature.r, "65102e8f64ecb11f06017b1a0c0def3c29897c277c4a948b1f4da6b9", 16); mpz_set_str(signature.s, "21ad0abb27bd3c21166cb96aef70c0dbd5f3079cab0dd543d4125bd1", 16); test_dsa_verify(params, pub.y, &nettle_sha224, SHEX("e920fc1610718f2b0213d301c0092a51f3c6b0107bbbd824" "3a9689c044e2d142f202d9d195a5faef4be5acadc9ff6f7d" "2261e58b517139bcb9489b110423c2e59eb181294ffdae8a" "ad0e624fab974c97f9f5e7dc19d678a9cb3429cf05ec5090" "72856f5adfec6e29bafe8e5ba95593e612843e343111d88a" "1eaff7dc0a2e277f"), &signature); /* mod = L=2048, N=224, SHA-256 */ mpz_set_str(pub.p, "a4c7eaab42c4c73b757770916489f17cd50725cd0a4bc4e1" "cf67f763b8c1de2d6dab9856baafb008f365b18a42e14dc5" "1f350b88eca0209c5aa4fd71a7a96c765f5901c21e720570" "d7837bec7c76d2e49344731ca39405d0a879b9e0dcd1a812" "5fd130ec1e783e654b94e3002e6b629e904ab3877867720c" "bd54b4270a9e15cd028c7cc796f06c272a660951928fdbeb" "2dca061b41e932257305742ff16e2f429191d5e5f1a6ddf6" "e78c5d7722cff80a9c0bd5c8d7aeba8c04438992b075e307" "c1534c49ad380f477f5f7987dc172c161dca38dcaf3fb384" "6c72c9119a5299adc748951b3dce0d00d4a9013800b20082" "03b72465bc6a84ae059a30c4522dea57", 16); mpz_set_str(pub.q, "ce89fe332b8e4eb3d1e8ddcea5d163a5bc13b63f16993755427aef43", 16); mpz_set_str(pub.g, "8c465edf5a180730291e080dfc5385397a5006450dba2efe" "0129264fbd897bb5579ca0eab19aa278220424724b4f2a6f" "6ee6328432abf661380646097233505339c5519d357d7112" "b6eec938b85d5aa75cc2e38092f0a530acb54e50fe82c4d5" "62fb0f3036b80b30334023ebbe6637a0010b00c7db863711" "68563671e1e0f028aedbd45d2d572621a609982a073e51aa" "e27707afbeef29e2ecee84d7a6d5da382be3a35f42b6c668" "49202ab19d025b869d08776476d1ab981475ad2ad2f3e6fd" "07e30696d90a626816df60d6ca7afd7b482f942f83b45cc8" "2933731f87faee320900f2aa3e70b1867e1430e40be67c07" "f9290299ef067b8b24a7515b3f992c07", 16); mpz_set_str(pub.y, "748a40237211a2d9852596e7a891f43d4eb0ee48826c9cfb" "336bbb68dbe5a5e16b2e1271d4d13de03644bb85ef6be523" "a4d4d88415bcd596ba8e0a3c4f6439e981ed013d7d9c7033" "6febf7d420cfed02c267457bb3f3e7c82145d2af54830b94" "2ec74a5d503e4226cd25dd75decd3f50f0a858155d7be799" "410836ddc559ce99e1ae513808fdaeac34843dd7258f16f6" "7f19205f6f139251a4186da8496d5e90d3fecf8ed10be6c2" "5ff5eb33d960c9a8f4c581c8c724ca43b761e9fdb5af66bf" "fb9d2ebb11a6b504a1fbe4f834ecb6ac254cab513e943b9a" "953a7084b3305c661bfad434f6a835503c9ade7f4a57f5c9" "65ec301ecde938ee31b4deb038af97b3", 16); mpz_set_str(signature.r, "9c5fa46879ddaf5c14f07dfb5320715f67a6fec179e3ad53342fb6d1", 16); mpz_set_str(signature.s, "c3e17e7b3c4d0ac8d49f4dd0f04c16a094f42da0afcc6c90f5f1bbc8", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("cec8d2843dee7cb5f9119b75562585e05c5ce2f4e6457e9b" "cc3c1c781ccd2c0442b6282aea610f7161dcede176e77486" "1f7d2691be6c894ac3ebf80c0fab21e52a3e63ae0b350257" "62ccd6c9e1fecc7f9fe00aa55c0c3ae33ae88f66187f9598" "eba9f863171f3f56484625bf39d883427349b8671d9bb7d3" "96180694e5b546ae"), &signature); /* L=2048, N=256, SHA-1 */ mpz_set_str(pub.p, "c1a59d215573949e0b20a974c2edf2e3137ff2463062f75f" "1d13df12aba1076bb2d013402b60af6c187fb0fa362167c9" "76c2617c726f9077f09e18c11b60f65008825bd6c02a1f57" "d3eb0ad41cd547de43d87f2525f971d42b306506e7ca03be" "63b35f4ada172d0a06924440a14250d7822ac2d5aeafed46" "19e79d4158a7d5eb2d9f023db181a8f094b2c6cb87cb8535" "416ac19813f07144660c557745f44a01c6b1029092c129b0" "d27183e82c5a21a80177ee7476eb95c466fb472bd3d2dc28" "6ce25847e93cbfa9ad39cc57035d0c7b64b926a9c7f5a7b2" "bc5abcbfbdc0b0e3fede3c1e02c44afc8aefc7957da07a0e" "5fd12339db8667616f62286df80d58ab", 16); mpz_set_str(pub.q, "8000000000000000000000001bd62c65e8b87c89797f8f0c" "bfa55e4a6810e2c7", 16); mpz_set_str(pub.g, "aea5878740f1424d3c6ea9c6b4799615d2749298a17e2620" "7f76cef340ddd390e1b1ad6b6c0010ad015a103342ddd452" "cac024b36e42d9b8ed52fafae7a1d3ce9e4b21f910d1356e" "b163a3e5a8184c781bf14492afa2e4b0a56d8884fd01a628" "b9662739c42e5c5795ade2f5f27e6de1d963917ce8806fc4" "0d021cd87aa3aa3a9e4f0c2c4c45d2959b2578b2fb1a2229" "c37e181059b9d5e7b7862fa82e2377a49ed0f9dca820a581" "4079dd6610714efaf8b0cc683d8e72e4c884e6f9d4946b3e" "8d4cbb92adbbe7d4c47cc30be7f8c37ca81883a1aac68600" "59ff4640a29ccae73de20b12e63b00a88b2ee9ba94b75eb4" "0a656e15d9ec83731c85d0effcb9ef9f", 16); mpz_set_str(pub.y, "880e17c4ae8141750609d8251c0bbd7acf6d0b460ed3688e" "9a5f990e6c4b5b00875da750e0228a04102a35f57e74b8d2" "f9b6950f0d1db8d302c5c90a5b8786a82c68ff5b17a57a75" "8496c5f8053e4484a253d9942204d9a1109f4bd2a3ec311a" "60cf69c685b586d986f565d33dbf5aab7091e31aa4102c4f" "4b53fbf872d700156465b6c075e7f778471a23502dc0fee4" "1b271c837a1c26691699f3550d060a331099f64837cddec6" "9caebf51bf4ec9f36f2a220fe773cb4d3c02d0446ddd4613" "3532ef1c3c69d432e303502bd05a75279a7809a742ac4a78" "72b07f1908654049419350e37a95f2ef33361d8d8736d408" "3dc14c0bb972e14d4c7b97f3ddfccaef", 16); mpz_set_str(signature.r, "363e01c564f380a27d7d23b207af3f961d48fc0995487f60" "052775d724ab3d10", 16); mpz_set_str(signature.s, "4916d91b2927294e429d537c06dd2463d1845018cca2873e" "90a6c837b445fdde", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("de3605dbefde353cbe05e0d6098647b6d041460dfd4c0003" "12be1afe7551fd3b93fed76a9763c34e004564b8f7dcacbd" "99e85030632c94e9b0a032046523b7aacdf934a2dbbdcfce" "efe66b4e3d1cb29e994ff3a4648a8edd9d58ed71f12399d9" "0624789c4e0eebb0fbd5080f7d730f875a1f290749334cb4" "05e9fd2ae1b4ed65"), &signature); /* L=2048, N=256, SHA-224 */ mpz_set_str(pub.p, "d02276ebf3c22ffd666983183a47ae94c9bccbcbf95ddcb4" "91d1f7ce643549199992d37c79e7b032d26ed031b6ba4489" "f3125826fafb2726a98333ebd9abdde592d8693d9859536d" "9cc3841a1d24e044d35aced6136256fc6d6b615cf4f4163a" "a381eb2b4c480825a8eccc56d8ddcf5fe637e38ad9b2974b" "d2cf68bf271e0d067d2465a8b6b660524f0082598945ada5" "8ea649b9804eb4753408c2c59768c46abb82e3295f3d9ca4" "69f84cc187f572dc4b5a3b39346ec839dfad6f07d6d1f0e2" "15209bb0ecc05c767cf2e7943ac9cfb02eee1e9ef5946e8c" "e88316b5e15fdcf95a132ef2e4bb0817136528cfa5dd9653" "2f9c3abe5c421620edb6bcbd52234ca9", 16); mpz_set_str(pub.q, "8000000012997e8285e4089708f528070c6d7af8a0bd0140" "9e7a079cdb6fc5bb", 16); mpz_set_str(pub.g, "778453049ef262147fed7b59b0ee6764607c51e7b5b5fc6f" "ea7a7a7b1dd6bb283f4a9ae98efd3964b1556758cb15b2a5" "3af8619e74d85898bec77d3b3f382494ae5961a13ffc745d" "a386182291519800f99dd710e00aeb15adee088e2798ee2e" "46f598526cf0f4667055d1ba009750041dc5cdd2725ff1d9" "7dd340c8518af7671b87d39d67aeced84b66f84e0701efc8" "2a5c9ef954ee576d24c385b14d63037f0d866fd424b4975b" "dd5485ed740cb932e843f906683f7c7b2c74775d901c361b" "847b519c0da699638da40bd736b783d2710b2c2cc26ef912" "71bf4e2c1929f876e902e2057164223bc78d6a2b9f6c0c7a" "7cb85922f7d6c4287ae23861f8128848", 16); mpz_set_str(pub.y, "7bb31e98c7a0437f978a73d5dcfbdfbb09cc2499dfaf1eb5" "256bccd6358cabb5f67d04a42823463b7e957f2b9213f1fa" "8e5a98d614484701abb8c7d67641fe6ed06fa4527b493dda" "b2e74640fde3de70da693f1db2b8e26417040af0eea6cab4" "51a795a52e187d2ee241b93f65c86c6d66f45834cce165ac" "5eb670d4f0095c23ce9757e3bdc636f991ee0073d90a0920" "2edb35cc3ea1cf9adca1617fa0bffd9c126229a604a1d3bf" "4931ddf0b9942dfc8a2f8c09fcc97032564a79ae1ebe1e2c" "e49ff57839e7c43fa60b1603d15a450898aa4e4a1ee80657" "94126d64f013367096a83686b9f158c33b10f5f3b36cf1f6" "358b3f34f84b101dc26d3db68bcc95c8", 16); mpz_set_str(signature.r, "059bee9e708b7f20c3f791a640edee964e0aa672893c4847" "99715817b3a8f6d4", 16); mpz_set_str(signature.s, "4bd41c84a724cc86e4f0194ec0fbf379e654d0d7f6a1f08b" "d468139422a5c353", 16); test_dsa_verify(params, pub.y, &nettle_sha224, SHEX("39f2d8d503aae8cd17854456ecfad49a18900d4375412bc6" "89181ed9c2ccafea98dca689a72dc75e5367d3d3abfc2169" "700d5891cff70f69d9aca093b061b9f5057f94636bc27831" "15254344fb12e33b167272e198838a8728e7744ea9a2e824" "8e34d5906e298302472637b879de91c1a6f9f331a5cf98a5" "af29132990d27416"), &signature); /* L=2048, N=256, SHA-256 */ mpz_set_str(pub.p, "a8adb6c0b4cf9588012e5deff1a871d383e0e2a85b5e8e03" "d814fe13a059705e663230a377bf7323a8fa117100200bfd" "5adf857393b0bbd67906c081e585410e38480ead51684dac" "3a38f7b64c9eb109f19739a4517cd7d5d6291e8af20a3fbf" "17336c7bf80ee718ee087e322ee41047dabefbcc34d10b66" "b644ddb3160a28c0639563d71993a26543eadb7718f317bf" "5d9577a6156561b082a10029cd44012b18de6844509fe058" "ba87980792285f2750969fe89c2cd6498db3545638d5379d" "125dccf64e06c1af33a6190841d223da1513333a7c9d7846" "2abaab31b9f96d5f34445ceb6309f2f6d2c8dde06441e879" "80d303ef9a1ff007e8be2f0be06cc15f", 16); mpz_set_str(pub.q, "e71f8567447f42e75f5ef85ca20fe557ab0343d37ed09edc" "3f6e68604d6b9dfb", 16); mpz_set_str(pub.g, "5ba24de9607b8998e66ce6c4f812a314c6935842f7ab54cd" "82b19fa104abfb5d84579a623b2574b37d22ccae9b3e415e" "48f5c0f9bcbdff8071d63b9bb956e547af3a8df99e5d3061" "979652ff96b765cb3ee493643544c75dbe5bb39834531952" "a0fb4b0378b3fcbb4c8b5800a5330392a2a04e700bb6ed7e" "0b85795ea38b1b962741b3f33b9dde2f4ec1354f09e2eb78" "e95f037a5804b6171659f88715ce1a9b0cc90c27f35ef2f1" "0ff0c7c7a2bb0154d9b8ebe76a3d764aa879af372f4240de" "8347937e5a90cec9f41ff2f26b8da9a94a225d1a913717d7" "3f10397d2183f1ba3b7b45a68f1ff1893caf69a827802f7b" "6a48d51da6fbefb64fd9a6c5b75c4561", 16); mpz_set_str(pub.y, "5a55dceddd1134ee5f11ed85deb4d634a3643f5f36dc3a70" "689256469a0b651ad22880f14ab85719434f9c0e407e60ea" "420e2a0cd29422c4899c416359dbb1e592456f2b3cce2332" "59c117542fd05f31ea25b015d9121c890b90e0bad033be13" "68d229985aac7226d1c8c2eab325ef3b2cd59d3b9f7de7db" "c94af1a9339eb430ca36c26c46ecfa6c5481711496f624e1" "88ad7540ef5df26f8efacb820bd17a1f618acb50c9bc197d" "4cb7ccac45d824a3bf795c234b556b06aeb9291734532520" "84003f69fe98045fe74002ba658f93475622f76791d9b262" "3d1b5fff2cc16844746efd2d30a6a8134bfc4c8cc80a4610" "7901fb973c28fc553130f3286c1489da", 16); mpz_set_str(signature.r, "633055e055f237c38999d81c397848c38cce80a55b649d9e" "7905c298e2a51447", 16); mpz_set_str(signature.s, "2bbf68317660ec1e4b154915027b0bc00ee19cfc0bf75d01" "930504f2ce10a8b0", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("4e3a28bcf90d1d2e75f075d9fbe55b36c5529b17bc3a9cca" "ba6935c9e20548255b3dfae0f91db030c12f2c344b3a29c4" "151c5b209f5e319fdf1c23b190f64f1fe5b330cb7c8fa952" "f9d90f13aff1cb11d63181da9efc6f7e15bfed4862d1a62c" "7dcf3ba8bf1ff304b102b1ec3f1497dddf09712cf323f561" "0a9d10c3d9132659"), &signature); /* L=2048, N=256, SHA-384 */ mpz_set_str(pub.p, "a6167c16fff74e29342b8586aed3cd896f7b1635a2286ff1" "6fdff41a06317ca6b05ca2ba7c060ad6db1561621ccb0c40" "b86a03619bfff32e204cbd90b79dcb5f86ebb493e3bd1988" "d8097fa23fa4d78fb3cddcb00c466423d8fa719873c37645" "fe4eecc57171bbedfe56fa9474c96385b8ba378c79972d7a" "aae69a2ba64cde8e5654f0f7b74550cd3447e7a472a33b40" "37db468dde31c348aa25e82b7fc41b837f7fc226a6103966" "ecd8f9d14c2d3149556d43829f137451b8d20f8520b0ce8e" "3d705f74d0a57ea872c2bdee9714e0b63906cddfdc28b677" "7d19325000f8ed5278ec5d912d102109319cba3b6469d467" "2909b4f0dbeec0bbb634b551ba0cf213", 16); mpz_set_str(pub.q, "8427529044d214c07574f7b359c2e01c23fd97701b328ac8" "c1385b81c5373895", 16); mpz_set_str(pub.g, "6fc232415c31200cf523af3483f8e26ace808d2f1c6a8b86" "3ab042cc7f6b7144b2d39472c3cb4c7681d0732843503d8f" "858cbe476e6740324aaa295950105978c335069b919ff9a6" "ff4b410581b80712fe5d3e04ddb4dfd26d5e7fbca2b0c52d" "8d404343d57b2f9b2a26daa7ece30ceab9e1789f9751aaa9" "387049965af32650c6ca5b374a5ae70b3f98e053f51857d6" "bbb17a670e6eaaf89844d641e1e13d5a1b24d053dc6b8fd1" "01c624786951927e426310aba9498a0042b3dc7bbc59d705" "f80d9b807de415f7e94c5cf9d789992d3bb8336d1d808cb8" "6b56dde09d934bb527033922de14bf307376ab7d22fbcd61" "6f9eda479ab214a17850bdd0802a871c", 16); mpz_set_str(pub.y, "5ca7151bca0e457bbc46f59f71d81ab16688dc0eb7e4d17b" "166c3326c5b12c5bdebb3613224d1a754023c50b83cb5ecc" "139096cef28933b3b12ca31038e4089383597c59cc27b902" "be5da62cae7da5f4af90e9410ed1604082e2e38e25eb0b78" "dfac0aeb2ad3b19dc23539d2bcd755db1cc6c9805a7dd109" "e1c98667a5b9d52b21c2772121b8d0d2b246e5fd3da80728" "e85bbf0d7067d1c6baa64394a29e7fcbf80842bd4ab02b35" "d83f59805a104e0bd69d0079a065f59e3e6f21573a00da99" "0b72ea537fa98caaa0a58800a7e7a0623e263d4fca65ebb8" "eded46efdfe7db92c9ebd38062d8f12534f015b186186ee2" "361d62c24e4f22b3e95da0f9062ce04d", 16); mpz_set_str(signature.r, "4fd8f25c059030027381d4167c3174b6be0088c15f0a573d" "7ebd05960f5a1eb2", 16); mpz_set_str(signature.s, "5f56869cee7bf64fec5d5d6ea15bb1fa1169003a87eccc16" "21b90a1b892226f2", 16); test_dsa_verify(params, pub.y, &nettle_sha384, SHEX("8c78cffdcf25d8230b835b30512684c9b252115870b603d1" "b4ba2eb5d35b33f26d96b684126ec34fff67dfe5c8c856ac" "fe3a9ff45ae11d415f30449bcdc3bf9a9fb5a7e48afeaba6" "d0b0fc9bce0197eb2bf7a840249d4e550c5a25dc1c71370e" "67933edad2362fae6fad1efba5c08dc1931ca2841b44b78c" "0c63a1665ffac860"), &signature); /* L=3072, N=256, SHA-1 */ mpz_set_str(pub.p, "fd5a6c56dd290f7dd84a29de17126eb4e4487b3eff0a44ab" "e5c59792d2e1200b9c3db44d528b9f7d2248032e4ba0f7bf" "c4fafc706be511db2276c0b7ecffd38da2e1c2f237a75390" "c1e4d3239cba8e20e55840ecb05df5f01a1b6977ad1906f2" "cb544ccfb93b901ad0966b1832ad2dab526244a3156c905c" "01ac51cb73b9dcd9860d56175a425d846485d9b1f44a8a0c" "2578e6cf61947bc1a1392fdd320b16a9d70455fe436f2d47" "ded8e8e605f7486eb578ea7fc4ffd13c07f9996af159fd41" "1e9451403278dd1141a8c926b35c96384bbd6bee09c46f44" "c36b1ffc7197f5e925dbe0544a68e6ab8c18e426a466b392" "f9c27dd79fefa9ca163cc5a375539a8559f277f657a535d1" "964c6a5e91683ef5698ebaa01ef818dbf72cb04c3ff092d1" "88866f25cd405108f566b087f73d2d5beb51fac6de84ae51" "61a66af9602c7e4bfc146f4820bdfc092faeac69133e4a08" "a5b202a12498a22e57bad54674ed4b510109d52b5f74e70e" "1f6f82161718cd4cf00cc9f1958acc8bddcdfbd1fbe46cd1", 16); mpz_set_str(pub.q, "800000000000000000000000334a26dd8f49c6811ce81bb1" "342b06e980f64b75", 16); mpz_set_str(pub.g, "99ab030a21a5c9818174872167641c81c1e03c9b274cfbc2" "7bc472542927766de5fa0539b3b73f3f16ac866a9aec8b44" "5ded97fbff08834ed98c77e7fc89e5dc657bef766ff7fbf8" "e76873e17bee412762d56fe1141760ab4d25bafd4b6ef25b" "49a3506632d1f8e10770930760ec1325932c5a4baf9e9015" "4264ddf442ec5c41fed95d11525151dbcfb3758149bad81c" "62b9cff7816b8f953b8b7c022590d1584e921dc955f5328a" "c72983ed5cf0d04056fe0d531e62f8f6c9ab3c0fcd44e148" "60b7311d2561c77c1d32f6c69dc8f77968c9d881ad9db5e0" "c114fda8628bca0335eb7fb9e15e625aabab58fc01194c81" "bf6fb2ce54077b82250e57c6a7b25deb6ee39d4b686a5c30" "7a7612b2d85ee92512413dea297e44f317be7ceb70a3328a" "f0b401001a418562b8ffe4e9771b4b4a8e0b40c791349d5d" "4e459fe620a1a2fc72e2f6ca28567d4c2632bbde1b49864c" "06bb12619f132c1da8f571ef613eac739f66ab3914cb3fa1" "ab86e05e5082ebaa24ebeea4cf51beefc27df512fe3fee7d", 16); mpz_set_str(pub.y, "e7c2ee18c3aa362c0182c6a56c2584628083c73e045beda8" "d653690c9c2f6544edf9702c57c455273905336a5f517110" "7a313cd7d0b0f50f8d3342c60219f22a9023394059d05f46" "4c4496d55dab6eb0898527ff4cf5678e7b5bfb5e18d92c4a" "9d73288cce14530fc4702f6d0397ec39a880c4a72d358730" "c56633386ede028023c1791f3164d1574e7823c79b8a3ca1" "343ea166ba6f02b7ff7e9ef2198db107f7cc159f3b6a1c00" "a78c355c566deb0ac6fde3f633cb9177a1fbc6c1766ca021" "d5fec470101abb440d2f06982181a8c92b7cdd765336b9a1" "e1ab70283d6db0a963fb648c37c4e29a74c37577291049ab" "47cdbc104c04db966681ea8ebb9f00cf4c4a546211737957" "5fbda4b801979451fa94b19b4e93656705c0f734f3e0914b" "b96c1e2b8a0fb68faf14296efdf3300ad95bcde8b67cc4b2" "6e6488eef925cfaeac6f0d6567e8b41355f89d1c2b8fe687" "bfa2df5e287e1305b89b8c388c26196090ac0351abc561aa" "dc797da8ccea4146c3e96095ebce353e0da4c55019052caa", 16); mpz_set_str(signature.r, "21ca148cdf44be4ae93b2f353b8e512d03ad96dafa80623f" "de4922a95f032732", 16); mpz_set_str(signature.s, "73e48b77a3aa44307483c2dd895cb51db2112177c185c59c" "b1dcff32fda02a4f", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("ca84af5c9adbc0044db00d7acfb1b493aab0388ffbad47b3" "8cd3e9e3111cfe2cda2a45f751c46862f05bdcec4b698adf" "d2e1606e484c3be4ac0c379d4fbc7c2cda43e922811d7f6c" "33040e8e65d5f317684b90e26387cf931fe7c2f515058d75" "3b08137ff2c6b79c910de8283149e6872cb66f7e02e66f23" "71785129569362f1"), &signature); /* L=3072, N=256, SHA-256 */ mpz_set_str(pub.p, "c7b86d7044218e367453d210e76433e4e27a983db1c560bb" "9755a8fb7d819912c56cfe002ab1ff3f72165b943c0b28ed" "46039a07de507d7a29f738603decd1270380a41f971f2592" "661a64ba2f351d9a69e51a888a05156b7fe1563c4b77ee93" "a44949138438a2ab8bdcfc49b4e78d1cde766e5498476005" "7d76cd740c94a4dd25a46aa77b18e9d707d6738497d4eac3" "64f4792d9766a16a0e234807e96b8c64d404bbdb876e39b5" "799ef53fe6cb9bab62ef19fdcc2bdd905beda13b9ef7ac35" "f1f557cb0dc458c019e2bc19a9f5dfc1e4eca9e6d4665641" "24304a31f038605a3e342da01be1c2b545610edd2c1397a3" "c8396588c6329efeb4e165af5b368a39a88e4888e39f40bb" "3de4eb1416672f999fead37aef1ca9643ff32cdbc0fcebe6" "28d7e46d281a989d43dd21432151af68be3f6d56acfbdb6c" "97d87fcb5e6291bf8b4ee1275ae0eb4383cc753903c8d29f" "4adb6a547e405decdff288c5f6c7aa30dcb12f84d392493a" "70933317c0f5e6552601fae18f17e6e5bb6bf396d32d8ab9", 16); mpz_set_str(pub.q, "876fa09e1dc62b236ce1c3155ba48b0ccfda29f3ac5a97f7" "ffa1bd87b68d2a4b", 16); mpz_set_str(pub.g, "110afebb12c7f862b6de03d47fdbc3326e0d4d31b12a8ca9" "5b2dee2123bcc667d4f72c1e7209767d2721f95fbd9a4d03" "236d54174fbfaff2c4ff7deae4738b20d9f37bf0a1134c28" "8b420af0b5792e47a92513c0413f346a4edbab2c45bdca13" "f5341c2b55b8ba54932b9217b5a859e553f14bb8c120fbb9" "d99909dff5ea68e14b379964fd3f3861e5ba5cc970c4a180" "eef54428703961021e7bd68cb637927b8cbee6805fa27285" "bfee4d1ef70e02c1a18a7cd78bef1dd9cdad45dde9cd6907" "55050fc4662937ee1d6f4db12807ccc95bc435f11b71e708" "6048b1dab5913c6055012de82e43a4e50cf93feff5dcab81" "4abc224c5e0025bd868c3fc592041bba04747c10af513fc3" "6e4d91c63ee5253422cf4063398d77c52fcb011427cbfcfa" "67b1b2c2d1aa4a3da72645cb1c767036054e2f31f88665a5" "4461c885fb3219d5ad8748a01158f6c7c0df5a8c908ba8c3" "e536822428886c7b500bbc15b49df746b9de5a78fe3b4f69" "91d0110c3cbff458039dc36261cf46af4bc2515368f4abb7", 16); mpz_set_str(pub.y, "456a105c713566234838bc070b8a751a0b57767cb75e9911" "4a1a46641e11da1fa9f22914d808ad7148612c1ea55d2530" "1781e9ae0c9ae36a69d87ba039ec7cd864c3ad094873e6e5" "6709fd10d966853d611b1cff15d37fdee424506c184d62c7" "033358be78c2250943b6f6d043d63b317de56e5ad8d1fd97" "dd355abe96452f8e435485fb3b907b51900aa3f24418df50" "b4fcdafbf6137548c39373b8bc4ba3dabb4746ebd17b87fc" "d6a2f197c107b18ec5b465e6e4cb430d9c0ce78da5988441" "054a370792b730da9aba41a3169af26176f74e6f7c0c9c9b" "55b62bbe7ce38d4695d48157e660c2acb63f482f55418150" "e5fee43ace84c540c3ba7662ae80835c1a2d51890ea96ba2" "06427c41ef8c38aa07d2a365e7e58380d8f4782e22ac2101" "af732ee22758337b253637838e16f50f56d313d07981880d" "685557f7d79a6db823c61f1bb3dbc5d50421a4843a6f2969" "0e78aa0f0cff304231818b81fc4a243fc00f09a54c466d6a" "8c73d32a55e1abd5ec8b4e1afa32a79b01df85a81f3f5cfe", 16); mpz_set_str(signature.r, "53bae6c6f336e2eb311c1e92d95fc449a929444ef81ec427" "9660b200d59433de", 16); mpz_set_str(signature.s, "49f3a74e953e77a7941af3aefeef4ed499be209976a0edb3" "fa5e7cb961b0c112", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("cb06e02234263c22b80e832d6dc5a1bee5ea8af3bc2da752" "441c04027f176158bfe68372bd67f84d489c0d49b07d4025" "962976be60437be1a2d01d3be0992afa5abe0980e26a9da4" "ae72f827b423665195cc4eed6fe85c335b32d9c03c945a86" "e7fa99373f0a30c6eca938b3afb6dff67adb8bece6f8cfec" "4b6a12ea281e2323"), &signature); /* L=3072, N=256, SHA-384 */ mpz_set_str(pub.p, "a410d23ed9ad9964d3e401cb9317a25213f75712acbc5c12" "191abf3f1c0e723e2333b49eb1f95b0f9748d952f04a5ae3" "58859d384403ce364aa3f58dd9769909b45048548c55872a" "6afbb3b15c54882f96c20df1b2df164f0bac849ca17ad2df" "63abd75c881922e79a5009f00b7d631622e90e7fa4e98061" "8575e1d6bd1a72d5b6a50f4f6a68b793937c4af95fc11541" "759a1736577d9448b87792dff07232415512e933755e1225" "0d466e9cc8df150727d747e51fea7964158326b1365d580c" "b190f4518291598221fdf36c6305c8b8a8ed05663dd7b006" "e945f592abbecae460f77c71b6ec649d3fd5394202ed7bbb" "d040f7b8fd57cb06a99be254fa25d71a3760734046c2a0db" "383e02397913ae67ce65870d9f6c6f67a9d00497be1d763b" "21937cf9cbf9a24ef97bbcaa07916f8894e5b7fb03258821" "ac46140965b23c5409ca49026efb2bf95bce025c4183a5f6" "59bf6aaeef56d7933bb29697d7d541348c871fa01f869678" "b2e34506f6dc0a4c132b689a0ed27dc3c8d53702aa584877", 16); mpz_set_str(pub.q, "abc67417725cf28fc7640d5de43825f416ebfa80e191c42e" "e886303338f56045", 16); mpz_set_str(pub.g, "867d5fb72f5936d1a14ed3b60499662f3124686ef108c5b3" "da6663a0e86197ec2cc4c9460193a74ff16028ac9441b0c7" "d27c2272d483ac7cd794d598416c4ff9099a61679d417d47" "8ce5dd974bf349a14575afe74a88b12dd5f6d1cbd3f91ddd" "597ed68e79eba402613130c224b94ac28714a1f1c552475a" "5d29cfcdd8e08a6b1d65661e28ef313514d1408f5abd3e06" "ebe3a7d814d1ede316bf495273ca1d574f42b482eea30db5" "3466f454b51a175a0b89b3c05dda006e719a2e6371669080" "d768cc038cdfb8098e9aad9b8d83d4b759f43ac9d22b353e" "d88a33723550150de0361b7a376f37b45d437f71cb711f28" "47de671ad1059516a1d45755224a15d37b4aeada3f58c69a" "136daef0636fe38e3752064afe598433e80089fda24b144a" "462734bef8f77638845b00e59ce7fa4f1daf487a2cada11e" "aba72bb23e1df6b66a183edd226c440272dd9b06bec0e57f" "1a0822d2e00212064b6dba64562085f5a75929afa5fe509e" "0b78e630aaf12f91e4980c9b0d6f7e059a2ea3e23479d930", 16); mpz_set_str(pub.y, "1f0a5c75e7985d6e70e4fbfda51a10b925f6accb600d7c65" "10db90ec367b93bb069bd286e8f979b22ef0702f717a8755" "c18309c87dae3fe82cc3dc8f4b7aa3d5f3876f4d4b3eb68b" "fe910c43076d6cd0d39fc88dde78f09480db55234e6c8ca5" "9fe2700efec04feee6b4e8ee2413721858be7190dbe905f4" "56edcab55b2dc2916dc1e8731988d9ef8b619abcf8955aa9" "60ef02b3f02a8dc649369222af50f1338ed28d667f3f10ca" "e2a3c28a3c1d08df639c81ada13c8fd198c6dae3d62a3fe9" "f04c985c65f610c06cb8faea68edb80de6cf07a8e89c0021" "8185a952b23572e34df07ce5b4261e5de427eb503ee1baf5" "992db6d438b47434c40c22657bc163e7953fa33eff39dc27" "34607039aadd6ac27e4367131041f845ffa1a13f556bfba2" "307a5c78f2ccf11298c762e08871968e48dc3d1569d09965" "cd09da43cf0309a16af1e20fee7da3dc21b364c4615cd512" "3fa5f9b23cfc4ffd9cfdcea670623840b062d4648d2eba78" "6ad3f7ae337a4284324ace236f9f7174fbf442b99043002f", 16); mpz_set_str(signature.r, "7695698a14755db4206e850b4f5f19c540b07d07e08aac59" "1e20081646e6eedc", 16); mpz_set_str(signature.s, "3dae01154ecff7b19007a953f185f0663ef7f2537f0b15e0" "4fb343c961f36de2", 16); test_dsa_verify(params, pub.y, &nettle_sha384, SHEX("ed9a64d3109ef8a9292956b946873ca4bd887ce624b81be8" "1b82c69c67aaddf5655f70fe4768114db2834c71787f858e" "5165da1a7fa961d855ad7e5bc4b7be31b97dbe770798ef79" "66152b14b86ae35625a28aee5663b9ef3067cbdfbabd8719" "7e5c842d3092eb88dca57c6c8ad4c00a19ddf2e1967b59bd" "06ccaef933bc28e7"), &signature); /* L=3072, N=256, SHA-512 */ mpz_set_str(pub.p, "c1d0a6d0b5ed615dee76ac5a60dd35ecb000a202063018b1" "ba0a06fe7a00f765db1c59a680cecfe3ad41475badb5ad50" "b6147e2596b88d34656052aca79486ea6f6ec90b23e363f3" "ab8cdc8b93b62a070e02688ea877843a4685c2ba6db111e9" "addbd7ca4bce65bb10c9ceb69bf806e2ebd7e54edeb7f996" "a65c907b50efdf8e575bae462a219c302fef2ae81d73cee7" "5274625b5fc29c6d60c057ed9e7b0d46ad2f57fe01f82323" "0f31422722319ce0abf1f141f326c00fbc2be4cdb8944b6f" "d050bd300bdb1c5f4da72537e553e01d51239c4d461860f1" "fb4fd8fa79f5d5263ff62fed7008e2e0a2d36bf7b9062d0d" "75db226c3464b67ba24101b085f2c670c0f87ae530d98ee6" "0c5472f4aa15fb25041e19106354da06bc2b1d322d40ed97" "b21fd1cdad3025c69da6ce9c7ddf3dcf1ea4d56577bfdec2" "3071c1f05ee4077b5391e9a404eaffe12d1ea62d06acd6bf" "19e91a158d2066b4cd20e4c4e52ffb1d5204cd022bc7108f" "2c799fb468866ef1cb09bce09dfd49e4740ff8140497be61", 16); mpz_set_str(pub.q, "bf65441c987b7737385eadec158dd01614da6f15386248e59f3cddbefc8e9dd1", 16); mpz_set_str(pub.g, "c02ac85375fab80ba2a784b94e4d145b3be0f92090eba17b" "d12358cf3e03f4379584f8742252f76b1ede3fc37281420e" "74a963e4c088796ff2bab8db6e9a4530fc67d51f88b905ab" "43995aab46364cb40c1256f0466f3dbce36203ef228b35e9" "0247e95e5115e831b126b628ee984f349911d30ffb9d613b" "50a84dfa1f042ba536b82d5101e711c629f9f2096dc834de" "ec63b70f2a2315a6d27323b995aa20d3d0737075186f5049" "af6f512a0c38a9da06817f4b619b94520edfac85c4a6e2e1" "86225c95a04ec3c3422b8deb284e98d24b31465802008a09" "7c25969e826c2baa59d2cba33d6c1d9f3962330c1fcda7cf" "b18508fea7d0555e3a169daed353f3ee6f4bb30244319161" "dff6438a37ca793b24bbb1b1bc2194fc6e6ef60278157899" "cb03c5dd6fc91a836eb20a25c09945643d95f7bd50d20668" "4d6ffc14d16d82d5f781225bff908392a5793b803f9b70b4" "dfcb394f9ed81c18e391a09eb3f93a032d81ba670cabfd6f" "64aa5e3374cb7c2029f45200e4f0bfd820c8bd58dc5eeb34", 16); mpz_set_str(pub.y, "6da54f2b0ddb4dcce2da1edfa16ba84953d8429ce60cd111" "a5c65edcf7ba5b8d9387ab6881c24880b2afbdb437e9ed7f" "fb8e96beca7ea80d1d90f24d546112629df5c9e9661742cc" "872fdb3d409bc77b75b17c7e6cfff86261071c4b5c9f9898" "be1e9e27349b933c34fb345685f8fc6c12470d124cecf51b" "5d5adbf5e7a2490f8d67aac53a82ed6a2110686cf631c348" "bcbc4cf156f3a6980163e2feca72a45f6b3d68c10e5a2283" "b470b7292674490383f75fa26ccf93c0e1c8d0628ca35f2f" "3d9b6876505d118988957237a2fc8051cb47b410e8b7a619" "e73b1350a9f6a260c5f16841e7c4db53d8eaa0b4708d62f9" "5b2a72e2f04ca14647bca6b5e3ee707fcdf758b925eb8d4e" "6ace4fc7443c9bc5819ff9e555be098aa055066828e21b81" "8fedc3aac517a0ee8f9060bd86e0d4cce212ab6a3a243c5e" "c0274563353ca7103af085e8f41be524fbb75cda88903907" "df94bfd69373e288949bd0626d85c1398b3073a139d5c747" "d24afdae7a3e745437335d0ee993eef36a3041c912f7eb58", 16); mpz_set_str(signature.r, "a40a6c905654c55fc58e99c7d1a3feea2c5be64823d4086c" "e811f334cfdc448d", 16); mpz_set_str(signature.s, "6478050977ec585980454e0a2f26a03037b921ca588a78a4" "daff7e84d49a8a6c", 16); test_dsa_verify(params, pub.y, &nettle_sha512, SHEX("494180eed0951371bbaf0a850ef13679df49c1f13fe3770b" "6c13285bf3ad93dc4ab018aab9139d74200808e9c55bf883" "00324cc697efeaa641d37f3acf72d8c97bff0182a35b9401" "50c98a03ef41a3e1487440c923a988e53ca3ce883a2fb532" "bb7441c122f1dc2f9d0b0bc07f26ba29a35cdf0da846a9d8" "eab405cbf8c8e77f"), &signature); dsa_public_key_clear(&pub); dsa_private_key_clear(&key); dsa_signature_clear(&signature); } nettle-3.4.1/testsuite/eddsa-compress-test.c0000644000175000017500000000554113401564746020140 0ustar nissenisse/* eddsa-compress-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" #define COUNT 1000 void test_main (void) { const struct ecc_curve *ecc = &_nettle_curve25519; gmp_randstate_t rands; mp_size_t size, itch; mpz_t zp, t; mp_limb_t *s; mp_limb_t *p; mp_limb_t *pa1; mp_limb_t *pa2; mp_limb_t *scratch; size_t clen; uint8_t *c; unsigned j; gmp_randinit_default (rands); size = ecc_size (ecc); clen = 1 + ecc->p.bit_size / 8; mpz_roinit_n (zp, ecc->p.m, size); mpz_init (t); s = xalloc_limbs (size); p = xalloc_limbs (ecc_size_j (ecc)); pa1 = xalloc_limbs (ecc_size_a (ecc)); pa2 = xalloc_limbs (ecc_size_a (ecc)); c = xalloc (clen); itch = _eddsa_decompress_itch (ecc); if (itch < ecc->mul_g_itch) itch = ecc->mul_g_itch; scratch = xalloc_limbs (itch); for (j = 0; j < COUNT; j++) { mpz_t x1, y1, x2, y2; mpz_urandomb (t, rands, ecc->q.bit_size); mpz_limbs_copy (s, t, ecc->q.size); ecc->mul_g (ecc, p, s, scratch); _eddsa_compress (ecc, c, p, scratch); ecc->h_to_a (ecc, 0, pa1, p, scratch); _eddsa_decompress (ecc, pa2, c, scratch); mpz_roinit_n (x1, pa1, size); mpz_roinit_n (y1, pa1 + size, size); mpz_roinit_n (x2, pa2, size); mpz_roinit_n (y2, pa2 + size, size); if (!(mpz_congruent_p (x1, x2, zp) && mpz_congruent_p (y1, y2, zp))) { fprintf (stderr, "eddsa compression failed:\nc = "); print_hex (clen, c); fprintf (stderr, "\np1 = 0x"); mpz_out_str (stderr, 16, x1); fprintf (stderr, ",\n 0x"); mpz_out_str (stderr, 16, y1); fprintf (stderr, "\np2 = 0x"); mpz_out_str (stderr, 16, x2); fprintf (stderr, ",\n 0x"); mpz_out_str (stderr, 16, y2); fprintf (stderr, "\n"); abort (); } } mpz_clear (t); free (s); free (p); free (c); free (pa1); free (pa2); free (scratch); gmp_randclear (rands); } nettle-3.4.1/testsuite/knuth-lfib-test.c0000644000175000017500000000046713401564746017274 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" void test_main(void) { struct knuth_lfib_ctx ctx; uint32_t a[2009]; uint32_t x; unsigned m; knuth_lfib_init(&ctx, 310952); for (m = 0; m<2009; m++) knuth_lfib_get_array(&ctx, 1009, a); x = knuth_lfib_get(&ctx); ASSERT (x == 461390032); } nettle-3.4.1/testsuite/sha3-224-test.c0000644000175000017500000030237613401564746016400 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_224.txt using sha3.awk. */ test_hash(&nettle_sha3_224, /* 0 octets */ SHEX(""), SHEX("6B4E03423667DBB73B6E15454F0EB1ABD4597F9A1B078E3F5B5A6BC7")); test_hash(&nettle_sha3_224, /* 1 octets */ SHEX("CC"), SHEX("DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39")); test_hash(&nettle_sha3_224, /* 2 octets */ SHEX("41FB"), SHEX("BFF295861DAEDF33E70519B1E2BCB4C2E9FE3364D789BC3B17301C15")); test_hash(&nettle_sha3_224, /* 3 octets */ SHEX("1F877C"), SHEX("14889DF49C076A9AF2F4BCB16339BCC45A24EBF9CE4DCDCE7EC17217")); test_hash(&nettle_sha3_224, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("A33C58DF8A8026F0F9591966BD6D00EED3B1E829580AB9BE268CAF39")); test_hash(&nettle_sha3_224, /* 5 octets */ SHEX("21F134AC57"), SHEX("10E580A32199596169331AD43CFCF10264F81565037040028A06B458")); test_hash(&nettle_sha3_224, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("FE52C30C95C1E5193207E97D355FDE09453482708C0876AA961508F0")); test_hash(&nettle_sha3_224, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("8B449849CB7C4776C593DE58FD5C2E322CB5316BE08A75057A01ED6A")); test_hash(&nettle_sha3_224, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("01386CDD70589B3B34941EFE16B85071E9BA948179922044F640868E")); test_hash(&nettle_sha3_224, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("86953D0864019C81FD3A805357A162FD76A13A7CBF6FF0D635015D0E")); test_hash(&nettle_sha3_224, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("E56FC2A5A58709031DF02A2E46AD95F93583E2745630540D8D97F703")); test_hash(&nettle_sha3_224, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("1D783C37C32A2B71B504BCAA05FC00B639F1FAE7E8D8E3F3BC49F041")); test_hash(&nettle_sha3_224, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("54C7E4BF3C73E192ADE223DFEA86F2D04ACF953612731958F854C7BD")); test_hash(&nettle_sha3_224, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("77E51CEADA2AA1CBBF95ACD821008B57E946F7940223B19F0C53E62E")); test_hash(&nettle_sha3_224, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("9ED59ED155E97154E067FA0F5A130839B57BDBDA6FEB82DABE006F00")); test_hash(&nettle_sha3_224, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("81B3E56CFEEE8E9138D3BFE24BB7CCDFD4B50D0B8CA11AE7D4B0C960")); test_hash(&nettle_sha3_224, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("B1571BED52E54EEF377D99DF7BE4BC6682C43387F2BF9ACC92DF608F")); test_hash(&nettle_sha3_224, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("08045CF78D238D56972F1C850414BC404FC6DCB11F8D8210D034C610")); test_hash(&nettle_sha3_224, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("9FFD840C550AD23971EB5CE89AE2FD6222ABFB7F0AAFD7EB0005716B")); test_hash(&nettle_sha3_224, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("72DECB5EA1B25A2DAAEB234A8D96E0F57211426666A2EE76B2385C62")); test_hash(&nettle_sha3_224, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("A589936370A3D20039C469D44A1C26E62823AB28CC50175A9897F98E")); test_hash(&nettle_sha3_224, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("96F43401AD49C58D887020F395BDD01F6DAD04128A85B17780408C37")); test_hash(&nettle_sha3_224, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("A3A0F0C552E7CD2723FE22E1D5719E213D9A3DA1DB99E32EFFFD0F46")); test_hash(&nettle_sha3_224, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("E991F4A14B56DC6B224EF352AE8BC8CAE8B1AF1C25C6733DFB7FFE1F")); test_hash(&nettle_sha3_224, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("718866C21CBE3F291364C07B36078A6BF0B8258B0EC155E2E2B1AF23")); test_hash(&nettle_sha3_224, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("23606D06FD8F87C2205ABB5FD04C33EBA30509955200566A0F772B49")); test_hash(&nettle_sha3_224, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("05935F0AD2264475DF34FA96F6A9118C32B217E86169EB7ADE4E2FDB")); test_hash(&nettle_sha3_224, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("FBEC83CBDB6D08C7BFDDC2E37F73B16DC92926A5C23DAB41DEEBFB1B")); test_hash(&nettle_sha3_224, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("1E693B0BCE2372550DAEF35B14F13AB43441ED6742DEE3E86FD1D8EF")); test_hash(&nettle_sha3_224, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("1781F1344DC17F678571F4E5DF3998B1D38B1D83602B53B9B6F283D6")); test_hash(&nettle_sha3_224, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("03B74B7D8FC1F23F76BAB2B6C35F292C15506DE64978FCF6D9973FCE")); test_hash(&nettle_sha3_224, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("6A6857FBA903B9DA2753690C39C548BE008E22EBB372EEAA16C85918")); test_hash(&nettle_sha3_224, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("887921848AD98458F3DB3E0ECD5AD5DB1F0BF9F2D0CA08601074D597")); test_hash(&nettle_sha3_224, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("E0573AD706B44D8C4D204F884B95AB18913E76F41CF29A16DBE34794")); test_hash(&nettle_sha3_224, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("BA31233099055483C99F7AD82D0D24AF487ED4B53FFF1A892A55DDB3")); test_hash(&nettle_sha3_224, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("BEFAA1CB47CF78DDD4E096B861BC340B776F52E351EBE378ADE305BA")); test_hash(&nettle_sha3_224, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("F1E7A1B28EA4D6FB86570F66911E3258C3F49F891654FBCE9BC79B8B")); test_hash(&nettle_sha3_224, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("C2B31746446934FE29E84CFB5C25B03BE33E9004F74E91C1AF0DB789")); test_hash(&nettle_sha3_224, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("3A80645FE4271346AAEDC3AE5011B75DF163FAD3EE6128D87F3D9DA3")); test_hash(&nettle_sha3_224, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("3C5EBE43A2571BCEF25E4EA67A4CA9838770D23599059955AF93FF83")); test_hash(&nettle_sha3_224, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("AF71DAB0F33D3B48733AD6335CA609398D894E6FA96F5510AE73E5D2")); test_hash(&nettle_sha3_224, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("DD7512DAA0C634CC1588870B84691D7DE2C182E5570D57868E7DDA5D")); test_hash(&nettle_sha3_224, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("6CB4F9292BA33CA8D293B7A7EF76619E77309BA2178CD4A130BF9218")); test_hash(&nettle_sha3_224, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("A9B8435E55FC50FE935EC96798A629C13E856C3C5CFD248126976E0D")); test_hash(&nettle_sha3_224, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("93E79850622B91F729AB056EA402E27F01B5323158111B29362A96D5")); test_hash(&nettle_sha3_224, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("7E51D5531382490670115DE13137CB3ADB6E7621B7D9ECA8170FAA96")); test_hash(&nettle_sha3_224, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("95C35037A8076926FC5C421C35160AC5FE533A2782F20F2D3F4B1B7D")); test_hash(&nettle_sha3_224, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("BF024A4FE480636118FCC85B807704D59B64D16A150AA53CDE41F030")); test_hash(&nettle_sha3_224, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("B7A51FBB084DEEB55136EFD7260E5B112E3C40D1A2D14B142DF930DF")); test_hash(&nettle_sha3_224, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("61CF830A2C4F8F48BC643F97A25F822C013F73BDF4CB4194BC8D55DF")); test_hash(&nettle_sha3_224, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("D87F62EA811A2F6BF3C5FDE13475B9C676620C0184F87149DC8686C8")); test_hash(&nettle_sha3_224, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("028A639C7EC0BA1DCEC0B689AA26E2C0167622462669A5C52031602B")); test_hash(&nettle_sha3_224, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("908EF28AB2B6CBB449B9AF7FA78B3D90E019C3916562EB4819A0C87F")); test_hash(&nettle_sha3_224, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("6AC84149F890E1352C6D7397DAC3B3773947B3757E8ED4EC059EF899")); test_hash(&nettle_sha3_224, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("45DA27715CD75F5875BEB7D914CF7488240D1B1F975D430D2F49E9BF")); test_hash(&nettle_sha3_224, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("63AFBABBEC072140DFCEFE64CF7BC9534DCA10956042E31DBE58D0A5")); test_hash(&nettle_sha3_224, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("6487193D9CBE593B3DAA50D4DFDF7DD2612300BB93CB39E3EEFA1AFA")); test_hash(&nettle_sha3_224, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("0DEC25BE3277E27D4F784AD5FF8F79D61D9A309BD693513ACBEED12F")); test_hash(&nettle_sha3_224, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("130B67C6D1A5616227ABD73ABF6FEB70FCE1D5A4BF3338C6DCCB39D5")); test_hash(&nettle_sha3_224, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("3ABB5ACB8485E20BB620D4A030B9C25D3156A9B26893AE007C79F305")); test_hash(&nettle_sha3_224, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("922E216529A95305307E908C69367EBB9AD931ECA314563AC36AAB80")); test_hash(&nettle_sha3_224, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("C72E93A2C39ABCD90AB11CD3F15D59DA3C23C0F17C4E26C9C5890887")); test_hash(&nettle_sha3_224, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("CCCC3B59F28C3FC462DC0A696150F5AEA62DA0ABA97C476BD0D866C1")); test_hash(&nettle_sha3_224, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("28CFD0C6F0208D24AAA69E6C39F5257C13303E91C2D683A9AF29B973")); test_hash(&nettle_sha3_224, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("C154607F986F9BF902D831293C8386D36B201EABA6F6FB0B678B4B81")); test_hash(&nettle_sha3_224, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("95E87AC90F541AB90CBCF7FD7E0E0C152CEF78D5EE1830E9ED8A1ED7")); test_hash(&nettle_sha3_224, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("35BD7D02541D6D4B10ACE6029A24C07A38FD563ABA227F0F776EA5E2")); test_hash(&nettle_sha3_224, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("99DECB8CF1D474970B3CFA87FA462B75E3287B98B4BE4093429E22D6")); test_hash(&nettle_sha3_224, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("8C20FD3D8E08235B01727A4DF44D86E71E824F14B0C2FE4E8DA7F1BB")); test_hash(&nettle_sha3_224, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("E29E68439AECDE56F5297FB935DC7DBE63D61CE360A19629195BD8AA")); test_hash(&nettle_sha3_224, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("5D2164DA84E7707CD1E789711A664AB2EBCF66EBA899A909A1D0CBEC")); test_hash(&nettle_sha3_224, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("FA263B093EA3F96B52DB6251EA25A5254ADA5B54D476CB0794D38889")); test_hash(&nettle_sha3_224, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("D803E320A9865EBF3555E8A3E3134768A2EE1B3E59FA15F35C2EC550")); test_hash(&nettle_sha3_224, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("102925B63B3E9395F88124C3BFA777F29A5B41C13B62ADD7C271CD6E")); test_hash(&nettle_sha3_224, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("6C4E83CD9258205F3C2BCF64149F4ACDCEE7742CB2D36038537171BD")); test_hash(&nettle_sha3_224, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("C74C9EBB2EF9A9822A6228BD1186DCC4411BC59EC938DF27E54B0815")); test_hash(&nettle_sha3_224, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("D23420F9985D66F097D43A0FB2434149D2B33F21B5BAD6CFC250E072")); test_hash(&nettle_sha3_224, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("102EDD2E946F33DD7AA553EA4CE4E659C7B240E1E28BC66200845D87")); test_hash(&nettle_sha3_224, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("7C8EB98B7338403C013D65C0B5BB4B5D2CBF539CB1109CF447FA6650")); test_hash(&nettle_sha3_224, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("C7B07DE91EFCE42DAB78199EE2EB3014A494994236A12B3DE2330C25")); test_hash(&nettle_sha3_224, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("2FCEF2594AE855DE4FC66DCCC517A659118B3A9F2E5FE638980ADBFB")); test_hash(&nettle_sha3_224, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("D45873F0453CBF38156A1384E33E5C76588B7BFB48A709B3943D9186")); test_hash(&nettle_sha3_224, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("3543ADD5B7EDFC83AFE7C1F2D55140AEDB858304628109FD077B3860")); test_hash(&nettle_sha3_224, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("36784F114958D8B5B625DD89A4E3973A113E5D1610DFA55B4FB45AEC")); test_hash(&nettle_sha3_224, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("4187FEAED4FBD3D505A96A8D60668A88172E4F7C8451A4A6802C5747")); test_hash(&nettle_sha3_224, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("6E4766DB4E9D1102CEE6DFE0AE2221321B9C0FE707F0A7825D7557EC")); test_hash(&nettle_sha3_224, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("E1FC972BFB294185F1980CA2938655FB583E812AD3D64FA5A4CF703E")); test_hash(&nettle_sha3_224, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("F6F28E3B65B684C9D9506061980046061390CCDE2458A20F9B086BE5")); test_hash(&nettle_sha3_224, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("F686D2B1386B02B08F6B02BD5D50206D5E138440CB0D93EBCC3B32A7")); test_hash(&nettle_sha3_224, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("46483375D112FC2BE7F611BE4B98DFADA38892C43CEFA586726B48BB")); test_hash(&nettle_sha3_224, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("E1E9AD568AE5B0D9731400BA4FC7DF0321A04EA41393BA6979C7179C")); test_hash(&nettle_sha3_224, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("133F31D9FBC1B2A33F1C98BFE21E129E0716A69EE27408743FFF17AC")); test_hash(&nettle_sha3_224, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("31328F04CA64E8521A36A8943C33CEB95BE1B9080F4533D6DA07606D")); test_hash(&nettle_sha3_224, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("ADD374B1D279469C08E7B27AE3FF1B04C3D0FB3EF6E59AA3AF86660B")); test_hash(&nettle_sha3_224, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("FED7FDE894D92CC3BB68FCC396B5EB00C4156F04FC9CED99D12CFA5B")); test_hash(&nettle_sha3_224, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("17FC0327DE474C78F538B4F3981674FF470AA42EF3B82C0CC34DE6DA")); test_hash(&nettle_sha3_224, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("88FEFBE8995E296A9DEE4DA2B414D5A7E134045639A6B176C2D736ED")); test_hash(&nettle_sha3_224, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("C002732F6F38AB83828921F5FCB4A8CE1FC561B0E9FA214C5FF02192")); test_hash(&nettle_sha3_224, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("44E9002F9D97D98BB439AFC361F93BB959523E73136A2C65B2E2B066")); test_hash(&nettle_sha3_224, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("2BFF16CBA9E50762D2288EB780078462C086F4CBF59479F5387A0B27")); test_hash(&nettle_sha3_224, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("5EFDC3CAA22EE2C2EB632D4C6645CE3EC63960DFD69A04BBE01156C5")); test_hash(&nettle_sha3_224, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("E8FB64A74387C9A3E1AC4ABC82D3591B6B349F2E5CDE6584D8D7C371")); test_hash(&nettle_sha3_224, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("DB224BCCF5CA86DFBA3EA372E2269750B532409EA004E82D4B5835E8")); test_hash(&nettle_sha3_224, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("4E28867DCEF3A7B759CA24D8107BEB0CBF9DB0F10A3C410A9B4BA8C8")); test_hash(&nettle_sha3_224, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("5C0C2DF13A1FD6762B6E50FB3E080E649C3A7A8DDA415C42FB637136")); test_hash(&nettle_sha3_224, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("36F5630EC2829B0FBAD84F150932E46647EDCC454E06B23166661D60")); test_hash(&nettle_sha3_224, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("DAC2594BCD357E63928A21E98348F27D0FA2C70EB07C7E8E93D6D84E")); test_hash(&nettle_sha3_224, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("24970DF3CF8C9E30DCBE661817FF74538AD43BC90B149ED7CAB7811B")); test_hash(&nettle_sha3_224, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("AD9BF420D2B570EBE7923A76B253F156F3513712955BCBB9A87394DB")); test_hash(&nettle_sha3_224, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("2F60928263FE1D5FA5136DA8DE1D2C3B60BD4B700A3E2C256E9536EF")); test_hash(&nettle_sha3_224, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("BFB40F7E7F81F2FEC7644E08FBC99C768ADC6314B8CCD833332F1BF8")); test_hash(&nettle_sha3_224, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("190E9FDA8A7D78343FF24ADE9FEE69650C7631AD6329D17D4BD575DB")); test_hash(&nettle_sha3_224, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("E26CD20B87083CB9F246D216E3DA51EF7C5519B483DB439D37256DBE")); test_hash(&nettle_sha3_224, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("6CAF807F6ABC1A7721A5F209FC09FD00474B9E2A77EF7B57E1320271")); test_hash(&nettle_sha3_224, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("64CD5291A1A0807BA7C14103A0F46C636795F8F8D3A12E59E88D9C51")); test_hash(&nettle_sha3_224, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("29491256A80BF1A9325348B5841EDC726FA8A53117268C47F74B5E49")); test_hash(&nettle_sha3_224, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("A523449B770A8DE3B39CD446046149FEAEE327D6D5B39929B9AAC915")); test_hash(&nettle_sha3_224, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("ABB2FCE213CE164C94AB7A763C21F638A3BB8D72F802DEADACC023AE")); test_hash(&nettle_sha3_224, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("C40D969F7218D71B904C4E4EACEB0473BA0A2E7339649DA5DFEB8938")); test_hash(&nettle_sha3_224, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("2EB28FDF458D4FECB5B441D910B576F630E666BBF30AAC90AB64425B")); test_hash(&nettle_sha3_224, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("A3387B2FA23A13BFAE77895F1F93935A0710EE3A027FF0D6399D8ECC")); test_hash(&nettle_sha3_224, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("75755F46C2FC86BD4AAE75919C6CA5B1A7375E466CA3170F70EEE490")); test_hash(&nettle_sha3_224, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("7184C69EE1C43FD564102CD68EF898D5D0D8264B9B0D044691BC18AF")); test_hash(&nettle_sha3_224, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("F50CF78FF46513C905399CC2510681A90CE089FCED40FBC9CF218CA4")); test_hash(&nettle_sha3_224, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("F2AABE18D7B4DD8E4DC0AC8DCF4E9019C7C9AF33D4B952DA41219FE5")); test_hash(&nettle_sha3_224, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("AC5D00D177E71D7B9A97270E6200E4D3D07851EB2E58B12BE0BEED95")); test_hash(&nettle_sha3_224, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("CB7979B4C6C2826CDEF7E1AADA85F8C4546DD59D29FC0AEA444F8077")); test_hash(&nettle_sha3_224, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("F9D8CCF6684693C40C81EBBD006C49984FBAF3A2B2E905ABE60765DD")); test_hash(&nettle_sha3_224, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("ED1F6387A7BE090277B65A5FCD7040C7BE0EEAF0FD7F14968097873B")); test_hash(&nettle_sha3_224, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("0A27CE6973CB22A8B10057A8E7A654058B71E6D8C69C653415FF0C81")); test_hash(&nettle_sha3_224, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("BE3BE49980F43FB6598BE921D7D8FDA1F397F605D9708C5D125C4E9F")); test_hash(&nettle_sha3_224, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("932137BF2CD32DDFD3BA80C525268730B6F7458601B5296AEB325183")); test_hash(&nettle_sha3_224, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("796698CE24EFCDA8214D161138F3C7DA6D7615E4CF1DAC63B69941F9")); test_hash(&nettle_sha3_224, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("B216930E158D65FB1FF424F9EAB6CD28996231EF5EE1D65DBE29D370")); test_hash(&nettle_sha3_224, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("AF6C676A62288B2D25A862F8866B262A74E3D2A0D414B966CE601E14")); test_hash(&nettle_sha3_224, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("418C83EB01881B4F38544665201DD05C939CA047D31834F637342342")); test_hash(&nettle_sha3_224, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("64D78817714FE05272D3805E6E19056B1649036CDCD5094FD1CC890A")); test_hash(&nettle_sha3_224, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("2C4E7C537D0E2AF2261A669BC24BD0DF16D2C72A7F98D7A5EF6A8150")); test_hash(&nettle_sha3_224, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("DF1FCB80AB380CA33BDB61F96ADAB334937E190F03C1B78B219E50F8")); test_hash(&nettle_sha3_224, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("0DD77ADA384CAB6A7ACED19CFC8048C2566D4303E2010C98D16A0516")); test_hash(&nettle_sha3_224, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("B256D0D6B6D6A72E113D105AD9601C91933D53B20A30D8E2CF33F96D")); test_hash(&nettle_sha3_224, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("B95F72512546E4AF685931246717BC482BFE922789A26EEF01BDE82D")); test_hash(&nettle_sha3_224, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("628238A9532727CC83F8FDCED11D138A17EEE4822C5D3549157D6D5E")); test_hash(&nettle_sha3_224, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("AB0FD308590574D6F6130232D9FAFA9FFCFEA78579A6A8F67C590420")); test_hash(&nettle_sha3_224, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("D5134200DC98F4CA480CD24D24497737252B55977AE5A869BA27089D")); test_hash(&nettle_sha3_224, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("494CBC9B649E48EC5AD7364AEB9C8EDF4A4F400789EF203F7B818A44")); test_hash(&nettle_sha3_224, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("7FF8A28AB12074102AEF3EFB8904284B617237322A2BF701C9FCFEFC")); test_hash(&nettle_sha3_224, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("50CDBEAB4BBAA0861F3E364AF520F9D8B54E79E3871ABCA7BBB2BAE5")); test_hash(&nettle_sha3_224, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("29B6B523C82F499078C73630BA38227BBD08EF1A2D67B425C058DEF5")); test_hash(&nettle_sha3_224, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("93CE0C8D4355300D4E63D6599129DEA7420E5B609DBB35BE432B12B5")); test_hash(&nettle_sha3_224, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("D02896D957B599869F2B2A4992A49EEF7AB1308F456C78C809BDAC88")); test_hash(&nettle_sha3_224, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("181E2301F629A569271BB740D32B1D3BD25ACB179E9AEBEF98009ED4")); test_hash(&nettle_sha3_224, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("5CD017B269A6366C789D9CECAEF3EE9C3575181A084266D78A028DB7")); test_hash(&nettle_sha3_224, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("AC280A211C98A07F6FCBB719F250E3E5A6BA2C93A833976C9F3147EB")); test_hash(&nettle_sha3_224, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("C284C9308A28B6D29CCAA7853F8C41BADCDDBC1AA4E99481A6EE2F4D")); test_hash(&nettle_sha3_224, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("3D9A979B34D45569E1C98D09DC62D03616C0251C41A8B90138750F1E")); test_hash(&nettle_sha3_224, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("8DDC9F1E0F94C1247A67D6119A9169762C6C7F1EC7F611D61353AB30")); test_hash(&nettle_sha3_224, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("46EDA2622D49B9148B40B6014C75A4086EB9DD4740F0DD591ACA53B2")); test_hash(&nettle_sha3_224, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("57CFA137968C39EAA12533044B8265BB903EC16C8D17B6CF1F106C57")); test_hash(&nettle_sha3_224, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("8730C219E19D9D37CB7A63A4DDD55E84DCB0236EF7C8828B2A23C9B9")); test_hash(&nettle_sha3_224, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("61C01FB4A010F319D193CB6D36063751950A1A8F93539BEA32F84EA1")); test_hash(&nettle_sha3_224, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("1459044DF9C26F5E240F6A6B9380734CAD84B6592FC9693DDD9F974E")); test_hash(&nettle_sha3_224, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("EB5CC00173239851F3960EDAC336005109189DFC04B29CA4CDDE5BC1")); test_hash(&nettle_sha3_224, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("A640D4841390F47DC47D4BFCF130FCF51C5F2D491F91C13374CE5965")); test_hash(&nettle_sha3_224, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("85BB3ED98C4808D8F67C722C9119C54E6543B29E57BD4FB5CBC878C7")); test_hash(&nettle_sha3_224, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("50B7D0ACB93211E0FC935F970BC43A00BE829D6B3C137D4A7E3B2BC1")); test_hash(&nettle_sha3_224, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("7CDC1782B39FC0EEB1F874D97C88051CF10508E0875FA173AC41CC8E")); test_hash(&nettle_sha3_224, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("EE5D508A4E75900193E99A04B8D838A18DEDFCC431E7AF3182A47DD6")); test_hash(&nettle_sha3_224, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("5942BA8B58A355F2AEF07E29F8F9971301E877FA32D7025DF552B1EB")); test_hash(&nettle_sha3_224, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("29240A9E973888B98A3A836933855D41D8ABB6C3806A626C3DF18F6C")); test_hash(&nettle_sha3_224, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("9AF178B1DD3CEFC96227A289175BB61D9F6B0B352D7804F5E07EA45D")); test_hash(&nettle_sha3_224, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("F543B4D423EAAC86338BB6D8C6181AD6DC0A25733953CED7EB8377F3")); test_hash(&nettle_sha3_224, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("77B4079EEE9D9E3FDA051EE0CA430B4DF011D056612C1AF446A187C2")); test_hash(&nettle_sha3_224, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("987D30120C9AA4964650A6A730E99C86F7FBDDB4EA8D6B4815EE4EBF")); test_hash(&nettle_sha3_224, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("46193359397BC3EACD69BFF410203583382DE93ECC4D80DCFB4FC51D")); test_hash(&nettle_sha3_224, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("0BC29107C7E25D44F8CE83A415B1DE5DF38A6719769606762B7192C2")); test_hash(&nettle_sha3_224, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("B485644C32283B280179F7C9714350F0B3ACFD7C45A247BF3B6CDB07")); test_hash(&nettle_sha3_224, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("F384542499EFD23381DEBCD9124C539C40BFA70E517280F56A0920E1")); test_hash(&nettle_sha3_224, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("D12E3884BC8CF9175D1778E8A3AAA119E4A897738F8D81B1278BC448")); test_hash(&nettle_sha3_224, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("D8A348264D48045D4482F3FE002C1A1F36D4DF0D5E47FAC5125C7947")); test_hash(&nettle_sha3_224, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("6865464C6A230B4BF64BA33BF97459D1D22DAFB19E08F4B7DACE02FF")); test_hash(&nettle_sha3_224, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("19D33CD354A13AB2A44044154BD865F117EF8A887FBD0570A8A4CA80")); test_hash(&nettle_sha3_224, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("E438AE4153463B333AE4FE57BF131505C8C04A534A39A20574155E49")); test_hash(&nettle_sha3_224, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("454796C7219C6F7E88508DFC13668B81748211BD016D84B59293B445")); test_hash(&nettle_sha3_224, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("CE158AED6ED3C9D4432E2422AF8D255AB1F3898F6F5B5C5A1478552C")); test_hash(&nettle_sha3_224, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("A0A21D95E640F13B25652484E244BE1B373E9B0609B685EFCE48107A")); test_hash(&nettle_sha3_224, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("CA8CB1359F0B05E2FF9414CCE0DE6D2CB4D05B08354C2119A87342CA")); test_hash(&nettle_sha3_224, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("0DDDD152CF063F0F505B518EB8DB755704F45C9735780EC3A898A923")); test_hash(&nettle_sha3_224, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("57397BB1F84711641E94F413F5D73556B96BA5CFE15F709528626D07")); test_hash(&nettle_sha3_224, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("68F6AC4289FD5214263130830FDA4DA601B88B1F8533EAC07A0338D9")); test_hash(&nettle_sha3_224, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("F145C45212392894E7F1C4E52728470F8A2D961514869990EFBE8232")); test_hash(&nettle_sha3_224, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("38CE7100E92EE4B65CC831915A06CFC2101990CB68E1004F7E9017D4")); test_hash(&nettle_sha3_224, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("BD63CA84DAC8BC586D0F0BE352DBBBA1F4CB430DEAA8119B8DA13C06")); test_hash(&nettle_sha3_224, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("7EE4EAEA6127C68EFCE66991B8F0851FE072DF3B1E0B5D07E3A4BE06")); test_hash(&nettle_sha3_224, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("7F3EE578B0410687EAF536F9EC7D654B75F504C104B78793C4CF90D5")); test_hash(&nettle_sha3_224, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("C9C26396E560CD1E6824D9E56E179FCC8AAC4C0D932F7632BA594D4C")); test_hash(&nettle_sha3_224, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("EF30652E3C6EA4EC214472BF96E5F30DCA1D31A78EB422734615EAF1")); test_hash(&nettle_sha3_224, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("5A964BF38EB347684220A3E83EB1EFCB641C8F911CB068A774B25B8C")); test_hash(&nettle_sha3_224, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("07413665EDCB8A35021874984910B498CF74823050640243AE7C84CD")); test_hash(&nettle_sha3_224, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("FCC9EAD160832F5F0FAFED6381AFD57FE1335FBFB05B7FB1F0075D37")); test_hash(&nettle_sha3_224, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("EC5C6DB60B0834FB2E0E7106AEEAFB9E614BE093C847018214D8A5DB")); test_hash(&nettle_sha3_224, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("0D5F6DE16B7CBBA49C28654F2AE98163257E7B6B500A3801EEF0733F")); test_hash(&nettle_sha3_224, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("7B7E1FC4D3833ED87FD166F909F5C2566DC0E95B17AC834F1E9E3DAD")); test_hash(&nettle_sha3_224, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("C6AC9D5464855E5C2F83F2A56F9A992137DA47EC05C541295F8C43E7")); test_hash(&nettle_sha3_224, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("4EE2F93C18974D978DD3A1CBF8B1DAC473807067B8807D026182B901")); test_hash(&nettle_sha3_224, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("D64AEE17ED8E2B85E6B097DB49554D356F032A34A15B7E844EC8D889")); test_hash(&nettle_sha3_224, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("1BDDC92BE89A672C1BD956B450B9D7B47B4BB0BC58AC51F15F7E054D")); test_hash(&nettle_sha3_224, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("0C8AC240170C6546DEBF4BFB5B38F8F30EA5DC6EF86C166E8E136D6B")); test_hash(&nettle_sha3_224, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("2FD9FDFD244B0A7342F886B87B3DDDCE54C8870FB26A71A8F6520231")); test_hash(&nettle_sha3_224, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("1B6BE19D72199BF75FD4075E54975AFA0433B9BF515BD300CE543D41")); test_hash(&nettle_sha3_224, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("A46B89B64B0C7930DD45F5B2582FD79C7AD90A58C94C52F9BFA55CFC")); test_hash(&nettle_sha3_224, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("21F0D8855387241D71A712E5F5682C156B9FD2AA6284294718853F0A")); test_hash(&nettle_sha3_224, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("82EE85541D7A5B2A2B290003C3EE46574D58A7DDD54FBC210F8FEA57")); test_hash(&nettle_sha3_224, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("278DD8A3F3208191CFF658B8D6DB35E133A16E47AA375EDB92C6A737")); test_hash(&nettle_sha3_224, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("B50527711C047DEF70B17CF20F970BED79C1C1B95275C2784C3903DE")); test_hash(&nettle_sha3_224, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("F77CB5275212C92FA0DAD921B65F50814822E3D6D584C89528990F02")); test_hash(&nettle_sha3_224, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("76CA9E685DFADC67576D44E8C1A82E8CF7E92FB0A81FE49E21108E09")); test_hash(&nettle_sha3_224, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("ABD313BC70B7FAB0EBC167D739B54C97389E752EE1A313B12673F51C")); test_hash(&nettle_sha3_224, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("F79F6356328C580B811FEA81C5ED90A303CAF34A09BEB143BE450D42")); test_hash(&nettle_sha3_224, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("299D62F8DF5EADE6871883B033B830A9952A74B12F3D55AF798C6997")); test_hash(&nettle_sha3_224, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("82BA2B8D65E14FDAC51F609F888881DB8070A0B70D7892C009A1AD28")); test_hash(&nettle_sha3_224, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("F8E5218DB087D38B1C773247FC22704C1FBDB20B1500E26AFA0B7572")); test_hash(&nettle_sha3_224, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("FA602F09B28F8679771E9C3966032B80FA2F0F33E84F3ED69BE7AE9C")); test_hash(&nettle_sha3_224, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("C8D7568889DD6FCBC3B8874ED79051875D3CE29102DF0C5DAC8AEB8A")); test_hash(&nettle_sha3_224, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("D83B06D509D332164087C0C3FA50B2264CB27F66D746B0470166CBC2")); test_hash(&nettle_sha3_224, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("386147B0CF2365346E9846D3F3A7DCEEB6E3665BA7D1593C08B2B582")); test_hash(&nettle_sha3_224, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("A69C0C18A712408D8FA2389ACABC3BF6F6412F69783E9F37960D0B56")); test_hash(&nettle_sha3_224, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("0699FD35416D83791DC8E656F22718B09DA9E3DF6E7F37A250E22DCD")); test_hash(&nettle_sha3_224, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("BF6A3598A15E28B776229F4D124D403FAD9D0FBC2B7668C95D8B5046")); test_hash(&nettle_sha3_224, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("56F8E9F69A399E528996C463D65F20DB41406533C7DF2BA1AFA2494A")); test_hash(&nettle_sha3_224, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("9904D57DEDB935427F235A0009612235F14E9426B218E028F87B3C0C")); test_hash(&nettle_sha3_224, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("FF7013679AB2BE65AEDD09739F56F8DD0072738B86E71A2470476C8C")); test_hash(&nettle_sha3_224, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("9DFB6A854A33914EAE1596DCD2BE363A96E7E088BE520F60E5A65C7F")); test_hash(&nettle_sha3_224, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("C27E80C373B216703D3D9E67223CFC5497C3E74455D49B049AE3F5F4")); test_hash(&nettle_sha3_224, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("3A189630F53C567B1C1825794D50DEF901A00E7F3728ECF2BBE00D90")); test_hash(&nettle_sha3_224, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("2585BD8D9158D6952BEE95B004F5FED70FAF061B68AB2D6A40469BE7")); test_hash(&nettle_sha3_224, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("7E64F3C5895D0586CC5B543B27DE1B66A935171E2E7F3CA48DD3718E")); test_hash(&nettle_sha3_224, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("0F837708E010375AF87F75415ED69988FE60EB2F2669AD051FA99727")); test_hash(&nettle_sha3_224, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("C79DE39778593810C03583D5962B36E04F343653074766D157A15993")); test_hash(&nettle_sha3_224, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("95CC811CC56521A40E3CED8D9A230E2101E8061FB01E388B9964BF29")); test_hash(&nettle_sha3_224, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("2EBE13F12EC43E3F6B0506D7AB216E1C311394F7C89D69A920CD00C0")); test_hash(&nettle_sha3_224, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("820101F5435D86E19BEC58ED0E1C7E630FE82DD92D7704E414802A16")); test_hash(&nettle_sha3_224, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("B1CF54F51F81FDB5B649BB6115126149296278BFF3D5395CF5F112D4")); test_hash(&nettle_sha3_224, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("B602722D1B9F31B9C5091E0FF720F1D1A8A51EB6F95ED3B412DE063D")); test_hash(&nettle_sha3_224, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("1368454E849F2D2299077F40826B4072E6FEE49B2062CB8E3B4523C9")); test_hash(&nettle_sha3_224, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("5765B70574F93341C1CC4ACB34F645B5D97B81D4CE8F38C3862F6C19")); test_hash(&nettle_sha3_224, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("B8FB318245B4042222B4063A053F15DA6B894F22736F3F9E26F72175")); test_hash(&nettle_sha3_224, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("353622E92C7907F5563BAF8F4E7AF0C2F872F4FB583B01AF9EB3D907")); test_hash(&nettle_sha3_224, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("87215AF73D5CDE98B355479AFB82A511180B7DC3D5342C88E133AED8")); test_hash(&nettle_sha3_224, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("25AE852DBA36B8D58A94DD5CFD8345141FF57E7DB7D7816C4F7252BB")); test_hash(&nettle_sha3_224, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("ECE0394418F066F55023797551E06F6A7D1645682AA4D9DD75AF8E76")); test_hash(&nettle_sha3_224, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("84A4BD2E3FA26C4FB01FE81953398F5B4B5704944354B51B887FD990")); test_hash(&nettle_sha3_224, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("170C413863D9F4E8C0B87A8532416B10A69C348D3A144658EAEEF0ED")); test_hash(&nettle_sha3_224, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("D8C257DB76536F7EF1DCFB24976EB716D9491CD8651E0254E7C4A5BB")); test_hash(&nettle_sha3_224, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("F81D8EE40869BB38A13A4F75588FA3308068DD1CDC27267D66FAC198")); test_hash(&nettle_sha3_224, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("94689EA9F347DDA8DD798A858605868743C6BD03A6A65C6085D52BED")); } nettle-3.4.1/testsuite/cfb-test.c0000644000175000017500000002211113401564746015751 0ustar nissenisse#include "testutils.h" #include "aes.h" #include "cfb.h" #include "knuth-lfib.h" /* Test with more data and inplace decryption, to check that the * cfb_decrypt buffering works. */ #define CFB_BULK_DATA 10000 static void test_cfb_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CFB_BULK_DATA]; uint8_t cipher[CFB_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("1fd0a9189b8480b7 b06a2b36ef5943ba"); struct CFB_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CFB_BULK_DATA); knuth_lfib_random(&random, CFB_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CFB_BULK_DATA] = 17; aes_set_encrypt_key(&aes.ctx, 32, key); CFB_SET_IV(&aes, start_iv); CFB_ENCRYPT(&aes, aes_encrypt, CFB_BULK_DATA, cipher, clear); ASSERT(cipher[CFB_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes_set_encrypt_key(&aes.ctx, 32, key); CFB_SET_IV(&aes, start_iv); CFB_DECRYPT(&aes, aes_encrypt, CFB_BULK_DATA, cipher, cipher); ASSERT(cipher[CFB_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CFB_BULK_DATA, clear, cipher)); } void test_main(void) { /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.13 CFB128-AES128.Encrypt */ /* Intermediate values, blocks input to AES: * * 000102030405060708090a0b0c0d0e0f * 3b3fd92eb72dad20333449f8e83cfb4a * c8a64537a0b3a93fcde3cdad9f1ce58b * 26751f67a3cbb140b1808cf187a4f4df */ test_cipher_cfb(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3b3fd92eb72dad20333449f8e83cfb4a" "c8a64537a0b3a93fcde3cdad9f1ce58b" "26751f67a3cbb140b1808cf187a4f4df" "c04b05357c5d1c0eeac4c66f9ff7f2e6"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.3.15 CFB128-AES192.Encrypt */ /* Intermediate values, blocks input to AES: * * 000102030405060708090a0b0c0d0e0f * cdc80d6fddf18cab34c25909c99a4174 * 67ce7f7f81173621961a2b70171d3d7a * 2e1e8a1dd59b88b1c8e60fed1efac4c9 */ test_cipher_cfb(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("cdc80d6fddf18cab34c25909c99a4174" "67ce7f7f81173621961a2b70171d3d7a" "2e1e8a1dd59b88b1c8e60fed1efac4c9" "c05f9f9ca9834fa042ae8fba584b09ff"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.3.17 CFB128-AES256.Encrypt */ /* Intermediate values, blcoks input to AES: * * 000102030405060708090a0b0c0d0e0f * dc7e84bfda79164b7ecd8486985d3860 * 39ffed143b28b1c832113c6331e5407b * df10132415e54b92a13ed0a8267ae2f9 */ test_cipher_cfb(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("dc7e84bfda79164b7ecd8486985d3860" "39ffed143b28b1c832113c6331e5407b" "df10132415e54b92a13ed0a8267ae2f9" "75a385741ab9cef82031623d55b1e471"), SHEX("000102030405060708090a0b0c0d0e0f")); test_cfb_bulk(); } /* F.3.13 CFB128-AES128.Encrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block 50fe67cc996d32b6da0937e99bafec60 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a Segment #2 Input Block 3b3fd92eb72dad20333449f8e83cfb4a Output Block 668bcf60beb005a35354a201dab36bda Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext c8a64537a0b3a93fcde3cdad9f1ce58b Segment #3 Input Block c8a64537a0b3a93fcde3cdad9f1ce58b Output Block 16bd032100975551547b4de89daea630 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 26751f67a3cbb140b1808cf187a4f4df Segment #4 Input Block 26751f67a3cbb140b1808cf187a4f4df Output Block 36d42170a312871947ef8714799bc5f6 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext c04b05357c5d1c0eeac4c66f9ff7f2e6 F.3.14 CFB128-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block 50fe67cc996d32b6da0937e99bafec60 Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block 3b3fd92eb72dad20333449f8e83cfb4a Output Block 668bcf60beb005a35354a201dab36bda Ciphertext c8a64537a0b3a93fcde3cdad9f1ce58b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block c8a64537a0b3a93fcde3cdad9f1ce58b Output Block 16bd032100975551547b4de89daea630 Ciphertext 26751f67a3cbb140b1808cf187a4f4df Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block 26751f67a3cbb140b1808cf187a4f4df Output Block 36d42170a312871947ef8714799bc5f6 Ciphertext c04b05357c5d1c0eeac4c66f9ff7f2e6 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.3.15 CFB128-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 000102030405060708090a0b0c0d0e0f Segment #1 50 IV Input Block 000102030405060708090a0b0c0d0e0f Output Block a609b38df3b1133dddff2718ba09565e Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext cdc80d6fddf18cab34c25909c99a4174 Segment #2 Input Block cdc80d6fddf18cab34c25909c99a4174 Output Block c9e3f5289f149abd08ad44dc52b2b32b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 67ce7f7f81173621961a2b70171d3d7a Segment #3 Input Block 67ce7f7f81173621961a2b70171d3d7a Output Block 1ed6965b76c76ca02d1dcef404f09626 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 2e1e8a1dd59b88b1c8e60fed1efac4c9 Segment #4 Input Block 2e1e8a1dd59b88b1c8e60fed1efac4c9 Output Block 36c0bbd976ccd4b7ef85cec1be273eef Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext c05f9f9ca9834fa042ae8fba584b09ff F.3.16 CFB128-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block a609b38df3b1133dddff2718ba09565e Ciphertext cdc80d6fddf18cab34c25909c99a4174 Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block cdc80d6fddf18cab34c25909c99a4174 Output Block c9e3f5289f149abd08ad44dc52b2b32b Ciphertext 67ce7f7f81173621961a2b70171d3d7a Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block 67ce7f7f81173621961a2b70171d3d7a Output Block 1ed6965b76c76ca02d1dcef404f09626 Ciphertext 2e1e8a1dd59b88b1c8e60fed1efac4c9 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block 2e1e8a1dd59b88b1c8e60fed1efac4c9 Output Block 36c0bbd976ccd4b7ef85cec1be273eef Ciphertext c05f9f9ca9834fa042ae8fba584b09ff Plaintext f69f2445df4f9b17ad2b417be66c3710 F.3.17 CFB128-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block b7bf3a5df43989dd97f0fa97ebce2f4a Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext dc7e84bfda79164b7ecd8486985d3860 Segment #2 Input Block dc7e84bfda79164b7ecd8486985d3860 Output Block 97d26743252b1d54aca653cf744ace2a Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 39ffed143b28b1c832113c6331e5407b Segment #3 Input Block 39ffed143b28b1c832113c6331e5407b Output Block efd80f62b6b9af8344c511b13c70b016 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext df10132415e54b92a13ed0a8267ae2f9 Segment #4 Input Block df10132415e54b92a13ed0a8267ae2f9 Output Block 833ca131c5f655ef8d1a2346b3ddd361 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 75a385741ab9cef82031623d55b1e471 F.3.18 CFB128-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block b7bf3a5df43989dd97f0fa97ebce2f4a Ciphertext dc7e84bfda79164b7ecd8486985d3860 Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block dc7e84bfda79164b7ecd8486985d3860 Output Block 97d26743252b1d54aca653cf744ace2a Ciphertext 39ffed143b28b1c832113c6331e5407b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block 39ffed143b28b1c832113c6331e5407b Output Block efd80f62b6b9af8344c511b13c70b016 Ciphertext df10132415e54b92a13ed0a8267ae2f9 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block df10132415e54b92a13ed0a8267ae2f9 Output Block 833ca131c5f655ef8d1a2346b3ddd361 Ciphertext 75a385741ab9cef82031623d55b1e471 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-3.4.1/testsuite/testutils.h0000644000175000017500000001564313401564746016323 0ustar nissenisse#ifndef NETTLE_TESTUTILS_H_INCLUDED #define NETTLE_TESTUTILS_H_INCLUDED /* config.h should usually be first in each .c file. This is an exception, include it here to reduce clutter in the test cases. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-types.h" #include "version.h" #if WITH_HOGWEED # include "rsa.h" # include "dsa-compat.h" # include "ecc-curve.h" # include "ecc.h" # include "ecc-internal.h" # include "ecdsa.h" # include "gmp-glue.h" # if NETTLE_USE_MINI_GMP # include "knuth-lfib.h" # endif /* Undo dsa-compat name mangling */ #undef dsa_generate_keypair #define dsa_generate_keypair nettle_dsa_generate_keypair #endif /* WITH_HOGWEED */ #include "nettle-meta.h" /* Forward declare */ struct nettle_aead; #ifdef __cplusplus extern "C" { #endif void die(const char *format, ...) PRINTF_STYLE (1, 2) NORETURN; void * xalloc(size_t size); struct tstring { struct tstring *next; size_t length; uint8_t data[1]; }; struct tstring * tstring_alloc (size_t length); void tstring_clear(void); struct tstring * tstring_data(size_t length, const uint8_t *data); struct tstring * tstring_hex(const char *hex); void tstring_print_hex(const struct tstring *s); /* Decodes a NUL-terminated hex string. */ void print_hex(size_t length, const uint8_t *data); /* The main program */ void test_main(void); extern int verbose; /* FIXME: When interface stabilizes, move to nettle-meta.h */ struct nettle_mac { const char *name; /* Size of the context struct */ unsigned context_size; /* Size of digests */ unsigned digest_size; /* Suggested key size; other sizes are sometimes possible. */ unsigned key_size; nettle_set_key_func *set_key; nettle_hash_update_func *update; nettle_hash_digest_func *digest; }; #define _NETTLE_HMAC(name, NAME, keysize) { \ #name, \ sizeof(struct hmac_##name##_ctx), \ NAME##_DIGEST_SIZE, \ NAME##_DIGEST_SIZE, \ hmac_##name##_set_key, \ hmac_##name##_update, \ hmac_##name##_digest, \ } /* Test functions deallocate their inputs when finished.*/ void test_cipher(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext); void test_cipher_cbc(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_stream(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext); void test_aead(const struct nettle_aead *aead, nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *nonce, const struct tstring *digest); void test_hash(const struct nettle_hash *hash, const struct tstring *msg, const struct tstring *digest); void test_hash_large(const struct nettle_hash *hash, size_t count, size_t length, uint8_t c, const struct tstring *digest); void test_armor(const struct nettle_armor *armor, size_t data_length, const uint8_t *data, const char *ascii); #if WITH_HOGWEED #if NETTLE_USE_MINI_GMP typedef struct knuth_lfib_ctx gmp_randstate_t[1]; void gmp_randinit_default (struct knuth_lfib_ctx *ctx); #define gmp_randclear(state) void mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits); /* This is cheating */ #define mpz_rrandomb mpz_urandomb /* mini-gmp defines this function (in the GMP library, it was added in gmp in version 6.1.0). */ #define mpn_zero_p mpn_zero_p #endif /* NETTLE_USE_MINI_GMP */ #ifndef mpn_zero_p int mpn_zero_p (mp_srcptr ap, mp_size_t n); #endif void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn); mp_limb_t * xalloc_limbs (mp_size_t n); void write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n); void test_rsa_set_key_1(struct rsa_public_key *pub, struct rsa_private_key *key); void test_rsa_md5(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha1(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha256(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha512(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_key(struct rsa_public_key *pub, struct rsa_private_key *key); void test_dsa160(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected); void test_dsa256(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected); #if 0 void test_dsa_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct nettle_hash *hash, const struct dsa_signature *expected); #endif void test_dsa_verify(const struct dsa_params *params, const mpz_t pub, const struct nettle_hash *hash, struct tstring *msg, const struct dsa_signature *ref); void test_dsa_key(const struct dsa_params *params, const mpz_t pub, const mpz_t key, unsigned q_size); extern const struct ecc_curve * const ecc_curves[]; struct ecc_ref_point { const char *x; const char *y; }; void test_ecc_point (const struct ecc_curve *ecc, const struct ecc_ref_point *ref, const mp_limb_t *p); void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p); void test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p); #endif /* WITH_HOGWEED */ /* String literal of type unsigned char. The GNUC version is safer. */ #if __GNUC__ #define US(s) ({ static const unsigned char us_s[] = s; us_s; }) #else #define US(s) ((const uint8_t *) (s)) #endif /* LDATA needs to handle NUL characters. */ #define LLENGTH(x) (sizeof(x) - 1) #define LDATA(x) LLENGTH(x), US(x) #define LDUP(x) strlen(x), strdup(x) #define SHEX(x) (tstring_hex(x)) #define SDATA(x) ((const struct tstring *)tstring_data(LLENGTH(x), US(x))) #define H(x) (SHEX(x)->data) #define MEMEQ(length, a, b) (!memcmp((a), (b), (length))) #define FAIL() abort() #define SKIP() exit(77) #define ASSERT(x) do { \ if (!(x)) \ { \ fprintf(stderr, "Assert failed: %s:%d: %s\n", \ __FILE__, __LINE__, #x); \ FAIL(); \ } \ } while(0) #ifdef __cplusplus } #endif #endif /* NETTLE_TESTUTILS_H_INCLUDED */ nettle-3.4.1/testsuite/sha384-test.c0000644000175000017500000000365213401564746016242 0ustar nissenisse#include "testutils.h" void test_main(void) { test_hash(&nettle_sha384, SDATA("abc"), SHEX("cb00753f45a35e8b b5a03d699ac65007" "272c32ab0eded163 1a8b605a43ff5bed" "8086072ba1e7cc23 58baeca134c825a7")); test_hash(&nettle_sha384, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("09330c33f71147e8 3d192fc782cd1b47" "53111b173b3b05d2 2fa08086e3b0f712" "fcc7c71a557e2db9 66c3e9fa91746039")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha384, SDATA(""), SHEX("38b060a751ac9638 4cd9327eb1b1e36a" "21fdb71114be0743 4c0cc7bf63f6e1da" "274edebfe76f65fb d51ad2f14898b95b")); test_hash(&nettle_sha384, SDATA("a"), SHEX("54a59b9f22b0b808 80d8427e548b7c23" "abd873486e1f035d ce9cd697e8517503" "3caa88e6d57bc35e fae0b5afd3145f31")); test_hash(&nettle_sha384, SDATA("38"), SHEX("c071d202ad950b6a 04a5f15c24596a99" "3af8b212467958d5 70a3ffd478006063" "8e3a3d06637691d3 012bd31122071b2c")); test_hash(&nettle_sha384, SDATA("message digest"), SHEX("473ed35167ec1f5d 8e550368a3db39be" "54639f828868e945 4c239fc8b52e3c61" "dbd0d8b4de1390c2 56dcbb5d5fd99cd5")); test_hash(&nettle_sha384, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("feb67349df3db6f5 924815d6c3dc133f" "091809213731fe5c 7b5f4999e463479f" "f2877f5f2936fa63 bb43784b12f3ebb4")); test_hash(&nettle_sha384, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("1761336e3f7cbfe5 1deb137f026f89e0" "1a448e3b1fafa640 39c1464ee8732f11" "a5341a6f41e0c202 294736ed64db1a84")); test_hash(&nettle_sha384, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("b12932b0627d1c06 0942f54477641556" "55bd4da0c9afa6dd 9b9ef53129af1b8f" "b0195996d2de9ca0 df9d821ffee67026")); } nettle-3.4.1/testsuite/pkcs1-conv-test0000755000175000017500000000403013401564746016765 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi [ -x ../tools/pkcs1-conv$EXEEXT ] || exit 77 # Private RSA key, generated by openssl $EMULATOR ../tools/pkcs1-conv >testkey.priv <testkey.pub <testtmp < testsignature # Signature on the data "gazonk\n", using sha1 and the above key cat > testsignature2 < #include "testutils.h" #include "md5.h" /* Test C++ linkage */ void test_main(void) { struct md5_ctx md5; uint8_t digest[MD5_DIGEST_SIZE]; md5_init (&md5); md5_update (&md5, 14, reinterpret_cast ("message digest")); md5_digest (&md5, MD5_DIGEST_SIZE, digest); ASSERT (MEMEQ (MD5_DIGEST_SIZE, digest, H("F96B697D7CB7938D 525A2F31AAF161D0"))); #if WITH_PUBLIC_KEY struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_set_str(pub.n, "69abd505285af665" "36ddc7c8f027e6f0" "ed435d6748b16088" "4fd60842b3a8d7fb" "bd8a3c98f0cc50ae" "4f6a9f7dd73122cc" "ec8afa3f77134406" "f53721973115fc2d" "8cfbba23b145f28d" "84f81d3b6ae8ce1e" "2850580c026e809b" "cfbb52566ea3a3b3" "df7edf52971872a7" "e35c1451b8636d22" "279a8fb299368238" "e545fbb4cf", 16); mpz_set_str(pub.e, "0db2ad57", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0a66399919be4b4d" "e5a78c5ea5c85bf9" "aba8c013cb4a8732" "14557a12bd67711e" "bb4073fd39ad9a86" "f4e80253ad809e5b" "f2fad3bc37f6f013" "273c9552c9f489", 16); mpz_set_str(key.q, "0a294f069f118625" "f5eae2538db9338c" "776a298eae953329" "9fd1eed4eba04e82" "b2593bc98ba8db27" "de034da7daaea795" "2d55b07b5f9a5875" "d1ca5f6dcab897", 16); mpz_set_str(key.a, "011b6c48eb592eee" "e85d1bb35cfb6e07" "344ea0b5e5f03a28" "5b405396cbc78c5c" "868e961db160ba8d" "4b984250930cf79a" "1bf8a9f28963de53" "128aa7d690eb87", 16); mpz_set_str(key.b, "0409ecf3d2557c88" "214f1af5e1f17853" "d8b2d63782fa5628" "60cf579b0833b7ff" "5c0529f2a97c6452" "2fa1a8878a9635ab" "ce56debf431bdec2" "70b308fa5bf387", 16); mpz_set_str(key.c, "04e103ee925cb5e6" "6653949fa5e1a462" "c9e65e1adcd60058" "e2df9607cee95fa8" "daec7a389a7d9afc" "8dd21fef9d83805a" "40d46f49676a2f6b" "2926f70c572c00", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); mpz_set_str(expected, "53bf517009fa956e" "3daa6adc95e8663d" "3759002f488bbbad" "e49f62792d85dbcc" "293f68e2b68ef89a" "c5bd42d98f845325" "3e6c1b76fc337db5" "e0053f255c55faf3" "eb6cc568ad7f5013" "5b269a64acb9eaa7" "b7f09d9bd90310e6" "4c58f6dbe673ada2" "67c97a9d99e19f9d" "87960d9ce3f0d5ce" "84f401fe7e10fa24" "28b9bffcf9", 16); mpz_t signature; mpz_init(signature); /* Create signature */ md5_update (&md5, 39, reinterpret_cast ("The magic words are squeamish ossifrage")); ASSERT (rsa_md5_sign (&key, &md5, signature)); /* Verify it */ md5_update (&md5, 39, reinterpret_cast ("The magic words are squeamish ossifrage")); ASSERT (rsa_md5_verify (&pub, &md5, signature)); /* Try bad data */ md5_update (&md5, 39, reinterpret_cast ("The magik words are squeamish ossifrage")); ASSERT (!rsa_md5_verify (&pub, &md5, signature)); #endif /* WITH_PUBLIC_KEY */ } nettle-3.4.1/testsuite/.test-rules.make0000644000175000017500000002576613401564746017145 0ustar nissenisseaes-test$(EXEEXT): aes-test.$(OBJEXT) $(LINK) aes-test.$(OBJEXT) $(TEST_OBJS) -o aes-test$(EXEEXT) arcfour-test$(EXEEXT): arcfour-test.$(OBJEXT) $(LINK) arcfour-test.$(OBJEXT) $(TEST_OBJS) -o arcfour-test$(EXEEXT) arctwo-test$(EXEEXT): arctwo-test.$(OBJEXT) $(LINK) arctwo-test.$(OBJEXT) $(TEST_OBJS) -o arctwo-test$(EXEEXT) blowfish-test$(EXEEXT): blowfish-test.$(OBJEXT) $(LINK) blowfish-test.$(OBJEXT) $(TEST_OBJS) -o blowfish-test$(EXEEXT) cast128-test$(EXEEXT): cast128-test.$(OBJEXT) $(LINK) cast128-test.$(OBJEXT) $(TEST_OBJS) -o cast128-test$(EXEEXT) base16-test$(EXEEXT): base16-test.$(OBJEXT) $(LINK) base16-test.$(OBJEXT) $(TEST_OBJS) -o base16-test$(EXEEXT) base64-test$(EXEEXT): base64-test.$(OBJEXT) $(LINK) base64-test.$(OBJEXT) $(TEST_OBJS) -o base64-test$(EXEEXT) camellia-test$(EXEEXT): camellia-test.$(OBJEXT) $(LINK) camellia-test.$(OBJEXT) $(TEST_OBJS) -o camellia-test$(EXEEXT) chacha-test$(EXEEXT): chacha-test.$(OBJEXT) $(LINK) chacha-test.$(OBJEXT) $(TEST_OBJS) -o chacha-test$(EXEEXT) cnd-memcpy-test$(EXEEXT): cnd-memcpy-test.$(OBJEXT) $(LINK) cnd-memcpy-test.$(OBJEXT) $(TEST_OBJS) -o cnd-memcpy-test$(EXEEXT) des-test$(EXEEXT): des-test.$(OBJEXT) $(LINK) des-test.$(OBJEXT) $(TEST_OBJS) -o des-test$(EXEEXT) des3-test$(EXEEXT): des3-test.$(OBJEXT) $(LINK) des3-test.$(OBJEXT) $(TEST_OBJS) -o des3-test$(EXEEXT) des-compat-test$(EXEEXT): des-compat-test.$(OBJEXT) $(LINK) des-compat-test.$(OBJEXT) $(TEST_OBJS) -o des-compat-test$(EXEEXT) md2-test$(EXEEXT): md2-test.$(OBJEXT) $(LINK) md2-test.$(OBJEXT) $(TEST_OBJS) -o md2-test$(EXEEXT) md4-test$(EXEEXT): md4-test.$(OBJEXT) $(LINK) md4-test.$(OBJEXT) $(TEST_OBJS) -o md4-test$(EXEEXT) md5-test$(EXEEXT): md5-test.$(OBJEXT) $(LINK) md5-test.$(OBJEXT) $(TEST_OBJS) -o md5-test$(EXEEXT) md5-compat-test$(EXEEXT): md5-compat-test.$(OBJEXT) $(LINK) md5-compat-test.$(OBJEXT) $(TEST_OBJS) -o md5-compat-test$(EXEEXT) memeql-test$(EXEEXT): memeql-test.$(OBJEXT) $(LINK) memeql-test.$(OBJEXT) $(TEST_OBJS) -o memeql-test$(EXEEXT) memxor-test$(EXEEXT): memxor-test.$(OBJEXT) $(LINK) memxor-test.$(OBJEXT) $(TEST_OBJS) -o memxor-test$(EXEEXT) gosthash94-test$(EXEEXT): gosthash94-test.$(OBJEXT) $(LINK) gosthash94-test.$(OBJEXT) $(TEST_OBJS) -o gosthash94-test$(EXEEXT) ripemd160-test$(EXEEXT): ripemd160-test.$(OBJEXT) $(LINK) ripemd160-test.$(OBJEXT) $(TEST_OBJS) -o ripemd160-test$(EXEEXT) hkdf-test$(EXEEXT): hkdf-test.$(OBJEXT) $(LINK) hkdf-test.$(OBJEXT) $(TEST_OBJS) -o hkdf-test$(EXEEXT) salsa20-test$(EXEEXT): salsa20-test.$(OBJEXT) $(LINK) salsa20-test.$(OBJEXT) $(TEST_OBJS) -o salsa20-test$(EXEEXT) sha1-test$(EXEEXT): sha1-test.$(OBJEXT) $(LINK) sha1-test.$(OBJEXT) $(TEST_OBJS) -o sha1-test$(EXEEXT) sha224-test$(EXEEXT): sha224-test.$(OBJEXT) $(LINK) sha224-test.$(OBJEXT) $(TEST_OBJS) -o sha224-test$(EXEEXT) sha256-test$(EXEEXT): sha256-test.$(OBJEXT) $(LINK) sha256-test.$(OBJEXT) $(TEST_OBJS) -o sha256-test$(EXEEXT) sha384-test$(EXEEXT): sha384-test.$(OBJEXT) $(LINK) sha384-test.$(OBJEXT) $(TEST_OBJS) -o sha384-test$(EXEEXT) sha512-test$(EXEEXT): sha512-test.$(OBJEXT) $(LINK) sha512-test.$(OBJEXT) $(TEST_OBJS) -o sha512-test$(EXEEXT) sha512-224-test$(EXEEXT): sha512-224-test.$(OBJEXT) $(LINK) sha512-224-test.$(OBJEXT) $(TEST_OBJS) -o sha512-224-test$(EXEEXT) sha512-256-test$(EXEEXT): sha512-256-test.$(OBJEXT) $(LINK) sha512-256-test.$(OBJEXT) $(TEST_OBJS) -o sha512-256-test$(EXEEXT) sha3-permute-test$(EXEEXT): sha3-permute-test.$(OBJEXT) $(LINK) sha3-permute-test.$(OBJEXT) $(TEST_OBJS) -o sha3-permute-test$(EXEEXT) sha3-224-test$(EXEEXT): sha3-224-test.$(OBJEXT) $(LINK) sha3-224-test.$(OBJEXT) $(TEST_OBJS) -o sha3-224-test$(EXEEXT) sha3-256-test$(EXEEXT): sha3-256-test.$(OBJEXT) $(LINK) sha3-256-test.$(OBJEXT) $(TEST_OBJS) -o sha3-256-test$(EXEEXT) sha3-384-test$(EXEEXT): sha3-384-test.$(OBJEXT) $(LINK) sha3-384-test.$(OBJEXT) $(TEST_OBJS) -o sha3-384-test$(EXEEXT) sha3-512-test$(EXEEXT): sha3-512-test.$(OBJEXT) $(LINK) sha3-512-test.$(OBJEXT) $(TEST_OBJS) -o sha3-512-test$(EXEEXT) serpent-test$(EXEEXT): serpent-test.$(OBJEXT) $(LINK) serpent-test.$(OBJEXT) $(TEST_OBJS) -o serpent-test$(EXEEXT) twofish-test$(EXEEXT): twofish-test.$(OBJEXT) $(LINK) twofish-test.$(OBJEXT) $(TEST_OBJS) -o twofish-test$(EXEEXT) version-test$(EXEEXT): version-test.$(OBJEXT) $(LINK) version-test.$(OBJEXT) $(TEST_OBJS) -o version-test$(EXEEXT) knuth-lfib-test$(EXEEXT): knuth-lfib-test.$(OBJEXT) $(LINK) knuth-lfib-test.$(OBJEXT) $(TEST_OBJS) -o knuth-lfib-test$(EXEEXT) cbc-test$(EXEEXT): cbc-test.$(OBJEXT) $(LINK) cbc-test.$(OBJEXT) $(TEST_OBJS) -o cbc-test$(EXEEXT) cfb-test$(EXEEXT): cfb-test.$(OBJEXT) $(LINK) cfb-test.$(OBJEXT) $(TEST_OBJS) -o cfb-test$(EXEEXT) ctr-test$(EXEEXT): ctr-test.$(OBJEXT) $(LINK) ctr-test.$(OBJEXT) $(TEST_OBJS) -o ctr-test$(EXEEXT) gcm-test$(EXEEXT): gcm-test.$(OBJEXT) $(LINK) gcm-test.$(OBJEXT) $(TEST_OBJS) -o gcm-test$(EXEEXT) eax-test$(EXEEXT): eax-test.$(OBJEXT) $(LINK) eax-test.$(OBJEXT) $(TEST_OBJS) -o eax-test$(EXEEXT) ccm-test$(EXEEXT): ccm-test.$(OBJEXT) $(LINK) ccm-test.$(OBJEXT) $(TEST_OBJS) -o ccm-test$(EXEEXT) poly1305-test$(EXEEXT): poly1305-test.$(OBJEXT) $(LINK) poly1305-test.$(OBJEXT) $(TEST_OBJS) -o poly1305-test$(EXEEXT) chacha-poly1305-test$(EXEEXT): chacha-poly1305-test.$(OBJEXT) $(LINK) chacha-poly1305-test.$(OBJEXT) $(TEST_OBJS) -o chacha-poly1305-test$(EXEEXT) hmac-test$(EXEEXT): hmac-test.$(OBJEXT) $(LINK) hmac-test.$(OBJEXT) $(TEST_OBJS) -o hmac-test$(EXEEXT) umac-test$(EXEEXT): umac-test.$(OBJEXT) $(LINK) umac-test.$(OBJEXT) $(TEST_OBJS) -o umac-test$(EXEEXT) meta-hash-test$(EXEEXT): meta-hash-test.$(OBJEXT) $(LINK) meta-hash-test.$(OBJEXT) $(TEST_OBJS) -o meta-hash-test$(EXEEXT) meta-cipher-test$(EXEEXT): meta-cipher-test.$(OBJEXT) $(LINK) meta-cipher-test.$(OBJEXT) $(TEST_OBJS) -o meta-cipher-test$(EXEEXT) meta-aead-test$(EXEEXT): meta-aead-test.$(OBJEXT) $(LINK) meta-aead-test.$(OBJEXT) $(TEST_OBJS) -o meta-aead-test$(EXEEXT) meta-armor-test$(EXEEXT): meta-armor-test.$(OBJEXT) $(LINK) meta-armor-test.$(OBJEXT) $(TEST_OBJS) -o meta-armor-test$(EXEEXT) buffer-test$(EXEEXT): buffer-test.$(OBJEXT) $(LINK) buffer-test.$(OBJEXT) $(TEST_OBJS) -o buffer-test$(EXEEXT) yarrow-test$(EXEEXT): yarrow-test.$(OBJEXT) $(LINK) yarrow-test.$(OBJEXT) $(TEST_OBJS) -o yarrow-test$(EXEEXT) pbkdf2-test$(EXEEXT): pbkdf2-test.$(OBJEXT) $(LINK) pbkdf2-test.$(OBJEXT) $(TEST_OBJS) -o pbkdf2-test$(EXEEXT) sexp-test$(EXEEXT): sexp-test.$(OBJEXT) $(LINK) sexp-test.$(OBJEXT) $(TEST_OBJS) -o sexp-test$(EXEEXT) sexp-format-test$(EXEEXT): sexp-format-test.$(OBJEXT) $(LINK) sexp-format-test.$(OBJEXT) $(TEST_OBJS) -o sexp-format-test$(EXEEXT) rsa2sexp-test$(EXEEXT): rsa2sexp-test.$(OBJEXT) $(LINK) rsa2sexp-test.$(OBJEXT) $(TEST_OBJS) -o rsa2sexp-test$(EXEEXT) sexp2rsa-test$(EXEEXT): sexp2rsa-test.$(OBJEXT) $(LINK) sexp2rsa-test.$(OBJEXT) $(TEST_OBJS) -o sexp2rsa-test$(EXEEXT) bignum-test$(EXEEXT): bignum-test.$(OBJEXT) $(LINK) bignum-test.$(OBJEXT) $(TEST_OBJS) -o bignum-test$(EXEEXT) random-prime-test$(EXEEXT): random-prime-test.$(OBJEXT) $(LINK) random-prime-test.$(OBJEXT) $(TEST_OBJS) -o random-prime-test$(EXEEXT) pkcs1-test$(EXEEXT): pkcs1-test.$(OBJEXT) $(LINK) pkcs1-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-test$(EXEEXT) pkcs1-sec-decrypt-test$(EXEEXT): pkcs1-sec-decrypt-test.$(OBJEXT) $(LINK) pkcs1-sec-decrypt-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-sec-decrypt-test$(EXEEXT) pss-test$(EXEEXT): pss-test.$(OBJEXT) $(LINK) pss-test.$(OBJEXT) $(TEST_OBJS) -o pss-test$(EXEEXT) rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT) $(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT) pss-mgf1-test$(EXEEXT): pss-mgf1-test.$(OBJEXT) $(LINK) pss-mgf1-test.$(OBJEXT) $(TEST_OBJS) -o pss-mgf1-test$(EXEEXT) rsa-pss-sign-tr-test$(EXEEXT): rsa-pss-sign-tr-test.$(OBJEXT) $(LINK) rsa-pss-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-pss-sign-tr-test$(EXEEXT) rsa-test$(EXEEXT): rsa-test.$(OBJEXT) $(LINK) rsa-test.$(OBJEXT) $(TEST_OBJS) -o rsa-test$(EXEEXT) rsa-encrypt-test$(EXEEXT): rsa-encrypt-test.$(OBJEXT) $(LINK) rsa-encrypt-test.$(OBJEXT) $(TEST_OBJS) -o rsa-encrypt-test$(EXEEXT) rsa-keygen-test$(EXEEXT): rsa-keygen-test.$(OBJEXT) $(LINK) rsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o rsa-keygen-test$(EXEEXT) rsa-sec-decrypt-test$(EXEEXT): rsa-sec-decrypt-test.$(OBJEXT) $(LINK) rsa-sec-decrypt-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sec-decrypt-test$(EXEEXT) rsa-compute-root-test$(EXEEXT): rsa-compute-root-test.$(OBJEXT) $(LINK) rsa-compute-root-test.$(OBJEXT) $(TEST_OBJS) -o rsa-compute-root-test$(EXEEXT) dsa-test$(EXEEXT): dsa-test.$(OBJEXT) $(LINK) dsa-test.$(OBJEXT) $(TEST_OBJS) -o dsa-test$(EXEEXT) dsa-keygen-test$(EXEEXT): dsa-keygen-test.$(OBJEXT) $(LINK) dsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o dsa-keygen-test$(EXEEXT) curve25519-dh-test$(EXEEXT): curve25519-dh-test.$(OBJEXT) $(LINK) curve25519-dh-test.$(OBJEXT) $(TEST_OBJS) -o curve25519-dh-test$(EXEEXT) ecc-mod-test$(EXEEXT): ecc-mod-test.$(OBJEXT) $(LINK) ecc-mod-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mod-test$(EXEEXT) ecc-modinv-test$(EXEEXT): ecc-modinv-test.$(OBJEXT) $(LINK) ecc-modinv-test.$(OBJEXT) $(TEST_OBJS) -o ecc-modinv-test$(EXEEXT) ecc-redc-test$(EXEEXT): ecc-redc-test.$(OBJEXT) $(LINK) ecc-redc-test.$(OBJEXT) $(TEST_OBJS) -o ecc-redc-test$(EXEEXT) ecc-sqrt-test$(EXEEXT): ecc-sqrt-test.$(OBJEXT) $(LINK) ecc-sqrt-test.$(OBJEXT) $(TEST_OBJS) -o ecc-sqrt-test$(EXEEXT) ecc-dup-test$(EXEEXT): ecc-dup-test.$(OBJEXT) $(LINK) ecc-dup-test.$(OBJEXT) $(TEST_OBJS) -o ecc-dup-test$(EXEEXT) ecc-add-test$(EXEEXT): ecc-add-test.$(OBJEXT) $(LINK) ecc-add-test.$(OBJEXT) $(TEST_OBJS) -o ecc-add-test$(EXEEXT) ecc-mul-g-test$(EXEEXT): ecc-mul-g-test.$(OBJEXT) $(LINK) ecc-mul-g-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mul-g-test$(EXEEXT) ecc-mul-a-test$(EXEEXT): ecc-mul-a-test.$(OBJEXT) $(LINK) ecc-mul-a-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mul-a-test$(EXEEXT) ecdsa-sign-test$(EXEEXT): ecdsa-sign-test.$(OBJEXT) $(LINK) ecdsa-sign-test.$(OBJEXT) $(TEST_OBJS) -o ecdsa-sign-test$(EXEEXT) ecdsa-verify-test$(EXEEXT): ecdsa-verify-test.$(OBJEXT) $(LINK) ecdsa-verify-test.$(OBJEXT) $(TEST_OBJS) -o ecdsa-verify-test$(EXEEXT) ecdsa-keygen-test$(EXEEXT): ecdsa-keygen-test.$(OBJEXT) $(LINK) ecdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o ecdsa-keygen-test$(EXEEXT) ecdh-test$(EXEEXT): ecdh-test.$(OBJEXT) $(LINK) ecdh-test.$(OBJEXT) $(TEST_OBJS) -o ecdh-test$(EXEEXT) eddsa-compress-test$(EXEEXT): eddsa-compress-test.$(OBJEXT) $(LINK) eddsa-compress-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-compress-test$(EXEEXT) eddsa-sign-test$(EXEEXT): eddsa-sign-test.$(OBJEXT) $(LINK) eddsa-sign-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-sign-test$(EXEEXT) eddsa-verify-test$(EXEEXT): eddsa-verify-test.$(OBJEXT) $(LINK) eddsa-verify-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-verify-test$(EXEEXT) ed25519-test$(EXEEXT): ed25519-test.$(OBJEXT) $(LINK) ed25519-test.$(OBJEXT) $(TEST_OBJS) -o ed25519-test$(EXEEXT) sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) cxx-test$(EXEEXT): cxx-test.$(OBJEXT) $(LINK_CXX) cxx-test.$(OBJEXT) $(TEST_OBJS) -o cxx-test$(EXEEXT) nettle-3.4.1/testsuite/memeql-test.c0000644000175000017500000000217013401564746016502 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #include "memops.h" #if HAVE_VALGRIND_MEMCHECK_H # include static int memeql_sec_for_test(const void *a, const void *b, size_t n) { int res; /* Makes valgrind trigger on any branches depending on the input data. */ VALGRIND_MAKE_MEM_UNDEFINED (a, n); VALGRIND_MAKE_MEM_UNDEFINED (b, n); res = memeql_sec (a, b, n); VALGRIND_MAKE_MEM_DEFINED (&res, sizeof(res)); return res; } #else #define memeql_sec_for_test memeql_sec #endif #define MAX_SIZE 50 void test_main(void) { uint8_t orig[MAX_SIZE]; uint8_t a[MAX_SIZE]; uint8_t b[MAX_SIZE]; struct knuth_lfib_ctx random_ctx; knuth_lfib_init (&random_ctx, 11); size_t size; for (size = 0; size < 50; size++) { size_t i; uint8_t bit; knuth_lfib_random (&random_ctx, size, orig); memcpy (a, orig, size); memcpy (b, orig, size); ASSERT (memeql_sec_for_test (a, b, size)); for (i = 0; i < size; i++) for (bit = 0x80; bit; bit >>= 1) { b[i] = orig[i] ^ bit; ASSERT (!memeql_sec_for_test (a, b, size)); b[i] = orig[i]; } } } nettle-3.4.1/testsuite/meta-armor-test.c0000644000175000017500000000106513401564746017270 0ustar nissenisse#include "testutils.h" #include "nettle-meta.h" const char* armors[] = { "base16", "base64", "base64url", }; void test_main(void) { int i,j; int count = sizeof(armors)/sizeof(*armors); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_armors[j]; j++) { if (0 == strcmp(armors[i], nettle_armors[j]->name)) break; } ASSERT(NULL != nettle_armors[j]); /* make sure we found a matching armor */ } j = 0; while (NULL != nettle_armors[j]) j++; ASSERT(j == count); /* we are not missing testing any armors */ } nettle-3.4.1/testsuite/ecc-mul-a-test.c0000644000175000017500000000507713401564746016776 0ustar nissenisse#include "testutils.h" void test_main (void) { gmp_randstate_t rands; mpz_t r; unsigned i; gmp_randinit_default (rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); mp_limb_t *scratch = xalloc_limbs (ecc->mul_itch); unsigned j; mpn_zero (n, size); n[0] = 1; ecc->mul (ecc, p, n, ecc->g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (mpn_cmp (p, ecc->g, 2*size) != 0) die ("curve %d: ecc->mul with n = 1 failed.\n", ecc->p.bit_size); for (n[0] = 2; n[0] <= 4; n[0]++) { ecc->mul (ecc, p, n, ecc->g, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul (ecc, p, n, ecc->g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (ecc->p.bit_size == 255) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); if (mpn_cmp (p, ecc->g, 2*size) != 0) { fprintf (stderr, "ecc->mul with n = order - 1 failed.\n"); abort (); } mpn_zero (n, size); for (j = 0; j < 100; j++) { if (j & 1) mpz_rrandomb (r, rands, size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, size * GMP_NUMB_BITS); /* Reduce so that (almost surely) n < q */ mpz_limbs_copy (n, r, size); n[size - 1] %= ecc->q.m[size - 1]; ecc->mul (ecc, p, n, ecc->g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); ecc->mul_g (ecc, q, n, scratch); ecc->h_to_a (ecc, 0, q, q, scratch); if (mpn_cmp (p, q, 2*size)) { fprintf (stderr, "Different results from ecc->mul and ecc->mul_g.\n" " bits = %u\n", ecc->p.bit_size); fprintf (stderr, " n = "); mpn_out_str (stderr, 16, n, size); fprintf (stderr, "\np = "); mpn_out_str (stderr, 16, p, size); fprintf (stderr, ",\n "); mpn_out_str (stderr, 16, p + size, size); fprintf (stderr, "\nq = "); mpn_out_str (stderr, 16, q, size); fprintf (stderr, ",\n "); mpn_out_str (stderr, 16, q + size, size); fprintf (stderr, "\n"); abort (); } } free (n); free (p); free (q); free (scratch); } mpz_clear (r); gmp_randclear (rands); } nettle-3.4.1/testsuite/yarrow-test.c0000644000175000017500000001060713401564746016551 0ustar nissenisse#include "testutils.h" #include "yarrow.h" #include "knuth-lfib.h" #include "macros.h" #include #include #include #include #include /* Lagged fibonacci sequence as described in Knuth 3.6 */ struct knuth_lfib_ctx lfib; static int get_event(FILE *f, struct sha256_ctx *hash, unsigned *key, unsigned *time) { static int t = 0; uint8_t buf[1]; int c = getc(f); if (c == EOF) return 0; buf[0] = c; sha256_update(hash, sizeof(buf), buf); *key = c; t += (knuth_lfib_get(&lfib) % 10000); *time = t; return 1; } static FILE * open_file(const char *name) { /* Tries opening the file in $srcdir, if set, otherwise the current * working directory */ const char *srcdir = getenv("srcdir"); if (srcdir && srcdir[0]) { FILE *f; char *buf = xalloc(strlen(name) + strlen(srcdir) + 10); sprintf(buf, "%s/%s", srcdir, name); f = fopen(buf, "r"); free(buf); return f; } /* Opens the file in text mode. */ return fopen(name, "r"); } void test_main(void) { FILE *input; struct yarrow256_ctx yarrow; struct yarrow_key_event_ctx estimator; struct yarrow_source sources[2]; struct sha256_ctx output_hash; struct sha256_ctx input_hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t seed_file[YARROW256_SEED_FILE_SIZE]; const uint8_t *expected_output = H("dd304aacac3dc95e 70d684a642967c89" "58501f7c8eb88b79 43b2ffccde6f0f79"); const uint8_t *expected_input = H("e0596cf006025506 65d1195f32a87e4a" "5c354910dfbd0a31 e2105b262f5ce3d8"); const uint8_t *expected_seed_file = H("b03518f32b1084dd 983e6a445d47bb6f" "13bb7b998740d570 503d6aaa62e28901"); unsigned c; unsigned t; unsigned processed = 0; unsigned output = 0; unsigned i; static const char unsigned zeroes[100]; yarrow256_init(&yarrow, 2, sources); yarrow_key_event_init(&estimator); sha256_init(&input_hash); sha256_init(&output_hash); knuth_lfib_init(&lfib, 31416); /* Fake input to source 0 */ yarrow256_update(&yarrow, 0, 200, sizeof(zeroes), zeroes); if (verbose) printf("source 0 entropy: %d\n", sources[0].estimate[YARROW_SLOW]); ASSERT(!yarrow256_is_seeded(&yarrow)); input = open_file("gold-bug.txt"); if (!input) { fprintf(stderr, "Couldn't open `gold-bug.txt', errno = %d\n", errno); FAIL(); } while (get_event(input, &input_hash, &c, &t)) { uint8_t buf[8]; processed++; WRITE_UINT32(buf, c); WRITE_UINT32(buf + 4, t); yarrow256_update(&yarrow, 1, yarrow_key_event_estimate(&estimator, c, t), sizeof(buf), buf); if (yarrow256_is_seeded(&yarrow)) { static const unsigned sizes[4] = { 1, 16, 500, 37 }; unsigned size = sizes[processed % 4]; uint8_t buf[500]; if (verbose && !output) printf("Generator was seeded after %d events\n", processed); yarrow256_random(&yarrow, size, buf); sha256_update(&output_hash, size, buf); if (verbose) { printf("%02x ", buf[0]); if (! (processed % 16)) printf("\n"); } output += size; } } fclose(input); if (verbose) { printf("\n"); for (i = 0; i<2; i++) printf("source %d, (fast, slow) entropy: (%d, %d)\n", i, sources[i].estimate[YARROW_FAST], sources[i].estimate[YARROW_SLOW]); printf("Processed input: %d octets\n", processed); printf(" sha256:"); } sha256_digest(&input_hash, sizeof(digest), digest); if (verbose) { print_hex(sizeof(digest), digest); printf("\n"); } ASSERT (memcmp(digest, expected_input, sizeof(digest)) == 0); yarrow256_random(&yarrow, sizeof(seed_file), seed_file); if (verbose) { printf("New seed file: "); print_hex(sizeof(seed_file), seed_file); printf("\n"); } ASSERT (memcmp(seed_file, expected_seed_file, sizeof(seed_file)) == 0); if (verbose) { printf("Generated output: %d octets\n", output); printf(" sha256:"); } sha256_digest(&output_hash, sizeof(digest), digest); if (verbose) { print_hex(sizeof(digest), digest); printf("\n"); } ASSERT (memcmp(digest, expected_output, sizeof(digest)) == 0); } nettle-3.4.1/testsuite/md5-test.c0000644000175000017500000001046013401564746015710 0ustar nissenisse#include "testutils.h" #include "md5.h" void test_main(void) { test_hash(&nettle_md5, SDATA(""), SHEX("D41D8CD98F00B204 E9800998ECF8427E")); test_hash(&nettle_md5, SDATA("a"), SHEX("0CC175B9C0F1B6A8 31C399E269772661")); test_hash(&nettle_md5, SDATA("abc"), SHEX("900150983cd24fb0 D6963F7D28E17F72")); test_hash(&nettle_md5, SDATA("message digest"), SHEX("F96B697D7CB7938D 525A2F31AAF161D0")); test_hash(&nettle_md5, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("C3FCD3D76192E400 7DFB496CCA67E13B")); test_hash(&nettle_md5, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("D174AB98D277D9F5 A5611C2C9F419D9F")); test_hash(&nettle_md5, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("57EDF4A22BE3C955 AC49DA2E2107B67A")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_md5, SDATA("38"), SHEX("a5771bce93e200c3 6f7cd9dfd0e5deaa")); /* Collisions, reported by Xiaoyun Wang1, Dengguo Feng2, Xuejia Lai3, Hongbo Yu1, http://eprint.iacr.org/2004/199. */ #define M0 \ /* vv */ \ "d131dd02 c5e6eec4 693d9a06 98aff95c 2fcab5 87 12467eab 4004583e b8fb7f89" \ "55ad3406 09f4b302 83e48883 25 71 415a 085125e8 f7cdc99f d91dbd f2 80373c5b" \ /* ^^ ^^ */ #define M1 \ /* vv */ \ "d131dd02 c5e6eec4 693d9a06 98aff95c 2fcab5 07 12467eab 4004583e b8fb7f89" \ "55ad3406 09f4b302 83e48883 25 f1 415a 085125e8 f7cdc99f d91dbd 72 80373c5b" \ /* ^^ ^^ */ #define N0 \ /* vv */ \ "960b1dd1 dc417b9c e4d897f4 5a6555d5 35739a c7 f0ebfd0c 3029f166 d109b18f" \ "75277f79 30d55ceb 22e8adba 79 cc 155c ed74cbdd 5fc5d36d b19b0a d8 35cca7e3" \ /* ^^ ^^ */ #define N1 \ /* vv */ \ "960b1dd1 dc417b9c e4d897f4 5a6555d5 35739a 47 f0ebfd0c 3029f166 d109b18f" \ "75277f79 30d55ceb 22e8adba 79 4c 155c ed74cbdd 5fc5d36d b19b0a 58 35cca7e3" \ /* ^^ ^^ */ /* Note: The checksum in the paper, 1f160396 efc71ff4 bcff659f bf9d0fa3, is incorrect. */ #define H0 "a4c0d35c 95a63a80 5915367d cfe6b751" #define N2 \ /* vv */ \ "d8823e31 56348f5b ae6dacd4 36c919c6 dd53e2 b4 87da03fd 02396306 d248cda0" \ "e99f3342 0f577ee8 ce54b670 80 a8 0d1e c69821bc b6a88393 96f965 2b 6ff72a70" \ /* ^^ ^^ */ #define N3 \ /* vv */ \ "d8823e31 56348f5b ae6dacd4 36c919c6 dd53e2 34 87da03fd 02396306 d248cda0" \ "e99f3342 0f577ee8 ce54b670 80 28 0d1e c69821bc b6a88393 96f965 ab 6ff72a70" \ /* ^^ ^^ */ /* Note: Also different from the checksum in the paper */ #define H1 "79054025 255fb1a2 6e4bc422 aef54eb4" test_hash(&nettle_md5, SHEX(M0 N0), SHEX(H0)); test_hash(&nettle_md5, SHEX(M1 N1), SHEX(H0)); test_hash(&nettle_md5, SHEX(M0 N2), SHEX(H1)); test_hash(&nettle_md5, SHEX(M1 N3), SHEX(H1)); } /* Intermediate values for the single _nettle_md5_compress call for the first test case. Each row gives the values for a, b, c, d after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. i a b c d -1: 67452301 efcdab89 98badcfe 10325476 0: a5202774 efcdab89 98badcfe 10325476 1: a5202774 efcdab89 98badcfe f59592dd 15: f56c7cf1 d6819c6a 5aa53f75 374943a7 16: 1c7d7513 d6819c6a 5aa53f75 374943a7 17: 1c7d7513 d6819c6a 5aa53f75 7bd57a3a 31: 13707036 a2205f1f 1c31c384 ae7813db 32: df63eaa1 a2205f1f 1c31c384 ae7813db 33: df63eaa1 a2205f1f 1c31c384 c3689f5b 47: 3f55edfd ca7d2dbd 68d84ea2 22a31f54 48: 93aa2577 ca7d2dbd 68d84ea2 22a31f54 49: 93aa2577 ca7d2dbd 68d84ea2 1688dc85 63: 7246fad3 14e45506 ff4ea3eb 6e10a476 99: d98c1dd4 4b2008f 980980e9 7e42f8ec */ nettle-3.4.1/testsuite/md5-compat-test.c0000644000175000017500000000265413401564746017177 0ustar nissenisse#include "testutils.h" #include "md5-compat.h" void test_main(void) { MD5_CTX ctx; unsigned char digest[MD5_DIGEST_SIZE]; MD5Init(&ctx); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("D41D8CD98F00B204 E9800998ECF8427E"))); MD5Init(&ctx); MD5Update(&ctx, US("a"), 1); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("0CC175B9C0F1B6A8 31C399E269772661"))); MD5Init(&ctx); MD5Update(&ctx, US("abc"), 3); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("900150983cd24fb0 D6963F7D28E17F72"))); MD5Init(&ctx); MD5Update(&ctx, US("message digest"), 14); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("F96B697D7CB7938D 525A2F31AAF161D0"))); MD5Init(&ctx); MD5Update(&ctx, US("abcdefghijklmnopqrstuvwxyz"), 26); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("C3FCD3D76192E400 7DFB496CCA67E13B"))); MD5Init(&ctx); MD5Update(&ctx, US("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), 62); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("D174AB98D277D9F5 A5611C2C9F419D9F"))); MD5Init(&ctx); MD5Update(&ctx, US("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), 80); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("57EDF4A22BE3C955 AC49DA2E2107B67A"))); } nettle-3.4.1/testsuite/pss-mgf1-test.c0000644000175000017500000000247413401564746016666 0ustar nissenisse#include "testutils.h" #include "pss-mgf1.h" void test_main(void) { struct sha1_ctx sha1ctx; struct sha256_ctx sha256ctx; const struct tstring *seed, *expected; uint8_t mask[120]; /* From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */ seed = SHEX("df1a896f9d8bc816d97cd7a2c43bad54" "6fbe8cfe"); expected = SHEX("66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee" "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd" "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3" "183a311fc89739a96643136e8b0f465e87a4535cd4c59b10028d"); sha1_init(&sha1ctx); sha1_update(&sha1ctx, seed->length, seed->data); pss_mgf1(&sha1ctx, &nettle_sha1, expected->length, mask); ASSERT(MEMEQ (expected->length, mask, expected->data)); /* Test with our own data. */ seed = SDATA("abc"); expected = SHEX("cf2db1ac9867debdf8ce91f99f141e5544bf26ca36b3fd4f8e4035" "eec42cab0d46c386ebccef82ba0bb0b095aaa5548b03cdff695187" "1c6fb505af68af688332f885d324a47d2145a3d8392c37978d7dc9" "84c95728950c4cf3de6becc59e60ea506951bd40e6de3863095064" "3ab2edbb47dc66cb54beb2d1"); sha256_init(&sha256ctx); sha256_update(&sha256ctx, seed->length, seed->data); pss_mgf1(&sha256ctx, &nettle_sha256, expected->length, mask); ASSERT(MEMEQ (expected->length, mask, expected->data)); } nettle-3.4.1/testsuite/pkcs1-test.c0000644000175000017500000000053013401564746016241 0ustar nissenisse#include "testutils.h" #include "pkcs1.h" void test_main(void) { uint8_t buffer[16]; uint8_t expected[16] = { 0, 1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0, 'a', 'b', 'c' }; _pkcs1_signature_prefix(sizeof(buffer), buffer, LDATA("abc"), 0); ASSERT(MEMEQ(sizeof(buffer), buffer, expected)); } nettle-3.4.1/testsuite/meta-cipher-test.c0000644000175000017500000000143513401564746017423 0ustar nissenisse#include "testutils.h" #include "nettle-meta.h" const char* ciphers[] = { "aes128", "aes192", "aes256", "arctwo40", "arctwo64", "arctwo128", "arctwo_gutmann128", "camellia128", "camellia192", "camellia256", "cast128", "serpent128", "serpent192", "serpent256", "twofish128", "twofish192", "twofish256" }; void test_main(void) { int i,j; int count = sizeof(ciphers)/sizeof(*ciphers); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_ciphers[j]; j++) { if (0 == strcmp(ciphers[i], nettle_ciphers[j]->name)) break; } ASSERT(NULL != nettle_ciphers[j]); /* make sure we found a matching cipher */ } j = 0; while (NULL != nettle_ciphers[j]) j++; ASSERT(j == count); /* we are not missing testing any ciphers */ } nettle-3.4.1/testsuite/sha256-test.c0000644000175000017500000001457613401564746016247 0ustar nissenisse#include "testutils.h" void test_main(void) { /* From FIPS180-2 */ test_hash(&nettle_sha256, SDATA("abc"), SHEX("ba7816bf8f01cfea 414140de5dae2223" "b00361a396177a9c b410ff61f20015ad")); test_hash(&nettle_sha256, SDATA("abcdbcdecdefdefgefghfghighij" "hijkijkljklmklmnlmnomnopnopq"), SHEX("248d6a61d20638b8 e5c026930c3e6039" "a33ce45964ff2167 f6ecedd419db06c1")); test_hash(&nettle_sha256, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("cf5b16a778af8380 036ce59e7b049237" "0b249b11e8f07a51 afac45037afee9d1")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha256, SDATA(""), SHEX("e3b0c44298fc1c14 9afbf4c8996fb924" "27ae41e4649b934c a495991b7852b855")); test_hash(&nettle_sha256, SDATA("a"), SHEX("ca978112ca1bbdca fac231b39a23dc4d" "a786eff8147c4e72 b9807785afee48bb")); test_hash(&nettle_sha256, SDATA("38"), SHEX("aea92132c4cbeb26 3e6ac2bf6c183b5d" "81737f179f21efdc 5863739672f0f470")); test_hash(&nettle_sha256, SDATA("message digest"), SHEX("f7846f55cf23e14e ebeab5b4e1550cad" "5b509e3348fbc4ef a3a1413d393cb650")); test_hash(&nettle_sha256, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("71c480df93d6ae2f 1efad1447c66c952" "5e316218cf51fc8d 9ed832f2daf18b73")); test_hash(&nettle_sha256, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("db4bfcbd4da0cd85 a60c3c37d3fbd880" "5c77f15fc6b1fdfe 614ee0a7c8fdb4c0")); test_hash(&nettle_sha256, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("f371bc4a311f2b00 9eef952dd83ca80e" "2b60026c8e935592 d0f9c308453c813e")); } /* These are intermediate values for the single sha1_compress call that results from the first testcase, SHA256("abc"). Each row are the values for A, B, C, D, E, F, G, H after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. -1: 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 0: 6a09e667 bb67ae85 3c6ef372 fa2a4622 510e527f 9b05688c 1f83d9ab 5d6aebcd 1: 6a09e667 bb67ae85 78ce7989 fa2a4622 510e527f 9b05688c 5a6ad9ad 5d6aebcd 6: 24e00850 e5030380 2b4209f5 4409a6a d550f666 9b27a401 714260ad 43ada245 7: 85a07b5f e5030380 2b4209f5 4409a6a c657a79 9b27a401 714260ad 43ada245 8: 85a07b5f e5030380 2b4209f5 32ca2d8c c657a79 9b27a401 714260ad 8e04ecb9 9: 85a07b5f e5030380 1cc92596 32ca2d8c c657a79 9b27a401 8c87346b 8e04ecb9 14: 816fd6e9 c0645fde d932eb16 87912990 f71fc5a9 b92f20c 745a48de 1e578218 15: b0fa238e c0645fde d932eb16 87912990 7590dcd b92f20c 745a48de 1e578218 16: b0fa238e c0645fde d932eb16 8034229c 7590dcd b92f20c 745a48de 21da9a9b 17: b0fa238e c0645fde 846ee454 8034229c 7590dcd b92f20c c2fbd9d1 21da9a9b 18: b0fa238e cc899961 846ee454 8034229c 7590dcd fe777bbf c2fbd9d1 21da9a9b 19: b0638179 cc899961 846ee454 8034229c e1f20c33 fe777bbf c2fbd9d1 21da9a9b 20: b0638179 cc899961 846ee454 9dc68b63 e1f20c33 fe777bbf c2fbd9d1 8ada8930 21: b0638179 cc899961 c2606d6d 9dc68b63 e1f20c33 fe777bbf e1257970 8ada8930 22: b0638179 a7a3623f c2606d6d 9dc68b63 e1f20c33 49f5114a e1257970 8ada8930 23: c5d53d8d a7a3623f c2606d6d 9dc68b63 aa47c347 49f5114a e1257970 8ada8930 24: c5d53d8d a7a3623f c2606d6d 2823ef91 aa47c347 49f5114a e1257970 1c2c2838 25: c5d53d8d a7a3623f 14383d8e 2823ef91 aa47c347 49f5114a cde8037d 1c2c2838 26: c5d53d8d c74c6516 14383d8e 2823ef91 aa47c347 b62ec4bc cde8037d 1c2c2838 27: edffbff8 c74c6516 14383d8e 2823ef91 77d37528 b62ec4bc cde8037d 1c2c2838 28: edffbff8 c74c6516 14383d8e 363482c9 77d37528 b62ec4bc cde8037d 6112a3b7 29: edffbff8 c74c6516 a0060b30 363482c9 77d37528 b62ec4bc ade79437 6112a3b7 30: edffbff8 ea992a22 a0060b30 363482c9 77d37528 109ab3a ade79437 6112a3b7 31: 73b33bf5 ea992a22 a0060b30 363482c9 ba591112 109ab3a ade79437 6112a3b7 32: 73b33bf5 ea992a22 a0060b30 9cd9f5f6 ba591112 109ab3a ade79437 98e12507 33: 73b33bf5 ea992a22 59249dd3 9cd9f5f6 ba591112 109ab3a fe604df5 98e12507 34: 73b33bf5 85f3833 59249dd3 9cd9f5f6 ba591112 a9a7738c fe604df5 98e12507 35: f4b002d6 85f3833 59249dd3 9cd9f5f6 65a0cfe4 a9a7738c fe604df5 98e12507 36: f4b002d6 85f3833 59249dd3 41a65cb1 65a0cfe4 a9a7738c fe604df5 772a26b 37: f4b002d6 85f3833 34df1604 41a65cb1 65a0cfe4 a9a7738c a507a53d 772a26b 38: f4b002d6 6dc57a8a 34df1604 41a65cb1 65a0cfe4 f0781bc8 a507a53d 772a26b 39: 79ea687a 6dc57a8a 34df1604 41a65cb1 1efbc0a0 f0781bc8 a507a53d 772a26b 40: 79ea687a 6dc57a8a 34df1604 26352d63 1efbc0a0 f0781bc8 a507a53d d6670766 41: 79ea687a 6dc57a8a 838b2711 26352d63 1efbc0a0 f0781bc8 df46652f d6670766 42: 79ea687a decd4715 838b2711 26352d63 1efbc0a0 17aa0dfe df46652f d6670766 43: fda24c2e decd4715 838b2711 26352d63 9d4baf93 17aa0dfe df46652f d6670766 44: fda24c2e decd4715 838b2711 26628815 9d4baf93 17aa0dfe df46652f a80f11f0 45: fda24c2e decd4715 72ab4b91 26628815 9d4baf93 17aa0dfe b7755da1 a80f11f0 46: fda24c2e a14c14b0 72ab4b91 26628815 9d4baf93 d57b94a9 b7755da1 a80f11f0 47: 4172328d a14c14b0 72ab4b91 26628815 fecf0bc6 d57b94a9 b7755da1 a80f11f0 48: 4172328d a14c14b0 72ab4b91 bd714038 fecf0bc6 d57b94a9 b7755da1 5757ceb 49: 4172328d a14c14b0 6e5c390c bd714038 fecf0bc6 d57b94a9 f11bfaa8 5757ceb 50: 4172328d 52f1ccf7 6e5c390c bd714038 fecf0bc6 7a0508a1 f11bfaa8 5757ceb 51: 49231c1e 52f1ccf7 6e5c390c bd714038 886e7a22 7a0508a1 f11bfaa8 5757ceb 52: 49231c1e 52f1ccf7 6e5c390c 101fd28f 886e7a22 7a0508a1 f11bfaa8 529e7d00 53: 49231c1e 52f1ccf7 f5702fdb 101fd28f 886e7a22 7a0508a1 9f4787c3 529e7d00 54: 49231c1e 3ec45cdb f5702fdb 101fd28f 886e7a22 e50e1b4f 9f4787c3 529e7d00 55: 38cc9913 3ec45cdb f5702fdb 101fd28f 54cb266b e50e1b4f 9f4787c3 529e7d00 56: 38cc9913 3ec45cdb f5702fdb 9b5e906c 54cb266b e50e1b4f 9f4787c3 fcd1887b 57: 38cc9913 3ec45cdb 7e44008e 9b5e906c 54cb266b e50e1b4f c062d46f fcd1887b 58: 38cc9913 6d83bfc6 7e44008e 9b5e906c 54cb266b ffb70472 c062d46f fcd1887b 59: b21bad3d 6d83bfc6 7e44008e 9b5e906c b6ae8fff ffb70472 c062d46f fcd1887b 60: b21bad3d 6d83bfc6 7e44008e b85e2ce9 b6ae8fff ffb70472 c062d46f 961f4894 61: b21bad3d 6d83bfc6 4d24d6c b85e2ce9 b6ae8fff ffb70472 948d25b6 961f4894 62: b21bad3d d39a2165 4d24d6c b85e2ce9 b6ae8fff fb121210 948d25b6 961f4894 63: 506e3058 d39a2165 4d24d6c b85e2ce9 5ef50f24 fb121210 948d25b6 961f4894 99: ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad */ nettle-3.4.1/testsuite/chacha-test.c0000644000175000017500000005236213401564746016441 0ustar nissenisse/* chacha-test.c Test program for the ChaCha stream cipher implementation. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "chacha.h" static void test_chacha(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected, unsigned rounds) { struct chacha_ctx ctx; ASSERT (key->length == CHACHA_KEY_SIZE); chacha_set_key (&ctx, key->data); if (rounds == 20) { uint8_t *data = xalloc (expected->length + 2); size_t length; data++; for (length = 1; length <= expected->length; length++) { data[-1] = 17; memset (data, 0, length); data[length] = 17; if (nonce->length == CHACHA_NONCE_SIZE) chacha_set_nonce(&ctx, nonce->data); else if (nonce->length == CHACHA_NONCE96_SIZE) { chacha_set_nonce96(&ctx, nonce->data); /* Use initial counter 1, for draft-irtf-cfrg-chacha20-poly1305-08 test cases. */ ctx.state[12]++; } else die ("Bad nonce size %u.\n", (unsigned) nonce->length); chacha_crypt (&ctx, length, data, data); ASSERT (data[-1] == 17); ASSERT (data[length] == 17); if (!MEMEQ(length, data, expected->data)) { printf("Error, length %u, expected:\n", (unsigned) length); print_hex (length, expected->data); printf("Got:\n"); print_hex(length, data); FAIL (); } } if (verbose) { printf("Result after encryption:\n"); print_hex(expected->length, data); } free (data - 1); } else { /* Uses the _chacha_core function to be able to test different numbers of rounds. */ uint32_t out[_CHACHA_STATE_LENGTH]; ASSERT (expected->length == CHACHA_BLOCK_SIZE); ASSERT (nonce->length == CHACHA_NONCE_SIZE); chacha_set_nonce(&ctx, nonce->data); _chacha_core (out, ctx.state, rounds); if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) { printf("Error, expected:\n"); tstring_print_hex (expected); printf("Got:\n"); print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); FAIL (); } if (verbose) { printf("Result after encryption:\n"); print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); } } } void test_main(void) { /* Test vectors from draft-strombergson-chacha-test-vectors */ #if 0 /* TC1: All zero key and IV. 128 bit key and 8 rounds. */ test_chacha (SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("e28a5fa4a67f8c5d efed3e6fb7303486" "aa8427d31419a729 572d777953491120" "b64ab8e72b8deb85 cd6aea7cb6089a10" "1824beeb08814a42 8aab1fa2c816081b"), 8); test_chacha (SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("e1047ba9476bf8ff 312c01b4345a7d8c" "a5792b0ad467313f 1dc412b5fdce3241" "0dea8b68bd774c36 a920f092a04d3f95" "274fbeff97bc8491 fcef37f85970b450"), 12); test_chacha (SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("89670952608364fd 00b2f90936f031c8" "e756e15dba04b849 3d00429259b20f46" "cc04f111246b6c2c e066be3bfb32d9aa" "0fddfbc12123d4b9 e44f34dca05a103f" "6cd135c2878c832b 5896b134f6142a9d" "4d8d0d8f1026d20a 0a81512cbce6e975" "8a7143d021978022 a384141a80cea306" "2f41f67a752e66ad 3411984c787e30ad"), 20); #endif test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1" "2c840ec3ce9a7f3b 181be188ef711a1e" "984ce172b9216f41 9f445367456d5619" "314a42a3da86b001 387bfdb80e0cfe42" /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad" "c0fd581259f9a2aa dcf20f8fd566a26b" "5032ec38bbc5da98 ee0c6f568b872a65" "a08abf251deb21bb 4b56e5d8821e68aa" */), 8); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("9bf49a6a0755f953 811fce125f2683d5" "0429c3bb49e07414 7e0089a52eae155f" "0564f879d27ae3c0 2ce82834acfa8c79" "3a629f2ca0de6919 610be82f411326be" /* "0bd58841203e74fe 86fc71338ce0173d" "c628ebb719bdcbcc 151585214cc089b4" "42258dcda14cf111 c602b8971b8cc843" "e91e46ca905151c0 2744a6b017e69316" */), 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("76b8e0ada0f13d90 405d6ae55386bd28" "bdd219b8a08ded1a a836efcc8b770dc7" "da41597c5157488d 7724e03fb8d84a37" "6a43b8f41518a11c c387b669b2ee6586" "9f07e7be5551387a 98ba977c732d080d" "cb0f29a048e36569 12c6533e32ee7aed" "29b721769ce64e43 d57133b074d839d5" "31ed1f28510afb45 ace10a1f4b794d6f"), 20); /* TC2: Single bit in key set. All zero IV */ #if 0 test_chacha (SHEX("0100000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("03a7669888605a07 65e8357475e58673" "f94fc8161da76c2a 3aa2f3caf9fe5449" "e0fcf38eb882656a f83d430d410927d5" "5c972ac4c92ab9da 3713e19f761eaa14"), 8); test_chacha (SHEX("0100000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("2a865a3b8999fa83 ae8aacf33fc6be4f" "32c8aa9762738d26 963270052f4eef8b" "86af758f7867560a f6d0eeb973b5542b" "b24c8abceac8b1f3 6d026963d6c8a9b2"), 12); test_chacha (SHEX("0100000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("ae56060d04f5b597 897ff2af1388dbce" "ff5a2a4920335dc1 7a3cb1b1b10fbe70" "ece8f4864d8c7cdf 0076453a8291c7db" "eb3aa9c9d10e8ca3 6be4449376ed7c42" "fc3d471c34a36fbb f616bc0a0e7c5230" "30d944f43ec3e78d d6a12466547cb4f7" "b3cebd0a5005e762 e562d1375b7ac445" "93a991b85d1a60fb a2035dfaa2a642d5"), 20); #endif test_chacha (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("cf5ee9a0494aa961 3e05d5ed725b804b" "12f4a465ee635acc 3a311de8740489ea" "289d04f43c7518db 56eb4433e498a123" "8cd8464d3763ddbb 9222ee3bd8fae3c8"), 8); test_chacha (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("12056e595d56b0f6 eef090f0cd25a209" "49248c2790525d0f 930218ff0b4ddd10" "a6002239d9a454e2 9e107a7d06fefdfe" "f0210feba044f9f2 9b1772c960dc29c0"), 12); test_chacha (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("c5d30a7ce1ec1193 78c84f487d775a85" "42f13ece238a9455 e8229e888de85bbd" "29eb63d0a17a5b99 9b52da22be4023eb" "07620a54f6fa6ad8 737b71eb0464dac0" "10f656e6d1fd5505 3e50c4875c9930a3" "3f6d0263bd14dfd6 ab8c70521c19338b" "2308b95cf8d0bb7d 202d2102780ea352" "8f1cb48560f76b20 f382b942500fceac"), 20); /* TC3: Single bit in IV set. All zero key */ #if 0 test_chacha (SHEX("0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("25f5bec6683916ff 44bccd12d102e692" "176663f4cac53e71 9509ca74b6b2eec8" "5da4236fb2990201 2adc8f0d86c8187d" "25cd1c486966930d 0204c4ee88a6ab35"), 8); test_chacha (SHEX("0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("91cdb2f180bc89cf e86b8b6871cd6b3a" "f61abf6eba01635d b619c40a0b2e19ed" "fa8ce5a9bd7f53cc 2c9bcfea181e9754" "a9e245731f658cc2 82c2ae1cab1ae02c"), 12); test_chacha (SHEX("0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("1663879eb3f2c994 9e2388caa343d361" "bb132771245ae6d0 27ca9cb010dc1fa7" "178dc41f8278bc1f 64b3f12769a24097" "f40d63a86366bdb3 6ac08abe60c07fe8" "b057375c89144408 cc744624f69f7f4c" "cbd93366c92fc4df cada65f1b959d8c6" "4dfc50de711fb464 16c2553cc60f21bb" "fd006491cb17888b 4fb3521c4fdd8745"), 20); #endif test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1" "3aa0edccc1be6942 090faeeca0d7599b" "7ff0fe616bb25aa0 153ad6fdc88b9549" "03c22426d478b97b 22b8f9b1db00cf06"), 8); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d" "f8b33f635714418f 9836ade59be12969" "46c953a0f38ecffc 9ecb98e81d5d99a5" "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"), 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("ef3fdfd6c61578fb f5cf35bd3dd33b80" "09631634d21e42ac 33960bd138e50d32" "111e4caf237ee53c a8ad6426194a8854" "5ddc497a0b466e7d 6bbdb0041b2f586b" "5305e5e44aff19b2 35936144675efbe4" "409eb7e8e5f1430f 5f5836aeb49bb532" "8b017c4b9dc11f8a 03863fa803dc71d5" "726b2b6b31aa3270 8afe5af1d6b69058"), 20); /* TC4: All bits in key and IV are set. */ #if 0 test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("2204d5b81ce66219 3e00966034f91302" "f14a3fb047f58b6e 6ef0d72113230416" "3e0fb640d76ff9c3 b9cd99996e6e38fa" "d13f0e31c82244d3 3abbc1b11e8bf12d"), 8); test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("60e349e60c38b328 c4baab90d44a7c72" "7662770d36350d65 a1433bd92b00ecf4" "83d5597d7a616258 ec3c5d5b30e1c5c8" "5c5dfe2f92423b8e 36870f3185b6add9"), 12); test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("992947c3966126a0 e660a3e95db048de" "091fb9e0185b1e41 e41015bb7ee50150" "399e4760b262f9d5 3f26d8dd19e56f5c" "506ae0c3619fa67f b0c408106d0203ee" "40ea3cfa61fa32a2 fda8d1238a2135d9" "d4178775240f9900 7064a6a7f0c731b6" "7c227c52ef796b6b ed9f9059ba0614bc" "f6dd6e38917f3b15 0e576375be50ed67"), 20); #endif test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("e163bbf8c9a739d1 8925ee8362dad2cd" "c973df05225afb2a a26396f2a9849a4a" "445e0547d31c1623 c537df4ba85c70a9" "884a35bcbf3dfab0 77e98b0f68135f54"), 8); test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("04bf88dae8e47a22 8fa47b7e6379434b" "a664a7d28f4dab84 e5f8b464add20c3a" "caa69c5ab221a23a 57eb5f345c96f4d1" "322d0a2ff7a9cd43 401cd536639a615a"), 12); test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("d9bf3f6bce6ed0b5 4254557767fb5744" "3dd4778911b60605 5c39cc25e674b836" "3feabc57fde54f79 0c52c8ae43240b79" "d49042b777bfd6cb 80e931270b7f50eb" "5bac2acd86a836c5 dc98c116c1217ec3" "1d3a63a9451319f0 97f3b4d6dab07787" "19477d24d24b403a 12241d7cca064f79" "0f1d51ccaff6b166 7d4bbca1958c4306"), 20); /* TC5: Every even bit set in key and IV. */ #if 0 test_chacha (SHEX("5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("f0a23bc36270e18e d0691dc384374b9b" "2c5cb60110a03f56 fa48a9fbbad961aa" "6bab4d892e96261b 6f1a0919514ae56f" "86e066e17c71a417 6ac684af1c931996"), 8); test_chacha (SHEX("5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("90ec7a49ee0b20a8 08af3d463c1fac6c" "2a7c897ce8f6e60d 793b62ddbebcf980" "ac917f091e52952d b063b1d2b947de04" "aac087190ca99a35 b5ea501eb535d570"), 12); test_chacha (SHEX("5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("357d7d94f966778f 5815a2051dcb0413" "3b26b0ead9f57dd0 9927837bc3067e4b" "6bf299ad81f7f50c 8da83c7810bfc17b" "b6f4813ab6c32695 7045fd3fd5e19915" "ec744a6b9bf8cbdc b36d8b6a5499c68a" "08ef7be6cc1e93f2 f5bcd2cad4e47c18" "a3e5d94b5666382c 6d130d822dd56aac" "b0f8195278e7b292 495f09868ddf12cc"), 20); #endif test_chacha (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("7cb78214e4d3465b 6dc62cf7a1538c88" "996952b4fb72cb61 05f1243ce3442e29" "75a59ebcd2b2a598 290d7538491fe65b" "dbfefd060d887981 20a70d049dc2677d"), 8); test_chacha (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("a600f07727ff93f3 da00dd74cc3e8bfb" "5ca7302f6a0a2944 953de00450eecd40" "b860f66049f2eaed 63b2ef39cc310d2c" "488f5d9a241b615d c0ab70f921b91b95"), 12); test_chacha (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("bea9411aa453c543 4a5ae8c92862f564" "396855a9ea6e22d6 d3b50ae1b3663311" "a4a3606c671d605c e16c3aece8e61ea1" "45c59775017bee2f a6f88afc758069f7" "e0b8f676e644216f 4d2a3422d7fa36c6" "c4931aca950e9da4 2788e6d0b6d1cd83" "8ef652e97b145b14 871eae6c6804c700" "4db5ac2fce4c68c7 26d004b10fcaba86"), 20); /* TC6: Every odd bit set in key and IV. */ #if 0 test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("312d95c0bc38eff4 942db2d50bdc500a" "30641ef7132db1a8 ae838b3bea3a7ab0" "3815d7a4cc09dbf5 882a3433d743aced" "48136ebab7329950 6855c0f5437a36c6"), 8); test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("057fe84fead13c24 b76bb2a6fdde66f2" "688e8eb6268275c2 2c6bcb90b85616d7" "fe4d3193a1036b70 d7fb864f01453641" "851029ecdb60ac38 79f56496f16213f4"), 12); test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("fc79acbd58526103 862776aab20f3b7d" "8d3149b2fab65766 299316b6e5b16684" "de5de548c1b7d083 efd9e3052319e0c6" "254141da04a6586d f800f64d46b01c87" "1f05bc67e07628eb e6f6865a2177e0b6" "6a558aa7cc1e8ff1 a98d27f7071f8335" "efce4537bb0ef7b5 73b32f32765f2900" "7da53bba62e7a44d 006f41eb28fe15d6"), 20); #endif test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61" "2d71ef7f0cf9e387 df6ed6972f0aae21" "311aa581f816c90e 8a99de990b6b95aa" "c92450f4e1127126 67b804c99e9c6eda"), 8); test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("856505b01d3b47aa e03d6a97aa0f033a" "9adcc94377babd86 08864fb3f625b6e3" "14f086158f9f725d 811eeb953b7f7470" "76e4c3f639fa841f ad6c9a709e621397"), 12); test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("9aa2a9f656efde5a a7591c5fed4b35ae" "a2895dec7cb4543b 9e9f21f5e7bcbcf3" "c43c748a970888f8 248393a09d43e0b7" "e164bc4d0b0fb240 a2d72115c4808906" "72184489440545d0 21d97ef6b693dfe5" "b2c132d47e6f041c 9063651f96b623e6" "2a11999a23b6f7c4 61b2153026ad5e86" "6a2e597ed07b8401 dec63a0934c6b2a9"), 20); /* TC7: Sequence patterns in key and IV. */ #if 0 test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), SHEX("0f1e2d3c4b5a6978"), SHEX("29560d280b452840 0a8f4b795369fb3a" "01105599e9f1ed58 279cfc9ece2dc5f9" "9f1c2e52c98238f5 42a5c0a881d850b6" "15d3acd9fbdb026e 9368565da50e0d49"), 8); test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), SHEX("0f1e2d3c4b5a6978"), SHEX("5eddc2d9428fceee c50a52a964eae0ff" "b04b2de006a9b04c ff368ffa921116b2" "e8e264babd2efa0d e43ef2e3b6d065e8" "f7c0a17837b0a40e b0e2c7a3742c8753"), 12); test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), SHEX("0f1e2d3c4b5a6978"), SHEX("d1abf630467eb4f6 7f1cfb47cd626aae" "8afedbbe4ff8fc5f e9cfae307e74ed45" "1f1404425ad2b545 69d5f18148939971" "abb8fafc88ce4ac7 fe1c3d1f7a1eb7ca" "e76ca87b61a97135 41497760dd9ae059" "350cad0dcedfaa80 a883119a1a6f987f" "d1ce91fd8ee08280 34b411200a9745a2" "85554475d12afc04 887fef3516d12a2c"), 20); #endif test_chacha (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("db43ad9d1e842d12 72e4530e276b3f56" "8f8859b3f7cf6d9d 2c74fa53808cb515" "7a8ebf46ad3dcc4b 6c7dadde131784b0" "120e0e22f6d5f9ff a7407d4a21b695d9"), 8); test_chacha (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e" "568b0e5589346935 505f064b8c2698db" "f7d850667d8e67be 639f3b4f6a16f92e" "65ea80f6c7429445 da1fc2c1b9365040"), 12); test_chacha (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("9fadf409c00811d0 0431d67efbd88fba" "59218d5d6708b1d6 85863fabbb0e961e" "ea480fd6fb532bfd 494b215101505742" "3ab60a63fe4f55f7 a212e2167ccab931" "fbfd29cf7bc1d279 eddf25dd316bb884" "3d6edee0bd1ef121 d12fa17cbc2c574c" "ccab5e275167b08b d686f8a09df87ec3" "ffb35361b94ebfa1 3fec0e4889d18da5"), 20); /* TC8: hashed string patterns */ #if 0 test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), SHEX("1ada31d5cf688221"), SHEX("6a870108859f6791 18f3e205e2a56a68" "26ef5a60a4102ac8 d4770059fcb7c7ba" "e02f5ce004a6bfbb ea53014dd82107c0" "aa1c7ce11b7d78f2 d50bd3602bbd2594"), 8); test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), SHEX("1ada31d5cf688221"), SHEX("b02bd81eb55c8f68 b5e9ca4e307079bc" "225bd22007eddc67 02801820709ce098" "07046a0d2aa552bf dbb49466176d56e3" "2d519e10f5ad5f27 46e241e09bdf9959"), 12); test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), SHEX("1ada31d5cf688221"), SHEX("826abdd84460e2e9 349f0ef4af5b179b" "426e4b2d109a9c5b b44000ae51bea90a" "496beeef62a76850 ff3f0402c4ddc99f" "6db07f151c1c0dfa c2e56565d6289625" "5b23132e7b469c7b fb88fa95d44ca5ae" "3e45e848a4108e98 bad7a9eb15512784" "a6a9e6e591dce674 120acaf9040ff50f" "f3ac30ccfb5e1420 4f5e4268b90a8804"), 20); #endif test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("838751b42d8ddd8a 3d77f48825a2ba75" "2cf4047cb308a597 8ef274973be374c9" "6ad848065871417b 08f034e681fe46a9" "3f7d5c61d1306614 d4aaf257a7cff08b"), 8); test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("1482072784bc6d06 b4e73bdc118bc010" "3c7976786ca918e0 6986aa251f7e9cc1" "b2749a0a16ee83b4 242d2e99b08d7c20" "092b80bc466c8728 3b61b1b39d0ffbab"), 12); test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("f63a89b75c2271f9 368816542ba52f06" "ed49241792302b00 b5e8f80ae9a473af" "c25b218f519af0fd d406362e8d69de7f" "54c604a6e00f353f 110f771bdca8ab92" "e5fbc34e60a1d9a9 db17345b0a402736" "853bf910b060bdf1 f897b6290f01d138" "ae2c4c90225ba9ea 14d518f55929dea0" "98ca7a6ccfe61227 053c84e49a4a3332"), 20); /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce */ test_chacha(SHEX("0001020304050607 08090a0b0c0d0e0f" "1011121314151617 18191a1b1c1d1e1f"), SHEX("000000090000004a 00000000"), SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" "c7d1f4c733c06803 0422aa9ac3d46c4e" "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), 20); } nettle-3.4.1/testsuite/version-test.c0000644000175000017500000000245113401564746016711 0ustar nissenisse/* version-test.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" void test_main (void) { /* This also checks that we don't by accident link with a different version of nettle which is installed on the system. */ ASSERT (nettle_version_major () == NETTLE_VERSION_MAJOR); ASSERT (nettle_version_minor () == NETTLE_VERSION_MINOR); } nettle-3.4.1/testsuite/sexp-format-test.c0000644000175000017500000001013613401564746017470 0ustar nissenisse#include "testutils.h" #include "sexp.h" #include "buffer.h" #if WITH_HOGWEED # include "bignum.h" #endif void test_main(void) { struct nettle_buffer buffer; { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "{KDM6Zm9vKDM6YmFyMTc6eHh4eHh4eHh4eHh4eHh4eHgpKQ==}"; nettle_buffer_init(&buffer); ASSERT(sexp_transport_format(&buffer, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_transport_format(NULL, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "1:\0""1:a2:bc3:def4:ghij5:\x00\xDE\xAD\xBE\xEF"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "%i%i%i%i%i%i", 0, 0x61, 0x6263, 0x646566, 0x6768696a, 0xDEADBEEF) == LLENGTH(e)); ASSERT(buffer.size == LLENGTH(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "(3:foo(4:bar))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s%l)", "foo", (size_t) 7, "(4:bar)") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "([1:t]3:foo3:bar[6:gazonk]3:baz1:q)"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0t%0s%0s%0t%0s%0t%0s)", "t", "foo", "bar", "gazonk", "baz", NULL, "q") == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } /* Try literals */ { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(bar%0s))", "foo", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(bar %0s))", "foo", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(bar xxxxxxxxxxxxxxxxx))", "foo") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(bar xxxxxxxxxxxxxxxxx))", "foo") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } /* Literal parenthesis */ { const char e[] = ")3:foo(3:bar"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "%)foo%(%s", (size_t) 3, "bar") == strlen(e)); ASSERT(sexp_format(NULL, "%)foo%(%s", (size_t) 3, "bar") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } #if WITH_HOGWEED { mpz_t x; mpz_t y; mpz_t z; const char e[] = "(3:foo(3:bar1:\xff""11:abcdefghijk13:\0\x81""abcdefghijk))"; mpz_init_set_si(x, -1); nettle_mpz_init_set_str_256_u(y, 11, US("abcdefghijk")); nettle_mpz_init_set_str_256_u(z, 12, US("\x81""abcdefghijk")); nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(%0s%b%b%b))", "foo", "bar", x, y, z) == LLENGTH(e)); ASSERT(sexp_format(NULL, "(%0s(%0s%b%b%b))", "foo", "bar", x, y, z) == LLENGTH(e)); ASSERT(buffer.size == LLENGTH(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); mpz_clear(x); mpz_clear(y); mpz_clear(z); } #endif /* WITH_HOGWEED */ } nettle-3.4.1/testsuite/sha3-384-test.c0000644000175000017500000032637613401564746016415 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_384.txt using sha3.awk. */ test_hash(&nettle_sha3_384, /* 0 octets */ SHEX(""), SHEX("0C63A75B845E4F7D01107D852E4C2485C51A50AAAA94FC61995E71BBEE983A2AC3713831264ADB47FB6BD1E058D5F004")); test_hash(&nettle_sha3_384, /* 1 octets */ SHEX("CC"), SHEX("5EE7F374973CD4BB3DC41E3081346798497FF6E36CB9352281DFE07D07FC530CA9AD8EF7AAD56EF5D41BE83D5E543807")); test_hash(&nettle_sha3_384, /* 2 octets */ SHEX("41FB"), SHEX("1DD81609DCC290EFFD7AC0A95D4A20821580E56BD50DBD843920650BE7A80A1719577DA337CFDF86E51C764CAA2E10BD")); test_hash(&nettle_sha3_384, /* 3 octets */ SHEX("1F877C"), SHEX("14F6F486FB98ED46A4A198040DA8079E79E448DAACEBE905FB4CF0DF86EF2A7151F62FE095BF8516EB0677FE607734E2")); test_hash(&nettle_sha3_384, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("D92BBD604BDD24B9889508F8558B13E96595AC90BC8A441DAF9B51D6ABC14FFD0835FB9366E3912504264CE87E421CB8")); test_hash(&nettle_sha3_384, /* 5 octets */ SHEX("21F134AC57"), SHEX("E248D6FF342D35A30EC230BA51CDB161025D6F1C251ACA6AE3531F0682C164A1FC0725B1BEFF808A200C131557A22809")); test_hash(&nettle_sha3_384, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("D6DD2ED08C1F644857A15DAFAF80538BEE597278C9ABE047BFBABFB8B1FCB7543E80AE9F7143D00F4DAAF39B138AB3FF")); test_hash(&nettle_sha3_384, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("49CA1EB8D71D1FDC7A72DAA320C8F9CA543671C2CB8FE9B2638A8416DF50A790A50D0BB6B88741D7816D6061F46AEA89")); test_hash(&nettle_sha3_384, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("89DBF4C39B8FB46FDF0A6926CEC0355A4BDBF9C6A446E140B7C8BD08FF6F489F205DAF8EFFE160F437F67491EF897C23")); test_hash(&nettle_sha3_384, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("D6154641D7D9DF62F0CEDC2BD64EE82412B3A80F6EACE7C45F9703373379007EABF592D2D2116E093DC33DCBBA4649E9")); test_hash(&nettle_sha3_384, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("2EE5DF2591CFC4CB1E1D0BD8B28727F0FA5359A75F7819A92A3CB80DDB5708E4705177B981396B4818D11E3CA615EC93")); test_hash(&nettle_sha3_384, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("786C3F73FB092BE184FC2B19F5920F3D94F25D4523165AE82F9B39B2C724FD62DC9A3263091A239D5EF1AD562DD4FD26")); test_hash(&nettle_sha3_384, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("79188139EC2CAD8D197D308B806CF383782C29A8C27EE29C5E31425B2DD18B2F5F491FBFB38D7078F58510125C064A0A")); test_hash(&nettle_sha3_384, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("0C82B8C75C5D540E7D624928281FBA8B8D0B1583D74F3F0EA4F200F1CE5475149C282E05DB695DC67BAF42DEFFDC3F55")); test_hash(&nettle_sha3_384, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("830D2325C001623EDFEA97EA1D0E65982D4ED7ABB8E64EA61C85E9BC1882D11FC4153C30BE63FC66F5FBCE74BB394596")); test_hash(&nettle_sha3_384, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("1DBE1BC60A9C6FBE10A727E2A6D397930D547AD2C390286948C3167EE77FF6E275EC8431C5AD4B4E4E5AE67A4BC88D05")); test_hash(&nettle_sha3_384, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("FEEE2EF332515284E0BA247C62F264199044D03877C58E54B51A62E39E91C27AAAE384837EB9D479B4C0308CFC6B779B")); test_hash(&nettle_sha3_384, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("1888E953727CB837DE40C69869560C20729C50638E4561B385937BFC4C297E789EA6C03EFCF2DF3290B1FD36BE268C32")); test_hash(&nettle_sha3_384, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("30DE7B544265422CE689E667F48498F455E8BF1055653F21294EAD7D2E898B05FA75EECA46DC2575C475C480AA49CA62")); test_hash(&nettle_sha3_384, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("041B7C89BD4B582A7D20E579C6FDB18BA0C1251DABACC687AF448EB49151BBC04ADCB81D797D4BC51F03BFFF230FFCC6")); test_hash(&nettle_sha3_384, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("EAF751EE6E75AA2C56453F316C019BDA7D7AE1FDA03B79AC413BB1F2840D58AAAAC77F2DC106D22F1A71157F9F841C4B")); test_hash(&nettle_sha3_384, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("16C4A7F7E8BA7EA13C59576BE602F885E21BE7C34B3AC05CAC4262BAAD8AA3F95BD9260F13F08550CE331EC773BA758C")); test_hash(&nettle_sha3_384, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("5119A4FC11DAF2EF5DEB7AEB35549162D9AFC827392A8868E7F8594A5C194D9C8F6A430CB386B8D825CC6DAB4EDB742A")); test_hash(&nettle_sha3_384, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("A91F0170457E78B3BB15B0BDC0FF4EFE8D7313D2725D8E8DB875BCAFBC11314126559F45E86E78136EB214FF02764CAB")); test_hash(&nettle_sha3_384, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("98FE81746CCF7CFE5571D6D8B09943ECAE44F606444F9DABF1A57FE4E871F6962266D18652FD4EEBDBE492CFC5B2B21F")); test_hash(&nettle_sha3_384, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("3DD9054C105C40798DF45CFB5880F97A9536FA7BD13F1D816B8EE887FCBAFC102A7D4BDE9FE6E265538EEC2525B50D89")); test_hash(&nettle_sha3_384, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("DECD778B89B4295072DBF98689E2EB6066E406356EA4B7CAD550019F4A2ABB25163E9571D0ADB9ADC6A802B7E03C152C")); test_hash(&nettle_sha3_384, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("37F14B317D46BDB3E5DD6F68986A08A098C46B9D85D1F254A17878C008F97926C8A13C3838721CFE3A58076F3992F26C")); test_hash(&nettle_sha3_384, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("641A7AF13B889D1A0F1AA3E4E4FF8CC5903C47E1A52BDEA257D80E37E596564AB33EEAD06717CDB6B706CB6986293D4F")); test_hash(&nettle_sha3_384, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("122B8B86103FE3C18FF28178A256ACB0CAB8518338D2CBA697E3F560ECFEE09B024B97D8D1F69632AD1F2C5F5628D3EF")); test_hash(&nettle_sha3_384, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("F35A292E197007E28CE652A067173F3659C51B70438AA9E433081D3DF71B4A11E3F3BE5AF32E2C08D23A0B44E30B0BDF")); test_hash(&nettle_sha3_384, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("2EA596B446D5CCD8F0927A2E3790911E00F1F52CFBFC41F12290CBACD1C903C74DEEF840FD1398E12EE863ACD92BAEBF")); test_hash(&nettle_sha3_384, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("BAAE7AAED4FBF42F9316C7E8F722EEB06A598B509F184B22FBD5A81C93D95FFF711F5DE90847B3248B6DF76CABCE07EE")); test_hash(&nettle_sha3_384, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("32CFC8A18A7116D4B9029051941808C3B332EFDB132C515F9110E19B8354355D94616C9965BC2D1F2489F8452AF7FB2F")); test_hash(&nettle_sha3_384, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("73443EA38A8801395C044E3CBECD45DD62D6E304C5440FA9FE9651A438C010A76712759BE20681F1416661E746E5EB77")); test_hash(&nettle_sha3_384, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("6E82F460660F3D2CC33AA59A37F325EED0133FE29A9CB428A3C22572B6BF6C5DA2D0D4645C49135653A049795D4E2AD0")); test_hash(&nettle_sha3_384, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("229160A61CF2842B37EA85788BB1CE8294DED9EAD266359D61DF3D6DF98EE155ED03AB1A51D6291B41680A00553298EB")); test_hash(&nettle_sha3_384, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("F5D838DEDF07AC3A5646221ADC6CA59045976DF9C33367FDAA0BE3AFC57EEF0D434EE92CD618B3FA26C7EABD18D78772")); test_hash(&nettle_sha3_384, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("D41A324A1739BBCFC983A2B250750A1117E57BD26512CC5DCA7066D8B972AD9EB0BB3C7E36B9B84FC0E8129B69CD3847")); test_hash(&nettle_sha3_384, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("170D73BAF77EAE7A852A1BB19BA6665F9EF425A66F2649E959B5CAA82D01FDB89C8C7FA6F40702F7C3391B146F6FA33E")); test_hash(&nettle_sha3_384, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("A8F4A60A8FF5B3EBB4EADB9C46F1F403AB7FF632C7A11F80FC9153858B484291B3936713076955207D0C7E1964DC1346")); test_hash(&nettle_sha3_384, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("5815D78ACA9600632239B7CE8385D7E837F883857601EFB78F9C2DAC9A96AE0BFD107526F268D06FB4227D4774A9E727")); test_hash(&nettle_sha3_384, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("A5D91B01650D24B4753F41871FA700E997D5F1EF9C06D8F9B3A9B2D318716408E1566BB04B49B84E77F5F73D8F640541")); test_hash(&nettle_sha3_384, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("C7BA066881DB931E9C674D74CE2309B3002C6D5BC22056C454261CDBC5D93FE310EADD755E41FB1D789FDB9A73FDA28F")); test_hash(&nettle_sha3_384, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("A52CA3413BB83934B1EAD4686F639B90C5EE3CB5BE7E29A1A5293C868441D79BE2EF246B427FFCF0568D4D01BE54FF0D")); test_hash(&nettle_sha3_384, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("13E60554FA18CEF87CEABE147541886D97C2FB5F40F163D953306D2A26B013B33CB202D78AEF49FD47E7EC1C745920CD")); test_hash(&nettle_sha3_384, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("E4E03CCBA92BBD28182D005F69DE4E71C61C62CD323DECFB2ADDBEEFF7EE74933AA7A167E4E1DBB3DF7E5C91184F2D88")); test_hash(&nettle_sha3_384, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("9B26E9BF13B6FC33FD335DF976C8E1B781C800895EBD72E34F96EB875B41F04AAEE825CD8F0EB6C43D803F4E6EF688A9")); test_hash(&nettle_sha3_384, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("A127FEFCDD240F762CCE3F5F1551FC7E1CDEBC7950D1CD94C6888F490CB2285A10FD0EE797B168C5CA4761FA232AAF05")); test_hash(&nettle_sha3_384, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("FEB5A24EDB05BEF846B0A1F3F48DA212DFC2D0BAC746890D4AD72FBE3A7B4FF8E2B542B827779467122271B1E0DF2BD2")); test_hash(&nettle_sha3_384, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("8DA4F3D1A13197171B02E1CCB07BF51CDBABD833FDC3C3797A113CFA5C71795782C47CE36C389FBAD461D0D5B59CA684")); test_hash(&nettle_sha3_384, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("D19FE4A5F93BCD483DAA7AF8CB636807962D40AF9A507DC4FA4E1FD480A6E8FA3C25FA30EB6B74979EE456C1644A5C1D")); test_hash(&nettle_sha3_384, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("63FF3053ACE687FB91070CA7FC6A51C259E13DA8AC0DD741AB36D1FA930E3BB9AC6A1FAD654F7238CFC4485C5F9F8252")); test_hash(&nettle_sha3_384, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("39DDE02A319B5E869F4C51A1D30FF4D4D88EBE504C54F155AA5FAD3316404FDBD1918074D35D14BAC88D6F359108A1DC")); test_hash(&nettle_sha3_384, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("1959378F32117E58C0141160E16FACFE336590196BE805D149EB5AEEA641F9BB119B3EDDFEFD817701C82D2F528B823E")); test_hash(&nettle_sha3_384, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("7B172A9BB311B1375E15ECE1C1E8F092BECFAFEC9F3144E93F596EB7E6ABFB34FCEDB08EDA7883EBBF40038B7A754F9F")); test_hash(&nettle_sha3_384, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("6BA32ECAAA0AA9C59E72173F2A7816AC51F313C467A017190DB9832C6311EC23B8D56B7B220FA09A9081962EFED5183E")); test_hash(&nettle_sha3_384, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("55FDF2EC27D334B5B59EFB9B6D518E25BE0F5FF6379F7B97945F3E1235EC70295B39EBEABF70FCAF1E61EDB1C21A4C06")); test_hash(&nettle_sha3_384, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("D51A3F33919FE5DA0EFEA6EDAD201F01FA8416C385A89D96DF743D243A6AABA5B7690D187B95CAFFDACD1E85F56B813B")); test_hash(&nettle_sha3_384, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("F1D6E8F95C497D5BEAFB4215E07CDB59E0E3709CF561618F67E301931D204C6CE477E0F750099584B645E2F718650813")); test_hash(&nettle_sha3_384, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("B1D347D057CCD72867B12BF00BF511F87DEFCD0FA6ADADAF4BB1AD790F06ECBB1F4488A0319B05C46A7874857370CE76")); test_hash(&nettle_sha3_384, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("4F192EDFA54FECE64AC0B3EC9E120B291ADE99948805A87BBB04947E928BB5EBA87E2EE599960C436EA7C7884187E78C")); test_hash(&nettle_sha3_384, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("75E23FED3B59DB6B1D3378B7E8772642CBBFF7710D8A91B249BB6C68E384CD416F19AC1E8ED92B71D0CA303D247EE9BD")); test_hash(&nettle_sha3_384, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("C8D1E6BE5485FC13BF433F11A580ABBE89B12A66D0E5CB141E1D62CDC6A367725793FB25840B36CB7003F2E7DF3E5F2F")); test_hash(&nettle_sha3_384, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("423BA134D3BCB5E440AC83372C7EDDBA3AE3BDDF1222F505C19CDE246AD76A2B0D07239A54E1D0934C9B3D29D49E5FBD")); test_hash(&nettle_sha3_384, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("662C4851D311A786DE4CDA7E9EA1EFF0BFA462761FF6CF804E591ED9A15B0DC93A2BB6A6CFFDC8D7D23A233A52C86EAD")); test_hash(&nettle_sha3_384, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("5F54B1DAFA67ED9B498125E064F0B07F54E754E3F30720DD4A471E9BB6E307F05FB69BC81D391F503C95C3BB671E6973")); test_hash(&nettle_sha3_384, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("A21B55DED8FE41FB2B193FA490420A8B62FCAE9A185DA85E253DAEFE85270B6904BA4ECC76BB5128926FFF9D79F728AD")); test_hash(&nettle_sha3_384, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("341BE5677A05EED816A219669D680BBF185B31CF3EB0D289F90210FB1A7940D9BFF4909320AE4E3B7274E5BE479C46F1")); test_hash(&nettle_sha3_384, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("D70F78894E292B075A0FE56FB952B2CE87A94CA029347159FBB12B22103DD4DC4C265B7AE88950CCA89C40B531437AA4")); test_hash(&nettle_sha3_384, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("89BD6B7CC9ADDDFFE46BF85C56B8CE66E1B1B46969B197ADBF2E34B7059D8BB05F9F53BD1A58A7E0A66E5EF208BF5695")); test_hash(&nettle_sha3_384, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("AE651EF50A20B0F496F104F56F845206ED544B28D0374CBB779146DFF2EA5894EB29301FE33872F9B299A79C0C0F28C4")); test_hash(&nettle_sha3_384, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("A842918DFBBF3BFFCCC527B6DD2C0DF4EB3F100F0692727DA77DAF44A654876013B37031C493AC18950003EEBD107A29")); test_hash(&nettle_sha3_384, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("20D16CC6AF5B4D5AECCEAD09F300B1DC1DA93A608370EE0B2CF15C316508B5EF8C9BE27D0F7288617B1E529FC2932038")); test_hash(&nettle_sha3_384, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("69A3BB36F52EB650C6E8242DB05659573AF811A1A5DB908F773D65E74D327F5B65303DD0DD9BD07FF100D050E46FE97D")); test_hash(&nettle_sha3_384, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("D239F2FA1675A1A031E2F6E8A53D6E2F37D081CDB029727B3ACBDD7CBFC7D3581BDE8D3068AA9A300AE12B7245124508")); test_hash(&nettle_sha3_384, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("2F8D747DDF64320297B44F8547EF42FCE78A48F0A59A18DB1CFB9F43C049628F97C0BB93ADAAB9617155272424F74027")); test_hash(&nettle_sha3_384, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("714BE6F2F934E0B6FD69E392D99ACC98592B015E48A1637262F99286502B06774783BB9F371C760C3EB78AEADFBD0DF0")); test_hash(&nettle_sha3_384, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("22A41B117464F7F49682E8139A0D5BD23FE00D1190B1B419F27B490B729B56BBA9DE649DD7C988B6B308038661E1C362")); test_hash(&nettle_sha3_384, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("77780F3646D288291790F2A5F4AA9C98A64A1115306994CD65C7620DDE06D35117CE4B79DAE08B5B4E798459010941BB")); test_hash(&nettle_sha3_384, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("5CED3B7368582DD6DEBFE41D6AFFD82B72894B51FF4C4ACCBA09C595B36E23E347AB4BAAB0E5191D86E26E6596D62E23")); test_hash(&nettle_sha3_384, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("1410EF9ABB8D98B1C65E113A61915B0E6933BC59DA31C8FCC39B7165E715919184375D822A07C778F63431BE2AEECD99")); test_hash(&nettle_sha3_384, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("330ED51B045471DEA8CFF26510D68494611ECFD614D49E5A9CC8846A132519BBCF49907691AC5ACCFC0528DA0C14D49E")); test_hash(&nettle_sha3_384, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("387111A206FC6488F78D41786886A9E5EC9F73E1131D92F290F68512320A408D5F63EAA5ABA32D9853EB11B5B0887E62")); test_hash(&nettle_sha3_384, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("78573F5D075200D3823194A71E55880F4FE78489234DBF3DF3E3734CBCAE8DC1D8C1AE95F9EFA9903DC4C4581B59DDDE")); test_hash(&nettle_sha3_384, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("FDFE4F1B034733C2C94A7B36E2B52774A95C2BDE22FCDDFCEF52F7FEF7C67F08E2F7B9B8967E447F76EF91960DA76288")); test_hash(&nettle_sha3_384, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("48D66A4165AA54528ECE89BD9AA00EAB196F32DFDC4D76F236655835527AAA1642E6BF4EDF24F030F5EEEF07FA40F5D2")); test_hash(&nettle_sha3_384, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("3C2575372CE1F380A6E66BB075FBAE98FC2E6D3D267A20FF0313ABC3DE252E03FD5BDFA8BC2B79FC874CCDA4ABDBB4A6")); test_hash(&nettle_sha3_384, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("0EE6AECA8DD80B74225AC4882E2BC1E6819C9B94F0D0BC0A1E21AABF4B11CB74DB4734BC8D1179D7DCEF535BE9F3DA28")); test_hash(&nettle_sha3_384, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("8027E5044923F8EEE1DF184865CD97B635A78DA199FD80AD3D343A5AE03D1B165E58D1B0BD093EF916A16D6641BDA17C")); test_hash(&nettle_sha3_384, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("796818E047913D5AFB4AE4C5B7C5D5EF699A3A9EBEFB44462EE8FE603CA5628973369E4A9D8E10115FDD75C89707A8F9")); test_hash(&nettle_sha3_384, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("1E96EFF62E9F464B4802972FDAC77C3EA1131B2822619D2C5D863E357D0945C17F93EDE66AF05D46E63C2857A54F67F4")); test_hash(&nettle_sha3_384, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("4CC41C2FB7D71DA1AD36D18029F755DAF342E732EC31F0C06E27091307718ACB53FA113AE508DF38B8C96834DE33F9F1")); test_hash(&nettle_sha3_384, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("9A8D4B560421C82991BDFCA0898A29A59BDB09D20F8A5B279096723BAB382789F081EAD50D273ECA436C526ABA6D5CFC")); test_hash(&nettle_sha3_384, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("367CB3FE03A3CBB50FAE1FE7EA883A0AE53CBE772F709DC5505F3C907564C08FC49707CFF9639B25C746B6039FF48AE9")); test_hash(&nettle_sha3_384, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("BBBD05D69D7A082FCDA8ED535D7E4E5DE1377BD91E72D42DC95295C9DB780169E2F9620EC7A5AFF959FF2D946FD20A72")); test_hash(&nettle_sha3_384, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("BE8BEC0C2EC721E0C326037CE86A1518FB395C3A9802DE01C3E234268EBB9AC9A39A6E404F25FB7FEBDCF1F7F25DC083")); test_hash(&nettle_sha3_384, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("2AEEAF292AD625221BA79A621217FD1B3F8978BA83FE7FF13B38574FCFAFFBD207298854B6F9C27D6677494204221FDA")); test_hash(&nettle_sha3_384, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("9A1761C5759CE67C9C093EC5C831C1FF7CAB64AC7C8002066EDCAED044DEF57CEA3EF6BE98578363D2CE3D1F5BA448F8")); test_hash(&nettle_sha3_384, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("4A24A1AF68DB65C3977431EE81092C776F7CB33D6F08940100EA240A2D1F8623A41D07CE9937BCBEC8CA1072A1A78E8B")); test_hash(&nettle_sha3_384, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("928E94D19FC60065A5EF7E48018387C80F2D350F306D0F610173719D5C874D4A8ACC340FEAD4BE357E1F78124198AD77")); test_hash(&nettle_sha3_384, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("78A18D62F8A7EFF5C6DD75B8CB073FD30EE68C878C2EC58AAD1C5DD0EB0AE43698A617BB0C670FCE2AA098E0ADF425B2")); test_hash(&nettle_sha3_384, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("EEEB56C3E54FA833B985EFA5923C3F0225F419664CEDD898C79F64D72D2AD4B125A38BE0201846C442EAF0051D516DC9")); test_hash(&nettle_sha3_384, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("0A834E111B4E840E787C19748465A47D88B3F0F3DAAF15DB25536BDC6078FA9C05E6C953830274223968847DA8BFD20D")); test_hash(&nettle_sha3_384, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("D1C0FA85C8D183BEFF99AD9D752B263E286B477F79F0710B010317017397813344B99DAF3BB7B1BC5E8D722BAC85943A")); test_hash(&nettle_sha3_384, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("6AEDCF4426B2483C0D0D04695BCC052BEDD04FA4D17A1BBB2797F6272FA476BFC138E4091409FEB1AC0E8BFF350A6663")); test_hash(&nettle_sha3_384, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("ACB7013CE75124388187DC0E7430CB74A314D601B6C8D7A7DE5CF03197A84F7874FF058808575CB2F10185F561BB06B1")); test_hash(&nettle_sha3_384, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("F947469DB712EA26F25F709FF7879136EA2A79E0A2D0ED5EE4ADF0E167F106BC410C93AE1D986EC211E0FD9A40741857")); test_hash(&nettle_sha3_384, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("65989BF4EBBF4C21B3DD34551D3F6167910236671BB7F348DC552ADB8028A468FA40EF4A8C1227A1A41C28105E64AC20")); test_hash(&nettle_sha3_384, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("B77A69E373AF0F733CDAD399C9B12642A046E1A7893D3382943A8367D37740DF53916F6DAF90517B39621C14343754A2")); test_hash(&nettle_sha3_384, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("3D14B6FAE6156E7876367897A49269181EA58CC3CA9621C0F81D6A5FB6F615680D909B29F6AF7E62FAD04D70046BE997")); test_hash(&nettle_sha3_384, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("456AD01908E187CA2CE9E7A4DAED8788C909E9BC974EFD1C9A44AC36DB9B6DA985C947C7E0A47AB27BF10CD760FA48AF")); test_hash(&nettle_sha3_384, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("C26BDAC454E1ADC0D090D0C5254A29966611B6673014CBACA24D26B6F63EC7E8F993BA3DF7DF89770E902D5F6574F6A8")); test_hash(&nettle_sha3_384, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("1D85BF9AA2B6DCC3105E7D7F91069F01E4C998D6F03B77650D75839D65A7A049196FD935AFEFFDEB657BC8F96B7C17B5")); test_hash(&nettle_sha3_384, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("085CFA581CF3F4F19416BEE3ED5AC2544662AA51BDF1D2E348D9BCC27343487DF20B18D9F6FB64565868504A6805D176")); test_hash(&nettle_sha3_384, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("376088F09039CAA40BF19FF5E5F193FC9ECB6116A0ACB3237AAAB6CD807BD7AF45D804D837A18D2BD9A8C3DAA3A1D153")); test_hash(&nettle_sha3_384, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("CD40B35FBD90B04D0641F71088F7C6159D8EB16DE8AAE09F355877A0333B53150B81D36C5C2446BF5AC462EF84D4E572")); test_hash(&nettle_sha3_384, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("DB14442400597871FA56D10F53BE7BB4002C44624C44E89C99B95122676A76FF28840285239E2E4FBFB751E4179577D8")); test_hash(&nettle_sha3_384, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("4509ADB6177BC6DEBCA7E36948F07001159A57EC8CCA2B76C770735C5BCCC679DA6AB4E64D915D0E1A754C3FDA11B524")); test_hash(&nettle_sha3_384, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("193AF71BDD228AB3E8AE50E1B1CBF1984B0AF92AAC5A71CBE618AFD4187DED6B461411A39E72EA4E213FE0A5231C498D")); test_hash(&nettle_sha3_384, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("3E419569A4197BB71BAF416B38772EEDD9C1D5A3252111609F0FF8A18A749D5A56143A14925A82CD35C44400A49AFDFB")); test_hash(&nettle_sha3_384, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("6215C070D0CB388A134766035C4BA95143E608D15CAF742796304FFA1A62E55660AB9AB1F6538B4AF1F3EA89BE7D51FF")); test_hash(&nettle_sha3_384, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("0E27ABAD85255A66217722B7D4E032BF29F638BAE965B99F8EAF309071FF8C107F5B6BBB6AB1985228E697DE60595DF6")); test_hash(&nettle_sha3_384, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("AB9FD51B3AA4CD944ABB6CDB063708B2D1203D65A1A2EBB48E0C19722A18B9EF54D7A11F7684462B995B6D38CDDC0463")); test_hash(&nettle_sha3_384, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("03945325AC50E56BC8B515576529ABAA9A22BC2A7CED9142A75CE939A388AF0022A4E75A33964BBB3580564E0AF809D3")); test_hash(&nettle_sha3_384, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("59126910A3462E3B7AC22892F637D87D90686BC0A9BBD4A32E2C4C71A168BA685F2184560E125DB3DC23D90B9E820F1A")); test_hash(&nettle_sha3_384, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("D3239A33BAA55B0F21169E0FDE6114B08106BAF3F4BA0CA19D7B5CF44030057AC672CE529EB0F3BDA36819967819AAFA")); test_hash(&nettle_sha3_384, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("38A11581D874A574929C51F8DCC9E501900743864AEC3AC0889E62C1071CA5F8B6CCF9C0BDB3BB365916EB4340973DC7")); test_hash(&nettle_sha3_384, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("8FD01909381EB713803419361D8E82E92476A08EDCC225BB8A135D215CB48D07B074624FCF2E73E666DBA59334719839")); test_hash(&nettle_sha3_384, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("5D7DC5FC9DE88B1C0C46AA6D49273505FF7A76A179E31AB5D976A69D89B83DFA6DEAE9E1B93440EC055DE1CC824D6B15")); test_hash(&nettle_sha3_384, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("3D6BBA145D7E69DBBB0F099D47A1F2138D4A00F26B07C62CF38471F0FB9CA022C61F7A769013A9BD8D5D87D8E01D9B4D")); test_hash(&nettle_sha3_384, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("FBCEF80DD06E7E0B3B7A5485CA5BC2B388CB91A2890F181C857B3E0ABEFD6065499D82DD55F3FCD17E351C0A3636B859")); test_hash(&nettle_sha3_384, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("338AACBAC8AC5BCC13FAFC0EC6D2ECF4A871F9B09D7B1BC5BD6F8D7C9DD1354B8E28C68158A36551DDDAB8B684579EE1")); test_hash(&nettle_sha3_384, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("FFC98D84C268BD09CAD09CD7B4BF9D35EDE97EC55885E839E557D21ECC0E28A855000386E68FAAE3E64A19B443B2587D")); test_hash(&nettle_sha3_384, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("471465890C3B9C03EDFBF0F6883D565740BADA3B7628AD6A27F729C35C1A8666953E8B99D2C89EDE0BD2D5D70FDEF11B")); test_hash(&nettle_sha3_384, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("0F8BA7214DE0E3A9E13C282BFA09CEA782C31C052F516D0AAA403D97716E0D08B1F7F9BB4085B555740C813C4ECE1B90")); test_hash(&nettle_sha3_384, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("CAD2D28FBDCC3A5D71FB3ADCEEC52313AD41D4FF1F915CAA34EE127839DBF2E9A7B06E1C4ECD6255926C16C06E51EFD0")); test_hash(&nettle_sha3_384, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("5B192EBAB47215A8E9FB8E4D561B220B1DC36707A3F085F7BB0175335C393251E3467F945570420C743365D0F09B9E09")); test_hash(&nettle_sha3_384, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("DF6F80B6D56CFFA8545A27A245A50E6C2D117FC3598F465B6CD78560F4B3C7D2123F28F67CA9E65BFE0B7F566C57B9EF")); test_hash(&nettle_sha3_384, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("CE97E9DF08789D84151A95C8134F0DB74E5D4E076E0C15966825C371B79B3192FD7C9C6BDAE86B775804B5363D1152C7")); test_hash(&nettle_sha3_384, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("89BF889FBD7A384290D3B1D52709DBA686351E53937630B7C7F01BCDDA19B1517D317D65E799E686C71A0AB4D65B60B8")); test_hash(&nettle_sha3_384, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("5D40E392C2E5B29C80C2D760A93AA1E193472D7EE59E203DD478FE24C5A6264E2873AF31ABDE81827862901AE59571BB")); test_hash(&nettle_sha3_384, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("7C63A0DC1C39CF4FAB2D22F62C1B00757AA4B89ED0D7128DA243D9082AD0C78784AC24DF34F5AB30375F1D581E7420BD")); test_hash(&nettle_sha3_384, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("ED085D830AFD2D8F79627281C2A8163C391FEC2C58268F66F74CFF9751BB29E0D071EA8FD2FCF943020D0AD758281BFD")); test_hash(&nettle_sha3_384, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("29124752CCD4AC724A9C3D53B0B352AF2DBD76729F8C5C648B1E9D77819F32E2A7DE0E15286478A24DF9BB370F855C1C")); test_hash(&nettle_sha3_384, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("FAEAB5687F39EC9894C5CCFFB57E82A84BBB7D493CC6AFC03D07AC7B4F181E61639B9A4771C99985ED7FA1773E1CA3F4")); test_hash(&nettle_sha3_384, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("E4E352B1D2D987A37C831629FE0C6AB9EAB2C35E401D1B5F443ADC54A96EF3C91D0876CCF46ADEF819C460369136DA87")); test_hash(&nettle_sha3_384, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("6C288FE4A74F0ED1B36D12F2DB697FBC44017BB57D38C9EBD45F5A8B4FEB59148060AE4BA1FFA162E10E6916CEA1A794")); test_hash(&nettle_sha3_384, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("E1B6DAC3F138B5F336F1F75894F825FFC197836C92BF359B55BB2A78239F24F9C4AA1E063C9C2B273B9CFA766FBFBAE5")); test_hash(&nettle_sha3_384, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("6E07B59E93B22475633B5BA1AA6891119CFF690697AC679E9349E8694C654074D965F0C32FF517B10EE8F6993F6E4646")); test_hash(&nettle_sha3_384, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("19EB2E15262A839538846F7252676971207913279B9AE9B6BA3650D8F3A8E558B13C35B31F1AB7429E376255338C4AA2")); test_hash(&nettle_sha3_384, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("F4DA80B26FB5E6F7E5DFE47128EEE095D46D9ACEFBE76F74EFBC8A1AD68E8456634E9376025648EF7A3350299F366E29")); test_hash(&nettle_sha3_384, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("BDBA7838A1E7A601D559F49EC1323B7C5FABE1E109FDCAFF3F7865F9AF4196ABBF60AC123097A7B860FE438684355EB0")); test_hash(&nettle_sha3_384, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("96DFE9996BFFA5E5D83C39B11F47F12D11210F7D4300B7180D1891EAAA7FE4809F9489B1E2407FF87FB2628DDF1FC020")); test_hash(&nettle_sha3_384, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("79CF2A3017F82693C0A531A367186D055FCE63081EDF980C6A0B967B6ECCE75D635B98485E9B6B285B08336FF34E61C9")); test_hash(&nettle_sha3_384, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("0ED3CA1620CE3A923A22E9D13BBF7543ACEE05F66B67E6D6F435BC513F4698949C27528068F892F0871916FE2D0433C3")); test_hash(&nettle_sha3_384, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("69A27BBF080E015592893D3B55D1957D267784569923A466165A6FB129613D8EA6F610F3760E349D46B09277CB854546")); test_hash(&nettle_sha3_384, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("E9C8830140629669A1DC5C8EE27BE669B7122F4DC88224635CDE334AD99615F3FDC4869E56263E3C7F4420736F714E26")); test_hash(&nettle_sha3_384, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("4DF060276105BF002F8E9F3F08D5B51F7C2ADFE5AAB9A1A683C053E045C89A883028B1093461368262EA85F5239AC7B1")); test_hash(&nettle_sha3_384, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("816AA6DB9B663288E5F932F0FEAFF0EE7875C3B3E6FBAC0CDDC458BD646371969CF50D2D0942FCC7403573B01B05B455")); test_hash(&nettle_sha3_384, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("125B51C253391677C59C0332C6A13D07DE55EAB80857593F0839A56FA678C5E2F7CB2F934ABE5E5887804AAB5D8F13E1")); test_hash(&nettle_sha3_384, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("130C4B06A55F11C80C41608ADFD7B4CE8795871BCF16900F20D2751E123B41D3B2048FD05267C2F9653ECE3630BDD330")); test_hash(&nettle_sha3_384, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("3EA0FA3FC035EA40CBBE9A3C1C6F7E5A437BA20F26736F2895F81D53BEC92A186E74762910C4AA62565373D38B28D5FD")); test_hash(&nettle_sha3_384, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("7C1F1A46E409046B5A314767E8B7E7B1D9A92931443C5D02A581371B380AFA1867E554C3F7DF2E4557ACFD9F8E230C44")); test_hash(&nettle_sha3_384, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("2AD23817002C8F0089D423760F5569EB67CBEED2F0F2AA12F8EDE7856EE22AA6EB684F86AE91741A4AA3C80AC97C4A0B")); test_hash(&nettle_sha3_384, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("D34974759C6A4AA9D1A4ED3DE341A2BA022DF127BE92EB0BBC1900EB5AC7B8AFE909B52DA5714668C3C4B7DB939F2436")); test_hash(&nettle_sha3_384, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("0FB38AE233520D4F57469463E1E68D5518EA4E965755C03AD458DD285AFB2DF518C3D389BD361CBDCE46B654631A18C2")); test_hash(&nettle_sha3_384, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("CB8F1CC9EB72465176B97B6226A87E69D77C65190114CCE1F830A3DFEFA5A8A278D5CF594B173AC58C06EC74958FF8C6")); test_hash(&nettle_sha3_384, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("87776D7022DC18592B578C534E2FCF57946E0F74C47DF85612F89C6593FD50A9E445C048D6CDA9A1D1D10EA3B3C973D0")); test_hash(&nettle_sha3_384, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("83F4442147FEFC8E5BAD3E9EE4C6661A771AE8C87458AB67153DECD35DAF6756EEF28E4AE72E65EBFAE08886A6E773E0")); test_hash(&nettle_sha3_384, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("51358159074D960C0B9D73D5F12AFDAFB8F5D7905BDA62379A6E0D6727D03EFD26EEA51B434368E2E566CB4747D0BA35")); test_hash(&nettle_sha3_384, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("3ECEA8CAF0D8EFA42D54AC5EF36E624237D9F5508ED6FCB6434D67F3FB788C538C635798F52B2F073A4A7376FD31C4A3")); test_hash(&nettle_sha3_384, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("A8876FE4652ACF72DCC8FD5133E5D4CA4E3766AB987CF66EAE5E3770E252D2FD2A890525016623EE69064690828C727B")); test_hash(&nettle_sha3_384, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("6A09735736780F199D75C60903AA24D7F8AA17516690854F7522EF0BBF47D41CBDC8BDB2CB2F3C5596510539677607E9")); test_hash(&nettle_sha3_384, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("83FC2B91AB81D4B15363F15E53BF639063BAC55502B4421CF9A53BCAB9FF47FD77DE5AC6934F67A412EA1910FAD67768")); test_hash(&nettle_sha3_384, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("77C0480B91F32EF809D8C23AB236581F0BCA8B9447A4D36228052B3ABB6AB69C61D19D720486A3FF497A4673B84CB951")); test_hash(&nettle_sha3_384, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("781466E257D2FA594E39DC220A260C7478D2158BB70E426F9E9587F5A51A7C29FDC7AF23E7AB9C774E33C08AB38CEDB7")); test_hash(&nettle_sha3_384, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("51BEBFB5AAFE777F390E2851B7EB9AA3809194FE3BA1689ABEE7E43D44A5874E0C252793DFD42C1270C63C407AEF6780")); test_hash(&nettle_sha3_384, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("FCDF0032F34BA6C42D679B182D07B10F4DFF2189B0A5EF6642FBB71B16F910E3240ED9B502B1C6B395BEE74AD0FB4191")); test_hash(&nettle_sha3_384, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("92AADC02BB9795A48B031034EE6AB873DF481D232932FB5FD6C3762E50E58DA46D1F5E5E874597F15C83127F0A3042B1")); test_hash(&nettle_sha3_384, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("0D0CCDBFEB0A933F211EAA94EB452900324340505CCF8DB7AD93E976271F812FB8907805F6313D0B0931F5C9203BDBA5")); test_hash(&nettle_sha3_384, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("FEF6B1F27B0CEBC4568588E627D28DD569A58A8F9A51A1D2887B40F5547B2C67C71917BE998D1987AC78E9077CC790AB")); test_hash(&nettle_sha3_384, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("E9957732E7DAB64550F003EE6D0353AE89BDC6D69D05766024CFF189E4FC8FAA41DB72954E8E5AC0B29265C8F785E737")); test_hash(&nettle_sha3_384, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("98D73B3555F003058F7B5A145D89FAEC46C17099A354EF3834A20142DBD50A0E8054598CE7941BF5DD4DF7CCF218F02F")); test_hash(&nettle_sha3_384, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("3795DE490F43B9899947C1C305C30E26331BA0E611DCE7961172B2E4299932147BC9E241C32E61FA964D4F436ECCFD37")); test_hash(&nettle_sha3_384, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("E9F289E671541FEC4599915A0D9935BF5C20A12C203BCDE88A46EAF5CAB2D437F9FCDEF67B98768BB80C9A874B3F46C7")); test_hash(&nettle_sha3_384, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("88C23BE040BE64D23AEE8D7EE962228A6F07831B0E05FBE2F25F07729F00C2C617EB6975F57B3F17DD540E8EBCA654A9")); test_hash(&nettle_sha3_384, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("6C42DEE61CD97C50F5340CF4DC4F7E319FB5FAC7A26B41DEE66D789804BD1FEF1EF2911643C9C1E2C0485C979B36D927")); test_hash(&nettle_sha3_384, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("720150FD5A1CF94A42F922EFCBB723FF948F74CA6D0A3F399AC54DA8B3BC07F39E6E2979C16C875866CF2F584CA7F2DB")); test_hash(&nettle_sha3_384, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("FA6F90935843D4F58E77CABE4BA662B4FABC1732725FAF952EEED70FA0AAD6A98FE67F3B6736A1C8F7C5BED4D9B017E0")); test_hash(&nettle_sha3_384, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("4E2832FEE290D1917C15B31893F6578C1299445B99BC48708E13348A11EB2F27FE217A63F532583793D18CDECCAA78B9")); test_hash(&nettle_sha3_384, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("1FB97D6F42480E9F13C934C4A874877A808F1D73314C544D8570C0749F20FA35F53A0C0BDA1F10D1A10A029ABBB50BC7")); test_hash(&nettle_sha3_384, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("86B3C81AA398C8819AFC4F282DFBCE24F4192B2530C267A78373D253C35C1DCC4F40835529563FD42A33FD2CBD680515")); test_hash(&nettle_sha3_384, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("A6BF548AB19FF60D6A8729FA62FDC9B59237843739AFFF877233ED374BCF70A017126974C2D1A3222D8D906BE850A25D")); test_hash(&nettle_sha3_384, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("BA7D3B6AF5966C8C2723B1318820505D040DA810126ABC3E65088DC421E46D3E54DD31777C539AE083B7B8A4E2303836")); test_hash(&nettle_sha3_384, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("48CA5912C111DB667A77BE7C77F841E8B37130248377A19CD2FA3CD2EEC48B337CFE07C290F2690AD49E79CE3A9F9E53")); test_hash(&nettle_sha3_384, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("4B3849B0916DD445B1856E1B908C414C752D280DE2183DD1F0193E73FD1BC02198599502391E8CA48D65E610D6EDCD8E")); test_hash(&nettle_sha3_384, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("02C90820D5FA9A91072991E87BFEEC7F18315F8CA1908EDBF19886C4CA5BD54AB9EC96A6AB7B815B58538F088867030F")); test_hash(&nettle_sha3_384, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("75967501FF781EFC3C9D597179C8CCAEE4373D9BF6AA6A5BED5118303EDC8B7478A47F2CEAF0A6B5B7224E53D5F1CDB3")); test_hash(&nettle_sha3_384, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("298387BA8A3EB88EE36B4206E54193BC5857F2A303CE41DFF7C3BD53EF7EE3D34AE7E0C714311A7BD8D25502CAB414B7")); test_hash(&nettle_sha3_384, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("27CEF65D1AECB7051BAD55DA0D601BC9D7A16D938A5715374A43109DD41B5C27D26C91CB44E4B47002D9B90ABA0584D1")); test_hash(&nettle_sha3_384, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("4AC9BDFD9F717D01598908BA457627D3AF7C8123F7110DD7FDB40E91EE6CAC201A8B728A384E663890847DFD4DE7FA76")); test_hash(&nettle_sha3_384, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("F03FA03E4CF9C23443D7DBDBB66D9ABBAFEFB6500143FF0BFB5D7D6CA2BF1D7CD043A7BA7EFB48F15EBC68D1F94598E7")); test_hash(&nettle_sha3_384, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("9C779D981F9B7E491FF868BE22B37FA9DF72DE55672A0226A821B29C045DF4FF788FA7271D557EF6025EEA255809F241")); test_hash(&nettle_sha3_384, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("2C0BC54A67B00AD703FC595751074C4E447EFDE00CAAF8C8FCADF5768C330B6C7F1918F044F5C5C55810D078534A7BB3")); test_hash(&nettle_sha3_384, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("2DB19CA557723CD3C17E7D8140CA301A5A2CB77E3F1F595F5B850A78943C7F36FC37056DCF2BADB90DDA77BFA969C0AA")); test_hash(&nettle_sha3_384, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("71E5DD0755CF8B82BC79AED6FB61C9E4FF8361C9AFC5AD980808A8BC480E09D59B234074472851080714E0275CE72DC5")); test_hash(&nettle_sha3_384, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("51F951B8F1013BA9BCED90478E248CD89D4DEBC6A19CEB6EF81BA1A5D8D3339D426D50A94C7CE3D143C45DECCEF94965")); test_hash(&nettle_sha3_384, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("210EBC1556E31A27EAF60A5FE3E181135C5EA117E3FF21AF2D04BEAB9A243FFFF632E3D7778F9A6D0304C1ACF3659A3C")); test_hash(&nettle_sha3_384, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("F5F659F6999BAD8CDC77C42901A8D64C1FA827F7848985136140BF5D4B3BBB3D964D2D8156F9FD02B6D382BC8410A88E")); test_hash(&nettle_sha3_384, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("B151BF98C52F63F294A4B1E990C86CB73C4BDD476B25C138CA66B2BA08447540B0A787DFDDAA3D38AF44CA8EBBED74D8")); test_hash(&nettle_sha3_384, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("47D74FDD9A19A5389313610643FA859FF0BD7B583B099FDDB9C980DCC000AFEB639DD99071EA31976DA35B7BC949BD4E")); test_hash(&nettle_sha3_384, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("9B809198DCCE24175E33098331D3A402A821AE9326E72775AAE34D1A9BB53D2B57863905CFD60543BBC42B454007C315")); test_hash(&nettle_sha3_384, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("93C9834501FC728508A15EB9205E678983F3BDB0BA447EE739AE5082DB37F2F2D485088130E0B1CBF0039D18BDF429F7")); test_hash(&nettle_sha3_384, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("C0AD8C3E7EA595104D4BC0A08DCBC85042ED50DD8D9B01AB47C9F066F91AD3BFFEDE4107F1EB1F5B61CA7D4091D68327")); test_hash(&nettle_sha3_384, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("AA8DAA02ABCBC5A4B3003BFF5CBC2C84594C5A0F84BD449A1A56BE59566E13EC6803010D422A4C244B99812F4537C93D")); test_hash(&nettle_sha3_384, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("CAEB4F829A925679416F7CB177ED4C99721B851AB59D52979BFEC6D2AAA1E602F4310B15624F9D7BF2D351DB73BFB5EA")); test_hash(&nettle_sha3_384, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("FC1FC7F19F6C9D0AD1462B24C121C89B01B4E083EDAD02A8DBDEB990D98CAFE0AFE01E2EBA646872CD816B5203EE8A87")); test_hash(&nettle_sha3_384, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("84803E50DEC901FF930C8A76EBC1F98EC72874DEEF0D249020B1DBEB4EA7D8C7DA4761EDE077158460E054A7F71D1994")); test_hash(&nettle_sha3_384, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("05586BCB8077E19F3F43015216D623B1439C49ECDD3C53255553E9133FD1A9008891520D2EEBE5684C546028CA2CDDFE")); test_hash(&nettle_sha3_384, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("A200D8EF3D120B917561EDC8420BDE022B3ACE792925C8FABF25AD9B0FA676D2260ABD8098F383C0F93043D5D3F56C47")); test_hash(&nettle_sha3_384, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("A8905D1E9F4FC96F2D769D31C9A120DE43A0B20115C8D17BF0313206EB9CD87AE41DF2D444C9D75F9366998263D61C07")); test_hash(&nettle_sha3_384, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("88249AF84A7F1E49D144869A3D4FE8AA6E1A4874EE467BC99E9C33E2105AF2D097417D6B78537925392DB2C5CB1E0B92")); test_hash(&nettle_sha3_384, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("C46122D00B61E79DF025A4D525B8A602C7AC004304A993872E3A8AA37FC0E8EAAE5FAD9A220C5C6AFBD5A4783680013A")); test_hash(&nettle_sha3_384, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("ABA0EE3C16D3DC753F6E466C33A998A73282C0DBEAF51324979A58437636886E5521B567C9A62D405EE558FFEBAE91BC")); test_hash(&nettle_sha3_384, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("28B37125F233BA8D527E5284A16E6EFE9AE84D3EBC6EE4C88AEE0AB165C111A32FF2CDCC4213AC3267B0546DC0D74C84")); test_hash(&nettle_sha3_384, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("258988E54D66E0C53B263BA68D9E3AA47D278DF87C51219CCE6F2547281EA6581540E28C1D7E069254791F0D385EA694")); test_hash(&nettle_sha3_384, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("F6A9399B482A3A5EA6FE79A2DB7BAE7E588C9B7DA03DD85C120112FDBC234350529A1F37ABBEBEB770299E141EEA7BA3")); test_hash(&nettle_sha3_384, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("C0F957E52E40F9B8EA945D40779286F7257AD463A934B049DF40C31D3547AEF41AEA2DD981FD2579327229B54EE04E66")); test_hash(&nettle_sha3_384, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("779EECF39311318051BF73C441FB799708912049E28DF3FADDE449E4CD820CC4CA1BD0F8513927D9A64F5D34FAABA039")); test_hash(&nettle_sha3_384, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("3D6495EB3DA4E81D3470A050F416E2C8ABF657A26D4FD64AF35735B5782B611FB798A72FE7A61CE79D0496F69654CC80")); test_hash(&nettle_sha3_384, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("F8188EAFD0E2F9C7F44E70B38DB1FE3E12B1469739CA6A13ED5A8661673A318296FFAF8D37F6FCEC22A2D00EEE2ABEBA")); test_hash(&nettle_sha3_384, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("7D83C3F2265C90FEF4BC6BD0D17A218F0E196489CB2D8455BBEE80AB989FFEA46DE753346EDBD5C88448FEDB0D4AAD4D")); test_hash(&nettle_sha3_384, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("FCC5FCFEF5BA874A317B73C9B1B4CF6877373D41F0B8080A5D4F021E0D67F3B9F8CCAACFD4244FC10BA58B3A470DB48B")); test_hash(&nettle_sha3_384, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("9B336B4C2B530F65C01AF3F0A46CF1B626D5DBF1B2E50F790B9F34CCA367315FDFBF7D9619CDA4DA22E39F9315303816")); test_hash(&nettle_sha3_384, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("CAC442227F10C4935D42C2914043167890C3EE1F4556D38D20767E8402AEC4D70111F2034276E90F28102DE634E26AFD")); test_hash(&nettle_sha3_384, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("05E3FB83EE8D609874D5935283702F29E5E896BB090C48033489295989C45DD2C06F5BD558B6BC786AB1251F75664B06")); test_hash(&nettle_sha3_384, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("6E463C7FB5CF436B1444921AFE76D2FA4E7A23EDFC9D496AF1DC7E78A0173D797EFF80F2BB32CFD34DAF5633C4E6BCD6")); test_hash(&nettle_sha3_384, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("90457E3D33FCE103420056A1C712441E04856B17CF37A4E133841E6D9A944B5EBEF98CB1C1CCD575632CD3B5C177669E")); test_hash(&nettle_sha3_384, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("E5FC73C70028D1B82A9AA976D34F5FC72916839027038E79DF2E29149E861F09A41A8203CE922203F710964B4F5BEC2E")); test_hash(&nettle_sha3_384, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("B0A1BBA912DAA6D80EDC6519B501B629456394D7BDA24D46AFC9FC1D93A0B5962FA4F95214273290D32B3EAEFF6F9DFE")); test_hash(&nettle_sha3_384, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("FCE4637898BA0CBD9D7B636FEBDDC02A435901CBBEF8BF76D3E866D97D55354B71FC12E67A09E793D749316D714FE08C")); test_hash(&nettle_sha3_384, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("2B5471FAE3805852F4CF39541F8A0A3774818F79FE50476E225D89B62E43BE3255E96D19CBC334AEF04192840F075C7D")); test_hash(&nettle_sha3_384, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("D4D3B49878AEC72E2E7FAFB687DA7EFE242CB60ADF5C65C577C444CFC95A2A2EC670000C8A78898A07400E3502D73F27")); test_hash(&nettle_sha3_384, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("FE1C2143F2957819DF9C9DD05D004BE0E557EED8C5A2B7CE457D5856132B1C43EECEC36AD704A930A85485A34C3860FE")); test_hash(&nettle_sha3_384, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("4D1F626688E6899B5FCCD47FAAB45E96C61E169869CABEF40283B2418DFB2888FB80CC9F2C526497C50C5244784F195C")); test_hash(&nettle_sha3_384, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("A063D778B0A2A11D3A9CBA425EE5938FCAA6E2BF1F30A665FA811601444D5749AFA18766DB5F0426C5B8392238B7862E")); test_hash(&nettle_sha3_384, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("470EE6D35157846890A01B3809EB923CC45DFFF2FCA2826F458325466C983B1C64BEA38BCAECA921C90DD00432ECCF89")); test_hash(&nettle_sha3_384, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("A8F0A3C89CF7E56ACC18ACE1638BCF133094FD9F75F05677C3CD0ED3614A593CBCEB09C78C86E350FD07FF4429A6A165")); test_hash(&nettle_sha3_384, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("C8A9A24464F21B133EBE20BA421A81EE34DCEACD5F04DCFB66D219F7F4145633692C572B63007834A406ECFB938A14F6")); test_hash(&nettle_sha3_384, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("91BADA31B57A4BF3D2EB19A34FF921DB10BD6406191486D25D5CA4DE5E00B5E2815DAE741064E5B877AC57511B949F91")); test_hash(&nettle_sha3_384, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("F310E80951C7BB6395CA168AAE7EC42DEFF6C4CD3F5BE9C8B49B85B405F731911AE8267FFEBD543DBDF409EC20A858D2")); test_hash(&nettle_sha3_384, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("CFD05E080994FC6D7AEF2D8C6E44D8A5E90F5A231676E0FAE0D2B8CE162CA9D06712580C99997A7709A06180DD42FB91")); test_hash(&nettle_sha3_384, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("8FA26DD5A54BF94A037A165EC5CE3ED86147A08DCFE3B48818B0C0BEEEFA33B145323B598F761DE2B639D05127F1CF3E")); test_hash(&nettle_sha3_384, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("283FD61D1E50572EF403BF9C554D76D694A54F902C49795D1CF506F0EE263E7BA994F72BDC4732531FA7194257F2DFDA")); test_hash(&nettle_sha3_384, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("128DC611762BE9B135B3739484CFAADCA7481D68514F3DFD6F5D78BB1863AE68130835CDC7061A7ED964B32F1DB75EE1")); } nettle-3.4.1/testsuite/sexp-test.c0000644000175000017500000000610213401564746016200 0ustar nissenisse#include "testutils.h" #include "sexp.h" void test_main(void) { struct sexp_iterator i; uint32_t x; ASSERT(sexp_iterator_first(&i, LDATA(""))); ASSERT(i.type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("()"))); ASSERT(i.type == SEXP_LIST && sexp_iterator_enter_list(&i) && i.type == SEXP_END && sexp_iterator_exit_list(&i) && i.type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("("))); ASSERT(i.type == SEXP_LIST && !sexp_iterator_enter_list(&i)); /* Check integers. */ ASSERT(sexp_iterator_first(&i, LDATA("1:\0" "1:\x11" "2:\x00\x11" "2:\x00\x80" "5:\x00\xaa\xbb\xcc\xdd"))); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x11); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x11); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x80); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0xaabbccdd); ASSERT(sexp_iterator_first(&i, LDATA("3:foo0:[3:bar]12:xxxxxxxxxxxx"))); ASSERT(i.type == SEXP_ATOM && !i.display_length && !i.display && i.atom_length == 3 && MEMEQ(3, "foo", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_ATOM && !i.display_length && !i.display && !i.atom_length && i.atom && sexp_iterator_next(&i) && i.type == SEXP_ATOM && i.display_length == 3 && MEMEQ(3, "bar", i.display) && i.atom_length == 12 && MEMEQ(12, "xxxxxxxxxxxx", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_END); /* Same data, transport encoded. */ { struct tstring *s = tstring_data(LDATA("{Mzpmb28=} {MDo=} {WzM6YmFyXTEyOnh4eHh4eHh4eHh4eA==}")); ASSERT(sexp_transport_iterator_first (&i, s->length, s->data)); ASSERT(i.type == SEXP_ATOM && !i.display_length && !i.display && i.atom_length == 3 && MEMEQ(3, "foo", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_ATOM && !i.display_length && !i.display && !i.atom_length && i.atom && sexp_iterator_next(&i) && i.type == SEXP_ATOM && i.display_length == 3 && MEMEQ(3, "bar", i.display) && i.atom_length == 12 && MEMEQ(12, "xxxxxxxxxxxx", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_END); } { static const char * const keys[2] = { "n", "e" }; struct sexp_iterator v[2]; ASSERT(sexp_iterator_first(&i, LDATA("((1:n2:xx3:foo)0:(1:y)(1:e))"))); ASSERT(sexp_iterator_enter_list(&i) && sexp_iterator_assoc(&i, 2, keys, v)); ASSERT(v[0].type == SEXP_ATOM && !v[0].display_length && !v[0].display && v[0].atom_length == 2 && MEMEQ(2, "xx", v[0].atom) && sexp_iterator_next(&v[0]) && v[0].type == SEXP_ATOM && !v[0].display_length && !v[0].display && v[0].atom_length == 3 && MEMEQ(3, "foo", v[0].atom) && sexp_iterator_next(&v[0]) && v[0].type == SEXP_END); ASSERT(v[1].type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("((1:n))"))); ASSERT(sexp_iterator_enter_list(&i) && !sexp_iterator_assoc(&i, 2, keys, v)); ASSERT(sexp_iterator_first(&i, LDATA("((1:n)(1:n3:foo))"))); ASSERT(sexp_iterator_enter_list(&i) && !sexp_iterator_assoc(&i, 2, keys, v)); } } nettle-3.4.1/testsuite/arctwo-test.c0000644000175000017500000000672413401564746016532 0ustar nissenisse/* arctwo-test.c Copyright (C) 2004 Simon Josefsson Copyright (C) 2004 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "arctwo.h" /* For tests with obscure values of ebk. */ static void test_arctwo(unsigned ekb, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct arctwo_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length); arctwo_set_key_ekb(&ctx, key->length, key->data, ekb); arctwo_encrypt(&ctx, length, data, cleartext->data); ASSERT(MEMEQ(length, data, ciphertext->data)); arctwo_decrypt(&ctx, length, data, data); ASSERT(MEMEQ(length, data, cleartext->data)); free(data); } void test_main(void) { /* Test vectors from Peter Gutmann's paper. */ test_cipher(&nettle_arctwo_gutmann128, SHEX("00000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("1c198a83 8df028b7")); test_cipher(&nettle_arctwo_gutmann128, SHEX("00010203 04050607 08090a0b 0c0d0e0f"), SHEX("00000000 00000000"), SHEX("50dc0162 bd757f31")); /* This one was checked against libmcrypt's RFC2268. */ test_cipher(&nettle_arctwo_gutmann128, SHEX("30000000 00000000 00000000 00000000"), SHEX("10000000 00000000"), SHEX("8fd10389 336bf95e")); /* Test vectors from RFC 2268. */ test_cipher(&nettle_arctwo64, SHEX("ffffffff ffffffff"), SHEX("ffffffff ffffffff"), SHEX("278b27e4 2e2f0d49")); test_cipher(&nettle_arctwo64, SHEX("30000000 00000000"), SHEX("10000000 00000001"), SHEX("30649edf 9be7d2c2")); test_cipher(&nettle_arctwo128, SHEX("88bca90e 90875a7f 0f79c384 627bafb2"), SHEX("00000000 00000000"), SHEX("2269552a b0f85ca6")); /* More obscure tests from RFC 2286 */ test_arctwo(63, SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("ebb773f9 93278eff")); test_arctwo(64, SHEX("88"), SHEX("00000000 00000000"), SHEX("61a8a244 adacccf0")); test_arctwo(64, SHEX("88bca90e 90875a"), SHEX("00000000 00000000"), SHEX("6ccf4308 974c267f")); test_arctwo(64, SHEX("88bca90e 90875a7f 0f79c384 627bafb2"), SHEX("00000000 00000000"), SHEX("1a807d27 2bbe5db1")); test_arctwo(129, SHEX("88bca90e 90875a7f 0f79c384 627bafb2" "16f80a6f 85920584 c42fceb0 be255daf 1e"), SHEX("00000000 00000000"), SHEX("5b78d3a4 3dfff1f1")); } nettle-3.4.1/testsuite/sha224-test.c0000644000175000017500000000306713401564746016233 0ustar nissenisse#include "testutils.h" void test_main(void) { /* From FIPS180-2 addendum (http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf) */ test_hash(&nettle_sha224, SDATA("abc"), SHEX("23097d22 3405d822 8642a477 bda255b3" "2aadbce4 bda0b3f7 e36c9da7")); test_hash(&nettle_sha224, SDATA("abcdbcdecdefdefgefghfghighij" "hijkijkljklmklmnlmnomnopnopq"), SHEX("75388b16 512776cc 5dba5da1 fd890150" "b0c6455c b4f58b19 52522525")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha224, SDATA(""), SHEX("d14a028c2a3a2bc9 476102bb288234c4" "15a2b01f828ea62a c5b3e42f")); test_hash(&nettle_sha224, SDATA("a"), SHEX("abd37534c7d9a2ef b9465de931cd7055" "ffdb8879563ae980 78d6d6d5")); test_hash(&nettle_sha224, SDATA("38"), SHEX("4cfca6da32da6471 98225460722b7ea1" "284f98c4b179e8db ae3f93d5")); test_hash(&nettle_sha224, SDATA("message digest"), SHEX("2cb21c83ae2f004d e7e81c3c7019cbcb" "65b71ab656b22d6d 0c39b8eb")); test_hash(&nettle_sha224, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("45a5f72c39c5cff2 522eb3429799e49e" "5f44b356ef926bcf 390dccc2")); test_hash(&nettle_sha224, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("bff72b4fcb7d75e5 632900ac5f90d219" "e05e97a7bde72e74 0db393d9")); test_hash(&nettle_sha224, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("b50aecbe4e9bb0b5 7bc5f3ae760a8e01" "db24f203fb3cdcd1 3148046e")); } nettle-3.4.1/testsuite/meta-hash-test.c0000644000175000017500000000144013401564746017070 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "nettle-meta.h" /* For NETTLE_MAX_HASH_CONTEXT_SIZE */ #include "sha3.h" const char* hashes[] = { "md2", "md4", "md5", "ripemd160", "sha1", "sha224", "sha256", "sha384", "sha512", "sha3_224", "sha3_256", "sha3_384", "sha3_512", }; void test_main(void) { int i; int count = sizeof(hashes)/sizeof(*hashes); for (i = 0; i < count; i++) { /* make sure we found a matching hash */ ASSERT(nettle_lookup_hash(hashes[i]) != NULL); } for (i = 0; NULL != nettle_hashes[i]; i++) { ASSERT(nettle_hashes[i]->digest_size <= NETTLE_MAX_HASH_DIGEST_SIZE); ASSERT(nettle_hashes[i]->context_size <= NETTLE_MAX_HASH_CONTEXT_SIZE); } ASSERT(i == count); /* we are not missing testing any hashes */ } nettle-3.4.1/testsuite/ecc-add-test.c0000644000175000017500000000400413401564746016500 0ustar nissenisse#include "testutils.h" void test_main (void) { unsigned i; for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *g2 = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *g3 = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (ECC_ADD_JJJ_ITCH(ecc->p.size)); if (ecc->p.bit_size == 255) { mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); /* Zero point has x = 0, y = 1, z = 1 */ mpn_zero (z, 3*ecc->p.size); z[ecc->p.size] = z[2*ecc->p.size] = 1; ecc_a_to_j (ecc, g, ecc->g); ecc_add_ehh (ecc, p, z, z, scratch); test_ecc_mul_h (i, 0, p); ecc_add_eh (ecc, p, z, z, scratch); test_ecc_mul_h (i, 0, p); ecc_add_ehh (ecc, p, g, p, scratch); test_ecc_mul_h (i, 1, p); ecc_add_eh (ecc, p, z, g, scratch); test_ecc_mul_h (i, 1, p); ecc_add_ehh (ecc, g2, g, p, scratch); test_ecc_mul_h (i, 2, g2); ecc_add_eh (ecc, g2, g, g, scratch); test_ecc_mul_h (i, 2, g2); ecc_add_ehh (ecc, g3, g, g2, scratch); test_ecc_mul_h (i, 3, g3); ecc_add_eh (ecc, g3, g2, g, scratch); test_ecc_mul_h (i, 3, g3); ecc_add_ehh (ecc, p, g, g3, scratch); test_ecc_mul_h (i, 4, p); ecc_add_eh (ecc, p, g3, g, scratch); test_ecc_mul_h (i, 4, p); ecc_add_ehh (ecc, p, g2, g2, scratch); test_ecc_mul_h (i, 4, p); free (z); } else { ecc_a_to_j (ecc, g, ecc->g); ecc_dup_jj (ecc, g2, g, scratch); test_ecc_mul_h (i, 2, g2); ecc_add_jjj (ecc, g3, g, g2, scratch); test_ecc_mul_h (i, 3, g3); ecc_add_jjj (ecc, g3, g2, g, scratch); test_ecc_mul_h (i, 3, g3); ecc_add_jjj (ecc, p, g, g3, scratch); test_ecc_mul_h (i, 4, p); ecc_add_jjj (ecc, p, g3, g, scratch); test_ecc_mul_h (i, 4, p); ecc_dup_jj (ecc, p, g2, scratch); test_ecc_mul_h (i, 4, p); } free (g); free (g2); free (g3); free (p); free (scratch); } } nettle-3.4.1/testsuite/sha3-256-test.c0000644000175000017500000030637613401564746016411 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_256.txt using sha3.awk. */ test_hash(&nettle_sha3_256, /* 0 octets */ SHEX(""), SHEX("A7FFC6F8BF1ED76651C14756A061D662F580FF4DE43B49FA82D80A4B80F8434A")); test_hash(&nettle_sha3_256, /* 1 octets */ SHEX("CC"), SHEX("677035391CD3701293D385F037BA32796252BB7CE180B00B582DD9B20AAAD7F0")); test_hash(&nettle_sha3_256, /* 2 octets */ SHEX("41FB"), SHEX("39F31B6E653DFCD9CAED2602FD87F61B6254F581312FB6EEEC4D7148FA2E72AA")); test_hash(&nettle_sha3_256, /* 3 octets */ SHEX("1F877C"), SHEX("BC22345E4BD3F792A341CF18AC0789F1C9C966712A501B19D1B6632CCD408EC5")); test_hash(&nettle_sha3_256, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("C5859BE82560CC8789133F7C834A6EE628E351E504E601E8059A0667FF62C124")); test_hash(&nettle_sha3_256, /* 5 octets */ SHEX("21F134AC57"), SHEX("55BD9224AF4EED0D121149E37FF4D7DD5BE24BD9FBE56E0171E87DB7A6F4E06D")); test_hash(&nettle_sha3_256, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("AE0CBC757D4AB088E172ABFD8746289950F92D38A25295658DBF744B5635AF04")); test_hash(&nettle_sha3_256, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("E340C9A44373EFCC212F3CB66A047AC34C87FF1C58C4A14B16A2BFC34698BB1D")); test_hash(&nettle_sha3_256, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("BA4FB009D57A5CEB85FC64D54E5C55A55854B41CC47AD15294BC41F32165DFBA")); test_hash(&nettle_sha3_256, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("B9886EF905C8BDD272EDA8298865E0769869F1C964460D1AA9D7A0C687707CCD")); test_hash(&nettle_sha3_256, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("FAB8F88D3191E21A725B21C63A02CAD3FA7C450EF8584B94CFA382F393422455")); test_hash(&nettle_sha3_256, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("9363ACD3F48BB91A8998AA0E8DF75C971770A16A71E7D2334409734CD7D0A9EE")); test_hash(&nettle_sha3_256, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("16932F6F65DEAAD5780E25AB410C66B0E4198EBA9F4ED1A25EE24F7879FAEFE2")); test_hash(&nettle_sha3_256, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("1C28100E0EF50671C7EA3E024FA3BA9DA2EBDDB4DE264C3A2426C36AD3F91C61")); test_hash(&nettle_sha3_256, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("8183BE4875FAB7EC5F99ED94F5F900CF1D6B953D8F71E1E7CC008687980E613A")); test_hash(&nettle_sha3_256, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("3B1A6D21FE44691DAC4EB7C593A6D8523CB606E63CF00E94D711A574248DACA5")); test_hash(&nettle_sha3_256, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("2C7E7CB356FDC68EC8927E499D2A6BAE2B781817919C829EBBE8225BAED46967")); test_hash(&nettle_sha3_256, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("C7B12EFF692D842110CC39AC60616707ACB3F9B0F1CB361B94577EFC529CA26C")); test_hash(&nettle_sha3_256, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("493EBAEBC04776F4E067555AFA09B58C850FDF1B0E22D4BF006CE41C091DC762")); test_hash(&nettle_sha3_256, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("1D01F3120ECFBDD28DCE44317666CF864F52391B9ECA3843DB45667C2E0A98AD")); test_hash(&nettle_sha3_256, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("2C1E61E5D45203F27B86F1293A80BAB34192DAF42B8623B12005B2FB1C18ACB1")); test_hash(&nettle_sha3_256, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("AD0E3F29767067E929D1CECD95582DF8F2A9BEB92EAA27EEB315F620365A9244")); test_hash(&nettle_sha3_256, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("2B4EB5DE20E86074CABB55BFA63A5C8C6AE15679302061845B9CF233E17C906B")); test_hash(&nettle_sha3_256, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("6AE04C6C6F3651F1F64C0AD69733990B41747C93F87ACB813BB25BB1FC0EFF07")); test_hash(&nettle_sha3_256, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("40F9F55BC55DA466BC3DC1F89835A64094572DE73D64ED6646A1D3B667BE70A9")); test_hash(&nettle_sha3_256, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("C64BECF7B75FC885D5853924F2B7D37ABCEFD3DA126BB817697E1A09152B1EBE")); test_hash(&nettle_sha3_256, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("57D46A6BC8FAB33601538DAD27F98C66443032CC3912434C28EB88D0AF44C52C")); test_hash(&nettle_sha3_256, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("7C956503D5B4DBB764FF8E66FA74CE0F9132DA90EA3543F669C9DD08E413E33C")); test_hash(&nettle_sha3_256, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("6DE164A9626D5A4F54D854AC158994F35A8E362ECC753F55182790934A2E0D06")); test_hash(&nettle_sha3_256, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("B760312BD1B279FC672479D21C5ED349E5FE96F08940237B4515452721C49A16")); test_hash(&nettle_sha3_256, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("94FC255DE4EF19C0DA4B09B2E2FAC21F20048B46F17C30685ABE40D5C743F375")); test_hash(&nettle_sha3_256, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("39A4A0FFC4603698AE0A4F3D24B1BC42AC7A2D7D923E7A5D602453E82D5323C5")); test_hash(&nettle_sha3_256, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("2F1A5F7159E34EA19CDDC70EBF9B81F1A66DB40615D7EAD3CC1F1B954D82A3AF")); test_hash(&nettle_sha3_256, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("1C57FE0E38CD3A124EAA6CD87F70A079BCCC073A341E8C0EB1976FB3A3F7B774")); test_hash(&nettle_sha3_256, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("A905603B186EF4F2D5B2D1BCFDA504C68ED5EB9B0C7B7EA2A001575F5AA69E68")); test_hash(&nettle_sha3_256, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("FFFD39F7C451788EB0316F429EA0A7C0AC8091657ACA28F1560ED5775E8C4C12")); test_hash(&nettle_sha3_256, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("6F55BECD168E0939BA2FA090257B1727FC66491A44493279A5BEACB9E3435324")); test_hash(&nettle_sha3_256, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("84649BFFCD48527B9288E8DA5F52FBAB2604DC5A91C4B0B87D477DBD7B40B6AE")); test_hash(&nettle_sha3_256, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("D4055B4E3E2AEA1C67CC99FD409D574E53E1E296CF9EEF73C472AB92A6CB6609")); test_hash(&nettle_sha3_256, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("5694CA2F3B9962226A87163AB38325BCDC898A732DFEB2C36DB4EB88616B8741")); test_hash(&nettle_sha3_256, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("8CF287AD03AB4A74086620CFA4CCE74F48FA5CDB15EC02B1F721736A4F849E60")); test_hash(&nettle_sha3_256, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("C5D5AF22A4DF9ACD0C056FA30D8E240B679A20D4D2630260F779FF815CA82D7D")); test_hash(&nettle_sha3_256, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("0AC75279ADFF65660464550A283FECD4E0610D88F35574C3D7AC5D22262A2FE8")); test_hash(&nettle_sha3_256, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("81917AE290DBBA17289A8A67E5C2E8B12D3DDE0EFE9F990198A1763FF4F3DDA7")); test_hash(&nettle_sha3_256, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("138E75E72FDDD927E591315AF8D3ABA280EFA36230A3309A97BCDE5A78C31589")); test_hash(&nettle_sha3_256, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("21BCDAD3FEF3E5B859CB0912A2991EFA661BAD812747292EF0F79A8FCC6B4E98")); test_hash(&nettle_sha3_256, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("8D6FD9C559B0B4948F91337916084C0082A16A0755B0A00811096E973E48B3C8")); test_hash(&nettle_sha3_256, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("1DD23AE7AADD61E712BDD82BD60A70DD9D66C9FD79DBFD8669E3EAABF7901CDC")); test_hash(&nettle_sha3_256, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("34F8607EC10C092C1BA0B6565CE6197062C4E1A35A8E8C723E48A2D2416C3790")); test_hash(&nettle_sha3_256, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("19A8577FC90FAE5D6A6B2E0C1FF155515502CFA1757029C09BEBBFA263D9A363")); test_hash(&nettle_sha3_256, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("9D9DBB4CE7D01D009E72A66051ACC16805E49F598CBE430C5D4C22A881A64B3F")); test_hash(&nettle_sha3_256, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("13F0D951B64481135466CFCCBE52418CC1D03FB16B5B696C35D724F6F55CBB6D")); test_hash(&nettle_sha3_256, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("FB2FE7B00B75C42305CF31DE14D98F904E8C46DC57BB6F94C282CA8C13DC45DB")); test_hash(&nettle_sha3_256, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("D54CBF7D5C80AE11A0D0BAD4E95AB18B5F07C970621F3936447A48EEF818D06E")); test_hash(&nettle_sha3_256, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("FF050A45ADEEF4CFC7D964102BA877C80320A37794893E6865965EC2547CD4C9")); test_hash(&nettle_sha3_256, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("1BC1BCC70F638958DB1006AF37B02EBD8954EC59B3ACBAD12EACEDBC5B21E908")); test_hash(&nettle_sha3_256, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("F7BDE239AD087AA7DABE42CC4D3C49380A026CD239A7FAAF34A2233469A44A4D")); test_hash(&nettle_sha3_256, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("EF845AAC2AAF0A793108204FF380E0A30F2558E7ACDE4531AB22F8EC79E26A69")); test_hash(&nettle_sha3_256, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("26DB514E01E034C678B636D40BA367DA2F37F67078BB576FF2B8559B3517484D")); test_hash(&nettle_sha3_256, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("5DBD4B558463196211465C1FC32401FC2D8E41EBC5E6BADD1D8F7C4F090F728F")); test_hash(&nettle_sha3_256, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("355C79FD6E6FA88ED402B6979FDE1ED805498ABEB101F4231B5D64D1439D552D")); test_hash(&nettle_sha3_256, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("3D9C9BF09D88211C7E0056112D073EE85D00ACAA4DA7A668FA017B3273CD4D4B")); test_hash(&nettle_sha3_256, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("67980D28E2E658E7A24A2593A28167A13D907D06F47729D47CA4FE1772F8B3DF")); test_hash(&nettle_sha3_256, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("A8DF6B76DF41994F7593F1A81967E77EE180E31183D1C4A569DB854E61E99B05")); test_hash(&nettle_sha3_256, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("27A6441EE939B46E2C378D7AFEB0E891C47A28120E488EFF0AB71AF08788CEB3")); test_hash(&nettle_sha3_256, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("C4BB067383002DB44CA773918BB74104B604A583E12B06BE56C270F8B43512F2")); test_hash(&nettle_sha3_256, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("AE773915CA642D80413330C9E0EE9BD06653C0023C5C0277100F3B1526EAA51D")); test_hash(&nettle_sha3_256, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("1CF9D6CE9CB658556B76CD7EBA3E51393699AD500B1AB3F56172748DB7F59667")); test_hash(&nettle_sha3_256, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("8D60E889E2B1020DAD4B523301F5F6BBAB6C781AF276085AF6765546FCFB95AC")); test_hash(&nettle_sha3_256, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("DD4FF4B530552F48AF9A7530A6464819ED1A5B733084F709E41DAF1ACB35ECFD")); test_hash(&nettle_sha3_256, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("7AC8D4BB53FC434DD8712DAEFEB474668F541418E6F617DBA523D8392EB0766E")); test_hash(&nettle_sha3_256, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("F7B0E15A63232A2B800B23B311D357617DDFD1293E1FFE3F772692ADE3427152")); test_hash(&nettle_sha3_256, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("B3D05AF7E8C406A7C2709223791D3F5F4B3129329993220053A36293AC2B0E06")); test_hash(&nettle_sha3_256, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("6C47E2EA4BA29E17792DEFC4B707754C4664BDE15168A5100BF881EC7C02B258")); test_hash(&nettle_sha3_256, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("82A66BED668DCC14AF12C14C976CE650049E9D1D9969B83D1DD3B6F1C07D252B")); test_hash(&nettle_sha3_256, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("2F21D07D7B10683B9AC7A63E9FCC70CF9F887CB905F9BFF5332551288B288524")); test_hash(&nettle_sha3_256, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("80202F01E7140DB4FEE490DCC50AFAFDF6A48CA33D362C7875B8E8DB9C9D0655")); test_hash(&nettle_sha3_256, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("B2330A189047E3117479A2F20B3407A7D119E4AD431FE06FF1FF2A106F2AB3A2")); test_hash(&nettle_sha3_256, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("BB9B9BB685C241F8D63FDBF0DBAABCEF7075ADD7BA405A2FFFE7AD5B23E021C7")); test_hash(&nettle_sha3_256, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("F8316A367AA0316DA3562F319D522E81F4A8BD2E2108D2532126F4A903704BA3")); test_hash(&nettle_sha3_256, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("89E3EBD02B229CD759612A5521D867AB2A1594BC0B1FE6A78B7954CCC84CAF03")); test_hash(&nettle_sha3_256, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("2E7CC875305EA6BB9C2FC770B9D84FD93B96405DF9B93307F6B5DE26E135724C")); test_hash(&nettle_sha3_256, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("ECAB75F28A728429CB433EC13310D1B850CCF522C38D2FA6DFA489963D6D6CA7")); test_hash(&nettle_sha3_256, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("021C9459D1451F3DA4C07C029A8681945C87C5BEBC6C30DA1D95C5C49D8AB95C")); test_hash(&nettle_sha3_256, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("4642E21622F15B09B9413659680116BF2F96CAC2384B8C79F1328D5DD36D7A01")); test_hash(&nettle_sha3_256, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("8DAA47C3572157266AD0276D5926AFF2872F06B0CD7B974A80D7A6827D41D782")); test_hash(&nettle_sha3_256, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("345365232CE9AFC655DCE4BAC23F43C8ACBDF9016D4BC2344BE8D396A4919C34")); test_hash(&nettle_sha3_256, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("F52E102E57293878C28F29DEB47792324FE455A62FA7441AABCC16A9CFC40FFA")); test_hash(&nettle_sha3_256, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("2B89AA88B1B7F9F8EA461C4C5CAE4829125F45F5697DEADB8DB2E964524C0D91")); test_hash(&nettle_sha3_256, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("3F3092365982C0B4278055BEEE9032FF9D1060E03C3B087E1A6197DEFC707E1A")); test_hash(&nettle_sha3_256, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("3C74AAE2F340A24178CBAB51004CBA1AAC3D91133C300715EA82C177269C0556")); test_hash(&nettle_sha3_256, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("0157C4BA44618DED11E9800AFA07A0D5B6C711FC16A576C5EDB71C4CC6894F82")); test_hash(&nettle_sha3_256, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("8D53DBA107AAACB8422D6667F6778839F8965F8E4C8F4A851284CC91168A9030")); test_hash(&nettle_sha3_256, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("5163F02233E332AD9BE32C2346C9FCFE39AFA5FBE9BC1CFEB92F4920155B20EC")); test_hash(&nettle_sha3_256, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("FAAF0E95217CA4B1568751EF2E4CD341D9EC33E16600BF09B92C6F1A6DF84D2E")); test_hash(&nettle_sha3_256, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("B2C175D9D92AAA9EE72672F995B8DFD2DAAF6555A0327A508218A9B447F00BE8")); test_hash(&nettle_sha3_256, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("FB5388122306D37CEE790CAD1D3CDDBA8E9A93D5F9D78288B052482739C883FD")); test_hash(&nettle_sha3_256, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("1C2F8D418FF6718B18DD4C756DCC8ED0F4755E8C22497A6CC19F8D7AE7FD2DA7")); test_hash(&nettle_sha3_256, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("7EA8116E6434C1CAA049069DBBD9B6F0E9DC6CDFD6A889343D3B2652803078FC")); test_hash(&nettle_sha3_256, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("736D888751FAAC4D8E78B45B95ABB15D40D98D8038C7225BE0F523D5439EA5B6")); test_hash(&nettle_sha3_256, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("90E10B1CA8D352794D7DBD7BAE410BEF25F0EC7D080E053F48674237E33EA45F")); test_hash(&nettle_sha3_256, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("8A0A8D6D55CCCBE05EC74DC273B16D66C9B9006665EECB5B6023D2EA39C64554")); test_hash(&nettle_sha3_256, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("122895D63AA6030FC8F23940C528E7A5D9C7FB170A79FE7BC42360CE50E25B7A")); test_hash(&nettle_sha3_256, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("3E04EE539505C52D814CAB3C5CDD7DF2D6EEE627EA44188153EA6B8C8BE5F6C2")); test_hash(&nettle_sha3_256, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("E360B424A5C06704D148352E04F4651F8D3B385C01F24FDA09D266D4ED7FF662")); test_hash(&nettle_sha3_256, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("0D3BECB9E1B4AE1F15C9EE98732B4796E99FD799F76ED7332A68AB36C77A1EF9")); test_hash(&nettle_sha3_256, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("3AADD7E2086D383832489AA3088E903F5C6FA8E38DF2CF876E0B4DCDDCA5C923")); test_hash(&nettle_sha3_256, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("715CED5776A802EB8EE02C9D46543FF46FE7A9CD192FA7D4FFB6E81427FE1B71")); test_hash(&nettle_sha3_256, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("DDE61F8BE25B8B23E1212C1C0B8A85A0D02D8548BB17D377133E3C06DDB58CA2")); test_hash(&nettle_sha3_256, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("059F2BEDF4A6EEFB95FC5C0AE17556CE8BDDC5E1880FAB2F688A03A46BB28C5F")); test_hash(&nettle_sha3_256, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("125B0EE7870A6F7EB4FD965D9E0B90D79FFFBC54A2018F4C68224682F3603F3F")); test_hash(&nettle_sha3_256, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("9A78E0B5A34CBF1716F14CF7B67EFDC4540A75CC646538A11A8EFD9D7CD7529F")); test_hash(&nettle_sha3_256, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("42305A251A8009EDFD62C7D91910B96B9B5DD8FDA5B1326FE41EF6EEF978D1BE")); test_hash(&nettle_sha3_256, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("6B9E8F3E82EA174EBC88A53C5DED06271D38F79E9CEC571A9D195EF549102EB8")); test_hash(&nettle_sha3_256, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("358DE4C1ED30F48B084F961F653FEBC69318F93883612D5A04B9139A14EC702E")); test_hash(&nettle_sha3_256, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("4A7BD18AE10EB9458924AA5CA00D3F634AB9753628107F15FF2BF24CCD3B94F4")); test_hash(&nettle_sha3_256, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("9889E4B3B1294A01556FA9DE6A6A508A9A763D5133FDCD4937B6BB23CA3E1901")); test_hash(&nettle_sha3_256, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("3D02B41985BDD1835CB474FB364C25C2CCA9DA0ED2FBBAB75524B410903815B9")); test_hash(&nettle_sha3_256, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("1CD92039BE4580C686796D5900EED431EBAD6EA566E9244E76BA6873EFCB49AB")); test_hash(&nettle_sha3_256, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("680C70B243163BE6E58ED3B8E2D85E6894E5E89501C444C8C0A2D776ACAD8599")); test_hash(&nettle_sha3_256, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("D65E823D2CE4EFFB9B27DBBF6EFCDA738AD152FBB12D2108D2EC6D050A3FB295")); test_hash(&nettle_sha3_256, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("CE6D2DD8D5441FC15B888FED72061E129125431BEDEA32E00EE0A7655C06C358")); test_hash(&nettle_sha3_256, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("280713C0FA7160289FBFEE5AA580AD82512839153DAE47DE0D154384A4D8B3ED")); test_hash(&nettle_sha3_256, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("721FD872696F21DEAA9595C0CEE7BC07249601927C96A65826B4887CDBA1AE96")); test_hash(&nettle_sha3_256, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("B53AF8620B39CAD2D698A176A070AEAA9FB67BD0335C3485A3B6C73A71DC5C5C")); test_hash(&nettle_sha3_256, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("78A18BF0A52E6F77F15F7FFE4CA3C999E57E1C3F6BF10950581F403450EDB797")); test_hash(&nettle_sha3_256, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("A7F0151EEE6B21FE827E69256D560E1EA8D939B80962FC7FA8610AC189402AD2")); test_hash(&nettle_sha3_256, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("0A09C4B18F5117F0E45D43E235BB14E55B162E99EB3744165196D04A854229F9")); test_hash(&nettle_sha3_256, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("B7D031AA69B7B4D26A35B896D761314F1D61EB12DCC1E72AAF61B9CD48003AF9")); test_hash(&nettle_sha3_256, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("EC0858C9D017A2D3727CAADE7E4872684F17B822CAFECDA445A15CF30FAC8CF0")); test_hash(&nettle_sha3_256, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("71E1D610B576063F2B12F691220BEADF506BEC0A3A086BBE5864FB54F93DB556")); test_hash(&nettle_sha3_256, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("72A8A7493309080ACCCA2A2A21D641F2B9685B7362BE496DC7BC330659F8CFE1")); test_hash(&nettle_sha3_256, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("AF19E988D37E2577DA4F43463789B73625D354FCCCBD10CD2C61FBDC8BB01827")); test_hash(&nettle_sha3_256, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("F1E9B9CEF2B37E4EC3A0FCD5EFF5BF7E3D49100AEBF018DC92FB6A40E4297704")); test_hash(&nettle_sha3_256, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("DD3EBE0CCA0CAD3AF72AF73FB49D40DBDCC4B1F1FF465CCAEFE672F77992ACA0")); test_hash(&nettle_sha3_256, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("A19EEE92BB2097B64E823D597798AA18BE9B7C736B8059ABFD6779AC35AC81B5")); test_hash(&nettle_sha3_256, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("DF673F4105379FF6B755EEAB20CEB0DC77B5286364FE16C59CC8A907AFF07732")); test_hash(&nettle_sha3_256, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("D52432CF3B6B4B949AA848E058DCD62D735E0177279222E7AC0AF8504762FAA0")); test_hash(&nettle_sha3_256, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("07E65754D62E01B9A049D15DEC0D09C02F479CA2AEB4B18E37070B20F85A1B26")); test_hash(&nettle_sha3_256, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("17A461B8EE507ABCFED51A50EF14891309FE402C569D94394CA7A3031BEFCD50")); test_hash(&nettle_sha3_256, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("A03C6B5B51AE4AA00912AF1CFB6C7B960EF58036156497CC567B1369149A5949")); test_hash(&nettle_sha3_256, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("14C69C5EABDEFC9E3A1461A379EC92C32BC6B69071029CB3655159DB1A5251A7")); test_hash(&nettle_sha3_256, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("3CBE06887C8AE360E957EB08CA577834C457FADF418D0CB73967FA827A22A4D7")); test_hash(&nettle_sha3_256, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("E58A947E98D6DD7E932D2FE02D9992E6118C0C2C606BDCDA06E7943D2C95E0E5")); test_hash(&nettle_sha3_256, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("A936FB9AF87FB67857B3EAD5C76226AD84DA47678F3C2FFE5A39FDB5F7E63FFB")); test_hash(&nettle_sha3_256, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("3A654B88F88086C2751EDAE6D39248143CF6235C6B0B7969342C45A35194B67E")); test_hash(&nettle_sha3_256, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("19A3CB3E8551F08FBBA5DB614E268F63D1F6A0C3689BBE973D59D35BB4F455D0")); test_hash(&nettle_sha3_256, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("CA8CFB13973FF8597D6AAA806BD32E82F4EA68BAC3FB543F26687DE4B9CBE8BD")); test_hash(&nettle_sha3_256, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("9AE670FA85AB5C6B3BC76797CF24CD385110708137B6F8EFD8D1A21C39881C18")); test_hash(&nettle_sha3_256, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("E32DF6218BA75FD4788A7E5727A7D68C5829C49346683FC213E433AF3DBA5AB5")); test_hash(&nettle_sha3_256, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("028173E3C6C392E5D13AF748F3788D43449BC5DD5953124EA5EDF3930275F665")); test_hash(&nettle_sha3_256, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("97450FC46F2E5DF8F81623B1CCA43FA50F51EA735E4421D7DFF66314D8E211BC")); test_hash(&nettle_sha3_256, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("AB4E5A70390577F8AE260D53CB0E70914F8B9398ABAA841F7807F1476046C64F")); test_hash(&nettle_sha3_256, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("8118F2C157DF1250DB43B31183F442F89B322E496918838C5B668F9647AC6D6B")); test_hash(&nettle_sha3_256, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("736E30ACCC5559188412C797A1A5BE61D1F90F149401F631597944155A85FAF7")); test_hash(&nettle_sha3_256, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("9599DEECCC698A24A461A7419E91939C741613F4CE887DBA89DC7E327C51F5BF")); test_hash(&nettle_sha3_256, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("BE0D871606A4C129CEF616F438600D5CBC0E9F49D2ADC8A86571C192361C3F4F")); test_hash(&nettle_sha3_256, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("4D30600C60ED94A0D2BCC17571A19BD0170CDACAC78D0421E0BBAE2A36A48B6D")); test_hash(&nettle_sha3_256, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("3BD6FB72764F7AD4391B7B40AEA424ABD5F5561AC56F9E072C753D6090FA4BFB")); test_hash(&nettle_sha3_256, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("6689BB25BAEE0C582F8F1B0C87073BE366644DA859313BECF446435D2F6E899E")); test_hash(&nettle_sha3_256, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("2628DDC7758208AA9F1E49497224EB268C6D2BCDAAB4820DE9C16A65C6F6017A")); test_hash(&nettle_sha3_256, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("DF448936EE72D9FE6CCFB37D183AAFDDC7908E016271AFA81EC083A10A144F5D")); test_hash(&nettle_sha3_256, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("2BB4CEC22A4FECD83FBBBAD1E3835343E36C6CB66C26964A432EC4C70F3E17B4")); test_hash(&nettle_sha3_256, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("1462F2EA1C3580C0A2E8C0B30C27A608D82CD707F6D1A0AAD5CC7C3D1B8D6C30")); test_hash(&nettle_sha3_256, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("617B412ED64F56D6DB36B7E52EAD618D95A091D65052C3F376A532D8BBDAF7C7")); test_hash(&nettle_sha3_256, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("82C541EA5CB15D1A4125F536825938C2358EEC2BDDC5D1CC4042DE3AF036CA55")); test_hash(&nettle_sha3_256, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("684BB7932433218C616F0590B039CEFAC972828470647D1591CEAC889C893272")); test_hash(&nettle_sha3_256, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("508B2AF376BA6467CF982C767C848D2BDA8D068A53416F074A0C98C473D02F6B")); test_hash(&nettle_sha3_256, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("55E228BCBDA7061642D004373D4E6407B72A37381D1BEFFCBFBF9F5F6EA093EA")); test_hash(&nettle_sha3_256, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("0523C09BBCFFE418D3FCD22C6ABF95ABFB38F94CE5562B8BFCD2EEA9FB729041")); test_hash(&nettle_sha3_256, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("DCBC258241ADED3799996C2AD6ED0E3D74CFCC67749D3480B2A9A78E5F8AFF82")); test_hash(&nettle_sha3_256, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("CBE8318E7B2FE72BFCD2530CCCECEA4018B1587F483B73F50CE5E84CED65E093")); test_hash(&nettle_sha3_256, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("8CEA2960087048E6E6D47E31554F305FCC81E03E90BA8F8332DD86C6B6B38E03")); test_hash(&nettle_sha3_256, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("44E276991E5382BD7EB5ADCF1F79362804D346BEDFC6916F4DCA4B57240E9C99")); test_hash(&nettle_sha3_256, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("80891A086AF385025068799F192411C689CC4E0D9A59F3F41DBB02A343F1A759")); test_hash(&nettle_sha3_256, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("77DDF034B7DFD6B292AA3B0C1E552F47B1D8C23078042CC58BB3DD4720B9EE4D")); test_hash(&nettle_sha3_256, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("23D2688D867A18040E82F7876ACF04DC3A9C0140FEDD93EBE7ADF920B2F83DA4")); test_hash(&nettle_sha3_256, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("2DF666FC5D4EAD1C3B10B9F8D4BB81AEA4F93D3873D5CE5CFBAC4B69435E1B7C")); test_hash(&nettle_sha3_256, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("AF0C5474528032E2629B8FBB0E34405F7F251D41E73B5667BE3C07CCB2C1C953")); test_hash(&nettle_sha3_256, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("9BBEF7A75391354A388AAA7CA035DC62D3231B80091BB7748F76E52D8E9F20F0")); test_hash(&nettle_sha3_256, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("B108457A6BD331BE43C9FE1E2A02E8C744C2BCC927A9C3C486F110DCCF907F6B")); test_hash(&nettle_sha3_256, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("A61109838DFA5B146DF4E6C3BDBC7A477BE36B6228EBD91025012AF4CC0EB409")); test_hash(&nettle_sha3_256, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("4F0F30C890B0AB404961158573538FE9A2B234B94A0991F26D5EA04FDDC9C565")); test_hash(&nettle_sha3_256, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("85459CFB0289599CDD67C473A0BA6DA616C608E367F58C50A03562424DCF1D06")); test_hash(&nettle_sha3_256, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("5539D2E52A5A1BB3C246B0158356E2B2782FC13C10248937A0C4A40B091F6247")); test_hash(&nettle_sha3_256, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("6D63419207B99D4DB1ADD795D852A8DAAC11B789AF0C7D6353036CB23F6428B4")); test_hash(&nettle_sha3_256, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("D2090DAE0FC201B2B9C03DD482A8EB1FFD3CF70C55F98D6F39A41B8BDAC27A17")); test_hash(&nettle_sha3_256, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("C9E8F96BA75EAF371DCA35DC69138ECA8CB3F2823F3BE551D9DC8AA6A4ED4169")); test_hash(&nettle_sha3_256, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("233B0BC28143C32A668B0AB5D76BE5712C0387056FB0E79F2C2F7F1C31E4A86A")); test_hash(&nettle_sha3_256, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("B79B5F8182D3FB4ABAB63E7CB26A8E0865AE8D79BD4C514AD8917D5ECB7FED8F")); test_hash(&nettle_sha3_256, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("F680198DE2943D20E9D809FD8312D674C9A250DA22BA6E920E408F6F2C0E0739")); test_hash(&nettle_sha3_256, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("A190DD73556086EA70BC31022D6A4F95D89DC099E2030C19311CC8988281278F")); test_hash(&nettle_sha3_256, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("21166064C52B588C1EC7EA6DF1905A2B59BAD499B470F308A26B6E354DDFE58F")); test_hash(&nettle_sha3_256, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("051E19906464EC7FDC3D37EE3BCEF63438EC5EDBEA5AA202A24B7F7190B689E0")); test_hash(&nettle_sha3_256, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("18FE66C0CD095C9CC811F5410B5CFDC1B152AE3CAB0C3328974E7D4BBEB40053")); test_hash(&nettle_sha3_256, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("BDB42638921199D604294B5578CEBACCDF132E1D7AF7675B7768E50553FCB604")); test_hash(&nettle_sha3_256, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("CBD88209B530018A856C5C2321D7E485511CA1513661F1FDE1FA06F4603DE117")); test_hash(&nettle_sha3_256, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("F0C4C1374F33A91DC657F8A3FA51763CBD0FBA1CAFDD2C595ED302AAB1AB75A9")); test_hash(&nettle_sha3_256, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("F2157C165EEBDFD04451E9E6CF0B112BB148EB9C40E8B2427EE8EA57E60D5DD6")); test_hash(&nettle_sha3_256, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("0836ABBF77EF78E162DE8FB664B9996D5A03919B741EB4A3F02E7B97826569FA")); test_hash(&nettle_sha3_256, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("84970C79316E89B70E2B186A69DB1A4C3E33C7A376B45C1B79BD346DD33EF4CE")); test_hash(&nettle_sha3_256, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("06ED2EBC419D053949E88CC9C040B1EBCE74375AD0CE09C0CD4D562C62F8497D")); test_hash(&nettle_sha3_256, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("CF9060AF3E4ED47316ACF51E5B92123CDC4827BD4AEF991588DCD8078B9EEA40")); test_hash(&nettle_sha3_256, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("63E407300F99FF2360F02AAE0ADA35F6C1A90AED2C63282B23A7990BAE307254")); test_hash(&nettle_sha3_256, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("427741570D5E21590E5045A8450216365BA95C2E72455A3DBD694F13155DE1B7")); test_hash(&nettle_sha3_256, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("B5E60A019E8414D470AE702738BC358F1C80BB6FF7BDE4F2DBB56C299C764B16")); test_hash(&nettle_sha3_256, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("C986BDAE9B13FBC92793619E4970ABC33398F2B5A57A6CBB40A622592E2695DF")); test_hash(&nettle_sha3_256, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("224C7FC8A0EC3895E8969CE7C7F7ECAA54FE2EEC9AB3120726106F22AA297541")); test_hash(&nettle_sha3_256, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("FAF5E3B7A64629FFEEE07A67ED77A3A4F67F18C9381FE9B19F6EE601F5FB99AF")); test_hash(&nettle_sha3_256, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("A8A98E6B3A005FCB319FEE58C5457D04B69D59F53873F6FCC6065D68F880833F")); test_hash(&nettle_sha3_256, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("C89F2B346127EAB9E28095DC44918C1A1AAEAE04861C1DD0144A1EE07F823C18")); test_hash(&nettle_sha3_256, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("E7A81ACBEF35D7B24B706549B41ABD82628CCFF9ACF41F2C8ADD28743688AE01")); test_hash(&nettle_sha3_256, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("D81249143A69EA1C9DC168B55FFE06D46D0FBC007065110353D76C6CCE4FFE66")); test_hash(&nettle_sha3_256, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("AA8BBD4812142211212763BF8EE4D6E0AADAFE5E528AEA1FB1BE118806E49F66")); test_hash(&nettle_sha3_256, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("4089B181DF5ECA5F14DAB1057AAAEECABA15F200FDDA0DE49357D6196FAAB44B")); test_hash(&nettle_sha3_256, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("DEBF59BB233D05549853804FC67840821BD5802F87FC8A915B710D3E82070950")); test_hash(&nettle_sha3_256, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("0FDBA1C79F55F233A1217F522D6C81F777F330FADB565E1171F39E1788913342")); test_hash(&nettle_sha3_256, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("ED45A06E95A6539270B02290D71005F01C55BA077414C3BCDB379537E6DBEFC9")); test_hash(&nettle_sha3_256, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("37E7CF6A9A31B0982B2479432B7838657741B0EE79ADDA1B287550EB325C78CC")); test_hash(&nettle_sha3_256, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("373704F641FAF2B918E22E9142ABF6B4AC71B6883AC4D7A075F626E947837D3F")); test_hash(&nettle_sha3_256, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("EE5994B3D32BDAE58E72566FC24B886461217FDD7273E1608F0B2926B7923546")); test_hash(&nettle_sha3_256, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("6A584F9F4ACD8FC8E15DACD326291FE9311C20987225C51CF4251E52B47FA223")); test_hash(&nettle_sha3_256, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("4F92839CDDB0DF31D16A0DB53BBE07698A7C1912D5590D21155D45DB1B48CAB4")); test_hash(&nettle_sha3_256, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("EAFD661F343AE834C621E074AC6903A2E3E6324F365B3432DFFA732F477AC129")); test_hash(&nettle_sha3_256, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("3DCEC669C5D0176B1BDC002728D242C587DDA03B3ABFA6074523D3FAEF4820BE")); test_hash(&nettle_sha3_256, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("4BDF731BBB3D0E2AB0EB3D972123A7A0A085E8A98AC6AF8ADBD335B37275DDFF")); test_hash(&nettle_sha3_256, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("47F904FEEA607225CAB2E3C52748878964BFEDCFE068727DE610F63421367BCF")); test_hash(&nettle_sha3_256, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("324937607D9F16AF815701749F0377B3281AF9C5BB565D6F2B9611532B6BF044")); test_hash(&nettle_sha3_256, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("B984C2D6B6FDC28574AAD551FC16B68F85BF6CC480A15C128AE5616561D46721")); test_hash(&nettle_sha3_256, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("91A5B9FC2DCC5FAEDA57D2E7A41E922DC32D572AEBDF6D54CB8C3AE4245E8565")); test_hash(&nettle_sha3_256, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("97DCA1050A465B60E91EBE26E29ADB5A286A0582EEE2E89B8B901954293F6146")); test_hash(&nettle_sha3_256, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("6D033D85DAED3366D5F7D5E4F03B3D05B65778EEEA074B0C683CFFCD6F51D5BD")); test_hash(&nettle_sha3_256, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("01EBBB73410EEBAC665C3B40063D001F43DBE9D1722EB323FE08763D7FF0616C")); test_hash(&nettle_sha3_256, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("8D3A49CB572AB99C9BF0231366BB017C9ADF25479D35443A971E45787E738CE5")); test_hash(&nettle_sha3_256, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("FBB5A0AB1A3B4C4FA56ADB1C9531EB9979C554903053013C20FEFD3F57B5CCDB")); test_hash(&nettle_sha3_256, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("6B3DCC7AC6A5CB85B67FC71B4055D3798134DEEF26FD3EB03A042E0DAA35CC85")); test_hash(&nettle_sha3_256, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("5D1DBA8F1584AC3F36B3AC925EC13AC284013B9664965AB6265B942466B5D8EC")); test_hash(&nettle_sha3_256, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("89C6C86DB0A889AA67D8CB085F9F4312645972D977C5B952D9F6243D7D3BE4D5")); test_hash(&nettle_sha3_256, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("AC02432A5541C26238C6F99FADB2B23B5FFCAD8F04BD4C3B9A6620CAB1266E6B")); test_hash(&nettle_sha3_256, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("F55AA01DEAB12148E35759DB818F1059351165E9E6F93D342F0ABFCA102E0801")); test_hash(&nettle_sha3_256, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("7C0BDA7CB42DADBD037F50A5F27E3AB5DA258D4670F1BEA90154C87C98136BA1")); test_hash(&nettle_sha3_256, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("F60C53BA2132293B881F0513E7AB47FE9746ED4A6AC9CADE61E6D802D5872372")); test_hash(&nettle_sha3_256, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("1C66B9A7C50ED77D179A0C437D5890C9835A13F90A73A01332AB0731A41A115E")); test_hash(&nettle_sha3_256, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("48A00BA224AC5558F41A79F52137DB9182A93F1045D43789E5913D7BE40408C2")); test_hash(&nettle_sha3_256, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("240A85EAF7F3016C192AD5E17E5F93B643FE3EDBA719F423693A34DA3784827A")); test_hash(&nettle_sha3_256, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("2AA9D0A1D9B9B691B4B8641E68D454D2D9C34CE43A5B55DD57590716B8A46CF7")); test_hash(&nettle_sha3_256, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("58C469E1A76835CC1A897B885B1B2A33B0AABCE4CFBB65523D2E0D08D6D1A413")); test_hash(&nettle_sha3_256, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("6C8DF81B1E1ED70A5413368018DB9628B0E0B4563423C051A54D000AADDE0C06")); test_hash(&nettle_sha3_256, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("108FFF41D5BCF654071B4414E666FDEBBE878C309D6DDC90AFAF5C61DF8559F0")); test_hash(&nettle_sha3_256, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("751EAAAFA4AEC8ACD26606D6439C55B5C66EC7DB807579EDC68994B300F7A077")); test_hash(&nettle_sha3_256, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("90C2D5F8E26B0BDDEA719064BB02A6242F2CC5A42936B14FE17F861B47B7E186")); test_hash(&nettle_sha3_256, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("3298A95CFE59B9D6CAB99C36DC1324194C09F97F08944A02D9574BBCA3186B41")); test_hash(&nettle_sha3_256, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("1C4172928CB10E16AB3CDB33F815103B000A6C7D62376CAD29AF03F4B2B0E103")); test_hash(&nettle_sha3_256, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("F5CFB4DF3F7C5A778F38A3B43B26479A0E8A49030C59AC19FB0CFA806081CA4A")); test_hash(&nettle_sha3_256, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("06AB8FDBE4DCE935E42003C17FF60BA236F43A843995B7FEF3A29DFE0C82F1D4")); test_hash(&nettle_sha3_256, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("C11F3522A8FB7B3532D80B6D40023A92B489ADDAD93BF5D64B23F35E9663521C")); } nettle-3.4.1/testsuite/dlopen-test.c0000644000175000017500000000130313401564746016500 0ustar nissenisse#include "testutils.h" #include "version.h" #if HAVE_DLFCN_H #include #endif int main (int argc UNUSED, char **argv UNUSED) { #if HAVE_LIBDL void *handle = dlopen ("../libnettle.so", RTLD_NOW); int (*get_version)(void); if (!handle) { fprintf (stderr, "dlopen failed: %s\n", dlerror()); FAIL (); } get_version = (int(*)(void)) dlsym (handle, "nettle_version_minor"); if (!get_version) { fprintf (stderr, "dlsym failed: %s\n", dlerror()); FAIL (); } if (get_version() != NETTLE_VERSION_MINOR) { fprintf (stderr, "unexpected nettle version\n"); FAIL (); } dlclose (handle); return EXIT_SUCCESS; #else SKIP(); #endif } nettle-3.4.1/testsuite/eax-test.c0000644000175000017500000000603713401564746016005 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" void test_main(void) { /* From the EAX specification, http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf */ test_aead(&nettle_eax_aes128, NULL, SHEX("233952DEE4D5ED5F9B9C6D6FF80FF478"), /* key */ SHEX("6BFB914FD07EAE6B"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("62EC67F9C3A4A407FCB2A8C49031A8B3"), /* nonce */ SHEX("E037830E8389F27B025A2D6527E79D01")); /* tag */ test_aead(&nettle_eax_aes128, NULL, SHEX("91945D3F4DCBEE0BF45EF52255F095A4"), SHEX("FA3BFD4806EB53FA"), SHEX("F7FB"), SHEX("19DD"), SHEX("BECAF043B0A23D843194BA972C66DEBD"), SHEX("5C4C9331049D0BDAB0277408F67967E5")); test_aead(&nettle_eax_aes128, NULL, SHEX("01F74AD64077F2E704C0F60ADA3DD523"), SHEX("234A3463C1264AC6"), SHEX("1A47CB4933"), SHEX("D851D5BAE0"), SHEX("70C3DB4F0D26368400A10ED05D2BFF5E"), SHEX("3A59F238A23E39199DC9266626C40F80")); test_aead(&nettle_eax_aes128, NULL, SHEX("D07CF6CBB7F313BDDE66B727AFD3C5E8"), SHEX("33CCE2EABFF5A79D"), SHEX("481C9E39B1"), SHEX("632A9D131A"), SHEX("8408DFFF3C1A2B1292DC199E46B7D617"), SHEX("D4C168A4225D8E1FF755939974A7BEDE")); test_aead(&nettle_eax_aes128, NULL, SHEX("35B6D0580005BBC12B0587124557D2C2"), SHEX("AEB96EAEBE2970E9"), SHEX("40D0C07DA5E4"), SHEX("071DFE16C675"), SHEX("FDB6B06676EEDC5C61D74276E1F8E816"), SHEX("CB0677E536F73AFE6A14B74EE49844DD")); test_aead(&nettle_eax_aes128, NULL, SHEX("BD8E6E11475E60B268784C38C62FEB22"), SHEX("D4482D1CA78DCE0F"), SHEX("4DE3B35C3FC039245BD1FB7D"), SHEX("835BB4F15D743E350E728414"), SHEX("6EAC5C93072D8E8513F750935E46DA1B"), SHEX("ABB8644FD6CCB86947C5E10590210A4F")); test_aead(&nettle_eax_aes128, NULL, SHEX("7C77D6E813BED5AC98BAA417477A2E7D"), SHEX("65D2017990D62528"), SHEX("8B0A79306C9CE7ED99DAE4F87F8DD61636"), SHEX("02083E3979DA014812F59F11D52630DA30"), SHEX("1A8C98DCD73D38393B2BF1569DEEFC19"), SHEX("137327D10649B0AA6E1C181DB617D7F2")); test_aead(&nettle_eax_aes128, NULL, SHEX("5FFF20CAFAB119CA2FC73549E20F5B0D"), SHEX("54B9F04E6A09189A"), SHEX("1BDA122BCE8A8DBAF1877D962B8592DD2D56"), SHEX("2EC47B2C4954A489AFC7BA4897EDCDAE8CC3"), SHEX("DDE59B97D722156D4D9AFF2BC7559826"), SHEX("3B60450599BD02C96382902AEF7F832A")); test_aead(&nettle_eax_aes128, NULL, SHEX("A4A4782BCFFD3EC5E7EF6D8C34A56123"), SHEX("899A175897561D7E"), SHEX("6CF36720872B8513F6EAB1A8A44438D5EF11"), SHEX("0DE18FD0FDD91E7AF19F1D8EE8733938B1E8"), SHEX("B781FCF2F75FA5A8DE97A9CA48E522EC"), SHEX("E7F6D2231618102FDB7FE55FF1991700")); test_aead(&nettle_eax_aes128, NULL, SHEX("8395FCF1E95BEBD697BD010BC766AAC3"), SHEX("126735FCC320D25A"), SHEX("CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7"), SHEX("CB8920F87A6C75CFF39627B56E3ED197C552D295A7"), SHEX("22E7ADD93CFC6393C57EC0B3C17D6B44"), SHEX("CFC46AFC253B4652B1AF3795B124AB6E")); } nettle-3.4.1/testsuite/rsa-sec-decrypt-test.c0000644000175000017500000000774413401564746020243 0ustar nissenisse#include "testutils.h" #include "rsa.h" #include "knuth-lfib.h" #if HAVE_VALGRIND_MEMCHECK_H # include #define MARK_MPZ_LIMBS_UNDEFINED(parm) \ VALGRIND_MAKE_MEM_UNDEFINED (mpz_limbs_read (parm), \ mpz_size (parm) * sizeof (mp_limb_t)) #define MARK_MPZ_LIMBS_DEFINED(parm) \ VALGRIND_MAKE_MEM_DEFINED (mpz_limbs_read (parm), \ mpz_size (parm) * sizeof (mp_limb_t)) static int rsa_decrypt_for_test(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish) { int ret; /* Makes valgrind trigger on any branches depending on the input data. Except that (i) we have to allow rsa_sec_compute_root_tr to check that p and q are odd, (ii) mpn_sec_div_r may leak information about the most significant bits of p and q, due to normalization check and table lookup in invert_limb, and (iii) mpn_sec_powm may leak information about the least significant bits of p and q, due to table lookup in binvert_limb. */ VALGRIND_MAKE_MEM_UNDEFINED (message, length); MARK_MPZ_LIMBS_UNDEFINED(gibberish); MARK_MPZ_LIMBS_UNDEFINED(key->a); MARK_MPZ_LIMBS_UNDEFINED(key->b); MARK_MPZ_LIMBS_UNDEFINED(key->c); VALGRIND_MAKE_MEM_UNDEFINED(mpz_limbs_read (key->p) + 1, (mpz_size (key->p) - 3) * sizeof(mp_limb_t)); VALGRIND_MAKE_MEM_UNDEFINED(mpz_limbs_read (key->q) + 1, (mpz_size (key->q) - 3) * sizeof(mp_limb_t)); ret = rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish); VALGRIND_MAKE_MEM_DEFINED (message, length); VALGRIND_MAKE_MEM_DEFINED (&ret, sizeof(ret)); MARK_MPZ_LIMBS_DEFINED(gibberish); MARK_MPZ_LIMBS_DEFINED(key->a); MARK_MPZ_LIMBS_DEFINED(key->b); MARK_MPZ_LIMBS_DEFINED(key->c); MARK_MPZ_LIMBS_DEFINED(key->p); MARK_MPZ_LIMBS_DEFINED(key->q); return ret; } #else #define rsa_decrypt_for_test rsa_sec_decrypt #endif #define PAYLOAD_SIZE 50 void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx random_ctx; uint8_t plaintext[PAYLOAD_SIZE]; uint8_t decrypted[PAYLOAD_SIZE]; uint8_t verifybad[PAYLOAD_SIZE]; unsigned n_size = 1024; mpz_t gibberish; mpz_t garbage; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init(gibberish); mpz_init(garbage); knuth_lfib_init (&random_ctx, 19); memset(verifybad, 'A', PAYLOAD_SIZE); for (size_t size = 1; size < 51; size++) { ASSERT (rsa_generate_keypair(&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, NULL, NULL, n_size, 17)); /* the next key will be 19 bits larger */ n_size += 19; knuth_lfib_random (&random_ctx, PAYLOAD_SIZE, plaintext); ASSERT(rsa_encrypt(&pub, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, plaintext, gibberish)); /* good decryption */ ASSERT (rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, decrypted, gibberish) == 1); ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted)); /* bad one */ memcpy(decrypted, verifybad, PAYLOAD_SIZE); nettle_mpz_random_size(garbage, &random_ctx, (nettle_random_func *) knuth_lfib_random, mpz_sizeinbase(gibberish, 2)); ASSERT (rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, decrypted, garbage) == 0); ASSERT (MEMEQ (PAYLOAD_SIZE, verifybad, decrypted)); } rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); mpz_clear(garbage); } nettle-3.4.1/testsuite/rsa-sign-tr-test.c0000644000175000017500000001410213401564746017366 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #define MSG1 "None so blind as those who will not see" #define MSG2 "Fortune knocks once at every man's door" static void test_rsa_sign_tr(struct rsa_public_key *pub, struct rsa_private_key *key, unsigned di_length, const uint8_t *di, mpz_t expected) { mpz_t signature; struct knuth_lfib_ctx lfib; knuth_lfib_init(&lfib, 1111); mpz_init(signature); mpz_set_ui (signature, 17); /* Try bad private key */ mpz_add_ui(key->p, key->p, 2); ASSERT(!rsa_pkcs1_sign_tr(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, di_length, di, signature)); mpz_sub_ui(key->p, key->p, 2); ASSERT(!mpz_cmp_ui(signature, 17)); /* Try the good private key */ ASSERT(rsa_pkcs1_sign_tr(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, di_length, di, signature)); if (verbose) { fprintf(stderr, "rsa-pkcs1-tr signature: "); mpz_out_str(stderr, 16, signature); fprintf(stderr, "\nrsa-pkcs1-tr expected: "); mpz_out_str(stderr, 16, expected); fprintf(stderr, "\n"); } ASSERT (mpz_cmp(signature, expected) == 0); /* Try bad data */ ASSERT (!rsa_pkcs1_verify(pub, 16, (void*)"The magick words", signature)); /* Try correct data */ ASSERT (rsa_pkcs1_verify(pub, di_length, di, signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!rsa_pkcs1_verify(pub, di_length, di, signature)); mpz_clear(signature); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test signatures */ mpz_set_str(expected, "23bd361a622bc35450a30ae332d8dad050c6bad5cae0b61c5bee29" "db876d7fe098472fc7933f2cc1121c0fc8a414c71a98189c66077b" "fe3d58d08dc242bbcfdf2c905b91de0e479a8b4b159a45fe1789db" "abdaf88aa704e7558f24f5a0be382619758061cde89e9c730ac6db" "ef005bfad5a936633e3dfccc37b2214e2", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); mpz_set_str(expected, "15bd817f53501f8eb6693283004546ba14f19dd4da742b1e30a7b2" "1db309cd3f36f821f565d31c1ed2df8b6648dd8bdb218f841f5506" "a437825999aaf3ef77dff9a1fc7631ce0e99f851f4166ae67caed9" "820a764e44274a898ddd72f4c7115ba49d332f4fa929ee6dce4d61" "39fef8d8d25d4c9ff857689846e5cac26d", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test signatures */ mpz_set_str(expected, "5493d4d774d03f54de2e9bef6818b74a8e22bbe9628b6dec3f178d" "cc0090dab933a0f24bc9ac8aec949558868ea4f8e29d0248e70717" "6c113e8fbd9f1428c45a120378e32febffd4e9aca8102081bb5b90" "0f2914395a220823b700dbd7bd32646e", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); /* Test sha1 signature */ mpz_set_str(expected, "126bbd3d9e8649187069d8b6f0f43bd234a53249f765f616647049" "ca49b2c4cc8049440d5a9f1d10fcdf162b40afd9b761bcd30e2c60" "133b2c6f0504fe447038422b835d35448acb0881e894144e4ccaea" "59ce8dd16d3540fcbb84ebd1c5fb37510", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.4.1/testsuite/rsa-compute-root-test.c0000644000175000017500000001305613401564746020447 0ustar nissenisse#include "testutils.h" #include #include #include #include #include "rsa.h" #define KEY_COUNT 20 #define COUNT 100 static void random_fn (void *ctx, size_t n, uint8_t *dst) { gmp_randstate_t *rands = (gmp_randstate_t *)ctx; mpz_t r; mpz_init (r); mpz_urandomb (r, *rands, n*8); nettle_mpz_get_str_256 (n, dst, r); mpz_clear (r); } static void test_one (gmp_randstate_t *rands, struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t plaintext) { mpz_t ciphertext; mpz_t decrypted; mpz_init (ciphertext); mpz_init (decrypted); mpz_powm (ciphertext, plaintext, pub->e, pub->n); rsa_compute_root_tr (pub, key, rands, random_fn, decrypted, ciphertext); if (mpz_cmp (plaintext, decrypted)) { fprintf (stderr, "rsa_compute_root_tr failed\n"); fprintf(stderr, "Public key: size=%lu\n n:", pub->size); mpz_out_str (stderr, 10, pub->n); fprintf(stderr, "\n e:"); mpz_out_str (stderr, 10, pub->e); fprintf(stderr, "\nPrivate key: size=%lu\n p:", key->size); mpz_out_str (stderr, 10, key->p); fprintf(stderr, "\n q:"); mpz_out_str (stderr, 10, key->q); fprintf(stderr, "\n a:"); mpz_out_str (stderr, 10, key->a); fprintf(stderr, "\n b:"); mpz_out_str (stderr, 10, key->b); fprintf(stderr, "\n c:"); mpz_out_str (stderr, 10, key->c); fprintf(stderr, "\n d:"); mpz_out_str (stderr, 10, key->d); fprintf(stderr, "\n"); fprintf (stderr, "plaintext(%lu) = ", mpz_sizeinbase (plaintext, 2)); mpz_out_str (stderr, 10, plaintext); fprintf (stderr, "\n"); fprintf (stderr, "ciphertext(%lu) = ", mpz_sizeinbase (ciphertext, 2)); mpz_out_str (stderr, 10, ciphertext); fprintf (stderr, "\n"); fprintf (stderr, "decrypted(%lu) = ", mpz_sizeinbase (decrypted, 2)); mpz_out_str (stderr, 10, decrypted); fprintf (stderr, "\n"); abort(); } mpz_clear (ciphertext); mpz_clear (decrypted); } #if !NETTLE_USE_MINI_GMP /* We want to generate keypairs that are not "standard" but have more size * variance between q and p. * Function is otherwise the same as standard rsa_generate_keypair() */ static void generate_keypair (gmp_randstate_t rands, struct rsa_public_key *pub, struct rsa_private_key *key) { unsigned long int psize; unsigned long int qsize; mpz_t p1; mpz_t q1; mpz_t phi; mpz_t tmp; mpz_init (p1); mpz_init (q1); mpz_init (phi); mpz_init (tmp); psize = 100 + gmp_urandomm_ui (rands, 400); qsize = 100 + gmp_urandomm_ui (rands, 400); mpz_set_ui (pub->e, 65537); for (;;) { for (;;) { mpz_rrandomb (key->p, rands, psize); mpz_nextprime (key->p, key->p); mpz_sub_ui (p1, key->p, 1); mpz_gcd (tmp, pub->e, p1); if (mpz_cmp_ui (tmp, 1) == 0) break; } for (;;) { mpz_rrandomb (key->q, rands, qsize); mpz_nextprime (key->q, key->q); mpz_sub_ui (q1, key->q, 1); mpz_gcd (tmp, pub->e, q1); if (mpz_cmp_ui (tmp, 1) == 0) break; } if (mpz_invert (key->c, key->q, key->p)) break; } mpz_mul(phi, p1, q1); assert (mpz_invert(key->d, pub->e, phi)); mpz_fdiv_r (key->a, key->d, p1); mpz_fdiv_r (key->b, key->d, q1); mpz_mul (pub->n, key->p, key->q); pub->size = key->size = mpz_size(pub->n) * sizeof(mp_limb_t); mpz_clear (tmp); mpz_clear (phi); mpz_clear (q1); mpz_clear (p1); } #endif #if !NETTLE_USE_MINI_GMP static void get_random_seed(mpz_t seed) { struct timeval tv; FILE *f; f = fopen ("/dev/urandom", "rb"); if (f) { uint8_t buf[8]; size_t res; setbuf (f, NULL); res = fread (&buf, sizeof(buf), 1, f); fclose(f); if (res == 1) { nettle_mpz_set_str_256_u (seed, sizeof(buf), buf); return; } fprintf (stderr, "Read of /dev/urandom failed: %s\n", strerror (errno)); } gettimeofday(&tv, NULL); mpz_set_ui (seed, tv.tv_sec); mpz_mul_ui (seed, seed, 1000000UL); mpz_add_ui (seed, seed, tv.tv_usec); } #endif /* !NETTLE_USE_MINI_GMP */ void test_main (void) { const char *nettle_test_seed; gmp_randstate_t rands; struct rsa_public_key pub; struct rsa_private_key key; mpz_t plaintext; unsigned i, j; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init (plaintext); gmp_randinit_default (rands); #if !NETTLE_USE_MINI_GMP nettle_test_seed = getenv ("NETTLE_TEST_SEED"); if (nettle_test_seed && *nettle_test_seed) { mpz_t seed; mpz_init (seed); if (mpz_set_str (seed, nettle_test_seed, 0) < 0 || mpz_sgn (seed) < 0) die ("Invalid NETTLE_TEST_SEED: %s\n", nettle_test_seed); if (mpz_sgn (seed) == 0) get_random_seed (seed); fprintf (stderr, "Using NETTLE_TEST_SEED="); mpz_out_str (stderr, 10, seed); fprintf (stderr, "\n"); gmp_randseed (rands, seed); mpz_clear (seed); } #endif for (j = 0; j < KEY_COUNT; j++) { #if !NETTLE_USE_MINI_GMP generate_keypair(rands, &pub, &key); #else rsa_generate_keypair(&pub, &key, &rands, random_fn, NULL, NULL, 512, 16); #endif /* !NETTLE_USE_MINI_GMP */ for (i = 0; i < COUNT; i++) { mpz_urandomb(plaintext, rands, mpz_sizeinbase(pub.n, 2) - 1); test_one(&rands, &pub, &key, plaintext); } for (i = 0; i < COUNT; i++) { mpz_rrandomb(plaintext, rands, mpz_sizeinbase(pub.n, 2) - 1); test_one(&rands, &pub, &key, plaintext); } } mpz_clear (plaintext); rsa_public_key_clear (&pub); rsa_private_key_clear (&key); gmp_randclear (rands); } nettle-3.4.1/testsuite/aes-test.c0000644000175000017500000001746513401564746016007 0ustar nissenisse#include "testutils.h" #include "aes.h" #include "nettle-internal.h" static void test_invert(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct aes_ctx encrypt; struct aes_ctx decrypt; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; aes_set_encrypt_key (&encrypt, key->length, key->data); aes_encrypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "test_invert: Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } aes_invert_key (&decrypt, &encrypt); aes_decrypt (&decrypt, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "test_invert: Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free (data); } /* Old, unified, interface */ static nettle_set_key_func unified_aes128_set_encrypt_key; static nettle_set_key_func unified_aes128_set_encrypt_key; static nettle_set_key_func unified_aes192_set_encrypt_key; static nettle_set_key_func unified_aes192_set_encrypt_key; static nettle_set_key_func unified_aes256_set_encrypt_key; static nettle_set_key_func unified_aes256_set_encrypt_key; static void unified_aes128_set_encrypt_key (void *ctx, const uint8_t *key) { aes_set_encrypt_key (ctx, AES128_KEY_SIZE, key); } static void unified_aes128_set_decrypt_key (void *ctx, const uint8_t *key) { aes_set_decrypt_key (ctx, AES128_KEY_SIZE, key); } static void unified_aes192_set_encrypt_key (void *ctx, const uint8_t *key) { aes_set_encrypt_key (ctx, AES192_KEY_SIZE, key); } static void unified_aes192_set_decrypt_key (void *ctx, const uint8_t *key) { aes_set_decrypt_key (ctx, AES192_KEY_SIZE, key); } static void unified_aes256_set_encrypt_key (void *ctx, const uint8_t *key) { aes_set_encrypt_key (ctx, AES256_KEY_SIZE, key); } static void unified_aes256_set_decrypt_key (void *ctx, const uint8_t *key) { aes_set_decrypt_key (ctx, AES256_KEY_SIZE, key); } #define UNIFIED_AES(bits) { \ "unified-aes" #bits, sizeof(struct aes_ctx), \ AES_BLOCK_SIZE, AES ## bits ## _KEY_SIZE, \ unified_aes ## bits ##_set_encrypt_key, \ unified_aes ## bits ##_set_decrypt_key, \ (nettle_cipher_func *) aes_encrypt, \ (nettle_cipher_func *) aes_decrypt, \ } const struct nettle_cipher nettle_unified_aes128 = UNIFIED_AES(128); const struct nettle_cipher nettle_unified_aes192 = UNIFIED_AES(192); const struct nettle_cipher nettle_unified_aes256 = UNIFIED_AES(256); static void test_cipher2(const struct nettle_cipher *c1, const struct nettle_cipher *c2, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { test_cipher (c1, key, cleartext, ciphertext); test_cipher (c2, key, cleartext, ciphertext); } void test_main(void) { /* Test both the new interface and the older unified interface. */ /* 128 bit keys */ test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("0001020305060708 0A0B0C0D0F101112"), SHEX("506812A45F08C889 B97F5980038B8359"), SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("14151617191A1B1C 1E1F202123242526"), SHEX("5C6D71CA30DE8B8B 00549984D2EC7D4B"), SHEX("59AB30F4D4EE6E4F F9907EF65B1FB68C")); test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("28292A2B2D2E2F30 323334353738393A"), SHEX("53F3F4C64F8616E4 E7C56199F48F21F6"), SHEX("BF1ED2FCB2AF3FD4 1443B56D85025CB1")); test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2"), SHEX("F5F4F7F684878689 A6A7A0A1D2CDCCCF"), SHEX("CE52AF650D088CA5 59425223F4D32694")); /* 192 bit keys */ test_cipher2(&nettle_aes192, &nettle_unified_aes192, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C"), SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); /* 256 bit keys */ test_cipher2(&nettle_aes256, &nettle_unified_aes256, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C 1E1F202123242526"), SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); /* This test case has been problematic with the CBC test case */ test_cipher2(&nettle_aes256, &nettle_unified_aes256, SHEX("8d ae 93 ff fc 78 c9 44" "2a bd 0c 1e 68 bc a6 c7" "05 c7 84 e3 5a a9 11 8b" "d3 16 aa 54 9b 44 08 9e"), SHEX("a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37"), /* In the cbc test, I once got the bad value * "b2 a0 6c d2 2f df 7d 2c 26 d2 42 88 8f 20 74 a2" */ SHEX("1f 94 fc 85 f2 36 21 06" "4a ea e3 c9 cc 38 01 0e")); /* From draft NIST spec on AES modes. * * F.1 ECB Example Vectors * F.1.1 ECB-AES128-Encrypt */ test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3ad77bb40d7a3660a89ecaf32466ef97" "f5d3d58503b9699de785895a96fdbaaf" "43b1cd7f598ece23881b00e3ed030688" "7b0c785e27e8ad3f8223207104725dd4")); /* F.1.3 ECB-AES192-Encrypt */ test_cipher2(&nettle_aes192, &nettle_unified_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5 62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("bd334f1d6e45f25ff712a214571fa5cc" "974104846d0ad3ad7734ecb3ecee4eef" "ef7afd2270e2e60adce0ba2face6444e" "9a4b41ba738d6c72fb16691603c18e0e")); /* F.1.5 ECB-AES256-Encrypt */ test_cipher2(&nettle_aes256, &nettle_unified_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f3eed1bdb5d2a03c064b5a7e3db181f8" "591ccb10d410ed26dc5ba74a31362870" "b6ed21b99ca6f4f9f153e7b1beafed1d" "23304b7a39f9f3ff067d8d8f9e24ecc7")); /* Test aes_invert_key with src != dst */ test_invert(SHEX("0001020305060708 0A0B0C0D0F101112"), SHEX("506812A45F08C889 B97F5980038B8359"), SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); test_invert(SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C"), SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); test_invert(SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C 1E1F202123242526"), SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); } /* Internal state for the first test case: 0: a7106950 81cf0e5a 8d5574b3 4b929b0c 1: aa1e31c4 c19a8917 12282e4 b23e51eb 2: 14be6dac fede8fdc 8fb98878 a27dfb5c 3: e80a6f32 431515bb 72e8a651 7daf188b 4: c50438c0 d464b2b6 76b875e9 b2b5f574 5: d81ab740 746b4d89 ff033aac 44d5ffa2 6: 52e6bb4a edadc170 24867df4 6e2ad5d5 7: ab1c7365 64d09f00 7718d521 46a3df32 8: f1eaad16 1aefdfb 7ba5724d d8499631 9: 1020300 2030001 3000102 10203 99: 5332f5d8 7def8982 a406b506 c9e95bfd */ nettle-3.4.1/testsuite/gcm-test.c0000644000175000017500000005036113401564746015775 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "gcm.h" static void test_gcm_hash (const struct tstring *msg, const struct tstring *ref) { struct gcm_aes128_ctx ctx; const uint8_t z16[16] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }; uint8_t digest[16]; ASSERT (ref->length == sizeof(digest)); gcm_aes128_set_key (&ctx, z16); gcm_aes128_set_iv (&ctx, 16, z16); gcm_aes128_update (&ctx, msg->length, msg->data); gcm_aes128_digest (&ctx, sizeof(digest), digest); if (!MEMEQ (ref->length, ref->data, digest)) { fprintf (stderr, "gcm_hash failed, msg: %s\nOutput: ", msg->data); print_hex (16, digest); fprintf(stderr, "Expected:"); tstring_print_hex(ref); fprintf(stderr, "\n"); FAIL(); } } static nettle_set_key_func gcm_unified_aes128_set_key; static nettle_set_key_func gcm_unified_aes128_set_iv; static void gcm_unified_aes128_set_key (void *ctx, const uint8_t *key) { gcm_aes_set_key (ctx, AES128_KEY_SIZE, key); } static void gcm_unified_aes128_set_iv (void *ctx, const uint8_t *iv) { gcm_aes_set_iv (ctx, GCM_IV_SIZE, iv); } static const struct nettle_aead nettle_gcm_unified_aes128 = { "gcm-aes128", sizeof (struct gcm_aes_ctx), GCM_BLOCK_SIZE, AES128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_unified_aes128_set_key, (nettle_set_key_func *) gcm_unified_aes128_set_key, (nettle_set_key_func *) gcm_unified_aes128_set_iv, (nettle_hash_update_func *) gcm_aes_update, (nettle_crypt_func *) gcm_aes_encrypt, (nettle_crypt_func *) gcm_aes_decrypt, (nettle_hash_digest_func *) gcm_aes_digest }; void test_main(void) { /* * GCM-AES Test Vectors from * http://www.cryptobarn.com/papers/gcm-spec.pdf */ /* Test case 1 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("00000000000000000000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext*/ SHEX("000000000000000000000000"), /* IV */ SHEX("58e2fccefa7e3061367f1d57a4e7455a")); /* tag */ /* Test case 2 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("00000000000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("0388dace60b6a392f328c2b971b2fe78"), SHEX("000000000000000000000000"), SHEX("ab6e47d42cec13bdf53a67b21257bddf")); /* Test case 3 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091473f5985"), SHEX("cafebabefacedbaddecaf888"), SHEX("4d5c2af327cd64a62cf35abd2ba6fab4")); /* Test case 4 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091"), SHEX("cafebabefacedbaddecaf888"), SHEX("5bc94fbc3221a5db94fae95ae7121a47")); /* Test case 5 */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("61353b4c2806934a777ff51fa22a4755" "699b2a714fcdc6f83766e5f97b6c7423" "73806900e49f24b22b097544d4896b42" "4989b5e1ebac0f07c23f4598"), SHEX("cafebabefacedbad"), SHEX("3612d2e79e3b0785561be14aaca2fccb")); /* Test case 6 */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("8ce24998625615b603a033aca13fb894" "be9112a5c3a211a8ba262a3cca7e2ca7" "01e4a9a4fba43c90ccdcb281d48c7c6f" "d62875d2aca417034c34aee5"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); /* Same test, but with old gcm_aes interface */ test_aead(&nettle_gcm_unified_aes128, (nettle_hash_update_func *) gcm_aes_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("8ce24998625615b603a033aca13fb894" "be9112a5c3a211a8ba262a3cca7e2ca7" "01e4a9a4fba43c90ccdcb281d48c7c6f" "d62875d2aca417034c34aee5"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); /* Test case 7 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), SHEX(""), SHEX(""), SHEX("000000000000000000000000"), SHEX("cd33b28ac773f74ba00ed1f312572435")); /* Test case 8 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("98e7247c07f0fe411c267e4384b0f600"), SHEX("000000000000000000000000"), SHEX("2ff58d80033927ab8ef4d4587514f0fb")); /* Test case 9 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("3980ca0b3c00e841eb06fac4872a2757" "859e1ceaa6efd984628593b40ca1e19c" "7d773d00c144c525ac619d18c84a3f47" "18e2448b2fe324d9ccda2710acade256"), SHEX("cafebabefacedbaddecaf888"), SHEX("9924a7c8587336bfb118024db8674a14")); /* Test case 10 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("3980ca0b3c00e841eb06fac4872a2757" "859e1ceaa6efd984628593b40ca1e19c" "7d773d00c144c525ac619d18c84a3f47" "18e2448b2fe324d9ccda2710"), SHEX("cafebabefacedbaddecaf888"), SHEX("2519498e80f1478f37ba55bd6d27618c")); /* Test case 11 */ test_aead(&nettle_gcm_aes192, (nettle_hash_update_func *) gcm_aes192_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("0f10f599ae14a154ed24b36e25324db8" "c566632ef2bbb34f8347280fc4507057" "fddc29df9a471f75c66541d4d4dad1c9" "e93a19a58e8b473fa0f062f7"), SHEX("cafebabefacedbad"), SHEX("65dcc57fcf623a24094fcca40d3533f8")); /* Test case 12 */ test_aead(&nettle_gcm_aes192, (nettle_hash_update_func *) gcm_aes192_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("d27e88681ce3243c4830165a8fdcf9ff" "1de9a1d8e6b447ef6ef7b79828666e45" "81e79012af34ddd9e2f037589b292db3" "e67c036745fa22e7e9b7373b"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("dcf566ff291c25bbb8568fc3d376a6d9")); /* Test case 13 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), SHEX(""), SHEX(""), SHEX("000000000000000000000000"), SHEX("530f8afbc74536b9a963b4f1c4cb738b")); /* Test case 14 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("cea7403d4d606b6e074ec5d3baf39d18"), SHEX("000000000000000000000000"), SHEX("d0d1c8a799996bf0265b98b5d48ab919")); /* Test case 15 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("522dc1f099567d07f47f37a32a84427d" "643a8cdcbfe5c0c97598a2bd2555d1aa" "8cb08e48590dbb3da7b08b1056828838" "c5f61e6393ba7a0abcc9f662898015ad"), SHEX("cafebabefacedbaddecaf888"), SHEX("b094dac5d93471bdec1a502270e3cc6c")); /* Test case 16 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("522dc1f099567d07f47f37a32a84427d" "643a8cdcbfe5c0c97598a2bd2555d1aa" "8cb08e48590dbb3da7b08b1056828838" "c5f61e6393ba7a0abcc9f662"), SHEX("cafebabefacedbaddecaf888"), SHEX("76fc6ece0f4e1768cddf8853bb2d551b")); /* Test case 17 */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes256_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("c3762df1ca787d32ae47c13bf19844cb" "af1ae14d0b976afac52ff7d79bba9de0" "feb582d33934a4f0954cc2363bc73f78" "62ac430e64abe499f47c9b1f"), SHEX("cafebabefacedbad"), SHEX("3a337dbf46a792c45e454913fe2ea8f2")); /* Test case 18 */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes256_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("5a8def2f0c9e53f1f75d7853659e2a20" "eeb2b22aafde6419a058ab4f6f746bf4" "0fc0c3b780f244452da3ebf1c5d82cde" "a2418997200ef82e44ae7e3f"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("a44a8266ee1c8eb0c8b5d4cf5ae9f19a")); /* * GCM-Camellia Test Vectors obtained from the authors */ /* Test case 1 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("00000000000000000000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext*/ SHEX("000000000000000000000000"), /* IV */ SHEX("f5574acc3148dfcb9015200631024df9")); /* tag */ /* Test case 3 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX(""), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255"), /* plaintext */ SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815"), /* ciphertext*/ SHEX("cafebabefacedbaddecaf888"), /* IV */ SHEX("86e318012dd8329dc9dae6a170f61b24")); /* tag */ /* Test case 4 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606"), /* ciphertext*/ SHEX("cafebabefacedbaddecaf888"), /* IV */ SHEX("9f458869431576ea6a095456ec6b8101")); /* tag */ /* Test case 5 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a" "52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd"), /* ciphertext*/ SHEX("cafebabefacedbad"), /* IV */ SHEX("e86f8f2e730c49d536f00fb5225d28b1")); /* tag */ /* Test case 6 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e" "402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647"), /* ciphertext*/ SHEX("9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b"), /* IV */ SHEX("ceae5569b2af8641572622731aed3e53")); /* tag */ /* gcm-camellia256 */ /* Test case 13 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("000000000000000000000000"), /* iv */ SHEX("9cdb269b5d293bc5db9c55b057d9b591")); /* tag */ /* Test case 14 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX("0000000000000000 0000000000000000"), /* plaintext */ SHEX("3d4b2cde666761ba 5dfb305178e667fb"), /* ciphertext */ SHEX("000000000000000000000000"), /* iv */ SHEX("284b63bb143c40ce100fb4dea6bb617b")); /* tag */ /* Test case 15 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX(""), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b391aafd255"), /* plaintext */ SHEX("ad142c11579dd95e 41f3c1f324dabc25" "5864d920f1b65759 d8f560d4948d4477" "58dfdcf77aa9f625 81c7ff572a037f81" "0cb1a9c4b3ca6ed6 38179b776549e092"), /* ciphertext */ SHEX("cafebabefacedbaddecaf888"), /* iv */ SHEX("c912686270a2b9966415fca3be75c468")); /* tag */ /* Test case 16 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("ad142c11579dd95e 41f3c1f324dabc25" "5864d920f1b65759 d8f560d4948d4477" "58dfdcf77aa9f625 81c7ff572a037f81" "0cb1a9c4b3ca6ed6 38179b77"), /* ciphertext */ SHEX("cafebabefacedbaddecaf888"), /* iv */ SHEX("4e4b178d8fe26fdc95e2e7246dd94bec")); /* tag */ /* Test case 17 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("6ca95fbb7d16577a 9ef2fded94dc85b5" "d40c629f6bef2c64 9888e3cbb0ededc7" "810c04b12c2983bb bbc482e16e45c921" "5ae12c15c55f2f48 09d06652"), /* ciphertext */ SHEX("cafebabefacedbad"), /* iv */ SHEX("e6472b8ebd331bfcc7c0fa63ce094461")); /* tag */ /* Test case 18 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("e0cddd7564d09c4d c522dd65949262bb" "f9dcdb07421cf67f 3032becb7253c284" "a16e5bf0f556a308 043f53fab9eebb52" "6be7f7ad33d697ac 77c67862"), /* ciphertext */ SHEX("9313225df88406e5 55909c5aff5269aa" "6a7a9538534f7da1 e4c303d2a318a728" "c3c0c95156809539 fcf0e2429a6b5254" "16aedbf5a0de6a57 a637b39b"), /* iv */ SHEX("5791883f822013f8bd136fc36fb9946b")); /* tag */ /* Test gcm_hash, with varying message size, keys and iv all zero. Not compared to any other implementation. */ test_gcm_hash (SDATA("a"), SHEX("1521c9a442bbf63b 2293a21d4874a5fd")); test_gcm_hash (SDATA("ab"), SHEX("afb4592d2c7c1687 37f27271ee30412a")); test_gcm_hash (SDATA("abc"), SHEX("9543ca3e1662ba03 9a921ec2a20769be")); test_gcm_hash (SDATA("abcd"), SHEX("8f041cc12bcb7e1b 0257a6da22ee1185")); test_gcm_hash (SDATA("abcde"), SHEX("0b2376e5fed58ffb 717b520c27cd5c35")); test_gcm_hash (SDATA("abcdef"), SHEX("9679497a1eafa161 4942963380c1a76f")); test_gcm_hash (SDATA("abcdefg"), SHEX("83862e40339536bc 723d9817f7df8282")); test_gcm_hash (SDATA("abcdefgh"), SHEX("b73bcc4d6815c4dc d7424a04e61b87c5")); test_gcm_hash (SDATA("abcdefghi"), SHEX("8e7846a383f0b3b2 07b01160a5ef993d")); test_gcm_hash (SDATA("abcdefghij"), SHEX("37651643b6f8ecac 4ea1b320e6ea308c")); test_gcm_hash (SDATA("abcdefghijk"), SHEX("c1ce10106ee23286 f00513f55e2226b0")); test_gcm_hash (SDATA("abcdefghijkl"), SHEX("c6a3e32a90196cdf b2c7a415d637e6ca")); test_gcm_hash (SDATA("abcdefghijklm"), SHEX("6cca29389d4444fa 3d20e65497088fd8")); test_gcm_hash (SDATA("abcdefghijklmn"), SHEX("19476a997ec0a824 2022db0f0e8455ce")); test_gcm_hash (SDATA("abcdefghijklmno"), SHEX("f66931cee7eadcbb d42753c3ac3c4c16")); test_gcm_hash (SDATA("abcdefghijklmnop"), SHEX("a79699ce8bed61f9 b8b1b4c5abb1712e")); test_gcm_hash (SDATA("abcdefghijklmnopq"), SHEX("65f8245330febf15 6fd95e324304c258")); test_gcm_hash (SDATA("abcdefghijklmnopqr"), SHEX("d07259e85d4fc998 5a662eed41c8ed1d")); } nettle-3.4.1/testsuite/des3-test.c0000644000175000017500000000070113401564746016056 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "des.h" void test_main(void) { /* Intermediate values: * After first DES encryption: "cd ea 2a 20 c2 e0 9e 48" * After second DES decryption: "69 52 6e 95 8b ea 49 bd" */ test_cipher(&nettle_des3, SHEX("3e 0b 10 b0 5d 49 c2 54" "6b 46 e0 75 8a 91 61 85" "cb 04 07 d3 20 16 cb a2"), SDATA("Now is t"), SHEX("0a 5d b5 2d 85 74 d1 c9")); } nettle-3.4.1/testsuite/ctr-test.c0000644000175000017500000001763513401564746016026 0ustar nissenisse#include "testutils.h" #include "aes.h" #include "ctr.h" void test_main(void) { /* From NIST spec 800-38a on AES modes, * * http://csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38A.pdf * * F.5 CTR Example Vectors */ /* Zero-length data. Exposes bug reported by Tim Kosse, where ctr_crypt increment the ctr when it shouldn't. */ test_cipher_ctr(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX(""), SHEX(""), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.1 CTR-AES128.Encrypt */ test_cipher_ctr(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("874d6191b620e3261bef6864990db6ce" "9806f66b7970fdff8617187bb9fffdff" "5ae4df3edbd5d35e5b4f09020db03eab" "1e031dda2fbe03d1792170a0f3009cee"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.3 CTR-AES192.Encrypt */ test_cipher_ctr(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("1abc932417521ca24f2b0459fe7e6e0b" "090339ec0aa6faefd5ccc2c6f4ce8e94" "1e36b26bd1ebc670d1bd1d665620abf7" "4f78a7f6d29809585a97daec58c6b050"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.5 CTR-AES256.Encrypt */ test_cipher_ctr(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("601ec313775789a5b7a7f504bbf3d228" "f443e3ca4d62b59aca84e990cacaf5c5" "2b0930daa23de94ce87017ba2d84988d" "dfc9c58db67aada613c2dd08457941a6"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); } /* F.5.1 CTR-AES128.Encrypt Key 2b7e151628aed2a6abf7158809cf4f3c Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block ec8cdf7398607cb0f2d21675ea9ea1e4 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 874d6191b620e3261bef6864990db6ce Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 362b7c3c6773516318a077d7fc5073ae Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 9806f66b7970fdff8617187bb9fffdff Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 6a2cc3787889374fbeb4c81b17ba6c44 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 5ae4df3edbd5d35e5b4f09020db03eab Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block e89c399ff0f198c6d40a31db156cabfe Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 1e031dda2fbe03d1792170a0f3009cee F.5.2 CTR-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block ec8cdf7398607cb0f2d21675ea9ea1e4 Ciphertext 874d6191b620e3261bef6864990db6ce Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 362b7c3c6773516318a077d7fc5073ae Ciphertext 9806f66b7970fdff8617187bb9fffdff Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 6a2cc3787889374fbeb4c81b17ba6c44 Ciphertext 5ae4df3edbd5d35e5b4f09020db03eab Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block e89c399ff0f198c6d40a31db156cabfe Ciphertext 1e031dda2fbe03d1792170a0f3009cee Plaintext f69f2445df4f9b17ad2b417be66c3710 F.5.3 CTR-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 717d2dc639128334a6167a488ded7921 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 1abc932417521ca24f2b0459fe7e6e0b Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block a72eb3bb14a556734b7bad6ab16100c5 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 090339ec0aa6faefd5ccc2c6f4ce8e94 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 2efeae2d72b722613446dc7f4c2af918 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 1e36b26bd1ebc670d1bd1d665620abf7 Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block b9e783b30dd7924ff7bc9b97beaa8740 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 4f78a7f6d29809585a97daec58c6b050 F.5.4 CTR-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 717d2dc639128334a6167a488ded7921 Ciphertext 1abc932417521ca24f2b0459fe7e6e0b Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block a72eb3bb14a556734b7bad6ab16100c5 Ciphertext 090339ec0aa6faefd5ccc2c6f4ce8e94 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 2efeae2d72b722613446dc7f4c2af918 Ciphertext 1e36b26bd1ebc670d1bd1d665620abf7 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block b9e783b30dd7924ff7bc9b97beaa8740 Ciphertext 4f78a7f6d29809585a97daec58c6b050 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.5.5 CTR-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 0bdf7df1591716335e9a8b15c860c502 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 601ec313775789a5b7a7f504bbf3d228 Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 5a6e699d536119065433863c8f657b94 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext f443e3ca4d62b59aca84e990cacaf5c5 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 1bc12c9c01610d5d0d8bd6a3378eca62 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 2b0930daa23de94ce87017ba2d84988d Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block 2956e1c8693536b1bee99c73a31576b6 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext dfc9c58db67aada613c2dd08457941a6 F.5.6 CTR-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 0bdf7df1591716335e9a8b15c860c502 Ciphertext 601ec313775789a5b7a7f504bbf3d228 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 5a6e699d536119065433863c8f657b94 Ciphertext f443e3ca4d62b59aca84e990cacaf5c5 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 1bc12c9c01610d5d0d8bd6a3378eca62 Ciphertext 2b0930daa23de94ce87017ba2d84988d Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block 2956e1c8693536b1bee99c73a31576b6 Ciphertext dfc9c58db67aada613c2dd08457941a6 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-3.4.1/testsuite/random-prime-test.c0000644000175000017500000000102013401564746017605 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" void test_main(void) { struct knuth_lfib_ctx lfib; mpz_t p; unsigned bits; knuth_lfib_init(&lfib, 17); mpz_init(p); for (bits = 6; bits < 1000; bits = bits + 1 + bits/20) { if (verbose) fprintf(stderr, "bits = %d\n", bits); nettle_random_prime(p, bits, 0, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, NULL); ASSERT (mpz_sizeinbase (p, 2) == bits); ASSERT (mpz_probab_prime_p(p, 25)); } mpz_clear(p); } nettle-3.4.1/testsuite/sha512-224-test.c0000644000175000017500000000103313401564746016527 0ustar nissenisse#include "testutils.h" void test_main(void) { /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ test_hash(&nettle_sha512_224, SDATA("abc"), SHEX("4634270F 707B6A54 DAAE7530 460842E2" "0E37ED26 5CEEE9A4 3E8924AA")); test_hash(&nettle_sha512_224, SDATA("abcdefghbcdefghicdefghijdefghijk" "efghijklfghijklmghijklmnhijklmno" "ijklmnopjklmnopqklmnopqrlmnopqrs" "mnopqrstnopqrstu"), SHEX("23FEC5BB 94D60B23 30819264 0B0C4533" "35D66473 4FE40E72 68674AF9")); } nettle-3.4.1/testsuite/sha512-test.c0000644000175000017500000002022313401564746016224 0ustar nissenisse#include "testutils.h" void test_main(void) { test_hash(&nettle_sha512, SDATA("abc"), SHEX("ddaf35a193617aba cc417349ae204131" "12e6fa4e89a97ea2 0a9eeee64b55d39a" "2192992a274fc1a8 36ba3c23a3feebbd" "454d4423643ce80e 2a9ac94fa54ca49f")); test_hash(&nettle_sha512, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("8e959b75dae313da 8cf4f72814fc143f" "8f7779c6eb9f7fa1 7299aeadb6889018" "501d289e4900f7e4 331b99dec4b5433a" "c7d329eeb6dd2654 5e96e55b874be909")); /* NESSIE, Set 1, vector #6 */ test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("1E07BE23C26A86EA37EA810C8EC78093" "52515A970E9253C26F536CFC7A9996C4" "5C8370583E0A78FA4A90041D71A4CEAB" "7423F19C71B9D5A3E01249F0BEBD5894")); /* NESSIE, Set 1, vector #7 */ test_hash(&nettle_sha512, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("72EC1EF1124A45B047E8B7C75A932195" "135BB61DE24EC0D1914042246E0AEC3A" "2354E093D76F3048B456764346900CB1" "30D2A4FD5DD16ABB5E30BCB850DEE843")); /* Variants longer than one block (128 bytes), to test varying alignment. */ test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("5338370f5655f4da14572d4fb471539b" "201485ecfb3d3204048dc6b83e61fab5" "05bcbbd73e644a1a5d159a32a0889cf3" "c9591b69b26d31be56c68838ce3cd63d")); test_hash(&nettle_sha512, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890") , SHEX("33f8901b053e4cc677d3cb4122d96ad9" "b96b13bf76194cf962488bb4de4998a7" "1455cb31582db527adf77a485b81cf5b" "722a5e8638eb6be487400f3aec006e7c")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha512, SDATA(""), SHEX("cf83e1357eefb8bd f1542850d66d8007" "d620e4050b5715dc 83f4a921d36ce9ce" "47d0d13c5d85f2b0 ff8318d2877eec2f" "63b931bd47417a81 a538327af927da3e")); test_hash(&nettle_sha512, SDATA("a"), SHEX("1f40fc92da241694 750979ee6cf582f2" "d5d7d28e18335de0 5abc54d0560e0f53" "02860c652bf08d56 0252aa5e74210546" "f369fbbbce8c12cf c7957b2652fe9a75")); test_hash(&nettle_sha512, SDATA("38"), SHEX("caae34a5e8103126 8bcdaf6f1d8c04d3" "7b7f2c349afb705b 575966f63e2ebf0f" "d910c3b05160ba08 7ab7af35d40b7c71" "9c53cd8b947c9611 1f64105fd45cc1b2")); test_hash(&nettle_sha512, SDATA("message digest"), SHEX("107dbf389d9e9f71 a3a95f6c055b9251" "bc5268c2be16d6c1 3492ea45b0199f33" "09e16455ab1e9611 8e8a905d5597b720" "38ddb372a8982604 6de66687bb420e7c")); test_hash(&nettle_sha512, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("4dbff86cc2ca1bae 1e16468a05cb9881" "c97f1753bce36190 34898faa1aabe429" "955a1bf8ec483d74 21fe3c1646613a59" "ed5441fb0f321389 f77f48a879c7b1f1")); test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("1e07be23c26a86ea 37ea810c8ec78093" "52515a970e9253c2 6f536cfc7a9996c4" "5c8370583e0a78fa 4a90041d71a4ceab" "7423f19c71b9d5a3 e01249f0bebd5894")); test_hash(&nettle_sha512, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("72ec1ef1124a45b0 47e8b7c75a932195" "135bb61de24ec0d1 914042246e0aec3a" "2354e093d76f3048 b456764346900cb1" "30d2a4fd5dd16abb 5e30bcb850dee843")); } /* For first test case. -1: 6a09e667f3bcc908 bb67ae8584caa73b 3c6ef372fe94f82b a54ff53a5f1d36f1 510e527fade682d1 9b05688c2b3e6c1f 1f83d9abfb41bd6b 5be0cd19137e2179 0: 6a09e667f3bcc908 bb67ae8584caa73b 3c6ef372fe94f82b 58cb02347ab51f91 510e527fade682d1 9b05688c2b3e6c1f 1f83d9abfb41bd6b f6afceb8bcfcddf5 1: 6a09e667f3bcc908 bb67ae8584caa73b c3d4ebfd48650ffa 58cb02347ab51f91 510e527fade682d1 9b05688c2b3e6c1f 1320f8c9fb872cc0 f6afceb8bcfcddf5 6: b47b4bb1928990e c4875b0c7abc076b af573b02403e89cd b680953951604860 5a83cb3e80050e82 5a6c781f54dcc00c 96f60209b6dc35ba 745aca4a342ed2e2 7: 8093d195e0054fa3 c4875b0c7abc076b af573b02403e89cd b680953951604860 86f67263a0f0ec0a 5a6c781f54dcc00c 96f60209b6dc35ba 745aca4a342ed2e2 8: 8093d195e0054fa3 c4875b0c7abc076b af573b02403e89cd d0403c398fc40002 86f67263a0f0ec0a 5a6c781f54dcc00c 96f60209b6dc35ba f1eca5544cb89225 9: 8093d195e0054fa3 c4875b0c7abc076b 91f460be46c52 d0403c398fc40002 86f67263a0f0ec0a 5a6c781f54dcc00c 81782d4a5db48f03 f1eca5544cb89225 14: 475975b91a7a462c fa967eed85a08028 44249631255d2ca0 5e41214388186c14 db0a9963f80c2eaa 874bfe5f6aae9f2f 860acf9effba6f61 cdf3bff2883fc9d9 15: ae07c86b1181c75 fa967eed85a08028 44249631255d2ca0 5e41214388186c14 a77b7c035dd4c161 874bfe5f6aae9f2f 860acf9effba6f61 cdf3bff2883fc9d9 16: ae07c86b1181c75 fa967eed85a08028 44249631255d2ca0 2deecc6b39d64d78 a77b7c035dd4c161 874bfe5f6aae9f2f 860acf9effba6f61 caf81a425d800537 17: ae07c86b1181c75 fa967eed85a08028 f47e8353f8047455 2deecc6b39d64d78 a77b7c035dd4c161 874bfe5f6aae9f2f 4725be249ad19e6b caf81a425d800537 18: ae07c86b1181c75 29695fd88d81dbd0 f47e8353f8047455 2deecc6b39d64d78 a77b7c035dd4c161 3c4b4104168e3edb 4725be249ad19e6b caf81a425d800537 30: 9068a4e255a0dac 4c4fbbb75f1873a6 74bf40f869094c63 e62349090f47d30a eab4a9e5771b8d09 73e025d91b9efea3 f0aec2fe1437f085 fcdf99710f21584 31: ff4d3f1f0d46a736 4c4fbbb75f1873a6 74bf40f869094c63 e62349090f47d30a 3cd388e119e8162e 73e025d91b9efea3 f0aec2fe1437f085 fcdf99710f21584 32: ff4d3f1f0d46a736 4c4fbbb75f1873a6 74bf40f869094c63 e1034573654a106f 3cd388e119e8162e 73e025d91b9efea3 f0aec2fe1437f085 a0509015ca08c8d4 33: ff4d3f1f0d46a736 4c4fbbb75f1873a6 efabbd8bf47c041a e1034573654a106f 3cd388e119e8162e 73e025d91b9efea3 60d4e6995ed91fe6 a0509015ca08c8d4 34: ff4d3f1f0d46a736 fbae670fa780fd3 efabbd8bf47c041a e1034573654a106f 3cd388e119e8162e 2c59ec7743632621 60d4e6995ed91fe6 a0509015ca08c8d4 46: cc5100997f5710f2 f61e672694de2d67 21fbadbabab5ac6 c47c9d5c7ea8a234 35d7e7f41defcbd5 c6bc35740d8daa9a e95c2a57572d64d9 858d832ae0e8911c 47: 6b69fc1bb482feac f61e672694de2d67 21fbadbabab5ac6 c47c9d5c7ea8a234 35264334c03ac8ad c6bc35740d8daa9a e95c2a57572d64d9 858d832ae0e8911c 48: 6b69fc1bb482feac f61e672694de2d67 21fbadbabab5ac6 271580ed6c3e5650 35264334c03ac8ad c6bc35740d8daa9a e95c2a57572d64d9 571f323d96b3a047 49: 6b69fc1bb482feac f61e672694de2d67 dfe091dab182e645 271580ed6c3e5650 35264334c03ac8ad c6bc35740d8daa9a ca9bd862c5050918 571f323d96b3a047 50: 6b69fc1bb482feac 7a0d8ef821c5e1a dfe091dab182e645 271580ed6c3e5650 35264334c03ac8ad 813a43dd2c502043 ca9bd862c5050918 571f323d96b3a047 62: 4797cde4ed370692 a81dedbb9f19e643 cfcd928c5424e2b6 3857dfd2fc37d3ba 2c074484ef1eac8c 84058865d60a05fa 9aee5bda1644de5 a6af4e9c9f807e51 63: ab44e86276478d85 a81dedbb9f19e643 cfcd928c5424e2b6 3857dfd2fc37d3ba cd881ee59ca6bc53 84058865d60a05fa 9aee5bda1644de5 a6af4e9c9f807e51 64: ab44e86276478d85 a81dedbb9f19e643 cfcd928c5424e2b6 aa84b086688a5c45 cd881ee59ca6bc53 84058865d60a05fa 9aee5bda1644de5 5a806d7e9821a501 65: ab44e86276478d85 a81dedbb9f19e643 3b5fed0d6a1f96e1 aa84b086688a5c45 cd881ee59ca6bc53 84058865d60a05fa eeb9c21bb0102598 5a806d7e9821a501 66: ab44e86276478d85 29fab5a7bff53366 3b5fed0d6a1f96e1 aa84b086688a5c45 cd881ee59ca6bc53 46c4210ab2cc155d eeb9c21bb0102598 5a806d7e9821a501 78: 995019a6ff3ba3de 10d9c4c4295599f6 d67806db8b148677 654ef9abec389ca9 c8960e6be864b916 9bb4d39778c07f9e 25c96a7768fb2aa3 ceb9fc3691ce8326 79: 73a54f399fa4b1b2 10d9c4c4295599f6 d67806db8b148677 654ef9abec389ca9 d08446aa79693ed7 9bb4d39778c07f9e 25c96a7768fb2aa3 ceb9fc3691ce8326 99: ddaf35a193617aba cc417349ae204131 12e6fa4e89a97ea2 a9eeee64b55d39a 2192992a274fc1a8 36ba3c23a3feebbd 454d4423643ce80e 2a9ac94fa54ca49f */ nettle-3.4.1/testsuite/testutils.c0000644000175000017500000012237013401564746016312 0ustar nissenisse/* testutils.c */ #include "testutils.h" #include "base16.h" #include "cbc.h" #include "cfb.h" #include "ctr.h" #include "knuth-lfib.h" #include "macros.h" #include "nettle-internal.h" #include #include void die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); abort (); } void * xalloc(size_t size) { void *p = malloc(size); if (size && !p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } static struct tstring *tstring_first = NULL; struct tstring * tstring_alloc (size_t length) { struct tstring *s = xalloc(sizeof(struct tstring) + length); s->length = length; s->next = tstring_first; /* NUL-terminate, for convenience. */ s->data[length] = '\0'; tstring_first = s; return s; } void tstring_clear(void) { while (tstring_first) { struct tstring *s = tstring_first; tstring_first = s->next; free(s); } } struct tstring * tstring_data(size_t length, const uint8_t *data) { struct tstring *s = tstring_alloc (length); memcpy (s->data, data, length); return s; } struct tstring * tstring_hex(const char *hex) { struct base16_decode_ctx ctx; struct tstring *s; size_t length = strlen(hex); s = tstring_alloc(BASE16_DECODE_LENGTH (length)); base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &s->length, s->data, length, hex)); ASSERT (base16_decode_final (&ctx)); return s; } void tstring_print_hex(const struct tstring *s) { print_hex (s->length, s->data); } void print_hex(size_t length, const uint8_t *data) { size_t i; for (i = 0; i < length; i++) { switch (i % 16) { default: break; case 0: printf("\n"); break; case 8: printf(" "); break; } printf("%02x", data[i]); } printf("\n"); } int verbose = 0; int main(int argc, char **argv) { if (argc > 1) { if (argc == 2 && !strcmp(argv[1], "-v")) verbose = 1; else { fprintf(stderr, "Invalid argument `%s', only accepted option is `-v'.\n", argv[1]); return 1; } } test_main(); tstring_clear(); return EXIT_SUCCESS; } void test_cipher(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { void *ctx = xalloc(cipher->context_size); uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); cipher->set_encrypt_key(ctx, key->data); cipher->encrypt(ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_decrypt_key(ctx, key->data); cipher->decrypt(ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); } void test_cipher_cbc(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data; uint8_t *iv = xalloc(cipher->block_size); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CBC encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_decrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_decrypt(ctx, cipher->decrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CBC decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(iv); } void test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data, *data2; uint8_t *iv = xalloc(cipher->block_size); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length); data2 = xalloc(length); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB inplace encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB inplace decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } /* Repeat all tests with incomplete last block */ length -= 1; cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB inplace encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB inplace decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(data2); free(iv); } void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *ictr) { void *ctx = xalloc(cipher->context_size); uint8_t *data; uint8_t *ctr = xalloc(cipher->block_size); uint8_t *octr = xalloc(cipher->block_size); size_t length, nblocks; unsigned low; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (ictr->length == cipher->block_size); /* Compute expected counter value after the operation. */ nblocks = (length + cipher->block_size - 1) / cipher->block_size; ASSERT (nblocks < 0x100); memcpy (octr, ictr->data, cipher->block_size - 1); low = ictr->data[cipher->block_size - 1] + nblocks; octr[cipher->block_size - 1] = low; if (low >= 0x100) INCREMENT (cipher->block_size - 1, octr); data = xalloc(length); cipher->set_encrypt_key(ctx, key->data); memcpy(ctr, ictr->data, cipher->block_size); ctr_crypt(ctx, cipher->encrypt, cipher->block_size, ctr, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CTR encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } ASSERT (MEMEQ (cipher->block_size, ctr, octr)); memcpy(ctr, ictr->data, cipher->block_size); ctr_crypt(ctx, cipher->encrypt, cipher->block_size, ctr, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CTR decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } ASSERT (MEMEQ (cipher->block_size, ctr, octr)); free(ctx); free(data); free(octr); free(ctr); } #if 0 void test_cipher_stream(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { size_t block; void *ctx = xalloc(cipher->context_size); uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; memset(data, 0x17, length + 1); cipher->set_encrypt_key(ctx, key->length, key->data); for (i = 0; i + block < length; i += block) { cipher->encrypt(ctx, block, data + i, cleartext->data + i); ASSERT (data[i + block] == 0x17); } cipher->encrypt(ctx, length - i, data + i, cleartext->data + i); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed, block size %lu\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } cipher->set_decrypt_key(ctx, key->length, key->data); cipher->decrypt(ctx, length, data, data); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); } #endif void test_aead(const struct nettle_aead *aead, nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *nonce, const struct tstring *digest) { void *ctx = xalloc(aead->context_size); uint8_t *data; uint8_t *buffer = xalloc(aead->digest_size); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == aead->key_size); ASSERT (digest->length <= aead->digest_size); data = xalloc(length); /* encryption */ memset(buffer, 0, aead->digest_size); aead->set_encrypt_key(ctx, key->data); if (nonce->length != aead->nonce_size) { ASSERT (set_nonce); set_nonce (ctx, nonce->length, nonce->data); } else aead->set_nonce(ctx, nonce->data); if (authtext->length) aead->update(ctx, authtext->length, authtext->data); if (length) aead->encrypt(ctx, length, data, cleartext->data); aead->digest(ctx, digest->length, buffer); ASSERT(MEMEQ(length, data, ciphertext->data)); ASSERT(MEMEQ(digest->length, buffer, digest->data)); /* decryption */ memset(buffer, 0, aead->digest_size); aead->set_decrypt_key(ctx, key->data); if (nonce->length != aead->nonce_size) { ASSERT (set_nonce); set_nonce (ctx, nonce->length, nonce->data); } else aead->set_nonce(ctx, nonce->data); if (authtext->length) aead->update(ctx, authtext->length, authtext->data); if (length) aead->decrypt(ctx, length, data, data); aead->digest(ctx, digest->length, buffer); ASSERT(MEMEQ(length, data, cleartext->data)); ASSERT(MEMEQ(digest->length, buffer, digest->data)); free(ctx); free(data); free(buffer); } void test_hash(const struct nettle_hash *hash, const struct tstring *msg, const struct tstring *digest) { void *ctx = xalloc(hash->context_size); uint8_t *buffer = xalloc(hash->digest_size); uint8_t *input; unsigned offset; ASSERT (digest->length == hash->digest_size); hash->init(ctx); hash->update(ctx, msg->length, msg->data); hash->digest(ctx, hash->digest_size, buffer); if (MEMEQ(hash->digest_size, digest->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(hash->digest_size, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(hash->digest_size, digest->data); abort(); } memset(buffer, 0, hash->digest_size); hash->update(ctx, msg->length, msg->data); hash->digest(ctx, hash->digest_size - 1, buffer); ASSERT(MEMEQ(hash->digest_size - 1, digest->data, buffer)); ASSERT(buffer[hash->digest_size - 1] == 0); input = xalloc (msg->length + 16); for (offset = 0; offset < 16; offset++) { memset (input, 0, msg->length + 16); memcpy (input + offset, msg->data, msg->length); hash->update (ctx, msg->length, input + offset); hash->digest (ctx, hash->digest_size, buffer); if (MEMEQ(hash->digest_size, digest->data, buffer) == 0) { fprintf(stdout, "hash input address: %p\nGot:\n", input + offset); print_hex(hash->digest_size, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(hash->digest_size, digest->data); abort(); } } free(ctx); free(buffer); free(input); } void test_hash_large(const struct nettle_hash *hash, size_t count, size_t length, uint8_t c, const struct tstring *digest) { void *ctx = xalloc(hash->context_size); uint8_t *buffer = xalloc(hash->digest_size); uint8_t *data = xalloc(length); size_t i; ASSERT (digest->length == hash->digest_size); memset(data, c, length); hash->init(ctx); for (i = 0; i < count; i++) { hash->update(ctx, length, data); if (i % (count / 50) == 0) fprintf (stderr, "."); } fprintf (stderr, "\n"); hash->digest(ctx, hash->digest_size, buffer); print_hex(hash->digest_size, buffer); ASSERT (MEMEQ(hash->digest_size, digest->data, buffer)); free(ctx); free(buffer); free(data); } void test_armor(const struct nettle_armor *armor, size_t data_length, const uint8_t *data, const char *ascii) { size_t ascii_length = strlen(ascii); char *buffer = xalloc(1 + ascii_length); uint8_t *check = xalloc(1 + armor->decode_length(ascii_length)); void *encode = xalloc(armor->encode_context_size); void *decode = xalloc(armor->decode_context_size); size_t done; ASSERT(ascii_length <= (armor->encode_length(data_length) + armor->encode_final_length)); ASSERT(data_length <= armor->decode_length(ascii_length)); memset(buffer, 0x33, 1 + ascii_length); memset(check, 0x55, 1 + data_length); armor->encode_init(encode); done = armor->encode_update(encode, buffer, data_length, data); done += armor->encode_final(encode, buffer + done); ASSERT(done == ascii_length); ASSERT (MEMEQ(ascii_length, buffer, ascii)); ASSERT (0x33 == buffer[strlen(ascii)]); armor->decode_init(decode); done = armor->decode_length(ascii_length); ASSERT(armor->decode_update(decode, &done, check, ascii_length, buffer)); ASSERT(done == data_length); ASSERT(armor->decode_final(decode)); ASSERT (MEMEQ(data_length, check, data)); ASSERT (0x55 == check[data_length]); free(buffer); free(check); free(encode); free(decode); } #if WITH_HOGWEED #ifndef mpn_zero_p int mpn_zero_p (mp_srcptr ap, mp_size_t n) { while (--n >= 0) { if (ap[n] != 0) return 0; } return 1; } #endif void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn) { mpz_t x; mpz_out_str (f, base, mpz_roinit_n (x, xp, xn)); } #if NETTLE_USE_MINI_GMP void gmp_randinit_default (struct knuth_lfib_ctx *ctx) { knuth_lfib_init (ctx, 17); } void mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits) { size_t bytes = (bits+7)/8; uint8_t *buf = xalloc (bytes); knuth_lfib_random (ctx, bytes, buf); buf[0] &= 0xff >> (8*bytes - bits); nettle_mpz_set_str_256_u (r, bytes, buf); free (buf); } #endif /* NETTLE_USE_MINI_GMP */ mp_limb_t * xalloc_limbs (mp_size_t n) { return xalloc (n * sizeof (mp_limb_t)); } /* Expects local variables pub, key, rstate, digest, signature */ #define SIGN(hash, msg, expected) do { \ hash##_update(&hash, LDATA(msg)); \ ASSERT(rsa_##hash##_sign(key, &hash, signature)); \ if (verbose) \ { \ fprintf(stderr, "rsa-%s signature: ", #hash); \ mpz_out_str(stderr, 16, signature); \ fprintf(stderr, "\n"); \ } \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ hash##_update(&hash, LDATA(msg)); \ ASSERT(rsa_##hash##_sign_tr(pub, key, &rstate, \ (nettle_random_func *) knuth_lfib_random, \ &hash, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ hash##_update(&hash, LDATA(msg)); \ hash##_digest(&hash, sizeof(digest), digest); \ ASSERT(rsa_##hash##_sign_digest(key, digest, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ ASSERT(rsa_##hash##_sign_digest_tr(pub, key, &rstate, \ (nettle_random_func *)knuth_lfib_random, \ digest, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ } while(0) #define VERIFY(key, hash, msg, signature) ( \ hash##_update(&hash, LDATA(msg)), \ rsa_##hash##_verify(key, &hash, signature) \ ) void test_rsa_set_key_1(struct rsa_public_key *pub, struct rsa_private_key *key) { /* Initialize key pair for test programs */ /* 1000-bit key, generated by * * lsh-keygen -a rsa -l 1000 -f advanced-hex * * (private-key (rsa-pkcs1 * (n #69abd505285af665 36ddc7c8f027e6f0 ed435d6748b16088 * 4fd60842b3a8d7fb bd8a3c98f0cc50ae 4f6a9f7dd73122cc * ec8afa3f77134406 f53721973115fc2d 8cfbba23b145f28d * 84f81d3b6ae8ce1e 2850580c026e809b cfbb52566ea3a3b3 * df7edf52971872a7 e35c1451b8636d22 279a8fb299368238 * e545fbb4cf#) * (e #0db2ad57#) * (d #3240a56f4cd0dcc2 4a413eb4ea545259 5c83d771a1c2ba7b * ec47c5b43eb4b374 09bd2aa1e236dd86 481eb1768811412f * f8d91be3545912af b55c014cb55ceac6 54216af3b85d5c4f * 4a32894e3b5dfcde 5b2875aa4dc8d9a8 6afd0ca92ef50d35 * bd09f1c47efb4c8d c631e07698d362aa 4a83fd304e66d6c5 * 468863c307#) * (p #0a66399919be4b4d e5a78c5ea5c85bf9 aba8c013cb4a8732 * 14557a12bd67711e bb4073fd39ad9a86 f4e80253ad809e5b * f2fad3bc37f6f013 273c9552c9f489#) * (q #0a294f069f118625 f5eae2538db9338c 776a298eae953329 * 9fd1eed4eba04e82 b2593bc98ba8db27 de034da7daaea795 * 2d55b07b5f9a5875 d1ca5f6dcab897#) * (a #011b6c48eb592eee e85d1bb35cfb6e07 344ea0b5e5f03a28 * 5b405396cbc78c5c 868e961db160ba8d 4b984250930cf79a * 1bf8a9f28963de53 128aa7d690eb87#) * (b #0409ecf3d2557c88 214f1af5e1f17853 d8b2d63782fa5628 * 60cf579b0833b7ff 5c0529f2a97c6452 2fa1a8878a9635ab * ce56debf431bdec2 70b308fa5bf387#) * (c #04e103ee925cb5e6 6653949fa5e1a462 c9e65e1adcd60058 * e2df9607cee95fa8 daec7a389a7d9afc 8dd21fef9d83805a * 40d46f49676a2f6b 2926f70c572c00#))) */ mpz_set_str(pub->n, "69abd505285af665" "36ddc7c8f027e6f0" "ed435d6748b16088" "4fd60842b3a8d7fb" "bd8a3c98f0cc50ae" "4f6a9f7dd73122cc" "ec8afa3f77134406" "f53721973115fc2d" "8cfbba23b145f28d" "84f81d3b6ae8ce1e" "2850580c026e809b" "cfbb52566ea3a3b3" "df7edf52971872a7" "e35c1451b8636d22" "279a8fb299368238" "e545fbb4cf", 16); mpz_set_str(pub->e, "0db2ad57", 16); ASSERT (rsa_public_key_prepare(pub)); /* d is not used */ #if 0 mpz_set_str(key->d, "3240a56f4cd0dcc2" "4a413eb4ea545259" "5c83d771a1c2ba7b" "ec47c5b43eb4b374" "09bd2aa1e236dd86" "481eb1768811412f" "f8d91be3545912af" "b55c014cb55ceac6" "54216af3b85d5c4f" "4a32894e3b5dfcde" "5b2875aa4dc8d9a8" "6afd0ca92ef50d35" "bd09f1c47efb4c8d" "c631e07698d362aa" "4a83fd304e66d6c5" "468863c307", 16); #endif mpz_set_str(key->p, "0a66399919be4b4d" "e5a78c5ea5c85bf9" "aba8c013cb4a8732" "14557a12bd67711e" "bb4073fd39ad9a86" "f4e80253ad809e5b" "f2fad3bc37f6f013" "273c9552c9f489", 16); mpz_set_str(key->q, "0a294f069f118625" "f5eae2538db9338c" "776a298eae953329" "9fd1eed4eba04e82" "b2593bc98ba8db27" "de034da7daaea795" "2d55b07b5f9a5875" "d1ca5f6dcab897", 16); mpz_set_str(key->a, "011b6c48eb592eee" "e85d1bb35cfb6e07" "344ea0b5e5f03a28" "5b405396cbc78c5c" "868e961db160ba8d" "4b984250930cf79a" "1bf8a9f28963de53" "128aa7d690eb87", 16); mpz_set_str(key->b, "0409ecf3d2557c88" "214f1af5e1f17853" "d8b2d63782fa5628" "60cf579b0833b7ff" "5c0529f2a97c6452" "2fa1a8878a9635ab" "ce56debf431bdec2" "70b308fa5bf387", 16); mpz_set_str(key->c, "04e103ee925cb5e6" "6653949fa5e1a462" "c9e65e1adcd60058" "e2df9607cee95fa8" "daec7a389a7d9afc" "8dd21fef9d83805a" "40d46f49676a2f6b" "2926f70c572c00", 16); ASSERT (rsa_private_key_prepare(key)); ASSERT (pub->size == key->size); } void test_rsa_md5(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct md5_ctx md5; struct knuth_lfib_ctx rstate; uint8_t digest[MD5_DIGEST_SIZE]; mpz_t signature; md5_init(&md5); mpz_init(signature); knuth_lfib_init (&rstate, 15); SIGN(md5, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, md5, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, md5, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, md5, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha1(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha1_ctx sha1; struct knuth_lfib_ctx rstate; uint8_t digest[SHA1_DIGEST_SIZE]; mpz_t signature; sha1_init(&sha1); mpz_init(signature); knuth_lfib_init (&rstate, 16); SIGN(sha1, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha1, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha1, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha1, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha256(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha256_ctx sha256; struct knuth_lfib_ctx rstate; uint8_t digest[SHA256_DIGEST_SIZE]; mpz_t signature; sha256_init(&sha256); mpz_init(signature); knuth_lfib_init (&rstate, 17); SIGN(sha256, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha256, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha256, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha256, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha512(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha512_ctx sha512; struct knuth_lfib_ctx rstate; uint8_t digest[SHA512_DIGEST_SIZE]; mpz_t signature; sha512_init(&sha512); mpz_init(signature); knuth_lfib_init (&rstate, 18); SIGN(sha512, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha512, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha512, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha512, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } #undef SIGN #undef VERIFY void test_rsa_key(struct rsa_public_key *pub, struct rsa_private_key *key) { mpz_t tmp; mpz_t phi; mpz_init(tmp); mpz_init(phi); if (verbose) { /* FIXME: Use gmp_printf */ fprintf(stderr, "Public key: n="); mpz_out_str(stderr, 16, pub->n); fprintf(stderr, "\n e="); mpz_out_str(stderr, 16, pub->e); fprintf(stderr, "\n\nPrivate key: d="); mpz_out_str(stderr, 16, key->d); fprintf(stderr, "\n p="); mpz_out_str(stderr, 16, key->p); fprintf(stderr, "\n q="); mpz_out_str(stderr, 16, key->q); fprintf(stderr, "\n a="); mpz_out_str(stderr, 16, key->a); fprintf(stderr, "\n b="); mpz_out_str(stderr, 16, key->b); fprintf(stderr, "\n c="); mpz_out_str(stderr, 16, key->c); fprintf(stderr, "\n\n"); } /* Check n = p q */ mpz_mul(tmp, key->p, key->q); ASSERT (mpz_cmp(tmp, pub->n)== 0); /* Check c q = 1 mod p */ mpz_mul(tmp, key->c, key->q); mpz_fdiv_r(tmp, tmp, key->p); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check ed = 1 (mod phi) */ mpz_sub_ui(phi, key->p, 1); mpz_sub_ui(tmp, key->q, 1); mpz_mul(phi, phi, tmp); mpz_mul(tmp, pub->e, key->d); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check a e = 1 (mod (p-1) ) */ mpz_sub_ui(phi, key->p, 1); mpz_mul(tmp, pub->e, key->a); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check b e = 1 (mod (q-1) ) */ mpz_sub_ui(phi, key->q, 1); mpz_mul(tmp, pub->e, key->b); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); mpz_clear(tmp); mpz_clear(phi); } /* Requires that the context is named like the hash algorithm. */ #define DSA_VERIFY(key, hash, msg, signature) \ (hash##_update(&hash, LDATA(msg)), \ dsa_##hash##_verify(key, &hash, signature)) void test_dsa160(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected) { struct sha1_ctx sha1; struct dsa_signature signature; struct knuth_lfib_ctx lfib; sha1_init(&sha1); dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); sha1_update(&sha1, LDATA("The magic words are squeamish ossifrage")); ASSERT (dsa_sha1_sign(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, &sha1, &signature)); if (verbose) { fprintf(stderr, "dsa160 signature: "); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try bad data */ ASSERT (!DSA_VERIFY(pub, sha1, "The magick words are squeamish ossifrage", &signature)); /* Try correct data */ ASSERT (DSA_VERIFY(pub, sha1, "The magic words are squeamish ossifrage", &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!DSA_VERIFY(pub, sha1, "The magic words are squeamish ossifrage", &signature)); dsa_signature_clear(&signature); } void test_dsa256(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected) { struct sha256_ctx sha256; struct dsa_signature signature; struct knuth_lfib_ctx lfib; sha256_init(&sha256); dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); sha256_update(&sha256, LDATA("The magic words are squeamish ossifrage")); ASSERT (dsa_sha256_sign(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, &sha256, &signature)); if (verbose) { fprintf(stderr, "dsa256 signature: "); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try bad data */ ASSERT (!DSA_VERIFY(pub, sha256, "The magick words are squeamish ossifrage", &signature)); /* Try correct data */ ASSERT (DSA_VERIFY(pub, sha256, "The magic words are squeamish ossifrage", &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!DSA_VERIFY(pub, sha256, "The magic words are squeamish ossifrage", &signature)); dsa_signature_clear(&signature); } #if 0 void test_dsa_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct nettle_hash *hash, const struct dsa_signature *expected) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); uint8_t *bad_digest = xalloc (hash->digest_size); struct dsa_signature signature; struct knuth_lfib_ctx lfib; dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); hash->init(ctx); hash->update(ctx, LDATA("The magic words are squeamish ossifrage")); hash->digest(ctx, hash->digest_size, digest); ASSERT (dsa_sign(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, hash->digest_size, digest, &signature)); if (verbose) { fprintf(stderr, "dsa-%s signature: ", hash->name); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try correct data */ ASSERT (dsa_verify(pub, hash->digest_size, digest, &signature)); /* Try bad data */ hash->update(ctx, LDATA("The magick words are squeamish ossifrage")); hash->digest(ctx, hash->digest_size, bad_digest); ASSERT (!dsa_verify(pub, hash->digest_size, bad_digest, &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!dsa_verify(pub, hash->digest_size, digest, &signature)); free (ctx); free (digest); free (bad_digest); dsa_signature_clear(&signature); } #endif void test_dsa_verify(const struct dsa_params *params, const mpz_t pub, const struct nettle_hash *hash, struct tstring *msg, const struct dsa_signature *ref) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); struct dsa_signature signature; dsa_signature_init (&signature); hash->init(ctx); hash->update (ctx, msg->length, msg->data); hash->digest (ctx, hash->digest_size, digest); mpz_set (signature.r, ref->r); mpz_set (signature.s, ref->s); ASSERT (dsa_verify (params, pub, hash->digest_size, digest, &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!dsa_verify (params, pub, hash->digest_size, digest, &signature)); /* Try bad data */ digest[hash->digest_size / 2-1] ^= 8; ASSERT (!dsa_verify (params, pub, hash->digest_size, digest, ref)); free (ctx); free (digest); dsa_signature_clear(&signature); } void test_dsa_key(const struct dsa_params *params, const mpz_t pub, const mpz_t key, unsigned q_size) { mpz_t t; mpz_init(t); ASSERT(mpz_sizeinbase(params->q, 2) == q_size); ASSERT(mpz_sizeinbase(params->p, 2) >= DSA_SHA1_MIN_P_BITS); ASSERT(mpz_probab_prime_p(params->p, 10)); ASSERT(mpz_probab_prime_p(params->q, 10)); mpz_fdiv_r(t, params->p, params->q); ASSERT(0 == mpz_cmp_ui(t, 1)); ASSERT(mpz_cmp_ui(params->g, 1) > 0); mpz_powm(t, params->g, params->q, params->p); ASSERT(0 == mpz_cmp_ui(t, 1)); mpz_powm(t, params->g, key, params->p); ASSERT(0 == mpz_cmp(t, pub)); mpz_clear(t); } const struct ecc_curve * const ecc_curves[] = { &nettle_secp_192r1, &nettle_secp_224r1, &nettle_secp_256r1, &nettle_secp_384r1, &nettle_secp_521r1, &_nettle_curve25519, NULL }; static int test_mpn (const char *ref, const mp_limb_t *xp, mp_size_t n) { mpz_t r; int res; mpz_init_set_str (r, ref, 16); while (n > 0 && xp[n-1] == 0) n--; res = (mpz_limbs_cmp (r, xp, n) == 0); mpz_clear (r); return res; } void write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n) { mpz_t t; mpz_out_str (f, base, mpz_roinit_n (t,xp, n)); } void test_ecc_point (const struct ecc_curve *ecc, const struct ecc_ref_point *ref, const mp_limb_t *p) { if (! (test_mpn (ref->x, p, ecc->p.size) && test_mpn (ref->y, p + ecc->p.size, ecc->p.size) )) { fprintf (stderr, "Incorrect point!\n" "got: x = "); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); fprintf (stderr, "\n" "ref: x = %s\n" " y = %s\n", ref->x, ref->y); abort(); } } void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) { /* For each curve, the points 2 g, 3 g and 4 g */ static const struct ecc_ref_point ref[6][3] = { { { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" }, { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd" }, { "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32" } }, { { "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb" }, { "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925" }, { "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9" }, }, { { "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1" }, { "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032" }, { "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6" }, }, { { "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e" "4fe0e86ebe0e64f85b96a9c75295df61", "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab425" "5ffd43e94d39e22d61501e700a940e80" }, { "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6" "b408bbae5026580d02d7e5c70500c831", "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eac" "c24abd6be4b5d298b65f28600a2f1df1" }, { "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d" "1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dc" "ed7387be37bba569549f1c02b270ed67" }, }, { { "43" "3c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97" "b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "f4" "bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbb" "b3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02" }, { "1a7" "3d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1" "ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", "13e" "9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec" "2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5" }, { "35" "b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac" "8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82" "096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f2" "79f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d" }, }, { { "36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e", "2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9" }, { "67ae9c4a22928f491ff4ae743edac83a6343981981624886ac62485fd3f8e25c", "1267b1d177ee69aba126a18e60269ef79f16ec176724030402c3684878f5b4d4" }, { "203da8db56cff1468325d4b87a3520f91a739ec193ce1547493aa657c4c9f870", "47d0e827cb1595e1470eb88580d5716c4cf22832ea2f0ff0df38ab61ca32112f" }, } }; assert (curve < 6); assert (n <= 4); if (n == 0) { /* Makes sense for curve25519 only */ const struct ecc_curve *ecc = ecc_curves[curve]; assert (ecc->p.bit_size == 255); if (!mpn_zero_p (p, ecc->p.size) || mpn_cmp (p + ecc->p.size, ecc->unit, ecc->p.size) != 0) { fprintf (stderr, "Incorrect point (expected (0, 1))!\n" "got: x = "); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); fprintf (stderr, "\n"); abort(); } } else if (n == 1) { const struct ecc_curve *ecc = ecc_curves[curve]; if (mpn_cmp (p, ecc->g, 2*ecc->p.size) != 0) { fprintf (stderr, "Incorrect point (expected g)!\n" "got: x = "); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); fprintf (stderr, "\n" "ref: x = "); write_mpn (stderr, 16, ecc->g, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, ecc->g + ecc->p.size, ecc->p.size); fprintf (stderr, "\n"); abort(); } } else test_ecc_point (ecc_curves[curve], &ref[curve][n-2], p); } void test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p) { const struct ecc_curve *ecc = ecc_curves[curve]; mp_limb_t *np = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->h_to_a_itch); ecc->h_to_a (ecc, 0, np, p, scratch); test_ecc_mul_a (curve, n, np); free (np); free (scratch); } #endif /* WITH_HOGWEED */ nettle-3.4.1/bignum.h0000644000175000017500000000715313401564746013510 0ustar nissenisse/* bignum.h Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BIGNUM_H_INCLUDED #define NETTLE_BIGNUM_H_INCLUDED #include "nettle-meta.h" #include "nettle-types.h" /* For NETTLE_USE_MINI_GMP */ #include "version.h" #if NETTLE_USE_MINI_GMP # include "mini-gmp.h" # define GMP_NUMB_MASK (~(mp_limb_t) 0) /* Function missing in older gmp versions, and checked for with ifdef */ # define mpz_limbs_read mpz_limbs_read /* Side-channel silent powm not available in mini-gmp. */ # define mpz_powm_sec mpz_powm #else # include #endif #ifdef __cplusplus extern "C" { #endif /* Size needed for signed encoding, including extra sign byte if * necessary. */ size_t nettle_mpz_sizeinbase_256_s(const mpz_t x); /* Size needed for unsigned encoding */ size_t nettle_mpz_sizeinbase_256_u(const mpz_t x); /* Writes an integer as length octets, using big endian byte order, * and two's complement for negative numbers. */ void nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x); /* Reads a big endian, two's complement, integer. */ void nettle_mpz_set_str_256_s(mpz_t x, size_t length, const uint8_t *s); void nettle_mpz_init_set_str_256_s(mpz_t x, size_t length, const uint8_t *s); /* Similar, but for unsigned format. These function don't interpret * the most significant bit as the sign. */ void nettle_mpz_set_str_256_u(mpz_t x, size_t length, const uint8_t *s); void nettle_mpz_init_set_str_256_u(mpz_t x, size_t length, const uint8_t *s); /* Returns a uniformly distributed random number 0 <= x < 2^n */ void nettle_mpz_random_size(mpz_t x, void *ctx, nettle_random_func *random, unsigned bits); /* Returns a number x, almost uniformly random in the range * 0 <= x < n. */ void nettle_mpz_random(mpz_t x, void *ctx, nettle_random_func *random, const mpz_t n); void nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress); void _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, const mpz_t p0, const mpz_t q, const mpz_t p0q); /* sexp parsing */ struct sexp_iterator; /* If LIMIT is non-zero, the number must be at most LIMIT bits. * Implies sexp_iterator_next. */ int nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i); /* der parsing */ struct asn1_der_iterator; int nettle_asn1_der_get_bignum(struct asn1_der_iterator *iterator, mpz_t x, unsigned max_bits); #ifdef __cplusplus } #endif #endif /* NETTLE_BIGNUM_H_INCLUDED */ nettle-3.4.1/hkdf.c0000644000175000017500000000411613401564745013131 0ustar nissenisse/* hkdf.c Copyright (C) 2017 Red Hat, Inc. Author: Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Functions for the HKDF handling. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hkdf.h" /* hkdf_extract: Outputs a PRK of digest_size */ void hkdf_extract(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t secret_size, const uint8_t *secret, uint8_t *dst) { update(mac_ctx, secret_size, secret); digest(mac_ctx, digest_size, dst); } /* hkdf_expand: Outputs an arbitrary key of size specified by length */ void hkdf_expand(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) { uint8_t i = 1; if (!length) return; for (;; dst += digest_size, length -= digest_size, i++) { update(mac_ctx, info_size, info); update(mac_ctx, 1, &i); if (length <= digest_size) break; digest(mac_ctx, digest_size, dst); update(mac_ctx, digest_size, dst); } digest(mac_ctx, length, dst); } nettle-3.4.1/md4-meta.c0000644000175000017500000000222213401564745013621 0ustar nissenisse/* md4-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md4.h" const struct nettle_hash nettle_md4 = _NETTLE_HASH(md4, MD4); nettle-3.4.1/aes256-set-decrypt-key.c0000644000175000017500000000262613401564745016255 0ustar nissenisse/* aes256-set-decrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" void aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src) { _aes_invert (_AES256_ROUNDS, dst->keys, src->keys); } void aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key (ctx, key); aes256_invert_key (ctx, ctx); } nettle-3.4.1/sexp2rsa.c0000644000175000017500000000542713401564746013773 0ustar nissenisse/* sexp2rsa.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "sexp.h" #define GET(x, l, v) \ do { \ if (!nettle_mpz_set_sexp((x), (l), (v)) \ || mpz_sgn(x) <= 0) \ return 0; \ } while(0) /* Iterator should point past the algorithm tag, e.g. * * (public-key (rsa (n |xxxx|) (e |xxxx|)) * ^ here */ int rsa_keypair_from_sexp_alist(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct sexp_iterator *i) { static const char * const names[8] = { "n", "e", "d", "p", "q", "a", "b", "c" }; struct sexp_iterator values[8]; unsigned nvalues = priv ? 8 : 2; if (!sexp_iterator_assoc(i, nvalues, names, values)) return 0; if (priv) { GET(priv->d, limit, &values[2]); GET(priv->p, limit, &values[3]); GET(priv->q, limit, &values[4]); GET(priv->a, limit, &values[5]); GET(priv->b, limit, &values[6]); GET(priv->c, limit, &values[7]); if (!rsa_private_key_prepare(priv)) return 0; } if (pub) { GET(pub->n, limit, &values[0]); GET(pub->e, limit, &values[1]); if (!rsa_public_key_prepare(pub)) return 0; } return 1; } int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *expr) { struct sexp_iterator i; static const char * const names[3] = { "rsa", "rsa-pkcs1", "rsa-pkcs1-sha1" }; if (!sexp_iterator_first(&i, length, expr)) return 0; if (!sexp_iterator_check_type(&i, priv ? "private-key" : "public-key")) return 0; if (!sexp_iterator_check_types(&i, 3, names)) return 0; return rsa_keypair_from_sexp_alist(pub, priv, limit, &i); } nettle-3.4.1/yarrow256.c0000644000175000017500000002170713401564745014002 0ustar nissenisse/* yarrow256.c The yarrow pseudo-randomness generator. Copyright (C) 2001, 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "yarrow.h" #include "macros.h" #ifndef YARROW_DEBUG #define YARROW_DEBUG 0 #endif #if YARROW_DEBUG #include #endif /* Parameters */ /* An upper limit on the entropy (in bits) in one octet of sample * data. */ #define YARROW_MULTIPLIER 4 /* Entropy threshold for reseeding from the fast pool */ #define YARROW_FAST_THRESHOLD 100 /* Entropy threshold for reseeding from the fast pool */ #define YARROW_SLOW_THRESHOLD 160 /* Number of sources that must exceed the threshold for slow reseed */ #define YARROW_SLOW_K 2 /* The number of iterations when reseeding, P_t in the yarrow paper. * Should be chosen so that reseeding takes on the order of 0.1-1 * seconds. */ #define YARROW_RESEED_ITERATIONS 1500 /* Entropy estimates sticks to this value, it is treated as infinity * in calculations. It should fit comfortably in an uint32_t, to avoid * overflows. */ #define YARROW_MAX_ENTROPY 0x100000 /* Forward declarations */ static void yarrow_gate(struct yarrow256_ctx *ctx); void yarrow256_init(struct yarrow256_ctx *ctx, unsigned n, struct yarrow_source *s) { unsigned i; sha256_init(&ctx->pools[0]); sha256_init(&ctx->pools[1]); ctx->seeded = 0; /* Not strictly necessary, but it makes it easier to see if the * values are sane. */ memset(ctx->counter, 0, sizeof(ctx->counter)); ctx->nsources = n; ctx->sources = s; for (i = 0; isources[i].estimate[YARROW_FAST] = 0; ctx->sources[i].estimate[YARROW_SLOW] = 0; ctx->sources[i].next = YARROW_FAST; } } void yarrow256_seed(struct yarrow256_ctx *ctx, size_t length, const uint8_t *seed_file) { assert(length > 0); sha256_update(&ctx->pools[YARROW_FAST], length, seed_file); yarrow256_fast_reseed(ctx); } /* FIXME: Generalize so that it generates a few more blocks at a * time. */ static void yarrow_generate_block(struct yarrow256_ctx *ctx, uint8_t *block) { unsigned i; aes256_encrypt(&ctx->key, sizeof(ctx->counter), block, ctx->counter); /* Increment counter, treating it as a big-endian number. This is * machine independent, and follows appendix B of the NIST * specification of cipher modes of operation. * * We could keep a representation of the counter as 4 32-bit values, * and write entire words (in big-endian byteorder) into the counter * block, whenever they change. */ for (i = sizeof(ctx->counter); i--; ) { if (++ctx->counter[i]) break; } } static void yarrow_iterate(uint8_t *digest) { uint8_t v0[SHA256_DIGEST_SIZE]; unsigned i; memcpy(v0, digest, SHA256_DIGEST_SIZE); /* When hashed inside the loop, i should run from 1 to * YARROW_RESEED_ITERATIONS */ for (i = 0; ++i < YARROW_RESEED_ITERATIONS; ) { uint8_t count[4]; struct sha256_ctx hash; sha256_init(&hash); /* Hash v_i | v_0 | i */ WRITE_UINT32(count, i); sha256_update(&hash, SHA256_DIGEST_SIZE, digest); sha256_update(&hash, sizeof(v0), v0); sha256_update(&hash, sizeof(count), count); sha256_digest(&hash, SHA256_DIGEST_SIZE, digest); } } /* NOTE: The SHA-256 digest size equals the AES key size, so we need * no "size adaptor". */ void yarrow256_fast_reseed(struct yarrow256_ctx *ctx) { uint8_t digest[SHA256_DIGEST_SIZE]; unsigned i; #if YARROW_DEBUG fprintf(stderr, "yarrow256_fast_reseed\n"); #endif /* We feed two block of output using the current key into the pool * before emptying it. */ if (ctx->seeded) { uint8_t blocks[AES_BLOCK_SIZE * 2]; yarrow_generate_block(ctx, blocks); yarrow_generate_block(ctx, blocks + AES_BLOCK_SIZE); sha256_update(&ctx->pools[YARROW_FAST], sizeof(blocks), blocks); } sha256_digest(&ctx->pools[YARROW_FAST], sizeof(digest), digest); /* Iterate */ yarrow_iterate(digest); aes256_set_encrypt_key(&ctx->key, digest); ctx->seeded = 1; /* Derive new counter value */ memset(ctx->counter, 0, sizeof(ctx->counter)); aes256_encrypt(&ctx->key, sizeof(ctx->counter), ctx->counter, ctx->counter); /* Reset estimates. */ for (i = 0; insources; i++) ctx->sources[i].estimate[YARROW_FAST] = 0; } void yarrow256_slow_reseed(struct yarrow256_ctx *ctx) { uint8_t digest[SHA256_DIGEST_SIZE]; unsigned i; #if YARROW_DEBUG fprintf(stderr, "yarrow256_slow_reseed\n"); #endif /* Get digest of the slow pool*/ sha256_digest(&ctx->pools[YARROW_SLOW], sizeof(digest), digest); /* Feed it into the fast pool */ sha256_update(&ctx->pools[YARROW_FAST], sizeof(digest), digest); yarrow256_fast_reseed(ctx); /* Reset estimates. */ for (i = 0; insources; i++) ctx->sources[i].estimate[YARROW_SLOW] = 0; } int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source_index, unsigned entropy, size_t length, const uint8_t *data) { enum yarrow_pool_id current; struct yarrow_source *source; assert(source_index < ctx->nsources); if (!length) /* Nothing happens */ return 0; source = &ctx->sources[source_index]; if (!ctx->seeded) /* While seeding, use the slow pool */ current = YARROW_SLOW; else { current = source->next; source->next = !source->next; } sha256_update(&ctx->pools[current], length, data); /* NOTE: We should be careful to avoid overflows in the estimates. */ if (source->estimate[current] < YARROW_MAX_ENTROPY) { if (entropy > YARROW_MAX_ENTROPY) entropy = YARROW_MAX_ENTROPY; if ( (length < (YARROW_MAX_ENTROPY / YARROW_MULTIPLIER)) && (entropy > YARROW_MULTIPLIER * length) ) entropy = YARROW_MULTIPLIER * length; entropy += source->estimate[current]; if (entropy > YARROW_MAX_ENTROPY) entropy = YARROW_MAX_ENTROPY; source->estimate[current] = entropy; } /* Check for seed/reseed */ switch(current) { case YARROW_FAST: #if YARROW_DEBUG fprintf(stderr, "yarrow256_update: source_index = %d,\n" " fast pool estimate = %d\n", source_index, source->estimate[YARROW_FAST]); #endif if (source->estimate[YARROW_FAST] >= YARROW_FAST_THRESHOLD) { yarrow256_fast_reseed(ctx); return 1; } else return 0; case YARROW_SLOW: { if (!yarrow256_needed_sources(ctx)) { yarrow256_slow_reseed(ctx); return 1; } else return 0; } default: abort(); } } static void yarrow_gate(struct yarrow256_ctx *ctx) { uint8_t key[AES256_KEY_SIZE]; unsigned i; for (i = 0; i < sizeof(key); i+= AES_BLOCK_SIZE) yarrow_generate_block(ctx, key + i); aes256_set_encrypt_key(&ctx->key, key); } void yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst) { assert(ctx->seeded); while (length >= AES_BLOCK_SIZE) { yarrow_generate_block(ctx, dst); dst += AES_BLOCK_SIZE; length -= AES_BLOCK_SIZE; } if (length) { uint8_t buffer[AES_BLOCK_SIZE]; assert(length < AES_BLOCK_SIZE); yarrow_generate_block(ctx, buffer); memcpy(dst, buffer, length); } yarrow_gate(ctx); } int yarrow256_is_seeded(struct yarrow256_ctx *ctx) { return ctx->seeded; } unsigned yarrow256_needed_sources(struct yarrow256_ctx *ctx) { /* FIXME: This is somewhat inefficient. It would be better to * either maintain the count, or do this loop only if the * current source just crossed the threshold. */ unsigned k, i; for (i = k = 0; i < ctx->nsources; i++) if (ctx->sources[i].estimate[YARROW_SLOW] >= YARROW_SLOW_THRESHOLD) k++; #if YARROW_DEBUG fprintf(stderr, "yarrow256_needed_sources: source_index = %d,\n" " slow pool estimate = %d,\n" " number of sources above threshold = %d\n", source_index, source->estimate[YARROW_SLOW], k); #endif return (k < YARROW_SLOW_K) ? (YARROW_SLOW_K - k) : 0; } nettle-3.4.1/aesdata.c0000644000175000017500000001434613401564746013626 0ustar nissenisse#include #include #include #include #if 1 # define BYTE_FORMAT "0x%02x" # define BYTE_COLUMNS 8 #else # define BYTE_FORMAT "%3d" # define BYTE_COLUMNS 0x10 #endif #define WORD_FORMAT "0x%08lx" #define WORD_COLUMNS 4 unsigned char sbox[0x100]; unsigned char isbox[0x100]; unsigned char gf2_log[0x100]; unsigned char gf2_exp[0x100]; unsigned long dtable[4][0x100]; unsigned long itable[4][0x100]; unsigned long mtable[4][0x100]; static unsigned xtime(unsigned x) { assert (x < 0x100); x <<= 1; if (x & 0x100) x ^= 0x11b; assert (x < 0x100); return x; } /* Computes the exponentiatiom and logarithm tables for GF_2, to the * base x+1 (0x03). The unit element is 1 (0x01).*/ static void compute_log(void) { unsigned i = 0; unsigned x = 1; memset(gf2_log, 0, 0x100); for (i = 0; i < 0x100; i++, x = x ^ xtime(x)) { gf2_exp[i] = x; gf2_log[x] = i; } /* Invalid. */ gf2_log[0] = 0; /* The loop above sets gf2_log[1] = 0xff, which is correct, * but gf2_log[1] = 0 is nicer. */ gf2_log[1] = 0; } static unsigned mult(unsigned a, unsigned b) { return (a && b) ? gf2_exp[ (gf2_log[a] + gf2_log[b]) % 255] : 0; } static unsigned invert(unsigned x) { return x ? gf2_exp[0xff - gf2_log[x]] : 0; } static unsigned affine(unsigned x) { return 0xff & (0x63^x^(x>>4)^(x<<4)^(x>>5)^(x<<3)^(x>>6)^(x<<2)^(x>>7)^(x<<1)); } static void compute_sbox(void) { unsigned i; for (i = 0; i<0x100; i++) { sbox[i] = affine(invert(i)); isbox[sbox[i]] = i; } } /* Generate little endian tables, i.e. the first row of the AES state * arrays occupies the least significant byte of the words. * * The sbox values are multiplied with the column of GF2 coefficients * of the polynomial 03 x^3 + x^2 + x + 02. */ static void compute_dtable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned s = sbox[i]; unsigned j; unsigned long t =( ( (s ^ xtime(s)) << 24) | (s << 16) | (s << 8) | xtime(s) ); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) dtable[j][i] = t; } } /* The inverse sbox values are multiplied with the column of GF2 coefficients * of the polynomial inverse 0b x^3 + 0d x^2 + 09 x + 0e. */ static void compute_itable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned s = isbox[i]; unsigned j; unsigned long t = ( (mult(s, 0xb) << 24) | (mult(s, 0xd) << 16) | (mult(s, 0x9) << 8) | (mult(s, 0xe) )); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) itable[j][i] = t; } } /* Used for key inversion, inverse mix column. No sbox. */ static void compute_mtable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned j; unsigned long t = ( (mult(i, 0xb) << 24) | (mult(i, 0xd) << 16) | (mult(i, 0x9) << 8) | (mult(i, 0xe) )); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) mtable[j][i] = t; } } static void display_byte_table(const char *name, unsigned char *table) { unsigned i, j; printf("uint8_t %s[0x100] =\n{", name); for (i = 0; i<0x100; i+= BYTE_COLUMNS) { printf("\n "); for (j = 0; j #include #include #include #include "nettle-types.h" #include "aes-internal.h" #include "memxor.h" #include "fat-setup.h" void _nettle_cpuid (uint32_t input, uint32_t regs[4]); struct x86_features { enum x86_vendor { X86_OTHER, X86_INTEL, X86_AMD } vendor; int have_aesni; }; #define SKIP(s, slen, literal, llen) \ (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ ? ((slen) -= (llen), (s) += (llen), 1) : 0) #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_x86_features (struct x86_features *features) { const char *s; features->vendor = X86_OTHER; features->have_aesni = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (SKIP (s, length, "vendor:", 7)) { if (MATCH(s, length, "intel", 5)) features->vendor = X86_INTEL; else if (MATCH(s, length, "amd", 3)) features->vendor = X86_AMD; } else if (MATCH (s, length, "aesni", 5)) features->have_aesni = 1; if (!sep) break; s = sep + 1; } else { uint32_t cpuid_data[4]; _nettle_cpuid (0, cpuid_data); if (memcmp (cpuid_data + 1, "Genu" "ntel" "ineI", 12) == 0) features->vendor = X86_INTEL; else if (memcmp (cpuid_data + 1, "Auth" "cAMD" "enti", 12) == 0) features->vendor = X86_AMD; _nettle_cpuid (1, cpuid_data); if (cpuid_data[2] & 0x02000000) features->have_aesni = 1; } } DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, x86_64) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, aesni) DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, x86_64) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, aesni) DECLARE_FAT_FUNC(nettle_memxor, memxor_func) DECLARE_FAT_FUNC_VAR(memxor, memxor_func, x86_64) DECLARE_FAT_FUNC_VAR(memxor, memxor_func, sse2) /* This function should usually be called only once, at startup. But it is idempotent, and on x86, pointer updates are atomic, so there's no danger if it is called simultaneously from multiple threads. */ static void CONSTRUCTOR fat_init (void) { struct x86_features features; int verbose; /* FIXME: Replace all getenv calls by getenv_secure? */ verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: fat library initialization.\n"); get_x86_features (&features); if (verbose) { const char * const vendor_names[3] = { "other", "intel", "amd" }; fprintf (stderr, "libnettle: cpu features: vendor:%s%s\n", vendor_names[features.vendor], features.have_aesni ? ",aesni" : ""); } if (features.have_aesni) { if (verbose) fprintf (stderr, "libnettle: using aes instructions.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_aesni; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_aesni; } else { if (verbose) fprintf (stderr, "libnettle: not using aes instructions.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_x86_64; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_x86_64; } if (features.vendor == X86_INTEL) { if (verbose) fprintf (stderr, "libnettle: intel SSE2 will be used for memxor.\n"); nettle_memxor_vec = _nettle_memxor_sse2; } else { if (verbose) fprintf (stderr, "libnettle: intel SSE2 will not be used for memxor.\n"); nettle_memxor_vec = _nettle_memxor_x86_64; } } DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(nettle_memxor, void *, (void *dst, const void *src, size_t n), (dst, src, n)) nettle-3.4.1/sha3.c0000644000175000017500000000462613401564745013061 0ustar nissenisse/* sha3.c The sha3 hash function. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "macros.h" #include "memxor.h" static void sha3_absorb (struct sha3_state *state, unsigned length, const uint8_t *data) { assert ( (length & 7) == 0); #if WORDS_BIGENDIAN { uint64_t *p; for (p = state->a; length > 0; p++, length -= 8, data += 8) *p ^= LE_READ_UINT64 (data); } #else /* !WORDS_BIGENDIAN */ memxor (state->a, data, length); #endif sha3_permute (state); } unsigned _sha3_update (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, size_t length, const uint8_t *data) { if (pos > 0) { unsigned left = block_size - pos; if (length < left) { memcpy (block + pos, data, length); return pos + length; } else { memcpy (block + pos, data, left); data += left; length -= left; sha3_absorb (state, block_size, block); } } for (; length >= block_size; length -= block_size, data += block_size) sha3_absorb (state, block_size, data); memcpy (block, data, length); return length; } void _sha3_pad (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos) { assert (pos < block_size); block[pos++] = 6; memset (block + pos, 0, block_size - pos); block[block_size - 1] |= 0x80; sha3_absorb (state, block_size, block); } nettle-3.4.1/bignum-random.c0000644000175000017500000000537713401564745014766 0ustar nissenisse/* bignum-random.c Generating big random numbers Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "bignum.h" #include "gmp-glue.h" void nettle_mpz_random_size(mpz_t x, void *ctx, nettle_random_func *random, unsigned bits) { unsigned length = (bits + 7) / 8; TMP_GMP_DECL(data, uint8_t); TMP_GMP_ALLOC(data, length); random(ctx, length, data); nettle_mpz_set_str_256_u(x, length, data); if (bits % 8) mpz_fdiv_r_2exp(x, x, bits); TMP_GMP_FREE(data); } /* Returns a random number x, 0 <= x < n */ void nettle_mpz_random(mpz_t x, void *ctx, nettle_random_func *random, const mpz_t n) { /* NOTE: This leaves some bias, which may be bad for DSA. A better * way might be to generate a random number of mpz_sizeinbase(n, 2) * bits, and loop until one smaller than n is found. */ /* From Daniel Bleichenbacher (via coderpunks): * * There is still a theoretical attack possible with 8 extra bits. * But, the attack would need about 2^66 signatures 2^66 memory and * 2^66 time (if I remember that correctly). Compare that to DSA, * where the attack requires 2^22 signatures 2^40 memory and 2^64 * time. And of course, the numbers above are not a real threat for * PGP. Using 16 extra bits (i.e. generating a 176 bit random number * and reducing it modulo q) will defeat even this theoretical * attack. * * More generally log_2(q)/8 extra bits are enough to defeat my * attack. NIST also plans to update the standard. */ /* Add a few bits extra, to decrease the bias from the final modulo * operation. NIST FIPS 186-3 specifies 64 extra bits, for use with * DSA. */ nettle_mpz_random_size(x, ctx, random, mpz_sizeinbase(n, 2) + 64); mpz_fdiv_r(x, x, n); } nettle-3.4.1/rsa-pkcs1-sign.c0000644000175000017500000000267013401564745014762 0ustar nissenisse/* rsa-pkcs1-sign.c PKCS#1 version 1.5 signatures. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1.h" int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s) { if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.4.1/aes192-meta.c0000644000175000017500000000265513401564745014153 0ustar nissenisse/* aes192-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes192 = { "aes192", sizeof(struct aes192_ctx), AES_BLOCK_SIZE, AES192_KEY_SIZE, (nettle_set_key_func *) aes192_set_encrypt_key, (nettle_set_key_func *) aes192_set_decrypt_key, (nettle_cipher_func *) aes192_encrypt, (nettle_cipher_func *) aes192_decrypt }; nettle-3.4.1/eddsa-expand.c0000644000175000017500000000404313401564746014552 0ustar nissenisse/* eddsa-expand.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "eddsa.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-meta.h" /* Expands a private key, generating the secret scalar K2 and leaving the key K1 for nonce generation, at the end of the digest. */ void _eddsa_expand_key (const struct ecc_curve *ecc, const struct nettle_hash *H, void *ctx, const uint8_t *key, uint8_t *digest, mp_limb_t *k2) { size_t nbytes = 1 + ecc->p.bit_size / 8; assert (H->digest_size >= 2*nbytes); H->init (ctx); H->update (ctx, nbytes, key); H->digest (ctx, 2*nbytes, digest); mpn_set_base256_le (k2, ecc->p.size, digest, nbytes); /* Clear low 3 bits */ k2[0] &= ~(mp_limb_t) 7; /* Set bit number bit_size - 1 (bit 254 for curve25519) */ k2[(ecc->p.bit_size - 1) / GMP_NUMB_BITS] |= (mp_limb_t) 1 << ((ecc->p.bit_size - 1) % GMP_NUMB_BITS); /* Clear any higher bits. */ k2[ecc->p.size - 1] &= ~(mp_limb_t) 0 >> (GMP_NUMB_BITS * ecc->p.size - ecc->p.bit_size); } nettle-3.4.1/chacha-core-internal.c0000644000175000017500000000570513401564745016171 0ustar nissenisse/* chacha-core-internal.c Core functionality of the ChaCha stream cipher. Heavily based on the Salsa20 implementation in Nettle. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: chacha-ref.c version 2008.01.20. D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha.h" #include "macros.h" #ifndef CHACHA_DEBUG # define CHACHA_DEBUG 0 #endif #if CHACHA_DEBUG # include # define DEBUG(i) do { \ unsigned debug_j; \ for (debug_j = 0; debug_j < 16; debug_j++) \ { \ if (debug_j == 0) \ fprintf(stderr, "%2d:", (i)); \ else if (debug_j % 4 == 0) \ fprintf(stderr, "\n "); \ fprintf(stderr, " %8x", x[debug_j]); \ } \ fprintf(stderr, "\n"); \ } while (0) #else # define DEBUG(i) #endif #ifdef WORDS_BIGENDIAN #define LE_SWAP32(v) \ ((ROTL32(8, v) & 0x00FF00FFUL) | \ (ROTL32(24, v) & 0xFF00FF00UL)) #else #define LE_SWAP32(v) (v) #endif #define QROUND(x0, x1, x2, x3) do { \ x0 = x0 + x1; x3 = ROTL32(16, (x0 ^ x3)); \ x2 = x2 + x3; x1 = ROTL32(12, (x1 ^ x2)); \ x0 = x0 + x1; x3 = ROTL32(8, (x0 ^ x3)); \ x2 = x2 + x3; x1 = ROTL32(7, (x1 ^ x2)); \ } while(0) void _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) { uint32_t x[_CHACHA_STATE_LENGTH]; unsigned i; assert ( (rounds & 1) == 0); memcpy (x, src, sizeof(x)); for (i = 0; i < rounds;i += 2) { DEBUG (i); QROUND(x[0], x[4], x[8], x[12]); QROUND(x[1], x[5], x[9], x[13]); QROUND(x[2], x[6], x[10], x[14]); QROUND(x[3], x[7], x[11], x[15]); DEBUG (i+1); QROUND(x[0], x[5], x[10], x[15]); QROUND(x[1], x[6], x[11], x[12]); QROUND(x[2], x[7], x[8], x[13]); QROUND(x[3], x[4], x[9], x[14]); } DEBUG (i); for (i = 0; i < _CHACHA_STATE_LENGTH; i++) { uint32_t t = x[i] + src[i]; dst[i] = LE_SWAP32 (t); } } nettle-3.4.1/salsa20-128-set-key.c0000644000175000017500000000335713401564745015357 0ustar nissenisse/* salsa20-128-set-key.c The Salsa20 stream cipher. Key setup for 256-bit keys. Copyright (C) 2012 Simon Josefsson Copyright (C) 2012-2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key) { ctx->input[11] = ctx->input[1] = LE_READ_UINT32(key + 0); ctx->input[12] = ctx->input[2] = LE_READ_UINT32(key + 4); ctx->input[13] = ctx->input[3] = LE_READ_UINT32(key + 8); ctx->input[14] = ctx->input[4] = LE_READ_UINT32(key + 12); /* "expand 16-byte k" */ ctx->input[0] = 0x61707865; ctx->input[5] = 0x3120646e; ctx->input[10] = 0x79622d36; ctx->input[15] = 0x6b206574; } nettle-3.4.1/base16-meta.c0000644000175000017500000000417713401564745014231 0ustar nissenisse/* base16-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "base16.h" /* Same as the macros with the same name */ static nettle_armor_length_func base16_encode_length; static size_t base16_encode_length(size_t length) { return BASE16_ENCODE_LENGTH(length); } static nettle_armor_length_func base16_decode_length; static size_t base16_decode_length(size_t length) { return BASE16_DECODE_LENGTH(length); } static nettle_armor_init_func base16_encode_init; static void base16_encode_init(void *ctx UNUSED) { } static nettle_armor_encode_update_func base16_encode_update_wrapper; static size_t base16_encode_update_wrapper(void *ctx UNUSED, char *dst, size_t length, const uint8_t *src) { base16_encode_update(dst, length, src); return BASE16_ENCODE_LENGTH(length); } #undef base16_encode_update #define base16_encode_update base16_encode_update_wrapper static nettle_armor_encode_final_func base16_encode_final; static size_t base16_encode_final(void *ctx UNUSED, char *dst UNUSED) { return 0; } #define BASE16_ENCODE_FINAL_LENGTH 0 const struct nettle_armor nettle_base16 = _NETTLE_ARMOR_0(base16, BASE16); nettle-3.4.1/gosthash94.h0000644000175000017500000000644313401564746014225 0ustar nissenisse/* gosthash94.h The GOST R 34.11-94 hash function, described in RFC 5831. Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on rhash gost.h. */ /* Copyright: 2009-2012 Aleksey Kravchenko * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ /* * Ported to nettle by Nikos Mavrogiannopoulos. */ #ifndef NETTLE_GOSTHASH94_H_INCLUDED #define NETTLE_GOSTHASH94_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif #define gosthash94_init nettle_gosthash94_init #define gosthash94_update nettle_gosthash94_update #define gosthash94_digest nettle_gosthash94_digest #define GOSTHASH94_BLOCK_SIZE 32 #define GOSTHASH94_DIGEST_SIZE 32 /* For backwards compatibility */ #define GOSTHASH94_DATA_SIZE GOSTHASH94_BLOCK_SIZE struct gosthash94_ctx { uint32_t hash[8]; /* algorithm 256-bit state */ uint32_t sum[8]; /* sum of processed message blocks */ uint8_t message[GOSTHASH94_BLOCK_SIZE]; /* 256-bit buffer for leftovers */ uint64_t length; /* number of processed bytes */ }; void gosthash94_init(struct gosthash94_ctx *ctx); void gosthash94_update(struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg); void gosthash94_digest(struct gosthash94_ctx *ctx, size_t length, uint8_t *result); #ifdef __cplusplus } #endif #endif /* NETTLE_GOSTHASH94_H_INCLUDED */ nettle-3.4.1/camellia-internal.h0000644000175000017500000001013213401564746015577 0ustar nissenisse/* camellia-internal.h The camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #ifndef NETTLE_CAMELLIA_INTERNAL_H_INCLUDED #define NETTLE_CAMELLIA_INTERNAL_H_INCLUDED #include "camellia.h" /* Name mangling */ #define _camellia_crypt _nettle_camellia_crypt #define _camellia_absorb _nettle_camellia_absorb #define _camellia_invert_key _nettle_camellia_invert_key #define _camellia_table _nettle_camellia_table /* * macros */ /* Destructive rotation of 128 bit values. */ #define ROTL128(bits, xl, xr) do { \ uint64_t __rol128_t = (xl); \ (xl) = ((xl) << (bits)) | ((xr) >> (64 - (bits))); \ (xr) = ((xr) << (bits)) | (__rol128_t >> (64 - (bits))); \ } while (0) struct camellia_table { uint32_t sp1110[256]; uint32_t sp0222[256]; uint32_t sp3033[256]; uint32_t sp4404[256]; }; /* key constants */ #define SIGMA1 0xA09E667F3BCC908BULL #define SIGMA2 0xB67AE8584CAA73B2ULL #define SIGMA3 0xC6EF372FE94F82BEULL #define SIGMA4 0x54FF53A5F1D36F1CULL #define SIGMA5 0x10E527FADE682D1DULL #define SIGMA6 0xB05688C2B3E6C1FDULL #define CAMELLIA_SP1110(INDEX) (_nettle_camellia_table.sp1110[(int)(INDEX)]) #define CAMELLIA_SP0222(INDEX) (_nettle_camellia_table.sp0222[(int)(INDEX)]) #define CAMELLIA_SP3033(INDEX) (_nettle_camellia_table.sp3033[(int)(INDEX)]) #define CAMELLIA_SP4404(INDEX) (_nettle_camellia_table.sp4404[(int)(INDEX)]) #define CAMELLIA_F(x, k, y) do { \ uint32_t __yl, __yr; \ uint64_t __i = (x) ^ (k); \ __yl \ = CAMELLIA_SP1110( __i & 0xff) \ ^ CAMELLIA_SP0222((__i >> 24) & 0xff) \ ^ CAMELLIA_SP3033((__i >> 16) & 0xff) \ ^ CAMELLIA_SP4404((__i >> 8) & 0xff); \ __yr \ = CAMELLIA_SP1110( __i >> 56) \ ^ CAMELLIA_SP0222((__i >> 48) & 0xff) \ ^ CAMELLIA_SP3033((__i >> 40) & 0xff) \ ^ CAMELLIA_SP4404((__i >> 32) & 0xff); \ __yl ^= __yr; \ __yr = ROTL32(24, __yr); \ __yr ^= __yl; \ (y) = ((uint64_t) __yl << 32) | __yr; \ } while (0) #if ! HAVE_NATIVE_64_BIT #define CAMELLIA_F_HALF_INV(x) do { \ uint32_t __t, __w; \ __t = (x) >> 32; \ __w = __t ^(x); \ __w = ROTL32(8, __w); \ (x) = ((uint64_t) __w << 32) | (__t ^ __w); \ } while (0) #endif void _camellia_crypt(unsigned nkeys, const uint64_t *keys, const struct camellia_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* The initial NKEYS + 2 subkeys in SUBKEY are reduced to the final NKEYS subkeys stored in DST. SUBKEY data is modified in the process. */ void _camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey); void _camellia_invert_key(unsigned nkeys, uint64_t *dst, const uint64_t *src); extern const struct camellia_table _camellia_table; #endif /* NETTLE_CAMELLIA_INTERNAL_H_INCLUDED */ nettle-3.4.1/aes-decrypt.c0000644000175000017500000003654313401564745014446 0ustar nissenisse/* aes-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" static const struct aes_table _aes_decrypt_table = { /* isbox */ { 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38, 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb, 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87, 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb, 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d, 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e, 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2, 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25, 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16, 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92, 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda, 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84, 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a, 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06, 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02, 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b, 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea, 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73, 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85, 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e, 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89, 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b, 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20, 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4, 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31, 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f, 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d, 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef, 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0, 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d, }, { /* itable */ { 0x50a7f451,0x5365417e,0xc3a4171a,0x965e273a, 0xcb6bab3b,0xf1459d1f,0xab58faac,0x9303e34b, 0x55fa3020,0xf66d76ad,0x9176cc88,0x254c02f5, 0xfcd7e54f,0xd7cb2ac5,0x80443526,0x8fa362b5, 0x495ab1de,0x671bba25,0x980eea45,0xe1c0fe5d, 0x02752fc3,0x12f04c81,0xa397468d,0xc6f9d36b, 0xe75f8f03,0x959c9215,0xeb7a6dbf,0xda595295, 0x2d83bed4,0xd3217458,0x2969e049,0x44c8c98e, 0x6a89c275,0x78798ef4,0x6b3e5899,0xdd71b927, 0xb64fe1be,0x17ad88f0,0x66ac20c9,0xb43ace7d, 0x184adf63,0x82311ae5,0x60335197,0x457f5362, 0xe07764b1,0x84ae6bbb,0x1ca081fe,0x942b08f9, 0x58684870,0x19fd458f,0x876cde94,0xb7f87b52, 0x23d373ab,0xe2024b72,0x578f1fe3,0x2aab5566, 0x0728ebb2,0x03c2b52f,0x9a7bc586,0xa50837d3, 0xf2872830,0xb2a5bf23,0xba6a0302,0x5c8216ed, 0x2b1ccf8a,0x92b479a7,0xf0f207f3,0xa1e2694e, 0xcdf4da65,0xd5be0506,0x1f6234d1,0x8afea6c4, 0x9d532e34,0xa055f3a2,0x32e18a05,0x75ebf6a4, 0x39ec830b,0xaaef6040,0x069f715e,0x51106ebd, 0xf98a213e,0x3d06dd96,0xae053edd,0x46bde64d, 0xb58d5491,0x055dc471,0x6fd40604,0xff155060, 0x24fb9819,0x97e9bdd6,0xcc434089,0x779ed967, 0xbd42e8b0,0x888b8907,0x385b19e7,0xdbeec879, 0x470a7ca1,0xe90f427c,0xc91e84f8,0x00000000, 0x83868009,0x48ed2b32,0xac70111e,0x4e725a6c, 0xfbff0efd,0x5638850f,0x1ed5ae3d,0x27392d36, 0x64d90f0a,0x21a65c68,0xd1545b9b,0x3a2e3624, 0xb1670a0c,0x0fe75793,0xd296eeb4,0x9e919b1b, 0x4fc5c080,0xa220dc61,0x694b775a,0x161a121c, 0x0aba93e2,0xe52aa0c0,0x43e0223c,0x1d171b12, 0x0b0d090e,0xadc78bf2,0xb9a8b62d,0xc8a91e14, 0x8519f157,0x4c0775af,0xbbdd99ee,0xfd607fa3, 0x9f2601f7,0xbcf5725c,0xc53b6644,0x347efb5b, 0x7629438b,0xdcc623cb,0x68fcedb6,0x63f1e4b8, 0xcadc31d7,0x10856342,0x40229713,0x2011c684, 0x7d244a85,0xf83dbbd2,0x1132f9ae,0x6da129c7, 0x4b2f9e1d,0xf330b2dc,0xec52860d,0xd0e3c177, 0x6c16b32b,0x99b970a9,0xfa489411,0x2264e947, 0xc48cfca8,0x1a3ff0a0,0xd82c7d56,0xef903322, 0xc74e4987,0xc1d138d9,0xfea2ca8c,0x360bd498, 0xcf81f5a6,0x28de7aa5,0x268eb7da,0xa4bfad3f, 0xe49d3a2c,0x0d927850,0x9bcc5f6a,0x62467e54, 0xc2138df6,0xe8b8d890,0x5ef7392e,0xf5afc382, 0xbe805d9f,0x7c93d069,0xa92dd56f,0xb31225cf, 0x3b99acc8,0xa77d1810,0x6e639ce8,0x7bbb3bdb, 0x097826cd,0xf418596e,0x01b79aec,0xa89a4f83, 0x656e95e6,0x7ee6ffaa,0x08cfbc21,0xe6e815ef, 0xd99be7ba,0xce366f4a,0xd4099fea,0xd67cb029, 0xafb2a431,0x31233f2a,0x3094a5c6,0xc066a235, 0x37bc4e74,0xa6ca82fc,0xb0d090e0,0x15d8a733, 0x4a9804f1,0xf7daec41,0x0e50cd7f,0x2ff69117, 0x8dd64d76,0x4db0ef43,0x544daacc,0xdf0496e4, 0xe3b5d19e,0x1b886a4c,0xb81f2cc1,0x7f516546, 0x04ea5e9d,0x5d358c01,0x737487fa,0x2e410bfb, 0x5a1d67b3,0x52d2db92,0x335610e9,0x1347d66d, 0x8c61d79a,0x7a0ca137,0x8e14f859,0x893c13eb, 0xee27a9ce,0x35c961b7,0xede51ce1,0x3cb1477a, 0x59dfd29c,0x3f73f255,0x79ce1418,0xbf37c773, 0xeacdf753,0x5baafd5f,0x146f3ddf,0x86db4478, 0x81f3afca,0x3ec468b9,0x2c342438,0x5f40a3c2, 0x72c31d16,0x0c25e2bc,0x8b493c28,0x41950dff, 0x7101a839,0xdeb30c08,0x9ce4b4d8,0x90c15664, 0x6184cb7b,0x70b632d5,0x745c6c48,0x4257b8d0, }, #if !AES_SMALL { /* Before: itable[1] */ 0xa7f45150,0x65417e53,0xa4171ac3,0x5e273a96, 0x6bab3bcb,0x459d1ff1,0x58faacab,0x03e34b93, 0xfa302055,0x6d76adf6,0x76cc8891,0x4c02f525, 0xd7e54ffc,0xcb2ac5d7,0x44352680,0xa362b58f, 0x5ab1de49,0x1bba2567,0x0eea4598,0xc0fe5de1, 0x752fc302,0xf04c8112,0x97468da3,0xf9d36bc6, 0x5f8f03e7,0x9c921595,0x7a6dbfeb,0x595295da, 0x83bed42d,0x217458d3,0x69e04929,0xc8c98e44, 0x89c2756a,0x798ef478,0x3e58996b,0x71b927dd, 0x4fe1beb6,0xad88f017,0xac20c966,0x3ace7db4, 0x4adf6318,0x311ae582,0x33519760,0x7f536245, 0x7764b1e0,0xae6bbb84,0xa081fe1c,0x2b08f994, 0x68487058,0xfd458f19,0x6cde9487,0xf87b52b7, 0xd373ab23,0x024b72e2,0x8f1fe357,0xab55662a, 0x28ebb207,0xc2b52f03,0x7bc5869a,0x0837d3a5, 0x872830f2,0xa5bf23b2,0x6a0302ba,0x8216ed5c, 0x1ccf8a2b,0xb479a792,0xf207f3f0,0xe2694ea1, 0xf4da65cd,0xbe0506d5,0x6234d11f,0xfea6c48a, 0x532e349d,0x55f3a2a0,0xe18a0532,0xebf6a475, 0xec830b39,0xef6040aa,0x9f715e06,0x106ebd51, 0x8a213ef9,0x06dd963d,0x053eddae,0xbde64d46, 0x8d5491b5,0x5dc47105,0xd406046f,0x155060ff, 0xfb981924,0xe9bdd697,0x434089cc,0x9ed96777, 0x42e8b0bd,0x8b890788,0x5b19e738,0xeec879db, 0x0a7ca147,0x0f427ce9,0x1e84f8c9,0x00000000, 0x86800983,0xed2b3248,0x70111eac,0x725a6c4e, 0xff0efdfb,0x38850f56,0xd5ae3d1e,0x392d3627, 0xd90f0a64,0xa65c6821,0x545b9bd1,0x2e36243a, 0x670a0cb1,0xe757930f,0x96eeb4d2,0x919b1b9e, 0xc5c0804f,0x20dc61a2,0x4b775a69,0x1a121c16, 0xba93e20a,0x2aa0c0e5,0xe0223c43,0x171b121d, 0x0d090e0b,0xc78bf2ad,0xa8b62db9,0xa91e14c8, 0x19f15785,0x0775af4c,0xdd99eebb,0x607fa3fd, 0x2601f79f,0xf5725cbc,0x3b6644c5,0x7efb5b34, 0x29438b76,0xc623cbdc,0xfcedb668,0xf1e4b863, 0xdc31d7ca,0x85634210,0x22971340,0x11c68420, 0x244a857d,0x3dbbd2f8,0x32f9ae11,0xa129c76d, 0x2f9e1d4b,0x30b2dcf3,0x52860dec,0xe3c177d0, 0x16b32b6c,0xb970a999,0x489411fa,0x64e94722, 0x8cfca8c4,0x3ff0a01a,0x2c7d56d8,0x903322ef, 0x4e4987c7,0xd138d9c1,0xa2ca8cfe,0x0bd49836, 0x81f5a6cf,0xde7aa528,0x8eb7da26,0xbfad3fa4, 0x9d3a2ce4,0x9278500d,0xcc5f6a9b,0x467e5462, 0x138df6c2,0xb8d890e8,0xf7392e5e,0xafc382f5, 0x805d9fbe,0x93d0697c,0x2dd56fa9,0x1225cfb3, 0x99acc83b,0x7d1810a7,0x639ce86e,0xbb3bdb7b, 0x7826cd09,0x18596ef4,0xb79aec01,0x9a4f83a8, 0x6e95e665,0xe6ffaa7e,0xcfbc2108,0xe815efe6, 0x9be7bad9,0x366f4ace,0x099fead4,0x7cb029d6, 0xb2a431af,0x233f2a31,0x94a5c630,0x66a235c0, 0xbc4e7437,0xca82fca6,0xd090e0b0,0xd8a73315, 0x9804f14a,0xdaec41f7,0x50cd7f0e,0xf691172f, 0xd64d768d,0xb0ef434d,0x4daacc54,0x0496e4df, 0xb5d19ee3,0x886a4c1b,0x1f2cc1b8,0x5165467f, 0xea5e9d04,0x358c015d,0x7487fa73,0x410bfb2e, 0x1d67b35a,0xd2db9252,0x5610e933,0x47d66d13, 0x61d79a8c,0x0ca1377a,0x14f8598e,0x3c13eb89, 0x27a9ceee,0xc961b735,0xe51ce1ed,0xb1477a3c, 0xdfd29c59,0x73f2553f,0xce141879,0x37c773bf, 0xcdf753ea,0xaafd5f5b,0x6f3ddf14,0xdb447886, 0xf3afca81,0xc468b93e,0x3424382c,0x40a3c25f, 0xc31d1672,0x25e2bc0c,0x493c288b,0x950dff41, 0x01a83971,0xb30c08de,0xe4b4d89c,0xc1566490, 0x84cb7b61,0xb632d570,0x5c6c4874,0x57b8d042, },{ /* Before: itable[2] */ 0xf45150a7,0x417e5365,0x171ac3a4,0x273a965e, 0xab3bcb6b,0x9d1ff145,0xfaacab58,0xe34b9303, 0x302055fa,0x76adf66d,0xcc889176,0x02f5254c, 0xe54ffcd7,0x2ac5d7cb,0x35268044,0x62b58fa3, 0xb1de495a,0xba25671b,0xea45980e,0xfe5de1c0, 0x2fc30275,0x4c8112f0,0x468da397,0xd36bc6f9, 0x8f03e75f,0x9215959c,0x6dbfeb7a,0x5295da59, 0xbed42d83,0x7458d321,0xe0492969,0xc98e44c8, 0xc2756a89,0x8ef47879,0x58996b3e,0xb927dd71, 0xe1beb64f,0x88f017ad,0x20c966ac,0xce7db43a, 0xdf63184a,0x1ae58231,0x51976033,0x5362457f, 0x64b1e077,0x6bbb84ae,0x81fe1ca0,0x08f9942b, 0x48705868,0x458f19fd,0xde94876c,0x7b52b7f8, 0x73ab23d3,0x4b72e202,0x1fe3578f,0x55662aab, 0xebb20728,0xb52f03c2,0xc5869a7b,0x37d3a508, 0x2830f287,0xbf23b2a5,0x0302ba6a,0x16ed5c82, 0xcf8a2b1c,0x79a792b4,0x07f3f0f2,0x694ea1e2, 0xda65cdf4,0x0506d5be,0x34d11f62,0xa6c48afe, 0x2e349d53,0xf3a2a055,0x8a0532e1,0xf6a475eb, 0x830b39ec,0x6040aaef,0x715e069f,0x6ebd5110, 0x213ef98a,0xdd963d06,0x3eddae05,0xe64d46bd, 0x5491b58d,0xc471055d,0x06046fd4,0x5060ff15, 0x981924fb,0xbdd697e9,0x4089cc43,0xd967779e, 0xe8b0bd42,0x8907888b,0x19e7385b,0xc879dbee, 0x7ca1470a,0x427ce90f,0x84f8c91e,0x00000000, 0x80098386,0x2b3248ed,0x111eac70,0x5a6c4e72, 0x0efdfbff,0x850f5638,0xae3d1ed5,0x2d362739, 0x0f0a64d9,0x5c6821a6,0x5b9bd154,0x36243a2e, 0x0a0cb167,0x57930fe7,0xeeb4d296,0x9b1b9e91, 0xc0804fc5,0xdc61a220,0x775a694b,0x121c161a, 0x93e20aba,0xa0c0e52a,0x223c43e0,0x1b121d17, 0x090e0b0d,0x8bf2adc7,0xb62db9a8,0x1e14c8a9, 0xf1578519,0x75af4c07,0x99eebbdd,0x7fa3fd60, 0x01f79f26,0x725cbcf5,0x6644c53b,0xfb5b347e, 0x438b7629,0x23cbdcc6,0xedb668fc,0xe4b863f1, 0x31d7cadc,0x63421085,0x97134022,0xc6842011, 0x4a857d24,0xbbd2f83d,0xf9ae1132,0x29c76da1, 0x9e1d4b2f,0xb2dcf330,0x860dec52,0xc177d0e3, 0xb32b6c16,0x70a999b9,0x9411fa48,0xe9472264, 0xfca8c48c,0xf0a01a3f,0x7d56d82c,0x3322ef90, 0x4987c74e,0x38d9c1d1,0xca8cfea2,0xd498360b, 0xf5a6cf81,0x7aa528de,0xb7da268e,0xad3fa4bf, 0x3a2ce49d,0x78500d92,0x5f6a9bcc,0x7e546246, 0x8df6c213,0xd890e8b8,0x392e5ef7,0xc382f5af, 0x5d9fbe80,0xd0697c93,0xd56fa92d,0x25cfb312, 0xacc83b99,0x1810a77d,0x9ce86e63,0x3bdb7bbb, 0x26cd0978,0x596ef418,0x9aec01b7,0x4f83a89a, 0x95e6656e,0xffaa7ee6,0xbc2108cf,0x15efe6e8, 0xe7bad99b,0x6f4ace36,0x9fead409,0xb029d67c, 0xa431afb2,0x3f2a3123,0xa5c63094,0xa235c066, 0x4e7437bc,0x82fca6ca,0x90e0b0d0,0xa73315d8, 0x04f14a98,0xec41f7da,0xcd7f0e50,0x91172ff6, 0x4d768dd6,0xef434db0,0xaacc544d,0x96e4df04, 0xd19ee3b5,0x6a4c1b88,0x2cc1b81f,0x65467f51, 0x5e9d04ea,0x8c015d35,0x87fa7374,0x0bfb2e41, 0x67b35a1d,0xdb9252d2,0x10e93356,0xd66d1347, 0xd79a8c61,0xa1377a0c,0xf8598e14,0x13eb893c, 0xa9ceee27,0x61b735c9,0x1ce1ede5,0x477a3cb1, 0xd29c59df,0xf2553f73,0x141879ce,0xc773bf37, 0xf753eacd,0xfd5f5baa,0x3ddf146f,0x447886db, 0xafca81f3,0x68b93ec4,0x24382c34,0xa3c25f40, 0x1d1672c3,0xe2bc0c25,0x3c288b49,0x0dff4195, 0xa8397101,0x0c08deb3,0xb4d89ce4,0x566490c1, 0xcb7b6184,0x32d570b6,0x6c48745c,0xb8d04257, },{ /* Before: itable[3] */ 0x5150a7f4,0x7e536541,0x1ac3a417,0x3a965e27, 0x3bcb6bab,0x1ff1459d,0xacab58fa,0x4b9303e3, 0x2055fa30,0xadf66d76,0x889176cc,0xf5254c02, 0x4ffcd7e5,0xc5d7cb2a,0x26804435,0xb58fa362, 0xde495ab1,0x25671bba,0x45980eea,0x5de1c0fe, 0xc302752f,0x8112f04c,0x8da39746,0x6bc6f9d3, 0x03e75f8f,0x15959c92,0xbfeb7a6d,0x95da5952, 0xd42d83be,0x58d32174,0x492969e0,0x8e44c8c9, 0x756a89c2,0xf478798e,0x996b3e58,0x27dd71b9, 0xbeb64fe1,0xf017ad88,0xc966ac20,0x7db43ace, 0x63184adf,0xe582311a,0x97603351,0x62457f53, 0xb1e07764,0xbb84ae6b,0xfe1ca081,0xf9942b08, 0x70586848,0x8f19fd45,0x94876cde,0x52b7f87b, 0xab23d373,0x72e2024b,0xe3578f1f,0x662aab55, 0xb20728eb,0x2f03c2b5,0x869a7bc5,0xd3a50837, 0x30f28728,0x23b2a5bf,0x02ba6a03,0xed5c8216, 0x8a2b1ccf,0xa792b479,0xf3f0f207,0x4ea1e269, 0x65cdf4da,0x06d5be05,0xd11f6234,0xc48afea6, 0x349d532e,0xa2a055f3,0x0532e18a,0xa475ebf6, 0x0b39ec83,0x40aaef60,0x5e069f71,0xbd51106e, 0x3ef98a21,0x963d06dd,0xddae053e,0x4d46bde6, 0x91b58d54,0x71055dc4,0x046fd406,0x60ff1550, 0x1924fb98,0xd697e9bd,0x89cc4340,0x67779ed9, 0xb0bd42e8,0x07888b89,0xe7385b19,0x79dbeec8, 0xa1470a7c,0x7ce90f42,0xf8c91e84,0x00000000, 0x09838680,0x3248ed2b,0x1eac7011,0x6c4e725a, 0xfdfbff0e,0x0f563885,0x3d1ed5ae,0x3627392d, 0x0a64d90f,0x6821a65c,0x9bd1545b,0x243a2e36, 0x0cb1670a,0x930fe757,0xb4d296ee,0x1b9e919b, 0x804fc5c0,0x61a220dc,0x5a694b77,0x1c161a12, 0xe20aba93,0xc0e52aa0,0x3c43e022,0x121d171b, 0x0e0b0d09,0xf2adc78b,0x2db9a8b6,0x14c8a91e, 0x578519f1,0xaf4c0775,0xeebbdd99,0xa3fd607f, 0xf79f2601,0x5cbcf572,0x44c53b66,0x5b347efb, 0x8b762943,0xcbdcc623,0xb668fced,0xb863f1e4, 0xd7cadc31,0x42108563,0x13402297,0x842011c6, 0x857d244a,0xd2f83dbb,0xae1132f9,0xc76da129, 0x1d4b2f9e,0xdcf330b2,0x0dec5286,0x77d0e3c1, 0x2b6c16b3,0xa999b970,0x11fa4894,0x472264e9, 0xa8c48cfc,0xa01a3ff0,0x56d82c7d,0x22ef9033, 0x87c74e49,0xd9c1d138,0x8cfea2ca,0x98360bd4, 0xa6cf81f5,0xa528de7a,0xda268eb7,0x3fa4bfad, 0x2ce49d3a,0x500d9278,0x6a9bcc5f,0x5462467e, 0xf6c2138d,0x90e8b8d8,0x2e5ef739,0x82f5afc3, 0x9fbe805d,0x697c93d0,0x6fa92dd5,0xcfb31225, 0xc83b99ac,0x10a77d18,0xe86e639c,0xdb7bbb3b, 0xcd097826,0x6ef41859,0xec01b79a,0x83a89a4f, 0xe6656e95,0xaa7ee6ff,0x2108cfbc,0xefe6e815, 0xbad99be7,0x4ace366f,0xead4099f,0x29d67cb0, 0x31afb2a4,0x2a31233f,0xc63094a5,0x35c066a2, 0x7437bc4e,0xfca6ca82,0xe0b0d090,0x3315d8a7, 0xf14a9804,0x41f7daec,0x7f0e50cd,0x172ff691, 0x768dd64d,0x434db0ef,0xcc544daa,0xe4df0496, 0x9ee3b5d1,0x4c1b886a,0xc1b81f2c,0x467f5165, 0x9d04ea5e,0x015d358c,0xfa737487,0xfb2e410b, 0xb35a1d67,0x9252d2db,0xe9335610,0x6d1347d6, 0x9a8c61d7,0x377a0ca1,0x598e14f8,0xeb893c13, 0xceee27a9,0xb735c961,0xe1ede51c,0x7a3cb147, 0x9c59dfd2,0x553f73f2,0x1879ce14,0x73bf37c7, 0x53eacdf7,0x5f5baafd,0xdf146f3d,0x7886db44, 0xca81f3af,0xb93ec468,0x382c3424,0xc25f40a3, 0x1672c31d,0xbc0c25e2,0x288b493c,0xff41950d, 0x397101a8,0x08deb30c,0xd89ce4b4,0x6490c156, 0x7b6184cb,0xd570b632,0x48745c6c,0xd04257b8, }, #endif /* !AES_SMALL */ } }; void aes_decrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_decrypt(ctx->rounds, ctx->keys, &_aes_decrypt_table, length, dst, src); } void aes128_decrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table, length, dst, src); } void aes192_decrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table, length, dst, src); } void aes256_decrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_decrypt(_AES256_ROUNDS, ctx->keys, &_aes_decrypt_table, length, dst, src); } nettle-3.4.1/arm/0000755000175000017500000000000013401564746012627 5ustar nissenissenettle-3.4.1/arm/aes-decrypt-internal.asm0000644000175000017500000001031113401564746017357 0ustar nissenisseC arm/aes-decrypt-internal.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() define(, ) define(, ) define(, ) define(, ) C On stack: DST, SRC define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Overlaps inputs, except TABLE define(, ) define(, ) define(, ) define(, ) C lr define(, <[sp]>) define(, <[sp, #+4]>) define(, <[sp, #+8]>) C 8 saved registers define(, <[sp, #+44]>) define(, <[sp, #+48]>) define(, < and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] and T0, MASK, $2, lsl #2 ldr $6, [TABLE, T0] and T0, MASK, $3, lsl #2 ldr $7, [TABLE, T0] and T0, MASK, $4, lsl #2 ldr $8, [TABLE, T0] and T0, MASK, $4, ror #6 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $1, ror #6 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $2, ror #6 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $3, ror #6 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $3, ror #14 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $4, ror #14 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $1, ror #14 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $2, ror #14 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $2, ror #22 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $3, ror #22 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $4, ror #22 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $1, ror #22 ldr T0, [TABLE, T0] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 >) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_decrypt) teq PARAM_LENGTH, #0 beq .Lend push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: ldr X0, FRAME_SRC C Use X0 as SRC pointer ldm sp, {COUNT, KEY} AES_LOAD(X0,KEY,W0) AES_LOAD(X0,KEY,W1) AES_LOAD(X0,KEY,W2) AES_LOAD(X0,KEY,W3) str X0, FRAME_SRC add TABLE, TABLE, #AES_TABLE0 b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round AES_FINAL_ROUND_V5(X0, X3, X2, X1, KEY, W0, COUNT) AES_FINAL_ROUND_V5(X1, X0, X3, X2, KEY, W1, COUNT) AES_FINAL_ROUND_V5(X2, X1, X0, X3, KEY, W2, COUNT) AES_FINAL_ROUND_V5(X3, X2, X1, X0, KEY, W3, COUNT) ldr X0, FRAME_DST ldr X1, FRAME_LENGTH AES_STORE(X0,W0) AES_STORE(X0,W1) AES_STORE(X0,W2) AES_STORE(X0,W3) subs X1, X1, #16 str X0, FRAME_DST str X1, FRAME_LENGTH bhi .Lblock_loop add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_decrypt) nettle-3.4.1/arm/ecc-256-redc.asm0000644000175000017500000000703713401564746015317 0ustar nissenisseC arm/ecc-256-redc.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-256-redc.asm" .arm define(, ) define(, ) C Overlaps unused modulo argument define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(nettle_ecc_256_redc) push {r4,r5,r6,r7,r8,r10,r11,lr} ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} C Set to the high 4 limbs of (B^2-B+1) C T2 T1 C T2 T1 T0 C - T2 T1 T0 C ------------- C F3 F2 F1 F0 adds F1, T0, T2 adcs F2, T1, #0 adc F3, T2, #0 subs F0, T1, T0 sbcs F1, F1, T1 C Could also be rsc ? sbcs F2, F2, T2 sbc F3, F3, #0 C Add: C T10 T9 T8 T7 T6 T5 T4 T3 C + F3 F2 F1 F0 T0 T2 T1 T0 C -------------------------- C T7 T6 T5 T4 T3 T2 T1 T0 adds T3, T3, T0 adcs T1, T4, T1 adcs T2, T5, T2 adcs T6, T6, T0 mov T0, T3 C FIXME: Be more clever? mov T3, T6 adcs T4, T7, F0 ldm RP!, {T5,T6,T7} adcs T5, T5, F1 adcs T6, T6, F2 adcs T7, T7, F3 C New F3, F2, F1, F0, also adding in carry adcs F1, T0, T2 adcs F2, T1, #0 adc F3, T2, #0 subs F0, T1, T0 sbcs F1, F1, T1 C Could also be rsc ? sbcs F2, F2, T2 sbc F3, F3, #0 C Start adding adds T3, T3, T0 adcs T1, T4, T1 adcs T2, T5, T2 adcs T6, T6, T0 mov T0, T3 C FIXME: Be more clever? mov T3, T6 adcs T4, T7, F0 ldm RP!, {T5,T6,T7} adcs T5, T5, F1 adcs T6, T6, F2 adcs T7, T7, F3 C Final iteration, eliminate only T0, T1 C Set to the high 3 limbs of (B^2-B+1) C T1 T0 T1 C - T1 T0 C ------------- C F2 F1 F0 C First add in carry adcs F1, T0, #0 adcs F2, T1, #0 subs F0, T1, T0 sbcs F1, F1, T1 sbc F2, F2, #0 C Add: C T9 T8 T7 T6 T5 T4 T3 T2 C + F2 F1 F0 T0 0 T1 T0 0 C -------------------------- C F2 F1 T7 T6 T5 T4 T3 T2 adds T3, T3, T0 adcs T4, T4, T1 adcs T5, T5, #0 adcs T6, T6, T0 adcs T7, T7, F0 ldm RP!, {T0, T1} mov F3, #0 adcs F1, F1, T0 adcs F2, F2, T1 C Sum is < B^8 + p, so it's enough to fold carry once, C If carry, add in C B^7 - B^6 - B^3 + 1 = <0, B-2, B-1, B-1, B-1, 0, 0, 1> C Mask from carry flag, leaving carry intact adc F3, F3, #0 rsb F3, F3, #0 adcs T0, T2, #0 adcs T1, T3, #0 adcs T2, T4, #0 adcs T3, T5, F3 adcs T4, T6, F3 adcs T5, T7, F3 and F3, F3, #-2 adcs T6, F1, F3 adcs T7, F2, #0 sub RP, RP, #64 stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(nettle_ecc_256_redc) nettle-3.4.1/arm/neon/0000755000175000017500000000000013401564746013566 5ustar nissenissenettle-3.4.1/arm/neon/umac-nh-n.asm0000644000175000017500000002067313401564746016063 0ustar nissenisseC arm/neon/umac-nh-n.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "umac-nh.asm" .fpu neon define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Accumulates for the first two operations. define(, ) define(, ) C Used for 3 and 4 iterations. define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C FIXME: Try permuting subkeys using vld4, vzip or similar. .text .align 3 PROLOGUE(_nettle_umac_nh_n) ldr MSG, [sp] str lr, [sp, #-4]! C Setup for 64-bit aligned reads ands SHIFT, MSG, #7 and MSG, MSG, #-8 vld1.8 {DM}, [MSG :64] addne MSG, MSG, #8 addeq SHIFT, SHIFT, #8 C FIXME: Combine as rsb ? lsl SHIFT, SHIFT, #3 neg SHIFT, SHIFT C Right shift in QRIGHT (both halves) vmov.i32 D0REG(QRIGHT)[0], SHIFT vmov.32 D1REG(QRIGHT), D0REG(QRIGHT) add SHIFT, SHIFT, #64 vmov.i32 D0REG(QLEFT)[0], SHIFT vmov.32 D1REG(QLEFT), D0REG(QLEFT) cmp r1, #3 vmov.i64 QY0, #0 vshl.u64 DM, DM, D0REG(QRIGHT) bcc .Lnh2 beq .Lnh3 .Lnh4: C Permute key words, so we in each iteration have them in order C C P0: [0, 4,1, 5] P1: [ 2, 6, 3, 7] P2: [ 4, 8, 5, 9] P3: [ 6,10, 7,11] C P4: [8,12,9,13] P5: [10,14,11,15] P6: [12,16,13,17] P7: [14,18,15,19] C C Also arrange the message words, so we get them as C M0: [0,0,1,1] M1: [ 2, 2, 3, 3] M2: [ 4, 4, 5, 5] M3: [ 6, 6, 7, 7] C M4: [8,8,9,9] M5: [10,10,11,11] M6: [12,12,13,13] M7: [14,14,15,15] C C Then, accumulate Y0 (first two "iters") using C C Y0 += (M0+P0) * (M2+P2) + (M1+P1) * (M3+P3) C Y1 += (M0+P4) * (M2+P6) + (M1+P5) * (M3+P7) C C Next iteration is then C C Y0 += (M4+P4) * (M6+P6) + (M5+P5) * (M7 + P7) C Y1 += (M4+P6) * (M6+P8) + (M5+P7) * (M7 + P11) C C So we can reuse P4, P5, P6, P7 from the previous iteration. C How to for in registers? We need 4 Q regs for P0-P3, and one C more for the last read key. We need at least two regiters C for the message (QA and QB, more if we want to expand only C once). For the Y0 update, we can let the factors overwrite C P0-P3, and for the Y1 update, we can overwrite M0-M3. vpush {q4,q5,q6} vld1.32 {QK0,QK1}, [KEY]! vld1.32 {QK2}, [KEY]! vmov QT0, QK1 vmov QT1, QK2 C Permute keys. QK2 us untouched, permuted subkeys put in QK0,QK1,QT0,QT1 vtrn.32 QK0, QK1 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QK1) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vtrn.32 QT0, QT1 C Gives us [4,8,6,10] and [5 ,9,7,11] vswp D1REG(QT0), D0REG(QT1) C Gives us [4,8,5, 9] and [6,10,7,11] vmov.i64 QY1, #0 .Loop4: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QC, QA, QRIGHT vshl.u64 QD, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QC) veor D0REG(QB), D0REG(QB), D1REG(QC) veor D1REG(QB), D1REG(QB), D0REG(QD) vmov DM, D1REG(QD) C Explode message (too bad there's no vadd with scalar) vdup.32 D1REG(QD), D1REG(QB)[1] vdup.32 D0REG(QD), D1REG(QB)[0] vdup.32 D1REG(QC), D0REG(QB)[1] vdup.32 D0REG(QC), D0REG(QB)[0] vdup.32 D1REG(QB), D1REG(QA)[1] vdup.32 D0REG(QB), D1REG(QA)[0] vdup.32 D1REG(QA), D0REG(QA)[1] vdup.32 D0REG(QA), D0REG(QA)[0] vadd.i32 QK0, QK0, QA vadd.i32 QK1, QK1, QB vadd.i32 QT0, QT0, QC vadd.i32 QT1, QT1, QD vmlal.u32 QY0, D0REG(QK0), D0REG(QT0) vmlal.u32 QY0, D1REG(QK0), D1REG(QT0) vmlal.u32 QY0, D0REG(QK1), D0REG(QT1) vmlal.u32 QY0, D1REG(QK1), D1REG(QT1) C Next 4 subkeys vld1.32 {QT0,QT1}, [KEY]! vmov QK0, QK2 vmov QK1, QT0 vmov QK2, QT1 C Save vtrn.32 QK0, QK1 C Gives us [8,12,10,14] and [9,13,11,15] vswp D1REG(QK0), D0REG(QK1) C Gives us [8,12,9,13] and [10,14,11,15] vtrn.32 QT0, QT1 C Gives us [12,16,14,18] and [13,17,15,19] vswp D1REG(QT0), D0REG(QT1) C Gives us [12,16,13,17] and [14,18,15,19] vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 vadd.i32 QC, QC, QT0 vadd.i32 QD, QD, QT1 subs LENGTH, LENGTH, #32 vmlal.u32 QY1, D0REG(QA), D0REG(QC) vmlal.u32 QY1, D1REG(QA), D1REG(QC) vmlal.u32 QY1, D0REG(QB), D0REG(QD) vmlal.u32 QY1, D1REG(QB), D1REG(QD) bhi .Loop4 vst1.64 {QY0, QY1}, [OUT] vpop {q4,q5,q6} ldr pc, [sp], #+4 .Lnh3: vpush {q4} vld1.32 {QK0,QK1}, [KEY]! vmov.i64 QY1, #0 .Loop3: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.32 {QK2}, [KEY]! C Construct factors, with low half corresponding to first iteration, C and high half corresponding to the second iteration. vmov QT0, QK1 vtrn.32 QK0, QT0 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QT0) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vdup.32 D0REG(QT1), D0REG(QA)[0] vdup.32 D1REG(QT1), D0REG(QA)[1] vadd.i32 QT1, QT1, QK0 vmov QK0, QK2 C Save for next iteration vtrn.32 QK1, QK2 C Gives us [4, 8, 2, 1] and [1, 5, 3, 7] vswp D1REG(QK1), D0REG(QK2) C Gives us [4, 8, 1, 5] and [2, 1, 3, 7] vdup.32 D0REG(QT2), D0REG(QB)[0] vdup.32 D1REG(QT2), D0REG(QB)[1] vadd.i32 QK1, QK1, QT2 vmlal.u32 QY0, D0REG(QT1), D0REG(QK1) vmlal.u32 QY0, D1REG(QT1), D1REG(QK1) vdup.32 D0REG(QT1), D1REG(QA)[0] vdup.32 D1REG(QT1), D1REG(QA)[1] vadd.i32 QT0, QT0, QT1 vdup.32 D0REG(QT1), D1REG(QB)[0] vdup.32 D1REG(QT1), D1REG(QB)[1] vadd.i32 QK2, QK2, QT1 vmlal.u32 QY0, D0REG(QT0), D0REG(QK2) vmlal.u32 QY0, D1REG(QT0), D1REG(QK2) vld1.32 {QK1}, [KEY]! vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 subs LENGTH, LENGTH, #32 vmlal.u32 QY1, D0REG(QA), D0REG(QB) vmlal.u32 QY1, D1REG(QA), D1REG(QB) bhi .Loop3 vadd.i64 D0REG(QY1), D0REG(QY1), D1REG(QY1) vst1.64 {D0REG(QY0), D1REG(QY0), D0REG(QY1)}, [OUT] vpop {q4} ldr pc, [sp], #+4 .Lnh2: vld1.32 {QK0}, [KEY]! .Loop2: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.32 {QK1,QK2}, [KEY]! C Construct factors, with low half corresponding to first iteration, C and high half corresponding to the second iteration. vmov QT0, QK1 vtrn.32 QK0, QT0 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QT0) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vdup.32 D0REG(QT1), D0REG(QA)[0] vdup.32 D1REG(QT1), D0REG(QA)[1] vadd.i32 QT1, QT1, QK0 vmov QK0, QK2 C Save for next iteration vtrn.32 QK1, QK2 C Gives us [4, 8, 6, 10] and [5, 9, 7, 11] vswp D1REG(QK1), D0REG(QK2) C Gives us [4, 8, 5, 9] and [6, 10, 7, 11] vdup.32 D0REG(QT2), D0REG(QB)[0] vdup.32 D1REG(QT2), D0REG(QB)[1] vadd.i32 QK1, QK1, QT2 vmlal.u32 QY0, D0REG(QT1), D0REG(QK1) vmlal.u32 QY0, D1REG(QT1), D1REG(QK1) vdup.32 D0REG(QT1), D1REG(QA)[0] vdup.32 D1REG(QT1), D1REG(QA)[1] vadd.i32 QT0, QT0, QT1 vdup.32 D0REG(QT1), D1REG(QB)[0] vdup.32 D1REG(QT1), D1REG(QB)[1] vadd.i32 QK2, QK2, QT1 subs LENGTH, LENGTH, #32 vmlal.u32 QY0, D0REG(QT0), D0REG(QK2) vmlal.u32 QY0, D1REG(QT0), D1REG(QK2) bhi .Loop2 vst1.64 {QY0}, [OUT] .Lend: ldr pc, [sp], #+4 EPILOGUE(_nettle_umac_nh_n) nettle-3.4.1/arm/neon/sha3-permute.asm0000644000175000017500000001354513401564746016615 0ustar nissenisseC arm/neon/sha3-permute.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "sha3-permute.asm" .fpu neon define(, ) define(, ) define(, ) C First column define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C ROL(DST, SRC, COUNT) C Must have SRC != DST define(, < vshr.u64 $1, $2, #eval(64-$3) vsli.i64 $1, $2, #$3 >) C sha3_permute(struct sha3_ctx *ctx) .text .align 3 .Lrc: .quad 0x0000000000000001 .quad 0x0000000000008082 .quad 0x800000000000808A .quad 0x8000000080008000 .quad 0x000000000000808B .quad 0x0000000080000001 .quad 0x8000000080008081 .quad 0x8000000000008009 .quad 0x000000000000008A .quad 0x0000000000000088 .quad 0x0000000080008009 .quad 0x000000008000000A .quad 0x000000008000808B .quad 0x800000000000008B .quad 0x8000000000008089 .quad 0x8000000000008003 .quad 0x8000000000008002 .quad 0x8000000000000080 .quad 0x000000000000800A .quad 0x800000008000000A .quad 0x8000000080008081 .quad 0x8000000000008080 .quad 0x0000000080000001 .quad 0x8000000080008008 PROLOGUE(nettle_sha3_permute) vpush {d8-d15} vld1.64 {A0}, [CTX]! vldm CTX!, {A1,A2,A3,A4} vld1.64 {A5}, [CTX]! vldm CTX!, {A6,A7,A8,A9} vld1.64 {A10}, [CTX]! vldm CTX!, {A11,A12,A13,A14} vld1.64 {A15}, [CTX]! vldm CTX!, {A16,A17,A18,A19} vld1.64 {A20}, [CTX]! vldm CTX, {A21,A22,A23,A24} sub CTX, CTX, #168 mov COUNT, #24 adr RC, .Lrc .align 3 .Loop: veor QREG(T0), QREG(A5), QREG(A15) veor C0, A0, T0 veor C0, C0, T1 veor QREG(C1), QREG(A1), QREG(A6) veor QREG(C1), QREG(C1), QREG(A11) veor QREG(C1), QREG(C1), QREG(A16) veor QREG(C1), QREG(C1), QREG(A21) veor QREG(C3), QREG(A3), QREG(A8) veor QREG(C3), QREG(C3), QREG(A13) veor QREG(C3), QREG(C3), QREG(A18) veor QREG(C3), QREG(C3), QREG(A23) C D0 = C4 ^ (C1 <<< 1) C NOTE: Using ROL macro (and vsli) is slightly slower. vshl.i64 T0, C1, #1 vshr.u64 T1, C1, #63 veor T0, T0, C4 veor T0, T0, T1 vmov T1, T0 veor A0, A0, T0 veor QREG(A5), QREG(A5), QREG(T0) veor QREG(A15), QREG(A15), QREG(T0) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) ROL(T0, C2, 1) ROL(T1, C3, 1) veor T0, T0, C0 veor T1, T1, C1 veor QREG(A1), QREG(A1), QREG(T0) veor QREG(A6), QREG(A6), QREG(T0) veor QREG(A11), QREG(A11), QREG(T0) veor QREG(A16), QREG(A16), QREG(T0) veor QREG(A21), QREG(A21), QREG(T0) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) ROL(T0, C4, 1) ROL(T1, C0, 1) veor T0, T0, C2 veor T1, T1, C3 veor QREG(A3), QREG(A3), QREG(T0) veor QREG(A8), QREG(A8), QREG(T0) veor QREG(A13), QREG(A13), QREG(T0) veor QREG(A18), QREG(A18), QREG(T0) veor QREG(A23), QREG(A23), QREG(T0) ROL( T0, A1, 1) ROL( A1, A6, 44) ROL( A6, A9, 20) ROL( A9, A22, 61) ROL(A22, A14, 39) ROL(A14, A20, 18) ROL(A20, A2, 62) ROL( A2, A12, 43) ROL(A12, A13, 25) ROL(A13, A19, 8) ROL(A19, A23, 56) ROL(A23, A15, 41) ROL(A15, A4, 27) ROL( A4, A24, 14) ROL(A24, A21, 2) ROL(A21, A8, 55) ROL( A8, A16, 45) ROL(A16, A5, 36) ROL( A5, A3, 28) ROL( A3, A18, 21) ROL(A18, A17, 15) ROL(A17, A11, 10) ROL(A11, A7, 6) ROL( A7, A10, 3) C New A10 value left in T0 vbic C0, A2, A1 vbic C1, A3, A2 vbic C2, A4, A3 vbic C3, A0, A4 vbic C4, A1, A0 veor A0, A0, C0 vld1.64 {C0}, [RC :64]! veor QREG(A1), QREG(A1), QREG(C1) veor QREG(A3), QREG(A3), QREG(C3) veor A0, A0, C0 vbic C0, A7, A6 vbic C1, A8, A7 vbic C2, A9, A8 vbic C3, A5, A9 vbic C4, A6, A5 veor A5, A5, C0 veor QREG(A6), QREG(A6), QREG(C1) veor QREG(A8), QREG(A8), QREG(C3) vbic C0, A12, A11 vbic C1, A13, A12 vbic C2, A14, A13 vbic C3, T0, A14 vbic C4, A11, T0 veor A10, T0, C0 veor QREG(A11), QREG(A11), QREG(C1) veor QREG(A13), QREG(A13), QREG(C3) vbic C0, A17, A16 vbic C1, A18, A17 vbic C2, A19, A18 vbic C3, A15, A19 vbic C4, A16, A15 veor A15, A15, C0 veor QREG(A16), QREG(A16), QREG(C1) veor QREG(A18), QREG(A18), QREG(C3) vbic C0, A22, A21 vbic C1, A23, A22 vbic C2, A24, A23 vbic C3, A20, A24 vbic C4, A21, A20 subs COUNT, COUNT, #1 veor A20, A20, C0 veor QREG(A21), QREG(A21), QREG(C1) veor QREG(A23), QREG(A23), QREG(C3) bne .Loop vst1.64 {A0}, [CTX]! vstm CTX!, {A1,A2,A3,A4} vst1.64 {A5}, [CTX]! vstm CTX!, {A6,A7,A8,A9} vst1.64 {A10}, [CTX]! vstm CTX!, {A11,A12,A13,A14} vst1.64 {A15}, [CTX]! vstm CTX!, {A16,A17,A18,A19} vst1.64 {A20}, [CTX]! vstm CTX, {A21,A22,A23,A24} vpop {d8-d15} bx lr EPILOGUE(nettle_sha3_permute) nettle-3.4.1/arm/neon/salsa20-core-internal.asm0000644000175000017500000000717713401564746020311 0ustar nissenisseC arm/neon/salsa20-core-internal.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "salsa20-core-internal.asm" .fpu neon define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, < vadd.i32 T0, $1, $4 vshl.i32 T1, T0, #7 vshr.u32 T0, T0, #25 veor $2, $2, T0 veor $2, $2, T1 vadd.i32 T0, $1, $2 vshl.i32 T1, T0, #9 vshr.u32 T0, T0, #23 veor $3, $3, T0 veor $3, $3, T1 vadd.i32 T0, $2, $3 vshl.i32 T1, T0, #13 vshr.u32 T0, T0, #19 veor $4, $4, T0 veor $4, $4, T1 vadd.i32 T0, $3, $4 vshl.i32 T1, T0, #18 vshr.u32 T0, T0, #14 veor $1, $1, T0 veor $1, $1, T1 >) .text .align 4 .Lmasks: .int 0,-1, 0,-1 .int 0,-1,-1, 0 .int 0, 0,-1,-1 C _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_salsa20_core) vldm SRC, {X0,X1,X2,X3} C Input rows: C 0 1 2 3 X0 C 4 5 6 7 X1 C 8 9 10 11 X2 C 12 13 14 15 X3 C Permuted to: C 0 5 10 15 C 4 9 14 3 C 8 13 2 7 C 12 1 6 11 C FIXME: Construct in some other way? adr r12, .Lmasks vldm r12, {M0101, M0110, M0011} vmov S1, X1 vmov S2, X2 vmov S3, X3 C Swaps in columns 1, 3: C 0 5 2 7 X0 ^ C 4 1 6 3 T0 v C 8 13 10 15 T1 ^ C 12 9 14 11 X3 v vmov T0, X1 vmov T1, X2 vbit T0, X0, M0101 vbit X0, X1, M0101 vbit T1, X3, M0101 vbit X3, X2, M0101 C Swaps in column 1, 2: C 0 5 2 7 X0 C 4 9 14 3 X1 ^ C 8 13 10 15 T1 | C 12 1 6 11 X3 v vmov X1, T0 vbit X1, X3, M0110 vbit X3, T0, M0110 C Swaps in columm 2,3: C 0 5 10 15 X0 ^ C 4 9 14 3 X1 | C 8 13 2 7 X2 v C 12 1 6 11 X3 vmov X2, T1 vbit X2, X0, M0011 vbit X0, T1, M0011 .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 5 10 15 C 3 4 9 14 >>> 1 C 2 7 8 13 >>> 2 C 1 6 11 12 >>> 3 vext.32 X1, X1, X1, #3 vext.32 X2, X2, X2, #2 vext.32 X3, X3, X3, #1 QROUND(X0, X3, X2, X1) subs ROUNDS, ROUNDS, #2 C Inverse rotation vext.32 X1, X1, X1, #1 vext.32 X2, X2, X2, #2 vext.32 X3, X3, X3, #3 bhi .Loop C Inverse swaps vmov T1, X2 vbit T1, X0, M0011 vbit X0, X2, M0011 vmov T0, X1 vbit T0, X3, M0110 vbit X3, X1, M0110 vmov X1, T0 vmov X2, T1 vbit X1, X0, M0101 vbit X0, T0, M0101 vbit X2, X3, M0101 vbit X3, T1, M0101 vld1.64 {T0}, [SRC] vadd.u32 X0, X0, T0 vadd.u32 X1, X1, S1 vadd.u32 X2, X2, S2 vadd.u32 X3, X3, S3 vstm DST, {X0,X1,X2,X3} bx lr EPILOGUE(_nettle_salsa20_core) divert(-1) define salsastate p/x $q0.u32 p/x $q1.u32 p/x $q2.u32 p/x $q3.u32 end nettle-3.4.1/arm/neon/sha512-compress.asm0000644000175000017500000002005713401564746017130 0ustar nissenisseC arm/neon/sha512-compress.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "sha512-compress.asm" .fpu neon define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C d8-d15 are callee-save define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Used only when reading the input, can overlap with state define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, <$1>) define(, eval(($1) % 16))>) C If x = W(i+14), y = w(i+1), we xor in parallel C C x << 45 y << 63 C x >> 19 y >> 1 C x << 3 y << 56 C x >> 61 y >> 8 C xor x >> 6 y >> 7 C ----------------------------- C DT0 DT1 define(, < vshl.i64 DT0, W($1+14), #45 vshl.i64 DT1, W($1 + 1), #63 vshr.u64 DT2, W($1+14), #19 vshr.u64 DT3, W($1 + 1), #1 vshl.i64 DT4, W($1+14), #3 vshl.i64 DT5, W($1 + 1), #56 veor.i64 QT01, QT01, QT23 vshr.u64 DT2, W($1+14), #61 vshr.u64 DT3, W($1 + 1), #8 veor.i64 QT01, QT01, QT45 vshr.u64 DT4, W($1+14), #6 vshr.u64 DT5, W($1 + 1), #7 veor.i64 QT01, QT01, QT23 vadd.i64 W($1), W($1), W($1 + 9) veor.i64 QT01, QT01, QT45 vadd.i64 W($1), W($1), DT0 vadd.i64 W($1), W($1), DT1 >) C ROUND(A,B,C,D,E,F,G,H,i) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<50 ^ E<<<46 ^ E<<<23 C S0(A) = A<<<36 ^ A<<<30 ^ A<<<25 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) C Do S1 and S0 in parallel C C e << 50 a << 36 C e >> 14 a >> 28 C e << 46 a << 30 C e >> 18 a >> 34 C e << 23 a << 25 C xor e >> 41 a >> 39 C ---------------------------- C DT0 DT1 define(, < vshl.i64 DT0, $5, #50 vshl.i64 DT1, $1, #36 vshr.u64 DT2, $5, #14 vshr.u64 DT3, $1, #28 vshl.i64 DT4, $5, #46 vshl.i64 DT5, $1, #30 veor QT01, QT01, QT23 vshr.u64 DT2, $5, #18 vshr.u64 DT3, $1, #34 veor QT01, QT01, QT45 vshl.i64 DT4, $5, #23 vshl.i64 DT5, $1, #25 veor QT01, QT01, QT23 vshr.u64 DT2, $5, #41 vshr.u64 DT3, $1, #39 veor QT01, QT01, QT45 veor DT4, $6, $7 veor DT5, $1, $2 vand DT4, DT4, $5 vand DT5, DT5, $3 veor DT4, DT4, $7 veor QT01, QT01, QT23 vand DT2, $1, $2 vldr DT3, [K,#eval(8*$9)] vadd.i64 $8, $8, W($9) vadd.i64 QT01, QT01, QT45 vadd.i64 $8, $8, DT3 vadd.i64 $8, $8, DT0 vadd.i64 DT1, DT1, DT2 vadd.i64 $4, $4, $8 vadd.i64 $8, $8, DT1 >) C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) .text .align 2 PROLOGUE(_nettle_sha512_compress) vpush {d8,d9,d10,d11,d12,d13} ands SHIFT, INPUT, #7 and INPUT, INPUT, #-8 vld1.8 {DT5}, [INPUT :64] addne INPUT, INPUT, #8 addeq SHIFT, SHIFT, #8 lsl SHIFT, SHIFT, #3 C Put right shift in DT0 and DT1, aka QT01 neg SHIFT, SHIFT vmov.i32 DT0, #0 vmov.32 DT0[0], SHIFT vmov DT1, DT0 C Put left shift in DT2 and DT3, aka QT23 add SHIFT, SHIFT, #64 vmov.i32 DT2, #0 vmov.32 DT2[0], SHIFT vmov DT3, DT2 vshl.u64 DT5, DT5, DT0 C Set w[i] <-- w[i-1] >> RSHIFT + w[i] << LSHIFT vld1.8 {W(0),W(1),W(2),W(3)}, [INPUT :64]! vshl.u64 QT67, QW0001, QT01 C Right shift vshl.u64 QW0001, QW0001, QT23 C Left shift veor W(0), W(0), DT5 veor W(1), W(1), DT6 vrev64.8 QW0001, QW0001 vshl.u64 QT45, QW0203, QT01 C Right shift vshl.u64 QW0203, QW0203, QT23 C Left shift veor W(2), W(2), DT7 veor W(3), W(3), DT4 vrev64.8 QW0203, QW0203 vld1.8 {W(4),W(5),W(6),W(7)}, [INPUT :64]! vshl.u64 QT67, QW0405, QT01 C Right shift vshl.u64 QW0405, QW0405, QT23 C Left shift veor W(4), W(4), DT5 veor W(5), W(5), DT6 vrev64.8 QW0405, QW0405 vshl.u64 QT45, QW0607, QT01 C Right shift vshl.u64 QW0607, QW0607, QT23 C Left shift veor W(6), W(6), DT7 veor W(7), W(7), DT4 vrev64.8 QW0607, QW0607 vld1.8 {W(8),W(9),W(10),W(11)}, [INPUT :64]! vshl.u64 QT67, QW0809, QT01 C Right shift vshl.u64 QW0809, QW0809, QT23 C Left shift veor W(8), W(8), DT5 veor W(9), W(9), DT6 vrev64.8 QW0809, QW0809 vshl.u64 QT45, QW1011, QT01 C Right shift vshl.u64 QW1011, QW1011, QT23 C Left shift veor W(10), W(10), DT7 veor W(11), W(11), DT4 vrev64.8 QW1011, QW1011 vld1.8 {W(12),W(13),W(14),W(15)}, [INPUT :64]! vshl.u64 QT67, QW1213, QT01 C Right shift vshl.u64 QW1213, QW1213, QT23 C Left shift veor W(12), W(12), DT5 veor W(13), W(13), DT6 vrev64.8 QW1213, QW1213 vshl.u64 QT45, QW1415, QT01 C Right shift vshl.u64 QW1415, QW1415, QT23 C Left shift veor W(14), W(14), DT7 veor W(15), W(15), DT4 vrev64.8 QW1415, QW1415 vldm STATE, {SA,SB,SC,SD,SE,SF,SG,SH} ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 0) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 1) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 2) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 3) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 4) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 5) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 6) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 7) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 8) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 9) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 10) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 11) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 12) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 13) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 14) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 15) add K, K, #128 mov COUNT, #4 .Loop: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 14) subs COUNT, COUNT, #1 EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 15) add K, K, #128 bne .Loop vld1.64 {DW0, DW1, DW2, DW3}, [STATE] vadd.i64 QSAB, QSAB, QW0001 vadd.i64 QSCD, QSCD, QW0203 vst1.64 {SA,SB,SC,SD}, [STATE]! vld1.64 {DW0, DW1, DW2, DW3}, [STATE] vadd.i64 QSEF, QSEF, QW0001 vadd.i64 QSGH, QSGH, QW0203 vst1.64 {SE,SF,SG,SH}, [STATE]! vpop {d8,d9,d10,d11,d12,d13} bx lr EPILOGUE(_nettle_sha512_compress) divert(-1) define shastate p/x $d0.u64 p/x $d1.u64 p/x $d2.u64 p/x $d3.u64 p/x $d4.u64 p/x $d5.u64 p/x $d6.u64 p/x $d7.u64 end nettle-3.4.1/arm/neon/chacha-core-internal.asm0000644000175000017500000000533513401564746020245 0ustar nissenisseC arm/neon/chacha-core-internal.asm ifelse(< Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "chacha-core-internal.asm" .fpu neon define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, < C x0 += x1, x3 ^= x0, x3 lrot 16 C x2 += x3, x1 ^= x2, x1 lrot 12 C x0 += x1, x3 ^= x0, x3 lrot 8 C x2 += x3, x1 ^= x2, x1 lrot 7 vadd.i32 $1, $1, $2 veor $4, $4, $1 vshl.i32 T0, $4, #16 vshr.u32 $4, $4, #16 veor $4, $4, T0 vadd.i32 $3, $3, $4 veor $2, $2, $3 vshl.i32 T0, $2, #12 vshr.u32 $2, $2, #20 veor $2, $2, T0 vadd.i32 $1, $1, $2 veor $4, $4, $1 vshl.i32 T0, $4, #8 vshr.u32 $4, $4, #24 veor $4, $4, T0 vadd.i32 $3, $3, $4 veor $2, $2, $3 vshl.i32 T0, $2, #7 vshr.u32 $2, $2, #25 veor $2, $2, T0 >) .text .align 4 C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_core) vldm SRC, {X0,X1,X2,X3} vmov S0, X0 vmov S1, X1 vmov S2, X2 vmov S3, X3 C Input rows: C 0 1 2 3 X0 C 4 5 6 7 X1 C 8 9 10 11 X2 C 12 13 14 15 X3 .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 1 2 3 C 5 6 7 4 >>> 3 C 10 11 8 9 >>> 2 C 15 12 13 14 >>> 1 vext.32 X1, X1, X1, #1 vext.32 X2, X2, X2, #2 vext.32 X3, X3, X3, #3 QROUND(X0, X1, X2, X3) subs ROUNDS, ROUNDS, #2 C Inverse rotation vext.32 X1, X1, X1, #3 vext.32 X2, X2, X2, #2 vext.32 X3, X3, X3, #1 bhi .Loop vadd.u32 X0, X0, S0 vadd.u32 X1, X1, S1 vadd.u32 X2, X2, S2 vadd.u32 X3, X3, S3 vstm DST, {X0,X1,X2,X3} bx lr EPILOGUE(_nettle_chacha_core) divert(-1) define chachastate p/x $q0.u32 p/x $q1.u32 p/x $q2.u32 p/x $q3.u32 end nettle-3.4.1/arm/neon/umac-nh.asm0000644000175000017500000000472413401564746015627 0ustar nissenisseC arm/neon/umac-nh.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "umac-nh.asm" .fpu neon define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) .text .align 3 PROLOGUE(_nettle_umac_nh) C Setup for 64-bit aligned reads ands SHIFT, MSG, #7 and MSG, MSG, #-8 vld1.8 {DM}, [MSG :64] addne MSG, MSG, #8 addeq SHIFT, SHIFT, #8 C FIXME: Combine as rsb ? lsl SHIFT, SHIFT, #3 neg SHIFT, SHIFT C Right shift in QRIGHT (both halves) vmov.i32 D0REG(QRIGHT)[0], SHIFT vmov.32 D1REG(QRIGHT), D0REG(QRIGHT) add SHIFT, SHIFT, #64 vmov.i32 D0REG(QLEFT)[0], SHIFT vmov.32 D1REG(QLEFT), D0REG(QLEFT) vmov.i64 QY, #0 vshl.u64 DM, DM, D0REG(QRIGHT) .Loop: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.i32 {QK0, QK1}, [KEY]! vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 subs LENGTH, LENGTH, #32 vmlal.u32 QY, D0REG(QA), D0REG(QB) vmlal.u32 QY, D1REG(QA), D1REG(QB) bhi .Loop vadd.i64 D0REG(QY), D0REG(QY), D1REG(QY) vmov r0, r1, D0REG(QY) bx lr EPILOGUE(_nettle_umac_nh) nettle-3.4.1/arm/ecc-192-modp.asm0000644000175000017500000000450213401564746015332 0ustar nissenisseC arm/ecc-192-modp.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-192-modp.asm" .arm define(, ) C Overlaps unused modulo argument define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Overlaps T0 and T1 define(

, ) define(, ) define(, ) C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(nettle_ecc_192_modp) push {r4,r5,r6,r7,r8,r10} C Reduce two words at a time add HP, RP, #48 add RP, RP, #8 ldmdb HP!, {H0,H1} ldm RP, {T2,T3,T4,T5,T6,T7} mov C4, #0 adds T4, T4, H0 adcs T5, T5, H1 adcs T6, T6, H0 adcs T7, T7, H1 C Need to add carry to T2 and T4, do T4 later. adc C4, C4, #0 ldmdb HP!, {H0,H1} mov C2, #0 adcs T2, T2, H0 adcs T3, T3, H1 adcs T4, T4, H0 adcs T5, T5, H1 C Need to add carry to T0 and T2, do T2 later adc C2, C2, #0 ldmdb RP!, {T0, T1} adcs T0, T0, T6 adcs T1, T1, T7 adcs T2, T2, T6 adcs T3, T3, T7 adc C4, C4, #0 adds T2, T2, C2 adcs T3, T3, #0 adcs T4, T4, C4 adcs T5, T5, #0 mov C2, #0 adc C2, C2, #0 C Add in final carry adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, C2 adcs T3, T3, #0 adcs T4, T4, #0 adc T5, T5, #0 stm RP, {T0,T1,T2,T3,T4,T5} pop {r4,r5,r6,r7,r8,r10} bx lr EPILOGUE(nettle_ecc_192_modp) nettle-3.4.1/arm/aes.m40000644000175000017500000000236213401564746013644 0ustar nissenisseC Loads one word, and adds it to the subkey. Uses T0 C AES_LOAD(SRC, KEY, REG) define(, < ldrb $3, [$1], #+1 ldrb T0, [$1], #+1 orr $3, T0, lsl #8 ldrb T0, [$1], #+1 orr $3, T0, lsl #16 ldrb T0, [$1], #+1 orr $3, T0, lsl #24 ldr T0, [$2], #+4 eor $3, T0 >) C Stores one word. Destroys input. C AES_STORE(DST, X) define(, < strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 >) C AES_FINAL_ROUND_V6(a,b,c,d,key,res) define(, < uxtb T0, $1 ldrb $6, [TABLE, T0] uxtb T0, $2, ror #8 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #8 uxtb T0, $3, ror #16 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #16 ldrb T0, [TABLE, $4, lsr #24] eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, $6, T0 >) C AES_FINAL_ROUND_V5(a,b,c,d,key,res,mask) C Avoids the uxtb instruction, introduced in ARMv6. C The mask argument should hold the constant 0xff define(, < and T0, $7, $1 ldrb $6, [TABLE, T0] and T0, $7, $2, ror #8 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #8 and T0, $7, $3, ror #16 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #16 ldrb T0, [TABLE, $4, lsr #24] eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, T0 >) nettle-3.4.1/arm/machine.m40000644000175000017500000000145613401564746014503 0ustar nissenissedefine(, )>)dnl define(, )>)dnl define(, )>)dnl nettle-3.4.1/arm/memxor3.asm0000644000175000017500000001363413401564746014732 0ustar nissenisseC arm/memxor3.asm ifelse(< Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Possible speedups: C C The ldm instruction can do load two registers per cycle, C if the address is two-word aligned. Or three registers in two C cycles, regardless of alignment. C Register usage: define(, ) define(, ) define(, ) define(, ) C Temporaries r4-r7 define(, ) define(, ) define(, ) define(, ) .syntax unified .file "memxor3.asm" .text .arm C memxor3(void *dst, const void *a, const void *b, size_t n) .align 2 PROLOGUE(nettle_memxor3) cmp N, #0 beq .Lmemxor3_ret push {r4,r5,r6,r7,r8,r10,r11} cmp N, #7 add AP, N add BP, N add DST, N bcs .Lmemxor3_large C Simple byte loop .Lmemxor3_bytes: ldrb r4, [AP, #-1]! ldrb r5, [BP, #-1]! eor r4, r5 strb r4, [DST, #-1]! subs N, #1 bne .Lmemxor3_bytes .Lmemxor3_done: pop {r4,r5,r6,r7,r8,r10,r11} .Lmemxor3_ret: bx lr .Lmemxor3_align_loop: ldrb r4, [AP, #-1]! ldrb r5, [BP, #-1]! eor r5, r4 strb r5, [DST, #-1]! sub N, #1 .Lmemxor3_large: tst DST, #3 bne .Lmemxor3_align_loop C We have at least 4 bytes left to do here. sub N, #4 ands ACNT, AP, #3 lsl ACNT, #3 beq .Lmemxor3_a_aligned ands BCNT, BP, #3 lsl BCNT, #3 bne .Lmemxor3_uu C Swap mov r4, AP mov AP, BP mov BP, r4 .Lmemxor3_au: C NOTE: We have the relevant shift count in ACNT, not BCNT C AP is aligned, BP is not C v original SRC C +-------+------+ C |SRC-4 |SRC | C +---+---+------+ C |DST-4 | C +-------+ C C With little-endian, we need to do C DST[i-i] ^= (SRC[i-i] >> CNT) ^ (SRC[i] << TNC) rsb ATNC, ACNT, #32 bic BP, #3 ldr r4, [BP] tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor3_au_odd .Lmemxor3_au_loop: ldr r5, [BP, #-4]! ldr r6, [AP, #-4]! eor r6, r6, r4, lsl ATNC eor r6, r6, r5, lsr ACNT str r6, [DST, #-4]! .Lmemxor3_au_odd: ldr r4, [BP, #-4]! ldr r6, [AP, #-4]! eor r6, r6, r5, lsl ATNC eor r6, r6, r4, lsr ACNT str r6, [DST, #-4]! subs N, #8 bcs .Lmemxor3_au_loop adds N, #8 beq .Lmemxor3_done C Leftover bytes in r4, low end ldr r5, [AP, #-4] eor r4, r5, r4, lsl ATNC .Lmemxor3_au_leftover: C Store a byte at a time ror r4, #24 strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 sub AP, #1 bne .Lmemxor3_au_leftover b .Lmemxor3_bytes .Lmemxor3_a_aligned: ands ACNT, BP, #3 lsl ACNT, #3 bne .Lmemxor3_au ; C a, b and dst all have the same alignment. subs N, #8 bcc .Lmemxor3_aligned_word_end C This loop runs at 8 cycles per iteration. It has been C observed running at only 7 cycles, for this speed, the loop C started at offset 0x2ac in the object file. C FIXME: consider software pipelining, similarly to the memxor C loop. .Lmemxor3_aligned_word_loop: ldmdb AP!, {r4,r5,r6} ldmdb BP!, {r7,r8,r10} subs N, #12 eor r4, r7 eor r5, r8 eor r6, r10 stmdb DST!, {r4, r5,r6} bcs .Lmemxor3_aligned_word_loop .Lmemxor3_aligned_word_end: C We have 0-11 bytes left to do, and N holds number of bytes -12. adds N, #4 bcc .Lmemxor3_aligned_lt_8 C Do 8 bytes more, leftover is in N ldmdb AP!, {r4, r5} ldmdb BP!, {r6, r7} eor r4, r6 eor r5, r7 stmdb DST!, {r4,r5} beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_aligned_lt_8: adds N, #4 bcc .Lmemxor3_aligned_lt_4 ldr r4, [AP,#-4]! ldr r5, [BP,#-4]! eor r4, r5 str r4, [DST,#-4]! beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_aligned_lt_4: adds N, #4 beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_uu: cmp ACNT, BCNT bic AP, #3 bic BP, #3 rsb ATNC, ACNT, #32 bne .Lmemxor3_uud C AP and BP are unaligned in the same way ldr r4, [AP] ldr r6, [BP] eor r4, r6 tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor3_uu_odd .Lmemxor3_uu_loop: ldr r5, [AP, #-4]! ldr r6, [BP, #-4]! eor r5, r6 lsl r4, ATNC eor r4, r4, r5, lsr ACNT str r4, [DST, #-4]! .Lmemxor3_uu_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! eor r4, r6 lsl r5, ATNC eor r5, r5, r4, lsr ACNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uu_loop adds N, #8 beq .Lmemxor3_done C Leftover bytes in a4, low end ror r4, ACNT .Lmemxor3_uu_leftover: ror r4, #24 strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 bne .Lmemxor3_uu_leftover b .Lmemxor3_bytes .Lmemxor3_uud: C Both AP and BP unaligned, and in different ways rsb BTNC, BCNT, #32 ldr r4, [AP] ldr r6, [BP] tst N, #4 ittet eq moveq r5, r4 moveq r7, r6 subne N, #4 beq .Lmemxor3_uud_odd .Lmemxor3_uud_loop: ldr r5, [AP, #-4]! ldr r7, [BP, #-4]! lsl r4, ATNC eor r4, r4, r6, lsl BTNC eor r4, r4, r5, lsr ACNT eor r4, r4, r7, lsr BCNT str r4, [DST, #-4]! .Lmemxor3_uud_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! lsl r5, ATNC eor r5, r5, r7, lsl BTNC eor r5, r5, r4, lsr ACNT eor r5, r5, r6, lsr BCNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uud_loop adds N, #8 beq .Lmemxor3_done C FIXME: More clever left-over handling? For now, just adjust pointers. add AP, AP, ACNT, lsr #3 add BP, BP, BCNT, lsr #3 b .Lmemxor3_bytes EPILOGUE(nettle_memxor3) nettle-3.4.1/arm/ecc-384-modp.asm0000644000175000017500000001171313401564746015337 0ustar nissenisseC arm/ecc-384-modp.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-384-modp.asm" .arm define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(nettle_ecc_384_modp) push {r4,r5,r6,r7,r8,r10,lr} add RP, RP, #80 ldm RP, {T0, T1, T2, T3} C 20-23 C First get top 4 limbs, which need folding twice, as C C T3 T2 T1 T0 C T3 T2 T1 C -T3 C ---------------- C F4 F3 F2 F1 F0 C C Start with C C T3 T1 T0 C T1 C -T3 C ----------- C F2 F1 F0 Always fits adds F0, T0, T1 adcs F1, T1, #0 adcs F2, T3, #0 subs F0, F0, T3 sbcs F1, F1, #0 sbcs F2, F2, #0 C T3 T2 T2 0 C F2 F1 F0 C ---------------- C F4 F3 F2 F1 F0 mov F4, #0 adds F1, F1, T2 adcs F2, F2, T2 adcs F3, T3, #0 adcs F4, F4, #0 C Add in to high part sub RP, RP, #32 ldm RP, {T0, T1, T2, T3} C 12-15 mov H, #0 adds F0, T0, F0 adcs F1, T1, F1 adcs F2, T2, F2 adcs F3, T3, F3 adcs F4, F4, #0 C Do F4 later C Add to low part, keeping carry (positive or negative) in H sub RP, RP, #48 ldm RP, {T0, T1, T2, T3} C 0-3 mov H, #0 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 subs T1, T1, F0 sbcs T2, T2, F1 sbcs T3, T3, F2 sbc H, H, #0 adds T3, T3, F0 adc H, H, #0 stm RP!, {T0,T1,T2,T3} C 0-3 mov N, #2 .Loop: ldm RP, {T0,T1,T2,T3} C 4-7 C First, propagate carry adds T0, T0, H asr H, #31 C Sign extend adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H adc H, H, #0 C +B^4 term adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 C +B^3 terms ldr F0, [RP, #+48] C 16 adds T0, T0, F1 adcs T1, T1, F2 adcs T2, T2, F3 adcs T3, T3, F0 adc H, H, #0 C -B ldr F1, [RP, #+52] C 17-18 ldr F2, [RP, #+56] subs T0, T0, F3 sbcs T1, T1, F0 sbcs T2, T2, F1 sbcs T3, T3, F2 sbcs H, H, #0 C +1 ldr F3, [RP, #+60] C 19 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 subs N, N, #1 stm RP!, {T0,T1,T2,T3} bne .Loop C Fold high limbs, we need to add in C C F4 F4 0 -F4 F4 H H 0 -H H C C We always have F4 >= 0, but we can have H < 0. C Sign extension gets tricky when F4 = 0 and H < 0. sub RP, RP, #48 ldm RP, {T0,T1,T2,T3} C 0-3 C H H 0 -H H C ---------------- C S H F3 F2 F1 F0 C C Define S = H >> 31 (asr), we then have C C F0 = H C F1 = S - H C F2 = - [H > 0] C F3 = H - [H > 0] C H = H + S C C And we get underflow in S - H iff H > 0 C H = 0 H > 0 H = -1 mov F0, H C 0 H -1 asr H, #31 subs F1, H, F0 C 0,C=1 -H,C=0 0,C=1 sbc F2, F2, F2 C 0 -1 0 sbc F3, F0, #0 C 0 H-1 -1 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, F0 C 0+cy H+cy -2+cy stm RP!, {T0,T1,T2,T3} C 0-3 ldm RP, {T0,T1,T2,T3} C 4-7 C F4 0 -F4 C --------- C F3 F2 F1 rsbs F1, F4, #0 sbc F2, F2, F2 sbc F3, F4, #0 C Sign extend H adds F0, F4, H asr H, H, #31 adcs F1, F1, H adcs F2, F2, H adcs F3, F3, H adcs F4, F4, H adc H, H, #0 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 stm RP!, {T0,T1,T2,T3} C 4-7 ldm RP, {T0,T1,T2,T3} C 8-11 adcs T0, T0, F4 adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H adc H, H, #0 stm RP, {T0,T1,T2,T3} C 8-11 C Final (unlikely) carry sub RP, RP, #32 ldm RP, {T0,T1,T2,T3} C 0-3 C Fold H into F0-F4 mov F0, H asr H, #31 subs F1, H, F0 sbc F2, F2, F2 sbc F3, F0, #0 add F4, F0, H adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 stm RP!, {T0,T1,T2,T3} C 0-3 ldm RP, {T0,T1,T2,T3} C 4-7 adcs T0, T0, F4 adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H stm RP!, {T0,T1,T2,T3} C 4-7 ldm RP, {T0,T1,T2,T3} C 8-11 adcs T0, T0, H adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H stm RP!, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,pc} EPILOGUE(nettle_ecc_384_modp) nettle-3.4.1/arm/fat/0000755000175000017500000000000013401564746013401 5ustar nissenissenettle-3.4.1/arm/fat/aes-encrypt-internal-2.asm0000644000175000017500000000215513401564746020311 0ustar nissenisseC arm/fat/aes-encrypt-internal-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_armv6>) include_src() nettle-3.4.1/arm/fat/aes-decrypt-internal.asm0000644000175000017500000000214613401564746020140 0ustar nissenisseC arm/fat/aes-decrypt-internal.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_arm>) include_src() nettle-3.4.1/arm/fat/aes-decrypt-internal-2.asm0000644000175000017500000000215513401564746020277 0ustar nissenisseC arm/fat/aes-decrypt-internal-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_armv6>) include_src() nettle-3.4.1/arm/fat/umac-nh-n-2.asm0000644000175000017500000000222013401564746016021 0ustar nissenisseC arm/fat/umac-nh-n-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) dnl PROLOGUE(_nettle_umac_nh_n) picked up by configure define(, <$1_neon>) include_src() nettle-3.4.1/arm/fat/umac-nh-2.asm0000644000175000017500000000221213401564746015567 0ustar nissenisseC arm/fat/umac-nh-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) dnl PROLOGUE(_nettle_umac_nh) picked up by configure define(, <$1_neon>) include_src() nettle-3.4.1/arm/fat/salsa20-core-internal-2.asm0000644000175000017500000000225313401564746020251 0ustar nissenisseC arm/fat/salsa20-core-internal-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) dnl PROLOGUE(_nettle_salsa20_core) picked up by configure define(, <$1_neon>) include_src() nettle-3.4.1/arm/fat/sha256-compress-2.asm0000644000175000017500000000224113401564746017102 0ustar nissenisseC arm/fat/sha256-compress-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) dnl PROLOGUE(_nettle_sha256_compress) picked up by configure define(, <$1_armv6>) include_src() nettle-3.4.1/arm/fat/aes-encrypt-internal.asm0000644000175000017500000000214613401564746020152 0ustar nissenisseC arm/fat/aes-encrypt-internal.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) define(, <$1_arm>) include_src() nettle-3.4.1/arm/fat/sha512-compress-2.asm0000644000175000017500000000224013401564746017074 0ustar nissenisseC arm/fat/sha3-compress-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) dnl PROLOGUE(_nettle_sha512_compress) picked up by configure define(, <$1_neon>) include_src() nettle-3.4.1/arm/fat/sha3-permute-2.asm0000644000175000017500000000223213401564746016556 0ustar nissenisseC arm/fat/sha3-permute-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) dnl PROLOGUE(_nettle_sha3_permute) picked up by configure define(, <_$1_neon>) include_src() nettle-3.4.1/arm/fat/sha1-compress-2.asm0000644000175000017500000000223313401564746016727 0ustar nissenisseC arm/fat/sha1-compress-2.asm ifelse(< Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) dnl PROLOGUE(_nettle_sha1_compress) picked up by configure define(, <$1_armv6>) include_src() nettle-3.4.1/arm/aes-encrypt-internal.asm0000644000175000017500000001075213401564746017402 0ustar nissenisseC arm/aes-encrypt-internal.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) include_src() C Benchmarked at at 725, 815, 990 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. define(, ) define(, ) define(

, ) define(, ) C On stack: DST, SRC define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Overlaps inputs, except TABLE define(, ) define(, ) define(, ) define(, ) C lr define(, <[sp]>) define(, <[sp, #+4]>) define(, <[sp, #+8]>) C 8 saved registers define(, <[sp, #+44]>) define(, <[sp, #+48]>) C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) C MASK should hold the constant 0x3fc. define(, < and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] and T0, MASK, $2, lsl #2 ldr $6, [TABLE, T0] and T0, MASK, $3, lsl #2 ldr $7, [TABLE, T0] and T0, MASK, $4, lsl #2 ldr $8, [TABLE, T0] and T0, MASK, $2, ror #6 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $3, ror #6 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $4, ror #6 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $1, ror #6 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $3, ror #14 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $4, ror #14 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $1, ror #14 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $2, ror #14 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $4, ror #22 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $1, ror #22 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $2, ror #22 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $3, ror #22 ldr T0, [TABLE, T0] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 >) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_encrypt) teq PARAM_LENGTH, #0 beq .Lend push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: ldr X0, FRAME_SRC C Use X0 as SRC pointer ldm sp, {COUNT, KEY} AES_LOAD(X0,KEY,W0) AES_LOAD(X0,KEY,W1) AES_LOAD(X0,KEY,W2) AES_LOAD(X0,KEY,W3) str X0, FRAME_SRC add TABLE, TABLE, #AES_TABLE0 b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round AES_FINAL_ROUND_V5(X0, X1, X2, X3, KEY, W0, COUNT) AES_FINAL_ROUND_V5(X1, X2, X3, X0, KEY, W1, COUNT) AES_FINAL_ROUND_V5(X2, X3, X0, X1, KEY, W2, COUNT) AES_FINAL_ROUND_V5(X3, X0, X1, X2, KEY, W3, COUNT) ldr X0, FRAME_DST ldr X1, FRAME_LENGTH AES_STORE(X0,W0) AES_STORE(X0,W1) AES_STORE(X0,W2) AES_STORE(X0,W3) subs X1, X1, #16 str X0, FRAME_DST str X1, FRAME_LENGTH bhi .Lblock_loop add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_encrypt) nettle-3.4.1/arm/ecc-224-modp.asm0000644000175000017500000000546213401564746015334 0ustar nissenisseC arm/ecc-224-modp.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-224-modp.asm" .arm define(, ) define(, ) C Overlaps unused modulo argument define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(nettle_ecc_224_modp) push {r4,r5,r6,r7,r8,r10,r11,lr} add L2, RP, #28 ldm L2, {T0,T1,T2,T3,T4,T5,T6} mov H, #0 adds T0, T0, T4 adcs T1, T1, T5 adcs T2, T2, T6 adc H, H, #0 C This switch from adcs to sbcs takes carry into account with C correct sign, but it always subtracts 1 too much. We arrange C to also add B^7 + 1 below, so the effect is adding p. This C addition of p also ensures that the result never is C negative. sbcs N3, T3, T0 sbcs T4, T4, T1 sbcs T5, T5, T2 sbcs T6, T6, H mov H, #1 C This is the B^7 sbc H, #0 subs T6, T6, T3 sbc H, #0 C Now subtract from low half ldm RP!, {L0,L1,L2} C Clear carry, with the sbcs, this is the 1. adds RP, #0 sbcs T0, L0, T0 sbcs T1, L1, T1 sbcs T2, L2, T2 ldm RP!, {T3,L0,L1,L2} sbcs T3, T3, N3 sbcs T4, L0, T4 sbcs T5, L1, T5 sbcs T6, L2, T6 rsc H, H, #0 C Now -2 <= H <= 0 is the borrow, so subtract (B^3 - 1) |H| C Use (B^3 - 1) H = if -1 <=H <= 0, and C (B^3 - 1) H = <1,B-1, B-1, B-2> if H = -2 subs T0, T0, H asr L1, H, #1 sbcs T1, T1, L1 eor H, H, L1 sbcs T2, T2, L1 sbcs T3, T3, H sbcs T4, T4, #0 sbcs T5, T5, #0 sbcs T6, T6, #0 sbcs H, H, H C Final borrow, subtract (B^3 - 1) |H| subs T0, T0, H sbcs T1, T1, H sbcs T2, T2, H sbcs T3, T3, #0 sbcs T4, T4, #0 sbcs T5, T5, #0 sbcs T6, T6, #0 stmdb RP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(nettle_ecc_224_modp) nettle-3.4.1/arm/v6/0000755000175000017500000000000013401564746013162 5ustar nissenissenettle-3.4.1/arm/v6/aes-decrypt-internal.asm0000644000175000017500000001023113401564746017713 0ustar nissenisseC arm/v6/aes-decrypt-internal.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .arch armv6 include_src() define(, ) define(, ) define(
, ) define(, ) C On stack: DST, SRC define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Overlaps PARAM_ROUNDS and PARAM_KEYS define(, ) define(, ) define(, ) C lr define(>, <[sp]>) define(, <[sp, #+4]>) C 8 saved registers define(, <[sp, #+40]>) define(, <[sp, #+44]>) define(, ) C Overlap registers used in inner loop. define(, ) C AES_DECRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) define(, < uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 ldr $6, [TABLE, T0, lsl #2] uxtb T0, $3 ldr $7, [TABLE, T0, lsl #2] uxtb T0, $4 ldr $8, [TABLE, T0, lsl #2] uxtb T0, $4, ror #8 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $1, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $2, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $3, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $3, ror #16 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $4, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $1, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $2, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $2, ror #24 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $3, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $4, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $1, ror #24 ldr T0, [TABLE, T0, lsl #2] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 >) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_decrypt) teq LENGTH, #0 beq .Lend ldr SRC, [sp, #+4] push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} ALIGN(16) .Lblock_loop: ldm sp, {COUNT, KEY} add TABLE, TABLE, #AES_TABLE0 AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) str SRC, FRAME_SRC b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 C Final round ldr DST, FRAME_DST AES_FINAL_ROUND_V6(X0, X3, X2, X1, KEY, W0) AES_FINAL_ROUND_V6(X1, X0, X3, X2, KEY, W1) AES_FINAL_ROUND_V6(X2, X1, X0, X3, KEY, W2) AES_FINAL_ROUND_V6(X3, X2, X1, X0, KEY, W3) ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_decrypt) nettle-3.4.1/arm/v6/sha256-compress.asm0000644000175000017500000001171513401564746016532 0ustar nissenisseC arm/v6/sha256-compress.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "sha256-compress.asm" .arch armv6 define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Overlap INPUT define(, ) C Overlap STATE define(, ) C Used for data load define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, < ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 14) % 16))] ror T1, T0, #17 eor T1, T1, T0, ror #19 eor T1, T1, T0, lsr #10 add W, W, T1 ldr T0, [sp, #+eval(4*(($1 + 9) % 16))] add W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 1) % 16))] ror T1, T0, #7 eor T1, T1, T0, ror #18 eor T1, T1, T0, lsr #3 add W, W, T1 str W, [sp, #+eval(4*$1)] >) C ROUND(A,B,C,D,E,F,G,H) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<26 ^ E<<<21 ^ E<<<7 C S0(A) = A<<<30 ^ A<<<19 ^ A<<<10 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(, < ror T0, $5, #6 eor T0, T0, $5, ror #11 eor T0, T0, $5, ror #25 add $8, $8, T0 eor T0, $6, $7 and T0, T0, $5 eor T0, T0, $7 add $8,$8, T0 ldr T0, [K], #+4 add $8, $8, W add $8, $8, T0 add $4, $4, $8 ror T0, $1, #2 eor T0, T0, $1, ror #13 eor T0, T0, $1, ror #22 add $8, $8, T0 and T0, $1, $2 add $8, $8, T0 eor T0, $1, $2 and T0, T0, $3 add $8, $8, T0 >) define(, < ldr W, [sp, + $1] add $1, $1, #4 >) C void C _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) .text .align 2 PROLOGUE(_nettle_sha256_compress) push {r4,r5,r6,r7,r8,r10,r11,r14} sub sp, sp, #68 str STATE, [sp, #+64] C Load data up front, since we don't have enough registers C to load and shift on-the-fly ands SHIFT, INPUT, #3 and INPUT, INPUT, $-4 ldr I0, [INPUT] addne INPUT, INPUT, #4 lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 lsl I1, T0, SHIFT uadd8 T0, T0, I1 C Sets APSR.GE bits mov DST, sp mov ILEFT, #4 .Lcopy: ldm INPUT!, {I1,I2,I3,I4} sel I0, I0, I1 ror I0, I0, SHIFT rev I0, I0 sel I1, I1, I2 ror I1, I1, SHIFT rev I1, I1 sel I2, I2, I3 ror I2, I2, SHIFT rev I2, I2 sel I3, I3, I4 ror I3, I3, SHIFT rev I3, I3 subs ILEFT, ILEFT, #1 stm DST!, {I0,I1,I2,I3} mov I0, I4 bne .Lcopy ldm STATE, {SA,SB,SC,SD,SE,SF,SG,SH} mov COUNT,#0 .Loop1: NOEXPN(COUNT) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) NOEXPN(COUNT) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) NOEXPN(COUNT) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) NOEXPN(COUNT) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) NOEXPN(COUNT) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) NOEXPN(COUNT) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) NOEXPN(COUNT) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) NOEXPN(COUNT) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) cmp COUNT,#64 bne .Loop1 mov COUNT, #3 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) subs COUNT, COUNT, #1 EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) bne .Loop2 ldr STATE, [sp, #+64] C No longer needed registers ldm STATE, {r1,r2,r12,r14} add SA, SA, r1 add SB, SB, r2 add SC, SC, r12 add SD, SD, r14 stm STATE!, {SA,SB,SC,SD} ldm STATE, {r1,r2,r12,r14} add SE, SE, r1 add SF, SF, r2 add SG, SG, r12 add SH, SH, r14 stm STATE!, {SE,SF,SG,SH} add sp, sp, #68 pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(_nettle_sha256_compress) nettle-3.4.1/arm/v6/sha1-compress.asm0000644000175000017500000001427313401564746016360 0ustar nissenisseC arm/v6/sha1-compress.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "sha1-compress.asm" .arch armv6 define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C FIXME: Could avoid a mov with even and odd variants. define(, < ldr T0, [INPUT], #+4 sel W, WPREV, T0 ror W, W, SHIFT mov WPREV, T0 rev W, W str W, [SP,#eval(4*$1)] >) define(, < ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 2) % 16))] eor W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 8) % 16))] eor W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 13) % 16))] eor W, W, T0 ror W, W, #31 str W, [sp, #+eval(4*$1)] >) C F1(B,C,D) = D^(B&(C^D)) C ROUND1(A,B,C,D,E) define(, < eor T0, $3, $4 add $5, $5, K and T0, T0, $2 add $5, $5, $1, ror #27 eor T0, T0, $4 add $5, $5, W ror $2, $2, #2 add $5, $5, T0 >) C F2(B,C,D) = B^C^D define(, < eor T0, $2, $4 add $5, $5, K eor T0, T0, $3 add $5, $5, $1, ror #27 add $5, $5, W ror $2, $2, #2 add $5, $5, T0 >) C F3(B,C,D) = (B&C) | (D & (B|C)) = (B & (C ^ D)) + (C & D) define(, < eor T0, $3, $4 add $5, $5, K and T0, T0, $2 add $5, $5, $1, ror #27 add $5, $5, T0 add $5, $5, W and T0, $3, $4 ror $2, $2, #2 add $5, $5, T0 >) C void _nettle_sha1_compress(uint32_t *state, const uint8_t *input) .text .align 2 .LK1: .int 0x5A827999 .LK2: .int 0x6ED9EBA1 .LK3: .int 0x8F1BBCDC PROLOGUE(_nettle_sha1_compress) push {r4,r5,r6,r7,r8,r10,lr} sub sp, sp, #64 C Sets SHIFT to 8*low bits of input pointer. Sets up GE flags C as follows, corresponding to bytes to be used from WPREV C SHIFT 0 8 16 24 C CPSR.GE 0000 1110 1100 1000 ands SHIFT, INPUT, #3 and INPUT, INPUT, $-4 ldr WPREV, [INPUT] addne INPUT, INPUT, #4 C Unaligned input lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 lsl W, T0, SHIFT uadd8 T0, T0, W C Sets APSR.GE bits ldr K, .LK1 ldm STATE, {SA,SB,SC,SD,SE} LOAD( 0) ROUND1(SA, SB, SC, SD, SE) LOAD( 1) ROUND1(SE, SA, SB, SC, SD) LOAD( 2) ROUND1(SD, SE, SA, SB, SC) LOAD( 3) ROUND1(SC, SD, SE, SA, SB) LOAD( 4) ROUND1(SB, SC, SD, SE, SA) LOAD( 5) ROUND1(SA, SB, SC, SD, SE) LOAD( 6) ROUND1(SE, SA, SB, SC, SD) LOAD( 7) ROUND1(SD, SE, SA, SB, SC) LOAD( 8) ROUND1(SC, SD, SE, SA, SB) LOAD( 9) ROUND1(SB, SC, SD, SE, SA) LOAD(10) ROUND1(SA, SB, SC, SD, SE) LOAD(11) ROUND1(SE, SA, SB, SC, SD) LOAD(12) ROUND1(SD, SE, SA, SB, SC) LOAD(13) ROUND1(SC, SD, SE, SA, SB) LOAD(14) ROUND1(SB, SC, SD, SE, SA) LOAD(15) ROUND1(SA, SB, SC, SD, SE) EXPN( 0) ROUND1(SE, SA, SB, SC, SD) EXPN( 1) ROUND1(SD, SE, SA, SB, SC) EXPN( 2) ROUND1(SC, SD, SE, SA, SB) EXPN( 3) ROUND1(SB, SC, SD, SE, SA) ldr K, .LK2 EXPN( 4) ROUND2(SA, SB, SC, SD, SE) EXPN( 5) ROUND2(SE, SA, SB, SC, SD) EXPN( 6) ROUND2(SD, SE, SA, SB, SC) EXPN( 7) ROUND2(SC, SD, SE, SA, SB) EXPN( 8) ROUND2(SB, SC, SD, SE, SA) EXPN( 9) ROUND2(SA, SB, SC, SD, SE) EXPN(10) ROUND2(SE, SA, SB, SC, SD) EXPN(11) ROUND2(SD, SE, SA, SB, SC) EXPN(12) ROUND2(SC, SD, SE, SA, SB) EXPN(13) ROUND2(SB, SC, SD, SE, SA) EXPN(14) ROUND2(SA, SB, SC, SD, SE) EXPN(15) ROUND2(SE, SA, SB, SC, SD) EXPN( 0) ROUND2(SD, SE, SA, SB, SC) EXPN( 1) ROUND2(SC, SD, SE, SA, SB) EXPN( 2) ROUND2(SB, SC, SD, SE, SA) EXPN( 3) ROUND2(SA, SB, SC, SD, SE) EXPN( 4) ROUND2(SE, SA, SB, SC, SD) EXPN( 5) ROUND2(SD, SE, SA, SB, SC) EXPN( 6) ROUND2(SC, SD, SE, SA, SB) EXPN( 7) ROUND2(SB, SC, SD, SE, SA) ldr K, .LK3 EXPN( 8) ROUND3(SA, SB, SC, SD, SE) EXPN( 9) ROUND3(SE, SA, SB, SC, SD) EXPN(10) ROUND3(SD, SE, SA, SB, SC) EXPN(11) ROUND3(SC, SD, SE, SA, SB) EXPN(12) ROUND3(SB, SC, SD, SE, SA) EXPN(13) ROUND3(SA, SB, SC, SD, SE) EXPN(14) ROUND3(SE, SA, SB, SC, SD) EXPN(15) ROUND3(SD, SE, SA, SB, SC) EXPN( 0) ROUND3(SC, SD, SE, SA, SB) EXPN( 1) ROUND3(SB, SC, SD, SE, SA) EXPN( 2) ROUND3(SA, SB, SC, SD, SE) EXPN( 3) ROUND3(SE, SA, SB, SC, SD) EXPN( 4) ROUND3(SD, SE, SA, SB, SC) EXPN( 5) ROUND3(SC, SD, SE, SA, SB) EXPN( 6) ROUND3(SB, SC, SD, SE, SA) EXPN( 7) ROUND3(SA, SB, SC, SD, SE) EXPN( 8) ROUND3(SE, SA, SB, SC, SD) EXPN( 9) ROUND3(SD, SE, SA, SB, SC) EXPN(10) ROUND3(SC, SD, SE, SA, SB) EXPN(11) ROUND3(SB, SC, SD, SE, SA) ldr K, .LK4 EXPN(12) ROUND2(SA, SB, SC, SD, SE) EXPN(13) ROUND2(SE, SA, SB, SC, SD) EXPN(14) ROUND2(SD, SE, SA, SB, SC) EXPN(15) ROUND2(SC, SD, SE, SA, SB) EXPN( 0) ROUND2(SB, SC, SD, SE, SA) EXPN( 1) ROUND2(SA, SB, SC, SD, SE) EXPN( 2) ROUND2(SE, SA, SB, SC, SD) EXPN( 3) ROUND2(SD, SE, SA, SB, SC) EXPN( 4) ROUND2(SC, SD, SE, SA, SB) EXPN( 5) ROUND2(SB, SC, SD, SE, SA) EXPN( 6) ROUND2(SA, SB, SC, SD, SE) EXPN( 7) ROUND2(SE, SA, SB, SC, SD) EXPN( 8) ROUND2(SD, SE, SA, SB, SC) EXPN( 9) ROUND2(SC, SD, SE, SA, SB) EXPN(10) ROUND2(SB, SC, SD, SE, SA) EXPN(11) ROUND2(SA, SB, SC, SD, SE) EXPN(12) ROUND2(SE, SA, SB, SC, SD) EXPN(13) ROUND2(SD, SE, SA, SB, SC) EXPN(14) ROUND2(SC, SD, SE, SA, SB) EXPN(15) ROUND2(SB, SC, SD, SE, SA) C Use registers we no longer need. ldm STATE, {INPUT,T0,SHIFT,W,K} add SA, SA, INPUT add SB, SB, T0 add SC, SC, SHIFT add SD, SD, W add SE, SE, K add sp, sp, #64 stm STATE, {SA,SB,SC,SD,SE} pop {r4,r5,r6,r7,r8,r10,pc} EPILOGUE(_nettle_sha1_compress) .LK4: .int 0xCA62C1D6 nettle-3.4.1/arm/v6/aes-encrypt-internal.asm0000644000175000017500000001065313401564746017735 0ustar nissenisseC arm/v6/aes-encrypt-internal.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .arch armv6 include_src() C Benchmarked at at 706, 870, 963 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. define(, ) define(, ) define(
, ) define(, ) C On stack: DST, SRC define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C Overlaps PARAM_ROUNDS and PARAM_KEYS define(, ) define(, ) define(, ) C lr define(>, <[sp]>) define(, <[sp, #+4]>) C 8 saved registers define(, <[sp, #+40]>) define(, <[sp, #+44]>) define(, ) C Overlap registers used in inner loop. define(, ) C 53 instr. C It's tempting to use eor with rotation, but that's slower. C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) define(, < uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 ldr $6, [TABLE, T0, lsl #2] uxtb T0, $3 ldr $7, [TABLE, T0, lsl #2] uxtb T0, $4 ldr $8, [TABLE, T0, lsl #2] uxtb T0, $2, ror #8 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $3, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $4, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $1, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $3, ror #16 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $4, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $1, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $2, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $4, ror #24 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $1, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $2, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $3, ror #24 ldr T0, [TABLE, T0, lsl #2] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 >) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_encrypt) teq LENGTH, #0 beq .Lend ldr SRC, [sp, #+4] push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} ALIGN(16) .Lblock_loop: ldm sp, {COUNT, KEY} add TABLE, TABLE, #AES_TABLE0 AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) str SRC, FRAME_SRC b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 C Final round ldr DST, FRAME_DST AES_FINAL_ROUND_V6(X0, X1, X2, X3, KEY, W0) AES_FINAL_ROUND_V6(X1, X2, X3, X0, KEY, W1) AES_FINAL_ROUND_V6(X2, X3, X0, X1, KEY, W2) AES_FINAL_ROUND_V6(X3, X0, X1, X2, KEY, W3) ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_encrypt) nettle-3.4.1/arm/memxor.asm0000644000175000017500000001073013401564746014641 0ustar nissenisseC arm/memxor.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) C Possible speedups: C C The ldm instruction can do load two registers per cycle, C if the address is two-word aligned. Or three registers in two C cycles, regardless of alignment. C Register usage: define(, ) define(, ) define(, ) define(, ) define(, ) .syntax unified .file "memxor.asm" .text .arm C memxor(void *dst, const void *src, size_t n) .align 4 PROLOGUE(nettle_memxor) cmp N, #0 beq .Lmemxor_done cmp N, #7 bcs .Lmemxor_large C Simple byte loop .Lmemxor_bytes: ldrb r3, [SRC], #+1 ldrb r12, [DST] eor r3, r12 strb r3, [DST], #+1 subs N, #1 bne .Lmemxor_bytes .Lmemxor_done: bx lr .Lmemxor_align_loop: ldrb r3, [SRC], #+1 ldrb r12, [DST] eor r3, r12 strb r3, [DST], #+1 sub N, #1 .Lmemxor_large: tst DST, #3 bne .Lmemxor_align_loop C We have at least 4 bytes left to do here. sub N, #4 ands r3, SRC, #3 beq .Lmemxor_same C Different alignment case. C v original SRC C +-------+------+ C |SRC |SRC+4 | C +---+---+------+ C |DST | C +-------+ C C With little-endian, we need to do C DST[i] ^= (SRC[i] >> CNT) ^ (SRC[i+1] << TNC) push {r4,r5,r6} lsl CNT, r3, #3 bic SRC, #3 rsb TNC, CNT, #32 ldr r4, [SRC], #+4 tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor_odd .Lmemxor_word_loop: ldr r5, [SRC], #+4 ldr r3, [DST] eor r3, r3, r4, lsr CNT eor r3, r3, r5, lsl TNC str r3, [DST], #+4 .Lmemxor_odd: ldr r4, [SRC], #+4 ldr r3, [DST] eor r3, r3, r5, lsr CNT eor r3, r3, r4, lsl TNC str r3, [DST], #+4 subs N, #8 bcs .Lmemxor_word_loop adds N, #8 beq .Lmemxor_odd_done C We have TNC/8 left-over bytes in r4, high end lsr r4, CNT ldr r3, [DST] eor r3, r4 pop {r4,r5,r6} C Store bytes, one by one. .Lmemxor_leftover: strb r3, [DST], #+1 subs N, #1 beq .Lmemxor_done subs TNC, #8 lsr r3, #8 bne .Lmemxor_leftover b .Lmemxor_bytes .Lmemxor_odd_done: pop {r4,r5,r6} bx lr .Lmemxor_same: push {r4,r5,r6,r7,r8,r10,r11,r14} C lr is the link register subs N, #8 bcc .Lmemxor_same_end ldmia SRC!, {r3, r4, r5} C Keep address for loads in r14 mov r14, DST ldmia r14!, {r6, r7, r8} subs N, #12 eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 bcc .Lmemxor_same_final_store subs N, #12 ldmia r14!, {r6, r7, r8} bcc .Lmemxor_same_wind_down C 6 cycles per iteration, 0.50 cycles/byte. For this speed, C loop starts at offset 0x11c in the object file. .Lmemxor_same_loop: C r10-r12 contains values to be stored at DST C r6-r8 contains values read from r14, in advance ldmia SRC!, {r3, r4, r5} subs N, #12 stmia DST!, {r10, r11, r12} eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 ldmia r14!, {r6, r7, r8} bcs .Lmemxor_same_loop .Lmemxor_same_wind_down: C Wind down code ldmia SRC!, {r3, r4, r5} stmia DST!, {r10, r11, r12} eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 .Lmemxor_same_final_store: stmia DST!, {r10, r11, r12} .Lmemxor_same_end: C We have 0-11 bytes left to do, and N holds number of bytes -12. adds N, #4 bcc .Lmemxor_same_lt_8 C Do 8 bytes more, leftover is in N ldmia SRC!, {r3, r4} ldmia DST, {r6, r7} eor r3, r6 eor r4, r7 stmia DST!, {r3, r4} pop {r4,r5,r6,r7,r8,r10,r11,r14} beq .Lmemxor_done b .Lmemxor_bytes .Lmemxor_same_lt_8: pop {r4,r5,r6,r7,r8,r10,r11,r14} adds N, #4 bcc .Lmemxor_same_lt_4 ldr r3, [SRC], #+4 ldr r12, [DST] eor r3, r12 str r3, [DST], #+4 beq .Lmemxor_done b .Lmemxor_bytes .Lmemxor_same_lt_4: adds N, #4 beq .Lmemxor_done b .Lmemxor_bytes EPILOGUE(nettle_memxor) nettle-3.4.1/arm/ecc-521-modp.asm0000644000175000017500000000560413401564746015332 0ustar nissenisseC arm/ecc-521-modp.asm ifelse(< Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. >) .file "ecc-521-modp.asm" .arm define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .Lc511: .int 511 .align 2 PROLOGUE(nettle_ecc_521_modp) push {r4,r5,r6,r7,r8,lr} C Use that B^17 = 2^23 (mod p) ldr F3, [RP, #+68] C 17 add HP, RP, #72 C 18 ldr T0, [RP] C 0 adds T0, T0, F3, lsl #23 str T0, [RP], #+4 mov N, #5 C 5 iterations, reading limbs 18-20, 21-23, 24-26, 27-29, 30-32 C and adding to limbs 1-3, 4-6, 7-9, 19-12, 13-15 .Loop: ldm RP, {T0,T1,T2} C 1+3*k -- 3+3*k lsr F0, F3, #9 ldm HP!, {F1,F2,F3} C 18+3*k -- 20+3*k orr F0, F0, F1, lsl #23 lsr F1, F1, #9 orr F1, F1, F2, lsl #23 lsr F2, F2, #9 orr F2, F2, F3, lsl #23 adcs T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 sub N, N, #1 stm RP!,{T0,T1,T2} teq N, #0 bne .Loop ldr F0, [RP], #-64 C 16 ldr F1, [HP] C 33 ldr T0, .Lc511 C Handling of high limbs C F0 = rp[16] + carry in + F3 >> 9 adcs F0, F0, F3, lsr #9 C Copy low 9 bits to H, then shift right including carry and H, F0, T0 mov F0, F0, rrx lsr F0, F0, #8 C Add in F1 = rp[33], with weight 2^1056 = 2^14 adds F0, F0, F1, lsl #14 lsr F1, F1, #18 adc F1, F1, #0 ldm RP, {T0, T1} C 0-1 adds T0, T0, F0 adcs T1, T1, F1 stm RP!, {T0, T1} ldm RP, {T0,T1,T2,F0,F1,F2,F3} C 2-8 adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, #0 adcs F0, F0, #0 adcs F1, F1, #0 adcs F2, F2, #0 adcs F3, F3, #0 stm RP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 ldm RP, {T0,T1,T2,F0,F1,F2,F3} C 9-15 adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, #0 adcs F0, F0, #0 adcs F1, F1, #0 adcs F2, F2, #0 adcs F3, F3, #0 adcs H, H, #0 stm RP, {T0,T1,T2,F0,F1,F2,F3,H} C 9-16 pop {r4,r5,r6,r7,r8,pc} EPILOGUE(nettle_ecc_521_modp) nettle-3.4.1/getopt_int.h0000644000175000017500000001116313401564746014377 0ustar nissenisse/* Internal declarations for getopt. Copyright (C) 1989-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _GETOPT_INT_H #define _GETOPT_INT_H 1 extern int _getopt_internal (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, int __long_only, int posixly_correct); /* Reentrant versions which can handle parsing multiple argument vectors at the same time. */ /* Data type for reentrant functions. */ struct _getopt_data { /* These have exactly the same meaning as the corresponding global variables, except that they are used for the reentrant versions of getopt. */ int optind; int opterr; int optopt; char *optarg; /* Internal members. */ /* True if the internal members have been initialized. */ int __initialized; /* The next char to be scanned in the option-element in which the last option character we returned was found. This allows us to pick up the scan where we left off. If this is zero, or a null string, it means resume the scan by advancing to the next ARGV-element. */ char *__nextchar; /* Describe how to deal with options that follow non-option ARGV-elements. If the caller did not specify anything, the default is REQUIRE_ORDER if the environment variable POSIXLY_CORRECT is defined, PERMUTE otherwise. REQUIRE_ORDER means don't recognize them as options; stop option processing when the first non-option is seen. This is what Unix does. This mode of operation is selected by either setting the environment variable POSIXLY_CORRECT, or using `+' as the first character of the list of option characters. PERMUTE is the default. We permute the contents of ARGV as we scan, so that eventually all the non-options are at the end. This allows options to be given in any order, even with programs that were not written to expect this. RETURN_IN_ORDER is an option available to programs that were written to expect options and other ARGV-elements in any order and that care about the ordering of the two. We describe each non-option ARGV-element as if it were the argument of an option with character code 1. Using `-' as the first character of the list of option characters selects this mode of operation. The special argument `--' forces an end of option-scanning regardless of the value of `ordering'. In the case of RETURN_IN_ORDER, only `--' can cause `getopt' to return -1 with `optind' != ARGC. */ enum { REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER } __ordering; /* If the POSIXLY_CORRECT environment variable is set. */ int __posixly_correct; /* Handle permutation of arguments. */ /* Describe the part of ARGV that contains non-options that have been skipped. `first_nonopt' is the index in ARGV of the first of them; `last_nonopt' is the index after the last of them. */ int __first_nonopt; int __last_nonopt; #if defined _LIBC && defined USE_NONOPTION_FLAGS int __nonoption_flags_max_len; int __nonoption_flags_len; # endif }; /* The initializer is necessary to set OPTIND and OPTERR to their default values and to clear the initialization flag. */ #define _GETOPT_DATA_INITIALIZER { 1, 1 } extern int _getopt_internal_r (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, int __long_only, struct _getopt_data *__data, int posixly_correct); extern int _getopt_long_r (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, struct _getopt_data *__data); extern int _getopt_long_only_r (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, struct _getopt_data *__data); #endif /* getopt_int.h */ nettle-3.4.1/ecc-mul-a-eh.c0000644000175000017500000001052513401564746014354 0ustar nissenisse/* ecc-mul-a-eh.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_ehh, total 13 ecc->p.size Window algorithm needs (3<p.size for the table, 3*ecc->p.size for a temporary point, and scratch for ecc_add_ehh. */ #if ECC_MUL_A_EH_WBITS == 0 void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define pe scratch #define tp (scratch + 3*ecc->p.size) #define scratch_out (scratch + 6*ecc->p.size) unsigned i; ecc_a_to_j (ecc, pe, p); /* x = 0, y = 1, z = 1 */ mpn_zero (r, 3*ecc->p.size); r[ecc->p.size] = r[2*ecc->p.size] = 1; for (i = ecc->p.size; i-- > 0; ) { mp_limb_t w = np[i]; mp_limb_t bit; for (bit = (mp_limb_t) 1 << (GMP_NUMB_BITS - 1); bit > 0; bit >>= 1) { int digit; ecc_dup_eh (ecc, r, r, scratch_out); ecc_add_ehh (ecc, tp, r, pe, scratch_out); digit = (w & bit) > 0; /* If we had a one-bit, use the sum. */ cnd_copy (digit, r, tp, 3*ecc->p.size); } } } #else /* ECC_MUL_A_EH_WBITS > 1 */ #define TABLE_SIZE (1U << ECC_MUL_A_EH_WBITS) #define TABLE_MASK (TABLE_SIZE - 1) #define TABLE(j) (table + (j) * 3*ecc->p.size) static void table_init (const struct ecc_curve *ecc, mp_limb_t *table, unsigned bits, const mp_limb_t *p, mp_limb_t *scratch) { unsigned size = 1 << bits; unsigned j; mpn_zero (TABLE(0), 3*ecc->p.size); TABLE(0)[ecc->p.size] = TABLE(0)[2*ecc->p.size] = 1; ecc_a_to_j (ecc, TABLE(1), p); for (j = 2; j < size; j += 2) { ecc_dup_eh (ecc, TABLE(j), TABLE(j/2), scratch); ecc_add_ehh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define table (scratch + 3*ecc->p.size) mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_EH_WBITS); /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned blocks = (ecc->p.bit_size + ECC_MUL_A_EH_WBITS - 1) / ECC_MUL_A_EH_WBITS; unsigned bit_index = (blocks-1) * ECC_MUL_A_EH_WBITS; mp_size_t limb_index = bit_index / GMP_NUMB_BITS; unsigned shift = bit_index % GMP_NUMB_BITS; mp_limb_t w, bits; table_init (ecc, table, ECC_MUL_A_EH_WBITS, p, scratch_out); w = np[limb_index]; bits = w >> shift; if (limb_index < ecc->p.size - 1) bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); assert (bits < TABLE_SIZE); sec_tabselect (r, 3*ecc->p.size, table, TABLE_SIZE, bits); for (;;) { unsigned j; if (shift >= ECC_MUL_A_EH_WBITS) { shift -= ECC_MUL_A_EH_WBITS; bits = w >> shift; } else { if (limb_index == 0) { assert (shift == 0); break; } bits = w << (ECC_MUL_A_EH_WBITS - shift); w = np[--limb_index]; shift = shift + GMP_NUMB_BITS - ECC_MUL_A_EH_WBITS; bits |= w >> shift; } for (j = 0; j < ECC_MUL_A_EH_WBITS; j++) ecc_dup_eh (ecc, r, r, scratch_out); bits &= TABLE_MASK; sec_tabselect (tp, 3*ecc->p.size, table, TABLE_SIZE, bits); ecc_add_ehh (ecc, r, tp, r, scratch_out); } #undef table #undef tp } #endif /* ECC_MUL_A_EH_WBITS > 1 */ nettle-3.4.1/salsa20-set-key.c0000644000175000017500000000305413401564745015041 0ustar nissenisse/* salsa20-set-key.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "salsa20.h" #include "macros.h" void salsa20_set_key(struct salsa20_ctx *ctx, size_t length, const uint8_t *key) { switch (length) { case SALSA20_128_KEY_SIZE: salsa20_128_set_key (ctx, key); break; case SALSA20_256_KEY_SIZE: salsa20_256_set_key (ctx, key); break; default: abort(); } } nettle-3.4.1/base64url-decode.c0000644000175000017500000000470413401564745015250 0ustar nissenisse/* base64url-decode.c Copyright (C) 2015 Amos Jeffries, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base64.h" void base64url_decode_init(struct base64_decode_ctx *ctx) { static const signed char base64url_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -3, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; ctx->word = ctx->bits = ctx->padding = 0; ctx->table = base64url_decode_table; } nettle-3.4.1/hmac-sha384.c0000644000175000017500000000264113401564745014136 0ustar nissenisse/* hmac-sha384.c HMAC-SHA384 message authentication code. Copyright (C) 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha384, key_length, key); } void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha384, length, digest); } nettle-3.4.1/pkcs1-sec-decrypt.c0000644000175000017500000001152113401564745015454 0ustar nissenisse/* pkcs1-sec-decrypt.c The RSA publickey algorithm. Side channel resistant PKCS#1 decryption. Copyright (C) 2001, 2012 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memops.h" #include "gmp-glue.h" #include "rsa.h" #include "rsa-internal.h" /* Inputs are always cast to uint32_t values. But all values used in this * function should never exceed the maximum value of a uint32_t anyway. * these macros returns 1 on success, 0 on failure */ #define NOT_EQUAL(a, b) \ ((0U - ((uint32_t)(a) ^ (uint32_t)(b))) >> 31) #define EQUAL(a, b) \ ((((uint32_t)(a) ^ (uint32_t)(b)) - 1U) >> 31) #define GREATER_OR_EQUAL(a, b) \ (1U - (((uint32_t)(a) - (uint32_t)(b)) >> 31)) int _pkcs1_sec_decrypt (size_t length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message) { volatile int ok; size_t i, t; assert (padded_message_length >= length); t = padded_message_length - length - 1; /* Check format, padding, message_size */ ok = EQUAL(padded_message[0], 0); /* ok if padded_message[0] == 0 */ ok &= EQUAL(padded_message[1], 2); /* ok if padded_message[1] == 2 */ for (i = 2; i < t; i++) /* check padding has no zeros */ { ok &= NOT_EQUAL(padded_message[i], 0); } ok &= EQUAL(padded_message[t], 0); /* ok if terminator == 0 */ /* fill destination buffer regardless of outcome */ cnd_memcpy(ok, message, padded_message + t + 1, length); return ok; } int _pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message) { volatile int not_found = 1; volatile int ok; volatile size_t offset; size_t buflen, msglen; size_t shift, i; /* Check format, padding, message_size */ ok = EQUAL(padded_message[0], 0); ok &= EQUAL(padded_message[1], 2); /* length is discovered in a side-channel silent way. * not_found goes to 0 when the terminator is found. * offset strts at 3 as it includes the terminator and * the fomat bytes already */ offset = 3; for (i = 2; i < padded_message_length; i++) { not_found &= NOT_EQUAL(padded_message[i], 0); offset += not_found; } /* check if we ran out of buffer */ ok &= NOT_EQUAL(not_found, 1); /* padding must be >= 11 (2 format bytes + 8 pad bytes min. + terminator) */ ok &= GREATER_OR_EQUAL(offset, 11); /* offset can vary between 3 and padded_message_length, due to the loop * above, therefore msglen can't underflow */ msglen = padded_message_length - offset; /* we always fill the whole buffer but only up to * padded_message_length length */ buflen = *length; if (buflen > padded_message_length) { /* input independent branch */ buflen = padded_message_length; } /* if the message length is larger than the buffer we must fail */ ok &= GREATER_OR_EQUAL(buflen, msglen); /* fill destination buffer fully regardless of outcome. Copies the message * in a memory access independent way. The destination message buffer will * be clobbered past the message length. */ shift = padded_message_length - buflen; cnd_memcpy(ok, message, padded_message + shift, buflen); offset -= shift; /* In this loop, the bits of the 'offset' variable are used as shifting * conditions, starting from the least significant bit. The end result is * that the buffer is shifted left exactly 'offset' bytes. */ for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) { /* 'ok' is both a least significant bit mask and a condition */ cnd_memcpy(offset & ok, message, message + shift, buflen - shift); } /* update length only if we succeeded, otherwise leave unchanged */ *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); return ok; } nettle-3.4.1/umac-nh-n.c0000644000175000017500000000437613401564745014010 0ustar nissenisse/* umac-nh-n.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_umac_nh_n void _nettle_umac_nh_n_c (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); #define _nettle_umac_nh_n _nettle_umac_nh_n_c #endif void _umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg) { assert (length > 0); assert (length <= 1024); assert (length % 32 == 0); memset(out, 0, n*sizeof(*out)); for (;length > 0; length -= 32, msg += 32, key += 8) { uint32_t a0, a1, b0, b1; unsigned i; a0 = LE_READ_UINT32 (msg); a1 = LE_READ_UINT32 (msg + 4); b0 = LE_READ_UINT32 (msg + 16); b1 = LE_READ_UINT32 (msg + 20); for (i = 0; i < n; i++) out[i] += (uint64_t) (a0 + key[0+4*i]) * (b0 + key[4+4*i]) + (uint64_t) (a1 + key[1+4*i]) * (b1 + key[5+4*i]); a0 = LE_READ_UINT32 (msg + 8); a1 = LE_READ_UINT32 (msg + 12); b0 = LE_READ_UINT32 (msg + 24); b1 = LE_READ_UINT32 (msg + 28); for (i = 0; i < n; i++) out[i] += (uint64_t) (a0 + key[2+4*i]) * (b0 + key[6+4*i]) + (uint64_t) (a1 + key[3+4*i]) * (b1 + key[7+4*i]); } } nettle-3.4.1/hogweed.pc.in0000644000175000017500000000111613401564746014422 0ustar nissenisseprefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ # Uses Requires.private and Libs.private, under the assumption that # when using shared libraries, the ELF dependencies from libhogweed.so # to nettle and gmp work. Name: Hogweed Description: Nettle low-level cryptographic library (public-key algorithms) URL: http://www.lysator.liu.se/~nisse/nettle Version: @PACKAGE_VERSION@ Requires: @IF_NOT_SHARED@ nettle Requires.private: @IF_SHARED@ nettle Libs: -L${libdir} -lhogweed @IF_NOT_SHARED@ @LIBS@ Libs.private: @IF_SHARED@ @LIBS@ Cflags: -I${includedir} nettle-3.4.1/sec-add-1.c0000644000175000017500000000255113401564746013655 0ustar nissenisse/* sec-add-1.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" mp_limb_t sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b) { mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t r = ap[i] + b; b = (r < b); rp[i] = r; } return b; } nettle-3.4.1/poly1305-aes.c0000644000175000017500000000445613401564745014266 0ustar nissenisse/* poly1305-aes.c Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "poly1305.h" #include "macros.h" void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t * key) { aes128_set_encrypt_key(&ctx->aes, (key)); poly1305_set_key(&ctx->pctx, (key+16)); ctx->index = 0; } void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t * nonce) { memcpy (ctx->nonce, nonce, POLY1305_AES_NONCE_SIZE); } #define COMPRESS(ctx, data) _poly1305_block(&(ctx)->pctx, (data), 1) void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, (void) 0); } void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, size_t length, uint8_t *digest) { union nettle_block16 s; /* final bytes */ if (ctx->index > 0) { assert (ctx->index < POLY1305_BLOCK_SIZE); ctx->block[ctx->index] = 1; memset (ctx->block + ctx->index + 1, 0, POLY1305_BLOCK_SIZE - 1 - ctx->index); _poly1305_block (&ctx->pctx, ctx->block, 0); } aes128_encrypt(&ctx->aes, POLY1305_BLOCK_SIZE, s.b, ctx->nonce); poly1305_digest (&ctx->pctx, &s); memcpy (digest, s.b, length); INCREMENT (16, ctx->nonce); ctx->index = 0; } nettle-3.4.1/base64.h0000644000175000017500000001233613401564746013312 0ustar nissenisse/* base64.h Base-64 encoding and decoding. Copyright (C) 2002 Niels Möller, Dan Egnor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BASE64_H_INCLUDED #define NETTLE_BASE64_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define base64_encode_init nettle_base64_encode_init #define base64url_encode_init nettle_base64url_encode_init #define base64_encode_single nettle_base64_encode_single #define base64_encode_update nettle_base64_encode_update #define base64_encode_final nettle_base64_encode_final #define base64_encode_raw nettle_base64_encode_raw #define base64_encode_group nettle_base64_encode_group #define base64_decode_init nettle_base64_decode_init #define base64url_decode_init nettle_base64url_decode_init #define base64_decode_single nettle_base64_decode_single #define base64_decode_update nettle_base64_decode_update #define base64_decode_final nettle_base64_decode_final #define BASE64_BINARY_BLOCK_SIZE 3 #define BASE64_TEXT_BLOCK_SIZE 4 /* Base64 encoding */ /* Maximum length of output for base64_encode_update. NOTE: Doesn't * include any padding that base64_encode_final may add. */ /* We have at most 4 buffered bits, and a total of (4 + length * 8) bits. */ #define BASE64_ENCODE_LENGTH(length) (((length) * 8 + 4)/6) /* Maximum length of output generated by base64_encode_final. */ #define BASE64_ENCODE_FINAL_LENGTH 3 /* Exact length of output generated by base64_encode_raw, including * padding. */ #define BASE64_ENCODE_RAW_LENGTH(length) ((((length) + 2)/3)*4) struct base64_encode_ctx { const char *alphabet; /* Alphabet to use for encoding */ unsigned short word; /* Leftover bits */ unsigned char bits; /* Number of bits, always 0, 2, or 4. */ }; /* Initialize encoding context for base-64 */ void base64_encode_init(struct base64_encode_ctx *ctx); /* Initialize encoding context for URL safe alphabet, RFC 4648. */ void base64url_encode_init(struct base64_encode_ctx *ctx); /* Encodes a single byte. Returns amount of output (always 1 or 2). */ size_t base64_encode_single(struct base64_encode_ctx *ctx, char *dst, uint8_t src); /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src); /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_LENGTH */ size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst); /* Lower level functions */ /* Encodes a string in one go, including any padding at the end. * Generates exactly BASE64_ENCODE_RAW_LENGTH(length) bytes of output. * Supports overlapped operation, if src <= dst. FIXME: Use of overlap * is deprecated, if needed there should be a separate public fucntion * to do that.*/ void base64_encode_raw(char *dst, size_t length, const uint8_t *src); void base64_encode_group(char *dst, uint32_t group); /* Base64 decoding */ /* Maximum length of output for base64_decode_update. */ /* We have at most 6 buffered bits, and a total of (length + 1) * 6 bits. */ #define BASE64_DECODE_LENGTH(length) ((((length) + 1) * 6) / 8) struct base64_decode_ctx { const signed char *table; /* Decoding table */ unsigned short word; /* Leftover bits */ unsigned char bits; /* Number buffered bits */ /* Number of padding characters encountered */ unsigned char padding; }; /* Initialize decoding context for base-64 */ void base64_decode_init(struct base64_decode_ctx *ctx); /* Initialize encoding context for URL safe alphabet, RFC 4648. */ void base64url_decode_init(struct base64_decode_ctx *ctx); /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base64_decode_single(struct base64_decode_ctx *ctx, uint8_t *dst, char src); /* Returns 1 on success, 0 on error. DST should point to an area of * size at least BASE64_DECODE_LENGTH(length). The amount of data * generated is returned in *DST_LENGTH. */ int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src); /* Returns 1 on success. */ int base64_decode_final(struct base64_decode_ctx *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_BASE64_H_INCLUDED */ nettle-3.4.1/curve25519.h0000644000175000017500000000304113401564746013751 0ustar nissenisse/* curve25519.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CURVE25519_H #define NETTLE_CURVE25519_H #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define curve25519_mul_g nettle_curve25519_mul_g #define curve25519_mul nettle_curve25519_mul #define CURVE25519_SIZE 32 /* Indicates that curve25519_mul conforms to RFC 7748. */ #define NETTLE_CURVE25519_RFC7748 1 void curve25519_mul_g (uint8_t *q, const uint8_t *n); void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); #ifdef __cplusplus } #endif #endif /* NETTLE_CURVE25519_H */ nettle-3.4.1/arctwo-meta.c0000644000175000017500000000372413401564745014444 0ustar nissenisse/* arctwo-meta.c Copyright (C) 2004 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "arctwo.h" #define ARCTWO(bits) { \ "arctwo" #bits, sizeof (struct arctwo_ctx), \ ARCTWO_BLOCK_SIZE, bits/8, \ (nettle_set_key_func *) arctwo ## bits ## _set_key, \ (nettle_set_key_func *) arctwo ## bits ## _set_key, \ (nettle_cipher_func *) arctwo_encrypt, \ (nettle_cipher_func *) arctwo_decrypt, \ } const struct nettle_cipher nettle_arctwo40 = ARCTWO(40); const struct nettle_cipher nettle_arctwo64 = ARCTWO(64); const struct nettle_cipher nettle_arctwo128 = ARCTWO(128); /* Gutmann variant. */ const struct nettle_cipher nettle_arctwo_gutmann128 = { "arctwo_gutmann128", sizeof (struct arctwo_ctx), ARCTWO_BLOCK_SIZE, 16, (nettle_set_key_func *) arctwo128_set_key_gutmann, (nettle_set_key_func *) arctwo128_set_key_gutmann, (nettle_cipher_func *) arctwo_encrypt, (nettle_cipher_func *) arctwo_decrypt, }; nettle-3.4.1/camellia128-set-decrypt-key.c0000644000175000017500000000275513401564745017255 0ustar nissenisse/* camellia128-set-decrypt-key.c Inverse key setup for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" void camellia128_invert_key(struct camellia128_ctx *dst, const struct camellia128_ctx *src) { _camellia_invert_key (_CAMELLIA128_NKEYS, dst->keys, src->keys); } void camellia128_set_decrypt_key(struct camellia128_ctx *ctx, const uint8_t *key) { camellia128_set_encrypt_key(ctx, key); camellia128_invert_key(ctx, ctx); } nettle-3.4.1/aes128-set-decrypt-key.c0000644000175000017500000000270713401564745016253 0ustar nissenisse/* aes128-set-decrypt-key.c Key setup for the aes/rijndael block cipher. Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" void aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src) { _aes_invert (_AES128_ROUNDS, dst->keys, src->keys); } void aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key (ctx, key); aes128_invert_key (ctx, ctx); } nettle-3.4.1/bignum-random-prime.c0000644000175000017500000003550113401564745016070 0ustar nissenisse/* bignum-random-prime.c Generation of random provable primes. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef RANDOM_PRIME_VERBOSE #define RANDOM_PRIME_VERBOSE 0 #endif #include #include #if RANDOM_PRIME_VERBOSE #include #define VERBOSE(x) (fputs((x), stderr)) #else #define VERBOSE(x) #endif #include "bignum.h" #include "macros.h" /* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers of up to 20 bits. */ #define NPRIMES 171 #define TRIAL_DIV_BITS 20 #define TRIAL_DIV_MASK ((1 << TRIAL_DIV_BITS) - 1) /* A 20-bit number x is divisible by p iff ((x * inverse) & TRIAL_DIV_MASK) <= limit */ struct trial_div_info { uint32_t inverse; /* p^{-1} (mod 2^20) */ uint32_t limit; /* floor( (2^20 - 1) / p) */ }; static const uint16_t primes[NPRIMES] = { 3,5,7,11,13,17,19,23, 29,31,37,41,43,47,53,59, 61,67,71,73,79,83,89,97, 101,103,107,109,113,127,131,137, 139,149,151,157,163,167,173,179, 181,191,193,197,199,211,223,227, 229,233,239,241,251,257,263,269, 271,277,281,283,293,307,311,313, 317,331,337,347,349,353,359,367, 373,379,383,389,397,401,409,419, 421,431,433,439,443,449,457,461, 463,467,479,487,491,499,503,509, 521,523,541,547,557,563,569,571, 577,587,593,599,601,607,613,617, 619,631,641,643,647,653,659,661, 673,677,683,691,701,709,719,727, 733,739,743,751,757,761,769,773, 787,797,809,811,821,823,827,829, 839,853,857,859,863,877,881,883, 887,907,911,919,929,937,941,947, 953,967,971,977,983,991,997,1009, 1013,1019,1021, }; static const uint32_t prime_square[NPRIMES+1] = { 9,25,49,121,169,289,361,529, 841,961,1369,1681,1849,2209,2809,3481, 3721,4489,5041,5329,6241,6889,7921,9409, 10201,10609,11449,11881,12769,16129,17161,18769, 19321,22201,22801,24649,26569,27889,29929,32041, 32761,36481,37249,38809,39601,44521,49729,51529, 52441,54289,57121,58081,63001,66049,69169,72361, 73441,76729,78961,80089,85849,94249,96721,97969, 100489,109561,113569,120409,121801,124609,128881,134689, 139129,143641,146689,151321,157609,160801,167281,175561, 177241,185761,187489,192721,196249,201601,208849,212521, 214369,218089,229441,237169,241081,249001,253009,259081, 271441,273529,292681,299209,310249,316969,323761,326041, 332929,344569,351649,358801,361201,368449,375769,380689, 383161,398161,410881,413449,418609,426409,434281,436921, 452929,458329,466489,477481,491401,502681,516961,528529, 537289,546121,552049,564001,573049,579121,591361,597529, 619369,635209,654481,657721,674041,677329,683929,687241, 703921,727609,734449,737881,744769,769129,776161,779689, 786769,822649,829921,844561,863041,877969,885481,896809, 908209,935089,942841,954529,966289,982081,994009,1018081, 1026169,1038361,1042441,1L<<20 }; static const struct trial_div_info trial_div_table[NPRIMES] = { {699051,349525},{838861,209715},{748983,149796},{953251,95325}, {806597,80659},{61681,61680},{772635,55188},{866215,45590}, {180789,36157},{1014751,33825},{793517,28339},{1023001,25575}, {48771,24385},{870095,22310},{217629,19784},{710899,17772}, {825109,17189},{281707,15650},{502135,14768},{258553,14364}, {464559,13273},{934875,12633},{1001449,11781},{172961,10810}, {176493,10381},{203607,10180},{568387,9799},{788837,9619}, {770193,9279},{1032063,8256},{544299,8004},{619961,7653}, {550691,7543},{182973,7037},{229159,6944},{427445,6678}, {701195,6432},{370455,6278},{90917,6061},{175739,5857}, {585117,5793},{225087,5489},{298817,5433},{228877,5322}, {442615,5269},{546651,4969},{244511,4702},{83147,4619}, {769261,4578},{841561,4500},{732687,4387},{978961,4350}, {133683,4177},{65281,4080},{629943,3986},{374213,3898}, {708079,3869},{280125,3785},{641833,3731},{618771,3705}, {930477,3578},{778747,3415},{623751,3371},{40201,3350}, {122389,3307},{950371,3167},{1042353,3111},{18131,3021}, {285429,3004},{549537,2970},{166487,2920},{294287,2857}, {919261,2811},{636339,2766},{900735,2737},{118605,2695}, {10565,2641},{188273,2614},{115369,2563},{735755,2502}, {458285,2490},{914767,2432},{370513,2421},{1027079,2388}, {629619,2366},{462401,2335},{649337,2294},{316165,2274}, {484655,2264},{65115,2245},{326175,2189},{1016279,2153}, {990915,2135},{556859,2101},{462791,2084},{844629,2060}, {404537,2012},{457123,2004},{577589,1938},{638347,1916}, {892325,1882},{182523,1862},{1002505,1842},{624371,1836}, {69057,1817},{210787,1786},{558769,1768},{395623,1750}, {992745,1744},{317855,1727},{384877,1710},{372185,1699}, {105027,1693},{423751,1661},{408961,1635},{908331,1630}, {74551,1620},{36933,1605},{617371,1591},{506045,1586}, {24929,1558},{529709,1548},{1042435,1535},{31867,1517}, {166037,1495},{928781,1478},{508975,1458},{4327,1442}, {779637,1430},{742091,1418},{258263,1411},{879631,1396}, {72029,1385},{728905,1377},{589057,1363},{348621,1356}, {671515,1332},{710453,1315},{84249,1296},{959363,1292}, {685853,1277},{467591,1274},{646643,1267},{683029,1264}, {439927,1249},{254461,1229},{660713,1223},{554195,1220}, {202911,1215},{753253,1195},{941457,1190},{776635,1187}, {509511,1182},{986147,1156},{768879,1151},{699431,1140}, {696417,1128},{86169,1119},{808997,1114},{25467,1107}, {201353,1100},{708087,1084},{1018339,1079},{341297,1073}, {434151,1066},{96287,1058},{950765,1051},{298257,1039}, {675933,1035},{167731,1029},{815445,1027}, }; /* Element j gives the index of the first prime of size 3+j bits */ static uint8_t prime_by_size[9] = { 1,3,5,10,17,30,53,96,171 }; /* Combined Miller-Rabin test to the base a, and checking the conditions from Pocklington's theorem, nm1dq holds (n-1)/q, with q prime. */ static int miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a) { mpz_t r; mpz_t y; int is_prime = 0; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned k; unsigned j; VERBOSE("."); if (mpz_even_p(n) || mpz_cmp_ui(n, 3) < 0) return 0; mpz_init(r); mpz_init(y); k = mpz_scan1(nm1, 0); assert(k > 0); mpz_fdiv_q_2exp (r, nm1, k); mpz_powm(y, a, r, n); if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, nm1) == 0) goto passed_miller_rabin; for (j = 1; j < k; j++) { mpz_powm_ui (y, y, 2, n); if (mpz_cmp_ui (y, 1) == 0) break; if (mpz_cmp (y, nm1) == 0) { passed_miller_rabin: /* We know that a^{n-1} = 1 (mod n) Remains to check that gcd(a^{(n-1)/q} - 1, n) == 1 */ VERBOSE("x"); mpz_powm(y, a, nm1dq, n); mpz_sub_ui(y, y, 1); mpz_gcd(y, y, n); is_prime = mpz_cmp_ui (y, 1) == 0; VERBOSE(is_prime ? "\n" : ""); break; } } mpz_clear(r); mpz_clear(y); return is_prime; } /* The most basic variant of Pocklingtons theorem: Assume that q^e | (n-1), with q prime. If we can find an a such that a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 then any prime divisor p of n satisfies p = 1 (mod q^e). Proof (Cohen, 8.3.2): Assume p is a prime factor of n. The central idea of the proof is to consider the order, modulo p, of a. Denote this by d. a^{n-1} = 1 (mod n) implies a^{n-1} = 1 (mod p), hence d | (n-1). Next, the condition gcd(a^{(n-1)/q} - 1, n) = 1 implies that a^{(n-1)/q} != 1, hence d does not divide (n-1)/q. Since q is prime, this means that q^e | d. Finally, we have a^{p-1} = 1 (mod p), hence d | (p-1). So q^e | d | (p-1), which gives the desired result: p = 1 (mod q^e). * Variant, slightly stronger than Fact 4.59, HAC: Assume n = 1 + 2rq, q an odd prime, r <= 2q, and a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 Then n is prime. Proof: By Pocklington's theorem, any prime factor p satisfies p = 1 (mod q). Neither 1 or q+1 are primes, hence p >= 1 + 2q. If n is composite, we have n >= (1+2q)^2. But the assumption r <= 2q implies n <= 1 + 4q^2, a contradiction. In bits, the requirement is that #n <= 2 #q, then r = (n-1)/2q < 2^{#n - #q} <= 2^#q = 2 2^{#q-1}< 2 q * Another variant with an extra test (Variant of Fact 4.42, HAC): Assume n = 1 + 2rq, n odd, q an odd prime, 8 q^3 >= n a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 Also let x = floor(r / 2q), y = r mod 2q, If y^2 - 4x is not a square, then n is prime. Proof (adapted from Maurer, Journal of Cryptology, 8 (1995)): Assume n is composite. There are at most two factors, both odd, n = (1+2m_1 q)(1+2m_2 q) = 1 + 4 m_1 m_2 q^2 + 2 (m_1 + m_2) q where we can assume m_1 >= m_2. Then the bound n <= 8 q^3 implies m_1 m_2 < 2q, restricting (m_1, m_2) to the domain 0 < m_2 < sqrt(2q), 0 < m_1 < 2q / m_2. We have the bound m_1 + m_2 < 2q / m_2 + m_2 <= 2q + 1 (maximum value for m_2 = 1) And the case m_1 = 2q, m_2 = 1 can be excluded, because it gives n > 8q^3. So in fact, m_1 + m_2 < 2q. Next, write r = (n-1)/2q = 2 m_1 m_2 q + m_1 + m_2. If follows that m_1 + m_2 = y and m_1 m_2 = x. m_1 and m_2 are thus the roots of the equation m^2 - y m + x = 0 which has integer roots iff y^2 - 4 x is the square of an integer. In bits, the requirement is that #n <= 3 #q, then n < 2^#n <= 2^{3 #q} = 8 2^{3 (#q-1)} < 8 q^3 */ /* Generate a prime number p of size bits with 2 p0q dividing (p-1). p0 must be of size >= ceil(bits/3). The extra factor q can be omitted (then p0 and p0q should be equal). If top_bits_set is one, the topmost two bits are set to one, suitable for RSA primes. Also returns r = (p-1)/p0q. */ void _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, const mpz_t p0, const mpz_t q, const mpz_t p0q) { mpz_t r_min, r_range, pm1, a, e; int need_square_test; unsigned p0_bits; mpz_t x, y, p04; p0_bits = mpz_sizeinbase (p0, 2); assert (bits <= 3*p0_bits); assert (bits > p0_bits); need_square_test = (bits > 2 * p0_bits); mpz_init (r_min); mpz_init (r_range); mpz_init (pm1); mpz_init (a); if (need_square_test) { mpz_init (x); mpz_init (y); mpz_init (p04); mpz_mul_2exp (p04, p0, 2); } if (q) mpz_init (e); if (top_bits_set) { /* i = floor (2^{bits-3} / p0q), then 3I + 3 <= r <= 4I, with I - 2 possible values. */ mpz_set_ui (r_min, 1); mpz_mul_2exp (r_min, r_min, bits-3); mpz_fdiv_q (r_min, r_min, p0q); mpz_sub_ui (r_range, r_min, 2); mpz_mul_ui (r_min, r_min, 3); mpz_add_ui (r_min, r_min, 3); } else { /* i = floor (2^{bits-2} / p0q), I + 1 <= r <= 2I */ mpz_set_ui (r_range, 1); mpz_mul_2exp (r_range, r_range, bits-2); mpz_fdiv_q (r_range, r_range, p0q); mpz_add_ui (r_min, r_range, 1); } for (;;) { uint8_t buf[1]; nettle_mpz_random (r, ctx, random, r_range); mpz_add (r, r, r_min); /* Set p = 2*r*p0q + 1 */ mpz_mul_2exp(r, r, 1); mpz_mul (pm1, r, p0q); mpz_add_ui (p, pm1, 1); assert(mpz_sizeinbase(p, 2) == bits); /* Should use GMP trial division interface when that materializes, we don't need any testing beyond trial division. */ if (!mpz_probab_prime_p (p, 1)) continue; random(ctx, sizeof(buf), buf); mpz_set_ui (a, buf[0] + 2); if (q) { mpz_mul (e, r, q); if (!miller_rabin_pocklington(p, pm1, e, a)) continue; if (need_square_test) { /* Our e corresponds to 2r in the theorem */ mpz_tdiv_qr (x, y, e, p04); goto square_test; } } else { if (!miller_rabin_pocklington(p, pm1, r, a)) continue; if (need_square_test) { mpz_tdiv_qr (x, y, r, p04); square_test: /* We have r' = 2r, x = floor (r/2q) = floor(r'/2q), and y' = r' - x 4q = 2 (r - x 2q) = 2y. Then y^2 - 4x is a square iff y'^2 - 16 x is a square. */ mpz_mul (y, y, y); mpz_submul_ui (y, x, 16); if (mpz_perfect_square_p (y)) continue; } } /* If we passed all the tests, we have found a prime. */ break; } mpz_clear (r_min); mpz_clear (r_range); mpz_clear (pm1); mpz_clear (a); if (need_square_test) { mpz_clear (x); mpz_clear (y); mpz_clear (p04); } if (q) mpz_clear (e); } /* Generate random prime of a given size. Maurer's algorithm (Alg. 6.42 Handbook of applied cryptography), but with ratio = 1/2 (like the variant in fips186-3). */ void nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress) { assert (bits >= 3); if (bits <= 10) { unsigned first; unsigned choices; uint8_t buf; assert (!top_bits_set); random (random_ctx, sizeof(buf), &buf); first = prime_by_size[bits-3]; choices = prime_by_size[bits-2] - first; mpz_set_ui (p, primes[first + buf % choices]); } else if (bits <= 20) { unsigned long highbit; uint8_t buf[3]; unsigned long x; unsigned j; assert (!top_bits_set); highbit = 1L << (bits - 1); again: random (random_ctx, sizeof(buf), buf); x = READ_UINT24(buf); x &= (highbit - 1); x |= highbit | 1; for (j = 0; prime_square[j] <= x; j++) { unsigned q = x * trial_div_table[j].inverse & TRIAL_DIV_MASK; if (q <= trial_div_table[j].limit) goto again; } mpz_set_ui (p, x); } else { mpz_t q, r; mpz_init (q); mpz_init (r); /* Bit size ceil(k/2) + 1, slightly larger than used in Alg. 4.62 in Handbook of Applied Cryptography (which seems to be incorrect for odd k). */ nettle_random_prime (q, (bits+3)/2, 0, random_ctx, random, progress_ctx, progress); _nettle_generate_pocklington_prime (p, r, bits, top_bits_set, random_ctx, random, q, NULL, q); if (progress) progress (progress_ctx, 'x'); mpz_clear (q); mpz_clear (r); } } nettle-3.4.1/nettle-types.h0000644000175000017500000000615713401564746014667 0ustar nissenisse/* nettle-types.h Copyright (C) 2005, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TYPES_H #define NETTLE_TYPES_H /* For size_t */ #include /* Pretend these types always exists. Nettle doesn't use them. */ #define _STDINT_HAVE_INT_FAST32_T 1 #include "nettle-stdint.h" #ifdef __cplusplus extern "C" { #endif /* An aligned 16-byte block. */ union nettle_block16 { uint8_t b[16]; unsigned long w[16 / sizeof(unsigned long)]; }; /* Randomness. Used by key generation and dsa signature creation. */ typedef void nettle_random_func(void *ctx, size_t length, uint8_t *dst); /* Progress report function, mainly for key generation. */ typedef void nettle_progress_func(void *ctx, int c); /* Realloc function, used by struct nettle_buffer. */ typedef void *nettle_realloc_func(void *ctx, void *p, size_t length); /* Ciphers */ typedef void nettle_set_key_func(void *ctx, const uint8_t *key); /* For block ciphers, const context. */ typedef void nettle_cipher_func(const void *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* Uses a void * for cipher contexts. Used for crypt operations where the internal state changes during the encryption. */ typedef void nettle_crypt_func(void *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* Hash algorithms */ typedef void nettle_hash_init_func(void *ctx); typedef void nettle_hash_update_func(void *ctx, size_t length, const uint8_t *src); typedef void nettle_hash_digest_func(void *ctx, size_t length, uint8_t *dst); /* ASCII armor codecs. NOTE: Experimental and subject to change. */ typedef size_t nettle_armor_length_func(size_t length); typedef void nettle_armor_init_func(void *ctx); typedef size_t nettle_armor_encode_update_func(void *ctx, char *dst, size_t src_length, const uint8_t *src); typedef size_t nettle_armor_encode_final_func(void *ctx, char *dst); typedef int nettle_armor_decode_update_func(void *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src); typedef int nettle_armor_decode_final_func(void *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_TYPES_H */ nettle-3.4.1/pbkdf2.c0000644000175000017500000000451113401564745013364 0ustar nissenisse/* pbkdf2.c PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pbkdf2.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { TMP_DECL(U, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL(T, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); unsigned i; assert (iterations > 0); if (length == 0) return; TMP_ALLOC (U, digest_size); TMP_ALLOC (T, digest_size); for (i = 1;; i++, dst += digest_size, length -= digest_size) { uint8_t tmp[4]; uint8_t *prev; unsigned u; WRITE_UINT32 (tmp, i); update (mac_ctx, salt_length, salt); update (mac_ctx, sizeof(tmp), tmp); digest (mac_ctx, digest_size, T); prev = T; for (u = 1; u < iterations; u++, prev = U) { update (mac_ctx, digest_size, prev); digest (mac_ctx, digest_size, U); memxor (T, U, digest_size); } if (length <= digest_size) { memcpy (dst, T, length); return; } memcpy (dst, T, digest_size); } } nettle-3.4.1/write-be32.c0000644000175000017500000000330213401564745014074 0ustar nissenisse/* write-be32.c Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-write.h" #include "macros.h" void _nettle_write_be32(size_t length, uint8_t *dst, const uint32_t *src) { size_t i; size_t words; unsigned leftover; words = length / 4; leftover = length % 4; for (i = 0; i < words; i++, dst += 4) WRITE_UINT32(dst, src[i]); if (leftover) { uint32_t word; unsigned j = leftover; word = src[i]; switch (leftover) { default: abort(); case 3: dst[--j] = (word >> 8) & 0xff; /* Fall through */ case 2: dst[--j] = (word >> 16) & 0xff; /* Fall through */ case 1: dst[--j] = (word >> 24) & 0xff; } } } nettle-3.4.1/memeql-sec.c0000644000175000017500000000257313401564745014252 0ustar nissenisse/* memeql-sec.c Copyright (C) 2016 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "memops.h" int memeql_sec (const void *a, const void *b, size_t n) { volatile const unsigned char *ap = (const unsigned char *) a; volatile const unsigned char *bp = (const unsigned char *) b; volatile unsigned char diff; size_t i; for (i = diff = 0; i < n; i++) diff |= (ap[i] ^ bp[i]); return diff == 0; } nettle-3.4.1/sec-tabselect.c0000644000175000017500000000337313401564746014740 0ustar nissenisse/* sec-tabselect.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Copy the k'th element of the table out tn elements, each of size rn. Always read complete table. Similar to gmp's mpn_tabselect. */ /* FIXME: Should we need to volatile declare anything? */ void sec_tabselect (mp_limb_t *rp, mp_size_t rn, const mp_limb_t *table, unsigned tn, unsigned k) { const mp_limb_t *end = table + tn * rn; const mp_limb_t *p; mp_size_t i; assert (k < tn); mpn_zero (rp, rn); for (p = table; p < end; p += rn, k--) { mp_limb_t mask = - (mp_limb_t) (k == 0); for (i = 0; i < rn; i++) rp[i] += mask & p[i]; } } nettle-3.4.1/nettle-internal.c0000644000175000017500000000763313401564746015332 0ustar nissenisse/* nettle-internal.c Things that are used only by the testsuite and benchmark, and not included in the library. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "nettle-internal.h" #include "arcfour.h" #include "blowfish.h" #include "des.h" #include "chacha.h" #include "salsa20.h" /* Wrapper functions discarding the return value. Needed for the ciphers with weak keys. */ static void des_set_key_wrapper (void *ctx, const uint8_t *key) { des_set_key (ctx, key); } static void des3_set_key_wrapper (void *ctx, const uint8_t *key) { des3_set_key (ctx, key); } static void blowfish128_set_key_wrapper (void *ctx, const uint8_t *key) { blowfish128_set_key (ctx, key); } const struct nettle_cipher nettle_des = { "des", sizeof(struct des_ctx), DES_BLOCK_SIZE, DES_KEY_SIZE, des_set_key_wrapper, des_set_key_wrapper, (nettle_cipher_func *) des_encrypt, (nettle_cipher_func *) des_decrypt }; const struct nettle_cipher nettle_des3 = { "des3", sizeof(struct des3_ctx), DES3_BLOCK_SIZE, DES3_KEY_SIZE, des3_set_key_wrapper, des3_set_key_wrapper, (nettle_cipher_func *) des3_encrypt, (nettle_cipher_func *) des3_decrypt }; const struct nettle_cipher nettle_blowfish128 = { "blowfish128", sizeof(struct blowfish_ctx), BLOWFISH_BLOCK_SIZE, BLOWFISH128_KEY_SIZE, blowfish128_set_key_wrapper, blowfish128_set_key_wrapper, (nettle_cipher_func *) blowfish_encrypt, (nettle_cipher_func *) blowfish_decrypt }; const struct nettle_aead nettle_arcfour128 = { "arcfour128", sizeof(struct arcfour_ctx), 1, ARCFOUR128_KEY_SIZE, 0, 0, (nettle_set_key_func *) arcfour128_set_key, (nettle_set_key_func *) arcfour128_set_key, NULL, NULL, (nettle_crypt_func *) arcfour_crypt, (nettle_crypt_func *) arcfour_crypt, NULL, }; const struct nettle_aead nettle_chacha = { "chacha", sizeof(struct chacha_ctx), CHACHA_BLOCK_SIZE, CHACHA_KEY_SIZE, CHACHA_NONCE_SIZE, 0, (nettle_set_key_func *) chacha_set_key, (nettle_set_key_func *) chacha_set_key, (nettle_set_key_func *) chacha_set_nonce, NULL, (nettle_crypt_func *) chacha_crypt, (nettle_crypt_func *) chacha_crypt, NULL, }; const struct nettle_aead nettle_salsa20 = { "salsa20", sizeof(struct salsa20_ctx), SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, SALSA20_NONCE_SIZE, 0, (nettle_set_key_func *) salsa20_256_set_key, (nettle_set_key_func *) salsa20_256_set_key, (nettle_set_key_func *) salsa20_set_nonce, NULL, (nettle_crypt_func *) salsa20_crypt, (nettle_crypt_func *) salsa20_crypt, NULL, }; const struct nettle_aead nettle_salsa20r12 = { "salsa20r12", sizeof(struct salsa20_ctx), SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, SALSA20_NONCE_SIZE, 0, (nettle_set_key_func*) salsa20_256_set_key, (nettle_set_key_func*) salsa20_256_set_key, (nettle_set_key_func*) salsa20_set_nonce, NULL, (nettle_crypt_func *) salsa20r12_crypt, (nettle_crypt_func *) salsa20r12_crypt, NULL, }; nettle-3.4.1/CONTRIBUTING.md0000644000175000017500000000114113401564746014276 0ustar nissenisse# nettle -- Information about our contribution rules # Test suite: New functionality should be accompanied by a test case which verifies its correctness, on successful use of the new functionality, as well as on failure cases. The nettle test suite is run on "make check". # Continuous Integration (CI) We utilize a continuous integration systems, using gitlab-ci. This is run on a repository mirror at: https://gitlab.com/gnutls/nettle # Sending patches Please do not utilize the gitlab web interfaces. They are not being followed on. Please send your patches to nettle-bugs@lists.lysator.liu.se nettle-3.4.1/serpent-encrypt.c0000644000175000017500000003476713401564745015376 0ustar nissenisse/* serpent-encrypt.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* S0: 3 8 15 1 10 6 5 11 14 13 4 2 7 0 9 12 */ /* Could easily let y0, y1 overlap with x0, x1, and possibly also x2 and y2 */ #define SBOX0(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x1 ^ x2; \ y0 = x0 | x3; \ y1 = x0 ^ x1; \ y3 ^= y0; \ y2 = x2 | y3; \ x0 ^= x3; \ y2 &= x3; \ x3 ^= x2; \ x2 |= x1; \ y0 = y1 & x2; \ y2 ^= y0; \ y0 &= y2; \ y0 ^= x2; \ x1 &= x0; \ y0 ^= x0; \ y0 = ~ y0; \ y1 = y0 ^ x1; \ y1 ^= x3; \ } while (0) /* FIXME: Arrange for some overlap between inputs and outputs? */ /* S1: 15 12 2 7 9 0 5 10 1 11 14 8 6 13 3 4 */ /* Original single-assignment form: t01 = x0 | x3; t02 = x2 ^ x3; t03 = ~ x1; t04 = x0 ^ x2; t05 = x0 | t03; t06 = x3 & t04; t07 = t01 & t02; t08 = x1 | t06; y2 = t02 ^ t05; t10 = t07 ^ t08; t11 = t01 ^ t10; t12 = y2 ^ t11; t13 = x1 & x3; y3 = ~ t10; y1 = t13 ^ t12; t16 = t10 | y1; t17 = t05 & t16; y0 = x2 ^ t17; */ #define SBOX1(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 | x3; \ y2 = x2 ^ x3; \ y0 = ~ x1; \ y3 = x0 ^ x2; \ y0 |= x0; \ y3 &= x3; \ x0 = y1 & y2; \ y3 |= x1; \ y2 ^= y0; \ y3 ^= x0; \ x0 = y1 ^ y3; \ x0 ^= y2; \ y1 = x1 & x3; \ y1 ^= x0; \ x3 = y1 | y3; \ y3 = ~ y3; \ y0 &= x3; \ y0 ^= x2; \ } while (0) /* FIXME: Arrange for some overlap between inputs and outputs? */ /* S2: 8 6 7 9 3 12 10 15 13 1 14 4 0 11 5 2 */ #define SBOX2(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y2 = x0 | x2; \ y1 = x0 ^ x1; \ y3 = x3 ^ y2; \ y0 = y1 ^ y3; \ x3 |= x0; \ x2 ^= y0; \ x0 = x1 ^ x2; \ x2 |= x1; \ x0 &= y2; \ y3 ^= x2; \ y1 |= y3; \ y1 ^= x0; \ y2 = y3 ^ y1; \ y2 ^= x1; \ y3 = ~ y3; \ y2 ^= x3; \ } while (0) /* S3: 0 15 11 8 12 9 6 3 13 1 2 4 10 7 5 14 */ /* Original single-assignment form: t01 = x0 ^ x2; t02 = x0 | x3; t03 = x0 & x3; t04 = t01 & t02; t05 = x1 | t03; t06 = x0 & x1; t07 = x3 ^ t04; t08 = x2 | t06; t09 = x1 ^ t07; t10 = x3 & t05; t11 = t02 ^ t10; y3 = t08 ^ t09; t13 = x3 | y3; t14 = x0 | t07; t15 = x1 & t13; y2 = t08 ^ t11; y0 = t14 ^ t15; y1 = t05 ^ t04; */ #define SBOX3(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 ^ x2; \ y0 = x0 | x3; \ y3 = x0 & x3; \ y1 &= y0; \ y3 |= x1; \ y2 = x0 & x1; \ y2 |= x2; \ x2 = x3 ^ y1; \ y1 ^= y3; \ x0 |= x2; \ x2 ^= x1; \ y3 &= x3; \ y0 ^= y3; \ y3 = y2 ^ x2; \ y2 ^= y0; \ x3 |= y3; \ x1 &= x3; \ y0 = x0 ^ x1; \ } while (0) /* S4: 1 15 8 3 12 0 11 6 2 5 4 10 9 14 7 13 */ /* Original single-assignment form: t01 = x0 | x1; t02 = x1 | x2; t03 = x0 ^ t02; t04 = x1 ^ x3; t05 = x3 | t03; t06 = x3 & t01; y3 = t03 ^ t06; t08 = y3 & t04; t09 = t04 & t05; t10 = x2 ^ t06; t11 = x1 & x2; t12 = t04 ^ t08; t13 = t11 | t03; t14 = t10 ^ t09; t15 = x0 & t05; t16 = t11 | t12; y2 = t13 ^ t08; y1 = t15 ^ t16; y0 = ~ t14; */ #define SBOX4(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x0 | x1; \ y2 = x1 | x2; \ y2 ^= x0; \ y3 &= x3; \ y0 = x1 ^ x3; \ x3 |= y2; \ x0 &= x3; \ x1 &= x2; \ x2 ^= y3; \ y3 ^= y2; \ y2 |= x1; \ y1 = y3 & y0; \ y2 ^= y1; \ y1 ^= y0; \ y1 |= x1; \ y1 ^= x0; \ y0 &= x3; \ y0 ^= x2; \ y0 = ~y0; \ } while (0) /* S5: 15 5 2 11 4 10 9 12 0 3 14 8 13 6 7 1 */ /* Original single-assignment form: t01 = x1 ^ x3; t02 = x1 | x3; t03 = x0 & t01; t04 = x2 ^ t02; t05 = t03 ^ t04; y0 = ~ t05; t07 = x0 ^ t01; t08 = x3 | y0; t09 = x1 | t05; t10 = x3 ^ t08; t11 = x1 | t07; t12 = t03 | y0; t13 = t07 | t10; t14 = t01 ^ t11; y2 = t09 ^ t13; y1 = t07 ^ t08; y3 = t12 ^ t14; */ #define SBOX5(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x1 | x3; \ y0 ^= x2; \ x2 = x1 ^ x3; \ y2 = x0 ^ x2; \ x0 &= x2; \ y0 ^= x0; \ y3 = x1 | y2; \ x1 |= y0; \ y0 = ~y0; \ x0 |= y0; \ y3 ^= x2; \ y3 ^= x0; \ y1 = x3 | y0; \ x3 ^= y1; \ y1 ^= y2; \ y2 |= x3; \ y2 ^= x1; \ } while (0) /* S6: 7 2 12 5 8 4 6 11 14 9 1 15 13 3 10 0 */ /* Original single-assignment form: t01 = x0 & x3; t02 = x1 ^ x2; t03 = x0 ^ x3; t04 = t01 ^ t02; t05 = x1 | x2; y1 = ~ t04; t07 = t03 & t05; t08 = x1 & y1; t09 = x0 | x2; t10 = t07 ^ t08; t11 = x1 | x3; t12 = x2 ^ t11; t13 = t09 ^ t10; y2 = ~ t13; t15 = y1 & t03; y3 = t12 ^ t07; t17 = x0 ^ x1; t18 = y2 ^ t15; y0 = t17 ^ t18; */ #define SBOX6(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x3; \ y1 = x0 & x3; \ y2 = x0 | x2; \ x3 |= x1; \ x3 ^= x2; \ x0 ^= x1; \ y3 = x1 | x2; \ x2 ^= x1; \ y3 &= y0; \ y1 ^= x2; \ y1 = ~y1; \ y0 &= y1; \ x1 &= y1; \ x1 ^= y3; \ y3 ^= x3; \ y2 ^= x1; \ y2 = ~y2; \ y0 ^= y2; \ y0 ^= x0; \ } while (0) /* S7: 1 13 15 0 14 8 2 11 7 4 12 10 9 3 5 6 */ /* Original single-assignment form: t01 = x0 & x2; t02 = ~ x3; t03 = x0 & t02; t04 = x1 | t01; t05 = x0 & x1; t06 = x2 ^ t04; y3 = t03 ^ t06; t08 = x2 | y3; t09 = x3 | t05; t10 = x0 ^ t08; t11 = t04 & y3; y1 = t09 ^ t10; t13 = x1 ^ y1; t14 = t01 ^ y1; t15 = x2 ^ t05; t16 = t11 | t13; t17 = t02 | t14; y0 = t15 ^ t17; y2 = x0 ^ t16; */ /* It appears impossible to do this with only 8 registers. We recompute t02, and t04 (if we have spare registers, hopefully the compiler can recognize them as common subexpressions). */ #define SBOX7(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 & x2; \ y3 = x1 | y0; /* t04 */ \ y3 ^= x2; \ y1 = ~x3; /* t02 */ \ y1 &= x0; \ y3 ^= y1; \ y1 = x2 | y3; \ y1 ^= x0; \ y2 = x0 & x1; \ x2 ^= y2; \ y2 |= x3; \ y1 ^= y2; \ y2 = x1 | y0; /* t04 */ \ y2 &= y3; \ x1 ^= y1; \ y2 |= x1; \ y2 ^= x0; \ y0 ^= y1; \ x3 = ~x3; /* t02 */ \ y0 |= x3; \ y0 ^= x2; \ } while (0) /* In-place linear transformation. */ #define LINEAR_TRANSFORMATION(x0,x1,x2,x3) \ do { \ x0 = ROTL32 (13, x0); \ x2 = ROTL32 (3, x2); \ x1 = x1 ^ x0 ^ x2; \ x3 = x3 ^ x2 ^ (x0 << 3); \ x1 = ROTL32 (1, x1); \ x3 = ROTL32 (7, x3); \ x0 = x0 ^ x1 ^ x3; \ x2 = x2 ^ x3 ^ (x1 << 7); \ x0 = ROTL32 (5, x0); \ x2 = ROTL32 (22, x2); \ } while (0) /* Round inputs are x0,x1,x2,x3 (destroyed), and round outputs are y0,y1,y2,y3. */ #define ROUND(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ KEYXOR(x0,x1,x2,x3, subkey); \ SBOX##which(x0,x1,x2,x3, y0,y1,y2,y3); \ LINEAR_TRANSFORMATION(y0,y1,y2,y3); \ } while (0) #if HAVE_NATIVE_64_BIT #define LINEAR_TRANSFORMATION64(x0,x1,x2,x3) \ do { \ x0 = DROTL32 (13, x0); \ x2 = DROTL32 (3, x2); \ x1 = x1 ^ x0 ^ x2; \ x3 = x3 ^ x2 ^ DRSHIFT32(3, x0); \ x1 = DROTL32 (1, x1); \ x3 = DROTL32 (7, x3); \ x0 = x0 ^ x1 ^ x3; \ x2 = x2 ^ x3 ^ DRSHIFT32(7, x1); \ x0 = DROTL32 (5, x0); \ x2 = DROTL32 (22, x2); \ } while (0) #define ROUND64(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ KEYXOR64(x0,x1,x2,x3, subkey); \ SBOX##which(x0,x1,x2,x3, y0,y1,y2,y3); \ LINEAR_TRANSFORMATION64(y0,y1,y2,y3); \ } while (0) #endif /* HAVE_NATIVE_64_BIT */ void serpent_encrypt (const struct serpent_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); #if HAVE_NATIVE_64_BIT if (length & SERPENT_BLOCK_SIZE) #else while (length >= SERPENT_BLOCK_SIZE) #endif { uint32_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); for (k = 0; ; k += 8) { ROUND (0, ctx->keys[k+0], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (1, ctx->keys[k+1], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (2, ctx->keys[k+2], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (3, ctx->keys[k+3], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (4, ctx->keys[k+4], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (5, ctx->keys[k+5], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (6, ctx->keys[k+6], x0,x1,x2,x3, y0,y1,y2,y3); if (k == 24) break; ROUND (7, ctx->keys[k+7], y0,y1,y2,y3, x0,x1,x2,x3); } /* Special final round, using two subkeys. */ KEYXOR (y0,y1,y2,y3, ctx->keys[31]); SBOX7 (y0,y1,y2,y3, x0,x1,x2,x3); KEYXOR (x0,x1,x2,x3, ctx->keys[32]); LE_WRITE_UINT32 (dst, x0); LE_WRITE_UINT32 (dst + 4, x1); LE_WRITE_UINT32 (dst + 8, x2); LE_WRITE_UINT32 (dst + 12, x3); src += SERPENT_BLOCK_SIZE; dst += SERPENT_BLOCK_SIZE; length -= SERPENT_BLOCK_SIZE; } #if HAVE_NATIVE_64_BIT FOR_BLOCKS(length, dst, src, 2*SERPENT_BLOCK_SIZE) { uint64_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); x0 <<= 32; x0 |= LE_READ_UINT32 (src + 16); x1 <<= 32; x1 |= LE_READ_UINT32 (src + 20); x2 <<= 32; x2 |= LE_READ_UINT32 (src + 24); x3 <<= 32; x3 |= LE_READ_UINT32 (src + 28); for (k = 0; ; k += 8) { ROUND64 (0, ctx->keys[k+0], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (1, ctx->keys[k+1], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (2, ctx->keys[k+2], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (3, ctx->keys[k+3], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (4, ctx->keys[k+4], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (5, ctx->keys[k+5], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (6, ctx->keys[k+6], x0,x1,x2,x3, y0,y1,y2,y3); if (k == 24) break; ROUND64 (7, ctx->keys[k+7], y0,y1,y2,y3, x0,x1,x2,x3); } /* Special final round, using two subkeys. */ KEYXOR64 (y0,y1,y2,y3, ctx->keys[31]); SBOX7 (y0,y1,y2,y3, x0,x1,x2,x3); KEYXOR64 (x0,x1,x2,x3, ctx->keys[32]); LE_WRITE_UINT32 (dst + 16, x0); LE_WRITE_UINT32 (dst + 20, x1); LE_WRITE_UINT32 (dst + 24, x2); LE_WRITE_UINT32 (dst + 28, x3); x0 >>= 32; LE_WRITE_UINT32 (dst, x0); x1 >>= 32; LE_WRITE_UINT32 (dst + 4, x1); x2 >>= 32; LE_WRITE_UINT32 (dst + 8, x2); x3 >>= 32; LE_WRITE_UINT32 (dst + 12, x3); } #endif /* HAVE_NATIVE_64_BIT */ } nettle-3.4.1/hmac-sha224.c0000644000175000017500000000264113401564745014127 0ustar nissenisse/* hmac-sha224.c HMAC-SHA224 message authentication code. Copyright (C) 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha224, key_length, key); } void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha224, length, digest); } nettle-3.4.1/nettle-meta-hashes.c0000644000175000017500000000277713401564745015720 0ustar nissenisse/* nettle-meta-hashes.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #undef nettle_hashes const struct nettle_hash * const nettle_hashes[] = { &nettle_md2, &nettle_md4, &nettle_md5, &nettle_ripemd160, &nettle_sha1, &nettle_sha224, &nettle_sha256, &nettle_sha384, &nettle_sha512, &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, NULL }; const struct nettle_hash * const * nettle_get_hashes (void) { return nettle_hashes; } nettle-3.4.1/ecc-dup-eh.c0000644000175000017500000000553013401564746014131 0ustar nissenisse/* ecc-dup-eh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Double a point on an Edwards curve, in homogeneous coordinates */ void ecc_dup_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): Computation Operation Live variables b = (x+y)^2 sqr b c = x^2 sqr b, c d = y^2 sqr b, c, d e = c+d b, c, d, e h = z^2 sqr b, c, d, e, h j = e-2*h b, c, d, e, j x' = (b-e)*j mul c, d, e, j y' = e*(c-d) mul e, j z' = e*j mul But for the twisted curve, we need some sign changes. b = (x+y)^2 sqr b c = x^2 sqr b, c d = y^2 sqr b, c, d ! e = -c+d b, c, d, e h = z^2 sqr b, c, d, e, h ! j = -e+2*h b, c, d, e, j ! x' = (b-c-d)*j mul c, d, e, j ! y' = e*(c+d) mul e, j z' = e*j mul */ #define b scratch #define c (scratch + ecc->p.size) #define d (scratch + 2*ecc->p.size) #define e (scratch + 3*ecc->p.size) #define j (scratch + 4*ecc->p.size) /* b */ ecc_modp_add (ecc, e, p, p + ecc->p.size); ecc_modp_sqr (ecc, b, e); /* c */ ecc_modp_sqr (ecc, c, p); /* d */ ecc_modp_sqr (ecc, d, p + ecc->p.size); /* h, can use r as scratch, even for in-place operation. */ ecc_modp_sqr (ecc, r, p + 2*ecc->p.size); /* e, */ ecc_modp_sub (ecc, e, d, c); /* b - c - d */ ecc_modp_sub (ecc, b, b, c); ecc_modp_sub (ecc, b, b, d); /* j */ ecc_modp_add (ecc, r, r, r); ecc_modp_sub (ecc, j, r, e); /* x' */ ecc_modp_mul (ecc, r, b, j); /* y' */ ecc_modp_add (ecc, c, c, d); /* Redundant */ ecc_modp_mul (ecc, r + ecc->p.size, e, c); /* z' */ ecc_modp_mul (ecc, b, e, j); mpn_copyi (r + 2*ecc->p.size, b, ecc->p.size); } nettle-3.4.1/aes-set-key-internal.c0000644000175000017500000000365313401564745016163 0ustar nissenisse/* aes-set-key-internal.c Key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" #include #include "macros.h" void _aes_set_key(unsigned nr, unsigned nk, uint32_t *subkeys, const uint8_t *key) { static const uint8_t rcon[10] = { 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, }; const uint8_t *rp; unsigned lastkey, i; uint32_t t; assert(nk != 0); lastkey = (AES_BLOCK_SIZE/4) * (nr + 1); for (i=0, rp = rcon; i 6 && (i%nk) == 4) t = SUBBYTE(t, aes_sbox); subkeys[i] = subkeys[i-nk] ^ t; } } nettle-3.4.1/dsa2sexp.c0000644000175000017500000000327413401564746013753 0ustar nissenisse/* dsa2sexp.c Copyright (C) 2002, 2009, 2014 Niels Möller, Magnus Holmgren This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "sexp.h" int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, const struct dsa_params *params, const mpz_t pub, const mpz_t priv) { if (!algorithm_name) algorithm_name = "dsa"; if (priv) return sexp_format(buffer, "(private-key(%0s(p%b)(q%b)" "(g%b)(y%b)(x%b)))", algorithm_name, params->p, params->q, params->g, pub, priv); else return sexp_format(buffer, "(public-key(%0s(p%b)(q%b)" "(g%b)(y%b)))", algorithm_name, params->p, params->q, params->g, pub); } nettle-3.4.1/sha3-384.c0000644000175000017500000000332013401564745013363 0ustar nissenisse/* sha3-384.c The sha3 hash function, 384 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "nettle-write.h" void sha3_384_init (struct sha3_384_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_384_ctx, block)); } void sha3_384_update (struct sha3_384_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _sha3_update (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_384_digest(struct sha3_384_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_384_init (ctx); } nettle-3.4.1/rsa-md5-verify.c0000644000175000017500000000334213401564746014770 0ustar nissenisse/* rsa-md5-verify.c Verifying signatures created with RSA and MD5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_verify(const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_md5_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_md5_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.4.1/gcmdata.c0000644000175000017500000000375713401564746013630 0ustar nissenisse/* gcmdata.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf Generation of fixed multiplication tables. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include #include #define GHASH_POLYNOMIAL 0xE1 /* When x is shifted out over the block edge, add multiples of the defining polynomial to eliminate each bit. */ static unsigned reduce(unsigned x) { unsigned p = GHASH_POLYNOMIAL << 1; unsigned y = 0; for (; x; x >>= 1, p <<= 1) if (x & 1) y ^= p; return y; } int main(int argc, char **argv) { unsigned i; printf("4-bit table:\n"); for (i = 0; i<16; i++) { unsigned x; if (i && !(i%8)) printf("\n"); x = reduce(i << 4); printf("W(%02x,%02x),", x >> 8, x & 0xff); } printf("\n\n"); printf("8-bit table:\n"); for (i = 0; i<256; i++) { unsigned x; if (i && !(i%8)) printf("\n"); x = reduce(i); printf("W(%02x,%02x),", x >> 8, x & 0xff); } printf("\n"); return EXIT_SUCCESS; } nettle-3.4.1/INSTALL0000644000175000017500000002231013401564746013077 0ustar nissenisseInstallation Instructions ************************* Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, 2006 Free Software Foundation, Inc. This file is free documentation; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Basic Installation ================== Briefly, the shell commands `./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files. If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package. 4. Type `make install' to install the programs and any data files and documentation. 5. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables. You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. Installation Names ================== By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX'. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script). Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf bug. Until the bug is fixed you can use this workaround: CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash `configure' Invocation ====================== `configure' recognizes the following options to control how it operates. `--help' `-h' Print a summary of the options to `configure', and exit. `--version' `-V' Print the version of Autoconf used to generate the `configure' script, and exit. `--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching. `--config-cache' `-C' Alias for `--cache-file=config.cache'. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). `--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details. nettle-3.4.1/gcm-camellia256.c0000644000175000017500000000402013401564745014757 0ustar nissenisse/* gcm-camellia256.c Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, camellia256_set_encrypt_key, camellia256_crypt, key); } void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, camellia256_crypt, length, dst, src); } void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, camellia256_crypt, length, dst, src); } void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, camellia256_crypt, length, digest); } nettle-3.4.1/md5.h0000644000175000017500000000423213401564746012707 0ustar nissenisse/* md5.h The MD5 hash function, described in RFC 1321. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD5_H_INCLUDED #define NETTLE_MD5_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md5_init nettle_md5_init #define md5_update nettle_md5_update #define md5_digest nettle_md5_digest #define MD5_DIGEST_SIZE 16 #define MD5_BLOCK_SIZE 64 /* For backwards compatibility */ #define MD5_DATA_SIZE MD5_BLOCK_SIZE /* Digest is kept internally as 4 32-bit words. */ #define _MD5_DIGEST_LENGTH 4 struct md5_ctx { uint32_t state[_MD5_DIGEST_LENGTH]; uint64_t count; /* Block count */ uint8_t block[MD5_BLOCK_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ }; void md5_init(struct md5_ctx *ctx); void md5_update(struct md5_ctx *ctx, size_t length, const uint8_t *data); void md5_digest(struct md5_ctx *ctx, size_t length, uint8_t *digest); /* Internal compression function. STATE points to 4 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void _nettle_md5_compress(uint32_t *state, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_MD5_H_INCLUDED */ nettle-3.4.1/umac-poly64.c0000644000175000017500000000361413401564745014277 0ustar nissenisse/* umac-poly64.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" static uint64_t poly64_mul (uint32_t kh, uint32_t kl, uint64_t y) { uint64_t yl, yh, pl, ph, ml, mh; yl = y & 0xffffffff; yh = y >> 32; pl = yl * kl; ph = yh * kh; ml = yh * kl + yl * kh; /* No overflow, thanks to special form */ mh = ml >> 32; ml <<= 32; pl += ml; ph += mh + (pl < ml); /* Reduce, using 2^64 = UMAC_P64_OFFSET (mod p) */ assert (ph < ((uint64_t) 1 << 57)); ph *= UMAC_P64_OFFSET; pl += ph; if (pl < ph) pl += UMAC_P64_OFFSET; return pl; } uint64_t _umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m) { if ( (m >> 32) == 0xffffffff) { y = poly64_mul (kh, kl, y); if (y == 0) y = UMAC_P64 - 1; else y--; m -= UMAC_P64_OFFSET; } y = poly64_mul (kh, kl, y); y += m; if (y < m) y += UMAC_P64_OFFSET; return y; } nettle-3.4.1/serpent-meta.c0000644000175000017500000000320213401564745014614 0ustar nissenisse/* serpent-meta.c Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "serpent.h" #define SERPENT(bits) { \ "serpent" #bits, \ sizeof(struct serpent_ctx), \ SERPENT_BLOCK_SIZE, \ SERPENT ## bits ##_KEY_SIZE, \ (nettle_set_key_func *) serpent ## bits ## _set_key, \ (nettle_set_key_func *) serpent ## bits ## _set_key, \ (nettle_cipher_func *) serpent_encrypt, \ (nettle_cipher_func *) serpent_decrypt \ } const struct nettle_cipher nettle_serpent128 = SERPENT(128); const struct nettle_cipher nettle_serpent192 = SERPENT(192); const struct nettle_cipher nettle_serpent256 = SERPENT(256); nettle-3.4.1/configure0000755000175000017500000102342413401564746013765 0ustar nissenisse#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69 for nettle 3.4.1. # # Report bugs to . # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 as_fn_exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null; then : as_have_required=yes else as_have_required=no fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. as_shell=$as_dir/$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : CONFIG_SHELL=$as_shell as_have_required=yes if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : break 2 fi fi done;; esac as_found=false done $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : CONFIG_SHELL=$SHELL as_have_required=yes fi; } IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno; then : $as_echo "$0: This script requires a shell more modern than all" $as_echo "$0: the shells that I found on your system." if test x${ZSH_VERSION+set} = xset ; then $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and $0: nettle-bugs@lists.lysator.liu.se about your system, $0: including any error possibly output before this $0: message. Then install a modern shell, or manually run $0: the script under such a shell if you do have one." fi exit 1 fi fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='nettle' PACKAGE_TARNAME='nettle' PACKAGE_VERSION='3.4.1' PACKAGE_STRING='nettle 3.4.1' PACKAGE_BUGREPORT='nettle-bugs@lists.lysator.liu.se' PACKAGE_URL='' ac_unique_file="arcfour.c" # Factoring default headers for most tests. ac_includes_default="\ #include #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef STDC_HEADERS # include # include #else # ifdef HAVE_STDLIB_H # include # endif #endif #ifdef HAVE_STRING_H # if !defined STDC_HEADERS && defined HAVE_MEMORY_H # include # endif # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_subst_vars='LTLIBOBJS LIBOBJS BENCH_LIBS OPENSSL_LIBFLAGS IF_MINI_GMP IF_DLL IF_DOCUMENTATION IF_DLOPEN_TEST IF_NOT_SHARED IF_SHARED IF_STATIC IF_HOGWEED MAKEINFO M4 LIBHOGWEED_LIBS LIBHOGWEED_LINK LIBHOGWEED_FILE_SRC LIBHOGWEED_FILE LIBHOGWEED_SONAME LIBHOGWEED_FORLINK LIBHOGWEED_MINOR LIBHOGWEED_MAJOR LIBNETTLE_LIBS LIBNETTLE_LINK LIBNETTLE_FILE_SRC LIBNETTLE_FILE LIBNETTLE_SONAME LIBNETTLE_FORLINK LIBNETTLE_MINOR LIBNETTLE_MAJOR EMULATOR W64_ABI ASM_ALIGN_LOG ASM_MARK_NOEXEC_STACK ASM_TYPE_PROGBITS ASM_TYPE_FUNCTION ASM_COFF_STYLE ASM_ELF_STYLE ASM_SYMBOL_PREFIX CCPIC IF_ASM ASM_RODATA OPT_NETTLE_SOURCES OPT_HOGWEED_OBJS OPT_NETTLE_OBJS GMP_NUMB_BITS NUMB_BITS ALLOCA EGREP GREP CPP DEP_PROCESS DEP_FLAGS DEP_INCLUDE EXEEXT_FOR_BUILD CC_FOR_BUILD LN_S MKDIR_P INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM AR OBJDUMP NM RANLIB SET_MAKE EXTRA_HOGWEED_LINKER_FLAGS EXTRA_LINKER_FLAGS IF_CXX ac_ct_CXX CXXFLAGS CXX OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC HOGWEED_EXTRA_SYMBOLS NETTLE_USE_MINI_GMP host_os host_vendor host_cpu host build_os build_vendor build_cpu build MINOR_VERSION MAJOR_VERSION target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir runstatedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking with_include_path with_lib_path enable_public_key enable_assembler enable_static enable_shared enable_pic enable_openssl enable_gcov enable_documentation enable_fat enable_arm_neon enable_x86_aesni enable_mini_gmp enable_ld_version_script enable_dependency_tracking ' ac_precious_vars='build_alias host_alias target_alias CC CFLAGS LDFLAGS LIBS CPPFLAGS CXX CXXFLAGS CCC CC_FOR_BUILD CPP' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | --program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -runstatedir | --runstatedir | --runstatedi | --runstated \ | --runstate | --runstat | --runsta | --runst | --runs \ | --run | --ru | --r) ac_prev=runstatedir ;; -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ | --run=* | --ru=* | --r=*) runstatedir=$ac_optarg ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures nettle 3.4.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/nettle] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of nettle 3.4.1:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-public-key Disable public key algorithms --disable-assembler Disable assembler code --disable-static Do not build any static library --disable-shared Do not build any shared library --disable-pic Do not try to compile library files as position independent code --disable-openssl Do not include openssl glue in the benchmark program --enable-gcov Instrument for gcov (requires a modern gcc) --disable-documentation Omit building and installing the documentation. (default=auto) --enable-fat Enable fat library build (default=no) --enable-arm-neon Enable ARM Neon assembly. (default=auto) --enable-x86-aesni Enable x86_64 aes instructions. (default=no) --enable-mini-gmp Enable mini-gmp, used instead of libgmp. --enable-ld-version-script enable linker version script (default is enabled when possible) --disable-dependency-tracking Disable dependency tracking. Dependency tracking doesn't work with BSD make Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --with-include-path A colon-separated list of directories to search for include files --with-lib-path A colon-separated list of directories to search for libraries Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CXX C++ compiler command CXXFLAGS C++ compiler flags CC_FOR_BUILD build system C compiler CPP C preprocessor Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for guested configure. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF nettle configure 3.4.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest$ac_exeext if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_cxx_try_compile LINENO # ---------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_cxx_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_cxx_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_cxx_try_compile # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_cpp () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } > conftest.i && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache # variable VAR accordingly. ac_fn_c_check_type () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof ($2)) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof (($2))) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else eval "$3=yes" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type # ac_fn_c_try_run LINENO # ---------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. Assumes # that executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then : ac_retval=0 else $as_echo "$as_me: program exited with status $ac_status" >&5 $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_compute_int LINENO EXPR VAR INCLUDES # -------------------------------------------- # Tries to find the compile-time value of EXPR in a program that includes # INCLUDES, setting VAR accordingly. Returns whether the value could be # computed ac_fn_c_compute_int () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) >= 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_lo=0 ac_mid=0 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=$ac_mid; break else as_fn_arith $ac_mid + 1 && ac_lo=$as_val if test $ac_lo -le $ac_mid; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) < 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=-1 ac_mid=-1 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) >= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_lo=$ac_mid; break else as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val if test $ac_mid -le $ac_hi; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done else ac_lo= ac_hi= fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext # Binary search between lo and hi bounds. while test "x$ac_lo" != "x$ac_hi"; do as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_hi=$ac_mid else as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done case $ac_lo in #(( ?*) eval "$3=\$ac_lo"; ac_retval=0 ;; '') ac_retval=1 ;; esac else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 static long int longval () { return $2; } static unsigned long int ulongval () { return $2; } #include #include int main () { FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; if (($2) < 0) { long int i = longval (); if (i != ($2)) return 1; fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); if (i != ($2)) return 1; fprintf (f, "%lu", i); } /* Do not output a trailing newline, as this causes \r\n confusion on some platforms. */ return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : echo >>conftest.val; read $3 &5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } else # Is the header compilable? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 $as_echo_n "checking $2 usability... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_header_compiler=yes else ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 $as_echo "$ac_header_compiler" >&6; } # Is the header present? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 $as_echo_n "checking $2 presence... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include <$2> _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : ac_header_preproc=yes else ac_header_preproc=no fi rm -f conftest.err conftest.i conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 $as_echo "$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( yes:no: ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 $as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ;; no:yes:* ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 $as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 $as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ( $as_echo "## ----------------------------------------------- ## ## Report this to nettle-bugs@lists.lysator.liu.se ## ## ----------------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=\$ac_header_compiler" fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_mongrel # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly ac_fn_c_check_func () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (); below. Prefer to if __STDC__ is defined, since exists even on freestanding compilers. */ #ifdef __STDC__ # include #else # include #endif #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main () { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by nettle $as_me 3.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. ## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. $as_echo "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Save into config.log some information that might help in debugging. { echo $as_echo "## ---------------- ## ## Cache variables. ## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo $as_echo "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then $as_echo "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then $as_echo "## ----------- ## ## confdefs.h. ## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && $as_echo "$as_me: caught signal $ac_signal" $as_echo "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h $as_echo "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_URL "$PACKAGE_URL" _ACEOF # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. ac_site_file1=NONE ac_site_file2=NONE if test -n "$CONFIG_SITE"; then # We do not want a PATH search for config.site. case $CONFIG_SITE in #(( -*) ac_site_file1=./$CONFIG_SITE;; */*) ac_site_file1=$CONFIG_SITE;; *) ac_site_file1=./$CONFIG_SITE;; esac elif test "x$prefix" != xNONE; then ac_site_file1=$prefix/share/config.site ac_site_file2=$prefix/etc/config.site else ac_site_file1=$ac_default_prefix/share/config.site ac_site_file2=$ac_default_prefix/etc/config.site fi for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 $as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Needed to stop autoconf from looking for files in parent directories. ac_aux_dir= for ac_dir in . "$srcdir"/.; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break elif test -f "$ac_dir/install.sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install.sh -c" break elif test -f "$ac_dir/shtool"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/shtool install -c" break fi done if test -z "$ac_aux_dir"; then as_fn_error $? "cannot find install-sh, install.sh, or shtool in . \"$srcdir\"/." "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. ac_config_headers="$ac_config_headers config.h" LIBNETTLE_MAJOR=6 LIBNETTLE_MINOR=5 LIBHOGWEED_MAJOR=4 LIBHOGWEED_MINOR=5 MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([^.]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[^.]*\.\([0-9]*\).*/\1/'` # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } if ${ac_cv_build+:} false; then : $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } if ${ac_cv_host+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac # Command line options # Check whether --with-include-path was given. if test "${with_include_path+set}" = set; then : withval=$with_include_path; else with_include_path='' fi if test x$with_include_path != x ; then CPPFLAGS="$CPPFLAGS -I`echo $with_include_path | sed 's/:/ -I/g'`" fi # Check whether --with-lib-path was given. if test "${with_lib_path+set}" = set; then : withval=$with_lib_path; else with_lib_path='' fi if test x$with_lib_path != x ; then LDFLAGS="$LDFLAGS -L`echo $with_lib_path | sed 's/:/ -L/g'`" fi # Check whether --enable-public-key was given. if test "${enable_public_key+set}" = set; then : enableval=$enable_public_key; else enable_public_key=yes fi # Check whether --enable-assembler was given. if test "${enable_assembler+set}" = set; then : enableval=$enable_assembler; else enable_assembler=yes fi # Check whether --enable-static was given. if test "${enable_static+set}" = set; then : enableval=$enable_static; else enable_static=yes fi # Check whether --enable-shared was given. if test "${enable_shared+set}" = set; then : enableval=$enable_shared; else enable_shared=yes fi # Check whether --enable-pic was given. if test "${enable_pic+set}" = set; then : enableval=$enable_pic; else enable_pic=yes fi # Check whether --enable-openssl was given. if test "${enable_openssl+set}" = set; then : enableval=$enable_openssl; else enable_openssl=yes fi # Check whether --enable-gcov was given. if test "${enable_gcov+set}" = set; then : enableval=$enable_gcov; else enable_gcov=no fi # Check whether --enable-documentation was given. if test "${enable_documentation+set}" = set; then : enableval=$enable_documentation; else enable_documentation=auto fi # Check whether --enable-fat was given. if test "${enable_fat+set}" = set; then : enableval=$enable_fat; else enable_fat=no fi # Check whether --enable-arm-neon was given. if test "${enable_arm_neon+set}" = set; then : enableval=$enable_arm_neon; else enable_arm_neon=auto fi # Check whether --enable-x86-aesni was given. if test "${enable_x86_aesni+set}" = set; then : enableval=$enable_x86_aesni; else enable_x86_aesni=no fi # Check whether --enable-mini-gmp was given. if test "${enable_mini_gmp+set}" = set; then : enableval=$enable_mini_gmp; else enable_mini_gmp=no fi if test "x$enable_mini_gmp" = xyes ; then NETTLE_USE_MINI_GMP=1 HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;mp_*;" else NETTLE_USE_MINI_GMP=0 HOGWEED_EXTRA_SYMBOLS="" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -R flag" >&5 $as_echo_n "checking for -R flag... " >&6; } RPATHFLAG='' case "$host_os" in osf1*) RPATHFLAG="-rpath " ;; irix6.*|irix5.*) RPATHFLAG="-rpath " ;; solaris*) if test "$TCC" = "yes"; then # tcc doesn't know about -R RPATHFLAG="-Wl,-R," else RPATHFLAG=-R fi ;; linux*|freebsd*) RPATHFLAG="-Wl,-rpath," ;; *) RPATHFLAG="" ;; esac if test x$RPATHFLAG = x ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: none" >&5 $as_echo "none" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: using $RPATHFLAG" >&5 $as_echo "using $RPATHFLAG" >&6; } fi RPATH_CANDIDATE_REAL_DIRS='' RPATH_CANDIDATE_DIRS='' { $as_echo "$as_me:${as_lineno-$LINENO}: result: Searching for libraries" >&5 $as_echo "Searching for libraries" >&6; } for d in `echo $with_lib_path | sed 's/:/ /g'` \ `echo $exec_prefix | sed "s@^NONE@$prefix/lib@g" | sed "s@^NONE@$ac_default_prefix/lib@g"` \ /usr/local/lib /sw/local/lib /sw/lib \ /usr/gnu/lib /opt/gnu/lib /sw/gnu/lib /usr/freeware/lib /usr/pkg/lib ; do { $as_echo "$as_me:${as_lineno-$LINENO}: checking $d" >&5 $as_echo_n "checking $d... " >&6; } ac_exists=no if test -d "$d/." ; then ac_real_dir=`cd $d && pwd` if test -n "$ac_real_dir" ; then ac_exists=yes for old in RPATH_CANDIDATE_REAL_DIRS ; do ac_found=no if test x$ac_real_dir = x$old ; then ac_found=yes; break; fi done if test $ac_found = yes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: already added" >&5 $as_echo "already added" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: added" >&5 $as_echo "added" >&6; } # LDFLAGS="$LDFLAGS -L $d" RPATH_CANDIDATE_REAL_DIRS="$ac_real_dir $RPATH_CANDIDATE_REAL_DIRS" RPATH_CANDIDATE_DIRS="$d $RPATH_CANDIDATE_DIRS" fi fi fi if test $ac_exists = no ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 $as_echo "not found" >&6; } fi done # Checks for programs. ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 $as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an `-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else ac_file='' fi if test -z "$ac_file"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See \`config.log' for more details" "$LINENO" 5; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 $as_echo_n "checking for C compiler default output file name... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 $as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with # `rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { FILE *f = fopen ("conftest.out", "w"); return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 $as_echo_n "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details" "$LINENO" 5; } fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 $as_echo "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } if ${ac_cv_objext+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ifunc support" >&5 $as_echo_n "checking for ifunc support... " >&6; } if ${nettle_cv_link_ifunc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ static int foo_imp(int x) { return 1; } typedef void void_func (void); static void_func * foo_resolv(void) { return (void_func *) foo_imp; } int foo (int x) __attribute__ ((ifunc("foo_resolv"))); int main () { return foo(0); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : nettle_cv_link_ifunc=yes else nettle_cv_link_ifunc=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_link_ifunc" >&5 $as_echo "$nettle_cv_link_ifunc" >&6; } if test "x$nettle_cv_link_ifunc" = xyes ; then $as_echo "#define HAVE_LINK_IFUNC 1" >>confdefs.h fi # When $CC foo.c -o foo creates both foo and foo.exe, autoconf picks # up the foo.exe and sets exeext to .exe. That is correct for cygwin, # which has some kind of magic link from foo to foo.exe, but not for # rntcl. A better check for the cygwin case would check if the # contents of foo and foo.exe are equal; in the rntcl case, foo is a # sh script, and foo.exe is a windows executable. if test "x$CC" = xrntcl ; then { $as_echo "$as_me:${as_lineno-$LINENO}: Compiling with rntcl; clearing EXEEXT and disabling assembler" >&5 $as_echo "$as_me: Compiling with rntcl; clearing EXEEXT and disabling assembler" >&6;} ac_exeext='' ac_cv_exeext='' EXEEXT='' enable_assembler=no fi # Used by the testsuite only ac_ext=cpp ac_cpp='$CXXCPP $CPPFLAGS' ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_cxx_compiler_gnu if test -z "$CXX"; then if test -n "$CCC"; then CXX=$CCC else if test -n "$ac_tool_prefix"; then for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CXX+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CXX"; then ac_cv_prog_CXX="$CXX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CXX="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CXX=$ac_cv_prog_CXX if test -n "$CXX"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CXX" >&5 $as_echo "$CXX" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CXX" && break done fi if test -z "$CXX"; then ac_ct_CXX=$CXX for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CXX+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CXX"; then ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CXX="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CXX=$ac_cv_prog_ac_ct_CXX if test -n "$ac_ct_CXX"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CXX" >&5 $as_echo "$ac_ct_CXX" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CXX" && break done if test "x$ac_ct_CXX" = x; then CXX="g++" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CXX=$ac_ct_CXX fi fi fi fi # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C++ compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C++ compiler" >&5 $as_echo_n "checking whether we are using the GNU C++ compiler... " >&6; } if ${ac_cv_cxx_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_cxx_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cxx_compiler_gnu" >&5 $as_echo "$ac_cv_cxx_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GXX=yes else GXX= fi ac_test_CXXFLAGS=${CXXFLAGS+set} ac_save_CXXFLAGS=$CXXFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CXX accepts -g" >&5 $as_echo_n "checking whether $CXX accepts -g... " >&6; } if ${ac_cv_prog_cxx_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_cxx_werror_flag=$ac_cxx_werror_flag ac_cxx_werror_flag=yes ac_cv_prog_cxx_g=no CXXFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO"; then : ac_cv_prog_cxx_g=yes else CXXFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO"; then : else ac_cxx_werror_flag=$ac_save_cxx_werror_flag CXXFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO"; then : ac_cv_prog_cxx_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cxx_werror_flag=$ac_save_cxx_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_g" >&5 $as_echo "$ac_cv_prog_cxx_g" >&6; } if test "$ac_test_CXXFLAGS" = set; then CXXFLAGS=$ac_save_CXXFLAGS elif test $ac_cv_prog_cxx_g = yes; then if test "$GXX" = yes; then CXXFLAGS="-g -O2" else CXXFLAGS="-g" fi else if test "$GXX" = yes; then CXXFLAGS="-O2" else CXXFLAGS= fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=cpp ac_cpp='$CXXCPP $CPPFLAGS' ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_cxx_compiler_gnu cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { return 0; ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO"; then : IF_CXX='' else IF_CXX='#' fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Check whether --enable-ld-version-script was given. if test "${enable_ld_version_script+set}" = set; then : enableval=$enable_ld_version_script; have_ld_version_script=$enableval fi if test -z "$have_ld_version_script"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if LD -Wl,--version-script works" >&5 $as_echo_n "checking if LD -Wl,--version-script works... " >&6; } save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" cat > conftest.map <conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : accepts_syntax_errors=yes else accepts_syntax_errors=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext if test "$accepts_syntax_errors" = no; then cat > conftest.map <conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : have_ld_version_script=yes else have_ld_version_script=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext else have_ld_version_script=no fi rm -f conftest.map LDFLAGS="$save_LDFLAGS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_ld_version_script" >&5 $as_echo "$have_ld_version_script" >&6; } fi if test "$have_ld_version_script" = "yes";then EXTRA_LINKER_FLAGS="-Wl,--version-script=libnettle.map" EXTRA_HOGWEED_LINKER_FLAGS="-Wl,--version-script=libhogweed.map" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 $as_echo "$RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_RANLIB"; then ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 $as_echo "$ac_ct_RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_RANLIB" = x; then RANLIB=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RANLIB=$ac_ct_RANLIB fi else RANLIB="$ac_cv_prog_RANLIB" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}nm", so it can be a program name with args. set dummy ${ac_tool_prefix}nm; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_NM+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$NM"; then ac_cv_prog_NM="$NM" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_NM="${ac_tool_prefix}nm" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi NM=$ac_cv_prog_NM if test -n "$NM"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NM" >&5 $as_echo "$NM" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_NM"; then ac_ct_NM=$NM # Extract the first word of "nm", so it can be a program name with args. set dummy nm; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_NM+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_NM"; then ac_cv_prog_ac_ct_NM="$ac_ct_NM" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_NM="nm" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_NM=$ac_cv_prog_ac_ct_NM if test -n "$ac_ct_NM"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NM" >&5 $as_echo "$ac_ct_NM" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_NM" = x; then NM="strings" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac NM=$ac_ct_NM fi else NM="$ac_cv_prog_NM" fi # Used only for the GNU-stack configure test. if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. set dummy ${ac_tool_prefix}objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$OBJDUMP"; then ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi OBJDUMP=$ac_cv_prog_OBJDUMP if test -n "$OBJDUMP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 $as_echo "$OBJDUMP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_OBJDUMP"; then ac_ct_OBJDUMP=$OBJDUMP # Extract the first word of "objdump", so it can be a program name with args. set dummy objdump; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_OBJDUMP"; then ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OBJDUMP="objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP if test -n "$ac_ct_OBJDUMP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 $as_echo "$ac_ct_OBJDUMP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_OBJDUMP" = x; then OBJDUMP="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac OBJDUMP=$ac_ct_OBJDUMP fi else OBJDUMP="$ac_cv_prog_OBJDUMP" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. set dummy ${ac_tool_prefix}ar; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AR+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AR"; then ac_cv_prog_AR="$AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_AR="${ac_tool_prefix}ar" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AR=$ac_cv_prog_AR if test -n "$AR"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 $as_echo "$AR" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_AR"; then ac_ct_AR=$AR # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_AR+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_AR"; then ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_AR="ar" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_AR=$ac_cv_prog_ac_ct_AR if test -n "$ac_ct_AR"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 $as_echo "$ac_ct_AR" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_AR" = x; then AR="false" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac AR=$ac_ct_AR fi else AR="$ac_cv_prog_AR" fi if test "x$ac_cv_prog_cc_stdc" = xno ; then as_fn_error $? "the C compiler doesn't handle ANSI-C" "$LINENO" 5 #' fi # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if ${ac_cv_path_install+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. # Account for people who put trailing slashes in PATH elements. case $as_dir/ in #(( ./ | .// | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir fi if test "${ac_cv_path_install+set}" = set; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' # According to the autoconf manual, needs install-sh from # autoconf-2.60 or automake-1.10 to avoid races. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if ${ac_cv_path_mkdir+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir (GNU coreutils) '* | \ 'mkdir (coreutils) '* | \ 'mkdir (fileutils) '4.1*) ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext break 3;; esac done done done IFS=$as_save_IFS fi test -d ./--version && rmdir ./--version if test "${ac_cv_path_mkdir+set}" = set; then MKDIR_P="$ac_cv_path_mkdir -p" else # As a last resort, use the slow shell script. Don't cache a # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. MKDIR_P="$ac_install_sh -d" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 $as_echo "$MKDIR_P" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 $as_echo_n "checking whether ln -s works... " >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 $as_echo "no, using $LN_S" >&6; } fi # Compiler tests for the build system if test -n "$CC_FOR_BUILD"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system compiler $CC_FOR_BUILD" >&5 $as_echo_n "checking build system compiler $CC_FOR_BUILD... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 $as_echo "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then : else as_fn_error $? "Specified CC_FOR_BUILD doesn't seem to work" "$LINENO" 5 fi elif test -n "$HOST_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system compiler $HOST_CC" >&5 $as_echo_n "checking build system compiler $HOST_CC... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 $as_echo "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then CC_FOR_BUILD=$HOST_CC else as_fn_error $? "Specified HOST_CC doesn't seem to work" "$LINENO" 5 fi else if test $cross_compiling = no ; then CC_FOR_BUILD="$CC" else for i in gcc cc c89 c99; do { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system compiler $i" >&5 $as_echo_n "checking build system compiler $i... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 $as_echo "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then CC_FOR_BUILD=$i break else : fi done if test -z "$CC_FOR_BUILD"; then as_fn_error $? "Cannot find a build system compiler" "$LINENO" 5 fi fi if test "$CC_FOR_BUILD" = gcc ; then CC_FOR_BUILD="$CC_FOR_BUILD -O -g" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for build system executable suffix" >&5 $as_echo_n "checking for build system executable suffix... " >&6; } if ${gmp_cv_prog_exeext_for_build+:} false; then : $as_echo_n "(cached) " >&6 else if test $cross_compiling = no ; then gmp_cv_prog_exeext_for_build="$EXEEXT" else cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./conftest) 2>&5; then gmp_cv_prog_exeext_for_build=$i break fi fi done rm -f conftest* if test "${gmp_cv_prog_exeext_for_build+set}" != set; then as_fn_error $? "Cannot determine executable suffix" "$LINENO" 5 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $gmp_cv_prog_exeext_for_build" >&5 $as_echo "$gmp_cv_prog_exeext_for_build" >&6; } EXEEXT_FOR_BUILD=$gmp_cv_prog_exeext_for_build # Check whether --enable-dependency_tracking was given. if test "${enable_dependency_tracking+set}" = set; then : enableval=$enable_dependency_tracking; else enable_dependency_tracking=yes fi DEP_FLAGS='' DEP_PROCESS='true' if test x$enable_dependency_tracking = xyes ; then if test x$GCC = xyes ; then gcc_version=`gcc --version | head -1` case "$gcc_version" in 2.*|*[!0-9.]2.*) enable_dependency_tracking=no { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Dependency tracking disabled, gcc-3.x is needed" >&5 $as_echo "$as_me: WARNING: Dependency tracking disabled, gcc-3.x is needed" >&2;} ;; *) DEP_FLAGS='-MT $@ -MD -MP -MF $@.d' DEP_PROCESS='true' ;; esac else enable_dependency_tracking=no { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Dependency tracking disabled" >&5 $as_echo "$as_me: WARNING: Dependency tracking disabled" >&2;} fi fi if test x$enable_dependency_tracking = xyes ; then DEP_INCLUDE='include ' else DEP_INCLUDE='# ' fi if test x$enable_dependency_tracking = xyes ; then # Since the makefiles use include to get the dependency files, we must # make sure that the files exist. We generate some more files than are # actually needed. ac_config_commands="$ac_config_commands dummy-dep-files" fi if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi # Checks for typedefs, structures, and compiler characteristics. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 $as_echo_n "checking for an ANSI C-conforming const... " >&6; } if ${ac_cv_c_const+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __cplusplus /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; /* AIX XL C 1.02.0.0 rejects this. It does not let you subtract one const X* pointer from another in an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this sort of thing. */ char tx; char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; const int *foo = &x[0]; ++foo; } { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ typedef const int *iptr; iptr p = 0; ++p; } { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ struct s { int j; const int *ap[3]; } bx; struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; if (!foo) return 0; } return !cs[0] && !zero.x; #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_const=yes else ac_cv_c_const=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 $as_echo "$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then $as_echo "#define const /**/" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 $as_echo_n "checking for inline... " >&6; } if ${ac_cv_c_inline+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo () {return 0; } $ac_kw foo_t foo () {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext test "$ac_cv_c_inline" != no && break done fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 $as_echo "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : break fi done ac_cv_prog_CPP=$CPP fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } if ${ac_cv_path_GREP+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then ac_path_GREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_GREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 $as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } if ${ac_cv_path_EGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else if test -z "$EGREP"; then ac_path_EGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_EGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 $as_echo "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 $as_echo_n "checking for uid_t in sys/types.h... " >&6; } if ${ac_cv_type_uid_t+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "uid_t" >/dev/null 2>&1; then : ac_cv_type_uid_t=yes else ac_cv_type_uid_t=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 $as_echo "$ac_cv_type_uid_t" >&6; } if test $ac_cv_type_uid_t = no; then $as_echo "#define uid_t int" >>confdefs.h $as_echo "#define gid_t int" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi # On IRIX 5.3, sys/types and inttypes.h are conflicting. for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default " if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" if test "x$ac_cv_type_size_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define size_t unsigned int _ACEOF fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5 $as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; } if ${ac_cv_header_time+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include int main () { if ((struct tm *) 0) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_time=yes else ac_cv_header_time=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5 $as_echo "$ac_cv_header_time" >&6; } if test $ac_cv_header_time = yes; then $as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h fi # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 $as_echo_n "checking size of long... " >&6; } if ${ac_cv_sizeof_long+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default"; then : else if test "$ac_cv_type_long" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (long) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_long=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 $as_echo "$ac_cv_sizeof_long" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_LONG $ac_cv_sizeof_long _ACEOF # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5 $as_echo_n "checking size of size_t... " >&6; } if ${ac_cv_sizeof_size_t+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then : else if test "$ac_cv_type_size_t" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (size_t) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_size_t=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5 $as_echo "$ac_cv_sizeof_size_t" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_SIZE_T $ac_cv_sizeof_size_t _ACEOF for ac_header in openssl/evp.h openssl/ecdsa.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF else enable_openssl=no break fi done # For use by the testsuite for ac_header in valgrind/memcheck.h do : ac_fn_c_check_header_mongrel "$LINENO" "valgrind/memcheck.h" "ac_cv_header_valgrind_memcheck_h" "$ac_includes_default" if test "x$ac_cv_header_valgrind_memcheck_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_VALGRIND_MEMCHECK_H 1 _ACEOF fi done for ac_header in dlfcn.h do : ac_fn_c_check_header_mongrel "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default" if test "x$ac_cv_header_dlfcn_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_DLFCN_H 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 $as_echo_n "checking for dlopen in -ldl... " >&6; } if ${ac_cv_lib_dl_dlopen+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char dlopen (); int main () { return dlopen (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_dl_dlopen=yes else ac_cv_lib_dl_dlopen=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 $as_echo "$ac_cv_lib_dl_dlopen" >&6; } if test "x$ac_cv_lib_dl_dlopen" = xyes; then : $as_echo "#define HAVE_LIBDL 1" >>confdefs.h fi # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # for constant arguments. Useless! { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 $as_echo_n "checking for working alloca.h... " >&6; } if ${ac_cv_working_alloca_h+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { char *p = (char *) alloca (2 * sizeof (int)); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_working_alloca_h=yes else ac_cv_working_alloca_h=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5 $as_echo "$ac_cv_working_alloca_h" >&6; } if test $ac_cv_working_alloca_h = yes; then $as_echo "#define HAVE_ALLOCA_H 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5 $as_echo_n "checking for alloca... " >&6; } if ${ac_cv_func_alloca_works+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __GNUC__ # define alloca __builtin_alloca #else # ifdef _MSC_VER # include # define alloca _alloca # else # ifdef HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ void *alloca (size_t); # endif # endif # endif # endif #endif int main () { char *p = (char *) alloca (1); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_func_alloca_works=yes else ac_cv_func_alloca_works=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5 $as_echo "$ac_cv_func_alloca_works" >&6; } if test $ac_cv_func_alloca_works = yes; then $as_echo "#define HAVE_ALLOCA 1" >>confdefs.h else # The SVR3 libPW and SVR4 libucb both contain incompatible functions # that cause trouble. Some versions do not even contain alloca or # contain a buggy version. If you still want to use their alloca, # use ar to extract alloca.o from them instead of compiling alloca.c. ALLOCA=\${LIBOBJDIR}alloca.$ac_objext $as_echo "#define C_ALLOCA 1" >>confdefs.h { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5 $as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; } if ${ac_cv_os_cray+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined CRAY && ! defined CRAY2 webecray #else wenotbecray #endif _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "webecray" >/dev/null 2>&1; then : ac_cv_os_cray=yes else ac_cv_os_cray=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_os_cray" >&5 $as_echo "$ac_cv_os_cray" >&6; } if test $ac_cv_os_cray = yes; then for ac_func in _getb67 GETB67 getb67; do as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define CRAY_STACKSEG_END $ac_func _ACEOF break fi done fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5 $as_echo_n "checking stack direction for C alloca... " >&6; } if ${ac_cv_c_stack_direction+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_c_stack_direction=0 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int find_stack_direction (int *addr, int depth) { int dir, dummy = 0; if (! addr) addr = &dummy; *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1; dir = depth ? find_stack_direction (addr, depth - 1) : 0; return dir + dummy; } int main (int argc, char **argv) { return find_stack_direction (0, argc + !argv + 20) < 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_c_stack_direction=1 else ac_cv_c_stack_direction=-1 fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5 $as_echo "$ac_cv_c_stack_direction" >&6; } cat >>confdefs.h <<_ACEOF #define STACK_DIRECTION $ac_cv_c_stack_direction _ACEOF fi for ac_header in malloc.h do : ac_fn_c_check_header_mongrel "$LINENO" "malloc.h" "ac_cv_header_malloc_h" "$ac_includes_default" if test "x$ac_cv_header_malloc_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_MALLOC_H 1 _ACEOF fi done for ac_func in strerror do : ac_fn_c_check_func "$LINENO" "strerror" "ac_cv_func_strerror" if test "x$ac_cv_func_strerror" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRERROR 1 _ACEOF fi done # getenv_secure is used for fat overrides, # getline is used in the testsuite for ac_func in secure_getenv getline do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 $as_echo_n "checking whether byte ordering is bigendian... " >&6; } if ${ac_cv_c_bigendian+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_c_bigendian=unknown # See if we're dealing with a universal compiler. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __APPLE_CC__ not a universal capable compiler #endif typedef int dummy; _ACEOF if ac_fn_c_try_compile "$LINENO"; then : # Check for potential -arch flags. It is not universal unless # there are at least two -arch flags with different values. ac_arch= ac_prev= for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do if test -n "$ac_prev"; then case $ac_word in i?86 | x86_64 | ppc | ppc64) if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then ac_arch=$ac_word else ac_cv_c_bigendian=universal break fi ;; esac ac_prev= elif test "x$ac_word" = "x-arch"; then ac_prev=arch fi done fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_c_bigendian = unknown; then # See if sys/param.h defines the BYTE_ORDER macro. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main () { #if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ && LITTLE_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : # It does; now see whether it defined to BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main () { #if BYTE_ORDER != BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_bigendian=yes else ac_cv_c_bigendian=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { #if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : # It does; now see whether it defined to _BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { #ifndef _BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_bigendian=yes else ac_cv_c_bigendian=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # Compile a test program. if test "$cross_compiling" = yes; then : # Try to guess by grepping values from an object file. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; int use_ascii (int i) { return ascii_mm[i] + ascii_ii[i]; } short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; int use_ebcdic (int i) { return ebcdic_mm[i] + ebcdic_ii[i]; } extern int foo; int main () { return use_ascii (foo) == use_ebcdic (foo); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then ac_cv_c_bigendian=yes fi if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then if test "$ac_cv_c_bigendian" = unknown; then ac_cv_c_bigendian=no else # finding both strings is unlikely to happen, but who knows? ac_cv_c_bigendian=unknown fi fi fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { /* Are we little or big endian? From Harbison&Steele. */ union { long int l; char c[sizeof (long int)]; } u; u.l = 1; return u.c[sizeof (long int) - 1] == 1; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_c_bigendian=no else ac_cv_c_bigendian=yes fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 $as_echo "$ac_cv_c_bigendian" >&6; } case $ac_cv_c_bigendian in #( yes) $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h ;; #( no) ;; #( universal) $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h ;; #( *) as_fn_error $? "unknown endianness presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__" >&5 $as_echo_n "checking for __attribute__... " >&6; } if ${lsh_cv_c_attribute+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include static void foo(void) __attribute__ ((noreturn)); static void __attribute__ ((noreturn)) foo(void) { exit(1); } int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : lsh_cv_c_attribute=yes else lsh_cv_c_attribute=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lsh_cv_c_attribute" >&5 $as_echo "$lsh_cv_c_attribute" >&6; } if test "x$lsh_cv_c_attribute" = "xyes"; then $as_echo "#define HAVE_GCC_ATTRIBUTE 1" >>confdefs.h fi # According to Simon Josefsson, looking for uint32_t and friends in # sys/types.h is needed on some systems, in particular cygwin. # ------ AX CREATE STDINT H ------------------------------------- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint types" >&5 $as_echo_n "checking for stdint types... " >&6; } ac_stdint_h=`echo nettle-stdint.h` # try to shortcircuit - if the default include path of the compiler # can find a "stdint.h" header then we assume that all compilers can. if ${ac_cv_header_stdint_t+:} false; then : $as_echo_n "(cached) " >&6 else old_CXXFLAGS="$CXXFLAGS" ; CXXFLAGS="" old_CPPFLAGS="$CPPFLAGS" ; CPPFLAGS="" old_CFLAGS="$CFLAGS" ; CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { int_least32_t v = 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_stdint_result="(assuming C99 compatible system)" ac_cv_header_stdint_t="stdint.h"; else ac_cv_header_stdint_t="" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CXXFLAGS="$old_CXXFLAGS" CPPFLAGS="$old_CPPFLAGS" CFLAGS="$old_CFLAGS" fi v="... $ac_cv_header_stdint_h" if test "$ac_stdint_h" = "stdint.h" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./stdint.h?)" >&5 $as_echo "(are you sure you want them in ./stdint.h?)" >&6; } elif test "$ac_stdint_h" = "inttypes.h" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./inttypes.h?)" >&5 $as_echo "(are you sure you want them in ./inttypes.h?)" >&6; } elif test "_$ac_cv_header_stdint_t" = "_" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: (putting them into $ac_stdint_h)$v" >&5 $as_echo "(putting them into $ac_stdint_h)$v" >&6; } else ac_cv_header_stdint="$ac_cv_header_stdint_t" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint (shortcircuit)" >&5 $as_echo "$ac_cv_header_stdint (shortcircuit)" >&6; } fi if test "_$ac_cv_header_stdint_t" = "_" ; then # can not shortcircuit.. inttype_headers=`echo sys/types.h | sed -e 's/,/ /g'` ac_cv_stdint_result="(no helpful system typedefs seen)" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 $as_echo_n "checking for stdint uintptr_t... " >&6; } if ${ac_cv_header_stdint_x+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_header_stdint_x="" # the 1997 typedefs (inttypes.h) { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 $as_echo "(..)" >&6; } for i in stdint.h inttypes.h sys/inttypes.h $inttype_headers ; do unset ac_cv_type_uintptr_t unset ac_cv_type_uint64_t ac_fn_c_check_type "$LINENO" "uintptr_t" "ac_cv_type_uintptr_t" "#include <$i> " if test "x$ac_cv_type_uintptr_t" = xyes; then : ac_cv_header_stdint_x=$i else continue fi ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> " if test "x$ac_cv_type_uint64_t" = xyes; then : and64="/uint64_t" else and64="" fi ac_cv_stdint_result="(seen uintptr_t$and64 in $i)" break; done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 $as_echo_n "checking for stdint uintptr_t... " >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_x" >&5 $as_echo "$ac_cv_header_stdint_x" >&6; } if test "_$ac_cv_header_stdint_x" = "_" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 $as_echo_n "checking for stdint uint32_t... " >&6; } if ${ac_cv_header_stdint_o+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_header_stdint_o="" # the 1995 typedefs (sys/inttypes.h) { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 $as_echo "(..)" >&6; } for i in inttypes.h sys/inttypes.h stdint.h $inttype_headers ; do unset ac_cv_type_uint32_t unset ac_cv_type_uint64_t ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "#include <$i> " if test "x$ac_cv_type_uint32_t" = xyes; then : ac_cv_header_stdint_o=$i else continue fi ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> " if test "x$ac_cv_type_uint64_t" = xyes; then : and64="/uint64_t" else and64="" fi ac_cv_stdint_result="(seen uint32_t$and64 in $i)" break; done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 $as_echo_n "checking for stdint uint32_t... " >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_o" >&5 $as_echo "$ac_cv_header_stdint_o" >&6; } fi if test "_$ac_cv_header_stdint_x" = "_" ; then if test "_$ac_cv_header_stdint_o" = "_" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 $as_echo_n "checking for stdint u_int32_t... " >&6; } if ${ac_cv_header_stdint_u+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_header_stdint_u="" # the BSD typedefs (sys/types.h) { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 $as_echo "(..)" >&6; } for i in sys/types.h inttypes.h sys/inttypes.h $inttype_headers ; do unset ac_cv_type_u_int32_t unset ac_cv_type_u_int64_t ac_fn_c_check_type "$LINENO" "u_int32_t" "ac_cv_type_u_int32_t" "#include <$i> " if test "x$ac_cv_type_u_int32_t" = xyes; then : ac_cv_header_stdint_u=$i else continue fi ac_fn_c_check_type "$LINENO" "u_int64_t" "ac_cv_type_u_int64_t" "#include<$i> " if test "x$ac_cv_type_u_int64_t" = xyes; then : and64="/u_int64_t" else and64="" fi ac_cv_stdint_result="(seen u_int32_t$and64 in $i)" break; done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 $as_echo_n "checking for stdint u_int32_t... " >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_u" >&5 $as_echo "$ac_cv_header_stdint_u" >&6; } fi fi if test "_$ac_cv_header_stdint_x" = "_" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint datatype model" >&5 $as_echo_n "checking for stdint datatype model... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 $as_echo "(..)" >&6; } # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char" >&5 $as_echo_n "checking size of char... " >&6; } if ${ac_cv_sizeof_char+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char))" "ac_cv_sizeof_char" "$ac_includes_default"; then : else if test "$ac_cv_type_char" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (char) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_char=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char" >&5 $as_echo "$ac_cv_sizeof_char" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_CHAR $ac_cv_sizeof_char _ACEOF # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short" >&5 $as_echo_n "checking size of short... " >&6; } if ${ac_cv_sizeof_short+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (short))" "ac_cv_sizeof_short" "$ac_includes_default"; then : else if test "$ac_cv_type_short" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (short) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_short=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_short" >&5 $as_echo "$ac_cv_sizeof_short" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_SHORT $ac_cv_sizeof_short _ACEOF # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of int" >&5 $as_echo_n "checking size of int... " >&6; } if ${ac_cv_sizeof_int+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (int))" "ac_cv_sizeof_int" "$ac_includes_default"; then : else if test "$ac_cv_type_int" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (int) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_int=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_int" >&5 $as_echo "$ac_cv_sizeof_int" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_INT $ac_cv_sizeof_int _ACEOF # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 $as_echo_n "checking size of long... " >&6; } if ${ac_cv_sizeof_long+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default"; then : else if test "$ac_cv_type_long" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (long) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_long=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 $as_echo "$ac_cv_sizeof_long" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_LONG $ac_cv_sizeof_long _ACEOF # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void*" >&5 $as_echo_n "checking size of void*... " >&6; } if ${ac_cv_sizeof_voidp+:} false; then : $as_echo_n "(cached) " >&6 else if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void*))" "ac_cv_sizeof_voidp" "$ac_includes_default"; then : else if test "$ac_cv_type_voidp" = yes; then { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (void*) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_voidp=0 fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_voidp" >&5 $as_echo "$ac_cv_sizeof_voidp" >&6; } cat >>confdefs.h <<_ACEOF #define SIZEOF_VOIDP $ac_cv_sizeof_voidp _ACEOF ac_cv_stdint_char_model="" ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_char" ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_short" ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_int" ac_cv_stdint_long_model="" ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_int" ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_long" ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_voidp" name="$ac_cv_stdint_long_model" case "$ac_cv_stdint_char_model/$ac_cv_stdint_long_model" in 122/242) name="$name, IP16 (standard 16bit machine)" ;; 122/244) name="$name, LP32 (standard 32bit mac/win)" ;; 122/*) name="$name (unusual int16 model)" ;; 124/444) name="$name, ILP32 (standard 32bit unixish)" ;; 124/488) name="$name, LP64 (standard 64bit unixish)" ;; 124/448) name="$name, LLP64 (unusual 64bit unixish)" ;; 124/*) name="$name (unusual int32 model)" ;; 128/888) name="$name, ILP64 (unusual 64bit numeric)" ;; 128/*) name="$name (unusual int64 model)" ;; 222/*|444/*) name="$name (unusual dsptype)" ;; *) name="$name (very unusal model)" ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: combined for stdint datatype model... $name" >&5 $as_echo "combined for stdint datatype model... $name" >&6; } fi if test "_$ac_cv_header_stdint_x" != "_" ; then ac_cv_header_stdint="$ac_cv_header_stdint_x" elif test "_$ac_cv_header_stdint_o" != "_" ; then ac_cv_header_stdint="$ac_cv_header_stdint_o" elif test "_$ac_cv_header_stdint_u" != "_" ; then ac_cv_header_stdint="$ac_cv_header_stdint_u" else ac_cv_header_stdint="stddef.h" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for extra inttypes in chosen header" >&5 $as_echo_n "checking for extra inttypes in chosen header... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: ($ac_cv_header_stdint)" >&5 $as_echo "($ac_cv_header_stdint)" >&6; } unset ac_cv_type_int_least32_t unset ac_cv_type_int_fast32_t ac_fn_c_check_type "$LINENO" "int_least32_t" "ac_cv_type_int_least32_t" "#include <$ac_cv_header_stdint> " if test "x$ac_cv_type_int_least32_t" = xyes; then : fi ac_fn_c_check_type "$LINENO" "int_fast32_t" "ac_cv_type_int_fast32_t" "#include<$ac_cv_header_stdint> " if test "x$ac_cv_type_int_fast32_t" = xyes; then : fi ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "#include <$ac_cv_header_stdint> " if test "x$ac_cv_type_intmax_t" = xyes; then : fi fi # shortcircut to system "stdint.h" # ------------------ PREPARE VARIABLES ------------------------------ if test "$GCC" = "yes" ; then ac_cv_stdint_message="using gnu compiler "`$CC --version | head -1` else ac_cv_stdint_message="using $CC" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&5 $as_echo "make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&6; } # ----------------- DONE inttypes.h checks START header ------------- ac_config_commands="$ac_config_commands $ac_stdint_h" # Check for file locking. We (AC_PROG_CC?) have already checked for # sys/types.h and unistd.h. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for fcntl file locking" >&5 $as_echo_n "checking for fcntl file locking... " >&6; } if ${nettle_cv_fcntl_locking+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if HAVE_SYS_TYPES_H # include #endif #if HAVE_UNISTD_H # include #endif #include int main () { int op = F_SETLKW; struct flock fl; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : nettle_cv_fcntl_locking=yes else nettle_cv_fcntl_locking=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_fcntl_locking" >&5 $as_echo "$nettle_cv_fcntl_locking" >&6; } if test "x$nettle_cv_fcntl_locking" = "xyes" ; then $as_echo "#define HAVE_FCNTL_LOCKING 1" >>confdefs.h fi # Checks for libraries if test "x$enable_public_key" = "xyes" ; then if test "x$enable_mini_gmp" = "xno" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __gmpn_sec_div_r in -lgmp" >&5 $as_echo_n "checking for __gmpn_sec_div_r in -lgmp... " >&6; } if ${ac_cv_lib_gmp___gmpn_sec_div_r+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lgmp $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char __gmpn_sec_div_r (); int main () { return __gmpn_sec_div_r (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_gmp___gmpn_sec_div_r=yes else ac_cv_lib_gmp___gmpn_sec_div_r=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpn_sec_div_r" >&5 $as_echo "$ac_cv_lib_gmp___gmpn_sec_div_r" >&6; } if test "x$ac_cv_lib_gmp___gmpn_sec_div_r" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LIBGMP 1 _ACEOF LIBS="-lgmp $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: GNU MP not found, or too old. GMP-6.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable." >&5 $as_echo "$as_me: WARNING: GNU MP not found, or too old. GMP-6.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable." >&2;} enable_public_key=no fi # Add -R flags needed to run programs linked with gmp if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then ac_success=no if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main(int argc, char **argv) { return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_success=yes else ac_success=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi if test $ac_success = no ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking Running simple test program failed. Trying -R flags" >&5 $as_echo_n "checking Running simple test program failed. Trying -R flags... " >&6; } ac_remaining_dirs='' ac_rpath_save_LDFLAGS="$LDFLAGS" for d in $RPATH_CANDIDATE_DIRS ; do if test $ac_success = yes ; then ac_remaining_dirs="$ac_remaining_dirs $d" else LDFLAGS="$RPATHFLAG$d $LDFLAGS" if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main(int argc, char **argv) { return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_success=yes ac_rpath_save_LDFLAGS="$LDFLAGS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: adding $RPATHFLAG$d" >&5 $as_echo "adding $RPATHFLAG$d" >&6; } else ac_remaining_dirs="$ac_remaining_dirs $d" fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi LDFLAGS="$ac_rpath_save_LDFLAGS" fi done RPATH_CANDIDATE_DIRS=$ac_remaining_dirs fi if test $ac_success = no ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 $as_echo "failed" >&6; } fi fi fi fi nettle_cv_gmp_numb_bits=0 if test "x$enable_public_key" = "xyes" ; then # Check for gmp limb size if test "x$enable_mini_gmp" = "xyes" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mini-gmp limb size" >&5 $as_echo_n "checking for mini-gmp limb size... " >&6; } # With mini-gmp, mp_limb_t is always unsigned long. if ac_fn_c_compute_int "$LINENO" "(sizeof(unsigned long) * CHAR_BIT)" "nettle_cv_gmp_numb_bits" "#include "; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot find value of GMP_NUMB_BITS See \`config.log' for more details" "$LINENO" 5; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 $as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GMP limb size" >&5 $as_echo_n "checking for GMP limb size... " >&6; } if ac_fn_c_compute_int "$LINENO" "GMP_NUMB_BITS" "nettle_cv_gmp_numb_bits" "#include "; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot find value of GMP_NUMB_BITS See \`config.log' for more details" "$LINENO" 5; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 $as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } fi fi # Substituted in Makefile, passed on to the eccdata command. NUMB_BITS="$nettle_cv_gmp_numb_bits" # Substituted in version.h, used only with mini-gmp. if test "x$enable_mini_gmp" = "xyes" ; then GMP_NUMB_BITS="$NUMB_BITS" else GMP_NUMB_BITS="n/a" fi # Figure out ABI. Currently, configurable only by setting CFLAGS. ABI=standard case "$host_cpu" in x86_64 | amd64) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__x86_64__) || defined(__arch64__) #error 64-bit x86 #endif int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ABI=32 else ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; *sparc*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__sparcv9) || defined(__arch64__) #error 64-bit sparc #endif int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ABI=32 else ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; *mips*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__sgi) && defined(__LP64__) #error 64-bit mips #endif int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ABI=32 else ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; esac if test "x$ABI" != xstandard ; then { $as_echo "$as_me:${as_lineno-$LINENO}: Compiler uses $ABI-bit ABI. To change, set CC." >&5 $as_echo "$as_me: Compiler uses $ABI-bit ABI. To change, set CC." >&6;} if test "$libdir" = '${exec_prefix}/lib' ; then # Try setting a better default case "$host_cpu:$host_os:$ABI" in *:solaris*:32|*:sunos*:32) libdir='${exec_prefix}/lib' ;; *:solaris*:64|*:sunos*:64) libdir='${exec_prefix}/lib/64' ;; # Linux conventions are a mess... According to the Linux File # Hierarchy Standard, all architectures except IA64 puts 32-bit # libraries in lib, and 64-bit in lib64. Some distributions, # e.g., Fedora and Gentoo, adhere to this standard, while at # least Debian has decided to put 64-bit libraries in lib and # 32-bit libraries in lib32. # We try to figure out the convention, except if we're cross # compiling. We use lib${ABI} if /usr/lib${ABI} exists and # appears to not be a symlink to a different name. *:linux*:32|*:linux*:64) if test "$cross_compiling" = yes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&5 $as_echo "$as_me: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&2;}; else # The dash builtin pwd tries to be "helpful" and remember # symlink names. Use -P option, and hope it's portable enough. test -d /usr/lib${ABI} \ && (cd /usr/lib${ABI} && pwd -P | grep >/dev/null "/lib${ABI}"'$') \ && libdir='${exec_prefix}/'"lib${ABI}" fi ;; # On freebsd, it seems 32-bit libraries are in lib32, # and 64-bit in lib. Don't know about "kfreebsd", does # it follow the Linux fhs conventions? *:freebsd*:32) libdir='${exec_prefix}/lib32' ;; *:freebsd*:64) libdir='${exec_prefix}/lib' ;; *:irix*:32) libdir='${exec_prefix}/lib32' ;; *:irix*:64) libdir='${exec_prefix}/lib64' ;; *) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Don't know where to install $ABI-bit libraries on this system." >&5 $as_echo "$as_me: WARNING: Don't know where to install $ABI-bit libraries on this system." >&2;}; esac { $as_echo "$as_me:${as_lineno-$LINENO}: Libraries to be installed in $libdir." >&5 $as_echo "$as_me: Libraries to be installed in $libdir." >&6;} fi fi OPT_NETTLE_SOURCES="" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in i?86* | k[5-8]* | pentium* | athlon) asm_path=x86 ;; x86_64 | amd64) if test "$ABI" = 64 ; then asm_path=x86_64 if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" elif test "x$enable_x86_aesni" = xyes ; then asm_path="x86_64/aesni $asm_path" fi else asm_path=x86 fi ;; *sparc*) if test "$ABI" = 64 ; then asm_path=sparc64 else asm_path=sparc32 fi ;; arm*) asm_path=arm if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" else case "$host_cpu" in armv6* | armv7*) if test "$enable_arm_neon" = auto ; then if test "$cross_compiling" = yes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if assembler accepts Neon instructions" >&5 $as_echo_n "checking if assembler accepts Neon instructions... " >&6; } if ${nettle_cv_asm_arm_neon+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_arm_neon=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_arm_neon=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_arm_neon" >&5 $as_echo "$nettle_cv_asm_arm_neon" >&6; } enable_arm_neon="$nettle_cv_asm_arm_neon" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking if /proc/cpuinfo claims neon support" >&5 $as_echo_n "checking if /proc/cpuinfo claims neon support... " >&6; } if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then enable_arm_neon=yes else enable_arm_neon=no fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_arm_neon" >&5 $as_echo "$enable_arm_neon" >&6; } fi fi asm_path="arm/v6 arm" if test "x$enable_arm_neon" = xyes ; then asm_path="arm/neon $asm_path" fi ;; esac fi ;; *) enable_assembler=no ;; esac fi # Files which replace a C source file (or otherwise don't correspond # to a new object file). asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ arcfour-crypt.asm camellia-crypt-internal.asm \ md5-compress.asm memxor.asm memxor3.asm \ poly1305-internal.asm \ chacha-core-internal.asm \ salsa20-crypt.asm salsa20-core-internal.asm \ serpent-encrypt.asm serpent-decrypt.asm \ sha1-compress.asm sha256-compress.asm sha512-compress.asm \ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. asm_nettle_optional_list="gcm-hash8.asm cpuid.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm memxor-2.asm \ salsa20-core-internal-2.asm sha1-compress-2.asm sha256-compress-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then asm_hogweed_optional_list="ecc-192-modp.asm ecc-224-modp.asm \ ecc-25519-modp.asm ecc-256-redc.asm ecc-384-modp.asm ecc-521-modp.asm" fi OPT_NETTLE_OBJS="" OPT_HOGWEED_OBJS="" asm_file_list="" if test "x$enable_assembler" = xyes ; then if test -n "$asm_path"; then { $as_echo "$as_me:${as_lineno-$LINENO}: Looking for assembler files in $asm_path." >&5 $as_echo "$as_me: Looking for assembler files in $asm_path." >&6;} for tmp_f in $asm_replace_list ; do for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_f"; then asm_file_list="$asm_file_list $tmp_f" ac_config_links="$ac_config_links $tmp_f:$asm_dir/$tmp_f" break fi done done for tmp_n in $asm_nettle_optional_list ; do tmp_b=`echo "$tmp_n" | sed 's/\.[^.]*$//'` for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_n"; then asm_file_list="$asm_file_list $tmp_n" ac_config_links="$ac_config_links $tmp_n:$asm_dir/$tmp_n" while read tmp_func ; do cat >>confdefs.h <<_ACEOF #define HAVE_NATIVE_$tmp_func 1 _ACEOF eval HAVE_NATIVE_$tmp_func=yes done <&5 $as_echo "$as_me: WARNING: skipping $tmp_h, because GMP_NUMB_BITS != $tmp_bits" >&2;} continue fi asm_file_list="$asm_file_list $tmp_h" ac_config_links="$ac_config_links $tmp_h:$asm_dir/$tmp_h" while read tmp_func ; do cat >>confdefs.h <<_ACEOF #define HAVE_NATIVE_$tmp_func 1 _ACEOF eval HAVE_NATIVE_$tmp_func=yes done <&5 $as_echo "$as_me: WARNING: No assembler files found." >&2;} fi fi case "$host_os" in darwin*) ASM_RODATA='.section __TEXT,__const' ;; *) ASM_RODATA='.section .rodata' ;; esac fi if test "x$enable_assembler" = xyes ; then IF_ASM='' else IF_ASM='#' fi if test "x$enable_pic" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking CCPIC" >&5 $as_echo_n "checking CCPIC... " >&6; } if ${lsh_cv_sys_ccpic+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$CCPIC" ; then if test "$GCC" = yes ; then case "$host_os" in bsdi4.*) CCPIC="-fPIC" ;; bsdi*) CCPIC="" ;; darwin*) CCPIC="-fPIC" ;; # Could also use -fpic, depending on the number of symbol references solaris*) CCPIC="-fPIC" ;; cygwin*) CCPIC="" ;; mingw32*) CCPIC="" ;; *) CCPIC="-fpic" ;; esac else case "$host_os" in darwin*) CCPIC="-fPIC" ;; irix*) CCPIC="-share" ;; hpux*) CCPIC="+z"; ;; *freebsd*) CCPIC="-fpic" ;; sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; solaris*) CCPIC="-KPIC -Bdynamic" ;; winnt*) CCPIC="-shared" ;; *) CCPIC="" ;; esac fi fi OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $CCPIC" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { exit(0); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : lsh_cv_sys_ccpic="$CCPIC" else lsh_cv_sys_ccpic='' fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS="$OLD_CFLAGS" fi CCPIC="$lsh_cv_sys_ccpic" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CCPIC" >&5 $as_echo "$CCPIC" >&6; } else CCPIC='' fi IF_DLL='#' LIBNETTLE_FILE_SRC='$(LIBNETTLE_FORLINK)' LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FORLINK)' EMULATOR='' W64_ABI=no case "$host_os" in mingw32*|cygwin*) # The actual DLLs, e.g. libnettle-$major-$minor.dll, are normally # installed into the bin dir (or more exactly $libdir/../bin, for # automake), while libnettle.dll.a, which is a stub file for # linking to the DLL, is installed into the lib dir. case "$host_os" in mingw32*) LIBNETTLE_FORLINK='libnettle-$(LIBNETTLE_MAJOR).dll' LIBHOGWEED_FORLINK='libhogweed-$(LIBHOGWEED_MAJOR).dll' ;; cygwin*) LIBNETTLE_FORLINK='cygnettle-$(LIBNETTLE_MAJOR).dll' LIBHOGWEED_FORLINK='cyghogweed-$(LIBHOGWEED_MAJOR).dll' ;; esac if test "x$cross_compiling" = xyes ; then case "$ABI" in 64) EMULATOR=wine64 ;; *) EMULATOR=wine ;; esac fi if test "x$ABI" = x64 ; then W64_ABI=yes fi LIBNETTLE_SONAME='' LIBNETTLE_FILE='libnettle.dll.a' LIBNETTLE_FILE_SRC='$(LIBNETTLE_FILE)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBNETTLE_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' LIBNETTLE_LIBS='-Wl,--no-whole-archive $(LIBS)' LIBHOGWEED_SONAME='' LIBHOGWEED_FILE='libhogweed.dll.a' LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FILE)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBHOGWEED_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' LIBHOGWEED_LIBS='-Wl,--no-whole-archive $(LIBS) libnettle.dll.a' IF_DLL='' ;; darwin*) LIBNETTLE_FORLINK=libnettle.dylib LIBNETTLE_SONAME='libnettle.$(LIBNETTLE_MAJOR).dylib' LIBNETTLE_FILE='libnettle.$(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR).dylib' LIBNETTLE_LINK='$(CC) $(CFLAGS) -dynamiclib $(LDFLAGS) -install_name ${libdir}/$(LIBNETTLE_SONAME) -compatibility_version $(LIBNETTLE_MAJOR) -current_version $(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.dylib LIBHOGWEED_SONAME='libhogweed.$(LIBHOGWEED_MAJOR).dylib' LIBHOGWEED_FILE='libhogweed.$(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR).dylib' LIBHOGWEED_LINK='$(CC) $(CFLAGS) -dynamiclib -L. $(LDFLAGS) -install_name ${libdir}/$(LIBHOGWEED_SONAME) -compatibility_version $(LIBHOGWEED_MAJOR) -current_version $(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LIBS='-lnettle $(LIBS)' ;; solaris*) # Sun's ld uses -h to set the soname, and this option is passed # through by both Sun's compiler and gcc. Might not work with GNU # ld, but it's unusual to use GNU ld on Solaris. LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBHOGWEED_SONAME)' LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; *) LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBHOGWEED_SONAME)' # Requested by debian, to make linking with only -lhogweed work # (does not work in general, e.g., with static linking all of # -lhogweed -lgmp -lnettle are still required). Also makes dlopen # of libhogweed.so work, without having to use RTLD_GLOBAL. LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; esac ASM_SYMBOL_PREFIX='' ASM_ELF_STYLE='no' ASM_COFF_STYLE='no' # GNU as default is to use @ ASM_TYPE_FUNCTION='@function' ASM_TYPE_PROGBITS='@progbits' ASM_MARK_NOEXEC_STACK='' ASM_ALIGN_LOG='' if test x$enable_assembler = xyes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if globals are prefixed by underscore" >&5 $as_echo_n "checking if globals are prefixed by underscore... " >&6; } if ${nettle_cv_asm_underscore+:} false; then : $as_echo_n "(cached) " >&6 else # Default is no underscore nettle_cv_asm_underscore=no cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int a_global_symbol; _ACEOF if ac_fn_c_try_compile "$LINENO"; then : $NM conftest.$OBJEXT >conftest.out if grep _a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=yes elif grep a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=no else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: nm does not list a_global_symbol at all" >&5 $as_echo "$as_me: WARNING: nm does not list a_global_symbol at all" >&2;} fi else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: test program with a single global could not be compiled!?" >&5 $as_echo "$as_me: WARNING: test program with a single global could not be compiled!?" >&2;} fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_underscore" >&5 $as_echo "$nettle_cv_asm_underscore" >&6; } if test x$nettle_cv_asm_underscore = xyes ; then ASM_SYMBOL_PREFIX='_' fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,%function pseudo-ops" >&5 $as_echo_n "checking for ELF-style .type,%function pseudo-ops... " >&6; } if ${nettle_cv_asm_type_percent_function+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_type_percent_function=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_type_percent_function=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_percent_function" >&5 $as_echo "$nettle_cv_asm_type_percent_function" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,#function pseudo-ops" >&5 $as_echo_n "checking for ELF-style .type,#function pseudo-ops... " >&6; } if ${nettle_cv_asm_type_hash_function+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_type_hash_function=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_type_hash_function=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_hash_function" >&5 $as_echo "$nettle_cv_asm_type_hash_function" >&6; } if test x$nettle_cv_asm_type_percent_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='%function' ASM_TYPE_PROGBITS='%progbits' else if test x$nettle_cv_asm_type_hash_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='#function' ASM_TYPE_PROGBITS='#progbits' fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for COFF-style .type directive" >&5 $as_echo_n "checking for COFF-style .type directive... " >&6; } if ${nettle_cv_asm_coff_type+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_coff_type=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_coff_type=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_coff_type" >&5 $as_echo "$nettle_cv_asm_coff_type" >&6; } if test "x$nettle_cv_asm_coff_type" = "xyes" ; then ASM_COFF_STYLE=yes fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we should use a .note.GNU-stack section" >&5 $as_echo_n "checking if we should use a .note.GNU-stack section... " >&6; } if ${nettle_cv_asm_gnu_stack+:} false; then : $as_echo_n "(cached) " >&6 else # Default nettle_cv_asm_gnu_stack=no cat >conftest.c <&5 (eval $nettle_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ && nettle_cv_asm_gnu_stack=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 fi rm -f conftest.* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_gnu_stack" >&5 $as_echo "$nettle_cv_asm_gnu_stack" >&6; } if test x$nettle_cv_asm_gnu_stack = xyes ; then ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking if .align assembly directive is logarithmic" >&5 $as_echo_n "checking if .align assembly directive is logarithmic... " >&6; } if ${nettle_cv_asm_align_log+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_align_log=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_align_log=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_align_log" >&5 $as_echo "$nettle_cv_asm_align_log" >&6; } ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi # Extract the first word of "m4", so it can be a program name with args. set dummy m4; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_M4+:} false; then : $as_echo_n "(cached) " >&6 else case $M4 in [\\/]* | ?:[\\/]*) ac_cv_path_M4="$M4" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_M4="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_M4" && ac_cv_path_M4="m4" ;; esac fi M4=$ac_cv_path_M4 if test -n "$M4"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $M4" >&5 $as_echo "$M4" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$enable_public_key" = xyes ; then $as_echo "#define WITH_HOGWEED 1" >>confdefs.h IF_HOGWEED='' else IF_HOGWEED='#' fi if test "x$enable_static" = xyes ; then IF_STATIC='' else IF_STATIC='#' fi IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' IF_NOT_SHARED='#' if test "x$ac_cv_lib_dl_dlopen" = xyes ; then IF_DLOPEN_TEST='' fi else IF_SHARED='#' IF_NOT_SHARED='' fi # Documentation tools if test "x$enable_documentation" != "xno"; then # Extract the first word of "makeinfo", so it can be a program name with args. set dummy makeinfo; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_MAKEINFO+:} false; then : $as_echo_n "(cached) " >&6 else case $MAKEINFO in [\\/]* | ?:[\\/]*) ac_cv_path_MAKEINFO="$MAKEINFO" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_MAKEINFO="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_MAKEINFO" && ac_cv_path_MAKEINFO="not-found" ;; esac fi MAKEINFO=$ac_cv_path_MAKEINFO if test -n "$MAKEINFO"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAKEINFO" >&5 $as_echo "$MAKEINFO" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$MAKEINFO" != "xnot-found"; then enable_documentation=yes else if test "x$enable_documentation" == "xauto" ; then enable_documentation=no else as_fn_error $? "Cannot find 'makeinfo', required for documentation." "$LINENO" 5 fi fi fi if test "x$enable_documentation" = "xyes" ; then IF_DOCUMENTATION='' else IF_DOCUMENTATION='#' fi if test "x$enable_mini_gmp" = "xyes" ; then IF_MINI_GMP='' else IF_MINI_GMP='#' fi OPENSSL_LIBFLAGS='' # Check for openssl's libcrypto (used only for benchmarking) if test x$enable_openssl = xyes ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto" >&5 $as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto... " >&6; } if ${ac_cv_lib_crypto_EVP_CIPHER_CTX_new+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lcrypto $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char EVP_CIPHER_CTX_new (); int main () { return EVP_CIPHER_CTX_new (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_crypto_EVP_CIPHER_CTX_new=yes else ac_cv_lib_crypto_EVP_CIPHER_CTX_new=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_EVP_CIPHER_CTX_new" >&5 $as_echo "$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" >&6; } if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" = xyes; then : OPENSSL_LIBFLAGS='-lcrypto' else enable_openssl=no fi fi if test x$enable_openssl = xyes ; then $as_echo "#define WITH_OPENSSL 1" >>confdefs.h fi # clock_gettime is in librt on *-*-osf5.1 and on glibc, so add -lrt to # BENCH_LIBS if needed. On linux (tested on x86_32, 2.6.26), # clock_getres reports ns accuracy, while in a quick test on osf # clock_getres said only 1 millisecond. old_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5 $as_echo_n "checking for library containing clock_gettime... " >&6; } if ${ac_cv_search_clock_gettime+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char clock_gettime (); int main () { return clock_gettime (); ; return 0; } _ACEOF for ac_lib in '' rt; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_clock_gettime=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_clock_gettime+:} false; then : break fi done if ${ac_cv_search_clock_gettime+:} false; then : else ac_cv_search_clock_gettime=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5 $as_echo "$ac_cv_search_clock_gettime" >&6; } ac_res=$ac_cv_search_clock_gettime if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" $as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h fi BENCH_LIBS="$LIBS" LIBS="$old_LIBS" # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then # Using -ggdb3 makes (some versions of) Redhat's gcc-2.96 dump core if $CC --version | grep '^2\.96$' 1>/dev/null 2>&1; then true else CFLAGS="$CFLAGS -ggdb3" fi # FIXME: It would be better to actually test if this option works and/or is needed. # Or perhaps use -funsigned-char. if $CC --version | grep 'gcc.* 4\.' 1>/dev/null 2>&1; then CFLAGS="$CFLAGS -Wno-pointer-sign" fi CFLAGS="$CFLAGS -Wall -W \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" # Don't enable -Wcast-align as it results in tons of warnings in the # DES code. And when using stdio. # Don't enable -Waggregate-return, as that causes warnings for glibc # inttypes.h. fi ac_config_files="$ac_config_files config.make config.m4 Makefile version.h" ac_config_files="$ac_config_files tools/Makefile testsuite/Makefile examples/Makefile" ac_config_files="$ac_config_files nettle.pc hogweed.pc libnettle.map libhogweed.map" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # `ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* `ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} if test ! -f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by nettle $as_me 3.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" config_links="$ac_config_links" config_commands="$ac_config_commands" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Configuration links: $config_links Configuration commands: $config_commands Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ nettle config.status 3.4.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Copyright (C) 2012 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' MKDIR_P='$MKDIR_P' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: \`$1' Try \`$0 --help' for more information.";; --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX $as_echo "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # # INIT-COMMANDS # # variables for create stdint.h replacement PACKAGE="$PACKAGE" VERSION="$VERSION" ac_stdint_h="$ac_stdint_h" _ac_stdint_h=`$as_echo "_$PACKAGE-$ac_stdint_h" | $as_tr_cpp` ac_cv_stdint_message="$ac_cv_stdint_message" ac_cv_header_stdint_t="$ac_cv_header_stdint_t" ac_cv_header_stdint_x="$ac_cv_header_stdint_x" ac_cv_header_stdint_o="$ac_cv_header_stdint_o" ac_cv_header_stdint_u="$ac_cv_header_stdint_u" ac_cv_type_uint64_t="$ac_cv_type_uint64_t" ac_cv_type_u_int64_t="$ac_cv_type_u_int64_t" ac_cv_stdint_char_model="$ac_cv_stdint_char_model" ac_cv_stdint_long_model="$ac_cv_stdint_long_model" ac_cv_type_int_least32_t="$ac_cv_type_int_least32_t" ac_cv_type_int_fast32_t="$ac_cv_type_int_fast32_t" ac_cv_type_intmax_t="$ac_cv_type_intmax_t" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; "dummy-dep-files") CONFIG_COMMANDS="$CONFIG_COMMANDS dummy-dep-files" ;; "$ac_stdint_h") CONFIG_COMMANDS="$CONFIG_COMMANDS $ac_stdint_h" ;; "$tmp_f") CONFIG_LINKS="$CONFIG_LINKS $tmp_f:$asm_dir/$tmp_f" ;; "$tmp_n") CONFIG_LINKS="$CONFIG_LINKS $tmp_n:$asm_dir/$tmp_n" ;; "$tmp_h") CONFIG_LINKS="$CONFIG_LINKS $tmp_h:$asm_dir/$tmp_h" ;; "config.make") CONFIG_FILES="$CONFIG_FILES config.make" ;; "config.m4") CONFIG_FILES="$CONFIG_FILES config.m4" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "version.h") CONFIG_FILES="$CONFIG_FILES version.h" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; "testsuite/Makefile") CONFIG_FILES="$CONFIG_FILES testsuite/Makefile" ;; "examples/Makefile") CONFIG_FILES="$CONFIG_FILES examples/Makefile" ;; "nettle.pc") CONFIG_FILES="$CONFIG_FILES nettle.pc" ;; "hogweed.pc") CONFIG_FILES="$CONFIG_FILES hogweed.pc" ;; "libnettle.map") CONFIG_FILES="$CONFIG_FILES libnettle.map" ;; "libhogweed.map") CONFIG_FILES="$CONFIG_FILES libhogweed.map" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers test "${CONFIG_LINKS+set}" = set || CONFIG_LINKS=$config_links test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with `./config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script `defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :L $CONFIG_LINKS :C $CONFIG_COMMANDS" shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`$as_echo "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac ac_MKDIR_P=$MKDIR_P case $MKDIR_P in [\\/$]* | ?:[\\/]* ) ;; */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi ;; :L) # # CONFIG_LINK # if test "$ac_source" = "$ac_file" && test "$srcdir" = '.'; then : else # Prefer the file from the source tree if names are identical. if test "$ac_source" = "$ac_file" || test ! -r "$ac_source"; then ac_source=$srcdir/$ac_source fi { $as_echo "$as_me:${as_lineno-$LINENO}: linking $ac_source to $ac_file" >&5 $as_echo "$as_me: linking $ac_source to $ac_file" >&6;} if test ! -r "$ac_source"; then as_fn_error $? "$ac_source: file not found" "$LINENO" 5 fi rm -f "$ac_file" # Try a relative symlink, then a hard link, then a copy. case $ac_source in [\\/$]* | ?:[\\/]* ) ac_rel_source=$ac_source ;; *) ac_rel_source=$ac_top_build_prefix$ac_source ;; esac ln -s "$ac_rel_source" "$ac_file" 2>/dev/null || ln "$ac_source" "$ac_file" 2>/dev/null || cp -p "$ac_source" "$ac_file" || as_fn_error $? "cannot link or copy $ac_source to $ac_file" "$LINENO" 5 fi ;; :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 $as_echo "$as_me: executing $ac_file commands" >&6;} ;; esac case $ac_file$ac_mode in "dummy-dep-files":C) (cd "$srcdir" && find . '(' -name '*.c' -o -name '*.cxx' ')' -print) \ | sed 's/\.cx*$//' | (while read f; do \ test -f "$f.o.d" || echo > "$f.o.d"; \ done) ;; "$ac_stdint_h":C) { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_stdint_h : $_ac_stdint_h" >&5 $as_echo "$as_me: creating $ac_stdint_h : $_ac_stdint_h" >&6;} ac_stdint=$tmp/_stdint.h echo "#ifndef" $_ac_stdint_h >$ac_stdint echo "#define" $_ac_stdint_h "1" >>$ac_stdint echo "#ifndef" _GENERATED_STDINT_H >>$ac_stdint echo "#define" _GENERATED_STDINT_H '"'$PACKAGE $VERSION'"' >>$ac_stdint echo "/* generated $ac_cv_stdint_message */" >>$ac_stdint if test "_$ac_cv_header_stdint_t" != "_" ; then echo "#define _STDINT_HAVE_STDINT_H" "1" >>$ac_stdint fi cat >>$ac_stdint < #else #include /* .................... configured part ............................ */ STDINT_EOF echo "/* whether we have a C99 compatible stdint header file */" >>$ac_stdint if test "_$ac_cv_header_stdint_x" != "_" ; then ac_header="$ac_cv_header_stdint_x" echo "#define _STDINT_HEADER_INTPTR" '"'"$ac_header"'"' >>$ac_stdint else echo "/* #undef _STDINT_HEADER_INTPTR */" >>$ac_stdint fi echo "/* whether we have a C96 compatible inttypes header file */" >>$ac_stdint if test "_$ac_cv_header_stdint_o" != "_" ; then ac_header="$ac_cv_header_stdint_o" echo "#define _STDINT_HEADER_UINT32" '"'"$ac_header"'"' >>$ac_stdint else echo "/* #undef _STDINT_HEADER_UINT32 */" >>$ac_stdint fi echo "/* whether we have a BSD compatible inet types header */" >>$ac_stdint if test "_$ac_cv_header_stdint_u" != "_" ; then ac_header="$ac_cv_header_stdint_u" echo "#define _STDINT_HEADER_U_INT32" '"'"$ac_header"'"' >>$ac_stdint else echo "/* #undef _STDINT_HEADER_U_INT32 */" >>$ac_stdint fi echo "" >>$ac_stdint if test "_$ac_header" != "_" ; then if test "$ac_header" != "stddef.h" ; then echo "#include <$ac_header>" >>$ac_stdint echo "" >>$ac_stdint fi fi echo "/* which 64bit typedef has been found */" >>$ac_stdint if test "$ac_cv_type_uint64_t" = "yes" ; then echo "#define _STDINT_HAVE_UINT64_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_UINT64_T */" >>$ac_stdint fi if test "$ac_cv_type_u_int64_t" = "yes" ; then echo "#define _STDINT_HAVE_U_INT64_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_U_INT64_T */" >>$ac_stdint fi echo "" >>$ac_stdint echo "/* which type model has been detected */" >>$ac_stdint if test "_$ac_cv_stdint_char_model" != "_" ; then echo "#define _STDINT_CHAR_MODEL" "$ac_cv_stdint_char_model" >>$ac_stdint echo "#define _STDINT_LONG_MODEL" "$ac_cv_stdint_long_model" >>$ac_stdint else echo "/* #undef _STDINT_CHAR_MODEL // skipped */" >>$ac_stdint echo "/* #undef _STDINT_LONG_MODEL // skipped */" >>$ac_stdint fi echo "" >>$ac_stdint echo "/* whether int_least types were detected */" >>$ac_stdint if test "$ac_cv_type_int_least32_t" = "yes"; then echo "#define _STDINT_HAVE_INT_LEAST32_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_INT_LEAST32_T */" >>$ac_stdint fi echo "/* whether int_fast types were detected */" >>$ac_stdint if test "$ac_cv_type_int_fast32_t" = "yes"; then echo "#define _STDINT_HAVE_INT_FAST32_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_INT_FAST32_T */" >>$ac_stdint fi echo "/* whether intmax_t type was detected */" >>$ac_stdint if test "$ac_cv_type_intmax_t" = "yes"; then echo "#define _STDINT_HAVE_INTMAX_T" "1" >>$ac_stdint else echo "/* #undef _STDINT_HAVE_INTMAX_T */" >>$ac_stdint fi echo "" >>$ac_stdint cat >>$ac_stdint <= 199901L #define _HAVE_UINT64_T typedef long long int64_t; typedef unsigned long long uint64_t; #elif !defined __STRICT_ANSI__ #if defined _MSC_VER || defined __WATCOMC__ || defined __BORLANDC__ #define _HAVE_UINT64_T typedef __int64 int64_t; typedef unsigned __int64 uint64_t; #elif defined __GNUC__ || defined __MWERKS__ || defined __ELF__ /* note: all ELF-systems seem to have loff-support which needs 64-bit */ #if !defined _NO_LONGLONG #define _HAVE_UINT64_T typedef long long int64_t; typedef unsigned long long uint64_t; #endif #elif defined __alpha || (defined __mips && defined _ABIN32) #if !defined _NO_LONGLONG typedef long int64_t; typedef unsigned long uint64_t; #endif /* compiler/cpu type to define int64_t */ #endif #endif #endif #if defined _STDINT_HAVE_U_INT_TYPES /* int8_t int16_t int32_t defined by inet code, redeclare the u_intXX types */ typedef u_int8_t uint8_t; typedef u_int16_t uint16_t; typedef u_int32_t uint32_t; /* glibc compatibility */ #ifndef __int8_t_defined #define __int8_t_defined #endif #endif #ifdef _STDINT_NEED_INT_MODEL_T /* we must guess all the basic types. Apart from byte-adressable system, */ /* there a few 32-bit-only dsp-systems that we guard with BYTE_MODEL 8-} */ /* (btw, those nibble-addressable systems are way off, or so we assume) */ #if defined _STDINT_BYTE_MODEL #if _STDINT_LONG_MODEL+0 == 242 /* 2:4:2 = IP16 = a normal 16-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned long uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef long int32_t; #endif #elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL == 444 /* 2:4:4 = LP32 = a 32-bit system derived from a 16-bit */ /* 4:4:4 = ILP32 = a normal 32-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef int int32_t; #endif #elif _STDINT_LONG_MODEL+0 == 484 || _STDINT_LONG_MODEL+0 == 488 /* 4:8:4 = IP32 = a 32-bit system prepared for 64-bit */ /* 4:8:8 = LP64 = a normal 64-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef int int32_t; #endif /* this system has a "long" of 64bit */ #ifndef _HAVE_UINT64_T #define _HAVE_UINT64_T typedef unsigned long uint64_t; typedef long int64_t; #endif #elif _STDINT_LONG_MODEL+0 == 448 /* LLP64 a 64-bit system derived from a 32-bit system */ typedef unsigned char uint8_t; typedef unsigned short uint16_t; typedef unsigned int uint32_t; #ifndef __int8_t_defined #define __int8_t_defined typedef char int8_t; typedef short int16_t; typedef int int32_t; #endif /* assuming the system has a "long long" */ #ifndef _HAVE_UINT64_T #define _HAVE_UINT64_T typedef unsigned long long uint64_t; typedef long long int64_t; #endif #else #define _STDINT_NO_INT32_T #endif #else #define _STDINT_NO_INT8_T #define _STDINT_NO_INT32_T #endif #endif /* * quote from SunOS-5.8 sys/inttypes.h: * Use at your own risk. As of February 1996, the committee is squarely * behind the fixed sized types; the "least" and "fast" types are still being * discussed. The probability that the "fast" types may be removed before * the standard is finalized is high enough that they are not currently * implemented. */ #if defined _STDINT_NEED_INT_LEAST_T typedef int8_t int_least8_t; typedef int16_t int_least16_t; typedef int32_t int_least32_t; #ifdef _HAVE_UINT64_T typedef int64_t int_least64_t; #endif typedef uint8_t uint_least8_t; typedef uint16_t uint_least16_t; typedef uint32_t uint_least32_t; #ifdef _HAVE_UINT64_T typedef uint64_t uint_least64_t; #endif /* least types */ #endif #if defined _STDINT_NEED_INT_FAST_T typedef int8_t int_fast8_t; typedef int int_fast16_t; typedef int32_t int_fast32_t; #ifdef _HAVE_UINT64_T typedef int64_t int_fast64_t; #endif typedef uint8_t uint_fast8_t; typedef unsigned uint_fast16_t; typedef uint32_t uint_fast32_t; #ifdef _HAVE_UINT64_T typedef uint64_t uint_fast64_t; #endif /* fast types */ #endif #ifdef _STDINT_NEED_INTMAX_T #ifdef _HAVE_UINT64_T typedef int64_t intmax_t; typedef uint64_t uintmax_t; #else typedef long intmax_t; typedef unsigned long uintmax_t; #endif #endif #ifdef _STDINT_NEED_INTPTR_T #ifndef __intptr_t_defined #define __intptr_t_defined /* we encourage using "long" to store pointer values, never use "int" ! */ #if _STDINT_LONG_MODEL+0 == 242 || _STDINT_LONG_MODEL+0 == 484 typedef unsigned int uintptr_t; typedef int intptr_t; #elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL+0 == 444 typedef unsigned long uintptr_t; typedef long intptr_t; #elif _STDINT_LONG_MODEL+0 == 448 && defined _HAVE_UINT64_T typedef uint64_t uintptr_t; typedef int64_t intptr_t; #else /* matches typical system types ILP32 and LP64 - but not IP16 or LLP64 */ typedef unsigned long uintptr_t; typedef long intptr_t; #endif #endif #endif /* shortcircuit*/ #endif /* once */ #endif #endif STDINT_EOF if cmp -s $ac_stdint_h $ac_stdint 2>/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_stdint_h is unchanged" >&5 $as_echo "$as_me: $ac_stdint_h is unchanged" >&6;} else ac_dir=`$as_dirname -- "$ac_stdint_h" || $as_expr X"$ac_stdint_h" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_stdint_h" : 'X\(//\)[^/]' \| \ X"$ac_stdint_h" : 'X\(//\)$' \| \ X"$ac_stdint_h" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_stdint_h" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p rm -f $ac_stdint_h mv $ac_stdint $ac_stdint_h fi ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi { $as_echo "$as_me:${as_lineno-$LINENO}: summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&5 $as_echo "$as_me: summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&6;} nettle-3.4.1/config.m4.in0000644000175000017500000000065313401564746014170 0ustar nissenissedefine(, <<@srcdir@>>)dnl define(, <@ASM_SYMBOL_PREFIX@><$1>)dnl define(, <@ASM_ELF_STYLE@>)dnl define(, <@ASM_COFF_STYLE@>)dnl define(, <@ASM_TYPE_FUNCTION@>)dnl define(, <@ASM_TYPE_PROGBITS@>)dnl define(, <@ASM_ALIGN_LOG@>)dnl define(, <@W64_ABI@>)dnl define(, <@ASM_RODATA@>)dnl divert(1) @ASM_MARK_NOEXEC_STACK@ divert nettle-3.4.1/pkcs1.c0000644000175000017500000000340613401564745013237 0ustar nissenisse/* pkcs1.c PKCS1 embedding. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "pkcs1.h" /* Formats the PKCS#1 padding, of the form * * 0x00 0x01 0xff ... 0xff 0x00 id ...digest... * * where the 0xff ... 0xff part consists of at least 8 octets. The * total size equals the octet size of n. */ uint8_t * _pkcs1_signature_prefix(unsigned key_size, uint8_t *buffer, unsigned id_size, const uint8_t *id, unsigned digest_size) { unsigned j; if (key_size < 11 + id_size + digest_size) return NULL; j = key_size - digest_size - id_size; memcpy (buffer + j, id, id_size); buffer[0] = 0; buffer[1] = 1; buffer[j-1] = 0; assert(j >= 11); memset(buffer + 2, 0xff, j - 3); return buffer + j + id_size; } nettle-3.4.1/memxor-internal.h0000644000175000017500000000422713401564746015347 0ustar nissenisse/* memxor-internal.h Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MEMXOR_INTERNAL_H_INCLUDED #define NETTLE_MEMXOR_INTERNAL_H_INCLUDED #include "nettle-types.h" /* The word_t type is intended to be the native word size. */ #if defined(__x86_64__) || defined(__arch64__) /* Including on M$ windows, where unsigned long is only 32 bits */ typedef uint64_t word_t; #else typedef unsigned long int word_t; #endif #define ALIGN_OFFSET(p) ((uintptr_t) (p) % sizeof(word_t)) #ifndef WORDS_BIGENDIAN #define MERGE(w0, sh_1, w1, sh_2) \ (((w0) >> (sh_1)) | ((w1) << (sh_2))) #else #define MERGE(w0, sh_1, w1, sh_2) \ (((w0) << (sh_1)) | ((w1) >> (sh_2))) #endif #ifndef WORDS_BIGENDIAN #define READ_PARTIAL(r,p,n) do { \ word_t _rp_x; \ unsigned _rp_i; \ for (_rp_i = (n), _rp_x = (p)[--_rp_i]; _rp_i > 0;) \ _rp_x = (_rp_x << CHAR_BIT) | (p)[--_rp_i]; \ (r) = _rp_x; \ } while (0) #else #define READ_PARTIAL(r,p,n) do { \ word_t _rp_x; \ unsigned _rp_i; \ for (_rp_x = (p)[0], _rp_i = 1; _rp_i < (n); _rp_i++) \ _rp_x = (_rp_x << CHAR_BIT) | (p)[_rp_i]; \ (r) = _rp_x; \ } while (0) #endif #endif /* NETTLE_MEMXOR_INTERNAL_H_INCLUDED */ nettle-3.4.1/eddsa-pubkey.c0000644000175000017500000000275613401564746014603 0ustar nissenisse/* eddsa-pubkey.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" mp_size_t _eddsa_public_key_itch (const struct ecc_curve *ecc) { return 3*ecc->p.size + ecc->mul_g_itch; } void _eddsa_public_key (const struct ecc_curve *ecc, const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch) { #define P scratch #define scratch_out (scratch + 3*ecc->p.size) ecc->mul_g (ecc, P, k, scratch_out); _eddsa_compress (ecc, pub, P, scratch_out); #undef P #undef scratch_out } nettle-3.4.1/rsa-sha512-sign.c0000644000175000017500000000336213401564746014744 0ustar nissenisse/* rsa-sha512-sign.c Signatures using RSA and SHA512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_sign(const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha512_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha512_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha512_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.4.1/umac32.c0000644000175000017500000000701113401564745013304 0ustar nissenisse/* umac32.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "macros.h" void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key) { _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 1); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_low = 0; ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac32_set_nonce (struct umac32_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_low = ctx->nonce[nonce_length - 1] & 3; ctx->nonce[nonce_length - 1] &= ~3; ctx->nonce_length = nonce_length; } #define UMAC32_BLOCK(ctx, block) do { \ uint64_t __umac32_y \ = _umac_nh (ctx->l1_key, UMAC_BLOCK_SIZE, block) \ + 8*UMAC_BLOCK_SIZE ; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &__umac32_y); \ } while (0) void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC32_BLOCK, (void)0); } void umac32_digest (struct umac32_ctx *ctx, size_t length, uint8_t *digest) { uint32_t pad; assert (length > 0); assert (length <= 4); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); y = _umac_nh (ctx->l1_key, ctx->index + pad, ctx->block) + 8 * ctx->index; _umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &y); } assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache[ctx->nonce_low & 3]; /* Increment nonce */ ctx->nonce_low++; if ( !(ctx->nonce_low & 3)) { unsigned i = ctx->nonce_length - 1; ctx->nonce_low = 0; ctx->nonce[i] += 4; if (ctx->nonce[i] == 0 && i > 0) INCREMENT (i, ctx->nonce); } _umac_l2_final (ctx->l2_key, ctx->l2_state, 1, ctx->count); pad ^= ctx->l3_key2[0] ^ _umac_l3 (ctx->l3_key1, ctx->l2_state); memcpy (digest, &pad, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.4.1/getopt.h0000644000175000017500000001476413401564746013537 0ustar nissenisse/* Declarations for getopt. Copyright (C) 1989-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _GETOPT_H #ifndef __need_getopt # define _GETOPT_H 1 #endif /* If __GNU_LIBRARY__ is not already defined, either we are being used standalone, or this is the first header included in the source file. If we are being used with glibc, we need to include , but that does not exist if we are standalone. So: if __GNU_LIBRARY__ is not defined, include , which will pull in for us if it's from glibc. (Why ctype.h? It's guaranteed to exist and it doesn't flood the namespace with stuff the way some other headers do.) */ #if !defined __GNU_LIBRARY__ # include #endif #ifndef __THROW # ifndef __GNUC_PREREQ # define __GNUC_PREREQ(maj, min) (0) # endif # if defined __cplusplus && __GNUC_PREREQ (2,8) # define __THROW throw () # else # define __THROW # endif #endif #ifdef __cplusplus extern "C" { #endif /* For communication from `getopt' to the caller. When `getopt' finds an option that takes an argument, the argument value is returned here. Also, when `ordering' is RETURN_IN_ORDER, each non-option ARGV-element is returned here. */ extern char *optarg; /* Index in ARGV of the next element to be scanned. This is used for communication to and from the caller and for communication between successive calls to `getopt'. On entry to `getopt', zero means this is the first call; initialize. When `getopt' returns -1, this is the index of the first of the non-option elements that the caller should itself scan. Otherwise, `optind' communicates from one call to the next how much of ARGV has been scanned so far. */ extern int optind; /* Callers store zero here to inhibit the error message `getopt' prints for unrecognized options. */ extern int opterr; /* Set to an option character which was unrecognized. */ extern int optopt; #ifndef __need_getopt /* Describe the long-named options requested by the application. The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector of `struct option' terminated by an element containing a name which is zero. The field `has_arg' is: no_argument (or 0) if the option does not take an argument, required_argument (or 1) if the option requires an argument, optional_argument (or 2) if the option takes an optional argument. If the field `flag' is not NULL, it points to a variable that is set to the value given in the field `val' when the option is found, but left unchanged if the option is not found. To have a long-named option do something other than set an `int' to a compiled-in constant, such as set a value from `optarg', set the option's `flag' field to zero and its `val' field to a nonzero value (the equivalent single-letter option character, if there is one). For long options that have a zero `flag' field, `getopt' returns the contents of the `val' field. */ struct option { const char *name; /* has_arg can't be an enum because some compilers complain about type mismatches in all the code that assumes it is an int. */ int has_arg; int *flag; int val; }; /* Names for the values of the `has_arg' field of `struct option'. */ # define no_argument 0 # define required_argument 1 # define optional_argument 2 #endif /* need getopt */ /* Get definitions and prototypes for functions to process the arguments in ARGV (ARGC of them, minus the program name) for options given in OPTS. Return the option character from OPTS just read. Return -1 when there are no more options. For unrecognized options, or options missing arguments, `optopt' is set to the option letter, and '?' is returned. The OPTS string is a list of characters which are recognized option letters, optionally followed by colons, specifying that that letter takes an argument, to be placed in `optarg'. If a letter in OPTS is followed by two colons, its argument is optional. This behavior is specific to the GNU `getopt'. The argument `--' causes premature termination of argument scanning, explicitly telling `getopt' that there are no more options. If OPTS begins with `--', then non-option arguments are treated as arguments to the option '\0'. This behavior is specific to the GNU `getopt'. */ #ifdef __GNU_LIBRARY__ /* Many other libraries have conflicting prototypes for getopt, with differences in the consts, in stdlib.h. To avoid compilation errors, only prototype getopt for the GNU C library. */ extern int getopt (int ___argc, char *const *___argv, const char *__shortopts) __THROW; # if defined __need_getopt && defined __USE_POSIX2 \ && !defined __USE_POSIX_IMPLICITLY && !defined __USE_GNU /* The GNU getopt has more functionality than the standard version. The additional functionality can be disable at runtime. This redirection helps to also do this at runtime. */ # ifdef __REDIRECT extern int __REDIRECT_NTH (getopt, (int ___argc, char *const *___argv, const char *__shortopts), __posix_getopt); # else extern int __posix_getopt (int ___argc, char *const *___argv, const char *__shortopts) __THROW; # define getopt __posix_getopt # endif # endif #else /* not __GNU_LIBRARY__ */ extern int getopt (); #endif /* __GNU_LIBRARY__ */ #ifndef __need_getopt extern int getopt_long (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind) __THROW; extern int getopt_long_only (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind) __THROW; #endif #ifdef __cplusplus } #endif /* Make sure we later can get all the definitions and declarations. */ #undef __need_getopt #endif /* getopt.h */ nettle-3.4.1/chacha-set-key.c0000644000175000017500000000331713401564745015005 0ustar nissenisse/* chacha-set-key.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha.h" #include "macros.h" void chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key) { static const uint32_t sigma[4] = { /* "expand 32-byte k" */ 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }; ctx->state[4] = LE_READ_UINT32(key + 0); ctx->state[5] = LE_READ_UINT32(key + 4); ctx->state[6] = LE_READ_UINT32(key + 8); ctx->state[7] = LE_READ_UINT32(key + 12); ctx->state[8] = LE_READ_UINT32(key + 16); ctx->state[9] = LE_READ_UINT32(key + 20); ctx->state[10] = LE_READ_UINT32(key + 24); ctx->state[11] = LE_READ_UINT32(key + 28); memcpy (ctx->state, sigma, sizeof(sigma)); } nettle-3.4.1/gcm-aes192-meta.c0000644000175000017500000000342613401564745014714 0ustar nissenisse/* gcm-aes192-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes192_set_nonce_wrapper; static void gcm_aes192_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes192_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes192 = { "gcm_aes192", sizeof(struct gcm_aes192_ctx), GCM_BLOCK_SIZE, AES192_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes192_set_key, (nettle_set_key_func *) gcm_aes192_set_key, gcm_aes192_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes192_update, (nettle_crypt_func *) gcm_aes192_encrypt, (nettle_crypt_func *) gcm_aes192_decrypt, (nettle_hash_digest_func *) gcm_aes192_digest, }; nettle-3.4.1/nettle.pc.in0000644000175000017500000000044613401564746014300 0ustar nissenisseprefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ Name: Nettle Description: Nettle low-level cryptographic library (symmetric algorithms) URL: http://www.lysator.liu.se/~nisse/nettle Version: @PACKAGE_VERSION@ Libs: -L${libdir} -lnettle Cflags: -I${includedir} nettle-3.4.1/rsa-pss-sha256-sign-tr.c0000644000175000017500000000325613401564746016201 0ustar nissenisse/* rsa-pss-sha256-sign-tr.c Signatures using RSA and SHA-256, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha256, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.4.1/aes-encrypt-internal.c0000644000175000017500000000617513401564745016270 0ustar nissenisse/* aes-encrypt-internal.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" void _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE) { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ w0 = LE_READ_UINT32(src) ^ keys[0]; w1 = LE_READ_UINT32(src + 4) ^ keys[1]; w2 = LE_READ_UINT32(src + 8) ^ keys[2]; w3 = LE_READ_UINT32(src + 12) ^ keys[3]; for (i = 1; i < rounds; i++) { t0 = AES_ROUND(T, w0, w1, w2, w3, keys[4*i]); t1 = AES_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); t2 = AES_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); t3 = AES_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, that should give a slight speedup. */ w0 = t0; w1 = t1; w2 = t2; w3 = t3; } /* Final round */ t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, keys[4*i]); t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); LE_WRITE_UINT32(dst, t0); LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } /* Some stats, all for AES 128: A. Table-driven indexing (the approach of the old unified _aes_crypt function). B. Unrolling the j-loop. C. Eliminated the use of IDXk(j) in the main loop. D. Put wtxt in four scalar variables. E. Also put t in four scalar variables. P4 2.2 GHz AMD Duron 1.4GHz MB/s code size A 35.9 0x202 17 MB/s B 37.3 0x334 C 33.0 0x2a7 D 40.7 0x3f9 E 42.9 0x44a 26 MB/s */ nettle-3.4.1/camellia.h0000644000175000017500000001023413401564746013770 0ustar nissenisse/* camellia.h Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CAMELLIA_H_INCLUDED #define NETTLE_CAMELLIA_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define camellia128_set_encrypt_key nettle_camellia128_set_encrypt_key #define camellia128_set_decrypt_key nettle_camellia_set_decrypt_key #define camellia128_invert_key nettle_camellia128_invert_key #define camellia128_crypt nettle_camellia128_crypt #define camellia192_set_encrypt_key nettle_camellia192_set_encrypt_key #define camellia192_set_decrypt_key nettle_camellia192_set_decrypt_key #define camellia256_set_encrypt_key nettle_camellia256_set_encrypt_key #define camellia256_set_decrypt_key nettle_camellia256_set_decrypt_key #define camellia256_invert_key nettle_camellia256_invert_key #define camellia256_crypt nettle_camellia256_crypt #define CAMELLIA_BLOCK_SIZE 16 /* Valid key sizes are 128, 192 or 256 bits (16, 24 or 32 bytes) */ #define CAMELLIA128_KEY_SIZE 16 #define CAMELLIA192_KEY_SIZE 24 #define CAMELLIA256_KEY_SIZE 32 /* For 128-bit keys, there are 18 regular rounds, pre- and post-whitening, and two FL and FLINV rounds, using a total of 26 subkeys, each of 64 bit. For 192- and 256-bit keys, there are 6 additional regular rounds and one additional FL and FLINV, using a total of 34 subkeys. */ /* The clever combination of subkeys imply one of the pre- and post-whitening keys is folded with the round keys, so that subkey #1 and the last one (#25 or #33) is not used. The result is that we have only 24 or 32 subkeys at the end of key setup. */ #define _CAMELLIA128_NKEYS 24 #define _CAMELLIA256_NKEYS 32 struct camellia128_ctx { uint64_t keys[_CAMELLIA128_NKEYS]; }; void camellia128_set_encrypt_key(struct camellia128_ctx *ctx, const uint8_t *key); void camellia128_set_decrypt_key(struct camellia128_ctx *ctx, const uint8_t *key); void camellia128_invert_key(struct camellia128_ctx *dst, const struct camellia128_ctx *src); void camellia128_crypt(const struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct camellia256_ctx { uint64_t keys[_CAMELLIA256_NKEYS]; }; void camellia256_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia256_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia256_invert_key(struct camellia256_ctx *dst, const struct camellia256_ctx *src); void camellia256_crypt(const struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* camellia192 is the same as camellia256, except for the key schedule. */ /* Slightly ugly with a #define on a struct tag, since it might cause surprises if also used as a name of a variable. */ #define camellia192_ctx camellia256_ctx void camellia192_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia192_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); #define camellia192_invert_key camellia256_invert_key #define camellia192_crypt camellia256_crypt #ifdef __cplusplus } #endif #endif /* NETTLE_CAMELLIA_H_INCLUDED */ nettle-3.4.1/eax-aes128.c0000644000175000017500000000373113401564745013775 0ustar nissenisse/* eax-aes128.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eax.h" void eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key) { EAX_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv) { EAX_SET_NONCE(ctx, aes128_encrypt, length, iv); } void eax_aes128_update(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data) { EAX_UPDATE(ctx, aes128_encrypt, length, data); } void eax_aes128_encrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { EAX_ENCRYPT(ctx, aes128_encrypt, length, dst, src); } void eax_aes128_decrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { EAX_DECRYPT(ctx, aes128_encrypt, length, dst, src); } void eax_aes128_digest(struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest) { EAX_DIGEST(ctx, aes128_encrypt, length, digest); } nettle-3.4.1/umac-set-key.c0000644000175000017500000000553313401564745014525 0ustar nissenisse/* umac-set-key.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "macros.h" static void umac_kdf (struct aes128_ctx *aes, unsigned index, unsigned length, uint8_t *dst) { uint8_t block[AES_BLOCK_SIZE]; uint64_t count; WRITE_UINT64 (block, (uint64_t) index); for (count = 1; length >= AES_BLOCK_SIZE; length -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE, count++) { WRITE_UINT64 (block + 8, count); aes128_encrypt (aes, AES_BLOCK_SIZE, dst, block); } if (length > 0) { WRITE_UINT64 (block + 8, count); aes128_encrypt (aes, AES_BLOCK_SIZE, block, block); memcpy (dst, block, length); } } #if WORDS_BIGENDIAN #define BE_SWAP32(x) x #define BE_SWAP32_N(n, x) #else #define BE_SWAP32(x) \ ((ROTL32(8, x) & 0x00FF00FFUL) | \ (ROTL32(24, x) & 0xFF00FF00UL)) #define BE_SWAP32_N(n, x) do { \ unsigned be_i; \ for (be_i = 0; be_i < n; be_i++) \ { \ uint32_t be_x = (x)[be_i]; \ (x)[be_i] = BE_SWAP32 (be_x); \ } \ } while (0) #endif void _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, struct aes128_ctx *aes, const uint8_t *key, unsigned n) { unsigned size; uint8_t buffer[UMAC_KEY_SIZE]; aes128_set_encrypt_key (aes, key); size = UMAC_BLOCK_SIZE / 4 + 4*(n-1); umac_kdf (aes, 1, size * sizeof(uint32_t), (uint8_t *) l1_key); BE_SWAP32_N (size, l1_key); size = 6*n; umac_kdf (aes, 2, size * sizeof(uint32_t), (uint8_t *) l2_key); _umac_l2_init (size, l2_key); size = 8*n; umac_kdf (aes, 3, size * sizeof(uint64_t), (uint8_t *) l3_key1); _umac_l3_init (size, l3_key1); /* No need to byteswap these subkeys. */ umac_kdf (aes, 4, n * sizeof(uint32_t), (uint8_t *) l3_key2); umac_kdf (aes, 0, UMAC_KEY_SIZE, buffer); aes128_set_encrypt_key (aes, buffer); } nettle-3.4.1/dsa-compat.c0000644000175000017500000000302213401564746014241 0ustar nissenisse/* dsa-compat.c The DSA publickey algorithm, old interface. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" void dsa_public_key_init(struct dsa_public_key *key) { dsa_params_init ((struct dsa_params *) key); mpz_init(key->y); } void dsa_public_key_clear(struct dsa_public_key *key) { dsa_params_clear ((struct dsa_params *) key); mpz_clear(key->y); } void dsa_private_key_init(struct dsa_private_key *key) { mpz_init(key->x); } void dsa_private_key_clear(struct dsa_private_key *key) { mpz_clear(key->x); } nettle-3.4.1/salsa20-core-internal.c0000644000175000017500000000575513401564745016234 0ustar nissenisse/* salsa20-core-internal.c Internal interface to the Salsa20 core function. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "salsa20.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_salsa20_core void _nettle_salsa20_core_c(uint32_t *dst, const uint32_t *src, unsigned rounds); #define _nettle_salsa20_core _nettle_salsa20_core_c #endif #ifndef SALSA20_DEBUG # define SALSA20_DEBUG 0 #endif #if SALSA20_DEBUG # include # define DEBUG(i) do { \ unsigned debug_j; \ for (debug_j = 0; debug_j < 16; debug_j++) \ { \ if (debug_j == 0) \ fprintf(stderr, "%2d:", (i)); \ else if (debug_j % 4 == 0) \ fprintf(stderr, "\n "); \ fprintf(stderr, " %8x", x[debug_j]); \ } \ fprintf(stderr, "\n"); \ } while (0) #else # define DEBUG(i) #endif #ifdef WORDS_BIGENDIAN #define LE_SWAP32(v) \ ((ROTL32(8, v) & 0x00FF00FFUL) | \ (ROTL32(24, v) & 0xFF00FF00UL)) #else #define LE_SWAP32(v) (v) #endif #define QROUND(x0, x1, x2, x3) do { \ x1 ^= ROTL32(7, x0 + x3); \ x2 ^= ROTL32(9, x1 + x0); \ x3 ^= ROTL32(13, x2 + x1); \ x0 ^= ROTL32(18, x3 + x2); \ } while(0) void _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) { uint32_t x[_SALSA20_INPUT_LENGTH]; unsigned i; assert ( (rounds & 1) == 0); memcpy (x, src, sizeof(x)); for (i = 0; i < rounds;i += 2) { DEBUG (i); QROUND(x[0], x[4], x[8], x[12]); QROUND(x[5], x[9], x[13], x[1]); QROUND(x[10], x[14], x[2], x[6]); QROUND(x[15], x[3], x[7], x[11]); DEBUG (i+1); QROUND(x[0], x[1], x[2], x[3]); QROUND(x[5], x[6], x[7], x[4]); QROUND(x[10], x[11], x[8], x[9]); QROUND(x[15], x[12], x[13], x[14]); } DEBUG (i); for (i = 0; i < _SALSA20_INPUT_LENGTH; i++) { uint32_t t = x[i] + src[i]; dst[i] = LE_SWAP32 (t); } } nettle-3.4.1/hmac-sha256.c0000644000175000017500000000305213401564745014131 0ustar nissenisse/* hmac-sha256.c HMAC-SHA256 message authentication code. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha256, key_length, key); } void hmac_sha256_update(struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data) { sha256_update(&ctx->state, length, data); } void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha256, length, digest); } nettle-3.4.1/COPYING.LESSERv30000644000175000017500000001672713401564746014365 0ustar nissenisse GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below. 0. Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work. 1. Exception to Section 3 of the GNU GPL. You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL. 2. Conveying Modified Versions. If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version: a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following: a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the object code with a copy of the GNU GPL and this license document. 4. Combined Works. You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following: a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the Combined Work with a copy of the GNU GPL and this license document. c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document. d) Do one of the following: 0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source. 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version. e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.) 5. Combined Libraries. You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License. b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library. nettle-3.4.1/hmac-sha1.c0000644000175000017500000000301613401564745013755 0ustar nissenisse/* hmac-sha1.c HMAC-SHA1 message authentication code. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha1, key_length, key); } void hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data) { sha1_update(&ctx->state, length, data); } void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha1, length, digest); } nettle-3.4.1/ccm-aes192.c0000644000175000017500000000623413401564745013764 0ustar nissenisse/* ccm-aes192.c Counter with CBC-MAC mode using AES192 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key(&ctx->cipher, key); } void ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes192_update(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, data); } void ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, dst, src); } void ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, dst, src); } void ccm_aes192_digest(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, digest); } void ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes192_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(&ctx->cipher, (nettle_cipher_func *) aes192_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-3.4.1/sexp-transport-format.c0000644000175000017500000000426513401564745016521 0ustar nissenisse/* sexp-transport-format.c Writing s-expressions in transport format. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sexp.h" #include "base64.h" #include "buffer.h" static inline void base64_encode_in_place (size_t length, uint8_t *data) { base64_encode_raw ((char *) data, length, data); } size_t sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { size_t start = 0; size_t length; size_t base64_length; if (buffer) { if (!NETTLE_BUFFER_PUTC(buffer, '{')) return 0; start = buffer->size; } length = sexp_vformat(buffer, format, args); if (!length) return 0; base64_length = BASE64_ENCODE_RAW_LENGTH(length); if (buffer) { if (!nettle_buffer_space(buffer, base64_length - length)) return 0; base64_encode_in_place(length, buffer->contents + start); if (!NETTLE_BUFFER_PUTC(buffer, '}')) return 0; } return base64_length + 2; } size_t sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...) { size_t done; va_list args; va_start(args, format); done = sexp_transport_vformat(buffer, format, args); va_end(args); return done; } nettle-3.4.1/umac64.c0000644000175000017500000000740413401564745013317 0ustar nissenisse/* umac64.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "macros.h" void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key) { _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 2); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_low = 0; ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac64_set_nonce (struct umac64_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_low = ctx->nonce[nonce_length - 1] & 1; ctx->nonce[nonce_length - 1] &= ~1; ctx->nonce_length = nonce_length; } #define UMAC64_BLOCK(ctx, block) do { \ uint64_t __umac64_y[2]; \ _umac_nh_n (__umac64_y, 2, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac64_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac64_y[1] += 8*UMAC_BLOCK_SIZE; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, __umac64_y); \ } while (0) void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC64_BLOCK, (void)0); } void umac64_digest (struct umac64_ctx *ctx, size_t length, uint8_t *digest) { uint32_t tag[2]; uint32_t *pad; assert (length > 0); assert (length <= 8); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[2]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _umac_nh_n (y, 2, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; _umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, y); } assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache + 2*(ctx->nonce_low & 1); /* Increment nonce */ ctx->nonce_low++; if ( !(ctx->nonce_low & 1)) { unsigned i = ctx->nonce_length - 1; ctx->nonce_low = 0; ctx->nonce[i] += 2; if (ctx->nonce[i] == 0 && i > 0) INCREMENT (i, ctx->nonce); } _umac_l2_final (ctx->l2_key, ctx->l2_state, 2, ctx->count); tag[0] = pad[0] ^ ctx->l3_key2[0] ^ _umac_l3 (ctx->l3_key1, ctx->l2_state); tag[1] = pad[1] ^ ctx->l3_key2[1] ^ _umac_l3 (ctx->l3_key1 + 8, ctx->l2_state + 2); memcpy (digest, tag, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.4.1/write-le64.c0000644000175000017500000000300713401564745014115 0ustar nissenisse/* write-le64.c Copyright (C) 2001, 2011, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-write.h" #include "macros.h" void _nettle_write_le64(size_t length, uint8_t *dst, const uint64_t *src) { size_t i; size_t words; unsigned leftover; words = length / 8; leftover = length % 8; for (i = 0; i < words; i++, dst += 8) LE_WRITE_UINT64(dst, src[i]); if (leftover) { uint64_t word; word = src[i]; do { *dst++ = word & 0xff; word >>= 8; } while (--leftover); } } nettle-3.4.1/cnd-memcpy.c0000644000175000017500000000265313401564745014255 0ustar nissenisse/* cnd-memcpy.c Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "memops.h" void cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n) { const volatile unsigned char *sp = src; volatile unsigned char *dp = dst; volatile unsigned char c; volatile unsigned char m; size_t i; m = -(unsigned char) cnd; for (i = 0; i < n; i++) { c = (sp[i] & m); c |= (dp[i] & ~m); dp[i] = c; } } nettle-3.4.1/eddsa-hash.c0000644000175000017500000000255313401564746014222 0ustar nissenisse/* eddsa-hash.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, const uint8_t *digest) { size_t nbytes = 1 + m->bit_size / 8; mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes); m->mod (m, rp); } nettle-3.4.1/base64-meta.c0000644000175000017500000000300213401564745014216 0ustar nissenisse/* base64-meta.c Copyright (C) 2002 Dan Egnor, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "base64.h" /* Same as the macros with the same name */ static nettle_armor_length_func base64_encode_length; static size_t base64_encode_length(size_t length) { return BASE64_ENCODE_LENGTH(length); } static nettle_armor_length_func base64_decode_length; static size_t base64_decode_length(size_t length) { return BASE64_DECODE_LENGTH(length); } const struct nettle_armor nettle_base64 = _NETTLE_ARMOR(base64, BASE64); nettle-3.4.1/umac-poly128.c0000644000175000017500000000613313401564745014357 0ustar nissenisse/* umac-poly128.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #define HI(x) (x >> 32) #define LO(x) (x & 0xffffffffUL) static void poly128_mul (const uint32_t *k, uint64_t *y) { uint64_t y0,y1,y2,y3,p0,p1,p2,p3,m0,m1,m2; y0 = LO (y[1]); y1 = HI (y[1]); y2 = LO (y[0]); y3 = HI (y[0]); p0 = y0 * k[3]; m0 = y0 * k[2] + y1 * k[3]; p1 = y0 * k[1] + y1 * k[2] + y2 * k[3]; m1 = y0 * k[0] + y1 * k[1] + y2 * k[2] + y3 * k[3]; p2 = y1 * k[0] + y2 * k[1] + y3 * k[2]; m2 = y2 * k[0] + y3 * k[1]; p3 = y3 * k[0]; /* Collaps to 4 64-bit words, +---+---+---+---+ | p3| p2| p1| p0| +-+-+-+-+-+-+-+-+ + | m2| m1| m0| -+-+-+-+-+-+-+-+-+ */ /* But it's convenient to reduce (p3,p2,p1,p0) and (m2,m1,m0) mod p first.*/ m1 += UMAC_P128_OFFSET * HI(p3); p1 += UMAC_P128_OFFSET * (LO(p3) + HI(m2)); m0 += UMAC_P128_OFFSET * (HI(p2) + LO(m2)); p0 += UMAC_P128_OFFSET * (LO(p2) + HI(m1)); /* Left to add +---+---+ | p1| p0| +-+-+-+-+ m1| m0| +-+---+ */ /* First add high parts, with no possibilities for carries */ p1 += m0 >> 32; m0 <<= 32; m1 <<= 32; /* Remains: +---+---+ | p1| p0| +-+-+---+ +| m1| m0| -+---+---+ */ p0 += m0; p1 += (p0 < m0); p1 += m1; if (p1 < m1) { p0 += UMAC_P128_OFFSET; p1 += (p0 < UMAC_P128_OFFSET); } y[0] = p1; y[1] = p0; } void _umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml) { uint64_t yh, yl, cy; if ( (mh >> 32) == 0xffffffff) { poly128_mul (k, y); if (y[1] > 0) y[1]--; else if (y[0] > 0) { y[0]--; y[1] = UMAC_P128_HI; } else { y[0] = UMAC_P128_HI; y[1] = UMAC_P128_LO-1; } mh -= (ml < UMAC_P128_OFFSET); ml -= UMAC_P128_OFFSET; } assert (mh < UMAC_P128_HI || ml < UMAC_P128_LO); poly128_mul (k, y); yl = y[1] + ml; cy = (yl < ml); yh = y[0] + cy; cy = (yh < cy); yh += mh; cy += (yh < mh); assert (cy <= 1); if (cy) { yl += UMAC_P128_OFFSET; yh += yl < UMAC_P128_OFFSET; } y[0] = yh; y[1] = yl; } nettle-3.4.1/aes-encrypt.c0000644000175000017500000000446513401564745014456 0ustar nissenisse/* aes-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_aes_encrypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void aes_encrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_encrypt(ctx->rounds, ctx->keys, &_aes_encrypt_table, length, dst, src); } void aes128_encrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_encrypt(_AES128_ROUNDS, ctx->keys, &_aes_encrypt_table, length, dst, src); } void aes192_encrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_encrypt(_AES192_ROUNDS, ctx->keys, &_aes_encrypt_table, length, dst, src); } void aes256_encrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _aes_encrypt(_AES256_ROUNDS, ctx->keys, &_aes_encrypt_table, length, dst, src); } nettle-3.4.1/ecc-384.c0000644000175000017500000001155713401564746013273 0ustar nissenisse/* ecc-384.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-384.h" #if HAVE_NATIVE_ecc_384_modp #define ecc_384_modp nettle_ecc_384_modp void ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp); #elif GMP_NUMB_BITS == 32 /* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256 bits at a time. We can get carry == 2 in the first iteration, and I think *only* in the first iteration. */ /* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate almost 8 at a time. Do only 7, to avoid additional carry propagation, followed by 5. */ static void ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) { mp_limb_t cy, bw; /* Reduce from 24 to 17 limbs. */ cy = mpn_add_n (rp + 4, rp + 4, rp + 16, 8); cy = sec_add_1 (rp + 12, rp + 12, 3, cy); bw = mpn_sub_n (rp + 5, rp + 5, rp + 16, 8); bw = sec_sub_1 (rp + 13, rp + 13, 3, bw); cy += mpn_add_n (rp + 7, rp + 7, rp + 16, 8); cy = sec_add_1 (rp + 15, rp + 15, 1, cy); cy += mpn_add_n (rp + 8, rp + 8, rp + 16, 8); assert (bw <= cy); cy -= bw; assert (cy <= 2); rp[16] = cy; /* Reduce from 17 to 12 limbs */ cy = mpn_add_n (rp, rp, rp + 12, 5); cy = sec_add_1 (rp + 5, rp + 5, 3, cy); bw = mpn_sub_n (rp + 1, rp + 1, rp + 12, 5); bw = sec_sub_1 (rp + 6, rp + 6, 6, bw); cy += mpn_add_n (rp + 3, rp + 3, rp + 12, 5); cy = sec_add_1 (rp + 8, rp + 8, 1, cy); cy += mpn_add_n (rp + 4, rp + 4, rp + 12, 5); cy = sec_add_1 (rp + 9, rp + 9, 3, cy); assert (cy >= bw); cy -= bw; assert (cy <= 1); cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE); assert (cy == 0); } #elif GMP_NUMB_BITS == 64 /* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3 (almost 4) limbs at a time. */ static void ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) { mp_limb_t tp[6]; mp_limb_t cy; /* Reduce from 12 to 9 limbs */ tp[0] = 0; /* FIXME: Could use mpn_sub_nc */ mpn_copyi (tp + 1, rp + 8, 3); tp[4] = rp[11] - mpn_sub_n (tp, tp, rp + 8, 4); tp[5] = mpn_lshift (tp, tp, 5, 32); cy = mpn_add_n (rp + 2, rp + 2, rp + 8, 4); cy = sec_add_1 (rp + 6, rp + 6, 2, cy); cy += mpn_add_n (rp + 2, rp + 2, tp, 6); cy += mpn_add_n (rp + 4, rp + 4, rp + 8, 4); assert (cy <= 2); rp[8] = cy; /* Reduce from 9 to 6 limbs */ tp[0] = 0; mpn_copyi (tp + 1, rp + 6, 2); tp[3] = rp[8] - mpn_sub_n (tp, tp, rp + 6, 3); tp[4] = mpn_lshift (tp, tp, 4, 32); cy = mpn_add_n (rp, rp, rp + 6, 3); cy = sec_add_1 (rp + 3, rp + 3, 2, cy); cy += mpn_add_n (rp, rp, tp, 5); cy += mpn_add_n (rp + 2, rp + 2, rp + 6, 3); cy = sec_add_1 (rp + 5, rp + 5, 1, cy); assert (cy <= 1); cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE); assert (cy == 0); } #else #define ecc_384_modp ecc_mod #endif const struct ecc_curve nettle_secp_384r1 = { { 384, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_redc_ppm1, ecc_pp1h, ecc_384_modp, ecc_384_modp, ecc_mod_inv, NULL, }, { 384, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), ecc_add_jjj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_g, NULL, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_384r1(void) { return &nettle_secp_384r1; } nettle-3.4.1/md5-compat.c0000644000175000017500000000257113401564745014166 0ustar nissenisse/* md5-compat.c The md5 hash function, RFC 1321-style interface. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "md5-compat.h" void MD5Init(MD5_CTX *ctx) { md5_init(ctx); } void MD5Update(MD5_CTX *ctx, const unsigned char *data, unsigned int length) { md5_update(ctx, length, data); } void MD5Final(unsigned char *out, MD5_CTX *ctx) { md5_digest(ctx, MD5_DIGEST_SIZE, out); } nettle-3.4.1/nettle.pdf0000644000175000017500000213354413401564746014052 0ustar nissenisse%PDF-1.3 %쏢 5 0 obj <> stream xuRˎ1 +rL&  - qeYf-CuyV}hbWU>C 9[˷ mO8̇>?g%o fU>/o TffM׺k6lRz ǁMi5q6ezMWvB܋A}.{T;Nup<@8UϧN!x}*Ө6nb"l)"x8sE5nQc:TcjޏS˫ aq+ONF9F=\`.Zl=Q%ΰA܇e>kGTal|b Z~>56P%%tHFCuAM+F$JAwĉ:+_=2x6fIC#r#n(-mqJ?!endstream endobj 6 0 obj 444 endobj 15 0 obj <> stream xVɊ1|D+J@.$$29dlf0zJR]jw@0F=FIݨ龗ٻᄍ~zv7M6AUjV"uO2(lOh)FyqΕ4F⶝k⡝Ximހʡ)NZZemKwhvoR}PRtKgKuxL[УFZ],|It*!Bj+b)KjᲔt lJQYS_J砬ByCM&bhX@fQE(vGXf<3G!Hl`_b8j{Wg Ugxu(Q?*". u*FӰ)fhH|rGx !4hw[un3ғNI39CVaUHKt^hɖyn4iU(2M`" ]OR(^C Yz"78^Ho8tUqNcB}?s DJ[g!"٨6@9V4Ք7 3)u`15Nǒ.fendstream endobj 16 0 obj 944 endobj 20 0 obj <> stream x]Ys~ׯGNGy\IͤJdJjc.ߧ <3bA]P n )`!O귯iqx%W?\Aul Zpfzny B߫pOƄSk7gͨN)GշADzdX~VI X F(C*ST @T?V*ؓ-*xx=i]Y|u7[9> ka$hA>F, U(TYXo[R6"SVu4R|1sx| D) а.kTJ@*@ 1BM3oMxPVGRv8L|p z`>K԰}9bGdf,`Jwnsy4S0tf~haRe'}2ɢqh$n(ƕj_tqsKЄNXyӓ j5(2.N[;wj̐v>!-Ƿ~9 }aqZ%ȴ+)KP*FJ+58A1U0dD_)&ht"v|UR߻hEkr.ܤ7ӑ٦e"P6_qn_MV x+ 4e̫X65x*VAX^;)q.ҲƧ(=x0 ? 48.TwHBe+5u~ ,A݀nIuoKiKb}#K Q k C1=n`$ie7i;C?bHeSN3 E8՞VX/wpqab3>2QF?IwU@f p;ǡQW}\ ._b OCC2&/RZ#H/|T$m(@)eBU4:*Z)+RH,]))];>twk;8 cOuH9hS|dN1yOlg;% _6()2`<:1ypIvN= ⢙/q{<$;{@‘^u{n}& 7~Ia81.C>--Ͳ>x'$ ufv&ȅ[1 f7jo^ `Ǝ/ 4CKC-`ߣ'{bg;{~JʔB t:";탍:"|3 }whK1cЪ*5r魒$, a+q/T}<_#]pDS#o׷ZZ??gngAJO!8_;b{Lni$YNCCs ۙ(x3^, ߨQR"6k^4ecN؉:6׍Mk`uۢL|_O'ěN|,)'}Um3/~[~{Wm/9h{}{Q(ya4Bӥ ?h嘭A`f>~CeZ0煱*jmk.D$,Kv-KH]w*cNkS[`$H0Nݠ,|vvU PAM͛6SH._(Re)_R ;SZ~^ 0Wu.δg'hcGjXg3ovNlg[ũƂMԃc=PuR.f2%uPȎЛ2>&}r7­H;}vuH)A{pB3 5ڙg+VQ7OF,4R07ѮBDɳ6bf;ǍY4¢{>{EKQ d5sۃkA ^N% bNwf;ٙ> u#;SYçw$ @n]&ۙrFX#JO]/R.%] rOl(v+Yf}3SǹBE=u/g2ճLA(,V_[߁( _Ox~:"P,i"GP30/Tu3|p=/WWiCendstream endobj 21 0 obj 2441 endobj 31 0 obj <> stream x]Y~_1oY%'bE  W$XȎ}an3CnzPSnLlxW⋧n߼B?nm\\pQRl0,hq^1o6W.}K<O*Xƍ\Jłasg\ز淒>,a !0  %wۿcBXnw 3ۇqaq >C ~%;却jx*5 NW%\ŭ1#˼u|/V4@]J xWy3 .Bl.b qEB58xjZ|V0? vfs3 K4@ї04|K7y7c3|MJhz[@}-?GOY4<J/j0p-[n~~&H}@WR.f-mz$7$%xt5I/C?!F|񤀙4p ~"O;0bJpaZЂi)&0l.T\T' pz:֠[QűM#AW>QϑΗ4(5G3ܾj?.6L4x5srp̀l(K T;6GTMfoL\}Hh{[mXrɬ6A^jbAÃi J~&Չ5Ý%Oc Vn; xQ'Of/+SR tW7W)境vDC1a bE4e]tKy -* exPhrQ$)Ӻ:Nʄָvi|H8p{*pp;ĹI#EЀXv%F>`Wߤw#E3g *{ WjrɉH12.k:l Lis1>ʨ}#%6;fyeD:Tdh G&/E+ZL倳Ai-2:A}9ł[GʹC ZTBIQc:G`ut 5@DG i)* k9|c>|}" GG"b+XEĊZuoW4F2h<9MdOyV[%dspv*ΟXɂ>?%Ydf3,CGtHF)Svߍ`~מ"9󗖆)kȠ(m8oL(MVVKTp)G%Ik0(.<,At=ȌI 돴!5e nfmZwZ9& 1U:AP!äc4؆ی?bZ,ÎHf\C./k697HZojs"9V.F@s*6>M-o҆@nrGet'I~%;S2k-C1#!_YRJ9Nֺ0v S\`%^ @bnd-! 6sܚօ%t[!cv?>!Y[еA0pX *zJ;6pg%7`OQ} ҞO sch4nLq#vn 0Ҥ3qsc`4E^ * /p/ш)8 x׭xEʸ LUj&dD ζ xqݗS@~ P'k#lgo[m si?''/v=ZԼȶzEY.'^9pjm,sRi a8W BGN,sv3IơLU+& V5Lb Bdx# ֊ l!B]=2`Űa‹:CLWXҋ]V/2$#ÂW >6Rhz k?f5m8Td48ӕHn&WN) QsczVjw$˘9椝`M[ic Ƽ:[ *^@X`4wY5qxG f4GNC\?14>AV{EE=)hZq Euy(QN)5 z\z|djt'" ۃ T˙NеBg{ܘRԑws6]ݝ#SN9ke`SrJ+@AyR~Rnto{HiKC}8,9ϯw!xK}'d3X CuaIxʒ'#v?P2ٯ3qpS#C4>anAB:ߚET~(J{+WwK /9>Ԇ@wyqHоS5@k۴h%>'5SMS'tIjk,Kݒ %Vִ ɿB* pvGvrJ9fYxlOr=؞S3c@yUX}9"#ӜtȺk=O+m0[J z{;Vg|@yR"Dl5qXyXfƵ\> stream xMoG {\v<$gș4R=cGRh]J#!C#Kr>jqr*6 lƯUJ h#4wa'427_ECcӢ# h:$ݏYV^Zc]DКWT_v.ƨeg 6gFߊ)P*ONѕ74@;b8n[lGXnSJ'酗l@3MCFBd{KA{=Pɖ܌ܛ"U-ɿ9d׼UŠaw0^MO >zD~ .(훥Z'xpf,1СJx1Q2Tq{kj'p+ ÇJr"}k $"Ìz_u~ﴠyv2Neu/;ßb.bnUAsT_Ld\H-G$<fNt!fJ+KjUR YO\Hl!bbQKwumiJ[*>H47sK4UF t23!LtN)O_&ҍ'Q X>% M__}|ʶOH Cq _~.CvJm !YS^gn }a5gfzmK}Ȕe}0HQcK!^@iPWu2VS tu>CY~Z}9b"Yrp&j~9Ā@^rW> stream x[r4k_t /m>8$H B %3k# l4r}Yxa30?:yݜߞ~I]mp 8=|s$~7mӛӫ?nPvf!zz Bj>#Y[͵^㳱9}3bo;l\,5j ;;a}A>;vKSzړ?gävg;2r~ӿ(af tB ,o6vyNqG;m̤Aְ Q#2[\sO+.Ns+x:(3Gp)\3 yF0R/NN*aˤ@?2ϗPIzf[ yٺnFs:@E+Ǎӏa&Y-!Z"DK_Rs{{{>)SU'GZo.;@`62%<>LTCXQN3%ȃ^$ mwdð!lT)dJD!Q"2EË5(A5R*DT1ӿbf3 X @`ԲGݳҘ?E [y[X,<8IArebмwT >Ȩ3&o;CtӻȋhK77 ;ԮG7,hMzJMIgPv};M 3*[bU *r~˦|N~O|m\)X؆>[ 69Bƾ_*QaM])g!ML\Z b&xRrZN519e ^s.Ru^3SȒ:˵B Ԗ[k+ -KˣTO9M ZM'`H񤠐q1n(}lыO998 ljU?2-pr)ۢ?w<7h4E|ZLMKʺZm)qNZ r)DAǹ[KHN'TN ?s P=S}jr SM[RJl=z[MQpnzx,2o@<0 ,/Zf;r.Ws _cm]]4kzHĕݳ*N1rf׻m7g+DS|.0-z^:m(nxwGQP蛹 ?D#g: U!v^Xo0e:ew7 p`0Ǫ)ۣM'`-, RİR/+$JLm2 |GqFexB<.qXˌV,{ǯ@jtD\ FfbJ+SBxc)@/KΓ";s̉G#HJ#0IFٛ\cC/1: \d S<.tE}G'yED7Q0F0)8I&WyH{9MSRGRM 8~1MlkSgMJY$*n`FG_uf5 T@4*&DKj({) lx}ζktmdUdp)'1uوݧD؜TjvN+w82YI]XVW[ O՝nۥ#ЭK֌G t"lQg D>ꅋU{X `wgzU_l oKm .9o@:By<-dSHt۽-X(Es@75~tV-c+.ø4:HWL#z=mRLa{<<:uqEe*̈́ +ݛ+"Tg'q$4y#<"kifK~Y qx^ف QY?rͺ_h=T `NdW.(Fd|lqQ<r}o#쪪Z ==e1#G)g RClYn[`r&DA ƪ")53o.M߆ױ)LzlLP=2*cU=Z}Yei}3Pa[nQ=B&KeJJw 'Fg],fJSȋ{AbV)rEu]]4ЗԨ6聒%Ao" Qm{6;Ear7g,.?ƚJmO_TyHm> stream x\IO#CԾpc10Fp 3ݙtgVW{+8S]˗K;1ɝg'?]a'SQ8o];ǧ02J31)e0Qi+/z+?vRy3c"]ͭ7gSVLB9/X@$d=?}*? ;'gu 3$zavƕCJbzes>CӉ(g%!`T,yʨYS1rS}%`X،貔{M^}zUG~E]6Tw0e djaP};a:U~.eZ9B$hddo6(1L|?AYeș14" E\t* d$c0֙y֖Rա*!r8%"q֊X%.)c2PpI\QnYu$EVA^cYx-f=5S2R UkXa*~M0nec[vv\M*Rę~<7^5qVRvKcd8XZ*i:ezZ|E u{~HWY/̡pO~ ը"4=JfgCƔlUW:p=bv0E4m6]*g%L-6K쀖bT V/>!/B^lAʦ0qOI|)E3ø,[0m7⽁Cl!0DߤZ=@%9+TW @#ڕG9PePcsY}bG9 O ǪذP{J\bۆ3ZmhP43S14ޱT~,OHm AG@D7}))74m]2E5hD_9`M 6E&+8/>³tEnQ̙x6/X8qi aaxG` 5Qk3 E׻6řbhִ L-Elm dՍtʅ;`X@\ps܍:5`B,/UUX2(L *EHʀ LfkBӛAǨ_]|dt{2RY5^񣧹;t+~苪L5(wejjVϜ[#>x\z&0qrĎkUL _H.c"b.JaIY>\|[~"JRԟ5R2ζ k3 +'0g jۏJ֑j!Hg[2 "j>B=ˢrA7!5H!ͺ³si sgсa_|Cѓv%ܮJrt=hZk& ᱖Z:R 0oµ Zɝ aqwöc< )$ !x@5WmL0RZ3 Օ&c RAƸ fjrEM'$IZ%SDiraqQbP[0X"$$9VTBL15avPJP2mH.%) )ZTXa:hs`&x&#>:U~wC/QVI](--$8ԡG'ᘭK]acV+l- 8l31OR0,&3WdYY%4=JcvŒD >-^Q3M7LSD@+_Ld04xUހ]\jR PQI-z+6?gŝU, q 7T9 "f`u |0O9 Kfűl{n!4@kd㶇h#I +SB_Аϸ~̝> #ۊ \mV6yT Vt%`K)^5k凂% eK8nAuS’%/0#+XG!€}oz,4F\*βBF1rm<*rj*h8`#N DH5Q YLPd^_;Qdzk'ygTު)in1]cci(iE獺sl4~9$\7pmm\y ^ h >|Jj(.^zy|&%FL֢o8 m]Z^sڇGǹ lIܞ渝6QgBZ1B(&6TH`.fS̳1 ㅽ\ pꭥuj#!;|4RpJ@nJ5n> ;me[ }t+S7,X[PBHܾIr H* 0<Ұ[#RA>X&m򻕗)Mm/HItO@HF)<~w.ݕ^g >0O- Z\_&~H|E+$QoM,-Q/>1&Fm>ErV\hy&@c<p0qb'gsvwMԄm|rE)Gx0Q[cϷ2er‚YM;w?-wE"&DsTRf8]]11om'*-S9ߚF1_SjT Fol#46944F.}kdWVXi> stream x\I5GTGen`lv00mcO'S*UTRჃR\\Կo9[~|]}z÷O7oD_o? GXAl/lҗbyż^<{yJ-~9;LJ0A*#d 6c:^+erӿkm t1/ޝ \3 rV OÕ$\|2-K͛VyopM,HQ:nŅ*-V86{|).ӨdAj[|C,]EX4^N_MNdCr/BvxZX/M1g'3JIo tBE3i.DL~;_ \2 cH6;A "a/ ʗ7r*)l)+#'q$e>D-pw8h6.3ʉIA$UFe9D Phpb,RxԱ& MmzqٺawU)Ō(n2[^ R E\]^ad}H=U%ocU.ɧlڧi: W9!`KozUM֑Yetk LVOpkɤJ[3P9P 9]5ӛ=0ʁ26\1o^E]*ѐ]f2TiU+fZid2U X(1 ?fG5?'??>B6=T3{i,hCp &,L(nhEy=8MvAi*m M޻ [ +I@"VICч`hVq!&;At'o/co p=\W&)ۈ0Ԗ Q;e5d[`h~svE!. fAOKEU~>#zc,Uu<McK(RH1ͥ_R{\GE>6k]8ò4ne9G(d#j=x\$%)Qތ6 Gc=u]3  E ,wOc3:kNeze bN2ԓq1nfq|, NWgQo]l~ho7|{{8qk 70$vEg{vVh7R%DtB^es1r1E&ؖ8SEW:4)XޢȉQQIzs8 9S!xoyoRd\1#IME$Xߜ$S ձϓDx2[G/1U(Pt1H K"-TzdB0(mWASܒs UN#HH fkdi/;SYFQ^K@$3mX5d˃8XijQJ3'Hr @qID7vxj;t0uᖩ6Zx#Q܈U#F; DZ52d}MKh}"?kPl,fiŽP1 muKU#p( 68}:Us&ɇx @`o_QuUaPMjrEXF`pa)K-nh({ !JB}``%Ý3d38%sc-UKpW\ikĕvY5P;f;7)^j#aҪ_ oLr45,o)ˌϯ Aw![Nbw_/dȽ_^umڳ8Kr6Uh r]@Ij؂Veps'<ΐ>oJBbgmQ| [uѱ$wy= |^3!^އ)4|!׹X)"N#d\0pvٶkS $-x wƂ>ivɔLE"ΊLj: &tl ~rJ{v^D | Va" _+ ~݉}jD&c$nލwxww3>afދ9wFI:jęid-j9;HߨZ( ߎ~ gטWv",lV qms c9kƚRm w|~7 3,h^:I:p)Om6PpUVdnP!}uVia `f%V]"|4(M$6>/ |ͤ/׏$CE_{?2ߵ%r3D8EZoZ0Rj{#F+S.lٱIN@mm3#.}Q е6YD^D: u2jHt9ga7ɸO2w^P8ש4h&=hCYI&[gţ霢ܚ$, >G@ ^)Fh]D?xy0X.SE+S;T q z*C?akkendstream endobj 54 0 obj 3994 endobj 58 0 obj <> stream x\[o%~w~13GH$$QR@kw.k;`~}2S}츧._UW蓯;<鈇?:p|xˣ%?:8}|zuT(ɞ-B(9f -yjݻza\$/'{b<] p}"uNƿ _,dj|GJE+jE(}WHS.~$OȅI *5tq^Hpf90#a.2#߽p%r AvlȎ(SH).Vyӏ}qbQ"I:+vs_n *rwGt0b;fjW1iqpn B~6N+BU&33PJf`#pxJQ.Vķ:  NZ*7 m _WWȐz1x$QDŽwt8#-V?DQ,L lv9 jdZ2OpfSޅ: f Gɖ > Pb]@3c">(3.}c5F8 [TPtmb!hmR I ֙!0U"!` PjY̺>9(VDl*c$K>hi+V2$0W Cax*)['~ ܩ/m)- o@k _-4i@isp!A*f |k@Va0& e|ķ\T- glzV7''x]GxFH Gn,dʽJz0qvW" Ch(i%+hTn/XR+5(cb cd t<"D2r XPa4Z0Ijg Z tu}9*!K J6uF(tG!yhje,0kb5![d% !=` Tq%cfG`cZDjUnƋ8H(LkZG,Bg;ZseIiC0?#QUtӡ8',!-aFVO:Hr[|I(U*ඩv>2*ܼUƅlzgFu-~`HcP x9 [;ǨDle9|8q B:$d妶XP`CNs V-\th?DeP FBCenD :Qu6X~h EV_Ze )VqD,[cl_έlyJA'D'9#c}wҒ +m1mR{2Dچq|l}>%| 3Ʀ@n9ڭ/ $P#;85u+t8`UXg2@ab $S5J2[X4O{/$z+] <6}=o_*¹:Y8xdkã#%X&LC67 xΫNNT,'֛T7xˋ3B 7\uEkSy1IX4EP J^(A΢<uMrwum}ǕA rxQNu},$>6٩Mt?jk(d[ĨFqlǗ=R@;#A+ͽI7vpb.mJ)uG2*ڌ:F -}uGz2u'Ɂ ~FnE'R 7q!Ujw3ĢXrZ#z_`oendstream endobj 59 0 obj 4410 endobj 63 0 obj <> stream xYYoE~_#FAY}@a(B^$Eחb:wk/.kǂV>8=6Uǽ=X4΋ qԱbpԫdXU {˾7%o.}FN]VQ8W vL*wLg>aXlļъuu ?lf  ɭco[;Zs~\0QS)ʟ#eU_$$$a/tP_6!34 jôFPpOQ@IdkV!2ZP|NMI|ĝ$ߓ%lq Ã=O!N16rΆ&%OXNI^9^kBC;^Fd (7?qPc4Dk4jL x^?e(yuL hw!>xق&= :vNc&o;Lϒ݋]b.BũX_Y^ ^D7Г$~gb̈́:ECB1Ň%ƃx(0{Hg|Y=G 彁r,dwm\st1ǟPטa= ]YN=Φnj)酐^%Q Pt=Hؘx`8'.$>_ƙW(2?yҹN+9EAs>νDZ[3T\iy7Na d{iq$TP`YXZ6|k {:߀!_b\3E -6w^N4majSE&&zC:!}B`ʿtEtk"ޣVaQ.aic1:G+ؽ&Q9t0*߯;-foqB=G{Dym'8^3쌊WJ3*օ7wNUwTS(]T(NVZn3'rhHy8;R̾tkdk 0Oendstream endobj 64 0 obj 1563 endobj 68 0 obj <> stream xTMo0 W(*R>v. 4&]R,mS`ٿe9lx;>#FCm3WכSeMRA^}HMQPGS`uWFHxmZ){ hsK=zLyΪצTT}ߴD]T}22M 7DmSE4GZ\,}m @;ꖢ@!g}Nы|u5VzM]QN)XROUt˜5=E.Zb92,K<Ϳ{eޥg\ Kk!T&av2 S8д1%CI(sCÖ:[7Wr%Y3Iwh:Y5c,ϴ%.ġ#Slѕ2In/qNڬ٠UQf7 '}ZSGźA򳽡̓&pȠgrd@e ,G.GpXͧvyWendstream endobj 69 0 obj 564 endobj 73 0 obj <> stream xYK5ρ07zPcB(( F }& O.ݳ$!j^WUk˵Wn}~Ǖ/w;zwJ_ukf^J+ẋVJ M >{z6HcSzx f `z!UgاnZކ% Jw6[ ee|+ VZhNW}ʯHvoڧfk, RHI- k`Sw]9IzPO}vZK0;R㟅S\c%jh(o-{?-bv, [&ܥ.;KNVǍeid5OStG̾&gVo“d"9Yi &tϲSL-@0m2 T!xohz|?=Nǫl+tt׳p:x<@ax3=OGɓ"!4Y:'q=`"Pv 4p&yfۃ󲴙tL3iqf0-~N{Iyz+,o2@dƈA9#HJ[|qߜl/y0.9MJ3vEe >tSG⧣f*R(Q ^Mf&·']7s ܥݭ.x|>!mK;~sOuL))Ώ1La"`eD"^eQ$GQQ] xT|hD I"dD?kݏ,?g慳BxĶ; "@v4*.{#%JD,gY.~aoW}OH"хey Y;OVEov]%u>$-[s+ Ynp,H7 HzlH* X5n8#1n;jg.EE[S|e;O]B=.R||@~\K/9iw=-~[$!ͮ oXch_P8(pnˆeTFO3MC.}yD94u_U,Y|5H}<ھ_G5ƈ-&>'}t襯[RI`q _{ ho=\QMMML> * AGjΫ2 [65_^Le'lj26#/ΐ?dz{#^,Qj5D˽D"^r6|;w~^k"V8Xy7/] d _.ҥD}muCrh7|\hخ︀*] gnm(endstream endobj 74 0 obj 1989 endobj 78 0 obj <> stream x\[q~Gup8*JE%V\/]ɊK,-w%ק40TAK/__p~ډI?{}7~D^t"?wgw=SQξ?I_];ɷ/NaRe1)es&*mGm뭴vAk; }Ӄ1vrq `PՇ&Z by٘ۉQn. oNI)4y)HG`ְ{]xKiXJĴu?mߪ\՝vo%II}5$m:؝1Jprog+{uzPNo2dHIÙ>v$C_|  ekט7hbwzPaR>v䬫xY>L#Lf'x| yin{6͢'̢V8i!Y}f|Uff'fImQ# TH|MҋD x!ĻSd3J>2ɩnb>iPm1S$f؇f21yc\LdBDSS0z]9Sܤnl@utUH Km:RrY:%hR48^k/B=.! rwt=Vhky:#_KZ|0RL_d#ղ]vΛDzA-' 4H qp7yc|(ɕ:HЗ͎vŽ!߱M1=@r)DǠ|,ծE]$*UԱa4o%iTAPRO2Kd($ :X22̙z+;PHd v@K#z*2w)YviQE]jRw &m-!)T#,!m@EY+T`݀ya׃Un`< I6Ao>J\ 3[Vu  .rDGߪwbG鏒&x& ]4w10S/fT8ky|4f1qh!AJ<ʮNpʛy`^.S z&be[Ѣ9Yu dc+]~f"i)h^+[sv>nIo"t:K8mOe}7ӈIdSrȵTDF7>lfW;T"n= yj:lP[x tN/d~Dnޟ&#rLJfi`fBR'/a2< qݧ }\9&tYdqP' gKZTb> (Nؖ3^!S գGy\7 ܦSQ*TPYx|ռL7-[@ Gq㮃V(E`&z~F`~s\:8!I5LDuq2i2s`వ9hI%ɷEgVrKӶA#:1]9ばBvTollO#N HҐnRvj.X?-a/킮ia4Q5 G:8v4 ٕ\Me|&aZ4ٗ;})=tQv۴cZkLzGsHHaI]0Ҹw6݂g>rU*]MEu&k0)7zx#TBD%`!{B35k>h:Y/(sy@^3х,"@A 1:KYDU|8 >rm2u!CS#nS:DJPô҅Ac#W(7 h` ԩfB<j >FHL$+oT 26~6R0O8ү\fV,Ӱ (4WXؖ8&֌)w{G߯뉲bl&h:&q>U@t0vʎp1eS34Dj+Ö}3qImKY)ј1dLςRQi ?X.J( e?jo |j Y/QT1WX@g2%G٫!r||>̄EF%G~p8 OG#8F*o`6ƹ*n` >P<*綶 QYQ˩kG)~ ; +a)ߊComFp~\+Tq:8ܔt5OهO~* 2sb|,e&I*rSaɃ$(Ÿѩ`uM8!t4r۱)]zfxCX&40D<)7{QAF(~ >qR3X]6>.r,7Lct ucGPb],#6A\v2[[>-&p}zu}VcQТSEO~6%-[\EÇAQ CǞKGŹĄޯhЊQ+VyJۯw-XjGʌ6VYa0R%bcQKL" g0o{AMmDXFH]G5їlHJEhB E`'-2$UaZ*mxs[ t̙p Ub,kvؠboHX|` 8+ueQ4jGo*u`4>az`F=\)c"S5uzxEL0H@ic*M O4#H@Q`#YE-2Q*ha$ D[t\a;Ý0oO_~dᔱWvmRun{nmk.8^XxkXV/"F%>H,stdu9'xr{~D$*% 83(!c¹YjufL Rƀ8tNƪ~L Fajy ZGڊDGs6B<nPE(r:ZnWa7WR=pHkd/8o).>uG_jG7znWyn"F^8e(BF5!D8Ч-螯XQ} aZ.nbL @ >I $Le7z?@NR)Gdy oA1"[N=l/KJ?Q4pRoת*1tIw^Ҽ6/c?+͛|Y祩Jsץ}cbOPbZd?x`ٔ["T([Q|zQv]I&.s*xI#|S?3>`rK> stream x\Ys~g#-KvH\%ۊ9,1/>ʡETdtAR"[[~0 6F_t]\{F U_o[y߉j-֯z6wŠ9&XY&p✐vZ0+uxƦTs.2F =x.y4PCQn+>ɳyH6vNbݠ$Ofj\^Hlz \ He|0ä*$ET Ʃ)Y^se#i26$=8igbne%{15x5͜=jkjp|#QoMxo)^Pr&@ʤwO³yP4l~%&J#I |09[rr&ukaYqIwx"];taq sZ(SLa(7g#PM6AYajPj[PJK? -No/}`45)q˙"eio(ۖjpr}hPy(;X4$}'$'IBk /tTwFE%p__P1¬&Mb(z1q NsxCZ?CD3$6XL 1JpKά?y(P<|<$4=nEIMT/hC0զ)DӟAbxtxjPퟤAb y$QS=D +<J%AnLuc't#r3H])"V@); &:X#P9KzDf6=\?ERa%8m7~ 2*BiK}l~.AQzp2?X1x#(3 C74"<<\px?gy5y&[È`#E6BI?"fDWF'||CDl=Ak."i@y0Xlj%ϲ:1/sTD:Κxyiar# rX ?XSϖ6ffz1*]Y,XFbT7h1?2Ǔx_6; ɋirr89*-=) n`Gcx@ A*\63_Eݣ1p_yn5d4M&yj,UK8d=C->޻y8y!pbyLae&<=@2oùݘC1͏[" &+ÕL+t-c"ѱ6lI.;XyŽ88*^) Ij4WtP{O LE11 <Q܇2!z(#^8E/0m_2:]MK:SS7i,nR<)ZȜFzDlЌ2+2| fXo瘒FD0 ¿&X̒¬9^i 29S1nCuzPsc*zhw-1cj[gSŖn&0w /KNDUx6]^[_ۖvX!eH&A3Wd-&#QZRl4/i4 hx/sg|;bbvY;1m#gn&CRثr6 g obum ~4L'0\ ;1S방]\rN>U?*&d7Hf>/"gPe**AS;φ4|O X8^\΂ U~ق:7l3 ]+wxP0ŵ=~o<ߌY̬<$4=W-boY tҮSOvHUm`{Y1a*Bt% `I$À)^Vp*/r(>yoU?/#~}žj;.0\ ,I'_JӢU.s>S }k_ے\FIy?ۇA]VSN8Ϧneܬvx?*X`Q'W*Lf8J375nீ 5U5[Kx+3R?4*-(l)&Zcŝ1jH*&],/_aV5VKo5TW}ce͹* ӕԜ4Zl@K>*t3|n2Mn|0:=KK /\Om-Ჷ5c` eVOS4ܩUz!Ht~#*^mzD4zqS0G1&HN{;u\Ln7gcukquz~nC^]ۮmu{z0W&Mi$V6qW2Q3m!u>4cw(aZY5@a\Yz -2bvNҩg ;$FQRW2L^Zy%+B=]?)b!Iei{^ZAqc(%BubG`jggeH?Y&*EG!{NxXHYM(ׄ vlZAj(i喱A9?`JkyGA"Il?GMN4c^-Cќ $VI[#lٿxV1[8;fc0b-BetˆAW =nYi^iZf-]nAl訦[,(͜D۠Ӯd"_ (̝9!b^y28cہ-:ERv ?sm18:vg.Skݮav 1<$*w0׿Ʃ0m;0ߍLJBȗ{endstream endobj 92 0 obj 3943 endobj 96 0 obj <> stream xks\ߺ˰NgxR~ 04;S CB}ϑtk;)x`h~]b_1o[t??>:g<_>>+VӃo`S͖ B(>L3|_X[͵^?±~JڐyUJƯYe㰹ZzC68*0'P$}HhVZxnOYd9ݒ8a}H"%OڊFT)+%ՎR;>2Wn\[K6\ \ȻBJnj+2|j7Cǝ\Y)<;Fȕqr&Ow>k\¸3h5uz^ (l_f%> 4d ӰEIȲ~SS[@*s'SX"/ :8ҊI81}+*%ZpK- .RUHU5^V=<|Qs߬ڊ;prՌ~]u%2^IJ15x5\AK9@_WK-~ 6Ʊ4BOO bE'䃹`%.fVBGPs(𸉻EI8w:p@AWW˹7)E2kp5[  jidIql'~±hNMtښAY6[R!W J3bnx+M:MW`Rqf)o--Q}Z-G- "[D`3Fxu%X`F[DfIF! 2`JB8ahyu4@D#mlm)v7QlT5w<@yťcO`z]ZGRj1a?l8p=䈁 l6bqQuWA2 wU3ݫvT+'?+R+c2cASnDF_̰p$LH2OVPOU~q&M;13l&kXe!l7Fɕ*zxK+?k/twmGE9~"3pE 4#d,JS! k,N14Q c1yN^f|80u<yc~w<467ڬEE&bbALj3UTOڒKm3 DPeՈ{R*rn9uA#q*ടOf"LP*.R} iR5dLTAvd֮2UUCviOmr8ڂu~WJ\TOn ;_hYg -e^ j;F$5dQaq]| ;1jw&^򉛌o0fy础&UH:贈ZF%62nnbJzeďR&*h>TͱmWv࣓3טQgqhUepz. t[@qëNdڦ:rC9 A(sRca-9|ꕀQTѫ\hx#ty8N*necc;kukh7ؚ>rJWeN۹aPG>Gk.QRgOd61ac ԫ쇸7v5uE`ЪGRvREևl\X?k[_L2tY*U*ubN\Y"OL`pE+;"-`G=ה\ZE<`ZgIM)M*Ec5#}^Wڧ" 9(*>f/¦R (>&bXR(o]ßQc'0g21_6 l=UvVNUxxbJ3+<\k1 *\ ;"+E}>ݚIo~j0[.j'hK .5 i3ޖUz)vE~J;M ;dokh..$tkhLF]54Ʊ_[dw20\z~iL {W~@l4sl`-~$bqz2Rcׁs{a,0:^G#3K;A5^~n/ s-;nE)F14oid%O7Mrj•> stream x][s\~G]c/quهuR,ʢm_ӍA83CR)YrA|h}&a_7'l'NJ=1.ק;dKNY&~&W^KN&g5Su!1'cr%8,'`KNh"m7;'Ǖ?t2nZlkKM +2\:dgekB//p>yÙ$76o{E8aץ4/NwZs)4uinolZVu~W/)e м-'s3r©Jz@D2#-rW®&!=3y K+ B0*$ÃhldjG׈}t~G ŸH&$~cYУ by~r6TtUt$&&>M(fzCiNV܇&a'Yhj=Ώy8I+=y]>]Bx7:7:u4>] ws)ښ} Uxc'o4L|e*HGGN2; ĊTױ'TQ AcΚF1;-2[ɐLX'?2܃f08m#Oi6`X>Z5LʺY|JH C~{<.gǬn/ձ.%ЬBSv{w)=J ۻ3fGr{ڽ6nx&=ww{0,q{?'Kӕ\p{yoK2&%A];ȕIrvDbhVAPcHsv h 7k)=%=@Z dw2& Nd/f6Muoa468= tRX 'q+VA#odJE*HU=(pPQ=eÛ(NCP[D =f?^+L#Մ=L͖&0 f;~a_Jߝ{9_qt9O ]BV6g y4E% Bf]6"!1-fȡ+=?'gj ;l <ŹB&e<Lyⅺ8!98MΞ*+)f)O#BVT:GILf:ȖeH[Aw[JMS*NӌD Fo8Eq,-D;H57yhiSV"(H]nP M P-vx^Z\1]"nQzt*O^ :ݜ( (vR;&gs+W$'(i+1w? IW<"A72HTH 0ԍ Ty';S-r*bKʅxm!Vsw#?%T̛;xb{2VeOnPWHRL쌔HT:ds hmLy "(b%J$c&~J#s1Q0[K%oZG-&g'|n;nͰTW40z(E G8;crt3O$Eyx~fkta1ͻR9Zd0IA sP0 ~ xZ٬]n.Q7BZ*)A149ɑ8-H k_23HoGvFfwgPr:D <Cs+Na/8hC̉ҟUftF6k`~˘hf9vaTXcָ6E븨5)Xto b|Ȧ:4E !t 90⌜BYn8MMmFWsY+mEqW rׄMp eYi/o#t+kl .JU#/vtf{I6^Fd"uaҵ x:f 3U?%b^Aѳ*(ؿ0m|%Or_ } V-fCQ$$?S?iulpFtfőhG˪83)`}= ՒRU0m,mˌ*ey2^z#' f+ 7=UZ7zW,r` ǃZ:8l.Ev1ԜJs㍿'o`uW<))@' +,eoI?VgYn(GA[OAlnxejl?ƎO}&A2]9 CrwwƷ u2R4ozz8<cW[ *''JU`ˆqlZ?0D A5~`j q禎!5*TN`hy2f+{ g]'m/E:%(u{gJdJj"3H|G}ox/!d 7RS1 <赜hlAHK `y@x$R6e"C>]+:za$h ҥq_ C5++$F|-3 7͈7̑eH)a1e5iy9ʎ?Ո|ՄHLpfmeMDF_!W2@s ol/X[|/I?+Ta3ܼD+[d%o-쯽Dž9*%|2Nb&-2&'b]glpQ{'`s=SRn[;8BUG0I6qZS[ooVګ-b4Gn~!O$Y4} -P /!19H»hǫ$UUk2" YF6/21 gi`aX^in[j "Zw|oJ :JTx`|-9d֤gFg8Kf<_0Vb+~'_1pfgq~xv/?I=w{)l,{Y.͋4 Ycɀ¼4Ywa JӵZiiyw?;%Kd_2Hӯ H k.$N7Xr1i!z +ѽ7qBSKsXPݹQޓ,˼x8|`3~5*)A] N-Z>-bvб"|NS]_ñYThom6Rj}d@HVx#UN-YE:x*15@8䰜*Db\R[r:MNc'Pz'oq wD`!ө}Dnj T/R%jbus/$"Ay|[|IR Xv }SqZm'HC_&VSciLїKh]#zY5 s`rU#|dEܛr[E^ܬ(bتЀutѝ{ܸ""۸|gL2cFn $YŅrmH#;Ms#=|{\so6+T/L GI&@Mi^Ҕ],\Pq?1;! жUJEGzJbzٝaW@s$t/)t^P0.jjiSq/Pޭ紂+Q!3#IQ7!Ϻc r~[wO)FhӠ.blm[I`ړ5_:ɍCNʞ UbL7QnfNӧTIuϵJλ{i>%1/ߖC6,sjޗ8tGym~K^מfP+?4?-/ORW6K)(A; "c)jЫѫ}R ^ʧv X| 1 ᘁQX`>~y ޿Έe2Bs/8Os];>Z= z$"6z| GR O llR_mĬu9C9 v>v5 >Ur#oڢ =QĿA'?!(KG+"㢈򉮋Fȝž&)YcZoxL 8>6`qW͂*<;e7/G[`(3X8kom<- endstream endobj 102 0 obj 5190 endobj 106 0 obj <> stream x\[o ~?ط zsEqAXz$KAeɉ;չȁ,=:?7ҟo_zA Ii>?s5q1V7W%SӞ/Wp.St\(־EO+RQVJE(F?r%"ڵ/=Yi(/~:N >H5ʒ9F|ï3.҉gگ\ PJ:b+ߗoo twz0aMg #hBH\7T8rtH:U&r":s3yI2ɫ5N2˪:7=wge)Xٷ%Q-B+TYnJ,Ĝ!& 9̳ŷ1ͯ~\kqi7`8E9&%*R!JcD1W40jasppA]wcEr@ɚqK0@Gˡ@LA387,EtcP &fQ"=%Jy0%1*'Fٮ(<tЏ 0&XX([2͊sX >u!]:Ծt6 XhhgQC\.YALn R؊@: ! NB}ffɩ ceN*pMQh&nFn^ki.jє@Umw>k;&l,d}yuMRˤna\‰l%ژV 5*pG gô˞0|KQ\p6 ΂sHĮ_8h 5651Jg.u.2{j7<9AS e<>OO:e45xyZ:wt쐧Jl{ɠ+2{MNQXZdTzM:k/ û8QGKε-WJ"k Ƶ 蹌k\yj7t-u"㓮?E@MAwہJ@JCO'!J/2"3,HêjjgN P ؗOQ07cR\|Cظ9N;T9Z:h!vm-0Z1?ʝk]sۥ-i':ZWS/apZVAz/t]>N%2(4;8Uʻju*.p9Yy4> "X |vvs*5G0*nFaK=f!}<^@ĸpAe@&gc>gHIE.c>1R 8zAujw*T%-hkJ vys-T|SLD!`zvP@Oz} "XツKv>I#A\6mO_\rl?a^|,%%d7q|jiNUyէ|Gm!]D2AǦͽq+ O|K*svX֦݆`ݟ ևt7F>xmA7˘.V9KyX1mׄ[߫K߫ˢѫa?[e|êpOrҿ2յ3yLUzR]ByO3)[gy~JUeߊAF7Qq9U:m/Jz5#M!ށ~$zS?ky~*z6W^薧,,xY첁ht֒ ظ/3. EL>$Rცמ!@4NeiD,.oR?X 8P~aH3H=g>DGe^֕ {݈@XXU+Gi])Tdz03L3O3Eڭ?Ek/q AٮKbUIUt>"¨8`RM] `i$Pd,0R-@zfK 6]5XC7>qp,Jg6Ox ;^ c^wg=w^#:BG0{=Q}=nn뉙.o3]g.NS7ӵNLWӃBK3];X/tֻ3]fjLHKzqF@@Nfz:6A;^)CaK=Ć=5+MQ-fkwffOh{;5?|lSй"8O͂x73+'t-4endstream endobj 107 0 obj 2877 endobj 111 0 obj <> stream x\[\~GL%3TF~IR KwbknGs3 3ŃUj}}U~-/bˋw 2<8"~ɖ.ĪɳŗaQ.95Υcju d*# ?VF1V~Z_oP2?7R*sOuVʫťSEeMFDrxxK&_Zb#@,=ƨb_+R!9!A@Jo⫗H]Y8WV&T ɻ;NMֺ toi7+B,Pu0%R|VEE%@c`c Q?2hiK \kИ?CpNav+pd ,9j@}’cD1W4 ޭWiA]$\rK8 [p:1tjLdmrĻL/R[|ؠBI:wPcd];v G}vLiz*s:.d"6dDę7n5L;J.,9K@C b s(ee0]ym .SޠY*hec2>4AzTOOgM. -i`7 wL`/9 >svAvE,족HReo^z‘M;xYju ۺ$2 #x)KW(ŵz{e> rzaUOxPq%Y+WjPQpG>՗g~!dB Z=3#[y4;O@aISE8H8͝0à0lj-G+2X%Q^߆uTt3 )dQ+OLo`/m'@fʀR#kUHgg,_:my;ѣ}8y&\NRV%+e O;V"&yvURn X \Ԑv`L<ْ/=XbΉp,!^ƸP2f)3Zt=m̫D"_']2gJegdfv^ D01ۮЄ 0zw>IHRI~mu3GMFwD)$U•sDE1V6Șo_HZ=1=xwБ;sEk當_U)^k{H꿍Z ioDex^/ëp[exڌHs_f {",˘e;TuʁA3'8Ы**CRl/Cυ8rPW!+C,>n29՗[Ⴁ0-ӻ?,TeQ>(CIs㹖ۃ٫9eGol;M>Pvq ;ȥA֑r@ӄZ+ U~1+Dg_N1H dܻ+Ѹ6?޽ߖ&a964;xi_c;+x}/9 >svAvE,족Hm/KyDX}l=6dM&YeMѫʐ!o=6dMT;6ɾMVÚd9. i$SeIi/ i$xH`OupU2B:?dSWrP7@]4_HǺNսj k# ^*I;Λq7p(|t5*.eG33f?]&1x븈Ѷ'UB #dvȷ(KhT5 (Ӯdx 5DR3̗~Q7!c+jg%))ҽtL%9UH?h'T)g~o336!1D8gma}pox!Κ8'tULz&,qi{w{_|'r r#ף[㟵 "J#"_a P&r0!LH? 5k3|Eal wQDY;t d$[d.֎;|$Q5JjSѳIW^,!KxT=d2$g6Q=(| 4^G{eq=Xf`Vth:8H,jh@]itWѼ? =D6SYI1VAOlH1T"zRrQͦ#t S9>a T.1\3uۥb]Νk0V]G|?0% endstream endobj 112 0 obj 3954 endobj 116 0 obj <> stream xr񝕏7/SZrw8-GٴHH,O7040ryȒew73o޻__'/WӏW3, V?/*y:x}*n}LJY4A*#O3˜13ުRq!ז|FklXkeF g3rdo{Z NI1|KMX7:0/O[ AY<N*‡쬗ޒA|jͅjqK#o`2zRSzlcV E`.B slF1 irC˔[#yEilLE'd|r96]D4x(2T.++]N7ά!/%Nf蔋F=#xX/4)$jt.JG4B  3\JU=lAZ#%i2&L ]Ʀ}}id19$`J9Fp]TR"6 k |o~"$VR zȋɠDЖ/7lM% Az [O,qW"yꑼׇR1r*}OqqeNDJ#8JTYjK;m#,F`IzB 9avOq_%Z#)RzdLK2}h^2rU$Ft$!R ^*@Yz7wq)CVq/lO=(k>;3,[A @6 !.ڨh0q=)"ˆ"n C1c v>`$Cj9b x%<|VeHd"Q=*CS G-%3g6P=\PM%2>|BYp ?+OAA.]`_u͝ƎcX QQoՑRhk-pRF0 _Jʞ˛*z VR c*|P)eF1܋J7{?,_eQpbY/dYDɢ{AطOE'4l0`/~Xb-d%v!?)ijׂa)i p򠼫;Y<|SS}GKSqlօjTX^p[墏>:sRT&;^{enK+B;/Ea=)ßOaAkyJYwQ^W..bn>7%zfRnSHYt*TEtj ,}>ҒY&Wa(Ã.]`_u_ RsiGδ)xe@׹Ӿ$wDT%kDn[.cyJd8-qǂ;bOjLBoEe,u!L\'snML' l wfިRr{/.U*yyAٮYGj(5?_KayR?&;qg D)o U'3X9|PCd%fZ bl ϣAO0>d@Խt\Y_YE4t^7yU?k\o"+r-_k uDţԍڂBfz>I_gUa a'V*<{[!%_Kts2"9W/ƛw^7E3ю,@u!눋 =K@R-fX6Dyg!+&ܽ`êqChmD)ŮJVUMz<ʰ.iW}!=zi˙Z$4  YH%wJ]bGt7% (%qz25*wvD|'=JKQT'JK0P`T+QCVf\˽A='6 ^jm92voUvVԻƴd7Lf,[^X]*jm/tP|L^enf_ͶY 0Rl=UfM)Vu[Ejw9y~b84 "2%o|Efy u=IV$p5+Gf$o6' &*WjTy̮/\4I4.s k/ ЬK7dvo*T/ v;&Lj]& ux%^ l6!mBhzZ8b3Wy.Z@ir|Aa˝vђ[tŽwE g>`lJ0klr nIQ uAld,ļy42-T#pw&վzgZbć5)PI_N/R~^Yc#5'Wto55r[ڀJCk6jœ 3h߯Sս3})#тrZ$R0bpnvӊsWV*ú-Q3/zS'>&/LiNvesjHrnjNM(iNz"% b%'1asr.ykŏ;4LEiɑ'oy::5]mmiݷ5~w{}T;S޶:}ZOw~)>jz:;FZ,@c#O{OG}|j7?Rn> |y|-vW7ķ|w&p|]1@6> stream x\[T~򏘷uy_RTذy1v®ʰ`/6$>:GRKGYFV_nuÚ|ӗ[l'V"@XF|XpR{.̆N7p2Ď:v:GQү!]LYȝҌ?#+O#*yNK7pB4->aN50h$ GdFb)he𐯦ކ1%xBVY 3 So?9ȢH.<- )7eGf3vrL`SɑC(48҂]nQzr `D3'0:zU> =ƃ8R0}(cĆ3di&E&7發ɇϖ Rv.[1KHPl2QP MWwYyX /['7#D(lGIN>68Z1 B .C1i6\d6 f`J3Lq2%dES=*e.}^YzVª,-ZDq͐\Y>YCTE eьsq\JAl&+H? ܙ@hOZUW*1BѮ5jp_,/<Eha!xS9< ȖS7L@pOOdERph vk%rӝy,bDeT2?ȵ/' %)%j|8KjbOwrV>h{Qhbjp==t-{>Uzm)O XnX^t^U&wfHʍ91jZ 翅̪g,n ^̜Fә> 2^&?Ll؜as[u^c5nR^@w)gkw>/a{F;|aZ]ҴhL~Ԟa/D4eu}upfr7cqԶ,(SN< /ސ?0Il?pz0pTù05צ'4#{B,Rf~*v Z-7s4E1a=Pz]a籞~[!eh Oţ9-=ڵk2ѤGJ; ○{4a4B]==Z+. 0v\vgAн,,,,t$4}: HeMgMgMg,o: n: ,h@,x~)cWVPr,sJ5!0uч{gO\.SѼ' .{/7=mэ0U_AhA,BԜУech^9GU8~uc'~9x02]=,)휙H`+qxyYxQ; Qjɴ&_iv $$A=[.,Zp2@펽ȃMOYEtL:M\/09^.'MCg7Y]D3&U cT0ri D4OE=SŀpY SUdnqiiުe`2KB5߰qۤ90ĸn2 /g{mQ60e+r~\WC%s pUM`Gtbxk`bfr7r}4ќ1&#q|37`E",OWjT;HG )/kFoҳ{1ԋ5߆zRZ:lbJ.J3$뜮ͅ):ƾgHL[DVSSR3^YBa}DDcU=`? 8jqs 'Dg;4Q/:l ځϤ$oqUf)tͱQX0EJT՜gd2\y|ΠUG*$iQh׎"yΆn<#VCDD&2{)t8ݹ{)o>_/>6Cם1 0 \n wB;Z]Pqۯ<i-Km+[=+:/[̦S75[^2Iz+Y,c kҗ ft︽DHH)+^R nwendstream endobj 122 0 obj 3863 endobj 126 0 obj <> stream x\[s\5~w폘7AVIva%@;EllBvvKH-iflEiVw~Z/7t'vq|;?秋aǙ3?_g bt] *`vybsxÝ$ܔ7v@E8{EЃւWyxB<4yzŗ_[baAEix*DFh?}7,|B gfZ~RBld7jT4]8rre!zI${>$;I;] `GraÅ dP.Na4rgk\K&G3P}|b֛@U*yo.N(/F /\@'3z"ss``L2 X^B7YwuAL##fe%E6-V\p̽} &vd!;^lZzc2N$ma s͝AQ_wQ܄$",3>|56)L bP^fCHrE.\xn[ "iPP9(u$GG<$4L2]/RvgBQaPh4A2+e(ifd,`)Y>/<"?C&Y~AsErz1pQˏK(yCdH1.izM :1{?cZL@'$*SQd褓c5$91h(B%E+[A@Tx$y*0$<~apruq5y֚;gPbV%XZ eǟT>$` V`d6/KX/YٕBe(- eྔ-tcV*>%NRoH/`g.&:uMXx=ɸOr0i$Kc䗵@Np!\h/Qh@rfp|F2*Y:?}4m*_UhK@p:DH99$mkL4")gL%x YR9#P!@]'l-$K+AYPDʄlO<|`+Ua*)ȁznWApߍX(=YcV0ݲBRh_ -$pwOKv3F Z |'7$S h3;HX0*;7V?|aԖRm;pB>$G|dp~9B#S|Z7^t"ؿG,!X@esGyx'yx 0tXQ\aDxnP: 0rAwGحL~x"^芇xߖCsƕpW ޳ XMmttki ;(qU3˼Ø1zU&(w!~^n^t?Fmxnz[ZXpI$=kW`{A)A:M6ѤʘF{!Mp;*&l)I0m'y(aGm~^ӚX۠u+)4j?^yiDyo-#Y@yP"(x K9`QlZ0q~~UZ+<62{hBɀ,?#Khd0yr6xS&V͕ɀE50j *dU!٧x/9;eQ2}ـ>bBtK\ Or#M_bp&MUWT$a3BNٞ61h}A#ͯ¦:?%fu4gk5a!v֜LfUO ~nV6f_^XBgiU9BI8t:\H(e@U~4UmKܖie,+j6Xkg+-άPO_Ů_b moZiGL pstY64;YX5{]h޺`OD 5 .|0Wa윰O ooo>)dWGx"t-]!i2*Ul-1ZmTLq#@ zPZ$3Sڝh1xeJn˺iZƙx: &%%Owm%OGN{:*E}宺a(!×QaGM6&w%pӨ_]3)aIjCyqqqqQzH.gxꁳZ7i@r7kg&[=p\/0!)NyG{6<_lHիuˆ YMqŖpN{W->LLcCǷұE\ܾHNl^6ulaIbXl@7 . qJPFy 5a<&&Dy&%FcCG@i=@/06C\a (h|>BpLz_AnWw\#ΚО̙ ZsAE"&H'ˆ %5#]!f1`t1(24`fШ*=-CrY޻5JAio,~#>niBDuJf?eW8M˞˸5e&֮ѾVmf4\D(1| cQ_Aj~ BLuwu?3ɕVLav%.m$a/HcRDoW 0\xpyg5[q́E/c(0j\]m<</ڠj}5<;ĵp9| ·vuz|}#clXsY%{Qy +*Soވq#?/4;~no*SAp~5mt; ]~\!tz!>"=yT -t1 |Sendstream endobj 127 0 obj 4100 endobj 131 0 obj <> stream x]s\Ï7 {Gә@)I i&538v~}ϑtt:!!+o`_0?yqvq~sE#gѷKla^8x&J08\A^C7S^H͗/I-\+)XWJ띲L~&W^KQOg5Se1Ozv L6qJZ@^W.~p2nC'XkKVpp +\>ϓ\4O!G_ |Z3[I8)o츍aᜇ^<=\i9&7os"7c+TYTAΌ[2S\^l~RV)9c4Ln`sr\z_)gX/x2FW+k?wv kO+\8\qW 8d*"^~P *XwY[w~4N>Rl`G񔀭 qAؑ/uONB/^/VEhX>#CĶ1 AC|i@N++i9J +*fiaڥְQXTՈ|/)d7YlTryWSZ{)h0kffAX 3( |Ƶ 5] _=@D4 ؠҶ.[,vIG!K¡\$і^"f>$vᕛ,:)zZx7׶;k&dDlr׶Yj M=k[Bfvwږ﷤mM:QHސEiPvM;Lй0 ٖJT0Y2$T?ˊEhԎ :L`І^(;߀3_8d`^-80 YF:G\!ޕt, +en)T_LS\!ȩF7W_ *˟܄Cɑ)Zj`)0qg\X^Tfl<ɴܶX CeV@)΁ 9#\UDc /--UR|痯AyL.^FB;fpA(Mt9C+6tmN!̘S"°وPTtfen>ͣ|c*7sQnp>γ2ٿZN->ܯ*q E[*r@ֿH 3+ᰶH|B}AFRBw2V,-Dk^y+3oG]\WEuoi@S~,O9a5'qg^z]mjRr uFGruO`4xB|$09R}+)&4!b`|90[zBX$ϳ,ܼ͛xq=;/j-Ǩxb`Ie|4% 3U|! AbtvB#yi*-v@E"=FPUR ~RO*K2W f |H-uD*ه[4XZK|+"DX |ʥ HU<8ҽ[bUJ0A?F1"寒*%NXrO%ua5̰}[>qC6as*McQi"0 N Vhִ1$HqP[e3 n04i MZmYSWesGorUn4CCOwXEJqNkHx^^ ˸ϔsscNl19g,Rq @UdWS#J*Oh\s:Jn0*"/F/.//0]R0U0VhLUt9d+bqwq@)X\0zoa!= &Q5!EKIC {ֵڮ9O T*Wy#mb qi<,5!&&G4ug xoM@Ov:k\$鄎]=kNFͱ*wv/}0JNNajez. ח %!x=(1=JX; `#Kn(#7t@. `]MJ bRc0P&!$)Z~۱vx]{8[HT!ЕC8S%Pi4ԝ+B)[@rϧΫVmkos'ȜZ+ -rY4s5jbZߙ{Vcvf(?H%acu=mNv rku®M tSBxq&v'7zd>o֎zK..#`_$hj>QHNBsVb4lIcK1w韽+1BgΣa]9` 3\7i.yNlbK|ȸ 7pƋ`9߇{4ۦ<`KV[cla/׳0X邏np`ם3!j䏟L <:Q_ʿE^Kl'heF6 >GMC2I*̌ħSV;do8 u~mΥ}/r<S)*Kῧ+;P%SZ2eZ~MRe6e4iOo z#Z!t߁pFОph6VҞKNv"n/triON$'"}ۓSS:=k^lMkVT&Snpu@cVo;o./.uYYװU(>_y@SlFr9wBmķum\zJKm\aԸ;Ki]]7̈́4-eO(תYUzQ׾g D՝Kb3(`I)ECiRu-|ikm>U/ !/0-ԳC3` a3V8XJWk+~85Eq1|XܛkX)<L)+"}6 cXv,WHukY T|ϐ[4븺QLyw:Dц ^]0lwGdӽ-C*^ن,J ^{ f(. -J1z1 :"o߂B \ԡi r|JRHǢ5/2oWEhs)bܢ5C!$0`90[ft&~ߐ_El0pj2|~KဃMMdv|.a2?Y`ԳΔlE?$N0[)tQdJHRM7~ -T'k&3HHuY@]PQ$X9JFa/"ئUEЖ{û$mm;{3{%=ɽ,7&)i R]5/`IlrQʭU8%ufoT5Y<=÷[#ey=`ڲ% vWATendstream endobj 132 0 obj 4694 endobj 138 0 obj <> stream x=rGr~/8ٮj6m!EPE")J;3;ȞtAFuYy_tTW~.^x2]~E({0@cxHEO9&VOt&/d6Nޱ N9wx}pћ+cqR٫}:|OSaՋ69 c n9ji8k8b{oۯⅲGcF0]o^t<Ʉ[}y>FkXEaC!ZBٯkG b:?/ެ?_h?s A ݘ|-\???y7!lJϰQP^/C[p]bӼc?G'ͪEn.)a Gc6-C=j<|țK y+H,@oف&3.U:WyJO~=g\/ -1 12Fd`XTSw𢾘e7x*:<1c, &d &Woi6f>=bp8 ǴyQUE+hRFF1_goix]M ,2.ZQYWO[!hnett9ͫ<7ς),5wlޟz9#6msBW%Ø=) q *Bv~TNumL:F69ebLRחYfJ7 T7l'n0HM@H?IiQyǂ .oq4uhrX:7-DZ|hׁU 0|$g&3 +&`!elU).EW˩=h6%MtG6l'8]8/hBd6^W9@;p M$ʞnE\MpH<җ[NLX4fu1Cw@Pl5*v?fq[q@o'҃g}Q"~^jSuپR74tU P`ezlLA eByIŧ5Z$aFө[䴺X:\jdtw F}*c wzx[ly2jW Zt*E6"r+lKC";g  /Q}QV?DX{!qnymT(WXMnIS3Q,>,u{TNcHTcQ [6ViNYp|Hnp^dC|WXNJ|-2E0 Bډp`|h6 1mV"oQk(`jl@QW A6/HɡFe(~&ވΎVzYk:9{yj+|%ͳfcUz\li %wŝ mo580RDfú?P2)ƙZ=)\Zub(km)D]{KW5T'n/cK*!Jaeb_G6NO5͸rdnt:.y[uX]Ѩ(MU=C}BH1iV"}%:W1&yw{FS9%F >6[$gW3p ;\xr⽽Y8hO#`!fhsh i;G A.vǼ| MFS-- jO;86n3cRrEE9VdܴWR'e i#vaԹ-WnUiqbTV8-cٮ q?=y';\p:u-I EPCZ sAFHOo̙eRنOu pЩ߷C~SJ 7YPOPUS%i-ZU9&t /ZX=fQ2ObBǍlZ C炪>NO~U䤝/q\ڙGQRqe*ܝ ƫÍ 5ԢP'_JTzۜO&N𗰝9aI^.!m0~"l8F81"H\Yh\oA-τIܵ8PJeT{1R{Pyrn܃ sRRL^U i1kVl,.;9]s0 b/yB9P9%ع #p+ ?Ȉ`!WS7a0Us~`Lf`wAą1jOi jF4NޔfI[=8߮ЂN.'{3#WI48ac y,l} un}I"|nWt'wh{u,T0uM l,:&SY[{7S5P^iT:gvYJ42 !YRUJRX}ȼ>dH> ^Z&_8YVJ$ɧ/$uF.br`> eyx'SGfJGEE3qlTn%kuGn<*. 5Rf']br6r)]I \K`W6AE6Qm|)ZE +s,b|>!?cjTVy!8ϓªu}7vDDJ]ޒ!Hﶅˀ&>%5cxT+2bRsϷ9 .jW##LnN 0tv]sXGhzJ̗Tk* z91a$OF <~[Qj>Zg;8:ս,ՄJ5Z?M#e)@/V0һzhG@q5(wmCs!TQ,:lp d179y!/Z2ҍa,4 `]il30j϶:Ry)βz&i2u~O\#?G/l8s4!y7+&Z*rtı9!jw7}aJPrYu-lu%H&vMj\ہS&i¾ R!tҸU+J^TP!Ȫ>Dy"c !HXԖ%lxJELlzD@Y i%;5*%yrj+O{lŖ~WyaGZ!}ݔ Yx0?ľM*Ma$ދ/VDɋy/fmPH=8淑a>FD3(D.fb BI˙׉mА Bkz|+Ǥ2~+K+OEZq՝3zM%hmԥuG[R$Еiη#ǒ!48ٚ9'*M7Ӡ hcS:˾g񲃿Nfv=dӛ܌>66gÞO"!lTTq;.{, 1EN9t[wJ\rrpm]jm1`x(EJCrt1+%V[) J%E蕎7ͳ2n_8B:ߠ ?X rQ ʸ 1>)5)(jBcr{V@^N* fekELx@f>(0e*ȝFzxotJzKs+@o $L4T˓  oѷR+l(fFVH, =<% D+1Ӿ:fǕ3u=XsHbT !\Lbʳ.TJh4Ѱ-a/ SI-0A0e 5a0 3سL%?Y#if3'e6a@*㰙B)w!9ʐgtX vNiĶ=|:+f:w }9PXfR"(RiCYoz^$:P˜+]+ ]̀foرYή; @oQxCXy%{.Zom1,Q:[$C%m fW$}mVXӹ"L1VT_Q糅:ohKfýƷ-76" :ac} 5d[M*ui-]ͯ&h* nsDovqnn9 tXv^4M(+oㆣM-BնWl YD {AK*V Ш;6 3_DۛM٪Tӵp; ZAvI_YK=PJbWd bȄy7-ȱqja)r+5חQւox h1 J9vwH ļt +#n┘߶m\q-Fr}>r2^nޔӽRz-7y14nð;N%tTvkeXqiSx%V#*WO*Ѹ^ϊCo䢳)T 1k;&eyV}g RX e=NiTG픀xin@faSSFB"~c6?91Xq׆F1;u-p>%||2g|/Îza`X1+ RphQ}'qmX21?VKmL!,Q5Uld eE;Vm; ~fF ǰ>[`Y$bSIgr*77fYlv/kng.ߊyo0^8;muX e@⍻P(bg(E ZiHiXh(ml@ߓkҔ`<[S5piB91$#r«ɣ!w9ܰcRęws)u,([ n ϣ FQ_I&%^{z'ȈZ7ބ8Or%}^fTa^%UeݰFsED?<Gn!endstream endobj 139 0 obj 7279 endobj 143 0 obj <> stream x]o.o |kEQI""PM׶ٵ,;_rӝ:0LP!9<]`_0{vqrq'EaǞ3?'³uszq+ *`vdfs|Ly!5_$Vs6V;#竵c\, yR3~y{SqcsV3U<&dO_(a:;><]r&8r= ]+9\|I\~U|X Nwܻ~sNԊ#TgNWkX]o>C#41F'յ9 jy _ҏņ dUOUn7:saVC*[xBze"-vL+ތR "6W_8X>h,KVrFVrBI4b`g$vslT (X ^ Ye”/{mSP~V+(G 0^ xB(R!c\sqy:A25.hae?{HV)4@*S0 p)T, 4Xo)cGB[pwp/{e)r2wjnpȋN |N }ÞELz58k)ٗQaq↸  3ńy3jd\rp qgE>O c6{44iH O@a&:ros+‚WSCPATBHg dh%#ԪT1bp *Wj01@hĄ7!»D-˃6#:XUVNM]CXI$ iP|e ~늟Xd1B*`*Is3Y{%zʁG3, <ĝ#釰š$nrӴujdaK=-?$Y2]/J>pH4l#cV R/u0 ; 8Bgz𺡓zݻDvbid`ɾ 8@&Q=F x0¨bh`ŏ=B R+')LiT1X h?LP7B?>09Q umjaQ\U5 $Q[6JB["e3+ux`g*+z豔iC0Ǎ&fRycf=0R5p{) E$+U-&T'_ y㓕WQ@JHN.EuŮ^3&G0%xXb׳̯Ju3?,YV_2cCVmzi"CABjK&U#lϚSND:|ۮQ5qqOzL7q/⌎Y1aI 2d`($67`6ާxaųl1 rr?X=ȶ5Pǡ7ӐLi>"I\#kZhF \!ɶn: U`_,'yO0Fm%dxs> Rj|LǮE&sS)i=goSo n^N;WEvr<^NוMqo[9͉!4vl+ _ $Р)`Evvh΍|8CCXF`y/"`٪.Evy%10\}s8i w~ynͿMU_jkhcjĘ~rda\"W= _ڵNMN^ވ+ ֤ߌMguJ5lq+=u<&lʖfxLUz;v|ۻO>ݗKZ$|wo7^Ug$j^@{ ,/*q7JYH=o/=2Wj$@u|Gsy51yձd܌K.7_&)c<ȽrFkDm@ɓ5C~xa (2 Yȇ'W #w.Mē=q_|%}s=xBJo;xvV xYK:K [Ua(ܥPҴ%/ J O*%ӝ{uW'>컑(i$d%Q3 =nGՉzSؚ}-(=;@*DrBjAԭe@J }+ϠJҬ 8TATC~Au3P2@u{ Z`T{P4@uJjPs վgP5:)&$PZ T #U Ts*T3NpJ.ZLAUP{vU}AucLM"H| RqoRR Ս15 a2HJe1afh΅&ahh5М0vqd[ 8zD[Hc@|#@d4?۸֓WJ>+E'.xK]NEuZugyReݓYI,n:t6T T6?ܶ~͎HeFsyn4r n6dM 7\:ML^_^+z|\ؽ#Бe{G#9CI߳#1I8̾lϾP}2ds$*ّ;8%۹#YssSa)_5F[ZЮ'w3oQq;ܔ>n}?_]L\{*"٤7SpxLeP> stream x]Yo~.A}}J 8S&؉j-?ž& +8t6J/?Fސ\f5|D:Dy?C+9}S?z\|_$EIwː^q:Żj W%y^dS*9dB|/rW®&!=3{, WL,10*$m2A4W6Ov $ Rs^}讫k-LL&uof6S?8KBL %Ҟ/ɫtM6R^ o2 3c,b,϶YFmq93 >⍶X/`o 9g-`BqX]]d_-6c[l7qZ|4ş-^<͚)6NOZq!6h4CfgCrC![;+`粳 ލPhd9h0۫VtUvE^5 8Iv)HwKg4 a%~2h}0aaܴJ*Ie@N8P{ YL$2ܹ%ϭMd_-T_TBXo-B-Tھ@#^ﰈm/TAL!̢ȡ8g(Q8K2s,YarGtP_Es+ϋLdUc3x]3Nz]Qgք.z2ιaJ6fG ! QV(`fL̐ D8>L^5 #*TE4u$^')?6=-(yc:ؤbڸCA84(O(R2kn,#N[z&8,=$aEbJP}YS@L y=,"u&O+Ŋ@Ӂ[tVVap .f geKjNvM0=qߠ,6:0!7']>+}0Jdx,طMy]vppՓachaV[ T(AyZ 9HeI*MfWtT_xߍ`M"1wǷ5b'ek9mpਬo|+Q-.Z= 9g!](dDcJ`{ '". @`G}, )ƌ Ϟ]"/ěv+f{I8V!#+@Vs;azo6ߏzY3ZSTBu3ft{:qDCG|]W41I 6lFYh`F}a(;G=]ѐ\р %_(@4'WFw* zY9BK-Lv8td 2} CC!D 0«&Y1X%Ok bt "n31 al>C xЄx p0œB!*&&< 7>@p.&LÕ?.쐘oN"+CwoyeaU'=O':t`՘\ Ѱ TA*Fn(8/MTM3׆jRA&E} @#5놗,λ :?QbU0 Itj>gI^+)8 գ7zV *.E6:J?k_Sq5BZ?`u0U5m)JtTdv7т4}vgam5L)@iVB+<7>HDW ky8R&Zկĸ3AaO|b/P|&#rqIaTaq6fis07b njta,֗ԅ/s-H{,3|7NyY'[3t )Yt|=B ދ$1Cm;s:\ ;c-H|JӮ],Gy`x)-lPm&fO8c|פ#}uM=M=%դW{hhBjp$b "HijyFW1Gk2t+i{ (]i&m֏hlvnvKMq更i?sBG)x4[]|ч`-6|H))F_.* Z5 ԜpL J[_umZ[3sh롓zH'yEro{WvghK |YԿèx 8bkL :xSr9U"e/ɟJXZGp{خnHc?t'tڵ[QgK$-ɿ?h4xr ߐsT> stream x\[s~W)9_TBlQ$ؒmlKƒM*=3;=3{,BSٹtu~b/t[vl}Wç'g7ʳurpzut *`v}gs Bj~Fc[[͵^Ƕ~ٗR!~_§)D0Zz@68*ϷStv|pdM<;rڗ^ ^W~p\8 DxM|wysqh:k,876g;nN|߬;F9Cw_K9(M~͕ 4wjޘ .`Zs9pLţ)JQ380';'c8)62l p*GniC̸$bxB(>$f3>EvUjJEfxqs8_K (s\.b@$׽\;G:\wrvn97}3~Gy9Asnmvi\`}l=᳦;muFQwݣi mhwsJ.cZ\&JQs\y/,v 蝾39wٕRdㆬxF8.'6EW\ .&}8lv ~V{0v.D67Gg< q'gHi0. <ȔX|0(;кm? vztsä* yջd16 C*6n PN8-@V ڀi'q(NO[(̚8ilSwrJmzMT,]j|ϫ3&y~'wRąTڎбO+.T`2XIB!ءoژXw (֛ݿm^Tf}pM`SynC7"s 7O׾G^qWSZ\pwWYkO wg*V_DiqIMs<7lFig;G$~g#٩j9ϧQ|F(]9A\;}j1v`|2TF'j㼲,d*h2&E]M"1GsTgh^mCv8l\YB'5,X4k*SXfTK3 L"{Aaa_!%dpzW{%do`I76TH?R֢ : N<,.&iyGȀ๼6t}IHǹy1%ѩCB 9$3cF ͑Q.E8=!JL_=ivtt*`kW/=^mj%Sx`OnwO]d2)\<_69 U207Ձ+ᥟaVynZz'#hFL18dIH?Yz .#>ĦJXB#yB0;^ *y p2?5b(@φx[0SnTb8+*PJp0 nAV@7ܠ+\\5xjF?&F% = w3*B7UqoVI>d.j'fdzڷ2xzf,i_23ɪ7WdhJQRSoxUDla0 H-$x [xPttGxy8{X[FG0*{pV,8?51A8u*<#ڍEů(GnXa bK"eK-k^f஍ iWzr{񈡦tMݠ$4a$,]f9C,:A7<?/no nKH5%*mfVu8E1(QƨRRWDJ[sBTҁ:US 4`$.[`ʁw& cۧl!D#Y27ԵLvNL ]*+H\%,? ipd0Z .{b|aA C(c[M5qNBW8/D '?)(]-uiUu)_DCTZXdqh9X1/-縴ňQYhÃ'<$!Ahά t`L7]өa36bfaM 4EKj͏Q[.os<. YE< 926`+eMz-5pI֯Lr)I'*"5jIPI؄UTWpj r҆ɫ-tAԣpj87€ P.DB5J[Fua cfRux8g5Orș\>2Ң Z =%Y5wdḘ8 !jK #DM9s%|V5< Lom @b _m$,M+!VͻF&p: Wh$:z~_eq9@ssE٬"7791Fq~{x'=/"!bhi@WYfY#\8o$&zu]?/O}i23#3͔pǒQ/UCʃaNLUF31]31_p:q%;:\fLx 36T1I)JW Wlr n)HitQq1(47&Ҵ6:>IcM?H_2 )+ aK}0(<:'a%k[գt}U#TG4|,~،i׶M'm;BҟA,PAhuwnTpN#;p٬qdI21HM*@C s=AVYЛ3sMBUPՃAK]!>ΒJNOm/]! AU-DSr^|' o$,}N0=!|`xFpн,gv)!H6Xq ~,5RC䢽u|D.BvMwvڇ%nhDi%8%1Y<%&j.HR -/pn,4? Gk]% sɥ츷8ؑ=gIb^.SWȼ?(r<|,Ь 3f{$GO4.^ؾw .OB)ꪤQ1?%ZEҶR`XZx0ڻG :C2@d.ciL+4^=|OˀIx3qX2.Jv=23j0#Ju\ -\;0hPmⱥl kLӢ0 ]r6h, nTP,(vve-uKco/Ch< ?[l!0? A{n,^ <0Hf@:=(~vendstream endobj 154 0 obj 4273 endobj 158 0 obj <> stream x\s71vtt{U,l!B\nbm6 x}ORT>jOwѳÓ/oы8yÓŵ=ރ%_xNvN/Nv~Y~ %]>]N^C7S^H͗OI\}l+)uǸXvWJmNY&ɕRYTJ6sHɘxR=6\)f:b|r;NtafU`#ObѝǡGj&˓0fF) w=$CaRaHtNWm qi]\Y]a;a[z@G^.wWpBXM(* Z>%k!ttHGsRb\R)U0$=M冎x{NG8\-_Ϙ0p|Fw"pԮF/V\v7ʪ15#SȰ S$IL9 Hq@2E$ȄoIam:%sG棌3ܕƃNʜ@&@a4r(BEQ%IREse%SBNxE<Ŗ*hZ Ԛrh7@BW(㞽J`/(D̕'n p3{EEEPXQKsrQdB:_fyjiM DxTZ24V(0ͥG6i#={h{sfm/b h=k}\ ͋5мsNѩ|i2ix~f{tsGN=O9 Ia.^?v$3b-^H+}O1<׌I1tɫ5ub5ˍ2RU8̗wfb|~/g36(3!ܶ)iw6[AHtDin5pnx&! +9KQDu|NF<2)"U7Dk [Գpoaog贑ýDE/.PF yIc3c#e @ ZAo!|='Qii~ݭ!^ b4[טM-(?? -pAA!A}aN~+(@4ڱOjg; lӺ{lNB!=hH1mT4U/״KskɅ\PQC(P#?y#-}K6j?)wb;-,q{\zZc,GI).9 C Tb#qf?dEX)1`^m@{P:M9ͣ&>Z:lx : CVE6h!/ml\ym} (8B`U Yb~:tn;[GFK P%VL*Hdi|V;A#-;䔍 7ݩ>u| %zGPh*r]*GT7=RH6yz5ծ$|<]{^32kW2ڕ/ծ{kW&,Q/HVOaԄJqL:oAC qm"i4R嗀4~@н,89slMֺnq߲(N b@28շL@}zㄫz:z5*1MU$ Lx)REf-hrf:M$ixI4hb@ӏ6 poI~٧+Zm%3VX',d9&DG>FKΆb"wpY SyzMXL1|$|{7w>%.X&!9j5.WJ87 ZGz^tW RPn"MOx-r\Je`>[Z @!rfLp0,h47zU)нm\?k(q뫐]pQO8Zdf4a4mv- i8̓Xb+An>M#]oSY x19`L2 s?=J^CX "1CMl "":0+UG7rHЎ{ ͷkXƸ>+Z ("-GS:"pBO~{GPwky7b֏;/tendstream endobj 159 0 obj 4486 endobj 163 0 obj <> stream x]Ys]~gGܷ\t/T38ũL<2-"%O74ps/IY'*=q4zݰoK^=n]ͳox&wzp<|s(~7mӛ/y %>?ޱI>jo_,k'X6V;#wRq5ӏwJX띲LT> +h;dLԓ6;3X s-wMZY)?9\D"^~Lf{e |&^Vd<vr O[-y0'u4yC9 _*OKWY_o[jQӶ ߔ'nGth EzbD;M1q9qho#%E ;@UnǑ}U (H 2 ?aל~JWd I:&t}-2o@>qD2,[K9)線, {V#1. 1obPK"/1eGjfI2:/v9@WO1~z -[ySo]Ui>w zt[w4ASB>iaC>+&'tMUm A_.OzXtQQ1A;ulTX?y.YƤ-1RU\j {ĀAAp,W~k0A=L5D} ˓ 3z)6ƶK 60 8dWA\R9LB|jsX^Em B?%+@:|IZe7 FwRoOr|Nzǔz]%4u&opTߕ6uSHR+AKWġ9"Ul„ECakT/.MDvHjڴ14/ sLqK/g:) &viS/f2v' ] F#r#ԽMB' הd\+͌JC %eʝ= T#!"|a%`ˌi7A{4=6 s< 9ֈEA!w궖y]oY<[›oBPBv3r(v;G)˫h &׀h'q[फ़-*cTmxZ 8+"D\ x3ЌQI"q3UCh$ڭh8c |I 6;HOzz~Qzb}|DA\inM&(,f8SQ[ ]>н Ռ;R!\ٍy=/ @Vq&zujm6(%I;N zv9AmWW'q5=D}0s݈OAJo| NcaߑAUt2Hz2J<[|O+yCc}se**D3^ Fs0n`n}Egfv4RgT;Q*|RSXY(5B尨@,/rs> wuOw3Uj+X=dTLWu.ib]BʦmzM =j͊gLuHsQ u*k:6 'draaoGtz qr9#d$r[ ݘ"YG5`k( vit-wam- YFѵe$JMq_߹ʙk"wR̓]ILP^^wb!i l;MD~ynϩxW [Û\DB2$|}a|[k :*g'{w.Soݵ7E!H.Ex'9}^l yiz󒬖)Z(#jfK ,i2嚙ɪ7J?DӇe 7ÕuZj Wp]%7 Z{)UtI~7bs:Q)>_+N8ZumKp ޝhO3n?F[}Jw?{-U4]34BR,t$e?(u/?у.uwu 2"w( #}kG{YgE8:j2dD8utՅHjڭ$ RG8rj'<ƀ)of4 =Z9i7ьQ#q)W1h7_mΓY☼>~lQ2nRqv7?17&l?S8) [s=6v6۾HgF40T4=j$nc^D HT7 U W=Fc: T/7~4L"N 0P#ZN(oPr,BEkR,2-MW2ML%T2;'h1V0<w`rk*[8W8#&2ū־j`tinCл0-j0GCtB^XyV]<N|FіsHyKSdܣ7zE&l l|_9 Z!ph Ґ(9|iTZa8yL&}nYi-^\d@&Q$)~o^h}Zf5)&_ZEq+0aྜMF#85r0$>v~qE=Cg @K˻X P{u!U,xnAFR+L$(JqbМ!nOjď;w6.)H'˥@ПGy֘.0 G=nUUWgJi.ǥxQzyC86wUEu/6W֮66l[IӇ}K}l.m/K bm;\}}t3tgABF ]|(}(Rn$G;s7~^D9^`_8 tfǮjdM˒z~8FA EԥmC,NO0ziQ?8JUK8NPMs-|>!`鶏+μ+ % AuWsN4Y)5[ $TA\c^ 2Wcwr03;omxendstream endobj 164 0 obj 5538 endobj 168 0 obj <> stream x]KsnJ N8)<$~K&)J%RMFӍ3]ZS:Ѐ~s&?Of=u_~yj | Pb~|>w^1o'WYBRK/+ΤA3s2bol,αlV-~_2 O\im ( ^;.?|+(ٯ3 ץ5)o~>LKIR>\/W3t`^hŏVEAxCi{\k,+ Ptk?v泧΅`8i9 38+</s~EX|Q"7bjk?;5c. Uz9PLNü)j82tp‚rtF#)3BTi+Lyir͔IgV]ΡS^x_}gMS/]n'جbJ~RP(HV`0h"R_ogg[55<-wol?Jl!STt0Ffe,G55=J!m,~HS39ОD>R /j}WN01d ˨WÕwx4qM8&5+WnB4!UЃP|&[m F䌑ɶ륓2Q( $]g[W}k]672ϖ+# qr*sZ|Ya@Zē\%sY{.~ŷ}Um"³"oJv`vq^Gw:qd2y k B8_̾97c_{Μ&jԘvIr9~vn khqͦQO%I[XӲe ב8*OiLW%被I+,JV^[ y3nMgvlzRB {&pnD 6IvM͍ ,HMbm@3 PS~XO˾'(QTK>d^?':O@pk*„c(FC@pU us>px+CErS? !xDjB{A)?vZ3(.(w#@p.$"x+c&|C)?V'z!;=@ӂ#v:w;5?m ?O1#qG@p+uxbpe&Po%#\{>Mv,nAY@ݧ { &bGV!%k,4$1c/^cVIü跽;GM:%@ԧFOK,G@9zqYu׹xQuXS {J @S)W?T[ D٢Ox<3Id!grE#Ap ++vR@:~JJdDP%g c )A袓P̚9A,61'y-t`,QI`p ^¢$RXP wQޖS(W&զ;zi;N8uCbv@ϩ.l fKˌI=R d4P;5+agB ?:“E}X.l:LhƏƢp& 'bOm Uq +d9A˘d289Jr`8u,fL{S˘Dn{WW , UKk(UK Us> n"äum FE?yﭾDT};360m y (>O;[Չ~=l#]'>LbGn#[~;i/KM;oy [\L'ꎼVu"dlLendstream endobj 169 0 obj 3287 endobj 173 0 obj <> stream x\r}g#-Kw%r=eIlCIQet wIɑ%A\Ӎ}b_13}twv[={ƿWǚ3W|:98:8~>t*`v}as>j/I\ z`\ /`;NY&ΕRYT]A&sDISpV|p dNFZ^mW.~:a}'XcKMVypl^N \n~Mp.|'̊kl#ai@/9}RJx<0\{XxRgn?!u)^U(zЀP*jLu.j66tY BzfR$+иwIU*O53PxVw, ֚޷0ukW¹\T`ru5皳uOjbo֛]{TJLK2~7+tlq5C4O] 7>"NO4BgI?`$4:w0Xk]MEK:+8)ŋR|H׈;]Y$"}:*mGd6wCjeW8hs=%+鰰PJK5筝J)}uF::QQAlX+؁#!4Hce`L8 tO&AæHb^>+ţE dF5*A5PLVY%jP951ي ?Xt8*;sy1WzPKG=q\jtg{FAt&N:k,ör%i,pTQO:qj\KJ:':Cs#V={Bŀ;!*xp;+r_v{ s],n"e6qtW4$E$gxxO$_<74'X[- ʛ_$M=[kg 6:uVu=X\*=y> |Dm^OQ !ԎƤŀu;-NI|XێS# D]Vf2O]ϝAJ EuS.WcHH&M޵?VQbGEͦ=xx^i 溱 LB\S^ T;, ٬0~P< LN۰ A= 7MɊqdɨX`:31aj ¡QFAC)6wݭ P+W16G;& NQC}(Ep㽘Jy-ιibIND&Ԙ̯xP]KyQnb6IvP)X^Ipl ,? $_"E 4qcTs⓲*#qYNR\0@*Gv¾Ӵr:LƋ4-BwBa']-4.ClRWL龈4 knj@f&@6wrḿbc5D|qw"6\-q~ŏDc^ \+~5w"0XϻR,OPͽOQ;yjn:$&`OR@s4&o[vʩWB OMY?yS,I:-Ͱh 6܄[#SG$fy 2Cjf΄1/(Ŕ\EJcRYJ3c;@4^rЫ&Zm2\CLx ͡n`sXb} za0GN rucҀ: aւu4$jДeOB0n4h4ƈ޸!C%:8ǁjmS1 t{<0SyB4o7Y:95wA#xc~Zb$C)1vӣO uGn`YMal!?&ds?izB>1g]">NNr'r=.Y=λY'hV`CV OY,rV d))d0f@8uH5 q^)MDI"4yG` 0TMV:545 W}3<{I8a͇OxROF#/{wy=\ŝ^94ga.i3ZλksIT)U\@ |m_cϢJ)/T\[R`VH^4n cPd_>hh)b ij6ysy=(NxtȰױNÌ"/ c6(Bcs E5Ɛ0hH+ke7 ^Y5^꘼X>fҝb3vaV;)jȘrTi|%NHiC1̯ZćodÑiF7c˰W:^K *oLYx{ mokn'nd:!ѱ7&דY) Qa<;B@`_Cɻ3@rƻ,x$ TW_=?RjbWBsJ a.endstream endobj 174 0 obj 3956 endobj 178 0 obj <> stream x]s]ᏸ/fNgB<)!NqbݕtV: ˊoW N>ڮ_g<*xpu 8 y:zt+VS7lBy)/sRem5zjgFJ=0.ֆ|ÍRz0~5z,ŇBk)f?#y@IyV)ȜFA++WǕ_|{`H4매4iY_`Y¤IdMd>Z:lLNpÂ?ŏr◹x'W֒n7{7JnpՆˁ)RʽRbCjd× %[|:{)iasbR +񹄕R)wk K|s޲S.nЃ&5s.raf'uP E%.ԩB 5X`{yj336bԾ`)&U/Gj| eИ^ `֮~_euj/5O؀AY@<ղ&2K^/ &ۤw#]L{:_;Y* O$޲v?pKB%N>-!=4ғ=^fΗ{p:Z2@ƑPO2TwuOKo$"d?4%T(U(ulԠ NZY}(΂%gQ`9a& E cʒ̟(.KHu\h\@a`0]8nb@KWġ9"yl„]p]akT u" $0P1.'9vge]T -rj:Yz@yn6y '6#iĭ8ejQ\:_dBI%qT-,C"Z NSF}/P3ӾdrQG)Y(W{d/¬QAV=Ҹ4$MjMN4C'MvHQƗ(' Fp GN+SDsE.>f۳\|ڬ"}*vLZ|Hmd0#-NA&KYXe`9ɳ@̸ Ar'Wzpq`f|}l%(7ngUv4)3xE@1{-P Vr "q+|&hЄO\Zܒ,gɪ`>1޹a.K.!17r 4T?.zqVP<9C8!bM,K#t`q>U?ŏr24kIg=rg" mH]t-<Zpm0!h\(έeZ<ѴAOSCņ`rƚoKO5`A=Pgs13u3azRX}=ss^\HƃF5oi7RkF8xIs$͖yR3Jʵ繘kyrr'W#O ʼnΨyZTتٷcst*^9B> uR[^rhm@9BZqxx5쩰wP+M-!dT!i1o[ }7*t3jwd[@lCJ L5{`ֹY"s`Eנ i2hnMZ359 !TfVnXl9gӍMCkbsOֹjaylQuLc?UxcR8эSAZ4cvHj\lrol֠!0,DgTnOhr|F)љڊ?9.iF1v&fkΫcE  ׆tŊa(xDž/8M*wA)>q⦴3\UȿRy=^}WxٻRq@Yxz| 383 OM@}j *B)IavMGrNO0dHY9%L"%n"˴ɔUtf-ڢLTYPモH:D 8~p?5 \i\^})Dh:uZYLFٔ+ uv+hzHg bf.`  ?1, 4[b^/8ȹ؈J.Is\솰D苃Vh.6 XDz>TU0q섃fGg\.lnNR\p¨UFFBhC3h:3 PI'<SbQ2J]Hl?4HY>hfNZ䥏:.jch}}#\^SY.bϓ2,'4 n=IJ6%LjB@nhδ,4:Cze亲\@\6 !iBR,#D8d5u]ښ~le97(5xZ56ilk>(7G.B𧄗Cgn (sX!-xԒ&=*[?6ԖVɮHF h \̺tEZSa3s׮HTm&X.EBefHүsMf7+.9`ҋ3Vrgtzܑl9^>aJj>![VVb=PcapQ'J=+_% 6_2/KBZ\`NFYm1;µ̝-N"@sPƧ%ˊv3[Jszkg3.t":1"f*.MPmzJYk)MNKoHb5ȭژ:e<'n07Uз,c! ғ9YQf*$S*4l:Hzz1`f.H?0s Y2ё.f39:2l.λN'U$A)_ #.f[tl_,MDZSa 0odG',ddg[%Yrv!(N:۷4A^KXl|\ozWx{ \-1c#[e"6]MZ6nXxJ[d+EzT t*f^V0)RIQ1(Ob.AFS,WBc0o-H1?q n뮛s&~{F\I\8sˢfDX~BhO3Bj`TU(a8ӠŊꠧy$9cGF-%sbPӨI[&|)U;(Q[AFɫ.nMt$\ KmGU $,.؇f#/#Z`[a/5D3ͨy*0R(wf@*f>yhw:(ޓ 'S vޓt ?]-Ve[X^ -\̦LK̓^se_)Ź]f gk[Cֺ 4\Mr8UᱥP"R,-RIFLF#45Cm}DRrj~f4d .w#8~Fh'/85*ecf]UWzkb<.֤7{p+{ N|qj#jHWx7F_ZҌ’=u vH|ɸrIos_ARB=yXxһw޽K,M_!y >Es(97U, cit1^#8]_^(M1 o;aMAޒ'c gsxt`(hfTwTi-汈y 5:'HbS]d2ǎ0_ma-d0vbfRЎ(JrxRkE*|`@gtȾgVyMqnд橕t9*7 Ƞ&Sw\)#ꭴ EK748EU[ב>$O,c$*(zZL6VY!Q T50i~$ r1(Ǟ0L[\6`q|"3ؒZͶ.O7bV犈*ۿ4f%JkQ`% ff=aVj>W`g-7+> IIЊ7  o9^+x _ r?=ptѢvV3Mfb}ڃVk5p.=xéf=,:G^6"n΍_1.LewqG}F WaN $- ڛJ.6~gQ0f k٭ye*M3W#@*))}QtYt)k:I w;})wA-fW7)4_Pm4U߰VO՗ 2V)m+[ %a0Rk.@ `\ImфP* vOjhqJ|j \@.1= 1YpTOs +A a `3u^Sn sYvPka-2=:(-4z+ ~ NYt4Ywc2GJa|`_:] fdG}uӏ1endstream endobj 179 0 obj 5418 endobj 183 0 obj <> stream x][q~8uqG;R)rJʎEآˡKRe)J"ӍˠAJr\| 8`F_<ÌO_};<9Ͼ=?<LaYzS|p^M>9 *3s/'g<~\e^:Y!w@NurM& 㯤=1c](ة`]Y70>D:,Mf Z/ӫڼͿ|1|tx?AFx[OjN8~i5{𩂶eɏr$U7LSqFq#HI mWĪiV˓WgYCM 8 %vfrY֫J|SkPEOfv*u/xD8V8ΥWDYxS‚FVV([@&AedZ?NvF5)Xq!VlXxx_: ԁ0QH/1zҧ' t!pCF]gnSwm5*u1?˛D.)f^x|OH3B;C^7:N }.A>(C^HO{Pu2DVboFc/[\vš )ZtT"WސZ9r E7$+mf 3H@#864.zT$R8 ᤞP#doާJZʲ, fkB':BOL]`F :dmޗL@2i3!TxF3φ}[N'DYL a;= ˓` x?+~!$dTR >vw2*&'䊌K<hQV{Yt3݈` ^#Zk BkI{=~Ų8A q-R: KQt.t'!:mQʳ2.[y: _AӽjB**X۠ {X*+%75>6nP2JƳ*.dz";#PZ .8~`ZQ~:!uS;,O`HC#ߗ6K?rl$օv'^׵ll?ЯP m`=K3S 'Ad;uh _|B0 EǦ g+sc6zF/d>?x!TA?<^/c}8GF}"nh)t_y(JL cfbtF$Aݻ qn4[~NJ#u4 umtSQ`~)EYT4z|5@AR,5qsH9Rx*IZ 6MO9-f8,PЇ#AJ Wf5jA'sFs)@-:8CH3!Nb!Eїg~B|kUߔ8"^Tirv*Kܥ-m#,2fD2 `B!8l+0`і-JM~A}QoV[G'FbJ)QydF7bSƅ mֱh2]:qg~ѡI4W^s _[ ʢ"=F:< ߐ߳"x˸3YX&xHj30{C*nܦb-녍ޡ^*DTv UQ+XJ(2mLq'+yJjGDчQ`AQ~N&"jt |S)9eZXVl >1d'u !#aZT&t Sim'4992a7aa4TM@8VڕǠYA3$#pAro1-'.ċJ1@Z7R(4Zx̖!$)5hMųt^I:Y\>mEX GVr\wb e2;%*k D~`:$@hC9كIz0Up~$iYi:kYV{Fq%w-:b0A$ț2ٵIj?AEIЯt0l70Kzr0\m`46C:!zEVq G8#8T@E5Lw ›`7ba/tm#kli26 FۈW<7 4I9L!,N8 tlhZ3_Fӣȗm엄.޸+穼BѰoθ BXbzJW+ v@!b,sWi^۱/YW5O& o/2Wq-SHz7xC:qFz4U/WceAAd@%t.~T#zpoJ6 K9Qh!)~XAL(&2S0ݩަqGM q{o\6?` AmIQ- Afцf ER)5])HX)p ۸Eիع1`kLhund;(TC3f8tPld&H%;1n-pqu4šGxu@xyx,l0$<%GVmaUe<e6X IݝsPv# QLj-Q0݃P az\1څBcKEn$ Dٟ.m4x&-|VI)lIpCa=ISS\1gTlZGR)Z鍇Hw2bҊ& B׎]&> .ɔOq]B$^O-c- ]p9Q^6E CC+k+,:$MC>t@N,*eZ1-M(Sɔry>t0oHְADfPXxG" # UaLI.s~ SBN`.:V`p^\Z3`Pǁ`gØ@-+b4Egօ%q榹B* JW&0I;4GH[& $QBA7BiBQ]uB7XğM"O9}7r2VuF0YsfAůВ6:'M)UD+\csWP卌vn`.-x"nW4m<zJqFCVɤU#zw $R`tkM$5NOjd~P]P[|1-0<ҙBFj\fUWX>o a9cUWQ]7N]uI˜*E'HhV5#n$خc}Pn )(e%+Ɲ㪻*g/b fc)ZI D#3eMlq ALZ }Qi-`\#_tUjFwg*JV}=XԱ=NЬgs=X`~V *xW:ˊ= 3'q\J Lp+cM@^ԐrkGG;QU{,jj+7 pDwӘ Pm //gxF.TLڃ?NՒazտ/.ڼaհǵy9pSSm[rg1U_o!A?z?S71n"N c"`ONeU1^ eS 0|^kQizh 80kvdlW9"6On.yeQSd6?槱b8tF4sܺ9+J6/Ei ;Gj*~o}xHdo'ExN"$I [˓ W+Ż ?!uBEۀ3LJMrϱ-5h\lr}d2RQ!_ _S7TYu+Hn]|b}74xMWH4%va&7nlr}ݵƳjw2aENjˑ nA KE\rd GIq%" sYҥ l U#[{o9X^F=P`u'u-ruwXgA7.72iF1ob\0J)oG7C'e]>LOHL7},yR5 }5ᛘܙ'BY3[}]g{vڸ7~}xu)]Cmպ~ؑ} -bX:K5x3^sQ3XcW9A cxK%FܓdF| Zk:#rp^uyJ{^ 1ǭu8=k?sxb T:dR9`Ʋ;W\Y씛rr740m%~0w?cR˄;y^tv2sGٺ ]/>ţ89pp涩ƥnj"%o}Qԫ%V [zdF[ixȪ {=/L}8}a*UO9ŖVi5?V'TQF8q,E8`upe;S,"Yf|~yrZJ%/4[Щ!Vw/ #J \w2A:kGiI'mL!-f.:^3wfR5gMm}[Oj$~iS@3.[=xׂWi{BgGSHtLcXc̏3#z]f1Ǘpux~zO famN~.:xwOendstream endobj 184 0 obj 6413 endobj 188 0 obj <> stream x]Y]q~*KRe9rKYeiT";ʘEe(rdq9hgVb@h軝N>>gߝI.  g"ţKb烞],ץK4_QG#ei,ʹ`*6j&;0T^q_hbE-Ц␛Ģ$23#4`1~3eym9r ixvP0CW0ӓqgl` 'j~+RA:$#Hb>(jYCPG <'Ɋ`g-)Rk2JF=Pè nYqWE?hai(]=$@`+FSyaCiy VC&wԓm6ou`DZS JÃK<ʅ:LDfPjٍX(O#2坜 MCjt29 98)=֦ad@_~.πUi>hl[U1.JȖs:eCc-$ c # XG>ne1"=M6?:c1=ZTz#p!q,:$w35'Ho(<Y{/ף3qZ!y_ꈴYqf@ !4NRcrB9ʛ/RE4|k실!Kg٢ł*7ΐkaixqbi8fzRE9gJJS[njhb˵O/R]T WA/$N|@CQIo1WCZR/0PV1>$V7 u!&/C |A7'H$EhDUs#nwD7b-$-Xw~j79FOvF! j֢fT-׵p$ lp!a^a}_ā)BZMkdxC ZK|R0!:hPxi#k),E"?#x礇c)Nq'f _7;'Wv f'ԛz-'ޙ&?߉&#['Nor;1WtRFEƚC|X V~E-&-͗-Ff61I $-zDMJA/Y@^TqVyM>Pˁ&FS*뒄fh8U=h:wg?>Ige_B#3L-McAub/!wYq.4n0tIQG4G|Rl/Nn_\yV^5pXȽM_ AF+O[ u{m8-*YT9BhVGLjc)|@Mڕ3vgjYyF3oaUȃhVd 3jwLИD\[΍ SApT-wڢ HDzL'>Ņ<&`c4\F?HRV#,<@$ p>X1zF/"",ƨ_L&n#4 t?" Ser15mqj$7WNWV'(d^ < fUQP5۰TH_1ʁQb(p-E71} x-R (gM'~G{JCL" qy-7̄BulHUn=zflבROUs3$kK=qm8ɸi'M)4bmAW`m^2Ն ZoLj=bG1Sru@:R^ eWd- %.Dl|$Z|ư~33m,FąZ%wdt5 NG*C:]kp u ayr4Lߑie)q4 A+)Vf*Fk6x:̽ ߶:8{ U5YEi5'bnuA\jI# rgÁ)tB[RH:rlxlDP-2n K"9aG!Z,hV*OAhrٜ)R#l߳r9I v#3m8uv}9*U)fsJ*cEFVO8n~^(c=ǘ$|jQXj!b=8!&Dfz&G+_0z"aЃ[AUX  ʤվNYxԊ3ҴїF'4ݫx\iR -`ȘQMƌj1Z-GP+?IV_/ Ah;&a51ƿťD|xL8.?eԲw"*"s;}l`"+Q}72J_ꘛ2O xtVfiL,}\y$"9.1mh a~AC|35WB+Q$&s%[/覄p@\ĈzJo {frwMoS ^֥i15xd8{չ9tI۩ Bq0[q|^!p-aF晿ުF)2BWig)H5Q֚z^a`m9*S: sw2cıT wv\i~O5GdA-Y ۙ45_'SIz3yDsvl7ס;"VC|6// '.҈o &V˃ P9'\)59'*k QjeWR64X|%GXUMRKŐJ."Q]h܄mLlC8L?򕫈#3]4n0q`ۄ(-L$,~/[AY HWw=qAWANmgXRΙq;tnaQS@6cН5]A\^~8\zQA\WSFѸ0 @21Du4:wwWa 2OuF L['aZ*gNmuM$APp*F hOg֓Nt[|9T=C4W2ŬH۵LJcK!)3*B6ت!qu@0@(齅JWr~&+ Z.o}|J:Zg v`zHcx 7etvlQ8^qq;}7|amo<%Q<% J)cuۆ#5>}b :bZ>~b^mHb_0`4ni3~aՃ1N+ i:ټ`z* Y0 k^9O MݍJe/ǨyEI96^^5hO$;Zy>ha= vN'1[bSZy$E&FJ2q0rlf:bV)A9s%/z;lGp;X`'F2ZFdp2UZu&IztiʰCxOjE"ZU>pB>#LqR{*iue& |9TwMYuZ)+U`; N6mxl.8 r rv{ѹ,O!e0Akw|38Fo7.UfqI u~{9=g ަ}~/CNΈ$,P^cMy Gwkn #W酒v䧥yY:-셃˥SNtNOKgעz(?-$j2]6?%vKUm7OU,q=S '֗+Q%<^W* 8}i>c ;yg,gJS7&7KdPxdڃX5,mn/8"q>0srޏ6If{{ >w:d-(;s[(OiGy\`֞>E}#TKGWD?/jendstream endobj 189 0 obj 5608 endobj 193 0 obj <> stream x\[7~G7R9/E IS:ax׉_O43jiZgo@eۍF'>gbs3t 3D蛃Kbe!L~p'LvJ[=#ضJkO No_jOz3.nbo U4VvB1o_P6'ӛS1zP~99x A У76~ITD|cEimZVNS|5t"%-[;egJj+!v܂|yw`6~0|*t/[)F$ :Si3{>?$6 Q8Sf6˥xz = p$*iP)5/&aݡ 홴a4-dna|JBd,0E ٨OC(旬ڇ8G VQw/,74 `<qol'm5#?(yz0p:єB3ϟ3}VIOZ7"h1cmXyXҲ3_7NVxuzY'dH]iltlf;0'3f5]_m#y$ ZB}lPhۼ렶E>ZhpifTa(VvoA(V3 2HvQiNA:@T\K>A#! -AMzF OƄ^A}4Hr4rQج5-luQǺ7_;mM?! f8b-pDyr]#a XgG$Lf7dk=M54 !+_g|^_vOJP[=߃Ȧ2P aƦi{H[F%i#q P%>&H~+0ʶd nI2|9Am$;7<9Hqd]P2TZVZԎEu&i}66!9.VK<̟Gͧ b%x e ?LB,69 s E ` ɫ\L~XXXՄ|f߂|I؃wuEt q*nZ ^BC=p (X|{+|~̪J 0;Jv&#u#F(Ԁjpn0r$(yO9 pc|/E94X{VW 8DH9}FyȐGTMO&e3\4@)`'+-fyCIu ޣƤso~f$fp: Ι,nluw,R{vvـKEcer:he] JE%6M3F?6F ӯ,~],Oa7фMh8B.͒ΘMpk+;)y2tX\3n5ChN?ٔyh +GI5A3?% QF1Nj>ƴ㚅v DjwQI9#J1}׿1SiyRk]'K$㖟-G;KZT*+d}>b'#8\Na&Vq<[\BhG&bF>hoMvԦw0+IjV28 :Բ=(:;SN6}5ZMtsu/[4]Sz0? `IQCN0;"J(畷"cW |9_$~Phz4'e쓫l%#↉E,tZ1/MhYǥ҅~ JBSC)7ؕxN|myRԠfcL;#_8U➕XIKglyqI Dy H0,B"™DT&L떽Le ~T#}_Bu NN$WzD&'Ձ 0H-P-K͚io<[ IA?-W5$,kdo|3~55Oɾ)mhWBSn^: !Cz=yp?Rƹn]V|va=nֻtGhؗ[v\meB9j%2CU{K8WR/etcED+5BôQ7tH|rV{ ǥ|\kytڢlϛ(XşHBo[k$ ҝg1'a"#PXa&)>왏ua:>Cuۿ}_fuISj>]&ڶμnέţa"1zLҏ ޥaۢ_ɀ7K? '|@<ĶBY"A]5,NR*6)2 j}vp9M`7gҾ$tL4ïyŘ~jm Q#WtZCQ1C^4DhEV#P^fId,)Lݨ>[eQcTN1Y-I'DˑJ&-=dmT աdUP_%9d5 Beê=!:>mr&[hS4)&N5գU;A?qnM8P[)[QsDַ WM;@d>3G`Dmu/#5l$w m$J/-\vk;i`b,uRX*wq6àMl̼?.J=P e]e.YGFM"G˼erWo3m ^gՐBL:zތur4ɹuC]<%z?b݂5E08.{RjJ~'y&}"}~ W%FZ#C-Vw"D.-%Li^CTݣ ;P[9&kȬx!F@lf0?Ȋh~ʼn4dl8~c:j=0ŕZ|W;{㤱J~G I0x4%p#p΅i G )ak5Tg$j`PY@~VR$?jA'Eξ@rg\cعHcWMa^mg{X[b?qѽL>Բh\-r==L Bϋ,U) 8t[j_ 7l&> O/7 ɀMhy9 r?B1,)m/ʏySJai~4X}TY4?.O>)?saREE5`zvkbt["u35oYuiKY?aˬ6 J|K򦱮qR?QQ1~ 2cc+ٽCx,Kb)EYv',ZWn+v9Gfe2ua|)e|LeV&lfܳݏUSwڜendstream endobj 194 0 obj 5020 endobj 198 0 obj <> stream x\[o~#[WAEP N: m$n6"ɲ,V}g]rIGvb[~0Eq7CR= l}]G[Ϸxbodqpa|{ /g T(gB(u{Լ;#XVs,RJz.:C>R)͌ZEa3guS2=RO-%8t'`ƻ0KI2\J Ћq?l/AtϷ`Vkѽ}K8'{<#8%b~JMp,/̂skRqᜇ>ŧB3e"y.5E.Qm2㜝*p*8ykń}j[V)e4T.Ê"3J1a*,s`w;Wk%L.T.8 Ȥ㭝٭[[x(r F^BG `Pz7x/E._"&ӭ-ȊF9X>igFB} v/w1_huA~GM=Y:A%tav%^S`b%m%1Â>ZCNXn4q +@M`WOXpt`Dž Q2J~ܮQQ%:X[= N勈u@xr3Iǩv~H V۝:-GxFLde2 Hvwn/\bSqDxHek,wn"n ks.bF#ݜ,VEjf oMsw,7~l*a.@Ƀ+~?E֬{eQ+ԇK"-@8~װ@3gL)w5n0KЅ})W] O '*>%gGlFW`4ֽ.^WJCܯ&M_׹ef?T/napwⷹy.~;Yo_5~_6%4;o.>XbWU:^?Nׅ$m˹`#:aC=Y@n't2|Pd%tɕZk_gϾi?7FoA@v: t/fvEs2~-,R02*M7 !p1wϟSxND*@Cr\ jUHV8[ > ˼_Zks१oƓ7R8so[w ۊ%[ D%@TjHzمT"CC/%Ju4ƣ;~m>JB}[[~5 oђKFGKcAx-ghihihJW=Zh4a-%mY -o$ho$ha$͌ JT oݻ[(QiX+.J$zf}n_JNϔƚ/% (3gJgJgJ3xaLiLiL|4:3w҇KVr!&jn]NR`mUߝ$%JL9gr#9% 5W\F:>Cyo ,<˯JYl`Kr L:IOػΧHflVb(m~Rs;Wfeh K3[Ld\ohU3JHbsB'IcR0/fh7!8b\$9漌=[g*GLH3%U8•~G+3!ҋ8)9O 鶟OsFo``/P[$XtI=[Q$i~tȊ#\ck ~J'_i2 mO/bo/l'W {k4H szv8w[Q#=endstream endobj 199 0 obj 3730 endobj 203 0 obj <> stream x]Yo7~Gێ O$qO-Y,Yeȯ*Yd=#,v".:u:f_'v}vbկ+~\^\9ty>~wgkdj#T(h:!z .3|\mm5zsmc3rh+Cnh<)Dv0Zr@9ʯ&ļ I_Rf) Mw];,@r~*t} V{C1t(&`{up\wr˗I5PE>LM JyK} HmWVLlDMQp[gCΛT }j<dlqn F|TzH-ML[0f݂t&B GTONj7Px]ZO/"E\ ?%Y#HzvŠA,!z+/ ˾OEjIyKp/4K>V֫iOfCBT|*AX 4M5\ݻZ%:M&H"(r1\ <  H'AE{Dҽ]Uq lİp/F!.Qh; <}ISy jF't0d{Tet*=/W/3cY~` Ǵ%|;(foA?J >eإ3)p4abC&bo 1TX@tM 6X l HB!z+^I۴3Yʹ< J1Q; NOdS4gO0*4E|\Ԅwe|Vp<5Ej"apX\-[0c[061tj1M^4}HT C^Rt]][8`gy[*M OUr:Kq8prj6?8AxUek1q 9 Ai%܇3nóQxD .,j {Sp9 g|?h &t`Ïm‹(U7٢F*ӝa6bvԚ̩WhK6#[CQM㜰ȕ:!O"\|t`@Cb72><]* *kvyVb{ FWj37`g)'(J ax८tSǔ)9ٕC=<sZ-$ʲv l.E}9E*[vzqQwy_W@!&{ 9ȇ0t](``\Jգa]ٌݯ8XC8."@K7R+0JԥGO4+K71+5/6*,V`Y_UR뺿T ui9MP#<rjd6ֈmx :D3ETrU?u ,ZCzÕ9^U2 x͕܁J? _AƎ1)7ߐQjH{xD2¨`y z,^ن)@ $(0Vs]Y}nJG4BPݴ6߫N]}dqo,Ğd>N_?&}h.FC0'k0yN"eU d- VZŁ[~pm̌rFb=./aBVj?$T/x2Asx+u P2N{ˠi\ kg,NAJD |"W|t^+YuyłvV>1-:%Ɛv4T)6$LTT da+m:W_W{" n>xvUq =''#,b?Fƚ\| 6Zar+{B<ꂩ靬y)+2o'LX)^{X ++`Y ΍842> c eJZg| Ww(`1~&%>Ev͆*ph x~k>p7n=Lا@03S?s"n=ܖD_aB_?]_L?F%KOH|SIkB1|4/kbnNZFt֊.Oq |9B }qy 蔠)}yfjXc|cOkܑm@C 1%f8T)q?LܩM}>Edxq4ၾ@4w0hy~H ڥB8S\O3A11 1v5j| p+ (D}endstream endobj 204 0 obj 4788 endobj 208 0 obj <> stream x\[o~#}*Nw2E")Ҥ iP0I ˒cَCJVK,/ jj?gƬή*ul|gpcGlƕbju0(|4LJq\:{ IKl+RSlk!02nTvoYiF^\:%x=8XFY_~H`:;>:] &Fz`6 I~Q͍\_n]銮`ZLOIhj~z0*3[?!78͵Rjښix2|™'HjTt1)ö0nNZPkBXȜjLxRsȩx2MH&Kӭ0pL2'*OW"4s29Cn3[cFMKt*c.PTpԗiF&FZ!ӃyECq{S X|$47:Q'GĘ#O #l[C(PՑ tM+\wG? R! Ylo/dn)hczaX?P;*ON Lk""YY/(~Y%4s^XL:g5_.X%t\ PjjMGh=poMAٝe"^uȆ+i {5~'noaQŊhfxEjƆFkH)~ &B.p&hGҾw$GW,&&YG3ΫC4n xQ8x,LX>Փ(h'1 FijIaԪ\SNH ѕnkiN!@e2ŮRhWoUA 73(<8.ms^ lAFi>aAo pOO9`*-D)FD:+f񧑃6{N$l]6aŹ(I-"a?|΋5]ozgyM<#F7_^( i#gpl 'gZHF8[f@ޑF' vP":A] bH3;5_y ox9Az۱wÃ-e)a9g  v|RjZ8Geo(d7](yM1a5̏{!6\b .@)IY8t*:"6LèA(cR:-3k襨4#a)ԣ| i\ >UHk|.G5~sb{P$ءKS.SApz2~/"85əj1"s'(SZ#@@v$SJ Ů@C\|mzj@PȖ&eь56Wd^IB,\z==*l%0NU1/WE`]0q2:gK j{hqW5; @qJp7,Oc Hk@V:Upb@j ƒ Iê-cкAat-e˗Wh-z36gTowzCi&b#ftRl=+LkzO&lЫ4)$.c;A }nw13mt׉$CtIβWp()>x9J{'n-3tm$؈~.;1?wE8Qg.>DQ~# F~Ӫ>a77lQ:޽NJƸak妇ƸN0i}ԅdD.#@?YF`//,+DrMd8*rE5!ZvP $^Kfp-R7!xYE)F[pX_V!$dQJwA$)n R1vFo$i)CѓўW5mX'aJ* :1|NAڳT(t)U3GXm2d!K1\C*U%LfwP jI^ A( g+ZU2 B}D2rBa)nsJ@ co$@ fxN9>!{W6Z ?LqUpk w;?EG9Ll>ͧtYvK5 0->ur Io-epO#C @xW-!cUc:[g6g#`8Epb?Ѭf)zcAG ycs 掙*h2іd169-c>@#6.Zb:L"QOЂMf#YCl5+p $L wk`(W6[`bI!ۅ&Wa.E;g׳|̡.l%*w "\ va"\8U]r`y.!Rբc;kek.< Ry=j`LTϽ12t:o$ HU9ʹ,l.Ǩ- Z#eUPAꩄٴ' Slm:6_bf؆(?MHzޯr<6U/)R2ogNګkww1#h f'm~am ral!5jC  w0郧1_I>~A(t z)ʎKKz88ݼD ǚJ?CAz0.d'RNԳy6!yap9XLh1/BRo{ 4sV":ИěD{B[T6չ?Sbs ) ZTM>˪d*45LRuJcz{T)rEbֳj4N5g]"|bY]9rpΛ) 惾Y215"R7ntl/}9.$Et3>Yrq+Zpk){ Sbϫ- i-,I< p +V9I]1 P$*Tm!mGKح.8|+3]W0OIJvi "%bTYoYpgS*iqF< (yzM 7Os|?WޗpFռJWKc˕KAda,$+q&5h!9~z- m ӣ&꧃qA{(9 ArTMIۼ))@JB3c"<52v 6. Ád պw$ p&\m?S3pIq-oJ#BʘKP|+ieTQŧeTX|V#3j "fy{NҲkG=R9 (*[c5p`:֒{_UКQ M:! .TS#wӫ(XcµO .bvTXԡ /KY\Uk2K1ClEM#:] iU0#Q <ˍKp<6,(tܲKiݙ=~x%UBYV0ӢavBMIzIin^4}osynL͖kd+ϛb[h"06~f ]OlNѣȕM U1,cgϯ H.VC ZVOeVW⛤$r(\Т݆ߋ)䭮hFcL9&_[\m|>調wM~gr_KҼ䬹Nj;7.XdEs{);~va8nEg>a*N+E0$y]$Un|7XD,;)w*0ZZ}=[dUt\|m9g܆wp2XE]v~w}O{ ~=7*Q8ԽwSSMElŋKѻP!fܩxH|8MKi\2: g]@yK#`M/e~cz[H L=7߻A;Ѫj1- |XynATâo08ހӋ|;` '7SjGWLBj |y#t@)VA>j>ܙt@ӻMwޤlx{4Xᅨ@q#1 Jf2alTS?4͛^wnф]]HLUldG3G-@E){pZ 0zOfL[{z 2!pNj} 2ۏO 'DbkF)QGOr}U&LZ7YsUp\Vy'6#}86%427jd\r5ݰ{5[.o5f=C="_^)fB%YLFUӧnUY#"G~h.endstream endobj 209 0 obj 5397 endobj 213 0 obj <> stream x]Y]q~7߱}/NRdy'"9CJP␔_A8"%rA!.F/_/|{*&y*:cD8D?ys EO/i>)W'>>AQ:ۋI)=D}þŶVZĶ68{sNBc?;{_c0^ipVb Sfyƾ>_QS إfkbmq:uTM4!pR1KMi+g*%_/Kewݯlea"_?*͏״oBJjKW8fߖgqM>-?QI/Q3d(CȬ??l/č7)q2 RE+}%5EEp9S6ˁ *p&ei~Vy#jkZO0.LJƘ|h{| ʌoKvƊpH<įs@ u涤^~|f}0~'~ǴiNV*QTVb~B#K mv .(P8xLzdX@HPYS%]W[ewp>k:Mhi˄\&4a8 (S&Ԕ7n|V&bbQ i!uEkD3:Peڪ8(!u]̈́•5X&,`!dq漬%mc(3([^\M? 6;}^W={|YH"|T WZh]Ɵ$N'P+Ff[237/aLWK>5]q!6`ى;ʭP|2T;PټaݾK skO<p 1=W42P|j^|[_-ނ4XC_PrE7CM4!? Tzإo]QS~rG4oF+іX $ Ү788^PJ'vAKӅP 2-@43k=5zI_]m$X|C%6GXLۗŊ>7HOP\L޻(ЩaOe{ݝ>YX7TRtO-,2=m8~>crcװ\RO(۵y{ ʀWB#MSK-q N%@3h alIUp0cB[ -ɦh3t.Sԣ L`2M#,xގ$IpD tLƄ"2@6OD#{c,|J3F*c- y ny;+̆+UH r8xl@#bS5Xƍsp41VIX2k6T'~CI(@#Cƚ=MX5V@oq$Zi؍fBcS52D , 0Cq\5ב|a؄fCCtiH:C?v9,ta2B7Ѻ$k\\Љ;_]1v ZNaJsh'CUӿf4bD"+Fg(hڂMܲ6Lcj-[%dW2/\t6f?ol*b]iR2Mi0 ,dv>bĐi\8mDhg!Pk/tDRsh9\= t)L{'m(ᚦwUzR ߳^j`1'i(Ler3A0aJYGa/4M7sI2+j2h%pڊ!p!ݐŻJ7~:V^T # 0ԝaи8{n=Lk%@K<'pǷXٙMiߊCa U) T\>Pq qf,L[[zP(0{ "OO{{e"!JyV NMyQT& Yrx \2Kh؄O8mDg M*p| rqVxHJn-݌-`#k``4T!5=L׮;cV o櫉"*"qTC$`t3j$5"wr8ļwl;hܥ\qc9#qKrw&Hj:U$ɘqY0@TiL #I@thgmTt[֛yy% t'cT|~6yԹqCZwr&gQ Γ]uQbw_WEu0FW(UKoeH$ښ'"rn~$c\T;߮؈UeTAmh$*Q<*6hFHd Ya:I^43 {~)m^ܜ]1慯(nR֪}J lgݜbb<r_V hNb>ན:]+׭]|}ɴYػyj$O:4O59Ҏc(eoqpam,K:49tخ 178BZP 9j6"*K*3]c@ٗA)[21EwD'ꁷ4!vjo66 xIUm=N[9BTc9}= eB}G`20#Ԁ?nEJrDw$CVHzbL{^ٯ1F E"^Nvݮ+:?T{-G\9(oRvIͨvrFskcbf|(G⣁c,'-, 12Η)0$>1Ѹ_kU ~ij/[C}Q|]}!0uQXag.l0 eIJ2#p 3o9D{ b׍2Sr{`xȀӶ=]aͪ"(FLXbpxxp~WPw{j^3oeAE$25 ^Z\U}+>˨ơH1jt+zX9(q.{iiO~w̯Zpk-]D EakP?z"wDo ^|5Ra< RP&*BRQguH!Y٣,{ ҍoSt8ټzqL8pr=(rF~QFl~P렣vLzjrѵ<$Ӕ[`L4!ʊ~ER֪a©3_tĚ? yʓn4do]$&g&ޔ&{/YÇ nP^znYGzi? `p@\߇E2ls`5x""X`VJ`U;s=JEMi 7|aߙB*/a(1AkMUGIKP{Dz ?LJiO UK_c\u]~FaC7@Jtcui-+Fo-u rFlTL ичb*#P oϗCh1U_#5.:Lc|Mu1{Gv^PmPAێ@+?V= :\xR~_G17~drD O5_UHb]f]piU> stream x][~8o1r;>$$UMPC]Țo[E6"̌;LbW78͈M?:ټ=7>b/7ή6>>Q%۸qcڜ^=;&咏v8x Ŏߓw8VF1/pZ8 cM~VJ5hw:+ȋK'k(ׄ3wG3*I1j`o I~d g’c`ٜZ yye _)ߑpjp,҈;u0i>ïi>g%Xp8ozApuE~|qD. /pjy/Ӷ31qeeYï6 ;X?N )>&7[&~ċ!Wjtm:z2ȫ^ѕ48Dfj,P,PXXfXnZ"F0û家 o̔5+*aQ-&QWj#9XoO00h vf &N>,DT[Vjl`*KN m4Obb`-(z 8s](Hʈ +^ 7m0"Oj  e=,zI+7т~>SZ(ı_Pϓ׃g u|BkN#8 wPYA,3\_. .KdZp9'QEX9ʒp9|q (a@o. Q~c`>㮀Tt 7rANDKlavI^LN߸?sDcm֌ ԁI} 3àh3L|bFǗmdA/OFʖS]/Tјp``ɘXp=kz*Se脽dE;1DmX!! w2xt5q _=İ@awMNnح8H덍Q:n%q)Cڵ6 7|2W.bcrD))T.o`5<<7 <<L̟sB ϕcsOLjПD#և@"MS[63(\J J"U=Y) F`p[+CQP%PkqjW^`LJ=0#:C\Kn@jvu3` ;([t)qQ[uw"fC^.RK*PLQ*tO$LAJ8!MB ]L* [0= &N1ZeiY(mMJ|>NNۓ ܯ9#[Y[96HQ.M1H$U(#* )!|ԟ]&-=CЀ(Hjnʪ840%S2aWS4 E= `Y.,ir—020۱T@8=iVyǴ106q < =گvFLz4@аia"a՚bAv‰u`1lR4|]fI#g7w4_-Z0#u)hzlB,0G^֎ea?+ T*]X7,slN͉.4׈衰JsRR;mjx,Q?4c7*f%sF֙ }N:*z_ `-*u]Va2;Q/jl2r4#p:uDI>Ô ǵ(YT$}*E^+a\/cq0O7J&O( a{XbmZ B&_Y/cP. BC7" Del)L67A~FE륁|ͷA ¿7ι"ः/>2Js%|bFYSC(#b._|sAz_W oN<}&! TY tHt;y$i~-d?.GbWBӬC+bHѶF [%a@uO ;o$m3)ProAH%:O*і31ԞEvV@UNVZ@x =VV!\wXS XN׺BlS씽0Q[ŃҮG>,?}dvde }PN6OFL*Z,M#1Ev"}BnZ4zUnv<&Bz΋Cg\lAg|9Ȇ椰%jDtձVq5 N㦉B|#H^tH^_Nᅵ%,WDn+Jܜk =/l+HP0/Ș\.3=V{CĜjҙ@^l` +f⤬&f| n$`R1,EJ}2u+G78E 8~&`ZR /:|drJ9׵Cob3x=MY6H9 _ 2qR&9 r#|y$`$ 3LWge&(OyRrQs 3@vޒ: J %! NJ2pfeJU"R僩JH`gNeX*= X^zWc/ՑИG1z z<;rTsQt5Za3&($OZlߦ+dM@oOF9EoeBiSĀ?4*KoO MOzw ]k,Se2D[ V4⠒-9d8+~ v MQ]6rLVE3WPm dynX} lj,4uQRT6NGmԱ}FaYo!:ܣ!ڻz@,}8ޓӣ|{4n~s$Vp%-bsOJO.ڽ?^" Ow2tj(.UI->܅s*}b"(k!0c%2f龗.tipu5{/!|]zy_<ӏX ݹe؟PU \ N\)Lu>+,[C%hGȗa۸T+K^_T /cHVpO{򕢺ΕLWdk?-}&xǢ4Rv.2ڤK[u)tmdsl}}F`uϮy/O.:6l[*8 endstream endobj 219 0 obj 5306 endobj 223 0 obj <> stream x][o~ /GEΆKd7 "-ZG(R؁aK,Xǒ;E{g]r%Ũ f6<$g8oC?㟇{>=:~8<_=< y:xWӫàB f/7lBy3S^Hׯklkcl7)X7J#ꝲL?|W^KQg5S C{JpNG@$kҹ=7k(?8\8L_ ;0-N'3#Lj)8O?x#Pl"6&뇑#iC>!ȖJZ?InDMt[8ȱ7p.g9ʻU`#PzǦ4ņ]A%-f6ä'/I~H@- 5s0XͤdvG\jq$Ћ6B D-lLv eV+\1wqG¬8AB6롒2< en>ͧI淩s $hM=Yg1S a27/r:7s]CӃYHWYh51-#;[d 8En^qnkvx>7_6%]us?tLzO~pJOG!7퉕^N6t9"{.w1!w"*DG{]!/ [C }Io-!}In^Qgr9_A|7e-eM+@mN5!SymH\F lY|;X9qtfh1p U3p^h)Z3:YRVzċf0F`HHFx-4ckWQidjh8o37a'(5ʦpw#8nU%I﮽Y At a.eί1G]e<3xoTNͿ9s& ^)y2uan ΧD>&;]h@-`04&췩bn^I.<RN,e63NY "|qI@G~Iah'/&':'~:M&A@N<+pQ1q->k?%m#QJ|/nj02PU}(tb>h0-g혌בcvwVxi͖m(-*$Gcɶlf=Q[ TG}p'?MF6tЅ)ibaI<[~gopV.yJZ(tdnߒɷsH*Fh=c9uixq&~ gcca'p.ưGp>ac>ac>a8Э:jVX/-'$ZgWj%Ĉh̟M} bLs,/QPƬTccSJ !w<. 죙M p}ב~'cѻ:c@PX/؝ hǴJM1@ >$;?̟[@l>j& h*{P6J-_b)B*GCM{Ӛ$A bnMuV 夂 0CVTqѹT:TvcUL&&h- j?7@] Pr΃Ê&{s-v\:MI$F\ l`ˉ`^+&Yk2].4l!y%&Kr*iR|t%_PeV*y$ˢ}s? v4+<~LҮ^8&L8]26+h 0+M.~UwٜRP|`sQK醆+בܺפRW֋^#[Ė*nNE`Ĉk]K<09MkBIP\\$,r%nZ@;Ba"+?o[Մwa> ." 5eJX{ugg ߊ*U 4(S)\Ӹ"$ix/20ch4xC<+=3}oV%`{;AfRUo8e0g]ELG4}jl!f=  kF?yB0}Dgqd]ka{,+g?D*,P1B9ekNnKӝZzjVq[U^(ƹgLyz}L K':ǫG33LWd? ƯU @9M#F01H4nE>jG84W7,8gNma=@VLyu+',+ƀpoa"lxmѱVJMgF{tb͉x;&D:_糓bn0Qaۛ8bGC¼藍gOXX B]ױux[*~pHIL ,Q4] wEUvG܆=T-L W&ò! ]#2 /Ub# ލt#2 w|C&ګV)P:#]M;#VQGuЉc}cEͳ}_r،4AWz]7Y|'o=PM.,@`Qu|IB(d>1>sFheGq>s0|-6|NqqXb׌KKU|pqH7-N tgHL\\K%>Jq7$ /g@*HH1G=u=pyU |UF|( 6X-YWX^['yj T%f8(%uZ֭> pW*.J.<-prk6?AzqDq"<aW@7G7w֐f¶}kmlM&FI d!,`|AqT&CT"=gKѩ^z$-0IKBg\-3@[^V<@iJz==o*@`פj[\JlcB!#klxO,1|(3ai,B$J$!D/CЃ7Sc^13-.Pr@՛½ tzB?'j:izi[&zI7X- jDp"A^֗\.-gB Eڦ`UBr<YVz^ 6230,Ȩ.S^*{RYJDyj躨H␣p8#-Cy |q ^^ b z ޙTe$ @c| s*1]?a{iOY\~iUpf)ǒh?}~٥PKFPq)j0ZD?)G}x@FFxD Y}!]1r'K.ɞj+o-?#nLfl==i$hx+LJ@q Y<=Z H2pbHHȫwzZnDWIOqTdD աW>櫋k!7j TYCbŊbdٔrIi_=8>g7d;*yێxx8l_cط (cS2ơP\Z bL]6P-_0j&aDϣlS@nT@+/B4l#+݈w'{#j@٭ 2XC ecc]{<훲P@@7]e@m(ӭ:6u]bMFnR9U` _ق> stream x][o]7v~/}2- NΤ*j4 Z,9M.޶Α4EQyC. ˫#v#qӷΠ/g8Ǟ['{x %ݽ:9es{Bj{Gk{mc3rTJ0.v'J;e~" -j;?)a:+>{&Bnԩb*8\oڟ5+_' C)% ߽4Zj}Wؖ {-ZsKB8v28aRUGFUa'XN*節1N@zX=8%i-i/yDS8 w_^3+.H]ynbҐ$ KB,޺ݯ'-\͙W x.JйԾڗfFLr~`K?SYQA =*6|^z?o_semMZc;.|$J,jd "-H(GVr=f* 2pb|qv Gf!R8Y""yF~ R8-x DBҤSU2竣$|.'Qx( (A] ;/xA1z*BT"6?+doQ5``|ouү_ڄ~AfA==/ZF(!Tʯ`b6gT@Σ B*m)UT<]jU.5K@^c#0mDq7BQ@5.GGN Tln8FzVwi 9R5e>e̪s(JE)IL]B3J5l +#:F 9IV94_b mH>[Cd䰕;8N J& o.("H(<<:R` %2bzVn`%:)+NHoNg+5IeA;t7ɾ=[!< <Rj3U;S.N&escC4(VZћ8~KoYTHzMT~;Q{geaB"4>S҈3AʸRL͒Ju2 njUpD}N+U0G eGJHuCXV3"CQ^EpzVq:klm1;%lms\Z+GقAe6c_|{#h -h#[,P;G\@\mi&L4z39q.h/+XY3qk#5p~/,W]+Ӿyc |6ߝ]27耙>8H\E<*U;617PN@mF8a 3p6 TİoQ( (_;M'ջp48Y`nPSj8mh@5((b̋ހBS}yMXyB01dk @fPe&1-p>}k>ݥ E ]VaöK} %T2w&{#O#wt!`3 Fwc``I1(oqG;/GE56TA5]Br7u mJD>g5f'qL~w/i8{r S f `zna~cʦUn"߳8'b l[<뽟FAQȬնiO=Mn(b#sr2 V"lng9vhpc;4' P 'B߫3zNTv땩p憼\;o*pLX1_9PcA!\a`Ny@غ]XE-:uoxÂ336s6=A$& qT,m8$1n\ÇŪ e 6|.Xn۰Ob2Obp7@/N5.>raJgJ<|N܋?Ta]Jf!]VVx~; yTZjFJt 0pHF^)H R ,QYY${Un:0=9YyrJk: ʋĶFr F]7"M4^=Ld"fޘh) O%ps*4aa8 Oy`u;fwMAڵK pijY.9(:jS ilo\.Ah>=( % ̬NVʁQ]i4OK4;,yQ#|ei^/C^!?خ( dGy6a8i? }PKagÉW4fd:BM&v5&8?^'Z?v;ɢ}4)m~IG^8!2tHur,8ܬ`;9;U5U5pQKU&*46̍"B;Ԇ YC5^ܜYg4)LlVb?w7o>*Dy]:A588T=k9)>AeufŲN!ss3ՃӥM/ ïĿ@bꜶ勰poBJ#JJd0Rdc]堤#hдBg,_18 /b;Ω"ڬ+ި}MVwU%{ӱA)@_ʮS <ֆ#m0å>N8̛6v)0(]ڬ(RǘԳ_s8ń'T%}CU,w 崥*eV8[T͈2TWJE"d`m5>TQTlP uNn OI ^ ,Euo~ؙ{V%ȝ P/jP\oH qi°X'/W0`QP.~K+u%e7oZR%gL۫!WMz=k./?d9g+7 ԮB|ϋu$懾Juo.ӃUWyF!8W=,%ƟiS{zp42Sۥ+:qPJU'BsNK59Gpl s;ݏ6mM[r6e3w7۲TdgX ո6~>p3˫W bxݽ0\bf( tbhOb?LCJ ~ӄ|;"R53nm(i~%jY/Hl&?ԪJs0؆Y)CjO`> +tMXC>O8֠mm|]wBֵ[BiW2>d:"I". c'!'mfOQbgʽS[a Շ>˪W,OF^ena k5VDqM pE؛f.fs;cԽsXPy sFyKJ^X\Ίャ|Rfֈ^+QZovE|d&1U46F!dyé BzalڛO#ȲznZLӭ!wk)l='㗸0!6_] c7*bl|+Qkfxǯuc՝o^om_CHUޙVU m6u=3Ȣ-:=RSq}ɭƏQJXrW+xuh/: p餝Qv4lr{>L{MraV[D9V@)D ?(mkb$g\Vx}Z|otU!өٳYr%>j$e@`lD؟x_ )7rBmb:Em|%TSaI&H0F $Z YQK 0g6+:_^Tn~/) k`NJ_F)I5WZqSVOE87׍1>S iOA챴/So.Kqʼnb9q>{Ii~*Mr +}:BiƩ`)Vq7 8⵶#8 DFoį#W9eʴQ`d65ܬ$)S5IhjYz_\HQX /?Q ǛlV%h IO\Ga߂*haU+kWttƠqti V& lq3Kci>}O5: :}RJ?KMi}qxi nZD^q\O77D g'FTR.[dͫaQs4Ѷr@4J߹Tm͊ ~:Fe ]z>TrriZ?mʭkPI|pOFh/LjXQ M=£ó(r%Axt `6aOwU$K#4t6N9)+ڮV:۾RcI RC5d eV4%Ai44BzZ2£}iGi~Ӌ[-6Ӎ0@FvUVՍgp,=H{a}#d_J  /`L):vkzMGCtלkD}Qq7s[!mu1.o $%2L"8ڶQ#^%dpaOG Wkendstream endobj 231 0 obj 6103 endobj 235 0 obj <> stream x]o]ȏ8G&nDƁHlXKN!wC.{%6p4{CO+'[tW/G0cO竣Ile^|&J0~vas~ Ly!5_"WVsOmvF_nbmȣ>(;`w2=4LujcOp%8NN`dSGnFqn`x[Љj-o⻥f +8tv@^I./4?COfy4H7vX0pz/RyjnН爐qj^ԼLMUuд^q:،p*=fXu~xƪҳq%吞2IqSQ~aypt5`/rre.{mТ 0Cd//\ Ԯ?&xεY% ֥z2۱Yû?2͇)-pbL\j?݂Vy\} *%w<5_*^@zK:"ax_m8Q$羑[i,-P[tPLbˌ=78sN 2q,=k`vX,;/&C3|TQɃ@F-ʍS#ܑ)28ar oz~qq*)4:[nãҠ1@ "Ѡ5"1EA` ז4g {ɣu& 3 XBjsZWL $ 8E9SsLD8 Z:ʰvϝe8*@?nO, wrFJZhJQi9evSLݏV75Q06q;(PP,QNZ'O!' _UOJ9dTƥִ%H 2(9pdzx!vcIa8n[\mybXe.%T~m"4ހ6{ f9fbmfdcmgJpog.38 y$Rd)KkKA8mwcr;P;Bm+4 V) =;h B3nk12ԉqG ͏n<9[ڀ30[^Cm6jF|+ g(΀E:,qFXV2IEjPdQ{7NV᪶WS?w{'@:~MسL'A pAhsA&A:ʩ.E%@͘2@P`ҶR<&K X ް~Rig7EapJ.sq(3w l<{:.[X69!MbH@k]D'U}U-C rMj&R})ӢʔE* Z3_ y[ymĂ>@:ԊS8E{t b岍֣p˜aT'NLCKJ܂vHl5`3bPvcHw 1]b K"hщڡE<ʷ ㆾUf5..D̔7c;2̀9Jt Kz R߄ZO 1o* K5nLЄ@"a*QMV) Rg* 3EA%Xp8jR^f#L[ttr۝ :|>/ԙl@zȸ:^ħ|qY2:]+%،nS)L$8"# kF00*3@}TBL.0bsN˳"pTOcIdrͭPtR-߄JyI-A3qh{טwcI1/ .ri!>LLܼCIWiU][5GI|C@W/f};203p,V4v#flgԂۃe|q\(#kꈓGӪ'Df<68z&RO_]z/oSVK+YBkxhjlŝq1eCr3<[/zoSrR{8q3rZc6Cl;3D}YSWI;N&ݩ&9` _a w(H +Y.RʌwU9NZ ])?z-{EC.Z*h|_vwTlle`opYz&ǠYzLϴ\ 78$g@jae$=ޱN5~))m±ݱ@0eJ,եl]HnKi:d4@fmN{q­:t*N#' יDuO"'Ҟo@b&ГW_0|ԴdqI;ZRCp Pڣ4Hpxcϙ9p8c淝Gp|%GC\M.Ŕg]5yj+-<Vr]XS>Qr I>]W<*{C^w22W:5ߤ1p85P*4_&ym lJs4_}s\}uZdŐ/ReO_U V5yu*[+<8Xe&f_ p og% rZTrZ;k%\5O\~mohE WK)=zI4n(NFaaPp D]{4)ݾN@^G sʍ g9ޓ$T)lrKcF6l')J7L29a~֠x=g*[0JaʪlcgK|lP`wI٤/Ta7Iendstream endobj 236 0 obj 5207 endobj 240 0 obj <> stream x]mo.GT6|i?IERa(#dv3r%Nw,ق p8yf8~Y/=>]cӽ_x|Ch{Kla^j:J0|bs9tuj B1'mmO  R\*c˕wbRs\+q) mƖ)VKqőx(̂kVd%<h>yT!A*m+Ng,FҜbU({L޷&:!=3C4T|WI.>_Mi(z~P|/R}?k oƴ9ljA.R8_ר-WU o 5N' beaW +_I f{m7{߃lYܷ{\ ?^Xszq5FtR5g{Mmzt}a;]N{m#/Eod9`R[ gz٧uV^jf@qJ4^ߥ^ 3s{ԻYHâp*1{ jy'흫M:4!Ф\)xeX0.`B{:Y 3l`~.BS[s!QZo9aWL}4 Pzńt7\:K["t<:@H`*3}t̓cUHTTt%[L-&vՁ^,L}Je:@5Ԓt  ůĵ*wGm/Um2!p$" rߞTd2"E!ЁЁ# /AVMʭQ &3Z؋>5ye,_ #F39VekObs-ͬ qOB2UcLF˝RNRj5&{`"`4QuriXq^ׅ.l5$~ nc.ۍ:ik"κ&ъ JM `1h֧G"]5 U307'kyt-j8f[_*u7%i[GRЗD&zMy7Ҝo6er.*@c-ېwwJiּ5[3Wt8" N fG b>"|FTvW짠ӟW d)}5Cz%l' /o~s63 Ռ+ܺAzQ' Es(+95 Q{r,`Uw];dM4-0Vȥ W m2lAIY2hxIJeLH)BvF0w \xPA&xSZ4ә RvX 9ažD({I1ǛqC؞e%h :;' Vg͈lg$j43Q T5 Y$3A4\:Ѱx}S&n^Xښn/P99}s4^#36.GdhTpM<3!8hnoY.GS:hgU%rZ-1DI='\Uʸi"ML@J4+*M+ːg8:6 |O0kv? Qb#Ln36j)L!A  twifoVBeG$i)6 *`zN_Kط]iRP0yT{3BOEvF* Ul`Q3Ovƥ460YXVSԨmi{EsG}F$ΰ< Fqc@ެ̜3Xk_!WxXk[[SĘQ-a+XH}6oB7붢@Ř[헩<Opӡ+?ܦqQY Cl|񢀙 f2,A;eJmb–1^0x~=6X1 snxro 3*9O 74S:"g_aBKެEW^9n^rrZVtI2SfbTCK̶c@&LMA`w!-B&[``%;CY'A(:ނy݇ry5uZ>H Rl*KHa}QNlQ?0KG-n0[@QܨѨm;YL]LH+J٨ku +nTW8@wt3h4arj&^*m_K24[N4߁n 6L辵X J҈t5XzAN ,vaVorsr=V*tV`o}e~z@NEzUM3.\a7-i{ I/;.M؀JˍளX A2  r#bke\ʊ ]Ρ g?JHgxpBqfM˲E*a\=PKz;qqFn앧_U1K$rfbQ[Jfa "5LZ8/`ս*RTFs':HCʮ=%NQ&v2Z!_'TYL"*Y+̂[;?^!NIY8FrBUp\ rU{#P)s]H<=Mt=ftZo䲑Qy0}) yA0Oso3k>;} O0"p\OaPY[}d@WR4o6mjNSUo'`j^~܃AI{)VC AҿD{ $@A'rx@B_HaFNakN-+xx:4;1غZTa+,c6zN)4ښ 1D͟ʨIȋ+[{ᚮ"X-3ZUk^3VT-w|B87hFA`m`Ѱf`mO ֮j0ebV0|PoM&ezvDkk#j7 Fz:0BَlwW.2l.W+\ECt"ݷt¾>]d"dU^ܢK|b{ zչ2kv'OfUߟ SdfmG_a.r ^ sxe*H/: 7v ߌ?$$?oKt69ŐeB.#KnwWYU?\Q>IfRxICT }`rHځCR8XL2&o;\q2gEr޳xW'iݨv1un+WF=QM{"L_‹)Ssjo|v6ż3j nΒG-ŧ `%yeAv$9'cA|0V7U$P ٱ4bFXUyf {TEML)MzFb %Hl%bҁHr;8Zn_oXj\im+8 {|@=gendstream endobj 241 0 obj 4074 endobj 245 0 obj <> stream x][s~gGTj֗Ub9Uq\YDH(_n40C:^\}рa0~^L] ȈtA/FX>'1jcpla d1.ge0oe\0kM5e˸?xWdZZaei:;(7GI+%!B+*Ѹ9Qp`՚J y×I3¦$voYᗸ F- Pv!SCBQWagq{wO@paͤ|tW*"\I33`Z$WQ~8 jL/4ie S\me+d=.h5V:U: q7Dhf0 u/`Gy:`za LZQ+5ZN1F7AՐ=)&mFGay/*Wu4΀H0n>kVY[2U1Hpwtr(-j1M\OR$5x~Z3m+BmR  2F')QՃ1ނu|^ϧ z 3*x 10:=r4J:*MMJx!\L9HTbV|n\<~>aZ/KBף kkrkœO}4!&7,`3 `QgY;_c55V1 vvGiHpSYxnX}; ܾk0 +LZ.9P-G쁉 h,orb,]P6P 3 OFb9X@al`T0JFh`7 imUppEK؏ќK(`zŦQoYn@fq6SBSψ1O =;}f/ĥ  8P$eűET:|H=kvAhpVOJaXl%7rM)CHG>>F@Dpg(?'>Q,)WQ1%ޣ 8Ψʚ!9\_1Z|Ga͂CK`]R3;֭0֧aQm `WV, C l8 J!<R)_n\|m0Pt 5{=v?{YoJ*ޗץxUq(G{ҝewxms;•"JQv?YygnSn+J2+ 5r\s~ N- l6 =j6’eBA`G1O',8RE, ղ)6EТ B*r|EXFBz`n|1qoҘ/ ںHc+3Mdɴh!"F۴3*jb pQ2m>~ǵrRMmK,5 hNvȯ9M .*a0ФxSPa>ͮ3%= J)!B+x*@ x"8ˁG_w@zoPX\\9_yRd`qibxBB7.-a,5,cerdb2X1X0X@1X1X0M˷=7moJd\1J凹^˳觽e^\Imt r[=+P +?,UāK3OO#^NV҃< ЌkS%4pXmʑ:E!!8\q:6um@A:F/8l 1m #jM1fDW\IWl} qsA15 p].D6IG^ hNOqXa^tEv$G|dltkA}FDӓQw۪8Ù{kv' 50d ]8ă0"{6RxtIUI`C*'mJ :d,>T}{ONAmq[shMBB1q *])eX%0޺k;gXѭ+OH4#jR]:j3r'T39ζqKOew7HGۖx4Y$qdJa UgfUƶ|rj܄qCE{);L9;eGf#1S 6}y+o*CjU?d (h^0J$}ǗWxϒ XhBBNDߑ".8jlPwH YQjy++SUt: Ш~:ϡCLqL'& `sm)/SH 2^v\JU)].k Uc:5Ʌ $wB65^+&Vr= >(*k>~MݡS9 "W6}JAA볎yZ~GKiw ~Kd輋"jT d|($N,Q1ULÇôGT?'@vʞDN-G_::FwfĽ V]PPؖ?)ſKyN%cmrr~W踖\|"}u5*=)nIx9'ym''yf,LNnf _}g=HCXQDx^;GʽZxoFD'[`DwFm~ڶNL1O S~f :rt{ԸGR*uDt0e(C " A[+xg#AQ~ fY+e 1:fR@GMj.㢻r:8iov(Uj01ڦvb0k(Z é#Gc|T)87Eޔe)u^^qHU+p=8UjVLkW M^oفTȐe7x'\<DnJ?P32E }$|f* HDx+Y%n)rGw->ƽvNDY9]K4hJiYe)ޔEoWi =L'ALz2j&q@358|9=LhǭgY4ǂaڂqxM>bot-7] hRd2s9o(+|Mҷi;(Lqp]9!<{'2FQu:Gq8-t@iLN ~ jڋv2|0\7:Ϛ_ sx!s$wU" yk:Lz_2{8G(HUF5vxpC9jsa鵓^]$J{1*laE-9pspM"y~̰c^(? UU,ZNx?V.-3n#Bi@ M4P4f~Ҿ~")de-^ca6M:W] {ĮAڵOZIk={5ߘ{gQ[| st"n 4]hdUWI.ŗ]uJӥgr~PRLCb|U?WBvœžTXDoV}[jq%y:>iQ\[P|ly߹A"OYEӬA7XNu}PL&/ S\K0~>hCT!7u\a J2#J7IWµjkY1UGCǣ!Ÿԇ1~zV#i4eM.|F 3;]5"Ac"\V }3$Rx|,[V_ ErcoI)~m/q.f6vd3nIʻI@ڧ|r暇Ih-?I?TvmvkTڿ4#ǹI8 + n\`7 :6?I{Ief?0I ;$f-A/pOE1u|#L%79Ǟ|Q>=t^};1N7&JNhVDի]/Utz G\J+{QaPi: m}u{n1&K yQv @I%r"l[)<?sLۈ>#鏼sWŚjVrnts@Oz$qȃ4?ĒEo I%@K|{^(e^j<z(TZۡv&׏ _V⽗9@8m5Уe'{VijȽUJst> stream x]ݓ칼c}8OHW)'Eqs!fF-4;{qbjV׿n ?XW o.~<|u(<[Y';W'WG߯??A̮oX'\O1S^HVs6V;#/7Rq6䧟oҝow2a\y-E9 Lϟ< INz XR9ƞiAzQs\70ƭrDgWz3 +yp +\?N<#xJasaVw^g ;FyX|g-t\_R*5yj>Ej M*،p*=a/ͰE}LUU'gck-5H)S?!&U/Q-Ug vv ?Dukp}y$4w++h\];'G6ABA,=. .Avǹ }\;fl$//SM.2ť-ؕ@8Ev JvM*<۴'vL̨[Uz3B6\› 1NL `‚aVwНžlUWm;Օ*‘%g;9o獓GMe\4A߄e8 X 8Vª`-Msr 5F[:'L9X"dwR0oy?LFs/n;6 l&GKpVlguf03Y"4lae.45)" aa45/4Fl𞢁p<;>.d5l y1-R[MI@-=KRnĊ H2j$_ mĩ:heo]T_o.1vÉV=\ntvn|`7mt/ Z_ &oQÛ&=.R j'> |Óa?+[izؿ ?۴_|o`qaN[Ei5~" S}?IqKq}`on @?@LLxk E.iZy^ّ`̨a_sH8#&{ 0lyp 8#1MП x_l)6}'x{ p!9Y 'IvXyc۶ϭyxNz e|Uf7/X2s]D8+kZ 8|qRSE~K_&I4&-ޢ گWtjQ5h׬K % R&9YA)ˁ ΪZztPviNT0ܕ"+n1Nu)J2΅[O~VTt)*Gn~qp[,ڝ2L3A0dh(Z:ps jUoV`h (L(Ϋ~kT8 3q4eDaPA&{k r&_L=ܠQRSV8m'bOtf=@JpmŎ sF"\pU? vyì6Bp3d02[:Oz&ƹt*y "(w3>ك'n@j RzL{BæbG]NwvL6C*<KTnN γv:5Pz]txt*(4S|^i/M/ >|z["TQqdޒwQZ>*$VّPE$@ TӇ2̶NO Щ8'2? ь=@H'B bdȢ§>ypU3>SQ)ۇKӭN}&2 MDq]mtYg (ZZ&p GZgq 1ώ!\OXbJYp}V%wS}4tK0c 4awqF' %z@GΙW{x'wR"5M͓ԼW@Wm\L H11YdC6>݇t`,TC P7z]>Km\m_oN}1S5V߼|R(פ+jxufE˓axĔx漒S NRFVir:ЁSڃJp>G9E9D$u9՝;lBBgUB~:e&EE|۲ͻ$9pDw,BE * b +%SH%r&܂-0WZ(P㉽Ĺ*@5Zx%_ZB nX#""`wM1>.^9]м2 -B^C*ZE{Kl}ps()pM٩0 ӤY~x=u   nXz2ҖO}YJa؝jýE|]Öxi6!JQgz/WOXf4z4}^.NT8]Mji);6, 3g^Ā G|OZ]1K)ױ6d ϟyj $a(19yI:2W<5R󴺤Lig/jBrvӐvପՅ^/|hkqt9~i)&V^ZV XG/+$ e%-"г7 81]LnhS5.w1nO%[ݖqUhAuyK9Po吚Nq_+_):Av+^3HeՎz/p в<EJtzWc GGx+L_ޥ$)VO0J`oQCfa Jfq1V$AvYb J{vfH༌#ϘB XXK8"X2,pL:%s2O_j[^ vHHOeS/}#Ǯ)Ca*pWre#IףbCD'!N5)~7ߊ攳M,}B=-$KxUdІ;rނdpk"]W (P![XkzWa,Hqn\s_J }޿[*ɾ%9/r,H~ ԰&XXs rsLqv)u^=mu vJ=X !F/$<X?@r\604qxSLj;Z^:%PLWդEYy~L9UjJډ.ncZLSȱ*5U;wcV7kw vY>.~-RQ?eܼIYӅ8]ap_9OK8/ PVt&EHK%{76XC.S'%94O95(dS,ﰔA鹃x^X(y(7B*A b%Y`HэovAX%M!t(TT _ Itq1?ddلSL}IWӭo&YvjFpN2?~T]-zI)Žm8s'c}~}`ɧf.N<=]D 7YMynY⢛YjQ[-ߪKlyJ8,3~0$)J9 tI8?K\{/KOR>ݓeV_}Z:!w-wW0--CIn:%DHP9+>hD  _0cE8 Zx18 ?mZ8 ;N-^ "Mޙt>xP:O'xʥ"Y{泷5W]y=P (e1b3A>D~0G\R).2\¿18U_nVԌ]Gendstream endobj 251 0 obj 5306 endobj 255 0 obj <> stream x]o]菸ScH?I)[-ZAXlIJ]Kvpw.Nڳl9$'47gP+I>:?_]TUǣ՟OpeT'GݗjNΏ~\;EүoDeqX+6~IVY~L68X>X!^;韎7X>`ՇO&ZJS`+efDµ ^eO&[?o]Q_;a|cQF jQ [:Z3%I0H,#C |ߎu)@Z D2/W~?-ۺF9]B"H:1\7|U>,egEmIس\㍗A0 <+`<>H#"PX>>}d'ukQԞ(4sXbf pN@(u:˄XE~~wULEiS!l A-⧽F%LٯZQ ;U8wr7%M8)࿶ 8/ДlGT;჊3Y N#opGQ=*^UQp JG9e4{][n϶ﴈjY}&Sh79iH5nh=u(8c"C=+YIs5jAYpxiVM T;r lNƻ8@;J) ̏^R ?y3!NP^ ƙ^@C!ɜ(Ж 6ǿ:.f6HF>9̄[h=Tg+2g'M󄖅:A•RGW .lr4j lK&-@ƑU}/:S88+ѰMv1P6ݑ+4h2] ǽBFֻm1Hbʊu\4k f\An,μS dřdE *N`*΄b*FQ?lQi,<շZn¿<8=L aNa*Z#t,9D*fkFcu.4rY/q6%E:^Gc*s[śi6vYj\9SqӜSߘZ#A- 7A oM)N=zYg<%M&xEs1.d0WyV^m闪=F/v&?*XMa7pB듣WշG:ZZ2G"/ /p, (I{gՀ>?>{_CE0Xֻ`y0Xn8Xe{z[Kz#{Xo֛z;㝭bxnybdyzfCEտ+il)\ҠI37oڠHEkUsVޛV5蜮y|/hN uFPsgeءʷBK*TCi3" H5@ 8p49܉?ϝh9\ӟR/mpwȟzܯ@*'ӀFa`7 $\.\3J1:a9J %XQR,OޯiLpږ8a4dM!xDsyv80|Dle+Fލ%o-9:q+PtjGȎs 8Poq3Z |j;dh?dtA?^ўFp=4ֆJ\;`%nɰ\ŏM*= ahvyGQooZZD.?[\dݕ(h *4%2㦡UT2k"4[@Q* j"2 Sf\-Xtc{m0NҤPLBgFu" %x' nm OYС-$s6DC'$&,I!Ғwi(dj)RX4vUXoQxňWy "FSQKCdZ;oc=ͽ-czEP$C b+IZ}oIjPn졒1*ٿF"xg^YըDޠq2ڃ[[uvkܯee|ٯqBǦG-mYfCÖ?sobF)ݻXBvoz{[NU;dý/Xwpowֽ-,3vLߥ4/@Q?I/C5,^`5 Kh Ɂ"}0¸TV}r:ZJ9D&n3VOT`*+F"RQmx/Y:{t(x/A&=-4+㟡|5)'NJ@ɶfs?,YmYgxeߎ]3\k z4+BB5H?r~;2>q0GjHendstream endobj 256 0 obj 3930 endobj 260 0 obj <> stream x][o~#}n~[A h=5 Ųe#Xrΐ<^R"- ~<<Ǚ3 u_^|..nNqyy)\|:88<~ J0|ZF^A5S^H͗פjZJ0.oR1~ kS⇯Ck) YTYԓk~8n'ǧKElWb|r_[kDcˏ&.Ymn4Cm0 un<*jn<ˋ\2/sE.\E"W|F2,znxRE©{lE"ϗ gWx ^ K N aRuzV*@^r~i=ӓokzp,+8\\/8}yw,vXx#40Me:g锡2$RhpE̖o`ʔfNy|1ML]헣[߿ #`tnxiy z cA v0 ll؄t<֒?;Xst' eFcT; aN1'jU!UCc~ͽ4 +&Pc/]d` đA@lc%_~{H)   p1 ^WSz fu3뉑X/Yz#g^bjQi`XxŚzփ~fcc=o:Yo+a9zFI[HpHHz ^z"Q=1˂2^[q53 ,ހ۝3(>/u{nMC@>! >BÁwelRbXMiуe+Q O+v$K5|B*NW} ;]ıb] /p+sm?LW0SB4G vՆw|}z+Z3_ĽlXs2dXzEqߨ]'vJV0\ȴmL#Kg {NOZ]F@,@&\ Q2!WntfUh5Aus4DgvY3]ݦ(h^xTdmVROF d?ؠd . y*VQ:ioˡA--t^`M]uqI>C7-LHlQVV)eGb$WCEc" rVAK퉠sfcCTzE)ADCvZgmRWw=Ö:`F_y?[r6c\vZԵܞ'/YJTǰ] u0/J4"-rS.^x!#-ֽvP0ŠM55KcbXMK)dnwݸ3•vo\K|%}V4bESzGDD1hְnh=qnۄ%%ߤ>k{s*\p^h큥 gSM D͘iy"IR k"vr+@DԎ8 iK% ccT򲏵ڀiw|5)QNEAWs(PZW5A2;ij& f$HEIP ^A^>NEH ==@"IǠ')mVSj@0_wj9@ 3yOjQ$;j_%=@{ZY|AAWs$`qN͒ N`c#{(p~(~O8>0<"η%-~ j*C4DRQF _`K:7ڴ"I v D'+7s~WxʵLRbE}*;B6(S /%uF5Cexyɇg}GW ebXSU1꯷; {՟VUޓZ+BKV~-`UHU=q?DjU&̢`J(pSNt5|7 N} %A5xI"p/O8@fg=pNr8?50?"8<1`VSjkV&Ě=>I v'9Pmw# KzP $0, JIN$ H? QE, γ(pN 21 '@ ۀAb1K 7*&Fwb@K 8.1@Q%w 67%ĊhvN 'dĀzcbkpHף/ð{ MBiDS &lȁێ=Aw3"KQn+AxtʶWo/ubZ70wy0#ߴE p- lQTqE;; Sљk`ڴW 5F{`{N{cʕ%۳("3f=[4YS"!I4eٕV0򺽡Vr[/yŮ,0S)we4,|E,#MO!cp=&}cM>3FVǍ tы;w/{r+!U2#گꫫ8` _G~m58Y.f>C =°f3 m=唌Ȭee HeE&+{L&,"Dw= 5%3ELd p)2caUД͎\Vmu"3jYB/Y5|(|Oδ4Kg]~GBhltMc6sLB1}k`*S1 `:¢EwrS.T_3\*r4_^@Xccć ?);O)ep]yeG%3E'4m6n ru7m'6FmlA-~t69{Sۡ8x:"^)0;rPԄJ7e9+2rO(F78ny]q\"G(pi2c¡E萋g-SzBtiy$_/+jk-!w5ts-堆;|4<^hCn,z!yEf/2`b& x5Lr |H3AÌ DB a#f۶,ϵ0畎+GrLmLVy.핳aϝӟ,> (q A sd;}|ZZxpATn>SP #)]ӱuH_xBmUIPvZiXGf `أ6}k06ΛnF䔠g 5m8wn8:JGS0a^@o&C^O#.'w/#rxJyufendstream endobj 261 0 obj 4460 endobj 265 0 obj <> stream x]mo.GwY֦G(Ɓ!KlD/%9q}gr۽dd-A4ryg }N.o{4X|l^K>:ɜN+~B]I7ZΏ_Fb_C:hsԎ&M⃸f#ؚt QA~.+͝iX8&-υj-Euh˝摻ٴPi_.#\y.zI"ō2#zZ O򅹤8Sy^7yi1LHߘ"oXֹ+E,T7],#v;{ ~73NlOF;J{? >K 80?R?:$ p 4{bNʂ͕谐83A^8tZhLx=K\D,P;ײ,XK9BHR 10S@{|K@TPGLYBJp/M$F>$ J2) ! A[s>jLEޥm@(nT 0Gfk[`'W?$` +rҰXO1t~Q ݵ'`y\ 9DDpT 1<%Re>Gu_ԝq.𪷇\$G<$&ys񪐤v*i:OգZ]s';vيBq8WL7 ЁjJB-[hts617|5PbM .̐#R Ĵ+*ŶRUhm[Z7^_P=!MMΈ"֨@E8ƘV f[e4w}(u+'kjCh^A[`$dRȹlbknLj϶߯r0 Sy\g\$h.a9gzS u KHex?IQ>Ϗ scܢb_av~aT1C`>#ya-ըDa- ړQX3>*pO!*}hAK*Ec| % +Zlvg=H\rG`hH;.j--q?a޷GcB8t|ny)_8}8'^t$b<'[EvMIIl!p$?Nݝp& 9II0>;ݧI#'Ij-NTt$8ɪ'N8m$dUc.'Ic-3'[pcZ.I7Qy#(P:E4LOKDd:Rob!DʼnSq?VT<'?nP` rN>FǐO}p$ =js|sn  ĎTZHDFF+#+Q>v[40-mr>a-Mn(qRFfn4,/4F4+Vr`^ٶ̼ڔ6p":8>~M6aƓGWJ@ 7C-B:6!xǃښy4Yf^OK̼)3o{w'>p#2N Ə:ٹ0s{F07wWyᄠ03>/ՌAJyYq7^iWkq}!iKYs󥄖5r3cG`t!S5[LH:YN9$ϻ.Aof<~JÔ| 7~vZL9Z~VZ";;msK}S {]{3 s ?~J MtJ5BN ?G+J_~N;WtdR^xԆ51e4LܸFKf`рz0#蘅Q~0 m-0(A_oX(x>S7>%8~| )!GS +Q{+ml;@#=N}YthXûHs8ON C%S®ICtיW)C36/7&R.}APE؉@2tE+5^+j"|s)/1i){Pj%>ѱ~>7XPoy0ebBG5s&4Jie\$ f&ߋҔ8үTqN!qWlg>v / eCtc =U4īc~9u(zT L(Br\LreMr|44 _C|(;YH'y`s7q=;'̔e(oNUS - o+{RfyTZ1e7hv}B՜@WNV;wFmFJ0Üvav󞇠/2p>G ~Jᚻ+ȿ.ⷹS.u֧# k<1Ք(IQՋ>g٘"۪UɋkTqP=n;F+4qb8ȏ T.Hȧ{4O4J$x@s!V)Poe9 +!r DvR+Yxhq\݄Sei&pE.ڔيn?2d)aӖ&F)ahendstream endobj 266 0 obj 4044 endobj 270 0 obj <> stream x=k]qпr=a,AmZM"Z끬V]w!yWRN`C!NOgO'ɟNxi7aǞ3O_/g7'=:I^"\A7S^HwHGlkֻmvFޟ bgȧҋ띲L4+'d1ߞD  RHG~ԝr$,{Ǖ]Z=-2έ0ת_pwlXt`L- 0ZXaSG M;7jjg2&=Sx8ڈ.g08 Kg(Q=9ؽVY/"l".s:sGtaT ;& ͜-s~F|(l0(Jb^#0>^Hh6ț3a}Of&%*4LU({t+\^.v:P}J :`-u[# (XC2Ch2`kM35]Ct T6EKN+&!t +̢*"kFm5w>4f%s:%=^`$ts曕wqGd/bQBF&jvxah,$~]ላJ.78rc$ FʪUps#Ŵ;aK?=v{ vl }0RKz-v8? WU wqt~d@.yHҁH:ne&*{hNġc[4?Bc]sfQr1!ߋcP_IVZg_AI$(w gafr& 'mOPEqz0,Uxiv%R2Y*'M?k30ބvCKp V#_>s R,ͮE^a(:i :+6ٰ6?ဥ6jp^qŧ6/{^tgCp^aⳛ %,tڹ/vΉd"Qes6Z}_;G xAڈΐJ+Nڼϵ)BYwȖDM;$wC _4hYހ.7gD=J!nn1UTR3Qt/[-f[K2ݚF`R&G'vm CUË49ڼ*twFܲ\Y:.zkk9H<K-;[5xcFCBPӟmJkR&T~V%"CXi :F݂!ghZf#dЇSd?;.|9.*uj8ā=Qy&U.4\gVCT+L"dBP7T%;ʚE"ȣOѽX=TC@K/WLH 4B(a]ш>A`=nrxD(D^Nح"Zj,tw9 =IsbEnw)-ltV X=,]6bA)1m/Q"I--`#D0<^(E$h>:N[i-5$8c•篪ILsb*}رCDo6߫jK릡 N,&"Q/& p-$,>LEio+|&(ூuXN'(0041fAnF-@S`M-I8_šm*`qhT^en.#>i, d:tH6mlLۡ[PbXt b hY)hdKrSX17x:6 (d 1wgLULbY 2$9Na~RnQLf .,+8s5sV*霈:gFԆ(Z3p7f H_G ^_lf 5U@r͙" |[EN/ME>hFsQ1b||6"Vk4 wY,t3#͐$$C`j%;vj>8\; eaUgJ c+}th 8~jM2vZ|6̆06{9bPXg͛H'qOUÌL'Bd,nA"3n%=զBh ū,4JQ adRŪ e7j8aBN#)v_h%`i{\t+.Zˀ;x/HBDUeytEZi5% Ƽ"cu}Ua\fKifqKJJˮ )'c)wĞPK_6^Sq(p+ ? YOGZ!4 ĸ61̚`Ӗ<" v\x)<4p[`l._ T1.o4o1޳t8#,TL;02L?o$+ecO%Őp q5aj:+*|څh;0GGo"1gmw8D:b;l]rg@3>!4qtŧ6`=c R0U ceMC)CNRpX}U1{&'%}| \IԖ@IBe̲eYz.36E cz=rKo)f\Ml`aB!@촚\q/n2>*9f+)G=flm'.jD6dVH} hT*#jǛJah倷}P:D._ulIij:wq b m-KKp H2e ׺Jޙ\io18ZCD5j& m : zN$`݊MꅻƳƔGEQAmm-2PA[:hK1x$Tp@D*_LV|3y%! *+Gq?aHuvt5v>VC͕ ź0!r:{:TBEs== e'T \ƪ jt]7dw;9pL]DX X4"X]0\ov>uLHs ,r8Y~ S)(Z3Rn! XgW3sp3JCBW=cd[$M$mw{G^GxzͻmI*5pN8z•*F]U-uLPJn]lW]_1{Md]CMc {per@KW!NsO@Vf&'Re /= )$VUϻ*N_%^|RĔU?a)Y:qY? a`9lwOI,UZ=#ͻ-+Q>U0֪o܌O8^scOBG2Wcw6R vlpeBz|sU`\YetƉZg=7q4 ٦Wy8\ Ot8cޢ-o"Nfយ;)iI P9~oEb=6_!){a#@ժ>qXH] Ymx@Bpɫ6%5K_ $$+ioxz |kzvy3GUjp@="Fm6 f$o!ݱ!] _xBک ۢը]*GMes' da]!Xb=϶Tn$37ڹ,t }ֆ3,9w&Zԃ:h#?Დ5Un̨=> D=o8q^z1>a< 1hؿ/g~$c7|aL30ӯ<ݗuɴRXK摤r[c5$ǗcH tG^I DH0PTr2}|pNN?Vq6{;ʿ} P[P|ؼ":%&[3 nFocomϮm7Y=6G(7&Du_#G5*ZEᑏ& @u7OV DND: 7L@[AQ-Uzy~egKdgwrS{MD0@#&v }U>(ՒƒtSd <ގiJq| 5jY=p1kGRȟlD~@W=v~ /G, UL /7'YL\kH>!Uɽ2<3Ű޿3gnrup QV12YUc,k`{11R\fn>*ZpxW`h{lsVq{a5<54wz?\CM-8?t|.ZHi)~L14kIgV?х&ʘ֓8}(TT'4C܏᳑7k BB)ÿŃ@90mPFeԅw<0D76|N5>- xSMf(͟JsrsY A&+oa[ѐ*8( V.Ԗ}_&~k*7:IM> stream x][s~gu r͇SS.TIY+>`]\~0bF z۰o7۳_~i77glss܌vKxc˗g|:98=0P 6<͔R[mm5z{mc3rBJ=0.WJ띲L?|W^KQg5Se̷<=S VȜtn ZYP~p\_7&hdq&z}I Hd΅'>'/p>xæNuTsL_7Cn~Wi`_5kkcjsq5_|`J)lA[+Y0$e„0 '``+ 2)t1iväJVooȼ)#G\j_,65a%~ `ygX&3ol<O >!Bz<7-e.:3eH>pBoCfuջ 9߾'lGظQKt {2(I x%d-8褙(˾++tF p)zg[,i'2(d2Ei@.KzQ ط:YzɾI_Ms8Y(8!b&JDF= \x=x~jE=D|~)T*YzPY̴8$86IﷹyCn~֚ٗG|WpL=)S: x$' 뗑Ѥ%$!9*_axy3O$&7YWR>s)Oˏ깡j/AU(RIҔ -;Pvd9Е" 00֢`C;IfxGvn@Nwi?R[5Ūwqx\MW l$-g(-=uuSOJ@EƦg:7ij@-mSP?un>6 ߖkw@**|/= >z:+¸ .|vypʤo ?-XysUa#J #3ۨU2K^o*^BһD7sZ2vjt%Z6ŸZgTkX}_%p-Z"ZIGH|Ti =LK:Brp/@oiR庳f%9&t0](DlU%_d ^&\^4j+zz7*Pq/ͳ䀆Y6-@dZ$L:E+8rf'OӠ=_g5\wkMjxoM|g6RE^VN:s~Jh4q=Eq]aEW轟8B(B =mS#w=w!5X*N<~F1-f>9{z#xly}F}6EDLJ(v嘜I֋p65 DzNei|<( P   3 vɩg6P#I8 ٯSh3 r>_G @NY(bA5ү::ż?F!9h_ >vSB[m?GXi_:@LqJ Ňdm-;i4-e] A4嫸 /m2% QLp`y}G]OV5,FEHE|1C0qB 5UTX:չ]+S'֖0ز"iUvƓ"d% `J{rKtNDP|'PRDΈ[Eٹx5r(%3Wq7D/`0o)c-EN.HUgXUI0uIp(( Oe܀+(\|ǖ U)6.Qgڒ5 Ҿ&؛4JKW"+& Wg.^xuNFXQvB9~D!x!֬HźB` Wwzr gM3"Dևnf㬺Cd@Z yMrՏħ_4 0!|,7GiFVÿC3aEIS R6`%|)wqKDQSBHt7'WD ZT 95”3yF&KKe Ѝ:] YzS8$M}ꇼM,URjлX_%-G/գ2n ;v;q;z_aN"3`\$o%vч@a1w:©D%'Cu_48Oa燤 ˆ.<S]pű%)&bn~$[\fN ^nZ8Cwch/r.=+nbX hZ"Na$õf?Ae~ FE7LL~cŢ5=hoӳF>\{vؼsb],nVY$Di _Nm/5RKnO{n9b,RfJ,+dE}E;/3 JT&5賣4>.70& RʸaJWj?.ҴX̂M܂+a%lJN ԳL(Lc\jdMr:F-QN˴s&A-|z TeJeSRe?wNflq `tߢʥM|7B R'nԠi0⫻CdqL BOBSG}zΔLv&8{0ex黕+/W;a:r B89SCᤙ-:XK~ŕ}yL9va|X;]S5\A9#2Ԯ7pt`uit+52`yo3{z 0A>1*#T dL5&0ogR1LŦ=D{OhQ߸^+=ڸ@ p6l^66ZPv`Cu-/ pMRtxe?5<^.Z w+_S|َ[24Vmx2>џ<ȧVhgЯ2 OBqDC&科4 L]N.)*x:Fc6:Fۺa45Õ8 endstream endobj 278 0 obj 5624 endobj 282 0 obj <> stream x]Y$~]H]~8a1wTUJkfaJ%)SF\|M&WdkJQ Fxu<%_.AyYgՀ ^0ɓUb:yע1Q|YJ>;>xHp_VV3`}A)TX&\a66͹EeMq;"05Aqs:{LAخpm EN]\S*k`0Ceow*fǝF>(:;<U%UfqЊ>+ iRy*% Yh!qiz?cj-( :;\s,z (a-JY]R[,`Iq;| ~ULl)7^.8 (ʜ-h^`<*eg|:KNތ:ȣfszl"%ZGjݻ " 2F c:D)$a(#> YCdjGP(B}or&7+0p$D@jՈuLhi' PDB[ಯ ;2o=AͧsR :T ͇)N,yHQ~tE#Vq#:Lh!A?Ê`Q E*$ M(| 4FѰaجpUgHڦaYԶ`m/ E`ŀUb|@EXA0W0pyjHgȓHr!i~0 Ξ!h2Ć4@%1QC ЉR(5À'i=WϝFpkԠES 9:^r ۥMW=`]޽,LRGv2/8rn:yEqn]xϾqp=}Mb-L65"MYFX:[ ш"&~'nq\7~؆Kzf,6}y{ephիdq.|O񐝦ct+<8me~i2Jȯwthy}Ԫ@ ]5RR=mrH`@Ɛ ?g=N1;mxfS5eDs^ۛ,3ذn %tsB[vmuF%lhN[-|}oP ?iߌ~4K+yMnx^4i`^R-Qp2gM_>嵾gzyzL]#->77YhYrWǡzU0{L*?[L= &~_L cˈ>iZ+ [[<G㖗8P189ҩ]7۸%rE1Sa1"PR '¸f٨ t^%bh q2_߭圎3֌` vE'JRΚ]R|ͷaPNrY%bjgl/.;Lm У%V=j;b,"s(1Jh3=,\6['΢>Bpj ړ`4ϖʱ ViYE7WP*p9+mg[_!eJjkNrsA@efpD+K-TkR/b@;M˷<)WECZ(mZgsyM1‹Ht5D 'ûx`2Z+LF+=_5v6e9L~snd|Ғ=IVB \*2 MeM8}],uqՔ^FoU''b:H$QpO&%qJ$m7" tb'i6N_dXzK/zv➧.O:݂R%x[kXv8V]BF:x]}؃K&!zpd9GQ".no2hIsP#8q?^;~@iT`b-rh_| p)֛>n^\Ds0n(]7WW{u¡2H30% q!ۦHC8gI x+$gѤ&:$JYyA;sq~8f̲* 4w)U՘[/>$욕HI A=|?V꛹^Vd4PsX oj LJIej牻'%Ajtiܰբi0Op9@% n%:Y+UTSe?o8+(nEgzef$= 'tweE}1pWUru3NY'3AqxqDeޮJǣYT7Jsn8E:Cn! i: ]ՄEޛv盨*4`M?al_E>-:ێ;l%eK,}7p> ŧJʕүJEΟ7β'We5O(2;#XOWNk `XU2&!QO] vVܧ`B=g!b1=vKӱ{8v/rݶ3vÞQ͇}{V'`nw@4Y3K:u9|ӕG?B^iW%۽Z}h*>.`: j #*N\T\] {$+[ror%ðS:(GLS+ʲ3չ Ks9ć;Y~~$CH.Хik&n#UU`nU .((ժtaoU`KEmWMZv$ykүˊ[՛ ivͯԴ?s^> stream xKs7V _G|RMt8,B1n^lnt|[MZ-65ˇ:oh}HNi[TkR ςq9:ȖrUDG) jXA [hjga !Nȭ7H}4OI&֗[ }ֵ#MKǚxDj\vKn8҇DGAN.'16 柳)`~0mؗ% 8GPLԑiy 6{J7/"^bN8Kl .; 0%1[I~M0?̂*~'ozpn LyQwxdu|CLO:z/V-(WU((zwE_&9ZGF-MQn_-[ 5 HI l `ozG.5䃟 !y!ϙb ; )5۝b̃^/fRУRK^D=4E^3!aC4N8yad-ꍙ(^aD>gB v^11%Sk;E=jG$_zG団^So53@^izXSҜT[ }R gFO)vN)cG*Ra*w.* KRSE_r>'sMF-&O5 isIrH/g \Ό獄g?aިB)F+8yh3oƨpbҼQu9GNchxD}dѝFW"0g C薲[2)ed.ɰ@ LL!)B1[f՛HLiWo&E&h/2A!8&cSecu L`473AIJ'&Rzfe1sf&X*-}wLig,٘؞8w͎Llubj3AR/1A| |܉3 6BDPA9AΉty,xx@!0~m'iG h715`[6R½/ۂ49? # NLKcf fE+>86+ǝ%HfGh:5i YTWr`Ĝv&Π3LLЮtdm_(Q[¹ݺ.k9- [ܺe|Uu\P?sNr|E΃=7C-`@౴^O b[ iFNjV/7.Q]m[{B7Fq !D6zAƼ-kꦶ5`vjλZuNWE8RvMvItn0tH蔽;b?acɆ7T ҹ~V|kv(`5y1&ed=ُ, )0_O#0-_ؑ峜 h.|QwJ'_ rϯNy*4+ˆ_P"Uٹ#t7Y=|k4KsڃX#1NFpa;Ʊvc(+>PѬ] N)s4p*аp^G@kvgß"ϙЌcZMNШgВ|)5˗u4!Ϙдfs|qk>j ª4#ghc~`v!oendstream endobj 288 0 obj 3334 endobj 292 0 obj <> stream x][s%q~g#f%pReW*}]jU\ʻO7 0'cPZ^ N싟ndۮϏzů. D]>g揽V`)>kt ~hmϯ\8+F?/ʵ5  d`x\Q03@`_H3bn/jr_4OE])f` ^*m:a5R্8dFK8Xr:H~Y0¢d/ ;nO%{WنmV'Orr`-]̓~1: q¢NfXʱ-Kz5t>NC1D!<JnBr+)qHO$9 b( 0r ZssFiiĹ.iމfжөgfcߛi'  ( q?Bt)q,L<{ofdZ Rr0%h+,9Q7#gz6U,@w M,x]Bٞ@ |Y!ۤl"T;HɷX+;1֝wqH8n@H${vGr0#>pףȄ{Qdݝ'ʷ+roG.nG]O"'J?nƠâ&:vωk 3ލafG0e&ڻLUO!v G=$5Th v h.8if(s މ>=DdNEy #< T$ҳà"FJaxxpެ;xdQ?Oaq < bcb?0R$~QV>ji3֨T>htO1.OTh4Yw';fݟ4eL9^yh aZ|!ܳF ;w~,"Y~2{$zD?LW"r ]z ćQrRh pJS I BƳPG ](n ^PǛG qPhi񻄔B(4OS)t]wם)4]M zBFPh#AtQ zN FOC ]t$0]"'QHJ?U]+,z7xEhhl*4:@ygѻ,4F#.@BW@4"Covmt U~t:"Xkr|R1];urvLoSK6j׵6ἷG6FQMgݩ]8몂#*yM}vPhع :9 2~ DgI>J)i$:T_v nt!Ds';Smԛ\tͽ D'Lx]Cw}L0ǜ=2иVӿ@S=qpG8;DQKD̹;N-ދOSgQ}b cf-]ӝe^{~4N ˳Vrnuc6]|wd @$(ª X4 %W/p)8soҺFm﭅r2Fƶr0~].F1P:{CB4T@yQ"ˢ兖Hf!$Z?ȡ{ !djwoq5Kq,{.yn*eHpTi6*UĠT:N继p:ޣ0оﱹ7)9 TZZ>S."Cr12w~ZgAfXUFZ+ VV$deG0h6T qnp_NX.̨ѿyT4 *4b'k}cQO*aBI?̠)K#LP7-SlC;"q>gbM;u^ DOZcEPÄȹ7M\eTV}[4إ<b zL/^^MƼIzL2FĔ6 lH7 _I.=$J72  0_T&9d_H=MeWCC49;m/ꁒI"f$ve@/(cǁʍ!F\K+LߛP~ 7#E9:żXµ+7wt8zu4-w| BA]$@ N;"0|SaڶQ9]]]-eyu/c}pVIkFYsU͉&gof^ Ta͈8[˧2HGGfRXלW :4l`EDž#҈ =Oeﶦ7.ح"|Ku8CDOr $߈cCzLJA#`ZO5dFBmo9!17/}; (j2'e~JeiPq4Q +IW)\ 80zH#M&S>9v5n%pg'CRDaj# ߭9x?hVN 3OjaH5d1~#'),^ʙb RdO^ c4- a~Zɧ(O{p~].a8F! hZPa~"3 4GWgH2duj$:k/_D #"}ZVXFj`jش@i,U#9トB>.v;^qPv[1a@4}P:F5 t /ϟn&}Ƨ*HK_$r5_]v/Ȱ̜IDLs!P0Av9^Jl [TiÍ(kõ=1]}CGF'UBdN:=߫UNrr%'CIoQM^&&J?>`Y` к(LȪdN0ט:9&s`ɲM2-$ aMm<i%'hZ3jXi۲/ӗf$s&x7$P]qgBX@xXW2/iI" MESO$S:WYշ4)iAIb+{!nlR;V|غM"ی_91/i2w8;V^ixyl"vn"i)%Ime&01ޓ 1wBVjA&ՓqBk6KǢPޏ{1PQʩDHO6z'NRcmL sVEcXWqm:n`G$]K9.{'8뀽g[ڷ={X^ ިrc}r9> Bo+;o\BB:j(ZFvahM@ 'a ҽ*Ow7q7wc!L;Tp"~Y]'E! !$-}A쥪]SNB ^%2TD ?g=p8Cź5qf AĨXu)>{lp-a]Jn/7Fc:L[9툖'PM9Z\ԿM@}0Ɲ3j8jE빮='UE %2н'%ʾ kjfd:Y=yaovuC9{=?DBb`J,}BzaKQe[Xl҉(ޒW6jau-dG7gt3D?x"oyOdg-/T|̋naJfq}TWfM܉Yu-<7WX9 84)䟽ύix3Obn6'p|BvoC`FU,go"S۟ E h|m{C5gCڣV$Xa9oqݚcr@M3s%=nq`EvyD cc}mIgΚNTC&(rN^Epw `&g߸%!<_1EwxT*P= _?r³C}L't0%L}A}"@ pJ,'8:ڛ *1gW燅 `=>*Țڐ>tYu&}tfIOm[brtv.}j`h?+&2eL^kp]Ʒ0 dU9;7qFoVﰆ͛5![<(p d\k`/~MU pk¿cJH_>Qlc58yK8)0ydJұt5>@:1=rw. ocL8]ϡXβkׯG!<3IoEE= $:a_>!* 2 M[IZg%Db/Ao,7ñ&|1ٔ IWILx7\!MY6um.EkhB7|t]2~$r?endstream endobj 293 0 obj 6604 endobj 297 0 obj <> stream x]Ys~K)Jʇ"+v|/RhT&)Z$m+>̠^<jAX @nu>g_r'_gtx|,=['gB f/By̔RiBZ[͵^#mvF.- baOTJ7/Ve"0Zr@8dI;gJpKE=5ZY9_*8\ŏ{KZ5,.0);Ye&=a;8fyJ <0y"?NM"/L''R&%RW?I"~-׃a,HD>MDG=[pcL͗\6tBfchxc.v/ؒ_guj&t xn?h.j%p$3\kK5ohz!Rc&[t4QRƂi.{+ /7|Vv" l-Ý eg@jF%`>N2ȫ7IhLj]wKÁàL|3zר2jEt>xX*?AZ#my gڡn&kg|kdUȵz uu/u8!~A_D3gh}z>/6c3)oklcl&3}h.UsI0ЅŌEKSH ? [Z͕=cx%3Ї߅w:PR?g T=? @7ćCXSщWh&h&Mo8ŀ*qeA5jOC>iP=(N~eØ/O+@Xi$*)o9 F$lbײl w8-Qf oم93BADڨAt)9xQroIQH)GdFq"yHRz9)TA&b@*.Oe\rBr`H6!wP`B4& P j_=4ʺ ^5s&hHh|R۳tqt 'd7}bƱ-zlh*h;pBsiӗTJCAN`)*Uc-ɑgPxr>Av7LՕvf/], Rm/{(&^ ،wHeX{#@ pDKI@kHxR!4lDBI(R Z ]N&%n;1hw䂖-@[6Nn;1᩼)hYUFV< i[v#uG7 ٞPn5DrC|v pB$;D{DRHւ@RD6G=jy#!LA .OՕ(/53].Ҭ" e6+{nzvĢRJk6f}&ǖ0iVg` " 1\ @zұyoW y7aL[Ϙy[Ø ûu-[za @o{!v^)W_\] YfLixVFg!#+ef&s%C,!v4 { Нg>L5 Jbps)5 +e-Ϟ+gx)/IL,9ŵ0/),2f.{24q1%h\zuoEFrNу*&{Lt\wfHy,,fÑ 5y2hy⌯\1轭\BLy{;i@ X+[J3>F@),"6K I]ȃVmu-% hrr"@{P~MU<ؖ#mUtxOIc#cDE`uDD^A 3tg*%F܃IVwB# QNkFbBA ERJz<)cۖĒ)F&],na@ZQs5JV&;+4lQPD>b "$sKDvynP+ t "^} bwhaKCY3IkN78V/yٲo2 Ҙҩ]#K:Wq2N XsF(̴M Ƞ=)nuw@|yAc y!O}?<[5yI$y ⟓pc:^&'_㙗уcun :ъyV : <Fz>-@Zzm98%{B}Kc>҆TgAb}6, aѺ}ijZH%C({%v$^S~vdx_Do01ѺqT8ט]+w֜L YtOC΂*︖pѳ)>>:Xa0E46f. k٢nba b6StY' jnr&€ ځ_|c&N‘AƵxo-l_)yg8DrY{ Y=7!zp RRp]cm$z=5?w58+D>^Rxkă5K q xo[q4P>K+ƴl>^O=<"C"x5ssxr ]@cN85đFƪbcYWN NSĦ['Xqi]veB ,,׮<\endstream endobj 298 0 obj 4305 endobj 302 0 obj <> stream x]Yo$Ǒ~'#MA]>IeyZ2!9CC_YUWɞ0aJ#?$wg݋gb3Iq Egr=x}oaPe1)e'Y[l[o+l;ojOs~0N.1/T4Vz@1o)ayƾ>^QSKإekk{jw0q ҄􋿟`'dW}tְ(%gyuA7Oo2A Yc۴Z7$lZ:la[X ! Kkǵ=X`z{Y^ucn擺F8yRۼnmXn'ޮM6 K3L)$#=i{\x7Gza=tdz Z:}Y'ݾW݉YUd#~L=Y>" e_0,Yxc e~mtncS6EOo8V)Tzq HTQ MsYJL|,Z!n/8K'o8>آ; =-@@JbzruXL =/g,9W]dt*%@=kw,H<_a-D{jYüXMhlg:ʨpb?mu~F5 y5>fL؎7bX* n>N0`ۃK$5onnriԗ<;/nohFvZѹRBu&[a" ;gJutU7T/>j/$y Fh8Mjǧ} s`M+m:Є>iҫ48`?T2v'>q16^ܗ`)RAzֲ:XKT6~ks6OU8h(nLk ʮ;'W\/gB~ y΂)^)pW-_: i#LRT$;?a?n y2o }_ ֺ.*8 SaJt&=}Y/82,rk (m!LBzK:y=y(PG2 K+R.hS`Ah)`Tq 5!߃H6@%Cb h ]+j`xLK3aRV#LF:v5;y743S {Y$sZ8 &ޠT+5Oҟ&p|(t&5L߬gwdI)J=wT* ^\TR]Xpt!ޗ3Lϙp|*;EJ31G%KP+rAydqaq^MV?)RU!M' +`YF[& v`$Z*JAr&y6}!4BKCv.FvI^ TZ ?*36(@7&_˩{$vpGSOolŖh 3#q~3t7Q#ZO_Ff.E<( 9dAzk&qszL =&⏀Ck|#*Ql>_JF6 ~[Urq fr8 YYG$*y%T D0JWuJEDyzXm3Ij <>g+JGb r]US䵯@WBԕ  $, LQ5 H ' L4ׄƲ5ҟM -t~w|QH:TU u +UQg [ P H892As¡%sE"R1ߩYY:IwG 2SHfvԥ^m}`hZ oӤFL0vq)Q)A40o )N5ǯ<<7 2 eqrPp.:-ʈW_h0d$Z _S)'c;NV01g>a3SYDG98LW~2 ,Gf,ql1љ$fl+f\L>]F&@4?@FtXDLY_]N-qfRhlS'cV5y$FfO U@"FX%أ E?RkmP[1u=l@Qugj\Gsg~Uq*!&鍼(1xƂD} .:Ey<ɑQ-:x?h3}sǩb(UFDap潒oprtv!9́Qe `6 2F2&1_M: LhyV1` .kfve8-Dg]S$pb$P?4с=Jh R`$dUvx͉CbTqFGu,ș^|aJ6Ttʧ4~(ëZPVi L#ISN6a* D9._>N"#Pj†vrs)p]͢4LmjF{Rsi놥#zİ+g) C  L*򡡿q}lq2w]3@@6fP{|c`[laBQ'؏¼M v3,a¼njoIZSI-\lOz:GR,VWz^8ұ-*A|y?R jGR-`*z4$QEҚw-ʕq~'ާKIe^66;{ *麀K0Uc(NUWRpX6N6?L\eQI?W{(F_eqGDB`Wr8KZY/(Bx[M Z3[ 5 PGeNvw &)pBxE'ѹR ~H|ngg䬇[B g["n|UrZYfHޡƇNDu8v6RQ%< X6ʃ`UKC#`Z":~ﺸ\+yd]<ǨߙOpKcykEtܕۢ*%7O4՗Q\pkظ~Gf#9^;indMqb$"d,A)2D';*e+CsCscQOC,m0޼;N^;bbXwJ{CUa۝Say XyJV m4Ab#fU֫pqdC܋}%->7q>cMp}c$#s \^Wa0lh]?hi 4 z( `1FH,]h5CȆKf3ą 6;ArڧO}љRkI,|۔k V |v+QynUZE3('#nlŨK|%j*߿gj|=èXH~=](UTt51Ia MZ5mT"V*-H2"w{&^PCT@/<=?CBշ wIu&aHy=Wz&ĶO1siBG[ ʇ!9}ؓsy#?er5"<1dm9QŠ?>[}h1㗞5՝7Gڛ(e]tMvцJ龾vjaBr&? A.)hǸq#9+p~m^y/YzsswJݴ1_,3vD KXj0Vc'Ō^EJ|fS"㸥UKe@ JeYee+\pHǤ5"h׭hzFUYqp`6J'ݱbڣD5F Mؖ.:YH[Wot/UnkV1|-)vA_ }X [XQ[ެ\;zrĘ]5+?:g> stream x][~#YitU@@P]l]&:RK=;cѫӑia{On_Nxf׽ǛϠ/go~86o B fNwlBy)/g5\%ӝz`\l ;`KꝲL?!  jO1w绳(a:+>UjBmK]w+ƖLm_XL0Wؖ UCnSyߟ-a%tѢ`0k14,|p+Ld{_ S({Υ d<5z{D QΆ0 Ǔxmm̛C/s ^ IvOi-;Ôn 2icS+}ۣ|ѦFwaF v%x~JfyskjL5PQtʸ~ͅM'ChS $\E. B`5Q9^+v;qenmW``Wc|r@KXY?Ɔ>m=mFˍ6+ii~#S0>Eg'd@Rd4ge(,œ(l/%F LXݚ6P9L]ZmPv 9oOfN3Pkmȍzr? ܕjC+I"`~.WTm.1ǭY3s~ |_PQP`72E8/Dd:Ҋ>4#vQT4.:bd"86Og7Y7E=ޗaLb% /m\VvJx>,4FhyQ'.a+%yԚ;WX5UX(8J a3,a`gcZ9YZ ά)͆$-nA*l::@DYcEj$4- ܉2(X*% ߃Dvpܟk#;+K@-y>(A2h!h^UZ"e--@6RcSA}S2z pdzYҤĨ#M&hM¬d"_AeT(Ë:L $,}:(~+{7ҁa ZѠ[Oa4WV",RHNwt`4CMQ@nNE֠QB)lvа!A8(V X[^xBh=I,`[et9o:Eभ % T^VVq$bJ=_|W+ʉܼfQ{ 7I|rshE0b΢B #̯*v57(;|O:ņAO)s7i=40_ԚȠ¹A{U&I-]' boC17([j!4 H FVl*Rsm (yj|є*sDiZZaL!uWψT)quaߤN!:/՞$ E|ɃiqSiP(%n ˳wc p>͇Yx.(G#)$R4!ʷ&WzzJ(,ޙZp4nmWB{GDAJ"?~jWj%MAjb_REAi;Ն*IŌ(\ [v3R-RULF4QQu0—h"9ʂfj>'$%.C!/ L; c%W805DЈb0 ^V*FVƇhT"rH&\%Nzw(_F. Q 3|VT icKgeYz\V(P`+1Б8ɬ~7 Br4؎sp>F+ZzFЫ|,h fpYL4fq%`ϼytzz-6Ss!W#sq'KB\;EZ Ss;ax'4=8 S"t[Yeq*Ӷd"_1P^Qx J7~|VY[VhM֒6phT(3a!2uΏjl>Mp A87s^nܼͫ//f\S%"?}͂7v/P!f$^" bN̛OULUc:7/sl,QZ(P]WR/ C=q.kh{lH<rD֗_5}gnF|djqÎaAUtyX-\>\Yw{1n~9aQvT`y|"@1}ytU5K) ڲfzʵG>IMUr;r,9B>cB6=Oj)όw0!<.K] _T4pڥ>[U ؖ^!Һj?-qcu* A.k:UzL7ʰ +Z`^EH]`tگ^it<\ہ UWJ&UN(mBljtմj#UQ~@D@$ZM*03Q:bbNAw/G&niXmv2 teIskgJ _oP0HbD(td~\Tk5bK.oOq%ZRpɦ QK5X.BGXy gtj@)CGM1xkD-n GlBuM}S6!)6Y &w&\a"3 pHW0M@$z00 & Pu4-.J'>/naOr~E~P+*hbm'&` !4[ CJphEp$1Dck-q Xu3" F @Ĵuv//.=97 BTe0mE1]:܋8᪋t׃/s3 CֶG>:UHޭT{Ndy}7}wp]X/Do9 zA`=Y! fu ҄2.̋kC0׽ˋ`88NQ7ݩU߿[lNҦΎ$#cQ@CKAfTAax(@NV٭mN2v\.=ŘcM,.qQ^ENSn GgאbeS"UAP.T–u6 Vb~Ҽ8q FEc gqI2vRS1Goֺ7cᐭ|sM)J Ⱥ536tPZ& o8o~Ae6 &s`V(;:@ d6U/Kq|n\*$ϤI@aDɳ7Rh-d)!<>0A9HsgL<T{d#sPH+- B\ Q՞pVX{O̎I1+dn7ΡUb х<'&\RW] I [Z:sdJyGƯ,yRH[y:$R:$ܱ%6onkƊ#cj ,-ʌI6i!nLs}5O̮rZEb-̱E՘^_h`53%!PwI΀%׏ TF dZ5'nsX* 9t_!PшU637nKb>䲶I|QsRcv=(L I%VA 8J8#Z:@6FIջɫ_:,."!j4>kLf-" Y 6@zo u@,;80u5̈{\G2貇<t*SѥWuX1WG)2j}wr&F׹9AKJ bk+!4.Ysiu)/Eo"kVG] JQ!rr `gB1vnJ ]6[[VC|F 3I&OV0}'_> stream x]r}g#qq$O8J-3UIlJ&eIeRE*3]RaK}qu:`O㳃/x~\:>[p<|qA/<[X';Gg/BB f/WByO)/פjÕc\, +tg1z,Ň?ΕRYTYLԓ6?@  X R9\Ɩ+;b|rW _% m!lps #}X:JzyP8硻s^.'].>ţ/lg:kuˬ}bM3Q.szBQ$b؉xvqQЃzλ{6+9zUry.^ I',KsBԌh8mf17Nڃ`86yԗh]w NmgE{#\'Va"߽:sR9{$E~/〮3ů*]$@QY V^~TTW{AK/iAM G8*|t T1`$xkf049EۃS-G$ U?UpG#s}̃1y&(yn֚hѤ?e189m ֎W`Hv*L gdg n a=aĨ Ƴmfk<@2 ΌUp-Cc[C⡇a6߳0u͑kv-:l"t}(f4N$_&e1:nĶ36ހ6r Mlȶ4%O'ތ/qNK5ym̘Xn~6Pjc d[xpB`lja>'S|'%9^3&%.}9[ (|7! ks.s0#eJeSw_ 2"VZbT4v{㱔j-($<2is7ΚAz0j&lК: vrt(`֞A6o’M]YfO?i΁$ؘ)xq5('^T!)"nںRV+ mj݈BZˁw],z54E(>!\j6JIp-)s.]_yh%2\7؂L?#w,tm%Gq?$픇%k 尭m|\dWgɑ8PIlG2B%>*˕ʇ1WݳmcT -l叇[ה_S%d0JUCebU~t[}g=Mrt'Vn͔̕sH4fl`-xc99F vJӜڠ .s)2h pwO"xP+gy7fC7r6CfϦz ^Ei&d-2v]!{T6Q~'bb '42 BCh 1daYgʠԸU?lb¢ӪS0bW q ^DN}QHuR!v,cnq13EvMF>j9C@2iv*Yr3b<|&Y.>ŹLqGa E"zV$(ٹgnq v/ufĂsC)1`)dm&_zE*!M>œF̻0&{GWvKeN4[0Zv"d!pG  dKk*?uuw(γØ1n7c 聿ݡ H&`@7ӸB!i()=:u`M pTIužY1&_b'!3prf{=.M!YY!vXY!}"/Aŗ D!BJ! nyƐ zC8+|z@~)ga+=+tf)@ 714HW vdLx,e? 2O/c,|3]8 dzm|R;ISV1gjc=ƙ?, K#N7C%5yf|4 |*kNҪw(lLFܴG0Jf6>s$sو60bpn)_ۈ{Aiolj뀎u4py\$RЌY+h`:"u vG@#h! endstream endobj 313 0 obj 4572 endobj 317 0 obj <> stream x\[o~#qUt/}s[7I&ʊķDI;pvv%ͮl \?J gOD.O~>QWEdRN7*UFD:{uT[-F mRn=&mZe_iSέ/h샋ެ9Tz٫>XO'$MȓO(E NV)sqb4V|tL'SgOJ[i3IDecM)Ț)[rbZvGL6 ZAM+KnTa<,ɼɆI)F~ʌ'yD j|JW #ά6G§:9<8 k-P &(<^#5NU 4֪ynU&$?>O(-JkWP\ǘ?/u[g7&>3E|Y|MaHVD'V Qm9Qn YX.cX'iCNs?zzMXN$e>kA:#/ETgkri0ķZgZM1%SƥB";Kc9䠵Cȏc'=ʛ{{|v5 aaҭ|%j Qӝ+Nv,5MK[|\שׂS6•BU5Z!q 8ugA,\<;YCVjrC#3L*FҞo!l1L [eU%5)]S|n[7Xt'tnBߥLu䳯r$Ԛ1epoa ۋ(cJ()L:U:&Dko1]G"%}03kRY CruF3$R& )ǂV8r`YHi  פ"3Pw0Ϩj , ߽TPl#VkuX!KZZ]4򰬗u^N^ltbm*ծq8h/ȍ6&ܐhc*x16’_TI@Ar{j&|Jϫ᧋{"y|cd" {d LMA|sQHxr Cb2љZ~[jkmYÉB|Raj*?/5ڞᥦq:|ѯt;|5o|ܧan"k"*Ofiy|f{c#׻o'ʏcּd`69 ɽ/k#B՟)X 0D|t 4ceƤ0PSAM`MG $=[T&:f+LUML~]2Oq˚I+#jPNTberjʐE}f&WRf~I*;΀R{zTw\d$KV4+# ~aO)^a/(Z>*BUϊoUe~^i"uʖEo7_ lzz:oVr;YIeͧ=~Jn{&UcoAMpN .(ic$3Eino'ԣ | +A{*H>=]N*td:ad'<.h:ٞҕ-v?vQ; aÐwup2JIUil{ jy'` ޛ6bݑCN('w9U'-)]<}J\ܡA0,ߏ %'3\Y uNu 060d% G{\UҧQm9c-{GaUOu7;XMtkѝ';K(>!U tܧA0:T9}ze3 PIw>**!*ړ<;ʄpHftwIskA% q+wޖbSE%GEU"g>@hw-, N|%qUv)cFm:,#JtCK~P~s\.ӻRwϥjGRU \T.T?!+jRiϙEZǢR-7G' jM6h)K&u̿Ic݀&ߤw}oAQnRnR=@*I0J5StNmP**~"|";:ӻFOT `ИAcQT0R`^Td>J]TulaR-LIu(U*BF LR-LIuWL*&¤ZT,&U_u{endstream endobj 318 0 obj 3082 endobj 322 0 obj <> stream x][~GL3ݼEDZsF"kQ`֌+~lv9!-^uBۓyR'3W|vѷIϞ@_4'uG$'!)'|VlIS<ۤSolsEoOόqӬZ7t hì~ElbO~jisإckk{~Y-_)/OUHEdt.,쭧-u=&3P+ʅB@iVN5mNn53"ut^ ۞t 0jFD& I$yǵ<̼!Hz>ޖ~tx??.uɷO;N&:*O;"&(-g+ k92 2_$o8E:Ii}W'%2|{0ܲ!1 9㺔,w6$x%cS(Y$ 2/B$Y}ey,ΏJ/d)5ꭃC-,mf~W68E) bypHeg"h}I|~8k :PR"CKaYEEqۃ]VdLa^*X7l *[Yb]Zߠ%N.CED廤a) {YZ[ ;lYe5vg_dō6Clɶ?T`"چc#Q\!.p "OϬe袤,lv`̀jk2[oYΣ Z^:$/cw{6ʈ}P2uVaȫV5u#L;,ИDYi)0 rǩSN%}7|fH@M`88R `zURHID Ci5!o)w|T Q6c"Y؆ qpJ3tն_e_a7DmV72M(M:/ߋL@9 >bAxN!'L\$..M&j,9ht pqkBѝr{@)Uh4ī-ҾE-򍆸r^z/l>9~aFA ܊Q.ڈp^`0Nlh?'rnt\fJQbIKgN,thixfc̞\eh;ļĈ~&nWRCy9}c(7oO#]&12?D0l,ےX]n-JXYzu.u7M,!H"VwۭL-^݄ ԅ%H٦za-,xIP1mteCi h.mFZo]Ɖ:ȶւs1Hݭ|X"2Æ! _癬n坫r] ơMGC >>.ځ'R281w&`)"{~&gW#U0?gA|1)Oa!gs%+/jǭkk17Wh/Wh+urf%_QO 6mOx?aK%T>:w5,9vqY@)lbap4ǏJ'?Ѭl3@N$EпCϩ9`G@M~ IpI{_9QCM>?+{OGQj7ɊnkI(-1Ezp$t3jSl+v G6H|'Ԕp® ]yКQ=ynx@n>].pǥGw) SHn lX]y+=i6nVa^Bo4dҦ Ix0cVpkZ+GtuQ10B=y+7sS\t)|LK "J94F]8Qt$sj8"ͻ 5o :DiI5\ql =HM<+Y ^>YtRkT5b1q:?F10l`]NSG TZO KÖu{HȎkLyp${c ;iv6~ ;\oƕ"A0ؚ`7+oq/8qq(Fcѕ+$(Ա .Tx^ceһ._nT`@*)M 41,8䱭l|Ł,fF T`Tp<`5*2 Ek, Tm *[;*M6)k,)gmM$P .u_7sj+K96@?\Zֻ\㶭oDЫtSkɱ8hEF\*(@핗R| ONdIU6tw Pw#EwuY&KA \8;⑃JYWNf/t w%0Kr Ԁ{XW9]_ů!ꁺXdLy_u}`Qml}[5T"3a(i^P7-*/Hn_/n_hGFnVzЂsPbyO >׏7^8%@-C=rmwf)F MnUXMQ6ﲴ)A0(@]ᚣ pbEر ] Q#+ݔb7gpULg fEj7x:U!@wS*&iM]|.$0;_hQR~_2ߘ'DbL9NҎP:s @=<0LwAB{7&ϘLoGkd9~3 5̬ \ڦ3zaoje' 2Qe=AQQn7DU<`rv]Q)`BllIM;&q| j)DO *`UԊxվ-"b^ץ# ,/G;ok/L5y2j$ڇK !=%7P̝&;W@jzngFtE틁Bq0d]K}+ݫ!.ͽmx?U!886hm7O`8I:|J }!6؟/KzQH 4rZ5m( MJm"{šMeRME$|E(DX~m-UC.2ralgͮ:oDc<@"9aSZP/B+)؉0 ]6_͟MݡgQ˶hM?9i60v;{:0 nXC51yUn,X HE_ PJ8ظ3NW"k|xw\O?3kSͿS`z-_ :;~N8'69 s?{SكS^NjΑ9^0g&r$sy&>^y_$W%5ۥ_-A|澾 /`1ݙ|A-һ$ۣF 0?]͏/ׯZ <H(s#fȟEѕ_5jXw1ᄡ@^bS7fOl!˰hl#gʲy4JەN ْၑm5`TdT,is娗`,Y&aʏa4@K~oQqzv 8 Ebn@gx2=3,[$nG]+sݕxIP94]@S#̓8X,?gԤC~ޫR=jNG<48.i(J}?}> stream x]Ks3{\0ޏlq9JYb.])Y(D=LҖ YrI@ n|_~Xp&u?_}-/Ñ\t?_,<kXA,N^'"y88~1t*nxř:|\X'WX6cgXx?2 ?6̆ ^;._u0J;;u] 9'm~<ۑ^'a'0KCDr<3کJWw";O7]^bYETPKǼ?`>"BJIoOz`,/JRKR6]bMIb?Dk딞yb% 4ݓqiPo@WEc C)ԸJ{/RC%ŮrQa}q 9ju{Zt ҍUDu" /jQF_'G([ {o`:˜]p#80fdystt;_sA&)w0,i2BI8|/YocP5./}ʹ6~&.qUBdzfȜ':P!X:М3-}Τ6Ij^LxJqH>-P̀0 붞#ugC`VPjf Iy]. dd:x(ҙzt'EXQH p] 3J:ܮun2Q<3n/&~u;O(({nFh 셠qaB%ǥknWL=0- xG4Þ^7Ct,0CZHUCHJz9<Ƴz "/+5b^5|ٝ>@.`Y r5_6`@G:!b2H2CX wx:n+-@9Zt(t538Z& )9f:;pt,pLW1cG1%j4p9f[0s}Q1] XA1Ez=L^G1Dx0x0]  Z< ]]cה:\zV |ߋl 3NJ-41Kɴ5S%= sI9xLj*>09Yckmg>1XB9mSNPY9'PNʀ58'8R~ԭpNLx!0.ԺzJ$~6NAWЀExϘ߬G돉qxP!#]taS7E[~2hJȈI7[ecaZXXa-&y>`x:cAՑ85,{ SEA> L2^U) =ӾӍ Ftߓrmf),f{%ؙ sJVH=%%!dR#C`N y.Cf }I5ĔtDޤLxr_[pU"`9+/ÛbcO|+7h-}Q^ +'*BJVb5Ds`c :\5;42'j `Fgۦ`>S$u:b!>\'Ɩzyyj(2;-.SF5|"4ݑ1b oAVg.IgtgG=#LlZ ά7Ժ߲a}℃)(,rtDN@Sbu-`^2ԙ08E 뛋}ӽVn$7U#zL,_1jtwZjgF̈ZX#Zo^ti\:Sa CnStv[3s66EzFzt%{IL\J.BL*9#BԚKf !5ZWk m`2{]? 1QpaDn=f[rJi@NXV(%t53(bZ,L )Jo/(! 1Sd!fJhM X@ Fph+,kfP}eJ,L Tz{A Y& 1SBC~6Zendstream endobj 328 0 obj 3527 endobj 332 0 obj <> stream x]YY},^[+9sPeo&PUDCKUF<iAy5C'y2-Y /\ˇ_(r֦3i8,*-oJ|g԰ع4ҔJ3_'飑ïJEiޕ}jF`s*3xa}~-l6glp; 62<40G5 Nm+SIi#݄'NO`7?LE-W5t83f]MVXKazj3Q7KLϸO&*?O&LW+[RLSWaA8FfVI7į|%vuy$DVv7ֱfc>4T`/ 4@KQTּIRVHq}Z(v^A2,w <(@i }F$շ2_2E&b@qZm%v;pYؠ&e"~@}EhVEڡ*&TSdhߒ.qNG5#N VI{{wh fR|JhT.9:N)&,&J=DG]6Pت[N^w(3TH[:Gv#5h'y\Ə8> # L,-%?I*Jӂ""P{&͕2 5̿Q4MA٩r}q"#\QYo/ܕ oqU$b[Vn<+l/"P-~)N5/]NH' R2S!۶NByDa,ɴͨ;WQ-EA Oj3Я̒f`d $|KŖ nc?ZoQeyHm˦aenQw@A+_`-ѓ8 <n &M-a;CЕSgUY| ^ vrt2 Y);jԠZ~Ha Yn-/dzrpv!:U%MAydQ^=v@ΩMWOFMx&8`6Ɗcs~>L@*o>}% pi1 g9٢BF _qwyn횞eR%t C )pCB*DQ@vk2].b7frSM N >!!\U:naRgԃfd~a gnY e&˳`Ng(4XTD>S9ٕ&\F'219WO<>@}!?ā99/S $TcFn]dfx`&ǫ&%Y׎I+nM*כQUQ}@ dd׮,MaV;9RjhJA';x9I"3u"Ҽ a'x9{M"QS55Ise\oENqKFrhkQ\awhs:]+5y'b&ŽL!hޑ"Pȯh@\eThHaZ} Eoq' Yf/dܫ4-;:y9߅=_xH_H3KXBf%g~3(DQIY43}@< Opa?j0/˽њlͺV+ᗶHWPşթ HŠxB-}۩ёVrT6wuVW"VÏ]#.|܍q<֝ B~Q6b,t,?1+e=j:rp&JI1gl긤+ zApCNĚbM"&s;yq u"K&y 3 u Hg Ǧ tDqX0 ie Ayߍ]gYFVЧNσ<,eMVH:f-g*(J;! 5 ãEK:>4Zp-ZRaQ2]7 x&|Ӵ=й>yu ܥl`o zJYzr5ԥCfdPwB\A9ł!,.SU%,ME{[u[i:.ZU`{\jW>> gD3XxūɺU7-Re )F xr+)ht|̗IV$n%uOkYOjy&iz^!z6Ԝ4ߖ/KfTc آQN>q]Ϛ 2Us94ujzgBBc-]iͦm I3| frV1<W(Ъ>)@WK!M9Qɩ#Fϓr P7vIh TfuK#ׯ)X}ᙗN\#㆝=w]^zj#6V@?qI4pz©Y+;2&TmN3hQ iv1mRxv]j1U23-X8Ē[ˇ&.r0'(BC։ G:4{XtkP@ bV,[ ܸ-@ߐZ`õ72WXwwy h>F}&i=Vl֔ެ(a,yv\vjCF8lS'ab:q/*o\AK3Z'C}oh`[cQǗ% @H:]<D"; 0ߴ;irc1f~d(8$`{ʢLiq`}teh")i^5>^C{Za:;ZGx]3ҰFp8D5"vk_,ߗKǦcKf|R3=T<0Uw)jyNRƻ4<3TY閖nײC ea8 jolfAfY𓚭R7f(_kaYiȣO *YŁ٦KsY}g k'ҮD,gឦ+߈Mo`) coJOm z+?cޏ=TZ$K-ςcO<8kLxǒ;fj>K# I}n`<_K$/F?cwV9`vUi;YXԋw;u؃KܰbW4*ݲGt^[xh GP2=y<&k:} D<ޔO*aw 9~\٪h]kn`%q|ψr7:@~zE'R%%Kv’,(0~S5лy4f Gc`Ag~0D*)%}X}V͒bZZ/޼p  T e(aJR_ѱXdBMz&sTC^M|$[~fO5QMm[2YKCܿ2?X0 |xty6g1<M]snSs¢^ |Q?Y<%}8\Q""'tP' WmN7M FzVV`jEK$Byehk` 8V 8w鉬6{zng&j}S[׽2n> stream x]%u>ᏸ/PF+*!~I,ؗ9G֑ZwgˮZѣ>::oAL >\ÓI!w'SQ=>K(>)ýgߜUF RLJ(}x,LTWkl[o珰 NxqTi U1 nժPL[a/1s/( S0{aK{^j K MH?ׄO.oG7W3R?3Ͽ/d`e邴|r)h-٥x"ei~_/.SVYi-MY4Ei>IB>*ͫo $ K'4+^/OdںI=>/ҙW*`&ps+ m䚋^^r'5ʻP ¤5*?+s*.kZi<{ gZY9zm@.9< ToyQ]U8$t6 pd|[Ө*r0S2ajij`Yzh?FtJFf!xPĮ ׈]E?C&[k_f1TiuYK=J}:x,'#RIuEi>)ץti#0G`uL|fC6պzJ@ $)sxb$)H~rsn@B6s_'rL8O榰Ϟ)l%x(W:d1 VDT)96d4kʠE]=a#xzt]UB mP5PD|wuQnYza$*1Ѓ6>=k=Y'I`&"3 DBxsFbn*,'(T/="^_,(^,M]4mi~[ǥu_ϖh-mLJ<,WB$PaWZ ĩu8Ȥ6d[S#Ym\ q2q%HB1/)`^U2#JB[? W`3-$Xfr~AD([t ]']Xsȃ Ck9A`F;H؃DFٳ/ӇMF9y^ՒƻtV~u1lmTssF~BjGϴ䮚We1ess $0Mb.GRe'J 8]ՃS"PHY9cmryNdtKSl:ptH?G'lϭS`KTg5CC)gTՁqEF 'kL!*5w aO x:"ɀB/h^PEX<^ o)1 ]q{|-1 XHÜ~a)(- 6u¶Qޛ prʋZEL**CFrTRcz\fqN9)3M\bb@?&%@Qa>X0aA#> TAdիe%+tY+ɚ];zj;V?kk$`3~Q4ҕ{[ 37W#ӕܹ?Hѐdpro3 #&C]&y楏^{(CIȬ֕QJXAz8{BI=X'-˪x;K#TLЋKf㝐Jqzld$ŅwW6xWA_ji\~o)=x!v/%r Sc ~kDr*sUl& !Ga,7;jvJ,=@Ewx/ R):^Bȝyoa)W^cx#,êk#H&|ID]G!JA1ZAnU[:R 3w7Д-+yn Fն"ҚAF㨮hTQViWGDvibJmJ+5J6vËy.ͥK*/Sm) = ;nNv*c1 tj-{by8iFie4B4Z^GY+wd=7!>8wp& ]ņ+He 9Gcp9+hkC@C(Ub.M9 dq G\ɀT/9ڐ#)•J(5@ MP_|tp4BK4!5ADOh&R*91,(&pq?UTv;#+р|H|ڬWm-+xDRikq!D[TA3DPa˭b)MQMiVأj@c˟XεnK;Kȸ0n)ʷn"$A T |kNogr[;{y>c-[[ 5$UsƠX"M:qe׿bYb?Beo3"/OiFlwqbI4UīTǤi ]9{L8_ FS-/Cu8J:/ %VILRQi6u~XOK|XKs쟷( !kY:o Py{ոGxCzöQsRHL=8'C <^ < ".g,d[^nk iOi) Ȼ~ڔ`vy{7ڑ]1a B.(sɱ;'HC2\=.[ Oj;>n G*t6ۺWц7Wۢu -0M9gMs֕Jۮ!_Wgfԫپ%Ov<4RY+779V_g/'ݷ]u)9HٍΉA1m\VQZmZ,X{?kn (uS`OSqic<ϥHRas uh0G:6>LԆ36ʶ,x,:/O8m ?tڣA#Qh9!ۤ%a~>@b͉D29@\)jM ݮ*FϋNx d{ߚ{t=Tg٫EJi6`ɦ1:sv~t>L Lz<'7.]a)+]]K!/ /E} }f|M_X}['qX;P .t+-d t+Uѽ[jJjB@0{7R $eZ=hHc(t8WZIj]jvf^x7_lH02Ⱦ{9/k1S|bvNXmlge4Bwmլ4J,LaS0ŽS#!I:۵YA7$ѓ).p9x.zG|ϑH0( ҡu5//O8„]x4A,3BߏV ٬|rD(\]8ŭXT_s$Xs[#X۸F9yBMܨ €f&t궲 b.G>s STI^%uPͻ/vW*p66w1^m^*3 49Ӟ| R"関3۸EN^ǼV†Ȟ|*Jur&.3kS4*xF& ni貭2oq}pM*jɒ/׿=8481[Z_x)13x4In )p8s5 ql.@5QI leg+BP<8+3kޠoO_*[T16Q1xme Bu#6^&)lAEJd;0}C.DJ Y.2v{ŗ^|C moM߳vb-hV A Ӕ'7u-h ѿDja0UCsc,m /!r ZsF8u&*>d;[ 9$k k>K9Ou<ոZ ^sXVg/cqNJ9dO8ӠP60A ~&Wrѭk#d@*tDf&P4x7Ґ w~S4& 7o1oZ6օ+XqV }&\ qt!F֜4*"6V/xm6 c>g¥x߯.p9?9fCkq}$e+pa ؙky7[a\6 kK"WFv9wgnl<2+v⅞('Ic'`s&jAЄ']9%6j<=!qXQQ8] ͵ Uxmˢ\X}GЍ́VsF}*t1}]Nt0K7xlx"Qڵd9 HAԖQc-xhs bMqqYΈQls]S{~ieo_yuvA/9,QlxZfE #LžAn TiݒNXQw>Cz@a֋޸]\ %5 3v.}S2FΚғ KMA l~(??̇bw4,-YN~eË6,y39/?nȵ!ک>UM6pYrr!4w*ZpYqY0AVpY:˪#\V{eO˪;e^͸y5*^5.M N@eU@)腉QM& &f($09i:0r90P* Nxe)"E_ [)ąwz"nj%^~VZK,nl~Џ1cs&kɟ|vQI%014v RQ3nb6ȸ(˞s.4d;a61>wIpV_ sa V(G01{ k#p㻾vN87a^>>>=]1]/G1b >=FunIREc6WlSCMhOEC5.^{c6 +@>:D`}cx0 |@Yk+ccccҋh 0gnn=lCCC$V zl~rNS50x擊'?"_6s jyrF~{w_%L6oD's;#R]gߝ~׷f n ?rnmI3jźݧW @lҰ1s G0} >*;$iV72~/XՁwp%p ʲdwBO8۠,_ y,(aȽ6j{X<=Ed&qendstream endobj 338 0 obj 6778 endobj 342 0 obj <> stream x=َ]= !cK0`xqzK GRK-C%i)SECsn `)kb6l\_킇yj#Xqfͣ|:99yPPcf -cm5z jg;)ĸ\ғp;e(~jB2j!;|<|" {n=.@^"\4spLQ= \Uĩt98g+JOH/fOF^[˩ESʉ#XfѪU ^\ <|Lrٓ*Jqr9 HR" !ay'm<,0]F\ٷABbE8ؕImġTZ 㜠{| Z.y8h|J $?a妸X:&•.U6iUABq9 4&X3|HB{C.Ac?,u5덀G3_A\5|A6ar񦢫R(".-Y_.Za. W.GCLs4VI)Pa@g3^ӣqՆ4$sq/#-7RS xAIis߳3@+Z凎~@z: ^a  Qp7ySk,FD}/4|" *"Xhp%Em&^8IMBzf2ve| iaVm.#=~w.vׅփq1@qWe~w=4q  D5q B-N*,@xԴ0[ 69y`%|qQ΀'^YGCTr=R6YG{ @uG51v+١s`,`ZK>k_ `~=8f8( 0T6n7 %8<-[;[BGD]@G6KbY99hqX$nz h># NIz~p'kAspv^'G"9WW*+W J2L!T.}@z{q |P"1i n/-qᾰmFQWr3n7\Kq,4M^ #Vm-|oi[D̾ Hh3NPiJ-D&_"1m ÈPkYJDNiRJ]`' mTI%#Sa2pX` Z܃+*de<ǚ2P HS=ZId쨉|V)u)Hᆚs0a)9b, HDxծ90oC4q&Ϝ&qYjtsioz%}!F1{b<T*Xɗ,s\>;M~QP, *ar)tU涨DȰekŐP>V"]2 gu;] 0gyx(>h۬w oڂ'^K6qw-M1aF{K?vdxև4.x|60}s(5 )~ӽzrݫ_;Gx;a|cU)Y(֋;Gؔ*$^\˃;KQZ?rRe#3eq6Srt3sB1VK!,jxRsX5hnr-E̙\<()be G,eESģK qzBAxY5! Bz`3U&)H=T =ۓ:6|%sd(t2Mf E1E^Kp`;hrq<=͒)n̙b[[_9:q5>{J \Nؤn=Űڒx]pޜ+fc =^G6#᫩b9&U\x¨*UykYRy="gBC9w@ha6(&@M-yc ˝6"T>Ό"7d9zp[{8gY /b56gigEN %ݮjbVr&hvOޭ(M)\ Yn\xfs9?M?%MLv@X4wSfhݩb*( @Dj,ECKLSӊ/ 2||8UYᥠrbGgB0]Z#@eޣAwz*w=S8z/y*,$;R?PX3I׺4wj2_UVZmX7ObJFΛ2Y3hoǽƷ֚I65"k/ #:x>Bri֣0y)0h]_oX"06ifظ<4{.Sm<(Ů>wNE Ð'O?w< {i]]wd3l_&8[^ >I3e@T Bk:oQe,yE >!)dc'~p7O쨀 *!~b_{ntUlj@bD.bKib2$VӭCNݲ_ ; x! {A X4sJ< n;7,=&ݏG:ݻ@h Β5 '{rk [ց 8Z$on3yR~j)"_΅g (]"'o *C~}r`a-urXq;Siv:axRɝbsMpr'0'Sقe 9w/ux#N[F yԳ.G=82q'‹-B~}N p!:= i0W4vC熋:oB[+% ϸiu5p-4- I>1t1nӑ.YUBc ie Y %`bHٌ踾"u,¿Kw/4>Jح:͜bC;.U$2]OA3u9Ȅsj97{ bR -(h}5> stream x]YoǕ~20;/$V0vZ(âeͯsNUu^?ݬYTݿE /_3q~u3I<<>#h E珞/y>%Gg:UF xqq)L^ [i>;oӇ/.اtqi]\<|oc0^ԹVCo߿by޳6ygFIN=UZ6=c_Υ^2.ˇ&.Awػ*FyXhfRzG uc+G0&YBxgчxr{FR6 XKY!ÿoF{BEm2G~з9|};{!LiLf"ki5gjm` ڧsq ;`]A-Zux&9!( 'H|aQ>|uruIrR.d%:_'EnǧY~=ۮϷG=u{|=^ӣOݶ==nn"TIBoRͫ5QJm#ߟY;Eٟ߁L9k=5rr}Z C=,!x!, (I9V1GUFgaWf{vpDfg)W* -TW3)?rI腼W[EO+{j1]0EIUFHD2B-nWv *o#R+#6FkB.Ut0lA2Q5po}-h`vT2z=>}o7C0@}@;w T W PkwWC"(+i)YߑB0ٮɸ{%]9 `C@3vNfz*9r. M `@K2zШB߇^!.mDK9&f^5ɫju6,3!P:44]4t6G`1<(@'!"@ua#M1D^Fڗ`'ZD~V+b3739z/J FOû͓d 65!{&zݐ2 `'=wC)ji3 V^;|c9h2gi=s=bk3LɃ/= 9of8_Fo2•sȿ{8_msBߤնηszZhY!eUkNkZ Nzw+-Nfr tN6+< !{|G,m?dÿ=]hj㪛[ƁI!՛EE뛹t>ms舀ҷo|# NZAF "ܓx6@]7z_\,g?Æq{3Α0å Z@s1^3k1f"C^B\ !pN8fM7߅ĴQRZxEAt )+0%ct֚1cϙS;h@Kŭޜ`Q%4sfQIGhhi8 bNprQL 6A/ A9`&죍u^0 6pf)F8m+ kAPwY dVa?` )NN_1|BxE4"k|cZG@Oxe4Gv\8(s$j(( HF2w'\I4.4._H+$FapƄX:b&4LI'QYۿI,!(x^k2Bڈ6ѯ91yX,܍ԪDI,r՜_ rp#v УCѯ u4 _&dS/s ʔOo&)Ut0XQu{A=&EplP95@k/3Hp`Uބ/ua8]PU&g3]wYSmxbÔfUekkW84yw(<‡Fxmś#¹' U6k`gMO(>Dz 5SaYJ nSTVG٨df8gs`5,WTшJT0-,2@W4o2(bge 6(c.+c  /] ڷăZkvL0J4uh>ov23Qgs3,ai:>W=Wj15RW/pT\I7РOs0GY+¡|&KU n0!a(;VY{~*CY!Sqdj ^*ʼn\]ה{J/Ǜj{|=R*'l{4@ /?_y|N*L]=j}y|]^!/jʗJ]z3yt1,#yx,Wfbޛ&\7LQ-硸в4a.EX};-X|F.5{ ~"m)U &|&3h|"vUXr"<57K1FW3|?/WIMFĖo^X~ ZXKM>qdaZOl?&*?3QUi]NC@3qGuqi}F@>tAsqq@)\%M5vm : vR֬>wj@1+;#񡖀e&vP 3o'8=5'pyQIhm^!p"MrZ T=faH*/R<#"r&FmL0Ԯ^P:3=3ܹ&~xQVHz`,[4|w\^=L@;9%i좴A0cT}JU7*21gD6Vh)֕+ :JΦM Ւ,M3s҂YRQD&a=b򖷠C2Kf": 6%2|Eyq ~4M,\ DVN2ܦqT_g\KV`00$m6T̽.5NN;N ^{a$76X0mao8,ol˔)EFWBjEhpBH*F)!1< zp[FK2ndzvmfI8E3z)'Ž :!WמŎD8w\d9GNFlx%X=F B4#\ꏀs-I8$I*6Y;@dzumª7&J^L %$@cuAMj@-Ѭ'~5~XpeՆq{6aڑ=N\H;] r$Tɋ&cf;=Q9Vp+(ÑR!mdg'V R Γu}+l[oCCZs>Os-qYbV,K2%.iXF;)#(wrgbw[`(H@R bՀ5Xc?EJ"V",HsOTvX|kֲ0oۍC;\ЁU ]\a]l?D,KoU Z:ZL6>Z;D%^.#{ck +ߖjGh?`UN4!+t{˪Rx4lNŷTEkj#R ]qgUL3tŜe[ ki*7ܒ]?S; DSY7l ,K[s劋 z; 5-4ק]t%=>L4"*NVRI J7xzh.Y(1XKArzSSߵwUt!_btuKz7 97OCu.}Sw,g寯+,/: ` !DLz7,D?TxɅz(pm WQyǕW5[/YXE;*h\6Qg;anKrI2me3+Gऴ M >N(q$'R!r\+W燁r\BgBIup\ N tBB6fZ2d5&[?Ll7KfJ~NHY H0vqJc2T'fmD]=|Q;ܧ!h`I\0,O3qEHEmumhl9LREMZy`eE0܌`y͊̔rkyo'QY+`99e9/8&`C&oj"(؟ս'{KDEpj|$JuG 0)UBkB'O3гAMRڝl f?`TI8y ‡q470(oxq/&ӜE tEՄۚ)刉ÚI̺K7i]t!8&RhUn RΝ=!8UÃ5cleP$ k9OwԨ&ڻ$!0v?´r|RYN;ebiA 1H"zEwv%B% ̄u(/PNb |s:h)MTz[xfc1^#M d^mj l6vvX_D UȢYue"եvGoڮXødx `Q k}dVH akS&H~!cs4pyyn=sR-#feI0;[o̡`oR;R ֦wɂVm̈b 2ܬm3U>+#{tbAEmȂRZ-m7.hܭ;;bV|jID äDw6i2^}/.KuCWm=/ړ幜*Jj;MkۋKwt4jϔ S #?+B6040LrshW "qڠXO@)Rq]䞤^LIMXLI]J".Mw>;pN%_̛E95+h~{<"=SM|hOA ˑy ύOL ;X8C0#w>7nVww͙~Pv?%THܴL:P24qZRȵ<`|VC.݉a *~Dw~`SDP$ܩFb)#-eG:?O0*BxUz-':ׇ̯d ʷXΒ1 nsEYke;uSoWVHffz(i~&'O[؅R>p |UYtia ud@ $9 Iߗm?v!Mr^=w "i+#Fy7^ASnqTDޞUƒI=%S ;hBBd&-TJMUjznӧ6VkǡY“(Hٛ]qvʅ,t)BHO>Tډ w&0ՏFߡ,+eXiBK]#qO`a'@".DH#)<is[ j:X;*cpt k#fk_UhcfZ,X[W uڛ /ט/X.F:%5 v%K0O\:V䥟T]{a\p?gpR-Kw/aendstream endobj 348 0 obj 7295 endobj 352 0 obj <> stream x]Yq~' Aޗ B 9vq~b@%)B$/%2_^f3wgzk O_?͗ŻGţ寧/x7HDœ" œ׏KT%+(eo0Qi+Ooz+==+":9?^^cO_yyDU?X´ߐ<%=%u VVI$xnV]\iB~ɜ.xnQLom2W0 %qB3 eaDZt)K% yO?uNuA y };eWel*>u+ t#tM;OCO`yo}O;/¦Ho.W1ϛK`2s9)+dQY|X PQz._/7u{u]m*e7-N&M^t{gA0zL-Z]-,EIВk oK]{:%5٨Q3=^*lEۮˢfQ^K>Ѝq ߔM LQ(ã!,NN2=Nfqt$j]%0Mf%lnNB0xw2 B!NY*C>.1 P(6K;19N~ βLQsj".ZN a̞j0u֣땓N#kωJZ[Lu]mۗ(FƦ> 'QlP1gE92mفzf:ufbl_*2hdIp)\7b݈8/HX,! !ƭ66޴[l I#4HD=DhнZϔ*\i* ӞQmNK* /3e7I19`n}覃uK q'نW_EJ~*䝔/ZoeS:?Snz?Zlm$: ڧٗ,̴᛼0Jo.` -VT?m,rzh%1R =)%M>}鈬ь0C´ENm:#' JI#wyL&=OBν"cO2)(Y -J]SB4-w"Sw вIR8l|AϊOᵦJJD'jtF9pA k)S"gkn67ug^M6=GJNi:ZVFAI =3F'OaGgX+߹."B 693,M..>vn D?/$лmXh7 } ׿˯m7&Yh՚qM>!4h]eV9ZKIAj}yNδ4ke3Ӂ^;*4n݇[bgz uN:pHL+w#IN[D;<ֺ`eɮ rG!ɢQ+5;\E\F\+*ND򭽧B:IϤ#{ߨXWs5[Ba]!.ʸph$x a }YƽL¨R{-ց;S̩yw`f3 '(_8N]K׌:F:;8v ,z-='%ŀkphb-ۈ,7F@h !q()Q@fnJu7 2勍+҂R؉7<cf#  8oߺǗHHY`4oXlZaBcx8Q',fэS|@vlKO 1kV:'DZy-xT#Gͯ0-f/0ӾB58WY~$ܮw(Z!W|T6&{!]񸪃\I!Z*iS;) >̈́.We尠fY/o9H-7B>%"8>`=~Nxh[@4.È@֗<"?#x*kU\&PE{d$MRՔ @y }e\DTÔ huz&+Zt֫7k.Tڔ%.9V7.a7$hK$0/..J .k9-{i`~[eH`@͟Bځ/ªiC*dԺ.NRy"(NmTJR/K *窯fTa<T9("B[@fGcOU:'w#7J! s2*j Mm<ϨNN%Q1՗lt# ZcrؽBqDCWDrqd+w{+0ҧ0:Zi{ p )QѪ"6!@cSn 96MQKJH( 'g'1][᧙ya=/Cx!^*R'P':huno2&$DNo}T0$c>..ح(pr+lG=C蜙! 4bp= Q&~SQW7#KfWE:?TZkɄSkMf4LmR&C9wG5D[d櫵foP;wI_t_c6B2Vh<ʙ͌{jF*Y25[!bnPD6];kHBZ`|SJ~SSM'KֳV1ZӴZfѤô0`ߓy<.t|'^2Jŭ,xX];΍m}c>$tYTIW2#cwkY hܮȲ'0g/ εP*5p]Tk~iYTZʯK>ă~1>9]6hE"O@9$[ \g\^-L$6fcOm62Uډ F6yt}rkMMMl{6!HGcz ƒjF6/V+s3 |9L3M I"֏6Ƃ?ocV0XPHNs覶_܈WM7:&:q@ovҖliݾ݄S %naϪ^HX#s&gө?hSׯ*?MyH)k NIn?=8tV#%uԐtI=Ru!q6;)'Avn{}&@`rR"`gƁG >DFU ;Zӏ8YJgnq@ϳjƮV}tLddJ>(d QL< % |[$C*ޤL[MɲƩԨNW].Y~0Ch 1B#G߽֮2QKZzwӎf|YW+ ,M^箶IiN+E APmPkh9lݿj$Ltѵl5 lJ:e [ ɻ:6EY (wȁ^F6J6*2iw>pNreݗ36=R:8mBϐ,$"RA[l]cj4d# 6%R?l=X,J/,[ST!KyIJ;〦2%|Ť3* ]7v^psXjfR,eNѵV&/ʨjR3`W:o%v8ɽ*zxv;e/ oZvGt%㠡+ʜ=[8@NNt;FDC#W3MT$sZUF9S:ڍW֧J vЍ#ٹXM5;Yԟ ++j9sXjꛟ[GfJS^PzT5$&kDurVp8f1χaVTQ&V7ZdpDtRik8x $lÅV4emI@Q$͐9Xb N`.es>Y~2}/hXݟ~W3= A7QݲPE4蚅?J{-'tί1O{IӞ-@t¨U*F&I2YD:!fY1l)`Q*3W"X8¿0;Z†._J.F?]<|g.Ad(A6HMBS (|X7m](@q8.~2ҸSe<)H~URYh $ZՀ3YM4FcwVHg3z?l933:Pi"{Νco.3>KgH[4c?%OK#b7!6P mn7u|H`R!u̷Xm%V|vc2.Vu!pɴIEׁ,$kg8~[Zm-4862{]&9#8qVwC޽]C9sOL鏸1Њx|C <͈>EQkZ:3 1lƏ:Zf<Sz+J=t{MHH:P#+n>$&솯zZ+dϔK,IG% lXZI1MhoO6VW- V-&CCL^S PD AtY"%gߎRW W<>ϴvGhI} 6i)wu 7p)#QgIG FcU^ m׷u^P#e= y`-iP$[,_Lğv}@{9Dendstream endobj 353 0 obj 6968 endobj 357 0 obj <> stream x=ْuS|-Aw\6%=ȪD%SSSqn!U9>@},إ51XϾNLr'Ǘ'wޟݳ'{|9t2EI)wQ|S˓?>IQI)?faV߰m68wzT{dž1vrq[c0^jSDU;fv?1Jr N|~{7}8g&NAf FiP \;yZM&y]`cB3Xz3pd|d}B"6{lM SM~) m{D iQ#eƯZ/E}zNMV!&qp Fyޡ!. rL*1|BS'ac O )VjLR؅/P3@"w00HxsS ^m>D%LdvwV *c3+G0ˀW^z&hꓑG3R+w%vmΤ$0bKb Iռ@2}"EF "Ċ/.aRΚ\SV4M'Tp$޹-.yNBGD~<0hSs3_oF򵓓U6 IŷA%`\hC~eW&T"M^Ks&d:сnEN"I玷C\qO„y M((}ߚϔuؐu<ʫF 8g]FX05q{?/b쀂y?d —d"S"e% B + =tخ1"NHJ.R>l0 o !nP™yE2[ 4W#qư9 DFfM. 2B?3Z^8=Q \c)}}%7CjMc{ ´Kaw*ҘC*krqÿ k0lqVs IY!H)(`.ln(b'eJ3@al83xX @NٹOf;Vg;Z{>d mL GLٓ] [F5tعFC:(Vxc 頕~vdYl4"u!)] )ֶYۜg{֨m{M@, nML5F"tlKWIsFy<^G@5@y PΐΨ0tFa`bw FM'L𪯉%1b\#@=zރ. .)*M>C0t7ZK6L*EX dJd@K ~Ǻ|a?Ir -osa!̲ IM qSq\a@DKG}!L]D紑L/WY]P88|E.JS ԜF5l0P [kid !pafdF'}#OZz٠Xvf'$מ9jP9 ^fL0ͮȩbq:CamgT0zcܶA򕝍?.d+j$k(O 3d^.QB酛`0܇ Z ݰvfkLJ.usGAP;0aQ85EoN)T4=x` .Kpor*J TsV9*p _c}(v$gGUQ+oiy%؜X_F%{8'ǿ+y~l|ծ/ZՖOfFXPߎFaQV?xaK\n ఁle#{TA,咨%Qh7l ̋ M<&!lS`@ޘ,"E WJ,?c4d0qN8DsM} ;X mE8Z=8 /VJYmw\bΘFש8R3?)qAr7o䂭iB^y:[n-pyg,8=B s(\7xʛCԆ ' 7VvEN9HPqFq7oȦkq; -`h՝E v0,;FXS~k4]i0_J-K̀svJi@_Gji-9ܯʉI1(yLX+<*u9(*)E48~_"K-7%0(R{nj͖Zҙ)[60J6>ZgZ.Cky~b(wyrcCalh_J{nW:lrAEX, ߯lrh|UgmP6فL\ke5`k0 ӰLTMP.*Fa + )IHqYAӜ7cF,ctC:eGd'26uҹV@KQubHsvidHD R2pv <_|}60j4R`2 kk*WbwcY4e$GNº =`Ϭ|sK0<@f)id20Qԯ,siSaR2ؔ2!1?]@wg #"Q`vO d>$ek#R#/NM5T+)ɞ>.Z>,GB-̖jSEpJJC ڢBtQBhV%嫲O2ݲ%6(ɋt Ġdt]yu\7:Qq| <" }lEnK̳$J;ʅ!ڎŤjZQ!_+PAR'Bzn^j-8H,?f& s68]fL 8-Y4oHj͠J(wŰ|kU}@CWVGkin)Qvh:;LpvB-W|' `b]DF6 >I-H/HF{K^[Mڄ6%Zm2cتDiVmGզLPip%ӻE􀰙HX9.;A"*Kn͒,p+:E=Bi~GX? sW]k2jFؔ2yGce'DM8u ޡ*^ϽWȉی1yDH1T's Na n. @vr˕aI'Yd1dm?9IWۭ{)`]L{ AnY~4!VQ^j}}m}i[5 BWVurxV2͙ \g6#c|_"3obtCpQn+3~<\Ȗ`cJI]h;ԠEv$V.ې&cErm^'D+SfNk76ڝwFV=YbVq 7KmRM#ʪ/ ছy{Ay r&7e@⵺+ 2aS|WfwU)sdP-90諊A2g.͐~ %DTmR!VHGVهE</H^/}/3&F0操(HV"]6 Gu Pҿ歭놹7 l iEb9ǂ8W( <)JV9ar_||n[Y [s<8QB =.O2ILme`~<oNu;_`b:nP}!z|,^!GDyX{ӛ@e5Է3BѺzj%%Oa0y7Қ$Kq|IZ ^p\HKyX*z7+E>o w@%X_(Z#vH!1g[n"F q>Jܦ q-Q>X -Nh>Ptbx N.UށPXNd-Uػr31tδba#: V㱺Ѷ.:"l;Hned^s |MmtkŃuW%S1uS)}}-C &ܠф?WO{ݬVK{̐mai׵loURx n^].n"A"`hQyt!?eeQx~-sDy#^[ш .|}w8gFıK b^7lrݫ3xW%.ڃ[nn*]0w|FH||/V۾c#,>h߬$y+BKa*3;MB%)*r,:YZnn8#~v'=Oc 'r>~9&c|%_`߰' mx=r7QI=;=(w3=Hgt3 FQ 5Qiת"$_x^U<|?,zYs20Leaåpw;{Q `XK+?w~HlUPOhWh*UG'(KѨ߻`\F|Gxr'[ׅ"?(lb2u'ԩi'F{?BsģWcGi&;:2%kL㤬*.y߈ĭ;/h_'+ hb|8\3:ؓvpM0n!elӿICL4 (C&P?r3#qgKe3K 3dO~wj9S^9V`؝߰M6:V=^\b=8CAMXf/}*wHӁh͏!|\Ջ@ :+5%zvOk'sYƮ]z~#JlC'<4{Lx#sJa:Xu_~A.=ڙcZz!V%Ǔ(-fVdCpv 0R|٤G@ڏ3o2W ۢza\  %X>P^:ӢM?t i 崌|i>0 rUW[/,;˦@oϞ . IмU=;Yޝ˰ ̪^3(r6ѩ72[M4!mY^owdlh-dRm(ËѠ6Gz9 Z!VɠmgmZ"]_"9rgi38y'k. |(\(+uğ`)Q.R.Rz|5` >xmFıM?Xj3 SԜ?-XyU_2ULOˍ w_4!B@gcqR:_1Q7eEer)G&w.0 p6vO19OJ u:py­(NPRkY 9ܫq pqX&DҼZPs\\)& t԰ ?endstream endobj 358 0 obj 6059 endobj 368 0 obj <> stream x]Ks3#:‡!7˅7zcwZev(Iyyh~f Mih*H$%ƁFodzqwy3yqxaFvO^_wƊݓt%8p.SϠy ?ObJgmj?KaҌk߹tJqFl&ļ <3 aO^,)MGRq58ɀkc~|[^P(`%S2EQ$]tfײA8X=,y6$d˷di/l4F΀f мX;Z7( mf^(ĎtPgult<tJIL@A*QNĖ]KԞKdjɐZ+w5|bR&G>- aSbfb~->9::סfEB?QBaw}zkL/=\ KR-FH RlT QV[͏cK[O3ħr;J:ăQFx`I RorZ''UW]|0ڸd7>HVD3Lc{Nܔ ٠VNÙJ $A?u gMR>^3 .E^X?TK VK"84 9=jg0x ЃswQ~ SbHrN{N{|м4=ـBRk"_}hԺڸPY@=CVFU ̦)=:( :2T>?dC˼~GEwme\+ԦPlZK|_ģȂcQ9B`,( (?Ȋ8$g|IAh ½0Zi'FBYھ#bZ!yW85+s5HPThK #ˀ1 VL2u"x̍3KIBZ5@w-sۧ2 R15isJ:7>m 65^RNU Lfg2Zr&6Gf~gKH&Q01?8RwX٧Ioq`DZtAÝ?v@8svkLZ2cWoB]|:&V f$fZ1=0 =/@ֱTVY#`4"23Z*%*ZP4D1}{xU-tP/29sh欈cTUO*%Crz_@w܄sGT}[kU߄_5톄;A-Ge @-,h%fB"*'jgWlB(>8EY0|](dZzv. ;qI] rךW`LnP&@?-UY)%0j$jV/WKe'W$G0R.u$(:|nruEUbv/G/CT`FƔ,T@+{Y2]JAu\`'_ ^\LR@e> NϢƲ:`dH[¿qjkcW?{||k91#~_'hL{DD⾅g릥CXTɼQ%$&с:f,2tlH@=n9a/wu,@z<K&@"=; _Aw4x{/lQ+_ҍ/;B6-[A* 8_D^!5Tiqxa q9;B駵F:<YvwaȋtInBf%Fڛt&-l.I]6ikCr].P 3uۓvHaӛлȺ}p1]n*.GA8=)rg &znL҃oku-<../6n [G}SNus67h2]"x6l "ϷSUj""1M4|^ RYk!b._L܄f&iʽs @ (;8tg,>g 48~βvv[>)`Jwtգ'B&4߹D(`pW+Z"{mD{ąZ3mgRuP1>N Yzجu]Dbda|ѳK9+ X] A?EE=H9Eӈ|c; ;vwթ@ itO5%@J%hʓH,6zthU\KoųzaYxm5&nEI^;Hé()eh!BJ :f=IzNfA? B,oU~W A~*64;*>,\==n1]>M#YŚMW^ U:a)qЕ(-9$@:dlb QNqҋE!5Ɓ_j~LZbd3{,4FwZª Y AU-<+w!x=JlJHE+H2C,Ԁ[_ "Fiy(W{[BeHneg$ACuIvisX5(mƟ!R!>@'!eqr~V'ۗ5Wirg|5 W "x4c^\q٦8"F{ Fȑ0zЭ,G?dr fr B8D`c%3ʒy_ƪ$ {29kɎpy_s;>Ci쯺``aXb'x1l`V`T2_ϷkSf$zl4"5~m-7#K TG0pVrpQb,x/riI|& 8=+ѢCECa og_ 93~ϾF!.&p}Բπ7{s}7Ēo(ْsx^hĐ_x:-{ח7aш(hbv@=_А @s)hbv94hMA4I{S46]ov6{9 L6}mlb̰3}7Ϊ[%J6DZr }э}{oxowy~T{C-/Pbqg;X&`x8UdFZ6xZ* j,(&al%!ǐUf-ɾ8^W tNA=VsPևJh,Ŗ-BY;cq }qB>=)$% y4{;5䑣eD$cxf) *(VTK,(A57eR}ct šڎW!$!'Inc>jZ.^'r-qC_D!Š֛7eS Xa?0{<J>!G}[KM=A`]L3k,#~o {DAS Aws-LvAɎ p@Љ3[@AS ht 46O :o@a$G mtG((ǃL}C/7u bv0=" eE0} WC{,6)L_ծ iՒ~_¾CTM(}-2J9ABӯq-bu1uN f.ZI\;g!|x‹q;_C~ b׭\LbO}/&ƲdN/$Qm<,`yݕcʘ9M ذJ{Tޚ7UЇ?@tUM}Hb.^3,3Swի@qdV+﫳**_%'blT,Z|nJ>nc;XZFQq /=T~~u0˔a|)YI㩟h!aB4FXB czUqXusZKQ7uj~?6S_ޱE$Bw^WWU0ic`_y^ڲ|wO#ihYM}b)Jg}dg&5V麴UAc}GEڽ}ַůeބ7HNj>MPYs6W@eY!5U|nt[Aוȸ#eD kH&_ %#>L~Goa(E m8JTGl QFoP.Zh@Q`[BDؖPŶ{ > stream x]Ys~gGl%^cGĎsTRX.,JbM9>~}1(C 4u7V+~q#:>aNx@5g<+VՓ/:N̮9ݰN^?jߐXVs/lvF?H;ڐt_?ZeйZC9*/`z';Q̒I2H Ы|q3nS':X-7iNX@Vz~;"$|94|H:FJyc4^A/90Z+TjsY.~lME?avuFy^? ų\|?qk_u.mvFjŧ\~Wxqe\b sK k+/{ ܷuTg°ss%ٍ8ϞDu֮~4\wreF Pcfy}xRJFwco ^Կ<߳N& VtޙƱ`wJrߞ 16ϑoKB.ĥj؄o2_og#@48o"w V'h 8~֔gM|ϛs6 i)l:\/}0x_[*Zl10$&R > W9Pz^z k]=á%vH9IqWXA0`J kPgxCTVj#a@%nM?-$kbA3AmEQ@{5eХ3Oe2 ښ] 'ao&BP<@;d14?~i$xRrP)I #UlQ"er.G|"s?Ea J1<=\ZE`IVTi:"&كu+VTo:f6R| z 4Ȱ{i{ө{f:%=4`.8b:Ёˉ {a8e6J|6JeȰ{iDGlJNidӝ VS_1h7%i6T26,J#|3 4ZM3"؞4P #~XI%Pw@R^6:%ĮEwtB0 ~r-H+27MHkt>>7[<&C,_5 ,J*4R.$ lKՔ H_(W=GzuD 'sLoo19LI߿RKnW =^nDi.\௹y.~sIug)vVg- YUO%L?`thy4AN$lTZRYnJN"O(:|԰rD&Q +GDʯoY@%s ̽ES eza/T\V@哠Y jj .'д\ Cv~?/z^H4@J %۪ 8QU=; Dނak0(= 觼,;}Xv7TU}b~ث(9`0^}OKü^7E ٻئʠY}aID'Y)pXj HT >*H_5eK8_ `C0lsR'(Bs+.=(`tH\Jg:%E=&R֊\\KTQ!9`j ޮGrs/b gJX@{%5vx<6#>3!?;OmvFjEr~F 2 ke۔p5FpҶ54qv‰ZFԕoȣM)ҨS_0&>'6~\ Y6'π̂JΚ<KS~Jڦ Qh{W )3M{Z>` 8~C.С)d<>%t)55)'ʚZM31+ a@8= ʹXig hQY & Z bq;uhO-~在NQ?6x;&r e䅬Ua#MXx0BX |%1'D3x<[Y?.eU>ԭ ੎$3 &,ʘ?O :K:z 4;.i[&+v]Sn7|*e(h%/y3!m{?brh%t|]gC;.Vʂ-xhةfAmr{q7@/$ ?XQsܡ1C+E+a:W.}J\C\` fZsyԴn4nAems9+;$.h0C͌$|:(9dOk e-{;S(y7A=jпo$1Gv3~F:tR,tܐN1C͌ 4(c/CdP2gArw#Hpz#E ƌy tҢZ}҃\J'.p)9/ ]DQa^bJqP5^X&<(53v{C4vd B̳Ef-$") NMAʚqbwLk 1>V`] (6t߃޹p  [L,?(=UhPv m2a.K ߇;Lۺb#J=!6̇X6$$$?b Sm>OAbEvА@lҺ f%O><ݠkTȘ9C0S~?=M; wx:#SfƭAF!fm SxbHh=,2ST711~lLlm 1E$jP0}9#КBfC-[\Mi"OU2\7x)֮QSK?U E(P++( 5SAyoL .H-:DQbˏ )"N{Ę4nþxc+gy38156q&a)tQf#x"NK]L'7qRU1{' 3$^8QW![ + IeU?&uygf5_Y뗑M"PAӖNً:N۸˝r11-2[w3)lp"[ {Э7M.ϼgiu]eH4slٵu?R~"w ;JD*qju,7~E8hC8J?SUx-1􎤱9Y`-c +M-p{œGc2-^<8m`dC)d39/^9FT$ `vu~NAnaTez˪`}:)~6L#endstream endobj 374 0 obj 5439 endobj 378 0 obj <> stream x][s7r~g#N%9Lc4n6lZ*--X"e]3<<.d 4h4u4z~و6߻ͳ7Gb#@=C6_&jfџ~J->?>:ٞbA*W-3` 3ު @n-7'ZvBV?|((u9#1gi 8?>p3Fnߥ 6ᥓPe92#  g' w*X"S4 Arm}SCi*͟KqwMGS}QKmlqؼ(2Ǜvj&Z8,V&TʅiD+-I,C֒ã?{<;ArJK1ǟz^=X<{ZeF+N(oҙF#l}Nf+PJA^ „Z|H;ך8xu.Pi.4?J_rՎQV"8;-!“n4L7'A+950-E9OW(S1QdQy[;1CT:LIf:s: e#l188?8{Õ0cxͪu&}t܎\N'ҘALHxyT #ߒESz_M52o"b}AnB{Bfݨ4[@4r^B^ "AD{oeWF@-hV|TMY!*4NhCCT/+.ؠʏm:6gw#Q|V<20dY0O{DЉjSj>xl|SvV ҦZs6D4}^8F546nx5q4x._ DrlVƏ0#;-+H)6%"?PW<ظg&w0#Fo虀+W87pOM#PR'In6/0?Zu^@]❵GpoO"B"{nt^Du*-ig򟦽pg1($$a $ZaS>8FiR?ʉm#i}Ff%uq55^Ȇ(lg6so`LgO֥pq(%`WLɀk~9gbAVT\m#/lwgP5hSrϱ'Zs=VCHDu"Pנ&> ]/slY4&QhMt)rE-C)aU^oZ oZxQ&bW$$S2/TV温Qz?CT`&qvw&f4JtXā({ZڈCPpcrWmg.aeA l~I>FhgqU" cD@ i.\^S-~*K,@cd+WPV5+QD$w"jsQDu 3>LDl=%2 ߵR~k$Y}Iu5E;"@qXt FpBbjj=>IQ?#F̕b8n,EXl< 馞=N/q]c^h )Ï,x ?+׽S\_qG[' lW,"`e$[[VѬW۠\ԞB[!Q{=\P4fad+R [d/-v[夃 le 'ZE>s7tъ@kdր=xˊ; &Qoxq;#kWK}W{ #DI3E|hW PLh{5hJi W*Bdk[k"y: M6 CE[ʌ6pMۆB#/I 0\}H zTΣ3Sp?/8EI&Dy 3pmq%JB1K sΣbFgj@M)5GU hc@9{@]@?9w@mZzj 89V~z'O@7'D֥^32] h%JMPJ#Oj2'^I&GB^,GsqނS:ϒap=˼ Xg 4ifK?b8>ޒ܎r)x>ΨTk ny)y&W~])qtEL(JzNVy#(lqƄ<#jqd~[1veeل '+YvZFnk0Ya;d/H1 pa:11&;jN 9v M| X9>tjq囎go&f\D츙%zeȨd!TۀD/UVs:YHO w ՟暪`nżh =K'o 7ؽ5K[w3 c;f?e^ɳq0]zA?ץ.ĵ\ڧ}2tV;Nq};S̈́Z*6 tobbD'h@ r&ہhT}΄O:dy0pnpk; ǎ`=tA  N&p]HGa0ˆt#HНC*P(K)g2*x B}*è9j OQ% 遄^NUM $#=0QRu2k0_4*ьJdNm_eQӁ!& ]D>1\ P!}3s?+H|*.ܳ?QR=@z=Cz/ O$>/mb >"3{35SEm!T1k!CimS%haLJI =4%UTp~Ea\fݚ)KC9.<)),cl?K<16r˩-UDmJX*Iem4JaVvy=h,7U1@M7iJ/ߕw4v{u ֓ oR1.kzl(oK>csLY^v~\P:KtD-^91'&C*z)d܁SK3(`2q:gL2%q03uAwH\))GR:Z,@QdCtIݹWɿ60/Ͽ_м(w@GuCuW(es@#?qt$RWp&t{kWl@%6TfݓmsmͶ:Ҽ*s,I+=,QO.Ǭ]gY~]843k'R$2޴J!9ɫÔ^^]|mq:%jCÃk2;LJs,?_vT5+z>m|rw?BqܥG^i&/ܪ#A|qE,9x%?{\h$JSR7E| kMuq_ NFXrT#,nMKn6K5pACe{=[.賏͑vpR7!;\gh7C /U_"6u'g\ޤ!_5+/jCqradeR,eiK:_ qrb5fr0LH.SqsG)&G޹T7OϿf/}CI ]Pt^G&t,KBitTm b%bCE[s6,wuz*K!~!s]_rA gUkq7.JhmysvץPV"d:4_.ݟ]tx%,y>ӝzulAe\g۔]R/RSMQN;uz>|2"*/OO6<:v&_-KOsgO TPpѥCgkOuٛSx\Kܞ|xKgZHٵUQŋc% )w ݗ1iD.q"j/j lyx7+kzU]/1 9uo:i${9~+<!V>CK޹jd|xSPs\N_b`{̣RRzKߚwzrm,B0X>LqMf}sOZ}>[iI`Y(I.i!_fgJR7/hӅ&OxCն$bSjendstream endobj 379 0 obj 5683 endobj 383 0 obj <> stream x]Ks3boYp^R8RDVK-tc@,@F+Ċ>nun.w!?<[)< 鋋byżY=0Ԓ7ΤA3:He m0f}m댷jF)økK~FklXkeqp퀜yg_a~BK0W0K*)m|r(6:0/~ ?]zɜ1r~xr&9t2!wIAN~YyMxEO~eҮ`f+Kx HCCn+4,hZ˽oKYi~]oϾ>;:|7qeiҴ`,`,6_MyūK~vgy}Ż`j]Kuia}y*-.?؁2r'jYte4Q8x. Ӌ\hPZWNi0jlD݈'qWސP/-A\xS䆁TbkK7Sqi!=(e8 eHX*a9eW1˰X2P,Ca3˰Xיe> `eaeY3˰'`p!.,CY2L9 EyeX2X D!ed CT6z(B)qCHԺ9(L HJ:BnG W/-VHT-F!*/mLQ:Ydv#dccd&xԡw#!pۖѹ̄sxP 9`v$8uۼ5aoذ £Ujsҳ$-pL@ f4Eĺv``SpE‰ע# Tg_i9++C}T!l >!9R 8ZbC#GMV"57̀ r,&wucks"w>)OsץEpp%FsE{@(%6UiԭZbs؜(̜h;릪iWo Ϩ$BR~ʔ(Myj_]=c@qV4llNnMՂ4Q{ !ioǔLmP-R0< QN4 mX;K H;.=e*b>{PBG$  8IQiìfxt9b<7ژ ?MRN]_qPvUbHs L|+(62GJ&q\Bo^.]%GmhUJgA 0Չj"uU(@kT;` (puetMHT?01= G7-ހx;^v?w ꨋlC<:|_sҒCnTWEi3{-K˒[zF52p%+nA9iq3@J[w85g&&#$fdLP.sakRWG}m&LL'Vigz!XzAMKo%>m<8=u̦9ߞ=SUEi d>gƟL5xDZ#jw=DcFÔ_qQFC_?Wg(A3&CAs¸IAW;RgE>t壞_0i g50@ɽ/&9E+/\].fΠ3Z :s]gеS3zK(>re5x?)R'̵X茹П ϥ)#kX`f8Sl o-^e;í)ZOhk9~"+;{.|#-oĦm9Z-NL#8z҂v ةRt/;xtI#N K =4'x[cqWCkY a,-\\:1Z\u͇q-ʑgze#BgH5&%:*oio(^ 5|>tKYXkc(J7B4Ul/1njq[0Գ%ĕ|6ؑʗS lZ GWu̇RnCX/6 M>!B&V ٽ \ #Z\mSd$8h&lsp1\-uwIȆH/n( cK`i2i=z%o?rǂo̝Z)h2"uØ#VZ-ᶢH{hK`?_]PA.!V CJ=˯+^TZ.w|=P:]\zJׇ\qx1-y =?i?n,^ӬRZ/*׽xB@CXӻFXn 6`fx/ "= (ffq ~hGw xb-}*~v[5g6Y1l>K^e`e&XDZl4g&(&nй&L OCdc3|VVIJW]p&! ]!RrR U^ӊ[碹$.@WcELo ѹbLzg+߬*۹/% %#DTD=W`q]4[ M;jC Zv *}hGRU!A;CO6=<ҽocL.$Mtg|~,InS??jS(ۉj44> stream x][s7r~gG=2gw $ƩMR6ި(TI(i-t3@Әs|`ݍomAlFo}6gog"q3!Al.?K0nW7˻lZnbAt:He m0f{m댷jB)3Bn-?_hm`oڍqpuO&gzgZ x_^*HP`6: ^h~ ^_{98c}zryBy7ȩ ddGp.FڍC0&م xHCCn+4C{K4uiޔ$}MxC_̍!#ޚXRΏQЩL@*)tg<7^5 cC^ g;;-qJ_ݙ =Ͼ gZ1XqaTh!K.,:qt`()@ ^0mlkùthB`>"ՠ/ ^ )25"XMG9܄s(.)*-1ڥR*K*) `4~Mh0BlǹV;Mi~<%H:PF$g4Kxv4~~2Ҽ/|(ͻ|V/J]ih9mf AbUM3Pz]t &'0ٰeڈ&Ow.gDqpL>aĿ//S"W N?v_ū9!J}GRϣkIm-  fxfzD =*[Y̠Vc[mV$P,m֥8 ''ƊVVhR#v~z~Ѓ-kȿZH(7e"XV Pp+!hXN=>} 7KuOFAY}_ydΑtny1UܩD G>H<h^ؿԬblއr[%D鿍Po[ omCPHݔ?F~y6sLҞ܉u 0sUppewFmxO<ڠtZZ4ɹ&c&rK/ЧS1mx(ͻ$ц%ALvܷĉ@ gm+mYo,wpƞ:3U]V N &wGeqX,a:k+pLۊד5!3BmA> mSwp ނ [9joCH{q8|Ƀ/0$ sҟpq''CLܸW'lh0h=u,/|H #pf3  :op0oYS{(% 9w_!9,~9}~V <1,rs  W@7>KGOlja40SRPl,Yzd﹌`g$k))i_pLm#aKT(lwzy,hWW&2C3*9wv׳S(XN7IX0[G8\ZyފOt *ԫG 罏JN4Σ 8f*>df?S3n@t`}2E9`}]!6D*(E *|`WM~cNǟY t:a;=GAi(q }^BcQVi/议Vb>ƚOnxA`P,`9bUMC2d Fӊ#:8j @EZLzEoU[sPV2rt?;>y$ARI 1!  Y@AS8BW)tw/| PKjZ]v"G!QTG cU' ܲ0}[} C@sPUy*n:0M|&ϯohqu9Ѓ 0Q#N[}œts~bhQ#y/ּ;Bc #?MY@*8aSE5~6~=*,M.6%0x>T"dgJ80pı `OxCfVd^IiF5Vas=nzd 9Fg_CoZ?Ƅ"$C:%i=1a QqPd=č`ݲ [!3#"yq4s?+tX .؅Gu=3g=mjmFQ(!fjֽtLثw5?5+72(ccI&=lG*wUH > bUQ$s:ӑ{EZz&PQ5X[MRk^= b=M )- p"[uB~&W3z2S8j\RU˨M0ti$Fdb84d*2:kd]-zc(j.:8hԫvO ߳WeN$ciF"VG<+or3Oq߭C;S~DWܗf ҂;Mu8Qm/XM^)#:E$Fj\|ebLXīh!$xlK$8_U} JKb;=vZ|aа{l./W [JүNX/B.~=JYX61@|QZCS >5S,O,[ A6.8S2 p"o (#;[,iF7C.^2Ww'WD݊R% #,y,K&h4q0 ]?(T3}q+ϔ#O嚧{A%BgMN:sJR4=d6=*y)1 hO4KH)L;,SkHG&td{Uc4b [Aƽ駡T,dGR'%=L5E`(\f+8[[gƞ4Ÿ>s`q-1zźv*djpFsEQ6HVsAfoe"gq< X{4_SoiXCE;O9M#}RQʸe.. @bU <&OGxv4Di`.wTR3sLТX,WD-]S'i8pox4.x}g הHZLJTncCRӠc]xI[O H .v)l|sN3S*0RyD:2:;R˥WrrK ]]G|L5Ere[4i/GTo<^ ,z QTmkT@sa>b5ZH#\^s{]SiF&0/RN2h} tl<X7hQ1-M:?U_ #gebi{lJ)7fMRU^>;5c9CmT<ȕ0ʳk=JٸpOQZ\bԣd\4%q+`{t(Xt+ 'RÚXvhx,xN<ŕʁlհ N`50],WY.6Rrh^[<ڠ\,=&- >:GԜ nNޅ):]X"y\ weP1)2 ?=*qPrPLk xr+_s1 0 w\֨QQ$hL/Iwu4za @IAKw+m_nZrG()aCdkGQHDmS!ۦ|p51W)K$M(d\|L1kk]rQṫTȤ}ZP~RJE6N lXx},r7IYp!Ndne05YwȆT ?೐UHKlQY f-!ȃ+ RHi`7 |0~2'w"[r4^H/ ;SNh&ѧmOבC/I 7|%ȏc R/l]ʈ}ň /3$5lM`np/"TE LkO5&sbyBr+@ǎe/\i&Ezu{_3sMl vL+^heh]˂ .ۼ_cj`K%V8oPʑxQ_T]iqd]$Wv5>UkO;zݩYޥ=&DФO$=_~Y%°W{FlGa|6bWc8 Axy("[y~|zO)aGYݶqt'(MM" {@2"Y7/qT3N$i_Hc%y:5 >I#EQX5*SJgú쇵NQ|8^Cڻ|Ilћ@uUSX&{0SZ6`O/ HIr >VOc-fM '#Vԋ( ""#c<*T?KUo!%}S|8r2 jY4h03)fJl@.K$Y[i_cBu}&?z4Ep{ ^Z;mtMr8u'?ٰF) D,Z5ʣY@ i@5h8f|MV _Ew;\}kendstream endobj 389 0 obj 6462 endobj 393 0 obj <> stream x=ےq߰o9kk_NrR\`;UTI\{@`\2bqÕ?WGi>LYe}GI}ULvJxk85'p[lק;kO:D=OJS`9?| 2̓.{k ՔW-)=rF -쒯)8Ʃ0ion\v Lֱ{58AVp`)>,8.:N:,xW EUw#LDkw Zh76 #UyY5q<٠thqg[G9з<9b# "EKz[|#Kcg)\C-A,_Pg m5llt^/a *#9< ^U!N NL41Yg6և) %y;㗶boјHYyݻ w-t2ڰ?Hэkî]縷9T䮜ػ<*eH/V+%ۋMGc͔л_U:C8]]:lvaLyN;$6"?]9Y>F'q1PzIw ߕaQ˚$Ywh!%j@$%:#Bj]=vgWX|̪$K%0h%?xc9w"o*6Ͼy`9w:h A4^KToi=pcxݻVr&" SD74j|8R26B FxD7c@dGxʛU&P":;fWFdHwפ;~_n;>J;Fg\_bx)e=dژX} ƭsk`qxFPAmEK*vbgڊv7˃ d7mY@^*6Zt2hT bbТIrϡOsbr9%xDө-҆|0SM7k"w@z.=j'( zd@8c!,>Ѣ0Zvg.p:@bueq3ws<:R1=mA];mڈy!șJ^QMūvC>a.O? Jt8@E4D,n]Ĺ%Axw\]wK65cn1R-B,Bd yA% zW0D 39ˆd5LiY ,8ݤipt+$x7k1Dȶ $fyRTP)D!ySsq[Sv ZRj&m(gTZ5"&{k/STQ "ȋ)[yQ@^4mCa7*˾}OS&ޖǼKNgI3lǪFeÇ%!| ?v~5g.2YnK{F '(UX&ԺǬHrr#H1|Q|;sRRCd[KF"rײk(5l#z4=P%&vHo=2cmb,NYExKQ\ۤՔ.;:nXJ8)d8`q<.%+%dsf<6 =x;z A1FW :`zdE}}(Q*a14Yg} f:0 +UmMpaitJX=QFɭSTt.+Mf'4,0J9K擒!/N#8GoBId+x@>9S7֚}; >m-Ma5Y? j /\ŬHV2KKV&Lvmg!7׫ s),w-D>nN%yI Jhz͝Zp(~جH q!l:3.cyЅ˖!袕D:7o+tL{$Y5@wakQnzndw6yr牢5&7xs# ڻDRR`k!'ԅDk|?Iw$ƒ[)ׄ!nZ).a{R[ 3[fO`w#NHzM_X*/x.`^*_Ā>g>GB%ON6$Jm;6K#uIMwXSG4.aI=3#/ @=iXT@-hk9% 8al{Wbğ"y_c1su`%g+3m2VW )$%e3q`!w'YxԼ]W ׊]O06"z "PBrmv˳s]ڭL>+6 Q裂'}~(]8Z FmuHy6 VwE>ё7LR2:7ƜڤBڐ&hI%}CW<c.Dws`wqxX<5/+ݩt[Dڂa\cWZt˺W7_ܶ`;ӯ۲uVm?Ǭt ;IE=;-l[Xh`E4JǁP8fܱm#:StSMArE퀵a?EӤ` E6."X51&IlydF,*N7yl)Qm4^}Ks=DնZMQ%) a6~(<tUo&Y>%-v cZ3wBŃ(B}6B&^-bJFG9K6Nqx_ن ;O.׽3>D8 Oqbl >N^/_ ]}9VG>`h?"D6/M;.dTHy%{ccL^\ej.ʸCr/z! |S8wfneE,pUuM~.73ϗl:}NjzYt˻L3" ϱ%`ev5@qӘYL-f:+˘3c# r<6ēyF239׊R'εڵzFvE9FnG찿UӨsr+ iX\IA{U7MT(|޸/$2ӎt> stream x]Y~؜cc/Z,ɫ%9CExo&P$PꞃVXQ( ǗL;1ɝ?ߏ^|=}{"vOO~,#s<\agÈBd/(ki?tIg@(&19WtjqzҀa΢Gj,^\Dm[,mX:Ď*ٌAQI/VSWC fLKζW:hb $umV)&yhcW8ڈ^$7LSɅ_do3-%*9#8 {3D :DQ~2-c,c4WyÀ|y]hQަg+_&J~ Ovƙ8P$=/\r}ڼEuӊ{\a'_3WjzYƠ4mLNF :(-(v1kk]4)'4~/=VDy*dݡ(\ƔK쟭4^c|Pj ~mrw` Ji}L%'Ts,.LC%t` Q,[<bHʢhtpu͎71Z"NN lh(L@4n}HrPCh] /7={DG` Y1vE d[^Gnj]B? ~MXp/4== s}5=PZ"q8QGY'.QInsY5ԫ2enՂn̺YT1NI  nq7\1AoN{f5.1Vr3x ;d*u-R͈ތ{L 09!m{yme.DPCK#X|с;y )aKlꄯOŁ!v2)pͻ.sꅴQ&[ c i,.(9i=4b'c,fhMrHӇmlyu2х/jld'0w 1f:\o= إ bf3.&ރa)r|p|lyp8"ޝhoN `Nt!L"xna8۪9ׯacϘ"M*x h!1Vڅҙg|uRȣP<xU3 # c5o(χaF[wׄm~_2oOI8eN7X'A @dQ2=(ːusO'js!隙O Ա~·cER"F<ck>8Ym.`E)?(2}K]U giSAt Np_ۇT]{]hշێ[eEd/3KQ3[RmsȽMcʉЫlwG\|*%B;cIY0B j}~sFDK `xF&!Z,qe2egL@Ox@S0ydXy*.-LjF.SŽfMljV'?>n,sS57W+AQ,6?=wΫF74.i3N;֓3E~;6 <k RR8yǡ: _Tcd3>;keG} K`\}iFԧ}L׋:q Аҍ{̷wF8 Z5(s[X~@<#.VE #%$+"`pgWAGÜr,VlC^WG%5~v;LC¶xRYJ{Љwpki4w(d9b_LvRy#uo[[LODouޞ,Gݹ0KἒjC̰t[:EE ]:W5-f\V_:cqy!UCpJIJRS3m% ~ IQBY=ܧ^Ϋz$5'FPl>0Bc.7a§TۍTuJUps RKv8ˢO?Jlö:}\=CTLҹkQkefb.v$](eS=p`q)oAևg񃚢}s~KF0V1Ў8+ƕM3ݰsp R \[l%8͓30<-T v0zP%R{`3 uԩAes=O6jֺBeBt Qmv58BO`!%L>{!L-N5( [46iϧ|=< $xW0eBg!=F"Jj御:ow>4,2^#2m*o#>oY؄@i5┑s+8SÝrzdb4FԊF"1,!sܱnuD'EbGz"Q:PjreQ Ȇ Fs7qՆ e֣ [A ߃%䮧[Ccc52s$e` P6A\HPFC(s# rDִ۴ b0v\r3i[G_WʕsZ(Txb+x3BO\:JE־KKV>> x1y}<AzD=g7 ?dA+4 ϶dWhEa4N"9(N?T VaيQz{`wpz"l%w+b MR:x Զӹ6(}EB7uq, 6|P*YT6oH#ũ( PKKXCpsb>P_;&|L K4:R|GI T ]}GQ}Xm{1gKAUT( =܉Ƣru&wņݺxJgVuEBcXGbCr|&/TTx s׵8`-ͧ3jr?qc"-^s7"<2:u 1:7|LFT /A><=͈(j`Ygo{Yu`LcWs,ZNX{Ik#9!BG C2Mz8]C꘍N->WF5'|`*-7`T=\gN:D:,^F}2{PS:xuSp7j^1W>^E)f}HˆہJx3a#@c "0՜h*UUK;,\*Qx}CAz "L #L!]Rs4v`P֥V6r R'ӡ;YMQbA ϷlhI8F 8(:*IRS 5=0̸tra; `F hM%,d-Nmcw͍`.\l )wlS?oT6bcwsSnV:/}9I.ݒYy8x<2:jZ !O*\/mۂuu\qF{KL-_Dc{빣j/Ww c3^Vʫ!L| οXBoV3lԲ:Bk ^j ۑ>x݀ Z"yUM@i/*g=0{7tߑ]V>F[14 }b o7zB k0f#r/GC>R\Sy+[́J? 0T0:4l*[hxP*m yWu"ZG> stream x=َ%u|}m]Ƀ$6 A6i5#x{ԳhF_s"y"6 zP E}vl;~ś+{q{~3qdݳo/γurrzO]âB f/o$\ᅡa_ZX?]H'ސRz2~9z, +hdzl9's?:'~v {gsWFz1 WWjv=ﯸR=87yG^]}1)׽).d&&807,aW:C^4m}v ̧Udp'y(XO x )Jgr1L<fA^4ڧ x~+8nЊ[$'Ih/Li S&5Rxu]=Ϡ֛+8J=Y!Lg͔ppB  :|Vzo_6f ЮZ%y{=8ZXq U'Y!`[.d )2#x 8kW@)0x7(|&Jo8YhyΉoP]z7elDEO9\ZL)Bb F@+mBAW0<ȿ%y{ my|[ߠW8+>!ݞ bڐlR:h^lhQ,e.+gDxB"Op".W2(ܴZH?W 9ꬮA8x N!xQ(bKUOC#jfYu:b: i{h]Hb͢yR#}YN%UYZ&%)s3l3j"cTxH8]"D˞U6[ىtx,P3 KX8nTFjl̆AB簿J#'  (٦<.<#~ k6v.EJJ6>)Fl!p OC2jWDJ{q*_?V' 9k%`h}6޸(FO35HjE)ϗ3JFKity I:-2Vܧo}Tfdh}Ds"؊$V2_z]gh ֈsh==wry!..4rV,.h> ȗφN~,M%4r+ ?@a $:r~w? bZ",@Ze@TxVFY.x I?jOo>2,#gQ&Np3Y/pmL'nU<_]Mw=# Ʈt-.rH8HEeKߚMc1@;jL!ݪK$7J?i5Bœ=Obp.;*~' /V>)i^s)a+Yw {=F\pKу!ڥ]Xsc2έDɆez (D·s;)h\1!J0\+xIGTx@ ǻCm1 *uʮ C6 t@]? 5r ?Fj'FGĦ&_Ƹ{\ 40A0jyr[[tI 7ôY?vXU-p.YM%?D+VSL֕@C~k_Y7uPAdRfa&|oLhȠ'/Ni?ɺWf͛=U{x lBcEnCSs8'@a4F韐o8jDňpVVXT0u](j>!!A0[O*e4cQwI#''5&FʑF 9)Z)2l@Tۿ(q-]ŶNzI sW| EDR1镞"7&}%}]`|iw`a`D#J8+Mstv6&P=}B.+]c;QqI81YT#cA`3,Sɇ jV8Yh+FCoFx}}+N?Fe U|Xf06c4[ tR\yL:EߠmɹAZb[]ܡmXqAY}cuai>.?\eQ) b#$5--i2 P8y*Eͦq2ͷ&(&db6[X%Z7㹥f%.T9 >rcCF:p.v GHon\emdg9>ť4|JpAU':'88n16"G$0XI|j# ]~HlpʃwkqE,7H[ѪTܿT\Pi(c3ARR [$ѐNJ зair/WJ|TQBdjd `Zڵ qRJUґS5B^&t Dn^'0k].sRpM/Y6?ҵ>{rrgSpap\V ^oƆn=LB y9DC'%8usӧ(=`dXʇq5ZS/`[3XܘJ2S0(-f'ږp#NCu/q9\,|!etM *U kq@ 2_,ȴVs偅~4N[;GGZ*UoBXlA ތ+P܃h7a?A^1Ǒ1g>Y)27[/*Nv!>&A*]6hkՉOaŁ=1Jx⸪[zZXh$_“y71D>ўI'Ngu OTN!< M6K .Н%<}bٓSXDW \7x=P\2@]%839e 6 X ;)AapTƍS-'@@ 4bs :5p#UC}*Bڵ` Fo Fn Yy6z 2V bOq&UeĶEg'pWg]iД8mcF}5Ώ)#ޢ\dJ ɝY*p,z 6%El1CCdHhaEk29tax A$:69IvC[#ɥ+do+xqL 7Q{B&iBF*d [l# adrZ7A΅$L )Lu(_9x .zwد0-gNMsNwG󣃥&Qt8:ŜYeP),1 tymti vF8,u.hʫȇYۤ/.8qu8Cz$rg'$1e)vSc qWh;$H?fNNz966?Cl|8 oRdGvR(/6@{V]X?\X{s!bKzOgY LbV44a )f:C*|^y/ig]ckF0, GN0:`IFLeYF,㧀3N^,.W\.hW,IW@d1+_i5K ԋK\-0^V80D+o~ւdcE-RCBc/ F!PsY GV04e+.ؓaVbiE\CVґW%w#'`(ר:밚 j8Xf.8nfgHTӻ]#G6/_ #ST3e8IqAK,VfjeY_T}; kS2kd1a\Zendstream endobj 404 0 obj 6652 endobj 408 0 obj <> stream x]Ys~\|ؗy3R55[<$)EtethFRʃ;.p; Wl+{qsv [:\Y}:pl<|'|:98zqsNaP P43|㷶k~jgt#kC~_`klNY&3  j7 NşN0UZB˯݊aܥÍ]Z=_2έ0]pע_hڈ*?lRIפ%gMjpblq۵R 8~wy+>xž aTs؝I_tSIŜF&ƭK7mco%o)ImS&wd#ޜJK%u\LE>[.ejwNN )dj`$(|b1 Q|[3~` ɭo Q \r~nFHQ*Q4+PQיF}9d!wg^I jZ?/Fl=~6_%^Gh:qҔ¸%;Ax*H^O/?x#-Z+Ѝߌ$:iuʛ =H%54y0,~7E; F 6#A%K+ze ftӱN0l:!~Ρv9&MbĮ_`0KFB3č(1f,u#Kxg˸N2Iyo5q RԄO"JB ,l]|?/h_@?}Z9§mn|ɨ:7~ɤߦ׹ej|H-E9TӺAkʋ gq/ő GEĩd]M5D Cs= F\ Z::ϻ*xcW2ZT!*s]*'9>J DWGm[ngJ,R^d3Ή%m-sPZ:q8@} uK*.~;@ʗѾ8E~`9,y6d[2Ul ?M&Zc`#׭_ƙƳܸiImjiiICnj3-?^ ӃspѾ~5&dP4pA\"Z\Nx2X*6mZ']ѦP%U=@Ed# CMViUEٲp>te)q=zw@Ƃ6܅O9~(%.s7gw񧊫֖a-I T䋕M+A@xK,=_V1GU';$0E$fڳNWZv C\I6K}UXSϧy Bh#C8= F,/7(R%Gvj?j&JH@Jiq=8N@"ΧBXD|/IcI" Sd0ʸ:!|jcp7)5vχqkMe=Ӫ?ݠ]URz۠5m^ <(ldg̿p:O{s%qF,6N'<`_ C]ʆ ٙE|NYF@\0 F:HmPH 9E<˟Ϸ}<ϟ3c<^ϗ!}Eqyּ\~dSiD4`Jc-0r[>e!z&1 $Zn"(1Ue~Xf8ѲcoB#r v!Jɓ=7z|<NC=B+`LBSO,l+~2F9#NM3_7 2$nf(%Npd=`tm=6 b⯈1/\ ?h-"ZŨ] D5iK({qwX38& қnFdTu2TiW/ {yt s>(ޘOX/UD)Ս.DD8BŎȾ&`AH˦he)ܗmkL vqpZsq~ڷn%[G=ʘKufZ(=3BD7H+ct)?/N XpȅX)ir-׼NF5.uOw* @0MF1dKmKrPFSz0x!: \iqp|#`ӚJSoiAX8uJn)F`^))RZ3*#]\4 'ꋝ0\(ac(JAc`H,(PJ:S#AlxrZ#%Cʌy5N$ٚ\)Ei+fBӐ 닰}rgjՀg@ޮD*b=:d~:R/fAb9+3;04pYaqzƞkƺ]4:V|G\:3d=,W.r<RŞX.wu 4_uS/UJZ,ICvܯs,ޚ(3.p OT>"em >"jfi:(楚u30 &0]FKGz2^)r.M #=qL? j=cV ^38al$~Yj93 ?C8bhq4$ɠlr%Q&d 1#^'+B8 8rzc ~#).!'jY0\3$xi@}>'õ> 1 >=o_F7`|л&J\{| 7X'K+3E.* 4pvI4UɞлwGSԼ~>r+rQ^k?um"Psx M>ZhʑqLStyDlZC5>o(\E*"0sKgd;=z1r˧scHGpM-D8ɧ# {V |J (rrg:7g>`󒍈 PڐtVNcydk6C63Yt o]-֣ 2B:Ő w-fNF1ANol9D"x1tp3x# KoxsYr+#+gޖ'ٛM1 KSaޜ ή6ؒu9r ^n"*n%#pydj9Rbi5ex)2 d% Nv$SpGG{$۸[=IM-'`ϒk#􏹶#smϩW62MhJQ6zL[{̴NidNǔh[Z> stream x][s7r3kkygKRyHRTTl3yrID)"EZei}\)[JBs0 /_7=?W _ޞ[~8cxjvǞ3W//ʳurpzuq{àB fׯ7lByϠ)/{mm5zjgFJ=0.ֆ7J띲L?|W^KQg5Se[B%'?Δ:3YZBm|r#-,^mW.O^z`㻥&.M dy;B[2_G+̊kl#aia05Z+ʽ,7o>M_a FB*7_W\S3S75יg P8eޮ=`:RUݓP^y0WØ(:dI͕ ovkW?3)^Y] n9ﺺ5uTr0Ƹ'QxNo2B l! E)XTOGm/~s.,,/Ǹߕz/d$k5}sy͘}*LnxALLdP|'۠ n86`d؇m8S;Ď2rfr^N=@.h3#0Eʃ&:qߟkWSڲf vtyyPr'f7M@v|?G,>+4[L۳|4wy4-8gM1e38撤amjG GK#}AS6 W95VWD "J{dkCbe~yA@Jxe.f!;kEzcĨu @ztPƣT⮥~=03kPƇ{Qh8Ew/Y﷉?L 8{?۲II}z@&a-HGl0x[%뉢B, {pߺZkɆ7/s17?f@6nr拯@҃2zخbHn-lUtly\> Xd 4@T,"* VV&3&r͡!g'PohO6-:" 胫EnlJ%?v`s Ӧq+f [> r, `x0/#KBmx!\N+<K|W|ѳi>ASkpTe=9 4l"_ayETRi(pPGa':Q 5óItaB׏`7RƑ@]VݹƷj_#P>Ա[L2 v)is[@ƈ6.ε>MqR;5|]dh<QZɹK #J :4I4m%)J^rJ#˹ o &VPҚ98 3ߕfׅ7) nOx)9 ҇s$Gf=M-!H9Dn0VطmTҶu95zWh ]?Z%d$}I&tؾ/jPZ*(<Pz$1T4n44 ((X'L%dG=dsN 4N-BJvBBS! 8`9IfB20@Yፔ7/%%{cRRy_x#N7# rAUAAI)VZrsn9@Qp1+qpIA6R4YQ]+ 7d')^ 0𺿡jӯ;mDsfcsaYM$j Yr͝euȸ[/nA`O؉)3wO?gJAUJ=AvSllP`.>q4% @@dEle"R٥sx٥8>Qե'5$hpuKkPEX {lZ粜MCҨQc$@wMn> [ msh 8[S;E uwuzÊf2e#H:(=hD#?4ݷ繹BHaݞ J V>_>.DVI+vo\7px4N(PH^[ZgզN+Jw#^d>FJB̍ ."8J/&!]ƊV|~X6k11]8NP ~xj7DbDAZ 7.F=nU%@d~p 8"2^Q:7@@DN' &$5=Q@. @hH볋]_h8 44N~fsۏR%@ImMREs8fEV@mi"ҸOPd@6x2oNK7П̛5V5vΆY7ݞTxl]v3uJt/w;YWn@^~e6R这  lk퇒 v<ȚowwrOUҍ$)(zx{\IBL3X/&@%Ҕ:[.&% w+92WW7 z?U#ݱ4 t/ڏGD'Μ#Gs#V_-(Xm+̴mG,B  Lr wF1$mqB5уT&܍>~{x 簃e5aRGgEoc}+Y:+LTy\K7 .:wՇ^ERmN :ğyX%oXډbF^ǍJTUs e_hǏkkl؞c1Vs޿(Ur_TveJbm(cEJ'kVA'f`` .'BݜƓ Ӭ,FÊ{2BL8 ;mHhڦ99B)Wk.:?Q Poי8\=5̀Vf!UW42Y&,3x hRL)eNxSEhAOmq b)b6 lˡshԼ-vjb K -v!&tC6C=\C xj)Vjه踇ڕwtr63ŨNi!WQBp-Jj-pK=Қ9R[Ny,ҳQ,AH}uӷ B ;aʏ"wsatzw1.`aDo)4_uEOejDq^;ĸ7k 9CMxLogY:WmOJ2'^üCi%ȃ+̀1sCFuj:c=38r:ݹ6f"]rS8`U3uǍҏ</ bzlQB`ÂZM|?]ٯ&/L֒ĀENj̤M3ϫx/vZcNQ.*oɐ۶~2[P5ELG>F+A+WtZ<R8mJ{'Z Ŧj^|$][Nړj@;sJ4O7f4Cއ%b e^i{[9̦,c|M$o6<p2$l|;uFX1+tqYGG'hxxxs#Y}Z.p*n?LW0#i*LE|>:||&/B, u?{f@,2WNctq;ze0=XG %VXXŁ7/uZE fC-aJmAECJ%Nge2a yec}En\;*#6cn1endstream endobj 414 0 obj 6473 endobj 418 0 obj <> stream x=ێ7ryV/ QnE@q dEZ66,d]P>UEX${hdCjbob]Ŋ|Wŋ??PO_^֤͒.| .zYx7_g\Ó1nY?5UGZI-qBf ֎9P %p=kP=8+hn> _hF d0eJ5cɛBg.w{;o ))iW(7R ;_^F~>zi<|y\?l/P*e=Q+0X7+[`V\[?}43Z0! S{^i^I~SYbyqdlXFG?4l~ko|]vY%ju"g*#8Inr1`HC!LoSptwb0Џ{xW*4F۳yMvj8|O326Mֺf_2 ?Yz60nB8:yp6dw肀la?p7. C򤝁9A|脎_u~.i~fi)u@-BHV+hk%xw+,/[b$s%CXƤ[ѥOw@6]><}1ëFuwO،@UYC3Z$4RE֤Tr55[:[oǷ.oIq59О8_X 4m@*Wyunթr4<XN[uj^>I- MOW9>UL5[C,1QS>Lnh;'Y Z.FTS*ɼHatgm$DU"{N]`>1o3d#G1CY] bTv\m1M|Glds yAqά ^RZuyo'*󬯣2qz*t RV;-̈́pKȥ~4w!Ȍ)a2hJ ~ 6SWmIs`[2N21IU'MY|9\/O (@HCJ1jl/7U541V Y/`;4tzz3+ sKENDN8[L^6 &/>"4V嬮>:]|%߮e cSdBgkYL**`HID %8s caY1ifHprv:r\8qp3ebYQĝ4Z;9Ik6;=_W0&/Le޳q7K'}2l )eRL~8u&Ͷf7$2A)y,1r$P<>OyµzYUI+AsQAZo&NqBaG+vK,IfctTd*γA/ʞlqFM6|KC9jhl;| ڡEOI5›ZiQ C:u+BWG{'J,F6Zy+[ gҚx-cB*;"ֳF6∐&Yp^W-ndLo<ƯaT,xXRo|Mļ+w$ 3rͬFKqZc;@nv$HJ|$)?3e"Gy9z;HXnv,w5M+2$ُIJ,GLPDd= JSuYڧF NCZMico8Jf2P+] ۫6q  "AJk(?=80 Ph3cDXZWI`vI}[3^Jӏ&`QwM @J}xqEaC-3%d4ER_08w1CmP;܏R<Ӱe]fVhnqj ƄbE0~ _6ۂ+iZTko 4YXCfD%bMٰqJd\VMݯF/x_)ʼni(a'a֝i+\Pwo5eT+rk;68O.jL]׊ć"gg"xKR1uNJ54H[* 12ZfZ; 5 q7cG,RY f}- UunZp5fOYjygͮā<l*1?b԰ŊfS\G=+j7jjtbU̒ln @7(Nqw@ #y0MZ6eR(wpEBPe #~k]@>l"oTn, s\RhKsFChJMs/fϤ^۸,`x|~ Z@5߹5:#s[4>dh.&qzP PaKōXFLCLZ(؀6^͍ N "&ʞ1Wɓ!m*;n/ƼaK2N֋}VT8/Q6@(3qO$~ha'l!ʂU{=tGWv ,6J"pn ՛La-b1*ȍ{ͱqѷ9ݔZKtS98Fe~tIShL1?#!Ñ+3fA]@^}DW~ >LT~DG7y?_J6mB)ՑC?Tn#J ]/MZ&=H2{Q #n`v>L*0Z5Oˀg'U gڳMTgeKl_/uqx {R͢.W~|p51{ΔIc _%]k$%C>z tޜr;Rc7){rxCh{z|??HpQ6H|{ ggzoզ gGe]˚1dpglw:k,]||@ċUMu7>}߮[UmG6yǪϸ#"mbfHT> stream x]Ys~gGl%˔vHqWR9)N$\(YH> )*?hu |'/~\ݜg;߱A>Ly!5߾"`[[͵^bXܾ>I֐O}SJo§)DйZC68*_i6W7iⴇ֟yP jLMzl|e5陙^RA){gTw[>iq2_<<;A<F Dn^t5z,zEPS;.>vpR۴,n,,xL.O|US1?XvM/?Q)cj@֧otcQ d$0)LzP$ܔ{F'B0 B ƤZ@35(2(U%q4OwV|8,~u}b&,I7t|lx4/ZyzJ>{VK-lBiJ5AWt/nAz5;q0 b*9U,ݱҝz];\E_~Ff}]apw HDqQy@lS O|=,˄~Hb&E>F1. N5V#QŮ -/2n43] ՜u[{',)Gv#)74xLka;/b~Mv w/f9Fv9y# d;P6%95MS]Iͦ}=huh"(m~zBC.`64>1kA=R54I0cTbrH2rWH`&ɲ[>#Mӻ56hX[脋KILw@Yp;,&.\4jeUN.t\!({4 7wP4 4y޼8S3OIțqwM~Ky0 %RW `%d~aQt svn33L'~0_Nv1H3Ha\`,}iDjs]]GOoȔ@q @/"ݙ_үRNҴ{+Nsvu(^*${Ѥ|Az;d 9E1A?7A`i Jq:RKF;9ƳFB)Q Xy K֥>6,FC"J XK ]ΪK:%s[ZMtċ8+^+T;36]#78%eIkTTr4}0 lwAhY(H|䷰qIq-Bu 4D3/OPw7o^vLY/4@ip$.*/"Q~_T$Y)Pa--ܧUU 7(W/Np#<(M0QV}=ހY>qT G%<(Fv0Y88;a)(|NX"uG(a8܏p7ڠ/-óvZQДUeLm Ӄa| +^6E3y/q+S V *l99N; Ìqf6 N5+]/ jiQM1`]_:p=/:XseS-Pw@`(`AجZ,hDswåA J{IuΣ hvqf8fmI"^ql#Dp'%<7OsqMg3a,mU`صHl G PYz(hܺt "іR~ѿީ]/fpLúކst>ՀyhmpҊMGGdxUb˜,H1rfxB:Ng*fD"_8,P.f+V)[_e>} FKF* K:7 ӨSpBA]S?KǸ,QtK2}Fa1\[a|Z:iI:aUl.x1r^ם"023⡛WnC"JPS!zXmH&&o8)VQr5ÇMx }>Nfؤ0]%2aq3Ik䑆 &h:iY3 SmT(o_F A: 7=C`q-n|;d&10iմK\xc^|-}|qh}N-S*X3NOB*FE!;+5Kȱ7fAcaC`*AvP1$+wv+C!N6Y%jM sDaN8zPнîox5 kxT?@ $ 683j+ԗP*DU#!Bz^Gb 2yX6CzJbU 폠&*OE6 m>+[.Lx+fyĎ+1{ĘyJoŚ:S[-U} , `Bt :>wLvik+V]nʗd?,[ N2Q4fR} ?(oqnx5X Ii& >D5cCRx+Q]?85`ꊌ$ *24stWDr:U Eݢs:.cMkV|TIGN Ϛd3HPߐaRz5A7+iYʉGP_8ZUR|ץif*ZJ佛 >D^T0T;>>Y  @f~:yPxZOs][@Uz+N=QT36aH% 8 MYEҰ+4 ܊%*77&5[\%l<죨,-ێ; ({xFE)c~Y[=NTߴPL`Q*(>bx7-&8hΥl C!CVALQ(x0h"qeL'cU"$w!p=4KG$GObhXQD`Ewd rexEbeTH}ɚ4QCX-M|A7f9KˊrQdRal:7/renor\=UXFk[E_{jpAo6'<&5<= x̞dSn4AYx^s@-x>v5& !wkb)C;$̡NHs"d;֘=xEc BHxT;7M$u_ó}>߬uaf**%#)] Bɕ3 TNetԬ7j][D?Z,䩯6JS2#b}}zB 3J` 4 d-e" yz76㣦8-~iM bZEc*L=4Wt)I"뜜#*&Ik^?Τ^) Z{YqGݻt=YaS0zlij뙹2g<,~Mַy.C.wggۧA ~ф9WU&0w #/ˑ 7=yf*Xx^m(֎Gy27Imn ?iE;prp/ PEUU׌/ āT7FKbBibiIl*)GêX`6ԀK/o yi,%u*EE* 7AbT◝zIl[ۦ08S`#U" ~UԔ!g08&'ۆ0o)Q<,L,X4o$c6A ,hinKf. k[?"* xd́=̱AU/k#+ !4dV@P(J`j;ݪ`tyXE ihiY9^Aҁx1 x +=X{:" 8kJ:!Z=R#sl v/^#Xnޝc)HMVF$vZFXTe oGڢ~@ P_G32B&0wpQ5lU&̶kst䬝u0hz6Bw!r۪tٖT*|Dyoݛu az Җ?7 4Jeza:dN2"@ZnM%endstream endobj 424 0 obj 5390 endobj 428 0 obj <> stream x]ݓqEa+/sx7ةɱKqJ\#,(׻RA,>ݿ@wqL?:\ޞ˓NDoΡ!Al__M7ΫɟOS趯NAJ~գR}Kc8#پu[}wzF!gZ ^QV?|;(v8ޙQd2I=iߟh)`8 +>U:2']LvFnt>sקgЛnћB?S/%>уRa{I~[WofTF ] -t5_G!jiybu0BI=M(Sbt0PcYz?SRnߴL_]ŃR6?LAie?vݴ^/E(s*yxtj*>v#솉wL zXM).ŋ3#n}Nm)~S_e)ήc-h;mn4D,~[2RM).w699 aj[{j^2&F;7pbʄ^PZ#GD9_|v~%_D l *5oNvygypwĩH?HktExyeܼ*y`p FS+gUsшGI`FG %3 pτ`[epls s&`$QeÑTs̻Z.jA0ox𩡀rf&ޡ-i|K߱,/JXߗkVK}W&RMW/J5)q2hkJ[`Zp\!F*֛ѦK1@2VY_֑d&{0:m(c|uZaz8SF̌3-؍g> UzZfAewHNpS@fŘ -LVXKgeu _W561}m 3@L"!.6f_6[V|A@yj{_iqԎyp̠;rS@BYA@8qAAHu'٫7oK2.GՆIY5N6pD>l.pɯktI3f T{Z(O;OAzQ9hdSxʎSA8[XV⽙>.O/$ W=FԄcT $89N2BvQ8H~8=|x+U4cDAv(4Bt2XnceCͤ ^)?3wڟP鷔ę+2Mg~y`[*^E)ޔU)~XΰrV.ʯK\T~+#SS̕/ce|+_GsewJjق۶bEw2T$rUaܑAwǛ3rjtn*7e}Ս#E>Ճ(BFAUd!֯M {g k牑%uX%Ow`! ȇN_)Dg>D4M5E-pA#gXY@5X[3~ybJ/6ȨFaӯ" ?8sty9~+QpflL^E=-;HTiiػ e3;= ]S-U+I[hwԊvl̂V?5z۝R fO]D)t'N%.KCVޮ+Ypb>-ḁ9dl֌w] {<(jn_5(dZ@jQC\yUYSC&p@&6G=PءN߇N# V:/+)qq~@yۑ&Zs36pj4#^raZ %W\_ծ-{ :6U(_RFHWi2hUpɔw?]ڸvKs{YOho~]͇$loD4Nb GlZc*b^5 /т=7-3#VQsҚݍŠRDreޔz b7MD r:z"ELGTHCxzVFUy\A f6K7u {MoxH(@dX Rf>KR<ȴNfr7*xq juy7'ĦIʴ,l$B=J {-cR۪ cm \D>S8 ET!h@ ѨȔ,x0Uݸ"xzv; Um #^`%ԇHٿӕpI}elisCK5QYLhU4PqE*z`)pJzF"6xpԏ[)֌98mI3^4y7ը}][#_$,dKL,|. i x4QU0jf `u@+ N 4 ]zIETWNH{j31RwG1ub(&MOq(M#ueEKjP2z 1O2ՠ)V׉lL Wh; =5wiVh4il5/W΁R;KYd@V}jLg䧔ϡxHƸD$@\?+VE'ѭTlyƈe5ͼ'͚4JT$s ~\Y-"i@_'pjۉCLީJ@eEtO#&xx6Ɲv$vnИ=@$Q"F%Wk(0_ *`G!秽PCEzÑoLxFA{O",NId.] !HH)jZ4]t@NMzC1'` 9鎿q9ԴfV֋\ނ_ۓh6<xk8؋.` u<)x&X!Jh3cNrH"o:giA I&1JȌD+Zd Em(uϴ,dFmǝt=n#e$ e"m-1s,0wωO{>9\/[P 5Λ4(Zy7~j:,"Gi*0ov"(7FOkE{z|̎T{vGj Fh {쎭1wbޫ{Ȟ`jX IlHjv\l#G35.=^ :Fi1jBor9*("X5oA&qKiNWdn ؙMLIbzT2/RJZ5osϻJ[v%y{XUHX;hrV> IֺOBڠ"Di ΂DFդvX%ud`wŦ-ٹCXjXD|鋢8-j ؛%jb\Ud Q {$c9Ym:E [,,GDk ˴N'8$&:uHaLraa@t>Nac޵$EJS*E \IE d@t)*;ڔwCId7Ϗ蜸#^(qڮ36a.N K ću%D߽mCΪn84I3IQF+ 1ք{܋BكՍ򱸈Ҷ`7*~m/\-H43>.6 /ۯCy7ʞcHry?lkU\ɼ'}p~ʾNJڄr4Nw4ϸ;O3~4E:]2sip;) w#8ݞJ/Nυ &0:9v<[¼i:U- mg\xL+a^S$!Bv<{j!f7Sx״l)Sj vRO,QiBBm:7yaktūQRjPD暵gj'b(a*ͨ-Z@kŻl0:\" !Eh9`CFG P_#a"0]#4${H|Z[3 1= c[H̏C)'`~Ju ;FG4Dr08Yޒ_. ѷM+41*BWƈ'wqdwT>+sۖ$L}\[OJlxA}9;u)uCɽtB$YK4uY3bsJњo@2Wƛ%1L<ˆXc W9C1}[hCXƹSKlEeA#>qOK4mc%h"ЎAD5Ue$C=. #LWA[tf }LR[ԥsM9G݈hP1]4eh7 >cjbse@<11^4,ܦY6n2".3-=>`#ωz[S$=L .)0D o(xi:;9`L[m,~*ODOE.a9sȴxWF۟i%$lLqho^l?osK N~ûgvMvFX)>YA, |r,=*rUEZK!OK> {WKo؁D>xj}Wza*ot*Ț4h͑n#fUl5HW_5i oΏyh!`5/vwպ\$Ou=zW&zՔ]UA#vUi;Q<Ю^e4'>0Q>y>KeYzP"i4n4Tnq#1 ae(sJCjG{qTK5+6vg$`&/fGYv~!#lua,"'(ދ(ŋP|z DSo!|oP@ˊ? σ?T*$2TEE_MDV*zNmou`+_KVc38?$$ӓsNQȊ_-A tM!M1~')jp(As Rׁ0s%Vp_x̹PfʼG⏛?Qci@T><Q].> Wz~х .3gd> O > u(0xT.Wf;~uvLOR GA}bV1\Q4ᰈmcuܛL@F O]G̕8\\z*M+~:^$Lyy0GsRY>z]'#w3O g5L8> stream x=n]}V i{K>MZ-[)&E`[lX[N~}gH.rE%ٮs/ùp6 'G~`7o#I=p<|s(~7mӛˣo?In$\oA7S^HͷH5\㝔zb\l 7;dz,ՇOk) f"yBɘH  8)Ғ=Ƒ;izS~r\7;q?;1Ym\[Zo}8aż.dedWd!_?fwpS?,9}YKx<4_&4Eino}4/ _ uBN&|o $gf0f N]a`>k7?1H(%&%6VVn.ꉻsqpHrKrBI0d"kXxzC0I\NPe>-dn|/W2B7؆N} '^)4&0d`6Lo!P0΀PET7jU ,wfTO=A*7p8Y; l\;*?#2Wo_钀'>\m[+U3e<ű’au x./QynR"$nr~c <@۝d,/gK<%@VqD)t0yfhUaB5!ғv>̧em[-m.iD!D`R.!⁄¸J8#*9sVtsi=YHY`~ujB5 ÅJ4BEJQ0l^}^2%Z ܒoaj3;^[<)+R) TƊ5geCC҂hrz T ç4j}{Zt\Ir]9{* gf C$i21^J_Jd4=., Ι0JV ؔ`)}S Gl_xnWD* U43ɎRL.'нvIVw05^ V#^s8٥v'?2սd J#tw`?RF *vcOњ'9@TawhK0& EdKiP8EZ7f&4Z/@pE Ybch%rzY*>2@gkM>Θ wt~;EԹSN;}.w>,_tF'gX'Sb)7&Lͤ<(aI <Uz0zW53@FO|l"I|G[`b=͹>.Y܈jh]:Ɂ!Q b4Qw C k|S`o}ǤJy6 nK)^(-y9vj=!VVuPX}ݤ="[rPcXE:9P 䐠<dJ&ǘD%YZoPAPUOl BI ] X/2<[HԬyO9,eÆOj##4hǎ JA>m/FyWpln'+Ѯ,pͮ~ Wa,Rk`mF+ 5*>p7=n\`QT  o"X &݁pŀϢvO.[+D͞Dbx #$АB͢,(أ0*BtN*B|YYi6%47gbI=9595U7T9+4^NIn2 }|B~g\Y ,r&d,K۶nMV؆Ixx$W@p^xE@qQY_n+E(1AҎWY *IځC'NǃWt(lBܹfԊQp  ^<#;MB5_Zv@;:Em-FىCLt@G0/LJTk>&Ԗp5ѻyBJb d+}0[bgىT[fP͈q^P!rRҔ1S<չ S52A9?T(% H'^6ĤKG`J)zCe IJGGVew I:qZmEvQ' ,͋JNވh}adM'.`jI\+!f♝u+!/\U9WC~&tP];԰"*z`x">NF4]c<@tTéS>iY'4uĊU:BR2hkY9 WamBQLcr^)ZKt%0N'z7cQBd|``,Ty:"tE'Mċ}VBVϲ t|t)`%*?{RKFj9O.32uBC8 + z*ꕔ҂WN)b.*eoTսEQKYF;&ۄ|>Quonihj:l>Lev?ʚ9 Sf8w露6 GYK*Φuȡ&q;ۍ0VEw5hݮ8 `_r0X:b nRY"&VG$|C)Wu,EAJlEJa`ޘU0V"98yۚJ]fB36p/8J6Vp:Qn_%Nǯ(ҍ2\qUW5F0jtzɐRܥ'1Χ6ґ'S_˄avgD="BfDJ0OW.*h41CϸQsw!5G /TOKfܰokZ%;I?{ TTN~@ PK(%&w|r0fɈՖ>ryS-r=+ dA 89sG[ wmHv{>\;tLĐ sƽxGV Q^Vl9z^q7Yp_\b2!; 媅34jЗ(5~F⌔U(lp8B*=G8!Q!F7(T]iX,^h>.K y阡;ً<+w 75<2cؓU> Yh,Ǎ/r-q 9Y0RXo~F8CUN}#G૸21wq޺ܓȆѰ#װo Tb/ܠzպ<\U`vj.VX>LU9snME%4Uq;vJzP I% `aQj1Pa}a|cˆTnԭ(h٢~,N3&]5 ?·_$l&fԻAe o w7{Nn$lZ^gS Ok_s'^G8 z6P sԶcKsQm\ ?&Yݱ"?3*>1XmU~5oB{Uj*vT<ʍΠb* N*smoicJ{bHڂZ1|k_va}'uu~Xz-\qc5JPn1pss@rLFfB,<20[_.g?%ϸ;@RxI.,n_o5E%]LXY B7yoc_]qt*ZxńQh<à@' 5U؋^ BZ`!*yZYō)2t3M:1j˻>ϒIMΟ 5&29i)t d"G6LT ΀/? Gf b"  YpNadEmZ%0ڣVɻ1GDHqtGj\rN>)Lb0C͍ ۔wa/"o#.2qmcI'.^!{rFT=+nRP cԝ@XY/@54ߎigu͂A}ڦONaj&7UCL8 _ w&OwKgQXM>,j,|pp[\ŚhɕrY{14<vi&k2rͩSu1Ni|j6&>Rnڂ$V vr|4p@"\vJ@1ulne |}!`jԘmwN24*5|AEz fe"W'2:R&:XuX6aJ" 90r1;dS2BʟspFվ:?Y7|v$\Q-QNX(fe`t.S]'xg0j /F;(lm c %?Dk{[BD9_Pp#Dۼ-LhxF))53K|~a~ K$DsSqF|8  *e:5xB&*|k\1@ CICY?f=9FGwHsX ݘGc)7<*}s%tx8U1E< i~*R_#]<-endstream endobj 434 0 obj 6131 endobj 438 0 obj <> stream x=Iqw+ ,_1o<]Rvq%6s*(7ɔhߧh#)x6?\p?璘/և|>l=}a'KYyMSvKz?w&ޮGb/&=ǫ/s{)1;ػ^ѽa/dV۽5MKpVN.9_vaOr\`ꈔѐ}7 > {v~u<>tHf3.u.x~sv Levθ:-CL{Ȧe %tfyg}*ȗ6Z^c-/; -rab~O!v-) ^٦~5 z}D@lg|v=ߐx5 tGwzGMĽ[ {mGp* `WmNSXIb>%Gs_=2kGEpoݮ{\,ٸ6t`f3N% ekbG_G7-*yl\@K~j.c| `~@QYVFPUϟӋY]=`EFӴhïn&ٛ4;:Ll|r3 ?1X3fZ" jcH=~U;TdvQLe3zSa9j$~ d؍={.ӪW8虡-(OF+W)ͲcFO0] 1* I5J,DrõFr 4) \i m*`IN?Ԭ%~;=m=F"&VtCO$`Yf8l4FG>"bPlyR{:A<2AM{Yqa<Եhj<w ԋ z`m`% )wlo7@2QBSz֔+ۙL=FqqrC-^sA+S Jnkn 袑1 }H繐d…5%*T_ݧWiH<ՈՂ5; DP}K7i:8J cYSۭ?"sM1YT-#ٔmUgUN@f3kfcz¼M*c+}0OK%䩀`V҃>@&KL71=~KZd_H$m;fۍ@ d^5GD<5řrYPa=F)؆/gt3BpKeGf!r8Dk%&iQ0-f)W2 0͕ x̮lWq:}AA ^O'~,6J~FoCH{'B(cWWGJ$ " n.Kn"tqne-ߊFȆ||۵R("u C^|K'C{ZERy$7=~~w|0][ nq)×%z=7@.'s@\3Xb/ 9cʬauh_TY^"<ϴ]"d3͏Hcy5( LSo[L:V=#]d1 ~x~j ;+ 3[,SFKIPRf-JG9 >ެqUNR#UNݘL]2}S?aS;xWTx{էo}`E^<=Ɣ aqĨ% NlNб†`b}}1$%(!Y|/]W@ɗhl%[P.= ~ARfph[qXqON7VRh#vO[Z ZcxSO*#jcmyG.~i&&xK~AK%aiw1q|[2Q?^L yG䵴g)r*0p)s~϶a]{W=皓ԞPu&P0"zН5hCʹyl1ΎAGFC.Tmj}{I)cc!{*πް#i yQ=:BgqXj~hp6c3s,8^p&<%8&4ظOYOiqAeBsdBdÏ\`wG Ⱦja-{Y齦%#@T@JwKc/eFUfG;`Lkpfa/y&;{gt"w5=IHfhO|aBp=4㿓BvVc\)U¯a$_>Q(?^M;_۰bLI <p)b+ _ yLѧuG(47kj[ ez7dViPil~6;tJ̝œwwaټ3xGo@OSl6|@[Θ# DS>Xx0AȧZ*L@M8n DIStqucN('p!9K"$f]Z9P^C &w߃Y%'z_Lj/ⴲ{JFo<Ɇ!eL"@һ8qxnr؂!CYVbV q"/Kޫ/aό60![EQ}}& / M:7Ր >'$A: :^{Tqzq\'LN68|((4ZX.ٻu:,$pHORAK=Z9M+O=B!1BKk=;7#9^+H7$wѽ+RRqC D,O8 !`M~]"tF/0PDje_3L  aTDTMD!W|T Lu)Ӹ2q&v+!P\ӟNy(轍ִ'ܞ ,P,iՋg*I$ȯ ,SCFw8ЇM8 q $!d^:B]aӳWxQ:ТQ'˺DG-/s|WGuJӕdKف@Е&G7𙔘Gcὒ)8PEųeJSAzmM{IbCA4PZ&P8!PL [, ^]xELMy >Sց~}f8lwuhPLpMNI:A>H\vOwAsS;OY)|N 42?5aW /ٗWX?)&?)]<_D >LvJՙ`cӂ 2-Q] Œ@)'*M`λG.V69fMFPRV,Lfka7Fs0ml. Y/8)]08ҋدPPJHZWcKMTfLuerBA9lDt/UV|[iD8B`nIHtoyi2M9Bá@$G,փGE?0ħcDE=80>(/!zn+G{y3͂MZ6l9L<;T3q }@yT$1ЬDc1^<$ilH*}ZکDTGA&IwK2њZ6GΙM6SʓďCp,Y#SL/~Z,%k>%d^VOUzǒJIK 4kPS5 S4h8WSRƜ= vB^s^ᩱF7؈d4(}p'˴qtXR㥸eYi,v)iJܛzҹ-!nJr{WM"J:w䊱b=a|1{jt-{ˋ4SW mچBj{*y˗MF-.幖/c-BB3;i%WĪ4x0'ݬfOۼ6b[,꓊Miyd#d{o.q 14O'9Ka#Et9j$,,W"Zcžuk+ dЮ'G\j[!grV%HV$%2bc=\-ẚ:[NG?U ȞZW60Гa8J~6Ä [?E5TD/>Ǥ4A-.3*EZ# ,7za[.;BlY؎!D/:|TWMpH h_׺ oa6~Ay*>mB"n,-`ʘlh+Jԓșf5;#jd!%,1SΡ|ܒIZOdTM6•-uR+u,55ɢA6X!(h͉eWʼ$Ͽs2`]UX#gD>{jS>yR̿2GOtP:Mf(i{͵Ą*NFa?&!'LQ.%5x'ڰigCOE~hQ^7U@" vhmҙ 55!=,T[iqjAfk5U`TSh*Q*h|"AN=1CيH@/6 |KˣVOEcbawXQqLٵB9L3SѽV4{삹mϣ )gYnCAn c &#z"~-|Xd蛢gU`0O~V_X~«h=npտ&1056'GU&)G f ~ЩQ>jeJ^RX؎BPzoAw':C3'38K+(Q |BŽ9׃>lnob/WE\U9ꥍn/ cBxqq(3muAElL3l,Vk*6}8+OKg𫶔<|Jy=vɓ˪zvoq;-/JpMfR &}٩9-%v#1#FPrz#(zrY VW-'Ovff/ !iŭTqT'*F-_)'Қ/j_e)O2K8C\:~!Fa:L@5ЄhZO0Mϓt^x.5;'=Kq.,cgiϧS*Y`#Vϔ7-3ss( ;FO}1n.܁׳I'Ɓpĺj|VfBә\ђxc+@nۗ,蘥oFuŚĝMF]7Z_Md/o2*9jUdspj=ı)%R_!3޿ %fQ!75͇S0&ݞn60$`ʀ2O#Uc,ʜ;e&oM-ٯ\_RFc\tmBev3]ڵn*2[%b ؀)gf8'I0Pq0iUz +ZlcݗQeØgdlHgCֆ2ɧSjO[P VP#U4Ml0OS:d Y_ +1b 3ahl> stream x=ٮqo<N! .ETUwϩs%8R]vYs7><ݼ޼z#Cyzos)MnɛGu0vM߮pz W_ {C & |)N?[s|[O>|IKNal3{6濟#o ,gO){Ƒ.ys˒;sد-nI 0+7eX#H ޜ}l, ·ChWbO? ;u7嗐/`;˯OuI#V~|W7bc:}E8K|.(IHǷL|86 h>}SmBD[ٚӇ # DArpaBGm+}\-O#l-/@'ܫq9'["[2l(AܰuMn`!F6Cpxή.%_>f1j9 Itp8==Hy./"=?zw$`r~3 \[ A 0u6 87@cjK>Ctd{x3GdX:B,~) Ť&yR!?.L4>qwHj J<8r 3 d!GHsT\1(̕-%uh*e$rf0 \v]{2/)vVF9߭Bo6 ^kC/]j E=E;8>  Rr(uZ~$g,JH;'g !dt{'U,%Qռ"b I']yַM+EVJc!p[)_y9 #YǺAJRs 4,sh5XK%዆9Y(*ַ)fhKBJ! !v1㜚^aʿa:G`ʔ&_8tN th~j2mHKER{dB\u&7xaΣ؝?ůо8KN .%L997+C"w5D@Q|\ЪTGÇu-4Ǜ(Mc[/`d^:h8ϵ"wɠMZBp?#xWUB·ˁHn;Q:"[}8!TH`Ean]?/c#}A%d c$W67hL15e\$,؍Zcɓ@zrݝZnEK b IaQuLNH=sǥ˹]z'| eUP3iRDKwṗp`S=SVJ,䋋DML7U=:˒ߑ Q!l2>dkb5Ѫ=5uŨLEE,;u`Ah}'n=0w+ !31N& ,ǝÁCTA\c*.of |m¨Ȩ+m%Ͱįi]pr`i;M;&0ueuon!(q ^)ks~B2C%.nu/K4C 4 wQ]B.X%ЮغYG7ΉF䗅>.f/^7Xrt"c-gE-TmnVԮKJrGzPƩwBi;߰`Pͽ䬸73jD#[=rH* &mrzqͣ"R5ݱ%Ŏpu03[!4 qڑGC0z+5:.)u#:fg-9UWG?_540$\|Dl!SQ5ܑRgͿ1[l 73'A*h9@qs}/å5 ݃G9!zHeIic{{@#&׹c~,!p@mq ["N\t;Ms_:Z1ً{Zߗ8*%" [ %]h޶S#[YemЪ!dA l߰yC?LDj]W=-Z)I,,#;rz,".-ōD^f2hhqI^jG)mFj&෹*P qBҜ_]ƥ7 9 oSS[p fZMXnt}SI#,ʹ]2rsJ ,_u&2rv@%Su⣉*0M9A%ܷ59 u+h3vei(Q9pF"9q4$h.a%2]^.]&;ͷ%CNĸڛ[ bcR##Lj1J+ *Zo_&rY3K+~IZT̩ۜ) B-<)L1!Vc"Zt_wmqlˤ | a[Ckap#Sf">z4Fuӏ4C8vkMZl`4B!![G ̭+fD"QU5SȮ3.wIN&IP~H7|Ox&!n;U6m+*Ci 4u2\sN ~ˬţCw{Uw7)anCM~hi ŻYٶN?kKNs 68X'Sq3&ehn.xUs~2}s~nXf&oM7rMP+v@p8n*cno @ tA3f$ՆLt3MSdW+D2 H!p}-yGzbY --cȼPœsVfŖeP ͯJ\wL gV|!F)նΥd{M4arCuc>GXk% XE3q4\|Xe)ȴcuY/R9]VSi% *CNT 84^gDUi[}vf08~G?ck%ǁ榏0x&fK#s@O6NJTVDc4+ 4`ٚfjKRB.D/ŕ +e4&y_bNqTg먷҅'3JĽ0S`egPOSiJXHUE"؃_掓h B)eټQ3mE勪Ud,MGu̎B8:Ʌz夕]0ue=\$k+uREH-Xr!T&ۑ)tO=\bD)k} "^H?d`Qm#]e|iDBLٜT?i-@1,3ӊt@S&X3PWTV rpԦ@N'[k,f)葵+Fy<_pExYX#}A8HϪ/vCG29dreLŞ|^!Aq #>2Jk?| D붓ِ= kaoti1S{fַt_v['2#}K'x A/iԾʬh}. 坖I1o &W4Rff/-6α]_]nA牅2lDv/pt'֜6/8g4eް/+ 3G6dw7 ߲(>#:GH+0"7E'QKI)*W'4N/"];GCf.?Wn;& j4(y܆qZ[ݍh\ЯYN5Mo#l3Z$AgQ4 *m:N~@hٹXîjbfN^ZWؤ5kseV(M)ͥvE^Q{s}xmKVs EvႢ a^$Cވ]rT#1,NAwx"\OgtIͿMIiƶG~/*F I|џb]w Sڏ7m:bn`L-R{vh87Enkh9FMǔ;T2_-L<7GC~Te9aF&S_]hn T ݮNJt]LՎp`VS R:.4 [x\](&3F}pC;:JfwUl٠!Ŏ6-hdD]\)8Cpb''0ȬiTWf)ஒӬLc6PZwe.ֺDT09 1w:v\E4/k9-lr,ĭǾ̥u%}H=;nwt.B"YJ^ߴP Xhc3dGe_X;i޲@y?>`a1~5 DS[DZtEO;?>yendstream endobj 444 0 obj 6689 endobj 448 0 obj <> stream x][q~'^t6bD8 "3 +HH.I)^+.%y}{f{ٙ|u>?\I_(׏&^}.^=ᑦ?^{7OwxQyS_duxџx gT<|wyT1.kx z}a㵏^{x!Z?)mˣs~ Ee_.{kՔWg?rF 22zO~Mjt_=<%R_pa 9wG}8M9f&e{㤀tbdA7yՓ.S8j;ixk|#u,1,_z 3/MlmVV;x޲yⵅY-O(Ɛ:ussV(TR#{zȾS4 ﵋YK0b}q;>BBF4IVm?c!WVf<74]:rx{ W /.QL \z֐weXA6ۙ3ļe 4ӕDgēr;3qAъTu,wLds_,MERy~Eר4M]DuJ9Z K H'6暛qIoRi}nWc6ׁ>kzګPE؃=ߎUVO=̪1YyY, f01?0){kFҳ‘ai46+ !R qyqs[؀ vZCz'X6XrѺ-% USn-K&A]!@]&VO(0t&62ڕ;1AFojE$%eu3wei~:KLԞ!4^#V哫¿"y=P1E2spI{b:)Gxdx3,sYN=Iun>nhvᏴJW I)̆zWeݬmQlɰih ga2Iyj_ 6dkRI?o cW1trih p-z٥W(cUAIO9S*DZg绂>G]/({O*w%rR;15S֢( cc_gW;!9Ũ`o%?zKcz)'$wSF? ^ |%ie ^ %4Cl_eˋ kt̜992>4ҒO{3h4]4l&2/T #-/G.7B@1hf̬Y7 LhWWyU6tФЁ \T(' ų!G8M>q);γk]^TnB 0݈Pum 9ǂT`%JnTfЅҐޛQ9K˸WK/T#\n'> ,ӡc;&3ل& fIhO=KDXR{(ww1 #>9O8u$jUHoC>6Ikw׍l5̇P9H$,۰TdZ$VDYH M0??md$TfHՂ^jqN F7~"6?WL~4|tEʒk+^쳂+`6 {)z/9 ;şWܮߓS)3 G9(obQ`, s4>û{ yo>p^G.r*q ԥ*(U "Z.s'=b7mخB!N-kLK 1 6`IxAFbM.OG6w7@yטr%|!VOE208"FGVBö@)$e㛎8ߩX\k 4CoYIg>E y'%>Ek´3`ye̟I`'6myXWTH]R(ȭہG8 K\) @odjU-v`ޟ k&\յҰhe6`5XNkmsP/'ʓst4f_ ]N1GF8#uGA>>3j? 1sε!˅|5U XC%9c_,8FKVNM+c\AXM,ly9GpG"vpa.xᷗ dɫT @?[GJ$d$Lͯ䷁WfaCO$K6%X @wR% /@&\W4TJk\X>mśL5\|& P?Mc& X* I=FͱTDr AHM:ZUVߢPlZh)m3lX2mzffjqh'؈2¶SC޴jE WcG4 Ml5yy)̋9K@ٸ?'B(`OvRوq\qf 8AIiG b.pu*5M B"j@]|y/Q<\q]Q]*%ƶ"8n/ d`y؄uUC]^ZuRlos]kP `\U!7q m|nrY 9ԩ=S 3akOax/b64S1xB%pilx͉]ϕ+njIڸm'-6v9OjhpnPO.eφYR5vLg^ ,NѓCy|MB9D+]1u)|c$$5>$?埾ѯ$XII=jYEkP4t"2ͼG ԋur55Kn#((ڶ0;Ճje{^}mM?jh  O-=R{E q.UXѾߠWae tbG&HZ%5quvIPGpjmq]z=XvrÎa*-(஻C>䰉}P;>{Ζ`l6̓MWݬ&ϧ.Yzy_vK([aIwC"ʣ@2 lnwO^=5s{=ʹkuc50On|$vJt}PГ fIw ӀA^ KsQ@3j{rfm^1m L]-ޖ/bpYgq!@A8h)UmV +b۷!dd|n@w>i D!޴p |]v'e?'XFh;]o'؝:p?F{op:+#kGcYA΀RڭER4boWYplD6ھ`b߳Oiß1gXE|ӝD˱'V\޹vY3`B^dSIÑ.RFRY]!n?8I`n?b+BMbcޕy:kdxG }%cTgC đFh 1Trx6,C#6-[2گKBOʼ 2Za_`Tz51A>I7ͭ6xvd2:HzA ϴD=)ВKMSCL~cfH7M6'%NY/m ?lvO&[JQ Fmf㊝ֽ`ݮzLZ3*,Lh} xfvbـe b]b=vy?W,ߗobb[ՠ0ɇ%)xnNKawg'Wڈ`#^ӚXi@|qqdH{ҍO`f:ٗ_ppz&!-S{fCχE]` =դ]' Cn<֙hZ78:9vC@2Ω/I>G==rB>eNT햦NQJ ~*Po2B* xQ]Z"x&zBtDjɀE<{.aν,h;uq|Ĩ|>M>UWGWi.fuB]up`IuoAn0D!OF,UלW>gn'%xݑi鞁دC u3~jP)/{燠R[:{clLJP<{yқj]pkm4Y?]chPYȞ@$/T*]T;•5^׶h1ŝObendstream endobj 449 0 obj 6089 endobj 453 0 obj <> stream x][~_#n3%`"G("% kꞙ3{GAQD{v/u}ۉAo˓ݓW'brLJ'CQ~}(v>!˓/Nt*?l/L y~m뭴1ӗg{ :uߜ퍱i U}uDUۡϟ<";x$ `/`)6^ݛ8iB+k Sk'Cg@!+|E[Lcz m4Ay~OGw!6nu~Y2M Շy*x=MVjˇH (O8SaƸKTq0]8i'mb5u~]*zw.tv{\іѫt@g3d+%N~Xb␸-i`6K૗3`_%+T>)ped5t3IuwGH(M&iuF&:$(jr_e\jqR&vv2,`&%d`;~s@Uu0Y n!fT몤e;EJUpȷesyY?I^rI7䉑:ʊ`z2`ќ^&X "H?f*<J\%u d&z 'bd oӸE5niܜ!h Xˆ=╪ ٟi}/?lM+YkabqU>_dɥݞߦ Z֢TܚAF/INv$m=iAЛ4gT<.|WIS:Vya<Ş4ߌ R?R+2dzF" 0qR>7d+Cp3Ș@7ZL / .n֫J@!`¼y}QfI 5vckC3]PCmg{^-Vv C C`dxZ7UOj\8DL a'1ݼЋ;}0.5wB\H,U^u +RŊӮsQ!=ӶW*#Ы<>>ě3sڒ&4}p0j d S# NlD2ٵ*Ay\4[ӅSӖcʉ[tsLZ ?/64k]WG[hD+2Eǁ@;NfDV@ͪj hJ383D<'/dxPiگa s?ѨtvQ_eo 7˄h` B6FH?-\)j [;HzuHiYЃ"vgX# \0:F'.bNKSy lC*I6\jM@"bfrb)0Km 4*!ƧxZw^n]uΌ~ۨy( z=ZeV3,"pd$4t4fzA'!+ u@>\1L΂WP"m1 _Sgv,}#Zۘ»=$n% 'mɚD0AEaQʌiB`@$Zw^7ҁAhnW`vzV~|\l4K%ۼ*Js(oJs7~TfIH`^-/*;9?'7'\UK/2 }bΦuv@)_$ sei.GݽUWysҼ*JS-M>3lF&Ӓ2~ok6jMQǫ Y+-,z3|sml&c-_iWP`}mj/j{-z5 p2sR(l8E4Y4md$J^i4!Lsu-$&OD=LS MdqiJHFX0L\[.\4[V. rZG9֪ƁqО鸗T%$7;j߳vii^) 2F@2Ԙi_FBy(땦QJdGgѬO)Ll˹SXNX#v8nw OTO<U ~?rkL?ypXkW:Qt'pcASGQܡ;IWFoaӟt$S-bNrWyUKeiv hZCK!ө(bx|QYCچF_.ͧnp&򍆥?ݕ`@@!2jSsL.t蔹<+Xj])b۪Σw[8-B}Ɉxv{yUօ&#`;+2Vx+-GoҹR5؉b)~y𳳊_C[?9 &h˻l,lOn+͏gR'<K6VV3 ƺ2)^O^σuh%̸^(*ӭ.ߔPO |VYD?"Zsy%o_5o PO9xo)V֠Į9jupc9Rl& wI,aCl&񸉝>㊢U<2Zw&S/*0uA8.\'g55}`3Vրuǂ Zм̼'ư<\%Q.noOPYUPxܻ˄]we`p$N<-s%I#X~v.ޙ{$d*NjðVׅ$lv6j#1f|&H{=UbB P!B5p= ӰABrާyA`7EOpn/AVn_JsZyQh {9O,hbC b9% ;g[Z2q@*IE@}Qϴtw_[qN"[sT*?+%ttQ?|7I=Gzv1B %{<7AgКjvfJ0 =\tǓlEMT^1z)u!wld|~1H <ρ!T^ZQgq:gW0םy{*6m_GCӭzu8 %3*[zLTK+ibu\R);R  nxFʿ._B1bϜt!u/g;p^rJ-PR1`)b"4> {{s1rݺyW[8T7U R`,x5hR/J*M1מA:;?b=]EvluYftyzA-H%SNѣ!~TW5z(cS? 4%mNqg+J-RpH@wW!&)#]leF i}Ďa0vew6݀ ʎ5|1 *8Q+ #"y#m>3dZ^cZr1ܳˑoCJA;QuKL?ܶ5S~wQ@DG 3ݮhcrf`x%b779,Ɣ*CZDU]h14.SAve" +q.f69́DPzp =|B( \cDd&23_0S=-gT洙119Q_8V*c4!8#ݑ;.7k^2W-2Grs1Y"t݊&]R6,[ʜjn2'XܦIVp+yga]\ r*5ݘj!$iG UZi5nYPmQu[K 0J<ϠI:eV#/-ilHKclߝvjڶ`JډT!ҙ|96qlObVoV,JL[رs};PNKoN쀵 ^W#H+w\x||h̸jxUJEOh6Hթ6q~pLRnw*`2% oނz!kNBwW +R[Tpj&> stream x=[oE/ԍ&_ CEA&*KlՒ/sH3NA8/ߎ$o#qoG2wg0@bEgO8cw/O`Re;9R&J{xD<\l[o l;oӇ'ZIHupߜc'`o |$MnժPL[aǤ%a9;>;]my =5q ҄W8Bh3'OsxEf|Sp8'!NN8$SӺx_8yZǻrlV8C݉ me:Wj5:$I+0 <ݛO,+O޸)xxV,'擏;rNhsfࢴpD(Wc|[Zzy7yy%Y%?^.EGAtHDeL>r]p8Ҁ_!.OҒLcB!Q6o9'ʿByIv[C2#exL`%6zf=Re5BFPX7}p,r' !0bE+*38~@OleDgW#Qm^UM{Ty^5ܯNNQ !4HD[g[| vsQHmq!@Sjr,vfCm_ivᑢ%Q0FsQHO/Lwawj*@$˂kUP@@1Z*=8s4@[87(zSDf`$6|rRN$ZjVȷnY^9=/%MpDqzi282牬)6򣝲؟jFjF~^Ωd{'73)u//S#7yͼY/'1%!cny\ S;'ς߽;Uz:{Q&A@6h!}/.׵x86ɕj_cg|5"K8*U fl9*j NɟXG0qE!6J%=ja'Fd t-E8AcλqS a&p!!:lʃ.nMob"G ֤ Z}^F ;RWV*?2Dg[h_q5 eHH%$5﹘_p Mr>tXHClH`IX"+ vg#d 6N.e &gʙɈ@=oX7C B{;Pw^LRMOɓp\"k%q%&gԿLf lۈB 52~J7:D9;nn7$˂ՇAt:ޓ|B^C6S1Y5eJHU[U<4XJu4ޮ}##7}۞UJdz6dNsZ U54kOz%!^U+]&A8Su~ڕl G,[Kt ;"B`mm܇DN b.V |Ho\2Bll7n/{~ϓ],,f9%8G ~oE!)(y@ц-uOJ]W*XLӛv eYM8&uޅzK\s1%n,+,ְ+}C%voɄURuygh5jk]\6! %/ܝB8*}{1"={L0A\N|_"nؖ cF`;;yb%2+Br)mKĚl0 HOES^@X,Mzhf[Iu8;\` @zJb6QE,띆F , -!պϾ3+%H+_g_mMU[N*+I;jsa5twTrN2 o/%A>Bcs󹪘I`V: KJTI[e:Fbi%TJ[n jr٫|R6oO( ߾W@|*30&, AIdEi慾/mhT}: `J%nIUT^^P* ܅RD_gd5wr)crfD)(wmZsfoWް],rVE(s}ܶo*)眯T3E>|u@Q [=]WX}sz$ N%.èǯuxjLCd:+gUv{AvDm[Ãs${KuFVjl_!/=lfi]TKnvY:zY;7KgEF$x ѬQI]9~'ڢbЧW e!Suďg"ZD4DuuOxo֌p"g EoEc8RXOt[dܳhv޸ qf iʺ&nVV v9F8&$#6B =}\Mt{Jj'SfEPaa6D)uq,.Ms6QM]众Hc/uDsB#k(-?R0/I jS a]R獰X*#d< xT۴55m<9+{pkRvErZw A9E}p:'b'EoZR*MNDi)hPU7u \Ok&<5"ha(i!ٛ`ăPL;c#LKK+ Tsptk |4tʫXݪWT΋*z*'ZK%heow ':Mbu8/{OW9)e!嬒!;8M4 LyrIQM=H s`1h_ ,DhStX]PTLiM/NcOb|47a ysOS$gOesVX!tAm%[ž,!-ҎTAXdNJoH9cUT{]_D\=w 3nj % ȟ a&jTiBMl˲hXj0qS|!rh:w@>uQ>\FbdL4哘مLտG*{11tԫr #B~'|8Z5 zon9N*mWFM;TFgqU9ЀN΋<͋<$kf)Ac_6knϏp=YTCIzPإ:?Z+ցrHq9A EZS-GaG V)QS"%j,iendstream endobj 459 0 obj 5979 endobj 463 0 obj <> stream xn]GGEΆKQhIh>5AH%ǒ_rչHy0%ùs8~b_ч_ճ#zv??/W=gN/ʳurpzu_돏aR6<'͔R+mm5z}mc3rx#kC>F)={SçarlpV3U_`NI?_జ.6(fjr6^`YA5K̈́*j&•0 7|]oJ>#C^o`&>#|8;X /ʻ,|(8.3qVi~28@i;+k<kҟh0#뷸l>0$m^X~kᜏh$8rNK5Qi گCA\ ˑ[q `3'4Vg4ȗIwJ`L17=޳8x9R1F Hr0ekB)Ԅ:,B&Fq" ?%C?õ?ǦPX `OI%3a.g- PŶ 4 )f$_.@u܅2s6SM 4tzJHtY¹^! U:@ (ʜba2Xs1lc/i) x"/X%6\X@oRW*^=!6u|upuYj~ċ&G֜kLFEV^)'y!QEaʖ}a4峴 ÷6`#O'(ִFFZd6~IX3E}aYDi܆Cz:sZ!&PHXpAaAu8]J C4OP`!沔-aE#@lqlÆAI7R /.=`Ǔc!W#!<΢u/n P"kqu*K1CX+)Spqc]+lu=h%+IYYe*x.ΏN)b-Nl0hM\L,|Z:ӧwBtJJgDs^I8ɪəK. Z8qP%R֫ ebzZ3~y_4}:LC kxń jNZR#o+&Ú`qWzZ t:;p,vbW©-PЫb&y˸@?;&t@4$t˱EwAҋ( yO0ēLtT#dЃM]%7a| Xuib6f 2|@ .\X~x(x g&S栘FRƟc ~K[Э^I>USWKz׼D&=NP{>lA* [9=xpm6z0}WBFvȶ%`zШPK8Q{ULmRfI J*߭E^bI 7%~Yb t9VZ;0FŘza ;=F=X =l)/~ȒeAKlšGNtnnrIө_- H!w!HqBCBϝ 5lۿu>%D/Ǹc DTpHSЋN9I yQ%,kX} ;םO^y{3Mҍ.N'=,z 'KܼͳgdHov[rmVuKQ,ˁ{L{J-Z֑rer,Ju3(AN}X#zfA':<1=fo<mi[DAGpb~sbgjw؟Q3y]>HV: 'LӣɏTҜ1HԺ6I!9/boAaCܢ->~>!5ɚΒEūaz6ޯl<8KFN=8K`9*XZq,HPA 6/8a%[b URuPR^3t3A<Hed0KԱ;9i3 -GOY6D&)rmv 7W$|U-|NM` _(Xl 途 a):BnDEAcXpoVmz?%m[ӽjo䎲Li:Xu_kO)Q^ͷ^l40޿ѱOkRٝBKg0,\ϒ/C0ɔ p:nvn ZLiFxՈ Lrfjxӈ|t䎒Mܐ7a( ?WVE6Q>νͿ4?#=^74I^e+75 +@Ve5aV I%gD 4&V$yN^/^to}j}ރ4GՂ :#j8U3>LL+ފo>^Fd4 Yj3/f(v-_^q N&`uxihcVW5J2rY;gJI8-; ʫgd7dPi mI;{orUnϞ%nZ|z 11'>سO/}v v>hܕO/Ә&9c>=0HnO1ΞiLSuB`vtf 3A^::+J[0H >rRq@*B(s: 6t X)*Bې`^Sb$C,Ⱥ7o|L #Dr_Ҙ zyT Mp*Hඃv}V7̅יaS̉u9E^SI|Ff Q|5Kzh<~0Hb®ޔV}:FDίcw*5Ȅ1hW(K6m뜨~C8PVi3\jh\|N 8Uda(B0]E`y@*QDc[6|8\A/w)# A=-q%Ƃ+rV4ie{]{+EnF6hBxZM|+/i×>3A )gb>Yr;{ 10V՟A<}yuG5NNuAMXZc3{QtIyoq,nl[IHw ̬"L7`:T:cCN=K6o\ H0E 6Qqp뿄&_&;ZI>vZP?gGc;D~G2j %Too&?t<=8=^r>l͊bĭ_}>Ϋ$7GyU/ǘ ,C9yWPh+WyXgw$47ɜޘPU3=ei1ROr47iJ#~uۈ>{ȅv!;=:@1b[HY9>bV PJYЀQ) ( 40RYVg܂I|l%I=AaMA|+8n -n]<Y\ 6aLx1%4D] -)g" vPl!`j}ZgLOzBLv XTYdie zö}U#lj4-50qG`ZMjaՋ)0hb8/ ΚT[ѩ8^-UgɺWrLjbXYmrupx!ݗRbϲr ukFYh,}y : {0N tS6+ua^v3gwPbg;ljuB**z{5H ;)TκoIfKr<)u}a頨;*x'|tАۮ<{hD4{_k_xV0V:*`~HB]k,{ɗس+aU|R+w*{uܩUC.>ծeWmy՝GKas[9Z:-EimGp);K;K D兦ѻVW8 Tڑ(Ln캟ƼGU-֙j!L#^gL7êZxJTY5MU0rĖ&gZq!Y{)Wæ%pHo2"JVl?Eoh%t[ȗwzKݾy~GU-}z`! WM3`!wWU Dۀ̡ ,;(]\UK+zﴬi-xoY)-=99_LԾZSv f%D ŗ 6??vendstream endobj 464 0 obj 5137 endobj 468 0 obj <> stream x\Ys~gG[)J*>"'eoKH]%* `LZ*=bF~Y/]}.9bgGsvp<|q(~-Ӌ_CB fϏWByP͔R+Rem5zjgJJ1.|R3~kSçsesV3_bH=iɿ0,I2\I Ћ~<^A0[؉j-oz3\:;0J//R'WKc,8aVV;L"cBw^T{oRI*TT(,qjfږEan$yשŒB?2͇.>H `^@}& N;GB#D<9# !s@T^`jGFWz,nKI^yiJ寱{:b/b f{V ;d`P$ #:fQ`O刹_qu_Lk+rݖE:lPV2jV\l 3 ~XOY:0H`x9|?ά|E} )ʟ61`^ lj >y$QT3$hY;=wTO+oz :$SY/į*o`A~O]7`ց-=lY4)ӷ"#<fXft%rEPjA4.KǾF5>nXԺY2DF "(J9BDI5>]~`~ cK6vbV;-dI7#2Ag,j_L'ez6%lb /i/{*>Lo.? Weg K{xFvޢWg,YE]5ܧF~i_=%IvnsuR]N~.TPD8%]]Ql@lg"gt+kk*V?Z &8ZUÙT="a55?050)͑SD7Y$~c'A`0祪˅ Pq v UhP:PUD列!QC8 BI4cJ(1*ԜtwWXo(ߦgdeg[[<4AވAB.luhUC/$(tGoSU*i(5 i޺ 6 pa0$}!"CN XA,BRLv΁=| ~#xQcLa'OI R=@Qfܛ}@u'8lЇ*R k1&i5n_$wkF2%6R৙f;f̰*(ֱ&ƻ8^v:m}$ON$,ȮpQ6l&9֍B;L (RJwZ)kt >`lt(T)0=}f-9.I4u\gDVB rH5TS3O;>-Fo)KmQV뚱UG gΡlN8a+9vطU‖D`8Upp`poP1 5;lD=q`ʵ`Q_⟇ԦꟋN#͎3qlLV|| lšpWΣƬ ay ~HfTO8 Aa&K܋% b1)69][jc܆6O @8`bD++K}{/I먀 u`70hlbk= 0ؕ֏5sۺ<=J-}I"G@~"߇&ֳ<AO fT+nȉfDG8 I̷ ʎf[Adc0[C_lć(;9#nbG.B2ާz1P=cE%VRq0Gst_"P&laJa2mأRVmPYu$Q1s <4 ^*lZCGҍ5ĐD { o rǃmmBpG!-HsXCv'cO3 pJRB9*~,li>Wh}7X"(]ogɷ(3<&I)R T?X0EA* N5r `Сp`D0_y4t;C7,02J+NX pk$($oyׂ'lB,?LB\Sn]T18?3GWT1s2IFuT|t3&T|5gvܟ{Piy@x1$LiTN&,nܧ2K kf'j7J)xTky9VN?aVO1*$pՊ[`XBKȏZԇnᵨjRB|fw_ d4Uڮ&] F0.뽚i FnBaޚS*6qz5|R| zjwcӷ ׆b@ =$ _D%s?:TL t?ߋCh[ɓd*<1-844ҽq,~I1F)ͩ'XɾO5{d5'ɠ/;1›>!B@޷'N^/r{-^'/=dA%qb'3QmJm cfaM3J=KL ~zˣ׉ã׻3rx:c`6*jvz0{KSnk|Gͨ#'> stream x][o%7r~WGe>_ @o6Gva/hndקn>GGmyaRW"F r#7nNw'2fg@bE'Kbݜ;j)t~t'Lv{D~Koln_`y޾?im!֑Otg\~1/TԹVC1odzogqbVȜt)c˝@ٙ8iBtÄA Z>}t#W+VGɕ1BcPya+4Bvh p m@@Yp6ԋ{ ޷k"hZŵxm@:/pD/PpV 1R l,MQN_(`#c =t(RMe^TZ}yO%@7 ~J\]sEרރwS"LhB7U&Nj@>8 !UCh9hg*:\=ɇZ &E{м ӫ@]*X#8:dt05 =FϚ`I+{$rM '$׳t7Ɋw3;Ɗ ({vDDlv!#.,D( wI٠&4PlFFa"(='QL=d~X$偟QUx5^KzC_j'MEԾ4qPՐZ[in9A/ VOx(瀉`@M&qYk>x=Na91'8h%*t:ZT&kUD2kDC} xVՓ,o쁯&8+@sHu7uDtQrkBt G6X9] ?K; ;1"G9Tw$}  nЫ,doss续_|`Ʈݾ&aRD|ёasZ`}/؎wzإa 1J1ޔ%lcS5+X[$j"p TZoKyCf鞌:jLcT5J.Ӑbut U:$RH 2&HdjP38$p3m'""y!.VZ#S1G~06ƫ 1M^{q_=;d>1L--4vo86)L<3pdƈzQn$˩NAT~Eq l@<8a c 2&6>DZP".IKy1!&#Qjd<L epcr +K牓p曆&˻:e6 :E kF?(ߋJ v?eP8Jjb}?9Pχ#fV(|0`G{ݬW>j]]FܷD3G>@4s1WNJ Z%AŰ~ P~j%)ch|PO3L*"Ox ,m|^*+?̕|ҍH4drACRňȩ + RH9eAs(ql9B9CʣPQ3.qodQ,!立i}]GY !#s$7‚`o@!V`㦊#NF4v?%Z'?(ikgt]D&( ($ S)^UT=#&$I+D  1=3>1CchgQ&c ,ԠĨ oN] 5Hk[Қyƒ9;4qo"ӒXS7Ğ3^Ͷ}y^+Nj+Er.ޮH3ČRt:XPĿO'*m1/Y۹昻]c {HGDGxp8ۜ>%<[L(1[ˇAt<.1 6Jj[:\2*g0 X0ʫ2Q>el[EO/h )t^*c7>gN7,TCm^Ko5@V-jpWndr1Z,rSKu/%9CӋܹ9"B{?(A,ɉ'΄4BKn(Ux li)DBv(to@4",0_})a+6w/ٶg|-śRJu)j,1>~I1# 7ƁtsN>o .N!'(ψXS6IZUpn^+01#JkB h-j ŕP 2^#f}σGTBW8qo"5zi7|ם 8p[m%lx?17GҖ9U52ܣ.cb8^] m e=l_lZhJ;=C%TYOַΫD] !{,&24dԮed\1#rOT*k霩KǼ^`Pߞj9ML ٕql>;9WKI'Lɵ=yA(z% =E ud?q{@{OP0R%'mf -.&ݛh/+K4KcƩDwJs\V;*l:Qz%f4˞oOYmL;$I$aRO9,<ٛ,%j5sxعQ0E lYizSXX}L s6ɚ&DsG :Rb Gy)Gc9BHA`T؍sis hwoL av#tΝ8ŗExr9g@|l` qsơ#>Hp`ޏ%E瞋#{^LHMM7rw6)UbkQCOaѾ/.TtL. -)!4ksgd!ќAYeF]@L*k^U`</+\%#9rّ* ,s/Jі-ky>gsLZrW,vj]y5麂(N)29E!4RP$o8>P3"#A_p`I}Oa}Rd)ŏK:e.!dxT~6cNk#R\%?oie8Ο|F!?a%Ojx A0_XNYpOMX0JlPޥ|ڒ]Ifɍ"yct ǎ`I5q9?&$@=)\-u~[Ab k>n@F/٢N1y^Y=ܘBn)JU?2WI6Cs|hgdm=DN;%z/7ƫi롦4:㶦w΄]k:cDӑ\~f,j%,(5~cݐ|wӳ{Ql]/ZMg)8N=COos'^V/s-^ ~<.7<=p`!><2D`ԊGw9}\٤erp=v!Tjn߭x cMdqNY8c9Y-ɇP{ll^=9|jB?cBV5꒬ScbLDѮFf.-TVF^_lL@5OfRt$4|2W~ziXe\_Q'`ꅫoIwr('fN#`j'R|2'z[_tT\3N U7e KɬA F,\|Jԯ_6({O^E!_>??&k~-`%3x*bV$ºW=2\!^X[VU'q%3CsR=vNm{˶=ւ7Q忣yl(cYRIX-~nyaL7srhsendstream endobj 474 0 obj 6130 endobj 478 0 obj <> stream xYrEW )גq5lZIɬ'ՖD:^Rj_ݬlJ(QFޝNrwWH:p\TV:oAԈ敧^v$YԃѢ4 AZ-?".&qn|6`ڸ̈́y&hɼA> B9x$8$u,4Ǹe97K5p^'w9EўܮAdF jNؘNEiF.8ͮdсA@H.>Vh=H1az5i'>z=iCR)rUV^e*jMRlk>`7PF)D۪#e|&'>O7+J 'nCb9gˋ2f G+׈Q##R-Li 3dԌ'=v]D7mg7:wO=gn  ;Ċ3@%:5 vl͌XH7oq_$*H/RN/%6̙N2 hl[KR4ET]Az%dL~Y-Җ<ݧ,A=弨 ՜x5R>6MdEbELQy,V~u%A,xV׾`mISrDzO}^gwݸ|)kp0>HCagx8Zx3|i62T5Tev!ܴWIJ8]?{'LI).tS9`;slKӝ]*Q9-3᷻oendstream endobj 479 0 obj 2052 endobj 483 0 obj <> stream xZKo$#dZ|?|H`'|jB#,ߧG]li7 r(v,VU?mE/ lN_a#O;~q$QD=/6v{v UF ]Dv?B0Qi+;m뭴68ݟ촶 Ov8X[LwK=Tt m'; 妖X<B_6F@g{]8UJ+J܍_L4aNBOo}Jdh0VI7.XZa#دu=ЧFM/!Nߥ~Ppyu9_q KBM\1gDyQEYKx x*s:v]Έ}K" ǭ|y|U>A!es$!ށ$N5]ap0X!#ށi%(M? 6 DL@"; ٥P(9F99n-_/ .2JR.G@=!(KR9qF,Sт$vx4y(Lg+M/gn2*.-Nu&C n~9Wh İ"Bx XBgm`zO$E) $^;* $RqG%.XnWѼ=#--]1(Y(8-1䅅N6a n(sF^S+̹O~^xfd]U1Ws:VZkwa5KV-9d>.ITқ/RWߨ0C ŵ} B b5UAރx >1(\ Ii0;g2IEgm&["4;X{9@1 ߟNBN-%dB,WJJEZAq\ɐǼ[!Z˻etE~DU RTpD&I)%z-`&@H=&JfzytКKhaUuP6vCb HIM%[t-I J4wiBӠҪ{e^6ͤ ~&8w?Qg@ћSf)Pyw8LL=n.6K2?suBu Yd1L +U9hmOgo7 ooqkSBQC:=v7?*E=Z^B,3OƘXow#@RB+7xWJXCL'i(Uq;bFe@˻j]&bbY)oSRV2Dī|H {Z/&t,y |S845a} KVg VQ-Tj>,kW?537<ӪgHOoKA5C꼧EH$d@coKsgTl5O CyEE@qE%]:% yywß(ѣ'䟞fLFu8Xzi('RD@^Өtx˺seêQKr)\:X >nԎAC,ZϜ26G =< 2/ RxQJ,N1,D x@rDe2 0ޏ3&g%DC3^^_,^5R+uM"DxWHHh±PÓ-BC`UUɲ3Z@207 po0D ϡ@L'#]bD##DR;34zAn;}r, UGӹPZ }}P=?J#+.PS(*ܧaGUUm=h&je!Ĉ x|r5жo zjh!\"Bq0NsR \B9(J+,srŲ%9bV.a*\Fu^b GQ%B*ң%3}`Jͭ]˕dyMɫLщZXgMd9l2.{;?rq *] %C}Fo})8$3:nD .qO>=?ߧ%Vѳu~ªѯe{vl| 7O=+:LhT"Ht6){b| !5A6vu{.XoB_?.W M^G=DOuCSzr,,SCd Iu3#=bfl-:4X@V܅ʪ}:4ӏ*±?5dN뫋 \ߍ)sC鮶ۨ":k;>uKA/di CW5{xendstream endobj 484 0 obj 2912 endobj 488 0 obj <> stream x]msFί[z{oCߦM۔鴓0ƩM{' @ !,>{I?]JKO{t:{?]E XjI]m81ۿ뼉0h.!z1)ɱ\D#4Gs,)%ʄ5%TXqr.&O]/@tI?Ȍ'3*ˢi.`gg[k?wsdTiddRc?צ 0 ŕ$|}a9a˜T4[ܞ ݞ;eZh$p]'#Sw^Z8Aziùѹ ܕ?-L-&jϏ^M Ւv .5ƩM,W+M?}K˄X.m7VCAEXY (eimKRZ(gfdhc/EkpVqܡEǃ+  QX$cRK/jb^:*wםh8 ǣO7I:ö *XS JlAp羖nelVڂK[OT@W~a2w0*4&hBSmM`gl<_['t/Hdzk3;ֻS{B[4{KqwwhMЄR(pVaC@1kjnnYFY $G$,C:#́ttt&NHgHgdTHgK`#yF`#i7aVgD:\D:$w؞"&!pP'X%E2Ct8t =nRD{+oeuײ7)OC]~n==[%ՄIY%)@Pl.EBnw:!Y쀤pcGNje4YA/%bX &q,M%!re/ }R|qIÆܛ'0VbNV\ MYF[$C-RLx+1;^:u&z[Bw@Mۋ01OO58y k2Sl MaspC7LonŹP[ξh@p=~#tOq-yp-R&.)X$`[9` 9Cq V`(R.0n0n2tpƭ-o#Kȣq+0rkᶔDVD.()O/{zxm?^HuOQBD)Wp-%'Ϊ` 642K(S6]0Me:zn8aZ %Y3if4U,T)uasPޒ# KdLGpJT0fzz{ddz{pqʊ$.lUݕ8XEY؝MlPdVzXyʞ'$ (7Gv2L +$ZC`2ԭu/qTmyW|3[jl~TG7rߍr;<{3P:ylo&r0%a+\6(NjHA)~ Q0sj"괺N-8t@ySG ÜFp{uZ9hJ 0"6N+āټRyPtwSFt[]3[d81oG }u Lƚ8Éc KLoWszS(|f1(@.'2B~CAsT F;Q p80O CQI,?\zq5^[ p=0q/C(o S\Wo Wh ApSz_{wZV,> stream x][~_[TF%o1IQimq<>R754 ʮrꃾ\$@gKѹg(3gty (P,uId٧uWb CS4O9$4k.$k&b,w*=t!TaӍ 0*ĢE]&S z'cj3K{ GoDŽi2ʺ{nvFM _ёLbumZtI8H8' sDT.n0pwR u@SGV`kTz~֢84qEHb`i6c F))AQsD%Wh8s4G Ol lK* txVmcZ@xA#.xcԭTEnLl u)=[#KoTH,4 Gn8H<|@u3?CU--Q mN)0ٗb $69{?f]Db= SIQ,ڄ_=E#Z+,[ww/>}x3_=P|#=Ȳ=sXUZ>*;TS?Oeh .#^'dP !@Vp >8K 0 ZiR\HU0'KpwzŞW RPP>PKO?\>#YR `Ģ0H UέD`O@@ FDa;Ch'(~ !aBx3q@83@\GOGPdxLIV|U:6ѰrE-!N]`Kk(炛 fKBt7wgICΝtXf\>p qʖ%pPE:Y3.#.̆IIPtAj娋Vd`g1~~%s}V"("A΅^cöԁ#7S3MW֟LJ!b(V_ٰbmDl|C`{k=7k}7jʑ~Ȳ$ɁJ¶{ɗۣEr*dtbn"~aprLC92-ڑ,Se$>#QZ ildiKY{4s&٢g0N]O< IkpuPB~# \] r/(xZ,E_aAݵ" >w\AS`H3X#EJW&6BM{w0j?ڞSX~y[a*-0Ĵ5}Aw#֬\統N^#lYc/}*eRI,|kU VO= &x&NC`*\4Lbi-ƌ!5{ 9~YLNT7!'cg(TbAn'YX53a8 +|]&}<'sOxq4 PZ; 2 _>timcPP~>T @8OZs- 1@  *FklpǓ,6\x'9 `s8&\"E I̘VLdU0;,0jt0 說xxe j6*H!N.&!+`cwۓt;j;E~uX q:RsB}ÔӔ”MtB!Pz|;O@U U&E0ev `:o>AzM˰Uz 4I>QO_ y@Jl5V޺ũUg5Hsb84n+7h\5$^?Zet-dYYcHWPJb-9ќm-@gZAls 8B~ #\MDRT$N#agEUVA}A laj uީV=o {n)24}gC={KA=F}:> o<`d(:F6k}vrxG;>p|ow|亼*e] xXMZ_ Tv=sTrjzA|eU\/< VUǜz D+GZݎ9kJ# :&R 5#ff56™,`F8 Zk8OQձ誛WS CP ^C `:"nj$LGu5%8œF]M.*, [\=X?&sdU4[+ȏ QSs S~m{PQ!y?6ɋnS 1+CƱ%1|.a}RX?zZZה -<1! YXu!L6FH _w.CY$ܕ%ѬΜ.<iۓ"0dC?Cєendstream endobj 496 0 obj 3193 endobj 500 0 obj <> stream x][s6~ׯ#Fq[i6Nhwh$6r&~^LPA(} (_w|N$W\M>OPIgN 9T(}wDDH$KfoS L QACBӅ9INGsC73 J@y ~<*ey J%S CeY1 dV peɘ@S9ag*4pTE7 J6z( 9Ah))KiM,h @mK MCY a-}unr5 B^`VbYz ^}qK1[&\!`"P_/RBӹ6H3bL4sl0(mB oX~_KPչc>_Lʪ׶4<f (/<\pr7]N;Ɓs0UN-̄ B\x/6H n 5!j_ O K#ծK}$.@8!s=SܩU{ .q`@,zge=_Ʉkb Qqad>>]lkO&^X^-(~y Q##iCAG@ֳ>w|kz8WB@[`9l)0ZU=ܮz Wہa1@R[@W2JƎ pgsg8tCI6z:S6 d;YϔudpQQǫm t^-G6:/n{5:ٽWo>%=D] G6't-袙4E39 ]A,O(árNT !)֚O"w+bv:;2[W,N[;-ysٿ6ڙF;N/N g;ױ[p.ױ2x*~ʸ-Ҍ駰М~bC!dB˦*?yeFz 6#1 Ո&K@o~Ú_J"Uj (st )5FZ(* MpI:jT/i*'cIɞ%Bv&@R\dqx@Ih' H{ǵʹrJT!.* PmĚ(E&Q XL*.Ȏ%:&c[&X/07"p?iGc4qZF9C;s&vAa m~(S륷OGh2 s<큢8}NwD3")jȏd(&,3> stream x]KsW*xޏN%ުxmݒhDqI$1 9|,u1"ClmNo>z$͟5@'`C_7 i1+y7)&H}t+,Č'SJhɒGJ! L# 2:?g䆈f{I~Cv?sKc&@]8k,kc4?p d(hLGȄjdd*j+n&\gXX5gpj8*S$L3];Rs/׃m@Hba{Dr$R~k(|n*@jbFiNmpIt~DF朜Q_`E,ג,N ;#2m#*]%L/W(^1~gZ.N7w"xp&y&qjL.MG=$6jI]jFEF 'B_荣0]{JM?FT!Fń&O#/`Iȳ PPS"N4&b%SImnfg Ws2O%W& JM|Zqj ۔pB~fxRژۇ yY`kRauf2|ׄVX`Z0}MMhͶ'wO9;$yFj$?ی_JM!o.8܎{u78Evhq 24U%3W>2j3I1nUZ)Z ]cD _ u1CvWl i~2Nפ$A0;J ǺY*[ -D, ? ("Er I*-n}|ÑR^]I4?}5\8J.AfV")*šr˜$Jeԛ UNR|*a`0)!lc"pDl=֏^2 8` A0,v:y/]ֳٓ1i;Q"H [f(iGiμ8̑uN5$"#7oq/o&~<"tf;~Ηy-3ZbqT{,'8YG}Z-Nwv2owӯe.V6,#X k_jX8Fu&Fqt n m^7;KqgN❷˝vɈk%A #^m&N"rE4 M& MrvC$c7quI#Gvq [a.ڭdA ?"n|An$d<}_~WAVv'=dǏ'ӇEI&b›M{e'CRsU皾MWOKjiXwA!3)s[iщehCEt e8㻉l1[Azl'qzvwY# 2QAx9 p°`.a 1|Hu~誕i_^m *kt1BwvC2 ǗAXt~V/'bp<ږ`vU tMRɘ7 J>` hѓ?z&L n@O2 2:!>VPX{pjcӎOfC"wz/ė~PZfɪY^K¨zyI#@JDP} Kㇵ=sT HxiiZz4>4 k5"{шi&1BQ*ItN0[7^NcY}n)Kf0yխS7HvW^9cWU{25@{@\QX]!f8Hek8)= =<7W lcCdKvFZ?)Ǘ^ؐ^3}YJ1E;hmznKG_,_DF4G3/hF}[=`zn_z?6>endstream endobj 506 0 obj 2787 endobj 510 0 obj <> stream x[ˎ"7on%Jd YD!&3@Йu=hK]s=2F!a oޛ~`}s&Go|P$F>c*iS#fQΕ4fBokd(P -Kgɸ(ip iIwQ:P_v=v.93˓{OcgϨ'?Ba` ߢYm,pKCrNJ:.}7R~[ؖtԂ~ 2}*>ΚpDqZPp[\UMLt+Wf 1bR)b<%39`sհ320٤> AWHa7Ű RP x.XC.<=6񇯇8 kh.k'#e<%pEnQxx]q [TR. I&_-'69> Sa޵~4:Z'YBb]!:#+T">ŝ'5.FhMf媮@d= 0l 4" GZ"&CኛM%i4$"k;u@ζ"d3Ja>z6yU[hOY\/L 8{ ۰Uͼ`O-k PX.h6oE@dі ]K`U?g1JځΘk̾ӇN?MgoV9g"-0o {5([lNJRrt$-li:|Lkx%/E*gf<-zjNaܖҭ U ȀP/+:h?ĺN(]L-6G-Sp%A΃پ]9*ܴ]K Iv^<^uFMkP חgd sjdO.j׃_Sǻ1İ{8GjwzyS:kl-/.y 1![Xb8d iޯd_עΑ%@v|v.ڗ^ avhh`E6zE;|U+źxi]-;ӒGa9] x#*4xc 1~aRVK.J 8Ng3eg$0RVtxq;xIMGЫQ (V7cbϮOrneâa[Y?-ͲJwYgNӴ_sYpJڔu>:OJAϵӎ5y k%9sՙ&tZqbpyX79NPXZIw~MkH]뮾֭  jyƞu sƤ?Wendstream endobj 511 0 obj 1409 endobj 4 0 obj <> /Contents 5 0 R >> endobj 14 0 obj <> /Contents 15 0 R >> endobj 19 0 obj <> /Contents 20 0 R >> endobj 30 0 obj <> /Contents 31 0 R >> endobj 35 0 obj <> /Contents 36 0 R >> endobj 40 0 obj <> /Contents 41 0 R >> endobj 47 0 obj <> /Contents 48 0 R >> endobj 52 0 obj <> /Contents 53 0 R >> endobj 57 0 obj <> /Contents 58 0 R >> endobj 62 0 obj <> /Contents 63 0 R >> endobj 67 0 obj <> /Contents 68 0 R >> endobj 72 0 obj <> /Contents 73 0 R >> endobj 77 0 obj <> /Contents 78 0 R >> endobj 90 0 obj <> /Contents 91 0 R >> endobj 95 0 obj <> /Contents 96 0 R >> endobj 100 0 obj <> /Contents 101 0 R >> endobj 105 0 obj <> /Contents 106 0 R >> endobj 110 0 obj <> /Contents 111 0 R >> endobj 115 0 obj <> /Contents 116 0 R >> endobj 120 0 obj <> /Contents 121 0 R >> endobj 125 0 obj <> /Contents 126 0 R >> endobj 130 0 obj <> /Contents 131 0 R >> endobj 137 0 obj <> /Contents 138 0 R >> endobj 142 0 obj <> /Contents 143 0 R >> endobj 147 0 obj <> /Contents 148 0 R >> endobj 152 0 obj <> /Contents 153 0 R >> endobj 157 0 obj <> /Contents 158 0 R >> endobj 162 0 obj <> /Contents 163 0 R >> endobj 167 0 obj <> /Contents 168 0 R >> endobj 172 0 obj <> /Contents 173 0 R >> endobj 177 0 obj <> /Contents 178 0 R >> endobj 182 0 obj <> /Contents 183 0 R >> endobj 187 0 obj <> /Contents 188 0 R >> endobj 192 0 obj <> /Contents 193 0 R >> endobj 197 0 obj <> /Contents 198 0 R >> endobj 202 0 obj <> /Contents 203 0 R >> endobj 207 0 obj <> /Contents 208 0 R >> endobj 212 0 obj <> /Contents 213 0 R >> endobj 217 0 obj <> /Contents 218 0 R >> endobj 222 0 obj <> /Contents 223 0 R >> endobj 229 0 obj <> /Contents 230 0 R >> endobj 234 0 obj <> /Contents 235 0 R >> endobj 239 0 obj <> /Contents 240 0 R >> endobj 244 0 obj <> /Contents 245 0 R >> endobj 249 0 obj <> /Contents 250 0 R >> endobj 254 0 obj <> /Contents 255 0 R >> endobj 259 0 obj <> /Contents 260 0 R >> endobj 264 0 obj <> /Contents 265 0 R >> endobj 269 0 obj <> /Contents 270 0 R >> endobj 276 0 obj <> /Contents 277 0 R >> endobj 281 0 obj <> /Contents 282 0 R >> endobj 286 0 obj <> /Contents 287 0 R >> endobj 291 0 obj <> /Contents 292 0 R >> endobj 296 0 obj <> /Contents 297 0 R >> endobj 301 0 obj <> /Contents 302 0 R >> endobj 306 0 obj <> /Contents 307 0 R >> endobj 311 0 obj <> /Contents 312 0 R >> endobj 316 0 obj <> /Contents 317 0 R >> endobj 321 0 obj <> /Contents 322 0 R >> endobj 326 0 obj <> /Contents 327 0 R >> endobj 331 0 obj <> /Contents 332 0 R >> endobj 336 0 obj <> /Contents 337 0 R >> endobj 341 0 obj <> /Contents 342 0 R >> endobj 346 0 obj <> /Contents 347 0 R >> endobj 351 0 obj <> /Contents 352 0 R >> endobj 356 0 obj <> /Contents 357 0 R >> endobj 367 0 obj <> /Contents 368 0 R >> endobj 372 0 obj <> /Contents 373 0 R >> endobj 377 0 obj <> /Contents 378 0 R >> endobj 382 0 obj <> /Contents 383 0 R >> endobj 387 0 obj <> /Contents 388 0 R >> endobj 392 0 obj <> /Contents 393 0 R >> endobj 397 0 obj <> /Contents 398 0 R >> endobj 402 0 obj <> /Contents 403 0 R >> endobj 407 0 obj <> /Contents 408 0 R >> endobj 412 0 obj <> /Contents 413 0 R >> endobj 417 0 obj <> /Contents 418 0 R >> endobj 422 0 obj <> /Contents 423 0 R >> endobj 427 0 obj <> /Contents 428 0 R >> endobj 432 0 obj <> /Contents 433 0 R >> endobj 437 0 obj <> /Contents 438 0 R >> endobj 442 0 obj <> /Contents 443 0 R >> endobj 447 0 obj <> /Contents 448 0 R >> endobj 452 0 obj <> /Contents 453 0 R >> endobj 457 0 obj <> /Contents 458 0 R >> endobj 462 0 obj <> /Contents 463 0 R >> endobj 467 0 obj <> /Contents 468 0 R >> endobj 472 0 obj <> /Contents 473 0 R >> endobj 477 0 obj <> /Contents 478 0 R >> endobj 482 0 obj <> /Contents 483 0 R >> endobj 487 0 obj <> /Contents 488 0 R >> endobj 494 0 obj <> /Contents 495 0 R >> endobj 499 0 obj <> /Contents 500 0 R >> endobj 504 0 obj <> /Contents 505 0 R >> endobj 509 0 obj <> /Contents 510 0 R >> endobj 3 0 obj << /Type /Pages /Kids [ 4 0 R 14 0 R 19 0 R 30 0 R 35 0 R 40 0 R 47 0 R 52 0 R 57 0 R 62 0 R 67 0 R 72 0 R 77 0 R 90 0 R 95 0 R 100 0 R 105 0 R 110 0 R 115 0 R 120 0 R 125 0 R 130 0 R 137 0 R 142 0 R 147 0 R 152 0 R 157 0 R 162 0 R 167 0 R 172 0 R 177 0 R 182 0 R 187 0 R 192 0 R 197 0 R 202 0 R 207 0 R 212 0 R 217 0 R 222 0 R 229 0 R 234 0 R 239 0 R 244 0 R 249 0 R 254 0 R 259 0 R 264 0 R 269 0 R 276 0 R 281 0 R 286 0 R 291 0 R 296 0 R 301 0 R 306 0 R 311 0 R 316 0 R 321 0 R 326 0 R 331 0 R 336 0 R 341 0 R 346 0 R 351 0 R 356 0 R 367 0 R 372 0 R 377 0 R 382 0 R 387 0 R 392 0 R 397 0 R 402 0 R 407 0 R 412 0 R 417 0 R 422 0 R 427 0 R 432 0 R 437 0 R 442 0 R 447 0 R 452 0 R 457 0 R 462 0 R 467 0 R 472 0 R 477 0 R 482 0 R 487 0 R 494 0 R 499 0 R 504 0 R 509 0 R ] /Count 95 >> endobj 1 0 obj <> endobj 7 0 obj <>endobj 12 0 obj <> endobj 13 0 obj <> endobj 17 0 obj <> endobj 18 0 obj <> endobj 28 0 obj <> endobj 29 0 obj <> endobj 33 0 obj <> endobj 34 0 obj <> endobj 38 0 obj <> endobj 39 0 obj <> endobj 45 0 obj <> endobj 46 0 obj <> endobj 50 0 obj <> endobj 51 0 obj <> endobj 55 0 obj <> endobj 56 0 obj <> endobj 60 0 obj <> endobj 61 0 obj <> endobj 65 0 obj <> endobj 66 0 obj <> endobj 70 0 obj <> endobj 71 0 obj <> endobj 75 0 obj <> endobj 76 0 obj <> endobj 88 0 obj <> endobj 89 0 obj <> endobj 93 0 obj <> endobj 94 0 obj <> endobj 98 0 obj <> endobj 99 0 obj <> endobj 103 0 obj <> endobj 104 0 obj <> endobj 108 0 obj <> endobj 109 0 obj <> endobj 113 0 obj <> endobj 114 0 obj <> endobj 118 0 obj <> endobj 119 0 obj <> endobj 123 0 obj <> endobj 124 0 obj <> endobj 128 0 obj <> endobj 129 0 obj <> endobj 135 0 obj <> endobj 136 0 obj <> endobj 140 0 obj <> endobj 141 0 obj <> endobj 145 0 obj <> endobj 146 0 obj <> endobj 150 0 obj <> endobj 151 0 obj <> endobj 155 0 obj <> endobj 156 0 obj <> endobj 160 0 obj <> endobj 161 0 obj <> endobj 165 0 obj <> endobj 166 0 obj <> endobj 170 0 obj <> endobj 171 0 obj <> endobj 175 0 obj <> endobj 176 0 obj <> endobj 180 0 obj <> endobj 181 0 obj <> endobj 185 0 obj <> endobj 186 0 obj <> endobj 190 0 obj <> endobj 191 0 obj <> endobj 195 0 obj <> endobj 196 0 obj <> endobj 200 0 obj <> endobj 201 0 obj <> endobj 205 0 obj <> endobj 206 0 obj <> endobj 210 0 obj <> endobj 211 0 obj <> endobj 215 0 obj <> endobj 216 0 obj <> endobj 220 0 obj <> endobj 221 0 obj <> endobj 227 0 obj <> endobj 228 0 obj <> endobj 232 0 obj <> endobj 233 0 obj <> endobj 237 0 obj <> endobj 238 0 obj <> endobj 242 0 obj <> endobj 243 0 obj <> endobj 247 0 obj <> endobj 248 0 obj <> endobj 252 0 obj <> endobj 253 0 obj <> endobj 257 0 obj <> endobj 258 0 obj <> endobj 262 0 obj <> endobj 263 0 obj <> endobj 267 0 obj <> endobj 268 0 obj <> endobj 274 0 obj <> endobj 275 0 obj <> endobj 279 0 obj <> endobj 280 0 obj <> endobj 284 0 obj <> endobj 285 0 obj <> endobj 289 0 obj <> endobj 290 0 obj <> endobj 294 0 obj <> endobj 295 0 obj <> endobj 299 0 obj <> endobj 300 0 obj <> endobj 304 0 obj <> endobj 305 0 obj <> endobj 309 0 obj <> endobj 310 0 obj <> endobj 314 0 obj <> endobj 315 0 obj <> endobj 319 0 obj <> endobj 320 0 obj <> endobj 324 0 obj <> endobj 325 0 obj <> endobj 329 0 obj <> endobj 330 0 obj <> endobj 334 0 obj <> endobj 335 0 obj <> endobj 339 0 obj <> endobj 340 0 obj <> endobj 344 0 obj <> endobj 345 0 obj <> endobj 349 0 obj <> endobj 350 0 obj <> endobj 354 0 obj <> endobj 355 0 obj <> endobj 365 0 obj <> endobj 366 0 obj <> endobj 370 0 obj <> endobj 371 0 obj <> endobj 375 0 obj <> endobj 376 0 obj <> endobj 380 0 obj <> endobj 381 0 obj <> endobj 385 0 obj <> endobj 386 0 obj <> endobj 390 0 obj <> endobj 391 0 obj <> endobj 395 0 obj <> endobj 396 0 obj <> endobj 400 0 obj <> endobj 401 0 obj <> endobj 405 0 obj <> endobj 406 0 obj <> endobj 410 0 obj <> endobj 411 0 obj <> endobj 415 0 obj <> endobj 416 0 obj <> endobj 420 0 obj <> endobj 421 0 obj <> endobj 425 0 obj <> endobj 426 0 obj <> endobj 430 0 obj <> endobj 431 0 obj <> endobj 435 0 obj <> endobj 436 0 obj <> endobj 440 0 obj <> endobj 441 0 obj <> endobj 445 0 obj <> endobj 446 0 obj <> endobj 450 0 obj <> endobj 451 0 obj <> endobj 455 0 obj <> endobj 456 0 obj <> endobj 460 0 obj <> endobj 461 0 obj <> endobj 465 0 obj <> endobj 466 0 obj <> endobj 470 0 obj <> endobj 471 0 obj <> endobj 475 0 obj <> endobj 476 0 obj <> endobj 480 0 obj <> endobj 481 0 obj <> endobj 485 0 obj <> endobj 486 0 obj <> endobj 492 0 obj <> endobj 493 0 obj <> endobj 497 0 obj <> endobj 498 0 obj <> endobj 502 0 obj <> endobj 503 0 obj <> endobj 507 0 obj <> endobj 508 0 obj <> endobj 512 0 obj <> endobj 513 0 obj <> endobj 82 0 obj <> endobj 80 0 obj <> endobj 531 0 obj <> endobj 43 0 obj <> endobj 490 0 obj <> endobj 532 0 obj <> endobj 26 0 obj <> endobj 363 0 obj <> endobj 361 0 obj <> endobj 24 0 obj <> endobj 533 0 obj <> endobj 359 0 obj <> endobj 534 0 obj <> endobj 22 0 obj <> endobj 535 0 obj <> endobj 272 0 obj <> endobj 225 0 obj <> endobj 536 0 obj <> endobj 10 0 obj <> endobj 537 0 obj <> endobj 133 0 obj <> endobj 8 0 obj <> endobj 538 0 obj <> endobj 86 0 obj <> endobj 84 0 obj <> endobj 83 0 obj <> endobj 514 0 obj <>stream xWTTgܫ";؍`ucK,(H*҇*" E ХTbM1ٸ1шMooL;w|+cl12L2Du4Ȗ'uۂlF&Ob`2dai QAjɻt`N8- Q8m Np8HX8cF\\tQ9).X??*iExiO߮1j('p?0af, lyԊbV>=hc{B9Ϝ5{ܷ/X0cfΌg60&fx0o2[)Vƅʼ,c3˙3ɬbf39\mƍY3Capf31#Gf:L0IYgrwygM65l89;'P3v`O&4oP4}8 Y6${߇bˇ1lIcߝ ".J2iv>)ɍ*JHxM[e} gQ{ܱ\bCumqڠ%ʤw <*qϡz}ѱhJDS"{&%c(3Q.}$<*1Zhҷ[ - 8#p IuK ̝3o wH8V^«tMSIYi˯7%*=q庖E&d"tb2tiJҟ|c;NeJU];mOrL.H^d6KͲ*8B.`8cf?#?c@?_CtH$q$tztBqPSuaCT558/@H"J?p{ZLLHj3҅ [v6o+YdAFXo=Ǒ-'&ANA `yM@gе̏)|ߊKD&CpzClqY,{H&2_ ?~o 6>m,YnA ( Cד[ԭv7!-۽WwBNu4^IEEI J2oyOV r)+d[e(6D:!wu6X(3sQI3!sRH fx O&"M.\v{K:ak253*-ړe&i5@>18҆  V?Kс.;U9ľF+"LF l=tq=Ehc9iFf8bs"bU2x7_YSkj)SC5p+vTdcCu4XThUBYq!ET08]ni~PXatvKKE<[U1>8l6DJ=r3zd@y&Y49[bRZ9xC`9 mt@ܴ#t6D98t87B ;|û؞}-|>`9pd2a_nW*pVOGWD6$m;UjMCz뉕 A7P9^i){AͽZK+ĉL~]6GAjRnf)M{JtxVsLy\ #pœM.4AUb@Bpq*)h0)КƱkGA%TgQ079g !pn!&J?8{[A|jWRsћDs7\3c;k L&S[UJ_g% +OnLk4]4†u-PJ*gkpa_fy!`_ f:3g9O\Fh:Yڬ}Yubwzl^S} TRZVUVyL%pYJ#J2%{q<.z0T Îȫ{n]j>{B+p)jeZVFݲksj1Fe"s ћ3q __`]/"9ZSKkPD!LܠJ~oz:h}ZEṚpl#򦒐^^*~RX`ݜF)g-mX_c׶pA s)(kX#P6rxKGpiWRC5@4ZΏ9׀RJÄ쌽:eW\T8+75:#7<)ϼ#B k(uXl,'o(],{}ZRR\%,ZiIx&Mo} /ҞW)YQ ~u;6P]>ظ*w+wǔf5i !Cn̫ښq%BUUM}-&^sۦ)9i(r'11)ԫc&\zU'-1`H޾(!/3M@L1P:6CUދYr ’x/  .HKMgQNW)X'u]]WjBⲍЙ>.?_1ʂnï,!?^d WzKY͸/)Z,k^`y_f$}[@1"/P'cہo;ļ9@As틳Jafe n9_ª5cYNҋbS@lTl)XF{qY*L}Y4rK&:cYousNQYʲN8{$yͼO,\9Ͻ#\KdyPPYݘKcÂW,$4o;&H6Rѷm &Y+[fH]nQ꼺R/m @[?_ ߻O/iR\Umn/=eJkݜ'5Pлg$_eg6@A"p 1L9[Vi\7 RrgfKXu ܀&$P?64y!:xRX,{r[28I܈ME`F Yʝ;}ax /4h  yq\Zc մ~ MpPe_=t>'DCI54pF'mM[ә( OZnDWH> endobj 515 0 obj <>stream xy tպuM7@a+ C@dQ $!!!sҙ:cUUIg;#@ " 2(^U<{N>koeJ:ݧ}Nɨ>P2AK&x|NzR&=܂CҥW|<5AQhc\&O1ΉOH6ҴiSO?+6<)*,$i&2<6DCŇEk2GόhO6!$6yB|ҖWnjOD OOJ ?/>N,$6; _scR4IK7'Q5cV9 o$KY05-dqzhFRe#D z3zU&0ŗ(j95 VP+ j&5ZEVSc5Zj65ZG͡Ss [Dj@ͧ&Q "j "zZJMQ j05bQ}T,5Ip'oeeȧ;}r2C9Wӳ-^|ɏ򏱏}|AAMsLeh&cġO$m?â}'{*O=l$X|FYk5H.KhWr0H7`_bՈ/_F} 1Tbld!ХJ[/g>"1+ߌYoWDk[{.W"i,j^'2|uN+8n gj76Ȥ+r2Kt6WQhg36'WPrcczUnI,vfw1,r(D=( 'gb唠]ùrFZh'xsgm]Aax};k K&Bhnc|[ ϊ MBV#WN}kޛYQ@ϋ37GjsYoLnԶ]k1*f$2ߨVPk]eqZAU)ǧNe'2;Z#W",ˁ !|(O+ ^.%Tx^Nfs*E!DOzܐ# T}&Β<:`q)b*sNquoVXbk\*kEo8jZiˀ4:XP_ҚPykr .hrԊf*϶מ8=p=ݰqxtQkE[t99q}R(7l[XrV.5Ì,AToIGFSʦAÚMU1g Z'ѽ?KC-))\2|狢|(dOEP.f7:P`b}K5KS Zrz~[Wz~uʏïμդd;zT BZctz]x~^4-.R ~$:~>N@"m`SGXl|1XU-{JK8ahlMs |ߞ%@U O1Z&x]N /@ [3 EK'ϙbTÅ~kQ`@T5*AX' ֈq֞i4@= {~Q1TIpP$^: VSA,ўn34;`& *{A~ ..Qd}RX!tU]TxZ֡ࢿxsiR3JExq lX3p,OJFLxL@cΗ9jDm+;iz},v'qC `HWc;TfT (&T rpJwȅ"i!1!tBMd8$^%NN)eE:6F V"֑[h{RU\~>MǪ~#q4|O`p[ T h/TF(..fd0UcyyצƓEI)h7 x7k]hDp3胞E^7{ͦ4تZQm#@ ?d6/]rBq\.euGdwo=d%eC?xDvKt!ǬgplYj;_vUV6V" abWgQ]?YxLHDGm \HeKnLsfk#B޹|Q}OfE w+Pf oQUCsu9- ؇V+W4X4Z5_K$h`v=P~Ř1?nΒl ޸. >ݽ 8yz-U!,_2[UW㌅'OTaRH{g*yiS~%hd-b,=8 m6( QT_T4(둢>!L_%훗#UyUʃh9Iq_R0% P.ʥ3N-8ZWu`6I;Cq Xb¸AЦDl[v šlcu\7ɮyu951 xMkRJK1нϒd8 !9ͬBǻd|E{鸟ѹo@T)B2,xk1?se/Io-:3^ Q-2끾cR%c)]/7~IJ+流0h>$/ ~'s FkzVwdFM&n/@#v$Ϟ.;#tELT`?e-AGKUmc P9xC2Ԗ=5_})pVmh6M0k*|Ѹ)79 RgXUZ+1:e_hDe҃QA3hzʬKIG+ i=࠯+/Nx%mfS_^@CʓWPEYѦXiT(f${C̪.)j,2m޲IE5zW''ThY!< ބrMyз ^ZI*@1 emfp-ݸtYߠcuR2r\ĄUr:>`]۷Wn#rbef3%h ֕mc3f/4}xS%:)&6=K/^5M-'?)ݕoGW povOc'; RФ?Q_'g|?зƜOYu;lX^jVD h09o ixd/~}FR:gMTT_֋uPB''7D$;ѥ 6^+UV_˱ < -Aм_娣Kib㣓j۶x^xO'z'ÉVvBG [&}"u4,CyTp^.]=D3 d3+S[ 8)֐YwDrT AK\0)^%b=pyY˩ppOϩL6@\}~z>z Ꮔgc;Ë[ ֭e1n ׆kTPbsVOA`;eH 줝bZhm*RЎJDAY9Aʕ8ýhb.4ʉ ,0xODk\p r }t>늣eZX\ޝ/_$Hm= %+\ CU՞fAUVo_t+✼uՖs6X5++Q*GI6ٮul"z9xW)u+SXS\]~.ѻRcr<0,MOE2<t8Pf@#[2[W>v/]>,%u\W0x#7<]=َ}54kãR=.1)~>g<1$qz'CX+yr嗟ن>@nɥ$4IRƴZ"6qaUzž> i$|t<~j:0\R)2$`Q})h ?{t<x+ޠәs [%K$G֡?i[L qU)M^|>c[;#36teHM'/֜RF;݇Nz10$aohz_{rPnAj6|m$K'K4&v{4-NHo%MCI0 Bvۧ{>˂,E*o4fNA%[KȾR4 3"Ry0Mr9ُHOGoCc~P?{g3oP| [ zhsCjrYS^3{R+FIrKRg PCcK$|J kBZgFuGlX1+zYq/=4N]]yws;4w= ;{j'Gtdyj._S/FpX>&`TxEX5/g^ ! :Ug.z@o٢yZsj֫fp̠|qo;=3:YUdJ.ME3ٓ^uK䧻md@74մmisBM+fO?~ߠGX8H./Xhك4ӳ >h@%ugHEI)&p㒹GյT'ЉNȮtR'R1(YYQ 55GhKJ4u旒JTy&3o~CRiiUPɢP66"Ңd5l=Ü_/hh9K/Il)vVϾ 0BM4R*3N*ͳTeUUz{^>Eϟ+qQsLMgHhfW<>"kNV `1yeOm 7g]tEEd 3=i^zi;-dt/1?9e葿GKwءoKS]JZu>Sk| }|(݇ endstream endobj 44 0 obj <> endobj 516 0 obj <>stream xYtTUa`x(ƒ "RDD ` bH/MzLO/ )$4 oۮGI2}wP0r@(^y ?GGoQ0VcG6?Xx!oQ#P^$NI:+|ԅ˖-;uт˦JL M94-&2!4?u[RxldZYŤI?TffЄI)Ϟ;536-f꫑)S_NJL%4!r&)A2usRDdJ@ xfUꤠ5җ֦.m}MYadoj;-Xh,yv@0]/xL X.!*x\0SM````5Auj\A```%|ZS  O ,ll<+ &hD$D0YTY0RnA4Y#*œE͡XZPsXo8u>6G2ƟkNhN=I9~$>gOa}Տz~7w1na1FO>A;=*߈v4y!DcPp\pXb\h7ᱏYҥM}Q~ CYb^>*3UCL;t; [EPQ@ 97gI.Et 5 G} 7?-Dg".>nuy7~8? y+mq@-CQI9lձ.4NQnw\QmhLM R:Rl4-LC!Q/c Daϫ**Umhg<LAڱ{Bo;/yq,fȧݏ}Zy,dyqуA)|ҨMXMG[`T|ƏlF+{B/?>2E5r`mr.hE`FʏQ@KYG7(ETXn"26>.BWy].YdPs[% h[{2/GElSY4zN6wBzI("$(\V)^ B0pu Ϳ|=I4]'~JAIWHj9@7JYqFZRNS9ȧʊ0M53veө֜'o %% 'Q$m19U RC,ifC[Q SR..r9TI H.$j?Y0gOCxu]`|bZSE3;r׃Y%D-2EA7/DoNN˅|I=e7_|()ԕ٠GsryoU ڤf#!B8#wlgfx/?cl,̭`wxW^BuPxK`YwShLT DY{`(Iv\p`ٽ]fՖbxBYa֛J S@\T4?M^ O%?\TTB;Tוz*:N 5LWbJaxDcu\!q50swCnm"5}`]= (l`bttAsD.l.#XJD ΖD x%?n{Rd6U&HLڅ {OmXʬ:K2a|i\G=QĹ>xY4,#zV'qO)}m-[|]χK?)? X{l}jKRz[qҨNi8]4_ޏ1 qs*(au`sV݋D g8M2#eI];3~q/1=Nޞ)Xs%}kc};QǑޅ6/]͇=hLE7[wpuNk;aunCgh WSyV4B9eYL "ͱqI [iNf׸&{R%QX@4.yQ6ۡOMCVe/,%YF6x}]r %*q FoD~(2}gG%n߳3KɤiOxRXfa>>ʴT΂(VonXzHfJ ,%%cODwZ_ގrCz:&W=~> ThʺKm8qPewDQB4-$$B'rh*,Sp%QoR+zp̬A+ R{u4As޸}=p5!1kSiUSgGkER ğ(])6.DB CE$3k Bə$>K- ^?|6-=vϨRNғ|At$^jwPowX$Yʨ\WA>KER8NbV[jGJc _.nJ(o' 7ωSO/VA' \s~SW%?7O,)6HT .jxutDZ6WMz(%! gʔRfucm'MF\d,Oxxֵr`Ă j rMg$1[Wo!{_-/Cq,yFC H`T>ԍV mP. 7[بf |XݨxgZtz+i4 _,YwDM|}K<py{Sѣh"|bz}%hU@?8K^[nĢE/BqA~_FLRr^k(jowGYm(MB&^,j '#Fm ='^=8FYɐbeѠ,RR U;ۙܓ~ Eeyz6'~"B=%Fє1םB7U:8B~wLMy#w1AYd~/&&e*zqs$߯g茥 MFR$|W8 AꪲUP\Pޞ}oT2Ho,,%p(T:|ic<Ƴ%ב **.:oTmYI2 W3S};~w?PgKU?;'+:#ijr #ef K[D[cTRS11 ncnt#䳑SsҶfF^-P y;؄Ġu@#|Mw.\npcp/yܿT6 Gs 򷱊]|ȢV{v7v*qZٖT\kg5P 'c_rk'ƣ 'p/nU)Q$*P_=^p6UJNDE͋ų?XcoCVMKU$؄ge{%ɏQaGEs ?h4.Ӟ!LJRT5V6$~:3Q޸v_ <#F-Ǒݯ4] &9WhqAI.XtV3gqyG"h|+Ms,)4Ý{V%sj]:ёn]8h4Eh75@9Pk7!K$(&siF댅`!D#0Nq&q~Mv^G\ϊ"0̘LF XhZ5S dp[ b ĆOc#p<8 r)!BIIfm!! $!{?  .~q`P[?s[Z,n/_=<98Q頔౷C?шJ}7H _ yEwT53m%<&uJڬ$'|NfYOSQuSdDC1y<҉^#Es%jڠݻՕ`{b?xmNz4ogUseNcO5 YJ0CfQ[εj ɵF 8d9Pn`IFA>jCHgw&u %|\'.%%g/@ T#8cIG.R{)j=5f$v#^@'#JIsjuE&$4Nfhv(0Ƽ.-jS&bz͊]X"*0&_ׅt}ށ>:B~{qw+P]6ZewHo'A*!<@yP<9D  LTũ+A5I J,̘n.XMcӯܨȍ.kFcwDhᏯwy*DSh+e8xc5f7QQ&h"eFc@N%FM"WZ/OA `k*֒ߋ"{cžf3r=dGjwX ž[mpă([h &nwWx[CC9(Kn.wclǭ#ra Gץd XM{_?ɟJ?umP :M'OK߽-#̈́g6YS,T"96;1>?A/hZ Z @Ox:<>s~zIG3x-r\~#eo !Xt7ƅRMen1u> endobj 517 0 obj <>stream xcd`ab`dddsT~H3a!=;k7s7Bߣ``fd+nr/,L(QHT04Q020TpM-LNSM,HM,rr3SK*4l2JJ s4u3K2RSRSJsSN%E )Ey V L,*?:o;+J-*Zjђr| 8O6{B߉Wq]b1ùd"Z9 endstream endobj 27 0 obj <> endobj 518 0 obj <>stream xY\SWۿ*x+ֽբb(N+#앜@ a/E[mkv(Vj[}C;!@[/{9yNe/J 9:9Mjw~@?m?j@֖u#j]A:B<<%vk7m޼9O:]M&!vxK/HO6/xrcѻ¼$v܃š{VKֺl,/0D.s .(j[n[B2ɇ!VKw wGyxnw\&N9-jlY9o,pw'lcE>Qu|j4zCmRq5DKm&PDj DmQQۨdj;BRPӨ)jIfQkٔ#5ZKͥQj 5DS;)B X-j(eCR0ʒNhmJHqOP}5G9@!KAE9-X$YI}Zhmnտ~_\0pPȠ_g~&*oאgGl[%CF -Ȇyͦvmm0aS>㷙eovC|"wSΏ#g5jQF֗ח!ZT-@7˔ExwܯCc#C$MJCь_Rq%> yZl|G@%ﴪ O΋CPb2}?:+lCw. mZ':p }CT[JGDU?\MW0.$֋Q$ +hщg?9W ;Uƽg>.~NՇK*e:˴fYU]dx'E(1-Gr;3glca)V/EV${=-t30j'k\8 ]Dr$,l*gY7zݰm-"+d;mM<GBO֕f=״O'i|ާ{2mL#!N'^uޱVFp q,Bg+y3<Ё'١JX]'i*;db 8TLVdn_ GJs.twtgnF^x͏Y4pP.\z.'AGj82fS!Ôu8`yYT-KI\̜۴ ,;V5qX BK4ȶԧj7a%Dbi];&wLgK&lGU\FfF&*f*j$$g;;!R4` Xki0YC F_NQʷ['V :*d̑+(XlHj̥1 >j1. Aueܞ!I:lmCeaz3pTPzqFigt@W[{Zь.vLOWxcwx1h&&IɡRV܏rY^l8lUs&Ԗ}%9GH$dp?n dD{_,L'C'aQa\je¢ng A uY3gLO7tt(^Hc`/ 8 b>:LVw_niSۏ]ܪ[&#,=ۘȗVݺ 1z.5 &vG^Efq!IvB%G%p7vbɂt6PTF#NNW[b:SV{4@ADf4i(B%!EG`!ʉxw[[t+u7p$a!s6k4"R_HZ * j4ʹgIV¸*tȶ56f{7IM1Dviz_GAC޳f`7:/~3H7Lycg,ݷHÚ]7 &h DeSc\VERf]ԘoiC$:TyŨVRS`NZc8ǰ0M' E<| 9u0beBi7ym9$hGE (F0f }qG~0]`H+!am"8$ئȊ/xA8A;:Cz;s(kP.ov3=+HdKO:= e!ۊlU|FLv' Apmq jh7nC&vռ,.Jr(UXHbTt{ebuYvǤ bg{aqkCX>a@2œnߺ.ǯ}v3OwXT4?LkDL:4|DψIh+ ` ڪ &),)دBW)@?*x1+y<"B #NuG+(+3kW qPZ̹v#r$HVqcT63L7.]'z5-@1ߋ1ȳĤ ^|:/. IH:ZKK8O_;_i=y}À;?`}5*M y|6WtTj;8՗XTN8nZቘRA)89q7l@) ^)$D;=NlT=Y}Wf3y$$-:T|贲`eĽ]i _ou{>[Pͧ33;=g8ӟ'5O8Stc%.jAuZ4C*M0;7LL9ɣMqvj>1Nj Q":w0,w+sYDoց_Pe=k6@ewbKHPU7)H0'zGsV\ [&[F A= N~%6Gk;w~?5~d ᝟?DQqlf2IBLpIXUZUq~)avD/pX. ~@hǽ89GfaW-aZy"K @GQlgwCYu7iuޟJriAd|"^xO|RtڢؼDƧ+<<> VƼ]Vw`C8GO&ܜҭT|rY5]B6[7ەQKHXZGzS˾<{+B@k!y<(OqFG}d|Q}2k`uVqȜUUe>غ Ölvdwlof*xfdb\T/8u߿.h;Y[p$>$I GIPx'M䉷AoEx'MD$ ts En#MU#&R#<&v[RS-4d<ͫ`"/ 7mbQQbFxNE`5~,@ELN:68=9q+wn靍29iCD" Gg6ZqRXBT~bf*sBи}çF%$(&!+v5H_\Wn_χ N@ڧVr_Rɕ+yA@])ޟM.eiUQ-Qw!-Y%"۰(i~~+:LINBa)0oʃ6y8*>Wq&/&U?ĸF{7+ G٤W 8rO âniGt>4! GxmL&%BwQlE,Hƒ48(1)qD`Kc=?ZleZ6?6_,8<[ Y8x# endstream endobj 364 0 obj <> endobj 519 0 obj <>stream x]HSq4(S *ٴdhвjهٖc2ݻY:%: }_de7aEAԅMy><$!$I& E"SB [%6)ŨX )(dӢ2 mD'RTBJ>i5[8&>]\\/f*mZo3Fڌ\œc9,dY8$/茶fieQ+VILb}ϫ߃ZO進#v rP1 5dÐCnY eOxRvq"*}۪ !|Ϧ5&#&Fɩia_w], C!h5(Py!ɴf(HBBPY ؖq L9Ĩly*.j/tJ';1 7ƅsY>u/Uxbt+a!RJT13. u‹t+-xKG7 >=YxY, A9c*øF?I=f"ag〾yHi),p3^anr>^{}ja}O.:I6@+ ic)X)t/Pw-\w_s JQ{nFm.1Ȏrpa_](nW@}Z b5ۏ}%݋o2n;f[ [a Mg adgea~=Q91ܭ5_TtoBVwv;+78 SڢS};fMD0I'+}5\:H"N@ HMaVͳCšx߽ʶ-+BLmsӧ*.[ZgYfI=:ꠜP|^yfmS9/E̼yocMWqE|vBvliA=1'HԬ%1Y#2A mM|DaR]FT.jߨ' }O6BB܃ArS?%+3CL/_1G'Q[*\L֘U {ծ{b?kQeEM]Ng{ g<54qP%zՈ;r۹p5@L%aeAvխusTq5F+˄$ fңv4hEqbd_L{IB7Y'K7#,:.|jc{P H_dɩAK)v'ZUJZ]r!NY$GѾM(1|ZN6*w?B# ZԪ1a1ՀbHh#*f\ 7ca$䦤eܐRFV֠F[!2Y=#Q@87@R rhDhwmN%pC꛹5;~ qcɤVAd Jg,ODj' V*t,8q )M`(8@m|Ԛ( F3)_2lKA7 ,Ǯ5Z \p3*Gԉ.J4%EB䆖%{E)f 5. o}jv4T֖6)s+kc f;kj!G]RzztX3g K&6(Ae˰@k0xME(uW<$Cs RBwQsJ}\-_U\]ʋФ^NѴN9]K+3yz@IhE"V4;s֝Q3_n0m.Hm1빥̙-[x*}-c;nom>|&7ܛ=s ҭIZwS=4dκ#C-g϶4A_}9k!gn5&!tD! ]ݥ}RB 3"щSQ^J 7$1ER6w~ֶjf?ɽx7Z^^-Rinxy#NAE3<f.;tuWS8U"& ͙P?1v\ee' f<|[Gm8U'Kd03T4sCIgQ27=iNi ;. \(:ʜ:q&G搖d$aL $<.<5'hu\ξI/zAcS^zllM.? 0҅~h0 S4&B ԯ%g0< Ə2Spkb,:*%v~ݾj52SC%~jүגη@ tm [jZZew'E*hP"n\CQ#,?8|M]͕q"?=B7~P?s[t @y|NGﭦ:h!9jh,㕯p+9BKWa̵߼ymi_Ǹ_(Ok_94쪩4RSӹE2ߝ YL(״ҨOY|+5oi#;t«߱iiiD l0}^qĉ>VVy@q?`w}Ե博\ѣm74ghC+p}st˚U3" *[Ty(;PB(٫DDX0ӗ\{k[g:μ+X-۰$*v^`gю|NsX4/闩4cHozySx2Q4#vh7 \j7:q:g%F3xz7B(bcՆMR xR&.Bm&(bEnnnSd;hū}=+x*P]loVnuo!lPlŴu~`~Kl?{ўI(ԕC/#A 'p[> Ѵ'jgLWdz c`̝._b͂Q ,|A%dpP~ܛy[cs_x![b?NN6_p4ϝ8~ۖE~}kוst!Dd!t#r/4&#^E{RC[ԥVk:uDS~.wSg+nqHt╉uKZ> endobj 521 0 obj <>stream xVyPWq[b0nv hҍ7F;D0Af`k` Gs3ȭj Ac4DZƜnzͶlݪݭ>_}}M8Ό+_]BO_2>o:¬BB9`6Jyr8]P!e 1bV]&.f+y=_ e$Kt)8S$*bb7u+Vd_K7-˜=bT*.Ƽ/y'xq~aT I ÞJ37I6ǰD, { ۋbX Ķ`+Jl; {=]?p͟5tu3W\ī˴)(z99v LpijJf{,d~[#-!Fw$-tLºϒj;nl`')L+J<&9^};D". p ZlN{S7Z @O )5V2P!< 8-nResH;G |B! &\j\DF>5ZԤ2xP;P011-rQueOFUMҗ{gK+j4F7asG믻S-TA b(}rvܮ;v$tIU"TQ؉S,1lKϧ#xbJJOEG{ZVE8>xt 3r.EeC#}V((py30w\:%!T8gNZ'wfdTĖMԏ.D3L ST0E\fZ=<#G=,/NJlgS(Gt}#Vۘw nCKJ!$o0<ԤvF<xC&)l{C'@R( :&V %Qվ.;_N1uf2'f[q.EY`us"R"k<+x"BkQY@+=P{ڦS4"C)Tb,at[(FЋ_'_[QO6\<3WFjklO.i uYUL:u3]F9jS+4٠3*tEB}af{ȖP s;A\wC],Aȕtr2sb?> +f&P eu j:Ҝ)Y?x5: uC7tUie,ozTafԊìf20K%/8qN9D]Sxv]5<ei{3ŀT^FO!Ԭz$'ę4ComJД"s1JdGIQLݠX,y2 AC23rי*\7kgLG^UE&ٴ4PЃ٩FGev|vg=B )✼Gh7*u-h.8Âc[.o}һY'62PQyD( {0%SE g.@R-Цp?;n1ϑp9|l13LdRN?J7k7^67A6eaOM"R,1ԻlNDf?wn^g)wk٬eG҅7G )M.K?ͳYc2u.H(mpVV1̋o:VK*eQCU ש Krќw.r/JJ䥊<ۊR* Dg3'~f bͦV)z}.C+R>a2&)ddL%-A/8|1̬Era]iٍZAo&$q[ѮgyC;\kC ?AďߝyK0Ŭ夡W=)e.XU\8140txCHu=]t+cV~5>GJ>Zhj=~Wkt`4JTxP湮~h]7G6KWfGpվP}wws'OXfPYb32i|m`aqv}; l`|:E>u:; !(ʻ*$Ƣ%6 j|];'TX M8'nDd E|O3Oakglu͚aH# endstream endobj 360 0 obj <> endobj 522 0 obj <>stream xXXguegudBFC`G)A@g&K[X@ET,SWƒϐo) 3sӷ#,8)=/^#(b e^? U2r?X7nɎ3Mqpp#nGGCe*sWXYaaAL1?tb`Ϝ1"ڹxzf 0 nlNAa^!vy0 3c^NAoY0lQ[tXa2f< l'qUz6J{RWx3R+h )rUv5+UN&߫)ߕh/nH8Aˌ.D2 yz}IѼH6>Y 3^χsܾ/ɚbqL^Y%4+&5I{:jyܮW~now][py߻V# j.DJϸ$%5m0 |hTػiq2XH۰'${"J,p47,>VÅ&,{=Rŏsky*Eyul<\0awRcMܫBIY zY;M;Kqp sKXٿىrC7U~ʆN3SZN x% )"8[q82R?Ss-L„63=a%TICMRI+E&S Y\U#Zmцhl+BoI&3z&a!k/mN659q-JhyVw7CN'6nk9^f~S1ٻc " ^IDlFb5CV U5[zܘlu'h@# ɅzmĶI Q^mG`_Ӊm#Յ`[i99Y̌ c`rm]|kF5~}iQx6p5 >>pH@'Wa 77cRUٮҪ X]u<缦;XeF;7eo:]7.~\M';!N=;|{ͩ lxbzR+HH$$[@5W=ݠ Qzvɞewg6X/LTFSSsꏵ8ZQ ~)ymgVZpЦ2SeMX͛OMZX.*RmT[{n KxnJaq '@z(PqF<(\`[/TB6/t6!k.ؕ1z*(,$*:ȭԻ-opjnU[QA;| ԩ#IM&u 6~Y[#w#L.4lSɐqvd~S܇@V+Y[*x=pKOQw|im=x]%zE_k{>E&\?&-2K )u_!aR!*_3 #h mԶNږpZz=~b2b62ӳ_h(Q(HhChvTm-Yܢ}Akf{ա}M vV{E"wLTGڍ!<Hіb,ǿ߷Uri8PݪW`O%ߏXj{RIJՉGL:~G<4sJ>')3pCOP+u(krYV:]Q[$NVkA܉;:P^85ɏ$瘋E4$SGV;i(C~!amG[rr9B|*5M!\pIճG o|^a{]`c v <)v?~"!0(]ı<;W#>nn")吭ոjL՞Wq.Ѧǀ[!R(AΊ(()+1y}|mtFp:ݢVKn{OuhOoĽۯ<])jxSDC@fd5ZQFav>יOՆbaiua pw`lX,#s}8P c浞)y; Z+r\ڵ=%n\Utn҄5&:o osj>,] yt$KHԉ)T*{uiބ&^HD 0- 2(Ge 7gbv2ued訡L(9JϒԌ4_Z 1UV֙g::D:]t>οZ|pN_q# H}J^O#%tqIBlTNuJם@i#fnH`zopuC(k;& :ʷ=>B$kH.$Joy$Nr-wIy楩 M&٤;?nQ(@ZKerũxTa0aJј}ؓm0(7=TKs P tҀ3[*0Y#9y)C 1puQ8ĩzT?HOj{B>0\ccO&ƗCo`^,%QHKkg~(q-wKF‗PQ7of렵nFpX:acHa czX4"]f3q_u1hZk'Ο)6z^n1܆M;+=6z{۳q vnuwK5. j9R5'qi6_Zr]C\Ǐy{U +Pq~ R^`alˬעpKO9"To-j߇OΔ~q@GD0r3(Ň7QD\.%oBK'QS% ( pi5t7/)v>4N>FV*α |pd=iN[dJvÆƺ Rʏ.޵asfn\'UM JJ"PaU t@n;Z3w| pWڎڲچBU;Dn-䟼1KTj!Z-$)AS{VǓ! }G͸&6Rcᠻw:p{qe9š&ɣT\z^Uh sp#CȢS[5[+Ь8.&A yIaѭ`{"FC\bD &#(PIKꚏW >*X&yxDngXzE,JkMA;<9 8໇,6FK0J.B nܜA]۞%Zj/8%N7:Dk%]򥵲M:sU*=(c>wtdPpqDMMIqYvI_"JBI%Z-o *''{%l \;Zj#n@wɄ6XO(^*tI>3ݣCΥoG 24.PxQHs6?/+(a{+kYGf܎‘|U\kxOǚWqUC߻za+7{ hD':wo™N* Ff)qK/2){㲸[x>UH5 RUW.+9+wy u$Ϭ~I$2b!ilkfVRÇkIΎ,I&Uxr3dkkwЯRgW,0O\2 endstream endobj 23 0 obj <> endobj 523 0 obj <>stream xcd`ab`dddw441H3a! k7s7BcG``fd/mq/,L(QHT04Q020TpM-LNSM,HM,rr3SK*4l2JJ s4u3K2RSRSJsS NӃP%E )Ey V L,J?:/~ wݢ+-._br|e ~8O6{ Srb1ùpZ[ endstream endobj 273 0 obj <> endobj 524 0 obj <>stream x{LSwz nXT@N3E F p)ʭ[r(s`V^BPY: -h\0$ع+$'s)/EӴwl|b\^LK Xo"AŀʫG{1!bhZ8V2u *u5_oՋF] Q/z7G,.X:NI@TDggڝM=昈YZ 9IJKJ һr¯R*_ 9/PD=~Ħ'n4^m˖#k_y:|bQq-~apZZm\^m >?% 啬Z\PMsn vɞ(&<~vFNT@pZV(3h}m67¨u:A ݚ [iRΙ90 X;`q*N?z? G4Ɨ$ @jt 2Nax߭7zGX>&lw Wd%YDHmF Zݔ% 9]U67ٙ{W;vJ'`H: ̅91r$^S*/~jNuᆴ:#UϳYeSXEOo}.35 YZJGnWAY骩!KK=[5pe5CK~| ssCz{<(QRoT-  endstream endobj 226 0 obj <> endobj 525 0 obj <>stream xcd`ab`dddw 441U~H3a!Gk7s7['~.Ș__PYQ`hii`d``ZXX('gT*hdX뗗%i(gd(((%*@ܦs JKR|SRD 2X4~t83'o#%G{<_ ~KOc̵[E,sl e`r{ endstream endobj 11 0 obj <> endobj 526 0 obj <>stream xytä́bȔ! %@1wބ-YHrE-7ƅԐ@HKHHHs+&{򲥹3>{P={P@pɓ, !=ׅX\ޞd}Ч!Pc??%ÒG w>qY3;N4i\}<\?NA=ãG ~7#""&M ;fcpa{<=;v tnn `ig @ܲ hm, ]$|tٞ+"VFXkN6o wDŽo4yiӇ5cY~gQΣ}\BmQ0j 5NަFPw7HʉEmFS1&j,GmP㩭BjzHmQoRIj2ZFMSӨtj%AfR\ʖGS(;JLJkT5zP '5BSPW(G՛MԒ\ 8- rQY1ԦlwiمgwwW,AcGV4U { HZPk9:"B CĔW[__[KvFv$a6Can027g^АE뮓l]MKz RߥxF8n: SH<'3oՙBGQ!5*nBfާD`!%JhHMhJK9%\ O>?P'r")wiA-wQZNM(ɇRɏֆNUAB֨6OUS25U'kl!jÅvZQJj`'hD^yB4]bz% f(q諮or$4GU1]6I-ropf<`vWd ]WdJl.IJdMpk!lu2?,(4t.+PUpI٨ HHR)7p=jZ&(! P;!5YI4y?}F65!-;-"GjzrΖ_K&XFEm~gإWP fj=}N]Ϲ)τDTUk>4xS?'hAONN"( U\ ^MS磻ʱ/)D1lQI69/VS{:8ҭ/GJ ߠ= ^rA}5D]ըU>Ɨ/Ljd]i,:`N. +(Oqب=[}`WwEkygn4gKqH?JbۧIyjM$y\jQ!Յ2F LGTNOը u&0Y*Еp)Az|a֧O9X1\-0t! (@c4=,u`ac}̛# ܠ_`{ KsI*y1a+ׄ7D]"hQ! 婰=d.vо:'L18k[ :;{.k=>mI}QَzF6~W1Pg,ʣ m5聹z*ƣ%O?wXt'Ԧ[_d rpol>)z ȍARZ"'*AG_GV[F}]}@#_bGKg T9-'tTߝe&4~[jCU&C-HmRs*S!ѧ7\F?,~ռqć;FZ&1u Kr>fď*SjR !9.8/&n yu:'j~35L4:]qxQ2ˀ7 L(2 'b;(zT֡qPB`2(@ nƹZt?!ZpA^t$+(I%.rB$&P D%_L& f4U15gš%VtҺu9 6.ǒx:/SBZjrh%'3-:t~t 2#^f9uDބ/b~DcrM5 _sf8 `?I?^b_d#zš+ٕT%)b!bǺwMmOb?.Ewњ3\T"Dh {-Lpm8o"Cgx lz>~--S$&*9U9Ȳr rrt-="vE.n؊JDSj50*(HG<˙LMK͜{)߹² (hn ]2 _~sew\a ,q8uMnG|a8mp2kMQCÅlQJG8{&! xDĶfS>"'Yj%W3l}LC>0/eңeHl<#[+7t& 2$Ç Y4 6"zZx_?1ⷓg$)-GlnB2D:D)BJkh mwfyhc~#޳`jomZ} ?CV2U-b)ÎLgCNE2$Br SHrO܄60Ȋ*zVFL5aa^!;?Q=uŦhoOʎǢ;$P@oh=vpOTpHHqp '(FF q +WILJ"=6,fVvA3}pdn4wXw_k,n:L*L pD#$odxwXȉ;ז ꍯ+!଼00| %'*3W[x[ b5)ӷ|0Ͷ U b7"tE23C>H3 `_,7Hw:sc4ԝ:VVpGV}즁}қ';GrM59I@Z^rw;j{Ko^c~x .04;[܄PONw=hOKA6Avг4hfFߜagM_3:ܹwB.<[@.~4c]F`@Vu9PW%nm#uDFL:eö8.|3Ŀ~-eg.;\T# 64Vݗ_Otky~i+a3sةD_ f4%C! JAX mq3~XtL:،M-/Չ 4""8\AA^V_x"x!rGTIAAFiUC_"B!5UFcm*#^V|h98ncq(3M]ilA|[RA`܋x6TӐT a|+Kʊj>:" j@:Yt=EyY9VkѨVvqdW kݸh6*( z]x`y OɦѽcNk]<\`Sz001SB!?=%~"֏TESѪ\Z$H`0Mwyrku?CM ;_Q\x~+0+9 ˺擯>(O /EQ) 1X$7[?)ޫU!I dJǖ(07(ny\3}^1fsQߧ/EF endstream endobj 134 0 obj <> endobj 527 0 obj <>stream xT}Lgp=ulzs!6Xip\)1(Jd&:%фaMv5 N{ (u}Ø?a1__dHGȀ G<~ǃNRwNbu^h̠<0ڡQq\j*L4Cgg+(wg%v_>>Q= ,4,•km ꚴG=<vP z.k-]uq؃޻*A9(B~[-;pe=84ͩ&SǤ}:h ]=ͷm+cy񨉗+ rFg iYaк=Ί%v^+5ՠW״]*++X ЪxM,{x}Rw $J$8z}ppwݺgs^ ]c=Xi:rq}fP(bJq8+Unҙ{; ږ\&'"̧{TF*ֲyq%}N}gѶ: Ic%=z!&eD5 խ5`C3*iW5uL%מK:[{4: 5g+V_m~&r']ǿ}؃f+&u'D؄p2nWYqmQTdDםH^hUWU۠bmC")G ^ck<"yw||N$7k{6rbqx#En[> endobj 528 0 obj <>stream xX XS׶>1$爊QpHN8c*ZjEQAq22 cE@yFD" AEV[mm꽭zmVkM{Zm$+gֿ-az1[4m 00J dH{B_#G: Ăy#HB6A^!;&ϰ3mKK+~A^;\\B<\B _s^!zΛ>=<<|_ &N1 4_fnbݼxӺ3 ciQ&Kl, ]r몈vn\gi3ޞ9sZ͛3ab0Vƞnje23YX0Ff81)&Ɔlf3Ә%tƖd23erf&żìbf3vjf.cg2g2SƌΌ`8&ǼG1#ICsR[ ##ӲᲓrGy!;b~S{bj|O>i}}/_0.ݠw]l?X=d̐\ė 4v0,tiK z͇; )&aEDaūK4!4I:4)A) \J_wjJ͇}Ppܴlq)/KT^~.),'Dȑ&+7鐁A0KP܆p?~@zyb/9NO3MI.۪JU8@׫mыEF# L.7-ha9:}t ̇Y_Ry!㉓)nf*X@`cEǤxi䕺uXpcA?GJv,U/:V N,Zݼ臹_~J[sr dJ\>+޴͆V63 m<*Ms pb 5O 2g2 {8g{OpZ }>,mPV;^b!8 #u7, Ь?cp5Xu)YO~"chQ@y?bQ)*V 4А=c$ Y{pE9$h!Y1P6'U-3@qd'qʼn4 Mи815*.bx23`,qsP?~z9':`?d.>]l480A9ɼ-WGzǣb}2)gKvgQk+4GNsĔqZRU-Dy,FR4+ף7)؟+ox1Nbe#@zG9znܺ{p&az,:)>h7b%"#wZEKl>'@ٌ]ǹLVcZq*WkczU2̟?0gL~Ou^.{iKduZ U]ɟESH\Kz<ٸÚ߽Vr8p>13죬틺=X}b=9΄EDXJ/B?a_ QR$ĪRvfxG&KR$X p޳0UEe=AJnPf꠨Li(380N҇(]yelY&Nr݇rf, )RDЕCZ%GAlu#m4=y|`5,]DZ;£}\`X}v<F7w]Iy4 r.I~ЯY8Xtpk--,R8}+굖.r?5pRaRJ{܀% ƿ0t/H %/ > Ư4Wh<7?"JFϵޒC'v'WQ#8v%_M"uf *#DScxFb7.tMDu>&F*fBC7f'0=pC(4Qk*Z&)IoCx<$;#%®. ,.[T fE.޽CЏ,NX_M =gd?hCr-OXl}$BΞnDϱ/:=>-1'@֦, kM }f)gǩ3#`KUKL_PYedp&!Q58K/9DS*j.v Is\#j֖7K*UP MV,yNȅ[ʔ;AM^W*#9>]'Lݏ($^sTs]CS7W8-iLoѝRғ ,v3*Tl;=& hTD UWhu[<=ͼ OUZNQΚhdͯzlhIQ 0!fZ=TyJZbfwؾTHR>EJJ^D en%=4\(c:VoҢgbVxqJQSQ[v*9O*i 2x6XS%Γ{+(z缑mm#iƗgN{AY6l@o_X.E/|fTJY$Km蔔DmXb<(X0 b }O]dѮs\R^m>K b 6Cz09}popזN_k)S)6hl)KOB\VP\6рSKa8,ZFLI О[@lPMƒ?L 8LS=q*<79ySQzQ$PvWr&\\f&`/#柮M N8bub32r^b5pP q b ø7a"z!SQ66t{-39d6i-U:h; ,t>]V;ELj֊Fes-\WK*ECl>.WN?:ˍIYdT*,TO/ѕ~*5EIۣ+AUJmrB9 PuR wP}P}}kҥ!(f#3K(.HmJtr׊abGUR70P&}S7ѐߍiХVhiG%~ǣ'QxD(2x4'1.s I.+`UG_%}O'iwh|fUێͳ-"v& *k*-QAa0d*OTrL"}NPD0nG}–&ŖDN8Ÿk_lFlJݡcߓ>Cf]b]?}.$/2nIq(O: "Y6emQUz.%\X J˫"]Taa *l'6{)@U<28.q-U8߮ S8WtI̘F˲R s9ς/O/ۭ[v,q濺鹖 g/^B1[?o^' o}#Ff#zl0 G#68J/lD*枾u):e+!nG`1u Ba]m^t;EoYp%LG0g߾$ۥ.鬘Zwpw_*j7o_WWѮ%-/ *0Ē8 I`,Ʀb}" N`Z ($RuT~3sDbu@+]/z`MFS/YArHPiKP[C)[a.Jo846B;l) Qu '}}N}6*%#q"s-cE:|47H^h'CgV F&ly!g!rM..ӟnh?~^O$FV6_{Deܡ-/ `痼]^4m6YjHdi8VbZ3džIBy6=(BQ1 sLGHġ 'ID+q'ч2'0@̧ E٫#TWz8A^VIqc(su)b nP"-ѥd) Z(wm` sUG^c jvyGlh29G:i4> iE=pTg}ztEsϨhH rO @Σ&~O"5)Xǯj3t _ w(PB+!tr^=܀l:OcVq8 ʍz@&kr59ܛ Źr99FGG.~l斵AVuA~f"-S u[>u!^?{Mo!bx 5k)ln[pS4E{7+y适,{ƇT#UWyu wl  o:~dMǪK `kkYE,}=P5V޳}gtm̽O"b|*Ǿ^WFnbte%s9JHRE9N(Dž]_%ާ]5vZZ(yq?AϽ8lvh-)>86b%#gkcU>nAM5MWZJqG) HkDH?k'wpE3=]a'g<9ٚQGal4oC}oԾ& ?7 endstream endobj 87 0 obj <> endobj 529 0 obj <>stream xV{PSw1rk]n.֩ՊjhVU$yBH$e Hy/c:NgEEtζZkvκ;sgIv/wrs8Dزs(f; 23ABsig"t8r89P!-L]teQQ+2Saqra(Y>d퐤f Uɢ,cL0l{zn,?=-MXN(=l_H'OIeb K9\yl^~"0(-}03+[H[mĻvbxXD"v=D Kl$$6[fb GC#=e;pw\C~8' Ҩ Skg81pn1eD8Nh 9#(XU-׻iwbdL:0SzX $.h㋼2-ԉ^tu97dB\^YRY,:7ܽz.sjGk-3qiL} `4_8/o K_Ien-*a֟;d= @gP BP9~ G.RTh>gUsQ]`juL,]nl#g~ Prږy"(,7_pqk -]TY..D5,|onKTm;c*zAn~9Iq!HsAq*[^ű[T*\>)-D&4ӍJ\&yl)k_yW>YY)$QFx /sF"LX~ʩ"HT>t,ļƲa{R!Dޮ.TVhNB,5j,ouem!hr2`h2/41ԡ.I.|Egdzj} P[LՇh/n69&]p%*c83_5ۊƂJ=рJD}nF,c鑊s@uuLP(Go4(3 rJRʄ@ MG3'cR٢H$ tԂm??[/y >F C4}O 'GP%t-yF3lbkV<X gLߞSYLr/Aޞ q(&+=~H'Fje(蓢-E:s34PVm(S-9~?>q 5Q Y,Z<=)/U{GF\@3r tUe ".-+EhC[^?3qJS!0:Ǟِ ,̰eB:n3Z!xmi|Oh:~&^ F}#{ǽZ_ztzD'Y*P-/FГ'ل#|~zGxRIo/O\ECd%{[<2,g}ҼH~Ƽuzϊ,|*l|X 6$ފG'1'T eT;O߻>>EMz1*V9#^͘~ί[~n&r͗>&>' maժwv muP2peԂbnGJF+P:(dJ> endobj 530 0 obj <>stream xcd`ab`dddw 641UH3a!M<<,k(={3#c~is~AeQfzFFcnjQfrbobIFjnb ZRaQRR`_^^[_nPYZZTWqr-(-I-ROI-c```d`d9ţG} ~guMٹ~Z_[rw< ݿv};\[s9f Œ@C8^yM}w~l 37Wo ,҅?|_8{!'nrq>endobj xref 0 539 0000000000 65535 f 0000474729 00000 n 0000560094 00000 n 0000473931 00000 n 0000458223 00000 n 0000000015 00000 n 0000000529 00000 n 0000474777 00000 n 0000491408 00000 n 0000550255 00000 n 0000490440 00000 n 0000539350 00000 n 0000474818 00000 n 0000474848 00000 n 0000458383 00000 n 0000000548 00000 n 0000001564 00000 n 0000474889 00000 n 0000474919 00000 n 0000458545 00000 n 0000001584 00000 n 0000004097 00000 n 0000489744 00000 n 0000536716 00000 n 0000488783 00000 n 0000527211 00000 n 0000487647 00000 n 0000512734 00000 n 0000474951 00000 n 0000474981 00000 n 0000458707 00000 n 0000004118 00000 n 0000007629 00000 n 0000475055 00000 n 0000475085 00000 n 0000458869 00000 n 0000007650 00000 n 0000008773 00000 n 0000475139 00000 n 0000475169 00000 n 0000459031 00000 n 0000008794 00000 n 0000012321 00000 n 0000486998 00000 n 0000504988 00000 n 0000475232 00000 n 0000475262 00000 n 0000459193 00000 n 0000012342 00000 n 0000017560 00000 n 0000475325 00000 n 0000475355 00000 n 0000459355 00000 n 0000017581 00000 n 0000021647 00000 n 0000475407 00000 n 0000475437 00000 n 0000459517 00000 n 0000021668 00000 n 0000026150 00000 n 0000475480 00000 n 0000475510 00000 n 0000459679 00000 n 0000026171 00000 n 0000027806 00000 n 0000475573 00000 n 0000475603 00000 n 0000459841 00000 n 0000027827 00000 n 0000028463 00000 n 0000475655 00000 n 0000475685 00000 n 0000460003 00000 n 0000028483 00000 n 0000030544 00000 n 0000475728 00000 n 0000475758 00000 n 0000460165 00000 n 0000030565 00000 n 0000035856 00000 n 0000486429 00000 n 0000497465 00000 n 0000486032 00000 n 0000492425 00000 n 0000492266 00000 n 0000559392 00000 n 0000491958 00000 n 0000556497 00000 n 0000475810 00000 n 0000475840 00000 n 0000460327 00000 n 0000035877 00000 n 0000039892 00000 n 0000475947 00000 n 0000475977 00000 n 0000460489 00000 n 0000039913 00000 n 0000044240 00000 n 0000476073 00000 n 0000476103 00000 n 0000460651 00000 n 0000044261 00000 n 0000049525 00000 n 0000476199 00000 n 0000476230 00000 n 0000460817 00000 n 0000049547 00000 n 0000052498 00000 n 0000476327 00000 n 0000476358 00000 n 0000460983 00000 n 0000052520 00000 n 0000056548 00000 n 0000476455 00000 n 0000476486 00000 n 0000461149 00000 n 0000056570 00000 n 0000060471 00000 n 0000476583 00000 n 0000476614 00000 n 0000461315 00000 n 0000060493 00000 n 0000064430 00000 n 0000476711 00000 n 0000476742 00000 n 0000461481 00000 n 0000064452 00000 n 0000068626 00000 n 0000476839 00000 n 0000476870 00000 n 0000461647 00000 n 0000068648 00000 n 0000073416 00000 n 0000491180 00000 n 0000548576 00000 n 0000476967 00000 n 0000476998 00000 n 0000461813 00000 n 0000073438 00000 n 0000080791 00000 n 0000477097 00000 n 0000477128 00000 n 0000461979 00000 n 0000080813 00000 n 0000084711 00000 n 0000477203 00000 n 0000477234 00000 n 0000462145 00000 n 0000084733 00000 n 0000089946 00000 n 0000477320 00000 n 0000477351 00000 n 0000462311 00000 n 0000089968 00000 n 0000094315 00000 n 0000477448 00000 n 0000477479 00000 n 0000462477 00000 n 0000094337 00000 n 0000098897 00000 n 0000477565 00000 n 0000477596 00000 n 0000462643 00000 n 0000098919 00000 n 0000104531 00000 n 0000477682 00000 n 0000477713 00000 n 0000462809 00000 n 0000104553 00000 n 0000107914 00000 n 0000477799 00000 n 0000477830 00000 n 0000462975 00000 n 0000107936 00000 n 0000111966 00000 n 0000477918 00000 n 0000477949 00000 n 0000463141 00000 n 0000111988 00000 n 0000117480 00000 n 0000478035 00000 n 0000478066 00000 n 0000463307 00000 n 0000117502 00000 n 0000123989 00000 n 0000478163 00000 n 0000478194 00000 n 0000463473 00000 n 0000124011 00000 n 0000129693 00000 n 0000478291 00000 n 0000478322 00000 n 0000463639 00000 n 0000129715 00000 n 0000134809 00000 n 0000478430 00000 n 0000478461 00000 n 0000463805 00000 n 0000134831 00000 n 0000138635 00000 n 0000478558 00000 n 0000478589 00000 n 0000463971 00000 n 0000138657 00000 n 0000143519 00000 n 0000478688 00000 n 0000478719 00000 n 0000464137 00000 n 0000143541 00000 n 0000149012 00000 n 0000478805 00000 n 0000478836 00000 n 0000464303 00000 n 0000149034 00000 n 0000154737 00000 n 0000478933 00000 n 0000478964 00000 n 0000464469 00000 n 0000154759 00000 n 0000160139 00000 n 0000479061 00000 n 0000479092 00000 n 0000464635 00000 n 0000160161 00000 n 0000164946 00000 n 0000490163 00000 n 0000538727 00000 n 0000479189 00000 n 0000479220 00000 n 0000464801 00000 n 0000164968 00000 n 0000171145 00000 n 0000479319 00000 n 0000479350 00000 n 0000464967 00000 n 0000171167 00000 n 0000176448 00000 n 0000479427 00000 n 0000479458 00000 n 0000465133 00000 n 0000176470 00000 n 0000180618 00000 n 0000479566 00000 n 0000479597 00000 n 0000465299 00000 n 0000180640 00000 n 0000186226 00000 n 0000479705 00000 n 0000479736 00000 n 0000465465 00000 n 0000186248 00000 n 0000191628 00000 n 0000479844 00000 n 0000479875 00000 n 0000465631 00000 n 0000191650 00000 n 0000195654 00000 n 0000479983 00000 n 0000480014 00000 n 0000465797 00000 n 0000195676 00000 n 0000200210 00000 n 0000480111 00000 n 0000480142 00000 n 0000465963 00000 n 0000200232 00000 n 0000204350 00000 n 0000480250 00000 n 0000480281 00000 n 0000466129 00000 n 0000204372 00000 n 0000210452 00000 n 0000489980 00000 n 0000537285 00000 n 0000480369 00000 n 0000480400 00000 n 0000466295 00000 n 0000210474 00000 n 0000216172 00000 n 0000480501 00000 n 0000480532 00000 n 0000466461 00000 n 0000216194 00000 n 0000221068 00000 n 0000480640 00000 n 0000480671 00000 n 0000466627 00000 n 0000221090 00000 n 0000224498 00000 n 0000480768 00000 n 0000480799 00000 n 0000466793 00000 n 0000224520 00000 n 0000231198 00000 n 0000480876 00000 n 0000480907 00000 n 0000466959 00000 n 0000231220 00000 n 0000235599 00000 n 0000481017 00000 n 0000481048 00000 n 0000467125 00000 n 0000235621 00000 n 0000241621 00000 n 0000481158 00000 n 0000481189 00000 n 0000467291 00000 n 0000241643 00000 n 0000247020 00000 n 0000481286 00000 n 0000481317 00000 n 0000467457 00000 n 0000247042 00000 n 0000251688 00000 n 0000481394 00000 n 0000481425 00000 n 0000467623 00000 n 0000251710 00000 n 0000254866 00000 n 0000481522 00000 n 0000481553 00000 n 0000467789 00000 n 0000254888 00000 n 0000260734 00000 n 0000481650 00000 n 0000481681 00000 n 0000467955 00000 n 0000260756 00000 n 0000264357 00000 n 0000481756 00000 n 0000481787 00000 n 0000468121 00000 n 0000264379 00000 n 0000270367 00000 n 0000481875 00000 n 0000481906 00000 n 0000468287 00000 n 0000270389 00000 n 0000277241 00000 n 0000482018 00000 n 0000482049 00000 n 0000468453 00000 n 0000277263 00000 n 0000283330 00000 n 0000482135 00000 n 0000482166 00000 n 0000468619 00000 n 0000283352 00000 n 0000290721 00000 n 0000482263 00000 n 0000482294 00000 n 0000468785 00000 n 0000290743 00000 n 0000297785 00000 n 0000482402 00000 n 0000482433 00000 n 0000468951 00000 n 0000297807 00000 n 0000303940 00000 n 0000489188 00000 n 0000530330 00000 n 0000488348 00000 n 0000521660 00000 n 0000488155 00000 n 0000520687 00000 n 0000482508 00000 n 0000482539 00000 n 0000469117 00000 n 0000303962 00000 n 0000310612 00000 n 0000482688 00000 n 0000482719 00000 n 0000469283 00000 n 0000310634 00000 n 0000316147 00000 n 0000482796 00000 n 0000482827 00000 n 0000469449 00000 n 0000316169 00000 n 0000321926 00000 n 0000482904 00000 n 0000482935 00000 n 0000469615 00000 n 0000321948 00000 n 0000327073 00000 n 0000483012 00000 n 0000483043 00000 n 0000469781 00000 n 0000327095 00000 n 0000333631 00000 n 0000483120 00000 n 0000483151 00000 n 0000469947 00000 n 0000333653 00000 n 0000340687 00000 n 0000483248 00000 n 0000483279 00000 n 0000470113 00000 n 0000340709 00000 n 0000346978 00000 n 0000483345 00000 n 0000483376 00000 n 0000470279 00000 n 0000347000 00000 n 0000353726 00000 n 0000483473 00000 n 0000483504 00000 n 0000470445 00000 n 0000353748 00000 n 0000359494 00000 n 0000483581 00000 n 0000483612 00000 n 0000470611 00000 n 0000359516 00000 n 0000366063 00000 n 0000483709 00000 n 0000483740 00000 n 0000470777 00000 n 0000366085 00000 n 0000372637 00000 n 0000483874 00000 n 0000483905 00000 n 0000470943 00000 n 0000372659 00000 n 0000378123 00000 n 0000484006 00000 n 0000484037 00000 n 0000471109 00000 n 0000378145 00000 n 0000385444 00000 n 0000484125 00000 n 0000484156 00000 n 0000471275 00000 n 0000385466 00000 n 0000391671 00000 n 0000484290 00000 n 0000484321 00000 n 0000471441 00000 n 0000391693 00000 n 0000399083 00000 n 0000484444 00000 n 0000484475 00000 n 0000471607 00000 n 0000399105 00000 n 0000405868 00000 n 0000484532 00000 n 0000484563 00000 n 0000471773 00000 n 0000405890 00000 n 0000412053 00000 n 0000484607 00000 n 0000484638 00000 n 0000471939 00000 n 0000412075 00000 n 0000417841 00000 n 0000484724 00000 n 0000484755 00000 n 0000472105 00000 n 0000417863 00000 n 0000423916 00000 n 0000484843 00000 n 0000484874 00000 n 0000472271 00000 n 0000423938 00000 n 0000429149 00000 n 0000484960 00000 n 0000484991 00000 n 0000472437 00000 n 0000429171 00000 n 0000433741 00000 n 0000485068 00000 n 0000485099 00000 n 0000472603 00000 n 0000433763 00000 n 0000439967 00000 n 0000485176 00000 n 0000485207 00000 n 0000472769 00000 n 0000439989 00000 n 0000442115 00000 n 0000485293 00000 n 0000485324 00000 n 0000472935 00000 n 0000442137 00000 n 0000445123 00000 n 0000485366 00000 n 0000485397 00000 n 0000473101 00000 n 0000445145 00000 n 0000447511 00000 n 0000487410 00000 n 0000512160 00000 n 0000485461 00000 n 0000485492 00000 n 0000473267 00000 n 0000447533 00000 n 0000450800 00000 n 0000485573 00000 n 0000485604 00000 n 0000473433 00000 n 0000450822 00000 n 0000453813 00000 n 0000485696 00000 n 0000485727 00000 n 0000473599 00000 n 0000453835 00000 n 0000456696 00000 n 0000485808 00000 n 0000485839 00000 n 0000473765 00000 n 0000456718 00000 n 0000458201 00000 n 0000485920 00000 n 0000485951 00000 n 0000492778 00000 n 0000497872 00000 n 0000505353 00000 n 0000512375 00000 n 0000513357 00000 n 0000520905 00000 n 0000522078 00000 n 0000527487 00000 n 0000530722 00000 n 0000536928 00000 n 0000537529 00000 n 0000538946 00000 n 0000539935 00000 n 0000548866 00000 n 0000550665 00000 n 0000556814 00000 n 0000559627 00000 n 0000486913 00000 n 0000487558 00000 n 0000489093 00000 n 0000489658 00000 n 0000489891 00000 n 0000490343 00000 n 0000490994 00000 n 0000491852 00000 n trailer << /Size 539 /Root 1 0 R /Info 2 0 R /ID [<94CB60EFC69BDD1E1EE0881908A5D928><94CB60EFC69BDD1E1EE0881908A5D928>] >> startxref 560299 %%EOF nettle-3.4.1/des-compat.h0000644000175000017500000001161713401564746014263 0ustar nissenisse/* des-compat.h The des block cipher, old libdes/openssl-style interface. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DES_COMPAT_H_INCLUDED #define NETTLE_DES_COMPAT_H_INCLUDED /* According to Assar, des_set_key, des_set_key_odd_parity, * des_is_weak_key, plus the encryption functions (des_*_encrypt and * des_cbc_cksum) would be a pretty useful subset. */ /* NOTE: This is quite experimental, and not all functions are * implemented. Contributions, in particular test cases are welcome. */ #include "des.h" #ifdef __cplusplus extern "C" { #endif /* We use some name mangling, to avoid collisions with either other * nettle functions or with libcrypto. */ #define des_ecb3_encrypt nettle_openssl_des_ecb3_encrypt #define des_cbc_cksum nettle_openssl_des_cbc_cksum #define des_ncbc_encrypt nettle_openssl_des_ncbc_encrypt #define des_cbc_encrypt nettle_openssl_des_cbc_encrypt #define des_ecb_encrypt nettle_openssl_des_ecb_encrypt #define des_ede3_cbc_encrypt nettle_openssl_des_ede3_cbc_encrypt #define des_set_odd_parity nettle_openssl_des_set_odd_parity #define des_check_key nettle_openssl_des_check_key #define des_key_sched nettle_openssl_des_key_sched #define des_is_weak_key nettle_openssl_des_is_weak_key /* An extra alias */ #undef des_set_key #define des_set_key nettle_openssl_des_key_sched enum { DES_DECRYPT = 0, DES_ENCRYPT = 1 }; /* Types */ typedef uint32_t DES_LONG; /* Note: Typedef:ed arrays should be avoided, but they're used here * for compatibility. */ typedef struct des_ctx des_key_schedule[1]; typedef uint8_t des_cblock[DES_BLOCK_SIZE]; /* Note: The proper definition, typedef const uint8_t const_des_cblock[DES_BLOCK_SIZE]; would have worked, *if* all the prototypes had used arguments like foo(const_des_cblock src, des_cblock dst), letting argument arrays "decay" into pointers of type uint8_t * and const uint8_t *. But since openssl's prototypes use *pointers* const_des_cblock *src, des_cblock *dst, this ends up in type conflicts, and the workaround is to not use const at all. */ #define const_des_cblock des_cblock /* Aliases */ #define des_ecb2_encrypt(i,o,k1,k2,e) \ des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e)) #define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \ des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e)) /* Global flag */ extern int des_check_key; /* Prototypes */ /* Typing is a little confusing. Since both des_cblock and des_key_schedule are typedef:ed arrays, it automatically decay to a pointers. But the functions are declared taking pointers to des_cblock, i.e. pointers to arrays. And on the other hand, they take plain des_key_schedule arguments, which is equivalent to pointers to struct des_ctx. */ void des_ecb3_encrypt(const_des_cblock *src, des_cblock *dst, des_key_schedule k1, des_key_schedule k2, des_key_schedule k3, int enc); /* des_cbc_cksum in libdes returns a 32 bit integer, representing the * latter half of the output block, using little endian byte order. */ uint32_t des_cbc_cksum(const uint8_t *src, des_cblock *dst, long length, des_key_schedule ctx, const_des_cblock *iv); /* NOTE: Doesn't update iv. */ void des_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, des_key_schedule ctx, const_des_cblock *iv, int enc); /* Similar, but updates iv. */ void des_ncbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, des_key_schedule ctx, des_cblock *iv, int enc); void des_ecb_encrypt(const_des_cblock *src, des_cblock *dst, des_key_schedule ctx, int enc); void des_ede3_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, des_key_schedule k1, des_key_schedule k2, des_key_schedule k3, des_cblock *iv, int enc); int des_set_odd_parity(des_cblock *key); int des_key_sched(const_des_cblock *key, des_key_schedule ctx); int des_is_weak_key(const_des_cblock *key); #ifdef __cplusplus } #endif #endif /* NETTLE_DES_COMPAT_H_INCLUDED */ nettle-3.4.1/serpent-decrypt.c0000644000175000017500000003733413401564745015355 0ustar nissenisse/* serpent-decrypt.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* S0 inverse: 13 3 11 0 10 6 5 12 1 14 4 7 15 9 8 2 */ /* Original single-assignment form: t01 = x2 ^ x3; t02 = x0 | x1; t03 = x1 | x2; t04 = x2 & t01; t05 = t02 ^ t01; t06 = x0 | t04; y2 = ~ t05; t08 = x1 ^ x3; t09 = t03 & t08; t10 = x3 | y2; y1 = t09 ^ t06; t12 = x0 | t05; t13 = y1 ^ t12; t14 = t03 ^ t10; t15 = x0 ^ x2; y3 = t14 ^ t13; t17 = t05 & t13; t18 = t14 | t17; y0 = t15 ^ t18; */ #define SBOX0_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x2; \ y2 = x0 | x1; \ y1 = x2 ^ x3; \ y2 ^= y1; \ y1 &= x2; \ x2 |= x1; \ x1 ^= x3; \ y1 |= x0; \ x1 &= x2; \ y1 ^= x1; \ x0 |= y2; \ x0 ^= y1; \ x1 = y2 & x0; \ y2 = ~ y2; \ x3 |= y2; \ x3 ^= x2; \ y3 = x3 ^ x0; \ x1 |= x3; \ y0 ^= x1; \ } while (0) /* S1 inverse: 5 8 2 14 15 6 12 3 11 4 7 9 1 13 10 0 */ /* Original single-assignment form: t01 = x0 ^ x1; t02 = x1 | x3; t03 = x0 & x2; t04 = x2 ^ t02; t05 = x0 | t04; t06 = t01 & t05; t07 = x3 | t03; t08 = x1 ^ t06; t09 = t07 ^ t06; t10 = t04 | t03; t11 = x3 & t08; y2 = ~ t09; y1 = t10 ^ t11; t14 = x0 | y2; t15 = t06 ^ y1; y3 = t01 ^ t04; t17 = x2 ^ t15; y0 = t14 ^ t17; */ #define SBOX1_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x1 | x3; \ y1 ^= x2; \ y3 = x0 ^ x1; \ y0 = x0 | y1; \ y0 &= y3; \ x1 ^= y0; \ y3 ^= y1; \ x1 &= x3; \ y2 = x0 & x2; \ y1 |= y2; \ y2 |= x3; \ y2 ^= y0; \ y2 = ~ y2; \ y1 ^= x1; \ y0 ^= y1; \ y0 ^= x2; \ x0 |= y2; \ y0 ^= x0; \ } while (0) /* S2 inverse: 12 9 15 4 11 14 1 2 0 3 6 13 5 8 10 7 */ /* Original single-assignment form: t01 = x0 ^ x3; t02 = x2 ^ x3; t03 = x0 & x2; t04 = x1 | t02; y0 = t01 ^ t04; t06 = x0 | x2; t07 = x3 | y0; t08 = ~ x3; t09 = x1 & t06; t10 = t08 | t03; t11 = x1 & t07; t12 = t06 & t02; y3 = t09 ^ t10; y1 = t12 ^ t11; t15 = x2 & y3; t16 = y0 ^ y1; t17 = t10 ^ t15; y2 = t16 ^ t17; */ #define SBOX2_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x3; \ y2 = x2 ^ x3; \ y1 = x1 | y2; \ y0 ^= y1; \ y1 = x3 | y0; \ y1 &= x1; \ x3 = ~ x3; \ y3 = x0 | x2; \ y2 &= y3; \ y1 ^= y2; \ y3 &= x1; \ x0 &= x2; \ x0 |= x3; \ y3 ^= x0; \ x2 &= y3; \ x2 ^= x0; \ y2 = y0 ^ y1; \ y2 ^= x2; \ } while (0) /* S3 inverse: 0 9 10 7 11 14 6 13 3 5 12 2 4 8 15 1 */ /* Original single-assignment form: t01 = x2 | x3; t02 = x0 | x3; t03 = x2 ^ t02; t04 = x1 ^ t02; t05 = x0 ^ x3; t06 = t04 & t03; t07 = x1 & t01; y2 = t05 ^ t06; t09 = x0 ^ t03; y0 = t07 ^ t03; t11 = y0 | t05; t12 = t09 & t11; t13 = x0 & y2; t14 = t01 ^ t05; y1 = x1 ^ t12; t16 = x1 | t13; y3 = t14 ^ t16; */ #define SBOX3_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x2 | x3; \ y0 = x1 & y3; \ y2 = x0 | x3; \ y1 = x2 ^ y2; \ y0 ^= y1; \ x3 ^= x0; \ y3 ^= x3; \ y2 ^= x1; \ y2 &= y1; \ y2 ^= x3; \ y1 ^= x0; \ x3 |= y0; \ y1 &= x3; \ y1 ^= x1; \ x0 &= y2; \ x0 |= x1; \ y3 ^= x0; \ } while (0) /* S4 inverse: 5 0 8 3 10 9 7 14 2 12 11 6 4 15 13 1 */ /* Original single-assignment form: t01 = x1 | x3; t02 = x2 | x3; t03 = x0 & t01; t04 = x1 ^ t02; t05 = x2 ^ x3; t06 = ~ t03; t07 = x0 & t04; y1 = t05 ^ t07; t09 = y1 | t06; t10 = x0 ^ t07; t11 = t01 ^ t09; t12 = x3 ^ t04; t13 = x2 | t10; y3 = t03 ^ t12; t15 = x0 ^ t04; y2 = t11 ^ t13; y0 = t15 ^ t09; */ #define SBOX4_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x2 ^ x3; \ y2 = x2 | x3; \ y2 ^= x1; \ x1 |= x3; \ y0 = x0 ^ y2; \ x3 ^= y2; \ y2 &= x0; \ y1 ^= y2; \ y2 ^= x0; \ y2 |= x2; \ x0 &= x1; \ y3 = x0 ^ x3; \ x0 = ~ x0; \ x0 |= y1; \ y0 ^= x0; \ x0 ^= x1; \ y2 ^= x0; \ } while (0) /* S5 inverse: 8 15 2 9 4 1 13 14 11 6 5 3 7 12 10 0 */ /* Original single-assignment form: t01 = x0 & x3; t02 = x2 ^ t01; t03 = x0 ^ x3; t04 = x1 & t02; t05 = x0 & x2; y0 = t03 ^ t04; t07 = x0 & y0; t08 = t01 ^ y0; t09 = x1 | t05; t10 = ~ x1; y1 = t08 ^ t09; t12 = t10 | t07; t13 = y0 | y1; y3 = t02 ^ t12; t15 = t02 ^ t13; t16 = x1 ^ x3; y2 = t16 ^ t15; */ #define SBOX5_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 & x3; \ y3 = x2 ^ y1; \ y0 = x1 & y3; \ y2 = x0 ^ x3; \ x3 ^= x1; \ y0 ^= y2; \ x2 &= x0; \ x0 &= y0; \ x2 |= x1; \ y1 ^= y0; \ y1 ^= x2; \ y2 = y0 | y1; \ y2 ^= y3; \ y2 ^= x3; \ x1 = ~ x1; \ x1 |= x0; \ y3 ^= x1; \ } while (0) /* S6 inverse: 15 10 1 13 5 3 6 0 4 9 14 7 2 12 8 11 */ /* Original single-assignment form: t01 = x0 ^ x2; t02 = ~ x2; t03 = x1 & t01; t04 = x1 | t02; t05 = x3 | t03; t06 = x1 ^ x3; t07 = x0 & t04; t08 = x0 | t02; t09 = t07 ^ t05; y1 = t06 ^ t08; y0 = ~ t09; t12 = x1 & y0; t13 = t01 & t05; t14 = t01 ^ t12; t15 = t07 ^ t13; t16 = x3 | t02; t17 = x0 ^ y1; y3 = t17 ^ t15; y2 = t16 ^ t14; */ #define SBOX6_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y2 = x0 ^ x2; \ x2 = ~ x2; \ y0 = x1 ^ x3; \ y1 = x0 | x2; \ y1 ^= y0; \ y3 = x1 & y2; \ y3 |= x3; \ x3 |= x2; \ x2 |= x1; \ x2 &= x0; \ y0 = x2 ^ y3; \ y0 = ~ y0; \ y3 &= y2; \ y3 ^= x2; \ x0 ^= y1; \ y3 ^= x0; \ x1 &= y0; \ y2 ^= x1; \ y2 ^= x3; \ } while (0) /* S7 inverse: 3 0 6 13 9 14 15 8 5 12 11 7 10 1 4 2 */ /* Original single-assignment form: t01 = x0 & x1; t02 = x0 | x1; t03 = x2 | t01; t04 = x3 & t02; y3 = t03 ^ t04; t06 = x1 ^ t04; t07 = x3 ^ y3; t08 = ~ t07; t09 = t06 | t08; t10 = x1 ^ x3; t11 = x0 | x3; y1 = x0 ^ t09; t13 = x2 ^ t06; t14 = x2 & t11; t15 = x3 | y1; t16 = t01 | t10; y0 = t13 ^ t15; y2 = t14 ^ t16; */ #define SBOX7_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x0 & x1; \ y2 = x1 ^ x3; \ y2 |= y3; \ y1 = x0 | x3; \ y1 &= x2; \ y2 ^= y1; \ y3 |= x2; \ y0 = x0 | x1; \ y0 &= x3; \ y3 ^= y0; \ y0 ^= x1; \ y1 = x3 ^ y3; \ y1 = ~ y1; \ y1 |= y0; \ y0 ^= x2; \ y1 ^= x0; \ x3 |= y1; \ y0 ^= x3; \ } while (0) /* In-place inverse linear transformation. */ #define LINEAR_TRANSFORMATION_INVERSE(x0,x1,x2,x3) \ do { \ x2 = ROTL32 (10, x2); \ x0 = ROTL32 (27, x0); \ x2 = x2 ^ x3 ^ (x1 << 7); \ x0 = x0 ^ x1 ^ x3; \ x3 = ROTL32 (25, x3); \ x1 = ROTL32 (31, x1); \ x3 = x3 ^ x2 ^ (x0 << 3); \ x1 = x1 ^ x0 ^ x2; \ x2 = ROTL32 (29, x2); \ x0 = ROTL32 (19, x0); \ } while (0) /* Round inputs are x0,x1,x2,x3 (destroyed), and round outputs are y0,y1,y2,y3. */ #define ROUND_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ LINEAR_TRANSFORMATION_INVERSE (x0,x1,x2,x3); \ SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \ KEYXOR(y0,y1,y2,y3, subkey); \ } while (0) #if HAVE_NATIVE_64_BIT /* In-place inverse linear transformation. */ #define LINEAR_TRANSFORMATION64_INVERSE(x0,x1,x2,x3) \ do { \ x2 = DROTL32 (10, x2); \ x0 = DROTL32 (27, x0); \ x2 = x2 ^ x3 ^ DRSHIFT32(7, x1); \ x0 = x0 ^ x1 ^ x3; \ x3 = DROTL32 (25, x3); \ x1 = DROTL32 (31, x1); \ x3 = x3 ^ x2 ^ DRSHIFT32(3, x0); \ x1 = x1 ^ x0 ^ x2; \ x2 = DROTL32 (29, x2); \ x0 = DROTL32 (19, x0); \ } while (0) #define ROUND64_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ LINEAR_TRANSFORMATION64_INVERSE (x0,x1,x2,x3); \ SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \ KEYXOR64(y0,y1,y2,y3, subkey); \ } while (0) #endif /* HAVE_NATIVE_64_BIT */ void serpent_decrypt (const struct serpent_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); #if HAVE_NATIVE_64_BIT if (length & SERPENT_BLOCK_SIZE) #else while (length >= SERPENT_BLOCK_SIZE) #endif { uint32_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); /* Inverse of special round */ KEYXOR (x0,x1,x2,x3, ctx->keys[32]); SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3); KEYXOR (y0,y1,y2,y3, ctx->keys[31]); k = 24; goto start32; while (k > 0) { k -= 8; ROUND_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3); start32: ROUND_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3); } LE_WRITE_UINT32 (dst, x0); LE_WRITE_UINT32 (dst + 4, x1); LE_WRITE_UINT32 (dst + 8, x2); LE_WRITE_UINT32 (dst + 12, x3); src += SERPENT_BLOCK_SIZE; dst += SERPENT_BLOCK_SIZE; length -= SERPENT_BLOCK_SIZE; } #if HAVE_NATIVE_64_BIT FOR_BLOCKS(length, dst, src, 2*SERPENT_BLOCK_SIZE) { uint64_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); x0 <<= 32; x0 |= LE_READ_UINT32 (src + 16); x1 <<= 32; x1 |= LE_READ_UINT32 (src + 20); x2 <<= 32; x2 |= LE_READ_UINT32 (src + 24); x3 <<= 32; x3 |= LE_READ_UINT32 (src + 28); /* Inverse of special round */ KEYXOR64 (x0,x1,x2,x3, ctx->keys[32]); SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3); KEYXOR64 (y0,y1,y2,y3, ctx->keys[31]); k = 24; goto start64; while (k > 0) { k -= 8; ROUND64_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3); start64: ROUND64_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3); } LE_WRITE_UINT32 (dst + 16, x0); LE_WRITE_UINT32 (dst + 20, x1); LE_WRITE_UINT32 (dst + 24, x2); LE_WRITE_UINT32 (dst + 28, x3); x0 >>= 32; LE_WRITE_UINT32 (dst, x0); x1 >>= 32; LE_WRITE_UINT32 (dst + 4, x1); x2 >>= 32; LE_WRITE_UINT32 (dst + 8, x2); x3 >>= 32; LE_WRITE_UINT32 (dst + 12, x3); } #endif /* HAVE_NATIVE_64_BIT */ } nettle-3.4.1/serpent.h0000644000175000017500000000570713401564746013712 0ustar nissenisse/* serpent.h The serpent block cipher. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Serpent is a 128-bit block cipher that accepts a key size of 256 * bits, designed by Ross Anderson, Eli Biham, and Lars Knudsen. See * http://www.cl.cam.ac.uk/~rja14/serpent.html for details. */ #ifndef NETTLE_SERPENT_H_INCLUDED #define NETTLE_SERPENT_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define serpent_set_key nettle_serpent_set_key #define serpent128_set_key nettle_serpent128_set_key #define serpent192_set_key nettle_serpent192_set_key #define serpent256_set_key nettle_serpent256_set_key #define serpent_encrypt nettle_serpent_encrypt #define serpent_decrypt nettle_serpent_decrypt #define SERPENT_BLOCK_SIZE 16 /* Other key lengths are possible, but the design of Serpent makes * smaller key lengths quite pointless; they cheated with the AES * requirements, using a 256-bit key length exclusively and just * padding it out if the desired key length was less, so there really * is no advantage to using key lengths less than 256 bits. */ #define SERPENT_KEY_SIZE 32 /* Allow keys of size 128 <= bits <= 256 */ #define SERPENT_MIN_KEY_SIZE 16 #define SERPENT_MAX_KEY_SIZE 32 #define SERPENT128_KEY_SIZE 16 #define SERPENT192_KEY_SIZE 24 #define SERPENT256_KEY_SIZE 32 struct serpent_ctx { uint32_t keys[33][4]; /* key schedule */ }; void serpent_set_key(struct serpent_ctx *ctx, size_t length, const uint8_t *key); void serpent128_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent192_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent256_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent_encrypt(const struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void serpent_decrypt(const struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SERPENT_H_INCLUDED */ nettle-3.4.1/mini-gmp.h0000644000175000017500000002604213401564746013742 0ustar nissenisse/* mini-gmp, a minimalistic implementation of a GNU GMP subset. Copyright 2011-2015 Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with the GNU MP Library. If not, see https://www.gnu.org/licenses/. */ /* About mini-gmp: This is a minimal implementation of a subset of the GMP interface. It is intended for inclusion into applications which have modest bignums needs, as a fallback when the real GMP library is not installed. This file defines the public interface. */ #ifndef __MINI_GMP_H__ #define __MINI_GMP_H__ /* For size_t */ #include #if defined (__cplusplus) extern "C" { #endif void mp_set_memory_functions (void *(*) (size_t), void *(*) (void *, size_t, size_t), void (*) (void *, size_t)); void mp_get_memory_functions (void *(**) (size_t), void *(**) (void *, size_t, size_t), void (**) (void *, size_t)); typedef unsigned long mp_limb_t; typedef long mp_size_t; typedef unsigned long mp_bitcnt_t; typedef mp_limb_t *mp_ptr; typedef const mp_limb_t *mp_srcptr; typedef struct { int _mp_alloc; /* Number of *limbs* allocated and pointed to by the _mp_d field. */ int _mp_size; /* abs(_mp_size) is the number of limbs the last field points to. If _mp_size is negative this is a negative number. */ mp_limb_t *_mp_d; /* Pointer to the limbs. */ } __mpz_struct; typedef __mpz_struct mpz_t[1]; typedef __mpz_struct *mpz_ptr; typedef const __mpz_struct *mpz_srcptr; extern const int mp_bits_per_limb; void mpn_copyi (mp_ptr, mp_srcptr, mp_size_t); void mpn_copyd (mp_ptr, mp_srcptr, mp_size_t); void mpn_zero (mp_ptr, mp_size_t); int mpn_cmp (mp_srcptr, mp_srcptr, mp_size_t); int mpn_zero_p (mp_srcptr, mp_size_t); mp_limb_t mpn_add_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_add_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); mp_limb_t mpn_add (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); mp_limb_t mpn_sub_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_sub_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); mp_limb_t mpn_sub (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); mp_limb_t mpn_mul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_addmul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_submul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_mul (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); void mpn_mul_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); void mpn_sqr (mp_ptr, mp_srcptr, mp_size_t); int mpn_perfect_square_p (mp_srcptr, mp_size_t); mp_size_t mpn_sqrtrem (mp_ptr, mp_ptr, mp_srcptr, mp_size_t); mp_limb_t mpn_lshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); mp_limb_t mpn_rshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); mp_bitcnt_t mpn_scan0 (mp_srcptr, mp_bitcnt_t); mp_bitcnt_t mpn_scan1 (mp_srcptr, mp_bitcnt_t); void mpn_com (mp_ptr, mp_srcptr, mp_size_t); mp_limb_t mpn_neg (mp_ptr, mp_srcptr, mp_size_t); mp_bitcnt_t mpn_popcount (mp_srcptr, mp_size_t); mp_limb_t mpn_invert_3by2 (mp_limb_t, mp_limb_t); #define mpn_invert_limb(x) mpn_invert_3by2 ((x), 0) size_t mpn_get_str (unsigned char *, int, mp_ptr, mp_size_t); mp_size_t mpn_set_str (mp_ptr, const unsigned char *, size_t, int); void mpz_init (mpz_t); void mpz_init2 (mpz_t, mp_bitcnt_t); void mpz_clear (mpz_t); #define mpz_odd_p(z) (((z)->_mp_size != 0) & (int) (z)->_mp_d[0]) #define mpz_even_p(z) (! mpz_odd_p (z)) int mpz_sgn (const mpz_t); int mpz_cmp_si (const mpz_t, long); int mpz_cmp_ui (const mpz_t, unsigned long); int mpz_cmp (const mpz_t, const mpz_t); int mpz_cmpabs_ui (const mpz_t, unsigned long); int mpz_cmpabs (const mpz_t, const mpz_t); int mpz_cmp_d (const mpz_t, double); int mpz_cmpabs_d (const mpz_t, double); void mpz_abs (mpz_t, const mpz_t); void mpz_neg (mpz_t, const mpz_t); void mpz_swap (mpz_t, mpz_t); void mpz_add_ui (mpz_t, const mpz_t, unsigned long); void mpz_add (mpz_t, const mpz_t, const mpz_t); void mpz_sub_ui (mpz_t, const mpz_t, unsigned long); void mpz_ui_sub (mpz_t, unsigned long, const mpz_t); void mpz_sub (mpz_t, const mpz_t, const mpz_t); void mpz_mul_si (mpz_t, const mpz_t, long int); void mpz_mul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_mul (mpz_t, const mpz_t, const mpz_t); void mpz_mul_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_addmul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_addmul (mpz_t, const mpz_t, const mpz_t); void mpz_submul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_submul (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_fdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_tdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_cdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_fdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_tdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_mod (mpz_t, const mpz_t, const mpz_t); void mpz_divexact (mpz_t, const mpz_t, const mpz_t); int mpz_divisible_p (const mpz_t, const mpz_t); int mpz_congruent_p (const mpz_t, const mpz_t, const mpz_t); unsigned long mpz_cdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_ui (const mpz_t, unsigned long); unsigned long mpz_fdiv_ui (const mpz_t, unsigned long); unsigned long mpz_tdiv_ui (const mpz_t, unsigned long); unsigned long mpz_mod_ui (mpz_t, const mpz_t, unsigned long); void mpz_divexact_ui (mpz_t, const mpz_t, unsigned long); int mpz_divisible_ui_p (const mpz_t, unsigned long); unsigned long mpz_gcd_ui (mpz_t, const mpz_t, unsigned long); void mpz_gcd (mpz_t, const mpz_t, const mpz_t); void mpz_gcdext (mpz_t, mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_lcm_ui (mpz_t, const mpz_t, unsigned long); void mpz_lcm (mpz_t, const mpz_t, const mpz_t); int mpz_invert (mpz_t, const mpz_t, const mpz_t); void mpz_sqrtrem (mpz_t, mpz_t, const mpz_t); void mpz_sqrt (mpz_t, const mpz_t); int mpz_perfect_square_p (const mpz_t); void mpz_pow_ui (mpz_t, const mpz_t, unsigned long); void mpz_ui_pow_ui (mpz_t, unsigned long, unsigned long); void mpz_powm (mpz_t, const mpz_t, const mpz_t, const mpz_t); void mpz_powm_ui (mpz_t, const mpz_t, unsigned long, const mpz_t); void mpz_rootrem (mpz_t, mpz_t, const mpz_t, unsigned long); int mpz_root (mpz_t, const mpz_t, unsigned long); void mpz_fac_ui (mpz_t, unsigned long); void mpz_bin_uiui (mpz_t, unsigned long, unsigned long); int mpz_probab_prime_p (const mpz_t, int); int mpz_tstbit (const mpz_t, mp_bitcnt_t); void mpz_setbit (mpz_t, mp_bitcnt_t); void mpz_clrbit (mpz_t, mp_bitcnt_t); void mpz_combit (mpz_t, mp_bitcnt_t); void mpz_com (mpz_t, const mpz_t); void mpz_and (mpz_t, const mpz_t, const mpz_t); void mpz_ior (mpz_t, const mpz_t, const mpz_t); void mpz_xor (mpz_t, const mpz_t, const mpz_t); mp_bitcnt_t mpz_popcount (const mpz_t); mp_bitcnt_t mpz_hamdist (const mpz_t, const mpz_t); mp_bitcnt_t mpz_scan0 (const mpz_t, mp_bitcnt_t); mp_bitcnt_t mpz_scan1 (const mpz_t, mp_bitcnt_t); int mpz_fits_slong_p (const mpz_t); int mpz_fits_ulong_p (const mpz_t); long int mpz_get_si (const mpz_t); unsigned long int mpz_get_ui (const mpz_t); double mpz_get_d (const mpz_t); size_t mpz_size (const mpz_t); mp_limb_t mpz_getlimbn (const mpz_t, mp_size_t); void mpz_realloc2 (mpz_t, mp_bitcnt_t); mp_srcptr mpz_limbs_read (mpz_srcptr); mp_ptr mpz_limbs_modify (mpz_t, mp_size_t); mp_ptr mpz_limbs_write (mpz_t, mp_size_t); void mpz_limbs_finish (mpz_t, mp_size_t); mpz_srcptr mpz_roinit_n (mpz_t, mp_srcptr, mp_size_t); #define MPZ_ROINIT_N(xp, xs) {{0, (xs),(xp) }} void mpz_set_si (mpz_t, signed long int); void mpz_set_ui (mpz_t, unsigned long int); void mpz_set (mpz_t, const mpz_t); void mpz_set_d (mpz_t, double); void mpz_init_set_si (mpz_t, signed long int); void mpz_init_set_ui (mpz_t, unsigned long int); void mpz_init_set (mpz_t, const mpz_t); void mpz_init_set_d (mpz_t, double); size_t mpz_sizeinbase (const mpz_t, int); char *mpz_get_str (char *, int, const mpz_t); int mpz_set_str (mpz_t, const char *, int); int mpz_init_set_str (mpz_t, const char *, int); /* This long list taken from gmp.h. */ /* For reference, "defined(EOF)" cannot be used here. In g++ 2.95.4, defines EOF but not FILE. */ #if defined (FILE) \ || defined (H_STDIO) \ || defined (_H_STDIO) /* AIX */ \ || defined (_STDIO_H) /* glibc, Sun, SCO */ \ || defined (_STDIO_H_) /* BSD, OSF */ \ || defined (__STDIO_H) /* Borland */ \ || defined (__STDIO_H__) /* IRIX */ \ || defined (_STDIO_INCLUDED) /* HPUX */ \ || defined (__dj_include_stdio_h_) /* DJGPP */ \ || defined (_FILE_DEFINED) /* Microsoft */ \ || defined (__STDIO__) /* Apple MPW MrC */ \ || defined (_MSL_STDIO_H) /* Metrowerks */ \ || defined (_STDIO_H_INCLUDED) /* QNX4 */ \ || defined (_ISO_STDIO_ISO_H) /* Sun C++ */ \ || defined (__STDIO_LOADED) /* VMS */ size_t mpz_out_str (FILE *, int, const mpz_t); #endif void mpz_import (mpz_t, size_t, int, size_t, int, size_t, const void *); void *mpz_export (void *, size_t *, int, size_t, int, size_t, const mpz_t); #if defined (__cplusplus) } #endif #endif /* __MINI_GMP_H__ */ nettle-3.4.1/config.h.in0000644000175000017500000001510013401564746014070 0ustar nissenisse/* config.h.in. Generated from configure.ac by autoheader. */ /* Define if building universal (internal helper macro) */ #undef AC_APPLE_UNIVERSAL_BUILD /* Define to one of `_getb67', `GETB67', `getb67' for Cray-2 and Cray-YMP systems. This function is required for `alloca.c' support on those systems. */ #undef CRAY_STACKSEG_END /* Define to 1 if using `alloca.c'. */ #undef C_ALLOCA /* Define to 1 if you have `alloca', as a function or macro. */ #undef HAVE_ALLOCA /* Define to 1 if you have and it should be used (not on Ultrix). */ #undef HAVE_ALLOCA_H /* Define if clock_gettime is available */ #undef HAVE_CLOCK_GETTIME /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H /* Define if fcntl file locking is available */ #undef HAVE_FCNTL_LOCKING /* Define if the compiler understands __attribute__ */ #undef HAVE_GCC_ATTRIBUTE /* Define to 1 if you have the `getline' function. */ #undef HAVE_GETLINE /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have dlopen (with -ldl). */ #undef HAVE_LIBDL /* Define to 1 if you have the `gmp' library (-lgmp). */ #undef HAVE_LIBGMP /* Define if compiler and linker supports __attribute__ ifunc */ #undef HAVE_LINK_IFUNC /* Define to 1 if you have the header file. */ #undef HAVE_MALLOC_H /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 each of the following for which a native (ie. CPU specific) implementation of the corresponding routine exists. */ #undef HAVE_NATIVE_ecc_192_modp #undef HAVE_NATIVE_ecc_192_redc #undef HAVE_NATIVE_ecc_224_modp #undef HAVE_NATIVE_ecc_224_redc #undef HAVE_NATIVE_ecc_25519_modp #undef HAVE_NATIVE_ecc_256_modp #undef HAVE_NATIVE_ecc_256_redc #undef HAVE_NATIVE_ecc_384_modp #undef HAVE_NATIVE_ecc_384_redc #undef HAVE_NATIVE_ecc_521_modp #undef HAVE_NATIVE_ecc_521_redc #undef HAVE_NATIVE_gcm_hash8 #undef HAVE_NATIVE_salsa20_core #undef HAVE_NATIVE_sha1_compress #undef HAVE_NATIVE_sha256_compress #undef HAVE_NATIVE_sha512_compress #undef HAVE_NATIVE_sha3_permute #undef HAVE_NATIVE_umac_nh #undef HAVE_NATIVE_umac_nh_n /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_ECDSA_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_EVP_H /* Define to 1 if you have the `secure_getenv' function. */ #undef HAVE_SECURE_GETENV /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `strerror' function. */ #undef HAVE_STRERROR /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the header file. */ #undef HAVE_VALGRIND_MEMCHECK_H /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* The size of `char', as computed by sizeof. */ #undef SIZEOF_CHAR /* The size of `int', as computed by sizeof. */ #undef SIZEOF_INT /* The size of `long', as computed by sizeof. */ #undef SIZEOF_LONG /* The size of `short', as computed by sizeof. */ #undef SIZEOF_SHORT /* The size of `size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T /* The size of `void*', as computed by sizeof. */ #undef SIZEOF_VOIDP /* If using the C implementation of alloca, define if you know the direction of stack growth for your system; otherwise it will be automatically deduced at runtime. STACK_DIRECTION > 0 => grows toward higher addresses STACK_DIRECTION < 0 => grows toward lower addresses STACK_DIRECTION = 0 => direction of growth unknown */ #undef STACK_DIRECTION /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME /* Defined if public key features are enabled */ #undef WITH_HOGWEED /* Define if you have openssl's libcrypto (used for benchmarking) */ #undef WITH_OPENSSL /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ #if defined AC_APPLE_UNIVERSAL_BUILD # if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 # endif #else # ifndef WORDS_BIGENDIAN # undef WORDS_BIGENDIAN # endif #endif /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to `int' if doesn't define. */ #undef gid_t /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif /* Define to `unsigned int' if does not define. */ #undef size_t /* Define to `int' if doesn't define. */ #undef uid_t /* AIX requires this to be the first thing in the file. */ #ifndef __GNUC__ # if HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ char *alloca (); # endif # endif /* Needed for alloca on windows */ # if HAVE_MALLOC_H # include # endif # endif #else /* defined __GNUC__ */ # if HAVE_ALLOCA_H # include # else /* Needed for alloca on windows, also with gcc */ # if HAVE_MALLOC_H # include # endif # endif #endif #if HAVE_STRERROR #define STRERROR strerror #else #define STRERROR(x) (sys_errlist[x]) #endif #if __GNUC__ && HAVE_GCC_ATTRIBUTE # define NORETURN __attribute__ ((__noreturn__)) # define PRINTF_STYLE(f, a) __attribute__ ((__format__ (__printf__, f, a))) # define UNUSED __attribute__ ((__unused__)) #else # define NORETURN # define PRINTF_STYLE(f, a) # define UNUSED #endif #if defined(__x86_64__) || defined(__arch64__) # define HAVE_NATIVE_64_BIT 1 #else /* Needs include of before use. */ # define HAVE_NATIVE_64_BIT (SIZEOF_LONG * CHAR_BIT >= 64) #endif nettle-3.4.1/rsa-sha256-sign-tr.c0000644000175000017500000000372513401564746015377 0ustar nissenisse/* rsa-sha256-sign-tr.c Signatures using RSA and SHA256. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha256_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.4.1/ecc-add-jjj.c0000644000175000017500000000762513401564746014261 0ustar nissenisse/* ecc-add-jjj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl: Computation Operation Live variables Z1Z1 = Z1^2 sqr Z1Z1 Z2Z2 = Z2^2 sqr Z1Z1, Z2Z2 U1 = X1*Z2Z2 mul Z1Z1, Z2Z2, U1 U2 = X2*Z1Z1 mul Z1Z1, Z2Z2, U1, U2 H = U2-U1 Z1Z1, Z2Z2, U1, H Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H sqr, mul Z1Z1, Z2Z2, U1, H S1 = Y1*Z2*Z2Z2 mul, mul Z1Z1, U1, H, S1 S2 = Y2*Z1*Z1Z1 mul, mul U1, H, S1, S2 W = 2*(S2-S1) (djb: r) U1, H, S1, W I = (2*H)^2 sqr U1, H, S1, W, I J = H*I mul U1, S1, W, J, V V = U1*I mul S1, W, J, V X3 = W^2-J-2*V sqr S1, W, J, V Y3 = W*(V-X3)-2*S1*J mul, mul */ mp_limb_t *z1z1 = scratch; mp_limb_t *z2z2 = scratch + ecc->p.size; mp_limb_t *u1 = scratch + 2*ecc->p.size; mp_limb_t *u2 = scratch + 3*ecc->p.size; mp_limb_t *s1 = scratch; /* overlap z1z1 */ mp_limb_t *s2 = scratch + ecc->p.size; /* overlap z2z2 */ mp_limb_t *i = scratch + 4*ecc->p.size; mp_limb_t *j = scratch + 5*ecc->p.size; mp_limb_t *v = scratch + 6*ecc->p.size; /* z1^2, z2^2, u1 = x1 x2^2, u2 = x2 z1^2 - u1 */ ecc_modp_sqr (ecc, z1z1, p + 2*ecc->p.size); ecc_modp_sqr (ecc, z2z2, q + 2*ecc->p.size); ecc_modp_mul (ecc, u1, p, z2z2); ecc_modp_mul (ecc, u2, q, z1z1); ecc_modp_sub (ecc, u2, u2, u1); /* Store h in u2 */ /* z3, use i, j, v as scratch, result at i. */ ecc_modp_add (ecc, i, p + 2*ecc->p.size, q + 2*ecc->p.size); ecc_modp_sqr (ecc, v, i); ecc_modp_sub (ecc, v, v, z1z1); ecc_modp_sub (ecc, v, v, z2z2); ecc_modp_mul (ecc, i, v, u2); /* Delayed write, to support in-place operation. */ /* s1 = y1 z2^3, s2 = y2 z1^3, scratch at j and v */ ecc_modp_mul (ecc, j, z1z1, p + 2*ecc->p.size); /* z1^3 */ ecc_modp_mul (ecc, v, z2z2, q + 2*ecc->p.size); /* z2^3 */ ecc_modp_mul (ecc, s1, p + ecc->p.size, v); ecc_modp_mul (ecc, v, j, q + ecc->p.size); ecc_modp_sub (ecc, s2, v, s1); ecc_modp_mul_1 (ecc, s2, s2, 2); /* Store z3 */ mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); /* i, j, v */ ecc_modp_sqr (ecc, i, u2); ecc_modp_mul_1 (ecc, i, i, 4); ecc_modp_mul (ecc, j, u2, i); ecc_modp_mul (ecc, v, u1, i); /* now, u1, u2 and i are free for reuse .*/ /* x3, use u1, u2 as scratch */ ecc_modp_sqr (ecc, u1, s2); ecc_modp_sub (ecc, r, u1, j); ecc_modp_submul_1 (ecc, r, v, 2); /* y3 */ ecc_modp_mul (ecc, u1, s1, j); /* Frees j */ ecc_modp_sub (ecc, u2, v, r); /* Frees v */ ecc_modp_mul (ecc, i, s2, u2); ecc_modp_submul_1 (ecc, i, u1, 2); mpn_copyi (r + ecc->p.size, i, ecc->p.size); } nettle-3.4.1/rsa-encrypt.c0000644000175000017500000000300613401564746014462 0ustar nissenisse/* rsa-encrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1.h" int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t gibberish) { if (pkcs1_encrypt (key->size, random_ctx, random, length, message, gibberish)) { mpz_powm(gibberish, gibberish, key->e, key->n); return 1; } else return 0; } nettle-3.4.1/twofishdata.c0000644000175000017500000000634413401564746014540 0ustar nissenisse/* twofishdata.c Generates the permutations q0 and q1 for twofish. Copyright (C) 1999 Ruud de Rooij This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA. */ #include #define ror4(x) (((x) >> 1) | (((x) & 1) << 3)) static unsigned char q0(unsigned char x) { static const unsigned char t0[16] = { 0x8, 0x1, 0x7, 0xD, 0x6, 0xF, 0x3, 0x2, 0x0, 0xB, 0x5, 0x9, 0xE, 0xC, 0xA, 0x4 }; static const unsigned char t1[16] = { 0xE, 0xC, 0xB, 0x8, 0x1, 0x2, 0x3, 0x5, 0xF, 0x4, 0xA, 0x6, 0x7, 0x0, 0x9, 0xD }; static const unsigned char t2[16] = { 0xB, 0xA, 0x5, 0xE, 0x6, 0xD, 0x9, 0x0, 0xC, 0x8, 0xF, 0x3, 0x2, 0x4, 0x7, 0x1 }; static const unsigned char t3[16] = { 0xD, 0x7, 0xF, 0x4, 0x1, 0x2, 0x6, 0xE, 0x9, 0xB, 0x3, 0x0, 0x8, 0x5, 0xC, 0xA }; unsigned char a0 = x / 16; unsigned char b0 = x % 16; unsigned char a1 = a0 ^ b0; unsigned char b1 = a0 ^ ror4(b0) ^ ((8*a0) % 16); unsigned char a2 = t0[a1]; unsigned char b2 = t1[b1]; unsigned char a3 = a2 ^ b2; unsigned char b3 = a2 ^ ror4(b2) ^ ((8*a2) % 16); unsigned char a4 = t2[a3]; unsigned char b4 = t3[b3]; unsigned char y = 16*b4 + a4; return y; } static unsigned char q1(unsigned char x) { static const unsigned char t0[16] = { 0x2, 0x8, 0xB, 0xD, 0xF, 0x7, 0x6, 0xE, 0x3, 0x1, 0x9, 0x4, 0x0, 0xA, 0xC, 0x5 }; static const unsigned char t1[16] = { 0x1, 0xE, 0x2, 0xB, 0x4, 0xC, 0x3, 0x7, 0x6, 0xD, 0xA, 0x5, 0xF, 0x9, 0x0, 0x8 }; static const unsigned char t2[16] = { 0x4, 0xC, 0x7, 0x5, 0x1, 0x6, 0x9, 0xA, 0x0, 0xE, 0xD, 0x8, 0x2, 0xB, 0x3, 0xF }; static const unsigned char t3[16] = { 0xB, 0x9, 0x5, 0x1, 0xC, 0x3, 0xD, 0xE, 0x6, 0x4, 0x7, 0xF, 0x2, 0x0, 0x8, 0xA }; unsigned char a0 = x / 16; unsigned char b0 = x % 16; unsigned char a1 = a0 ^ b0; unsigned char b1 = a0 ^ ror4(b0) ^ ((8*a0) % 16); unsigned char a2 = t0[a1]; unsigned char b2 = t1[b1]; unsigned char a3 = a2 ^ b2; unsigned char b3 = a2 ^ ror4(b2) ^ ((8*a2) % 16); unsigned char a4 = t2[a3]; unsigned char b4 = t3[b3]; unsigned char y = 16*b4 + a4; return y; } int main(void) { unsigned i; printf("static const uint8_t q0[256] = {"); for (i = 0; i < 256; i++) { if ( (i % 8) == 0) printf("\n "); printf("0x%02X,", q0(i)); } printf("\n};\n\n"); printf("static const uint8_t q1[256] = {"); for (i = 0; i < 256; i++) { if ( (i % 8) == 0) printf("\n "); printf("0x%02X,", q1(i)); } printf("\n};\n"); return 0; } nettle-3.4.1/fat-arm.c0000644000175000017500000001756613401564746013562 0ustar nissenisse/* fat-arm.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-types.h" #include "aes-internal.h" #include "fat-setup.h" struct arm_features { /* /proc/cpuinfo "CPU Architecture" doesn't correspond exactly to ARM architecture version, but it's good enough for our purposes. Will be set to 5, 6, 7 or 8. */ unsigned arch_version; int have_neon; }; #define SKIP(s, slen, literal, llen) \ (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ ? ((slen) -= (llen), (s) += (llen), 1) : 0) #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_arm_features (struct arm_features *features) { const char *s; features->arch_version = 5; features->have_neon = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (SKIP (s, length, "arch:", 5)) { if (length == 1 && *s >= '0' && *s <= '9') features->arch_version = *s - '0'; } else if (MATCH (s, length, "neon", 4)) features->have_neon = 1; if (!sep) break; s = sep + 1; } else { FILE *f; char line[200]; int seen_arch = 0; int seen_features = 0; f = fopen ("/proc/cpuinfo", "r"); if (!f) return; while (seen_features + seen_arch < 2 && fgets (line, sizeof(line), f)) { char *sep; char *p; sep = strchr (line, ':'); if (!sep) continue; for (p = sep; p - line > 0 && p[-1] == '\t'; p--) ; *p = '\0'; p = sep+1; if (strcmp (line, "Features") == 0) { features->have_neon = (strstr (p, " neon ") != NULL); seen_features = 1; } else if (strcmp (line, "CPU architecture") == 0) { /* Don't use strtol, since it's locale dependent. */ while (p[0] == ' ') p++; if (p[0] > '5' && p[0] <= '9') features->arch_version = p[0] - '0'; else if (strcmp (p, "AArch64") == 0) features->arch_version = 8; seen_arch = 1; } } if (features->arch_version >= 8) { /* Neon is not required, and maybe not listed in feature flags */ features->have_neon = 1; } fclose (f); } } DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, arm) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, armv6) DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, arm) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, armv6) DECLARE_FAT_FUNC(_nettle_salsa20_core, salsa20_core_func) DECLARE_FAT_FUNC_VAR(salsa20_core, salsa20_core_func, c) DECLARE_FAT_FUNC_VAR(salsa20_core, salsa20_core_func, neon) DECLARE_FAT_FUNC(_nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, armv6) DECLARE_FAT_FUNC(_nettle_sha256_compress, sha256_compress_func) DECLARE_FAT_FUNC_VAR(sha256_compress, sha256_compress_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress, sha256_compress_func, armv6) DECLARE_FAT_FUNC(_nettle_sha512_compress, sha512_compress_func) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, c) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, neon) DECLARE_FAT_FUNC(nettle_sha3_permute, sha3_permute_func) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, c) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, neon) DECLARE_FAT_FUNC(_nettle_umac_nh, umac_nh_func) DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, c); DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, neon); DECLARE_FAT_FUNC(_nettle_umac_nh_n, umac_nh_n_func) DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, c); DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, neon); static void CONSTRUCTOR fat_init (void) { struct arm_features features; int verbose; get_arm_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: cpu features: arch:%d%s\n", features.arch_version, features.have_neon ? ",neon" : ""); if (features.arch_version >= 6) { if (verbose) fprintf (stderr, "libnettle: enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_armv6; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_armv6; _nettle_sha1_compress_vec = _nettle_sha1_compress_armv6; _nettle_sha256_compress_vec = _nettle_sha256_compress_armv6; } else { if (verbose) fprintf (stderr, "libnettle: not enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_arm; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_arm; _nettle_sha1_compress_vec = _nettle_sha1_compress_c; _nettle_sha256_compress_vec = _nettle_sha256_compress_c; } if (features.have_neon) { if (verbose) fprintf (stderr, "libnettle: enabling neon code.\n"); _nettle_salsa20_core_vec = _nettle_salsa20_core_neon; _nettle_sha512_compress_vec = _nettle_sha512_compress_neon; nettle_sha3_permute_vec = _nettle_sha3_permute_neon; _nettle_umac_nh_vec = _nettle_umac_nh_neon; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_neon; } else { if (verbose) fprintf (stderr, "libnettle: not enabling neon code.\n"); _nettle_salsa20_core_vec = _nettle_salsa20_core_c; _nettle_sha512_compress_vec = _nettle_sha512_compress_c; nettle_sha3_permute_vec = _nettle_sha3_permute_c; _nettle_umac_nh_vec = _nettle_umac_nh_c; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_c; } } DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_salsa20_core, void, (uint32_t *dst, const uint32_t *src, unsigned rounds), (dst, src, rounds)) DEFINE_FAT_FUNC(_nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) DEFINE_FAT_FUNC(_nettle_sha256_compress, void, (uint32_t *state, const uint8_t *input, const uint32_t *k), (state, input, k)) DEFINE_FAT_FUNC(_nettle_sha512_compress, void, (uint64_t *state, const uint8_t *input, const uint64_t *k), (state, input, k)) DEFINE_FAT_FUNC(nettle_sha3_permute, void, (struct sha3_state *state), (state)) DEFINE_FAT_FUNC(_nettle_umac_nh, uint64_t, (const uint32_t *key, unsigned length, const uint8_t *msg), (key, length, msg)) DEFINE_FAT_FUNC(_nettle_umac_nh_n, void, (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg), (out, n, key, length, msg)) nettle-3.4.1/config.sub0000755000175000017500000010541213401564746014036 0ustar nissenisse#! /bin/sh # Configuration validation subroutine script. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS $0 [OPTION] ALIAS Canonicalize a configuration name. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" exit 1 ;; *local*) # First pass through any local machine types. echo $1 exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; android-linux) os=-linux-android basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. ;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; -bluegene*) os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -chorusos*) os=-chorusos basic_machine=$1 ;; -chorusrdb) os=-chorusrdb basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco6) os=-sco5v6 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5v6*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*178) os=-lynxos178 ;; -lynx*5) os=-lynxos5 ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; -mint | -mint[0-9]*) basic_machine=m68k-atari os=-mint ;; esac # Decode aliases for certain CPU-COMPANY combinations. case $basic_machine in # Recognize the basic CPU types without company name. # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ | mips64r5900 | mips64r5900el \ | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ | open8 \ | or1k | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; c54x) basic_machine=tic54x-unknown ;; c55x) basic_machine=tic55x-unknown ;; c6x) basic_machine=tic6x-unknown ;; m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; ms1) basic_machine=mt-unknown ;; strongarm | thumb | xscale) basic_machine=arm-unknown ;; xgate) basic_machine=$basic_machine-unknown os=-none ;; xscaleeb) basic_machine=armeb-unknown ;; xscaleel) basic_machine=armel-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i*86 | x86_64) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ | mips64r5900-* | mips64r5900el-* \ | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ | tron-* \ | ubicom32-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; abacus) basic_machine=abacus-unknown ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amd64) basic_machine=x86_64-pc ;; amd64-*) basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-unknown ;; amigaos | amigados) basic_machine=m68k-unknown os=-amigaos ;; amigaunix | amix) basic_machine=m68k-unknown os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aros) basic_machine=i386-pc os=-aros ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; blackfin) basic_machine=bfin-unknown os=-linux ;; blackfin-*) basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; bluegene*) basic_machine=powerpc-ibm os=-cnk ;; c54x-*) basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c55x-*) basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c6x-*) basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c90) basic_machine=c90-cray os=-unicos ;; cegcc) basic_machine=arm-unknown os=-cegcc ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | j90) basic_machine=j90-cray os=-unicos ;; craynv) basic_machine=craynv-cray os=-unicosmp ;; cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; crds | unos) basic_machine=m68k-crds ;; crisv32 | crisv32-* | etraxfs*) basic_machine=crisv32-axis ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; crx) basic_machine=crx-unknown os=-elf ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; decsystem10* | dec10*) basic_machine=pdp10-dec os=-tops10 ;; decsystem20* | dec20*) basic_machine=pdp10-dec os=-tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dicos) basic_machine=i686-pc os=-dicos ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; go32) basic_machine=i386-pc os=-go32 ;; h3050r* | hiux*) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i*86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i*86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i*86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m68knommu) basic_machine=m68k-unknown os=-linux ;; m68knommu-*) basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; microblaze*) basic_machine=microblaze-xilinx ;; mingw64) basic_machine=x86_64-pc os=-mingw64 ;; mingw32) basic_machine=i686-pc os=-mingw32 ;; mingw32ce) basic_machine=arm-unknown os=-mingw32ce ;; miniframe) basic_machine=m68000-convergent ;; *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) basic_machine=m68k-atari os=-mint ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; morphos) basic_machine=powerpc-unknown os=-morphos ;; msdos) basic_machine=i386-pc os=-msdos ;; ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) basic_machine=i686-pc os=-msys ;; mvs) basic_machine=i370-ibm os=-mvs ;; nacl) basic_machine=le32-unknown os=-nacl ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-rebel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 ;; nonstopux) basic_machine=mips-compaq os=-nonstopux ;; np1) basic_machine=np1-gould ;; neo-tandem) basic_machine=neo-tandem ;; nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) basic_machine=nsr-tandem ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; openrisc | openrisc-*) basic_machine=or32-unknown ;; os400) basic_machine=powerpc-ibm os=-os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; paragon) basic_machine=i860-intel os=-osf ;; parisc) basic_machine=hppa-unknown os=-linux ;; parisc-*) basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pc98) basic_machine=i386-pc ;; pc98-*) basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; pentium4) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium4-*) basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc | ppcbe) basic_machine=powerpc-unknown ;; ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; pw32) basic_machine=i586-unknown os=-pw32 ;; rdos | rdos64) basic_machine=x86_64-pc os=-rdos ;; rdos32) basic_machine=i386-pc os=-rdos ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc | rtpc-*) basic_machine=romp-ibm ;; s390 | s390-*) basic_machine=s390-ibm ;; s390x | s390x-*) basic_machine=s390x-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sb1) basic_machine=mipsisa64sb1-unknown ;; sb1el) basic_machine=mipsisa64sb1el-unknown ;; sde) basic_machine=mipsisa32-sde os=-elf ;; sei) basic_machine=mips-sei os=-seiux ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sh5el) basic_machine=sh5le-unknown ;; sh64) basic_machine=sh64-unknown ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; strongarm-* | thumb-*) basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; sv1) basic_machine=sv1-cray os=-unicos ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=alphaev5-cray os=-unicos ;; t90) basic_machine=t90-cray os=-unicos ;; tile*) basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; toad1) basic_machine=pdp10-xkl os=-tops20 ;; tower | tower-32) basic_machine=m68k-ncr ;; tpf) basic_machine=s390x-ibm os=-tpf ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc os=-none ;; w89k-*) basic_machine=hppa1.1-winbond os=-proelf ;; xbox) basic_machine=i686-pc os=-mingw32 ;; xps | xps100) basic_machine=xps100-honeywell ;; xscale-* | xscalee[bl]-*) basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` ;; ymp) basic_machine=ymp-cray os=-unicos ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; z80-*-coff) basic_machine=z80-unknown os=-sim ;; none) basic_machine=none-none os=-none ;; # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. w89k) basic_machine=hppa1.1-winbond ;; op50n) basic_machine=hppa1.1-oki ;; op60c) basic_machine=hppa1.1-oki ;; romp) basic_machine=romp-ibm ;; mmix) basic_machine=mmix-knuth ;; rs6000) basic_machine=rs6000-ibm ;; vax) basic_machine=vax-dec ;; pdp10) # there are many clones, so DEC is not a safe bet basic_machine=pdp10-unknown ;; pdp11) basic_machine=pdp11-dec ;; we32k) basic_machine=we32k-att ;; sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) basic_machine=sparc-sun ;; cydra) basic_machine=cydra-cydrome ;; orion) basic_machine=orion-highlevel ;; orion105) basic_machine=clipper-highlevel ;; mac | mpw | mac-mpw) basic_machine=m68k-apple ;; pmac | pmac-mpw) basic_machine=powerpc-apple ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; *) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; esac # Here we canonicalize certain aliases for manufacturers. case $basic_machine in *-digital*) basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` ;; *-commodore*) basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if [ x"$os" != x"" ] then case $os in # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -auroraux) os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; -solaris) os=-solaris2 ;; -svr4*) os=-sysv4 ;; -unixware*) os=-sysv4.2uw ;; -gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; # First accept the basic system types. # The portable systems comes first. # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) case $basic_machine in x86-* | i*86-*) ;; *) os=-nto$os ;; esac ;; -nto-qnx*) ;; -nto*) os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; -linux-dietlibc) os=-linux-dietlibc ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; -sunos5*) os=`echo $os | sed -e 's|sunos5|solaris2|'` ;; -sunos6*) os=`echo $os | sed -e 's|sunos6|solaris3|'` ;; -opened*) os=-openedition ;; -os400*) os=-os400 ;; -wince*) os=-wince ;; -osfrose*) os=-osfrose ;; -osf*) os=-osf ;; -utek*) os=-bsd ;; -dynix*) os=-bsd ;; -acis*) os=-aos ;; -atheos*) os=-atheos ;; -syllable*) os=-syllable ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; -nova*) os=-rtmk-nova ;; -ns2 ) os=-nextstep2 ;; -nsk*) os=-nsk ;; # Preserve the version number of sinix5. -sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; -sinix*) os=-sysv4 ;; -tpf*) os=-tpf ;; -triton*) os=-sysv3 ;; -oss*) os=-sysv3 ;; -svr4) os=-sysv4 ;; -svr3) os=-sysv3 ;; -sysvr4) os=-sysv4 ;; # This must come after -sysvr4. -sysv*) ;; -ose*) os=-ose ;; -es1800*) os=-ose ;; -xenix) os=-xenix ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) os=-mint ;; -aros*) os=-aros ;; -zvmoe) os=-zvmoe ;; -dicos*) os=-dicos ;; -nacl*) ;; -none) ;; *) # Get rid of the `-' at the beginning of $os. os=`echo $os | sed 's/[^-]*-//'` echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 exit 1 ;; esac else # Here we handle the default operating systems that come with various machines. # The value should be what the vendor currently ships out the door with their # machine or put another way, the most popular os provided with the machine. # Note that if you're going to try to match "-MANUFACTURER" here (say, # "-sun"), then you have to tell the case statement up towards the top # that MANUFACTURER isn't an operating system. Otherwise, code above # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. case $basic_machine in score-*) os=-elf ;; spu-*) os=-elf ;; *-acorn) os=-riscix1.2 ;; arm*-rebel) os=-linux ;; arm*-semi) os=-aout ;; c4x-* | tic4x-*) os=-coff ;; c8051-*) os=-elf ;; hexagon-*) os=-elf ;; tic54x-*) os=-coff ;; tic55x-*) os=-coff ;; tic6x-*) os=-coff ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; pdp11-*) os=-none ;; *-dec | vax-*) os=-ultrix4.2 ;; m68*-apollo) os=-domain ;; i386-sun) os=-sunos4.0.2 ;; m68000-sun) os=-sunos3 ;; m68*-cisco) os=-aout ;; mep-*) os=-elf ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; or1k-*) os=-elf ;; or32-*) os=-coff ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; sparc-* | *-sun) os=-sunos4.1.1 ;; *-be) os=-beos ;; *-haiku) os=-haiku ;; *-ibm) os=-aix ;; *-knuth) os=-mmixware ;; *-wec) os=-proelf ;; *-winbond) os=-proelf ;; *-oki) os=-proelf ;; *-hp) os=-hpux ;; *-hitachi) os=-hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) os=-sysv ;; *-cbm) os=-amigaos ;; *-dg) os=-dgux ;; *-dolphin) os=-sysv3 ;; m68k-ccur) os=-rtu ;; m88k-omron*) os=-luna ;; *-next ) os=-nextstep ;; *-sequent) os=-ptx ;; *-crds) os=-unos ;; *-ns) os=-genix ;; i370-*) os=-mvs ;; *-next) os=-nextstep3 ;; *-gould) os=-sysv ;; *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; *-sgi) os=-irix ;; *-siemens) os=-sysv4 ;; *-masscomp) os=-rtu ;; f30[01]-fujitsu | f700-fujitsu) os=-uxpv ;; *-rom68k) os=-coff ;; *-*bug) os=-coff ;; *-apple) os=-macos ;; *-atari*) os=-mint ;; *) os=-none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -cnk*|-aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -os400*) vendor=ibm ;; -ptx*) vendor=sequent ;; -tpf*) vendor=ibm ;; -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) vendor=atari ;; -vos*) vendor=stratus ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: nettle-3.4.1/twofish.c0000644000175000017500000003541613401564745013707 0ustar nissenisse/* twofish.c The twofish block cipher. Copyright (C) 2001, 2014 Niels Möller Copyright (C) 1999 Ruud de Rooij Modifications for lsh, integrated testing Copyright (C) 1999 J.H.M. Dassen (Ray) This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "twofish.h" #include "macros.h" /* Bitwise rotations on 32-bit words. These are defined as macros that * evaluate their argument twice, so do not apply to any expressions with * side effects. */ #define rol1(x) (((x) << 1) | (((x) & 0x80000000) >> 31)) #define rol8(x) (((x) << 8) | (((x) & 0xFF000000) >> 24)) #define rol9(x) (((x) << 9) | (((x) & 0xFF800000) >> 23)) #define ror1(x) (((x) >> 1) | (((x) & 0x00000001) << 31)) /* ------------------------------------------------------------------------- */ /* The permutations q0 and q1. These are fixed permutations on 8-bit values. * The permutations have been computed using the program twofish-data, * which is distributed along with this file. */ static const uint8_t q0[256] = { 0xA9,0x67,0xB3,0xE8,0x04,0xFD,0xA3,0x76, 0x9A,0x92,0x80,0x78,0xE4,0xDD,0xD1,0x38, 0x0D,0xC6,0x35,0x98,0x18,0xF7,0xEC,0x6C, 0x43,0x75,0x37,0x26,0xFA,0x13,0x94,0x48, 0xF2,0xD0,0x8B,0x30,0x84,0x54,0xDF,0x23, 0x19,0x5B,0x3D,0x59,0xF3,0xAE,0xA2,0x82, 0x63,0x01,0x83,0x2E,0xD9,0x51,0x9B,0x7C, 0xA6,0xEB,0xA5,0xBE,0x16,0x0C,0xE3,0x61, 0xC0,0x8C,0x3A,0xF5,0x73,0x2C,0x25,0x0B, 0xBB,0x4E,0x89,0x6B,0x53,0x6A,0xB4,0xF1, 0xE1,0xE6,0xBD,0x45,0xE2,0xF4,0xB6,0x66, 0xCC,0x95,0x03,0x56,0xD4,0x1C,0x1E,0xD7, 0xFB,0xC3,0x8E,0xB5,0xE9,0xCF,0xBF,0xBA, 0xEA,0x77,0x39,0xAF,0x33,0xC9,0x62,0x71, 0x81,0x79,0x09,0xAD,0x24,0xCD,0xF9,0xD8, 0xE5,0xC5,0xB9,0x4D,0x44,0x08,0x86,0xE7, 0xA1,0x1D,0xAA,0xED,0x06,0x70,0xB2,0xD2, 0x41,0x7B,0xA0,0x11,0x31,0xC2,0x27,0x90, 0x20,0xF6,0x60,0xFF,0x96,0x5C,0xB1,0xAB, 0x9E,0x9C,0x52,0x1B,0x5F,0x93,0x0A,0xEF, 0x91,0x85,0x49,0xEE,0x2D,0x4F,0x8F,0x3B, 0x47,0x87,0x6D,0x46,0xD6,0x3E,0x69,0x64, 0x2A,0xCE,0xCB,0x2F,0xFC,0x97,0x05,0x7A, 0xAC,0x7F,0xD5,0x1A,0x4B,0x0E,0xA7,0x5A, 0x28,0x14,0x3F,0x29,0x88,0x3C,0x4C,0x02, 0xB8,0xDA,0xB0,0x17,0x55,0x1F,0x8A,0x7D, 0x57,0xC7,0x8D,0x74,0xB7,0xC4,0x9F,0x72, 0x7E,0x15,0x22,0x12,0x58,0x07,0x99,0x34, 0x6E,0x50,0xDE,0x68,0x65,0xBC,0xDB,0xF8, 0xC8,0xA8,0x2B,0x40,0xDC,0xFE,0x32,0xA4, 0xCA,0x10,0x21,0xF0,0xD3,0x5D,0x0F,0x00, 0x6F,0x9D,0x36,0x42,0x4A,0x5E,0xC1,0xE0, }; static const uint8_t q1[256] = { 0x75,0xF3,0xC6,0xF4,0xDB,0x7B,0xFB,0xC8, 0x4A,0xD3,0xE6,0x6B,0x45,0x7D,0xE8,0x4B, 0xD6,0x32,0xD8,0xFD,0x37,0x71,0xF1,0xE1, 0x30,0x0F,0xF8,0x1B,0x87,0xFA,0x06,0x3F, 0x5E,0xBA,0xAE,0x5B,0x8A,0x00,0xBC,0x9D, 0x6D,0xC1,0xB1,0x0E,0x80,0x5D,0xD2,0xD5, 0xA0,0x84,0x07,0x14,0xB5,0x90,0x2C,0xA3, 0xB2,0x73,0x4C,0x54,0x92,0x74,0x36,0x51, 0x38,0xB0,0xBD,0x5A,0xFC,0x60,0x62,0x96, 0x6C,0x42,0xF7,0x10,0x7C,0x28,0x27,0x8C, 0x13,0x95,0x9C,0xC7,0x24,0x46,0x3B,0x70, 0xCA,0xE3,0x85,0xCB,0x11,0xD0,0x93,0xB8, 0xA6,0x83,0x20,0xFF,0x9F,0x77,0xC3,0xCC, 0x03,0x6F,0x08,0xBF,0x40,0xE7,0x2B,0xE2, 0x79,0x0C,0xAA,0x82,0x41,0x3A,0xEA,0xB9, 0xE4,0x9A,0xA4,0x97,0x7E,0xDA,0x7A,0x17, 0x66,0x94,0xA1,0x1D,0x3D,0xF0,0xDE,0xB3, 0x0B,0x72,0xA7,0x1C,0xEF,0xD1,0x53,0x3E, 0x8F,0x33,0x26,0x5F,0xEC,0x76,0x2A,0x49, 0x81,0x88,0xEE,0x21,0xC4,0x1A,0xEB,0xD9, 0xC5,0x39,0x99,0xCD,0xAD,0x31,0x8B,0x01, 0x18,0x23,0xDD,0x1F,0x4E,0x2D,0xF9,0x48, 0x4F,0xF2,0x65,0x8E,0x78,0x5C,0x58,0x19, 0x8D,0xE5,0x98,0x57,0x67,0x7F,0x05,0x64, 0xAF,0x63,0xB6,0xFE,0xF5,0xB7,0x3C,0xA5, 0xCE,0xE9,0x68,0x44,0xE0,0x4D,0x43,0x69, 0x29,0x2E,0xAC,0x15,0x59,0xA8,0x0A,0x9E, 0x6E,0x47,0xDF,0x34,0x35,0x6A,0xCF,0xDC, 0x22,0xC9,0xC0,0x9B,0x89,0xD4,0xED,0xAB, 0x12,0xA2,0x0D,0x52,0xBB,0x02,0x2F,0xA9, 0xD7,0x61,0x1E,0xB4,0x50,0x04,0xF6,0xC2, 0x16,0x25,0x86,0x56,0x55,0x09,0xBE,0x91, }; /* ------------------------------------------------------------------------- */ /* uint32_t gf_multiply(uint8_t p, uint8_t a, uint8_t b) * * Multiplication in GF(2^8). Larger return type, to avoid need for * type casts when the return value is shifted left. * * This function multiplies a times b in the Galois Field GF(2^8) with * primitive polynomial p. * The representation of the polynomials a, b, and p uses bits with * values 2^i to represent the terms x^i. The polynomial p contains an * implicit term x^8. * * Note that addition and subtraction in GF(2^8) is simply the XOR * operation. */ static uint32_t gf_multiply(uint8_t p, uint8_t a, uint8_t b) { uint32_t shift = b; uint8_t result = 0; while (a) { if (a & 1) result ^= shift; a = a >> 1; shift = shift << 1; if (shift & 0x100) shift ^= p; } return result; } /* ------------------------------------------------------------------------- */ /* The matrix RS as specified in section 4.3 the twofish paper. */ static const uint8_t rs_matrix[4][8] = { { 0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E }, { 0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5 }, { 0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19 }, { 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03 } }; /* uint32_t compute_s(uint32_t m1, uint32_t m2); * * Computes the value RS * M, where M is a byte vector composed of the * bytes of m1 and m2. Arithmetic is done in GF(2^8) with primitive * polynomial x^8 + x^6 + x^3 + x^2 + 1. * * This function is used to compute the sub-keys S which are in turn used * to generate the S-boxes. */ static uint32_t compute_s(uint32_t m1, uint32_t m2) { uint32_t s = 0; int i; for (i = 0; i < 4; i++) s |= (( gf_multiply(0x4D, m1, rs_matrix[i][0]) ^ gf_multiply(0x4D, m1 >> 8, rs_matrix[i][1]) ^ gf_multiply(0x4D, m1 >> 16, rs_matrix[i][2]) ^ gf_multiply(0x4D, m1 >> 24, rs_matrix[i][3]) ^ gf_multiply(0x4D, m2, rs_matrix[i][4]) ^ gf_multiply(0x4D, m2 >> 8, rs_matrix[i][5]) ^ gf_multiply(0x4D, m2 >> 16, rs_matrix[i][6]) ^ gf_multiply(0x4D, m2 >> 24, rs_matrix[i][7])) << (i*8)); return s; } /* ------------------------------------------------------------------------- */ /* This table describes which q S-boxes are used for each byte in each stage * of the function h, cf. figure 2 of the twofish paper. */ static const uint8_t * const q_table[4][5] = { { q1, q1, q0, q0, q1 }, { q0, q1, q1, q0, q0 }, { q0, q0, q0, q1, q1 }, { q1, q0, q1, q1, q0 } }; /* The matrix MDS as specified in section 4.3.2 of the twofish paper. */ static const uint8_t mds_matrix[4][4] = { { 0x01, 0xEF, 0x5B, 0x5B }, { 0x5B, 0xEF, 0xEF, 0x01 }, { 0xEF, 0x5B, 0x01, 0xEF }, { 0xEF, 0x01, 0xEF, 0x5B } }; /* uint32_t h_uint8_t(int k, int i, uint8_t x, uint8_t l0, uint8_t l1, uint8_t l2, uint8_t l3); * * Perform the h function (section 4.3.2) on one byte. It consists of * repeated applications of the q permutation, followed by a XOR with * part of a sub-key. Finally, the value is multiplied by one column of * the MDS matrix. To obtain the result for a full word, the results of * h for the individual bytes are XORed. * * k is the key size (/ 64 bits), i is the byte number (0 = LSB), x is the * actual byte to apply the function to; l0, l1, l2, and l3 are the * appropriate bytes from the subkey. Note that only l0..l(k-1) are used. */ static uint32_t h_byte(int k, int i, uint8_t x, uint8_t l0, uint8_t l1, uint8_t l2, uint8_t l3) { uint8_t y = q_table[i][4][l0 ^ q_table[i][3][l1 ^ q_table[i][2][k == 2 ? x : l2 ^ q_table[i][1][k == 3 ? x : l3 ^ q_table[i][0][x]]]]]; return ( (gf_multiply(0x69, mds_matrix[0][i], y)) | (gf_multiply(0x69, mds_matrix[1][i], y) << 8) | (gf_multiply(0x69, mds_matrix[2][i], y) << 16) | (gf_multiply(0x69, mds_matrix[3][i], y) << 24) ); } /* uint32_t h(int k, uint8_t x, uint32_t l0, uint32_t l1, uint32_t l2, uint32_t l3); * * Perform the function h on a word. See the description of h_byte() above. */ static uint32_t h(int k, uint8_t x, uint32_t l0, uint32_t l1, uint32_t l2, uint32_t l3) { return ( h_byte(k, 0, x, l0, l1, l2, l3) ^ h_byte(k, 1, x, l0 >> 8, l1 >> 8, l2 >> 8, l3 >> 8) ^ h_byte(k, 2, x, l0 >> 16, l1 >> 16, l2 >> 16, l3 >> 16) ^ h_byte(k, 3, x, l0 >> 24, l1 >> 24, l2 >> 24, l3 >> 24) ); } /* ------------------------------------------------------------------------- */ /* API */ /* Structure which contains the tables containing the subkeys and the * key-dependent s-boxes. */ /* Set up internal tables required for twofish encryption and decryption. * * The key size is specified in bytes. Key sizes up to 32 bytes are * supported. Larger key sizes are silently truncated. */ void twofish_set_key(struct twofish_ctx *context, size_t keysize, const uint8_t *key) { uint8_t key_copy[32]; uint32_t m[8], s[4], t; int i, j, k; /* Extend key as necessary */ assert(keysize <= 32); /* We do a little more copying than necessary, but that doesn't * really matter. */ memset(key_copy, 0, 32); memcpy(key_copy, key, keysize); for (i = 0; i<8; i++) m[i] = LE_READ_UINT32(key_copy + i*4); if (keysize <= 16) k = 2; else if (keysize <= 24) k = 3; else k = 4; /* Compute sub-keys */ for (i = 0; i < 20; i++) { t = h(k, 2*i+1, m[1], m[3], m[5], m[7]); t = rol8(t); t += (context->keys[2*i] = t + h(k, 2*i, m[0], m[2], m[4], m[6])); t = rol9(t); context->keys[2*i+1] = t; } /* Compute key-dependent S-boxes */ for (i = 0; i < k; i++) s[k-1-i] = compute_s(m[2*i], m[2*i+1]); for (i = 0; i < 4; i++) for (j = 0; j < 256; j++) context->s_box[i][j] = h_byte(k, i, j, s[0] >> (i*8), s[1] >> (i*8), s[2] >> (i*8), s[3] >> (i*8)); } void twofish128_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH128_KEY_SIZE, key); } void twofish192_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH192_KEY_SIZE, key); } void twofish256_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH256_KEY_SIZE, key); } /* Encrypt blocks of 16 bytes of data with the twofish algorithm. * * Before this function can be used, twofish_set_key() must be used in order to * set up various tables required for the encryption algorithm. * * This function always encrypts 16 bytes of plaintext to 16 bytes of * ciphertext. The memory areas of the plaintext and the ciphertext can * overlap. */ void twofish_encrypt(const struct twofish_ctx *context, size_t length, uint8_t *ciphertext, const uint8_t *plaintext) { const uint32_t * keys = context->keys; const uint32_t (*s_box)[256] = context->s_box; assert( !(length % TWOFISH_BLOCK_SIZE) ); for ( ; length; length -= TWOFISH_BLOCK_SIZE) { uint32_t words[4]; uint32_t r0, r1, r2, r3, t0, t1; int i; for (i = 0; i<4; i++, plaintext += 4) words[i] = LE_READ_UINT32(plaintext); r0 = words[0] ^ keys[0]; r1 = words[1] ^ keys[1]; r2 = words[2] ^ keys[2]; r3 = words[3] ^ keys[3]; for (i = 0; i < 8; i++) { t1 = ( s_box[1][r1 & 0xFF] ^ s_box[2][(r1 >> 8) & 0xFF] ^ s_box[3][(r1 >> 16) & 0xFF] ^ s_box[0][(r1 >> 24) & 0xFF]); t0 = ( s_box[0][r0 & 0xFF] ^ s_box[1][(r0 >> 8) & 0xFF] ^ s_box[2][(r0 >> 16) & 0xFF] ^ s_box[3][(r0 >> 24) & 0xFF]) + t1; r3 = (t1 + t0 + keys[4*i+9]) ^ rol1(r3); r2 = (t0 + keys[4*i+8]) ^ r2; r2 = ror1(r2); t1 = ( s_box[1][r3 & 0xFF] ^ s_box[2][(r3 >> 8) & 0xFF] ^ s_box[3][(r3 >> 16) & 0xFF] ^ s_box[0][(r3 >> 24) & 0xFF]); t0 = ( s_box[0][r2 & 0xFF] ^ s_box[1][(r2 >> 8) & 0xFF] ^ s_box[2][(r2 >> 16) & 0xFF] ^ s_box[3][(r2 >> 24) & 0xFF]) + t1; r1 = (t1 + t0 + keys[4*i+11]) ^ rol1(r1); r0 = (t0 + keys[4*i+10]) ^ r0; r0 = ror1(r0); } words[0] = r2 ^ keys[4]; words[1] = r3 ^ keys[5]; words[2] = r0 ^ keys[6]; words[3] = r1 ^ keys[7]; for (i = 0; i<4; i++, ciphertext += 4) LE_WRITE_UINT32(ciphertext, words[i]); } } /* Decrypt blocks of 16 bytes of data with the twofish algorithm. * * Before this function can be used, twofish_set_key() must be used in order to * set up various tables required for the decryption algorithm. * * This function always decrypts 16 bytes of ciphertext to 16 bytes of * plaintext. The memory areas of the plaintext and the ciphertext can * overlap. */ void twofish_decrypt(const struct twofish_ctx *context, size_t length, uint8_t *plaintext, const uint8_t *ciphertext) { const uint32_t *keys = context->keys; const uint32_t (*s_box)[256] = context->s_box; assert( !(length % TWOFISH_BLOCK_SIZE) ); for ( ; length; length -= TWOFISH_BLOCK_SIZE) { uint32_t words[4]; uint32_t r0, r1, r2, r3, t0, t1; int i; for (i = 0; i<4; i++, ciphertext += 4) words[i] = LE_READ_UINT32(ciphertext); r0 = words[2] ^ keys[6]; r1 = words[3] ^ keys[7]; r2 = words[0] ^ keys[4]; r3 = words[1] ^ keys[5]; for (i = 0; i < 8; i++) { t1 = ( s_box[1][r3 & 0xFF] ^ s_box[2][(r3 >> 8) & 0xFF] ^ s_box[3][(r3 >> 16) & 0xFF] ^ s_box[0][(r3 >> 24) & 0xFF]); t0 = ( s_box[0][r2 & 0xFF] ^ s_box[1][(r2 >> 8) & 0xFF] ^ s_box[2][(r2 >> 16) & 0xFF] ^ s_box[3][(r2 >> 24) & 0xFF]) + t1; r1 = (t1 + t0 + keys[39-4*i]) ^ r1; r1 = ror1(r1); r0 = (t0 + keys[38-4*i]) ^ rol1(r0); t1 = ( s_box[1][r1 & 0xFF] ^ s_box[2][(r1 >> 8) & 0xFF] ^ s_box[3][(r1 >> 16) & 0xFF] ^ s_box[0][(r1 >> 24) & 0xFF]); t0 = ( s_box[0][r0 & 0xFF] ^ s_box[1][(r0 >> 8) & 0xFF] ^ s_box[2][(r0 >> 16) & 0xFF] ^ s_box[3][(r0 >> 24) & 0xFF]) + t1; r3 = (t1 + t0 + keys[37-4*i]) ^ r3; r3 = ror1(r3); r2 = (t0 + keys[36-4*i]) ^ rol1(r2); } words[0] = r0 ^ keys[0]; words[1] = r1 ^ keys[1]; words[2] = r2 ^ keys[2]; words[3] = r3 ^ keys[3]; for (i = 0; i<4; i++, plaintext += 4) LE_WRITE_UINT32(plaintext, words[i]); } } nettle-3.4.1/COPYINGv20000644000175000017500000004325413401564746013363 0ustar nissenisse GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. nettle-3.4.1/NEWS0000644000175000017500000013265313401564746012561 0ustar nissenisseNEWS for the Nettle 3.4.1 release This release fixes a few bugs, and makes the RSA private key operations side channel silent. The RSA improvements are contributed by Simo Sorce and Red Hat, and include one new public function, rsa_sec_decrypt, see below. All functions using RSA private keys are now side-channel silent, meaning that they try hard to avoid any branches or memory accesses depending on secret data. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. Nettle's ECC functions were already side-channel silent, while the DSA functions still aren't. There's also one caveat regarding the improved RSA functions: due to small table lookups in relevant mpn_sec_* functions in GMP-6.1.2, the lowest and highest few bits of the secret factors p and q may still leak. I'm not aware of any attacks on RSA where knowing a few bits of the factors makes a significant difference. This leak will likely be plugged in later GMP versions. Changes in behavior: * The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. New features: * A new function rsa_sec_decrypt. It differs from rsa_decrypt_tr in that the length of the decrypted message is given a priori, and PKCS#1 padding indicating a different length is treated as an error. For applications that may be subject to chosen ciphertext attacks, it is recommended to initialize the message area with random data, call this function, and ignore the return value. This applies in particular to RSA-based key exchange in the TLS protocol. Bug fixes: * Fix bug in pkcs1-conv, missing break statements in the parsing of PEM input files. * Fix link error on the pss-mgf1-test test, affecting builds without public key support. Performance regression: * All RSA private key operations employing RSA blinding, i.e., rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and rsa_compute_root_tr, are significantly slower. This is because (i) RSA blinding now use side-channel silent operations, (ii) blinding includes a modular inversion, and (iii) side-channel silent modular inversion, implemented as mpn_sec_invert, is very expensive. A 60% slowdown for 2048-bit RSA keys have been measured. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.0 or later (unless --enable-mini-gmp is used). The shared library names are libnettle.so.6.5 and libhogweed.so.4.5, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.4 release This release fixes bugs and adds a few new features. It also addresses an ABI compatibility issue affecting Nettle-3.1 and later, see below. Bug fixes: * Fixed an improper use of GMP mpn_mul, breaking curve2559 and eddsa on certain platforms. Reported by Sergei Trofimovich. * Fixed memory leak when handling invalid signatures in ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos. * Fix compilation error with --enable-fat om ARM. Fix contributed by Andreas Schneider. * Reorganized the way certain data items are made available. Short version: Nettle header files now define the symbols nettle_hashes, nettle_ciphers, and nettle_aeads, as preprocessor macros invoking a corresponding accessor function. For backwards ABI compatibility, the symbols are still present in the compiled libraries, and with the same sizes as in nettle-3.3. New features: * Support for RSA-PSS signatures, contributed by Daiki Ueno. * Support for the HKDF key derivation function, defined by RFC 5869. Contributed by Nikos Mavrogiannopoulos. * Support for the Cipher Feedback Mode (CFB), contributed by Dmitry Eremin-Solenikov. * New accessor functions: nettle_get_hashes, nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1, nettle_get_secp_224r1, nettle_get_secp_256r1, nettle_get_secp_384r1, nettle_get_secp_521r1. For source-level compatibility with future versions, applications are encouraged to migrate to using these functions instead of referring to the corresponding data items directly. Miscellaneous: * The base16 and base64 functions now use the type char * for ascii data, rather than uint8_t *. This eliminates the last pointer-signedness warnings when building Nettle. This is a minor API change, and applications may need to be adjusted, but the ABI is unaffected on all platforms I'm aware of. * The contents of the header file nettle/version.h is now architecture independent, except in --enable-mini-gmp configurations. ABI issue: Since the breakage was a bit subtle, let me document it here. The nettle and hogweed libraries export a couple of data symbols, and for some of these, the size was never intended to be part of the ABI. E.g., extern const struct nettle_hash * const nettle_hashes[]; which is an NULL-terminated array. It turns out the sizes nevertheless may leak into the ABI, and that increasing the sizes can break old executables linked with a newer version of the library. When linking a classic non-PIE executable with a shared library, we get ELF relocations of type R_X86_64_COPY for references to data items. These mean that the linker allocates space for the data item in the data segment of executable, at a fixed address determined at link-time, and with size extracted from the version of the .so-file seen when linking. At load time, the run time linker then copies the contents of the symbol from the .so file to that location, and uses the copy instead of the version loaded with the .so-file. And if the data item in the .so file used at load time is larger than the data item seen at link time, it is silently truncated in the process. So when SHA3 hashes were was added to the nettle_hashes array in the nettle-3.3 release, this way of linking produces a truncated array at load time, no longer NULL-terminated. We will get similar problems for planned extensions of the internal struct ecc_curve, and exported data items like extern const struct ecc_curve nettle_secp_256r1; where the ecc_curve struct is only forward declared in the public headers. To prepare, applications should migrate to using the new function nettle_get_secp_256r1, and similarly for the other curves. In some future version, the plan is to add a leading underscore to the name of the actual data items. E.g., nettle_hashes --> _nettle_hashes, breaking the ABI, while keeping the nettle_get_hashes function and the nettle_hashes macro as the supported ways to access it. We will also rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking both ABI and API. Note that data items like nettle_sha256 are *not* affected, since the size and layout of this struct is considered part of the ABI, and R_X86_64_COPY-relocations then work fine. The shared library names are libnettle.so.6.4 and libhogweed.so.4.4, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.3 release This release fixes a couple of bugs, and improves resistance to side-channel attacks on RSA and DSA private key operations. Changes in behavior: * Invalid private RSA keys, with an even modulo, are now rejected by rsa_private_key_prepare. (Earlier versions allowed such keys, even if results of using them were bogus). Nettle applications are required to call rsa_private_key_prepare and check the return value, before using any other RSA private key functions; failing to do so may result in crashes for invalid private keys. As a workaround for versions of Gnutls which don't use rsa_private_key_prepare, additional checks for even moduli are added to the rsa_*_tr functions which are used by all recent versions of Gnutls. * Ignore bit 255 of the x coordinate of the input point to curve25519_mul, as required by RFC 7748. To differentiate at compile time, curve25519.h defines the constant NETTLE_CURVE25519_RFC7748. Security: * RSA and DSA now use side-channel silent modular exponentiation, to defend against attacks on the private key from evil processes sharing the same processor cache. This attack scenario is of particular relevance when running an HTTPS server on a virtual machine, where you don't know who you share the cache hardware with. (Private key operations on elliptic curves were already side-channel silent). Bug fixes: * Fix sexp-conv crashes on invalid input. Reported by Hanno Böck. * Fix out-of-bounds read in des_weak_p. Fixed by Nikos Mavrogiannopoulos. * Fix a couple of formally undefined shift operations, reported by Nikos Mavrogiannopoulos. * Fix compilation with c89. Reported by Henrik Grubbström. New features: * New function memeql_sec, for side-channel silent comparison of two memory areas. Miscellaneous: * Building the public key support of nettle now requires GMP version 5.0 or later (unless --enable-mini-gmp is used). * Filenames of windows DLL libraries now include major number only. So the dll names change at the same time as the corresponding soname on ELF platforms. Fixed by Nikos Mavrogiannopoulos. * Eliminate most pointer-signedness warnings. In the process, the strings representing expression type for sexp_interator functions were changed from const uint8_t * to const char *. These functions are undocumented, and it doesn't change the ABI on any platform I'm aware of. The shared library names are libnettle.so.6.3 and libhogweed.so.4.3, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.2 release Bug fixes: * The SHA3 implementation is updated according to the FIPS 202 standard. It is not interoperable with earlier versions of Nettle. Thanks to Nikos Mavrogiannopoulos. To easily differentiate at compile time, sha3.h defines the constant NETTLE_SHA3_FIPS202. * Fix corner-case carry propagation bugs affecting elliptic curve operations on the curves secp_256r1 and secp_384r1 on certain platforms, including x86_64. Reported by Hanno Böck. New features: * New functions for RSA private key operations, identified by the "_tr" suffix, with better resistance to side channel attacks and to hardware or software failures which could break the CRT optimization. See the Nettle manual for details. Initial patch by Nikos Mavrogiannopoulos. * New functions nettle_version_major, nettle_version_minor, as a run-time variant of the compile-time constants NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR. Optimizations: * New ARM Neon implementation of the chacha stream cipher. Miscellaneous: * ABI detection on mips, with improved default libdir location. Contributed by Klaus Ziegler. * Fixes for ARM assembly syntax, to work better with the clang assembler. Thanks to Jukka Ukkonen. * Disabled use of ifunc relocations for fat builds, to fix problems most easily triggered by using dlopen RTLD_NOW. The shared library names are libnettle.so.6.2 and libhogweed.so.4.2, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.1.1 release This release fixes a couple of non-critical bugs. Bug fixes: * By accident, nettle-3.1 disabled the assembly code for the secp_224r1 and secp_521r1 elliptic curves on all x86_64 configurations, making signature operations on those curves 10%-30% slower. This code is now re-enabled. * The x86_64 assembly implementation of gcm hashing has been fixed to work with the Sun/Oracle assembler. The shared library names are libnettle.so.6.1 and libhogweed.so.4.1, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.1 release This release adds a couple of new features. The library is mostly source-level compatible with nettle-3.0. It is however not binary compatible, due to the introduction of versioned symbols, and extensions to the base64 context structs. The shared library names are libnettle.so.6.0 and libhogweed.so.4.0, with sonames libnettle.so.6 and libhogweed.so.4. Bug fixes: * Fixed a missing include of , which made the camellia implementation fail on all 64-bit non-x86 platforms. * Eliminate out-of-bounds reads in the C implementation of memxor (related to valgrind's --partial-loads-ok flag). Interface changes: * Declarations of many internal functions are moved from ecc.h to ecc-internal.h. The functions are undocumented, and luckily they're apparently also unused by applications, so I don't expect any problems from this change. New features: * Support for curve25519 and for EdDSA25519 signatures. * Support for "fat builds" on x86_64 and arm, where the implementation of certain functions is selected at run-time depending on available cpu features. Configure with --enable-fat to try this out. If it turns out to work well enough, it will likely be enabled by default in later releases. * Support for building the hogweed library (public key support) using "mini-gmp", a small but slower implementation of a subset of the GMP interfaces. Note that builds using mini-gmp are *not* binary compatible with regular builds, and more likely to leak side-channel information. One intended use-case is for small embedded applications which need to verify digital signatures. * The shared libraries are now built with versioned symbols. Should reduce problems in case a program links explicitly to nettle and/or hogweed, and to gnutls, and the program and gnutls expect different versions. * Support for "URL-safe" base64 encoding and decoding, as specified in RFC 4648. Contributed by Amos Jeffries. Optimizations: * New x86_64 implementation of AES, using the "aesni" instructions. Autodetected in fat builds. In non-fat builds, it has to be enabled explicitly with --enable-x86-aesni. Build system: * Use the same object files for both static and shared libraries. This eliminates the *.po object files which were confusing to some tools (as well as humans). Like before, PIC code is used by default; to build a non-pic static library, configure with --disable-pic --disable-shared. Miscellaneous: * Made type-checking hack in CBC_ENCRYPT and similar macros stricter, to generate warnings if they are used with functions which have a length argument smaller than size_t. NEWS for the Nettle 3.0 release This is a major release, including several interface changes, and new features, some of which are a bit experimental. Feedback is highly appreciated. It is *not* binary (ABI) compatible with earlier versions. It is mostly source-level (API) compatible, with a couple of incompatibilities noted below. The shared library names are libnettle.so.5.0 and libhogweed.so.3.0, with sonames libnettle.so.5 and libhogweed.so.3. There may be some problems in the new interfaces and new features which really need incompatible fixes. It is likely that there will be an update in the form of a 3.1 release in the not too distant future, with small but incompatible changes, and if that happens, bugfix-only releases 3.0.x are unlikely. Users and applications which desire better API and ABI stability are advised to stay with nettle-2.7.x (latest version is now 2.7.1) until the dust settles. Interface changes: * For the many _set_key functions, it is now consider the normal case to have a fixed key size, with no key_size arguments. _set_key functions with a length parameter are provided only for algorithms with a truly variable keysize, and where it makes sense for backwards compatibility. INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key size argument. The old function is available under a new name, cast5_set_key. INCOMPATIBLE CHANGE: The function typedef nettle_set_key_func no longer accepts a key size argument. In particular, this affects users of struct nettle_cipher. * The nettle_cipher abstraction (in nettle-meta.h) is restricted to block ciphers only. The encrypt and decrypt functions now take a const argument for the context. INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher abstraction for the arcfour stream cipher, is deleted. INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the encrypt and decrypt fields of struct nettle_cipher. * New DSA interface, with a separate struct dsa_param to represent the underlying group, and generalized dsa_sign and dsa_verify functions which don't care about the hash function used. Limited backwards compatibility provided in dsa-compat.h. INCOMPATIBLE CHANGE: Declarations of the old interface, e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to dsa-compat.h. INCOMPATIBLE CHANGE: The various key conversion functions, e.g., dsa_keypair_to_sexp, all use the new DSA interface, with no backwards compatible functions. INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new interface. dsa-compat.h declares a function dsa_compat_generate_keypair, implementing the old interface, and #defines dsa_generate_keypair to refer to this backwards compatible function. * New AES and Camellia interfaces. There are now separate context structs for each key size, e.g., aes128_ctx and camellia256_ctx, and corresponding new functions. The old interface, with struct aes_ctx and struct camellia_ctx, is kept for backwards compatibility, but might be removed in later versions. * The type of most length arguments is changed from unsigned to size_t. The memxor functions have their pointer arguments changed from uint8_t * to void *, for consistency with related libc functions. * For hash functions, the constants *_DATA_SIZE have been renamed to *_BLOCK_SIZE. Old names kept for backwards compatibility. Removed features: * The nettle_next_prime function has been deleted. Applications should use GMP's mpz_nextprime instead. * Deleted the RSAREF compatibility, including the header file rsa-compat.h and everything declared therein. * Also under consideration for removal is des-compat.h and everything declared therein. This implements a subset of the old libdes/ssleay/openssl interface for DES and triple-DES, and it is poorly tested. If anyone uses this interface, please speak up! Otherwise, it will likely be removed in the next release. Bug fixes: * Building with ./configure --disable-static now works. * Use GMP's allocation functions for temporary storage related to bignums, to avoid potentially large stack allocations. * Fixes for shared libraries on M$ Windows. New features: * Support for Poly1305-AES MAC. * Support for the ChaCha stream cipher and EXPERIMENTAL support for the ChaCha-Poly1305 AEAD mode. Specifications are still in flux, and future releases may do incompatible changes to track standardization. Currently uses 256-bit key and 64-bit nonce. * Support for EAX mode. * Support for CCM mode. Contributed by Owen Kirby. * Additional variants of SHA512 with output size of 224 and 256 bits. Contributed by Joachim Strömbergson. * New interface, struct nettle_aead, for mechanisms providing authenticated encryption with associated data (AEAD). * DSA: Support a wider range for the size of q and a wider range for the digest size. Optimizations: * New x86_64 assembly for GCM and MD5. Modest speedups on the order of 10%-20%. Miscellaneous: * SHA3 is now documented as EXPERIMENTAL. Nettle currently implements SHA3 as specified at the time Keccak won the SHA3 competition. However, the final standard specified by NIST is likely to be incompatible, in which case future releases may do incompatible changes to track standardization. * The portability fix for the rotation macros, mentioned in NEWS for 2.7.1, actually didn't make it into that release. It is included now. * cast128_set_key rewritten for clarity, also eliminating a couple of compiler warnings. * New command line tool nettle-pbkdf2. NEWS for the 2.7.1 release This is a bugfix release. Bug fixes: * Fixed a bug in the new ECC code. The ecc_j_to_a function called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping input and output arguments, which is not supported. * The assembly files for SHA1, SHA256 and AES depend on ARMv6 instructions, breaking nettle-2.7 for pre-v6 ARM processors. The configure script now enables those assembly files only when building for ARMv6 or later. * Use a more portable C expression for rotations. The previous version used the following "standard" expression for 32-bit rotation: (x << n) | (x >> (32 - n)) But this gives undefined behavior (according to the C specification) for n = 0. The rotate expression is replaced by the more portable: (x << n) | (x >> ((-n)&31)) This change affects only CAST128, which uses non-constant rotation counts. Unfortunately, the new expression is poorly optimized by released versions of gcc, making CAST128 a bit slower. This is being fixed by the gcc hackers, see http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157. The following problems have been reported, but are *not* fixed in this release: * ARM assembly files use instruction syntax which is not supported by all assemblers. Workaround: Use a current version of GNU as, or configure with --disable-assembler. * Configuring with --disable-static doesn't work on windows. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.7 and libhogweed.so.2.5, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.7 release This release includes an implementation of elliptic curve cryptography (ECC) and optimizations for the ARM architecture. This work was done at the offices of South Pole AB, and generously funded by the .SE Internet Fund. Bug fixes: * Fixed a bug in the buffer handling for incremental SHA3 hashing, with a possible buffer overflow. Patch by Edgar E. Iglesias. New features: * Support for ECDSA signatures. Elliptic curve operations over the following curves: secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1, including x86_64 and ARM assembly for the most important primitives. * Support for UMAC, including x86_64 and ARM assembly. * Support for 12-round salsa20, "salsa20r12", as specified by eSTREAM. Contributed by Nikos Mavrogiannopoulos. Optimizations: * ARM assembly code for several additional algorithms, including AES, Salsa20, and the SHA family of hash functions. * x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly was included in the 2.6 release, but disabled due to poor performance on some AMD processors. Hopefully, that performance problem is fixed now). The ARM code was tested and benchmarked on Cortex-A9. Some of the functions use "neon" instructions. The configure script decides if neon instructions can be used, and the command line options --enable-arm-neon and --disable-arm-neon can be used to override its choice. Feedback appreciated. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.6 and libhogweed.so.2.4, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.6 release Bug fixes: * Fixed a bug in ctr_crypt. For zero length (which should be a NOP), it sometimes incremented the counter. Reported by Tim Kosse. * Fixed a small memory leak in nettle_realloc and nettle_xrealloc. New features: * Support for PKCS #5 PBKDF2, to generate a key from a password or passphrase. Contributed by Simon Josefsson. Specification in RFC 2898 and test vectors in RFC 6070. * Support for SHA3. * Support for the GOST R 34.11-94 hash algorithm. Ported from librhash by Nikos Mavrogiannopoulos. Written by Aleksey Kravchenko. More information in RFC4357. Test vectors taken from the GOST hash wikipedia page. Miscellaneous: * The include file has been split into and . For now, sha.h is kept for backwards compatibility and it simply includes both files, but applications are encouraged to use the new names. The new SHA3 functions are declared in . * Testsuite can be run under valgrind, using make check EMULATOR='$(VALGRIND)' For this to work, test programs and other executables now deallocate storage. * New configure options --disable-documentation and --disable-static. Contributed by Sam Thursfield and Alon Bar-Lev, respectively. * The section on hash functions in the manual is split into separate nodes for recommended hash functions and legacy hash functions. * Various smaller improvements, most of them portability fixes. Credits go to David Woodhouse, Tim Rühsen, Martin Storsjö, Nikos Mavrogiannopoulos, Fredrik Thulin and Dennis Clarke. Finally, a note on the naming of the various "SHA" hash functions. Naming is a bit inconsistent; we have, e.g., SHA1: sha1_digest SHA2: sha256_digest (not sha2_256_digest) SHA3: sha3_256_digest Renaming the SHA2 functions to make Nettle's naming more consistent has been considered, but the current naming follows common usage. Most documents (including the specification for SHA2) refer to 256-bit SHA2 as "SHA-256" or "SHA256" rather than "SHA2-256". The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.5 and libhogweed.so.2.3, with sonames still libnettle.so.4 and libhogweed.so.2 NEWS for the 2.5 release This release includes important portability fixes for Windows and MacOS. There are also a few new features. First a *warning*: Some internal functions have been removed from the library. Since the functions in question are internal and not documented, this is not considered a change of ABI or API. Programs explicitly using any of these functions will break. * The function pkcs1_signature_prefix has been renamed to _pkcs1_signature_prefix, and with slightly different behavior. * The file nettle-internal.c is no longer included in the library (the features defined there are used by the benchmark and test programs, and were never intended for public use). New features: * Support for the salsa20 stream cipher, including x86_64 assembler. Originally contributed by Simon Josefsson, based on the reference implementation, then further optimized. * Tentative interface for timing-resistant RSA functions, contributed by Nikos Mavrogiannopoulos. * A more general interface for PKCS#1 signatures, taking the input in the form of a "DigestInfo". Suggested by Nikos Mavrogiannopoulos. Configuration: * Building of shared libraries (./configure --enable-shared) is now enabled by default. * Various portability fixes for MacOS and M$ Windows. A lot of this work done by Martin Storsjö. * In particular, Nettle now hopefully works on 64-bit Windows builds, "W64", including the x86_64 assembly code. Miscellaneous: * Documentation and example programs for the base16 and base64 functions. Was contributed by Jeronimo Pellegrini back in 2006, but unfortunately forgotten until now. * Use an additional table to avoid GF2^8 multiplications in aes_invert_key (mainly used by aes_set_decrypt_key). Also tabulate round constants in aes_set_encrypt_key. * The nettle repository has been migrated from cvs to git, with a public repository at http://git.lysator.liu.se/nettle. To make it independent of the LSH repository, a few files have been moved around. While at it, files have also been converted from latin-1 to utf-8. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.4 and libhogweed.so.2.2, with sonames still libnettle.so.4 and libhogweed.so.2 NEWS for the 2.4 release This is a bugfix release only. It turned out ripemd160 in the 2.3 release was broken on all big-endian systems, due to a missing include of config.h. nettle-2.4 fixes this. The library is intended to be binary compatible with nettle-2.2 and nettle-2.3. The shared library names are libnettle.so.4.3 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.3 release * Support for the ripemd-160 hash function. * Generates and installs nettle.pc and hogweed.pc files, for use with pkg-config. Feedback appreciated. For projects using autoconf, the traditional non-pkg-config ways of detecting libraries, and setting LIBS and LDFLAGS, is still recommended. * Fixed a bug which made the testsuite fail in the GCM test on certain platforms. Should not affect any documented features of the library. * Reorganization of the code for the various Merkle-Damgård hash functions. Some fields in the context structs for md4, md5 and sha1 have been renamed, for consistency. Applications should not peek inside these structs, and the ABI is unchanged. * In the manual, fixed mis-placed const in certain function prototypes. The library is intended to be binary compatible with nettle-2.2. The shared library names are libnettle.so.4.2 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.2 release Licensing change: * Relicensed as LGPL v2.1 or later (user's option). * Replaced blowfish and serpent implementation. New code is based on the LGPLed code in libgcrypt. New features: * Support for Galois/Counter Mode (GCM). * New interface for enumerating (most) available algorithms, contributed by Daniel Kahn Gillmor. * New tool nettle-hash. Can generate hash digests using any supported hash function, with output compatible with md5sum and friends from GNU coreutils. Checking (like md5sum -c) not yet implemented. Bug fixes: * The old serpent code had a byte order bug (introduced by yours truly about ten years ago). New serpent implementation does not interoperate with earlier versions of nettle. * Fixed ABI-dependent libdir default for Linux-based systems which do not follow the Linux File Hierarchy Standard, e.g., Debian GNU/Linux. Optimizations: * x86_64 implemention of serpent. * x86_64 implemention of camellia. * Optimized memxor using word rather than byte operations. Both generic C and x86_64 assembler. * Eliminated a memcpy for in-place CBC decrypt. Miscellaneous: * In command line tools, no longer support -? for requesting help, since using it without shell quoting is a dangerous habit. Use long option --help instead. The shared library names are libnettle.so.4.1 and libhogweed.so.2.1, with sonames libnettle.so.4 and libhogweed.so.2. NEWS for the 2.1 release *Important*: this release breaks source and binary compatibility for the digital signature functions, and for the DES and BLOWFISH ciphers which have weak keys. Incompatible changes: * The functions rsa_md5_sign, rsa_sha1_sign and rsa_sha256_sign, and the corresponding _digest variants, now have a return value which callers should check. The functions return failure if the key is too small for the type of signature. * The functions dsa_sign and dsa_verify are renamed to dsa_sha1_sign and dsa_sha1_verify. The _-digest variants are renamed similarly. These functions now have a return value which callers should check, and they return failure if the number q is not of the appropriate size. * The return value from des_set_key, des3_set_key and blowfish_set_key now indicates whether or not the given key is weak. But in either case, the key setup is done, and applications that don't care about weak keys can ignore the return value. The incompatible part of this change is that enum des_error and enum blowfish_error has been deleted, and so has the status attribute in struct des_ctx, struct des3_ctx, and struct blowfish_ctx. The shared library names are libnettle.so.4.0 and libhogweed.so.2.0, with sonames libnettle.so.4 and libhogweed.so.2. Other changes: * Support for the Camellia block cipher, including an assembler implementation for x86_32. * New function aes_invert_key, useful for applications that need both encryption and decryption using the same AES key. * des_set_key and des3_set_key no longer check the key parity bits. Parity bits are silently ignored. A new function des_check_parity is provided, for applications that care about the DES parity bits. * Support for sha224, sha384 and sha512. * Support for digital signatures using rsa-sha512 and dsa-sha256. Due to lack of official test vectors and interop testing, this support should be considered somewhat experimental. * Key generation for RSA and DSA changed to use Maurer's algorithm to generate provably prime numbers (as usual, the mathematical proof does not guaranteee that the implementation is bug free). * x86_64 assembler implementation actually included in the distribution (was accidentally left out in nettle-2.0). * Configure script now detects if the compiler uses a 32-bit or 64-bit ABI on x86_64 (prevously did this for sparc only). Also sets the default location for installing libraries (libdir) depending on system type and the ABI used. * Added the nettle and gmp libraries as dependencies when linking shared library libhogweed.so. On systems using shared libraries where such dependencies work (in particular, ELF systems), it is sufficient to link applications with -lhogweed. For static linking -lhogweed -lnettle -lgmp is still required. * The program pkcs1-conv is extended to also handle dsa keys. Contributed by Magnus Holmgren. * Slightly improved sha1 performance on x86. NEWS for the 2.0 release This release breaks binary compatibility by splitting the library into two. Some other smaller changes that are not backwards compatible are also done at the same time. * The nettle library is split into two libraries, libnettle and libhogweed. libnettle contains the symmetric crypto algorithms that don't depend on GMP, while libhogweed contains the public key algorithms that depend on GMP. Using a single library worked fine with static linking, but not with dynamic linking. Consider an application that uses nettle and which doesn't use any public key cryptography. If this application is linked dynamically to nettle, it would have to be linked also with GMP if and only if public key support was enabled when the nettle library was installed. The library names are libnettle.so.3.0 and libhogweed.so.1.0, with sonames libnettle.so.3 and libhogweed.so.1. * Function typedefs have been changed to non-pointer types. E.g, the typedef void (nettle_hash_init_func *)(void *ctx); of previous versions is replaced by typedef void (nettle_hash_init_func)(void *ctx); This makes it possible to use the type when declaring functions, like nettle_hash_init_func foo_hash_init; void foo_hash_init(void *ctx) { ... } * Changes to the yarrow256 interface. The automatic seed file generation, and the seed_file member in struct yarrow256_ctx, has been removed. To generate a new seed file, use yarrow256_random. The function yarrow256_force_reseed has been replaced by the two functions yarrow256_fast_reseed and yarrow256_slow_reseed, which were previously static. This interface change makes it easier to mix in the current content of the seed file before overwriting it with newly generated data. Other changes: * Nettle manual now contributed to the public domain, to enable remixing into documentation of programs that use Nettle. * The sexp-conv program preserves comments when using the advanced syntax for output. Optionally locks the output file. * The base64 decoder recognizes ASCII FF (form feed) and VT (vertical tab) as white space. * New x86_64 implementations of AES and SHA1. On a 2.2 GHz opteron, SHA1 was benchmarked at 250 MByte/s, and AES-128 at 110 MByte/s. * Performance of AES increased by 20-30% on x86. * New programs in the examples directory: erathostenes and next-prime. NEWS for the 1.15 release Added support for PKCS#1 style RSA signatures using SHA256, according to RFC 3447. Currently lacks interoperability testing. Header files are now C++ aware, so C++ programs using Nettle should now use plain #include rather than #extern "C" { #include } as was the recommendation for the previous version. This breaks source-level compatibility with C++, even though there's full binary compatibility. The file rfc1750.txt (which is considered non-free by debian) has been removed from the distribution. The file was used as input for the Yarrow testcase, and has been replaced by the short story "The Gold-bug" by Edgar Allan Poe. Anyway, RFC 1750 is obsoleted by RFC 4086. Fixes for Darwin shared library support, contributed by Grant Robinsson. Example programs now use a supplied getopt.c. Configure tests for assemblers with a logarithmic .align directive. The library is intended to be upwards binary compatible with earlier versions. The library name is libnettle.so.2.6, soname is still libnettle.so.2. NEWS for the 1.14 release Experimental support for reading keys in PKCS#1 ASN1/DER format, and a new command line tool pkcs1-conv. Improved MD5 performance on x86. Fixed support for sparc64. Reorganized AES code. Better performance for all three implementations (C, x86 assembler, sparc assembler). New sparc assembler for arcfour. Compared to the code generated by gcc, the new code is about 25% faster on old sparcs, and 6 times faster on ultrasparc. Replaced the internal function nettle_mpz_from_octets with a call to mpz_import, if available in the installed GMP library. More Makefile fixes; it now seems to work to build with the the make programs on Solaris and FreeBSD (although --disable-dependency-tracking is required for the latter). The library is intended to be binary compatible with earlier versions. The library name is libnettle.so.2.5, soname is still libnettle.so.2. NEWS for the 1.13 release Fixed problem with broken m4 on bsd, which resulted in corrupted x86 assembler for sha1. Nettle probably works on windows: I've been able to cross compile it with ./configure --host=i586-mingw32msvc (without public-key support), and the testsuite binaries seem to run fine in Wine. Implemented CTR mode. Improved sha1 performance on x86. Configure check to figure out if symbols in assembler files need a leading underscore. Improved benchmark program. Displays cycles per byte and block, and compares with openssl (if openssl is installed). Terminating newline in output from sexp-conv --hash. The library is intended to be binary compatible with earlier versions. The library name is libnettle.so.2.4. However, the interface for the internal function _nettle_sha1_compress has changed; any program that calls this function directly will break. NEWS for the 1.12 release Fixed a bug in the configure script. Updated the description of aes_set_encrypt_key and aes_set_decrypt_key in the manual. NEWS for the 1.11 release Nettle no longer uses automake. Side effects: * Dependency tracking is enabled only for gcc-3 (help with supporting dependency tracking with other compilers is appreciated). * Makefile compatibility with make programs other than GNU make is mostly unknown, please report any problems. Support for arctwo. Fixes to the libdes compatibility code. Declarations should now match openssl/libdes better. des_cbc_cksum pads input with NUL's, if it's not an integral number of blocks (in general, such unreversible padding is a bad idea). By default, also the static library is compiled as position independent code. This is needed on some systems to make it possible to link nettle into a dynamically loaded module. Use the configure flag --disable-pic if this is not desired. Stricter constness typing for the sexp_iterator_assoc and sexp_iterator_check_types arguments. Minor tweaks of arcfour on x86 cpu:s, to speed it up on older x86 variants such as PII and PPro. The shared library is intended to be binary compatible with nettle-1.8 - nettle-1.10. Only the minor version number of the shared library is increased. The soname is still libnettle.so.2. NEWS for the 1.10 release Nettle should now compile also on Tru64, Darwin, FreeBSD and Windows. (The only tested windows build uses the rntcl rsh wrapper to run the command line M$ C compiler "cl". See http://pike.ida.liu.se for those tools, I don't know all details about the Pike team's windows setup). There are some known testsuite failures, on Windows and on one of the xenofarm HPUX machines, see http://www.lysator.liu.se/~nisse/xeno-lsh/latest.html. Help tracking these down is appreciated. There are no new features. This release is intended to be binary compatible with nettle-1.8 and nettle-1.9. NEWS for the 1.9 release Optimized C implementation of arcfour. Optimized x86 implementations of arcfour and sha1. Improved benchmark program. Fixed bug in the rsa-encrypt example program. Fixed bug in make install, some of the header files were forgotten. Portability fixes. Fixes to make Nettle compile on systems without gmp. This version has been tested on GNU/Linux, Solaris, HPUX and AIX. The shared library is intended to be binary compatible with nettle-1.8. Only the minor version number of the shared library is increased. NEWS for the 1.8 release New example programs, demonstrating encrypting and decrypting files using RSA, and random sessions keys for bulk encryption and message authentication. Support for systems that don't have alloca. On such systems, some of Nettle's functions have arbitrary limits applied to their input. Uses AX_CREATE_STDINT_H, to support systems without inttypes.h. Support for the md2 and md4 hash functions. New name mangling, to reduce the risk of link collisions. All functions (except memxor) now use a nettle_ or _nettle_ prefix when seen by the linker. For most functions, the header file that declares a function also uses #define to provide a shorter more readable name without the prefix. The shared library soname for this version is libnettle.so.2. NEWS for the 1.7 release Implemented DSA. Renamed RSA functions for consistency. Now it's rsa_public_key_init, not rsa_init_public_key, etc. Both RSA and DSA now have sign/verify functions that take the hash digest as argument. A rewritten and much more powerful sexp-conv program. Other changes to the sexp code, in particular updating it to the latest SPKI draft. Building nettle as a shared library (ELF only) seems to work. The version number is increased, so the library "soname" for this release is "libnettle.so.1". Bugfixes. Fixes for build and portability problems. NEWS for the 1.6 release Optimized assembler implementations of aes, for sparc and x86. The aes interface has changed slightly. The function aes_set_key is no more. Instead one has to use aes_set_encrypt_key or aes_set_decrypt_key. Sorry about that. New example programs, rsa-keygen, rsa-sign and rsa-verify, located in the examples directory. New configure option --enable-shared, which builds a shared library. Not tested. New experimental features, including sexp parsing and formatting, and changes to base64 encoding and decoding. The interfaces to these functions are subject to change, and are documented only in the source code. NEWS for the 1.5 release RSA support. Key generation and signatures. Support for HMAC (RFC-2104). An implementation of the Yarrow-256 PRNG. New sections in the manual. Changed the interface for hash functions. The md5_digest function is now equivalent to the old sequence of md5_final, md5_digest, md5_init, and similarly for the other hashing algorithms. This makes the interface simpler. NEWS for the 1.0 release Fixed twofish bug spotted by Jean-Pierre Stierlin. Added des3 and cbc. New RFC-1321-like interface in nettle/md5-compat.h, suggested by Assar Westerlund. New libdes-style compatibility interface in nettle/des-compat.h. nettle-3.4.1/nettle.info0000644000175000017500000101530013401564746014220 0ustar nissenisseThis is nettle.info, produced by makeinfo version 6.3 from nettle.texinfo. This manual is for the Nettle library (version 3.4), a low-level cryptographic library. Originally written 2001 by Niels Möller, updated 2017. This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. INFO-DIR-SECTION Encryption START-INFO-DIR-ENTRY * Nettle: (nettle). A low-level cryptographic library. END-INFO-DIR-ENTRY  File: nettle.info, Node: Top, Next: Introduction, Prev: (dir), Up: (dir) Nettle ****** This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application. This manual is for the Nettle library (version 3.4), a low-level cryptographic library. Originally written 2001 by Niels Möller, updated 2017. This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. * Menu: * Introduction:: What is Nettle? * Copyright:: Your rights. * Conventions:: General interface conventions. * Example:: An example program. * Linking:: Linking with libnettle and libhogweed. * Reference:: All Nettle functions and features. * Nettle soup:: For the serious nettle hacker. * Installation:: How to install Nettle. * Index:: Function and concept index. — The Detailed Node Listing — Reference * Hash functions:: * Cipher functions:: * Cipher modes:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: * Randomness:: * ASCII encoding:: * Miscellaneous functions:: * Compatibility functions:: Hash functions * Recommended hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: Cipher modes * CBC:: * CTR:: * CFB:: * GCM:: * CCM:: Keyed Hash Functions * HMAC:: * UMAC:: Public-key algorithms * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA Elliptic curves * Side-channel silence:: * ECDSA:: * Curve 25519::  File: nettle.info, Node: Introduction, Next: Copyright, Prev: Top, Up: Top 1 Introduction ************** Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a _simple_ but general interface to it. In particular, Nettle doesn’t do algorithm selection. It doesn’t do memory allocation. It doesn’t do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use.  File: nettle.info, Node: Copyright, Next: Conventions, Prev: Introduction, Up: Top 2 Copyright *********** Nettle is dual licenced under the GNU General Public License version 2 or later, and the GNU Lesser General Public License version 3 or later. When using Nettle, you must comply fully with all conditions of at least one of these licenses. A few of the individual files are licensed under more permissive terms, or in the public domain. To find the current status of particular files, you have to read the copyright notices at the top of the files. This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required. A list of the supported algorithms, their origins, and exceptions to the above licensing: _AES_ The implementation of the AES cipher (also known as rijndael) is written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and Niels Möller, Sparc assembler by Niels Möller. _ARCFOUR_ The implementation of the ARCFOUR (also known as RC4) cipher is written by Niels Möller. _ARCTWO_ The implementation of the ARCTWO (also known as RC2) cipher is written by Nikos Mavroyanopoulos and modified by Werner Koch and Simon Josefsson. _BLOWFISH_ The implementation of the BLOWFISH cipher is written by Werner Koch, copyright owned by the Free Software Foundation. Also hacked by Simon Josefsson and Niels Möller. _CAMELLIA_ The C implementation is by Nippon Telegraph and Telephone Corporation (NTT), heavily modified by Niels Möller. Assembler for x86 and x86_64 by Niels Möller. _CAST128_ The implementation of the CAST128 cipher is written by Steve Reid. Released into the public domain. _CHACHA_ Implemented by Joachim Strömbergson, based on the implementation of SALSA20 (see below). Assembly for x86_64 by Niels Möller. _DES_ The implementation of the DES cipher is written by Dana L. How, and released under the LGPL, version 2 or later. _GOSTHASH94_ The C implementation of the GOST94 message digest is written by Aleksey Kravchenko and was ported from the rhash library by Nikos Mavrogiannopoulos. It is released under the MIT license. _MD2_ The implementation of MD2 is written by Andrew Kuchling, and hacked some by Andreas Sigfridsson and Niels Möller. Python Cryptography Toolkit license (essentially public domain). _MD4_ This is almost the same code as for MD5 below, with modifications by Marcus Comstedt. Released into the public domain. _MD5_ The implementation of the MD5 message digest is written by Colin Plumb. It has been hacked some more by Andrew Kuchling and Niels Möller. Released into the public domain. _PBKDF2_ The C implementation of PBKDF2 is based on earlier work for Shishi and GnuTLS by Simon Josefsson. _RIPEMD160_ The implementation of RIPEMD160 message digest is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Ported to Nettle by Andres Mejia. _SALSA20_ The C implementation of SALSA20 is based on D. J. Bernstein’s reference implementation (in the public domain), adapted to Nettle by Simon Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 and ARM by Niels Möller. _SERPENT_ The implementation of the SERPENT cipher is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Adapted to Nettle by Simon Josefsson and heavily modified by Niels Möller. Assembly for x86_64 by Niels Möller. _POLY1305_ Based on the implementation by Andrew M. (floodyberry), modified by Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by Niels Möller. _SHA1_ The C implementation of the SHA1 message digest is written by Peter Gutmann, and hacked some more by Andrew Kuchling and Niels Möller. Released into the public domain. Assembler for x86, x86_64 and ARM by Niels Möller, released under the LGPL. _SHA2_ Written by Niels Möller, using Peter Gutmann’s SHA1 code as a model. _SHA3_ Written by Niels Möller. _TWOFISH_ The implementation of the TWOFISH cipher is written by Ruud de Rooij. _UMAC_ Written by Niels Möller. _RSA_ Written by Niels Möller. Uses the GMP library for bignum operations. _DSA_ Written by Niels Möller. Uses the GMP library for bignum operations. _ECDSA_ Written by Niels Möller. Uses the GMP library for bignum operations. Development of Nettle’s ECC support was funded by the .SE Internet Fund.  File: nettle.info, Node: Conventions, Next: Example, Prev: Copyright, Up: Top 3 Conventions ************* For each supported algorithm, there is an include file that defines a _context struct_, a few constants, and declares functions for operating on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects. For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms that don’t show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application. If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle. By convention, for an algorithm named ‘foo’, the struct tag for the context struct is ‘foo_ctx’, constants and functions uses prefixes like ‘FOO_BLOCK_SIZE’ (a constant) and ‘foo_set_key’ (a function). In all functions, strings are represented with an explicit length, of type ‘size_t’, and a pointer of type ‘uint8_t *’ or ‘const uint8_t *’. For functions that transform one string to another, the argument order is length, destination pointer and source pointer. Source and destination areas are usually of the same length. When they differ, e.g., for ‘ccm_encrypt_message’, the length argument specifies the size of the destination area. Source and destination pointers may be equal, so that you can process strings in place, but source and destination areas _must not_ overlap in any other way. Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure.  File: nettle.info, Node: Example, Next: Linking, Prev: Conventions, Up: Top 4 Example ********* A simple example program that reads a file from standard input and writes its SHA1 check-sum on standard output should give the flavor of Nettle. #include #include #include #define BUF_SIZE 1000 static void display_hex(unsigned length, uint8_t *data) { unsigned i; for (i = 0; i’. -- Context struct: struct sha256_ctx -- Constant: SHA256_DIGEST_SIZE The size of a SHA256 digest, i.e. 32. -- Constant: SHA256_BLOCK_SIZE The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. -- Function: void sha256_init (struct sha256_ctx *CTX) Initialize the SHA256 state. -- Function: void sha256_update (struct sha256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha256_digest (struct sha256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA256_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha256_init’. Earlier versions of nettle defined SHA256 in the header file ‘’, which is now deprecated, but kept for compatibility. 6.1.1.2 SHA224 .............. SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha224_ctx -- Constant: SHA224_DIGEST_SIZE The size of a SHA224 digest, i.e. 28. -- Constant: SHA224_BLOCK_SIZE The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. -- Function: void sha224_init (struct sha224_ctx *CTX) Initialize the SHA224 state. -- Function: void sha224_update (struct sha224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha224_digest (struct sha224_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA224_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha224_init’. 6.1.1.3 SHA512 .............. SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 octets. Nettle defines SHA512 in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha512_ctx -- Constant: SHA512_DIGEST_SIZE The size of a SHA512 digest, i.e. 64. -- Constant: SHA512_BLOCK_SIZE The internal block size of SHA512, 128. Useful for some special constructions, in particular HMAC-SHA512. -- Function: void sha512_init (struct sha512_ctx *CTX) Initialize the SHA512 state. -- Function: void sha512_update (struct sha512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha512_digest (struct sha512_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA512_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha512_init’. 6.1.1.4 SHA384 and other variants of SHA512 ........................................... Several variants of SHA512 have been defined, with a different initial state, and with the output truncated to shorter length than 512 bits. Naming is a bit confused, these algorithms are called SHA512-224, SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, respectively. Nettle defines these in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha512_224_ctx -- Context struct: struct sha512_256_ctx -- Context struct: struct sha384_ctx These context structs are all the same as sha512_ctx. They are defined as simple preprocessor aliases, which may cause some problems if used as identifiers for other purposes. So avoid doing that. -- Constant: SHA512_224_DIGEST_SIZE -- Constant: SHA512_256_DIGEST_SIZE -- Constant: SHA384_DIGEST_SIZE The digest size for each variant, i.e., 28, 32, and 48, respectively. -- Constant: SHA512_224_BLOCK_SIZE -- Constant: SHA512_256_BLOCK_SIZE -- Constant: SHA384_BLOCK_SIZE The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for some special constructions, in particular HMAC-SHA384. -- Function: void sha512_224_init (struct sha512_224_ctx *CTX) -- Function: void sha512_256_init (struct sha512_256_ctx *CTX) -- Function: void sha384_init (struct sha384_ctx *CTX) Initialize the context struct. -- Function: void sha512_224_update (struct sha512_224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void sha512_256_update (struct sha512_256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void sha384_update (struct sha384_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. These are all aliases for sha512_update, which does the same thing. -- Function: void sha512_224_digest (struct sha512_224_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void sha512_256_digest (struct sha512_256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void sha384_digest (struct sha384_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than the specified digest size, in which case only the first LENGTH octets of the digest are written. These function also reset the context in the same way as the corresponding init function. 6.1.1.5 SHA3-224 ................ The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are very similar to SHA1. SHA3 is a result of a competition, where the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits (28, 32, 48 and 64 octets, respectively). In August 2015, it was formally standardized by NIST, as FIPS 202, . Note that the SHA3 implementation in earlier versions of Nettle was based on the specification at the time Keccak was announced as the winner of the competition, which is incompatible with the final standard and hence with current versions of Nettle. The ‘nette/sha3.h’ defines a preprocessor symbol ‘NETTLE_SHA3_FIPS202’ to indicate conformance with the standard. -- Constant: NETTLE_SHA3_FIPS202 Defined to 1 in Nettle versions supporting FIPS 202. Undefined in earlier versions. Nettle defines SHA3-224 in ‘’. -- Context struct: struct sha3_224_ctx -- Constant: SHA3_224_DIGEST_SIZE The size of a SHA3_224 digest, i.e., 28. -- Constant: SHA3_224_BLOCK_SIZE The internal block size of SHA3_224. -- Function: void sha3_224_init (struct sha3_224_ctx *CTX) Initialize the SHA3-224 state. -- Function: void sha3_224_update (struct sha3_224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_224_digest (struct sha3_224_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_224_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context. 6.1.1.6 SHA3-256 ................ This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. Nettle defines SHA3-256 in ‘’. -- Context struct: struct sha3_256_ctx -- Constant: SHA3_256_DIGEST_SIZE The size of a SHA3_256 digest, i.e., 32. -- Constant: SHA3_256_BLOCK_SIZE The internal block size of SHA3_256. -- Function: void sha3_256_init (struct sha3_256_ctx *CTX) Initialize the SHA3-256 state. -- Function: void sha3_256_update (struct sha3_256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_256_digest (struct sha3_256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_256_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context. 6.1.1.7 SHA3-384 ................ This is SHA3 with 384-bit output size. Nettle defines SHA3-384 in ‘’. -- Context struct: struct sha3_384_ctx -- Constant: SHA3_384_DIGEST_SIZE The size of a SHA3_384 digest, i.e., 48. -- Constant: SHA3_384_BLOCK_SIZE The internal block size of SHA3_384. -- Function: void sha3_384_init (struct sha3_384_ctx *CTX) Initialize the SHA3-384 state. -- Function: void sha3_384_update (struct sha3_384_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_384_digest (struct sha3_384_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_384_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context. 6.1.1.8 SHA3-512 ................ This is SHA3 with 512-bit output size. Nettle defines SHA3-512 in ‘’. -- Context struct: struct sha3_512_ctx -- Constant: SHA3_512_DIGEST_SIZE The size of a SHA3_512 digest, i.e. 64. -- Constant: SHA3_512_BLOCK_SIZE The internal block size of SHA3_512. -- Function: void sha3_512_init (struct sha3_512_ctx *CTX) Initialize the SHA3-512 state. -- Function: void sha3_512_update (struct sha3_512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_512_digest (struct sha3_512_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_512_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context.  File: nettle.info, Node: Legacy hash functions, Next: nettle_hash abstraction, Prev: Recommended hash functions, Up: Hash functions 6.1.2 Legacy hash functions --------------------------- The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a “legacy” hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. 6.1.2.1 MD5 ........... MD5 is a message digest function constructed by Ronald Rivest, and described in ‘RFC 1321’. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in ‘’. -- Context struct: struct md5_ctx -- Constant: MD5_DIGEST_SIZE The size of an MD5 digest, i.e. 16. -- Constant: MD5_BLOCK_SIZE The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. -- Function: void md5_init (struct md5_ctx *CTX) Initialize the MD5 state. -- Function: void md5_update (struct md5_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md5_digest (struct md5_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘MD5_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘md5_init’. The normal way to use MD5 is to call the functions in order: First ‘md5_init’, then ‘md5_update’ zero or more times, and finally ‘md5_digest’. After ‘md5_digest’, the context is reset to its initial state, so you can start over calling ‘md5_update’ to hash new data. To start over, you can call ‘md5_init’ at any time. 6.1.2.2 MD2 ........... MD2 is another hash function of Ronald Rivest’s, described in ‘RFC 1319’. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in ‘’. -- Context struct: struct md2_ctx -- Constant: MD2_DIGEST_SIZE The size of an MD2 digest, i.e. 16. -- Constant: MD2_BLOCK_SIZE The internal block size of MD2. -- Function: void md2_init (struct md2_ctx *CTX) Initialize the MD2 state. -- Function: void md2_update (struct md2_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md2_digest (struct md2_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘MD2_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘md2_init’. 6.1.2.3 MD4 ........... MD4 is a predecessor of MD5, described in ‘RFC 1320’. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in ‘’. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols. -- Context struct: struct md4_ctx -- Constant: MD4_DIGEST_SIZE The size of an MD4 digest, i.e. 16. -- Constant: MD4_BLOCK_SIZE The internal block size of MD4. -- Function: void md4_init (struct md4_ctx *CTX) Initialize the MD4 state. -- Function: void md4_update (struct md4_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md4_digest (struct md4_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘MD4_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘md4_init’. 6.1.2.4 RIPEMD160 ................. RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in ‘nettle/ripemd160.h’. -- Context struct: struct ripemd160_ctx -- Constant: RIPEMD160_DIGEST_SIZE The size of a RIPEMD160 digest, i.e. 20. -- Constant: RIPEMD160_BLOCK_SIZE The internal block size of RIPEMD160. -- Function: void ripemd160_init (struct ripemd160_ctx *CTX) Initialize the RIPEMD160 state. -- Function: void ripemd160_update (struct ripemd160_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void ripemd160_digest (struct ripemd160_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘RIPEMD160_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘ripemd160_init’. 6.1.2.5 SHA1 ............ SHA1 is a hash function specified by “NIST” (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha1_ctx -- Constant: SHA1_DIGEST_SIZE The size of a SHA1 digest, i.e. 20. -- Constant: SHA1_BLOCK_SIZE The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. -- Function: void sha1_init (struct sha1_ctx *CTX) Initialize the SHA1 state. -- Function: void sha1_update (struct sha1_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha1_digest (struct sha1_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA1_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha1_init’. 6.1.2.6 GOSTHASH94 .................. The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see ‘RFC 4357’). It outputs message digests of 256 bits, or 32 octets. Nettle defines GOSTHASH94 in ‘’. -- Context struct: struct gosthash94_ctx -- Constant: GOSTHASH94_DIGEST_SIZE The size of a GOSTHASH94 digest, i.e. 32. -- Constant: GOSTHASH94_BLOCK_SIZE The internal block size of GOSTHASH94, i.e., 32. -- Function: void gosthash94_init (struct gosthash94_ctx *CTX) Initialize the GOSTHASH94 state. -- Function: void gosthash94_update (struct gosthash94_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void gosthash94_digest (struct gosthash94_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘GOSTHASH94_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘gosthash94_init’.  File: nettle.info, Node: nettle_hash abstraction, Prev: Legacy hash functions, Up: Hash functions 6.1.3 The ‘struct nettle_hash’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash functions. It is defined in ‘’, and is used by Nettle’s implementation of HMAC (*note Keyed hash functions::). -- Meta struct: ‘struct nettle_hash’ name context_size digest_size block_size init update digest The last three attributes are function pointers, of types ‘nettle_hash_init_func *’, ‘nettle_hash_update_func *’, and ‘nettle_hash_digest_func *’. The first argument to these functions is ‘void *’ pointer to a context struct, which is of size ‘context_size’. -- Constant Struct: struct nettle_hash nettle_md2 -- Constant Struct: struct nettle_hash nettle_md4 -- Constant Struct: struct nettle_hash nettle_md5 -- Constant Struct: struct nettle_hash nettle_ripemd160 -- Constant Struct: struct nettle_hash nettle_sha1 -- Constant Struct: struct nettle_hash nettle_sha224 -- Constant Struct: struct nettle_hash nettle_sha256 -- Constant Struct: struct nettle_hash nettle_sha384 -- Constant Struct: struct nettle_hash nettle_sha512 -- Constant Struct: struct nettle_hash nettle_sha3_256 -- Constant Struct: struct nettle_hash nettle_gosthash94 These are all the hash functions that Nettle implements. Nettle also exports a list of all these hashes. -- Function: const struct nettle_hash **nettle_get_hashes(void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_hashes A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., ‘nettle_hashes[0]->name’ for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases.  File: nettle.info, Node: Cipher functions, Next: Cipher modes, Prev: Hash functions, Up: Reference 6.2 Cipher functions ==================== A “cipher” is a function that takes a message or “plaintext” and a secret “key” and transforms it to a “ciphertext”. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. There are two main classes of ciphers: Block ciphers and stream ciphers. A block cipher can process data only in fixed size chunks, called “blocks”. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called “ECB”, Electronic Code Book mode. However, using ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some “feedback mode”, “CBC” (Cipher Block Chaining) and “CTR” (Counter mode) being two of of the most popular. See *Note Cipher modes::, for information on how to apply CBC and CTR with Nettle. A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of N octets, you key the generator, generate N octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. *Caution:* The first rule for this kind of cipher is the same as for a One Time Pad: _never_ ever use the same key twice. A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you’re reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can’t decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in CBC mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message. It is recommended to _always_ use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like HMAC-SHA1 (*note Keyed hash functions::), or digital signatures like RSA. Some ciphers have so called “weak keys”, keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don’t have any weak keys. To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as “key setup”. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption. 6.2.1 AES --------- AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in ‘’, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, ‘struct aes_ctx’, for all key sizes. This interface kept for backwards compatibility). -- Context struct: struct aes128_ctx -- Context struct: struct aes192_ctx -- Context struct: struct aes256_ctx -- Context struct: struct aes_ctx Alternative struct, for the old AES interface. -- Constant: AES_BLOCK_SIZE The AES block-size, 16. -- Constant: AES128_KEY_SIZE -- Constant: AES192_KEY_SIZE -- Constant: AES256_KEY_SIZE -- Constant: AES_MIN_KEY_SIZE -- Constant: AES_MAX_KEY_SIZE -- Constant: AES_KEY_SIZE Default AES key size, 32. -- Function: void aes128_set_encrypt_key (struct aes128_ctx *CTX, const uint8_t *KEY) -- Function: void aes128_set_decrypt_key (struct aes128_ctx *CTX, const uint8_t *KEY) -- Function: void aes192_set_encrypt_key (struct aes192_ctx *CTX, const uint8_t *KEY) -- Function: void aes192_set_decrypt_key (struct aes192_ctx *CTX, const uint8_t *KEY) -- Function: void aes256_set_encrypt_key (struct aes256_ctx *CTX, const uint8_t *KEY) -- Function: void aes256_set_decrypt_key (struct aes256_ctx *CTX, const uint8_t *KEY) -- Function: void aes_set_encrypt_key (struct aes_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void aes_set_decrypt_key (struct aes_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. -- Function: void aes128_invert_key (struct aes128_ctx *DST, const struct aes128_ctx *SRC) -- Function: void aes192_invert_key (struct aes192_ctx *DST, const struct aes192_ctx *SRC) -- Function: void aes256_invert_key (struct aes256_ctx *DST, const struct aes256_ctx *SRC) -- Function: void aes_invert_key (struct aes_ctx *DST, const struct aes_ctx *SRC) Given a context SRC initialized for encryption, initializes the context struct DST for decryption, using the same key. If the same context struct is passed for both ‘src’ and ‘dst’, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the _same_ key, because calling, e.g., ‘aes128_set_encrypt_key’ and ‘aes128_invert_key’, is more efficient than calling ‘aes128_set_encrypt_key’ and ‘aes128_set_decrypt_key’. -- Function: void aes128_encrypt (struct aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes192_encrypt (struct aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes256_encrypt (struct aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes_encrypt (struct aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void aes128_decrypt (struct aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes192_decrypt (struct aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes256_decrypt (struct aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes_decrypt (struct aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to the encryption functions above. 6.2.2 ARCFOUR ------------- ARCFOUR is a stream cipher, also known under the trade marked name RC4, and it is one of the fastest ciphers around. A problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like “secret:1”, “secret:2”, .... If you have keys that don’t look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Furthermore, the initial bytes of the generated key stream leak information about the key; for this reason, it is recommended to discard the first 512 bytes of the key stream. /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) { struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t buffer[0x200]; sha256_init(&hash); sha256_update(&hash, length, key); sha256_digest(&hash, SHA256_DIGEST_SIZE, digest); arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest); arcfour_crypt(ctx, sizeof(buffer), buffer, buffer); } Nettle defines ARCFOUR in ‘’. -- Context struct: struct arcfour_ctx -- Constant: ARCFOUR_MIN_KEY_SIZE Minimum key size, 1. -- Constant: ARCFOUR_MAX_KEY_SIZE Maximum key size, 256. -- Constant: ARCFOUR_KEY_SIZE Default ARCFOUR key size, 16. -- Function: void arcfour_set_key (struct arcfour_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void arcfour_crypt (struct arcfour_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called ‘arcfour_crypt’ only once with all the data. 6.2.3 ARCTWO ------------ ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to ‘sci.crypt’ by Peter Gutmann. ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, ‘ekb’. This parameter can be used to artificially reduce the key size. In practice, ‘ekb’ is usually set equal to the input key size. Nettle defines ARCTWO in ‘’. We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards. -- Context struct: struct arctwo_ctx -- Constant: ARCTWO_BLOCK_SIZE The ARCTWO block-size, 8. -- Constant: ARCTWO_MIN_KEY_SIZE -- Constant: ARCTWO_MAX_KEY_SIZE -- Constant: ARCTWO_KEY_SIZE Default ARCTWO key size, 8. -- Function: void arctwo_set_key_ekb (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY, unsigned EKB) -- Function: void arctwo_set_key (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void arctwo_set_key_gutmann (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for EKB is 1024, and for convenience, ‘ekb = 0’ has the same effect as ‘ekb = 1024’. ‘arctwo_set_key(ctx, length, key)’ is equivalent to ‘arctwo_set_key_ekb(ctx, length, key, 8*length)’, and ‘arctwo_set_key_gutmann(ctx, length, key)’ is equivalent to ‘arctwo_set_key_ekb(ctx, length, key, 1024)’ -- Function: void arctwo_encrypt (struct arctwo_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void arctwo_decrypt (struct arctwo_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘arctwo_encrypt’ 6.2.4 BLOWFISH -------------- BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in ‘’. -- Context struct: struct blowfish_ctx -- Constant: BLOWFISH_BLOCK_SIZE The BLOWFISH block-size, 8. -- Constant: BLOWFISH_MIN_KEY_SIZE Minimum BLOWFISH key size, 8. -- Constant: BLOWFISH_MAX_KEY_SIZE Maximum BLOWFISH key size, 56. -- Constant: BLOWFISH_KEY_SIZE Default BLOWFISH key size, 16. -- Function: int blowfish_set_key (struct blowfish_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value. ‘blowfish_encrypt’ or ‘blowfish_decrypt’ with a weak key will crash with an assert violation. -- Function: void blowfish_encrypt (struct blowfish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void blowfish_decrypt (struct blowfish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘blowfish_encrypt’ 6.2.5 Camellia -------------- Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in ‘RFC3713’. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at , but this statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in ‘’, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, ‘struct camellia_ctx’, for all key sizes. This interface kept for backwards compatibility). -- Context struct: struct camellia128_ctx -- Context struct: struct camellia192_ctx -- Context struct: struct camellia256_ctx Contexts structs. Actually, ‘camellia192_ctx’ is an alias for ‘camellia256_ctx’. -- Context struct: struct camellia_ctx Alternative struct, for the old Camellia interface. -- Constant: CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. -- Constant: CAMELLIA128_KEY_SIZE -- Constant: CAMELLIA192_KEY_SIZE -- Constant: CAMELLIA256_KEY_SIZE -- Constant: CAMELLIA_MIN_KEY_SIZE -- Constant: CAMELLIA_MAX_KEY_SIZE -- Constant: CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. -- Function: void camellia128_set_encrypt_key (struct camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void camellia128_set_decrypt_key (struct camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void camellia192_set_encrypt_key (struct camellia192_ctx *CTX, const uint8_t *KEY) -- Function: void camellia192_set_decrypt_key (struct camellia192_ctx *CTX, const uint8_t *KEY) -- Function: void camellia256_set_encrypt_key (struct camellia256_ctx *CTX, const uint8_t *KEY) -- Function: void camellia256_set_decrypt_key (struct camellia256_ctx *CTX, const uint8_t *KEY) -- Function: void camellia_set_encrypt_key (struct camellia_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void camellia_set_decrypt_key (struct camellia_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. -- Function: void camellia128_invert_key (struct camellia128_ctx *DST, const struct camellia128_ctx *SRC) -- Function: void camellia192_invert_key (struct camellia192_ctx *DST, const struct camellia192_ctx *SRC) -- Function: void camellia256_invert_key (struct camellia256_ctx *DST, const struct camellia256_ctx *SRC) -- Function: void camellia_invert_key (struct camellia_ctx *DST, const struct camellia_ctx *SRC) Given a context SRC initialized for encryption, initializes the context struct DST for decryption, using the same key. If the same context struct is passed for both ‘src’ and ‘dst’, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the _same_ key. -- Function: void camellia128_crypt (struct camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia192_crypt (struct camellia192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia256_crypt (struct camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia_crypt (struct camellia_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) The same function is used for both encryption and decryption. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. 6.2.6 CAST128 ------------- CAST-128 is a block cipher, specified in ‘RFC 2144’. It uses a 64 bit (8 octets) block size, and a variable key size of up to 128 bits. Nettle defines cast128 in ‘’. -- Context struct: struct cast128_ctx -- Constant: CAST128_BLOCK_SIZE The CAST128 block-size, 8. -- Constant: CAST128_MIN_KEY_SIZE Minimum CAST128 key size, 5. -- Constant: CAST128_MAX_KEY_SIZE Maximum CAST128 key size, 16. -- Constant: CAST128_KEY_SIZE Default CAST128 key size, 16. -- Function: void cast128_set_key (struct cast128_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void cast128_encrypt (struct cast128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void cast128_decrypt (struct cast128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘cast128_encrypt’ 6.2.7 ChaCha ------------ ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. Bernstein. For more information on Salsa20, see below. Nettle defines ChaCha in ‘’. -- Context struct: struct chacha_ctx -- Constant: CHACHA_KEY_SIZE ChaCha key size, 32. -- Constant: CHACHA_BLOCK_SIZE ChaCha block size, 64. -- Constant: CHACHA_NONCE_SIZE Size of the nonce, 8. -- Function: void chacha_set_key (struct chacha_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you _must_ also call ‘chacha_set_nonce’, see below. -- Function: void chacha_set_nonce (struct chacha_ctx *CTX, const uint8_t *NONCE) Sets the nonce. It is always of size ‘CHACHA_NONCE_SIZE’, 8 octets. This function also initializes the block counter, setting it to zero. -- Function: void chacha_crypt (struct chacha_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to ‘chacha_crypt’, all but the last call _must_ use a length that is a multiple of ‘CHACHA_BLOCK_SIZE’. 6.2.8 DES --------- DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn’t be using plain DES at all today, if one uses DES at all one should be using “triple DES”, see DES3 below. DES also has some weak keys. Nettle defines DES in ‘’. -- Context struct: struct des_ctx -- Constant: DES_BLOCK_SIZE The DES block-size, 8. -- Constant: DES_KEY_SIZE DES key size, 8. -- Function: int des_set_key (struct des_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value. -- Function: void des_encrypt (struct des_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void des_decrypt (struct des_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘des_encrypt’ -- Function: int des_check_parity (size_t LENGTH, const uint8_t *KEY); Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. -- Function: void des_fix_parity (size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Adjusts the parity bits to match DES’s requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. DST and SRC may be equal. 6.2.9 DES3 ---------- The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. The standard way to increase DES’s key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then _decrypt_ it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as “ede” triple-DES, for “encrypt-decrypt-encrypt”. The “ede” construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a “two-key” variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force. Naturally, it’s simple to implement triple-DES on top of Nettle’s DES functions. Nettle includes an implementation of three-key “ede” triple-DES, it is defined in the same place as plain DES, ‘’. -- Context struct: struct des3_ctx -- Constant: DES3_BLOCK_SIZE The DES3 block-size is the same as DES_BLOCK_SIZE, 8. -- Constant: DES3_KEY_SIZE DES key size, 24. -- Function: int des3_set_key (struct des3_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don’t care about weak keys can ignore the return value. For random-looking strings, you can use ‘des_fix_parity’ to adjust the parity bits before calling ‘des3_set_key’. -- Function: void des3_encrypt (struct des3_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void des3_decrypt (struct des3_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘des_encrypt’ 6.2.10 Salsa20 -------------- Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, see *note CTR::). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It’s also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets). *Caution:* The hash function used in Salsa20 is _not_ directly applicable for use as a general hash function. It’s _not_ collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a “nonce”, the latter playing a similar rôle to the initialization vector (IV) used with CBC or CTR mode. One can use the same key for several messages, provided one uses a unique random iv for each message. The iv is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in ‘’. -- Context struct: struct salsa20_ctx -- Constant: SALSA20_128_KEY_SIZE -- Constant: SALSA20_256_KEY_SIZE The two supported key sizes, 16 and 32 octets. -- Constant: SALSA20_KEY_SIZE Recommended key size, 32. -- Constant: SALSA20_BLOCK_SIZE Salsa20 block size, 64. -- Constant: SALSA20_NONCE_SIZE Size of the nonce, 8. -- Function: void salsa20_128_set_key (struct salsa20_ctx *CTX, const uint8_t *KEY) -- Function: void salsa20_256_set_key (struct salsa20_ctx *CTX, const uint8_t *KEY) -- Function: void salsa20_set_key (struct salsa20_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. ‘salsa20_128_set_key’ and ‘salsa20_128_set_key’ use a fix key size each, 16 and 32 octets, respectively. The function ‘salsa20_set_key’ is provided for backwards compatibility, and the LENGTH argument must be either 16 or 32. Before using the cipher, you _must_ also call ‘salsa20_set_nonce’, see below. -- Function: void salsa20_set_nonce (struct salsa20_ctx *CTX, const uint8_t *NONCE) Sets the nonce. It is always of size ‘SALSA20_NONCE_SIZE’, 8 octets. This function also initializes the block counter, setting it to zero. -- Function: void salsa20_crypt (struct salsa20_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to ‘salsa20_crypt’, all but the last call _must_ use a length that is a multiple of ‘SALSA20_BLOCK_SIZE’. The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see . Nettle calls this variant ‘salsa20r12’. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. -- Function: void salsa20r12_crypt (struct salsa20_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds. 6.2.11 SERPENT -------------- SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES’. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in ‘’. -- Context struct: struct serpent_ctx -- Constant: SERPENT_BLOCK_SIZE The SERPENT block-size, 16. -- Constant: SERPENT_MIN_KEY_SIZE Minimum SERPENT key size, 16. -- Constant: SERPENT_MAX_KEY_SIZE Maximum SERPENT key size, 32. -- Constant: SERPENT_KEY_SIZE Default SERPENT key size, 32. -- Function: void serpent_set_key (struct serpent_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void serpent_encrypt (struct serpent_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void serpent_decrypt (struct serpent_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘serpent_encrypt’ 6.2.12 TWOFISH -------------- Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in ‘’. -- Context struct: struct twofish_ctx -- Constant: TWOFISH_BLOCK_SIZE The TWOFISH block-size, 16. -- Constant: TWOFISH_MIN_KEY_SIZE Minimum TWOFISH key size, 16. -- Constant: TWOFISH_MAX_KEY_SIZE Maximum TWOFISH key size, 32. -- Constant: TWOFISH_KEY_SIZE Default TWOFISH key size, 32. -- Function: void twofish_set_key (struct twofish_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void twofish_encrypt (struct twofish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void twofish_decrypt (struct twofish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘twofish_encrypt’ 6.2.13 The ‘struct nettle_cipher’ abstraction --------------------------------------------- Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in ‘’. -- Meta struct: ‘struct nettle_cipher’ name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types ‘nettle_set_key_func *’ and ‘nettle_cipher_func *’. The first argument to these functions is a ‘const void *’ pointer to a context struct, which is of size ‘context_size’. -- Constant Struct: struct nettle_cipher nettle_aes128 -- Constant Struct: struct nettle_cipher nettle_aes192 -- Constant Struct: struct nettle_cipher nettle_aes256 -- Constant Struct: struct nettle_cipher nettle_arctwo40 -- Constant Struct: struct nettle_cipher nettle_arctwo64 -- Constant Struct: struct nettle_cipher nettle_arctwo128 -- Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128 -- Constant Struct: struct nettle_cipher nettle_arcfour128 -- Constant Struct: struct nettle_cipher nettle_camellia128 -- Constant Struct: struct nettle_cipher nettle_camellia192 -- Constant Struct: struct nettle_cipher nettle_camellia256 -- Constant Struct: struct nettle_cipher nettle_cast128 -- Constant Struct: struct nettle_cipher nettle_serpent128 -- Constant Struct: struct nettle_cipher nettle_serpent192 -- Constant Struct: struct nettle_cipher nettle_serpent256 -- Constant Struct: struct nettle_cipher nettle_twofish128 -- Constant Struct: struct nettle_cipher nettle_twofish192 -- Constant Struct: struct nettle_cipher nettle_twofish256 Nettle includes such structs for all the _regular_ ciphers, i.e. ones without weak keys or other oddities. Nettle also exports a list of all these ciphers without weak keys or other oddities. -- Function: const struct nettle_cipher **nettle_get_ciphers(void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_ciphers A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers.  File: nettle.info, Node: Cipher modes, Next: Authenticated encryption, Prev: Cipher functions, Up: Reference 6.3 Cipher modes ================ Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher’s block size. As explained in *Note Cipher functions::, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, ECB), leaks information. Besides ECB, Nettle provides several other modes of operation: Cipher Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB) and a couple of AEAD modes (*note Authenticated encryption::). CBC is widely used, but there are a few subtle issues of information leakage, see, e.g., SSH CBC vulnerability (http://www.kb.cert.org/vuls/id/958563). Today, CTR is usually preferred over CBC. Modes like CBC, CTR and CFB provide _no_ message authentication, and should always be used together with a MAC (*note Keyed hash functions::) or signature to authenticate the message. * Menu: * CBC:: * CTR:: * CFB::  File: nettle.info, Node: CBC, Next: CTR, Prev: Cipher modes, Up: Cipher modes 6.3.1 Cipher Block Chaining --------------------------- When using CBC mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in CBC mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an “IV”, or Initialization Vector, is used as the “previous ciphertext block”. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data. In symbols, if ‘E_k’ is the encryption function of a block cipher, and ‘IV’ is the initialization vector, then ‘n’ plaintext blocks ‘M_1’,... ‘M_n’ are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IV XOR M_1) C_2 = E_k(C_1 XOR M_2) ... C_n = E_k(C_(n-1) XOR M_n) Nettle’s includes two functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. These functions uses ‘void *’ to pass cipher contexts around. -- Function: void cbc_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cbc_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CBC mode. The final ciphertext block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cbc_encrypt’. The function F is of type ‘void f (void *CTX, size_t LENGTH, uint8_t DST, const uint8_t *SRC)’, and the ‘cbc_encrypt’ and ‘cbc_decrypt’ functions pass their argument CTX on to F. There are also some macros to help use these functions correctly. -- Macro: CBC_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } It can be used to define a CBC context struct, either directly, struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx; or to give it a struct tag, struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE); -- Macro: CBC_SET_IV (CTX, IV) First argument is a pointer to a context struct as defined by ‘CBC_CTX’, and the second is a pointer to an Initialization Vector (IV) that is copied into that context. -- Macro: CBC_ENCRYPT (CTX, F, LENGTH, DST, SRC) -- Macro: CBC_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cbc_encrypt’ and ‘cbc_decrypt’. The first argument is a pointer to a context struct as defined by ‘CBC_CTX’, and the second argument is an encryption or decryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation. These macros use some tricks to make the compiler display a warning if the types of F and CTX don’t match, e.g. if you try to use an ‘struct aes_ctx’ context with the ‘des_encrypt’ function.  File: nettle.info, Node: CTR, Next: CFB, Prev: CBC, Up: Cipher modes 6.3.2 Counter mode ------------------ Counter mode (CTR) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher. The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size. If ‘E_k’ is the encryption function of a block cipher, ‘IC’ is the initial counter, then the ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IC) XOR M_1 C_2 = E_k(IC + 1) XOR M_2 ... C_(n-1) = E_k(IC + n - 2) XOR M_(n-1) C_n = E_k(IC + n - 1) [1..m] XOR M_n The IC is the initial value for the counter, it plays a similar rôle as the IV for CBC. When adding, ‘IC + x’, IC is interpreted as an integer, in network byte order. For the last block, ‘E_k(IC + n - 1) [1..m]’ means that the cipher output is truncated to ‘m’ bytes. -- Function: void ctr_crypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *CTR, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption function F in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence F should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to ‘ctr_crypt’, all but the last call _must_ use a length that is a multiple of the block size. Like for CBC, there are also a couple of helper macros. -- Macro: CTR_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t ctr[block_size]; } -- Macro: CTR_SET_COUNTER (CTX, IV) First argument is a pointer to a context struct as defined by ‘CTR_CTX’, and the second is a pointer to an initial counter that is copied into that context. -- Macro: CTR_CRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘ctr_crypt’. The first argument is a pointer to a context struct as defined by ‘CTR_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.  File: nettle.info, Node: CFB, Prev: CTR, Up: Cipher modes 6.3.3 Cipher Feedback mode -------------------------- Cipher Feedback mode (CFB) being a close relative to both CBC mode and CTR mode borrows some characteristics from stream ciphers. The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size. If ‘E_k’ is the encryption function of a block cipher, ‘IV’ is the initialization vector, then the ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IV) XOR M_1 C_2 = E_k(C_1) XOR M_2 ... C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n Nettle’s includes two functions for applying a block cipher in Cipher Feedback (CFB) mode, one for encryption and one for decryption. These functions uses ‘void *’ to pass cipher contexts around. -- Function: void cfb_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cfb_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CFB mode. The final ciphertext block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cfb_encrypt’. Note that for CFB mode internally uses encryption only function and hence F should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to ‘cfb_encrypt’, all but the last call _must_ use a length that is a multiple of the block size. Like for CBC, there are also a couple of helper macros. -- Macro: CFB_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } -- Macro: CFB_SET_IV(CTX, IV) First argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second is a pointer to an initialization vector that is copied into that context. -- Macro: CFB_ENCRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb_encrypt’. The first argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation. -- Macro: CFB_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb_decrypt’. The first argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.  File: nettle.info, Node: Authenticated encryption, Next: Keyed hash functions, Prev: Cipher modes, Up: Reference 6.4 Authenticated encryption with associated data ================================================= Since there are some subtle design choices to be made when combining a block cipher mode with out authentication with a MAC. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the “associated data”, which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called AEAD, Authenticated encryption with associated data. The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step, although that potential is not realized for the constructions currently supported by Nettle. For encryption, the inputs are: • The key, which can be used for many messages. • A nonce, which must be unique for each message using the same key. • Additional associated data to be authenticated, but not included in the message. • The cleartext message to be encrypted. The outputs are: • The ciphertext, of the same size as the cleartext. • A digest or “authentication tag”. Decryption works the same, but with cleartext and ciphertext interchanged. All currently supported AEAD algorithms always use the encryption function of the underlying block cipher, for both encryption and decryption. Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle’s low level AEAD functions produce the authentication tag as a separate output for both encryption and decryption. Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some AEAD may implement more liberal conventions. The CCM mode is a bit special in that it requires the message lengths up front, other AEAD constructions don’t have this restriction. The supported AEAD constructions are Galois/Counter mode (GCM), EAX, ChaCha-Poly1305, and Counter with CBC-MAC (CCM). There are some weaknesses in GCM authentication, see . CCM and EAX use the same building blocks, but the EAX design is cleaner and avoids a couple of inconveniences of CCM. Therefore, EAX seems like a good conservative choice. The more recent ChaCha-Poly1305 may also be an attractive but more adventurous alternative, in particular if performance is important. * Menu: * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * nettle_aead abstraction::  File: nettle.info, Node: EAX, Next: GCM, Prev: Authenticated encryption, Up: Authenticated encryption 6.4.1 EAX --------- The EAX mode is an AEAD mode whichcombines CTR mode encryption, *Note CTR::, with a message authentication based on CBC, *Note CBC::. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). EAX was defined as a reaction to the CCM mode, *Note CCM::, which uses the same primitives but has some undesirable and inelegant properties. EAX supports arbitrary nonce size; it’s even possible to use an empty nonce in case only a single message is encrypted for each key. Nettle’s support for EAX consists of a low-level general interface, some convenience macros, and specific functions for EAX using AES-128 as the underlying cipher. These interfaces are defined in ‘’ 6.4.1.1 General EAX interface ............................. -- Context struct: struct eax_key EAX state which depends only on the key, but not on the nonce or the message. -- Context struct: struct eax_ctx Holds state corresponding to a particular message. -- Constant: EAX_BLOCK_SIZE EAX’s block size, 16. -- Constant: EAX_DIGEST_SIZE Size of the EAX digest, also 16. -- Function: void eax_set_key (struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes KEY. CIPHER gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and F is the encryption function. -- Function: void eax_set_nonce (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t NONCE_LENGTH, const uint8_t *NONCE) Initializes CTX for processing a new message, using the given nonce. -- Function: void eax_update (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t DATA_LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. Unlike many other AEAD constructions, for EAX it’s not necessary to complete the processing of all associated data before encrypting or decrypting the message data. -- Function: void eax_encrypt (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void eax_decrypt (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_digest (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST); Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If LENGTH is smaller than ‘EAX_DIGEST_SIZE’, only the first LENGTH octets of the digest are written. 6.4.1.2 EAX helper macros ......................... The following macros are defined. -- Macro: EAX_CTX (CONTEXT_TYPE) This defines an all-in-one context struct, including the context of the underlying cipher and all EAX state. It expands to { struct eax_key key; struct eax_ctx eax; context_type cipher; } For all these macros, CTX, is a context struct as defined by ‘EAX_CTX’, and ENCRYPT is the encryption function of the underlying cipher. -- Macro: EAX_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) SET_KEY is the function for setting the encryption key for the underlying cipher, and KEY is the key. -- Macro: EAX_SET_NONCE (CTX, ENCRYPT, LENGTH, NONCE) Sets the nonce to be used for the message. -- Macro: EAX_UPDATE (CTX, ENCRYPT, LENGTH, DATA) Process associated data for authentication. -- Macro: EAX_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: EAX_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) Process message data for encryption or decryption. -- Macro: EAX_DIGEST (CTX, ENCRYPT, LENGTH, DIGEST) Extract te authentication tag for the message. 6.4.1.3 EAX-AES128 interface ............................ The following functions implement EAX using AES-128 as the underlying cipher. -- Context struct: struct eax_aes128_ctx The context struct, defined using ‘EAX_CTX’. -- Function: void eax_aes128_set_key (struct eax_aes128_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given nonce. -- Function: void eax_aes128_update (struct eax_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_aes128_encrypt (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void eax_aes128_decrypt (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_aes128_digest (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST); Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If LENGTH is smaller than ‘EAX_DIGEST_SIZE’, only the first LENGTH octets of the digest are written.  File: nettle.info, Node: GCM, Next: CCM, Prev: EAX, Up: Authenticated encryption 6.4.2 Galois counter mode ------------------------- Galois counter mode is an AEAD constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular MAC algorithms (*note Keyed hash functions::) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). It is constructed on top of a block cipher which must have a block size of 128 bits. The authentication in GCM has some known weaknesses, see . In particular, don’t use GCM with short authentication tags. Nettle’s support for GCM consists of a low-level general interface, some convenience macros, and specific functions for GCM using AES or Camellia as the underlying cipher. These interfaces are defined in ‘’ 6.4.2.1 General GCM interface ............................. -- Context struct: struct gcm_key Message independent hash sub-key, and related tables. -- Context struct: struct gcm_ctx Holds state corresponding to a particular message. -- Constant: GCM_BLOCK_SIZE GCM’s block size, 16. -- Constant: GCM_DIGEST_SIZE Size of the GCM digest, also 16. -- Constant: GCM_IV_SIZE Recommended size of the IV, 12. Arbitrary sizes are allowed. -- Function: void gcm_set_key (struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes KEY. CIPHER gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and F is the encryption function. -- Function: void gcm_set_iv (struct gcm_ctx *CTX, const struct gcm_key *KEY, size_t LENGTH, const uint8_t *IV) Initializes CTX using the given IV. The KEY argument is actually needed only if LENGTH differs from ‘GCM_IV_SIZE’. -- Function: void gcm_update (struct gcm_ctx *CTX, const struct gcm_key *KEY, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_encrypt’ or ‘gcm_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_encrypt (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_decrypt (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_digest (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you provide a smaller value, only the first LENGTH octets of the digest are written. To encrypt a message using GCM, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: ‘gcm_set_key’, ‘gcm_set_iv’, ‘gcm_update’, ‘gcm_encrypt’, ‘gcm_digest’. The decryption procedure is analogous, just calling ‘gcm_decrypt’ instead of ‘gcm_encrypt’ (note that GCM decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call ‘gcm_set_iv’ with a new iv. 6.4.2.2 GCM helper macros ......................... The following macros are defined. -- Macro: GCM_CTX (CONTEXT_TYPE) This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to { struct gcm_key key; struct gcm_ctx gcm; context_type cipher; } Example use: struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); The following macros operate on context structs of this form. -- Macro: GCM_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) First argument, CTX, is a context struct as defined by ‘GCM_CTX’. SET_KEY and ENCRYPT are functions for setting the encryption key and for encrypting data using the underlying cipher. -- Macro: GCM_SET_IV (CTX, LENGTH, DATA) First argument is a context struct as defined by ‘GCM_CTX’. LENGTH and DATA give the initialization vector (IV). -- Macro: GCM_UPDATE (CTX, LENGTH, DATA) Simpler way to call ‘gcm_update’. First argument is a context struct as defined by ‘GCM_CTX’ -- Macro: GCM_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DIGEST (CTX, ENCRYPT, LENGTH, DIGEST) Simpler way to call ‘gcm_encrypt’, ‘gcm_decrypt’ or ‘gcm_digest’. First argument is a context struct as defined by ‘GCM_CTX’. Second argument, ENCRYPT, is the encryption function of the underlying cipher. 6.4.2.3 GCM-AES interface ......................... The following functions implement the common case of GCM using AES as the underlying cipher. The variants with a specific AES flavor are recommended, while the fucntinos using ‘struct gcm_aes_ctx’ are kept for compatibility with older versiosn of Nettle. -- Context struct: struct gcm_aes128_ctx -- Context struct: struct gcm_aes192_ctx -- Context struct: struct gcm_aes256_ctx Context structs, defined using ‘GCM_CTX’. -- Context struct: struct gcm_aes_ctx Alternative context struct, usign the old AES interface. -- Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_aes_set_key (struct gcm_aes_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Corresponding function, using the old AES interface. All valid AES key sizes can be used. -- Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes_set_iv (struct gcm_aes_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_aes128_update (struct gcm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes192_update (struct gcm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes256_update (struct gcm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes_update (struct gcm_aes_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_aes_encrypt’ or ‘gcm_aes_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes_encrypt (struct gcm_aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes_decrypt (struct gcm_aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_aes128_digest (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_aes192_digest (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_aes256_digest (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_aes_digest (struct gcm_aes_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you provide a smaller value, only the first LENGTH octets of the digest are written. 6.4.2.4 GCM-Camellia interface .............................. The following functions implement the case of GCM using Camellia as the underlying cipher. -- Context struct: struct gcm_camellia128_ctx -- Context struct: struct gcm_camellia256_ctx Context structs, defined using ‘GCM_CTX’. -- Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_camellia128_update (struct gcm_camellia128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_camellia256_update (struct gcm_camellia256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_camellia_encrypt’ or ‘gcm_camellia_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_camellia_digest (struct gcm_camellia_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you provide a smaller value, only the first LENGTH octets of the digest are written.  File: nettle.info, Node: CCM, Next: ChaCha-Poly1305, Prev: GCM, Up: Authenticated encryption 6.4.3 Counter with CBC-MAC mode ------------------------------- CCM mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as EAX, *note EAX::. It is constructed on top of a block cipher which must have a block size of 128 bits. CCM mode is recommended by NIST in NIST Special Publication 800-38C (http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf). Nettle’s support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in ‘’. In CCM, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is 2^24 - 1 octets. CCM mode encryption operates as follows: • The nonce and message length are concatenated to create ‘B_0 = flags | nonce | mlength’ • The authenticated data and plaintext is formatted into the string ‘B = L(adata) | adata | padding | plaintext | padding’ with ‘padding’ being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and ‘L(adata)’ is an encoding of the length of ‘adata’. • The string ‘B’ is separated into blocks ‘B_1’ ... ‘B_n’ • The authentication tag ‘T’ is calculated as ‘T=0, for i=0 to n, do T = E_k(B_i XOR T)’ • An initial counter is then initialized from the nonce to create ‘IC = flags | nonce | padding’, where ‘padding’ is the shortest string of zero bytes such that ‘IC’ is exactly one block in length. • The authentication tag is encrypted using using CTR mode: ‘MAC = E_k(IC) XOR T’ • The plaintext is then encrypted using CTR mode with an initial counter of ‘IC+1’. CCM mode decryption operates similarly, except that the ciphertext and MAC are first decrypted using CTR mode to retreive the plaintext and authentication tag. The authentication tag can then be recalucated from the authenticated data and plantext, and compared to the value in the message to check for authenticity. 6.4.3.1 General CCM interface ............................. For all of the functions in the CCM interface, CIPHER is the context struct for the underlying cipher and F is the encryption function. The cipher’s encryption key must be set before calling any of the CCM functions. The cipher’s decryption function and key are never used. -- Context struct: struct ccm_ctx Holds state corresponding to a particular message. -- Constant: CCM_BLOCK_SIZE CCM’s block size, 16. -- Constant: CCM_DIGEST_SIZE Size of the CCM digest, 16. -- Constant: CCM_MIN_NONCE_SIZE -- Constant: CCM_MAX_NONCE_SIZE The the minimum and maximum sizes for an CCM nonce, 7 and 14, respectively. -- Macro: CCM_MAX_MSG_SIZE (NONCE_SIZE) The largest allowed plaintext length, when using CCM with a nonce of the given size. -- Function: void ccm_set_nonce (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) Initializes CTX using the given nonce and the sizes of the authenticated data, message, and MAC to be processed. -- Function: void ccm_update (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. Must be called after ‘ccm_set_nonce’, and before ‘ccm_encrypt’, ‘ccm_decrypt’, or ‘ccm_digest’. -- Function: void ccm_encrypt (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_decrypt (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the message data. Must be called after ‘ccm_set_nonce’ and before ‘ccm_digest’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ccm_digest (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. LENGTH is usually equal to the TAGLEN parameter supplied to ‘ccm_set_nonce’, but if you provide a smaller value, only the first LENGTH octets of the digest are written. To encrypt a message using the general CCM interface, set the message nonce and length using ‘ccm_set_nonce’ and then call ‘ccm_update’ to generate the digest of any authenticated data. After all of the authenticated data has been digested use ‘ccm_encrypt’ to encrypt the plaintext. Finally, use ‘ccm_digest’ to return the encrypted MAC. To decrypt a message, use ‘ccm_set_nonce’ and ‘ccm_update’ the same as you would for encryption, and then call ‘ccm_decrypt’ to decrypt the ciphertext. After decrypting the ciphertext ‘ccm_digest’ will return the encrypted MAC which should be identical to the MAC in the received message. 6.4.3.2 CCM message interface ............................. The CCM message fuctions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by MLENGTH and the length of the ciphertext is given by CLENGTH, always exactly TLENGTH bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, CLENGTH for the encryption functions, and MLENGTH for the decryption functions. -- Function: void ccm_encrypt_message (void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the encrypted MAC to ciphertext and outputs it to DST. -- Function: int ccm_decrypt_message (void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the MAC from ADATA and the plaintext, and compares it to the final TLENGTH bytes of SRC. If the values of the received and calculated MACs are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. 6.4.3.3 CCM-AES interface ......................... The AES CCM functions provide an API for using CCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the CIPHER, F, and CTX parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface. -- Context struct: struct ccm_aes128_ctx Holds state corresponding to a particular message encrypted using the AES-128 block cipher. -- Context struct: struct ccm_aes192_ctx Holds state corresponding to a particular message encrypted using the AES-192 block cipher. -- Context struct: struct ccm_aes256_ctx Holds state corresponding to a particular message encrypted using the AES-256 block cipher. -- Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *CTX, const uint8_t *KEY) -- Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *CTX, const uint8_t *KEY) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES CCM interface. -- Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) -- Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) -- Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) These are identical to ‘ccm_set_nonce’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_update (struct ccm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void ccm_aes192_update (struct ccm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void ccm_aes256_update (struct ccm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) These are identical to ‘ccm_set_update’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘ccm_set_encrypt’ and ‘ccm_set_decrypt’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_digest (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void ccm_aes192_digest (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void ccm_aes256_digest (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) These are identical to ‘ccm_set_digest’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘ccm_encrypt_message’ and ‘ccm_decrypt_message’ except that CIPHER and F are replaced with a context structure.  File: nettle.info, Node: ChaCha-Poly1305, Next: nettle_aead abstraction, Prev: CCM, Up: Authenticated encryption 6.4.4 ChaCha-Poly1305 --------------------- ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (*note Poly1305::). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha. Nettle’s implementation ChaCha-Poly1305 should be considered *experimental*. At the time of this writing, there is no authoritative specification for ChaCha-Poly1305, and a couple of different incompatible variants. Nettle implements it using the original definition of ChaCha, with 64 bits (8 octets) each for the nonce and the block counter. Some protocols prefer to use nonces of 12 bytes, and it’s a small change to ChaCha to use the upper 32 bits of the block counter as a nonce, instead limiting message size to 2^32 blocks or 256 GBytes, but that variant is currently not supported. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver’s behaviour) that the forgery succeeded. The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in ‘’. -- Constant: CHACHA_POLY1305_BLOCK_SIZE Same as the ChaCha block size, 64. -- Constant: CHACHA_POLY1305_KEY_SIZE ChaCha-Poly1305 key size, 32. -- Constant: CHACHA_POLY1305_NONCE_SIZE Same as the ChaCha nonce size, 16. -- Constant: CHACHA_POLY1305_DIGEST_SIZE Digest size, 16. -- Context struct: struct chacha_poly1305_ctx -- Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. Before using the context, you _must_ also call ‘chacha_poly1305_set_nonce’, see below. -- Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *CTX, const uint8_t *NONCE) Initializes the per-message state, using the given nonce. -- Function: void chacha_poly1305_update (struct chacha_poly1305_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. -- Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If LENGTH is smaller than ‘CHACHA_POLY1305_DIGEST_SIZE’, only the first LENGTH octets of the digest are written.  File: nettle.info, Node: nettle_aead abstraction, Prev: ChaCha-Poly1305, Up: Authenticated encryption 6.4.5 The ‘struct nettle_aead’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash functions. It is defined in ‘’. -- Meta struct: ‘struct nettle_aead’ name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest The last seven attributes are function pointers. -- Constant Struct: struct nettle_aead nettle_gcm_aes128 -- Constant Struct: struct nettle_aead nettle_gcm_aes192 -- Constant Struct: struct nettle_aead nettle_gcm_aes256 -- Constant Struct: struct nettle_aead nettle_gcm_camellia128 -- Constant Struct: struct nettle_aead nettle_gcm_camellia256 -- Constant Struct: struct nettle_aead nettle_eax_aes128 -- Constant Struct: struct nettle_aead nettle_chacha_poly1305 These are most of the AEAD constructions that Nettle implements. Note that CCM is missing; it requirement that the message size is specified in advance makes it incompatible with the ‘nettle_aead’ abstraction. Nettle also exports a list of all these constructions. -- Function: const struct nettle_aead **nettle_get_aeads(void) Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_aeads A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers.  File: nettle.info, Node: Keyed hash functions, Next: Key derivation functions, Prev: Authenticated encryption, Up: Reference 6.5 Keyed Hash Functions ======================== A “keyed hash function”, or “Message Authentication Code” (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs. Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC and attaches it to the message. The receiver, Bob, also computes the MAC of the message, using the same key, and compares that to Alice’s value. If they match, Bob can be assured that the message has not been modified on its way from Alice. However, unlike digital signatures, this assurance is not transferable. Bob can’t show the message and the MAC to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the _same_ key is used on both sides, and anyone knowing the key can create a correct MAC for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn’t attach a MAC to a particular message, he knows it must be Alice who did it. However, the third party can’t distinguish between a MAC created by Alice and one created by Bob. Keyed hash functions are typically a lot faster than digital signatures as well. * Menu: * HMAC:: * UMAC:: * Poly1305::  File: nettle.info, Node: HMAC, Next: UMAC, Prev: Keyed hash functions, Up: Keyed hash functions 6.5.1 HMAC ---------- One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is HMAC, described in ‘RFC 2104’. For an underlying hash function ‘H’, with digest size ‘l’ and internal block size ‘b’, HMAC-H is constructed as follows: From a given key ‘k’, two distinct subkeys ‘k_i’ and ‘k_o’ are constructed, both of length ‘b’. The HMAC-H of a message ‘m’ is then computed as ‘H(k_o | H(k_i | m))’, where ‘|’ denotes string concatenation. HMAC keys can be of any length, but it is recommended to use keys of length ‘l’, the digest size of the underlying hash function ‘H’. Keys that are longer than ‘b’ are shortened to length ‘l’ by hashing with ‘H’, so arbitrarily long keys aren’t very useful. Nettle’s HMAC functions are defined in ‘’. There are abstract functions that use a pointer to a ‘struct nettle_hash’ to represent the underlying hash function and ‘void *’ pointers that point to three different context structs for that hash function. There are also concrete functions for HMAC-MD5, HMAC-RIPEMD160 HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512. First, the abstract functions: -- Function: void hmac_set_key (void *OUTER, void *INNER, void *STATE, const struct nettle_hash *H, size_t LENGTH, const uint8_t *KEY) Initializes the three context structs from the key. The OUTER and INNER contexts corresponds to the subkeys ‘k_o’ and ‘k_i’. STATE is used for hashing the message, and is initialized as a copy of the INNER context. -- Function: void hmac_update (void *STATE, const struct nettle_hash *H, size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. Actually, ‘hmac_update(state, H, length, data)’ is equivalent to ‘H->update(state, length, data)’, so if you wish you can use the ordinary update function of the underlying hash function instead. -- Function: void hmac_digest (const void *OUTER, const void *INNER, void *STATE, const struct nettle_hash *H, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. OUTER and INNER are not modified. LENGTH is usually equal to ‘H->digest_size’, but if you provide a smaller value, only the first LENGTH octets of the MAC are written. This function also resets the STATE context so that you can start over processing a new message (with the same key). Like for CBC, there are some macros to help use these functions correctly. -- Macro: HMAC_CTX (TYPE) Expands to { type outer; type inner; type state; } It can be used to define a HMAC context struct, either directly, struct HMAC_CTX(struct md5_ctx) ctx; or to give it a struct tag, struct hmac_md5_ctx HMAC_CTX (struct md5_ctx); -- Macro: HMAC_SET_KEY (CTX, H, LENGTH, KEY) CTX is a pointer to a context struct as defined by ‘HMAC_CTX’, H is a pointer to a ‘const struct nettle_hash’ describing the underlying hash function (so it must match the type of the components of CTX). The last two arguments specify the secret key. -- Macro: HMAC_DIGEST (CTX, H, LENGTH, DIGEST) CTX is a pointer to a context struct as defined by ‘HMAC_CTX’, H is a pointer to a ‘const struct nettle_hash’ describing the underlying hash function. The last two arguments specify where the digest is written. Note that there is no ‘HMAC_UPDATE’ macro; simply call ‘hmac_update’ function directly, or the update function of the underlying hash function. 6.5.2 Concrete HMAC functions ----------------------------- Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions. 6.5.2.1 HMAC-MD5 ................ -- Context struct: struct hmac_md5_ctx -- Function: void hmac_md5_set_key (struct hmac_md5_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_md5_update (struct hmac_md5_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_md5_digest (struct hmac_md5_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘MD5_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 6.5.2.2 HMAC-RIPEMD160 ...................... -- Context struct: struct hmac_ripemd160_ctx -- Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘RIPEMD160_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 6.5.2.3 HMAC-SHA1 ................. -- Context struct: struct hmac_sha1_ctx -- Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha1_update (struct hmac_sha1_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha1_digest (struct hmac_sha1_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘SHA1_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 6.5.2.4 HMAC-SHA256 ................... -- Context struct: struct hmac_sha256_ctx -- Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha256_update (struct hmac_sha256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha256_digest (struct hmac_sha256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘SHA256_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 6.5.2.5 HMAC-SHA512 ................... -- Context struct: struct hmac_sha512_ctx -- Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha512_update (struct hmac_sha512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha512_digest (struct hmac_sha512_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘SHA512_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key.  File: nettle.info, Node: UMAC, Next: Poly1305, Prev: HMAC, Up: Keyed hash functions 6.5.3 UMAC ---------- UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, *Note GCM::, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. UMAC is specified in ‘RFC 4418’. The secret key is always 128 bits (16 octets). The key is used as an encryption key for the AES block cipher. This cipher is used in counter mode to generate various internal subkeys needed in UMAC. Messages are of arbitrary size, and for each message, UMAC also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret. The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle’s implementation of UMAC increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is “abc” (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to “abd”, and this incremented value is zero-padded to 16 octets. UMAC is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and MAC functions, Nettle’s ‘_digest’ functions for UMAC accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the umac variant corresponding to the desired size. The internal block size of UMAC is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and MAC algorithms in Nettle. Nettle defines UMAC in ‘’. -- Context struct: struct umac32_ctx -- Context struct: struct umac64_ctx -- Context struct: struct umac96_ctx -- Context struct: struct umac128_ctx Each UMAC variant uses its own context struct. -- Constant: UMAC_KEY_SIZE The UMAC key size, 16. -- Constant: UMAC_MIN_NONCE_SIZE -- Constant: UMAC_MAX_NONCE_SIZE The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively. -- Constant: UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. -- Constant: UMAC64_DIGEST_SIZE The size of an UMAC64 digest, 8. -- Constant: UMAC96_DIGEST_SIZE The size of an UMAC96 digest, 12. -- Constant: UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. -- Constant: UMAC_BLOCK_SIZE The internal block size of UMAC. -- Function: void umac32_set_key (struct umac32_ctx *CTX, const uint8_t *KEY) -- Function: void umac64_set_key (struct umac64_ctx *CTX, const uint8_t *KEY) -- Function: void umac96_set_key (struct umac96_ctx *CTX, const uint8_t *KEY) -- Function: void umac128_set_key (struct umac128_ctx *CTX, const uint8_t *KEY) These functions initialize the UMAC context struct. They also initialize the nonce to zero (with length 16, for auto-increment). -- Function: void umac32_set_nonce (struct umac32_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac64_set_nonce (struct umac64_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac96_set_nonce (struct umac96_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac128_set_nonce (struct umac128_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called _before_ the first ‘_update’ call for the message. -- Function: void umac32_update (struct umac32_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac64_update (struct umac64_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac96_update (struct umac96_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac128_update (struct umac128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) These functions are called zero or more times to process the message. -- Function: void umac32_digest (struct umac32_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void umac64_digest (struct umac64_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void umac96_digest (struct umac96_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void umac128_digest (struct umac128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. LENGTH is usually equal to the specified output size, but if you provide a smaller value, only the first LENGTH octets of the MAC are written. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the ‘_set_nonce’ function explicitly for each message.  File: nettle.info, Node: Poly1305, Prev: UMAC, Up: Keyed hash functions 6.5.4 Poly1305 -------------- Poly1305-AES is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number 2^130 - 5. The key, 256 bits, consists of two parts, where the first half is an AES-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point ‘r’. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the AES key, and that’s the only thing AES is used for. The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo 2^130 - 5, and the polynomial is evaluated at the point ‘r’. Finally, this value is reduced modulo 2^128, and added (also modulo 2^128) to the encrypted nonce, to produce an 128-bit authenticator for the message. See for further details. Clearly, variants using a different cipher than AES could be defined. Another variant is the ChaCha-Poly1305 AEAD construction (*note ChaCha-Poly1305::). Nettle defines Poly1305-AES in ‘nettle/poly1305.h’. -- Constant: POLY1305_AES_KEY_SIZE Key size, 32 octets. -- Constant: POLY1305_AES_DIGEST_SIZE Size of the digest or “authenticator”, 16 octets. -- Constant: POLY1305_AES_NONCE_SIZE Nonce size, 16 octets. -- Context struct: struct poly1305_aes_ctx The poly1305-aes context struct. -- Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *CTX, const uint8_t *KEY) Initialize the context struct. Also sets the nonce to zero. -- Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *CTX, const uint8_t *NONCE) Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message. -- Function: void poly1305_aes_update (struct poly1305_aes_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process more data. -- Function: void poly1305_aes_digest (struct poly1305_aes_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the digest. If LENGTH is smaller than ‘POLY1305_AES_DIGEST_SIZE’, only the first LENGTH octets are written. Also increments the nonce, and prepares the context for processing a new message.  File: nettle.info, Node: Key derivation functions, Next: Public-key algorithms, Prev: Keyed hash functions, Up: Reference 6.6 Key derivation Functions ============================ A “key derivation function” (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the “password-based key derivation functions” (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation. 6.6.1 HKDF: HMAC-based Extract-and-Expand ----------------------------------------- HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in ‘RFC 5869’, and is split into two logical modules, called ’extract’ and ’expand’. The extract module takes an initial secret and a random salt to "extract" a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys. Nettle’s HKDF functions are defined in ‘’. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the ‘nettle_hash_update_func’, and ‘nettle_hash_digest_func’ interfaces. -- Function: void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst) Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the secret SECRET of length SECRET_LENGTH. The output length is fixed to DIGEST_SIZE octets, thus the output buffer DST must have room for at least DIGEST_SIZE octets. -- Function: void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the info INFO of length INFO_LENGTH, and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. 6.6.2 PBKDF2 ------------ The most well known PBKDF is the ‘PKCS #5 PBKDF2’ described in ‘RFC 2898’ which uses a pseudo-random function such as HMAC-SHA1. Nettle’s PBKDF2 functions are defined in ‘’. There is an abstract function that operate on any PRF implemented via the ‘nettle_hash_update_func’, ‘nettle_hash_digest_func’ interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, the abstract function: -- Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the salt SALT of length SALT_LENGTH, the iteration counter ITERATIONS (> 0), and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. Like for CBC and HMAC, there is a macro to help use the function correctly. -- Macro: PBKDF2 (CTX, UPDATE, DIGEST, DIGEST_SIZE, ITERATIONS, SALT_LENGTH, SALT, LENGTH, DST) CTX is a pointer to a context struct passed to the UPDATE and DIGEST functions (of the types ‘nettle_hash_update_func’ and ‘nettle_hash_digest_func’ respectively) to implement the underlying PRF with digest size of DIGEST_SIZE. Inputs are the salt SALT of length SALT_LENGTH, the iteration counter ITERATIONS (> 0), and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. 6.6.3 Concrete PBKDF2 functions ------------------------------- Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function. 6.6.3.1 PBKDF2-HMAC-SHA1 ........................ -- Function: void pbkdf2_hmac_sha1 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA1. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 6.6.3.2 PBKDF2-HMAC-SHA256 .......................... -- Function: void pbkdf2_hmac_sha256 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA256. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets.  File: nettle.info, Node: Public-key algorithms, Next: Randomness, Prev: Key derivation functions, Up: Reference 6.7 Public-key algorithms ========================= Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, you must install GMP, at least version 3.0, before compiling Nettle, and you need to link your programs with ‘-lhogweed -lnettle -lgmp’. The concept of “Public-key” encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, “symmetric”, cryptography, sender and receiver share the same keys, and these keys must be distributed in a secure way. And if there are many users or entities that need to communicate, each _pair_ needs a shared secret key known by nobody else. Public-key cryptography uses trapdoor one-way functions. A “one-way function” is a function ‘F’ such that it is easy to compute the value ‘F(x)’ for any ‘x’, but given a value ‘y’, it is hard to compute a corresponding ‘x’ such that ‘y = F(x)’. Two examples are cryptographic hash functions, and exponentiation in certain groups. A “trapdoor one-way function” is a function ‘F’ that is one-way, unless one knows some secret information about ‘F’. If one knows the secret, it is easy to compute both ‘F’ and it’s inverse. If this sounds strange, look at the RSA example below. Two important uses for one-way functions with trapdoors are public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures. To use a digital signature algorithm, one must first create a “key-pair”: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user’s list of known public keys), bad things may happen. There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can’t cut it out of context and glue it to a different message. The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the “someone” also knows the private key corresponding to the public key. The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation. Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as “grant access to whoever knows the private key corresponding to this particular public key, and to no others”. * Menu: * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA  File: nettle.info, Node: RSA, Next: DSA, Prev: Public-key algorithms, Up: Public-key algorithms 6.7.1 RSA --------- The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the USA in 1983. The patent expired on September 20, 2000, and since that day, RSA can be used freely, even in the USA. It’s remarkably simple to describe the trapdoor function behind RSA. The “one-way”-function used is F(x) = x^e mod n I.e. raise x to the ‘e’’th power, while discarding all multiples of ‘n’. The pair of numbers ‘n’ and ‘e’ is the public key. ‘e’ can be quite small, even ‘e = 3’ has been used, although slightly larger numbers are recommended. ‘n’ should be about 2000 bits or larger. If ‘n’ is large enough, and properly chosen, the inverse of F, the computation of ‘e’’th roots modulo ‘n’, is very difficult. But, where’s the trapdoor? Let’s first look at how RSA key-pairs are generated. First ‘n’ is chosen as the product of two large prime numbers ‘p’ and ‘q’ of roughly the same size (so if ‘n’ is 2000 bits, ‘p’ and ‘q’ are about 1000 bits each). One also computes the number ‘phi = (p-1)(q-1)’, in mathematical speak, ‘phi’ is the order of the multiplicative group of integers modulo n. Next, ‘e’ is chosen. It must have no factors in common with ‘phi’ (in particular, it must be odd), but can otherwise be chosen more or less randomly. ‘e = 65537’ is a popular choice, because it makes raising to the ‘e’’th power particularly efficient, and being prime, it usually has no factors common with ‘phi’. Finally, a number ‘d’, ‘d < n’ is computed such that ‘e d mod phi = 1’. It can be shown that such a number exists (this is why ‘e’ and ‘phi’ must have no common factors), and that for all x, (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x Using Euclid’s algorithm, ‘d’ can be computed quite easily from ‘phi’ and ‘e’. But it is still hard to get ‘d’ without knowing ‘phi’, which depends on the factorization of ‘n’. So ‘d’ is the trapdoor, if we know ‘d’ and ‘y = F(x)’, we can recover x as ‘y^d mod n’. ‘d’ is also the private half of the RSA key-pair. The most common signature operation for RSA is defined in ‘PKCS#1’, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. MD5 or SHA1. Next, some padding, the ASN.1 “Algorithm Identifier” for the hash function, and the message digest itself, are concatenated and converted to a number ‘x’. The signature is computed from ‘x’ and the private key as ‘s = x^d mod n’(1) (*note RSA-Footnote-1::). The signature, ‘s’ is a number of about the same size of ‘n’, and it usually encoded as a sequence of octets, most significant octet first. The verification operation is straight-forward, ‘x’ is computed from the message in the same way as above. Then ‘s^e mod n’ is computed, the operation returns true if and only if the result equals ‘x’. The RSA algorithm can also be used for encryption. RSA encryption uses the public key ‘(n,e)’ to compute the ciphertext ‘m^e mod n’. The ‘PKCS#1’ padding scheme will use at least 8 random and non-zero octets, using M of the form ‘[00 02 padding 00 plaintext]’. It is required that ‘m < n’, and therefor the plaintext must be smaller than the octet size of the modulo ‘n’, with some margin. To decrypt the message, one needs the private key to compute ‘m = c^e mod n’ followed by checking and removing the padding. 6.7.1.1 Nettle’s RSA support ............................ Nettle represents RSA keys using two structures that contain large numbers (of type ‘mpz_t’). -- Context struct: rsa_public_key size n e ‘size’ is the size, in octets, of the modulo, and is used internally. ‘n’ and ‘e’ is the public key. -- Context struct: rsa_private_key size d p q a b c ‘size’ is the size, in octets, of the modulo, and is used internally. ‘d’ is the secret exponent, but it is not actually used when signing. Instead, the factors ‘p’ and ‘q’, and the parameters ‘a’, ‘b’ and ‘c’ are used. They are computed from ‘p’, ‘q’ and ‘e’ such that ‘a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1’. Before use, these structs must be initialized by calling one of -- Function: void rsa_public_key_init (struct rsa_public_key *PUB) -- Function: void rsa_private_key_init (struct rsa_private_key *KEY) Calls ‘mpz_init’ on all numbers in the key struct. and when finished with them, the space for the numbers must be deallocated by calling one of -- Function: void rsa_public_key_clear (struct rsa_public_key *PUB) -- Function: void rsa_private_key_clear (struct rsa_private_key *KEY) Calls ‘mpz_clear’ on all numbers in the key struct. In general, Nettle’s RSA functions deviates from Nettle’s “no memory allocation”-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see *Note GMP Allocation: (gmp)Custom Allocation. When you have assigned values to the attributes of a key, you must call -- Function: int rsa_public_key_prepare (struct rsa_public_key *PUB) -- Function: int rsa_private_key_prepare (struct rsa_private_key *KEY) Computes the octet size of the key (stored in the ‘size’ attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can’t be used, for instance if the modulo is smaller than the minimum size needed for RSA operations specified by PKCS#1. For each operation using the private key, there are two variants, e.g., ‘rsa_sha256_sign’ and ‘rsa_sha256_sign_tr’. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized RSA blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key. Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function’s context struct to the RSA signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with RSA signatures, since there’s no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. Creating an RSA signature is done with one of the following functions: -- Function: int rsa_md5_sign_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct md5_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha1_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha256_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha512_ctx *HASH, mpz_t SIGNATURE) The signature is stored in SIGNATURE (which must have been ‘mpz_init’’ed earlier). The hash context is reset so that it can be used for new messages. The RANDOM_CTX and RANDOM pointers are used to generate the RSA blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key. -- Function: int rsa_md5_sign_digest_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_digest_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_digest_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_digest_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature from the given hash digest. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. -- Function: int rsa_pkcs1_sign_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LENGTH, const uint8_t *DIGEST_INFO, mpz_t SIGNATURE) Similar to the above ‘_sign_digest_tr’ functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. -- Function: int rsa_md5_sign (const struct rsa_private_key *KEY, struct md5_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign (const struct rsa_private_key *KEY, struct sha1_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign (const struct rsa_private_key *KEY, struct sha256_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign (const struct rsa_private_key *KEY, struct sha512_ctx *HASH, mpz_t SIGNATURE) The signature is stored in SIGNATURE (which must have been ‘mpz_init’’ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key. -- Function: int rsa_md5_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE); -- Function: int rsa_sha256_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE); -- Function: int rsa_sha512_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE); Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’, respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. -- Function: int rsa_pkcs1_sign(const struct rsa_private_key *KEY, size_t LENGTH, const uint8_t *DIGEST_INFO, mpz_t S) Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. Verifying an RSA signature is done with one of the following functions: -- Function: int rsa_md5_verify (const struct rsa_public_key *KEY, struct md5_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha1_verify (const struct rsa_public_key *KEY, struct sha1_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha256_verify (const struct rsa_public_key *KEY, struct sha256_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify (const struct rsa_public_key *KEY, struct sha512_ctx *HASH, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn’t. In either case, the hash context is reset so that it can be used for new messages. -- Function: int rsa_md5_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha1_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha256_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn’t. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’ respectively. -- Function: int rsa_pkcs1_verify(const struct rsa_public_key *KEY, size_t LENGTH, const uint8_t *DIGEST_INFO, const mpz_t SIGNATURE) Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. While the above functions for the RSA signature operations use the ‘PKCS#1’ padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in ‘RFC 3447’. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the RSA algorithm, a longer salt value does not always mean a better security . The typical choices of the length are between 0 and the digest size of the underlying hash function. Creating an RSA signature with the PSS padding scheme is done with one of the following functions: -- Function: int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature using the PSS padding scheme. SALT should point to a salt string of size SALT_LENGTH. DIGEST should point to a digest of size ‘SHA256_DIGEST_SIZE’, ‘SHA384_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. Verifying an RSA signature with the PSS padding scheme is done with one of the following functions: -- Function: int rsa_pss_sha256_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_pss_sha384_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_pss_sha512_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn’t. DIGEST should point to a digest of size ‘SHA256_DIGEST_SIZE’, ‘SHA384_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’ respectively. The following function is used to encrypt a clear text message using RSA. -- Function: int rsa_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LENGTH, const uint8_t *CLEARTEXT, mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure. The following function is used to decrypt a cipher text message using RSA. -- Function: int rsa_decrypt (const struct rsa_private_key *KEY, size_t *LENGTH, uint8_t *CLEARTEXT, const mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by CLEARTEXT must be of size *LENGTH. After decryption, *LENGTH will be updated with the size of the message. There is also a timing resistant version of decryption that utilizes randomized RSA blinding. -- Function: int rsa_decrypt_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t *LENGTH, uint8_t *MESSAGE, const mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. If you need to use the RSA trapdoor, the private key, in a way that isn’t supported by the above functions Nettle also includes a function that computes ‘x^d mod n’ and nothing more, using the CRT optimization. -- Function: int rsa_compute_root_tr(const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, mpz_t X, const mpz_t M) Computes ‘x = m^d’. Returns one on success, or zero if a failure in the computation was detected. -- Function: void rsa_compute_root (struct rsa_private_key *KEY, mpz_t X, const mpz_t M) Computes ‘x = m^d’. At last, how do you create new keys? -- Function: int rsa_generate_keypair (struct rsa_public_key *PUB, struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, void *PROGRESS_CTX, nettle_progress_func PROGRESS, unsigned N_SIZE, unsigned E_SIZE); There are lots of parameters. PUB and KEY is where the resulting key pair is stored. The structs should be initialized, but you don’t need to call ‘rsa_public_key_prepare’ or ‘rsa_private_key_prepare’ after key generation. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. SIZE_N is the desired size of the modulo, in bits. If SIZE_E is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if E_SIZE is zero, it is assumed that the caller has already chosen a value for ‘e’, and stored it in PUB. Returns one on success, and zero on failure. The function can fail for example if if N_SIZE is too small, or if E_SIZE is zero and ‘pub->e’ is an even number.  File: nettle.info, Node: RSA-Footnotes, Up: RSA (1) Actually, the computation is not done like this, it is done more efficiently using ‘p’, ‘q’ and the Chinese remainder theorem (CRT). But the result is the same.  File: nettle.info, Node: DSA, Next: Elliptic curves, Prev: RSA, Up: Public-key algorithms 6.7.2 DSA --------- The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1. For DSA, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime ‘p’, a small prime ‘q’ which is a factor of ‘p-1’, a number ‘g’ which generates a subgroup of order ‘q’ modulo ‘p’, and an element ‘y’ in that subgroup. In the original DSA, the size of ‘q’ is fixed to 160 bits, to match with the SHA1 hash algorithm. The size of ‘p’ is in principle unlimited, but the standard specifies only nine specific sizes: ‘512 + l*64’, where ‘l’ is between 0 and 8. Thus, the maximum size of ‘p’ is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. The subgroup requirement means that if you compute g^t mod p for all possible integers ‘t’, you will get precisely ‘q’ distinct values. The private key is a secret exponent ‘x’, such that g^x = y mod p In mathematical speak, ‘x’ is the “discrete logarithm” of ‘y’ mod ‘p’, with respect to the generator ‘g’. The size of ‘x’ will also be about the same size as ‘q’. The security of the DSA algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack DSA, are of two types. The first type works directly in the (multiplicative) group of integers mod ‘p’. The best known algorithm of this type is the Number Field Sieve, and it’s complexity is similar to the complexity of factoring numbers of the same size as ‘p’. The other type works in the smaller ‘q’-sized subgroup generated by ‘g’, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity ‘sqrt(q)’. The important point is that security depends on the size of _both_ ‘p’ and ‘q’, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original DSA may be uncomfortably small. Using a ‘p’ of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit RSA modulo, and using a ‘q’ of size 160 bits implies that cracking using Pollard-rho will take roughly ‘2^80’ group operations. With the size of ‘q’ fixed, tied to the SHA1 digest size, it may be tempting to increase the size of ‘p’ to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack. The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (*note Randomness::). Let us describe the common case of a 160-bit ‘q’. To create a signature, one starts with the hash digest of the message, ‘h’, which is a 160 bit number, and a random number ‘k, 0’. A DSA group is represented using the following struct. -- Context struct: dsa_params p q g Parameters of the DSA group. -- Function: void dsa_params_init (struct dsa_params *PARAMS) Calls ‘mpz_init’ on all numbers in the struct. -- Function: void dsa_params_clear (struct dsa_params *PARAMSparams) Calls ‘mpz_clear’ on all numbers in the struct. -- Function: int dsa_generate_params (struct dsa_params *PARAMS, void *RANDOM_CTX, nettle_random_func *RANDOM, void *PROGRESS_CTX, nettle_progress_func *PROGRESS, unsigned P_BITS, unsigned Q_BITS) Generates paramaters of a new group. The PARAMS struct should be initialized before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. P_BITS and Q_BITS are the desired sizes of ‘p’ and ‘q’. To generate keys that conform to the original DSA standard, you must use ‘q_bits = 160’ and select P_BITS of the form ‘p_bits = 512 + l*64’, for ‘0 <= l <= 8’, where the smaller sizes are no longer recommended, so you should most likely stick to ‘p_bits = 1024’. Non-standard sizes are possible, in particular ‘p_bits’ larger than 1024, although DSA implementations can not in general be expected to support such keys. Also note that using very large P_BITS, with Q_BITS fixed at 160, doesn’t make much sense, because the security is also limited by the size of the smaller prime. To generate DSA keys for use with SHA256, use ‘q_bits = 256’ and, e.g., ‘p_bits = 2048’. Returns one on success, and zero on failure. The function will fail if Q_BITS is too small, or too close to P_BITS. Signatures are represented using the structure below. -- Context struct: dsa_signature r s -- Function: void dsa_signature_init (struct dsa_signature *SIGNATURE) -- Function: void dsa_signature_clear (struct dsa_signature *SIGNATURE) You must call ‘dsa_signature_init’ before creating or using a signature, and call ‘dsa_signature_clear’ when you are finished with it. Keys are represented as bignums, of type ‘mpz_t’. A public keys represent a group element, and is of the same size as ‘p’, while a private key is an exponent, of the same size as ‘q’. -- Function: int dsa_sign (const struct dsa_params *PARAMS, const mpz_t X, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_SIZE, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Creates a signature from the given hash digest, using the private key X. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo ‘q’ fails. -- Function: int dsa_verify (const struct dsa_params *PARAMS, const mpz_t Y, size_t DIGEST_SIZE, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0. To generate a keypair, first generate a DSA group using ‘dsa_generate_params’. A keypair in this group is then created using -- Function: void dsa_generate_keypair (const struct dsa_params *PARAMS, mpz_t PUB, mpz_t KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) Generates a new keypair, using the group PARAMS. The public key is stored in PUB, and the private key in KEY. Both variables must be initialized using ‘mpz_init’ before this call. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. 6.7.2.2 Old, deprecated, DSA interface ...................................... Versions before nettle-3.0 used a different interface for DSA signatures, where the group parameters and the public key was packed together as ‘struct dsa_public_key’. Most of this interface is kept for backwards compatibility, and declared in ‘nettle/dsa-compat.h’. Below is the old documentation. The old and new interface use distinct names and don’t confict, with one exception: The key generation function. The ‘nettle/dsa-compat.h’ redefines ‘dsa_generate_keypair’ as an alias for ‘dsa_compat_generate_keypair’, compatible with the old interface and documented below. The old DSA functions are very similar to the corresponding RSA functions, but there are a few differences pointed out below. For a start, there are no functions corresponding to ‘rsa_public_key_prepare’ and ‘rsa_private_key_prepare’. -- Context struct: dsa_public_key p q g y The public parameters described above. -- Context struct: dsa_private_key x The private key ‘x’. Before use, these structs must be initialized by calling one of -- Function: void dsa_public_key_init (struct dsa_public_key *PUB) -- Function: void dsa_private_key_init (struct dsa_private_key *KEY) Calls ‘mpz_init’ on all numbers in the key struct. When finished with them, the space for the numbers must be deallocated by calling one of -- Function: void dsa_public_key_clear (struct dsa_public_key *PUB) -- Function: void dsa_private_key_clear (struct dsa_private_key *KEY) Calls ‘mpz_clear’ on all numbers in the key struct. Signatures are represented using ‘struct dsa_signature’, described earlier. For signing, you need to provide both the public and the private key (unlike RSA, where the private key struct includes all information needed for signing), and a source for random numbers. Signatures can use the SHA1 or the SHA256 hash function, although the implementation of DSA with SHA256 should be considered somewhat experimental due to lack of official test vectors and interoperability testing. -- Function: int dsa_sha1_sign (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, struct sha1_ctx *HASH, struct dsa_signature *SIGNATURE) -- Function: int dsa_sha1_sign_digest (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_sign (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, struct sha256_ctx *HASH, struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_sign_digest (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Creates a signature from the given hash context or digest. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. Returns one on success, or zero on failure. Signing fails if the key size and the hash size don’t match. Verifying signatures is a little easier, since no randomness generator is needed. The functions are -- Function: int dsa_sha1_verify (const struct dsa_public_key *KEY, struct sha1_ctx *HASH, const struct dsa_signature *SIGNATURE) -- Function: int dsa_sha1_verify_digest (const struct dsa_public_key *KEY, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_verify (const struct dsa_public_key *KEY, struct sha256_ctx *HASH, const struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_verify_digest (const struct dsa_public_key *KEY, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Verifies a signature. Returns 1 if the signature is valid, otherwise 0. Key generation uses mostly the same parameters as the corresponding RSA function. -- Function: int dsa_compat_generate_keypair (struct dsa_public_key *PUB, struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, void *PROGRESS_CTX, nettle_progress_func PROGRESS, unsigned P_BITS, unsigned Q_BITS) PUB and KEY is where the resulting key pair is stored. The structs should be initialized before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. P_BITS and Q_BITS are the desired sizes of ‘p’ and ‘q’. See ‘dsa_generate_keypair’ for details.  File: nettle.info, Node: Elliptic curves, Prev: DSA, Up: Public-key algorithms 6.7.3 Elliptic curves --------------------- For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If P and Q are two points, and k is an integer, the point sum, P + Q, and the multiple k P can be computed efficiently, but given only two points P and Q, finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem. Nettle supports standard curves which are all of the form y^2 = x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), both considered as integers modulo a specified prime p. Curves are represented as a ‘struct ecc_curve’. It also supports curve25519, which uses a different form of curve. Supported curves are declared in ‘’, e.g., call ‘nettle_get_secp_256r1’ for a standardized curve using the 256-bit prime p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1. The contents of these structs is not visible to nettle users. The “bitsize of the curve” is used as a shorthand for the bitsize of the curve’s prime p, e.g., 256 bits for the SECP 256R1 curve. * Menu: * Side-channel silence:: * ECDSA:: * Curve 25519::  File: nettle.info, Node: Side-channel silence, Next: ECDSA, Up: Elliptic curves 6.7.3.1 Side-channel silence ............................ Nettle’s implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are: • Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. • Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries. Nettle’s ECC implementation is designed to be “side-channel silent”, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks.  File: nettle.info, Node: ECDSA, Next: Curve 25519, Prev: Side-channel silence, Up: Elliptic curves 6.7.3.2 ECDSA ............. ECDSA is a variant of the DSA digital signature scheme (*note DSA::), which works over an elliptic curve group rather than over a (subgroup of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. Nettle defines ECDSA in ‘’. We first need to define the data types used to represent public and private keys. -- struct: struct ecc_point Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key. -- Function: void ecc_point_init (struct ecc_point *P, const struct ecc_curve *ECC) Initializes P to represent points on the given curve ECC. Allocates storage for the coordinates, using the same allocation functions as GMP. -- Function: void ecc_point_clear (struct ecc_point *P) Deallocate storage. -- Function: int ecc_point_set (struct ecc_point *P, const mpz_t X, const mpz_t Y) Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed. -- Function: void ecc_point_get (const struct ecc_point *P, mpz_t X, mpz_t Y) Extracts the coordinate of the point P. The output parameters X or Y may be NULL if the caller doesn’t want that coordinate. -- struct: struct ecc_scalar Represents an integer in the range 0 < x < group order, where the “group order” refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key. -- Function: void ecc_scalar_init (struct ecc_scalar *S, const struct ecc_curve *ECC) Initializes S to represent a scalar suitable for the given curve ECC. Allocates storage using the same allocation functions as GMP. -- Function: void ecc_scalar_clear (struct ecc_scalar *S) Deallocate storage. -- Function: int ecc_scalar_set (struct ecc_scalar *S, const mpz_t Z) Check that Z is in the correct range. If so, copies the value to S and returns 1, otherwise returns 0. -- Function: void ecc_scalar_get (const struct ecc_scalar *S, mpz_t Z) Extracts the scalar, in GMP ‘mpz_t’ representation. To create and verify ECDSA signatures, the following functions are used. -- Function: void ecdsa_sign (const struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_LENGTH, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Uses the private key KEY to create a signature on DIGEST. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. The signature is stored in SIGNATURE, in the same was as for plain DSA. -- Function: int ecdsa_verify (const struct ecc_point *PUB, size_t LENGTH, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Uses the public key PUB to verify that SIGNATURE is a valid signature for the message digest DIGEST (of LENGTH octets). Returns 1 if the signature is valid, otherwise 0. Finally, generating a new ECDSA key pair: -- Function: void ecdsa_generate_keypair (struct ecc_point *PUB, struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM); PUB and KEY is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::.  File: nettle.info, Node: Curve 25519, Prev: ECDSA, Up: Elliptic curves 6.7.3.3 Curve25519 .................. Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in ‘RFC 7748’. The group generator is defined by x = 9 (there are actually two points with x = 9, differing by the sign of the y-coordinate, but that doesn’t matter for the curve25519 operations which work with the x-coordinate only). The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored. For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range 2^251 <= s < 2^252. Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value x for which the the curve equation can be solved for y. The other half correspond to points on a related “twist curve”. The function ‘curve25519_mul’ uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by ‘RFC 7748’. The output is therefore well defined for _all_ possible inputs, no matter if the input string represents a valid point on the curve or not. Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from ‘RFC 7748’, in that bit 255 of the x coordinate of the point input to curve25519_mul was not ignored. The ‘nette/curve25519.h’ defines a preprocessor symbol ‘NETTLE_CURVE25519_RFC7748’ to indicate conformance with the standard. Nettle defines Curve 25519 in ‘’. -- Constant: NETTLE_CURVE25519_RFC7748 Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions. -- Constant: CURVE25519_SIZE The size of the strings representing curve25519 points and scalars, 32. -- Function: void curve25519_mul_g (uint8_t *Q, const uint8_t *N) Computes Q = N G, where G is the group generator and N is an integer. The input argument N and the output argument Q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size ‘CURVE25519_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult_base’ in the NaCl library. -- Function: void curve25519_mul (uint8_t *Q, const uint8_t *N, const uint8_t *P) Computes Q = N P, where P is an input point and N is an integer. The input arguments N and P and the output argument Q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size ‘CURVE25519_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult’ in the NaCl library. 6.7.3.4 EdDSA ............. EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a “Twisted Edwards curve”, of the form -x^2 + y^2 = 1 + d x^2 y^2. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups. Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost. -- Constant: ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. -- Constant: ED25519_SIGNATURE_SIZE The size of an Ed25519 signature, 64 octets. -- Function: void ed25519_sha512_public_key (uint8_t *PUB, const uint8_t *PRIV) Computes the public key corresponding to the given private key. Both input and output are of size ‘ED25519_KEY_SIZE’. -- Function: void ed25519_sha512_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) Signs a message using the provided key pair. -- Function: int ed25519_sha512_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.  File: nettle.info, Node: Randomness, Next: ASCII encoding, Prev: Public-key algorithms, Up: Reference 6.8 Randomness ============== A crucial ingredient in many cryptographic contexts is randomness: Let ‘p’ be a random prime, choose a random initialization vector ‘iv’, a random key ‘k’ and a random exponent ‘e’, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain. In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name. However, such a generator is inadequate for cryptography, for at least two reasons: • It’s too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that’s far too easy. For example, if the process id is 16 bits, the resolution of “current time” is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. • The generator output reveals too much. By observing only a small segment of the generator’s output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. A randomness generator that is used for cryptographic purposes must have better properties. Let’s first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what’s unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called “entropy”, or “conditional entropy” (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask ‘n’ yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can’t guess the seed correctly, then the conditional entropy is more than ‘n’ bits. Let’s look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or “unguessability” to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are: High resolution timing of i/o activities Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it’s one of the better randomness source one can find in a digital, mostly predictable, computer. User activity Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially. Audio input Any room, or even a microphone input that’s left unconnected, is a source of some random background noise, which can be fed into the seeding process. Specialized hardware Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. Secret information Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once. For all practical sources, it’s difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can’t observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? So let’s assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). How do we generate output from this seed, and how much can we get? Some generators (notably the Linux ‘/dev/random’ generator) tries to estimate available entropy and restrict the amount of output. The goal is that if you read 128 bits from ‘/dev/random’, you should get 128 “truly random” bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn’t matter much. For most application, there’s no limit on the amount of useful “random” data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let’s call it the generator’s key. The key is initialized from the unguessable seed. Important properties of a generator are: “Key-hiding” An attacker observing the output should not be able to recover the generator’s key. “Independence of outputs” Observing some of the output should not help the attacker to guess previous or future output. “Forward secrecy” Even if an attacker compromises the generator’s key, he should not be able to guess the generator output _before_ the key compromise. “Recovery from key compromise” If an attacker compromises the generator’s key, he can compute _all_ future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time ‘t_1’, there is another later time ‘t_2’, such that if the attacker observes all output generated between ‘t_1’ and ‘t_2’, he still can’t guess what output is generated after ‘t_2’. Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. ARCFOUR, like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality, if the seed is hashed properly before it is used with ‘arcfour_set_key’. There’s no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. The “lagged Fibonacci” generator in ‘’ is a fast generator with good statistical properties, but is *not* for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. The recommended generator to use is Yarrow, described below. 6.8.1 Yarrow ------------ Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at , and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits. Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later. Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness “pools”, referred to as the “slow pool” and the “fast pool”. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a “fast reseed” happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a “slow reseed” takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise. The output is generated by using AES to encrypt a counter, using the generator’s current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy. Yarrow can also use a “seed file” to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. Nettle defines Yarrow-256 in ‘’. -- Context struct: struct yarrow256_ctx -- Context struct: struct yarrow_source Information about a single source. -- Constant: YARROW256_SEED_FILE_SIZE Recommended size of the Yarrow-256 seed file. -- Function: void yarrow256_init (struct yarrow256_ctx *CTX, unsigned NSOURCES, struct yarrow_source *SOURCES) Initializes the yarrow context, and its NSOURCES sources. It’s possible to call it with NSOURCES=0 and SOURCES=NULL, if you don’t need the update features. -- Function: void yarrow256_seed (struct yarrow256_ctx *CTX, size_t LENGTH, uint8_t *SEED_FILE) Seeds Yarrow-256 from a previous seed file. LENGTH should be at least ‘YARROW256_SEED_FILE_SIZE’, but it can be larger. The generator will trust you that the SEED_FILE data really is unguessable. After calling this function, you _must_ overwrite the old seed file with newly generated data from ‘yarrow256_random’. If it’s possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. -- Function: int yarrow256_update (struct yarrow256_ctx *CTX, unsigned SOURCE, unsigned ENTROPY, size_t LENGTH, const uint8_t *DATA) Updates the generator with data from source SOURCE (an index that must be smaller than the number of sources). ENTROPY is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero ENTROPY is always safe, no matter if the data is random or not. Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with ‘yarrow256_random’ and overwrite the seed file. Otherwise, the function returns 0. -- Function: void yarrow256_random (struct yarrow256_ctx *CTX, size_t LENGTH, uint8_t *DST) Generates LENGTH octets of output. The generator must be seeded before you call this function. If you don’t need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time. -- Function: int yarrow256_is_seeded (struct yarrow256_ctx *CTX) Returns 1 if the generator is seeded and ready to generate output, otherwise 0. -- Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *CTX) Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded. -- Function: void yarrow256_fast_reseed (struct yarrow256_ctx *CTX) -- Function: void yarrow256_slow_reseed (struct yarrow256_ctx *CTX) Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care. Nettle includes an entropy estimator for one kind of input source: User keyboard input. -- Context struct: struct yarrow_key_event_ctx Information about recent key events. -- Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *CTX) Initializes the context. -- Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *CTX, unsigned KEY, unsigned TIME) KEY is the id of the key (ASCII value, hardware key code, X keysym, ..., it doesn’t matter), and TIME is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, TIME should be provided in units of microseconds. But if you use ‘gettimeofday’ on a typical Unix system where the clock ticks 10 or so microseconds at a time, TIME should be given in units of 10 microseconds. Returns an entropy estimate, in bits, suitable for calling ‘yarrow256_update’. Usually, 0, 1 or 2 bits.  File: nettle.info, Node: ASCII encoding, Next: Miscellaneous functions, Prev: Randomness, Up: Reference 6.9 ASCII encoding ================== Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). The base64 encoding will always use alphanumeric (upper and lower case) characters and the ’+’, ’/’ and ’=’ symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There’s also a “URL safe” variant, which is useful for encoding binary data into URLs and filenames. See ‘RFC 4648’. The base16 encoding, also known as “hexadecimal”, uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn’t need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. The following functions can be used to perform base64 encoding and decoding. They are defined in ‘’. -- Context struct: struct base64_encode_ctx -- Function: void base64_encode_init (struct base64_encode_ctx *CTX) -- Function: void base64url_encode_init (struct base64_encode_ctx *CTX) Initializes a base64 context. This is necessary before starting an encoding session. ‘base64_encode_init’ selects the standard base64 alphabet, while ‘base64url_encode_init’ selects the URL safe alphabet. -- Function: size_t base64_encode_single (struct base64_encode_ctx *CTX, uint8_t *DST, uint8_t SRC) Encodes a single byte. Returns amount of output (always 1 or 2). -- Macro: BASE64_ENCODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base64_encode_update’. -- Function: size_t base64_encode_update (struct base64_encode_ctx *CTX, uint8_t *DST, size_t LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to encode LENGTH bytes from SRC. The result will be placed in DST, and the return value will be the number of bytes generated. Note that DST must be at least of size BASE64_ENCODE_LENGTH(LENGTH). -- Constant: BASE64_ENCODE_FINAL_LENGTH The maximum amount of output from ‘base64_encode_final’. -- Function: size_t base64_encode_final (struct base64_encode_ctx *CTX, uint8_t *DST) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated. -- Context struct: struct base64_decode_ctx -- Function: void base64_decode_init (struct base64_decode_ctx *CTX) -- Function: void base64url_decode_init (struct base64_decode_ctx *CTX) Initializes a base64 decoding context. This is necessary before starting a decoding session. ‘base64_decode_init’ selects the standard base64 alphabet, while ‘base64url_decode_init’ selects the URL safe alphabet. -- Function: int base64_decode_single (struct base64_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) Decodes a single byte (SRC) and stores the result in DST. Returns amount of output (0 or 1), or -1 on errors. -- Macro: BASE64_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base64_decode_update’. -- Function: void base64_decode_update (struct base64_decode_ctx *CTX, size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to decode SRC_LENGTH bytes from SRC. DST should point to an area of size at least BASE64_DECODE_LENGTH(SRC_LENGTH). The amount of data generated is returned in *DST_LENGTH. Returns 1 on success and 0 on error. -- Function: int base64_decode_final (struct base64_decode_ctx *CTX) Check that final padding is correct. Returns 1 on success, and 0 on error. Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in ‘’. Note that there is no encoding context necessary for doing base16 encoding. -- Function: void base16_encode_single (uint8_t *DST, uint8_t SRC) Encodes a single byte. Always stores two digits in DST[0] and DST[1]. -- Macro: BASE16_ENCODE_LENGTH (LENGTH) The number of output bytes when passing LENGTH input bytes to ‘base16_encode_update’. -- Function: void base16_encode_update (uint8_t *DST, size_t LENGTH, const uint8_t *SRC) Always stores BASE16_ENCODE_LENGTH(LENGTH) digits in DST. -- Context struct: struct base16_decode_ctx -- Function: void base16_decode_init (struct base16_decode_ctx *CTX) Initializes a base16 decoding context. This is necessary before starting a decoding session. -- Function: int base16_decode_single (struct base16_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) Decodes a single byte from SRC into DST. Returns amount of output (0 or 1), or -1 on errors. -- Macro: BASE16_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base16_decode_update’. -- Function: int base16_decode_update (struct base16_decode_ctx *CTX, size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to decode SRC_LENGTH bytes from SRC. DST should point to an area of size at least BASE16_DECODE_LENGTH(SRC_LENGTH). The amount of data generated is returned in *DST_LENGTH. Returns 1 on success and 0 on error. -- Function: int base16_decode_final (struct base16_decode_ctx *CTX) Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error.  File: nettle.info, Node: Miscellaneous functions, Next: Compatibility functions, Prev: ASCII encoding, Up: Reference 6.10 Miscellaneous functions ============================ -- Function: void * memxor (void *DST, const void *SRC, size_t N) XORs the source area on top of the destination area. The interface doesn’t follow the Nettle conventions, because it is intended to be similar to the ANSI-C ‘memcpy’ function. -- Function: void * memxor3 (void *DST, const void *A, const void *B, size_t N) Like ‘memxor’, but takes two source areas and separate destination area. -- Function: int memeql_sec (const void *A, const void *B, size_t N) Side-channel silent comparison of the N bytes at A and B. I.e., instructions executed and memory accesses are identical no matter where the areas differ, *note Side-channel silence::. Return non-zero if the areas are equal, and zero if they differ. These functions are declared in ‘’. For compatibility with earlier versions of Nettle, ‘memxor’ and ‘memxor3’ are also declared in ‘’.  File: nettle.info, Node: Compatibility functions, Prev: Miscellaneous functions, Up: Reference 6.11 Compatibility functions ============================ For convenience, Nettle includes alternative interfaces to some algorithms, for compatibility with some other popular crypto toolkits. These are not fully documented here; refer to the source or to the documentation for the original implementation. MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in ‘’. This file defines the typedef ‘MD5_CTX’, and declares the functions ‘MD5Init’, ‘MD5Update’ and ‘MD5Final’. Eric Young’s “libdes” (also part of OpenSSL) is a quite popular DES implementation. Nettle includes a subset if its interface in ‘’. This file defines the typedefs ‘des_key_schedule’ and ‘des_cblock’, two constants ‘DES_ENCRYPT’ and ‘DES_DECRYPT’, and declares one global variable ‘des_check_key’, and the functions ‘des_cbc_cksum’ ‘des_cbc_encrypt’, ‘des_ecb2_encrypt’, ‘des_ecb3_encrypt’, ‘des_ecb_encrypt’, ‘des_ede2_cbc_encrypt’, ‘des_ede3_cbc_encrypt’, ‘des_is_weak_key’, ‘des_key_sched’, ‘des_ncbc_encrypt’ ‘des_set_key’, and ‘des_set_odd_parity’.  File: nettle.info, Node: Nettle soup, Next: Installation, Prev: Reference, Up: Top 7 Traditional Nettle Soup ************************* For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. 1 liter fresh nettles (urtica dioica) 2 tablespoons butter 3 tablespoons flour 1 liter stock (meat or vegetable) 1/2 teaspoon salt a tad white pepper some cream or milk Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper. Serve with boiled egg-halves.  File: nettle.info, Node: Installation, Next: Index, Prev: Nettle soup, Up: Top 8 Installation ************** Nettle uses ‘autoconf’. To build it, unpack the source and run ./configure make make check make install to install it under the default prefix, ‘/usr/local’. Using GNU make is strongly recommended. By default, both static and shared libraries are built and installed. To get a list of configure options, use ‘./configure --help’. Some of the more interesting are: ‘--enable-fat’ Include multiple versions of certain functions in the library, and select the ones to use at run-time, depending on available processor features. Supported for ARM and x86_64. ‘--enable-mini-gmp’ Use the smaller and slower “mini-gmp” implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are *not* binary compatible with regular builds of Nettle, and more likely to leak side-channel information. ‘--disable-shared’ Omit building the shared libraries. ‘--disable-dependency-tracking’ Disable the automatic dependency tracking. You will likely need this option to be able to build with BSD make.  File: nettle.info, Node: Index, Prev: Installation, Up: Top Function and Concept Index ************************** [index] * Menu: * AEAD: Authenticated encryption. (line 6) * aes128_decrypt: Cipher functions. (line 156) * aes128_encrypt: Cipher functions. (line 143) * aes128_invert_key: Cipher functions. (line 126) * aes128_set_decrypt_key: Cipher functions. (line 110) * aes128_set_encrypt_key: Cipher functions. (line 108) * aes192_decrypt: Cipher functions. (line 158) * aes192_encrypt: Cipher functions. (line 145) * aes192_invert_key: Cipher functions. (line 128) * aes192_set_decrypt_key: Cipher functions. (line 114) * aes192_set_encrypt_key: Cipher functions. (line 112) * aes256_decrypt: Cipher functions. (line 160) * aes256_encrypt: Cipher functions. (line 147) * aes256_invert_key: Cipher functions. (line 130) * aes256_set_decrypt_key: Cipher functions. (line 118) * aes256_set_encrypt_key: Cipher functions. (line 116) * aes_decrypt: Cipher functions. (line 162) * aes_encrypt: Cipher functions. (line 149) * aes_invert_key: Cipher functions. (line 132) * aes_set_decrypt_key: Cipher functions. (line 122) * aes_set_encrypt_key: Cipher functions. (line 120) * arcfour_crypt: Cipher functions. (line 214) * arcfour_set_key: Cipher functions. (line 209) * arctwo_decrypt: Cipher functions. (line 279) * arctwo_encrypt: Cipher functions. (line 272) * arctwo_set_key: Cipher functions. (line 256) * arctwo_set_key_ekb: Cipher functions. (line 254) * arctwo_set_key_gutmann: Cipher functions. (line 258) * Authenticated encryption: Authenticated encryption. (line 6) * base16_decode_final: ASCII encoding. (line 143) * base16_decode_init: ASCII encoding. (line 121) * BASE16_DECODE_LENGTH: ASCII encoding. (line 130) * base16_decode_single: ASCII encoding. (line 125) * base16_decode_update: ASCII encoding. (line 134) * BASE16_ENCODE_LENGTH: ASCII encoding. (line 111) * base16_encode_single: ASCII encoding. (line 107) * base16_encode_update: ASCII encoding. (line 115) * base64url_decode_init: ASCII encoding. (line 75) * base64url_encode_init: ASCII encoding. (line 41) * base64_decode_final: ASCII encoding. (line 99) * base64_decode_init: ASCII encoding. (line 74) * BASE64_DECODE_LENGTH: ASCII encoding. (line 86) * base64_decode_single: ASCII encoding. (line 81) * base64_decode_update: ASCII encoding. (line 90) * base64_encode_final: ASCII encoding. (line 65) * base64_encode_init: ASCII encoding. (line 40) * BASE64_ENCODE_LENGTH: ASCII encoding. (line 51) * base64_encode_single: ASCII encoding. (line 47) * base64_encode_update: ASCII encoding. (line 55) * Block Cipher: Cipher functions. (line 12) * blowfish_decrypt: Cipher functions. (line 321) * blowfish_encrypt: Cipher functions. (line 314) * blowfish_set_key: Cipher functions. (line 304) * camellia128_crypt: Cipher functions. (line 402) * camellia128_invert_key: Cipher functions. (line 388) * camellia128_set_decrypt_key: Cipher functions. (line 372) * camellia128_set_encrypt_key: Cipher functions. (line 370) * camellia192_crypt: Cipher functions. (line 404) * camellia192_invert_key: Cipher functions. (line 390) * camellia192_set_decrypt_key: Cipher functions. (line 376) * camellia192_set_encrypt_key: Cipher functions. (line 374) * camellia256_crypt: Cipher functions. (line 406) * camellia256_invert_key: Cipher functions. (line 392) * camellia256_set_decrypt_key: Cipher functions. (line 380) * camellia256_set_encrypt_key: Cipher functions. (line 378) * camellia_crypt: Cipher functions. (line 408) * camellia_invert_key: Cipher functions. (line 394) * camellia_set_decrypt_key: Cipher functions. (line 384) * camellia_set_encrypt_key: Cipher functions. (line 382) * cast128_decrypt: Cipher functions. (line 448) * cast128_encrypt: Cipher functions. (line 441) * cast128_set_key: Cipher functions. (line 436) * CBC Mode: CBC. (line 6) * CBC_CTX: CBC. (line 51) * cbc_decrypt: CBC. (line 34) * CBC_DECRYPT: CBC. (line 72) * cbc_encrypt: CBC. (line 31) * CBC_ENCRYPT: CBC. (line 71) * CBC_SET_IV: CBC. (line 66) * CCM Mode: CCM. (line 6) * ccm_aes128_decrypt: CCM. (line 211) * ccm_aes128_decrypt_message: CCM. (line 242) * ccm_aes128_digest: CCM. (line 221) * ccm_aes128_encrypt: CCM. (line 205) * ccm_aes128_encrypt_message: CCM. (line 230) * ccm_aes128_set_key: CCM. (line 174) * ccm_aes128_set_nonce: CCM. (line 184) * ccm_aes128_update: CCM. (line 196) * ccm_aes192_decrypt: CCM. (line 213) * ccm_aes192_decrypt_message: CCM. (line 246) * ccm_aes192_decrypt_message <1>: CCM. (line 250) * ccm_aes192_digest: CCM. (line 223) * ccm_aes192_encrypt: CCM. (line 207) * ccm_aes192_encrypt_message: CCM. (line 234) * ccm_aes192_set_key: CCM. (line 176) * ccm_aes192_set_nonce: CCM. (line 187) * ccm_aes192_update: CCM. (line 198) * ccm_aes256_decrypt: CCM. (line 215) * ccm_aes256_digest: CCM. (line 225) * ccm_aes256_encrypt: CCM. (line 209) * ccm_aes256_encrypt_message: CCM. (line 238) * ccm_aes256_set_key: CCM. (line 178) * ccm_aes256_set_nonce: CCM. (line 190) * ccm_aes256_update: CCM. (line 200) * ccm_decrypt: CCM. (line 95) * ccm_decrypt_message: CCM. (line 142) * ccm_digest: CCM. (line 103) * ccm_encrypt: CCM. (line 92) * ccm_encrypt_message: CCM. (line 134) * CCM_MAX_MSG_SIZE: CCM. (line 76) * ccm_set_nonce: CCM. (line 80) * ccm_update: CCM. (line 86) * CFB Mode: CFB. (line 6) * CFB_CTX: CFB. (line 50) * cfb_decrypt: CFB. (line 33) * CFB_DECRYPT: CFB. (line 69) * cfb_encrypt: CFB. (line 30) * CFB_ENCRYPT: CFB. (line 62) * CFB_SET_IV(CTX,: CFB. (line 57) * chacha_crypt: Cipher functions. (line 482) * chacha_poly1305_decrypt: ChaCha-Poly1305. (line 68) * chacha_poly1305_digest: ChaCha-Poly1305. (line 74) * chacha_poly1305_encrypt: ChaCha-Poly1305. (line 66) * chacha_poly1305_set_key: ChaCha-Poly1305. (line 53) * chacha_poly1305_set_nonce: ChaCha-Poly1305. (line 58) * chacha_poly1305_update: ChaCha-Poly1305. (line 62) * chacha_set_key: Cipher functions. (line 470) * chacha_set_nonce: Cipher functions. (line 476) * Cipher: Cipher functions. (line 6) * Cipher Block Chaining: CBC. (line 6) * Cipher Feedback Mode: CFB. (line 6) * Collision-resistant: Hash functions. (line 18) * Conditional entropy: Randomness. (line 51) * Counter Mode: CTR. (line 6) * Counter with CBC-MAC Mode: CCM. (line 6) * CTR Mode: CTR. (line 6) * ctr_crypt: CTR. (line 33) * CTR_CRYPT: CTR. (line 60) * CTR_CTX: CTR. (line 48) * CTR_SET_COUNTER: CTR. (line 55) * Curve 25519: Curve 25519. (line 6) * curve25519_mul: Curve 25519. (line 60) * curve25519_mul_g: Curve 25519. (line 51) * des3_decrypt: Cipher functions. (line 606) * des3_encrypt: Cipher functions. (line 599) * des3_set_key: Cipher functions. (line 588) * des_check_parity: Cipher functions. (line 533) * des_decrypt: Cipher functions. (line 529) * des_encrypt: Cipher functions. (line 522) * des_fix_parity: Cipher functions. (line 537) * des_set_key: Cipher functions. (line 515) * dsa_compat_generate_keypair: DSA. (line 300) * dsa_generate_keypair: DSA. (line 198) * dsa_generate_params: DSA. (line 131) * dsa_params_clear: DSA. (line 128) * dsa_params_init: DSA. (line 125) * dsa_private_key_clear: DSA. (line 244) * dsa_private_key_init: DSA. (line 237) * dsa_public_key_clear: DSA. (line 243) * dsa_public_key_init: DSA. (line 236) * dsa_sha1_sign: DSA. (line 257) * dsa_sha1_sign_digest: DSA. (line 261) * dsa_sha1_verify: DSA. (line 283) * dsa_sha1_verify_digest: DSA. (line 285) * dsa_sha256_sign: DSA. (line 265) * dsa_sha256_sign_digest: DSA. (line 269) * dsa_sha256_verify: DSA. (line 288) * dsa_sha256_verify_digest: DSA. (line 291) * dsa_sign: DSA. (line 177) * dsa_signature_clear: DSA. (line 168) * dsa_signature_init: DSA. (line 167) * dsa_verify: DSA. (line 189) * eax_aes128_decrypt: EAX. (line 136) * eax_aes128_digest: EAX. (line 142) * eax_aes128_encrypt: EAX. (line 134) * eax_aes128_set_key: EAX. (line 120) * eax_aes128_set_nonce: EAX. (line 124) * eax_aes128_update: EAX. (line 128) * EAX_CTX: EAX. (line 81) * eax_decrypt: EAX. (line 60) * EAX_DECRYPT: EAX. (line 105) * eax_digest: EAX. (line 68) * EAX_DIGEST: EAX. (line 108) * eax_encrypt: EAX. (line 57) * EAX_ENCRYPT: EAX. (line 104) * eax_set_key: EAX. (line 36) * EAX_SET_KEY: EAX. (line 94) * eax_set_nonce: EAX. (line 42) * EAX_SET_NONCE: EAX. (line 98) * eax_update: EAX. (line 48) * EAX_UPDATE: EAX. (line 101) * ecc_point_clear: ECDSA. (line 36) * ecc_point_get: ECDSA. (line 47) * ecc_point_init: ECDSA. (line 30) * ecc_point_set: ECDSA. (line 39) * ecc_scalar_clear: ECDSA. (line 62) * ecc_scalar_get: ECDSA. (line 69) * ecc_scalar_init: ECDSA. (line 57) * ecc_scalar_set: ECDSA. (line 65) * ecdsa_generate_keypair: ECDSA. (line 93) * ecdsa_sign: ECDSA. (line 75) * ecdsa_verify: ECDSA. (line 84) * ed25519_sha512_public_key: Curve 25519. (line 100) * ed25519_sha512_sign: Curve 25519. (line 105) * ed25519_sha512_verify: Curve 25519. (line 110) * eddsa: Curve 25519. (line 73) * Entropy: Randomness. (line 51) * Galois Counter Mode: GCM. (line 6) * GCM: GCM. (line 6) * gcm_aes128_decrypt: GCM. (line 192) * gcm_aes128_digest: GCM. (line 204) * gcm_aes128_encrypt: GCM. (line 184) * gcm_aes128_set_iv: GCM. (line 161) * gcm_aes128_set_key: GCM. (line 148) * gcm_aes128_update: GCM. (line 171) * gcm_aes192_decrypt: GCM. (line 194) * gcm_aes192_digest: GCM. (line 206) * gcm_aes192_encrypt: GCM. (line 186) * gcm_aes192_set_iv: GCM. (line 163) * gcm_aes192_set_key: GCM. (line 150) * gcm_aes192_update: GCM. (line 173) * gcm_aes256_decrypt: GCM. (line 196) * gcm_aes256_digest: GCM. (line 208) * gcm_aes256_encrypt: GCM. (line 188) * gcm_aes256_set_iv: GCM. (line 165) * gcm_aes256_set_key: GCM. (line 152) * gcm_aes256_update: GCM. (line 175) * gcm_aes_decrypt: GCM. (line 198) * gcm_aes_digest: GCM. (line 210) * gcm_aes_encrypt: GCM. (line 190) * gcm_aes_set_iv: GCM. (line 167) * gcm_aes_set_key: GCM. (line 156) * gcm_aes_update: GCM. (line 177) * gcm_camellia128_decrypt: GCM. (line 253) * gcm_camellia128_digest: GCM. (line 261) * gcm_camellia128_encrypt: GCM. (line 249) * gcm_camellia128_set_iv: GCM. (line 234) * gcm_camellia128_set_key: GCM. (line 228) * gcm_camellia128_update: GCM. (line 240) * gcm_camellia192_digest: GCM. (line 263) * gcm_camellia256_decrypt: GCM. (line 255) * gcm_camellia256_digest: GCM. (line 265) * gcm_camellia256_encrypt: GCM. (line 251) * gcm_camellia256_set_iv: GCM. (line 236) * gcm_camellia256_set_key: GCM. (line 230) * gcm_camellia256_update: GCM. (line 242) * gcm_camellia_digest: GCM. (line 267) * GCM_CTX: GCM. (line 96) * gcm_decrypt: GCM. (line 65) * GCM_DECRYPT: GCM. (line 125) * gcm_digest: GCM. (line 73) * GCM_DIGEST: GCM. (line 126) * gcm_encrypt: GCM. (line 62) * GCM_ENCRYPT: GCM. (line 124) * gcm_set_iv: GCM. (line 50) * GCM_SET_IV: GCM. (line 116) * gcm_set_key: GCM. (line 44) * GCM_SET_KEY: GCM. (line 111) * gcm_update: GCM. (line 55) * GCM_UPDATE: GCM. (line 120) * gosthash94_digest: Legacy hash functions. (line 209) * gosthash94_init: Legacy hash functions. (line 202) * gosthash94_update: Legacy hash functions. (line 205) * Hash function: Hash functions. (line 6) * HKDF: Key derivation functions. (line 16) * hkdf_expand: Key derivation functions. (line 42) * hkdf_extract: Key derivation functions. (line 29) * HMAC: HMAC. (line 6) * HMAC_CTX: HMAC. (line 58) * hmac_digest: HMAC. (line 44) * HMAC_DIGEST: HMAC. (line 80) * hmac_md5_digest: HMAC. (line 109) * hmac_md5_set_key: HMAC. (line 101) * hmac_md5_update: HMAC. (line 105) * hmac_ripemd160_digest: HMAC. (line 131) * hmac_ripemd160_set_key: HMAC. (line 123) * hmac_ripemd160_update: HMAC. (line 127) * hmac_set_key: HMAC. (line 29) * HMAC_SET_KEY: HMAC. (line 74) * hmac_sha1_digest: HMAC. (line 153) * hmac_sha1_set_key: HMAC. (line 145) * hmac_sha1_update: HMAC. (line 149) * hmac_sha256_digest: HMAC. (line 175) * hmac_sha256_set_key: HMAC. (line 167) * hmac_sha256_update: HMAC. (line 171) * hmac_sha512_digest: HMAC. (line 197) * hmac_sha512_set_key: HMAC. (line 189) * hmac_sha512_update: HMAC. (line 193) * hmac_update: HMAC. (line 37) * KDF: Key derivation functions. (line 58) * Key Derivation Function: Key derivation functions. (line 6) * Keyed Hash Function: Keyed hash functions. (line 6) * MAC: Keyed hash functions. (line 6) * md2_digest: Legacy hash functions. (line 77) * md2_init: Legacy hash functions. (line 70) * md2_update: Legacy hash functions. (line 73) * md4_digest: Legacy hash functions. (line 110) * md4_init: Legacy hash functions. (line 103) * md4_update: Legacy hash functions. (line 106) * md5_digest: Legacy hash functions. (line 39) * md5_init: Legacy hash functions. (line 32) * md5_update: Legacy hash functions. (line 35) * memeql_sec: Miscellaneous functions. (line 16) * memxor: Miscellaneous functions. (line 6) * memxor3: Miscellaneous functions. (line 11) * Message Authentication Code: Keyed hash functions. (line 6) * nettle_aead: nettle_aead abstraction. (line 6) * nettle_aeads: nettle_aead abstraction. (line 6) * nettle_aeads <1>: nettle_aead abstraction. (line 33) * nettle_cipher: Cipher functions. (line 774) * nettle_ciphers: Cipher functions. (line 774) * nettle_ciphers <1>: Cipher functions. (line 821) * nettle_get_aeads: nettle_aead abstraction. (line 6) * nettle_get_ciphers: Cipher functions. (line 774) * nettle_get_hashes: nettle_hash abstraction. (line 6) * nettle_hash: nettle_hash abstraction. (line 6) * nettle_hashes: nettle_hash abstraction. (line 6) * nettle_hashes <1>: nettle_hash abstraction. (line 38) * One-way: Hash functions. (line 14) * One-way function: Public-key algorithms. (line 18) * Password Based Key Derivation Function: Key derivation functions. (line 58) * PBKDF: Key derivation functions. (line 58) * pbkdf2: Key derivation functions. (line 67) * PBKDF2: Key derivation functions. (line 83) * pbkdf2_hmac_sha1: Key derivation functions. (line 102) * pbkdf2_hmac_sha256: Key derivation functions. (line 113) * PKCS #5: Key derivation functions. (line 58) * poly1305_aes_digest: Poly1305. (line 56) * poly1305_aes_set_key: Poly1305. (line 43) * poly1305_aes_set_nonce: Poly1305. (line 47) * poly1305_aes_update: Poly1305. (line 52) * Public Key Cryptography: Public-key algorithms. (line 18) * Randomness: Randomness. (line 6) * ripemd160_digest: Legacy hash functions. (line 143) * ripemd160_init: Legacy hash functions. (line 136) * ripemd160_update: Legacy hash functions. (line 139) * rsa_compute_root: RSA. (line 360) * rsa_compute_root_tr(const: RSA. (line 354) * rsa_decrypt: RSA. (line 335) * rsa_decrypt_tr: RSA. (line 344) * rsa_encrypt: RSA. (line 328) * rsa_generate_keypair: RSA. (line 366) * rsa_md5_sign: RSA. (line 203) * rsa_md5_sign_digest: RSA. (line 218) * rsa_md5_sign_digest_tr(const: RSA. (line 171) * rsa_md5_sign_tr(const: RSA. (line 146) * rsa_md5_verify: RSA. (line 244) * rsa_md5_verify_digest: RSA. (line 256) * rsa_pkcs1_sign(const: RSA. (line 234) * rsa_pkcs1_sign_tr(const: RSA. (line 194) * rsa_pkcs1_verify(const: RSA. (line 269) * rsa_private_key_clear: RSA. (line 104) * rsa_private_key_init: RSA. (line 97) * rsa_private_key_prepare: RSA. (line 117) * rsa_pss_sha256_sign_digest_tr(const: RSA. (line 291) * rsa_pss_sha256_verify_digest: RSA. (line 313) * rsa_pss_sha384_sign_digest_tr(const: RSA. (line 295) * rsa_pss_sha384_verify_digest: RSA. (line 316) * rsa_pss_sha512_sign_digest_tr(const: RSA. (line 299) * rsa_pss_sha512_verify_digest: RSA. (line 319) * rsa_public_key_clear: RSA. (line 103) * rsa_public_key_init: RSA. (line 96) * rsa_public_key_prepare: RSA. (line 116) * rsa_sha1_sign: RSA. (line 205) * rsa_sha1_sign_digest: RSA. (line 220) * rsa_sha1_sign_digest_tr(const: RSA. (line 175) * rsa_sha1_sign_tr(const: RSA. (line 150) * rsa_sha1_verify: RSA. (line 246) * rsa_sha1_verify_digest: RSA. (line 258) * rsa_sha256_sign: RSA. (line 207) * rsa_sha256_sign_digest: RSA. (line 222) * rsa_sha256_sign_digest_tr(const: RSA. (line 179) * rsa_sha256_sign_tr(const: RSA. (line 154) * rsa_sha256_verify: RSA. (line 248) * rsa_sha256_verify_digest: RSA. (line 260) * rsa_sha512_sign: RSA. (line 209) * rsa_sha512_sign_digest: RSA. (line 224) * rsa_sha512_sign_digest_tr(const: RSA. (line 183) * rsa_sha512_sign_tr(const: RSA. (line 158) * rsa_sha512_verify: RSA. (line 250) * rsa_sha512_verify_digest: RSA. (line 262) * salsa20r12_crypt: Cipher functions. (line 691) * salsa20_128_set_key: Cipher functions. (line 656) * salsa20_256_set_key: Cipher functions. (line 658) * salsa20_crypt: Cipher functions. (line 676) * salsa20_set_key: Cipher functions. (line 660) * salsa20_set_nonce: Cipher functions. (line 670) * serpent_decrypt: Cipher functions. (line 731) * serpent_encrypt: Cipher functions. (line 724) * serpent_set_key: Cipher functions. (line 719) * sha1_digest: Legacy hash functions. (line 177) * sha1_init: Legacy hash functions. (line 170) * sha1_update: Legacy hash functions. (line 173) * sha224_digest: Recommended hash functions. (line 68) * sha224_init: Recommended hash functions. (line 61) * sha224_update: Recommended hash functions. (line 64) * sha256_digest: Recommended hash functions. (line 32) * sha256_init: Recommended hash functions. (line 25) * sha256_update: Recommended hash functions. (line 28) * SHA3: Recommended hash functions. (line 173) * sha384_digest: Recommended hash functions. (line 160) * sha384_init: Recommended hash functions. (line 144) * sha384_update: Recommended hash functions. (line 151) * sha3_224_digest: Recommended hash functions. (line 212) * sha3_224_init: Recommended hash functions. (line 205) * sha3_224_update: Recommended hash functions. (line 208) * sha3_256_digest: Recommended hash functions. (line 244) * sha3_256_init: Recommended hash functions. (line 237) * sha3_256_update: Recommended hash functions. (line 240) * sha3_384_digest: Recommended hash functions. (line 275) * sha3_384_init: Recommended hash functions. (line 268) * sha3_384_update: Recommended hash functions. (line 271) * sha3_512_digest: Recommended hash functions. (line 306) * sha3_512_init: Recommended hash functions. (line 299) * sha3_512_update: Recommended hash functions. (line 302) * sha512_224_digest: Recommended hash functions. (line 156) * sha512_224_init: Recommended hash functions. (line 142) * sha512_224_update: Recommended hash functions. (line 147) * sha512_256_digest: Recommended hash functions. (line 158) * sha512_256_init: Recommended hash functions. (line 143) * sha512_256_update: Recommended hash functions. (line 149) * sha512_digest: Recommended hash functions. (line 103) * sha512_init: Recommended hash functions. (line 96) * sha512_update: Recommended hash functions. (line 99) * Side-channel attack: Side-channel silence. (line 6) * Stream Cipher: Cipher functions. (line 12) * struct: nettle_hash abstraction. (line 33) * struct <1>: Cipher functions. (line 816) * struct <2>: nettle_aead abstraction. (line 28) * twofish_decrypt: Cipher functions. (line 767) * twofish_encrypt: Cipher functions. (line 760) * twofish_set_key: Cipher functions. (line 755) * UMAC: UMAC. (line 6) * umac128_digest: UMAC. (line 113) * umac128_set_key: UMAC. (line 76) * umac128_set_nonce: UMAC. (line 87) * umac128_update: UMAC. (line 102) * umac32_digest: UMAC. (line 107) * umac32_set_key: UMAC. (line 70) * umac32_set_nonce: UMAC. (line 81) * umac32_update: UMAC. (line 96) * umac64_digest: UMAC. (line 109) * umac64_set_key: UMAC. (line 72) * umac64_set_nonce: UMAC. (line 83) * umac64_update: UMAC. (line 98) * umac96_digest: UMAC. (line 111) * umac96_set_key: UMAC. (line 74) * umac96_set_nonce: UMAC. (line 85) * umac96_update: UMAC. (line 100) * yarrow256_fast_reseed: Randomness. (line 274) * yarrow256_init: Randomness. (line 223) * yarrow256_is_seeded: Randomness. (line 264) * yarrow256_needed_sources: Randomness. (line 268) * yarrow256_random: Randomness. (line 254) * yarrow256_seed: Randomness. (line 229) * yarrow256_slow_reseed: Randomness. (line 275) * yarrow256_update: Randomness. (line 241) * yarrow_key_event_estimate: Randomness. (line 289) * yarrow_key_event_init: Randomness. (line 285)  Tag Table: Node: Top543 Node: Introduction2677 Node: Copyright4256 Node: Conventions9106 Node: Example11260 Node: Linking12510 Node: Reference13371 Node: Hash functions13919 Node: Recommended hash functions15453 Node: Legacy hash functions26984 Node: nettle_hash abstraction34838 Node: Cipher functions37000 Node: Cipher modes72964 Node: CBC74100 Node: CTR77492 Node: CFB80105 Node: Authenticated encryption83270 Node: EAX86623 Node: GCM92796 Node: CCM105633 Node: ChaCha-Poly1305118419 Node: nettle_aead abstraction122294 Node: Keyed hash functions123981 Node: HMAC125623 Node: UMAC133643 Node: Poly1305139518 Node: Key derivation functions142175 Node: Public-key algorithms148301 Node: RSA152372 Node: RSA-Footnotes172969 Ref: RSA-Footnote-1173022 Node: DSA173200 Node: Elliptic curves188680 Node: Side-channel silence190039 Node: ECDSA191486 Node: Curve 25519196234 Node: Randomness201752 Node: ASCII encoding217107 Node: Miscellaneous functions223834 Node: Compatibility functions224994 Node: Nettle soup226342 Node: Installation227339 Node: Index228715  End Tag Table  Local Variables: coding: utf-8 End: nettle-3.4.1/pkcs1-rsa-md5.c0000644000175000017500000000542713401564745014512 0ustar nissenisse/* pkcs1-rsa-md5.c PKCS stuff for rsa-md5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "gmp-glue.h" /* From pkcs-1v2 * * md5 OBJECT IDENTIFIER ::= * {iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5} * * The parameters part of the algorithm identifier is NULL: * * md5Identifier ::= AlgorithmIdentifier {md5, NULL} */ static const uint8_t md5_prefix[] = { /* 18 octets prefix, 16 octets hash, 34 total. */ 0x30, 32, /* SEQUENCE */ 0x30, 12, /* SEQUENCE */ 0x06, 8, /* OBJECT IDENTIFIER */ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0, /* NULL */ 0x04, 16 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_md5_encode(mpz_t m, size_t key_size, struct md5_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), md5_prefix, MD5_DIGEST_SIZE); if (p) { md5_digest(hash, MD5_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_md5_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), md5_prefix, MD5_DIGEST_SIZE); if (p) { memcpy(p, digest, MD5_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.4.1/config.guess0000755000175000017500000013135513401564746014400 0ustar nissenisse#! /bin/sh # Attempt to guess a canonical system name. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # # Originally written by Per Bothner. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD # # Please send patches with a ChangeLog entry to config-patches@gnu.org. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi trap 'exit 1' 1 2 15 # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. set_cc_for_build=' trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; : ${TMPDIR=/tmp} ; { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; dummy=$tmp/dummy ; tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; case $CC_FOR_BUILD,$HOST_CC,$CC in ,,) echo "int x;" > $dummy.c ; for c in cc gcc c89 c99 ; do if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if (test -f /.attbin/uname) >/dev/null 2>&1 ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_SYSTEM}" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu eval $set_cc_for_build cat <<-EOF > $dummy.c #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc #else LIBC=gnu #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` ;; esac # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case "${UNAME_VERSION}" in Debian*) release='-gnu' ;; *) release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; *:SolidBSD:*:*) echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} exit ;; macppc:MirBSD:*:*) echo powerpc-unknown-mirbsd${UNAME_RELEASE} exit ;; *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") UNAME_MACHINE="alpha" ;; "EV4.5 (21064)") UNAME_MACHINE="alpha" ;; "LCA4 (21066/21068)") UNAME_MACHINE="alpha" ;; "EV5 (21164)") UNAME_MACHINE="alphaev5" ;; "EV5.6 (21164A)") UNAME_MACHINE="alphaev56" ;; "EV5.6 (21164PC)") UNAME_MACHINE="alphapca56" ;; "EV5.7 (21164PC)") UNAME_MACHINE="alphapca57" ;; "EV6 (21264)") UNAME_MACHINE="alphaev6" ;; "EV6.7 (21264A)") UNAME_MACHINE="alphaev67" ;; "EV6.8CB (21264C)") UNAME_MACHINE="alphaev68" ;; "EV6.8AL (21264B)") UNAME_MACHINE="alphaev68" ;; "EV6.8CX (21264D)") UNAME_MACHINE="alphaev68" ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE="alphaev69" ;; "EV7 (21364)") UNAME_MACHINE="alphaev7" ;; "EV7.9 (21364A)") UNAME_MACHINE="alphaev79" ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead # of the specific Alpha model? echo alpha-pc-interix exit ;; 21064:Windows_NT:50:3) echo alpha-dec-winnt3.5 exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition exit ;; *:z/VM:*:*) echo s390-ibm-zvmoe exit ;; *:OS400:*:*) echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) echo hppa1.1-hitachi-hiuxmpp exit ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. if test "`(/bin/universe) 2>/dev/null`" = att ; then echo pyramid-pyramid-sysv3 else echo pyramid-pyramid-bsd fi exit ;; NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit ;; DRS?6000:unix:4.0:6*) echo sparc-icl-nx6 exit ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) echo i386-pc-auroraux${UNAME_RELEASE} exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build SUN_ARCH="i386" # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH="x86_64" fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` exit ;; sun3*:SunOS:*:*) echo m68k-sun-sunos${UNAME_RELEASE} exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} ;; sun4) echo sparc-sun-sunos${UNAME_RELEASE} ;; esac exit ;; aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) echo m68k-milan-mint${UNAME_RELEASE} exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) echo m68k-hades-mint${UNAME_RELEASE} exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) echo mips-dec-ultrix${UNAME_RELEASE} exit ;; VAX*:ULTRIX*:*:*) echo vax-dec-ultrix${UNAME_RELEASE} exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) echo clipper-intergraph-clix${UNAME_RELEASE} exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`$dummy $dummyarg` && { echo "$SYSTEM_NAME"; exit; } echo mips-mips-riscos${UNAME_RELEASE} exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit ;; Motorola:*:4.3:PL8-*) echo powerpc-harris-powermax exit ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) echo powerpc-harris-powermax exit ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit ;; m88k:CX/UX:7*:*) echo m88k-harris-cxux7 exit ;; m88k:*:4*:R4*) echo m88k-motorola-sysv4 exit ;; m88k:*:3*:R3*) echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ [ ${TARGET_BINARY_INTERFACE}x = x ] then echo m88k-dg-dgux${UNAME_RELEASE} else echo m88k-dg-dguxbcs${UNAME_RELEASE} fi else echo i586-dg-dgux${UNAME_RELEASE} fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; M88*:*:R3*:*) # Delta 88k system running SVR3 echo m88k-motorola-sysv3 exit ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) echo m88k-tektronix-sysv3 exit ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` exit ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) echo i386-ibm-aix exit ;; ia64:AIX:*:*) if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include main() { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` then echo "$SYSTEM_NAME" else echo rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 else echo rs6000-ibm-aix3.2 fi exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${IBM_ARCH}-ibm-aix${IBM_REV} exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; ibmrt:4.4BSD:*|romp-ibm:BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx exit ;; DPX/2?00:B.O.S.:*:*) echo m68k-bull-sysv3 exit ;; 9000/[34]??:4.3bsd:1.*:*) echo m68k-hp-bsd exit ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? ) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if [ ${HP_ARCH} = "hppa2.0w" ] then eval $set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH="hppa2.0w" else HP_ARCH="hppa64" fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit ;; ia64:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` echo ia64-hp-hpux${HPUX_REV} exit ;; 3050*:HI-UX:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) echo hppa1.0-hp-bsd exit ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) echo hppa1.0-hp-osf exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then echo ${UNAME_MACHINE}-unknown-osf1mk else echo ${UNAME_MACHINE}-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} exit ;; sparc*:BSD/OS:*:*) echo sparc-unknown-bsdi${UNAME_RELEASE} exit ;; *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; *:MINGW64*:*) echo ${UNAME_MACHINE}-pc-mingw64 exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; i*:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) echo ia64-unknown-interix${UNAME_RELEASE} exit ;; esac ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; 8664:Windows_NT:*) echo x86_64-pc-mks exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? echo i586-pc-interix exit ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) echo x86_64-unknown-cygwin exit ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit ;; prep*:SunOS:5.*:*) echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; *:GNU:*:*) # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; aarch64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="gnulibc1" ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then echo ${UNAME_MACHINE}-unknown-linux-${LIBC} else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi else echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; cris:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; hexagon:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:Linux:*:*) echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU #undef ${UNAME_MACHINE} #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; or1k:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; or32:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) echo sparc-unknown-linux-${LIBC} exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) echo hppa64-unknown-linux-${LIBC} exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; *) echo hppa-unknown-linux-${LIBC} ;; esac exit ;; ppc64:Linux:*:*) echo powerpc64-unknown-linux-${LIBC} exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-${LIBC} exit ;; ppc64le:Linux:*:*) echo powerpc64le-unknown-linux-${LIBC} exit ;; ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; sh64*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; tile*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. echo ${UNAME_MACHINE}-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) echo ${UNAME_MACHINE}-unknown-stop exit ;; i*86:atheos:*:*) echo ${UNAME_MACHINE}-unknown-atheos exit ;; i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} else echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} fi exit ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; paragon:*:*:*) echo i860-intel-osf1 exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) # "miniframe" echo m68010-convergent-sysv exit ;; mc68k:UNIX:SYSTEM5:3.51m) echo m68k-convergent-sysv exit ;; M680?0:D-NIX:5.3:*) echo m68k-diab-dnix exit ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit ;; rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) echo mips-dde-sysv${UNAME_RELEASE} exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 exit ;; RM*:SINIX-*:*:*) echo mips-sni-sysv4 exit ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` echo ${UNAME_MACHINE}-sni-sysv4 else echo ns32k-sni-sysv fi exit ;; PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort # says echo i586-unisys-sysv4 exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm echo hppa1.1-stratus-sysv4 exit ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. echo ${UNAME_MACHINE}-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) echo m68k-apple-aux${UNAME_RELEASE} exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then echo mips-nec-sysv${UNAME_RELEASE} else echo mips-unknown-sysv${UNAME_RELEASE} fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. echo powerpc-apple-beos exit ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. echo i586-pc-beos exit ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; x86_64:Haiku:*:*) echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit ;; SX-6:SUPER-UX:*:*) echo sx6-nec-superux${UNAME_RELEASE} exit ;; SX-7:SUPER-UX:*:*) echo sx7-nec-superux${UNAME_RELEASE} exit ;; SX-8:SUPER-UX:*:*) echo sx8-nec-superux${UNAME_RELEASE} exit ;; SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; *:Rhapsody:*:*) echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown eval $set_cc_for_build if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi fi elif test "$UNAME_PROCESSOR" = i386 ; then # Avoid executing cc on OS X 10.9, as it ships with a stub # that puts up a graphical alert prompting to install # developer tools. Any system running Mac OS X 10.7 or # later (Darwin 11 and later) is required to have a 64-bit # processor. This is not true of the ARM version of Darwin # that Apple uses in portable devices. UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = "x86"; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux exit ;; BS2000:POSIX*:*:*) echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. if test "$cputype" = "386"; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi echo ${UNAME_MACHINE}-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit ;; *:TENEX:*:*) echo pdp10-unknown-tenex exit ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) echo pdp10-dec-tops20 exit ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) echo pdp10-xkl-tops20 exit ;; *:TOPS-20:*:*) echo pdp10-unknown-tops20 exit ;; *:ITS:*:*) echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; esac ;; *:XENIX:*:SysV) echo i386-pc-xenix exit ;; i*86:skyos:*:*) echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos exit ;; i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; esac eval $set_cc_for_build cat >$dummy.c < # include #endif main () { #if defined (sony) #if defined (MIPSEB) /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, I don't know.... */ printf ("mips-sony-bsd\n"); exit (0); #else #include printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 "4" #else "" #endif ); exit (0); #endif #endif #if defined (__arm) && defined (__acorn) && defined (__unix) printf ("arm-acorn-riscix\n"); exit (0); #endif #if defined (hp300) && !defined (hpux) printf ("m68k-hp-bsd\n"); exit (0); #endif #if defined (NeXT) #if !defined (__ARCHITECTURE__) #define __ARCHITECTURE__ "m68k" #endif int version; version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; if (version < 4) printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); else printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); exit (0); #endif #if defined (MULTIMAX) || defined (n16) #if defined (UMAXV) printf ("ns32k-encore-sysv\n"); exit (0); #else #if defined (CMU) printf ("ns32k-encore-mach\n"); exit (0); #else printf ("ns32k-encore-bsd\n"); exit (0); #endif #endif #endif #if defined (__386BSD__) printf ("i386-pc-bsd\n"); exit (0); #endif #if defined (sequent) #if defined (i386) printf ("i386-sequent-dynix\n"); exit (0); #endif #if defined (ns32000) printf ("ns32k-sequent-dynix\n"); exit (0); #endif #endif #if defined (_SEQUENT_) struct utsname un; uname(&un); if (strncmp(un.version, "V2", 2) == 0) { printf ("i386-sequent-ptx2\n"); exit (0); } if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ printf ("i386-sequent-ptx1\n"); exit (0); } printf ("i386-sequent-ptx\n"); exit (0); #endif #if defined (vax) # if !defined (ultrix) # include # if defined (BSD) # if BSD == 43 printf ("vax-dec-bsd4.3\n"); exit (0); # else # if BSD == 199006 printf ("vax-dec-bsd4.3reno\n"); exit (0); # else printf ("vax-dec-bsd\n"); exit (0); # endif # endif # else printf ("vax-dec-bsd\n"); exit (0); # endif # else printf ("vax-dec-ultrix\n"); exit (0); # endif #endif #if defined (alliant) && defined (i860) printf ("i860-alliant-bsd\n"); exit (0); #endif exit (1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } # Apollos put the system type in the environment. test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } # Convex versions that predate uname can use getsysinfo(1) if [ -x /usr/convex/getsysinfo ] then case `getsysinfo -f cpu_type` in c1*) echo c1-convex-bsd exit ;; c2*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; c34*) echo c34-convex-bsd exit ;; c38*) echo c38-convex-bsd exit ;; c4*) echo c4-convex-bsd exit ;; esac fi cat >&2 < in order to provide the needed information to handle your system. config.guess timestamp = $timestamp uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = ${UNAME_MACHINE} UNAME_RELEASE = ${UNAME_RELEASE} UNAME_SYSTEM = ${UNAME_SYSTEM} UNAME_VERSION = ${UNAME_VERSION} EOF exit 1 # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: nettle-3.4.1/poly1305-internal.c0000644000175000017500000001541113401564745015323 0ustar nissenisse/* poly1305-internal.c Copyright: 2012-2013 Andrew M. (floodyberry) Copyright: 2013 Nikos Mavrogiannopoulos Copyright: 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on https://github.com/floodyberry/poly1305-donna. * Modified for nettle by Nikos Mavrogiannopoulos and Niels Möller. * Original license notice: * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "poly1305.h" #include "macros.h" #define mul32x32_64(a,b) ((uint64_t)(a) * (b)) #define r0 r.r32[0] #define r1 r.r32[1] #define r2 r.r32[2] #define r3 r.r32[3] #define r4 r.r32[4] #define s1 r.r32[5] #define s2 s32[0] #define s3 s32[1] #define s4 s32[2] #define h0 h.h32[0] #define h1 h.h32[1] #define h2 h.h32[2] #define h3 h.h32[3] #define h4 hh void poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) { uint32_t t0,t1,t2,t3; t0 = LE_READ_UINT32(key); t1 = LE_READ_UINT32(key+4); t2 = LE_READ_UINT32(key+8); t3 = LE_READ_UINT32(key+12); ctx->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6; ctx->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12; ctx->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18; ctx->r3 = t2 & 0x3f03fff; t3 >>= 8; ctx->r4 = t3 & 0x00fffff; ctx->s1 = ctx->r1 * 5; ctx->s2 = ctx->r2 * 5; ctx->s3 = ctx->r3 * 5; ctx->s4 = ctx->r4 * 5; ctx->h0 = 0; ctx->h1 = 0; ctx->h2 = 0; ctx->h3 = 0; ctx->h4 = 0; } void _poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4) { uint32_t t0,t1,t2,t3; uint32_t b; uint64_t t[5]; uint64_t c; t0 = LE_READ_UINT32(m); t1 = LE_READ_UINT32(m+4); t2 = LE_READ_UINT32(m+8); t3 = LE_READ_UINT32(m+12); ctx->h0 += t0 & 0x3ffffff; ctx->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; ctx->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff; ctx->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; ctx->h4 += (t3 >> 8) | ((uint32_t) t4 << 24); /* poly1305_donna_mul: */ t[0] = mul32x32_64(ctx->h0,ctx->r0) + mul32x32_64(ctx->h1,ctx->s4) + mul32x32_64(ctx->h2,ctx->s3) + mul32x32_64(ctx->h3,ctx->s2) + mul32x32_64(ctx->h4,ctx->s1); t[1] = mul32x32_64(ctx->h0,ctx->r1) + mul32x32_64(ctx->h1,ctx->r0) + mul32x32_64(ctx->h2,ctx->s4) + mul32x32_64(ctx->h3,ctx->s3) + mul32x32_64(ctx->h4,ctx->s2); t[2] = mul32x32_64(ctx->h0,ctx->r2) + mul32x32_64(ctx->h1,ctx->r1) + mul32x32_64(ctx->h2,ctx->r0) + mul32x32_64(ctx->h3,ctx->s4) + mul32x32_64(ctx->h4,ctx->s3); t[3] = mul32x32_64(ctx->h0,ctx->r3) + mul32x32_64(ctx->h1,ctx->r2) + mul32x32_64(ctx->h2,ctx->r1) + mul32x32_64(ctx->h3,ctx->r0) + mul32x32_64(ctx->h4,ctx->s4); t[4] = mul32x32_64(ctx->h0,ctx->r4) + mul32x32_64(ctx->h1,ctx->r3) + mul32x32_64(ctx->h2,ctx->r2) + mul32x32_64(ctx->h3,ctx->r1) + mul32x32_64(ctx->h4,ctx->r0); ctx->h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26); t[1] += c; ctx->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26); t[2] += b; ctx->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26); t[3] += b; ctx->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26); t[4] += b; ctx->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26); ctx->h0 += b * 5; } /* Adds digest to the nonce */ void poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) { uint32_t b, nb; uint64_t f0,f1,f2,f3; uint32_t g0,g1,g2,g3,g4; b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; ctx->h1 += b; b = ctx->h1 >> 26; ctx->h1 = ctx->h1 & 0x3ffffff; ctx->h2 += b; b = ctx->h2 >> 26; ctx->h2 = ctx->h2 & 0x3ffffff; ctx->h3 += b; b = ctx->h3 >> 26; ctx->h3 = ctx->h3 & 0x3ffffff; ctx->h4 += b; b = ctx->h4 >> 26; ctx->h4 = ctx->h4 & 0x3ffffff; ctx->h0 += b * 5; b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; ctx->h1 += b; g0 = ctx->h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff; g1 = ctx->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff; g2 = ctx->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff; g3 = ctx->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff; g4 = ctx->h4 + b - (1 << 26); b = (g4 >> 31) - 1; nb = ~b; ctx->h0 = (ctx->h0 & nb) | (g0 & b); ctx->h1 = (ctx->h1 & nb) | (g1 & b); ctx->h2 = (ctx->h2 & nb) | (g2 & b); ctx->h3 = (ctx->h3 & nb) | (g3 & b); ctx->h4 = (ctx->h4 & nb) | (g4 & b); /* FIXME: Take advantage of s being aligned as an unsigned long. */ f0 = ((ctx->h0 )|(ctx->h1<<26)) + (uint64_t)LE_READ_UINT32(s->b); f1 = ((ctx->h1>> 6)|(ctx->h2<<20)) + (uint64_t)LE_READ_UINT32(s->b+4); f2 = ((ctx->h2>>12)|(ctx->h3<<14)) + (uint64_t)LE_READ_UINT32(s->b+8); f3 = ((ctx->h3>>18)|(ctx->h4<< 8)) + (uint64_t)LE_READ_UINT32(s->b+12); LE_WRITE_UINT32(s->b, f0); f1 += (f0 >> 32); LE_WRITE_UINT32(s->b+4, f1); f2 += (f1 >> 32); LE_WRITE_UINT32(s->b+8, f2); f3 += (f2 >> 32); LE_WRITE_UINT32(s->b+12, f3); ctx->h0 = 0; ctx->h1 = 0; ctx->h2 = 0; ctx->h3 = 0; ctx->h4 = 0; } nettle-3.4.1/aes256-meta.c0000644000175000017500000000265513401564745014154 0ustar nissenisse/* aes256-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes256 = { "aes256", sizeof(struct aes256_ctx), AES_BLOCK_SIZE, AES256_KEY_SIZE, (nettle_set_key_func *) aes256_set_encrypt_key, (nettle_set_key_func *) aes256_set_decrypt_key, (nettle_cipher_func *) aes256_encrypt, (nettle_cipher_func *) aes256_decrypt }; nettle-3.4.1/knuth-lfib.h0000644000175000017500000000424613401564746014272 0ustar nissenisse/* knuth-lfib.h The "lagged fibonacci" pseudorandomness generator, described in Knuth, TAoCP, 3.6 This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but * random-looking test data, and is used by the Nettle testsuite. */ #ifndef NETTLE_KNUTH_LFIB_H_INCLUDED #define NETTLE_KNUTH_LFIB_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define knuth_lfib_init nettle_knuth_lfib_init #define knuth_lfib_get nettle_knuth_lfib_get #define knuth_lfib_get_array nettle_knuth_lfib_get_array #define knuth_lfib_random nettle_knuth_lfib_random #define _KNUTH_LFIB_KK 100 struct knuth_lfib_ctx { uint32_t x[_KNUTH_LFIB_KK]; unsigned index; }; void knuth_lfib_init(struct knuth_lfib_ctx *ctx, uint32_t seed); /* Get's a single number in the range 0 ... 2^30-1 */ uint32_t knuth_lfib_get(struct knuth_lfib_ctx *ctx); /* Get an array of numbers */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, size_t n, uint32_t *a); /* Get an array of octets. */ void knuth_lfib_random(struct knuth_lfib_ctx *ctx, size_t n, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_KNUTH_LFIB_H_INCLUDED */ nettle-3.4.1/ecc-point-mul-g.c0000644000175000017500000000322513401564746015116 0ustar nissenisse/* ecc-point-mul-g.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n) { TMP_DECL(scratch, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); const struct ecc_curve *ecc = r->ecc; mp_limb_t size = ecc->p.size; mp_size_t itch = 3*size + ecc->mul_g_itch; assert (n->ecc == ecc); TMP_ALLOC (scratch, itch); ecc->mul_g (ecc, scratch, n->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); } nettle-3.4.1/md4.h0000644000175000017500000000373113401564746012711 0ustar nissenisse/* md4.h The MD4 hash function, described in RFC 1320. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD4_H_INCLUDED #define NETTLE_MD4_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md4_init nettle_md4_init #define md4_update nettle_md4_update #define md4_digest nettle_md4_digest #define MD4_DIGEST_SIZE 16 #define MD4_BLOCK_SIZE 64 /* For backwards compatibility */ #define MD4_DATA_SIZE MD4_BLOCK_SIZE /* Digest is kept internally as 4 32-bit words. */ #define _MD4_DIGEST_LENGTH 4 /* FIXME: Identical to md5_ctx */ struct md4_ctx { uint32_t state[_MD4_DIGEST_LENGTH]; uint64_t count; /* Block count */ uint8_t block[MD4_BLOCK_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ }; void md4_init(struct md4_ctx *ctx); void md4_update(struct md4_ctx *ctx, size_t length, const uint8_t *data); void md4_digest(struct md4_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_MD4_H_INCLUDED */ nettle-3.4.1/AUTHORS0000644000175000017500000000003613401564746013117 0ustar nissenissePlease see the Nettle manual. nettle-3.4.1/pkcs1-decrypt.c0000644000175000017500000000304313401564745014704 0ustar nissenisse/* pkcs1-decrypt.c The RSA publickey algorithm. PKCS#1 decryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "pkcs1.h" #include "bignum.h" #include "gmp-glue.h" #include "rsa-internal.h" int pkcs1_decrypt (size_t key_size, const mpz_t m, size_t *length, uint8_t *message) { TMP_GMP_DECL(em, uint8_t); int ret; TMP_GMP_ALLOC(em, key_size); nettle_mpz_get_str_256(key_size, em, m); ret = _pkcs1_sec_decrypt_variable (length, message, key_size, em); TMP_GMP_FREE(em); return ret; } nettle-3.4.1/mini-gmp.c0000644000175000017500000024627213401564746013746 0ustar nissenisse/* mini-gmp, a minimalistic implementation of a GNU GMP subset. Contributed to the GNU project by Niels Möller Copyright 1991-1997, 1999-2017 Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with the GNU MP Library. If not, see https://www.gnu.org/licenses/. */ /* NOTE: All functions in this file which are not declared in mini-gmp.h are internal, and are not intended to be compatible neither with GMP nor with future versions of mini-gmp. */ /* Much of the material copied from GMP files, including: gmp-impl.h, longlong.h, mpn/generic/add_n.c, mpn/generic/addmul_1.c, mpn/generic/lshift.c, mpn/generic/mul_1.c, mpn/generic/mul_basecase.c, mpn/generic/rshift.c, mpn/generic/sbpi1_div_qr.c, mpn/generic/sub_n.c, mpn/generic/submul_1.c. */ #include #include #include #include #include #include #include "mini-gmp.h" /* Macros */ #define GMP_LIMB_BITS (sizeof(mp_limb_t) * CHAR_BIT) #define GMP_LIMB_MAX (~ (mp_limb_t) 0) #define GMP_LIMB_HIGHBIT ((mp_limb_t) 1 << (GMP_LIMB_BITS - 1)) #define GMP_HLIMB_BIT ((mp_limb_t) 1 << (GMP_LIMB_BITS / 2)) #define GMP_LLIMB_MASK (GMP_HLIMB_BIT - 1) #define GMP_ULONG_BITS (sizeof(unsigned long) * CHAR_BIT) #define GMP_ULONG_HIGHBIT ((unsigned long) 1 << (GMP_ULONG_BITS - 1)) #define GMP_ABS(x) ((x) >= 0 ? (x) : -(x)) #define GMP_NEG_CAST(T,x) (-((T)((x) + 1) - 1)) #define GMP_MIN(a, b) ((a) < (b) ? (a) : (b)) #define GMP_MAX(a, b) ((a) > (b) ? (a) : (b)) #define GMP_CMP(a,b) (((a) > (b)) - ((a) < (b))) /* Return non-zero if xp,xsize and yp,ysize overlap. If xp+xsize<=yp there's no overlap, or if yp+ysize<=xp there's no overlap. If both these are false, there's an overlap. */ #define GMP_MPN_OVERLAP_P(xp, xsize, yp, ysize) \ ((xp) + (xsize) > (yp) && (yp) + (ysize) > (xp)) #define gmp_assert_nocarry(x) do { \ mp_limb_t __cy = (x); \ assert (__cy == 0); \ } while (0) #define gmp_clz(count, x) do { \ mp_limb_t __clz_x = (x); \ unsigned __clz_c; \ for (__clz_c = 0; \ (__clz_x & ((mp_limb_t) 0xff << (GMP_LIMB_BITS - 8))) == 0; \ __clz_c += 8) \ __clz_x <<= 8; \ for (; (__clz_x & GMP_LIMB_HIGHBIT) == 0; __clz_c++) \ __clz_x <<= 1; \ (count) = __clz_c; \ } while (0) #define gmp_ctz(count, x) do { \ mp_limb_t __ctz_x = (x); \ unsigned __ctz_c = 0; \ gmp_clz (__ctz_c, __ctz_x & - __ctz_x); \ (count) = GMP_LIMB_BITS - 1 - __ctz_c; \ } while (0) #define gmp_add_ssaaaa(sh, sl, ah, al, bh, bl) \ do { \ mp_limb_t __x; \ __x = (al) + (bl); \ (sh) = (ah) + (bh) + (__x < (al)); \ (sl) = __x; \ } while (0) #define gmp_sub_ddmmss(sh, sl, ah, al, bh, bl) \ do { \ mp_limb_t __x; \ __x = (al) - (bl); \ (sh) = (ah) - (bh) - ((al) < (bl)); \ (sl) = __x; \ } while (0) #define gmp_umul_ppmm(w1, w0, u, v) \ do { \ mp_limb_t __x0, __x1, __x2, __x3; \ unsigned __ul, __vl, __uh, __vh; \ mp_limb_t __u = (u), __v = (v); \ \ __ul = __u & GMP_LLIMB_MASK; \ __uh = __u >> (GMP_LIMB_BITS / 2); \ __vl = __v & GMP_LLIMB_MASK; \ __vh = __v >> (GMP_LIMB_BITS / 2); \ \ __x0 = (mp_limb_t) __ul * __vl; \ __x1 = (mp_limb_t) __ul * __vh; \ __x2 = (mp_limb_t) __uh * __vl; \ __x3 = (mp_limb_t) __uh * __vh; \ \ __x1 += __x0 >> (GMP_LIMB_BITS / 2);/* this can't give carry */ \ __x1 += __x2; /* but this indeed can */ \ if (__x1 < __x2) /* did we get it? */ \ __x3 += GMP_HLIMB_BIT; /* yes, add it in the proper pos. */ \ \ (w1) = __x3 + (__x1 >> (GMP_LIMB_BITS / 2)); \ (w0) = (__x1 << (GMP_LIMB_BITS / 2)) + (__x0 & GMP_LLIMB_MASK); \ } while (0) #define gmp_udiv_qrnnd_preinv(q, r, nh, nl, d, di) \ do { \ mp_limb_t _qh, _ql, _r, _mask; \ gmp_umul_ppmm (_qh, _ql, (nh), (di)); \ gmp_add_ssaaaa (_qh, _ql, _qh, _ql, (nh) + 1, (nl)); \ _r = (nl) - _qh * (d); \ _mask = -(mp_limb_t) (_r > _ql); /* both > and >= are OK */ \ _qh += _mask; \ _r += _mask & (d); \ if (_r >= (d)) \ { \ _r -= (d); \ _qh++; \ } \ \ (r) = _r; \ (q) = _qh; \ } while (0) #define gmp_udiv_qr_3by2(q, r1, r0, n2, n1, n0, d1, d0, dinv) \ do { \ mp_limb_t _q0, _t1, _t0, _mask; \ gmp_umul_ppmm ((q), _q0, (n2), (dinv)); \ gmp_add_ssaaaa ((q), _q0, (q), _q0, (n2), (n1)); \ \ /* Compute the two most significant limbs of n - q'd */ \ (r1) = (n1) - (d1) * (q); \ gmp_sub_ddmmss ((r1), (r0), (r1), (n0), (d1), (d0)); \ gmp_umul_ppmm (_t1, _t0, (d0), (q)); \ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), _t1, _t0); \ (q)++; \ \ /* Conditionally adjust q and the remainders */ \ _mask = - (mp_limb_t) ((r1) >= _q0); \ (q) += _mask; \ gmp_add_ssaaaa ((r1), (r0), (r1), (r0), _mask & (d1), _mask & (d0)); \ if ((r1) >= (d1)) \ { \ if ((r1) > (d1) || (r0) >= (d0)) \ { \ (q)++; \ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), (d1), (d0)); \ } \ } \ } while (0) /* Swap macros. */ #define MP_LIMB_T_SWAP(x, y) \ do { \ mp_limb_t __mp_limb_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_limb_t_swap__tmp; \ } while (0) #define MP_SIZE_T_SWAP(x, y) \ do { \ mp_size_t __mp_size_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_size_t_swap__tmp; \ } while (0) #define MP_BITCNT_T_SWAP(x,y) \ do { \ mp_bitcnt_t __mp_bitcnt_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_bitcnt_t_swap__tmp; \ } while (0) #define MP_PTR_SWAP(x, y) \ do { \ mp_ptr __mp_ptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_ptr_swap__tmp; \ } while (0) #define MP_SRCPTR_SWAP(x, y) \ do { \ mp_srcptr __mp_srcptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_srcptr_swap__tmp; \ } while (0) #define MPN_PTR_SWAP(xp,xs, yp,ys) \ do { \ MP_PTR_SWAP (xp, yp); \ MP_SIZE_T_SWAP (xs, ys); \ } while(0) #define MPN_SRCPTR_SWAP(xp,xs, yp,ys) \ do { \ MP_SRCPTR_SWAP (xp, yp); \ MP_SIZE_T_SWAP (xs, ys); \ } while(0) #define MPZ_PTR_SWAP(x, y) \ do { \ mpz_ptr __mpz_ptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mpz_ptr_swap__tmp; \ } while (0) #define MPZ_SRCPTR_SWAP(x, y) \ do { \ mpz_srcptr __mpz_srcptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mpz_srcptr_swap__tmp; \ } while (0) const int mp_bits_per_limb = GMP_LIMB_BITS; /* Memory allocation and other helper functions. */ static void gmp_die (const char *msg) { fprintf (stderr, "%s\n", msg); abort(); } static void * gmp_default_alloc (size_t size) { void *p; assert (size > 0); p = malloc (size); if (!p) gmp_die("gmp_default_alloc: Virtual memory exhausted."); return p; } static void * gmp_default_realloc (void *old, size_t old_size, size_t new_size) { void * p; p = realloc (old, new_size); if (!p) gmp_die("gmp_default_realloc: Virtual memory exhausted."); return p; } static void gmp_default_free (void *p, size_t size) { free (p); } static void * (*gmp_allocate_func) (size_t) = gmp_default_alloc; static void * (*gmp_reallocate_func) (void *, size_t, size_t) = gmp_default_realloc; static void (*gmp_free_func) (void *, size_t) = gmp_default_free; void mp_get_memory_functions (void *(**alloc_func) (size_t), void *(**realloc_func) (void *, size_t, size_t), void (**free_func) (void *, size_t)) { if (alloc_func) *alloc_func = gmp_allocate_func; if (realloc_func) *realloc_func = gmp_reallocate_func; if (free_func) *free_func = gmp_free_func; } void mp_set_memory_functions (void *(*alloc_func) (size_t), void *(*realloc_func) (void *, size_t, size_t), void (*free_func) (void *, size_t)) { if (!alloc_func) alloc_func = gmp_default_alloc; if (!realloc_func) realloc_func = gmp_default_realloc; if (!free_func) free_func = gmp_default_free; gmp_allocate_func = alloc_func; gmp_reallocate_func = realloc_func; gmp_free_func = free_func; } #define gmp_xalloc(size) ((*gmp_allocate_func)((size))) #define gmp_free(p) ((*gmp_free_func) ((p), 0)) static mp_ptr gmp_xalloc_limbs (mp_size_t size) { return (mp_ptr) gmp_xalloc (size * sizeof (mp_limb_t)); } static mp_ptr gmp_xrealloc_limbs (mp_ptr old, mp_size_t size) { assert (size > 0); return (mp_ptr) (*gmp_reallocate_func) (old, 0, size * sizeof (mp_limb_t)); } /* MPN interface */ void mpn_copyi (mp_ptr d, mp_srcptr s, mp_size_t n) { mp_size_t i; for (i = 0; i < n; i++) d[i] = s[i]; } void mpn_copyd (mp_ptr d, mp_srcptr s, mp_size_t n) { while (--n >= 0) d[n] = s[n]; } int mpn_cmp (mp_srcptr ap, mp_srcptr bp, mp_size_t n) { while (--n >= 0) { if (ap[n] != bp[n]) return ap[n] > bp[n] ? 1 : -1; } return 0; } static int mpn_cmp4 (mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { if (an != bn) return an < bn ? -1 : 1; else return mpn_cmp (ap, bp, an); } static mp_size_t mpn_normalized_size (mp_srcptr xp, mp_size_t n) { while (n > 0 && xp[n-1] == 0) --n; return n; } int mpn_zero_p(mp_srcptr rp, mp_size_t n) { return mpn_normalized_size (rp, n) == 0; } void mpn_zero (mp_ptr rp, mp_size_t n) { while (--n >= 0) rp[n] = 0; } mp_limb_t mpn_add_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) { mp_size_t i; assert (n > 0); i = 0; do { mp_limb_t r = ap[i] + b; /* Carry out */ b = (r < b); rp[i] = r; } while (++i < n); return b; } mp_limb_t mpn_add_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mp_size_t i; mp_limb_t cy; for (i = 0, cy = 0; i < n; i++) { mp_limb_t a, b, r; a = ap[i]; b = bp[i]; r = a + cy; cy = (r < cy); r += b; cy += (r < b); rp[i] = r; } return cy; } mp_limb_t mpn_add (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { mp_limb_t cy; assert (an >= bn); cy = mpn_add_n (rp, ap, bp, bn); if (an > bn) cy = mpn_add_1 (rp + bn, ap + bn, an - bn, cy); return cy; } mp_limb_t mpn_sub_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) { mp_size_t i; assert (n > 0); i = 0; do { mp_limb_t a = ap[i]; /* Carry out */ mp_limb_t cy = a < b; rp[i] = a - b; b = cy; } while (++i < n); return b; } mp_limb_t mpn_sub_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mp_size_t i; mp_limb_t cy; for (i = 0, cy = 0; i < n; i++) { mp_limb_t a, b; a = ap[i]; b = bp[i]; b += cy; cy = (b < cy); cy += (a < b); rp[i] = a - b; } return cy; } mp_limb_t mpn_sub (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { mp_limb_t cy; assert (an >= bn); cy = mpn_sub_n (rp, ap, bp, bn); if (an > bn) cy = mpn_sub_1 (rp + bn, ap + bn, an - bn, cy); return cy; } mp_limb_t mpn_mul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_addmul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl, rl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; rl = *rp; lpl = rl + lpl; cl += lpl < rl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_submul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl, rl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; rl = *rp; lpl = rl - lpl; cl += lpl > rl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_mul (mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr vp, mp_size_t vn) { assert (un >= vn); assert (vn >= 1); assert (!GMP_MPN_OVERLAP_P(rp, un + vn, up, un)); assert (!GMP_MPN_OVERLAP_P(rp, un + vn, vp, vn)); /* We first multiply by the low order limb. This result can be stored, not added, to rp. We also avoid a loop for zeroing this way. */ rp[un] = mpn_mul_1 (rp, up, un, vp[0]); /* Now accumulate the product of up[] and the next higher limb from vp[]. */ while (--vn >= 1) { rp += 1, vp += 1; rp[un] = mpn_addmul_1 (rp, up, un, vp[0]); } return rp[un]; } void mpn_mul_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mpn_mul (rp, ap, n, bp, n); } void mpn_sqr (mp_ptr rp, mp_srcptr ap, mp_size_t n) { mpn_mul (rp, ap, n, ap, n); } mp_limb_t mpn_lshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) { mp_limb_t high_limb, low_limb; unsigned int tnc; mp_limb_t retval; assert (n >= 1); assert (cnt >= 1); assert (cnt < GMP_LIMB_BITS); up += n; rp += n; tnc = GMP_LIMB_BITS - cnt; low_limb = *--up; retval = low_limb >> tnc; high_limb = (low_limb << cnt); while (--n != 0) { low_limb = *--up; *--rp = high_limb | (low_limb >> tnc); high_limb = (low_limb << cnt); } *--rp = high_limb; return retval; } mp_limb_t mpn_rshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) { mp_limb_t high_limb, low_limb; unsigned int tnc; mp_limb_t retval; assert (n >= 1); assert (cnt >= 1); assert (cnt < GMP_LIMB_BITS); tnc = GMP_LIMB_BITS - cnt; high_limb = *up++; retval = (high_limb << tnc); low_limb = high_limb >> cnt; while (--n != 0) { high_limb = *up++; *rp++ = low_limb | (high_limb << tnc); low_limb = high_limb >> cnt; } *rp = low_limb; return retval; } static mp_bitcnt_t mpn_common_scan (mp_limb_t limb, mp_size_t i, mp_srcptr up, mp_size_t un, mp_limb_t ux) { unsigned cnt; assert (ux == 0 || ux == GMP_LIMB_MAX); assert (0 <= i && i <= un ); while (limb == 0) { i++; if (i == un) return (ux == 0 ? ~(mp_bitcnt_t) 0 : un * GMP_LIMB_BITS); limb = ux ^ up[i]; } gmp_ctz (cnt, limb); return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt; } mp_bitcnt_t mpn_scan1 (mp_srcptr ptr, mp_bitcnt_t bit) { mp_size_t i; i = bit / GMP_LIMB_BITS; return mpn_common_scan ( ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), i, ptr, i, 0); } mp_bitcnt_t mpn_scan0 (mp_srcptr ptr, mp_bitcnt_t bit) { mp_size_t i; i = bit / GMP_LIMB_BITS; return mpn_common_scan (~ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), i, ptr, i, GMP_LIMB_MAX); } void mpn_com (mp_ptr rp, mp_srcptr up, mp_size_t n) { while (--n >= 0) *rp++ = ~ *up++; } mp_limb_t mpn_neg (mp_ptr rp, mp_srcptr up, mp_size_t n) { while (*up == 0) { *rp = 0; if (!--n) return 0; ++up; ++rp; } *rp = - *up; mpn_com (++rp, ++up, --n); return 1; } /* MPN division interface. */ /* The 3/2 inverse is defined as m = floor( (B^3-1) / (B u1 + u0)) - B */ mp_limb_t mpn_invert_3by2 (mp_limb_t u1, mp_limb_t u0) { mp_limb_t r, p, m, ql; unsigned ul, uh, qh; assert (u1 >= GMP_LIMB_HIGHBIT); /* For notation, let b denote the half-limb base, so that B = b^2. Split u1 = b uh + ul. */ ul = u1 & GMP_LLIMB_MASK; uh = u1 >> (GMP_LIMB_BITS / 2); /* Approximation of the high half of quotient. Differs from the 2/1 inverse of the half limb uh, since we have already subtracted u0. */ qh = ~u1 / uh; /* Adjust to get a half-limb 3/2 inverse, i.e., we want qh' = floor( (b^3 - 1) / u) - b = floor ((b^3 - b u - 1) / u = floor( (b (~u) + b-1) / u), and the remainder r = b (~u) + b-1 - qh (b uh + ul) = b (~u - qh uh) + b-1 - qh ul Subtraction of qh ul may underflow, which implies adjustments. But by normalization, 2 u >= B > qh ul, so we need to adjust by at most 2. */ r = ((~u1 - (mp_limb_t) qh * uh) << (GMP_LIMB_BITS / 2)) | GMP_LLIMB_MASK; p = (mp_limb_t) qh * ul; /* Adjustment steps taken from udiv_qrnnd_c */ if (r < p) { qh--; r += u1; if (r >= u1) /* i.e. we didn't get carry when adding to r */ if (r < p) { qh--; r += u1; } } r -= p; /* Low half of the quotient is ql = floor ( (b r + b-1) / u1). This is a 3/2 division (on half-limbs), for which qh is a suitable inverse. */ p = (r >> (GMP_LIMB_BITS / 2)) * qh + r; /* Unlike full-limb 3/2, we can add 1 without overflow. For this to work, it is essential that ql is a full mp_limb_t. */ ql = (p >> (GMP_LIMB_BITS / 2)) + 1; /* By the 3/2 trick, we don't need the high half limb. */ r = (r << (GMP_LIMB_BITS / 2)) + GMP_LLIMB_MASK - ql * u1; if (r >= (p << (GMP_LIMB_BITS / 2))) { ql--; r += u1; } m = ((mp_limb_t) qh << (GMP_LIMB_BITS / 2)) + ql; if (r >= u1) { m++; r -= u1; } /* Now m is the 2/1 invers of u1. If u0 > 0, adjust it to become a 3/2 inverse. */ if (u0 > 0) { mp_limb_t th, tl; r = ~r; r += u0; if (r < u0) { m--; if (r >= u1) { m--; r -= u1; } r -= u1; } gmp_umul_ppmm (th, tl, u0, m); r += th; if (r < th) { m--; m -= ((r > u1) | ((r == u1) & (tl > u0))); } } return m; } struct gmp_div_inverse { /* Normalization shift count. */ unsigned shift; /* Normalized divisor (d0 unused for mpn_div_qr_1) */ mp_limb_t d1, d0; /* Inverse, for 2/1 or 3/2. */ mp_limb_t di; }; static void mpn_div_qr_1_invert (struct gmp_div_inverse *inv, mp_limb_t d) { unsigned shift; assert (d > 0); gmp_clz (shift, d); inv->shift = shift; inv->d1 = d << shift; inv->di = mpn_invert_limb (inv->d1); } static void mpn_div_qr_2_invert (struct gmp_div_inverse *inv, mp_limb_t d1, mp_limb_t d0) { unsigned shift; assert (d1 > 0); gmp_clz (shift, d1); inv->shift = shift; if (shift > 0) { d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift)); d0 <<= shift; } inv->d1 = d1; inv->d0 = d0; inv->di = mpn_invert_3by2 (d1, d0); } static void mpn_div_qr_invert (struct gmp_div_inverse *inv, mp_srcptr dp, mp_size_t dn) { assert (dn > 0); if (dn == 1) mpn_div_qr_1_invert (inv, dp[0]); else if (dn == 2) mpn_div_qr_2_invert (inv, dp[1], dp[0]); else { unsigned shift; mp_limb_t d1, d0; d1 = dp[dn-1]; d0 = dp[dn-2]; assert (d1 > 0); gmp_clz (shift, d1); inv->shift = shift; if (shift > 0) { d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift)); d0 = (d0 << shift) | (dp[dn-3] >> (GMP_LIMB_BITS - shift)); } inv->d1 = d1; inv->d0 = d0; inv->di = mpn_invert_3by2 (d1, d0); } } /* Not matching current public gmp interface, rather corresponding to the sbpi1_div_* functions. */ static mp_limb_t mpn_div_qr_1_preinv (mp_ptr qp, mp_srcptr np, mp_size_t nn, const struct gmp_div_inverse *inv) { mp_limb_t d, di; mp_limb_t r; mp_ptr tp = NULL; if (inv->shift > 0) { tp = gmp_xalloc_limbs (nn); r = mpn_lshift (tp, np, nn, inv->shift); np = tp; } else r = 0; d = inv->d1; di = inv->di; while (--nn >= 0) { mp_limb_t q; gmp_udiv_qrnnd_preinv (q, r, r, np[nn], d, di); if (qp) qp[nn] = q; } if (inv->shift > 0) gmp_free (tp); return r >> inv->shift; } static mp_limb_t mpn_div_qr_1 (mp_ptr qp, mp_srcptr np, mp_size_t nn, mp_limb_t d) { assert (d > 0); /* Special case for powers of two. */ if ((d & (d-1)) == 0) { mp_limb_t r = np[0] & (d-1); if (qp) { if (d <= 1) mpn_copyi (qp, np, nn); else { unsigned shift; gmp_ctz (shift, d); mpn_rshift (qp, np, nn, shift); } } return r; } else { struct gmp_div_inverse inv; mpn_div_qr_1_invert (&inv, d); return mpn_div_qr_1_preinv (qp, np, nn, &inv); } } static void mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn, const struct gmp_div_inverse *inv) { unsigned shift; mp_size_t i; mp_limb_t d1, d0, di, r1, r0; mp_ptr tp; assert (nn >= 2); shift = inv->shift; d1 = inv->d1; d0 = inv->d0; di = inv->di; if (shift > 0) { tp = gmp_xalloc_limbs (nn); r1 = mpn_lshift (tp, np, nn, shift); np = tp; } else r1 = 0; r0 = np[nn - 1]; i = nn - 2; do { mp_limb_t n0, q; n0 = np[i]; gmp_udiv_qr_3by2 (q, r1, r0, r1, r0, n0, d1, d0, di); if (qp) qp[i] = q; } while (--i >= 0); if (shift > 0) { assert ((r0 << (GMP_LIMB_BITS - shift)) == 0); r0 = (r0 >> shift) | (r1 << (GMP_LIMB_BITS - shift)); r1 >>= shift; gmp_free (tp); } rp[1] = r1; rp[0] = r0; } #if 0 static void mpn_div_qr_2 (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn, mp_limb_t d1, mp_limb_t d0) { struct gmp_div_inverse inv; assert (nn >= 2); mpn_div_qr_2_invert (&inv, d1, d0); mpn_div_qr_2_preinv (qp, rp, np, nn, &inv); } #endif static void mpn_div_qr_pi1 (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_limb_t n1, mp_srcptr dp, mp_size_t dn, mp_limb_t dinv) { mp_size_t i; mp_limb_t d1, d0; mp_limb_t cy, cy1; mp_limb_t q; assert (dn > 2); assert (nn >= dn); d1 = dp[dn - 1]; d0 = dp[dn - 2]; assert ((d1 & GMP_LIMB_HIGHBIT) != 0); /* Iteration variable is the index of the q limb. * * We divide * by */ i = nn - dn; do { mp_limb_t n0 = np[dn-1+i]; if (n1 == d1 && n0 == d0) { q = GMP_LIMB_MAX; mpn_submul_1 (np+i, dp, dn, q); n1 = np[dn-1+i]; /* update n1, last loop's value will now be invalid */ } else { gmp_udiv_qr_3by2 (q, n1, n0, n1, n0, np[dn-2+i], d1, d0, dinv); cy = mpn_submul_1 (np + i, dp, dn-2, q); cy1 = n0 < cy; n0 = n0 - cy; cy = n1 < cy1; n1 = n1 - cy1; np[dn-2+i] = n0; if (cy != 0) { n1 += d1 + mpn_add_n (np + i, np + i, dp, dn - 1); q--; } } if (qp) qp[i] = q; } while (--i >= 0); np[dn - 1] = n1; } static void mpn_div_qr_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn, const struct gmp_div_inverse *inv) { assert (dn > 0); assert (nn >= dn); if (dn == 1) np[0] = mpn_div_qr_1_preinv (qp, np, nn, inv); else if (dn == 2) mpn_div_qr_2_preinv (qp, np, np, nn, inv); else { mp_limb_t nh; unsigned shift; assert (inv->d1 == dp[dn-1]); assert (inv->d0 == dp[dn-2]); assert ((inv->d1 & GMP_LIMB_HIGHBIT) != 0); shift = inv->shift; if (shift > 0) nh = mpn_lshift (np, np, nn, shift); else nh = 0; mpn_div_qr_pi1 (qp, np, nn, nh, dp, dn, inv->di); if (shift > 0) gmp_assert_nocarry (mpn_rshift (np, np, dn, shift)); } } static void mpn_div_qr (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn) { struct gmp_div_inverse inv; mp_ptr tp = NULL; assert (dn > 0); assert (nn >= dn); mpn_div_qr_invert (&inv, dp, dn); if (dn > 2 && inv.shift > 0) { tp = gmp_xalloc_limbs (dn); gmp_assert_nocarry (mpn_lshift (tp, dp, dn, inv.shift)); dp = tp; } mpn_div_qr_preinv (qp, np, nn, dp, dn, &inv); if (tp) gmp_free (tp); } /* MPN base conversion. */ static unsigned mpn_base_power_of_two_p (unsigned b) { switch (b) { case 2: return 1; case 4: return 2; case 8: return 3; case 16: return 4; case 32: return 5; case 64: return 6; case 128: return 7; case 256: return 8; default: return 0; } } struct mpn_base_info { /* bb is the largest power of the base which fits in one limb, and exp is the corresponding exponent. */ unsigned exp; mp_limb_t bb; }; static void mpn_get_base_info (struct mpn_base_info *info, mp_limb_t b) { mp_limb_t m; mp_limb_t p; unsigned exp; m = GMP_LIMB_MAX / b; for (exp = 1, p = b; p <= m; exp++) p *= b; info->exp = exp; info->bb = p; } static mp_bitcnt_t mpn_limb_size_in_base_2 (mp_limb_t u) { unsigned shift; assert (u > 0); gmp_clz (shift, u); return GMP_LIMB_BITS - shift; } static size_t mpn_get_str_bits (unsigned char *sp, unsigned bits, mp_srcptr up, mp_size_t un) { unsigned char mask; size_t sn, j; mp_size_t i; unsigned shift; sn = ((un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]) + bits - 1) / bits; mask = (1U << bits) - 1; for (i = 0, j = sn, shift = 0; j-- > 0;) { unsigned char digit = up[i] >> shift; shift += bits; if (shift >= GMP_LIMB_BITS && ++i < un) { shift -= GMP_LIMB_BITS; digit |= up[i] << (bits - shift); } sp[j] = digit & mask; } return sn; } /* We generate digits from the least significant end, and reverse at the end. */ static size_t mpn_limb_get_str (unsigned char *sp, mp_limb_t w, const struct gmp_div_inverse *binv) { mp_size_t i; for (i = 0; w > 0; i++) { mp_limb_t h, l, r; h = w >> (GMP_LIMB_BITS - binv->shift); l = w << binv->shift; gmp_udiv_qrnnd_preinv (w, r, h, l, binv->d1, binv->di); assert ( (r << (GMP_LIMB_BITS - binv->shift)) == 0); r >>= binv->shift; sp[i] = r; } return i; } static size_t mpn_get_str_other (unsigned char *sp, int base, const struct mpn_base_info *info, mp_ptr up, mp_size_t un) { struct gmp_div_inverse binv; size_t sn; size_t i; mpn_div_qr_1_invert (&binv, base); sn = 0; if (un > 1) { struct gmp_div_inverse bbinv; mpn_div_qr_1_invert (&bbinv, info->bb); do { mp_limb_t w; size_t done; w = mpn_div_qr_1_preinv (up, up, un, &bbinv); un -= (up[un-1] == 0); done = mpn_limb_get_str (sp + sn, w, &binv); for (sn += done; done < info->exp; done++) sp[sn++] = 0; } while (un > 1); } sn += mpn_limb_get_str (sp + sn, up[0], &binv); /* Reverse order */ for (i = 0; 2*i + 1 < sn; i++) { unsigned char t = sp[i]; sp[i] = sp[sn - i - 1]; sp[sn - i - 1] = t; } return sn; } size_t mpn_get_str (unsigned char *sp, int base, mp_ptr up, mp_size_t un) { unsigned bits; assert (un > 0); assert (up[un-1] > 0); bits = mpn_base_power_of_two_p (base); if (bits) return mpn_get_str_bits (sp, bits, up, un); else { struct mpn_base_info info; mpn_get_base_info (&info, base); return mpn_get_str_other (sp, base, &info, up, un); } } static mp_size_t mpn_set_str_bits (mp_ptr rp, const unsigned char *sp, size_t sn, unsigned bits) { mp_size_t rn; size_t j; unsigned shift; for (j = sn, rn = 0, shift = 0; j-- > 0; ) { if (shift == 0) { rp[rn++] = sp[j]; shift += bits; } else { rp[rn-1] |= (mp_limb_t) sp[j] << shift; shift += bits; if (shift >= GMP_LIMB_BITS) { shift -= GMP_LIMB_BITS; if (shift > 0) rp[rn++] = (mp_limb_t) sp[j] >> (bits - shift); } } } rn = mpn_normalized_size (rp, rn); return rn; } /* Result is usually normalized, except for all-zero input, in which case a single zero limb is written at *RP, and 1 is returned. */ static mp_size_t mpn_set_str_other (mp_ptr rp, const unsigned char *sp, size_t sn, mp_limb_t b, const struct mpn_base_info *info) { mp_size_t rn; mp_limb_t w; unsigned k; size_t j; assert (sn > 0); k = 1 + (sn - 1) % info->exp; j = 0; w = sp[j++]; while (--k != 0) w = w * b + sp[j++]; rp[0] = w; for (rn = 1; j < sn;) { mp_limb_t cy; w = sp[j++]; for (k = 1; k < info->exp; k++) w = w * b + sp[j++]; cy = mpn_mul_1 (rp, rp, rn, info->bb); cy += mpn_add_1 (rp, rp, rn, w); if (cy > 0) rp[rn++] = cy; } assert (j == sn); return rn; } mp_size_t mpn_set_str (mp_ptr rp, const unsigned char *sp, size_t sn, int base) { unsigned bits; if (sn == 0) return 0; bits = mpn_base_power_of_two_p (base); if (bits) return mpn_set_str_bits (rp, sp, sn, bits); else { struct mpn_base_info info; mpn_get_base_info (&info, base); return mpn_set_str_other (rp, sp, sn, base, &info); } } /* MPZ interface */ void mpz_init (mpz_t r) { static const mp_limb_t dummy_limb = 0xc1a0; r->_mp_alloc = 0; r->_mp_size = 0; r->_mp_d = (mp_ptr) &dummy_limb; } /* The utility of this function is a bit limited, since many functions assigns the result variable using mpz_swap. */ void mpz_init2 (mpz_t r, mp_bitcnt_t bits) { mp_size_t rn; bits -= (bits != 0); /* Round down, except if 0 */ rn = 1 + bits / GMP_LIMB_BITS; r->_mp_alloc = rn; r->_mp_size = 0; r->_mp_d = gmp_xalloc_limbs (rn); } void mpz_clear (mpz_t r) { if (r->_mp_alloc) gmp_free (r->_mp_d); } static mp_ptr mpz_realloc (mpz_t r, mp_size_t size) { size = GMP_MAX (size, 1); if (r->_mp_alloc) r->_mp_d = gmp_xrealloc_limbs (r->_mp_d, size); else r->_mp_d = gmp_xalloc_limbs (size); r->_mp_alloc = size; if (GMP_ABS (r->_mp_size) > size) r->_mp_size = 0; return r->_mp_d; } /* Realloc for an mpz_t WHAT if it has less than NEEDED limbs. */ #define MPZ_REALLOC(z,n) ((n) > (z)->_mp_alloc \ ? mpz_realloc(z,n) \ : (z)->_mp_d) /* MPZ assignment and basic conversions. */ void mpz_set_si (mpz_t r, signed long int x) { if (x >= 0) mpz_set_ui (r, x); else /* (x < 0) */ { r->_mp_size = -1; MPZ_REALLOC (r, 1)[0] = GMP_NEG_CAST (unsigned long int, x); } } void mpz_set_ui (mpz_t r, unsigned long int x) { if (x > 0) { r->_mp_size = 1; MPZ_REALLOC (r, 1)[0] = x; } else r->_mp_size = 0; } void mpz_set (mpz_t r, const mpz_t x) { /* Allow the NOP r == x */ if (r != x) { mp_size_t n; mp_ptr rp; n = GMP_ABS (x->_mp_size); rp = MPZ_REALLOC (r, n); mpn_copyi (rp, x->_mp_d, n); r->_mp_size = x->_mp_size; } } void mpz_init_set_si (mpz_t r, signed long int x) { mpz_init (r); mpz_set_si (r, x); } void mpz_init_set_ui (mpz_t r, unsigned long int x) { mpz_init (r); mpz_set_ui (r, x); } void mpz_init_set (mpz_t r, const mpz_t x) { mpz_init (r); mpz_set (r, x); } int mpz_fits_slong_p (const mpz_t u) { mp_size_t us = u->_mp_size; if (us == 1) return u->_mp_d[0] < GMP_LIMB_HIGHBIT; else if (us == -1) return u->_mp_d[0] <= GMP_LIMB_HIGHBIT; else return (us == 0); } int mpz_fits_ulong_p (const mpz_t u) { mp_size_t us = u->_mp_size; return (us == (us > 0)); } long int mpz_get_si (const mpz_t u) { if (u->_mp_size < 0) /* This expression is necessary to properly handle 0x80000000 */ return -1 - (long) ((u->_mp_d[0] - 1) & ~GMP_LIMB_HIGHBIT); else return (long) (mpz_get_ui (u) & ~GMP_LIMB_HIGHBIT); } unsigned long int mpz_get_ui (const mpz_t u) { return u->_mp_size == 0 ? 0 : u->_mp_d[0]; } size_t mpz_size (const mpz_t u) { return GMP_ABS (u->_mp_size); } mp_limb_t mpz_getlimbn (const mpz_t u, mp_size_t n) { if (n >= 0 && n < GMP_ABS (u->_mp_size)) return u->_mp_d[n]; else return 0; } void mpz_realloc2 (mpz_t x, mp_bitcnt_t n) { mpz_realloc (x, 1 + (n - (n != 0)) / GMP_LIMB_BITS); } mp_srcptr mpz_limbs_read (mpz_srcptr x) { return x->_mp_d; } mp_ptr mpz_limbs_modify (mpz_t x, mp_size_t n) { assert (n > 0); return MPZ_REALLOC (x, n); } mp_ptr mpz_limbs_write (mpz_t x, mp_size_t n) { return mpz_limbs_modify (x, n); } void mpz_limbs_finish (mpz_t x, mp_size_t xs) { mp_size_t xn; xn = mpn_normalized_size (x->_mp_d, GMP_ABS (xs)); x->_mp_size = xs < 0 ? -xn : xn; } mpz_srcptr mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs) { x->_mp_alloc = 0; x->_mp_d = (mp_ptr) xp; mpz_limbs_finish (x, xs); return x; } /* Conversions and comparison to double. */ void mpz_set_d (mpz_t r, double x) { int sign; mp_ptr rp; mp_size_t rn, i; double B; double Bi; mp_limb_t f; /* x != x is true when x is a NaN, and x == x * 0.5 is true when x is zero or infinity. */ if (x != x || x == x * 0.5) { r->_mp_size = 0; return; } sign = x < 0.0 ; if (sign) x = - x; if (x < 1.0) { r->_mp_size = 0; return; } B = 2.0 * (double) GMP_LIMB_HIGHBIT; Bi = 1.0 / B; for (rn = 1; x >= B; rn++) x *= Bi; rp = MPZ_REALLOC (r, rn); f = (mp_limb_t) x; x -= f; assert (x < 1.0); i = rn-1; rp[i] = f; while (--i >= 0) { x = B * x; f = (mp_limb_t) x; x -= f; assert (x < 1.0); rp[i] = f; } r->_mp_size = sign ? - rn : rn; } void mpz_init_set_d (mpz_t r, double x) { mpz_init (r); mpz_set_d (r, x); } double mpz_get_d (const mpz_t u) { mp_size_t un; double x; double B = 2.0 * (double) GMP_LIMB_HIGHBIT; un = GMP_ABS (u->_mp_size); if (un == 0) return 0.0; x = u->_mp_d[--un]; while (un > 0) x = B*x + u->_mp_d[--un]; if (u->_mp_size < 0) x = -x; return x; } int mpz_cmpabs_d (const mpz_t x, double d) { mp_size_t xn; double B, Bi; mp_size_t i; xn = x->_mp_size; d = GMP_ABS (d); if (xn != 0) { xn = GMP_ABS (xn); B = 2.0 * (double) GMP_LIMB_HIGHBIT; Bi = 1.0 / B; /* Scale d so it can be compared with the top limb. */ for (i = 1; i < xn; i++) d *= Bi; if (d >= B) return -1; /* Compare floor(d) to top limb, subtract and cancel when equal. */ for (i = xn; i-- > 0;) { mp_limb_t f, xl; f = (mp_limb_t) d; xl = x->_mp_d[i]; if (xl > f) return 1; else if (xl < f) return -1; d = B * (d - f); } } return - (d > 0.0); } int mpz_cmp_d (const mpz_t x, double d) { if (x->_mp_size < 0) { if (d >= 0.0) return -1; else return -mpz_cmpabs_d (x, d); } else { if (d < 0.0) return 1; else return mpz_cmpabs_d (x, d); } } /* MPZ comparisons and the like. */ int mpz_sgn (const mpz_t u) { return GMP_CMP (u->_mp_size, 0); } int mpz_cmp_si (const mpz_t u, long v) { mp_size_t usize = u->_mp_size; if (usize < -1) return -1; else if (v >= 0) return mpz_cmp_ui (u, v); else if (usize >= 0) return 1; else /* usize == -1 */ return GMP_CMP (GMP_NEG_CAST (mp_limb_t, v), u->_mp_d[0]); } int mpz_cmp_ui (const mpz_t u, unsigned long v) { mp_size_t usize = u->_mp_size; if (usize > 1) return 1; else if (usize < 0) return -1; else return GMP_CMP (mpz_get_ui (u), v); } int mpz_cmp (const mpz_t a, const mpz_t b) { mp_size_t asize = a->_mp_size; mp_size_t bsize = b->_mp_size; if (asize != bsize) return (asize < bsize) ? -1 : 1; else if (asize >= 0) return mpn_cmp (a->_mp_d, b->_mp_d, asize); else return mpn_cmp (b->_mp_d, a->_mp_d, -asize); } int mpz_cmpabs_ui (const mpz_t u, unsigned long v) { if (GMP_ABS (u->_mp_size) > 1) return 1; else return GMP_CMP (mpz_get_ui (u), v); } int mpz_cmpabs (const mpz_t u, const mpz_t v) { return mpn_cmp4 (u->_mp_d, GMP_ABS (u->_mp_size), v->_mp_d, GMP_ABS (v->_mp_size)); } void mpz_abs (mpz_t r, const mpz_t u) { mpz_set (r, u); r->_mp_size = GMP_ABS (r->_mp_size); } void mpz_neg (mpz_t r, const mpz_t u) { mpz_set (r, u); r->_mp_size = -r->_mp_size; } void mpz_swap (mpz_t u, mpz_t v) { MP_SIZE_T_SWAP (u->_mp_size, v->_mp_size); MP_SIZE_T_SWAP (u->_mp_alloc, v->_mp_alloc); MP_PTR_SWAP (u->_mp_d, v->_mp_d); } /* MPZ addition and subtraction */ /* Adds to the absolute value. Returns new size, but doesn't store it. */ static mp_size_t mpz_abs_add_ui (mpz_t r, const mpz_t a, unsigned long b) { mp_size_t an; mp_ptr rp; mp_limb_t cy; an = GMP_ABS (a->_mp_size); if (an == 0) { MPZ_REALLOC (r, 1)[0] = b; return b > 0; } rp = MPZ_REALLOC (r, an + 1); cy = mpn_add_1 (rp, a->_mp_d, an, b); rp[an] = cy; an += cy; return an; } /* Subtract from the absolute value. Returns new size, (or -1 on underflow), but doesn't store it. */ static mp_size_t mpz_abs_sub_ui (mpz_t r, const mpz_t a, unsigned long b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_ptr rp; if (an == 0) { MPZ_REALLOC (r, 1)[0] = b; return -(b > 0); } rp = MPZ_REALLOC (r, an); if (an == 1 && a->_mp_d[0] < b) { rp[0] = b - a->_mp_d[0]; return -1; } else { gmp_assert_nocarry (mpn_sub_1 (rp, a->_mp_d, an, b)); return mpn_normalized_size (rp, an); } } void mpz_add_ui (mpz_t r, const mpz_t a, unsigned long b) { if (a->_mp_size >= 0) r->_mp_size = mpz_abs_add_ui (r, a, b); else r->_mp_size = -mpz_abs_sub_ui (r, a, b); } void mpz_sub_ui (mpz_t r, const mpz_t a, unsigned long b) { if (a->_mp_size < 0) r->_mp_size = -mpz_abs_add_ui (r, a, b); else r->_mp_size = mpz_abs_sub_ui (r, a, b); } void mpz_ui_sub (mpz_t r, unsigned long a, const mpz_t b) { if (b->_mp_size < 0) r->_mp_size = mpz_abs_add_ui (r, b, a); else r->_mp_size = -mpz_abs_sub_ui (r, b, a); } static mp_size_t mpz_abs_add (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_size_t bn = GMP_ABS (b->_mp_size); mp_ptr rp; mp_limb_t cy; if (an < bn) { MPZ_SRCPTR_SWAP (a, b); MP_SIZE_T_SWAP (an, bn); } rp = MPZ_REALLOC (r, an + 1); cy = mpn_add (rp, a->_mp_d, an, b->_mp_d, bn); rp[an] = cy; return an + cy; } static mp_size_t mpz_abs_sub (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_size_t bn = GMP_ABS (b->_mp_size); int cmp; mp_ptr rp; cmp = mpn_cmp4 (a->_mp_d, an, b->_mp_d, bn); if (cmp > 0) { rp = MPZ_REALLOC (r, an); gmp_assert_nocarry (mpn_sub (rp, a->_mp_d, an, b->_mp_d, bn)); return mpn_normalized_size (rp, an); } else if (cmp < 0) { rp = MPZ_REALLOC (r, bn); gmp_assert_nocarry (mpn_sub (rp, b->_mp_d, bn, a->_mp_d, an)); return -mpn_normalized_size (rp, bn); } else return 0; } void mpz_add (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t rn; if ( (a->_mp_size ^ b->_mp_size) >= 0) rn = mpz_abs_add (r, a, b); else rn = mpz_abs_sub (r, a, b); r->_mp_size = a->_mp_size >= 0 ? rn : - rn; } void mpz_sub (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t rn; if ( (a->_mp_size ^ b->_mp_size) >= 0) rn = mpz_abs_sub (r, a, b); else rn = mpz_abs_add (r, a, b); r->_mp_size = a->_mp_size >= 0 ? rn : - rn; } /* MPZ multiplication */ void mpz_mul_si (mpz_t r, const mpz_t u, long int v) { if (v < 0) { mpz_mul_ui (r, u, GMP_NEG_CAST (unsigned long int, v)); mpz_neg (r, r); } else mpz_mul_ui (r, u, (unsigned long int) v); } void mpz_mul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mp_size_t un, us; mp_ptr tp; mp_limb_t cy; us = u->_mp_size; if (us == 0 || v == 0) { r->_mp_size = 0; return; } un = GMP_ABS (us); tp = MPZ_REALLOC (r, un + 1); cy = mpn_mul_1 (tp, u->_mp_d, un, v); tp[un] = cy; un += (cy > 0); r->_mp_size = (us < 0) ? - un : un; } void mpz_mul (mpz_t r, const mpz_t u, const mpz_t v) { int sign; mp_size_t un, vn, rn; mpz_t t; mp_ptr tp; un = u->_mp_size; vn = v->_mp_size; if (un == 0 || vn == 0) { r->_mp_size = 0; return; } sign = (un ^ vn) < 0; un = GMP_ABS (un); vn = GMP_ABS (vn); mpz_init2 (t, (un + vn) * GMP_LIMB_BITS); tp = t->_mp_d; if (un >= vn) mpn_mul (tp, u->_mp_d, un, v->_mp_d, vn); else mpn_mul (tp, v->_mp_d, vn, u->_mp_d, un); rn = un + vn; rn -= tp[rn-1] == 0; t->_mp_size = sign ? - rn : rn; mpz_swap (r, t); mpz_clear (t); } void mpz_mul_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bits) { mp_size_t un, rn; mp_size_t limbs; unsigned shift; mp_ptr rp; un = GMP_ABS (u->_mp_size); if (un == 0) { r->_mp_size = 0; return; } limbs = bits / GMP_LIMB_BITS; shift = bits % GMP_LIMB_BITS; rn = un + limbs + (shift > 0); rp = MPZ_REALLOC (r, rn); if (shift > 0) { mp_limb_t cy = mpn_lshift (rp + limbs, u->_mp_d, un, shift); rp[rn-1] = cy; rn -= (cy == 0); } else mpn_copyd (rp + limbs, u->_mp_d, un); mpn_zero (rp, limbs); r->_mp_size = (u->_mp_size < 0) ? - rn : rn; } void mpz_addmul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; mpz_init (t); mpz_mul_ui (t, u, v); mpz_add (r, r, t); mpz_clear (t); } void mpz_submul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; mpz_init (t); mpz_mul_ui (t, u, v); mpz_sub (r, r, t); mpz_clear (t); } void mpz_addmul (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t t; mpz_init (t); mpz_mul (t, u, v); mpz_add (r, r, t); mpz_clear (t); } void mpz_submul (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t t; mpz_init (t); mpz_mul (t, u, v); mpz_sub (r, r, t); mpz_clear (t); } /* MPZ division */ enum mpz_div_round_mode { GMP_DIV_FLOOR, GMP_DIV_CEIL, GMP_DIV_TRUNC }; /* Allows q or r to be zero. Returns 1 iff remainder is non-zero. */ static int mpz_div_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d, enum mpz_div_round_mode mode) { mp_size_t ns, ds, nn, dn, qs; ns = n->_mp_size; ds = d->_mp_size; if (ds == 0) gmp_die("mpz_div_qr: Divide by zero."); if (ns == 0) { if (q) q->_mp_size = 0; if (r) r->_mp_size = 0; return 0; } nn = GMP_ABS (ns); dn = GMP_ABS (ds); qs = ds ^ ns; if (nn < dn) { if (mode == GMP_DIV_CEIL && qs >= 0) { /* q = 1, r = n - d */ if (r) mpz_sub (r, n, d); if (q) mpz_set_ui (q, 1); } else if (mode == GMP_DIV_FLOOR && qs < 0) { /* q = -1, r = n + d */ if (r) mpz_add (r, n, d); if (q) mpz_set_si (q, -1); } else { /* q = 0, r = d */ if (r) mpz_set (r, n); if (q) q->_mp_size = 0; } return 1; } else { mp_ptr np, qp; mp_size_t qn, rn; mpz_t tq, tr; mpz_init_set (tr, n); np = tr->_mp_d; qn = nn - dn + 1; if (q) { mpz_init2 (tq, qn * GMP_LIMB_BITS); qp = tq->_mp_d; } else qp = NULL; mpn_div_qr (qp, np, nn, d->_mp_d, dn); if (qp) { qn -= (qp[qn-1] == 0); tq->_mp_size = qs < 0 ? -qn : qn; } rn = mpn_normalized_size (np, dn); tr->_mp_size = ns < 0 ? - rn : rn; if (mode == GMP_DIV_FLOOR && qs < 0 && rn != 0) { if (q) mpz_sub_ui (tq, tq, 1); if (r) mpz_add (tr, tr, d); } else if (mode == GMP_DIV_CEIL && qs >= 0 && rn != 0) { if (q) mpz_add_ui (tq, tq, 1); if (r) mpz_sub (tr, tr, d); } if (q) { mpz_swap (tq, q); mpz_clear (tq); } if (r) mpz_swap (tr, r); mpz_clear (tr); return rn != 0; } } void mpz_cdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_CEIL); } void mpz_fdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_TRUNC); } void mpz_cdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_CEIL); } void mpz_fdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC); } void mpz_cdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_CEIL); } void mpz_fdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_TRUNC); } void mpz_mod (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, d->_mp_size >= 0 ? GMP_DIV_FLOOR : GMP_DIV_CEIL); } static void mpz_div_q_2exp (mpz_t q, const mpz_t u, mp_bitcnt_t bit_index, enum mpz_div_round_mode mode) { mp_size_t un, qn; mp_size_t limb_cnt; mp_ptr qp; int adjust; un = u->_mp_size; if (un == 0) { q->_mp_size = 0; return; } limb_cnt = bit_index / GMP_LIMB_BITS; qn = GMP_ABS (un) - limb_cnt; bit_index %= GMP_LIMB_BITS; if (mode == ((un > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* un != 0 here. */ /* Note: Below, the final indexing at limb_cnt is valid because at that point we have qn > 0. */ adjust = (qn <= 0 || !mpn_zero_p (u->_mp_d, limb_cnt) || (u->_mp_d[limb_cnt] & (((mp_limb_t) 1 << bit_index) - 1))); else adjust = 0; if (qn <= 0) qn = 0; else { qp = MPZ_REALLOC (q, qn); if (bit_index != 0) { mpn_rshift (qp, u->_mp_d + limb_cnt, qn, bit_index); qn -= qp[qn - 1] == 0; } else { mpn_copyi (qp, u->_mp_d + limb_cnt, qn); } } q->_mp_size = qn; if (adjust) mpz_add_ui (q, q, 1); if (un < 0) mpz_neg (q, q); } static void mpz_div_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bit_index, enum mpz_div_round_mode mode) { mp_size_t us, un, rn; mp_ptr rp; mp_limb_t mask; us = u->_mp_size; if (us == 0 || bit_index == 0) { r->_mp_size = 0; return; } rn = (bit_index + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; assert (rn > 0); rp = MPZ_REALLOC (r, rn); un = GMP_ABS (us); mask = GMP_LIMB_MAX >> (rn * GMP_LIMB_BITS - bit_index); if (rn > un) { /* Quotient (with truncation) is zero, and remainder is non-zero */ if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */ { /* Have to negate and sign extend. */ mp_size_t i; gmp_assert_nocarry (! mpn_neg (rp, u->_mp_d, un)); for (i = un; i < rn - 1; i++) rp[i] = GMP_LIMB_MAX; rp[rn-1] = mask; us = -us; } else { /* Just copy */ if (r != u) mpn_copyi (rp, u->_mp_d, un); rn = un; } } else { if (r != u) mpn_copyi (rp, u->_mp_d, rn - 1); rp[rn-1] = u->_mp_d[rn-1] & mask; if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */ { /* If r != 0, compute 2^{bit_count} - r. */ mpn_neg (rp, rp, rn); rp[rn-1] &= mask; /* us is not used for anything else, so we can modify it here to indicate flipped sign. */ us = -us; } } rn = mpn_normalized_size (rp, rn); r->_mp_size = us < 0 ? -rn : rn; } void mpz_cdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_CEIL); } void mpz_fdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_FLOOR); } void mpz_tdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_TRUNC); } void mpz_cdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_CEIL); } void mpz_fdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_FLOOR); } void mpz_tdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_TRUNC); } void mpz_divexact (mpz_t q, const mpz_t n, const mpz_t d) { gmp_assert_nocarry (mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC)); } int mpz_divisible_p (const mpz_t n, const mpz_t d) { return mpz_div_qr (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0; } int mpz_congruent_p (const mpz_t a, const mpz_t b, const mpz_t m) { mpz_t t; int res; /* a == b (mod 0) iff a == b */ if (mpz_sgn (m) == 0) return (mpz_cmp (a, b) == 0); mpz_init (t); mpz_sub (t, a, b); res = mpz_divisible_p (t, m); mpz_clear (t); return res; } static unsigned long mpz_div_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d, enum mpz_div_round_mode mode) { mp_size_t ns, qn; mp_ptr qp; mp_limb_t rl; mp_size_t rs; ns = n->_mp_size; if (ns == 0) { if (q) q->_mp_size = 0; if (r) r->_mp_size = 0; return 0; } qn = GMP_ABS (ns); if (q) qp = MPZ_REALLOC (q, qn); else qp = NULL; rl = mpn_div_qr_1 (qp, n->_mp_d, qn, d); assert (rl < d); rs = rl > 0; rs = (ns < 0) ? -rs : rs; if (rl > 0 && ( (mode == GMP_DIV_FLOOR && ns < 0) || (mode == GMP_DIV_CEIL && ns >= 0))) { if (q) gmp_assert_nocarry (mpn_add_1 (qp, qp, qn, 1)); rl = d - rl; rs = -rs; } if (r) { MPZ_REALLOC (r, 1)[0] = rl; r->_mp_size = rs; } if (q) { qn -= (qp[qn-1] == 0); assert (qn == 0 || qp[qn-1] > 0); q->_mp_size = (ns < 0) ? - qn : qn; } return rl; } unsigned long mpz_cdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC); } unsigned long mpz_mod_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR); } void mpz_divexact_ui (mpz_t q, const mpz_t n, unsigned long d) { gmp_assert_nocarry (mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC)); } int mpz_divisible_ui_p (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0; } /* GCD */ static mp_limb_t mpn_gcd_11 (mp_limb_t u, mp_limb_t v) { unsigned shift; assert ( (u | v) > 0); if (u == 0) return v; else if (v == 0) return u; gmp_ctz (shift, u | v); u >>= shift; v >>= shift; if ( (u & 1) == 0) MP_LIMB_T_SWAP (u, v); while ( (v & 1) == 0) v >>= 1; while (u != v) { if (u > v) { u -= v; do u >>= 1; while ( (u & 1) == 0); } else { v -= u; do v >>= 1; while ( (v & 1) == 0); } } return u << shift; } unsigned long mpz_gcd_ui (mpz_t g, const mpz_t u, unsigned long v) { mp_size_t un; if (v == 0) { if (g) mpz_abs (g, u); } else { un = GMP_ABS (u->_mp_size); if (un != 0) v = mpn_gcd_11 (mpn_div_qr_1 (NULL, u->_mp_d, un, v), v); if (g) mpz_set_ui (g, v); } return v; } static mp_bitcnt_t mpz_make_odd (mpz_t r) { mp_bitcnt_t shift; assert (r->_mp_size > 0); /* Count trailing zeros, equivalent to mpn_scan1, because we know that there is a 1 */ shift = mpn_common_scan (r->_mp_d[0], 0, r->_mp_d, 0, 0); mpz_tdiv_q_2exp (r, r, shift); return shift; } void mpz_gcd (mpz_t g, const mpz_t u, const mpz_t v) { mpz_t tu, tv; mp_bitcnt_t uz, vz, gz; if (u->_mp_size == 0) { mpz_abs (g, v); return; } if (v->_mp_size == 0) { mpz_abs (g, u); return; } mpz_init (tu); mpz_init (tv); mpz_abs (tu, u); uz = mpz_make_odd (tu); mpz_abs (tv, v); vz = mpz_make_odd (tv); gz = GMP_MIN (uz, vz); if (tu->_mp_size < tv->_mp_size) mpz_swap (tu, tv); mpz_tdiv_r (tu, tu, tv); if (tu->_mp_size == 0) { mpz_swap (g, tv); } else for (;;) { int c; mpz_make_odd (tu); c = mpz_cmp (tu, tv); if (c == 0) { mpz_swap (g, tu); break; } if (c < 0) mpz_swap (tu, tv); if (tv->_mp_size == 1) { mp_limb_t vl = tv->_mp_d[0]; mp_limb_t ul = mpz_tdiv_ui (tu, vl); mpz_set_ui (g, mpn_gcd_11 (ul, vl)); break; } mpz_sub (tu, tu, tv); } mpz_clear (tu); mpz_clear (tv); mpz_mul_2exp (g, g, gz); } void mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v) { mpz_t tu, tv, s0, s1, t0, t1; mp_bitcnt_t uz, vz, gz; mp_bitcnt_t power; if (u->_mp_size == 0) { /* g = 0 u + sgn(v) v */ signed long sign = mpz_sgn (v); mpz_abs (g, v); if (s) mpz_set_ui (s, 0); if (t) mpz_set_si (t, sign); return; } if (v->_mp_size == 0) { /* g = sgn(u) u + 0 v */ signed long sign = mpz_sgn (u); mpz_abs (g, u); if (s) mpz_set_si (s, sign); if (t) mpz_set_ui (t, 0); return; } mpz_init (tu); mpz_init (tv); mpz_init (s0); mpz_init (s1); mpz_init (t0); mpz_init (t1); mpz_abs (tu, u); uz = mpz_make_odd (tu); mpz_abs (tv, v); vz = mpz_make_odd (tv); gz = GMP_MIN (uz, vz); uz -= gz; vz -= gz; /* Cofactors corresponding to odd gcd. gz handled later. */ if (tu->_mp_size < tv->_mp_size) { mpz_swap (tu, tv); MPZ_SRCPTR_SWAP (u, v); MPZ_PTR_SWAP (s, t); MP_BITCNT_T_SWAP (uz, vz); } /* Maintain * * u = t0 tu + t1 tv * v = s0 tu + s1 tv * * where u and v denote the inputs with common factors of two * eliminated, and det (s0, t0; s1, t1) = 2^p. Then * * 2^p tu = s1 u - t1 v * 2^p tv = -s0 u + t0 v */ /* After initial division, tu = q tv + tu', we have * * u = 2^uz (tu' + q tv) * v = 2^vz tv * * or * * t0 = 2^uz, t1 = 2^uz q * s0 = 0, s1 = 2^vz */ mpz_setbit (t0, uz); mpz_tdiv_qr (t1, tu, tu, tv); mpz_mul_2exp (t1, t1, uz); mpz_setbit (s1, vz); power = uz + vz; if (tu->_mp_size > 0) { mp_bitcnt_t shift; shift = mpz_make_odd (tu); mpz_mul_2exp (t0, t0, shift); mpz_mul_2exp (s0, s0, shift); power += shift; for (;;) { int c; c = mpz_cmp (tu, tv); if (c == 0) break; if (c < 0) { /* tv = tv' + tu * * u = t0 tu + t1 (tv' + tu) = (t0 + t1) tu + t1 tv' * v = s0 tu + s1 (tv' + tu) = (s0 + s1) tu + s1 tv' */ mpz_sub (tv, tv, tu); mpz_add (t0, t0, t1); mpz_add (s0, s0, s1); shift = mpz_make_odd (tv); mpz_mul_2exp (t1, t1, shift); mpz_mul_2exp (s1, s1, shift); } else { mpz_sub (tu, tu, tv); mpz_add (t1, t0, t1); mpz_add (s1, s0, s1); shift = mpz_make_odd (tu); mpz_mul_2exp (t0, t0, shift); mpz_mul_2exp (s0, s0, shift); } power += shift; } } /* Now tv = odd part of gcd, and -s0 and t0 are corresponding cofactors. */ mpz_mul_2exp (tv, tv, gz); mpz_neg (s0, s0); /* 2^p g = s0 u + t0 v. Eliminate one factor of two at a time. To adjust cofactors, we need u / g and v / g */ mpz_divexact (s1, v, tv); mpz_abs (s1, s1); mpz_divexact (t1, u, tv); mpz_abs (t1, t1); while (power-- > 0) { /* s0 u + t0 v = (s0 - v/g) u - (t0 + u/g) v */ if (mpz_odd_p (s0) || mpz_odd_p (t0)) { mpz_sub (s0, s0, s1); mpz_add (t0, t0, t1); } mpz_divexact_ui (s0, s0, 2); mpz_divexact_ui (t0, t0, 2); } /* Arrange so that |s| < |u| / 2g */ mpz_add (s1, s0, s1); if (mpz_cmpabs (s0, s1) > 0) { mpz_swap (s0, s1); mpz_sub (t0, t0, t1); } if (u->_mp_size < 0) mpz_neg (s0, s0); if (v->_mp_size < 0) mpz_neg (t0, t0); mpz_swap (g, tv); if (s) mpz_swap (s, s0); if (t) mpz_swap (t, t0); mpz_clear (tu); mpz_clear (tv); mpz_clear (s0); mpz_clear (s1); mpz_clear (t0); mpz_clear (t1); } void mpz_lcm (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t g; if (u->_mp_size == 0 || v->_mp_size == 0) { r->_mp_size = 0; return; } mpz_init (g); mpz_gcd (g, u, v); mpz_divexact (g, u, g); mpz_mul (r, g, v); mpz_clear (g); mpz_abs (r, r); } void mpz_lcm_ui (mpz_t r, const mpz_t u, unsigned long v) { if (v == 0 || u->_mp_size == 0) { r->_mp_size = 0; return; } v /= mpz_gcd_ui (NULL, u, v); mpz_mul_ui (r, u, v); mpz_abs (r, r); } int mpz_invert (mpz_t r, const mpz_t u, const mpz_t m) { mpz_t g, tr; int invertible; if (u->_mp_size == 0 || mpz_cmpabs_ui (m, 1) <= 0) return 0; mpz_init (g); mpz_init (tr); mpz_gcdext (g, tr, NULL, u, m); invertible = (mpz_cmp_ui (g, 1) == 0); if (invertible) { if (tr->_mp_size < 0) { if (m->_mp_size >= 0) mpz_add (tr, tr, m); else mpz_sub (tr, tr, m); } mpz_swap (r, tr); } mpz_clear (g); mpz_clear (tr); return invertible; } /* Higher level operations (sqrt, pow and root) */ void mpz_pow_ui (mpz_t r, const mpz_t b, unsigned long e) { unsigned long bit; mpz_t tr; mpz_init_set_ui (tr, 1); bit = GMP_ULONG_HIGHBIT; do { mpz_mul (tr, tr, tr); if (e & bit) mpz_mul (tr, tr, b); bit >>= 1; } while (bit > 0); mpz_swap (r, tr); mpz_clear (tr); } void mpz_ui_pow_ui (mpz_t r, unsigned long blimb, unsigned long e) { mpz_t b; mpz_pow_ui (r, mpz_roinit_n (b, &blimb, 1), e); } void mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m) { mpz_t tr; mpz_t base; mp_size_t en, mn; mp_srcptr mp; struct gmp_div_inverse minv; unsigned shift; mp_ptr tp = NULL; en = GMP_ABS (e->_mp_size); mn = GMP_ABS (m->_mp_size); if (mn == 0) gmp_die ("mpz_powm: Zero modulo."); if (en == 0) { mpz_set_ui (r, 1); return; } mp = m->_mp_d; mpn_div_qr_invert (&minv, mp, mn); shift = minv.shift; if (shift > 0) { /* To avoid shifts, we do all our reductions, except the final one, using a *normalized* m. */ minv.shift = 0; tp = gmp_xalloc_limbs (mn); gmp_assert_nocarry (mpn_lshift (tp, mp, mn, shift)); mp = tp; } mpz_init (base); if (e->_mp_size < 0) { if (!mpz_invert (base, b, m)) gmp_die ("mpz_powm: Negative exponent and non-invertible base."); } else { mp_size_t bn; mpz_abs (base, b); bn = base->_mp_size; if (bn >= mn) { mpn_div_qr_preinv (NULL, base->_mp_d, base->_mp_size, mp, mn, &minv); bn = mn; } /* We have reduced the absolute value. Now take care of the sign. Note that we get zero represented non-canonically as m. */ if (b->_mp_size < 0) { mp_ptr bp = MPZ_REALLOC (base, mn); gmp_assert_nocarry (mpn_sub (bp, mp, mn, bp, bn)); bn = mn; } base->_mp_size = mpn_normalized_size (base->_mp_d, bn); } mpz_init_set_ui (tr, 1); while (--en >= 0) { mp_limb_t w = e->_mp_d[en]; mp_limb_t bit; bit = GMP_LIMB_HIGHBIT; do { mpz_mul (tr, tr, tr); if (w & bit) mpz_mul (tr, tr, base); if (tr->_mp_size > mn) { mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv); tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn); } bit >>= 1; } while (bit > 0); } /* Final reduction */ if (tr->_mp_size >= mn) { minv.shift = shift; mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv); tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn); } if (tp) gmp_free (tp); mpz_swap (r, tr); mpz_clear (tr); mpz_clear (base); } void mpz_powm_ui (mpz_t r, const mpz_t b, unsigned long elimb, const mpz_t m) { mpz_t e; mpz_powm (r, b, mpz_roinit_n (e, &elimb, 1), m); } /* x=trunc(y^(1/z)), r=y-x^z */ void mpz_rootrem (mpz_t x, mpz_t r, const mpz_t y, unsigned long z) { int sgn; mpz_t t, u; sgn = y->_mp_size < 0; if ((~z & sgn) != 0) gmp_die ("mpz_rootrem: Negative argument, with even root."); if (z == 0) gmp_die ("mpz_rootrem: Zeroth root."); if (mpz_cmpabs_ui (y, 1) <= 0) { if (x) mpz_set (x, y); if (r) r->_mp_size = 0; return; } mpz_init (u); mpz_init (t); mpz_setbit (t, mpz_sizeinbase (y, 2) / z + 1); if (z == 2) /* simplify sqrt loop: z-1 == 1 */ do { mpz_swap (u, t); /* u = x */ mpz_tdiv_q (t, y, u); /* t = y/x */ mpz_add (t, t, u); /* t = y/x + x */ mpz_tdiv_q_2exp (t, t, 1); /* x'= (y/x + x)/2 */ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */ else /* z != 2 */ { mpz_t v; mpz_init (v); if (sgn) mpz_neg (t, t); do { mpz_swap (u, t); /* u = x */ mpz_pow_ui (t, u, z - 1); /* t = x^(z-1) */ mpz_tdiv_q (t, y, t); /* t = y/x^(z-1) */ mpz_mul_ui (v, u, z - 1); /* v = x*(z-1) */ mpz_add (t, t, v); /* t = y/x^(z-1) + x*(z-1) */ mpz_tdiv_q_ui (t, t, z); /* x'=(y/x^(z-1) + x*(z-1))/z */ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */ mpz_clear (v); } if (r) { mpz_pow_ui (t, u, z); mpz_sub (r, y, t); } if (x) mpz_swap (x, u); mpz_clear (u); mpz_clear (t); } int mpz_root (mpz_t x, const mpz_t y, unsigned long z) { int res; mpz_t r; mpz_init (r); mpz_rootrem (x, r, y, z); res = r->_mp_size == 0; mpz_clear (r); return res; } /* Compute s = floor(sqrt(u)) and r = u - s^2. Allows r == NULL */ void mpz_sqrtrem (mpz_t s, mpz_t r, const mpz_t u) { mpz_rootrem (s, r, u, 2); } void mpz_sqrt (mpz_t s, const mpz_t u) { mpz_rootrem (s, NULL, u, 2); } int mpz_perfect_square_p (const mpz_t u) { if (u->_mp_size <= 0) return (u->_mp_size == 0); else return mpz_root (NULL, u, 2); } int mpn_perfect_square_p (mp_srcptr p, mp_size_t n) { mpz_t t; assert (n > 0); assert (p [n-1] != 0); return mpz_root (NULL, mpz_roinit_n (t, p, n), 2); } mp_size_t mpn_sqrtrem (mp_ptr sp, mp_ptr rp, mp_srcptr p, mp_size_t n) { mpz_t s, r, u; mp_size_t res; assert (n > 0); assert (p [n-1] != 0); mpz_init (r); mpz_init (s); mpz_rootrem (s, r, mpz_roinit_n (u, p, n), 2); assert (s->_mp_size == (n+1)/2); mpn_copyd (sp, s->_mp_d, s->_mp_size); mpz_clear (s); res = r->_mp_size; if (rp) mpn_copyd (rp, r->_mp_d, res); mpz_clear (r); return res; } /* Combinatorics */ void mpz_fac_ui (mpz_t x, unsigned long n) { mpz_set_ui (x, n + (n == 0)); while (n > 2) mpz_mul_ui (x, x, --n); } void mpz_bin_uiui (mpz_t r, unsigned long n, unsigned long k) { mpz_t t; mpz_set_ui (r, k <= n); if (k > (n >> 1)) k = (k <= n) ? n - k : 0; mpz_init (t); mpz_fac_ui (t, k); for (; k > 0; k--) mpz_mul_ui (r, r, n--); mpz_divexact (r, r, t); mpz_clear (t); } /* Primality testing */ static int gmp_millerrabin (const mpz_t n, const mpz_t nm1, mpz_t y, const mpz_t q, mp_bitcnt_t k) { assert (k > 0); /* Caller must initialize y to the base. */ mpz_powm (y, y, q, n); if (mpz_cmp_ui (y, 1) == 0 || mpz_cmp (y, nm1) == 0) return 1; while (--k > 0) { mpz_powm_ui (y, y, 2, n); if (mpz_cmp (y, nm1) == 0) return 1; /* y == 1 means that the previous y was a non-trivial square root of 1 (mod n). y == 0 means that n is a power of the base. In either case, n is not prime. */ if (mpz_cmp_ui (y, 1) <= 0) return 0; } return 0; } /* This product is 0xc0cfd797, and fits in 32 bits. */ #define GMP_PRIME_PRODUCT \ (3UL*5UL*7UL*11UL*13UL*17UL*19UL*23UL*29UL) /* Bit (p+1)/2 is set, for each odd prime <= 61 */ #define GMP_PRIME_MASK 0xc96996dcUL int mpz_probab_prime_p (const mpz_t n, int reps) { mpz_t nm1; mpz_t q; mpz_t y; mp_bitcnt_t k; int is_prime; int j; /* Note that we use the absolute value of n only, for compatibility with the real GMP. */ if (mpz_even_p (n)) return (mpz_cmpabs_ui (n, 2) == 0) ? 2 : 0; /* Above test excludes n == 0 */ assert (n->_mp_size != 0); if (mpz_cmpabs_ui (n, 64) < 0) return (GMP_PRIME_MASK >> (n->_mp_d[0] >> 1)) & 2; if (mpz_gcd_ui (NULL, n, GMP_PRIME_PRODUCT) != 1) return 0; /* All prime factors are >= 31. */ if (mpz_cmpabs_ui (n, 31*31) < 0) return 2; /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] = j^2 + j + 41 using Euler's polynomial. We potentially stop early, if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps > 30 (a[30] == 971 > 31*31 == 961). */ mpz_init (nm1); mpz_init (q); mpz_init (y); /* Find q and k, where q is odd and n = 1 + 2**k * q. */ nm1->_mp_size = mpz_abs_sub_ui (nm1, n, 1); k = mpz_scan1 (nm1, 0); mpz_tdiv_q_2exp (q, nm1, k); for (j = 0, is_prime = 1; is_prime & (j < reps); j++) { mpz_set_ui (y, (unsigned long) j*j+j+41); if (mpz_cmp (y, nm1) >= 0) { /* Don't try any further bases. This "early" break does not affect the result for any reasonable reps value (<=5000 was tested) */ assert (j >= 30); break; } is_prime = gmp_millerrabin (n, nm1, y, q, k); } mpz_clear (nm1); mpz_clear (q); mpz_clear (y); return is_prime; } /* Logical operations and bit manipulation. */ /* Numbers are treated as if represented in two's complement (and infinitely sign extended). For a negative values we get the two's complement from -x = ~x + 1, where ~ is bitwise complement. Negation transforms xxxx10...0 into yyyy10...0 where yyyy is the bitwise complement of xxxx. So least significant bits, up to and including the first one bit, are unchanged, and the more significant bits are all complemented. To change a bit from zero to one in a negative number, subtract the corresponding power of two from the absolute value. This can never underflow. To change a bit from one to zero, add the corresponding power of two, and this might overflow. E.g., if x = -001111, the two's complement is 110001. Clearing the least significant bit, we get two's complement 110000, and -010000. */ int mpz_tstbit (const mpz_t d, mp_bitcnt_t bit_index) { mp_size_t limb_index; unsigned shift; mp_size_t ds; mp_size_t dn; mp_limb_t w; int bit; ds = d->_mp_size; dn = GMP_ABS (ds); limb_index = bit_index / GMP_LIMB_BITS; if (limb_index >= dn) return ds < 0; shift = bit_index % GMP_LIMB_BITS; w = d->_mp_d[limb_index]; bit = (w >> shift) & 1; if (ds < 0) { /* d < 0. Check if any of the bits below is set: If so, our bit must be complemented. */ if (shift > 0 && (w << (GMP_LIMB_BITS - shift)) > 0) return bit ^ 1; while (--limb_index >= 0) if (d->_mp_d[limb_index] > 0) return bit ^ 1; } return bit; } static void mpz_abs_add_bit (mpz_t d, mp_bitcnt_t bit_index) { mp_size_t dn, limb_index; mp_limb_t bit; mp_ptr dp; dn = GMP_ABS (d->_mp_size); limb_index = bit_index / GMP_LIMB_BITS; bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS); if (limb_index >= dn) { mp_size_t i; /* The bit should be set outside of the end of the number. We have to increase the size of the number. */ dp = MPZ_REALLOC (d, limb_index + 1); dp[limb_index] = bit; for (i = dn; i < limb_index; i++) dp[i] = 0; dn = limb_index + 1; } else { mp_limb_t cy; dp = d->_mp_d; cy = mpn_add_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit); if (cy > 0) { dp = MPZ_REALLOC (d, dn + 1); dp[dn++] = cy; } } d->_mp_size = (d->_mp_size < 0) ? - dn : dn; } static void mpz_abs_sub_bit (mpz_t d, mp_bitcnt_t bit_index) { mp_size_t dn, limb_index; mp_ptr dp; mp_limb_t bit; dn = GMP_ABS (d->_mp_size); dp = d->_mp_d; limb_index = bit_index / GMP_LIMB_BITS; bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS); assert (limb_index < dn); gmp_assert_nocarry (mpn_sub_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit)); dn = mpn_normalized_size (dp, dn); d->_mp_size = (d->_mp_size < 0) ? - dn : dn; } void mpz_setbit (mpz_t d, mp_bitcnt_t bit_index) { if (!mpz_tstbit (d, bit_index)) { if (d->_mp_size >= 0) mpz_abs_add_bit (d, bit_index); else mpz_abs_sub_bit (d, bit_index); } } void mpz_clrbit (mpz_t d, mp_bitcnt_t bit_index) { if (mpz_tstbit (d, bit_index)) { if (d->_mp_size >= 0) mpz_abs_sub_bit (d, bit_index); else mpz_abs_add_bit (d, bit_index); } } void mpz_combit (mpz_t d, mp_bitcnt_t bit_index) { if (mpz_tstbit (d, bit_index) ^ (d->_mp_size < 0)) mpz_abs_sub_bit (d, bit_index); else mpz_abs_add_bit (d, bit_index); } void mpz_com (mpz_t r, const mpz_t u) { mpz_neg (r, u); mpz_sub_ui (r, r, 1); } void mpz_and (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, rn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { r->_mp_size = 0; return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc & vc; ux = -uc; vx = -vc; rx = -rc; /* If the smaller input is positive, higher limbs don't matter. */ rn = vx ? un : vn; rp = MPZ_REALLOC (r, rn + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = ( (ul & vl) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < rn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = ( (ul & vx) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[rn++] = rc; else rn = mpn_normalized_size (rp, rn); r->_mp_size = rx ? -rn : rn; } void mpz_ior (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, rn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { mpz_set (r, u); return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc | vc; ux = -uc; vx = -vc; rx = -rc; /* If the smaller input is negative, by sign extension higher limbs don't matter. */ rn = vx ? vn : un; rp = MPZ_REALLOC (r, rn + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = ( (ul | vl) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < rn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = ( (ul | vx) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[rn++] = rc; else rn = mpn_normalized_size (rp, rn); r->_mp_size = rx ? -rn : rn; } void mpz_xor (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { mpz_set (r, u); return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc ^ vc; ux = -uc; vx = -vc; rx = -rc; rp = MPZ_REALLOC (r, un + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = (ul ^ vl ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < un; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = (ul ^ ux) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[un++] = rc; else un = mpn_normalized_size (rp, un); r->_mp_size = rx ? -un : un; } static unsigned gmp_popcount_limb (mp_limb_t x) { unsigned c; /* Do 16 bits at a time, to avoid limb-sized constants. */ for (c = 0; x > 0; x >>= 16) { unsigned w = ((x >> 1) & 0x5555) + (x & 0x5555); w = ((w >> 2) & 0x3333) + (w & 0x3333); w = ((w >> 4) & 0x0f0f) + (w & 0x0f0f); w = (w >> 8) + (w & 0x00ff); c += w; } return c; } mp_bitcnt_t mpn_popcount (mp_srcptr p, mp_size_t n) { mp_size_t i; mp_bitcnt_t c; for (c = 0, i = 0; i < n; i++) c += gmp_popcount_limb (p[i]); return c; } mp_bitcnt_t mpz_popcount (const mpz_t u) { mp_size_t un; un = u->_mp_size; if (un < 0) return ~(mp_bitcnt_t) 0; return mpn_popcount (u->_mp_d, un); } mp_bitcnt_t mpz_hamdist (const mpz_t u, const mpz_t v) { mp_size_t un, vn, i; mp_limb_t uc, vc, ul, vl, comp; mp_srcptr up, vp; mp_bitcnt_t c; un = u->_mp_size; vn = v->_mp_size; if ( (un ^ vn) < 0) return ~(mp_bitcnt_t) 0; comp = - (uc = vc = (un < 0)); if (uc) { assert (vn < 0); un = -un; vn = -vn; } up = u->_mp_d; vp = v->_mp_d; if (un < vn) MPN_SRCPTR_SWAP (up, un, vp, vn); for (i = 0, c = 0; i < vn; i++) { ul = (up[i] ^ comp) + uc; uc = ul < uc; vl = (vp[i] ^ comp) + vc; vc = vl < vc; c += gmp_popcount_limb (ul ^ vl); } assert (vc == 0); for (; i < un; i++) { ul = (up[i] ^ comp) + uc; uc = ul < uc; c += gmp_popcount_limb (ul ^ comp); } return c; } mp_bitcnt_t mpz_scan1 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; mp_limb_t limb, ux; us = u->_mp_size; un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; /* Past the end there's no 1 bits for u>=0, or an immediate 1 bit for u<0. Notice this test picks up any u==0 too. */ if (i >= un) return (us >= 0 ? ~(mp_bitcnt_t) 0 : starting_bit); up = u->_mp_d; ux = 0; limb = up[i]; if (starting_bit != 0) { if (us < 0) { ux = mpn_zero_p (up, i); limb = ~ limb + ux; ux = - (mp_limb_t) (limb >= ux); } /* Mask to 0 all bits before starting_bit, thus ignoring them. */ limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS)); } return mpn_common_scan (limb, i, up, un, ux); } mp_bitcnt_t mpz_scan0 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; mp_limb_t limb, ux; us = u->_mp_size; ux = - (mp_limb_t) (us >= 0); un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; /* When past end, there's an immediate 0 bit for u>=0, or no 0 bits for u<0. Notice this test picks up all cases of u==0 too. */ if (i >= un) return (ux ? starting_bit : ~(mp_bitcnt_t) 0); up = u->_mp_d; limb = up[i] ^ ux; if (ux == 0) limb -= mpn_zero_p (up, i); /* limb = ~(~limb + zero_p) */ /* Mask all bits before starting_bit, thus ignoring them. */ limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS)); return mpn_common_scan (limb, i, up, un, ux); } /* MPZ base conversion. */ size_t mpz_sizeinbase (const mpz_t u, int base) { mp_size_t un; mp_srcptr up; mp_ptr tp; mp_bitcnt_t bits; struct gmp_div_inverse bi; size_t ndigits; assert (base >= 2); assert (base <= 62); un = GMP_ABS (u->_mp_size); if (un == 0) return 1; up = u->_mp_d; bits = (un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]); switch (base) { case 2: return bits; case 4: return (bits + 1) / 2; case 8: return (bits + 2) / 3; case 16: return (bits + 3) / 4; case 32: return (bits + 4) / 5; /* FIXME: Do something more clever for the common case of base 10. */ } tp = gmp_xalloc_limbs (un); mpn_copyi (tp, up, un); mpn_div_qr_1_invert (&bi, base); ndigits = 0; do { ndigits++; mpn_div_qr_1_preinv (tp, tp, un, &bi); un -= (tp[un-1] == 0); } while (un > 0); gmp_free (tp); return ndigits; } char * mpz_get_str (char *sp, int base, const mpz_t u) { unsigned bits; const char *digits; mp_size_t un; size_t i, sn; digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; if (base > 1) { if (base <= 36) digits = "0123456789abcdefghijklmnopqrstuvwxyz"; else if (base > 62) return NULL; } else if (base >= -1) base = 10; else { base = -base; if (base > 36) return NULL; } sn = 1 + mpz_sizeinbase (u, base); if (!sp) sp = (char *) gmp_xalloc (1 + sn); un = GMP_ABS (u->_mp_size); if (un == 0) { sp[0] = '0'; sp[1] = '\0'; return sp; } i = 0; if (u->_mp_size < 0) sp[i++] = '-'; bits = mpn_base_power_of_two_p (base); if (bits) /* Not modified in this case. */ sn = i + mpn_get_str_bits ((unsigned char *) sp + i, bits, u->_mp_d, un); else { struct mpn_base_info info; mp_ptr tp; mpn_get_base_info (&info, base); tp = gmp_xalloc_limbs (un); mpn_copyi (tp, u->_mp_d, un); sn = i + mpn_get_str_other ((unsigned char *) sp + i, base, &info, tp, un); gmp_free (tp); } for (; i < sn; i++) sp[i] = digits[(unsigned char) sp[i]]; sp[sn] = '\0'; return sp; } int mpz_set_str (mpz_t r, const char *sp, int base) { unsigned bits, value_of_a; mp_size_t rn, alloc; mp_ptr rp; size_t dn; int sign; unsigned char *dp; assert (base == 0 || (base >= 2 && base <= 62)); while (isspace( (unsigned char) *sp)) sp++; sign = (*sp == '-'); sp += sign; if (base == 0) { if (sp[0] == '0') { if (sp[1] == 'x' || sp[1] == 'X') { base = 16; sp += 2; } else if (sp[1] == 'b' || sp[1] == 'B') { base = 2; sp += 2; } else base = 8; } else base = 10; } if (!*sp) { r->_mp_size = 0; return -1; } dp = (unsigned char *) gmp_xalloc (strlen (sp)); value_of_a = (base > 36) ? 36 : 10; for (dn = 0; *sp; sp++) { unsigned digit; if (isspace ((unsigned char) *sp)) continue; else if (*sp >= '0' && *sp <= '9') digit = *sp - '0'; else if (*sp >= 'a' && *sp <= 'z') digit = *sp - 'a' + value_of_a; else if (*sp >= 'A' && *sp <= 'Z') digit = *sp - 'A' + 10; else digit = base; /* fail */ if (digit >= (unsigned) base) { gmp_free (dp); r->_mp_size = 0; return -1; } dp[dn++] = digit; } if (!dn) { gmp_free (dp); r->_mp_size = 0; return -1; } bits = mpn_base_power_of_two_p (base); if (bits > 0) { alloc = (dn * bits + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; rp = MPZ_REALLOC (r, alloc); rn = mpn_set_str_bits (rp, dp, dn, bits); } else { struct mpn_base_info info; mpn_get_base_info (&info, base); alloc = (dn + info.exp - 1) / info.exp; rp = MPZ_REALLOC (r, alloc); rn = mpn_set_str_other (rp, dp, dn, base, &info); /* Normalization, needed for all-zero input. */ assert (rn > 0); rn -= rp[rn-1] == 0; } assert (rn <= alloc); gmp_free (dp); r->_mp_size = sign ? - rn : rn; return 0; } int mpz_init_set_str (mpz_t r, const char *sp, int base) { mpz_init (r); return mpz_set_str (r, sp, base); } size_t mpz_out_str (FILE *stream, int base, const mpz_t x) { char *str; size_t len; str = mpz_get_str (NULL, base, x); len = strlen (str); len = fwrite (str, 1, len, stream); gmp_free (str); return len; } static int gmp_detect_endian (void) { static const int i = 2; const unsigned char *p = (const unsigned char *) &i; return 1 - *p; } /* Import and export. Does not support nails. */ void mpz_import (mpz_t r, size_t count, int order, size_t size, int endian, size_t nails, const void *src) { const unsigned char *p; ptrdiff_t word_step; mp_ptr rp; mp_size_t rn; /* The current (partial) limb. */ mp_limb_t limb; /* The number of bytes already copied to this limb (starting from the low end). */ size_t bytes; /* The index where the limb should be stored, when completed. */ mp_size_t i; if (nails != 0) gmp_die ("mpz_import: Nails not supported."); assert (order == 1 || order == -1); assert (endian >= -1 && endian <= 1); if (endian == 0) endian = gmp_detect_endian (); p = (unsigned char *) src; word_step = (order != endian) ? 2 * size : 0; /* Process bytes from the least significant end, so point p at the least significant word. */ if (order == 1) { p += size * (count - 1); word_step = - word_step; } /* And at least significant byte of that word. */ if (endian == 1) p += (size - 1); rn = (size * count + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t); rp = MPZ_REALLOC (r, rn); for (limb = 0, bytes = 0, i = 0; count > 0; count--, p += word_step) { size_t j; for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) { limb |= (mp_limb_t) *p << (bytes++ * CHAR_BIT); if (bytes == sizeof(mp_limb_t)) { rp[i++] = limb; bytes = 0; limb = 0; } } } assert (i + (bytes > 0) == rn); if (limb != 0) rp[i++] = limb; else i = mpn_normalized_size (rp, i); r->_mp_size = i; } void * mpz_export (void *r, size_t *countp, int order, size_t size, int endian, size_t nails, const mpz_t u) { size_t count; mp_size_t un; if (nails != 0) gmp_die ("mpz_import: Nails not supported."); assert (order == 1 || order == -1); assert (endian >= -1 && endian <= 1); assert (size > 0 || u->_mp_size == 0); un = u->_mp_size; count = 0; if (un != 0) { size_t k; unsigned char *p; ptrdiff_t word_step; /* The current (partial) limb. */ mp_limb_t limb; /* The number of bytes left to to in this limb. */ size_t bytes; /* The index where the limb was read. */ mp_size_t i; un = GMP_ABS (un); /* Count bytes in top limb. */ limb = u->_mp_d[un-1]; assert (limb != 0); k = 0; do { k++; limb >>= CHAR_BIT; } while (limb != 0); count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size; if (!r) r = gmp_xalloc (count * size); if (endian == 0) endian = gmp_detect_endian (); p = (unsigned char *) r; word_step = (order != endian) ? 2 * size : 0; /* Process bytes from the least significant end, so point p at the least significant word. */ if (order == 1) { p += size * (count - 1); word_step = - word_step; } /* And at least significant byte of that word. */ if (endian == 1) p += (size - 1); for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step) { size_t j; for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) { if (bytes == 0) { if (i < un) limb = u->_mp_d[i++]; bytes = sizeof (mp_limb_t); } *p = limb; limb >>= CHAR_BIT; bytes--; } } assert (i == un); assert (k == count); } if (countp) *countp = count; return r; } nettle-3.4.1/sha2.h0000644000175000017500000001253713401564746013066 0ustar nissenisse/* sha2.h The sha2 family of hash functions. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA2_H_INCLUDED #define NETTLE_SHA2_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha224_init nettle_sha224_init #define sha224_digest nettle_sha224_digest #define sha256_init nettle_sha256_init #define sha256_update nettle_sha256_update #define sha256_digest nettle_sha256_digest #define sha384_init nettle_sha384_init #define sha384_digest nettle_sha384_digest #define sha512_init nettle_sha512_init #define sha512_update nettle_sha512_update #define sha512_digest nettle_sha512_digest #define sha512_224_init nettle_sha512_224_init #define sha512_224_digest nettle_sha512_224_digest #define sha512_256_init nettle_sha512_256_init #define sha512_256_digest nettle_sha512_256_digest /* For backwards compatibility */ #define SHA224_DATA_SIZE SHA256_BLOCK_SIZE #define SHA256_DATA_SIZE SHA256_BLOCK_SIZE #define SHA512_DATA_SIZE SHA512_BLOCK_SIZE #define SHA384_DATA_SIZE SHA512_BLOCK_SIZE /* SHA256 */ #define SHA256_DIGEST_SIZE 32 #define SHA256_BLOCK_SIZE 64 /* Digest is kept internally as 8 32-bit words. */ #define _SHA256_DIGEST_LENGTH 8 struct sha256_ctx { uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */ unsigned int index; /* index into buffer */ }; void sha256_init(struct sha256_ctx *ctx); void sha256_update(struct sha256_ctx *ctx, size_t length, const uint8_t *data); void sha256_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest); /* Internal compression function. STATE points to 8 uint32_t words, DATA points to 64 bytes of input data, possibly unaligned, and K points to the table of constants. */ void _nettle_sha256_compress(uint32_t *state, const uint8_t *data, const uint32_t *k); /* SHA224, a truncated SHA256 with different initial state. */ #define SHA224_DIGEST_SIZE 28 #define SHA224_BLOCK_SIZE SHA256_BLOCK_SIZE #define sha224_ctx sha256_ctx void sha224_init(struct sha256_ctx *ctx); #define sha224_update nettle_sha256_update void sha224_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest); /* SHA512 */ #define SHA512_DIGEST_SIZE 64 #define SHA512_BLOCK_SIZE 128 /* Digest is kept internally as 8 64-bit words. */ #define _SHA512_DIGEST_LENGTH 8 struct sha512_ctx { uint64_t state[_SHA512_DIGEST_LENGTH]; /* State variables */ uint64_t count_low, count_high; /* 128-bit block count */ uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */ unsigned int index; /* index into buffer */ }; void sha512_init(struct sha512_ctx *ctx); void sha512_update(struct sha512_ctx *ctx, size_t length, const uint8_t *data); void sha512_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest); /* Internal compression function. STATE points to 8 uint64_t words, DATA points to 128 bytes of input data, possibly unaligned, and K points to the table of constants. */ void _nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k); /* SHA384, a truncated SHA512 with different initial state. */ #define SHA384_DIGEST_SIZE 48 #define SHA384_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha384_ctx sha512_ctx void sha384_init(struct sha512_ctx *ctx); #define sha384_update nettle_sha512_update void sha384_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest); /* SHA512_224 and SHA512_256, two truncated versions of SHA512 with different initial states. */ #define SHA512_224_DIGEST_SIZE 28 #define SHA512_224_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha512_224_ctx sha512_ctx void sha512_224_init(struct sha512_224_ctx *ctx); #define sha512_224_update nettle_sha512_update void sha512_224_digest(struct sha512_224_ctx *ctx, size_t length, uint8_t *digest); #define SHA512_256_DIGEST_SIZE 32 #define SHA512_256_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha512_256_ctx sha512_ctx void sha512_256_init(struct sha512_256_ctx *ctx); #define sha512_256_update nettle_sha512_update void sha512_256_digest(struct sha512_256_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_SHA2_H_INCLUDED */ nettle-3.4.1/umac128.c0000644000175000017500000000657413401564745013407 0ustar nissenisse/* umac128.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "macros.h" void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key) { _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 4); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac128_set_nonce (struct umac128_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_length = nonce_length; } #define UMAC128_BLOCK(ctx, block) do { \ uint64_t __umac128_y[4]; \ _umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac128_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[1] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[2] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[3] += 8*UMAC_BLOCK_SIZE; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \ } while (0) void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC128_BLOCK, (void)0); } void umac128_digest (struct umac128_ctx *ctx, size_t length, uint8_t *digest) { uint32_t tag[4]; unsigned i; assert (length > 0); assert (length <= 16); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[4]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _umac_nh_n (y, 4, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; y[2] += 8 * ctx->index; y[3] += 8 * ctx->index; _umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, y); } assert (ctx->count > 0); aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); _umac_l2_final (ctx->l2_key, ctx->l2_state, 4, ctx->count); for (i = 0; i < 4; i++) tag[i] ^= ctx->l3_key2[i] ^ _umac_l3 (ctx->l3_key1 + 8*i, ctx->l2_state + 2*i); memcpy (digest, tag, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.4.1/gcm.h0000644000175000017500000002451113401564746012772 0ustar nissenisse/* gcm.h Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2014 Niels Möller Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GCM_H_INCLUDED #define NETTLE_GCM_H_INCLUDED #include "aes.h" #include "camellia.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define gcm_set_key nettle_gcm_set_key #define gcm_set_iv nettle_gcm_set_iv #define gcm_update nettle_gcm_update #define gcm_encrypt nettle_gcm_encrypt #define gcm_decrypt nettle_gcm_decrypt #define gcm_digest nettle_gcm_digest #define gcm_aes128_set_key nettle_gcm_aes128_set_key #define gcm_aes128_set_iv nettle_gcm_aes128_set_iv #define gcm_aes128_update nettle_gcm_aes128_update #define gcm_aes128_encrypt nettle_gcm_aes128_encrypt #define gcm_aes128_decrypt nettle_gcm_aes128_decrypt #define gcm_aes128_digest nettle_gcm_aes128_digest #define gcm_aes192_set_key nettle_gcm_aes192_set_key #define gcm_aes192_set_iv nettle_gcm_aes192_set_iv #define gcm_aes192_update nettle_gcm_aes192_update #define gcm_aes192_encrypt nettle_gcm_aes192_encrypt #define gcm_aes192_decrypt nettle_gcm_aes192_decrypt #define gcm_aes192_digest nettle_gcm_aes192_digest #define gcm_aes256_set_key nettle_gcm_aes256_set_key #define gcm_aes256_set_iv nettle_gcm_aes256_set_iv #define gcm_aes256_update nettle_gcm_aes256_update #define gcm_aes256_encrypt nettle_gcm_aes256_encrypt #define gcm_aes256_decrypt nettle_gcm_aes256_decrypt #define gcm_aes256_digest nettle_gcm_aes256_digest #define gcm_aes_set_key nettle_gcm_aes_set_key #define gcm_aes_set_iv nettle_gcm_aes_set_iv #define gcm_aes_update nettle_gcm_aes_update #define gcm_aes_encrypt nettle_gcm_aes_encrypt #define gcm_aes_decrypt nettle_gcm_aes_decrypt #define gcm_aes_digest nettle_gcm_aes_digest #define gcm_camellia128_set_key nettle_gcm_camellia128_set_key #define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv #define gcm_camellia128_update nettle_gcm_camellia128_update #define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt #define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt #define gcm_camellia128_digest nettle_gcm_camellia128_digest #define gcm_camellia256_set_key nettle_gcm_camellia256_set_key #define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv #define gcm_camellia256_update nettle_gcm_camellia256_update #define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt #define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt #define gcm_camellia256_digest nettle_gcm_camellia256_digest #define GCM_BLOCK_SIZE 16 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4) #define GCM_DIGEST_SIZE 16 #define GCM_TABLE_BITS 8 /* Hashing subkey */ struct gcm_key { union nettle_block16 h[1 << GCM_TABLE_BITS]; }; /* Per-message state, depending on the iv */ struct gcm_ctx { /* Original counter block */ union nettle_block16 iv; /* Updated for each block. */ union nettle_block16 ctr; /* Hashing state */ union nettle_block16 x; uint64_t auth_size; uint64_t data_size; }; void gcm_set_key(struct gcm_key *key, const void *cipher, nettle_cipher_func *f); void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv); void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data); void gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest); /* Convenience macrology (not sure how useful it is) */ /* All-in-one context, with hash subkey, message state, and cipher. */ #define GCM_CTX(type) \ { struct gcm_key key; struct gcm_ctx gcm; type cipher; } /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key) \ do { \ (set_key)(&(ctx)->cipher, (gcm_key)); \ if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ gcm_set_key(&(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt)); \ } while (0) #define GCM_SET_IV(ctx, length, data) \ gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data)) #define GCM_UPDATE(ctx, length, data) \ gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data)) #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DECRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_decrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DIGEST(ctx, encrypt, length, digest) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (digest))) struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); void gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key); /* FIXME: Define _update and _set_iv as some kind of aliaes, there's nothing aes-specific. */ void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes128_digest(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *digest); struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx); void gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key); void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes192_digest(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *digest); struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx); void gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key); void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes256_digest(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest); /* Old aes interface, for backwards compatibility */ struct gcm_aes_ctx GCM_CTX(struct aes_ctx); void gcm_aes_set_key(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key); void gcm_aes_set_iv(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes_update(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes_decrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest); struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx); void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, const uint8_t *key); void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv); void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data); void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *digest); struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx); void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, const uint8_t *key); void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv); void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data); void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_GCM_H_INCLUDED */ nettle-3.4.1/curve25519-eh-to-x.c0000644000175000017500000000443013401564746015226 0ustar nissenisse/* curve25519-x.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Transform a point on the twisted Edwards curve to the curve25519 Montgomery curve, and return the x coordinate. */ void curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) { #define vp (p + ecc->p.size) #define wp (p + 2*ecc->p.size) #define t0 scratch #define t1 (scratch + ecc->p.size) #define t2 (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve25519; mp_limb_t cy; /* If u = U/W and v = V/W are the coordiantes of the point on the Edwards curve we get the curve25519 x coordinate as x = (1+v) / (1-v) = (W + V) / (W - V) */ /* NOTE: For the infinity point, this subtraction gives zero (mod p), which isn't invertible. For curve25519, the desired output is x = 0, and we should be fine, since ecc_modp_inv returns 0 in this case. */ ecc_modp_sub (ecc, t0, wp, vp); /* Needs a total of 5*size storage. */ ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); ecc_modp_add (ecc, t0, wp, vp); ecc_modp_mul (ecc, t2, t0, t1); cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, t2, ecc->p.size); #undef vp #undef wp #undef t0 #undef t1 #undef t2 } nettle-3.4.1/gcm-camellia128.c0000644000175000017500000000402013401564745014755 0ustar nissenisse/* gcm-camellia128.c Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, camellia128_set_encrypt_key, camellia128_crypt, key); } void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, camellia128_crypt, length, dst, src); } void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, camellia128_crypt, length, dst, src); } void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, camellia128_crypt, length, digest); } nettle-3.4.1/curve25519-mul-g.c0000644000175000017500000000367013401564746014773 0ustar nissenisse/* curve25519-mul-g.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult_base. */ void curve25519_mul_g (uint8_t *r, const uint8_t *n) { const struct ecc_curve *ecc = &_nettle_curve25519; uint8_t t[CURVE25519_SIZE]; mp_limb_t *scratch; mp_size_t itch; #define ng scratch #define x (scratch + 3*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) memcpy (t, n, sizeof(t)); t[0] &= ~7; t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40; itch = 4*ecc->p.size + ecc->mul_g_itch; scratch = gmp_alloc_limbs (itch); mpn_set_base256_le (x, ecc->p.size, t, CURVE25519_SIZE); ecc_mul_g_eh (ecc, ng, x, scratch_out); curve25519_eh_to_x (x, ng, scratch_out); mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->p.size); gmp_free_limbs (scratch, itch); #undef p #undef x #undef scratch_out } nettle-3.4.1/sha3.h0000644000175000017500000001105213401564746013056 0ustar nissenisse/* sha3.h The sha3 hash function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA3_H_INCLUDED #define NETTLE_SHA3_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha3_permute nettle_sha3_permute #define _sha3_update _nettle_sha3_update #define _sha3_pad _nettle_sha3_pad #define sha3_224_init nettle_sha3_224_init #define sha3_224_update nettle_sha3_224_update #define sha3_224_digest nettle_sha3_224_digest #define sha3_256_init nettle_sha3_256_init #define sha3_256_update nettle_sha3_256_update #define sha3_256_digest nettle_sha3_256_digest #define sha3_384_init nettle_sha3_384_init #define sha3_384_update nettle_sha3_384_update #define sha3_384_digest nettle_sha3_384_digest #define sha3_512_init nettle_sha3_512_init #define sha3_512_update nettle_sha3_512_update #define sha3_512_digest nettle_sha3_512_digest /* Indicates that SHA3 is the NIST FIPS 202 version. */ #define NETTLE_SHA3_FIPS202 1 /* The sha3 state is a 5x5 matrix of 64-bit words. In the notation of Keccak description, S[x,y] is element x + 5*y, so if x is interpreted as the row index and y the column index, it is stored in column-major order. */ #define SHA3_STATE_LENGTH 25 /* The "width" is 1600 bits or 200 octets */ struct sha3_state { uint64_t a[SHA3_STATE_LENGTH]; }; void sha3_permute (struct sha3_state *state); unsigned _sha3_update (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, size_t length, const uint8_t *data); void _sha3_pad (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos); /* The "capacity" is set to 2*(digest size), 512 bits or 64 octets. The "rate" is the width - capacity, or width - 2 * (digest size). */ #define SHA3_224_DIGEST_SIZE 28 #define SHA3_224_BLOCK_SIZE 144 #define SHA3_256_DIGEST_SIZE 32 #define SHA3_256_BLOCK_SIZE 136 #define SHA3_384_DIGEST_SIZE 48 #define SHA3_384_BLOCK_SIZE 104 #define SHA3_512_DIGEST_SIZE 64 #define SHA3_512_BLOCK_SIZE 72 /* For backwards compatibility */ #define SHA3_224_DATA_SIZE SHA3_224_BLOCK_SIZE #define SHA3_256_DATA_SIZE SHA3_256_BLOCK_SIZE #define SHA3_384_DATA_SIZE SHA3_384_BLOCK_SIZE #define SHA3_512_DATA_SIZE SHA3_512_BLOCK_SIZE struct sha3_224_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_224_BLOCK_SIZE]; }; void sha3_224_init (struct sha3_224_ctx *ctx); void sha3_224_update (struct sha3_224_ctx *ctx, size_t length, const uint8_t *data); void sha3_224_digest(struct sha3_224_ctx *ctx, size_t length, uint8_t *digest); struct sha3_256_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_256_BLOCK_SIZE]; }; void sha3_256_init (struct sha3_256_ctx *ctx); void sha3_256_update (struct sha3_256_ctx *ctx, size_t length, const uint8_t *data); void sha3_256_digest(struct sha3_256_ctx *ctx, size_t length, uint8_t *digest); struct sha3_384_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_384_BLOCK_SIZE]; }; void sha3_384_init (struct sha3_384_ctx *ctx); void sha3_384_update (struct sha3_384_ctx *ctx, size_t length, const uint8_t *data); void sha3_384_digest(struct sha3_384_ctx *ctx, size_t length, uint8_t *digest); struct sha3_512_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_512_BLOCK_SIZE]; }; void sha3_512_init (struct sha3_512_ctx *ctx); void sha3_512_update (struct sha3_512_ctx *ctx, size_t length, const uint8_t *data); void sha3_512_digest(struct sha3_512_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_SHA3_H_INCLUDED */ nettle-3.4.1/aes256-set-encrypt-key.c0000644000175000017500000000237113401564745016264 0ustar nissenisse/* aes256-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" void aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) { _aes_set_key (_AES256_ROUNDS, AES256_KEY_SIZE / 4, ctx->keys, key); } nettle-3.4.1/ecc-curve.h0000644000175000017500000000422513401564746014100 0ustar nissenisse/* ecc-curve.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_CURVE_H_INCLUDED #define NETTLE_ECC_CURVE_H_INCLUDED #ifdef __cplusplus extern "C" { #endif /* The contents of this struct is internal. */ struct ecc_curve; /* FIXME: Rename with leading underscore. Due to ABI subtleties, applications should not refer to these directly, but use the below accessor functions. */ extern const struct ecc_curve nettle_secp_192r1; extern const struct ecc_curve nettle_secp_224r1; extern const struct ecc_curve nettle_secp_256r1; extern const struct ecc_curve nettle_secp_384r1; extern const struct ecc_curve nettle_secp_521r1; #ifdef __GNUC__ #define NETTLE_PURE __attribute__((pure)) #else #define NETTLE_PURE #endif const struct ecc_curve * NETTLE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * NETTLE_PURE nettle_get_secp_224r1(void); const struct ecc_curve * NETTLE_PURE nettle_get_secp_256r1(void); const struct ecc_curve * NETTLE_PURE nettle_get_secp_384r1(void); const struct ecc_curve * NETTLE_PURE nettle_get_secp_521r1(void); #undef NETTLE_PURE #ifdef __cplusplus } #endif #endif /* NETTLE_ECC_CURVE_H_INCLUDED */ nettle-3.4.1/rsa.c0000644000175000017500000000370213401564745013002 0ustar nissenisse/* rsa.c The RSA publickey algorithm. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" void rsa_public_key_init(struct rsa_public_key *key) { mpz_init(key->n); mpz_init(key->e); /* Not really necessary, but it seems cleaner to initialize all the * storage. */ key->size = 0; } void rsa_public_key_clear(struct rsa_public_key *key) { mpz_clear(key->n); mpz_clear(key->e); } /* Computes the size, in octets, of a the modulo. Returns 0 if the * modulo is too small to be useful, or otherwise appears invalid. */ size_t _rsa_check_size(mpz_t n) { /* Round upwards */ size_t size; /* Even moduli are invalid, and not supported by mpz_powm_sec. */ if (mpz_even_p (n)) return 0; size = (mpz_sizeinbase(n, 2) + 7) / 8; if (size < RSA_MINIMUM_N_OCTETS) return 0; return size; } int rsa_public_key_prepare(struct rsa_public_key *key) { key->size = _rsa_check_size(key->n); return (key->size > 0); } nettle-3.4.1/eccdata.c0000644000175000017500000007262213401564746013611 0ustar nissenisse/* eccdata.c Generate compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #include #include #include #include #include "mini-gmp.c" /* Affine coordinates, for simplicity. Infinity point, i.e., te neutral group element, is represented using the is_zero flag. */ struct ecc_point { int is_zero; mpz_t x; mpz_t y; }; enum ecc_type { /* y^2 = x^3 - 3x + b (mod p) */ ECC_TYPE_WEIERSTRASS, /* y^2 = x^3 + b x^2 + x */ ECC_TYPE_MONTGOMERY }; struct ecc_curve { unsigned bit_size; unsigned pippenger_k; unsigned pippenger_c; enum ecc_type type; /* Prime */ mpz_t p; mpz_t b; /* Curve order */ mpz_t q; struct ecc_point g; /* Non-zero if we want elements represented as point s(u, v) on an equivalent Edwards curve, using u = t x / y v = (x-1) / (x+1) */ int use_edwards; mpz_t d; mpz_t t; /* Table for pippenger's algorithm. Element i 2^c + j_0 + j_1 2 + j_2 2^2 + ... + j_{c-1} 2^{c-1} holds 2^{ikc} ( j_0 + j_1 2^k + j_2 2^{2k} + ... + j_{c-1} 2^{(c-1)k}) g */ mp_size_t table_size; struct ecc_point *table; /* If non-NULL, holds 2g, 3g, 4g */ struct ecc_point *ref; }; static void ecc_init (struct ecc_point *p) { mpz_init (p->x); mpz_init (p->y); } static void ecc_clear (struct ecc_point *p) { mpz_clear (p->x); mpz_clear (p->y); } static int ecc_zero_p (const struct ecc_point *p) { return p->is_zero; } static int ecc_equal_p (const struct ecc_point *p, const struct ecc_point *q) { return p->is_zero ? q->is_zero : !q->is_zero && mpz_cmp (p->x, q->x) == 0 && mpz_cmp (p->y, q->y) == 0; } static void ecc_set_zero (struct ecc_point *r) { r->is_zero = 1; } static void ecc_set (struct ecc_point *r, const struct ecc_point *p) { r->is_zero = p->is_zero; mpz_set (r->x, p->x); mpz_set (r->y, p->y); } /* Needs to support in-place operation. */ static void ecc_dup (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p) { if (ecc_zero_p (p)) ecc_set_zero (r); else { mpz_t m, t, x, y; mpz_init (m); mpz_init (t); mpz_init (x); mpz_init (y); /* m = (2 y)^-1 */ mpz_mul_ui (m, p->y, 2); mpz_invert (m, m, ecc->p); switch (ecc->type) { case ECC_TYPE_WEIERSTRASS: /* t = 3 (x^2 - 1) * m */ mpz_mul (t, p->x, p->x); mpz_mod (t, t, ecc->p); mpz_sub_ui (t, t, 1); mpz_mul_ui (t, t, 3); break; case ECC_TYPE_MONTGOMERY: /* t = (3 x^2 + 2 b x + 1) m = [x(3x+2b)+1] m */ mpz_mul_ui (t, ecc->b, 2); mpz_addmul_ui (t, p->x, 3); mpz_mul (t, t, p->x); mpz_mod (t, t, ecc->p); mpz_add_ui (t, t, 1); break; } mpz_mul (t, t, m); mpz_mod (t, t, ecc->p); /* x' = t^2 - 2 x */ mpz_mul (x, t, t); mpz_submul_ui (x, p->x, 2); if (ecc->type == ECC_TYPE_MONTGOMERY) mpz_sub (x, x, ecc->b); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ mpz_sub (y, p->x, x); mpz_mul (y, y, t); mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); mpz_clear (m); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } static void ecc_add (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p, const struct ecc_point *q) { if (ecc_zero_p (p)) ecc_set (r, q); else if (ecc_zero_p (q)) ecc_set (r, p); else if (mpz_cmp (p->x, q->x) == 0) { if (mpz_cmp (p->y, q->y) == 0) ecc_dup (ecc, r, p); else ecc_set_zero (r); } else { mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); /* t = (q_y - p_y) / (q_x - p_x) */ mpz_sub (t, q->x, p->x); mpz_invert (t, t, ecc->p); mpz_sub (s, q->y, p->y); mpz_mul (t, t, s); mpz_mod (t, t, ecc->p); /* x' = t^2 - p_x - q_x */ mpz_mul (x, t, t); mpz_sub (x, x, p->x); mpz_sub (x, x, q->x); /* This appears to be the only difference between formulas. */ if (ecc->type == ECC_TYPE_MONTGOMERY) mpz_sub (x, x, ecc->b); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ mpz_sub (y, p->x, x); mpz_mul (y, y, t); mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); mpz_clear (s); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } static void ecc_mul_binary (const struct ecc_curve *ecc, struct ecc_point *r, const mpz_t n, const struct ecc_point *p) { /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned k; assert (r != p); assert (mpz_sgn (n) > 0); ecc_set (r, p); /* Index of highest one bit */ for (k = mpz_sizeinbase (n, 2) - 1; k-- > 0; ) { ecc_dup (ecc, r, r); if (mpz_tstbit (n, k)) ecc_add (ecc, r, r, p); } } static struct ecc_point * ecc_alloc (size_t n) { struct ecc_point *p = malloc (n * sizeof(*p)); size_t i; if (!p) { fprintf (stderr, "Virtual memory exhausted.\n"); exit (EXIT_FAILURE); } for (i = 0; i < n; i++) ecc_init (&p[i]); return p; } static void ecc_set_str (struct ecc_point *p, const char *x, const char *y) { p->is_zero = 0; mpz_set_str (p->x, x, 16); mpz_set_str (p->y, y, 16); } static void ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type, const char *p, const char *b, const char *q, const char *gx, const char *gy, const char *d, const char *t) { ecc->type = type; mpz_init_set_str (ecc->p, p, 16); mpz_init_set_str (ecc->b, b, 16); mpz_init_set_str (ecc->q, q, 16); ecc_init (&ecc->g); ecc_set_str (&ecc->g, gx, gy); ecc->pippenger_k = 0; ecc->pippenger_c = 0; ecc->table = NULL; ecc->ref = NULL; mpz_init (ecc->d); mpz_init (ecc->t); ecc->use_edwards = (t != NULL); if (ecc->use_edwards) { mpz_set_str (ecc->t, t, 16); mpz_set_str (ecc->d, d, 16); } } static void ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) { switch (bit_size) { case 192: ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{192} - 2^{64} - 1 */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" "FFFFFFFFFFFFFFFF", "64210519e59c80e70fa7e9ab72243049" "feb8deecc146b9b1", "ffffffffffffffffffffffff99def836" "146bc9b1b4d22831", "188da80eb03090f67cbf20eb43a18800" "f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd5" "73f977a11e794811", NULL, NULL); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab"); ecc_set_str (&ecc->ref[1], /* 3 g */ "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd"); ecc_set_str (&ecc->ref[2], /* 4 g */ "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32"); break; case 224: ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{224} - 2^{96} + 1 */ "ffffffffffffffffffffffffffffffff" "000000000000000000000001", "b4050a850c04b3abf54132565044b0b7" "d7bfd8ba270b39432355ffb4", "ffffffffffffffffffffffffffff16a2" "e0b8f03e13dd29455c5c2a3d", "b70e0cbd6bb4bf7f321390b94a03c1d3" "56c21122343280d6115c1d21", "bd376388b5f723fb4c22dfe6cd4375a0" "5a07476444d5819985007e34", NULL, NULL); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb"); ecc_set_str (&ecc->ref[1], /* 3 g */ "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925"); ecc_set_str (&ecc->ref[2], /* 4 g */ "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9"); break; case 256: ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */ "FFFFFFFF000000010000000000000000" "00000000FFFFFFFFFFFFFFFFFFFFFFFF", "5AC635D8AA3A93E7B3EBBD55769886BC" "651D06B0CC53B0F63BCE3C3E27D2604B", "FFFFFFFF00000000FFFFFFFFFFFFFFFF" "BCE6FAADA7179E84F3B9CAC2FC632551", "6B17D1F2E12C4247F8BCE6E563A440F2" "77037D812DEB33A0F4A13945D898C296", "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" "2BCE33576B315ECECBB6406837BF51F5", NULL, NULL); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1"); ecc_set_str (&ecc->ref[1], /* 3 g */ "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032"); ecc_set_str (&ecc->ref[2], /* 4 g */ "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6"); break; case 384: ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 */ "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffffe" "ffffffff0000000000000000ffffffff", "b3312fa7e23ee7e4988e056be3f82d19" "181d9c6efe8141120314088f5013875a" "c656398d8a2ed19d2a85c8edd3ec2aef", "ffffffffffffffffffffffffffffffff" "ffffffffffffffffc7634d81f4372ddf" "581a0db248b0a77aecec196accc52973", "aa87ca22be8b05378eb1c71ef320ad74" "6e1d3b628ba79b9859f741e082542a38" "5502f25dbf55296c3a545e3872760ab7", "3617de4a96262c6f5d9e98bf9292dc29" "f8f41dbd289a147ce9da3113b5f0b8c0" "0a60b1ce1d7e819d7a431d7c90ea0e5f", NULL, NULL); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e4fe0e86ebe0e64f85b96a9c75295df61", "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab4255ffd43e94d39e22d61501e700a940e80"); ecc_set_str (&ecc->ref[1], /* 3 g */ "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6b408bbae5026580d02d7e5c70500c831", "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eacc24abd6be4b5d298b65f28600a2f1df1"); ecc_set_str (&ecc->ref[2], /* 4 g */ "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dced7387be37bba569549f1c02b270ed67"); break; case 521: ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "1ff" /* p = 2^{521} - 1 */ "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff", "051" "953eb9618e1c9a1f929a21a0b68540ee" "a2da725b99b315f3b8b489918ef109e1" "56193951ec7e937b1652c0bd3bb1bf07" "3573df883d2c34f1ef451fd46b503f00", "1ff" "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffffa" "51868783bf2f966b7fcc0148f709a5d0" "3bb5c9b8899c47aebb6fb71e91386409", "c6" "858e06b70404e9cd9e3ecb662395b442" "9c648139053fb521f828af606b4d3dba" "a14b5e77efe75928fe1dc127a2ffa8de" "3348b3c1856a429bf97e7e31c2e5bd66", "118" "39296a789a3bc0045c8a5fb42c7d1bd9" "98f54449579b446817afbd17273e662c" "97ee72995ef42640c550b9013fad0761" "353c7086a272c24088be94769fd16650", NULL, NULL); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "433c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "f4bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbbb3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02"); ecc_set_str (&ecc->ref[1], /* 3 g */ "1a73d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", "13e9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5"); ecc_set_str (&ecc->ref[2], /* 4 g */ "35b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f279f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d"); break; case 255: /* curve25519, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^{255} - 19. According to http://cr.yp.to/papers.html#newelliptic, this is birationally equivalent to the Edwards curve x^2 + y^2 = 1 + (121665/121666) x^2 y^2 (mod p). And since the constant is not a square, the Edwards formulas should be "complete", with no special cases needed for doubling, neutral element, negatives, etc. Generator is x = 9, with y coordinate 14781619447589544791020593568409986887264606134616475288964881837755586237401, according to x = Mod(9, 2^255-19); sqrt(x^3 + 486662*x^2 + x) in PARI/GP. Also, in PARI notation, curve25519 = Mod([0, 486662, 0, 1, 0], 2^255-19) */ ecc_curve_init_str (ecc, ECC_TYPE_MONTGOMERY, "7fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffed", "76d06", /* Order of the subgroup is 2^252 + q_0, where q_0 = 27742317777372353535851937790883648493, 125 bits. */ "10000000000000000000000000000000" "14def9dea2f79cd65812631a5cf5d3ed", "9", /* y coordinate from PARI/GP x = Mod(9, 2^255-19); sqrt(x^3 + 486662*x^2 + x) */ "20ae19a1b8a086b4e01edd2c7748d14c" "923d4d7e6d7c61b229e9c5a27eced3d9", /* (121665/121666) mod p, from PARI/GP c = Mod(121665, p); c / (c+1) */ "2dfc9311d490018c7338bf8688861767" "ff8ff5b2bebe27548a14b235eca6874a", /* A square root of -486664 mod p, PARI/GP -sqrt(Mod(-486664, p)) in PARI/GP. Sign is important to map to the right generator on the twisted edwards curve used for EdDSA. */ "70d9120b9f5ff9442d84f723fc03b081" "3a5e2c2eb482e57d3391fb5500ba81e7" ); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "20d342d51873f1b7d9750c687d157114" "8f3f5ced1e350b5c5cae469cdd684efb", "13b57e011700e8ae050a00945d2ba2f3" "77659eb28d8d391ebcd70465c72df563"); ecc_set_str (&ecc->ref[1], /* 3 g */ "1c12bc1a6d57abe645534d91c21bba64" "f8824e67621c0859c00a03affb713c12", "2986855cbe387eaeaceea446532c338c" "536af570f71ef7cf75c665019c41222b"); ecc_set_str (&ecc->ref[2], /* 4 g */ "79ce98b7e0689d7de7d1d074a15b315f" "fe1805dfcd5d2a230fee85e4550013ef", "75af5bf4ebdc75c8fe26873427d275d7" "3c0fb13da361077a565539f46de1c30"); break; default: fprintf (stderr, "No known curve for size %d\n", bit_size); exit(EXIT_FAILURE); } ecc->bit_size = bit_size; } static void ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c) { unsigned p = (ecc->bit_size + k-1) / k; unsigned M = (p + c-1)/c; unsigned i, j; ecc->pippenger_k = k; ecc->pippenger_c = c; ecc->table_size = M << c; ecc->table = ecc_alloc (ecc->table_size); /* Compute the first 2^c entries */ ecc_set_zero (&ecc->table[0]); ecc_set (&ecc->table[1], &ecc->g); for (j = 2; j < (1U<table[j], &ecc->table[j/2]); for (i = 1; i < k; i++) ecc_dup (ecc, &ecc->table[j], &ecc->table[j]); for (i = 1; i < j; i++) ecc_add (ecc, &ecc->table[j + i], &ecc->table[j], &ecc->table[i]); } for (j = 1<table_size; j++) { /* T[j] = 2^{kc} T[j-2^c] */ ecc_dup (ecc, &ecc->table[j], &ecc->table[j - (1<table[j], &ecc->table[j]); } } static void ecc_mul_pippenger (const struct ecc_curve *ecc, struct ecc_point *r, const mpz_t n_input) { mpz_t n; unsigned k, c; unsigned i, j; unsigned bit_rows; mpz_init (n); mpz_mod (n, n_input, ecc->q); ecc_set_zero (r); k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->bit_size + k - 1) / k; for (i = k; i-- > 0; ) { ecc_dup (ecc, r, r); for (j = 0; j * c < bit_rows; j++) { unsigned bits; mp_size_t bit_index; /* Extract c bits of the exponent, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { bit_index -= k; bits = (bits << 1) | mpz_tstbit (n, bit_index); } ecc_add (ecc, r, r, &ecc->table[(j << c) | bits]); } } mpz_clear (n); } static void ecc_point_out (FILE *f, const struct ecc_point *p) { if (p->is_zero) fprintf (f, "zero"); else { fprintf (f, "("); mpz_out_str (f, 16, p->x); fprintf (f, ",\n "); mpz_out_str (f, 16, (p)->y); fprintf (f, ")"); } } #define ASSERT_EQUAL(p, q) do { \ if (!ecc_equal_p (p, q)) \ { \ fprintf (stderr, "%s:%d: ASSERT_EQUAL (%s, %s) failed.\n", \ __FILE__, __LINE__, #p, #q); \ fprintf (stderr, "p = "); \ ecc_point_out (stderr, (p)); \ fprintf (stderr, "\nq = "); \ ecc_point_out (stderr, (q)); \ fprintf (stderr, "\n"); \ abort(); \ } \ } while (0) #define ASSERT_ZERO(p) do { \ if (!ecc_zero_p (p)) \ { \ fprintf (stderr, "%s:%d: ASSERT_ZERO (%s) failed.\n", \ __FILE__, __LINE__, #p); \ fprintf (stderr, "p = "); \ ecc_point_out (stderr, (p)); \ fprintf (stderr, "\n"); \ abort(); \ } \ } while (0) static void ecc_curve_check (const struct ecc_curve *ecc) { struct ecc_point p, q; mpz_t n; ecc_init (&p); ecc_init (&q); mpz_init (n); ecc_dup (ecc, &p, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&p, &ecc->ref[0]); else { fprintf (stderr, "g2 = "); mpz_out_str (stderr, 16, p.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, p.y); fprintf (stderr, "\n"); } ecc_add (ecc, &q, &p, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[1]); else { fprintf (stderr, "g3 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_add (ecc, &q, &q, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[2]); else { fprintf (stderr, "g4 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_dup (ecc, &q, &p); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[2]); else { fprintf (stderr, "g4 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_mul_binary (ecc, &p, ecc->q, &ecc->g); ASSERT_ZERO (&p); ecc_mul_pippenger (ecc, &q, ecc->q); ASSERT_ZERO (&q); ecc_clear (&p); ecc_clear (&q); mpz_clear (n); } static void output_digits (const mpz_t x, unsigned size, unsigned bits_per_limb) { mpz_t t; mpz_t mask; mpz_t limb; unsigned i; const char *suffix; mpz_init (t); mpz_init (mask); mpz_init (limb); mpz_setbit (mask, bits_per_limb); mpz_sub_ui (mask, mask, 1); suffix = bits_per_limb > 32 ? "ULL" : "UL"; mpz_init_set (t, x); for (i = 0; i < size; i++) { if ( (i % 8) == 0) printf("\n "); mpz_and (limb, mask, t); printf (" 0x"); mpz_out_str (stdout, 16, limb); printf ("%s,", suffix); mpz_tdiv_q_2exp (t, t, bits_per_limb); } mpz_clear (t); mpz_clear (mask); mpz_clear (limb); } static void output_bignum (const char *name, const mpz_t x, unsigned size, unsigned bits_per_limb) { printf ("static const mp_limb_t %s[%d] = {", name, size); output_digits (x, size, bits_per_limb); printf("\n};\n"); } static void output_point (const char *name, const struct ecc_curve *ecc, const struct ecc_point *p, int use_redc, unsigned size, unsigned bits_per_limb) { mpz_t x, y, t; mpz_init (x); mpz_init (y); mpz_init (t); if (name) printf("static const mp_limb_t %s[%u] = {", name, 2*size); if (ecc->use_edwards) { if (ecc_zero_p (p)) { mpz_set_si (x, 0); mpz_set_si (y, 1); } else if (!mpz_sgn (p->y)) { assert (!mpz_sgn (p->x)); mpz_set_si (x, 0); mpz_set_si (y, -1); } else { mpz_invert (x, p->y, ecc->p); mpz_mul (x, x, p->x); mpz_mul (x, x, ecc->t); mpz_mod (x, x, ecc->p); mpz_sub_ui (y, p->x, 1); mpz_add_ui (t, p->x, 1); mpz_invert (t, t, ecc->p); mpz_mul (y, y, t); mpz_mod (y, y, ecc->p); } } else { mpz_set (x, p->x); mpz_set (y, p->y); } if (use_redc) { mpz_mul_2exp (x, x, size * bits_per_limb); mpz_mod (x, x, ecc->p); mpz_mul_2exp (y, y, size * bits_per_limb); mpz_mod (y, y, ecc->p); } output_digits (x, size, bits_per_limb); output_digits (y, size, bits_per_limb); if (name) printf("\n};\n"); mpz_clear (x); mpz_clear (y); mpz_clear (t); } static unsigned output_modulo (const char *name, const mpz_t x, unsigned size, unsigned bits_per_limb) { mpz_t mod; unsigned bits; mpz_init (mod); mpz_setbit (mod, bits_per_limb * size); mpz_mod (mod, mod, x); bits = mpz_sizeinbase (mod, 2); output_bignum (name, mod, size, bits_per_limb); mpz_clear (mod); return bits; } static void output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) { unsigned limb_size = (ecc->bit_size + bits_per_limb - 1)/bits_per_limb; unsigned i; unsigned bits, e; int redc_limbs; mpz_t t; mpz_init (t); printf ("/* For NULL. */\n#include \n"); printf ("#define ECC_LIMB_SIZE %u\n", limb_size); printf ("#define ECC_PIPPENGER_K %u\n", ecc->pippenger_k); printf ("#define ECC_PIPPENGER_C %u\n", ecc->pippenger_c); output_bignum ("ecc_p", ecc->p, limb_size, bits_per_limb); output_bignum ("ecc_b", ecc->b, limb_size, bits_per_limb); if (ecc->use_edwards) output_bignum ("ecc_d", ecc->d, limb_size, bits_per_limb); output_bignum ("ecc_q", ecc->q, limb_size, bits_per_limb); output_point ("ecc_g", ecc, &ecc->g, 0, limb_size, bits_per_limb); bits = output_modulo ("ecc_Bmodp", ecc->p, limb_size, bits_per_limb); printf ("#define ECC_BMODP_SIZE %u\n", (bits + bits_per_limb - 1) / bits_per_limb); bits = output_modulo ("ecc_Bmodq", ecc->q, limb_size, bits_per_limb); printf ("#define ECC_BMODQ_SIZE %u\n", (bits + bits_per_limb - 1) / bits_per_limb); bits = mpz_sizeinbase (ecc->q, 2); if (bits < ecc->bit_size) { /* for curve25519, with q = 2^k + q', with a much smaller q' */ unsigned mbits; unsigned shift; /* Shift to align the one bit at B */ shift = bits_per_limb * limb_size + 1 - bits; mpz_set (t, ecc->q); mpz_clrbit (t, bits-1); mbits = mpz_sizeinbase (t, 2); /* The shifted value must be a limb smaller than q. */ if (mbits + shift + bits_per_limb <= bits) { /* q of the form 2^k + q', with q' a limb smaller */ mpz_mul_2exp (t, t, shift); output_bignum ("ecc_mBmodq_shifted", t, limb_size, bits_per_limb); } } if (ecc->bit_size < limb_size * bits_per_limb) { int shift; mpz_set_ui (t, 0); mpz_setbit (t, ecc->bit_size); mpz_sub (t, t, ecc->p); output_bignum ("ecc_Bmodp_shifted", t, limb_size, bits_per_limb); shift = limb_size * bits_per_limb - ecc->bit_size; if (shift > 0) { /* Check condition for reducing hi limbs. If s is the normalization shift and n is the bit size (so that s + n = limb_size * bite_per_limb), then we need (2^n - 1) + (2^s - 1) (2^n - p) < 2p or equivalently, 2^s (2^n - p) <= p To a allow a carry limb to be added in at the same time, substitute s+1 for s. */ /* FIXME: For ecdsa verify, we actually need the stricter inequality < 2 q. */ mpz_mul_2exp (t, t, shift + 1); if (mpz_cmp (t, ecc->p) > 0) { fprintf (stderr, "Reduction condition failed for %u-bit curve.\n", ecc->bit_size); exit (EXIT_FAILURE); } } } else printf ("#define ecc_Bmodp_shifted ecc_Bmodp\n"); if (bits < limb_size * bits_per_limb) { mpz_set_ui (t, 0); mpz_setbit (t, bits); mpz_sub (t, t, ecc->q); output_bignum ("ecc_Bmodq_shifted", t, limb_size, bits_per_limb); } else printf ("#define ecc_Bmodq_shifted ecc_Bmodq\n"); mpz_add_ui (t, ecc->p, 1); mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_pp1h", t, limb_size, bits_per_limb); mpz_add_ui (t, ecc->q, 1); mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_qp1h", t, limb_size, bits_per_limb); if (ecc->use_edwards) output_bignum ("ecc_edwards", ecc->t, limb_size, bits_per_limb); /* Trailing zeros in p+1 correspond to trailing ones in p. */ redc_limbs = mpz_scan0 (ecc->p, 0) / bits_per_limb; if (redc_limbs > 0) { mpz_add_ui (t, ecc->p, 1); mpz_fdiv_q_2exp (t, t, redc_limbs * bits_per_limb); output_bignum ("ecc_redc_ppm1", t, limb_size - redc_limbs, bits_per_limb); } else { /* Trailing zeros in p-1 correspond to zeros just above the low bit of p */ redc_limbs = mpz_scan1 (ecc->p, 1) / bits_per_limb; if (redc_limbs > 0) { printf ("#define ecc_redc_ppm1 (ecc_p + %d)\n", redc_limbs); redc_limbs = -redc_limbs; } else printf ("#define ecc_redc_ppm1 NULL\n"); } printf ("#define ECC_REDC_SIZE %d\n", redc_limbs); /* For mod p square root computation. */ if (mpz_fdiv_ui (ecc->p, 4) == 3) { /* x = a^{(p+1)/4} gives square root of a (if it exists, otherwise the square root of -a). */ e = 1; mpz_add_ui (t, ecc->p, 1); mpz_fdiv_q_2exp (t, t, 2); } else { /* p-1 = 2^e s, s odd, t = (s-1)/2*/ unsigned g, i; mpz_t s; mpz_t z; mpz_init (s); mpz_init (z); mpz_sub_ui (s, ecc->p, 1); e = mpz_scan1 (s, 0); assert (e > 1); mpz_fdiv_q_2exp (s, s, e); /* Find a non-square g, g^{(p-1)/2} = -1, and z = g^{(p-1)/4 */ for (g = 2; ; g++) { mpz_set_ui (z, g); mpz_powm (z, z, s, ecc->p); mpz_mul (t, z, z); mpz_mod (t, t, ecc->p); for (i = 2; i < e; i++) { mpz_mul (t, t, t); mpz_mod (t, t, ecc->p); } if (mpz_cmp_ui (t, 1) != 0) break; } mpz_add_ui (t, t, 1); assert (mpz_cmp (t, ecc->p) == 0); output_bignum ("ecc_sqrt_z", z, limb_size, bits_per_limb); mpz_fdiv_q_2exp (t, s, 1); mpz_clear (s); mpz_clear (z); } printf ("#define ECC_SQRT_E %u\n", e); printf ("#define ECC_SQRT_T_BITS %u\n", (unsigned) mpz_sizeinbase (t, 2)); output_bignum ("ecc_sqrt_t", t, limb_size, bits_per_limb); printf ("#if USE_REDC\n"); printf ("#define ecc_unit ecc_Bmodp\n"); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) output_point (NULL, ecc, &ecc->table[i], 1, limb_size, bits_per_limb); printf("\n};\n"); printf ("#else\n"); mpz_init_set_ui (t, 1); output_bignum ("ecc_unit", t, limb_size, bits_per_limb); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) output_point (NULL, ecc, &ecc->table[i], 0, limb_size, bits_per_limb); printf("\n};\n"); printf ("#endif\n"); mpz_clear (t); } int main (int argc, char **argv) { struct ecc_curve ecc; if (argc < 4) { fprintf (stderr, "Usage: %s CURVE-BITS K C [BITS-PER-LIMB]\n", argv[0]); return EXIT_FAILURE; } ecc_curve_init (&ecc, atoi(argv[1])); ecc_pippenger_precompute (&ecc, atoi(argv[2]), atoi(argv[3])); fprintf (stderr, "Table size: %lu entries\n", (unsigned long) ecc.table_size); ecc_curve_check (&ecc); if (argc > 4) output_curve (&ecc, atoi(argv[4])); return EXIT_SUCCESS; } nettle-3.4.1/ecc-pm1-redc.c0000644000175000017500000000374713401564746014367 0ustar nissenisse/* ecc-pm1-redc.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Use that 1 = - (p - 1) (mod p), and that at least one low limb of p - 1 is zero. */ void ecc_pm1_redc (const struct ecc_modulo *m, mp_limb_t *rp) { unsigned i; mp_limb_t hi, cy; unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) rp[i] = mpn_submul_1 (rp + i + k, m->redc_mpm1, m->size - k, rp[i]); hi = mpn_sub_n (rp, rp + m->size, rp, m->size); cy = cnd_add_n (hi, rp, m->m, m->size); assert (cy == hi); if (shift > 0) { /* Result is always < 2p, provided that 2^shift * Bmodp_shifted <= p */ hi = (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); rp[m->size - 1] = (rp[m->size - 1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); } } nettle-3.4.1/gcm-aes256-meta.c0000644000175000017500000000342613401564745014715 0ustar nissenisse/* gcm-aes256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes256_set_nonce_wrapper; static void gcm_aes256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes256_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes256 = { "gcm_aes256", sizeof(struct gcm_aes256_ctx), GCM_BLOCK_SIZE, AES256_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes256_set_key, (nettle_set_key_func *) gcm_aes256_set_key, gcm_aes256_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes256_update, (nettle_crypt_func *) gcm_aes256_encrypt, (nettle_crypt_func *) gcm_aes256_decrypt, (nettle_hash_digest_func *) gcm_aes256_digest, }; nettle-3.4.1/rsa-sha512-verify.c0000644000175000017500000000335413401564746015311 0ustar nissenisse/* rsa-sha512-verify.c Verifying signatures created with RSA and SHA512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_verify(const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha512_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.4.1/config.make.in0000644000175000017500000000535613401564746014572 0ustar nissenisse# Makefile settings shared between Makefiles. CC = @CC@ CXX = @CXX@ CFLAGS = @CFLAGS@ CXXFLAGS = @CXXFLAGS@ CCPIC = @CCPIC@ CPPFLAGS = @CPPFLAGS@ DEFS = @DEFS@ LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ LIBOBJS = @LIBOBJS@ EMULATOR = @EMULATOR@ NM = @NM@ OBJEXT = @OBJEXT@ EXEEXT = @EXEEXT@ CC_FOR_BUILD = @CC_FOR_BUILD@ EXEEXT_FOR_BUILD = @EXEEXT_FOR_BUILD@ DEP_FLAGS = @DEP_FLAGS@ DEP_PROCESS = @DEP_PROCESS@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ LIBNETTLE_MAJOR = @LIBNETTLE_MAJOR@ LIBNETTLE_MINOR = @LIBNETTLE_MINOR@ LIBNETTLE_SONAME = @LIBNETTLE_SONAME@ LIBNETTLE_FILE = @LIBNETTLE_FILE@ LIBNETTLE_FILE_SRC = @LIBNETTLE_FILE_SRC@ LIBNETTLE_FORLINK = @LIBNETTLE_FORLINK@ LIBNETTLE_LIBS = @LIBNETTLE_LIBS@ LIBNETTLE_LINK = @LIBNETTLE_LINK@ LIBHOGWEED_MAJOR = @LIBHOGWEED_MAJOR@ LIBHOGWEED_MINOR = @LIBHOGWEED_MINOR@ LIBHOGWEED_SONAME = @LIBHOGWEED_SONAME@ LIBHOGWEED_FILE = @LIBHOGWEED_FILE@ LIBHOGWEED_FILE_SRC = @LIBHOGWEED_FILE_SRC@ LIBHOGWEED_FORLINK = @LIBHOGWEED_FORLINK@ LIBHOGWEED_LIBS = @LIBHOGWEED_LIBS@ LIBHOGWEED_LINK = @LIBHOGWEED_LINK@ NUMB_BITS = @NUMB_BITS@ AR = @AR@ ARFLAGS = cru AUTOCONF = autoconf AUTOHEADER = autoheader M4 = @M4@ MAKEINFO = makeinfo RANLIB = @RANLIB@ LN_S = @LN_S@ prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ bindir = @bindir@ libdir = @libdir@ includedir = @includedir@ infodir = @infodir@ # PRE_CPPFLAGS and PRE_LDFLAGS lets each Makefile.in prepend its own # flags before CPPFLAGS and LDFLAGS. While EXTRA_CFLAGS are added at the end. COMPILE = $(CC) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CFLAGS) $(EXTRA_CFLAGS) $(DEP_FLAGS) COMPILE_CXX = $(CXX) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CXXFLAGS) $(DEP_FLAGS) LINK = $(CC) $(CFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) LINK_CXX = $(CXX) $(CXXFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) # Default rule. Must be here, since config.make is included before the # usual targets. default: all # For some reason the suffixes list must be set before the rules. # Otherwise BSD make won't build binaries e.g. aesdata. On the other # hand, AIX make has the opposite idiosyncrasies to BSD, and the AIX # compile was broken when .SUFFIXES was moved here from Makefile.in. .SUFFIXES: .SUFFIXES: .asm .c .$(OBJEXT) .html .dvi .info .exe .pdf .ps .texinfo # Disable builtin rule %$(EXEEXT) : %.c .c: # Keep object files .PRECIOUS: %.o .PHONY: all check install uninstall clean distclean mostlyclean maintainer-clean distdir \ all-here check-here install-here clean-here distclean-here mostlyclean-here \ maintainer-clean-here distdir-here \ install-shared install-info install-headers \ uninstall-shared uninstall-info uninstall-headers \ dist distcleancheck nettle-3.4.1/gosthash94.c0000644000175000017500000006276513401564745014230 0ustar nissenisse/* gost.c - an implementation of GOST Hash Function * based on the Russian Standard GOST R 34.11-94. * See also RFC 4357. * * Copyright: 2009-2012 Aleksey Kravchenko * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ /* * Ported to nettle by Nikos Mavrogiannopoulos. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" /* pre-initialized GOST lookup tables based on rotated S-Box */ static const uint32_t gosthash94_sbox[4][256] = { { 0x72000, 0x75000, 0x74800, 0x71000, 0x76800, 0x74000, 0x70000, 0x77000, 0x73000, 0x75800, 0x70800, 0x76000, 0x73800, 0x77800, 0x72800, 0x71800, 0x5A000, 0x5D000, 0x5C800, 0x59000, 0x5E800, 0x5C000, 0x58000, 0x5F000, 0x5B000, 0x5D800, 0x58800, 0x5E000, 0x5B800, 0x5F800, 0x5A800, 0x59800, 0x22000, 0x25000, 0x24800, 0x21000, 0x26800, 0x24000, 0x20000, 0x27000, 0x23000, 0x25800, 0x20800, 0x26000, 0x23800, 0x27800, 0x22800, 0x21800, 0x62000, 0x65000, 0x64800, 0x61000, 0x66800, 0x64000, 0x60000, 0x67000, 0x63000, 0x65800, 0x60800, 0x66000, 0x63800, 0x67800, 0x62800, 0x61800, 0x32000, 0x35000, 0x34800, 0x31000, 0x36800, 0x34000, 0x30000, 0x37000, 0x33000, 0x35800, 0x30800, 0x36000, 0x33800, 0x37800, 0x32800, 0x31800, 0x6A000, 0x6D000, 0x6C800, 0x69000, 0x6E800, 0x6C000, 0x68000, 0x6F000, 0x6B000, 0x6D800, 0x68800, 0x6E000, 0x6B800, 0x6F800, 0x6A800, 0x69800, 0x7A000, 0x7D000, 0x7C800, 0x79000, 0x7E800, 0x7C000, 0x78000, 0x7F000, 0x7B000, 0x7D800, 0x78800, 0x7E000, 0x7B800, 0x7F800, 0x7A800, 0x79800, 0x52000, 0x55000, 0x54800, 0x51000, 0x56800, 0x54000, 0x50000, 0x57000, 0x53000, 0x55800, 0x50800, 0x56000, 0x53800, 0x57800, 0x52800, 0x51800, 0x12000, 0x15000, 0x14800, 0x11000, 0x16800, 0x14000, 0x10000, 0x17000, 0x13000, 0x15800, 0x10800, 0x16000, 0x13800, 0x17800, 0x12800, 0x11800, 0x1A000, 0x1D000, 0x1C800, 0x19000, 0x1E800, 0x1C000, 0x18000, 0x1F000, 0x1B000, 0x1D800, 0x18800, 0x1E000, 0x1B800, 0x1F800, 0x1A800, 0x19800, 0x42000, 0x45000, 0x44800, 0x41000, 0x46800, 0x44000, 0x40000, 0x47000, 0x43000, 0x45800, 0x40800, 0x46000, 0x43800, 0x47800, 0x42800, 0x41800, 0xA000, 0xD000, 0xC800, 0x9000, 0xE800, 0xC000, 0x8000, 0xF000, 0xB000, 0xD800, 0x8800, 0xE000, 0xB800, 0xF800, 0xA800, 0x9800, 0x2000, 0x5000, 0x4800, 0x1000, 0x6800, 0x4000, 0x0, 0x7000, 0x3000, 0x5800, 0x800, 0x6000, 0x3800, 0x7800, 0x2800, 0x1800, 0x3A000, 0x3D000, 0x3C800, 0x39000, 0x3E800, 0x3C000, 0x38000, 0x3F000, 0x3B000, 0x3D800, 0x38800, 0x3E000, 0x3B800, 0x3F800, 0x3A800, 0x39800, 0x2A000, 0x2D000, 0x2C800, 0x29000, 0x2E800, 0x2C000, 0x28000, 0x2F000, 0x2B000, 0x2D800, 0x28800, 0x2E000, 0x2B800, 0x2F800, 0x2A800, 0x29800, 0x4A000, 0x4D000, 0x4C800, 0x49000, 0x4E800, 0x4C000, 0x48000, 0x4F000, 0x4B000, 0x4D800, 0x48800, 0x4E000, 0x4B800, 0x4F800, 0x4A800, 0x49800 }, { 0x3A80000, 0x3C00000, 0x3880000, 0x3E80000, 0x3D00000, 0x3980000, 0x3A00000, 0x3900000, 0x3F00000, 0x3F80000, 0x3E00000, 0x3B80000, 0x3B00000, 0x3800000, 0x3C80000, 0x3D80000, 0x6A80000, 0x6C00000, 0x6880000, 0x6E80000, 0x6D00000, 0x6980000, 0x6A00000, 0x6900000, 0x6F00000, 0x6F80000, 0x6E00000, 0x6B80000, 0x6B00000, 0x6800000, 0x6C80000, 0x6D80000, 0x5280000, 0x5400000, 0x5080000, 0x5680000, 0x5500000, 0x5180000, 0x5200000, 0x5100000, 0x5700000, 0x5780000, 0x5600000, 0x5380000, 0x5300000, 0x5000000, 0x5480000, 0x5580000, 0xA80000, 0xC00000, 0x880000, 0xE80000, 0xD00000, 0x980000, 0xA00000, 0x900000, 0xF00000, 0xF80000, 0xE00000, 0xB80000, 0xB00000, 0x800000, 0xC80000, 0xD80000, 0x280000, 0x400000, 0x80000, 0x680000, 0x500000, 0x180000, 0x200000, 0x100000, 0x700000, 0x780000, 0x600000, 0x380000, 0x300000, 0x0, 0x480000, 0x580000, 0x4280000, 0x4400000, 0x4080000, 0x4680000, 0x4500000, 0x4180000, 0x4200000, 0x4100000, 0x4700000, 0x4780000, 0x4600000, 0x4380000, 0x4300000, 0x4000000, 0x4480000, 0x4580000, 0x4A80000, 0x4C00000, 0x4880000, 0x4E80000, 0x4D00000, 0x4980000, 0x4A00000, 0x4900000, 0x4F00000, 0x4F80000, 0x4E00000, 0x4B80000, 0x4B00000, 0x4800000, 0x4C80000, 0x4D80000, 0x7A80000, 0x7C00000, 0x7880000, 0x7E80000, 0x7D00000, 0x7980000, 0x7A00000, 0x7900000, 0x7F00000, 0x7F80000, 0x7E00000, 0x7B80000, 0x7B00000, 0x7800000, 0x7C80000, 0x7D80000, 0x7280000, 0x7400000, 0x7080000, 0x7680000, 0x7500000, 0x7180000, 0x7200000, 0x7100000, 0x7700000, 0x7780000, 0x7600000, 0x7380000, 0x7300000, 0x7000000, 0x7480000, 0x7580000, 0x2280000, 0x2400000, 0x2080000, 0x2680000, 0x2500000, 0x2180000, 0x2200000, 0x2100000, 0x2700000, 0x2780000, 0x2600000, 0x2380000, 0x2300000, 0x2000000, 0x2480000, 0x2580000, 0x3280000, 0x3400000, 0x3080000, 0x3680000, 0x3500000, 0x3180000, 0x3200000, 0x3100000, 0x3700000, 0x3780000, 0x3600000, 0x3380000, 0x3300000, 0x3000000, 0x3480000, 0x3580000, 0x6280000, 0x6400000, 0x6080000, 0x6680000, 0x6500000, 0x6180000, 0x6200000, 0x6100000, 0x6700000, 0x6780000, 0x6600000, 0x6380000, 0x6300000, 0x6000000, 0x6480000, 0x6580000, 0x5A80000, 0x5C00000, 0x5880000, 0x5E80000, 0x5D00000, 0x5980000, 0x5A00000, 0x5900000, 0x5F00000, 0x5F80000, 0x5E00000, 0x5B80000, 0x5B00000, 0x5800000, 0x5C80000, 0x5D80000, 0x1280000, 0x1400000, 0x1080000, 0x1680000, 0x1500000, 0x1180000, 0x1200000, 0x1100000, 0x1700000, 0x1780000, 0x1600000, 0x1380000, 0x1300000, 0x1000000, 0x1480000, 0x1580000, 0x2A80000, 0x2C00000, 0x2880000, 0x2E80000, 0x2D00000, 0x2980000, 0x2A00000, 0x2900000, 0x2F00000, 0x2F80000, 0x2E00000, 0x2B80000, 0x2B00000, 0x2800000, 0x2C80000, 0x2D80000, 0x1A80000, 0x1C00000, 0x1880000, 0x1E80000, 0x1D00000, 0x1980000, 0x1A00000, 0x1900000, 0x1F00000, 0x1F80000, 0x1E00000, 0x1B80000, 0x1B00000, 0x1800000, 0x1C80000, 0x1D80000 }, { 0x30000002, 0x60000002, 0x38000002, 0x8000002, 0x28000002, 0x78000002, 0x68000002, 0x40000002, 0x20000002, 0x50000002, 0x48000002, 0x70000002, 0x2, 0x18000002, 0x58000002, 0x10000002, 0xB0000005, 0xE0000005, 0xB8000005, 0x88000005, 0xA8000005, 0xF8000005, 0xE8000005, 0xC0000005, 0xA0000005, 0xD0000005, 0xC8000005, 0xF0000005, 0x80000005, 0x98000005, 0xD8000005, 0x90000005, 0x30000005, 0x60000005, 0x38000005, 0x8000005, 0x28000005, 0x78000005, 0x68000005, 0x40000005, 0x20000005, 0x50000005, 0x48000005, 0x70000005, 0x5, 0x18000005, 0x58000005, 0x10000005, 0x30000000, 0x60000000, 0x38000000, 0x8000000, 0x28000000, 0x78000000, 0x68000000, 0x40000000, 0x20000000, 0x50000000, 0x48000000, 0x70000000, 0x0, 0x18000000, 0x58000000, 0x10000000, 0xB0000003, 0xE0000003, 0xB8000003, 0x88000003, 0xA8000003, 0xF8000003, 0xE8000003, 0xC0000003, 0xA0000003, 0xD0000003, 0xC8000003, 0xF0000003, 0x80000003, 0x98000003, 0xD8000003, 0x90000003, 0x30000001, 0x60000001, 0x38000001, 0x8000001, 0x28000001, 0x78000001, 0x68000001, 0x40000001, 0x20000001, 0x50000001, 0x48000001, 0x70000001, 0x1, 0x18000001, 0x58000001, 0x10000001, 0xB0000000, 0xE0000000, 0xB8000000, 0x88000000, 0xA8000000, 0xF8000000, 0xE8000000, 0xC0000000, 0xA0000000, 0xD0000000, 0xC8000000, 0xF0000000, 0x80000000, 0x98000000, 0xD8000000, 0x90000000, 0xB0000006, 0xE0000006, 0xB8000006, 0x88000006, 0xA8000006, 0xF8000006, 0xE8000006, 0xC0000006, 0xA0000006, 0xD0000006, 0xC8000006, 0xF0000006, 0x80000006, 0x98000006, 0xD8000006, 0x90000006, 0xB0000001, 0xE0000001, 0xB8000001, 0x88000001, 0xA8000001, 0xF8000001, 0xE8000001, 0xC0000001, 0xA0000001, 0xD0000001, 0xC8000001, 0xF0000001, 0x80000001, 0x98000001, 0xD8000001, 0x90000001, 0x30000003, 0x60000003, 0x38000003, 0x8000003, 0x28000003, 0x78000003, 0x68000003, 0x40000003, 0x20000003, 0x50000003, 0x48000003, 0x70000003, 0x3, 0x18000003, 0x58000003, 0x10000003, 0x30000004, 0x60000004, 0x38000004, 0x8000004, 0x28000004, 0x78000004, 0x68000004, 0x40000004, 0x20000004, 0x50000004, 0x48000004, 0x70000004, 0x4, 0x18000004, 0x58000004, 0x10000004, 0xB0000002, 0xE0000002, 0xB8000002, 0x88000002, 0xA8000002, 0xF8000002, 0xE8000002, 0xC0000002, 0xA0000002, 0xD0000002, 0xC8000002, 0xF0000002, 0x80000002, 0x98000002, 0xD8000002, 0x90000002, 0xB0000004, 0xE0000004, 0xB8000004, 0x88000004, 0xA8000004, 0xF8000004, 0xE8000004, 0xC0000004, 0xA0000004, 0xD0000004, 0xC8000004, 0xF0000004, 0x80000004, 0x98000004, 0xD8000004, 0x90000004, 0x30000006, 0x60000006, 0x38000006, 0x8000006, 0x28000006, 0x78000006, 0x68000006, 0x40000006, 0x20000006, 0x50000006, 0x48000006, 0x70000006, 0x6, 0x18000006, 0x58000006, 0x10000006, 0xB0000007, 0xE0000007, 0xB8000007, 0x88000007, 0xA8000007, 0xF8000007, 0xE8000007, 0xC0000007, 0xA0000007, 0xD0000007, 0xC8000007, 0xF0000007, 0x80000007, 0x98000007, 0xD8000007, 0x90000007, 0x30000007, 0x60000007, 0x38000007, 0x8000007, 0x28000007, 0x78000007, 0x68000007, 0x40000007, 0x20000007, 0x50000007, 0x48000007, 0x70000007, 0x7, 0x18000007, 0x58000007, 0x10000007 }, { 0xE8, 0xD8, 0xA0, 0x88, 0x98, 0xF8, 0xA8, 0xC8, 0x80, 0xD0, 0xF0, 0xB8, 0xB0, 0xC0, 0x90, 0xE0, 0x7E8, 0x7D8, 0x7A0, 0x788, 0x798, 0x7F8, 0x7A8, 0x7C8, 0x780, 0x7D0, 0x7F0, 0x7B8, 0x7B0, 0x7C0, 0x790, 0x7E0, 0x6E8, 0x6D8, 0x6A0, 0x688, 0x698, 0x6F8, 0x6A8, 0x6C8, 0x680, 0x6D0, 0x6F0, 0x6B8, 0x6B0, 0x6C0, 0x690, 0x6E0, 0x68, 0x58, 0x20, 0x8, 0x18, 0x78, 0x28, 0x48, 0x0, 0x50, 0x70, 0x38, 0x30, 0x40, 0x10, 0x60, 0x2E8, 0x2D8, 0x2A0, 0x288, 0x298, 0x2F8, 0x2A8, 0x2C8, 0x280, 0x2D0, 0x2F0, 0x2B8, 0x2B0, 0x2C0, 0x290, 0x2E0, 0x3E8, 0x3D8, 0x3A0, 0x388, 0x398, 0x3F8, 0x3A8, 0x3C8, 0x380, 0x3D0, 0x3F0, 0x3B8, 0x3B0, 0x3C0, 0x390, 0x3E0, 0x568, 0x558, 0x520, 0x508, 0x518, 0x578, 0x528, 0x548, 0x500, 0x550, 0x570, 0x538, 0x530, 0x540, 0x510, 0x560, 0x268, 0x258, 0x220, 0x208, 0x218, 0x278, 0x228, 0x248, 0x200, 0x250, 0x270, 0x238, 0x230, 0x240, 0x210, 0x260, 0x4E8, 0x4D8, 0x4A0, 0x488, 0x498, 0x4F8, 0x4A8, 0x4C8, 0x480, 0x4D0, 0x4F0, 0x4B8, 0x4B0, 0x4C0, 0x490, 0x4E0, 0x168, 0x158, 0x120, 0x108, 0x118, 0x178, 0x128, 0x148, 0x100, 0x150, 0x170, 0x138, 0x130, 0x140, 0x110, 0x160, 0x1E8, 0x1D8, 0x1A0, 0x188, 0x198, 0x1F8, 0x1A8, 0x1C8, 0x180, 0x1D0, 0x1F0, 0x1B8, 0x1B0, 0x1C0, 0x190, 0x1E0, 0x768, 0x758, 0x720, 0x708, 0x718, 0x778, 0x728, 0x748, 0x700, 0x750, 0x770, 0x738, 0x730, 0x740, 0x710, 0x760, 0x368, 0x358, 0x320, 0x308, 0x318, 0x378, 0x328, 0x348, 0x300, 0x350, 0x370, 0x338, 0x330, 0x340, 0x310, 0x360, 0x5E8, 0x5D8, 0x5A0, 0x588, 0x598, 0x5F8, 0x5A8, 0x5C8, 0x580, 0x5D0, 0x5F0, 0x5B8, 0x5B0, 0x5C0, 0x590, 0x5E0, 0x468, 0x458, 0x420, 0x408, 0x418, 0x478, 0x428, 0x448, 0x400, 0x450, 0x470, 0x438, 0x430, 0x440, 0x410, 0x460, 0x668, 0x658, 0x620, 0x608, 0x618, 0x678, 0x628, 0x648, 0x600, 0x650, 0x670, 0x638, 0x630, 0x640, 0x610, 0x660 } }; /** * Initialize algorithm context before calculating hash * with test parameters set. * * @param ctx context to initalize */ void gosthash94_init (struct gosthash94_ctx *ctx) { memset (ctx, 0, sizeof (struct gosthash94_ctx)); } /* * A macro that performs a full encryption round of GOST 28147-89. * Temporary variables tmp assumed and variables r and l for left and right * blocks. */ #define GOST_ENCRYPT_ROUND(key1, key2, sbox) \ tmp = (key1) + r; \ l ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; \ tmp = (key2) + l; \ r ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \ (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; /* encrypt a block with the given key */ #define GOST_ENCRYPT(result, i, key, hash, sbox) \ r = hash[i], l = hash[i + 1]; \ GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \ GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \ GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \ GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \ GOST_ENCRYPT_ROUND(key[7], key[6], sbox) \ GOST_ENCRYPT_ROUND(key[5], key[4], sbox) \ GOST_ENCRYPT_ROUND(key[3], key[2], sbox) \ GOST_ENCRYPT_ROUND(key[1], key[0], sbox) \ result[i] = l, result[i + 1] = r; /** * The core transformation. Process a 512-bit block. * * @param hash intermediate message hash * @param block the message block to process */ static void gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block) { unsigned i; uint32_t key[8], u[8], v[8], w[8], s[8]; uint32_t l, r, tmp; /* u := hash, v := <256-bit message block> */ memcpy (u, ctx->hash, sizeof (u)); memcpy (v, block, sizeof (v)); /* w := u xor v */ w[0] = u[0] ^ v[0], w[1] = u[1] ^ v[1]; w[2] = u[2] ^ v[2], w[3] = u[3] ^ v[3]; w[4] = u[4] ^ v[4], w[5] = u[5] ^ v[5]; w[6] = u[6] ^ v[6], w[7] = u[7] ^ v[7]; /* calculate keys, encrypt hash and store result to the s[] array */ for (i = 0;; i += 2) { /* key generation: key_i := P(w) */ key[0] = (w[0] & 0x000000ff) | ((w[2] & 0x000000ff) << 8) | ((w[4] & 0x000000ff) << 16) | ((w[6] & 0x000000ff) << 24); key[1] = ((w[0] & 0x0000ff00) >> 8) | (w[2] & 0x0000ff00) | ((w[4] & 0x0000ff00) << 8) | ((w[6] & 0x0000ff00) << 16); key[2] = ((w[0] & 0x00ff0000) >> 16) | ((w[2] & 0x00ff0000) >> 8) | (w[4] & 0x00ff0000) | ((w[6] & 0x00ff0000) << 8); key[3] = ((w[0] & 0xff000000) >> 24) | ((w[2] & 0xff000000) >> 16) | ((w[4] & 0xff000000) >> 8) | (w[6] & 0xff000000); key[4] = (w[1] & 0x000000ff) | ((w[3] & 0x000000ff) << 8) | ((w[5] & 0x000000ff) << 16) | ((w[7] & 0x000000ff) << 24); key[5] = ((w[1] & 0x0000ff00) >> 8) | (w[3] & 0x0000ff00) | ((w[5] & 0x0000ff00) << 8) | ((w[7] & 0x0000ff00) << 16); key[6] = ((w[1] & 0x00ff0000) >> 16) | ((w[3] & 0x00ff0000) >> 8) | (w[5] & 0x00ff0000) | ((w[7] & 0x00ff0000) << 8); key[7] = ((w[1] & 0xff000000) >> 24) | ((w[3] & 0xff000000) >> 16) | ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000); /* encryption: s_i := E_{key_i} (h_i) */ GOST_ENCRYPT (s, i, key, ctx->hash, gosthash94_sbox); if (i == 0) { /* w:= A(u) ^ A^2(v) */ w[0] = u[2] ^ v[4], w[1] = u[3] ^ v[5]; w[2] = u[4] ^ v[6], w[3] = u[5] ^ v[7]; w[4] = u[6] ^ (v[0] ^= v[2]); w[5] = u[7] ^ (v[1] ^= v[3]); w[6] = (u[0] ^= u[2]) ^ (v[2] ^= v[4]); w[7] = (u[1] ^= u[3]) ^ (v[3] ^= v[5]); } else if ((i & 2) != 0) { if (i == 6) break; /* w := A^2(u) xor A^4(v) xor C_3; u := A(u) xor C_3 */ /* C_3=0xff00ffff000000ffff0000ff00ffff0000ff00ff00ff00ffff00ff00ff00ff00 */ u[2] ^= u[4] ^ 0x000000ff; u[3] ^= u[5] ^ 0xff00ffff; u[4] ^= 0xff00ff00; u[5] ^= 0xff00ff00; u[6] ^= 0x00ff00ff; u[7] ^= 0x00ff00ff; u[0] ^= 0x00ffff00; u[1] ^= 0xff0000ff; w[0] = u[4] ^ v[0]; w[2] = u[6] ^ v[2]; w[4] = u[0] ^ (v[4] ^= v[6]); w[6] = u[2] ^ (v[6] ^= v[0]); w[1] = u[5] ^ v[1]; w[3] = u[7] ^ v[3]; w[5] = u[1] ^ (v[5] ^= v[7]); w[7] = u[3] ^ (v[7] ^= v[1]); } else { /* i==4 here */ /* w:= A( A^2(u) xor C_3 ) xor A^6(v) */ w[0] = u[6] ^ v[4], w[1] = u[7] ^ v[5]; w[2] = u[0] ^ v[6], w[3] = u[1] ^ v[7]; w[4] = u[2] ^ (v[0] ^= v[2]); w[5] = u[3] ^ (v[1] ^= v[3]); w[6] = (u[4] ^= u[6]) ^ (v[2] ^= v[4]); w[7] = (u[5] ^= u[7]) ^ (v[3] ^= v[5]); } } /* step hash function: x(block, hash) := psi^61(hash xor psi(block xor psi^12(S))) */ /* 12 rounds of the LFSR and xor in */ u[0] = block[0] ^ s[6]; u[1] = block[1] ^ s[7]; u[2] = block[2] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff) ^ (s[1] & 0xffff) ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[6] ^ (s[6] << 16) ^ (s[7] & 0xffff0000) ^ (s[7] >> 16); u[3] = block[3] ^ (s[0] & 0xffff) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^ (s[1] << 16) ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[6] ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); u[4] = block[4] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[1] & 0xffff0000) ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); u[5] = block[5] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff0000) ^ (s[1] & 0xffff) ^ s[2] ^ (s[2] >> 16) ^ (s[3] << 16) ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff0000) ^ (s[7] << 16) ^ (s[7] >> 16); u[6] = block[6] ^ s[0] ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[3] ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[5] >> 16) ^ s[6] ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] << 16); u[7] = block[7] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^ (s[1] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[4] ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[5] >> 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); /* 1 round of the LFSR (a mixing transformation) and xor with */ v[0] = ctx->hash[0] ^ (u[1] << 16) ^ (u[0] >> 16); v[1] = ctx->hash[1] ^ (u[2] << 16) ^ (u[1] >> 16); v[2] = ctx->hash[2] ^ (u[3] << 16) ^ (u[2] >> 16); v[3] = ctx->hash[3] ^ (u[4] << 16) ^ (u[3] >> 16); v[4] = ctx->hash[4] ^ (u[5] << 16) ^ (u[4] >> 16); v[5] = ctx->hash[5] ^ (u[6] << 16) ^ (u[5] >> 16); v[6] = ctx->hash[6] ^ (u[7] << 16) ^ (u[6] >> 16); v[7] = ctx-> hash[7] ^ (u[0] & 0xffff0000) ^ (u[0] << 16) ^ (u[1] & 0xffff0000) ^ (u[1] << 16) ^ (u[6] << 16) ^ (u[7] & 0xffff0000) ^ (u[7] >> 16); /* 61 rounds of LFSR, mixing up hash */ ctx->hash[0] = (v[0] & 0xffff0000) ^ (v[0] << 16) ^ (v[0] >> 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ (v[3] >> 16) ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] >> 16) ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] & 0xffff); ctx->hash[1] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^ (v[1] & 0xffff) ^ v[2] ^ (v[2] >> 16) ^ (v[3] << 16) ^ (v[4] >> 16) ^ (v[5] << 16) ^ (v[6] << 16) ^ v[6] ^ (v[7] & 0xffff0000) ^ (v[7] >> 16); ctx->hash[2] = (v[0] & 0xffff) ^ (v[0] << 16) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[6] ^ (v[6] >> 16) ^ (v[7] & 0xffff) ^ (v[7] << 16) ^ (v[7] >> 16); ctx->hash[3] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^ (v[1] & 0xffff0000) ^ (v[1] >> 16) ^ (v[2] << 16) ^ (v[2] >> 16) ^ v[2] ^ (v[3] << 16) ^ (v[4] >> 16) ^ v[4] ^ (v[5] << 16) ^ (v[6] << 16) ^ (v[7] & 0xffff) ^ (v[7] >> 16); ctx->hash[4] = (v[0] >> 16) ^ (v[1] << 16) ^ v[1] ^ (v[2] >> 16) ^ v[2] ^ (v[3] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ (v[7] << 16); ctx->hash[5] = (v[0] << 16) ^ (v[0] & 0xffff0000) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ v[2] ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[4] >> 16) ^ v[4] ^ (v[5] << 16) ^ (v[6] << 16) ^ (v[6] >> 16) ^ v[6] ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] & 0xffff0000); ctx->hash[6] = v[0] ^ v[2] ^ (v[2] >> 16) ^ v[3] ^ (v[3] << 16) ^ v[4] ^ (v[4] >> 16) ^ (v[5] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ v[6] ^ (v[7] << 16) ^ v[7]; ctx->hash[7] = v[0] ^ (v[0] >> 16) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[2] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ v[4] ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ (v[7] << 16) ^ v[7]; } /** * This function calculates hash value by 256-bit blocks. * It updates 256-bit check sum as follows: * *(uint256_t)(ctx->sum) += *(uint256_t*)block; * and then updates intermediate hash value ctx->hash * by calling gost_block_compress(). * * @param ctx algorithm context * @param block the 256-bit message block to process */ static void gost_compute_sum_and_hash (struct gosthash94_ctx *ctx, const uint8_t *block) { uint32_t block_le[8]; unsigned i, carry; /* compute the 256-bit sum */ for (i = carry = 0; i < 8; i++, block += 4) { block_le[i] = LE_READ_UINT32(block); ctx->sum[i] += carry; carry = (ctx->sum[i] < carry); ctx->sum[i] += block_le[i]; carry += (ctx->sum[i] < block_le[i]); } /* update message hash */ gost_block_compress (ctx, block_le); } /** * Calculate message hash. * Can be called repeatedly with chunks of the message to be hashed. * * @param ctx the algorithm context containing current hashing state * @param msg message chunk * @param size length of the message chunk */ void gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { unsigned index = (unsigned) ctx->length & 31; ctx->length += length; /* fill partial block */ if (index) { unsigned left = GOSTHASH94_BLOCK_SIZE - index; memcpy (ctx->message + index, msg, (length < left ? length : left)); if (length < left) return; /* process partial block */ gost_compute_sum_and_hash (ctx, ctx->message); msg += left; length -= left; } while (length >= GOSTHASH94_BLOCK_SIZE) { gost_compute_sum_and_hash (ctx, msg); msg += GOSTHASH94_BLOCK_SIZE; length -= GOSTHASH94_BLOCK_SIZE; } if (length) { /* save leftovers */ memcpy (ctx->message, msg, length); } } /** * Finish hashing and store message digest into given array. * * @param ctx the algorithm context containing current hashing state * @param result calculated hash in binary form */ void gosthash94_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *result) { unsigned index = ctx->length & 31; uint32_t msg32[8]; assert(length <= GOSTHASH94_DIGEST_SIZE); /* pad the last block with zeroes and hash it */ if (index > 0) { memset (ctx->message + index, 0, 32 - index); gost_compute_sum_and_hash (ctx, ctx->message); } /* hash the message length and the sum */ msg32[0] = ctx->length << 3; msg32[1] = ctx->length >> 29; memset (msg32 + 2, 0, sizeof (uint32_t) * 6); gost_block_compress (ctx, msg32); gost_block_compress (ctx, ctx->sum); /* convert hash state to result bytes */ _nettle_write_le32(length, result, ctx->hash); gosthash94_init (ctx); } nettle-3.4.1/cfb.c0000644000175000017500000001012313401564745012742 0ustar nissenisse/* cfb.c Cipher feedback mode. Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cfb.h" #include "memxor.h" #include "nettle-internal.h" void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { uint8_t *p; TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); if (src != dst) { for (p = iv; length >= block_size; p = dst, dst += block_size, src += block_size, length -= block_size) { f(ctx, block_size, dst, p); memxor(dst, src, block_size); } } else { for (p = iv; length >= block_size; p = dst, dst += block_size, src += block_size, length -= block_size) { f(ctx, block_size, buffer, p); memxor(dst, buffer, block_size); } } if (p != iv) memcpy(iv, p, block_size); if (length) { f(ctx, block_size, buffer, iv); memxor3(dst, buffer, src, length); /* We do not care about updating IV here. This is the last call in * message sequence and one has to set IV afterwards anyway */ } } /* Don't allocate any more space than this on the stack */ #define CFB_BUFFER_LIMIT 512 void cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { if (src != dst) { size_t left = length % block_size; length -= left; if (length > 0) { /* Decrypt in ECB mode */ f(ctx, block_size, dst, iv); f(ctx, length - block_size, dst + block_size, src); memcpy(iv, src + length - block_size, block_size); memxor(dst, src, length); } if (left > 0) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); f(ctx, block_size, buffer, iv); memxor3(dst + length, src + length, buffer, left); } } else { /* For in-place CFB, we decrypt into a temporary buffer of size * at most CFB_BUFFER_LIMIT, and process that amount of data at * a time. */ /* NOTE: We assume that block_size <= CFB_BUFFER_LIMIT */ TMP_DECL(buffer, uint8_t, CFB_BUFFER_LIMIT); TMP_DECL(initial_iv, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); size_t buffer_size; size_t left; buffer_size = CFB_BUFFER_LIMIT - (CFB_BUFFER_LIMIT % block_size); TMP_ALLOC(buffer, buffer_size); TMP_ALLOC(initial_iv, block_size); left = length % block_size; length -= left; while (length > 0) { size_t part = length > buffer_size ? buffer_size : length; /* length is greater that zero and is divided by block_size, so it is * not less than block_size. So does part */ f(ctx, block_size, buffer, iv); f(ctx, part - block_size, buffer + block_size, src); memcpy(iv, src + part - block_size, block_size); memxor(dst, buffer, part); length -= part; src += part; dst += part; } if (left > 0) { f(ctx, block_size, buffer, iv); memxor(dst, buffer, left); } } } nettle-3.4.1/rsa2sexp.c0000644000175000017500000000322613401564746013766 0ustar nissenisse/* rsa2sexp.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "sexp.h" int rsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, const struct rsa_public_key *pub, const struct rsa_private_key *priv) { if (!algorithm_name) algorithm_name = "rsa-pkcs1"; if (priv) return sexp_format(buffer, "(private-key(%0s(n%b)(e%b)" "(d%b)(p%b)(q%b)(a%b)(b%b)(c%b)))", algorithm_name, pub->n, pub->e, priv->d, priv->p, priv->q, priv->a, priv->b, priv->c); else return sexp_format(buffer, "(public-key(%0s(n%b)(e%b)))", algorithm_name, pub->n, pub->e); } nettle-3.4.1/base64-decode.c0000644000175000017500000000766013401564745014531 0ustar nissenisse/* base64-encode.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base64.h" #define TABLE_INVALID -1 #define TABLE_SPACE -2 #define TABLE_END -3 void base64_decode_init(struct base64_decode_ctx *ctx) { static const signed char base64_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -3, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; ctx->word = ctx->bits = ctx->padding = 0; ctx->table = base64_decode_table; } int base64_decode_single(struct base64_decode_ctx *ctx, uint8_t *dst, char src) { int data = ctx->table[(uint8_t) src]; switch(data) { default: assert(data >= 0 && data < 0x40); if (ctx->padding) return -1; ctx->word = ctx->word << 6 | data; ctx->bits += 6; if (ctx->bits >= 8) { ctx->bits -= 8; dst[0] = ctx->word >> ctx->bits; return 1; } else return 0; case TABLE_INVALID: return -1; case TABLE_SPACE: return 0; case TABLE_END: /* There can be at most two padding characters. */ if (!ctx->bits || ctx->padding > 2) return -1; if (ctx->word & ( (1<bits) - 1)) /* We shouldn't have any leftover bits */ return -1; ctx->padding++; ctx->bits -= 2; return 0; } } int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src) { size_t done; size_t i; for (i = 0, done = 0; ibits == 0; } nettle-3.4.1/sha1.c0000644000175000017500000000471513401564745013056 0ustar nissenisse/* sha1.c The sha1 hash function. Defined by http://www.itl.nist.gov/fipspubs/fip180-1.htm. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha1.h" #include "macros.h" #include "nettle-write.h" /* Initialize the SHA values */ void sha1_init(struct sha1_ctx *ctx) { /* FIXME: Put the buffer last in the struct, and arrange so that we can initialize with a single memcpy. */ static const uint32_t iv[_SHA1_DIGEST_LENGTH] = { /* SHA initial values, first 4 identical to md5's. */ 0x67452301L, 0xEFCDAB89L, 0x98BADCFEL, 0x10325476L, 0xC3D2E1F0L, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } #define COMPRESS(ctx, data) (_nettle_sha1_compress((ctx)->state, data)) void sha1_update(struct sha1_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++); } void sha1_digest(struct sha1_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= SHA1_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* append the 64 bit count */ WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count); _nettle_sha1_compress(ctx->state, ctx->block); _nettle_write_be32(length, digest, ctx->state); sha1_init(ctx); } nettle-3.4.1/yarrow.h0000644000175000017500000000714413401564746013552 0ustar nissenisse/* yarrow.h The yarrow pseudo-randomness generator. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_YARROW_H_INCLUDED #define NETTLE_YARROW_H_INCLUDED #include "aes.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define yarrow256_init nettle_yarrow256_init #define yarrow256_seed nettle_yarrow256_seed #define yarrow256_update nettle_yarrow256_update #define yarrow256_random nettle_yarrow256_random #define yarrow256_is_seeded nettle_yarrow256_is_seeded #define yarrow256_needed_sources nettle_yarrow256_needed_sources #define yarrow256_fast_reseed nettle_yarrow256_fast_reseed #define yarrow256_slow_reseed nettle_yarrow256_slow_reseed #define yarrow_key_event_init nettle_yarrow_key_event_init #define yarrow_key_event_estimate nettle_yarrow_key_event_estimate /* Obsolete alias for backwards compatibility. Will be deleted in some later version. */ #define yarrow256_force_reseed yarrow256_slow_reseed enum yarrow_pool_id { YARROW_FAST = 0, YARROW_SLOW = 1 }; struct yarrow_source { /* Indexed by yarrow_pool_id */ uint32_t estimate[2]; /* The pool next sample should go to. */ enum yarrow_pool_id next; }; #define YARROW256_SEED_FILE_SIZE (2 * AES_BLOCK_SIZE) /* Yarrow-256, based on SHA-256 and AES-256 */ struct yarrow256_ctx { /* Indexed by yarrow_pool_id */ struct sha256_ctx pools[2]; int seeded; /* The current key and counter block */ struct aes256_ctx key; uint8_t counter[AES_BLOCK_SIZE]; /* The entropy sources */ unsigned nsources; struct yarrow_source *sources; }; void yarrow256_init(struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources); void yarrow256_seed(struct yarrow256_ctx *ctx, size_t length, const uint8_t *seed_file); /* Returns 1 on reseed */ int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, size_t length, const uint8_t *data); void yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst); int yarrow256_is_seeded(struct yarrow256_ctx *ctx); unsigned yarrow256_needed_sources(struct yarrow256_ctx *ctx); void yarrow256_fast_reseed(struct yarrow256_ctx *ctx); void yarrow256_slow_reseed(struct yarrow256_ctx *ctx); /* Key event estimator */ #define YARROW_KEY_EVENT_BUFFER 16 struct yarrow_key_event_ctx { /* Counter for initial priming of the state */ unsigned index; unsigned chars[YARROW_KEY_EVENT_BUFFER]; unsigned previous; }; void yarrow_key_event_init(struct yarrow_key_event_ctx *ctx); unsigned yarrow_key_event_estimate(struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time); #ifdef __cplusplus } #endif #endif /* NETTLE_YARROW_H_INCLUDED */ nettle-3.4.1/sha1.h0000644000175000017500000000437113401564746013062 0ustar nissenisse/* sha1.h The sha1 hash function. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA1_H_INCLUDED #define NETTLE_SHA1_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha1_init nettle_sha1_init #define sha1_update nettle_sha1_update #define sha1_digest nettle_sha1_digest /* SHA1 */ #define SHA1_DIGEST_SIZE 20 #define SHA1_BLOCK_SIZE 64 /* For backwards compatibility */ #define SHA1_DATA_SIZE SHA1_BLOCK_SIZE /* Digest is kept internally as 5 32-bit words. */ #define _SHA1_DIGEST_LENGTH 5 struct sha1_ctx { uint32_t state[_SHA1_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ uint8_t block[SHA1_BLOCK_SIZE]; /* SHA1 data buffer */ unsigned int index; /* index into buffer */ }; void sha1_init(struct sha1_ctx *ctx); void sha1_update(struct sha1_ctx *ctx, size_t length, const uint8_t *data); void sha1_digest(struct sha1_ctx *ctx, size_t length, uint8_t *digest); /* Internal compression function. STATE points to 5 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void _nettle_sha1_compress(uint32_t *state, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_SHA1_H_INCLUDED */ nettle-3.4.1/md2-meta.c0000644000175000017500000000222213401564745013617 0ustar nissenisse/* md2-meta.c Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md2.h" const struct nettle_hash nettle_md2 = _NETTLE_HASH(md2, MD2); nettle-3.4.1/aes-internal.h0000644000175000017500000000604413401564746014607 0ustar nissenisse/* aes-internal.h The aes/rijndael block cipher. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_AES_INTERNAL_H_INCLUDED #define NETTLE_AES_INTERNAL_H_INCLUDED #include "aes.h" /* Name mangling */ #define _aes_set_key _nettle_aes_set_key #define _aes_invert _nettle_aes_invert #define _aes_encrypt _nettle_aes_encrypt #define _aes_decrypt _nettle_aes_decrypt #define _aes_encrypt_table _nettle_aes_encrypt_table /* Define to use only small tables. */ #ifndef AES_SMALL # define AES_SMALL 0 #endif #if AES_SMALL # define AES_TABLE_SIZE 1 #else # define AES_TABLE_SIZE 4 #endif struct aes_table { uint8_t sbox[0x100]; uint32_t table[AES_TABLE_SIZE][0x100]; }; void _aes_set_key(unsigned nr, unsigned nk, uint32_t *subkeys, const uint8_t *key); void _aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src); void _aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); void _aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* Macros */ /* Get the byte with index 0, 1, 2 and 3 */ #define B0(x) ((x) & 0xff) #define B1(x) (((x) >> 8) & 0xff) #define B2(x) (((x) >> 16) & 0xff) #define B3(x) (((x) >> 24) & 0xff) #define SUBBYTE(x, box) ((uint32_t)(box)[B0(x)] \ | ((uint32_t)(box)[B1(x)] << 8) \ | ((uint32_t)(box)[B2(x)] << 16) \ | ((uint32_t)(box)[B3(x)] << 24)) #define AES_ROUND(T, w0, w1, w2, w3, k) \ (( T->table[0][ B0(w0) ] \ ^ T->table[1][ B1(w1) ] \ ^ T->table[2][ B2(w2) ] \ ^ T->table[3][ B3(w3) ]) ^ (k)) #define AES_FINAL_ROUND(T, w0, w1, w2, w3, k) \ (( (uint32_t) T->sbox[ B0(w0) ] \ | ((uint32_t) T->sbox[ B1(w1) ] << 8) \ | ((uint32_t) T->sbox[ B2(w2) ] << 16) \ | ((uint32_t) T->sbox[ B3(w3) ] << 24)) ^ (k)) /* Globally visible so that the same sbox table can be used by aes_set_encrypt_key */ extern const struct aes_table _aes_encrypt_table; #define aes_sbox (_aes_encrypt_table.sbox) #endif /* NETTLE_AES_INTERNAL_H_INCLUDED */ nettle-3.4.1/ecc-pp1-redc.c0000644000175000017500000000370713401564746014366 0ustar nissenisse/* ecc-pp1-redc.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Use that 1 = p + 1 (mod p), and that at least one low limb of p + 1 is zero. */ void ecc_pp1_redc (const struct ecc_modulo *m, mp_limb_t *rp) { unsigned i; mp_limb_t hi, cy; unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) rp[i] = mpn_addmul_1 (rp + i + k, m->redc_mpm1, m->size - k, rp[i]); hi = mpn_add_n (rp, rp, rp + m->size, m->size); if (shift > 0) { hi = (hi << shift) | (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); rp[m->size - 1] = (rp[m->size - 1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); } else { cy = cnd_sub_n (hi, rp, m->m, m->size); assert (cy == hi); } } nettle-3.4.1/rsa-decrypt.c0000644000175000017500000000265013401564746014454 0ustar nissenisse/* rsa-decrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1.h" int rsa_decrypt(const struct rsa_private_key *key, size_t *length, uint8_t *message, const mpz_t gibberish) { mpz_t m; int res; mpz_init(m); rsa_compute_root(key, m, gibberish); res = pkcs1_decrypt (key->size, m, length, message); mpz_clear(m); return res; } nettle-3.4.1/camellia-table.c0000644000175000017500000003351313401564745015054 0ustar nissenisse/* camellia-table.c SBOX tables used by both encryption and key setup. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" const struct camellia_table _camellia_table = { /* sp1110 */ { 0x70707000,0x82828200,0x2c2c2c00,0xececec00, 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500, 0xe4e4e400,0x85858500,0x57575700,0x35353500, 0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100, 0x23232300,0xefefef00,0x6b6b6b00,0x93939300, 0x45454500,0x19191900,0xa5a5a500,0x21212100, 0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00, 0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00, 0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00, 0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00, 0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00, 0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00, 0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00, 0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00, 0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600, 0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00, 0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600, 0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00, 0x74747400,0x12121200,0x2b2b2b00,0x20202000, 0xf0f0f000,0xb1b1b100,0x84848400,0x99999900, 0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200, 0x34343400,0x7e7e7e00,0x76767600,0x05050500, 0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100, 0xd1d1d100,0x17171700,0x04040400,0xd7d7d700, 0x14141400,0x58585800,0x3a3a3a00,0x61616100, 0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00, 0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600, 0x53535300,0x18181800,0xf2f2f200,0x22222200, 0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200, 0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100, 0x24242400,0x08080800,0xe8e8e800,0xa8a8a800, 0x60606000,0xfcfcfc00,0x69696900,0x50505000, 0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00, 0xa1a1a100,0x89898900,0x62626200,0x97979700, 0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500, 0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200, 0x10101000,0xc4c4c400,0x00000000,0x48484800, 0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00, 0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00, 0x09090900,0x3f3f3f00,0xdddddd00,0x94949400, 0x87878700,0x5c5c5c00,0x83838300,0x02020200, 0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300, 0x73737300,0x67676700,0xf6f6f600,0xf3f3f300, 0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200, 0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600, 0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00, 0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00, 0x13131300,0xbebebe00,0x63636300,0x2e2e2e00, 0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00, 0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00, 0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600, 0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900, 0x78787800,0x98989800,0x06060600,0x6a6a6a00, 0xe7e7e700,0x46464600,0x71717100,0xbababa00, 0xd4d4d400,0x25252500,0xababab00,0x42424200, 0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00, 0x72727200,0x07070700,0xb9b9b900,0x55555500, 0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00, 0x36363600,0x49494900,0x2a2a2a00,0x68686800, 0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400, 0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00, 0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100, 0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400, 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00, }, /* sp0222 */ { 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9, 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb, 0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a, 0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282, 0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727, 0x008a8a8a,0x00323232,0x004b4b4b,0x00424242, 0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c, 0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b, 0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f, 0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d, 0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe, 0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434, 0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595, 0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a, 0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad, 0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a, 0x00171717,0x001a1a1a,0x00353535,0x00cccccc, 0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a, 0x00e8e8e8,0x00242424,0x00565656,0x00404040, 0x00e1e1e1,0x00636363,0x00090909,0x00333333, 0x00bfbfbf,0x00989898,0x00979797,0x00858585, 0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a, 0x00dadada,0x006f6f6f,0x00535353,0x00626262, 0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf, 0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2, 0x00bdbdbd,0x00363636,0x00222222,0x00383838, 0x00646464,0x001e1e1e,0x00393939,0x002c2c2c, 0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444, 0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565, 0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323, 0x00484848,0x00101010,0x00d1d1d1,0x00515151, 0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0, 0x00555555,0x00a1a1a1,0x00414141,0x00fafafa, 0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f, 0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b, 0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5, 0x00202020,0x00898989,0x00000000,0x00909090, 0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7, 0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5, 0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929, 0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404, 0x009b9b9b,0x00949494,0x00212121,0x00666666, 0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7, 0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5, 0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c, 0x00919191,0x006e6e6e,0x008d8d8d,0x00767676, 0x00030303,0x002d2d2d,0x00dedede,0x00969696, 0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c, 0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919, 0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d, 0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d, 0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2, 0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4, 0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575, 0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484, 0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5, 0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa, 0x00f1f1f1,0x00dddddd,0x00595959,0x00141414, 0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0, 0x00787878,0x00707070,0x00e3e3e3,0x00494949, 0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6, 0x00777777,0x00939393,0x00868686,0x00838383, 0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9, 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d, }, /* sp3033 */ { 0x38003838,0x41004141,0x16001616,0x76007676, 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2, 0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a, 0x75007575,0x06000606,0x57005757,0xa000a0a0, 0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9, 0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090, 0xf600f6f6,0x07000707,0xa700a7a7,0x27002727, 0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede, 0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7, 0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767, 0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf, 0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d, 0x53005353,0xf000f0f0,0x9c009c9c,0x65006565, 0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e, 0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b, 0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6, 0xc500c5c5,0x86008686,0x4d004d4d,0x33003333, 0xfd00fdfd,0x66006666,0x58005858,0x96009696, 0x3a003a3a,0x09000909,0x95009595,0x10001010, 0x78007878,0xd800d8d8,0x42004242,0xcc00cccc, 0xef00efef,0x26002626,0xe500e5e5,0x61006161, 0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282, 0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898, 0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb, 0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0, 0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e, 0x19001919,0x87008787,0x4e004e4e,0x0b000b0b, 0xa900a9a9,0x0c000c0c,0x79007979,0x11001111, 0x7f007f7f,0x22002222,0xe700e7e7,0x59005959, 0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8, 0x12001212,0x04000404,0x74007474,0x54005454, 0x30003030,0x7e007e7e,0xb400b4b4,0x28002828, 0x55005555,0x68006868,0x50005050,0xbe00bebe, 0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb, 0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca, 0x70007070,0xff00ffff,0x32003232,0x69006969, 0x08000808,0x62006262,0x00000000,0x24002424, 0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded, 0x45004545,0x81008181,0x73007373,0x6d006d6d, 0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a, 0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101, 0xe600e6e6,0x25002525,0x48004848,0x99009999, 0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9, 0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171, 0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313, 0x64006464,0x9b009b9b,0x63006363,0x9d009d9d, 0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5, 0x89008989,0x5f005f5f,0xb100b1b1,0x17001717, 0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646, 0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747, 0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b, 0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac, 0x3c003c3c,0x4c004c4c,0x03000303,0x35003535, 0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d, 0x6a006a6a,0x92009292,0xd500d5d5,0x21002121, 0x44004444,0x51005151,0xc600c6c6,0x7d007d7d, 0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa, 0x7c007c7c,0x77007777,0x56005656,0x05000505, 0x1b001b1b,0xa400a4a4,0x15001515,0x34003434, 0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252, 0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd, 0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0, 0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a, 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f, }, /* sp4404 */ { 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0, 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae, 0x23230023,0x6b6b006b,0x45450045,0xa5a500a5, 0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092, 0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f, 0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b, 0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d, 0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c, 0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0, 0x74740074,0x2b2b002b,0xf0f000f0,0x84840084, 0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076, 0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004, 0x14140014,0x3a3a003a,0xdede00de,0x11110011, 0x32320032,0x9c9c009c,0x53530053,0xf2f200f2, 0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a, 0x24240024,0xe8e800e8,0x60600060,0x69690069, 0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062, 0x54540054,0x1e1e001e,0xe0e000e0,0x64640064, 0x10100010,0x00000000,0xa3a300a3,0x75750075, 0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd, 0x87870087,0x83830083,0xcdcd00cd,0x90900090, 0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf, 0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6, 0x81810081,0x6f6f006f,0x13130013,0x63630063, 0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc, 0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4, 0x78780078,0x06060006,0xe7e700e7,0x71710071, 0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d, 0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac, 0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1, 0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043, 0x15150015,0xadad00ad,0x77770077,0x80800080, 0x82820082,0xecec00ec,0x27270027,0xe5e500e5, 0x85850085,0x35350035,0x0c0c000c,0x41410041, 0xefef00ef,0x93930093,0x19190019,0x21210021, 0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd, 0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce, 0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a, 0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d, 0x01010001,0xd6d600d6,0x56560056,0x4d4d004d, 0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d, 0x12120012,0x20200020,0xb1b100b1,0x99990099, 0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005, 0xb7b700b7,0x31310031,0x17170017,0xd7d700d7, 0x58580058,0x61610061,0x1b1b001b,0x1c1c001c, 0x0f0f000f,0x16160016,0x18180018,0x22220022, 0x44440044,0xb2b200b2,0xb5b500b5,0x91910091, 0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050, 0xd0d000d0,0x7d7d007d,0x89890089,0x97970097, 0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2, 0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db, 0x03030003,0xdada00da,0x3f3f003f,0x94940094, 0x5c5c005c,0x02020002,0x4a4a004a,0x33330033, 0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2, 0x9b9b009b,0x26260026,0x37370037,0x3b3b003b, 0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e, 0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e, 0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059, 0x98980098,0x6a6a006a,0x46460046,0xbaba00ba, 0x25250025,0x42420042,0xa2a200a2,0xfafa00fa, 0x07070007,0x55550055,0xeeee00ee,0x0a0a000a, 0x49490049,0x68680068,0x38380038,0xa4a400a4, 0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1, 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e, } }; nettle-3.4.1/rsa-sign-tr.c0000644000175000017500000002306213401564745014364 0ustar nissenisse/* rsa-sign-tr.c Creating RSA signatures, with some additional checks. Copyright (C) 2001, 2015 Niels Möller Copyright (C) 2012 Nikos Mavrogiannopoulos Copyright (C) 2018 Red Hat Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gmp-glue.h" #include "rsa.h" #include "rsa-internal.h" #define MAX(a, b) ((a) > (b) ? (a) : (b)) #if NETTLE_USE_MINI_GMP /* Blinds m, by computing c = m r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. */ static void rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t c, mpz_t ri, const mpz_t m) { mpz_t r; mpz_init(r); /* c = m*(r^e) * ri = r^(-1) */ do { nettle_mpz_random(r, random_ctx, random, pub->n); /* invert r */ } while (!mpz_invert (ri, r, pub->n)); /* c = c*(r^e) mod n */ mpz_powm_sec(r, r, pub->e, pub->n); mpz_mul(c, m, r); mpz_fdiv_r(c, c, pub->n); mpz_clear(r); } /* m = c ri mod n */ static void rsa_unblind (const struct rsa_public_key *pub, mpz_t m, const mpz_t ri, const mpz_t c) { mpz_mul(m, c, ri); mpz_fdiv_r(m, m, pub->n); } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m) { int res; mpz_t t, mb, xb, ri; /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the key is invalid and rejected by rsa_private_key_prepare. However, some applications, notably gnutls, don't use this function, and we don't want an invalid key to lead to a crash down inside mpz_powm_sec. So do an additional check here. */ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) return 0; mpz_init (mb); mpz_init (xb); mpz_init (ri); mpz_init (t); rsa_blind (pub, random_ctx, random, mb, ri, m); rsa_compute_root (key, xb, mb); mpz_powm_sec(t, xb, pub->e, pub->n); res = (mpz_cmp(mb, t) == 0); if (res) rsa_unblind (pub, x, ri, xb); mpz_clear (mb); mpz_clear (xb); mpz_clear (ri); mpz_clear (t); return res; } int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m, size_t mn) { mpz_t mz; mpz_t xz; int res; mpz_init(mz); mpz_init(xz); mpn_copyi(mpz_limbs_write(mz, mn), m, mn); mpz_limbs_finish(mz, mn); res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz); if (res) mpz_limbs_copy(x, xz, mpz_size(pub->n)); mpz_clear(mz); mpz_clear(xz); return res; } #else /* Blinds m, by computing c = m r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. */ static void rsa_sec_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m, mp_size_t mn) { const mp_limb_t *ep = mpz_limbs_read (pub->e); const mp_limb_t *np = mpz_limbs_read (pub->n); mp_bitcnt_t ebn = mpz_sizeinbase (pub->e, 2); mp_size_t nn = mpz_size (pub->n); size_t itch; size_t i2; mp_limb_t *scratch; TMP_GMP_DECL (tp, mp_limb_t); TMP_GMP_DECL (rp, mp_limb_t); TMP_GMP_DECL (r, uint8_t); TMP_GMP_ALLOC (rp, nn); TMP_GMP_ALLOC (r, nn * sizeof(mp_limb_t)); /* c = m*(r^e) mod n */ itch = mpn_sec_powm_itch(nn, ebn, nn); i2 = mpn_sec_mul_itch(nn, mn); itch = MAX(itch, i2); i2 = mpn_sec_div_r_itch(nn + mn, nn); itch = MAX(itch, i2); i2 = mpn_sec_invert_itch(nn); itch = MAX(itch, i2); TMP_GMP_ALLOC (tp, nn + mn + itch); scratch = tp + nn + mn; /* ri = r^(-1) */ do { random(random_ctx, nn * sizeof(mp_limb_t), (uint8_t *)r); mpn_set_base256(rp, nn, r, nn * sizeof(mp_limb_t)); mpn_copyi(tp, rp, nn); /* invert r */ } while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); /* normally mn == nn, but m can be smaller in some cases */ mpn_sec_mul (tp, c, nn, m, mn, scratch); mpn_sec_div_r (tp, nn + mn, np, nn, scratch); mpn_copyi(c, tp, nn); TMP_GMP_FREE (r); TMP_GMP_FREE (rp); TMP_GMP_FREE (tp); } /* m = c ri mod n */ static void rsa_sec_unblind (const struct rsa_public_key *pub, mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) { const mp_limb_t *np = mpz_limbs_read (pub->n); mp_size_t nn = mpz_size (pub->n); size_t itch; size_t i2; mp_limb_t *scratch; TMP_GMP_DECL(tp, mp_limb_t); itch = mpn_sec_mul_itch(nn, nn); i2 = mpn_sec_div_r_itch(nn + nn, nn); itch = MAX(itch, i2); TMP_GMP_ALLOC (tp, nn + nn + itch); scratch = tp + nn + nn; mpn_sec_mul (tp, c, nn, ri, nn, scratch); mpn_sec_div_r (tp, nn + nn, np, nn, scratch); mpn_copyi(x, tp, nn); TMP_GMP_FREE (tp); } static int sec_equal(const mp_limb_t *a, const mp_limb_t *b, size_t limbs) { volatile mp_limb_t z = 0; for (size_t i = 0; i < limbs; i++) { z |= (a[i] ^ b[i]); } /* FIXME: Might compile to a branch instruction on some platforms. */ return z == 0; } static int rsa_sec_check_root(const struct rsa_public_key *pub, const mp_limb_t *x, const mp_limb_t *m) { mp_size_t nn = mpz_size (pub->n); mp_size_t ebn = mpz_sizeinbase (pub->e, 2); const mp_limb_t *np = mpz_limbs_read (pub->n); const mp_limb_t *ep = mpz_limbs_read (pub->e); int ret; mp_size_t itch; mp_limb_t *scratch; TMP_GMP_DECL(tp, mp_limb_t); itch = mpn_sec_powm_itch (nn, ebn, nn); TMP_GMP_ALLOC (tp, nn + itch); scratch = tp + nn; mpn_sec_powm(tp, x, nn, ep, ebn, np, nn, scratch); ret = sec_equal(tp, m, nn); TMP_GMP_FREE (tp); return ret; } static void cnd_mpn_zero (int cnd, volatile mp_ptr rp, mp_size_t n) { volatile mp_limb_t c; volatile mp_limb_t mask = (mp_limb_t) cnd - 1; while (--n >= 0) { c = rp[n]; c &= mask; rp[n] = c; } } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. * This version is side-channel silent even in case of error, * the destination buffer is always overwritten */ int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m, size_t mn) { TMP_GMP_DECL (c, mp_limb_t); TMP_GMP_DECL (ri, mp_limb_t); TMP_GMP_DECL (scratch, mp_limb_t); size_t key_limb_size; int ret; key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the key is invalid and rejected by rsa_private_key_prepare. However, some applications, notably gnutls, don't use this function, and we don't want an invalid key to lead to a crash down inside mpz_powm_sec. So do an additional check here. */ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) { mpn_zero(x, key_limb_size); return 0; } assert(mpz_size(pub->n) == key_limb_size); assert(mn <= key_limb_size); TMP_GMP_ALLOC (c, key_limb_size); TMP_GMP_ALLOC (ri, key_limb_size); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn); _rsa_sec_compute_root(key, c, x, scratch); ret = rsa_sec_check_root(pub, c, x); rsa_sec_unblind(pub, x, ri, c); cnd_mpn_zero(1 - ret, x, key_limb_size); TMP_GMP_FREE (scratch); TMP_GMP_FREE (ri); TMP_GMP_FREE (c); return ret; } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. * This version is maintained for API compatibility reasons. It * is not completely side-channel silent. There are conditionals * in buffer copying both in case of success or error. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m) { TMP_GMP_DECL (l, mp_limb_t); int res; mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); TMP_GMP_ALLOC (l, l_size); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, mpz_limbs_read(m), mpz_size(m)); if (res) { mp_limb_t *xp = mpz_limbs_write (x, l_size); mpn_copyi (xp, l, l_size); mpz_limbs_finish (x, l_size); } TMP_GMP_FREE (l); return res; } #endif nettle-3.4.1/camellia128-set-encrypt-key.c0000644000175000017500000000623313401564745017262 0ustar nissenisse/* camellia128-set-encrypt-key.c Key setup for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" void camellia128_set_encrypt_key (struct camellia128_ctx *ctx, const uint8_t *key) { uint64_t k0, k1; uint64_t subkey[_CAMELLIA128_NKEYS + 2]; uint64_t w; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); /** * generate KL dependent subkeys */ subkey[0] = k0; subkey[1] = k1; ROTL128(15, k0, k1); subkey[4] = k0; subkey[5] = k1; ROTL128(30, k0, k1); subkey[10] = k0; subkey[11] = k1; ROTL128(15, k0, k1); subkey[13] = k1; ROTL128(17, k0, k1); subkey[16] = k0; subkey[17] = k1; ROTL128(17, k0, k1); subkey[18] = k0; subkey[19] = k1; ROTL128(17, k0, k1); subkey[22] = k0; subkey[23] = k1; /* generate KA. D1 is k0, d2 is k1. */ /* FIXME: Make notation match the spec better. */ /* For the 128-bit case, KR = 0, the construction of KA reduces to: D1 = KL >> 64; W = KL & MASK64; D2 = F(D1, Sigma1); W = D2 ^ W D1 = F(W, Sigma2) D2 = D2 ^ F(D1, Sigma3); D1 = D1 ^ F(D2, Sigma4); KA = (D1 << 64) | D2; */ k0 = subkey[0]; w = subkey[1]; CAMELLIA_F(k0, SIGMA1, k1); w ^= k1; CAMELLIA_F(w, SIGMA2, k0); CAMELLIA_F(k0, SIGMA3, w); k1 ^= w; CAMELLIA_F(k1, SIGMA4, w); k0 ^= w; /* generate KA dependent subkeys */ subkey[2] = k0; subkey[3] = k1; ROTL128(15, k0, k1); subkey[6] = k0; subkey[7] = k1; ROTL128(15, k0, k1); subkey[8] = k0; subkey[9] = k1; ROTL128(15, k0, k1); subkey[12] = k0; ROTL128(15, k0, k1); subkey[14] = k0; subkey[15] = k1; ROTL128(34, k0, k1); subkey[20] = k0; subkey[21] = k1; ROTL128(17, k0, k1); subkey[24] = k0; subkey[25] = k1; /* Common final processing */ _camellia_absorb (_CAMELLIA128_NKEYS, ctx->keys, subkey); } nettle-3.4.1/eax.h0000644000175000017500000001317013401564746013000 0ustar nissenisse/* eax.h EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EAX_H_INCLUDED #define NETTLE_EAX_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define eax_set_key nettle_eax_set_key #define eax_set_nonce nettle_eax_set_nonce #define eax_update nettle_eax_update #define eax_encrypt nettle_eax_encrypt #define eax_decrypt nettle_eax_decrypt #define eax_digest nettle_eax_digest #define eax_aes128_set_key nettle_eax_aes128_set_key #define eax_aes128_set_nonce nettle_eax_aes128_set_nonce #define eax_aes128_update nettle_eax_aes128_update #define eax_aes128_encrypt nettle_eax_aes128_encrypt #define eax_aes128_decrypt nettle_eax_aes128_decrypt #define eax_aes128_digest nettle_eax_aes128_digest /* Restricted to block ciphers with 128 bit block size. FIXME: Reflect this in naming? */ #define EAX_BLOCK_SIZE 16 #define EAX_DIGEST_SIZE 16 /* FIXME: Reasonable default? */ #define EAX_IV_SIZE 16 /* Values independent of message and nonce */ struct eax_key { union nettle_block16 pad_block; union nettle_block16 pad_partial; }; struct eax_ctx { union nettle_block16 omac_nonce; union nettle_block16 omac_data; union nettle_block16 omac_message; union nettle_block16 ctr; }; void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f); void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce); void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data); void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest); /* Put the cipher last, to get cipher-independent offsets for the EAX * state. */ #define EAX_CTX(type) \ { struct eax_key key; struct eax_ctx eax; type cipher; } #define EAX_SET_KEY(ctx, set_key, encrypt, data) \ do { \ (set_key)(&(ctx)->cipher, (data)); \ if (0) (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ eax_set_key (&(ctx)->key, &(ctx)->cipher, (nettle_cipher_func *) encrypt); \ } while (0) #define EAX_SET_NONCE(ctx, encrypt, length, nonce) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_set_nonce (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (nonce))) #define EAX_UPDATE(ctx, encrypt, length, data) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_update (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (data))) #define EAX_ENCRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_encrypt (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define EAX_DECRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_decrypt (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define EAX_DIGEST(ctx, encrypt, length, digest) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_digest (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (digest))) struct eax_aes128_ctx EAX_CTX(struct aes128_ctx); void eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key); void eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv); void eax_aes128_update(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data); void eax_aes128_encrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void eax_aes128_decrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void eax_aes128_digest(struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_EAX_H_INCLUDED */ nettle-3.4.1/memxor.h0000644000175000017500000000063713401564746013536 0ustar nissenisse/* memxor.h * */ #ifndef NETTLE_MEMXOR_H_INCLUDED #define NETTLE_MEMXOR_H_INCLUDED #include #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define memxor nettle_memxor #define memxor3 nettle_memxor3 void *memxor(void *dst, const void *src, size_t n); void *memxor3(void *dst, const void *a, const void *b, size_t n); #ifdef __cplusplus } #endif #endif /* NETTLE_MEMXOR_H_INCLUDED */ nettle-3.4.1/ripemd160-compress.c0000644000175000017500000002132313401564745015554 0ustar nissenisse/* ripemd160-compress.c RIPE-MD160 (Transform function) Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Ported from libgcrypt by Andres Mejia */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ripemd160.h" #include "macros.h" /**************** * Transform the message X which consists of 16 32-bit-words */ void _nettle_ripemd160_compress(uint32_t *state, const uint8_t *data) { register uint32_t a,b,c,d,e; uint32_t aa,bb,cc,dd,ee,t; uint32_t x[16]; #ifdef WORDS_BIGENDIAN { int i; for (i=0; i < 16; i++, data += 4 ) x[i] = LE_READ_UINT32(data); } #else /* memcpy seems a bit faster. Benchmarked on Intel SU4100, it makes the entire update function roughly 6% faster. */ memcpy(x, data, sizeof(x)); #endif #define K0 0x00000000 #define K1 0x5A827999 #define K2 0x6ED9EBA1 #define K3 0x8F1BBCDC #define K4 0xA953FD4E #define KK0 0x50A28BE6 #define KK1 0x5C4DD124 #define KK2 0x6D703EF3 #define KK3 0x7A6D76E9 #define KK4 0x00000000 #define F0(x,y,z) ( (x) ^ (y) ^ (z) ) #define F1(x,y,z) ( ((x) & (y)) | (~(x) & (z)) ) #define F2(x,y,z) ( ((x) | ~(y)) ^ (z) ) #define F3(x,y,z) ( ((x) & (z)) | ((y) & ~(z)) ) #define F4(x,y,z) ( (x) ^ ((y) | ~(z)) ) #define R(a,b,c,d,e,f,k,r,s) do { t = a + f(b,c,d) + k + x[r]; \ a = ROTL32(s,t) + e; \ c = ROTL32(10,c); \ } while(0) /* left lane */ a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; R( a, b, c, d, e, F0, K0, 0, 11 ); R( e, a, b, c, d, F0, K0, 1, 14 ); R( d, e, a, b, c, F0, K0, 2, 15 ); R( c, d, e, a, b, F0, K0, 3, 12 ); R( b, c, d, e, a, F0, K0, 4, 5 ); R( a, b, c, d, e, F0, K0, 5, 8 ); R( e, a, b, c, d, F0, K0, 6, 7 ); R( d, e, a, b, c, F0, K0, 7, 9 ); R( c, d, e, a, b, F0, K0, 8, 11 ); R( b, c, d, e, a, F0, K0, 9, 13 ); R( a, b, c, d, e, F0, K0, 10, 14 ); R( e, a, b, c, d, F0, K0, 11, 15 ); R( d, e, a, b, c, F0, K0, 12, 6 ); R( c, d, e, a, b, F0, K0, 13, 7 ); R( b, c, d, e, a, F0, K0, 14, 9 ); R( a, b, c, d, e, F0, K0, 15, 8 ); R( e, a, b, c, d, F1, K1, 7, 7 ); R( d, e, a, b, c, F1, K1, 4, 6 ); R( c, d, e, a, b, F1, K1, 13, 8 ); R( b, c, d, e, a, F1, K1, 1, 13 ); R( a, b, c, d, e, F1, K1, 10, 11 ); R( e, a, b, c, d, F1, K1, 6, 9 ); R( d, e, a, b, c, F1, K1, 15, 7 ); R( c, d, e, a, b, F1, K1, 3, 15 ); R( b, c, d, e, a, F1, K1, 12, 7 ); R( a, b, c, d, e, F1, K1, 0, 12 ); R( e, a, b, c, d, F1, K1, 9, 15 ); R( d, e, a, b, c, F1, K1, 5, 9 ); R( c, d, e, a, b, F1, K1, 2, 11 ); R( b, c, d, e, a, F1, K1, 14, 7 ); R( a, b, c, d, e, F1, K1, 11, 13 ); R( e, a, b, c, d, F1, K1, 8, 12 ); R( d, e, a, b, c, F2, K2, 3, 11 ); R( c, d, e, a, b, F2, K2, 10, 13 ); R( b, c, d, e, a, F2, K2, 14, 6 ); R( a, b, c, d, e, F2, K2, 4, 7 ); R( e, a, b, c, d, F2, K2, 9, 14 ); R( d, e, a, b, c, F2, K2, 15, 9 ); R( c, d, e, a, b, F2, K2, 8, 13 ); R( b, c, d, e, a, F2, K2, 1, 15 ); R( a, b, c, d, e, F2, K2, 2, 14 ); R( e, a, b, c, d, F2, K2, 7, 8 ); R( d, e, a, b, c, F2, K2, 0, 13 ); R( c, d, e, a, b, F2, K2, 6, 6 ); R( b, c, d, e, a, F2, K2, 13, 5 ); R( a, b, c, d, e, F2, K2, 11, 12 ); R( e, a, b, c, d, F2, K2, 5, 7 ); R( d, e, a, b, c, F2, K2, 12, 5 ); R( c, d, e, a, b, F3, K3, 1, 11 ); R( b, c, d, e, a, F3, K3, 9, 12 ); R( a, b, c, d, e, F3, K3, 11, 14 ); R( e, a, b, c, d, F3, K3, 10, 15 ); R( d, e, a, b, c, F3, K3, 0, 14 ); R( c, d, e, a, b, F3, K3, 8, 15 ); R( b, c, d, e, a, F3, K3, 12, 9 ); R( a, b, c, d, e, F3, K3, 4, 8 ); R( e, a, b, c, d, F3, K3, 13, 9 ); R( d, e, a, b, c, F3, K3, 3, 14 ); R( c, d, e, a, b, F3, K3, 7, 5 ); R( b, c, d, e, a, F3, K3, 15, 6 ); R( a, b, c, d, e, F3, K3, 14, 8 ); R( e, a, b, c, d, F3, K3, 5, 6 ); R( d, e, a, b, c, F3, K3, 6, 5 ); R( c, d, e, a, b, F3, K3, 2, 12 ); R( b, c, d, e, a, F4, K4, 4, 9 ); R( a, b, c, d, e, F4, K4, 0, 15 ); R( e, a, b, c, d, F4, K4, 5, 5 ); R( d, e, a, b, c, F4, K4, 9, 11 ); R( c, d, e, a, b, F4, K4, 7, 6 ); R( b, c, d, e, a, F4, K4, 12, 8 ); R( a, b, c, d, e, F4, K4, 2, 13 ); R( e, a, b, c, d, F4, K4, 10, 12 ); R( d, e, a, b, c, F4, K4, 14, 5 ); R( c, d, e, a, b, F4, K4, 1, 12 ); R( b, c, d, e, a, F4, K4, 3, 13 ); R( a, b, c, d, e, F4, K4, 8, 14 ); R( e, a, b, c, d, F4, K4, 11, 11 ); R( d, e, a, b, c, F4, K4, 6, 8 ); R( c, d, e, a, b, F4, K4, 15, 5 ); R( b, c, d, e, a, F4, K4, 13, 6 ); aa = a; bb = b; cc = c; dd = d; ee = e; /* right lane */ a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; R( a, b, c, d, e, F4, KK0, 5, 8); R( e, a, b, c, d, F4, KK0, 14, 9); R( d, e, a, b, c, F4, KK0, 7, 9); R( c, d, e, a, b, F4, KK0, 0, 11); R( b, c, d, e, a, F4, KK0, 9, 13); R( a, b, c, d, e, F4, KK0, 2, 15); R( e, a, b, c, d, F4, KK0, 11, 15); R( d, e, a, b, c, F4, KK0, 4, 5); R( c, d, e, a, b, F4, KK0, 13, 7); R( b, c, d, e, a, F4, KK0, 6, 7); R( a, b, c, d, e, F4, KK0, 15, 8); R( e, a, b, c, d, F4, KK0, 8, 11); R( d, e, a, b, c, F4, KK0, 1, 14); R( c, d, e, a, b, F4, KK0, 10, 14); R( b, c, d, e, a, F4, KK0, 3, 12); R( a, b, c, d, e, F4, KK0, 12, 6); R( e, a, b, c, d, F3, KK1, 6, 9); R( d, e, a, b, c, F3, KK1, 11, 13); R( c, d, e, a, b, F3, KK1, 3, 15); R( b, c, d, e, a, F3, KK1, 7, 7); R( a, b, c, d, e, F3, KK1, 0, 12); R( e, a, b, c, d, F3, KK1, 13, 8); R( d, e, a, b, c, F3, KK1, 5, 9); R( c, d, e, a, b, F3, KK1, 10, 11); R( b, c, d, e, a, F3, KK1, 14, 7); R( a, b, c, d, e, F3, KK1, 15, 7); R( e, a, b, c, d, F3, KK1, 8, 12); R( d, e, a, b, c, F3, KK1, 12, 7); R( c, d, e, a, b, F3, KK1, 4, 6); R( b, c, d, e, a, F3, KK1, 9, 15); R( a, b, c, d, e, F3, KK1, 1, 13); R( e, a, b, c, d, F3, KK1, 2, 11); R( d, e, a, b, c, F2, KK2, 15, 9); R( c, d, e, a, b, F2, KK2, 5, 7); R( b, c, d, e, a, F2, KK2, 1, 15); R( a, b, c, d, e, F2, KK2, 3, 11); R( e, a, b, c, d, F2, KK2, 7, 8); R( d, e, a, b, c, F2, KK2, 14, 6); R( c, d, e, a, b, F2, KK2, 6, 6); R( b, c, d, e, a, F2, KK2, 9, 14); R( a, b, c, d, e, F2, KK2, 11, 12); R( e, a, b, c, d, F2, KK2, 8, 13); R( d, e, a, b, c, F2, KK2, 12, 5); R( c, d, e, a, b, F2, KK2, 2, 14); R( b, c, d, e, a, F2, KK2, 10, 13); R( a, b, c, d, e, F2, KK2, 0, 13); R( e, a, b, c, d, F2, KK2, 4, 7); R( d, e, a, b, c, F2, KK2, 13, 5); R( c, d, e, a, b, F1, KK3, 8, 15); R( b, c, d, e, a, F1, KK3, 6, 5); R( a, b, c, d, e, F1, KK3, 4, 8); R( e, a, b, c, d, F1, KK3, 1, 11); R( d, e, a, b, c, F1, KK3, 3, 14); R( c, d, e, a, b, F1, KK3, 11, 14); R( b, c, d, e, a, F1, KK3, 15, 6); R( a, b, c, d, e, F1, KK3, 0, 14); R( e, a, b, c, d, F1, KK3, 5, 6); R( d, e, a, b, c, F1, KK3, 12, 9); R( c, d, e, a, b, F1, KK3, 2, 12); R( b, c, d, e, a, F1, KK3, 13, 9); R( a, b, c, d, e, F1, KK3, 9, 12); R( e, a, b, c, d, F1, KK3, 7, 5); R( d, e, a, b, c, F1, KK3, 10, 15); R( c, d, e, a, b, F1, KK3, 14, 8); R( b, c, d, e, a, F0, KK4, 12, 8); R( a, b, c, d, e, F0, KK4, 15, 5); R( e, a, b, c, d, F0, KK4, 10, 12); R( d, e, a, b, c, F0, KK4, 4, 9); R( c, d, e, a, b, F0, KK4, 1, 12); R( b, c, d, e, a, F0, KK4, 5, 5); R( a, b, c, d, e, F0, KK4, 8, 14); R( e, a, b, c, d, F0, KK4, 7, 6); R( d, e, a, b, c, F0, KK4, 6, 8); R( c, d, e, a, b, F0, KK4, 2, 13); R( b, c, d, e, a, F0, KK4, 13, 6); R( a, b, c, d, e, F0, KK4, 14, 5); R( e, a, b, c, d, F0, KK4, 0, 15); R( d, e, a, b, c, F0, KK4, 3, 13); R( c, d, e, a, b, F0, KK4, 9, 11); R( b, c, d, e, a, F0, KK4, 11, 11); t = state[1] + d + cc; state[1] = state[2] + e + dd; state[2] = state[3] + a + ee; state[3] = state[4] + b + aa; state[4] = state[0] + c + bb; state[0] = t; } nettle-3.4.1/ecc-a-to-j.c0000644000175000017500000000314513401564746014036 0ustar nissenisse/* ecc-a-to-j.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_a_to_j (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p) { if (ecc->use_redc) { mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); mpn_zero (r, ecc->p.size); ecc->p.mod (&ecc->p, r); mpn_zero (r + ecc->p.size, ecc->p.size); ecc->p.mod (&ecc->p, r + ecc->p.size); } else if (r != p) mpn_copyi (r, p, 2*ecc->p.size); mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size); } nettle-3.4.1/dsa-sha1-sign.c0000644000175000017500000000361413401564746014557 0ustar nissenisse/* dsa-sha1-sign.c The original DSA publickey algorithm, using SHA-1. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha1_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature) { return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, SHA1_DIGEST_SIZE, digest, signature); } int dsa_sha1_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, struct dsa_signature *signature) { uint8_t digest[SHA1_DIGEST_SIZE]; sha1_digest(hash, sizeof(digest), digest); return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, sizeof(digest), digest, signature); } nettle-3.4.1/camellia256-meta.c0000644000175000017500000000274613401564745015154 0ustar nissenisse/* camellia256-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia256 = { "camellia256", sizeof(struct camellia256_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, (nettle_set_key_func *) camellia256_set_encrypt_key, (nettle_set_key_func *) camellia256_set_decrypt_key, (nettle_cipher_func *) camellia256_crypt, (nettle_cipher_func *) camellia256_crypt }; nettle-3.4.1/dsa-compat.h0000644000175000017500000001221713401564746014254 0ustar nissenisse/* dsa-compat.h Old DSA publickey interface. Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DSA_COMPAT_H_INCLUDED #define NETTLE_DSA_COMPAT_H_INCLUDED #include "dsa.h" #include "sha1.h" #include "sha2.h" /* Name mangling */ #define dsa_public_key_init nettle_dsa_public_key_init #define dsa_public_key_clear nettle_dsa_public_key_clear #define dsa_private_key_init nettle_dsa_private_key_init #define dsa_private_key_clear nettle_dsa_private_key_clear #define dsa_sha1_sign nettle_dsa_sha1_sign #define dsa_sha1_verify nettle_dsa_sha1_verify #define dsa_sha256_sign nettle_dsa_sha256_sign #define dsa_sha256_verify nettle_dsa_sha256_verify #define dsa_sha1_sign_digest nettle_dsa_sha1_sign_digest #define dsa_sha1_verify_digest nettle_dsa_sha1_verify_digest #define dsa_sha256_sign_digest nettle_dsa_sha256_sign_digest #define dsa_sha256_verify_digest nettle_dsa_sha256_verify_digest #define dsa_compat_generate_keypair nettle_dsa_compat_generate_keypair /* Switch meaning of dsa_generate_keypair */ #undef dsa_generate_keypair #define dsa_generate_keypair nettle_dsa_compat_generate_keypair #ifdef __cplusplus extern "C" { #endif struct dsa_public_key { /* Same as struct dsa_params, but can't use that struct here without breaking backwards compatibility. Layout must be identical, since this is cast to a struct dsa_param pointer for calling _dsa_sign and _dsa_verify */ mpz_t p; mpz_t q; mpz_t g; /* Public value */ mpz_t y; }; struct dsa_private_key { /* Unlike an rsa public key, private key operations will need both * the private and the public information. */ mpz_t x; }; /* Signing a message works as follows: * * Store the private key in a dsa_private_key struct. * * Initialize a hashing context, by callling * sha1_init * * Hash the message by calling * sha1_update * * Create the signature by calling * dsa_sha1_sign * * The signature is represented as a struct dsa_signature. This call also * resets the hashing context. * * When done with the key and signature, don't forget to call * dsa_signature_clear. */ /* Calls mpz_init to initialize bignum storage. */ void dsa_public_key_init(struct dsa_public_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void dsa_public_key_clear(struct dsa_public_key *key); /* Calls mpz_init to initialize bignum storage. */ void dsa_private_key_init(struct dsa_private_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void dsa_private_key_clear(struct dsa_private_key *key); int dsa_sha1_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, struct dsa_signature *signature); int dsa_sha256_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, struct dsa_signature *signature); int dsa_sha1_verify(const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature); int dsa_sha256_verify(const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature); int dsa_sha1_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature); int dsa_sha256_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature); int dsa_sha1_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature); int dsa_sha256_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature); /* Key generation */ int dsa_generate_keypair(struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits); #ifdef __cplusplus } #endif #endif /* NETTLE_DSA_COMPAT_H_INCLUDED */ nettle-3.4.1/md2.h0000644000175000017500000000354513401564746012712 0ustar nissenisse/* md2.h The MD2 hash function, described in RFC 1319. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD2_H_INCLUDED #define NETTLE_MD2_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md2_init nettle_md2_init #define md2_update nettle_md2_update #define md2_digest nettle_md2_digest #define MD2_DIGEST_SIZE 16 #define MD2_BLOCK_SIZE 16 /* For backwards compatibility */ #define MD2_DATA_SIZE MD2_BLOCK_SIZE struct md2_ctx { uint8_t C[MD2_BLOCK_SIZE]; uint8_t X[3 * MD2_BLOCK_SIZE]; uint8_t block[MD2_BLOCK_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ }; void md2_init(struct md2_ctx *ctx); void md2_update(struct md2_ctx *ctx, size_t length, const uint8_t *data); void md2_digest(struct md2_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_MD2_H_INCLUDED */ nettle-3.4.1/nettle.texinfo0000644000175000017500000072555113401564746014760 0ustar nissenisse\input texinfo @c -*-texinfo-*- @c %**start of header @setfilename nettle.info @settitle Nettle: a low-level cryptographic library @documentencoding UTF-8 @footnotestyle separate @syncodeindex fn cp @c %**end of header @set UPDATED-FOR 3.4 @set AUTHOR Niels Möller @copying This manual is for the Nettle library (version @value{UPDATED-FOR}), a low-level cryptographic library. Originally written 2001 by @value{AUTHOR}, updated 2017. @quotation This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. @end quotation @end copying @ifnottex @macro pmod {m} (mod \m\) @end macro @end ifnottex @titlepage @title Nettle Manual @subtitle For the Nettle Library version @value{UPDATED-FOR} @author @value{AUTHOR} @page @vskip 0pt plus 1filll @insertcopying @end titlepage @dircategory Encryption @direntry * Nettle: (nettle). A low-level cryptographic library. @end direntry @contents @ifnottex @node Top, Introduction, (dir), (dir) @comment node-name, next, previous, up @top Nettle This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application. @insertcopying @menu * Introduction:: What is Nettle? * Copyright:: Your rights. * Conventions:: General interface conventions. * Example:: An example program. * Linking:: Linking with libnettle and libhogweed. * Reference:: All Nettle functions and features. * Nettle soup:: For the serious nettle hacker. * Installation:: How to install Nettle. * Index:: Function and concept index. @detailmenu --- The Detailed Node Listing --- Reference * Hash functions:: * Cipher functions:: * Cipher modes:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: * Randomness:: * ASCII encoding:: * Miscellaneous functions:: * Compatibility functions:: Hash functions * Recommended hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: Cipher modes * CBC:: * CTR:: * CFB:: * GCM:: * CCM:: Keyed Hash Functions * HMAC:: * UMAC:: Public-key algorithms * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA @acronym{Elliptic curves} * Side-channel silence:: * ECDSA:: * Curve 25519:: @end detailmenu @end menu @end ifnottex @node Introduction, Copyright, Top, Top @comment node-name, next, previous, up @chapter Introduction Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a @emph{simple} but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use. @node Copyright, Conventions, Introduction, Top @comment node-name, next, previous, up @chapter Copyright Nettle is dual licenced under the GNU General Public License version 2 or later, and the GNU Lesser General Public License version 3 or later. When using Nettle, you must comply fully with all conditions of at least one of these licenses. A few of the individual files are licensed under more permissive terms, or in the public domain. To find the current status of particular files, you have to read the copyright notices at the top of the files. This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required. A list of the supported algorithms, their origins, and exceptions to the above licensing: @table @emph @item AES The implementation of the AES cipher (also known as rijndael) is written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and @value{AUTHOR}, Sparc assembler by @value{AUTHOR}. @item ARCFOUR The implementation of the ARCFOUR (also known as RC4) cipher is written by @value{AUTHOR}. @item ARCTWO The implementation of the ARCTWO (also known as RC2) cipher is written by Nikos Mavroyanopoulos and modified by Werner Koch and Simon Josefsson. @item BLOWFISH The implementation of the BLOWFISH cipher is written by Werner Koch, copyright owned by the Free Software Foundation. Also hacked by Simon Josefsson and Niels Möller. @item CAMELLIA The C implementation is by Nippon Telegraph and Telephone Corporation (NTT), heavily modified by @value{AUTHOR}. Assembler for x86 and x86_64 by @value{AUTHOR}. @item CAST128 The implementation of the CAST128 cipher is written by Steve Reid. Released into the public domain. @item CHACHA Implemented by Joachim Strömbergson, based on the implementation of SALSA20 (see below). Assembly for x86_64 by Niels Möller. @item DES The implementation of the DES cipher is written by Dana L. How, and released under the LGPL, version 2 or later. @item GOSTHASH94 The C implementation of the GOST94 message digest is written by Aleksey Kravchenko and was ported from the rhash library by Nikos Mavrogiannopoulos. It is released under the MIT license. @item MD2 The implementation of MD2 is written by Andrew Kuchling, and hacked some by Andreas Sigfridsson and @value{AUTHOR}. Python Cryptography Toolkit license (essentially public domain). @item MD4 This is almost the same code as for MD5 below, with modifications by Marcus Comstedt. Released into the public domain. @item MD5 The implementation of the MD5 message digest is written by Colin Plumb. It has been hacked some more by Andrew Kuchling and @value{AUTHOR}. Released into the public domain. @item PBKDF2 The C implementation of PBKDF2 is based on earlier work for Shishi and GnuTLS by Simon Josefsson. @item RIPEMD160 The implementation of RIPEMD160 message digest is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Ported to Nettle by Andres Mejia. @item SALSA20 The C implementation of SALSA20 is based on D. J. Bernstein's reference implementation (in the public domain), adapted to Nettle by Simon Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 and ARM by Niels Möller. @item SERPENT The implementation of the SERPENT cipher is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Adapted to Nettle by Simon Josefsson and heavily modified by Niels Möller. Assembly for x86_64 by Niels Möller. @item POLY1305 Based on the implementation by Andrew M. (floodyberry), modified by Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by Niels Möller. @item SHA1 The C implementation of the SHA1 message digest is written by Peter Gutmann, and hacked some more by Andrew Kuchling and @value{AUTHOR}. Released into the public domain. Assembler for x86, x86_64 and ARM by @value{AUTHOR}, released under the LGPL. @item SHA2 Written by @value{AUTHOR}, using Peter Gutmann's SHA1 code as a model. @item SHA3 Written by @value{AUTHOR}. @item TWOFISH The implementation of the TWOFISH cipher is written by Ruud de Rooij. @item UMAC Written by @value{AUTHOR}. @item RSA Written by @value{AUTHOR}. Uses the GMP library for bignum operations. @item DSA Written by @value{AUTHOR}. Uses the GMP library for bignum operations. @item ECDSA Written by @value{AUTHOR}. Uses the GMP library for bignum operations. Development of Nettle's ECC support was funded by the .SE Internet Fund. @end table @node Conventions, Example, Copyright, Top @comment node-name, next, previous, up @chapter Conventions For each supported algorithm, there is an include file that defines a @emph{context struct}, a few constants, and declares functions for operating on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects. For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms that don't show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application. If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle. By convention, for an algorithm named @code{foo}, the struct tag for the context struct is @code{foo_ctx}, constants and functions uses prefixes like @code{FOO_BLOCK_SIZE} (a constant) and @code{foo_set_key} (a function). In all functions, strings are represented with an explicit length, of type @code{size_t}, and a pointer of type @code{uint8_t *} or @code{const uint8_t *}. For functions that transform one string to another, the argument order is length, destination pointer and source pointer. Source and destination areas are usually of the same length. When they differ, e.g., for @code{ccm_encrypt_message}, the length argument specifies the size of the destination area. Source and destination pointers may be equal, so that you can process strings in place, but source and destination areas @emph{must not} overlap in any other way. Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure. @c FIXME: Say something about the name mangling. @node Example, Linking, Conventions, Top @comment node-name, next, previous, up @chapter Example A simple example program that reads a file from standard input and writes its SHA1 check-sum on standard output should give the flavor of Nettle. @example @verbatiminclude sha-example.c @end example On a typical Unix system, this program can be compiled and linked with the command line @example gcc sha-example.c -o sha-example -lnettle @end example @node Linking, Reference, Example, Top @comment node-name, next, previous, up @chapter Linking Nettle actually consists of two libraries, @file{libnettle} and @file{libhogweed}. The @file{libhogweed} library contains those functions of Nettle that uses bignum operations, and depends on the GMP library. With this division, linking works the same for both static and dynamic libraries. If an application uses only the symmetric crypto algorithms of Nettle (i.e., block ciphers, hash functions, and the like), it's sufficient to link with @code{-lnettle}. If an application also uses public-key algorithms, the recommended linker flags are @code{-lhogweed -lnettle -lgmp}. If the involved libraries are installed as dynamic libraries, it may be sufficient to link with just @code{-lhogweed}, and the loader will resolve the dependencies automatically. @node Reference, Nettle soup, Linking, Top @comment node-name, next, previous, up @chapter Reference This chapter describes all the Nettle functions, grouped by family. @menu * Hash functions:: * Cipher functions:: * Cipher modes:: * Authenticated encryption:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: * Randomness:: * ASCII encoding:: * Miscellaneous functions:: * Compatibility functions:: @end menu @node Hash functions, Cipher functions, Reference, Reference @comment node-name, next, previous, up @section Hash functions @cindex Hash function A cryptographic @dfn{hash function} is a function that takes variable size strings, and maps them to strings of fixed, short, length. There are naturally lots of collisions, as there are more possible 1MB files than 20 byte strings. But the function is constructed such that is hard to find the collisions. More precisely, a cryptographic hash function @code{H} should have the following properties: @table @emph @item One-way @cindex One-way Given a hash value @code{H(x)} it is hard to find a string @code{x} that hashes to that value. @item Collision-resistant @cindex Collision-resistant It is hard to find two different strings, @code{x} and @code{y}, such that @code{H(x)} = @code{H(y)}. @end table Hash functions are useful as building blocks for digital signatures, message authentication codes, pseudo random generators, association of unique ids to documents, and many other things. The most commonly used hash functions are MD5 and SHA1. Unfortunately, both these fail the collision-resistance requirement; cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main variants SHA256 and SHA512). At the time of this writing (Autumn 2015), SHA3 has recently been standardized, and the new SHA3 and other top SHA3 candidates may also be reasonable alternatives. @menu * Recommended hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: @end menu @node Recommended hash functions, Legacy hash functions,, Hash functions @comment node-name, next, previous, up @subsection Recommended hash functions The following hash functions have no known weaknesses, and are suitable for new applications. The SHA2 family of hash functions were specified by @dfn{NIST}, intended as a replacement for @acronym{SHA1}. @subsubsection @acronym{SHA256} SHA256 is a member of the SHA2 family. It outputs hash values of 256 bits, or 32 octets. Nettle defines SHA256 in @file{}. @deftp {Context struct} {struct sha256_ctx} @end deftp @defvr Constant SHA256_DIGEST_SIZE The size of a SHA256 digest, i.e. 32. @end defvr @defvr Constant SHA256_BLOCK_SIZE The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. @end defvr @deftypefun void sha256_init (struct sha256_ctx *@var{ctx}) Initialize the SHA256 state. @end deftypefun @deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA256_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha256_init}. @end deftypefun Earlier versions of nettle defined SHA256 in the header file @file{}, which is now deprecated, but kept for compatibility. @subsubsection @acronym{SHA224} SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha224_ctx} @end deftp @defvr Constant SHA224_DIGEST_SIZE The size of a SHA224 digest, i.e. 28. @end defvr @defvr Constant SHA224_BLOCK_SIZE The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. @end defvr @deftypefun void sha224_init (struct sha224_ctx *@var{ctx}) Initialize the SHA224 state. @end deftypefun @deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA224_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha224_init}. @end deftypefun @subsubsection @acronym{SHA512} SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 octets. Nettle defines SHA512 in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha512_ctx} @end deftp @defvr Constant SHA512_DIGEST_SIZE The size of a SHA512 digest, i.e. 64. @end defvr @defvr Constant SHA512_BLOCK_SIZE The internal block size of SHA512, 128. Useful for some special constructions, in particular HMAC-SHA512. @end defvr @deftypefun void sha512_init (struct sha512_ctx *@var{ctx}) Initialize the SHA512 state. @end deftypefun @deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA512_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha512_init}. @end deftypefun @subsubsection @acronym{SHA384 and other variants of SHA512} Several variants of SHA512 have been defined, with a different initial state, and with the output truncated to shorter length than 512 bits. Naming is a bit confused, these algorithms are called SHA512-224, SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, respectively. Nettle defines these in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha512_224_ctx} @deftpx {Context struct} {struct sha512_256_ctx} @deftpx {Context struct} {struct sha384_ctx} These context structs are all the same as sha512_ctx. They are defined as simple preprocessor aliases, which may cause some problems if used as identifiers for other purposes. So avoid doing that. @end deftp @defvr Constant SHA512_224_DIGEST_SIZE @defvrx Constant SHA512_256_DIGEST_SIZE @defvrx Constant SHA384_DIGEST_SIZE The digest size for each variant, i.e., 28, 32, and 48, respectively. @end defvr @defvr Constant SHA512_224_BLOCK_SIZE @defvrx Constant SHA512_256_BLOCK_SIZE @defvrx Constant SHA384_BLOCK_SIZE The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for some special constructions, in particular HMAC-SHA384. @end defvr @deftypefun void sha512_224_init (struct sha512_224_ctx *@var{ctx}) @deftypefunx void sha512_256_init (struct sha512_256_ctx *@var{ctx}) @deftypefunx void sha384_init (struct sha384_ctx *@var{ctx}) Initialize the context struct. @end deftypefun @deftypefun void sha512_224_update (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void sha512_256_update (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void sha384_update (struct sha384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. These are all aliases for sha512_update, which does the same thing. @end deftypefun @deftypefun void sha512_224_digest (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void sha512_256_digest (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void sha384_digest (struct sha384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than the specified digest size, in which case only the first @var{length} octets of the digest are written. These function also reset the context in the same way as the corresponding init function. @end deftypefun @subsubsection @acronym{SHA3-224} @cindex SHA3 The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are very similar to SHA1. SHA3 is a result of a competition, where the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits (28, 32, 48 and 64 octets, respectively). In August 2015, it was formally standardized by NIST, as FIPS 202, @uref{http://dx.doi.org/10.6028/NIST.FIPS.202}. Note that the SHA3 implementation in earlier versions of Nettle was based on the specification at the time Keccak was announced as the winner of the competition, which is incompatible with the final standard and hence with current versions of Nettle. The @file{nette/sha3.h} defines a preprocessor symbol @code{NETTLE_SHA3_FIPS202} to indicate conformance with the standard. @defvr Constant NETTLE_SHA3_FIPS202 Defined to 1 in Nettle versions supporting FIPS 202. Undefined in earlier versions. @end defvr Nettle defines SHA3-224 in @file{}. @deftp {Context struct} {struct sha3_224_ctx} @end deftp @defvr Constant SHA3_224_DIGEST_SIZE The size of a SHA3_224 digest, i.e., 28. @end defvr @defvr Constant SHA3_224_BLOCK_SIZE The internal block size of SHA3_224. @end defvr @deftypefun void sha3_224_init (struct sha3_224_ctx *@var{ctx}) Initialize the SHA3-224 state. @end deftypefun @deftypefun void sha3_224_update (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_224_digest (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_224_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-256} This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. Nettle defines SHA3-256 in @file{}. @deftp {Context struct} {struct sha3_256_ctx} @end deftp @defvr Constant SHA3_256_DIGEST_SIZE The size of a SHA3_256 digest, i.e., 32. @end defvr @defvr Constant SHA3_256_BLOCK_SIZE The internal block size of SHA3_256. @end defvr @deftypefun void sha3_256_init (struct sha3_256_ctx *@var{ctx}) Initialize the SHA3-256 state. @end deftypefun @deftypefun void sha3_256_update (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_256_digest (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_256_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-384} This is SHA3 with 384-bit output size. Nettle defines SHA3-384 in @file{}. @deftp {Context struct} {struct sha3_384_ctx} @end deftp @defvr Constant SHA3_384_DIGEST_SIZE The size of a SHA3_384 digest, i.e., 48. @end defvr @defvr Constant SHA3_384_BLOCK_SIZE The internal block size of SHA3_384. @end defvr @deftypefun void sha3_384_init (struct sha3_384_ctx *@var{ctx}) Initialize the SHA3-384 state. @end deftypefun @deftypefun void sha3_384_update (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_384_digest (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_384_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-512} This is SHA3 with 512-bit output size. Nettle defines SHA3-512 in @file{}. @deftp {Context struct} {struct sha3_512_ctx} @end deftp @defvr Constant SHA3_512_DIGEST_SIZE The size of a SHA3_512 digest, i.e. 64. @end defvr @defvr Constant SHA3_512_BLOCK_SIZE The internal block size of SHA3_512. @end defvr @deftypefun void sha3_512_init (struct sha3_512_ctx *@var{ctx}) Initialize the SHA3-512 state. @end deftypefun @deftypefun void sha3_512_update (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_512_digest (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_512_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @node Legacy hash functions, nettle_hash abstraction, Recommended hash functions, Hash functions @comment node-name, next, previous, up @subsection Legacy hash functions The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a ``legacy'' hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. @subsubsection @acronym{MD5} MD5 is a message digest function constructed by Ronald Rivest, and described in @cite{RFC 1321}. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in @file{}. @deftp {Context struct} {struct md5_ctx} @end deftp @defvr Constant MD5_DIGEST_SIZE The size of an MD5 digest, i.e. 16. @end defvr @defvr Constant MD5_BLOCK_SIZE The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. @end defvr @deftypefun void md5_init (struct md5_ctx *@var{ctx}) Initialize the MD5 state. @end deftypefun @deftypefun void md5_update (struct md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md5_digest (struct md5_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD5_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{md5_init}. @end deftypefun The normal way to use MD5 is to call the functions in order: First @code{md5_init}, then @code{md5_update} zero or more times, and finally @code{md5_digest}. After @code{md5_digest}, the context is reset to its initial state, so you can start over calling @code{md5_update} to hash new data. To start over, you can call @code{md5_init} at any time. @subsubsection @acronym{MD2} MD2 is another hash function of Ronald Rivest's, described in @cite{RFC 1319}. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in @file{}. @deftp {Context struct} {struct md2_ctx} @end deftp @defvr Constant MD2_DIGEST_SIZE The size of an MD2 digest, i.e. 16. @end defvr @defvr Constant MD2_BLOCK_SIZE The internal block size of MD2. @end defvr @deftypefun void md2_init (struct md2_ctx *@var{ctx}) Initialize the MD2 state. @end deftypefun @deftypefun void md2_update (struct md2_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md2_digest (struct md2_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD2_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{md2_init}. @end deftypefun @subsubsection @acronym{MD4} MD4 is a predecessor of MD5, described in @cite{RFC 1320}. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in @file{}. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols. @deftp {Context struct} {struct md4_ctx} @end deftp @defvr Constant MD4_DIGEST_SIZE The size of an MD4 digest, i.e. 16. @end defvr @defvr Constant MD4_BLOCK_SIZE The internal block size of MD4. @end defvr @deftypefun void md4_init (struct md4_ctx *@var{ctx}) Initialize the MD4 state. @end deftypefun @deftypefun void md4_update (struct md4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md4_digest (struct md4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD4_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{md4_init}. @end deftypefun @subsubsection @acronym{RIPEMD160} RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in @file{nettle/ripemd160.h}. @deftp {Context struct} {struct ripemd160_ctx} @end deftp @defvr Constant RIPEMD160_DIGEST_SIZE The size of a RIPEMD160 digest, i.e. 20. @end defvr @defvr Constant RIPEMD160_BLOCK_SIZE The internal block size of RIPEMD160. @end defvr @deftypefun void ripemd160_init (struct ripemd160_ctx *@var{ctx}) Initialize the RIPEMD160 state. @end deftypefun @deftypefun void ripemd160_update (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void ripemd160_digest (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{RIPEMD160_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{ripemd160_init}. @end deftypefun @subsubsection @acronym{SHA1} SHA1 is a hash function specified by @dfn{NIST} (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha1_ctx} @end deftp @defvr Constant SHA1_DIGEST_SIZE The size of a SHA1 digest, i.e. 20. @end defvr @defvr Constant SHA1_BLOCK_SIZE The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. @end defvr @deftypefun void sha1_init (struct sha1_ctx *@var{ctx}) Initialize the SHA1 state. @end deftypefun @deftypefun void sha1_update (struct sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha1_digest (struct sha1_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA1_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha1_init}. @end deftypefun @subsubsection @acronym{GOSTHASH94} The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see @cite{RFC 4357}). It outputs message digests of 256 bits, or 32 octets. Nettle defines GOSTHASH94 in @file{}. @deftp {Context struct} {struct gosthash94_ctx} @end deftp @defvr Constant GOSTHASH94_DIGEST_SIZE The size of a GOSTHASH94 digest, i.e. 32. @end defvr @defvr Constant GOSTHASH94_BLOCK_SIZE The internal block size of GOSTHASH94, i.e., 32. @end defvr @deftypefun void gosthash94_init (struct gosthash94_ctx *@var{ctx}) Initialize the GOSTHASH94 state. @end deftypefun @deftypefun void gosthash94_update (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void gosthash94_digest (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{GOSTHASH94_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{gosthash94_init}. @end deftypefun @node nettle_hash abstraction,, Legacy hash functions, Hash functions @comment node-name, next, previous, up @subsection The @code{struct nettle_hash} abstraction @cindex nettle_hash @cindex nettle_hashes @cindex nettle_get_hashes Nettle includes a struct including information about the supported hash functions. It is defined in @file{}, and is used by Nettle's implementation of @acronym{HMAC} (@pxref{Keyed hash functions}). @deftp {Meta struct} @code{struct nettle_hash} name context_size digest_size block_size init update digest The last three attributes are function pointers, of types @code{nettle_hash_init_func *}, @code{nettle_hash_update_func *}, and @code{nettle_hash_digest_func *}. The first argument to these functions is @code{void *} pointer to a context struct, which is of size @code{context_size}. @end deftp @deftypevr {Constant Struct} {struct nettle_hash} nettle_md2 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_md4 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_md5 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_ripemd160 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha1 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha224 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha256 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha384 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha512 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha3_256 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_gosthash94 These are all the hash functions that Nettle implements. @end deftypevr Nettle also exports a list of all these hashes. @deftypefun const struct nettle_hash **nettle_get_hashes(void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_hashes A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., @code{nettle_hashes[0]->name} for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases. @end deffn @node Cipher functions, Cipher modes, Hash functions, Reference @comment node-name, next, previous, up @section Cipher functions @cindex Cipher A @dfn{cipher} is a function that takes a message or @dfn{plaintext} and a secret @dfn{key} and transforms it to a @dfn{ciphertext}. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. @cindex Block Cipher @cindex Stream Cipher There are two main classes of ciphers: Block ciphers and stream ciphers. A block cipher can process data only in fixed size chunks, called @dfn{blocks}. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called @dfn{ECB}, Electronic Code Book mode. However, using @acronym{ECB} is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some ``feedback mode'', @dfn{CBC} (Cipher Block Chaining) and @dfn{CTR} (Counter mode) being two of of the most popular. See @xref{Cipher modes}, for information on how to apply @acronym{CBC} and @acronym{CTR} with Nettle. A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of @var{n} octets, you key the generator, generate @var{n} octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. @strong{Caution:} The first rule for this kind of cipher is the same as for a One Time Pad: @emph{never} ever use the same key twice. A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you're reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can't decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in @acronym{CBC} mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message. It is recommended to @emph{always} use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like @acronym{HMAC-SHA1} (@pxref{Keyed hash functions}), or digital signatures like @acronym{RSA}. Some ciphers have so called ``weak keys'', keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don't have any weak keys. To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as @dfn{key setup}. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption. @subsection AES AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in @file{}, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, @code{struct aes_ctx}, for all key sizes. This interface kept for backwards compatibility). @deftp {Context struct} {struct aes128_ctx} @deftpx {Context struct} {struct aes192_ctx} @deftpx {Context struct} {struct aes256_ctx} @end deftp @deftp {Context struct} {struct aes_ctx} Alternative struct, for the old AES interface. @end deftp @defvr Constant AES_BLOCK_SIZE The AES block-size, 16. @end defvr @defvr Constant AES128_KEY_SIZE @defvrx Constant AES192_KEY_SIZE @defvrx Constant AES256_KEY_SIZE @defvrx Constant AES_MIN_KEY_SIZE @defvrx Constant AES_MAX_KEY_SIZE @end defvr @defvr Constant AES_KEY_SIZE Default AES key size, 32. @end defvr @deftypefun void aes128_set_encrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes128_set_decrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes192_set_encrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes192_set_decrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes256_set_encrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes256_set_decrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes_set_encrypt_key (struct aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void aes_set_decrypt_key (struct aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun @deftypefun void aes128_invert_key (struct aes128_ctx *@var{dst}, const struct aes128_ctx *@var{src}) @deftypefunx void aes192_invert_key (struct aes192_ctx *@var{dst}, const struct aes192_ctx *@var{src}) @deftypefunx void aes256_invert_key (struct aes256_ctx *@var{dst}, const struct aes256_ctx *@var{src}) @deftypefunx void aes_invert_key (struct aes_ctx *@var{dst}, const struct aes_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. If the same context struct is passed for both @code{src} and @code{dst}, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the @emph{same} key, because calling, e.g., @code{aes128_set_encrypt_key} and @code{aes128_invert_key}, is more efficient than calling @code{aes128_set_encrypt_key} and @code{aes128_set_decrypt_key}. @end deftypefun @deftypefun void aes128_encrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes192_encrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes256_encrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes_encrypt (struct aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void aes128_decrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes192_decrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes256_decrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes_decrypt (struct aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to the encryption functions above. @end deftypefun @subsection ARCFOUR ARCFOUR is a stream cipher, also known under the trade marked name RC4, and it is one of the fastest ciphers around. A problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like ``secret:1'', ``secret:2'', @enddots{}. If you have keys that don't look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Furthermore, the initial bytes of the generated key stream leak information about the key; for this reason, it is recommended to discard the first 512 bytes of the key stream. @example /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) @{ struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t buffer[0x200]; sha256_init(&hash); sha256_update(&hash, length, key); sha256_digest(&hash, SHA256_DIGEST_SIZE, digest); arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest); arcfour_crypt(ctx, sizeof(buffer), buffer, buffer); @} @end example Nettle defines ARCFOUR in @file{}. @deftp {Context struct} {struct arcfour_ctx} @end deftp @defvr Constant ARCFOUR_MIN_KEY_SIZE Minimum key size, 1. @end defvr @defvr Constant ARCFOUR_MAX_KEY_SIZE Maximum key size, 256. @end defvr @defvr Constant ARCFOUR_KEY_SIZE Default ARCFOUR key size, 16. @end defvr @deftypefun void arcfour_set_key (struct arcfour_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void arcfour_crypt (struct arcfour_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called @code{arcfour_crypt} only once with all the data. @end deftypefun @subsection ARCTWO ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to @code{sci.crypt} by Peter Gutmann. ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, @code{ekb}. This parameter can be used to artificially reduce the key size. In practice, @code{ekb} is usually set equal to the input key size. Nettle defines ARCTWO in @file{}. We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards. @deftp {Context struct} {struct arctwo_ctx} @end deftp @defvr Constant ARCTWO_BLOCK_SIZE The ARCTWO block-size, 8. @end defvr @defvr Constant ARCTWO_MIN_KEY_SIZE @end defvr @defvr Constant ARCTWO_MAX_KEY_SIZE @end defvr @defvr Constant ARCTWO_KEY_SIZE Default ARCTWO key size, 8. @end defvr @deftypefun void arctwo_set_key_ekb (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}, unsigned @var{ekb}) @deftypefunx void arctwo_set_key (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void arctwo_set_key_gutmann (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for @var{ekb} is 1024, and for convenience, @code{ekb = 0} has the same effect as @code{ekb = 1024}. @code{arctwo_set_key(ctx, length, key)} is equivalent to @code{arctwo_set_key_ekb(ctx, length, key, 8*length)}, and @code{arctwo_set_key_gutmann(ctx, length, key)} is equivalent to @code{arctwo_set_key_ekb(ctx, length, key, 1024)} @end deftypefun @deftypefun void arctwo_encrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void arctwo_decrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{arctwo_encrypt} @end deftypefun @subsection BLOWFISH BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in @file{}. @deftp {Context struct} {struct blowfish_ctx} @end deftp @defvr Constant BLOWFISH_BLOCK_SIZE The BLOWFISH block-size, 8. @end defvr @defvr Constant BLOWFISH_MIN_KEY_SIZE Minimum BLOWFISH key size, 8. @end defvr @defvr Constant BLOWFISH_MAX_KEY_SIZE Maximum BLOWFISH key size, 56. @end defvr @defvr Constant BLOWFISH_KEY_SIZE Default BLOWFISH key size, 16. @end defvr @deftypefun int blowfish_set_key (struct blowfish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. @code{blowfish_encrypt} or @code{blowfish_decrypt} with a weak key will crash with an assert violation. @end deftypefun @deftypefun void blowfish_encrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void blowfish_decrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{blowfish_encrypt} @end deftypefun @subsection Camellia Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in @cite{RFC3713}. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at @url{http://www.ntt.co.jp/news/news01e/0104/010417.html}, but this statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in @file{}, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, @code{struct camellia_ctx}, for all key sizes. This interface kept for backwards compatibility). @deftp {Context struct} {struct camellia128_ctx} @deftpx {Context struct} {struct camellia192_ctx} @deftpx {Context struct} {struct camellia256_ctx} Contexts structs. Actually, @code{camellia192_ctx} is an alias for @code{camellia256_ctx}. @end deftp @deftp {Context struct} {struct camellia_ctx} Alternative struct, for the old Camellia interface. @end deftp @defvr Constant CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. @end defvr @defvr Constant CAMELLIA128_KEY_SIZE @defvrx Constant CAMELLIA192_KEY_SIZE @defvrx Constant CAMELLIA256_KEY_SIZE @defvrx Constant CAMELLIA_MIN_KEY_SIZE @defvrx Constant CAMELLIA_MAX_KEY_SIZE @end defvr @defvr Constant CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. @end defvr @deftypefun void camellia128_set_encrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia128_set_decrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia192_set_encrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia192_set_decrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia256_set_encrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia256_set_decrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia_set_encrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void camellia_set_decrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun @deftypefun void camellia128_invert_key (struct camellia128_ctx *@var{dst}, const struct camellia128_ctx *@var{src}) @deftypefunx void camellia192_invert_key (struct camellia192_ctx *@var{dst}, const struct camellia192_ctx *@var{src}) @deftypefunx void camellia256_invert_key (struct camellia256_ctx *@var{dst}, const struct camellia256_ctx *@var{src}) @deftypefunx void camellia_invert_key (struct camellia_ctx *@var{dst}, const struct camellia_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. If the same context struct is passed for both @code{src} and @code{dst}, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the @emph{same} key. @end deftypefun @deftypefun void camellia128_crypt (struct camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia192_crypt (struct camellia192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia256_crypt (struct camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia_crypt (struct camellia_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) The same function is used for both encryption and decryption. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @subsection CAST128 CAST-128 is a block cipher, specified in @cite{RFC 2144}. It uses a 64 bit (8 octets) block size, and a variable key size of up to 128 bits. Nettle defines cast128 in @file{}. @deftp {Context struct} {struct cast128_ctx} @end deftp @defvr Constant CAST128_BLOCK_SIZE The CAST128 block-size, 8. @end defvr @defvr Constant CAST128_MIN_KEY_SIZE Minimum CAST128 key size, 5. @end defvr @defvr Constant CAST128_MAX_KEY_SIZE Maximum CAST128 key size, 16. @end defvr @defvr Constant CAST128_KEY_SIZE Default CAST128 key size, 16. @end defvr @deftypefun void cast128_set_key (struct cast128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void cast128_encrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void cast128_decrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{cast128_encrypt} @end deftypefun @subsection ChaCha ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. Bernstein. For more information on Salsa20, see below. Nettle defines ChaCha in @file{}. @deftp {Context struct} {struct chacha_ctx} @end deftp @defvr Constant CHACHA_KEY_SIZE ChaCha key size, 32. @end defvr @defvr Constant CHACHA_BLOCK_SIZE ChaCha block size, 64. @end defvr @defvr Constant CHACHA_NONCE_SIZE Size of the nonce, 8. @end defvr @deftypefun void chacha_set_key (struct chacha_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you @emph{must} also call @code{chacha_set_nonce}, see below. @end deftypefun @deftypefun void chacha_set_nonce (struct chacha_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. It is always of size @code{CHACHA_NONCE_SIZE}, 8 octets. This function also initializes the block counter, setting it to zero. @end deftypefun @deftypefun void chacha_crypt (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to @code{chacha_crypt}, all but the last call @emph{must} use a length that is a multiple of @code{CHACHA_BLOCK_SIZE}. @end deftypefun @subsection DES DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn't be using plain DES at all today, if one uses DES at all one should be using ``triple DES'', see DES3 below. DES also has some weak keys. Nettle defines DES in @file{}. @deftp {Context struct} {struct des_ctx} @end deftp @defvr Constant DES_BLOCK_SIZE The DES block-size, 8. @end defvr @defvr Constant DES_KEY_SIZE DES key size, 8. @end defvr @deftypefun int des_set_key (struct des_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. @end deftypefun @deftypefun void des_encrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void des_decrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun @deftypefun int des_check_parity (size_t @var{length}, const uint8_t *@var{key}); Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. @end deftypefun @deftypefun void des_fix_parity (size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Adjusts the parity bits to match DES's requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. @var{dst} and @var{src} may be equal. @end deftypefun @subsection DES3 The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. The standard way to increase DES's key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then @emph{decrypt} it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as ``ede'' triple-DES, for ``encrypt-decrypt-encrypt''. The ``ede'' construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a ``two-key'' variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force. Naturally, it's simple to implement triple-DES on top of Nettle's DES functions. Nettle includes an implementation of three-key ``ede'' triple-DES, it is defined in the same place as plain DES, @file{}. @deftp {Context struct} {struct des3_ctx} @end deftp @defvr Constant DES3_BLOCK_SIZE The DES3 block-size is the same as DES_BLOCK_SIZE, 8. @end defvr @defvr Constant DES3_KEY_SIZE DES key size, 24. @end defvr @deftypefun int des3_set_key (struct des3_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don't care about weak keys can ignore the return value. @end deftypefun For random-looking strings, you can use @code{des_fix_parity} to adjust the parity bits before calling @code{des3_set_key}. @deftypefun void des3_encrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void des3_decrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun @subsection Salsa20 Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, see @pxref{CTR}). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It's also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets). @strong{Caution:} The hash function used in Salsa20 is @emph{not} directly applicable for use as a general hash function. It's @emph{not} collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a @dfn{nonce}, the latter playing a similar rôle to the initialization vector (@acronym{IV}) used with @acronym{CBC} or @acronym{CTR} mode. One can use the same key for several messages, provided one uses a unique random @acronym{iv} for each message. The @acronym{iv} is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in @file{}. @deftp {Context struct} {struct salsa20_ctx} @end deftp @defvr Constant SALSA20_128_KEY_SIZE @defvrx Constant SALSA20_256_KEY_SIZE The two supported key sizes, 16 and 32 octets. @end defvr @defvr Constant SALSA20_KEY_SIZE Recommended key size, 32. @end defvr @defvr Constant SALSA20_BLOCK_SIZE Salsa20 block size, 64. @end defvr @defvr Constant SALSA20_NONCE_SIZE Size of the nonce, 8. @end defvr @deftypefun void salsa20_128_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void salsa20_256_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void salsa20_set_key (struct salsa20_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @code{salsa20_128_set_key} and @code{salsa20_128_set_key} use a fix key size each, 16 and 32 octets, respectively. The function @code{salsa20_set_key} is provided for backwards compatibility, and the @var{length} argument must be either 16 or 32. Before using the cipher, you @emph{must} also call @code{salsa20_set_nonce}, see below. @end deftypefun @deftypefun void salsa20_set_nonce (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. It is always of size @code{SALSA20_NONCE_SIZE}, 8 octets. This function also initializes the block counter, setting it to zero. @end deftypefun @deftypefun void salsa20_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to @code{salsa20_crypt}, all but the last call @emph{must} use a length that is a multiple of @code{SALSA20_BLOCK_SIZE}. @end deftypefun The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see @url{http://www.ecrypt.eu.org/stream/finallist.html}. Nettle calls this variant @code{salsa20r12}. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. @deftypefun void salsa20r12_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds. @end deftypefun @subsection SERPENT SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES'. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in @file{}. @deftp {Context struct} {struct serpent_ctx} @end deftp @defvr Constant SERPENT_BLOCK_SIZE The SERPENT block-size, 16. @end defvr @defvr Constant SERPENT_MIN_KEY_SIZE Minimum SERPENT key size, 16. @end defvr @defvr Constant SERPENT_MAX_KEY_SIZE Maximum SERPENT key size, 32. @end defvr @defvr Constant SERPENT_KEY_SIZE Default SERPENT key size, 32. @end defvr @deftypefun void serpent_set_key (struct serpent_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void serpent_encrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void serpent_decrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{serpent_encrypt} @end deftypefun @subsection TWOFISH Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in @file{}. @deftp {Context struct} {struct twofish_ctx} @end deftp @defvr Constant TWOFISH_BLOCK_SIZE The TWOFISH block-size, 16. @end defvr @defvr Constant TWOFISH_MIN_KEY_SIZE Minimum TWOFISH key size, 16. @end defvr @defvr Constant TWOFISH_MAX_KEY_SIZE Maximum TWOFISH key size, 32. @end defvr @defvr Constant TWOFISH_KEY_SIZE Default TWOFISH key size, 32. @end defvr @deftypefun void twofish_set_key (struct twofish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void twofish_encrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void twofish_decrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{twofish_encrypt} @end deftypefun @c @node nettle_cipher, Cipher Block Chaining, Cipher functions, Reference @c @comment node-name, next, previous, up @subsection The @code{struct nettle_cipher} abstraction @cindex nettle_cipher @cindex nettle_ciphers @cindex nettle_get_ciphers Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in @file{}. @deftp {Meta struct} @code{struct nettle_cipher} name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types @code{nettle_set_key_func *} and @code{nettle_cipher_func *}. The first argument to these functions is a @code{const void *} pointer to a context struct, which is of size @code{context_size}. @end deftp @deftypevr {Constant Struct} {struct nettle_cipher} nettle_aes128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_aes192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_aes256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo40 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo64 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo_gutmann128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arcfour128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_cast128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish256 Nettle includes such structs for all the @emph{regular} ciphers, i.e. ones without weak keys or other oddities. @end deftypevr Nettle also exports a list of all these ciphers without weak keys or other oddities. @deftypefun const struct nettle_cipher **nettle_get_ciphers(void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_ciphers A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers. @end deffn @node Cipher modes, Authenticated encryption, Cipher functions, Reference @comment node-name, next, previous, up @section Cipher modes Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher's block size. As explained in @xref{Cipher functions}, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, @acronym{ECB}), leaks information. Besides @acronym{ECB}, Nettle provides several other modes of operation: Cipher Block Chaining (@acronym{CBC}), Counter mode (@acronym{CTR}), Cipher Feedback (@acronym{CFB}) and a couple of @acronym{AEAD} modes (@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but there are a few subtle issues of information leakage, see, e.g., @uref{http://www.kb.cert.org/vuls/id/958563, @acronym{SSH} @acronym{CBC} vulnerability}. Today, @acronym{CTR} is usually preferred over @acronym{CBC}. Modes like @acronym{CBC}, @acronym{CTR} and @acronym{CFB} provide @emph{no} message authentication, and should always be used together with a @acronym{MAC} (@pxref{Keyed hash functions}) or signature to authenticate the message. @menu * CBC:: * CTR:: * CFB:: @end menu @node CBC, CTR, Cipher modes, Cipher modes @comment node-name, next, previous, up @subsection Cipher Block Chaining @cindex Cipher Block Chaining @cindex CBC Mode When using @acronym{CBC} mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in @acronym{CBC} mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an @dfn{IV}, or Initialization Vector, is used as the ``previous ciphertext block''. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data. In symbols, if @code{E_k} is the encryption function of a block cipher, and @code{IV} is the initialization vector, then @code{n} plaintext blocks @code{M_1},@dots{} @code{M_n} are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IV XOR M_1) C_2 = E_k(C_1 XOR M_2) @dots{} C_n = E_k(C_(n-1) XOR M_n) @end example Nettle's includes two functions for applying a block cipher in Cipher Block Chaining (@acronym{CBC}) mode, one for encryption and one for decryption. These functions uses @code{void *} to pass cipher contexts around. @deftypefun {void} cbc_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cbc_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CBC} mode. The final ciphertext block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cbc_encrypt}. The function @var{f} is of type @code{void f (void *@var{ctx}, size_t @var{length}, uint8_t @var{dst}, const uint8_t *@var{src})}, @noindent and the @code{cbc_encrypt} and @code{cbc_decrypt} functions pass their argument @var{ctx} on to @var{f}. @end deftypefun There are also some macros to help use these functions correctly. @deffn Macro CBC_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn It can be used to define a @acronym{CBC} context struct, either directly, @example struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx; @end example or to give it a struct tag, @example struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE); @end example @deffn Macro CBC_SET_IV (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CBC_CTX}, and the second is a pointer to an Initialization Vector (IV) that is copied into that context. @end deffn @deffn Macro CBC_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) @deffnx Macro CBC_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cbc_encrypt} and @code{cbc_decrypt}. The first argument is a pointer to a context struct as defined by @code{CBC_CTX}, and the second argument is an encryption or decryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn These macros use some tricks to make the compiler display a warning if the types of @var{f} and @var{ctx} don't match, e.g. if you try to use an @code{struct aes_ctx} context with the @code{des_encrypt} function. @node CTR, CFB, CBC, Cipher modes @comment node-name, next, previous, up @subsection Counter mode @cindex Counter Mode @cindex CTR Mode Counter mode (@acronym{CTR}) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher. The message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If @code{E_k} is the encryption function of a block cipher, @code{IC} is the initial counter, then the @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IC) XOR M_1 C_2 = E_k(IC + 1) XOR M_2 @dots{} C_(n-1) = E_k(IC + n - 2) XOR M_(n-1) C_n = E_k(IC + n - 1) [1..m] XOR M_n @end example The @acronym{IC} is the initial value for the counter, it plays a similar rôle as the @acronym{IV} for @acronym{CBC}. When adding, @code{IC + x}, @acronym{IC} is interpreted as an integer, in network byte order. For the last block, @code{E_k(IC + n - 1) [1..m]} means that the cipher output is truncated to @code{m} bytes. @deftypefun {void} ctr_crypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{ctr}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption function @var{f} in @acronym{CTR} mode. Note that for @acronym{CTR} mode, encryption and decryption is the same operation, and hence @var{f} should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to @code{ctr_crypt}, all but the last call @emph{must} use a length that is a multiple of the block size. @end deftypefun Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CTR_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t ctr[block_size]; @} @end example @end deffn @deffn Macro CTR_SET_COUNTER (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CTR_CTX}, and the second is a pointer to an initial counter that is copied into that context. @end deffn @deffn Macro CTR_CRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{ctr_crypt}. The first argument is a pointer to a context struct as defined by @code{CTR_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @node CFB, , CTR, Cipher modes @comment node-name, next, previous, up @subsection Cipher Feedback mode @cindex Cipher Feedback Mode @cindex CFB Mode Cipher Feedback mode (@acronym{CFB}) being a close relative to both @acronym{CBC} mode and @acronym{CTR} mode borrows some characteristics from stream ciphers. The message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If @code{E_k} is the encryption function of a block cipher, @code{IV} is the initialization vector, then the @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IV) XOR M_1 C_2 = E_k(C_1) XOR M_2 @dots{} C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n @end example Nettle's includes two functions for applying a block cipher in Cipher Feedback (@acronym{CFB}) mode, one for encryption and one for decryption. These functions uses @code{void *} to pass cipher contexts around. @deftypefun {void} cfb_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cfb_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CFB} mode. The final ciphertext block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cfb_encrypt}. Note that for @acronym{CFB} mode internally uses encryption only function and hence @var{f} should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to @code{cfb_encrypt}, all but the last call @emph{must} use a length that is a multiple of the block size. @end deftypefun Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CFB_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn @deffn Macro CFB_SET_IV(@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second is a pointer to an initialization vector that is copied into that context. @end deffn @deffn Macro CFB_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb_encrypt}. The first argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @deffn Macro CFB_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb_decrypt}. The first argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @node Authenticated encryption, Keyed hash functions, Cipher modes, Reference @comment node-name, next, previous, up @section Authenticated encryption with associated data @cindex AEAD @cindex Authenticated encryption Since there are some subtle design choices to be made when combining a block cipher mode with out authentication with a @acronym{MAC}. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the ``associated data'', which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called @acronym{AEAD}, Authenticated encryption with associated data. The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step, although that potential is not realized for the constructions currently supported by Nettle. For encryption, the inputs are: @itemize @item The key, which can be used for many messages. @item A nonce, which must be unique for each message using the same key. @item Additional associated data to be authenticated, but not included in the message. @item The cleartext message to be encrypted. @end itemize The outputs are: @itemize @item The ciphertext, of the same size as the cleartext. @item A digest or ``authentication tag''. @end itemize Decryption works the same, but with cleartext and ciphertext interchanged. All currently supported @acronym{AEAD} algorithms always use the encryption function of the underlying block cipher, for both encryption and decryption. Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle's low level @acronym{AEAD} functions produce the authentication tag as a separate output for both encryption and decryption. Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some @acronym{AEAD} may implement more liberal conventions. The @acronym{CCM} mode is a bit special in that it requires the message lengths up front, other @acronym{AEAD} constructions don't have this restriction. The supported @acronym{AEAD} constructions are Galois/Counter mode (@acronym{GCM}), @acronym{EAX}, ChaCha-Poly1305, and Counter with @acronym{CBC}-@acronym{MAC} (@acronym{CCM}). There are some weaknesses in @acronym{GCM} authentication, see @uref{http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf}. @acronym{CCM} and @acronym{EAX} use the same building blocks, but the @acronym{EAX} design is cleaner and avoids a couple of inconveniences of @acronym{CCM}. Therefore, @acronym{EAX} seems like a good conservative choice. The more recent ChaCha-Poly1305 may also be an attractive but more adventurous alternative, in particular if performance is important. @menu * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * nettle_aead abstraction:: @end menu @node EAX, GCM, Authenticated encryption, Authenticated encryption @comment node-name, next, previous, up @subsection EAX The @acronym{EAX} mode is an @acronym{AEAD} mode whichcombines @acronym{CTR} mode encryption, @xref{CTR}, with a message authentication based on @acronym{CBC}, @xref{CBC}. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). @acronym{EAX} was defined as a reaction to the @acronym{CCM} mode, @xref{CCM}, which uses the same primitives but has some undesirable and inelegant properties. @acronym{EAX} supports arbitrary nonce size; it's even possible to use an empty nonce in case only a single message is encrypted for each key. Nettle's support for @acronym{EAX} consists of a low-level general interface, some convenience macros, and specific functions for @acronym{EAX} using @acronym{AES}-128 as the underlying cipher. These interfaces are defined in @file{} @subsubsection General @acronym{EAX} interface @deftp {Context struct} {struct eax_key} @acronym{EAX} state which depends only on the key, but not on the nonce or the message. @end deftp @deftp {Context struct} {struct eax_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant EAX_BLOCK_SIZE @acronym{EAX}'s block size, 16. @end defvr @defvr Constant EAX_DIGEST_SIZE Size of the @acronym{EAX} digest, also 16. @end defvr @deftypefun void eax_set_key (struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes @var{key}. @var{cipher} gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and @var{f} is the encryption function. @end deftypefun @deftypefun void eax_set_nonce (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) Initializes @var{ctx} for processing a new message, using the given nonce. @end deftypefun @deftypefun void eax_update (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{data_length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. Unlike many other @acronym{AEAD} constructions, for @acronym{EAX} it's not necessary to complete the processing of all associated data before encrypting or decrypting the message data. @end deftypefun @deftypefun void eax_encrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void eax_decrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_digest (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}); Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. If @var{length} is smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets of the digest are written. @end deftypefun @subsubsection @acronym{EAX} helper macros The following macros are defined. @deffn Macro EAX_CTX (@var{context_type}) This defines an all-in-one context struct, including the context of the underlying cipher and all @acronym{EAX} state. It expands to @example @{ struct eax_key key; struct eax_ctx eax; context_type cipher; @} @end example @end deffn For all these macros, @var{ctx}, is a context struct as defined by @code{EAX_CTX}, and @var{encrypt} is the encryption function of the underlying cipher. @deffn Macro EAX_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) @var{set_key} is the function for setting the encryption key for the underlying cipher, and @var{key} is the key. @end deffn @deffn Macro EAX_SET_NONCE (@var{ctx}, @var{encrypt}, @var{length}, @var{nonce}) Sets the nonce to be used for the message. @end deffn @deffn Macro EAX_UPDATE (@var{ctx}, @var{encrypt}, @var{length}, @var{data}) Process associated data for authentication. @end deffn @deffn Macro EAX_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro EAX_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) Process message data for encryption or decryption. @end deffn @deffn Macro EAX_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest}) Extract te authentication tag for the message. @end deffn @subsubsection @acronym{EAX}-@acronym{AES}128 interface The following functions implement @acronym{EAX} using @acronym{AES}-128 as the underlying cipher. @deftp {Context struct} {struct eax_aes128_ctx} The context struct, defined using @code{EAX_CTX}. @end deftp @deftypefun void eax_aes128_set_key (struct eax_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void eax_aes128_set_nonce (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given nonce. @end deftypefun @deftypefun void eax_aes128_update (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_aes128_encrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void eax_aes128_decrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_aes128_digest (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}); Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. If @var{length} is smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets of the digest are written. @end deftypefun @node GCM, CCM, EAX, Authenticated encryption @comment node-name, next, previous, up @subsection Galois counter mode @cindex Galois Counter Mode @cindex GCM Galois counter mode is an @acronym{AEAD} constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular @acronym{MAC} algorithms (@pxref{Keyed hash functions}) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, @uref{http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf, NIST Special Publication 800-38D}. It is constructed on top of a block cipher which must have a block size of 128 bits. The authentication in @acronym{GCM} has some known weaknesses, see @uref{http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf}. In particular, don't use @acronym{GCM} with short authentication tags. Nettle's support for @acronym{GCM} consists of a low-level general interface, some convenience macros, and specific functions for @acronym{GCM} using @acronym{AES} or Camellia as the underlying cipher. These interfaces are defined in @file{} @subsubsection General @acronym{GCM} interface @deftp {Context struct} {struct gcm_key} Message independent hash sub-key, and related tables. @end deftp @deftp {Context struct} {struct gcm_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant GCM_BLOCK_SIZE @acronym{GCM}'s block size, 16. @end defvr @defvr Constant GCM_DIGEST_SIZE Size of the @acronym{GCM} digest, also 16. @end defvr @defvr Constant GCM_IV_SIZE Recommended size of the @acronym{IV}, 12. Arbitrary sizes are allowed. @end defvr @deftypefun void gcm_set_key (struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes @var{key}. @var{cipher} gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and @var{f} is the encryption function. @end deftypefun @deftypefun void gcm_set_iv (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{iv}) Initializes @var{ctx} using the given @acronym{IV}. The @var{key} argument is actually needed only if @var{length} differs from @code{GCM_IV_SIZE}. @end deftypefun @deftypefun void gcm_update (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_encrypt} or @code{gcm_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_encrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_decrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_digest (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It's strongly recommended that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun To encrypt a message using @acronym{GCM}, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: @code{gcm_set_key}, @code{gcm_set_iv}, @code{gcm_update}, @code{gcm_encrypt}, @code{gcm_digest}. The decryption procedure is analogous, just calling @code{gcm_decrypt} instead of @code{gcm_encrypt} (note that @acronym{GCM} decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call @code{gcm_set_iv} with a new @acronym{iv}. @subsubsection @acronym{GCM} helper macros The following macros are defined. @deffn Macro GCM_CTX (@var{context_type}) This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to @example @{ struct gcm_key key; struct gcm_ctx gcm; context_type cipher; @} @end example @end deffn Example use: @example struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); @end example The following macros operate on context structs of this form. @deffn Macro GCM_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) First argument, @var{ctx}, is a context struct as defined by @code{GCM_CTX}. @var{set_key} and @var{encrypt} are functions for setting the encryption key and for encrypting data using the underlying cipher. @end deffn @deffn Macro GCM_SET_IV (@var{ctx}, @var{length}, @var{data}) First argument is a context struct as defined by @code{GCM_CTX}. @var{length} and @var{data} give the initialization vector (@acronym{IV}). @end deffn @deffn Macro GCM_UPDATE (@var{ctx}, @var{length}, @var{data}) Simpler way to call @code{gcm_update}. First argument is a context struct as defined by @code{GCM_CTX} @end deffn @deffn Macro GCM_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro GCM_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro GCM_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest}) Simpler way to call @code{gcm_encrypt}, @code{gcm_decrypt} or @code{gcm_digest}. First argument is a context struct as defined by @code{GCM_CTX}. Second argument, @var{encrypt}, is the encryption function of the underlying cipher. @end deffn @subsubsection @acronym{GCM}-@acronym{AES} interface The following functions implement the common case of @acronym{GCM} using @acronym{AES} as the underlying cipher. The variants with a specific @acronym{AES} flavor are recommended, while the fucntinos using @code{struct gcm_aes_ctx} are kept for compatibility with older versiosn of Nettle. @deftp {Context struct} {struct gcm_aes128_ctx} @deftpx {Context struct} {struct gcm_aes192_ctx} @deftpx {Context struct} {struct gcm_aes256_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftp {Context struct} {struct gcm_aes_ctx} Alternative context struct, usign the old @acronym{AES} interface. @end deftp @deftypefun void gcm_aes128_set_key (struct gcm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_aes192_set_key (struct gcm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_aes256_set_key (struct gcm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_aes_set_key (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Corresponding function, using the old @acronym{AES} interface. All valid @acronym{AES} key sizes can be used. @end deftypefun @deftypefun void gcm_aes128_set_iv (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes192_set_iv (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes256_set_iv (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes_set_iv (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_aes128_update (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes192_update (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes256_update (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes_update (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_aes_encrypt} or @code{gcm_aes_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_aes128_encrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes192_encrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes256_encrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes_encrypt (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes128_decrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes192_decrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes256_decrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes_decrypt (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_aes128_digest (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_aes192_digest (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_aes256_digest (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_aes_digest (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It's strongly recommended that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun @subsubsection @acronym{GCM}-Camellia interface The following functions implement the case of @acronym{GCM} using Camellia as the underlying cipher. @deftp {Context struct} {struct gcm_camellia128_ctx} @deftpx {Context struct} {struct gcm_camellia256_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftypefun void gcm_camellia128_set_key (struct gcm_camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_camellia256_set_key (struct gcm_camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_camellia128_update (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_camellia256_update (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_camellia_encrypt} or @code{gcm_camellia_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_camellia128_digest (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia192_digest (struct gcm_camellia192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia256_digest (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia_digest (struct gcm_camellia_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It's strongly recommended that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun @node CCM, ChaCha-Poly1305, GCM, Authenticated encryption @comment node-name, next, previous, up @subsection Counter with CBC-MAC mode @cindex Counter with CBC-MAC Mode @cindex CCM Mode @acronym{CCM} mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as @acronym{EAX}, @pxref{EAX}. It is constructed on top of a block cipher which must have a block size of 128 bits. @acronym{CCM} mode is recommended by NIST in @uref{http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf, NIST Special Publication 800-38C}. Nettle's support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in @file{}. In @acronym{CCM}, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is @math{2^24 - 1} octets. @acronym{CCM} mode encryption operates as follows: @itemize @item The nonce and message length are concatenated to create @code{B_0 = flags | nonce | mlength} @item The authenticated data and plaintext is formatted into the string @code{B = L(adata) | adata | padding | plaintext | padding} with @code{padding} being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and @code{L(adata)} is an encoding of the length of @code{adata}. @item The string @code{B} is separated into blocks @code{B_1} ... @code{B_n} @item The authentication tag @code{T} is calculated as @code{T=0, for i=0 to n, do T = E_k(B_i XOR T)} @item An initial counter is then initialized from the nonce to create @code{IC = flags | nonce | padding}, where @code{padding} is the shortest string of zero bytes such that @code{IC} is exactly one block in length. @item The authentication tag is encrypted using using @acronym{CTR} mode: @code{MAC = E_k(IC) XOR T} @item The plaintext is then encrypted using @acronym{CTR} mode with an initial counter of @code{IC+1}. @end itemize @acronym{CCM} mode decryption operates similarly, except that the ciphertext and @acronym{MAC} are first decrypted using CTR mode to retreive the plaintext and authentication tag. The authentication tag can then be recalucated from the authenticated data and plantext, and compared to the value in the message to check for authenticity. @subsubsection General @acronym{CCM} interface For all of the functions in the @acronym{CCM} interface, @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. The cipher's encryption key must be set before calling any of the @acronym{CCM} functions. The cipher's decryption function and key are never used. @deftp {Context struct} {struct ccm_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant CCM_BLOCK_SIZE @acronym{CCM}'s block size, 16. @end defvr @defvr Constant CCM_DIGEST_SIZE Size of the @acronym{CCM} digest, 16. @end defvr @defvr Constant CCM_MIN_NONCE_SIZE @defvrx Constant CCM_MAX_NONCE_SIZE The the minimum and maximum sizes for an @acronym{CCM} nonce, 7 and 14, respectively. @end defvr @deffn Macro CCM_MAX_MSG_SIZE (@var{nonce_size}) The largest allowed plaintext length, when using @acronym{CCM} with a nonce of the given size. @end deffn @deftypefun void ccm_set_nonce (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) Initializes @var{ctx} using the given nonce and the sizes of the authenticated data, message, and @acronym{MAC} to be processed. @end deftypefun @deftypefun void ccm_update (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. Must be called after @code{ccm_set_nonce}, and before @code{ccm_encrypt}, @code{ccm_decrypt}, or @code{ccm_digest}. @end deftypefun @deftypefun void ccm_encrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_decrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the message data. Must be called after @code{ccm_set_nonce} and before @code{ccm_digest}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ccm_digest (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. @var{length} is usually equal to the @var{taglen} parameter supplied to @code{ccm_set_nonce}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun To encrypt a message using the general @acronym{CCM} interface, set the message nonce and length using @code{ccm_set_nonce} and then call @code{ccm_update} to generate the digest of any authenticated data. After all of the authenticated data has been digested use @code{ccm_encrypt} to encrypt the plaintext. Finally, use @code{ccm_digest} to return the encrypted @acronym{MAC}. To decrypt a message, use @code{ccm_set_nonce} and @code{ccm_update} the same as you would for encryption, and then call @code{ccm_decrypt} to decrypt the ciphertext. After decrypting the ciphertext @code{ccm_digest} will return the encrypted @acronym{MAC} which should be identical to the @acronym{MAC} in the received message. @subsubsection @acronym{CCM} message interface The @acronym{CCM} message fuctions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by @var{mlength} and the length of the ciphertext is given by @var{clength}, always exactly @var{tlength} bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, @var{clength} for the encryption functions, and @var{mlength} for the decryption functions. @deftypefun void ccm_encrypt_message (void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the encrypted @acronym{MAC} to ciphertext and outputs it to @var{dst}. @end deftypefun @deftypefun int ccm_decrypt_message (void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the @acronym{MAC} from @var{adata} and the plaintext, and compares it to the final @var{tlength} bytes of @var{src}. If the values of the received and calculated @acronym{MAC}s are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @subsubsection @acronym{CCM}-@acronym{AES} interface The @acronym{AES} @acronym{CCM} functions provide an API for using @acronym{CCM} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context structure, and a set-key function must be called before using any of the other functions in this interface. @deftp {Context struct} {struct ccm_aes128_ctx} Holds state corresponding to a particular message encrypted using the AES-128 block cipher. @end deftp @deftp {Context struct} {struct ccm_aes192_ctx} Holds state corresponding to a particular message encrypted using the AES-192 block cipher. @end deftp @deftp {Context struct} {struct ccm_aes256_ctx} Holds state corresponding to a particular message encrypted using the AES-256 block cipher. @end deftp @deftypefun void ccm_aes128_set_key (struct ccm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void ccm_aes192_set_key (struct ccm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void ccm_aes256_set_key (struct ccm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the @acronym{AES} @acronym{CCM} interface. @end deftypefun @deftypefun void ccm_aes128_set_nonce (struct ccm_aes128_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) @deftypefunx void ccm_aes192_set_nonce (struct ccm_aes192_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) @deftypefunx void ccm_aes256_set_nonce (struct ccm_aes256_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) These are identical to @code{ccm_set_nonce}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_update (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void ccm_aes192_update (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void ccm_aes256_update (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) These are identical to @code{ccm_set_update}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_encrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_encrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_encrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes128_decrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_decrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_decrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{ccm_set_encrypt} and @code{ccm_set_decrypt}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_digest (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void ccm_aes192_digest (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void ccm_aes256_digest (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) These are identical to @code{ccm_set_digest}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{ccm_encrypt_message} and @code{ccm_decrypt_message} except that @var{cipher} and @var{f} are replaced with a context structure. @end deftypefun @node ChaCha-Poly1305, nettle_aead abstraction, CCM, Authenticated encryption @comment node-name, next, previous, up @subsection ChaCha-Poly1305 ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (@pxref{Poly1305}). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha. Nettle's implementation ChaCha-Poly1305 should be considered @strong{experimental}. At the time of this writing, there is no authoritative specification for ChaCha-Poly1305, and a couple of different incompatible variants. Nettle implements it using the original definition of ChaCha, with 64 bits (8 octets) each for the nonce and the block counter. Some protocols prefer to use nonces of 12 bytes, and it's a small change to ChaCha to use the upper 32 bits of the block counter as a nonce, instead limiting message size to @math{2^32} blocks or 256 GBytes, but that variant is currently not supported. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver's behaviour) that the forgery succeeded. The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in @file{}. @defvr Constant CHACHA_POLY1305_BLOCK_SIZE Same as the ChaCha block size, 64. @end defvr @defvr Constant CHACHA_POLY1305_KEY_SIZE ChaCha-Poly1305 key size, 32. @end defvr @defvr Constant CHACHA_POLY1305_NONCE_SIZE Same as the ChaCha nonce size, 16. @end defvr @defvr Constant CHACHA_POLY1305_DIGEST_SIZE Digest size, 16. @end defvr @deftp {Context struct} {struct chacha_poly1305_ctx} @end deftp @deftypefun void chacha_poly1305_set_key (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. Before using the context, you @emph{must} also call @code{chacha_poly1305_set_nonce}, see below. @end deftypefun @deftypefun void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{nonce}) Initializes the per-message state, using the given nonce. @end deftypefun @deftypefun void chacha_poly1305_update (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. @end deftypefun @deftypefun void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void chacha_poly1305_digest (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. If @var{length} is smaller than @code{CHACHA_POLY1305_DIGEST_SIZE}, only the first @var{length} octets of the digest are written. @end deftypefun @node nettle_aead abstraction, , ChaCha-Poly1305, Authenticated encryption @comment node-name, next, previous, up @subsection The @code{struct nettle_aead} abstraction @cindex nettle_aead @cindex nettle_aeads @cindex nettle_get_aeads Nettle includes a struct including information about the supported hash functions. It is defined in @file{}. @deftp {Meta struct} @code{struct nettle_aead} name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest The last seven attributes are function pointers. @end deftp @deftypevr {Constant Struct} {struct nettle_aead} nettle_gcm_aes128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes192 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes256 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia256 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_eax_aes128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_chacha_poly1305 These are most of the @acronym{AEAD} constructions that Nettle implements. Note that @acronym{CCM} is missing; it requirement that the message size is specified in advance makes it incompatible with the @code{nettle_aead} abstraction. @end deftypevr Nettle also exports a list of all these constructions. @deftypefun const struct nettle_aead **nettle_get_aeads(void) Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_aeads A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers. @end deffn @node Keyed hash functions, Key derivation functions, Authenticated encryption, Reference @comment node-name, next, previous, up @section Keyed Hash Functions @cindex Keyed Hash Function @cindex Message Authentication Code @cindex MAC A @dfn{keyed hash function}, or @dfn{Message Authentication Code} (@acronym{MAC}) is a function that takes a key and a message, and produces fixed size @acronym{MAC}. It should be hard to compute a message and a matching @acronym{MAC} without knowledge of the key. It should also be hard to compute the key given only messages and corresponding @acronym{MAC}s. Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the @acronym{MAC} and attaches it to the message. The receiver, Bob, also computes the @acronym{MAC} of the message, using the same key, and compares that to Alice's value. If they match, Bob can be assured that the message has not been modified on its way from Alice. However, unlike digital signatures, this assurance is not transferable. Bob can't show the message and the @acronym{MAC} to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the @emph{same} key is used on both sides, and anyone knowing the key can create a correct @acronym{MAC} for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn't attach a @acronym{MAC} to a particular message, he knows it must be Alice who did it. However, the third party can't distinguish between a @acronym{MAC} created by Alice and one created by Bob. Keyed hash functions are typically a lot faster than digital signatures as well. @menu * HMAC:: * UMAC:: * Poly1305:: @end menu @node HMAC, UMAC, Keyed hash functions, Keyed hash functions @comment node-name, next, previous, up @subsection @acronym{HMAC} @cindex HMAC One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is @acronym{HMAC}, described in @cite{RFC 2104}. For an underlying hash function @code{H}, with digest size @code{l} and internal block size @code{b}, @acronym{HMAC-H} is constructed as follows: From a given key @code{k}, two distinct subkeys @code{k_i} and @code{k_o} are constructed, both of length @code{b}. The @acronym{HMAC-H} of a message @code{m} is then computed as @code{H(k_o | H(k_i | m))}, where @code{|} denotes string concatenation. @acronym{HMAC} keys can be of any length, but it is recommended to use keys of length @code{l}, the digest size of the underlying hash function @code{H}. Keys that are longer than @code{b} are shortened to length @code{l} by hashing with @code{H}, so arbitrarily long keys aren't very useful. Nettle's @acronym{HMAC} functions are defined in @file{}. There are abstract functions that use a pointer to a @code{struct nettle_hash} to represent the underlying hash function and @code{void *} pointers that point to three different context structs for that hash function. There are also concrete functions for @acronym{HMAC-MD5}, @acronym{HMAC-RIPEMD160} @acronym{HMAC-SHA1}, @acronym{HMAC-SHA256}, and @acronym{HMAC-SHA512}. First, the abstract functions: @deftypefun void hmac_set_key (void *@var{outer}, void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, const uint8_t *@var{key}) Initializes the three context structs from the key. The @var{outer} and @var{inner} contexts corresponds to the subkeys @code{k_o} and @code{k_i}. @var{state} is used for hashing the message, and is initialized as a copy of the @var{inner} context. @end deftypefun @deftypefun void hmac_update (void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. Actually, @code{hmac_update(state, H, length, data)} is equivalent to @code{H->update(state, length, data)}, so if you wish you can use the ordinary update function of the underlying hash function instead. @end deftypefun @deftypefun void hmac_digest (const void *@var{outer}, const void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{outer} and @var{inner} are not modified. @var{length} is usually equal to @code{H->digest_size}, but if you provide a smaller value, only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the @var{state} context so that you can start over processing a new message (with the same key). @end deftypefun Like for @acronym{CBC}, there are some macros to help use these functions correctly. @deffn Macro HMAC_CTX (@var{type}) Expands to @example @{ type outer; type inner; type state; @} @end example @end deffn It can be used to define a @acronym{HMAC} context struct, either directly, @example struct HMAC_CTX(struct md5_ctx) ctx; @end example or to give it a struct tag, @example struct hmac_md5_ctx HMAC_CTX (struct md5_ctx); @end example @deffn Macro HMAC_SET_KEY (@var{ctx}, @var{H}, @var{length}, @var{key}) @var{ctx} is a pointer to a context struct as defined by @code{HMAC_CTX}, @var{H} is a pointer to a @code{const struct nettle_hash} describing the underlying hash function (so it must match the type of the components of @var{ctx}). The last two arguments specify the secret key. @end deffn @deffn Macro HMAC_DIGEST (@var{ctx}, @var{H}, @var{length}, @var{digest}) @var{ctx} is a pointer to a context struct as defined by @code{HMAC_CTX}, @var{H} is a pointer to a @code{const struct nettle_hash} describing the underlying hash function. The last two arguments specify where the digest is written. @end deffn Note that there is no @code{HMAC_UPDATE} macro; simply call @code{hmac_update} function directly, or the update function of the underlying hash function. @subsection Concrete @acronym{HMAC} functions Now we come to the specialized @acronym{HMAC} functions, which are easier to use than the general @acronym{HMAC} functions. @subsubsection @acronym{HMAC-MD5} @deftp {Context struct} {struct hmac_md5_ctx} @end deftp @deftypefun void hmac_md5_set_key (struct hmac_md5_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_md5_update (struct hmac_md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_md5_digest (struct hmac_md5_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{MD5_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-RIPEMD160} @deftp {Context struct} {struct hmac_ripemd160_ctx} @end deftp @deftypefun void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_ripemd160_update (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{RIPEMD160_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA1} @deftp {Context struct} {struct hmac_sha1_ctx} @end deftp @deftypefun void hmac_sha1_set_key (struct hmac_sha1_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha1_update (struct hmac_sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha1_digest (struct hmac_sha1_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA1_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA256} @deftp {Context struct} {struct hmac_sha256_ctx} @end deftp @deftypefun void hmac_sha256_set_key (struct hmac_sha256_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha256_update (struct hmac_sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha256_digest (struct hmac_sha256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA256_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA512} @deftp {Context struct} {struct hmac_sha512_ctx} @end deftp @deftypefun void hmac_sha512_set_key (struct hmac_sha512_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha512_update (struct hmac_sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha512_digest (struct hmac_sha512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA512_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @node UMAC, Poly1305 , HMAC, Keyed hash functions @comment node-name, next, previous, up @subsection @acronym{UMAC} @cindex UMAC @acronym{UMAC} is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, @xref{GCM}, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. @acronym{UMAC} is specified in @cite{RFC 4418}. The secret key is always 128 bits (16 octets). The key is used as an encryption key for the @acronym{AES} block cipher. This cipher is used in counter mode to generate various internal subkeys needed in @acronym{UMAC}. Messages are of arbitrary size, and for each message, @acronym{UMAC} also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret. The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle's implementation of @acronym{UMAC} increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is ``abc'' (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to ``abd'', and this incremented value is zero-padded to 16 octets. @acronym{UMAC} is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and @acronym{MAC} functions, Nettle's @code{_digest} functions for @acronym{UMAC} accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the @acronym{umac} variant corresponding to the desired size. The internal block size of @acronym{UMAC} is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and @acronym{MAC} algorithms in Nettle. Nettle defines @acronym{UMAC} in @file{}. @deftp {Context struct} {struct umac32_ctx} @deftpx {Context struct} {struct umac64_ctx} @deftpx {Context struct} {struct umac96_ctx} @deftpx {Context struct} {struct umac128_ctx} Each @acronym{UMAC} variant uses its own context struct. @end deftp @defvr Constant UMAC_KEY_SIZE The UMAC key size, 16. @end defvr @defvr Constant UMAC_MIN_NONCE_SIZE @defvrx Constant UMAC_MAX_NONCE_SIZE The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively. @end defvr @defvr Constant UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. @end defvr @defvr Constant UMAC64_DIGEST_SIZE The size of an UMAC64 digest, 8. @end defvr @defvr Constant UMAC96_DIGEST_SIZE The size of an UMAC96 digest, 12. @end defvr @defvr Constant UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. @end defvr @defvr Constant UMAC_BLOCK_SIZE The internal block size of UMAC. @end defvr @deftypefun void umac32_set_key (struct umac32_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac64_set_key (struct umac64_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac96_set_key (struct umac96_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac128_set_key (struct umac128_ctx *@var{ctx}, const uint8_t *@var{key}) These functions initialize the @acronym{UMAC} context struct. They also initialize the nonce to zero (with length 16, for auto-increment). @end deftypefun @deftypefun void umac32_set_nonce (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac64_set_nonce (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac96_set_nonce (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac128_set_nonce (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for @acronym{UMAC} (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called @emph{before} the first @code{_update} call for the message. @end deftypefun @deftypefun void umac32_update (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac64_update (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac96_update (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac128_update (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) These functions are called zero or more times to process the message. @end deftypefun @deftypefun void umac32_digest (struct umac32_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void umac64_digest (struct umac64_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void umac96_digest (struct umac96_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void umac128_digest (struct umac128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{length} is usually equal to the specified output size, but if you provide a smaller value, only the first @var{length} octets of the @acronym{MAC} are written. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the @code{_set_nonce} function explicitly for each message. @end deftypefun @node Poly1305,, UMAC, Keyed hash functions @comment node-name, next, previous, up @subsection Poly1305 Poly1305-@acronym{AES} is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number @math{2^130 - 5}. The key, 256 bits, consists of two parts, where the first half is an @acronym{AES}-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point @code{r}. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the @acronym{AES} key, and that's the only thing @acronym{AES} is used for. The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo @math{2^130 - 5}, and the polynomial is evaluated at the point @code{r}. Finally, this value is reduced modulo @math{2^128}, and added (also modulo @math{2^128}) to the encrypted nonce, to produce an 128-bit authenticator for the message. See @uref{http://cr.yp.to/mac/poly1305-20050329.pdf} for further details. Clearly, variants using a different cipher than @acronym{AES} could be defined. Another variant is the ChaCha-Poly1305 @acronym{AEAD} construction (@pxref{ChaCha-Poly1305}). Nettle defines Poly1305-@acronym{AES} in @file{nettle/poly1305.h}. @defvr Constant POLY1305_AES_KEY_SIZE Key size, 32 octets. @end defvr @defvr Constant POLY1305_AES_DIGEST_SIZE Size of the digest or ``authenticator'', 16 octets. @end defvr @defvr Constant POLY1305_AES_NONCE_SIZE Nonce size, 16 octets. @end defvr @deftp {Context struct} {struct poly1305_aes_ctx} The poly1305-aes context struct. @end deftp @deftypefun void poly1305_aes_set_key (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the context struct. Also sets the nonce to zero. @end deftypefun @deftypefun void poly1305_aes_set_nonce (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message. @end deftypefun @deftypefun void poly1305_aes_update (struct poly1305_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process more data. @end deftypefun @deftypefun void poly1305_aes_digest (struct poly1305_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the digest. If @var{length} is smaller than @code{POLY1305_AES_DIGEST_SIZE}, only the first @var{length} octets are written. Also increments the nonce, and prepares the context for processing a new message. @end deftypefun @node Key derivation functions, Public-key algorithms, Keyed hash functions, Reference @comment node-name, next, previous, up @section Key derivation Functions @cindex Key Derivation Function A @dfn{key derivation function} (@acronym{KDF}) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the @dfn{password-based key derivation functions} (@acronym{PBKDFs}), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation. @subsection HKDF: HMAC-based Extract-and-Expand @cindex HKDF HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in @cite{RFC 5869}, and is split into two logical modules, called 'extract' and 'expand'. The extract module takes an initial secret and a random salt to "extract" a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys. Nettle's @acronym{HKDF} functions are defined in @file{}. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the @code{nettle_hash_update_func}, and @code{nettle_hash_digest_func} interfaces. @deftypefun void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst) Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the secret @var{secret} of length @var{secret_length}. The output length is fixed to @var{digest_size} octets, thus the output buffer @var{dst} must have room for at least @var{digest_size} octets. @end deftypefun @deftypefun void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the info @var{info} of length @var{info_length}, and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsection @acronym{PBKDF2} @cindex Password Based Key Derivation Function @cindex PKCS #5 @cindex KDF @cindex PBKDF The most well known PBKDF is the @code{PKCS #5 PBKDF2} described in @cite{RFC 2898} which uses a pseudo-random function such as @acronym{HMAC-SHA1}. Nettle's @acronym{PBKDF2} functions are defined in @file{}. There is an abstract function that operate on any PRF implemented via the @code{nettle_hash_update_func}, @code{nettle_hash_digest_func} interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, the abstract function: @deftypefun void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the salt @var{salt} of length @var{salt_length}, the iteration counter @var{iterations} (> 0), and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun Like for CBC and HMAC, there is a macro to help use the function correctly. @deffn Macro PBKDF2 (@var{ctx}, @var{update}, @var{digest}, @var{digest_size}, @var{iterations}, @var{salt_length}, @var{salt}, @var{length}, @var{dst}) @var{ctx} is a pointer to a context struct passed to the @var{update} and @var{digest} functions (of the types @code{nettle_hash_update_func} and @code{nettle_hash_digest_func} respectively) to implement the underlying PRF with digest size of @var{digest_size}. Inputs are the salt @var{salt} of length @var{salt_length}, the iteration counter @var{iterations} (> 0), and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deffn @subsection Concrete @acronym{PBKDF2} functions Now we come to the specialized @acronym{PBKDF2} functions, which are easier to use than the general @acronym{PBKDF2} function. @subsubsection @acronym{PBKDF2-HMAC-SHA1} @deftypefun void pbkdf2_hmac_sha1 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA1. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsubsection @acronym{PBKDF2-HMAC-SHA256} @deftypefun void pbkdf2_hmac_sha256 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA256. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @node Public-key algorithms, Randomness, Key derivation functions, Reference @comment node-name, next, previous, up @section Public-key algorithms Nettle uses @acronym{GMP}, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, you must install @acronym{GMP}, at least version 3.0, before compiling Nettle, and you need to link your programs with @code{-lhogweed -lnettle -lgmp}. The concept of @dfn{Public-key} encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, ``symmetric'', cryptography, sender and receiver share the same keys, and these keys must be distributed in a secure way. And if there are many users or entities that need to communicate, each @emph{pair} needs a shared secret key known by nobody else. @cindex Public Key Cryptography @cindex One-way function Public-key cryptography uses trapdoor one-way functions. A @dfn{one-way function} is a function @code{F} such that it is easy to compute the value @code{F(x)} for any @code{x}, but given a value @code{y}, it is hard to compute a corresponding @code{x} such that @code{y = F(x)}. Two examples are cryptographic hash functions, and exponentiation in certain groups. A @dfn{trapdoor one-way function} is a function @code{F} that is one-way, unless one knows some secret information about @code{F}. If one knows the secret, it is easy to compute both @code{F} and it's inverse. If this sounds strange, look at the @acronym{RSA} example below. Two important uses for one-way functions with trapdoors are public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures. To use a digital signature algorithm, one must first create a @dfn{key-pair}: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user's list of known public keys), bad things may happen. There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can't cut it out of context and glue it to a different message. The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the ``someone'' also knows the private key corresponding to the public key. The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation. Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as ``grant access to whoever knows the private key corresponding to this particular public key, and to no others''. @menu * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA @end menu @node RSA, DSA, Public-key algorithms, Public-key algorithms @comment node-name, next, previous, up @subsection @acronym{RSA} The @acronym{RSA} algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the @acronym{USA} in 1983. The patent expired on September 20, 2000, and since that day, @acronym{RSA} can be used freely, even in the @acronym{USA}. It's remarkably simple to describe the trapdoor function behind @acronym{RSA}. The ``one-way''-function used is @example F(x) = x^e mod n @end example I.e. raise x to the @code{e}'th power, while discarding all multiples of @code{n}. The pair of numbers @code{n} and @code{e} is the public key. @code{e} can be quite small, even @code{e = 3} has been used, although slightly larger numbers are recommended. @code{n} should be about 2000 bits or larger. If @code{n} is large enough, and properly chosen, the inverse of F, the computation of @code{e}'th roots modulo @code{n}, is very difficult. But, where's the trapdoor? Let's first look at how @acronym{RSA} key-pairs are generated. First @code{n} is chosen as the product of two large prime numbers @code{p} and @code{q} of roughly the same size (so if @code{n} is 2000 bits, @code{p} and @code{q} are about 1000 bits each). One also computes the number @code{phi = (p-1)(q-1)}, in mathematical speak, @code{phi} is the order of the multiplicative group of integers modulo n. Next, @code{e} is chosen. It must have no factors in common with @code{phi} (in particular, it must be odd), but can otherwise be chosen more or less randomly. @code{e = 65537} is a popular choice, because it makes raising to the @code{e}'th power particularly efficient, and being prime, it usually has no factors common with @code{phi}. Finally, a number @code{d}, @code{d < n} is computed such that @code{e d mod phi = 1}. It can be shown that such a number exists (this is why @code{e} and @code{phi} must have no common factors), and that for all x, @example (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x @end example Using Euclid's algorithm, @code{d} can be computed quite easily from @code{phi} and @code{e}. But it is still hard to get @code{d} without knowing @code{phi}, which depends on the factorization of @code{n}. So @code{d} is the trapdoor, if we know @code{d} and @code{y = F(x)}, we can recover x as @code{y^d mod n}. @code{d} is also the private half of the @acronym{RSA} key-pair. The most common signature operation for @acronym{RSA} is defined in @cite{PKCS#1}, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. @acronym{MD5} or @acronym{SHA1}. Next, some padding, the @acronym{ASN.1} ``Algorithm Identifier'' for the hash function, and the message digest itself, are concatenated and converted to a number @code{x}. The signature is computed from @code{x} and the private key as @code{s = x^d mod n}@footnote{Actually, the computation is not done like this, it is done more efficiently using @code{p}, @code{q} and the Chinese remainder theorem (@acronym{CRT}). But the result is the same.}. The signature, @code{s} is a number of about the same size of @code{n}, and it usually encoded as a sequence of octets, most significant octet first. The verification operation is straight-forward, @code{x} is computed from the message in the same way as above. Then @code{s^e mod n} is computed, the operation returns true if and only if the result equals @code{x}. The @acronym{RSA} algorithm can also be used for encryption. RSA encryption uses the public key @code{(n,e)} to compute the ciphertext @code{m^e mod n}. The @cite{PKCS#1} padding scheme will use at least 8 random and non-zero octets, using @var{m} of the form @code{[00 02 padding 00 plaintext]}. It is required that @code{m < n}, and therefor the plaintext must be smaller than the octet size of the modulo @code{n}, with some margin. To decrypt the message, one needs the private key to compute @code{m = c^e mod n} followed by checking and removing the padding. @subsubsection Nettle's @acronym{RSA} support Nettle represents @acronym{RSA} keys using two structures that contain large numbers (of type @code{mpz_t}). @deftp {Context struct} {rsa_public_key} size n e @code{size} is the size, in octets, of the modulo, and is used internally. @code{n} and @code{e} is the public key. @end deftp @deftp {Context struct} {rsa_private_key} size d p q a b c @code{size} is the size, in octets, of the modulo, and is used internally. @code{d} is the secret exponent, but it is not actually used when signing. Instead, the factors @code{p} and @code{q}, and the parameters @code{a}, @code{b} and @code{c} are used. They are computed from @code{p}, @code{q} and @code{e} such that @code{a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1}. @end deftp Before use, these structs must be initialized by calling one of @deftypefun void rsa_public_key_init (struct rsa_public_key *@var{pub}) @deftypefunx void rsa_private_key_init (struct rsa_private_key *@var{key}) Calls @code{mpz_init} on all numbers in the key struct. @end deftypefun and when finished with them, the space for the numbers must be deallocated by calling one of @deftypefun void rsa_public_key_clear (struct rsa_public_key *@var{pub}) @deftypefunx void rsa_private_key_clear (struct rsa_private_key *@var{key}) Calls @code{mpz_clear} on all numbers in the key struct. @end deftypefun In general, Nettle's @acronym{RSA} functions deviates from Nettle's ``no memory allocation''-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see @xref{Custom Allocation,,GMP Allocation,gmp, GMP Manual}. When you have assigned values to the attributes of a key, you must call @deftypefun int rsa_public_key_prepare (struct rsa_public_key *@var{pub}) @deftypefunx int rsa_private_key_prepare (struct rsa_private_key *@var{key}) Computes the octet size of the key (stored in the @code{size} attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can't be used, for instance if the modulo is smaller than the minimum size needed for @acronym{RSA} operations specified by PKCS#1. @end deftypefun For each operation using the private key, there are two variants, e.g., @code{rsa_sha256_sign} and @code{rsa_sha256_sign_tr}. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized @acronym{RSA} blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key. Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function's context struct to the @acronym{RSA} signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with @acronym{RSA} signatures, since there's no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. Creating an @acronym{RSA} signature is done with one of the following functions: @deftypefun int rsa_md5_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha256_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha512_ctx *@var{hash}, mpz_t @var{signature}) The signature is stored in @var{signature} (which must have been @code{mpz_init}'ed earlier). The hash context is reset so that it can be used for new messages. The @var{random_ctx} and @var{random} pointers are used to generate the @acronym{RSA} blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit @acronym{RSA} key. @end deftypefun @deftypefun int rsa_md5_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature from the given hash digest. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun @deftypefun int rsa_pkcs1_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{signature}) Similar to the above @code{_sign_digest_tr} functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun @deftypefun int rsa_md5_sign (const struct rsa_private_key *@var{key}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign (const struct rsa_private_key *@var{key}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign (const struct rsa_private_key *@var{key}, struct sha256_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign (const struct rsa_private_key *@var{key}, struct sha512_ctx *@var{hash}, mpz_t @var{signature}) The signature is stored in @var{signature} (which must have been @code{mpz_init}'ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit @acronym{RSA} key. @end deftypefun @deftypefun int rsa_md5_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}); @deftypefunx int rsa_sha256_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}); @deftypefunx int rsa_sha512_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}); Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}, respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun @deftypefun int rsa_pkcs1_sign(const struct rsa_private_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{s}) Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun Verifying an RSA signature is done with one of the following functions: @deftypefun int rsa_md5_verify (const struct rsa_public_key *@var{key}, struct md5_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha1_verify (const struct rsa_public_key *@var{key}, struct sha1_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify (const struct rsa_public_key *@var{key}, struct sha256_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha512_verify (const struct rsa_public_key *@var{key}, struct sha512_ctx *@var{hash}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. In either case, the hash context is reset so that it can be used for new messages. @end deftypefun @deftypefun int rsa_md5_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha1_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha512_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively. @end deftypefun @deftypefun int rsa_pkcs1_verify(const struct rsa_public_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, const mpz_t @var{signature}) Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun While the above functions for the RSA signature operations use the @cite{PKCS#1} padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in @cite{RFC 3447}. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the @acronym{RSA} algorithm, a longer salt value does not always mean a better security @uref{http://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf}. The typical choices of the length are between 0 and the digest size of the underlying hash function. Creating an RSA signature with the PSS padding scheme is done with one of the following functions: @deftypefun int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature using the PSS padding scheme. @var{salt} should point to a salt string of size @var{salt_length}. @var{digest} should point to a digest of size @code{SHA256_DIGEST_SIZE}, @code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun Verifying an RSA signature with the PSS padding scheme is done with one of the following functions: @deftypefun int rsa_pss_sha256_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_pss_sha384_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_pss_sha512_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} should point to a digest of size @code{SHA256_DIGEST_SIZE}, @code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively. @end deftypefun The following function is used to encrypt a clear text message using RSA. @deftypefun int rsa_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{cleartext}, mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure. @end deftypefun The following function is used to decrypt a cipher text message using RSA. @deftypefun int rsa_decrypt (const struct rsa_private_key *@var{key}, size_t *@var{length}, uint8_t *@var{cleartext}, const mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by @var{cleartext} must be of size *@var{length}. After decryption, *@var{length} will be updated with the size of the message. @end deftypefun There is also a timing resistant version of decryption that utilizes randomized RSA blinding. @deftypefun int rsa_decrypt_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t *@var{length}, uint8_t *@var{message}, const mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. @end deftypefun If you need to use the @acronym{RSA} trapdoor, the private key, in a way that isn't supported by the above functions Nettle also includes a function that computes @code{x^d mod n} and nothing more, using the @acronym{CRT} optimization. @deftypefun int rsa_compute_root_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, mpz_t @var{x}, const mpz_t @var{m}) Computes @code{x = m^d}. Returns one on success, or zero if a failure in the computation was detected. @end deftypefun @deftypefun void rsa_compute_root (struct rsa_private_key *@var{key}, mpz_t @var{x}, const mpz_t @var{m}) Computes @code{x = m^d}. @end deftypefun At last, how do you create new keys? @deftypefun int rsa_generate_keypair (struct rsa_public_key *@var{pub}, struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, void *@var{progress_ctx}, nettle_progress_func @var{progress}, unsigned @var{n_size}, unsigned @var{e_size}); There are lots of parameters. @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized, but you don't need to call @code{rsa_public_key_prepare} or @code{rsa_private_key_prepare} after key generation. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{size_n} is the desired size of the modulo, in bits. If @var{size_e} is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if @var{e_size} is zero, it is assumed that the caller has already chosen a value for @code{e}, and stored it in @var{pub}. Returns one on success, and zero on failure. The function can fail for example if if @var{n_size} is too small, or if @var{e_size} is zero and @code{pub->e} is an even number. @end deftypefun @node DSA, Elliptic curves, RSA, Public-key algorithms @comment node-name, next, previous, up @subsection @acronym{DSA} The @acronym{DSA} digital signature algorithm is more complex than @acronym{RSA}. It was specified during the early 1990s, and in 1994 NIST published @acronym{FIPS} 186 which is the authoritative specification. Sometimes @acronym{DSA} is referred to using the acronym @acronym{DSS}, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than @acronym{sha1}. For @acronym{DSA}, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime @code{p}, a small prime @code{q} which is a factor of @code{p-1}, a number @code{g} which generates a subgroup of order @code{q} modulo @code{p}, and an element @code{y} in that subgroup. In the original @acronym{DSA}, the size of @code{q} is fixed to 160 bits, to match with the @acronym{SHA1} hash algorithm. The size of @code{p} is in principle unlimited, but the standard specifies only nine specific sizes: @code{512 + l*64}, where @code{l} is between 0 and 8. Thus, the maximum size of @code{p} is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. The subgroup requirement means that if you compute @example g^t mod p @end example for all possible integers @code{t}, you will get precisely @code{q} distinct values. The private key is a secret exponent @code{x}, such that @example g^x = y mod p @end example In mathematical speak, @code{x} is the @dfn{discrete logarithm} of @code{y} mod @code{p}, with respect to the generator @code{g}. The size of @code{x} will also be about the same size as @code{q}. The security of the @acronym{DSA} algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack @acronym{DSA}, are of two types. The first type works directly in the (multiplicative) group of integers mod @code{p}. The best known algorithm of this type is the Number Field Sieve, and it's complexity is similar to the complexity of factoring numbers of the same size as @code{p}. The other type works in the smaller @code{q}-sized subgroup generated by @code{g}, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity @code{sqrt(q)}. The important point is that security depends on the size of @emph{both} @code{p} and @code{q}, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original @acronym{DSA} may be uncomfortably small. Using a @code{p} of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit @acronym{RSA} modulo, and using a @code{q} of size 160 bits implies that cracking using Pollard-rho will take roughly @code{2^80} group operations. With the size of @code{q} fixed, tied to the @acronym{SHA1} digest size, it may be tempting to increase the size of @code{p} to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack. The signature generation algorithm is randomized; in order to create a @acronym{DSA} signature, you need a good source for random numbers (@pxref{Randomness}). Let us describe the common case of a 160-bit @code{q}. To create a signature, one starts with the hash digest of the message, @code{h}, which is a 160 bit number, and a random number @code{k, 0}. A @acronym{DSA} group is represented using the following struct. @deftp {Context struct} {dsa_params} p q g Parameters of the @acronym{DSA} group. @end deftp @deftypefun void dsa_params_init (struct dsa_params *@var{params}) Calls @code{mpz_init} on all numbers in the struct. @end deftypefun @deftypefun void dsa_params_clear (struct dsa_params *@var{params}params) Calls @code{mpz_clear} on all numbers in the struct. @end deftypefun @deftypefun int dsa_generate_params (struct dsa_params *@var{params}, void *@var{random_ctx}, nettle_random_func *@var{random}, void *@var{progress_ctx}, nettle_progress_func *@var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) Generates paramaters of a new group. The @var{params} struct should be initialized before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{p_bits} and @var{q_bits} are the desired sizes of @code{p} and @code{q}. To generate keys that conform to the original @acronym{DSA} standard, you must use @code{q_bits = 160} and select @var{p_bits} of the form @code{p_bits = 512 + l*64}, for @code{0 <= l <= 8}, where the smaller sizes are no longer recommended, so you should most likely stick to @code{p_bits = 1024}. Non-standard sizes are possible, in particular @code{p_bits} larger than 1024, although @acronym{DSA} implementations can not in general be expected to support such keys. Also note that using very large @var{p_bits}, with @var{q_bits} fixed at 160, doesn't make much sense, because the security is also limited by the size of the smaller prime. To generate @acronym{DSA} keys for use with @acronym{SHA256}, use @code{q_bits = 256} and, e.g., @code{p_bits = 2048}. Returns one on success, and zero on failure. The function will fail if @var{q_bits} is too small, or too close to @var{p_bits}. @end deftypefun Signatures are represented using the structure below. @deftp {Context struct} {dsa_signature} r s @end deftp @deftypefun void dsa_signature_init (struct dsa_signature *@var{signature}) @deftypefunx void dsa_signature_clear (struct dsa_signature *@var{signature}) You must call @code{dsa_signature_init} before creating or using a signature, and call @code{dsa_signature_clear} when you are finished with it. @end deftypefun Keys are represented as bignums, of type @code{mpz_t}. A public keys represent a group element, and is of the same size as @code{p}, while a private key is an exponent, of the same size as @code{q}. @deftypefun int dsa_sign (const struct dsa_params *@var{params}, const mpz_t @var{x}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_size}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Creates a signature from the given hash digest, using the private key @var{x}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo @code{q} fails. @end deftypefun @deftypefun int dsa_verify (const struct dsa_params *@var{params}, const mpz_t @var{y}, size_t @var{digest_size}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0. @end deftypefun To generate a keypair, first generate a @acronym{DSA} group using @code{dsa_generate_params}. A keypair in this group is then created using @deftypefun void dsa_generate_keypair (const struct dsa_params *@var{params}, mpz_t @var{pub}, mpz_t @var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) Generates a new keypair, using the group @var{params}. The public key is stored in @var{pub}, and the private key in @var{key}. Both variables must be initialized using @code{mpz_init} before this call. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun @subsubsection Old, deprecated, @acronym{DSA} interface Versions before nettle-3.0 used a different interface for @acronym{DSA} signatures, where the group parameters and the public key was packed together as @code{struct dsa_public_key}. Most of this interface is kept for backwards compatibility, and declared in @file{nettle/dsa-compat.h}. Below is the old documentation. The old and new interface use distinct names and don't confict, with one exception: The key generation function. The @file{nettle/dsa-compat.h} redefines @code{dsa_generate_keypair} as an alias for @code{dsa_compat_generate_keypair}, compatible with the old interface and documented below. The old @acronym{DSA} functions are very similar to the corresponding @acronym{RSA} functions, but there are a few differences pointed out below. For a start, there are no functions corresponding to @code{rsa_public_key_prepare} and @code{rsa_private_key_prepare}. @deftp {Context struct} {dsa_public_key} p q g y The public parameters described above. @end deftp @deftp {Context struct} {dsa_private_key} x The private key @code{x}. @end deftp Before use, these structs must be initialized by calling one of @deftypefun void dsa_public_key_init (struct dsa_public_key *@var{pub}) @deftypefunx void dsa_private_key_init (struct dsa_private_key *@var{key}) Calls @code{mpz_init} on all numbers in the key struct. @end deftypefun When finished with them, the space for the numbers must be deallocated by calling one of @deftypefun void dsa_public_key_clear (struct dsa_public_key *@var{pub}) @deftypefunx void dsa_private_key_clear (struct dsa_private_key *@var{key}) Calls @code{mpz_clear} on all numbers in the key struct. @end deftypefun Signatures are represented using @code{struct dsa_signature}, described earlier. For signing, you need to provide both the public and the private key (unlike @acronym{RSA}, where the private key struct includes all information needed for signing), and a source for random numbers. Signatures can use the @acronym{SHA1} or the @acronym{SHA256} hash function, although the implementation of @acronym{DSA} with @acronym{SHA256} should be considered somewhat experimental due to lack of official test vectors and interoperability testing. @deftypefun int dsa_sha1_sign (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, struct sha1_ctx *@var{hash}, struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha1_sign_digest (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_sign (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, struct sha256_ctx *@var{hash}, struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_sign_digest (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Creates a signature from the given hash context or digest. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. Returns one on success, or zero on failure. Signing fails if the key size and the hash size don't match. @end deftypefun Verifying signatures is a little easier, since no randomness generator is needed. The functions are @deftypefun int dsa_sha1_verify (const struct dsa_public_key *@var{key}, struct sha1_ctx *@var{hash}, const struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha1_verify_digest (const struct dsa_public_key *@var{key}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_verify (const struct dsa_public_key *@var{key}, struct sha256_ctx *@var{hash}, const struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_verify_digest (const struct dsa_public_key *@var{key}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Verifies a signature. Returns 1 if the signature is valid, otherwise 0. @end deftypefun Key generation uses mostly the same parameters as the corresponding @acronym{RSA} function. @deftypefun int dsa_compat_generate_keypair (struct dsa_public_key *@var{pub}, struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, void *@var{progress_ctx}, nettle_progress_func @var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{p_bits} and @var{q_bits} are the desired sizes of @code{p} and @code{q}. See @code{dsa_generate_keypair} for details. @end deftypefun @node Elliptic curves,, DSA, Public-key algorithms @comment node-name, next, previous, up @subsection @acronym{Elliptic curves} For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If @math{P} and @math{Q} are two points, and @math{k} is an integer, the point sum, @math{P + Q}, and the multiple @math{k P} can be computed efficiently, but given only two points @math{P} and @math{Q}, finding an integer @math{k} such that @math{Q = k P} is the elliptic curve discrete logarithm problem. Nettle supports standard curves which are all of the form @math{y^2 = x^3 - 3 x + b @pmod{p}}, i.e., the points have coordinates @math{(x,y)}, both considered as integers modulo a specified prime @math{p}. Curves are represented as a @code{struct ecc_curve}. It also supports curve25519, which uses a different form of curve. Supported curves are declared in @file{}, e.g., call @code{nettle_get_secp_256r1} for a standardized curve using the 256-bit prime @math{p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1}. The contents of these structs is not visible to nettle users. The ``bitsize of the curve'' is used as a shorthand for the bitsize of the curve's prime @math{p}, e.g., 256 bits for the SECP 256R1 curve. @menu * Side-channel silence:: * ECDSA:: * Curve 25519:: @end menu @node Side-channel silence, ECDSA, , Elliptic curves @comment node-name, next, previous, up @subsubsection Side-channel silence @cindex Side-channel attack Nettle's implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are: @itemize @item Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. @item Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries. @end itemize Nettle's ECC implementation is designed to be @dfn{side-channel silent}, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. @node ECDSA, Curve 25519, Side-channel silence, Elliptic curves @comment node-name, next, previous, up @subsubsection ECDSA ECDSA is a variant of the DSA digital signature scheme (@pxref{DSA}), which works over an elliptic curve group rather than over a (subgroup of) integers modulo @math{p}. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. Nettle defines ECDSA in @file{}. We first need to define the data types used to represent public and private keys. @deftp {struct} {struct ecc_point} Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key. @end deftp @deftypefun void ecc_point_init (struct ecc_point *@var{p}, const struct ecc_curve *@var{ecc}) Initializes @var{p} to represent points on the given curve @var{ecc}. Allocates storage for the coordinates, using the same allocation functions as GMP. @end deftypefun @deftypefun void ecc_point_clear (struct ecc_point *@var{p}) Deallocate storage. @end deftypefun @deftypefun int ecc_point_set (struct ecc_point *@var{p}, const mpz_t @var{x}, const mpz_t @var{y}) Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed. @end deftypefun @deftypefun void ecc_point_get (const struct ecc_point *@var{p}, mpz_t @var{x}, mpz_t @var{y}) Extracts the coordinate of the point @var{p}. The output parameters @var{x} or @var{y} may be NULL if the caller doesn't want that coordinate. @end deftypefun @deftp {struct} {struct ecc_scalar} Represents an integer in the range @math{0 < x < group order}, where the ``group order'' refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key. @end deftp @deftypefun void ecc_scalar_init (struct ecc_scalar *@var{s}, const struct ecc_curve *@var{ecc}) Initializes @var{s} to represent a scalar suitable for the given curve @var{ecc}. Allocates storage using the same allocation functions as GMP. @end deftypefun @deftypefun void ecc_scalar_clear (struct ecc_scalar *@var{s}) Deallocate storage. @end deftypefun @deftypefun int ecc_scalar_set (struct ecc_scalar *@var{s}, const mpz_t @var{z}) Check that @var{z} is in the correct range. If so, copies the value to @var{s} and returns 1, otherwise returns 0. @end deftypefun @deftypefun void ecc_scalar_get (const struct ecc_scalar *@var{s}, mpz_t @var{z}) Extracts the scalar, in GMP @code{mpz_t} representation. @end deftypefun To create and verify ECDSA signatures, the following functions are used. @deftypefun void ecdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Uses the private key @var{key} to create a signature on @var{digest}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. The signature is stored in @var{signature}, in the same was as for plain DSA. @end deftypefun @deftypefun int ecdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Uses the public key @var{pub} to verify that @var{signature} is a valid signature for the message digest @var{digest} (of @var{length} octets). Returns 1 if the signature is valid, otherwise 0. @end deftypefun Finally, generating a new ECDSA key pair: @deftypefun void ecdsa_generate_keypair (struct ecc_point *@var{pub}, struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}); @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun @node Curve 25519, , ECDSA, Elliptic curves @comment node-name, next, previous, up @subsubsection Curve25519 @cindex Curve 25519 @c FIXME: Make 2^255 pretty in all output formats. Use @sup? @c There are other places too (2^32, 2^130). Curve25519 is an elliptic curve of Montgomery type, @math{y^2 = x^3 + 486662 x^2 + x @pmod{p}}, with @math{p = 2^255 - 19}. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in @cite{RFC 7748}. The group generator is defined by @math{x = 9} (there are actually two points with @math{x = 9}, differing by the sign of the y-coordinate, but that doesn't matter for the curve25519 operations which work with the x-coordinate only). The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored. For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range @math{2^251 <= s < 2^252}. Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value @math{x} for which the the curve equation can be solved for @math{y}. The other half correspond to points on a related ``twist curve''. The function @code{curve25519_mul} uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by @cite{RFC 7748}. The output is therefore well defined for @emph{all} possible inputs, no matter if the input string represents a valid point on the curve or not. Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from @cite{RFC 7748}, in that bit 255 of the @math{x} coordinate of the point input to curve25519_mul was not ignored. The @file{nette/curve25519.h} defines a preprocessor symbol @code{NETTLE_CURVE25519_RFC7748} to indicate conformance with the standard. Nettle defines Curve 25519 in @file{}. @defvr Constant NETTLE_CURVE25519_RFC7748 Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions. @end defvr @defvr Constant CURVE25519_SIZE The size of the strings representing curve25519 points and scalars, 32. @end defvr @deftypefun void curve25519_mul_g (uint8_t *@var{q}, const uint8_t *@var{n}) Computes @math{Q = N G}, where @math{G} is the group generator and @math{N} is an integer. The input argument @var{n} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size @code{CURVE25519_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult_base} in the NaCl library. @end deftypefun @deftypefun void curve25519_mul (uint8_t *@var{q}, const uint8_t *@var{n}, const uint8_t *@var{p}) Computes @math{Q = N P}, where @math{P} is an input point and @math{N} is an integer. The input arguments @var{n} and @var{p} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size @code{CURVE25519_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult} in the NaCl library. @end deftypefun @subsubsection EdDSA @cindex eddsa EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a ``Twisted Edwards curve'', of the form @math{-x^2 + y^2 = 1 + d x^2 y^2}. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups. Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost. @defvr Constant ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. @end defvr @defvr Constant ED25519_SIGNATURE_SIZE The size of an Ed25519 signature, 64 octets. @end defvr @deftypefun void ed25519_sha512_public_key (uint8_t *@var{pub}, const uint8_t *@var{priv}) Computes the public key corresponding to the given private key. Both input and output are of size @code{ED25519_KEY_SIZE}. @end deftypefun @deftypefun void ed25519_sha512_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) Signs a message using the provided key pair. @end deftypefun @deftypefun int ed25519_sha512_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. @end deftypefun @node Randomness, ASCII encoding, Public-key algorithms, Reference @comment node-name, next, previous, up @section Randomness @cindex Randomness A crucial ingredient in many cryptographic contexts is randomness: Let @code{p} be a random prime, choose a random initialization vector @code{iv}, a random key @code{k} and a random exponent @code{e}, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain. In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name. However, such a generator is inadequate for cryptography, for at least two reasons: @itemize @item It's too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that's far too easy. For example, if the process id is 16 bits, the resolution of ``current time'' is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. @item The generator output reveals too much. By observing only a small segment of the generator's output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. @end itemize A randomness generator that is used for cryptographic purposes must have better properties. Let's first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what's unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called ``entropy'', or ``conditional entropy'' (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask @code{n} yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can't guess the seed correctly, then the conditional entropy is more than @code{n} bits. @cindex Entropy @cindex Conditional entropy Let's look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or ``unguessability'' to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are: @table @asis @item High resolution timing of i/o activities Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it's one of the better randomness source one can find in a digital, mostly predictable, computer. @item User activity Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, @acronym{TELNET} session, or even @acronym{SSH} session may be visible to an attacker, in full or partially. @item Audio input Any room, or even a microphone input that's left unconnected, is a source of some random background noise, which can be fed into the seeding process. @item Specialized hardware Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. @item Secret information Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once. @end table For all practical sources, it's difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can't observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? So let's assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). How do we generate output from this seed, and how much can we get? Some generators (notably the Linux @file{/dev/random} generator) tries to estimate available entropy and restrict the amount of output. The goal is that if you read 128 bits from @file{/dev/random}, you should get 128 ``truly random'' bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn't matter much. For most application, there's no limit on the amount of useful ``random'' data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let's call it the generator's key. The key is initialized from the unguessable seed. Important properties of a generator are: @table @dfn @item Key-hiding An attacker observing the output should not be able to recover the generator's key. @item Independence of outputs Observing some of the output should not help the attacker to guess previous or future output. @item Forward secrecy Even if an attacker compromises the generator's key, he should not be able to guess the generator output @emph{before} the key compromise. @item Recovery from key compromise If an attacker compromises the generator's key, he can compute @emph{all} future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time @code{t_1}, there is another later time @code{t_2}, such that if the attacker observes all output generated between @code{t_1} and @code{t_2}, he still can't guess what output is generated after @code{t_2}. @end table Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. @acronym{ARCFOUR}, like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality, if the seed is hashed properly before it is used with @code{arcfour_set_key}. There's no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. The ``lagged Fibonacci'' generator in @file{} is a fast generator with good statistical properties, but is @strong{not} for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. The recommended generator to use is Yarrow, described below. @subsection Yarrow Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at @url{http://www.counterpane.com/yarrow.html}, and it uses @acronym{SHA1} and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses @acronym{SHA256} and @acronym{AES} to get an internal state of 256 bits. Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later. Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness ``pools'', referred to as the ``slow pool'' and the ``fast pool''. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a ``fast reseed'' happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a ``slow reseed'' takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise. The output is generated by using @acronym{AES} to encrypt a counter, using the generator's current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy. Yarrow can also use a @dfn{seed file} to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. Nettle defines Yarrow-256 in @file{}. @deftp {Context struct} {struct yarrow256_ctx} @end deftp @deftp {Context struct} {struct yarrow_source} Information about a single source. @end deftp @defvr Constant YARROW256_SEED_FILE_SIZE Recommended size of the Yarrow-256 seed file. @end defvr @deftypefun void yarrow256_init (struct yarrow256_ctx *@var{ctx}, unsigned @var{nsources}, struct yarrow_source *@var{sources}) Initializes the yarrow context, and its @var{nsources} sources. It's possible to call it with @var{nsources}=0 and @var{sources}=NULL, if you don't need the update features. @end deftypefun @deftypefun void yarrow256_seed (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{seed_file}) Seeds Yarrow-256 from a previous seed file. @var{length} should be at least @code{YARROW256_SEED_FILE_SIZE}, but it can be larger. The generator will trust you that the @var{seed_file} data really is unguessable. After calling this function, you @emph{must} overwrite the old seed file with newly generated data from @code{yarrow256_random}. If it's possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. @end deftypefun @deftypefun int yarrow256_update (struct yarrow256_ctx *@var{ctx}, unsigned @var{source}, unsigned @var{entropy}, size_t @var{length}, const uint8_t *@var{data}) Updates the generator with data from source @var{SOURCE} (an index that must be smaller than the number of sources). @var{entropy} is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero @var{entropy} is always safe, no matter if the data is random or not. Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with @code{yarrow256_random} and overwrite the seed file. Otherwise, the function returns 0. @end deftypefun @deftypefun void yarrow256_random (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}) Generates @var{length} octets of output. The generator must be seeded before you call this function. If you don't need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time. @end deftypefun @deftypefun int yarrow256_is_seeded (struct yarrow256_ctx *@var{ctx}) Returns 1 if the generator is seeded and ready to generate output, otherwise 0. @end deftypefun @deftypefun unsigned yarrow256_needed_sources (struct yarrow256_ctx *@var{ctx}) Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded. @end deftypefun @deftypefun void yarrow256_fast_reseed (struct yarrow256_ctx *@var{ctx}) @deftypefunx void yarrow256_slow_reseed (struct yarrow256_ctx *@var{ctx}) Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care. @end deftypefun Nettle includes an entropy estimator for one kind of input source: User keyboard input. @deftp {Context struct} {struct yarrow_key_event_ctx} Information about recent key events. @end deftp @deftypefun void yarrow_key_event_init (struct yarrow_key_event_ctx *@var{ctx}) Initializes the context. @end deftypefun @deftypefun unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *@var{ctx}, unsigned @var{key}, unsigned @var{time}) @var{key} is the id of the key (ASCII value, hardware key code, X keysym, @dots{}, it doesn't matter), and @var{time} is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, @var{time} should be provided in units of microseconds. But if you use @code{gettimeofday} on a typical Unix system where the clock ticks 10 or so microseconds at a time, @var{time} should be given in units of 10 microseconds. Returns an entropy estimate, in bits, suitable for calling @code{yarrow256_update}. Usually, 0, 1 or 2 bits. @end deftypefun @node ASCII encoding, Miscellaneous functions, Randomness, Reference @comment node-name, next, previous, up @section ASCII encoding Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). The base64 encoding will always use alphanumeric (upper and lower case) characters and the '+', '/' and '=' symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There's also a ``URL safe'' variant, which is useful for encoding binary data into URLs and filenames. See @cite{RFC 4648}. The base16 encoding, also known as ``hexadecimal'', uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn't need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. The following functions can be used to perform base64 encoding and decoding. They are defined in @file{}. @deftp {Context struct} {struct base64_encode_ctx} @end deftp @deftypefun {void} base64_encode_init (struct base64_encode_ctx *@var{ctx}) @deftypefunx {void} base64url_encode_init (struct base64_encode_ctx *@var{ctx}) Initializes a base64 context. This is necessary before starting an encoding session. @code{base64_encode_init} selects the standard base64 alphabet, while @code{base64url_encode_init} selects the URL safe alphabet. @end deftypefun @deftypefun {size_t} base64_encode_single (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Encodes a single byte. Returns amount of output (always 1 or 2). @end deftypefun @deffn Macro BASE64_ENCODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base64_encode_update}. @end deffn @deftypefun {size_t} base64_encode_update (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to encode @var{length} bytes from @var{src}. The result will be placed in @var{dst}, and the return value will be the number of bytes generated. Note that @var{dst} must be at least of size BASE64_ENCODE_LENGTH(@var{length}). @end deftypefun @defvr Constant BASE64_ENCODE_FINAL_LENGTH The maximum amount of output from @code{base64_encode_final}. @end defvr @deftypefun {size_t} base64_encode_final (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated. @end deftypefun @deftp {Context struct} {struct base64_decode_ctx} @end deftp @deftypefun {void} base64_decode_init (struct base64_decode_ctx *@var{ctx}) @deftypefunx {void} base64url_decode_init (struct base64_decode_ctx *@var{ctx}) Initializes a base64 decoding context. This is necessary before starting a decoding session. @code{base64_decode_init} selects the standard base64 alphabet, while @code{base64url_decode_init} selects the URL safe alphabet. @end deftypefun @deftypefun {int} base64_decode_single (struct base64_decode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Decodes a single byte (@var{src}) and stores the result in @var{dst}. Returns amount of output (0 or 1), or -1 on errors. @end deftypefun @deffn Macro BASE64_DECODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base64_decode_update}. @end deffn @deftypefun {void} base64_decode_update (struct base64_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to decode @var{src_length} bytes from @var{src}. @var{dst} should point to an area of size at least BASE64_DECODE_LENGTH(@var{src_length}). The amount of data generated is returned in *@var{dst_length}. Returns 1 on success and 0 on error. @end deftypefun @deftypefun {int} base64_decode_final (struct base64_decode_ctx *@var{ctx}) Check that final padding is correct. Returns 1 on success, and 0 on error. @end deftypefun Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in @file{}. Note that there is no encoding context necessary for doing base16 encoding. @deftypefun {void} base16_encode_single (uint8_t *@var{dst}, uint8_t @var{src}) Encodes a single byte. Always stores two digits in @var{dst}[0] and @var{dst}[1]. @end deftypefun @deffn Macro BASE16_ENCODE_LENGTH (@var{length}) The number of output bytes when passing @var{length} input bytes to @code{base16_encode_update}. @end deffn @deftypefun {void} base16_encode_update (uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) Always stores BASE16_ENCODE_LENGTH(@var{length}) digits in @var{dst}. @end deftypefun @deftp {Context struct} {struct base16_decode_ctx} @end deftp @deftypefun {void} base16_decode_init (struct base16_decode_ctx *@var{ctx}) Initializes a base16 decoding context. This is necessary before starting a decoding session. @end deftypefun @deftypefun {int} base16_decode_single (struct base16_decode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Decodes a single byte from @var{src} into @var{dst}. Returns amount of output (0 or 1), or -1 on errors. @end deftypefun @deffn Macro BASE16_DECODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base16_decode_update}. @end deffn @deftypefun {int} base16_decode_update (struct base16_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to decode @var{src_length} bytes from @var{src}. @var{dst} should point to an area of size at least BASE16_DECODE_LENGTH(@var{src_length}). The amount of data generated is returned in *@var{dst_length}. Returns 1 on success and 0 on error. @end deftypefun @deftypefun {int} base16_decode_final (struct base16_decode_ctx *@var{ctx}) Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error. @end deftypefun @node Miscellaneous functions, Compatibility functions, ASCII encoding, Reference @comment node-name, next, previous, up @section Miscellaneous functions @deftypefun {void *} memxor (void *@var{dst}, const void *@var{src}, size_t @var{n}) XORs the source area on top of the destination area. The interface doesn't follow the Nettle conventions, because it is intended to be similar to the ANSI-C @code{memcpy} function. @end deftypefun @deftypefun {void *} memxor3 (void *@var{dst}, const void *@var{a}, const void *@var{b}, size_t @var{n}) Like @code{memxor}, but takes two source areas and separate destination area. @end deftypefun @deftypefun int memeql_sec (const void *@var{a}, const void *@var{b}, size_t @var{n}) Side-channel silent comparison of the @var{n} bytes at @var{a} and @var{b}. I.e., instructions executed and memory accesses are identical no matter where the areas differ, @pxref{Side-channel silence}. Return non-zero if the areas are equal, and zero if they differ. @end deftypefun These functions are declared in @file{}. For compatibility with earlier versions of Nettle, @code{memxor} and @code{memxor3} are also declared in @file{}. @node Compatibility functions, , Miscellaneous functions, Reference @comment node-name, next, previous, up @section Compatibility functions For convenience, Nettle includes alternative interfaces to some algorithms, for compatibility with some other popular crypto toolkits. These are not fully documented here; refer to the source or to the documentation for the original implementation. MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in @file{}. This file defines the typedef @code{MD5_CTX}, and declares the functions @code{MD5Init}, @code{MD5Update} and @code{MD5Final}. Eric Young's ``libdes'' (also part of OpenSSL) is a quite popular DES implementation. Nettle includes a subset if its interface in @file{}. This file defines the typedefs @code{des_key_schedule} and @code{des_cblock}, two constants @code{DES_ENCRYPT} and @code{DES_DECRYPT}, and declares one global variable @code{des_check_key}, and the functions @code{des_cbc_cksum} @code{des_cbc_encrypt}, @code{des_ecb2_encrypt}, @code{des_ecb3_encrypt}, @code{des_ecb_encrypt}, @code{des_ede2_cbc_encrypt}, @code{des_ede3_cbc_encrypt}, @code{des_is_weak_key}, @code{des_key_sched}, @code{des_ncbc_encrypt} @code{des_set_key}, and @code{des_set_odd_parity}. @node Nettle soup, Installation, Reference, Top @comment node-name, next, previous, up @chapter Traditional Nettle Soup For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. @itemize @w{} @item 1 liter fresh nettles (urtica dioica) @item 2 tablespoons butter @item 3 tablespoons flour @item 1 liter stock (meat or vegetable) @item 1/2 teaspoon salt @item a tad white pepper @item some cream or milk @end itemize Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper. Serve with boiled egg-halves. @c And the original Swedish version. @ignore Recept på nässelsoppa 4 portioner 1 l färska nässlor 2 msk smör 3 msk vetemjöl 1 l kött- eller grönsaksbuljong 1/2 tsk salt 1-2 krm peppar (lite grädde eller mjölk) Plocka 1 liter färska nässlor. Använd handskar! Helst små och späda skott, men topparna av större nässlor går också bra. Skölj nässlorna väl. Förväll dem ca 10 minuter i lätt saltat vatten. Häll av och spara spadet. Hacka nässlorna. Smält smöret, rör i mjöl och späd med buljong och nässelspad. Lägg i de hackade nässlorna. Om så önskas, häll i en skvätt mjölk eller grädde. Koka några minuter, och smaksätt med salt och peppar. Servera med kokta ägghalvor. @end ignore @node Installation, Index, Nettle soup, Top @comment node-name, next, previous, up @chapter Installation Nettle uses @command{autoconf}. To build it, unpack the source and run @example ./configure make make check make install @end example @noindent to install it under the default prefix, @file{/usr/local}. Using GNU make is strongly recommended. By default, both static and shared libraries are built and installed. To get a list of configure options, use @code{./configure --help}. Some of the more interesting are: @table @option @item --enable-fat Include multiple versions of certain functions in the library, and select the ones to use at run-time, depending on available processor features. Supported for ARM and x86_64. @item --enable-mini-gmp Use the smaller and slower ``mini-gmp'' implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are @strong{not} binary compatible with regular builds of Nettle, and more likely to leak side-channel information. @item --disable-shared Omit building the shared libraries. @item --disable-dependency-tracking Disable the automatic dependency tracking. You will likely need this option to be able to build with BSD make. @end table @node Index, , Installation, Top @comment node-name, next, previous, up @unnumbered Function and Concept Index @printindex cp @bye Local Variables: ispell-local-dictionary: "american" End: @c LocalWords: cryptographics crypto LSH GNUPG API GPL LGPL aes rijndael ller @c LocalWords: Sevilla arcfour RC Niels Dassen Colin Kuchling Biham sha Ruud @c LocalWords: Gutmann twofish de Rooij struct MB Rivest RFC Nettle's ECB CBC @c LocalWords: RSA Daemen Rijnmen Schneier DES's ede structs oddnesses HMAC @c LocalWords: NIST Alice's GMP bignum Diffie Adi Shamir Adleman Euclid's ASN @c LocalWords: PKCS callbacks Young's urtica dioica autoconf SSH tad @c LocalWords: unguessability reseeding reseed alternatingly keysym subkeys @c LocalWords: DSA gmp FIPS DSS libdes OpenSSL ARCTWO Josefsson Nikos Andreas @c LocalWords: Mavroyanopoulos Sigfridsson Comstedt interoperability Sparc IC @c LocalWords: DES FIXME Rivest's plaintext ciphertext CTR XORed timestamp @c LocalWords: XORs cryptologists libnettle libhogweed GCM ECDSA NTT @c LocalWords: toolkits BLOWFISH Möller RIPEMD libgcrypt PBKDF Shishi @c LocalWords: GnuTLS Gutmann's GOSTHASH GOST Aleksey Kravchenko ECC @c LocalWords: rhash Mavrogiannopoulos Keccak Bertoni @c LocalWords: Michaël Peeters Assche Dobbertin Antoon Bosselaers KDF @c LocalWords: Preneel rôle McGrew Viega KDFs PBKDFs passphrase PRF @c LocalWords: th deallocate pre bitsize multi lookup secp startup @c LocalWords: typedef typedef nettle-3.4.1/cfb.h0000644000175000017500000000464213401564746012761 0ustar nissenisse/* cfb.h Cipher feedback mode. Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CFB_H_INCLUDED #define NETTLE_CFB_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cfb_encrypt nettle_cfb_encrypt #define cfb_decrypt nettle_cfb_decrypt void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #define CFB_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CFB_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CFB_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CFB_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #ifdef __cplusplus } #endif #endif /* NETTLE_CFB_H_INCLUDED */ nettle-3.4.1/rsa-verify.c0000644000175000017500000000322613401564745014305 0ustar nissenisse/* rsa-verify.c Verifying RSA signatures. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" int _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s) { int res; mpz_t m1; if ( (mpz_sgn(s) <= 0) || (mpz_cmp(s, key->n) >= 0) ) return 0; mpz_init(m1); mpz_powm(m1, s, key->e, key->n); res = !mpz_cmp(m, m1); mpz_clear(m1); return res; } int _rsa_verify_recover(const struct rsa_public_key *key, mpz_t m, const mpz_t s) { if ( (mpz_sgn(s) <= 0) || (mpz_cmp(s, key->n) >= 0) ) return 0; mpz_powm(m, s, key->e, key->n); return 1; } nettle-3.4.1/nettle-meta-ciphers.c0000644000175000017500000000321113401564745016062 0ustar nissenisse/* nettle-meta-ciphers.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #undef nettle_ciphers const struct nettle_cipher * const nettle_ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, &nettle_cast128, &nettle_serpent128, &nettle_serpent192, &nettle_serpent256, &nettle_twofish128, &nettle_twofish192, &nettle_twofish256, &nettle_arctwo40, &nettle_arctwo64, &nettle_arctwo128, &nettle_arctwo_gutmann128, NULL }; const struct nettle_cipher * const * nettle_get_ciphers (void) { return nettle_ciphers; } nettle-3.4.1/sha3-256-meta.c0000644000175000017500000000224713401564745014314 0ustar nissenisse/* sha3-256-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" const struct nettle_hash nettle_sha3_256 = _NETTLE_HASH(sha3_256, SHA3_256); nettle-3.4.1/dsa-sha1-verify.c0000644000175000017500000000327313401564746015124 0ustar nissenisse/* dsa-sha1-verify.c The original DSA publickey algorithm, using SHA-1. Copyright (C) 2002, 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha1_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature) { return dsa_verify((const struct dsa_params *) key, key->y, SHA1_DIGEST_SIZE, digest, signature); } int dsa_sha1_verify(const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature) { uint8_t digest[SHA1_DIGEST_SIZE]; sha1_digest(hash, sizeof(digest), digest); return dsa_verify((const struct dsa_params *) key, key->y, sizeof(digest), digest, signature); } nettle-3.4.1/sexp.h0000644000175000017500000001352613401564746013207 0ustar nissenisse/* sexp.h Parsing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SEXP_H_INCLUDED #define NETTLE_SEXP_H_INCLUDED #include #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sexp_iterator_first nettle_sexp_iterator_first #define sexp_transport_iterator_first nettle_sexp_transport_iterator_first #define sexp_iterator_next nettle_sexp_iterator_next #define sexp_iterator_enter_list nettle_sexp_iterator_enter_list #define sexp_iterator_exit_list nettle_sexp_iterator_exit_list #define sexp_iterator_subexpr nettle_sexp_iterator_subexpr #define sexp_iterator_get_uint32 nettle_sexp_iterator_get_uint32 #define sexp_iterator_check_type nettle_sexp_iterator_check_type #define sexp_iterator_check_types nettle_sexp_iterator_check_types #define sexp_iterator_assoc nettle_sexp_iterator_assoc #define sexp_format nettle_sexp_format #define sexp_vformat nettle_sexp_vformat #define sexp_transport_format nettle_sexp_transport_format #define sexp_transport_vformat nettle_sexp_transport_vformat #define sexp_token_chars nettle_sexp_token_chars enum sexp_type { SEXP_ATOM, SEXP_LIST, SEXP_END }; struct sexp_iterator { size_t length; const uint8_t *buffer; /* Points at the start of the current sub expression. */ size_t start; /* If type is SEXP_LIST, pos points at the start of the current * element. Otherwise, it points at the end. */ size_t pos; unsigned level; enum sexp_type type; size_t display_length; const uint8_t *display; size_t atom_length; const uint8_t *atom; }; /* All these functions return 1 on success, 0 on failure */ /* Initializes the iterator. */ int sexp_iterator_first(struct sexp_iterator *iterator, size_t length, const uint8_t *input); /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, size_t length, uint8_t *input); int sexp_iterator_next(struct sexp_iterator *iterator); /* Current element must be a list. */ int sexp_iterator_enter_list(struct sexp_iterator *iterator); /* Skips the rest of the current list */ int sexp_iterator_exit_list(struct sexp_iterator *iterator); #if 0 /* Skips out of as many lists as necessary to get back to the given * level. */ int sexp_iterator_exit_lists(struct sexp_iterator *iterator, unsigned level); #endif /* Gets start and length of the current subexpression. Implies * sexp_iterator_next. */ const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, size_t *length); int sexp_iterator_get_uint32(struct sexp_iterator *iterator, uint32_t *x); /* Checks the type of the current expression, which should be a list * * ( ...) */ int sexp_iterator_check_type(struct sexp_iterator *iterator, const char *type); const char * sexp_iterator_check_types(struct sexp_iterator *iterator, unsigned ntypes, const char * const *types); /* Current element must be a list. Looks up element of type * * (key rest...) * * For a matching key, the corresponding iterator is initialized * pointing at the start of REST. * * On success, exits the current list. */ int sexp_iterator_assoc(struct sexp_iterator *iterator, unsigned nkeys, const char * const *keys, struct sexp_iterator *values); /* Output functions. What is a reasonable API for this? It seems * ugly to have to reimplement string streams. */ /* Declared for real in buffer.h */ struct nettle_buffer; /* Returns the number of output characters, or 0 on out of memory. If * buffer == NULL, just compute length. * * Format strings can contained matched parentheses, tokens ("foo" in * the format string is formatted as "3:foo"), whitespace (which * separates tokens but is otherwise ignored) and the following * formatting specifiers: * * %s String represented as size_t length, const uint8_t *data. * * %t Optional display type, represented as * size_t display_length, const uint8_t *display, * display == NULL means no display type. * * %i Non-negative small integer, uint32_t. * * %b Non-negative bignum, mpz_t. * * %l Literal string (no length added), typically a balanced * subexpression. Represented as size_t length, const uint8_t * *data. * * %(, %) Allows insertion of unbalanced parenthesis. * * Modifiers: * * %0 For %s, %t and %l, says that there's no length argument, * instead the string is NUL-terminated, and there's only one * const uint8_t * argument. */ size_t sexp_format(struct nettle_buffer *buffer, const char *format, ...); size_t sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args); size_t sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...); size_t sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args); #ifdef __cplusplus } #endif #endif /* NETTLE_SEXP_H_INCLUDED */ nettle-3.4.1/gcm-aes.c0000644000175000017500000000400013401564745013521 0ustar nissenisse/* gcm-aes.c Galois counter mode using AES as the underlying cipher. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "gcm.h" void gcm_aes_set_key(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key) { aes_set_encrypt_key (&ctx->cipher, length, key); gcm_set_key (&ctx->key, &ctx->cipher, (nettle_cipher_func *) aes_encrypt); } void gcm_aes_set_iv(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV(ctx, length, iv); } void gcm_aes_update(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE(ctx, length, data); } void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, aes_encrypt, length, dst, src); } void gcm_aes_decrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, aes_encrypt, length, dst, src); } void gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes_encrypt, length, digest); } nettle-3.4.1/shadata.c0000644000175000017500000000210113401564746013613 0ustar nissenisse#include #include static const unsigned primes[64] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311 }; int main(int argc, char **argv) { int i; static const double third = 1.0/3; printf("SHA-256 constants: \n"); for (i = 0; i < 64; ) { double root = pow(primes[i++], third); double fraction = root - floor(root); double value = floor(ldexp(fraction, 32)); printf("0x%08lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } printf("\nSHA-256 initial values: \n"); for (i = 0; i < 8; ) { double root = pow(primes[i++], 0.5); double fraction = root - (floor(root)); double value = floor(ldexp(fraction, 32)); printf("0x%08lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } return 0; } nettle-3.4.1/md5.c0000644000175000017500000000426713401564745012711 0ustar nissenisse/* md5.c The MD5 hash function, described in RFC 1321. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on public domain code hacked by Colin Plumb, Andrew Kuchling, and * Niels Möller. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md5.h" #include "macros.h" #include "nettle-write.h" void md5_init(struct md5_ctx *ctx) { const uint32_t iv[_MD5_DIGEST_LENGTH] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } #define COMPRESS(ctx, data) (_nettle_md5_compress((ctx)->state, (data))) void md5_update(struct md5_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } void md5_digest(struct md5_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= MD5_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); LE_WRITE_UINT64(ctx->block + (MD5_BLOCK_SIZE - 8), bit_count); _nettle_md5_compress(ctx->state, ctx->block); _nettle_write_le32(length, digest, ctx->state); md5_init(ctx); } nettle-3.4.1/cnd-copy.c0000644000175000017500000000260113401564746013727 0ustar nissenisse/* cnd-copy.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) { mp_limb_t mask, keep; mp_size_t i; mask = -(mp_limb_t) (cnd !=0); keep = ~mask; for (i = 0; i < n; i++) rp[i] = (rp[i] & keep) + (ap[i] & mask); } nettle-3.4.1/ChangeLog0000644000175000017500000133634613401564746013642 0ustar nissenisse2018-12-04 Niels Möller * Released nettle-3.4.1. 2018-11-28 Niels Möller * configure.ac: Update GMP check. Check for the function mpn_sec_div_r, available since GMP-6.0.0. * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of decrypted storage. Update test of rsa_decrypt, to allow clobbering of all of the passed in message area. * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around _pkcs1_sec_decrypt_variable. Improves side-channel silence of the only caller, rsa_decrypt. * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make dist. Patch from Simo Sorce. * rsa-internal.h: Add include of rsa.h. 2018-11-27 Niels Möller * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New local helper functions, with their own itch functions. (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to use helpers, for clarity. 2018-11-26 Niels Möller * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify selection of psize and qsize, and fix so that qsize is used. (test_main): Add outer loop, to test with more than one key. Deallocate storage before exiting. 2018-11-25 Niels Möller * testsuite/rsa-compute-root-test.c: Renamed, from ... * testsuite/rsa-sec-compute-root-test.c: ... old name. * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ... * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location. * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from... (rsa_sec_compute_root_tr): ... old name. Updated callers. (cnd_mpn_zero): Use a volatile-declared mask variable. * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix masking of most significant bits. * rsa-decrypt-tr.c (rsa_decrypt_tr): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE. * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak valgrind marking, and document potential leakage of lowest and highest bits of p and q. * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to mpz_sizeinbase, since that potentially leaks most significant bits of private key parameters a and b. * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix valgrind marking of return value. Merged below changes from Simo Sorce, to make RSA private key operations side-channel silent. 2018-11-08 Simo Sorce * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use _rsa_sec_compute_root. * testsuite/rsa-sec-compute-root-test.c: Add more tests for new side-channel silent functions. * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn, since that is required for one of the GMP calls in _rsa_sec_compute_root. * rsa-decrypt-tr.c: Switch to use side-channel silent functions. * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private function. Variable size version for backwards compatibility. * testsuite/rsa-sec-decrypt-test.c: Adds more tests. * rsa-sec-decrypt.c (rsa_sec_decrypt): New function. Fixed length side-channel silent version of rsa-decrypt. * testsuite/rsa-encrypt-test.c: add tests for the new fucntion. * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for _pkcs1_sec_decrypt. * gmp-glue.c (mpn_get_base256): New function. * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function. Fixed length side-channel silent version of pkcs1-decrypt. * cnd-memcpy.c (cnd_memcpy): New function. * memops.h: Declare it. * testsuite/cnd-memcpy-test.c: New test case. * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses _rsa_sec_compute_root, as well as side-channel silent RSA blinding. (rsa_compute_root_tr) Rewritten as a wrapper around rsa_sec_compute_root_tr. (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root) (cnd_mpn_zero): New helper functions. (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not side-channel silent wrapper around rsa_compute_root_tr, and the latter function left unchanged. * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch) (_rsa_sec_compute_root): New file, new private functions. Side-channel silent version of rsa_compute_root. * rsa-internal.h: New header file with declarations. * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro. 2018-11-24 Niels Möller * configure.ac: Bump package version to 3.4.1. (LIBNETTLE_MINOR): Bump library version to 6.5. (LIBHOGWEED_MINOR): Bump library version to 4.5. 2018-06-17 Niels Möller Backported from master branch. * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed by Dmitry Eremin-Solenikov. * testsuite/symbols-test: Exclude ____chkstk_darwin symbols, produced by Apple's Xcode 10 compiler. Patch contributed by Dominyk Tiller. 2018-02-18 Niels Möller Backported from master branch. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved pss-mgf1-test.c... (TS_HOGWEED_SOURCES): ...to here. Fixes link failure in builds without public-key support. 2018-01-16 Niels Möller Backported from master branch. * tools/pkcs1-conv.c (convert_file): Add missing break statements. 2018-10-10 Niels Möller Backported from master branch. * aes-set-encrypt-key.c: Add missing include of stdlib.h. * des-compat.c: Likewise. 2018-08-09 Niels Möller Backported from master branch. * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast between incompatible function types (which gcc-8 warns about). Wrappers are expected to compile to a single jmp instruction. * des-compat.c (des_compat_des3_encrypt) (des_compat_des3_decrypt): Change length argument type to size_t. 2017-11-19 Niels Möller * Released nettle-3.4. 2017-11-12 Niels Möller * configure.ac: Update check of GMP_NUMB_BITS declaration in assembly files. Was broken by rename of configure variable GMP_NUMB_BITS --> NUMB_BITS. 2017-11-11 Niels Möller * nettle.texinfo: Document nettle_get_hashes, nettle_get_ciphers and nettle_get_aeads, and replace nettle_secp_256r1 by nettle_get_secp_256r1. Update version numbers. Delete ancient setting of ispell-skip-region-alist as an emacs file-local variable. 2017-11-08 Niels Möller * ecc-curve.h (nettle_secp_192r1, nettle_secp_224r1) (nettle_secp_256r1, nettle_secp_384r1, nettle_secp_521r1): Delete macro wrappers, partially reverting below 2017-04-09 change. They didn't work at all for applications that only see a forward declaration of struct ecc_curve. Instead, we will have to make an ABI and API break and delete these symbols, when the size of struct ecc_curve is increased. 2017-11-05 Niels Möller * configure.ac Bump package version to 3.4. (LIBNETTLE_MINOR): Bump library version to 6.4. (LIBHOGWEED_MINOR): Bump library version to 4.4. 2017-10-23 Niels Möller * examples/Makefile.in (check): Also set DYLD_LIBRARY_PATH in the environment, to support Mac OSX shared libraries. * testsuite/Makefile.in (LD_LIBRARY_PATH): Likewise. 2017-10-23 Niels Möller Merge API fixes, starting at 2017-01-12. 2017-04-09 Niels Möller * ecc-curve.h (nettle_get_secp_192r1, nettle_get_secp_224r1) (nettle_get_secp_256r1, nettle_get_secp_384r1) (nettle_get_secp_521r1): New functions, returning a pointer to corresponding structure. (nettle_secp_192r1, nettle_secp_224r1, nettle_secp_256r1) (nettle_secp_384r1, nettle_secp_521r1): Redefined as macros, calling the corresponding function. * nettle-meta.h (nettle_ciphers, nettle_aeads, nettle_armors): New macros, analogous to below change to nettle_hashes. * nettle-meta-ciphers.c (nettle_get_ciphers): New function. * nettle-meta-aeads.c (nettle_get_aeads): New function. * nettle-meta-armors.c (nettle_get_armors): New function. 2017-01-12 Niels Möller * tools/nettle-hash.c (find_algorithm): Deleted function. (main): Replaced by call to nettle_lookup_hash. * testsuite/meta-hash-test.c (test_main): Use nettle_lookup_hash. * nettle-meta.h (nettle_hashes): New macro, expanding to a call to nettle_get_hashes. Direct access to the array causes the array size to leak into the ABI, since a plain un-relocatable executable linking with libnettle.so gets copy relocations for any referenced data items in the shared library. * nettle-meta-hashes.c (nettle_get_hashes): New function. 2017-10-16 Niels Möller CFB support, contributed by Dmitry Eremin-Solenikov. * cfb.c (cfb_encrypt, cfb_decrypt): New file, new functions. * cfb.h: New header file. (CFB_CTX, CFB_SET_IV, CFB_ENCRYPT, CFB_DECRYPT): New macros. * Makefile.in (nettle_SOURCES): Add cfb.c. (HEADERS): Add cfb.h. * testsuite/cfb-test.c: New test case. * testsuite/testutils.c (test_cipher_cfb): New function. * nettle.texinfo (CFB): Documentation. 2017-10-16 Niels Möller * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): Add -g when compiling with gcc. 2017-09-27 Niels Möller Merged armor-signedness branch, starting 2017-08-27. 2017-09-24 Niels Möller * tools/pkcs1-conv.c (base64_decode_in_place): New helper function. (decode_base64): Use it. * sexp-transport-format.c (base64_encode_in_place): New helper function. (sexp_transport_vformat): Use it. * testsuite/base64-test.c (test_fuzz_once): Update to use char type where appropriate. (test_main): Use helper functions base64_encode_in_place and base64_decode_in_place (copied to this file). * testsuite/testutils.c (tstring_data): Use uint8_t for data argument. * testsuite/testutils.h (SDATA): Use US macro to cast data argument. 2017-08-27 Niels Möller * base64-encode.c (base64_encode_raw, base64_encode_group) (base64_encode_single, base64_encode_update) (base64_encode_final): Change type of destination to char *. * base16-encode.c (base16_encode_single, base16_encode_update): Likewise. * base64-decode.c (base64_decode_single, base64_decode_update): Change type of source argument to const char *. Update (almost) all callers. * base16-decode.c (base16_decode_single, base16_decode_update): Likewise. * nettle-types.h (nettle_armor_encode_update_func) (nettle_armor_encode_final_func, nettle_armor_decode_update_func): Corresponding updates to typedefs. 2017-09-14 Niels Möller * hkdf.c: Delete unneeded includes. Use Nettle licensing notice. * hkdf.h: Include only nettle-types.h, not nettle-meta.h. * ecc-mod.c (ecc_mod): Workaround to silence a false positive from the clang static analyzer. 2017-09-12 Niels Möller * testsuite/testutils.h (mpn_zero_p): Avoid redefining mpn_zero_p when building with mini-gmp. Since the mini-gmp update, this function is defined by mini-gmp, causing link errors if nettle is configured with --enable-mini-gmp --disable-shared. Reported by Tim Rühsen. 2017-09-09 Daiki Ueno * testsuite/ecc-mul-g-test.c (test_main): Fixed mpn_cmp call. * testsuite/ecc-mul-a-test.c (test_main): Likewise. * eccdata.c (ecc_point_out): Write to given stream, instead of stderr. * eccdata.c (output_curve): In curve448, the bit size of the order is slightly smaller than the one of p's. Adjust ecc_Bmodq_shifted accordingly. 2017-09-09 Niels Möller * mini-gmp.c: Updated mini-gmp from the gmp repository, latest change from 2017-07-23. * mini-gmp.h: Likewise. 2017-09-06 Niels Möller * hkdf.c (hkdf_expand): Eliminate a (signed) ssize_t variable, use break rather than return at loop termination. 2017-09-06 Niels Möller HKDF implementation, contributed by Nikos Mavrogiannopoulos. * hkdf.c (hkdf_extract, hkdf_expand): New file, new functions. * hkdf.h: New file. * Makefile.in (nettle_SOURCES): Add hkdf.c. (HEADERS): Add hkdf.h. * testsuite/hkdf-test.c: Tests for hkdf-sha256 and hkdf-sha1. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added hkdf-test.c. * nettle.texinfo (Key derivation functions): Document HKDF. 2017-09-04 Andreas Schneider * fat-arm.c: Add missing define for _GNU_SOURCE. 2017-08-27 Niels Möller * configure.ac (GMP_NUMB_BITS): Set to dummy value "n/a" in mini-gmp builds. (NUMB_BITS): New substituted variable which always holds the configured value. * Makefile.in (GMP_NUMB_BITS): Renamed variable... (NUMB_BITS): ...new name * config.make.in: Update corresponding substitution. 2017-08-26 Niels Möller * ecc-mod-inv.c (ecc_mod_inv): Add missing assert. Fixes a "dead increment" warning from the clang static analyzer. 2017-08-26 Niels Möller * examples/nettle-openssl.c (struct openssl_cipher_ctx): New struct. Use everywhere, instead of typing EVP_CIPHER_CTX pointers directly. * configure.ac: Update openssl-related tests. Checks for cipher-specific headers are replaced by a check for openssl/evp.h, and the check for the BF_ecb_encrypt function is replaced by a check for EVP_CIPHER_CTX_new. 2017-08-03 Daniel P. Berrange * examples/nettle-openssl.c: Rewritten to use openssl's EVP APIs. The older cipher-specific functions always use openssl's generic software implementation, while the EVP functions enables platform-specific code, e.g., using the x86 AES-NI instructions. (nettle_openssl_init): New function. 2017-07-18 Niels Möller * ecc-add-eh.c (ecc_add_eh): Fix in-place operation by reordering two multiplies. Previously, in-place operation resulted in an invalid call to mpn_mul with overlapping operands. Reported by Sergei Trofimovich. 2017-06-09 Niels Möller * pss.c (pss_verify_mgf1): Check for m being too large, fixing an assertion failure for certain invalid signatures. Based on a patch contributed by Daiki Ueno. * testsuite/rsa-pss-sign-tr-test.c (test_main): Add test case contributed by Daiki Ueno. Problem originally found by oss-fuzz, see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132. That problem report is currently embargoed, but will hopefully be public in a month or two. 2017-05-23 Niels Möller Rework the previous change, which had the unintended effect of always regenerating .test-rules.make after ./configure is run. * testsuite/Makefile.in (test-rules.stamp): New stamp file target, depend on Makefile.in, and run $(MAKE) test-rules. (.test-rules.make): Add a level of indirection, by depending on test-rules.stamp. 2017-05-20 Niels Möller * testsuite/Makefile.in (test-rules): Use $(srddir)/-prefix for .test-rules.make target, and change dependency from Makefile.in to Makefile. 2017-05-17 Nikos Mavrogiannopoulos * testsuite/Makefile.in: Ensure .test-rules.make is regenerated when Makefile.in is modified. 2017-04-09 Niels Möller * testsuite/dlopen-test.c (main): Call dlclose, to fix memory leak on success. * testsuite/pss-test.c: Delete magic to let valgrind to check if pss_encode_mgf1 is side-channel silent with respect to the salt and digest inputs. It turns out that the most significant bits of the padded bignum, and hence its size, depends on these inputs. Which results in a data-dependent branch in the normalization code of at the end of gmp's mpz_import. 2017-04-04 Niels Möller * pss.c (pss_verify_mgf1): Use const for input mpz_t argument. (pss_encode_mgf1): Avoid unnecessary memset and xor operations. Merged RSA-PSS support, contributed by Daiki Ueno. * pss-mgf1.h, pss.h: New header files. * pss-mgf1.c (pss_mgf1): New file and function. * pss.c (pss_encode_mgf1, pss_verify_mgf1): New file and functions. * rsa-verify.c (_rsa_verify_recover): New function. * rsa-pss-sha256-sign-tr.c: (rsa_pss_sha256_sign_digest_tr): New file and function. * rsa-pss-sha256-verify.c (rsa_pss_sha256_verify_digest): New file and function. * rsa-pss-sha512-sign-tr.c (rsa_pss_sha384_sign_digest_tr) (rsa_pss_sha512_sign_digest_tr): New file and functions. * rsa-pss-sha512-verify.c (rsa_pss_sha384_verify_digest) (rsa_pss_sha512_verify_digest): New file and functions. * rsa.h: Prototypes for new functions. * testsuite/rsa-pss-sign-tr-test.c: New test case. * testsuite/pss-test.c: New test case. * testsuite/pss-mgf1-test.c: New test case. * Makefile.in, testsuite/Makefile.in: Added new files. * nettle.texinfo: Documentation of rsa-pss functions. 2017-03-20 Niels Möller * nettle-internal.h (NETTLE_MAX_HASH_CONTEXT_SIZE): New constant. * testsuite/meta-hash-test.c (test_main): Add sanity check for NETTLE_MAX_HASH_CONTEXT_SIZE. * tools/nettle-hash.c (list_algorithms): Also display the internal context size. 2017-01-03 Nikos Mavrogiannopoulos * ecdsa-verify.c (ecdsa_verify): Eliminated memory leak on error path. 2016-10-10 Niels Möller * write-be32.c (_nettle_write_be32): Use const for source argument. * write-le32.c (_nettle_write_le32): Likewise. * write-le64.c (_nettle_write_le64): Likewise. * nettle-write.h: Update prototypes. 2016-10-01 Niels Möller * Released nettle-3.3. 2016-09-13 Niels Möller * nettle-meta-hashes.c (nettle_hashes): Added SHA3 hashes. Reported missing by Thomas Walter. * testsuite/meta-hash-test.c: Update test accordingly. 2016-09-07 Niels Möller * nettle.texinfo (Elliptic curves): Split into sub-nodes. (Miscellaneous functions): Document memeql_sec. * NEWS: Mention memeql_sec. 2016-09-06 Niels Möller * NEWS: Update for 3.3. * configure.ac: Bump package version to 3.3. (LIBNETTLE_MINOR): Bump library version to 6.3. (LIBHOGWEED_MINOR): Bump library version to 4.3. 2016-09-05 Niels Möller * curve25519.h (NETTLE_CURVE25519_RFC7748): New preprocessor constant. * nettle.texinfo: Document it. 2016-09-03 Niels Möller * config.make.in (.SUFFIXES): Delete no longer used .p$(OBJEXT). * sexp.h (TOKEN_CHAR): Delete macro and declaration of sexp_token_chars. They belong in tools/misc.h, not here. * examples/ecc-benchmark.c (die): Deleted unused function. * testsuite/testutils.h (US): New macro, for unsigned string literals. (LDATA): Use the US macro, to eliminate pointer signedness warnings. * testsuite/eddsa-verify-test.c (test_eddsa): Use LDATA. * testsuite/pbkdf2-test.c (test_main): Likewise. * testsuite/pkcs1-test.c (test_main): Likewise. * testsuite/md5-compat-test.c (test_main): Use US macro. * testsuite/sexp-test.c (test_main): Use const char * for assoc keys. Overlooked in 2016-08-16 change. * testsuite/yarrow-test.c (test_main): Fix pointer signednesss warnings. * testsuite/sexp-format-test.c (test_main): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Likewise. * tools/nettle-lfib-stream.c (main): Likewise. * tools/output.c (sexp_put_string): Likewise. * testsuite/testutils.c (test_armor): Change ascii argument to const char *. * testsuite/base16-test.c (test_main): Use LDATA for the non-ascii argument to test_armor. * testsuite/base64-test.c (test_main): Likewise. * tools/nettle-pbkdf2.c (main): Fix some pointer signedness warning. * tools/nettle-hash.c (hash_file): Likewise. * examples/rsa-decrypt.c (process_file): Use memeql_sec to check the digest. * memeql-sec.c (memeql_sec): New public function, moved from... * ccm.c (memeql_sec): ... previous location. * memops.h: New header file, generalizing memxor.h. * testsuite/memeql-test.c (test_main): New test case. (memeql_sec_for_test): Wrapper to get valgrind to check for side-channel silence. 2016-08-29 Niels Möller * sexp-format.c (strlen_u8): New helper function. (sexp_vformat): Use uint8_t * for strings instead of char *. 2016-08-16 Niels Möller * examples/io.c (hash_file): Use uint8_t for buffer. * sexp.c (sexp_iterator_check_type, sexp_iterator_check_types) (sexp_iterator_assoc): Use const char * for caller's expression types. Updated all callers. * rsa2openpgp.c (rsa_keypair_to_openpgp): Added cast to const uint8_t *. * pgp-encode.c (write_string): New helper function, replacing... (WRITE): ... deleted macro. * examples/io.c (write_data): Renamed, and use const void * for the input data. Updated all callers. (write_string): ... old name. (write_file): Use const void * for the input data. 2016-08-05 Niels Möller * examples/hogweed-benchmark.c: Use uint8_t for curve25519 values. (bench_rsa_init): Use unsigned char for sexp strings. (bench_dsa_init): Likewise. (hash_string): Delete length argument, calling strlen instead. Cast string to const uint8_t *. Updated callers. * examples/io.c (read_file): Use size_t for sizes, and uint8_t for the contents. 2016-08-04 Niels Möller * dsa-sign.c (dsa_sign): Return failure if p is even, so that an invalid key doesn't result in a crash inside mpz_powm_sec. * rsa-sign-tr.c (rsa_compute_root_tr): Return failure if any of p, q or n is even, to avoid crashing inside mpz_powm_sec. Invalid keys with even modulo are rejected by rsa_public_key_prepare and rsa_private_key_prepare, but some applications, notably gnutls, don't use them. 2016-07-31 Niels Möller * rsa.c (_rsa_check_size): Check that n is odd. Otherwise, using an invalid key may crash in mpz_powm_sec. Problem reported by Hanno Böck. 2016-07-13 Niels Möller * bignum.c (nettle_mpz_from_octets): Unconditionally use mpz_import. * gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): Deleted compatibility definitions for older versions of GMP. * gmp-glue.h (mpn_sqr): Deleted compatibility definition. * testsuite/testutils.c (mpz_combit): Deleted compatibility definition. 2016-07-12 Niels Möller * configure.ac: Check for mpz_powm_sec, and require GMP-5.0 or later. * bignum.h (mpz_powm_sec): Fall back to plain mpz_powm for mini-gmp build. * dsa-sign.c (dsa_sign): Use mpz_powm_sec. * rsa-sign.c (rsa_compute_root): Likewise. * rsa-sign-tr.c (rsa_blind, rsa_compute_root_tr): Likewise. * rsa-blind.c (_rsa_blind): Likewise. 2016-05-02 Niels Möller * nettle.texinfo: Update Curve25519 documentation. * testsuite/curve25519-dh-test.c: Test that inputs bits which must be ignored really are ignored. 2016-04-25 Niels Möller * curve25519-mul.c (curve25519_mul): Ignore top bit of the input x coordinate, as required by RFC 7748. 2016-03-30 Niels Möller From Nikos Mavrogiannopoulos. * configure.ac: Change dll names to follow the libtool convention with only major version number in the name. 2016-03-15 Niels Möller * twofish.c (gf_multiply): Change return value to uint32_t, to make shifting of the return value well defined, without any type casts. Fixes an undefined shift in compute_s, reported by Nikos Mavrogiannopoulos. (h_byte): Deleted type casts. * blowfish.c (blowfish_encrypt, blowfish_decrypt): Use READ_UINT32 macro. Fixes an undefined shift, reported by Nikos Mavrogiannopoulos. From Nikos Mavrogiannopoulos. * configure.ac (HOGWEED_EXTRA_SYMBOLS): Add "mp_*", when building with mini-gmp. * des.c (des_weak_p): Check that the hash value is in the proper range before using it. Fixes an out-of-bounds read. 2016-03-14 Niels Möller * getopt.c (_getopt_internal_r): Fix c99-ism, move declarations to top of block. Reported by Henrik Grubbström. 2016-02-16 Niels Möller * tools/input.c (sexp_get_string_length): Process advanced string syntax only when in advanced mode. Fixes an assertion failure reported by Hanno Böck, for input where advanced syntax is improperly wrapped inside transport syntax. * tools/parse.c (sexp_parse): Fail with an error message for unexpected ']' characters. Fixes crash reported by Hanno Böck. Also handle SEXP_DISPLAY (internal error) explicitly, without a default clause. 2016-01-28 Niels Möller * Released nettle-3.2. 2016-01-26 Niels Möller * tools/nettle-pbkdf2.c (main): Fix handling of unrecognized options. Bug reported by Dongsheng Zhang. Display usage message and exit non-zero. Also added "Usage: "-prefix to the message. * tools/nettle-hash.c (usage): New function, extracted from main. (main): Analogous fix for unrecognized options. 2016-01-23 Niels Möller * nettle.texinfo: Set UPDATED-FOR to 3.2. 2016-01-21 Niels Möller * .gitlab-ci.yml: New file. Configuration for gitlab's continuous integration system. 2016-01-20 Niels Möller * testsuite/dlopen-test.c (main): Mark arguments as UNUSED. * testsuite/Makefile.in (clean): Delete dlopen-test. * configure.ac: Bump package version, to nettle-3.2. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to libnettle.so.6.2 and and libhogweed.so.4.2. 2016-01-10 Niels Möller * base64-encode.c (encode_raw): Use const uint8_t * for the alphabet argument. * nettle.texinfo (RSA): Document the rsa_pkcs1_verify and rsa_pkcs1_sign functions, and the new rsa_*_tr functions. 2015-12-18 Niels Möller * testsuite/testutils.h: Fix include order, system headers before nettle headers. Always include version.h, needed by version-test.c. It was included indirectly via bignum.h, but only if configured with publickey support. * configure.ac (IF_DLOPEN_TEST): Fixed shell conditional. * testsuite/ecc-mod-test.c (test_main): Handle random seeding if NETTLE_TEST_SEED is set in the environment. 2015-12-15 Niels Möller * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem reported by Hanno Böck. Simplified the folding to always use non-negative carry, the old code attempted to add in a carry which could be either positive or negative, but didn't get that case right. 2015-12-10 Niels Möller * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem reported by Hanno Böck. (ecc_256_modq): Fixed another carry propagation bug. 2015-11-23 Niels Möller * nettle.texinfo: Document rsa_encrypt, rsa_decrypt and rsa_decrypt_tr. Text contributed by Andy Lawrence. 2015-11-15 Niels Möller * rsa.h (_rsa_blind, _rsa_unblind): Mark as deprecated. 2015-09-17 Niels Möller * rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New file, new functions. * rsa-sha1-sign-tr.c (rsa_sha1_sign_tr, rsa_sha1_sign_digest_tr): Likewise. * rsa-sha256-sign-tr.c (rsa_sha256_sign_tr) (rsa_sha256_sign_digest_tr): Likewise. * rsa-sha512-sign-tr.c (rsa_sha512_sign_tr) (rsa_sha512_sign_digest_tr): Likewise. * rsa.h: Added corresponding prototypes. * Makefile.in (hogweed_SOURCES): Added new files. * testsuite/testutils.c (SIGN): Extend macro to test new functions, and the rsa_*_sign_digest functions. Updated callers. 2015-09-14 Niels Möller * rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr. Mainly for simplicity and consistency, I'm not aware of any CRT fault attacks on RSA decryption. * testsuite/rsa-encrypt-test.c (test_main): Added test with invalid private key. * rsa-sign-tr.c (rsa_compute_root_tr): New file and function. * rsa.h: Declare it. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Use rsa_compute_root_tr. (rsa_verify_res): Deleted, replaced by rsa_compute_root_tr. * testsuite/rsa-sign-tr-test.c (test_rsa_sign_tr): Check that signature argument is unchanged on failure. * Makefile.in (hogweed_SOURCES): Added rsa-sign-tr.c. 2015-09-07 Niels Möller * testsuite/rsa-sign-tr-test.c: Drop include of nettle-internal.h. (test_main): Fix incorrect use of sizeof, and use LDATA macro. From Nikos Mavrogiannopoulos. * rsa-pkcs1-sign-tr.c (rsa_verify_res): New function. (rsa_pkcs1_sign_tr): Check result of private key operation, to protect against hardware or software errors leaking the private key. * testsuite/rsa-sign-tr-test.c: New testcase. 2015-09-06 Niels Möller * nettle.texinfo: Updated SHA3 documentation. 2015-09-02 Niels Möller * testsuite/dlopen-test.c: New test program, exposing the problem with ifunc and RTLD_NOW. * testsuite/Makefile.in (TS_ALL): Conditionally add dlopen-test. (SOURCES): Added dlopen-test.c. (dlopen-test): New target, unlike other test programs, *not* linked with -lnettle. * configure.ac: Check for dlfcn.h and the dlopen function. (IF_DLOPEN_TEST): New substituted variable, true if dlopen is available and we are building a shared library. * fat-setup.h: Disable use of ifunc, since it breaks dlopen with RTLD_NOW. 2015-08-25 Niels Möller * NEWS: Started on entries for Nettle-3.2. * sha3.h (NETTLE_SHA3_FIPS202): New preprocessor constant. 2015-08-24 Niels Möller * testsuite/sha3.awk: Document origin of test vectors. From Nikos Mavrogiannopoulos. * sha3.c (_sha3_pad): Update for NIST version. * testsuite/sha3-224-test.c: Updated test vectors. * testsuite/sha3-256-test.c: Likewise. * testsuite/sha3-384-test.c: Likewise. * testsuite/sha3-512-test.c: Likewise. 2015-06-03 Niels Möller * arm/neon/chacha-core-internal.asm: New file. 55% speedup over C version on Cortex-A9. 2015-05-19 Niels Möller * configure.ac: ABI detection (n32 or n64) on Irix, and appropriate default for libdir. Patch from Klaus Ziegler. 2015-05-12 Niels Möller * version.c (nettle_version_major, nettle_version_minor): New file. New functions, returning the value of the corresponding preprocessor constant. * Makefile.in (nettle_SOURCES): Added version.c. * testsuite/version-test.c: New testcase. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added version-test.c. 2015-04-29 Niels Möller * arm/v6/sha256-compress.asm: Fix syntax error in offset addressing. Spotted by Jukka Ukkonen. * arm/v6/aes-decrypt-internal.asm: Drop %-prefix on r12 register. * arm/v6/aes-encrypt-internal.asm: Likewise. 2015-04-24 Niels Möller * Released nettle-3.1.1. * configure.ac: Bump package version, to nettle-3.1.1. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to libnettle.so.6.1 and and libhogweed.so.4.1. 2015-04-22 Niels Möller * x86_64/gcm-hash8.asm: Use ".value" instead of ".short", since the latter is not supported by the Sun/Oracle assembler. 2015-04-13 Niels Möller * configure.ac: Fix shell quoting in test of GMP_NUMB_BITS asm compatibility. Reported by Edward Sheldrake. 2015-04-07 Niels Möller * Released nettle-3.1. 2015-03-31 Niels Möller * x86_64/ecc-224-modp.asm: Require that GMP_NUMB_BITS == 64. * x86_64/ecc-521-modp.asm: Likewise. Note that the other ecc-*-modp.asm files happen to work fine on x86_64, with either 32 or 64 bits. * asm.m4 (GMP_NUMB_BITS): New macro, expanding to nothing. * configure.ac: Move tests for compiler characteristics, libraries, and GMP_NUMB_BITS, before assembler-related tests. For files in $asm_hogweed_optional_list, check if they declare a GMP_NUMB_BITS requirement, and skip files which are incompatible with the configuration. Needed for --enable-mini-gmp om w64. * Makefile.in (clean-here): Unconditionally delete *.a (including stub libraries like *.dll.a). 2015-03-30 Niels Möller * version.h.in (GMP_NUMB_BITS) [NETTLE_USE_MINI_GMP]: Move definition here (uses configure substitution). * bignum.h (GMP_NUMB_BITS): ...old location. * nettle.texinfo: Updated version number. (Installation): Document some more configure options. * testsuite/symbols-test: Look for NETTLE_USE_MINI_GMP in version.h, not bignum.h. Allow leading underscore on mini-gmp symbols. 2015-03-26 Niels Möller * Makefile.in (PRE_CPPFLAGS): Drop -I$(srcdir), no longer needed. (HEADERS): Added bignum.h. Removed version.h. (INSTALL_HEADERS): Added version.h. (DISTFILES): Removed bignum.h.in. (bignum.h): Deleted make target. (distclean-here): Don't delete bignum.h. * configure.ac: No longer generate bignum.h. * bignum.h: Renamed. Removed substitution of NETTLE_USE_MINI_GMP, and include version.h instead. * bignum.h.in: ... old name. * version.h.in (NETTLE_USE_MINI_GMP): Substitute here. 2015-03-25 Niels Möller * configure.ac (MAJOR_VERSION, MINOR_VERSION): Tweak sed expressions, to tolerate version suffixes. * Makefile.in (distdir): Include assembly files from the new x86_64/aesni, x86_64/fat, and arm/fat directories. * ed25519-sha512-pubkey.c: Fix stack overwrite. The digest array must have room for a complete sha512 digest. 2015-03-19 Niels Möller * Makefile.in (OPT_HOGWEED_SOURCES): Deleted make variable. (nettle_SOURCES, hogweed_SOURCES): Don't include optional sources here. (OPT_SOURCES): New variable. (SOURCES): Include OPT_SOURCES. (DISTFILES): Drop mini-gmp.c here, included via OPT_SOURCES. (nettle_OBJS, hogweed_OBJS): Add the object files corresponding to the optional source files included in the build. * ecc-curve.h (nettle_curve25519): Removed public declaration. * ecc-internal.h (_nettle_curve25519): New location, new name. Updated all users. * nettle.texinfo: Updated EdDSA documentation. * Makefile.in (DISTFILES): Added version.h.in, libnettle.map.in, and libhogweed.map.in (latter two patch by Nikos). (version.h): New make target. (distclean-here): Added version.h, libnettle.map, and libhogweed.map. From Nikos Mavrogiannopoulos. * configure.ac (MAJOR_VERSION, MINOR_VERSION): New substituted variables. * version.h.in: New file, defining version numbers. 2015-03-18 Niels Möller EdDSA interface change, use plain strings to represent keys. * eddsa.h (_ED25519_LIMB_SIZE): Deleted constant. (struct ed25519_private_key, ed25519_public_key): Deleted. * eddsa-expand.c (_eddsa_expand_key): Don't compute the public key. (_eddsa_expand_key_itch): Deleted function. * eddsa-pubkey.c (_eddsa_public_key, _eddsa_public_key_itch): New file, new functions. * ed25519-sha512-pubkey.c (ed25519_sha512_public_key): New file and function. * ed25519-sha512-verify.c (ed25519_sha512_set_public_key): Deleted function. (ed25519_sha512_verify): Use a string to represent the public key. * ed25519-sha512-sign.c (ed25519_sha512_set_private_key): Deleted function. (ed25519_sha512_sign): Use strings for the input key pair. * Makefile.in (hogweed_SOURCES): Added eddsa-pubkey.c and ed25519-sha512-pubkey.c. * testsuite/eddsa-sign-test.c (test_eddsa_sign): Adapt to _eddsa_expand_key changes, and use _eddsa_public_key. * testsuite/ed25519-test.c (test_one): Test ed25519_sha512_public_key, and adapt to new ed25519 interface. 2015-03-14 Niels Möller * ccm.c (memeql_sec): New function, more side-channel silent than memcmp. (ccm_decrypt_message): Use it. 2015-03-12 Niels Möller * base64.h (struct base64_encode_ctx): Micro optimization of struct layout, saving a few bytes. (struct base64_decode_ctx): Likewise. * base16.h (struct base16_decode_ctx): Likewise. * nettle.texinfo (ASCII encoding): Document base64url functions. 2015-03-10 Niels Möller * nettle.texinfo: Update documentation of curve25519_mul. Say that the output is undefined for points belonging to the twist rather than the proper curve. * curve25519-mul.c (curve25519_mul): Changed return type to void. * curve25519.h (curve25519_mul): Updated prototype. * examples/hogweed-benchmark.c (bench_curve25519_mul): Drop check of curve25519_mul return value. * testsuite/curve25519-dh-test.c (test_a): Likewise. 2015-02-26 Niels Möller * nettle.texinfo: Document curve25519 and eddsa. 2015-02-10 Niels Möller * base64url-meta.c (nettle_base64url): New file. * nettle-meta.h (nettle_base64url): Declare it. * nettle-meta-armors.c (nettle_armors): Added nettle_base64url. * testsuite/meta-armor-test.c: Updated testcase. * testsuite/base64-test.c (test_main): Additional tests, using nettle_base64url. * Makefile.in (nettle_SOURCES): Added base64url-meta.c. Base-64 generalization to support RFC4648 URL safe alphabet, contributed by Amos Jeffries. * base64url-decode.c (base64url_decode_init): New file and function. * base64url-encode.c (base64url_encode_init): New file and function. * Makefile.in (nettle_SOURCES): Added base64url-encode.c and base64url-decode.c. * base64.h: Declare new functions. * testsuite/base64-test.c (test_fuzz): Test base64url encoding and decoding. * base64.h (struct base64_encode_ctx): Added pointer to alphabet. (struct base64_decode_ctx): Added pointer to decoding table. * base64-decode.c (base64_decode_init): Initialize table pointer. Moved definition of table to local scope. (base64_decode_single): Use the context's decoding table. * base64-encode.c (ENCODE): Added alphabet argument. Updated all uses. (encode_raw): New static function, like base64_encode_raw but with an alphabet argument. (base64_encode_raw): Call encode_raw. (base64_encode_init): Initialize alphabet pointer. (base64_encode_single, base64_encode_update, base64_encode_final): Use the context's alphabet. 2015-02-09 Niels Möller * base64-encode.c (base64_encode): Deleted old #if:ed out function. * testsuite/base64-test.c (test_fuzz_once, test_fuzz): Additional tests, based on contribution by Amos Jeffries. 2015-02-05 Niels Möller * configure.ac (LIBHOGWEED_MAJOR): Undo latest bump, 4 should be enough (previous release, nettle-3.0, used 3). 2015-01-30 Niels Möller Update chacha-poly1305 for draft-irtf-cfrg-chacha20-poly1305-08. * chacha-poly1305.h (CHACHA_POLY1305_NONCE_SIZE): Increase to 12 bytes, i.e., CHACHA_NONCE96_SIZE. * chacha-poly1305.c (chacha_poly1305_set_nonce): Use chacha_set_nonce96. (poly1305_pad): New function. (chacha_poly1305_encrypt): Use poly1305_pad. (chacha_poly1305_digest): Call poly1305_pad, and format length fields as a single poly1305 block. * chacha-set-nonce.c (chacha_set_nonce96): New function. * chacha.h (CHACHA_NONCE96_SIZE): New constant. * testsuite/chacha-test.c: Add test for chacha with 96-bit nonce. 2015-01-27 Niels Möller * ecc.h: Deleted declarations of unused itch functions. Moved declarations of internal functions to... * ecc-internal.h: ...new location. Also added a leading under score on the symbols. (ecc_a_to_j, ecc_j_to_a, ecc_eh_to_a, ecc_dup_jj, ecc_add_jja) (ecc_add_jjj, ecc_dup_eh, ecc_add_eh, ecc_add_ehh, ecc_mul_g) (ecc_mul_a, ecc_mul_g_eh, ecc_mul_a_eh): Affected functions. 2015-01-26 Niels Möller * ecc-add-eh.c (ecc_add_eh_itch): Deleted. * ecc-add-ehh.c (ecc_add_ehh_itch): Deleted. * ecc-add-jja.c (ecc_add_jja_itch): Deleted. * ecc-add-jjj.c (ecc_add_jjj_itch): Deleted. * ecc-dup-eh.c (ecc_dup_eh_itch): Deleted. * ecc-dup-jj.c (ecc_dup_jj_itch): Deleted. * ecc-eh-to-a.c (ecc_eh_to_a_itch): Deleted. * ecc-j-to-a.c (ecc_j_to_a_itch): Deleted. * ecc-mul-a-eh.c (ecc_mul_a_eh_itch): Deleted. * ecc-mul-a.c (ecc_mul_a_itch): Deleted. * ecc-mul-g-eh.c (ecc_mul_g_eh_itch): Deleted. * ecc-mul-g.c (ecc_mul_g_itch): Deleted. 2015-01-25 Niels Möller * arm/fat/sha1-compress-2.asm: New file. * arm/fat/sha256-compress-2.asm: Likewise. * fat-arm.c (fat_init): Setup for use of additional v6 assembly functions. * sha1-compress.c: Prepare for fat build with C and assembly implementations. * sha256-compress.c: Likewise. * fat-setup.h (sha1_compress_func, sha256_compress_func): New typedefs. * configure.ac (asm_nettle_optional_list): Added sha1-compress-2.asm and sha256-compress-2.asm, and corresponding HAVE_NATIVE_*. From Martin Storsjö: * arm: Add .arch directives for armv6. This allows building these files as part of a fat build, even if the assembler by default targets a lower architecture version. 2015-01-23 Niels Möller * fat-setup.h (DEFINE_FAT_FUNC): Check value of function pointer, before calling fat_init. Should be correct even without memory barrier. * fat-x86_64.c (fat_init): Deleted static variable initialized. The checks of the relevant pointer in DEFINE_FAT_FUNC is more robust. * fat-arm.c (fat_init): Likewise. 2015-01-21 Niels Möller * fat-arm.c (fat_init): Setup for use of neon assembly functions. * arm/fat/salsa20-core-internal-2.asm: New file. * arm/fat/sha3-permute-2.asm: New file. * arm/fat/sha512-compress-2.asm: New file. * arm/fat/umac-nh-2.asm: New file. * arm/fat/umac-nh-n-2.asm: New file. * salsa20-core-internal.c: Prepare for fat build with C and assembly implementations. * sha512-compress.c: Likewise. * sha3-permute.c: Likewise. * umac-nh.c: Likewise. * umac-nh-n.c: Likewise. * configure.ac (asm_nettle_optional_list): Added more *-2.asm files, and corresponding HAVE_NATIVE_* defines. Recognize PROLOGUE macro in asm files, also when not at the start of the line. 2015-01-20 Niels Möller * fat-arm.c (get_arm_features): Check NETTLE_FAT_OVERRIDE environment variable. * fat-x86_64.c (get_x86_features): New function. Check NETTLE_FAT_OVERRIDE environment variable. (fat_init): Use it. * fat-setup.h (secure_getenv) [!HAVE_SECURE_GETENV]: Dummy definition, returning NULL. (ENV_OVERRIDE): New constant. * configure.ac: Check for secure_getenv function. 2015-01-19 Niels Möller * configure.ac: Fat library setup for arm. * fat-arm.c: New file. * arm/fat/aes-encrypt-internal.asm: New files. * arm/fat/aes-encrypt-internal-2.asm: New file. * arm/fat/aes-decrypt-internal.asm: New file. * arm/fat/aes-decrypt-internal-2.asm: New file. * Makefile.in (DISTFILES): Added fat-setup.h. * fat-setup.h: New file, declarations moved from... * fat-x86_64.c: ... old location 2015-01-17 Niels Möller * fat-x86_64.c (DECLARE_FAT_FUNC, DEFINE_FAT_FUNC) (DECLARE_FAT_FUNC_VAR): New macros, to define needed resolver and wrapper functions. * config.m4.in (SYMBOL_PREFIX): Define from from autoconf ASM_SYMBOL_PREFIX. (C_NAMS): move definition to... * asm.m4 (C_NAME): Define here, also take fat_transform. (fat_suffix): Replaced by... (fat_transform): New macro, taking symbol name as argument. Updated all uses of fat_suffix. * fat-x86_64.c: Updated for internal "_nettle" prefix on cpu-specific memxor functions. * fat-x86_64.c: Set up for sse2 vs non-sse2 memxor. Patch by Nikos Mavrogiannopoulos. * configure.ac (asm_nettle_optional_list): Added memxor-2.asm. * x86_64/fat/memxor-2.asm: New file. * x86_64/fat/memxor.asm: New file. * x86_64/memxor.asm: Use ifdef, not ifelse, for testing USE_SSE2. 2015-01-16 Niels Möller * configure.ac (OPT_NETTLE_SOURCES): New substituted variable. (asm_path): Fixed x86_64 fat setup. Include only x86_64 and x86_64/fat in the asm_path. Put fat-x86_64.c in OPT_NETTLE_SOURCES, with no symlinking. * fat-x86_64.c: Renamed,... * x86_64/fat/fat.c: ... from old name. 2015-01-13 Niels Möller * x86_64/fat/fat.c: For constructor hack, check HAVE_GCC_ATTRIBUTE, not __GNUC__. Also support sun compilers, as suggested by Nikos Mavrogiannopoulos, and attch the constructor attribute directly to fat_init. (fat_constructor): Deleted wrapper function. * x86_64/fat/fat.c: New file, initialization for x86_64 fat library. * x86_64/fat/cpuid.asm (_nettle_cpuid): New file and function. * x86_64/fat/aes-encrypt-internal.asm: New file, including x86_64/aes-encrypt-internal.asm, after setting fat_suffix to _x86_64. * x86_64/fat/aes-decrypt-internal.asm: New file, analogous setup. * x86_64/fat/aes-encrypt-internal-2.asm: New file, including x86_64/aesni/aes-encrypt-internal.asm, after setting fat_suffix to _aesni. * x86_64/fat/aes-decrypt-internal.asm-2: New file, analogous setup. * configure.ac: New command line option --enable-fat. (asm_nettle_optional_list): Added cpuid.asm, fat.c, aes-encrypt-internal-2.asm, and aes-decrypt-internal-2.asm. * asm.m4 (fat_suffix): New suffix added to symbol names. * x86_64/aesni/aes-encrypt-internal.asm: Use explicit .byte sequences for aes instructions, don't rely on assembler support. * x86_64/aesni/aes-decrypt-internal.asm: Likewise. * aclocal.m4 (NETTLE_CHECK_IFUNC): New macro, checking for ifunc and settting HAVE_LINK_IFUNC if working. * configure.ac: Use it. 2015-01-12 Niels Möller * asm.m4 (DECLARE_FUNC): New macro, extracted from PROLOGUE. (PROLOGUE): Use it. * configure.ac (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Renamed substituted variables, and list the object files rather than source files. (OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES): ...Old names. * Makefile.in (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Use new variables. 2015-01-11 Niels Möller * x86_64/aesni/aes-decrypt-internal.asm: New file. * x86_64/aesni/aes-encrypt-internal.asm: New file. * configure.ac: New configure flag --enable-x86-aesni. * aclocal.m4 (LSH_RPATH_INIT): Handle freebsd, in the same way as gnu/linux, with -Wl,-rpath,. Merged memxor-reorg changes, starting at 2014-10-23. 2015-01-10 Niels Möller * arm/memxor.asm (memxor3): Moved to new file. * arm/memxor3.asm: New file. 2014-11-24 Niels Möller * x86_64/memxor3.asm (memxor3): New file, code moved from old memxor.asm. * x86_64/memxor.asm (memxor): Rewritten, no longer jumps into memxor3. * configure.ac (asm_replace_list): Added memxor.asm and memxor3.asm. 2014-10-23 Niels Möller * configure.ac (IF_ASM): New substituted variable. * testsuite/Makefile.in (VALGRIND): Allow partial loads only when build includes assembly files. * memxor-internal.h (READ_PARTIAL): New macro. * memxor.c (memxor_different_alignment): Avoid out-of-bounds reads, corresponding to valgrind's --partial-loads-ok. Use READ_PARTIAL. * memxor3.c: Analogous changes for unaligned operations. * configure.ac (asm_replace_list): Deleted memxor.asm, now incompatible with the memxor/memxor3 split. * memxor3.c: New file, split off from memxor.c. * memxor-internal.h: New file, declarations shared by memxor.c and memxor3.c. * memxor.c: memxor3 functions moved out from this file. * Makefile.in (nettle_SOURCES): Added memxor3.c. (DISTFILES): Added memxor-internal.h. * memxor.c (memxor_common_alignment, memxor_different_alignment) (memxor): Change loop order, iterate from the end. (memxor3_common_alignment): Unroll twice. (word_t): On x86_64, unconditionally define as uint64_t, to get 64 bits also in M$ windows. Replaced all uses of SIZEOF_LONG. 2014-12-12 Niels Möller * cbc.h (CBC_ENCRYPT, CBC_DECRYPT): Make type-checking hack stricter, warn if type of length argument is smaller than size_t. * ctr.h (CTR_CRYPT): Likewise. * eax.h (EAX_SET_KEY, EAX_SET_NONCE, EAX_UPDATE, EAX_ENCRYPT) (EAX_DECRYPT, EAX_DIGEST): Likewise. * gcm.h (GCM_SET_KEY, GCM_ENCRYPT, GCM_DECRYPT, GCM_DIGEST): Likewise. 2014-12-08 Niels Möller * aclocal.m4 (LD_VERSION_SCRIPT): Linker scripts no longer located in the source tree. * configure.ac (LIBNETTLE_MAJOR): Bump major number, now 6. (LIBHOGWEED_MAJOR): Bump major number, now 5. From Nikos Mavrogiannopoulos. Support for versioned symbols. * aclocal.m4 (LD_VERSION_SCRIPT): New macro. Substitute EXTRA_LINKER_FLAGS and EXTRA_HOGWEED_LINKER_FLAGS. * configure.ac: Use LD_VERSION_SCRIPT. Generate libnettle.map and libhogweed.map. (HOGWEED_EXTRA_SYMBOLS): New substituted variable. * libnettle.map.in: New file, libnettle.so linker script * libhogweed.map.in: New file, libhogweed.so linker script. * Makefile.in ($(LIBNETTLE_FORLINK)): Use EXTRA_LINKER_FLAGS. ($(LIBHOGWEED_FORLINK)): Use EXTRA_HOGWEED_LINKER_FLAGS. 2014-11-24 Niels Möller * gcm.h (GCM_SET_KEY): Rename macro argument KEY to avoid collision with a struct tag. Spotted by Nikos Mavrogiannopoulos. * testsuite/eddsa-verify-test.c (test_eddsa): Fixed test case bug, showing up as use of uninitialized data with valgrind. 2014-10-23 Niels Möller * examples/nettle-benchmark.c (time_memxor): Allocate buffers as arrays of unsigned long, for more reliable alignment. 2014-10-22 Niels Möller * configure.ac: Check for getline function. * testsuite/ed25519-test.c (getline) [!HAVE_GETLINE]: Fallback definition. * Makefile.in (clean-here): Unconditionally delete .so and .dll files. (IMPLICIT_TARGETS): Deleted variable. 2014-10-21 Niels Möller * testsuite/ed25519-test.c: New test case. Optionally reads the file pointed to by $ED25519_SIGN_INPUT. * testsuite/testutils.c (tstring_hex): Rewrite, using Nettle's base16 functions. (decode_hex, decode_hex_length): Deleted functions. 2014-10-20 Niels Möller * eddsa.h (ED25519_KEY_SIZE): New constant. (ED25519_SIGNATURE_SIZE): New constant. (struct ed25519_private_key): New struct. (struct ed25519_public_key): New struct. * ed25519-sha512-sign.c (ed25519_sha512_set_private_key) (ed25519_sha512_sign): New file and functions. * ed25519-sha512-verify.c (ed25519_sha512_set_public_key) (ed25519_sha512_verify): New file and functions. * Makefile.in (hogweed_SOURCES): Added ed25519-sha512-sign.c and ed25519-sha512-verify.c. 2014-10-18 Niels Möller * eddsa-verify.c (_eddsa_verify): Change argument order, putting A before ctx. * eddsa.h: Updated prototype. * testsuite/eddsa-verify-test.c (test_eddsa): Updated _eddsa_verify calls. 2014-10-14 Niels Möller * eddsa-verify.c (equal_h): New function. (_eddsa_verify): Use it for a proper point compare, replacing an ecc_add_ehh. * testsuite/eddsa-verify-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-verify-test.c. * eddsa-verify.c (_eddsa_verify, eddsa_verify_itch): New file, new functions. * eddsa.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added eddsa-verify.c. 2014-10-08 Niels Möller * testsuite/eddsa-sign-test.c (test_eddsa_sign): Use _eddsa_expand_key, and check its public key output. * eddsa-expand.c (_eddsa_expand_key): New file, new function. * eddsa.h (_eddsa_expand_key): Declare it. * Makefile.in (hogweed_SOURCES): Added eddsa-expand.c. * eddsa-sign.c: Drop unneeded include of nettle-internal.h. 2014-10-04 Niels Möller * testsuite/eddsa-sign-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-sign-test.c. * eddsa-sign.c (_eddsa_sign, _eddsa_sign_itch): New file, new functions. * eddsa-hash.c (_eddsa_hash): New file and function. * eddsa.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added eddsa-hash.c and eddsa-sign.c. 2014-10-03 Niels Möller * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Enable test. (test_main): Replace gmp_fprintf calls. * testsuite/ecc-mul-a-test.c: Likewise. * testsuite/ecc-mul-g-test.c: Likewise. * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Enable test. (ref_modinv): Use mpz_gcdext, instead of mpn_gcdext. (test_modulo): Replace gmp_fprintf calls. * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Enable test. (ref_mod): Use mpz_mod and mpz_limbs_copy, instead of mpn_tdiv_qr. (test_modulo): Replace gmp_fprintf calls by plain fprintf and mpn_out_str. * testsuite/testutils.c (mpn_out_str): New function, needed to replace uses of gmp_fprintf. * testsuite/ecc-sqrt-test.c (mpz_ui_kronecker) [NETTLE_USE_MINI_GMP]: New fallback definition when building with mini-gmp. * testsuite/testutils.c (gmp_randinit_default) [NETTLE_USE_MINI_GMP]: Likewise. (mpz_urandomb): Likewise. * testsuite/testutils.h (gmp_randstate_t) [NETTLE_USE_MINI_GMP]: Fallback typedef, using knuth_lfib_ctx. 2014-10-02 Niels Möller * testsuite/eddsa-compress-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-compress-test.c. * eddsa-decompress.c (_eddsa_decompress): New file, new function. * eddsa-compress.c (_eddsa_compress): New file, new function. * eddsa.h: New file. * Makefile.in (HEADERS): Added eddsa.h. (hogweed_SOURCES): Added eddsa-compress.c and eddsa-decompress.c. * testsuite/ecc-sqrt-test.c: New test case. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-sqrt-test.c. * ecc-25519.c (PHIGH_BITS): Always define this constant. (ecc_25519_zero_p): New function. (ecc_25519_sqrt): Take a ratio u/v as input. Added scratch argument. Made static. * ecc-internal.h (ecc_mod_sqrt_func): New typedef. (struct ecc_modulo): Added sqrt_itch and sqrt function pointer. Updated all instances. (ecc_25519_sqrt): Deleted declaration, function now static. 2014-09-24 Niels Möller * curve25519.h [__cplusplus]: Fixed extern "C" block. 2014-09-23 Niels Möller * ecc-hash.c (ecc_hash): Changed argument type from struct ecc_curve to struct ecc_modulo. Updated callers. * testsuite/ecdsa-sign-test.c (test_main): Updated curve25519 signature s. Changed since the hash value is truncated a few bits more, to match the size of q. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * testsuite/ecc-modinv-test.c (zero_p): New function, checking for zero modulo p. (test_modulo): Use zero_p. Switch to dynamic allocation. Updated for larger modinv result area, and use invert_itch. * ecc-25519.c (ecc_mod_pow_2kp1): Renamed, and take a struct ecc_modulo * as argument. (ecc_modp_powm_2kp1): ... old name. (ecc_mod_pow_252m3): New function, extracted from ecc_25519_sqrt. (ecc_25519_inv): New modp invert function, about 5.5 times faster then ecc_mod_inv. (ecc_25519_sqrt): Use ecc_mod_pow_252m3. (nettle_curve25519): Point to ecc_25519_inv. Updated p.invert_itch and h_to_a_itch. * ecc-internal.h (struct ecc_modulo): New field invert_itch. Updated all implementations. (ECC_EH_TO_A_ITCH): Updated, and take invert itch as an argument. * ecc-eh-to-a.c (ecc_eh_to_a_itch): Take invert scratch into account. * testsuite/testutils.c (test_ecc_mul_h): Use ecc->h_to_a_itch. * ecc-mod-inv.c (ecc_mod_inv): Interface change, make ap input const, and require 2n limbs at rp. Preparing for powm-based alternative implementations. Drop #if:ed out code and dp temporary. Updated all callers, more complicated cases described below. * ecc-internal.h (typedef ecc_mod_inv_func): Added const to input argument. (ECC_MOD_INV_ITCH): Renamed, was ECC_MODINV_ITCH, and reduced to 2*n. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Overhauled allocation, putting mod_inv scratch at the end. 2014-09-22 Niels Möller * ecc-random.c (ecc_mod_random): Renamed, and take a const struct ecc_modulo * as argument. Updated callers. (ecc_modq_random): ... old name. * ecc-mod-arith.c: New file, replacing ecc-modp.c and ecc-modq.c. All functions take a struct ecc_modulo as argument. (ecc_mod_add, ecc_mod_sub, ecc_mod_mul_1, ecc_mod_addmul_1) (ecc_mod_submul_1, ecc_mod_mul, ecc_mod_sqr): New functions, replacing the corresponding ecc_modp_* functions. For convenience, old names are defined as macros wrapping the new functions. * ecc-modp.c: Deleted file. * ecc-modq.c: Deleted file. * Makefile.in (hogweed_SOURCES): Updated accordingly. * testsuite/ecc-redc-test.c (test_main): Relaxed tests for which tests to run. * testsuite/ecc-modinv-test.c (test_modulo): New function, same organization as in ecc-mod-test.c below. * testsuite/ecc-mod-test.c (test_modulo): New function, testing one modulo. Replacing... (test_curve): ... old function. (test_main): Invoke test_modulo for p and q of each curve. * ecc-internal.h (ecc_mod_inv_func): New typedef. (struct ecc_modulo): Added mp1h constant and invert function pointer. Updated all callers. * ecc-modp.c (ecc_modp_inv): Deleted wrapper function. * ecc-modq.c (ecc_modq_inv): Deleted wrapper function. * ecc-mod-inv.c (ecc_mod_inv): Renamed file and function. Also take a struct ecc_modulo * as argument. * sec-modinv.c (sec_modinv): ... the old names. Deleted. * Makefile.in (hogweed_SOURCES): Updated accordingly. * examples/ecc-benchmark.c (bench_modinv_powm, bench_curve): Updated benchmarking of mpn_sec_powm. * ecc-internal.h (struct ecc_curve): Deleted redc function pointer. Use only reduce pointer, which is redc or modp as applicable. Updated all users. (struct ecc_modulo): Moved mod and reduce function pointers to this struct. * ecc-generic-modp.c (ecc_generic_modp): Deleted file and function. We no longer need a wrapper around ecc_mod. * ecc-generic-modq.c (ecc_generic_modq): Likewise deleted. * Makefile.in (hogweed_SOURCES): Removed ecc-generic-modp.c and ecc-generic-modq.c. * ecc-internal.h (typedef ecc_mod_func): Take a const struct ecc_modulo * argument, not const struct ecc_curve *. Updated all implementations and all callers. * ecc-mod.c (ecc_mod): Use struct ecc_modulo to specify the modulo. Drop input size argument, always reduce from 2*size to size. * ecc-internal.h (struct ecc_modulo): New struct, collecting constants needed for modulo arithmetic. (struct ecc_curve): Use struct ecc_modulo for p and q arithmetic. Updated all ecc-related files. 2014-09-17 Niels Möller * gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn counter, making the function clear some bytes beyond the end of the output buffer. The bug triggered a make check failure on ARM. * testsuite/testutils.c (ecc_curves): Include curve25519 in list. (test_ecc_mul_a): Include reference points for curve25519 (with Edwards coordinates). Allow n == 0 and n == 1, comparing to zero and the generator, respectively. * testsuite/ecc-add-test.c (point_zero_p): Deleted function. (test_main): Replace calls to point_zero_p by calls to test_ecc_mul_h with n == 0. * testsuite/ecc-dup-test.c: Likewise. * testsuite/ecc-modinv-test.c (mpn_zero_p): Moved function, to... * testsuite/testutils.c (mpn_zero_p): New location. Also make non-static. * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add special case for curve25519. * testsuite/ecc-mul-a-test.c (test_main): Fix point negation to support curve25519. * testsuite/ecc-mul-g-test.c (test_main): Likewise. * ecc-a-to-eh.c (ecc_a_to_eh_itch, ecc_a_to_eh): Deleted file and functions. * ecc.h: Deleted corresponding declarations. * ecc-internal.h (ECC_A_TO_EH_ITCH): Deleted macro. * Makefile.in (hogweed_SOURCES): Removed ecc-a-to-eh.c. * testsuite/ecdh-test.c (test_main): Update curve25519 test to use Edwards coordinates. * testsuite/ecdsa-sign-test.c (test_main): Likewise. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * ecc-point.c (ecc_point_set): Use Edwards rather than Montgomery curve. * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init): Take an Edwards point as input, not a Montgomery point. Hence, use ecc_a_to_j, not ecc_a_to_eh. * ecc-eh-to-a.c (ecc_eh_to_a): Just convert to affine coordinates, don't transform from Edwards to Montgomery form. Also reduces scratch need slightly. * ecc-internal.h (ECC_EH_TO_A_ITCH): Reduced. * ecdsa-keygen.c (ecdsa_generate_keypair): Use struct ecc_curve function pointers. * testsuite/curve25519-dup-test.c: Deleted file. In the way for conversion to Edwards coordinate convention, and in the end the tests will be done by ecc-dup-test.c. * testsuite/curve25519-add-test.c: Similarly deleted. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Removed curve25519-dup-test.c and curve25519-add-test.c. 2014-09-16 Niels Möller * testsuite/ecc-add-test.c: New generalized testcase, to replace curve25519-add-test.c. * testsuite/ecc-dup-test.c: New generalized testcase, to replace curve25519-dup-test.c. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-add-test.c and ecc-dup-test.c. 2014-09-14 Niels Möller * testsuite/ecc-mul-a-test.c (test_main): Use struct ecc_curve function pointers. * testsuite/ecc-mul-g-test.c (test_main): Likewise. 2014-09-09 Niels Möller * curve25519-mul.c (curve25519_mul): Switch to use Montgomery ladder. About 20% faster than current Edwards curve operations. Difference is expected to shrink when Edwards operations are optimized to take advantage of the twist, but it seems unlikely to get significantly faster than the Montgomery ladder. * gmp-glue.c (cnd_swap): Moved function here, made non-static. Changed cnd type to mp_limb_t, for consistency with GMP mpn_cnd_add_n. * sec-modinv.c (cnd_swap): ... old location. * gmp-glue.h (cnd_swap): Declare function. 2014-09-06 Niels Möller * examples/hogweed-benchmark.c (bench_curve25519_mul_g) (bench_curve25519_mul, bench_curve25519): New functions. (main): Added benchmarking of curve25519 functions. 2014-09-03 Niels Möller * Makefile.in: Revert 2013-02-06 Makefile changes: use a single rule for transforming .asm to .o, and drop include of asm.d. Possible now since we generate a single object file from each asm file. This change also helps Solaris' make recognize .asm files. * config.make.in (.SUFFIXES): Drop .s from list. * configure.ac: Delete code to generate asm.d. * Makefile.in: Delete all uses of *.po files, use the same object files for both shared and static libraries. * configure.ac (dummy-dep-files): Don't create any .po.d files. * aclocal.m4 (LSH_CCPIC): Don't substitute CCPIC here, let configure.ac do that if needed. * configure.ac (CCPIC_MAYBE, SHLIBCFLAGS): Deleted substituted variables. Instead, use CCPIC directly when compiling all library files. (CCPIC): Set to empty, if --disable-pic is used. * config.make.in (SHLIBCFLAGS, CCPIC_MAYBE): Deleted. (COMPILE, COMPILE_CXX): Drop CCPIC. New variable EXTRA_CFLAGS, which can be set by individual Makefiles. * Makefile.in (EXTRA_CFLAGS): Set using CCPIC. Also delete all uses of CCPIC_MAYBE and SHLIBCFLAGS. 2014-09-02 Niels Möller * curve25519-eh-to-x.c (curve25519_eh_to_x): New file, new function. The curve25519 transform currently done by ecc_eh_to_a, but which should eventually be eliminted from that function. * Makefile.in (hogweed_SOURCES): Added curve25519-eh-to-x.c. * ecc-internal.h (curve25519_eh_to_x): Declare it. * curve25519-mul.c (curve25519_mul): Use it. * curve25519-mul-g.c (curve25519_mul_g): Likewise. Also introduce local variable ecc, and use ecc->mul_g_itch. 2014-08-29 Niels Möller * testsuite/testutils.c (test_ecc_mul_j): Renamed, to ... (test_ecc_mul_h): ... new name. Use ecc->h_to_a function pointer. Updated callers. * examples/ecc-benchmark.c (bench_add_jjj): Renamed, to ... (bench_add_hhh): ... new name. Use ecc->add_hhh function pointer. (bench_add_ehh): Deleted. (bench_curve): Use bench_add_hhh for all curves. Use ecc->mul_itch for scratch size. Switch the curve25519 implementation to use the isomorphism to the twisted Edwards curve which is used for Ed25519 signatures. * eccdata.c (ecc_curve_init): Tweaked the transformation constant for the isomorphism between curve25519 and the twisted Edwards curve. * ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve. * ecc-add-eh.c (ecc_add_eh): Likewise. * ecc-dup-eh.c (ecc_dup_eh): Likewise. 2014-08-28 Niels Möller * ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h, use ecc_size function instead. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use the struct ecc_curve function pointers: mul, mul_g, add_hhh, h_to_a. * ecc-internal.h (ECC_ECDSA_VERIFY_ITCH): Deleted macro. Needed scratch depends on curve type, not just size. (ecc_add_func): New typedef. (struct ecc_curve): New function pointer add_hhh, and constant add_hhh_itch. Updated all instances. * ecdsa-verify.c (ecdsa_verify): Use the ecc_ecdsa_verify_itch function, not the corresponding macro. * ecc-ecdsa-verify.c (ecc_ecdsa_verify_itch): Take ecc->mul_itch into account. Also reduce to 5*ecc->size + ecc->mul_itch. * testsuite/ecdsa-sign-test.c (test_main): Added test for the obscure case of ecdsa using curve25519. * testsuite/ecdsa-verify-test.c (test_main): Likewise (depends on above changes). * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use mul_g and h_to_a function pointers. Implies (obscure) support for curve25519. * ecc-25519.c (ecc_25519_modq): Access q via the ecc struct. * ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a. The modulo q case (op == 2) is hardcoded for curve25519. * ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert back from redc form. When producing x coordinate only, optionally reduce it modulo q. Completely changes the meaning of the "flags" argument, and renames it to "op". Update all users of this function or ecc->h_to_a. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use new ecc_j_to_a modulo q feature. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. * testsuite/symbols-test: Regexp fixes, to better filter out get_pc_thunk functions. * ecc-generic-redc.c (ecc_generic_redc): Deleted file and function. Split into... * ecc-pp1-redc.c (ecc_pp1_redc): New file and function. * ecc-pm1-redc.c (ecc_pm1_redc): New file and function. * ecc-internal.h: Updated declarations. * Makefile.in (hogweed_SOURCES): Replace ecc-generic-redc.c by ecc-pp1-redc.c and ecc-pm1-redc.c. * ecc-192.c: Use ecc_pp1_redc (benchmarking only). * ecc-224.c: Use ecc_pm1_redc when applicable. * ecc-256.c: Use ecc_pp1_redc when applicable. * ecc-384.c: Use ecc_pp1_redc (benchmarking only). * ecc-521.c: Use ecc_pp1_redc (benchmarking only). * testsuite/ecc-redc-test.c (test_main): Replace use of ecc_generic_redc by ecc_pp1_redc and ecc_pm1_redc. * eccdata.c (output_curve): Don't output ecc_redc_g. * ecc-internal.h (struct ecc_curve): Deleted unused field redc_g. Updated all instances. 2014-08-27 Niels Möller * ecc-modq.c (ecc_modq_inv): Use q_bit_size. * ecc-internal.h (struct ecc_curve): New field q_bit_size. Updated all instances. * configure.ac: Bumped package version number to 3.1. (LIBHOGWEED_MAJOR): Bumped library version to 4.0. Merged curve25519 changes (starting at 2014-07-04). * Makefile.in (clean-here): Added ecc-25519.h. 2014-08-26 Niels Möller * examples/ecc-benchmark.c (bench_mul_g, bench_mul_a): Use struct ecc_curve function pointers. (bench_mul_g_eh, bench_mul_a_eh): Deleted. (bench_curve): Make modq benchmark unconditional. Use bench_mul_g and bench_mul_a also for curve25519. * testsuite/ecc-mod-test.c (test_curve): Make modq test unconditional, partially reverting 2014-07-04 change. * ecc-25519.c (ecc_25519_modq): New function. * eccdata.c (output_curve): Precomputation for curve25519 mod q. * mini-gmp.c (mpz_abs_sub_bit): Do full normalization, needed in case the most significant bit is cleared. 2014-08-25 Niels Möller * testsuite/ecdh-test.c (set_point): Check return value of ecc_point_set. (test_main): Enable curve25519 test. * ecc-point-mul-g.c (ecc_point_mul_g): Use ecc->mul_g and ecc->h_to_a function pointers. * ecc-point-mul.c (ecc_point_mul): Use the ecc->mul and ecc->h_to_a function pointers. * ecc-internal.h (ecc_mul_g_func, ecc_mul_func, ecc_h_to_a_func): New typedefs. (struct ecc_curve): New function pointers mul, mul_g, h_to_a, and constans for their scratch requirements. Updated all instances. * ecc-point.c (ecc_point_set): Handle curve25519 as a special case, when checking if the point is on the curve. 2014-08-24 Niels Möller * testsuite/ecdh-test.c: Test ecc_point_mul and ecc_point_mul_g, using test data generated by ecc-ref.gp. Tests for all curves except curve25519, which doesn't yet work with the general ecc_point interface. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdh-test.c. * misc/ecc-ref.gp: Script to generate ECDH test data. 2014-08-23 Niels Möller * ecc-a-to-j.c (ecc_a_to_j): Deleted INITIAL argument. * ecc.h (ecc_a_to_j): Updated prototype. * ecc-mul-a.c (ecc_mul_a, table_init): Updated calls to ecc_a_to_j. * ecc-mul-a.c (ecc_mul_a): Deleted INITIAL argument, all callers, except the tests, pass 1. Updated all callers. (table_init): Likewise deleted INITIAL. * ecc.h (ecc_mul_a): Updated prototype. * testsuite/ecc-mul-a-test.c (test_main): Deleted tests for ecc_mul_a with INITIAL == 0. * ecc-internal.h (struct ecc_curve): Reordered struct, moved function pointers before pointers to bignum constants. * sec-modinv.c (sec_modinv): Document that for a == 0 (mod m), we should produce the "inverse" 0. * testsuite/ecc-modinv-test.c (test_main): Check that ecc_modp_inv produces 0 if a == 0 or a == p. 2014-08-22 Niels Möller * x86_64/ecc-25519-modp.asm: New file. Assembly implementation, initial version yields 30% speedup of ecc_25519_modp. Early folding eliminates one pass of carry propagation, and yields almost 20% additional speedup. * ecc-25519.c [HAVE_NATIVE_ecc_25519_modp]: Use assembly version if available. * configure.ac (asm_hogweed_optional_list): Added ecc-25519-modp.asm. Also add HAVE_NATIVE_ecc_25519_modp to config.h.in. 2014-08-19 Niels Möller * examples/ecc-benchmark.c (bench_curve): Support benchmarking of curve25519, for now handled as a special case. (curves): Added nettle_curve25519. (bench_dup_eh, bench_add_eh, bench_add_ehh, bench_mul_g_eh): New functions. 2014-08-18 Niels Möller * testsuite/curve25519-dh-test.c (test_a): Use curve25519_mul. (test_main): Use little-endian inputs for test_a. (curve25519_sqrt, curve_25519): Deleted static helper functions, no longer needed. * curve25519-mul.c (curve25519_mul): New file and function. * curve25519.h (curve25519_mul): Declare it. * Makefile.in (hogweed_SOURCES): Added curve25519-mul.c. * curve25519-mul-g.c (curve25519_mul_g): Renamed file and function, updated callers. * curve25519-base.c (curve25519_base): ... old names. * Makefile.in (hogweed_SOURCES): Updated for rename. * eccdata.c (output_curve): Compute constants needed for Shanks-Tonelli. * ecc-25519.c (ecc_modp_powm_2kp1, ecc_25519_sqrt): New functions. * ecc-internal.h (ecc_25519_sqrt): Declare it. 2014-08-06 Niels Möller * testsuite/curve25519-dh-test.c (test_g): Use curve25519_base. (test_main): Use little-endian inputs for test_g. * curve25519-base.c (curve25519_base): New file, new function. Analogous to NaCl's crypto_scalarmult_base. * curve25519.h: New file. * Makefile.in (hogweed_SOURCES): Added curve25519-base.c. (HEADERS): Added curve25519.h. * gmp-glue.c (mpn_set_base256_le, mpn_get_base256_le): New functions. * gmp-glue.h: Declare them. 2014-08-02 Niels Möller * testsuite/curve25519-dh-test.c (curve25519_sqrt): Fixed memory leak, a mpz_clear call was missing. * ecc-internal.h (ECC_MUL_A_EH_WBITS): Set to 4, to enable window-based scalar multiplication. * ecc-mul-a-eh.c (table_init) [ECC_MUL_A_EH_WBITS > 0]: Fixed initialization of TABLE(1). 2014-07-29 Niels Möller * ecc-internal.h (ECC_MUL_A_EH_WBITS): New constant. (ECC_A_TO_EH_ITCH, ECC_MUL_A_EH_ITCH): New macros. * ecc-a-to-eh.c (ecc_a_to_eh, ecc_a_to_eh_itch): New file, new functions. * ecc-mul-a-eh.c: New file. (ecc_mul_a_eh): New function. The case [ECC_MUL_A_EH_WBITS > 0] not yet working). (ecc_mul_a_eh_itch): New function. * ecc.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added ecc-a-to-eh.c and ecc-mul-a-eh.c. * testsuite/curve25519-dh-test.c (curve25519_sqrt): New function. (curve_25519): Use ecc_mul_a_eh. (test_a): New function. (test_main): Test construction of shared secret, using scalar multiplication with points other than the fix generator. 2014-07-26 Niels Möller * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need. * ecc-internal.h (ECC_ADD_EHH_ITCH): Reduced to 7*size. 2014-07-23 Niels Möller * testsuite/curve25519-dh-test.c: New test case, based on draft-josefsson-tls-curve25519-05 test vectors. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dh-test.c. 2014-07-18 Niels Möller * ecc-mul-g-eh.c (ecc_mul_g_eh, ecc_mul_g_eh_itch): New file and functions. Untested. * ecc.h (ecc_mul_g_eh_itch): Declare new functions. * ecc-internal.h (ECC_MUL_G_EH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-mul-g-eh.c. 2014-07-17 Niels Möller * ecc-add-eh.c (ecc_add_eh): Reduce scratch need. * ecc-internal.h (ECC_ADD_EH_ITCH): Reduced to 6*size. * testsuite/curve25519-dup-test.c (test_main): Free allocated storage. 2014-07-15 Niels Möller * ecc-add-eh.c (ecc_add_eh, ecc_add_eh_itch): New file, new functions. * ecc.h: Declare new functions. * ecc-internal.h (ECC_ADD_EH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-add-eh.c. * testsuite/curve25519-add-test.c (test_main): Test ecc_add_eh. Additional test for g2+g2. Free allocated storage. 2014-07-14 Niels Möller * testsuite/curve25519-add-test.c: New test case. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-add-test.c. * ecc-add-ehh.c (ecc_add_ehh, ecc_add_ehh_itch): New file, new functions. * ecc.h (ecc_add_ehh, ecc_add_ehh_itch): Declare them. * ecc-internal.h (ECC_ADD_EHH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-add-ehh.c. * ecc-25519.c (nettle_curve25519): Use ecc_d instead of ecc_b. * eccdata.c: For curve25519, output the Edwards curve constant, ecc_d = (121665/121666) mod p. * testsuite/curve25519-dup-test.c (test_main): Add test for 4g. Delete some left-over debug output. 2014-07-11 Niels Möller * misc/ecc-formulas.tex: Some ECC notes. * testsuite/curve25519-dup-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dup-test.c. * testsuite/testutils.c (test_ecc_point): Made non-static. * testsuite/testutils.h (struct ecc_ref_point): Moved here, from testutils.h. (test_ecc_point): Declare it. * ecc-dup-eh.c (ecc_dup_eh, ecc_dup_eh_itch): New file, new functions. * ecc-eh-to-a.c (ecc_eh_to_a, ecc_eh_to_a_itch): New file, new functions. * ecc.h: Declare new functions. * ecc-internal.h (ECC_EH_TO_A_ITCH, ECC_DUP_EH_ITCH): New macros. * Makefile.in (hogweed_SOURCES): Added ecc-dup-eh.c and ecc-eh-to-a.c. * ecc-internal.h (struct ecc_curve): New constant edwards_root. * ecc-192.c (nettle_secp_192r1): Updated accordingly, additional NULL pointer. * ecc-224.c (nettle_secp_224r1): Likewise. * ecc-256.c (nettle_secp_256r1): Likewise. * ecc-384.c (nettle_secp_384r1): Likewise. * ecc-521.c (nettle_secp_521r1): Likewise. * ecc-25519.c (nettle_curve25519): Initialize new constant. * eccdata.c (ecc_curve_init): For curve 25519, use correct constant for edwards coordinate transform, and output the constant as ecc_edwards. 2014-07-06 Niels Möller * eccdata.c: Use separate is_zero flag to represent the neutral element. (output_point, output_point_redc): Unified to a single function, with a use_redc flag argument. Also support conversion to Edwards form. (ecc_curve_init_str): New argument for Edwards curve conversion constant. 2014-07-04 Niels Möller Started curve25519 branch. * ecc-25519.c: New file. (ecc_25519_modp): New function. (nettle_curve25519): New curve. * ecc-curve.h (nettle_curve25519): Declare it. * Makefile.in (hogweed_SOURCES): Added ecc-25519.c. (ecc-25519.h): New generated file. Add as explicit dependency for ecc-25519.o. * testsuite/ecc-mod-test.c (test_curve): New function, extracted from test_main. Tolerate NULL modq function pointer. (test_main): Use test_curve, iterate over supported curves, and also test curve_25519 for the new modp function. 2014-08-23 Niels Möller * ecc-modp.c (ecc_modp_sub_1): Deleted unused function. * ecc-internal.h: Deleted corresponding declaration. * examples/nettle-benchmark.c (time_cipher): Fixed memset calls, amending the totally broken change from 2014-02-06. 2014-07-02 Niels Möller * eccdata.c (ecc_dup): Use mpz_submul_ui, now available in mini-gmp. (ecc_type): New enum, for Weierstrass and Montgomery curves (ecc_curve): New field type. (ecc_dup): Support montgomery curves. (ecc_add): Likewise. (ecc_curve_init_str): New argument, for the curve type. (ecc_curve_init): Pass curve type to all ecc_curve_init_str calls. Recognize curve25519, for bit_size 255. (output_modulo): Deleted assert, which isn't true for curve25519. 2014-06-30 Niels Möller * camellia-absorb.c: Include , needed for correct use of HAVE_NATIVE_64_BIT. Reported and debugged by Magnus Holmgren. Fixes debian build failure on s390x. 2014-06-26 Niels Möller From Martin Storsjö: * configure.ac (IF_NOT_SHARED): New substituted variable. * hogweed.pc.in: Use @LIBS@, instead of hardcoding -lgmp. When shared libraries are disabled, move needed libraries from Requires.private: to Requires: and from Libs.private: to Libs:. From Nikos Mavrogiannopoulos. * examples/hogweed-benchmark.c (bench_alg): Tolerate alg->init returning NULL. (bench_openssl_ecdsa_init): Return NULL if EC_KEY_new_by_curve_name fails, indicating the curve is not supported. 2014-06-25 Niels Möller Support for building with mini-gmp instead of the real GMP. Loosely based on work by Nikos Mavrogiannopoulos. * configure.ac: New command line option --enable-mini-gmp. Also disable all libgmp-related checks when enabled. (NETTLE_USE_MINI_GMP): New substituted variable. (LIBHOGWEED_LIBS): Use $(LIBS) instead of -lgmp. (IF_MINI_GMP): New Makefile conditional. (GMP_NUMB_BITS): Alternative test for the mini-gmp case. Substituted also in bignum.h. (HAVE_MPZ_POWM_SEC): Drop this unused check. * bignum.h: Renamed, to... * bignum.h.in: New name. (NETTLE_USE_MINI_GMP): Substituted by configure. (GMP_NUMB_BITS): Substituted by configure, for the mini-gmp case. * Makefile.in (OPT_HOGWEED_SOURCES): New variable, value conditional on @IF_MINI_GMP@. (hogweed_SOURCES): Add $(OPT_HOGWEED_SOURCES). (PRE_CPPFLAGS): Add -I$(srcdir). (HEADERS): Delete bignum.h. (INSTALL_HEADERS): Add bignum.h. Also add mini-gmp.h, if mini-gmp is enabled. (DISTFILES): Added bignum.h.in. (bignum.h): New target. (distclean-here): Delete bignum.h. * examples/ecc-benchmark.c (modinv_gcd) [NETTLE_USE_MINI_GMP]: Disable this benchmark. (mpn_random) [NETTLE_USE_MINI_GMP]: Provide a simple implementation. * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Skip test, it depends on gmp_randstate_t. * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-mul-a-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-mul-g-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Likewise. Various preparations for mini-gmp support. * testsuite/bignum-test.c: Use WITH_HOGWEED instead of HAVE_LIBGMP for preprocessor conditionals. * testsuite/testutils.h: Likewise. * testsuite/sexp-format-test.c: Likewise. * testsuite/ecdsa-keygen-test.c (test_main): Use printf, mpz_out_str and write_mpn instead of gmp_fprintf. * testsuite/ecdsa-sign-test.c (test_ecdsa): Likewise. * testsuite/ecdsa-verify-test.c (test_ecdsa): Likewise. * dsa.h: Include bignum.h instead of gmp.h. * ecc-internal.h: Likewise. * ecc.h: Likewise. * gmp-glue.h: Likewise. * pkcs1.h: Likewise. * rsa.h: Likewise. * testsuite/testutils.c (die): Use plain vfprintf, not gmp_vfprintf. (write_mpn): New function. (test_ecc_point): Use it, replacing gmp_fprintf. * testsuite/testutils.h (write_mpn): Declare it. * der-iterator.c: Deleted HAVE_LIBGMP conditionals. 2014-06-07 Niels Möller * Released nettle-3.0. 2014-06-04 Niels Möller * NEWS: List des-compat.h as a candidate for removal in the next release. * testsuite/des-compat-test.c (test_main): Fixed out of bounds memory read, reported by Nikos Mavrogiannopoulos. * nettle-write.h: Include , fixing compilation on freebsd. * aclocal.m4 (ac_stdint): Fixed "unsinged" typo, spotted by Andy Goth. 2014-06-01 Niels Möller * x86_64/gcm-hash8.asm: Pass correct argument count to W64_EXIT. * x86_64/camellia-crypt-internal.asm: Pass correct argument count to W64_ENTRY and W64_EXIT. * x86_64/machine.m4 [W64_ABI]: Fix for the case of 6 function arguments. Also push %rdi unconditionally, and use aligned accesses for save and restore %xmm registers (movdqa). 2014-05-31 Niels Möller * configure.ac: Check for COFF type directives. (ASM_COFF_STYLE): New substituted variable. * config.m4.in: Set COFF_STYLE from configure. * asm.m4 (PROLOGUE): Use COFF type directive, if enabled by configure. Fixes problem with windows dll linking. * asm.m4: Deleted unused offsets for struct aes_ctx. 2014-05-28 Niels Möller * testsuite/nettle-pbkdf2-test: Delete carriage return characters from output. * configure.ac (LIBHOGWEED_LIBS): Be explicit and link libhogweed.so with libnettle.so, not -lnettle. (LIBHOGWEED_LINK): Drop -L. flag, no longer needed, and previously not at the correct position in the link command line. 2014-05-27 Niels Möller * examples/ecc-benchmark.c: If mpn_sec_powm is available, benchmark it, for modinv. (bench_modinv_powm): New function. (bench_curve): Use it. 2014-05-22 Niels Möller From Claudio Bley: * Makefile.in ($(des_headers)): Use the EXEEXT_FOR_BUILD. 2014-05-15 Niels Möller * NEWS: Updated with library version numbers. * configure.ac (dummy-dep-files): Use simpler and more portable sed expression. Problem reported by Peter Eriksson. (LIBHOGWEED_MAJOR): Bumped shared library version to 3.0. (LIBHOGWEED_MINOR): Reset to zero. Also increased the package version number to 3.0. * getopt.c: Don't use gettext. 2014-05-14 Niels Möller * testsuite/nettle-pbkdf2-test: Avoid the bash construction ${#foo}. * getopt.c: Copied from glibc tree, tag glibc-2.19. * getopt.h: Likewise. * getopt1.c: Likewise. * getopt_int.h: New file, also copied from glibc. * Makefile.in (DISTFILES): Added getopt_int.h. 2014-05-09 Niels Möller * mini-gmp.c: Updated, use version from gmp-6.0.0. * mini-gmp.h: Likewise. * testsuite/Makefile.in (all): Drop dependency on $(TARGETS), to delay building of test programs until make check. 2014-05-08 Niels Möller * nettle.texinfo (nettle_aead abstraction): Document nettle_aead. * Makefile.in (nettle_SOURCES): Added nettle-meta-aeads.c. * nettle-meta.h (nettle_aeads): Declare array. * nettle-meta-aeads.c (nettle_aeads): New file, new array. * testsuite/meta-aead-test.c: New test case. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added meta-aead-test.c. * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): If CC_FOR_BUILD is gcc, add -O option. This makes eccdata twice as fast. 2014-05-06 Niels Möller * nettle.texinfo: Document SHA3 and ChaCha-Poly1305 as experimental. 2014-05-05 Niels Möller * nettle.texinfo (POLY1305): Document poly1305-aes. (Authenticated encryption): Move AEAD algorithms to their own section. (RSA, DSA, ECDSA): Change some subsections to subsubsections. (ChaCha-Poly1305): Document ChaCha-Poly1305. 2014-05-04 Niels Möller * nettle.texinfo (DSA): Document new DSA interface. (Salsa20): Update salsa20 docs. (ChaCha): Document ChaCha. 2014-05-03 Niels Möller * configure.ac: Check for SIZEOF_SIZE_T. * ccm.c (ccm_set_nonce): Skip code for 64-bit encoding when size_t is only 32 bits. * nettle.texinfo (CCM): Document new ccm macros and constants. Describe ccm restrictions. * ccm.h (CCM_DIGEST_SIZE): New constant. 2014-04-30 Niels Möller * ccm.c (CCM_IV_MAX_SIZE, CCM_IV_MIN_SIZE): Deleted, replaced by public constants CCM_MIN_NONCE_SIZE and CCM_MAX_NONCE_SIZE. (ccm_build_iv): Updated for above rename. (CCM_L_MAX_SIZE): Deleted, no longer used. * ccm.h (CCM_MIN_NONCE_SIZE, CCM_MAX_NONCE_SIZE): New constants. (CCM_MAX_MSG_SIZE): New macro. 2014-04-27 Niels Möller * nettle.texinfo (Cipher modes): Subsection on AEAD constructions. (GCM): Update GCM documentation, including functions for gcm_aes128, gcm_camellia128, ... 2014-04-26 Niels Möller * nettle.texinfo: Update for introduction of nettle_cipher_func. (GCM): Document GCM_DIGEST_SIZE. (UMAC): Document new UMAC constants. (Keyed hash functions): Make HMAC and UMAC their own info nodes. (EAX): Document EAX. * umac.h (UMAC_MIN_NONCE_SIZE, UMAC_MAX_NONCE_SIZE): New constants. 2014-04-25 Niels Möller * All hash-related files: Renamed all _DATA_SIZE constants to _BLOCK_SIZE, for consistency. Old names kept for backwards compatibility. * nettle.texinfo (CCM): Documentation for CCM mode, contributed by Owen Kirby. * testsuite/ccm-test.c (test_cipher_ccm): And tests. * ccm.c (ccm_decrypt_message): Change length argument, should now be clear text (dst) length. * ccm-aes128.c (ccm_aes128_decrypt_message): Likewise. * ccm-aes192.c (ccm_aes192_decrypt_message): Likewise. * ccm-aes256.c (ccm_aes256_decrypt_message): Likewise. * ccm.h: Updated prototypes. 2014-04-22 Niels Möller * nettle.texinfo (Recommended hash functions): Document additional sha512 variants. * sha2.h (sha512_224_ctx, sha512_256_ctx): New aliases for the sha512_ctx struct tag. 2014-04-17 Niels Möller * examples/Makefile.in (SOURCES): Deleted next-prime.c (forgotten in 2014-04-13 change). 2014-04-16 Niels Möller * testsuite/ccm-test.c (test_cipher_ccm): Deleted check for NULL authdata. * sha3-224.c (sha3_224_init): Pass pointer to context struct, not pointer to first element, to memset. * sha3-256.c (sha3_256_init): Likewise. * sha3-384.c (sha3_384_init): Likewise. * sha3-512.c (sha3_512_init): Likewise. * examples/eratosthenes.c (vector_alloc): Use sizeof(*vector) instead of explicit type in malloc call. (vector_init): Make constant explicitly unsigned long. * tools/input.c (sexp_get_quoted_char): Deleted useless for loop. 2014-04-13 Niels Möller * rsa-compat.c: Deleted file. * rsa-compat.h: Deleted file. * Makefile.in (hogweed_SOURCES): Deleted rsa-compat.c. (HEADERS): Deleted rsa-compat.h. * examples/next-prime.c: Deleted file. * bignum-next-prime.c (nettle_next_prime): Deleted file and function. * prime-list.h: Deleted file. * bignum.h (nettle_next_prime): Deleted prototype. * Makefile.in (hogweed_SOURCES): Deleted bignum-next-prime.c. (DISTFILES): Deleted prime-list.h. * examples/Makefile.in (HOGWEED_TARGETS): Deleted next-prime, and corresponding make target. 2014-04-12 Niels Möller * nettle.texinfo (Copyright): Updated licensing info. * README: Likewise. * Makefile.in (DISTFILES): Distribute new COPYING* files. * COPYING.LESSERv3: New file. * COPYINGv3: New file. * COPYING.LIB: Deleted. * COPYINGv2: New name for GPL version 2 file. * COPYING: Old name, deleted. * Update license headers for LGPL3+ and GPL2+ dual licensing. 2014-04-11 Niels Möller * testsuite/testutils.c (test_aead): Use aead->digest_size. * configure.ac: Skip GMP tests if public key support is disabled. * eax.c (block16_xor): Fixed bug effecting 32-bit platforms. * Makefile.in (DISTFILES): Deleted memxor.c, already included via nettle_SOURCES. * tools/Makefile.in (SOURCES): Add nettle-pbkdf2.c. 2014-04-10 Niels Möller From Nikos Mavrogiannopoulos: * examples/hogweed-benchmark.c (bench_openssl_ecdsa_init): Support for secp192r1 and secp256r1. (alg_list): Add them. 2014-04-09 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha512_224 and sha512_256. * testsuite/sha512-224-test.c: New file. * testsuite/sha512-256-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new files. * nettle-meta.h (nettle_sha512_224, nettle_sha512_256): Declare. * sha512-224-meta.c (nettle_sha512_224): New file, new nettle_hash. * sha512-256-meta.c (nettle_sha512_256): New file, new nettle_hash. * sha2.h (SHA512_224_DIGEST_SIZE, SHA512_224_DATA_SIZE) (SHA512_256_DIGEST_SIZE, SHA512_256_DATA_SIZE): New constants. * sha512.c (sha512_256_digest): Typo fix, call sha512_256_init. * testsuite/testutils.c (test_hash): Removed redundant init call. Tests that digest implies init. 2014-03-28 Niels Möller * testsuite/dsa-keygen-test.c (test_main): Explicitly use dsa_compat_generate_keypair. (test_main): Test dsa_generate_params and dsa_generate_keypair with a large q; p_bits = 1024, q_bits = 768. * testsuite/testutils.h: Undo dsa-compat.h name mangling. * dsa-keygen.c (dsa_generate_keypair): New interface, generating only a keypair, and no new parameters. * dsa-compat-keygen.c (dsa_compat_generate_keypair): New file. Moved old key generation function here. Use dsa_generate_keypair. 2014-03-27 Niels Möller * dsa-compat.c (dsa_public_key_init, dsa_public_key_clear) (dsa_private_key_init, dsa_private_key_clear): : Move deprecated DSA functions to a separate file... * dsa.c: ...from here. * dsa-compat.h: New file, declaring deprecated DSA interface. Include in corresponding C files. * Makefile.in (hogweed_SOURCES): Add dsa-compat.c. (HEADERS): Add dsa-compat.h. * dsa-gen-params.c (dsa_generate_params): New file and function, extracted from DSA key generation. * dsa-keygen.c (dsa_generate_keypair): Use dsa_generate_params. 2014-03-26 Niels Möller * der2dsa.c (dsa_params_from_der_iterator): Converted to new DSA interface. Allow q_size == 0, meaning any q < p is allowed. Additional validity checks. (dsa_public_key_from_der_iterator): Converted to new DSA interface. Also check that the public value is in the correct range. (dsa_openssl_private_key_from_der_iterator): Converted to new DSA interface. Additional validity checks. (dsa_openssl_private_key_from_der): Converted to new DSA interface. * tools/pkcs1-conv.c (convert_dsa_private_key): Update to use struct dsa_params, and adapt to the der decoding changes. (convert_public_key): Likewise. * examples/hogweed-benchmark.c: Update dsa benchmarking to use new DSA interface. * dsa.c (dsa_params_init, dsa_params_clear): New functions. (dsa_public_key_init): Use dsa_params_init. (dsa_public_key_clear): Use dsa_params_clear. * sexp2dsa.c (dsa_keypair_from_sexp_alist): Converted to new DSA interface. Allow q_size == 0, meaning any q < p is allowed. Additional validity checks. (dsa_sha1_keypair_from_sexp, dsa_sha256_keypair_from_sexp): Converted to new DSA interface. * dsa2sexp.c (dsa_keypair_to_sexp): Converted to new DSA interface. * tools/pkcs1-conv.c: Updated uses of dsa_keypair_to_sexp. * dsa.h (struct dsa_params): New struct. * dsa-sign.c (dsa_sign): Use struct dsa_params, with key as a separate mpz_t. * dsa-verify.c (dsa_verify): Likewise. * dsa-sha1-verify.c (dsa_sha1_verify_digest, dsa_sha1_verify): Use dsa_verify, cast the struct dsa_public_key * input to a struct dsa_params * * dsa-sha256-verify.c (dsa_sha256_verify_digest) (dsa_sha256_verify): Likewise. * dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise use dsa_sign, with a cast from struct dsa_public_key * to struct dsa_params *. * dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign): Likewise. * testsuite/testutils.c (test_dsa_verify): Use struct dsa_params. (test_dsa_key): Likewise. * testsuite/dsa-test.c (test_main): Adapt to test_dsa_key and test_dsa_verify changes. * testsuite/dsa-keygen-test.c (test_main): Adapt to test_dsa_key change. * testsuite/testutils.c (test_dsa_sign): #if out, currently unused. 2014-03-23 Niels Möller From Owen Kirby: * ccm.c: New file. * ccm.h: New file. * ccm-aes128.c: New file. * ccm-aes192.c: New file. * ccm-aes256.c: New file. * Makefile.in (nettle_SOURCES): Added ccm source files. (HEADERS): Added ccm.h. * testsuite/ccm-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ccm-test.c. 2014-03-20 Niels Möller From Joachim Strömbergson: * sha512.c (K): Indentation fix. (sha512_224_init, sha512_224_digest, sha512_256_init) (sha512_256_digest): New functions. * sha2.h: Add prototypes. (sha512_224_update, sha512_256_update): New aliases for sha512_update. 2014-03-18 Niels Möller * examples/nettle-benchmark.c (main): Add benchmarking of arcfour, salsa20 and chacha, via time_aead. * nettle-internal.c (nettle_arcfour128): Define, as a struct nettle_aead (with NULL set_nonce, update, and digest methods). * examples/nettle-openssl.c (nettle_openssl_arcfour128): Likewise. * nettle-internal.h (nettle_arcfour128) (nettle_openssl_arcfour128): Declare. * nettle-types.h (nettle_cipher_func): New typedef, similar to nettle_crypt_func, but with a const context, intended for block ciphers. * nettle-meta.h (struct nettle_cipher): Use the nettle_cipher_func type. * Many other files affected: aes*-meta.c, camellia*-meta.c, cast128-meta.c, serpent-meta.c, twofish-meta.c, cbc.[ch], ctr.[ch], ctr.[ch], des-compat.c, eax.[ch], gcm*.[ch], nettle-internal.*, testsuite/aes-test.c, examples/nettle-benchmark.c, examples/nettle-openssl.c. 2014-03-16 Niels Möller * chacha-set-key.c: Include string.h. * arcfour-meta.c: Deleted file. * nettle-meta.h (nettle_arcfour128): Deleted declaration. * nettle-meta-ciphers.c (nettle_ciphers): Deleted nettle_arcfour128 from list. * Makefile.in (nettle_SOURCES): Deleted arcfour-meta.c. * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted. * testsuite/meta-cipher-test.c: Adjust test for removal of nettle_arcfour128. 2014-03-15 Niels Möller * examples/nettle-benchmark.c (struct bench_aead_info): New struct. (bench_aead_crypt, bench_aead_update, init_nonce, time_aead): New functions, for benchmarking aead algorithms. (time_gcm, time_eax): Deleted functions. (main): Use time_aead to benchmark gcm, eax and chacha-poly1305. * salsa20.h (SALSA20_NONCE_SIZE): Renamed constant, old name SALSA20_IV_SIZE kept as an alias. (salsa20_set_nonce): Update prototype for the 2014-01-20 rename. * Makefile.in (.asm.s): Add dependencies. (.s.o, .s.po): Empty any dependency .d file. 2014-03-04 Niels Möller * testsuite/chacha-test.c (test_main): Additional test cases, for 256-bit keys. * Makefile.in (nettle_SOURCES): Deleted chacha128-set-key.c and chacha256-set-key.c. * chacha.h (CHACHA256_KEY_SIZE): Deleted. (chacha_set_key): Updated prototype. * chacha256-set-key.c (chacha256_set_key): Deleted file and function, moved to... * chacha-set-key.c (chacha_set_key): Do 256-bit keys only. Deleted length argument. Updated all callers. * chacha128-set-key.c (chacha128_set_key): Deleted file and function. Support for 128-bit chacha keys may be reintroduced later, if really needed. * chacha.h: Deleted chacha128-related declarations. * chacha-set-key.c (chacha_set_key): Drop support for 128-bit keys. * testsuite/chacha-test.c (test_main): #if:ed out all tests with 128-bit keys. 2014-02-16 Niels Möller * gcm.h: Declarations for gcm-camellia256. * gcm-camellia256.c: New file. * gcm-camellia256-meta.c: New file. * nettle-meta.h (nettle_gcm_camellia256): Declare. * Makefile.in (nettle_SOURCES): Added gcm-camellia256.c and gcm-camellia256-meta.c. * testsuite/gcm-test.c (test_main): Test cases for nettle_gcm_camellia256. * gcm.h: Include camellia.h. Declarations for gcm-camellia128. * gcm-camellia128.c: New file. * gcm-camellia128-meta.c: New file. * nettle-meta.h (nettle_gcm_camellia128): Declare. * Makefile.in (nettle_SOURCES): Added gcm-camellia128.c and gcm-camellia128-meta.c. * testsuite/gcm-test.c (test_main): Test cases for nettle_gcm_camellia128. From Nikos Mavrogiannopoulos. 2014-02-13 Niels Möller * Makefile.in (nettle_SOURCES): Added eax-aes128.c eax-aes128-meta.c. * examples/nettle-benchmark.c: Include eax.h. * nettle-meta.h (nettle_eax_aes128): Declare, moved from nettle-internal.h. * eax.h: Declare eax_aes128_ctx and related functions. Moved from nettle-internal.h (EAX_IV_SIZE): New constant. * eax-aes128-meta.c (nettle_eax_aes128): Moved definition to new file. * eax-aes128.c (eax_aes128_set_key, eax_aes128_set_nonce) (eax_aes128_update, eax_aes128_encrypt, eax_aes128_decrypt) (eax_aes128_digest): Moved functions to a new file. * nettle-internal.c: ... from old location. * nettle-internal.h: Moved eax declarations elsewhere. * tools/nettle-pbkdf2.c (main): Added missing deallocation. 2014-02-12 Niels Möller * chacha-poly1305.h: New file. * chacha-poly1305.c: New file. * chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new aead algorithm. * nettle-meta.h (nettle_chacha_poly1305): Declare. * Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and chacha-poly1305-meta.c. (HEADERS): Added chacha-poly1305.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-poly1305-test.c. * testsuite/chacha-poly1305-test.c: New file. * nettle-meta.h (struct nettle_aead): New generalized version if this struct. (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256) (nettle_eax_aes128): Declare, moved from nettle-internal.h. * nettle-internal.h (struct nettle_aead): Deleted struct, moved to nettle-meta.h. Deleted declarations of unused instances. (_NETTLE_AEAD): Deleted macro. * nettle-internal.c (nettle_eax_aes128): Updated for new nettle_aead struct. (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256): Deleted, moved to new files. * gcm-aes128-meta.c (nettle_gcm_aes128): Moved to new file, updated for new nettle_aead struct. * gcm-aes192-meta.c (nettle_gcm_aes192): Likewise. * gcm-aes256-meta.c (nettle_gcm_aes256): Likewise. * testsuite/testutils.c (test_aead): Take alternative set_nonce function as argument, and use it when nonce size differs from aead->nonce_length. * testsuite/testutils.h (test_aead): Updated prototype. * testsuite/gcm-test.c (nettle_gcm_unified_aes128): Updated for new nettle_aead struct. (test_main): Pass additional argument to test_aead. * testsuite/eax-test.c (test_main): Pass additional NULL argument to test_aead. * eax.h (EAX_DIGEST_SIZE): New constant. * gcm.h (GCM_DIGEST_SIZE): Likewise. 2014-02-10 Niels Möller * chacha-set-nonce.c (chacha_set_nonce): Renamed file and function, updated callers and Makefile.in. * chacha-set-iv.c (chacha_set_iv): ... from old names. 2014-02-08 Niels Möller * testsuite/chacha-test.c (test_chacha): For 20 rounds, use chacha_crypt, and test varying the message length. (test_main): Add second key stream block, for all testcases with 20 rounds. * chacha-crypt.c (chacha_crypt): Fixed block counter update. 2014-02-07 Niels Möller * nettle.texinfo (ASCII encoding): Document that base16_encode_update and base64_encode_update now uses dst_length as an output only. * testsuite/base64-test.c (test_main): Updated base64_decode_update test case. * sexp-transport.c (sexp_transport_iterator_first): For base64_decode_update, omit initialization of coded_length. * examples/base64dec.c (main): Likewise. * examples/base16dec.c (main): Likewise, for base16_decode_update. * base64-decode.c (base64_decode_update): Use *dst_length for output only. Don't require callers to pass a sane value. * base16-decode.c (base16_decode_update): Likewise. 2014-02-06 Niels Möller * NEWS: List _set_key incompatibilities. * nettle-meta.h (_NETTLE_CIPHER_SEP, _NETTLE_CIPHER_SEP_SET_KEY) (_NETTLE_CIPHER_FIX, _NETTLE_CIPHER): Deleted unused macros. * nettle-internal.c (nettle_blowfish128): Deleted only use of _NETTLE_CIPHER. * blowfish.c (blowfish128_set_key): New function. * blowfish.h (BLOWFISH128_KEY_SIZE): New constant. * cast128-meta.c (nettle_cast128): Deleted only use of _NETTLE_CIPHER_FIX. * examples/nettle-benchmark.c (time_cipher): Fixed memset calls. 2014-01-30 Niels Möller * Makefile.in (nettle_SOURCES): Arrange in alphabetic order. * nettle.texinfo: Updated, document size_t for length arguments. Document new AES and Camellia interfaces. * ecc-size.c (ecc_bit_size): New function. * ecc.h (ecc_bit_size): Declare it. 2014-01-29 Niels Möller * nettle-types.h (typedef nettle_set_key_func): Deleted length argument. * arctwo.c (arctwo40_set_key, arctwo64_set_key) (arctwo128_set_key, arctwo128_set_key_gutmann): New functions. * arctwo.h: Declare them. * arctwo-meta.c (ARCTWO): New macro. (nettle_arctwo40, nettle_arctwo64, nettle_arctwo128) (nettle_arctwo_gutmann128): Use new _set_key functions. * arcfour.h (ARCFOUR128_KEY_SIZE): New constant. * arcfour.c (arcfour128_set_key): New function. * arcfour-meta.c (nettle_arcfour128): Use arcfour128_set_key and ARCFOUR128_KEY_SIZE. * cast128.c (cast5_set_key): Renamed, was cast128_set_key. (cast128_set_key): New definition, with fixed key size. * cast128.h (CAST128_MIN_KEY_SIZE, CAST128_MAX_KEY_SIZE): Renamed constants, to... (CAST5_MIN_KEY_SIZE, CAST5_MAX_KEY_SIZE): ... new names. * eax.h (EAX_SET_KEY): Deleted length argument. * aes128-meta.c: Deleted _set_key wrappers. * aes192-meta.c: Likewise. * aes256-meta.c: Likewise. * camellia128-meta.c: Likewise. * camellia192-meta.c: Likewise. * camellia256-meta.c: Likewise. * gcm-aes128.c (gcm_aes128_set_key): Deleted length argument. * gcm-aes192.c (gcm_aes192_set_key): Likewise. * gcm-aes256.c (gcm_aes256_set_key): Likewise. * gcm.h: Updated prototypes. * serpent-set-key.c (serpent128_set_key, serpent192_set_key) (serpent256_set_key): New functions. * serpent.h: Declare new functions. (SERPENT128_KEY_SIZE, SERPENT192_KEY_SIZE) (SERPENT256_KEY_SIZE): New constants. * serpent-meta.c (SERPENT): New macro. (nettle_serpent128, nettle_serpent192, nettle_serpent256): Use new _set_key functions. * twofish-set-key.c (twofish128_set_key, twofish192_set_key) (twofish256_set_key): New functions. * twofish.h: Declare new functions. (TWOFISH128_KEY_SIZE, TWOFISH192_KEY_SIZE) (TWOFISH256_KEY_SIZE): New constants. * twofish-meta.c (TWOFISH): New macro. (nettle_twofish128, nettle_twofish192, nettle_twofish256): Use new _set_key functions. * nettle-internal.h (struct nettle_aead): Use nettle_hash_update_func for the set_iv function pointer. * nettle-internal.c (des_set_key_hack, des3_set_key_hack): Deleted wrapper functions. (chacha_set_key_hack): Deleted length argument. Use chacha256_set_key. (salsa20_set_key_hack): Deleted length argument. Use salsa20_256_set_key. (nettle_unified_aes128, nettle_unified_aes192) (nettle_unified_aes256): Deleted, moved to test program. (eax_aes128_set_key): Deleted length argument. Use EAX_SET_KEY. * examples/nettle-benchmark.c: Updated for _set_key changes. * examples/nettle-openssl.c: Likewise. * testsuite/testutils.c: Likewise. * testsuite/gcm-test.c: Likewise. * testsuite/aes-test.c (UNIFIED_AES): New macro. Moved glue for testing the old aes interface (struct aes_ctx) here. * testsuite/arcfour-test.c (test_arcfour): New function, for key sizes != 128 bits. (test_main): Use it. * testsuite/blowfish-test.c (test_blowfish): New function. (test_main): Use it. Also deleted old #if:ed out code. * testsuite/cast128-test.c (test_cast5): New function. (test_main): Use it, for 40-bit and 80-bit tests. * testsuite/serpent-test.c (test_serpent): New function. (test_main): Use it. 2014-01-27 Niels Möller * eax.h (struct eax_key, struct eax_ctx): Use union nettle_block16, for alignment. * eax.c: Updated everything to use nettle_block16. (block16_xor): New function. * examples/nettle-benchmark.c (time_eax): New function. (main): Use it. * x86_64/chacha-core-internal.asm: Use pshufhw + pshuflw for the 16-bit rotate. * configure.ac (asm_replace_list): Added chacha-core-internal.asm. * x86_64/chacha-core-internal.asm: New file. * examples/nettle-benchmark.c (main): Add benchmarking of chacha. * nettle-internal.c (nettle_chacha): New const struct, for the benchmark. Chacha implementation, based on contribution by Joachim Strömbergson. * chacha.h: New file. * chacha256-set-key.c (chacha256_set_key): New file and function. * chacha128-set-key.c (chacha128_set_key): New file and function. * chacha-set-key.c (chacha_set_key): New file and function. * chacha-set-iv.c (chacha_set_iv): New file and function. * chacha-core-internal.c (_chacha_core): New file and function. * chacha-crypt.c (chacha_crypt): New file and function. * Makefile.in (nettle_SOURCES): Added chacha files. (HEADERS): Added chacha.h. * testsuite/chacha-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-test.c. 2014-01-26 Niels Möller * nettle-internal.h (_NETTLE_AEAD_FIX): Renamed to... (_NETTLE_AEAD): ... new name, and deleted old definition. Also use _set_nonce instead of _set_iv. * nettle-internal.c (nettle_gcm_aes128, nettle_gcm_aes192) (nettle_gcm_aes256): Define in terms of new interface. (nettle_eax_aes128): Updated for _NETTLE_AEAD changes. * testsuite/gcm-test.c (test_gcm_hash): Likewise use struct gcm_aes128_ctx. (test_main): Added a testcase using the old interface based on struct gcm_aes_ctx. * examples/nettle-benchmark.c (time_gcm): Update to use new struct gcm_aes128_ctx. Also use name "gcm-aes128" in output. * gcm.h: New interface for gcm_aes128, gcm_aes192, gcm_aes256, using the new AES interface. (GCM_CTX): Reorder fields, putting the cipher context last. * Makefile.in (nettle_SOURCES): Added gcm-aes128.c, gcm-aes192.c, and gcm-aes256.c. * gcm-aes128.c: New file. * gcm-aes192.c: New file * gcm-aes256.c: New file. 2014-01-25 Niels Möller * gcm.h (GCM_SET_KEY): Deleted length argument. * gcm-aes.c (gcm_aes_set_key): Use aes_set_encrypt_key and gcm_set_key, can no longer use GCM_SET_KEY macro. 2014-01-23 Niels Möller * testsuite/gcm-test.c (test_main): Use the correct nettle_gcm_aes128/192/256 object. 2014-01-21 Niels Möller Merged camellia-reorg changes (starting at 2013-10-07). 2013-10-10 Niels Möller * Makefile.in (nettle_SOURCES): Updated list of camellia files. * testsuite/camellia-test.c (test_invert): Updated for new camellia interface. * camellia.h: Reorganized camellia interface, with distinct context structs and functions for camellia128 and camellia256. * camellia-meta.c: Deleted file. * camellia256-meta.c: New file. * camellia192-meta.c: New file. * camellia128-meta.c: New file. * camellia-set-decrypt-key.c: Deleted file, code moved to: * camellia128-set-decrypt-key.c: New file. (camellia128_invert_key, camellia128_set_decrypt_key): New functions. * camellia256-set-decrypt-key.c: New file. (camellia256_invert_key, camellia256_set_decrypt_key) (camellia192_set_decrypt_key): New functions. * camellia-invert-key.c (_camellia_invert_key): New file and function. * camellia-set-encrypt-key.c: Deleted file, code moved to: * camellia128-set-encrypt-key.c: New file. (camellia128_set_encrypt_key): New function. * camellia256-set-encrypt-key.c: New file. (_camellia256_set_encrypt_key, camellia256_set_encrypt_key) (camellia192_set_encrypt_key): New functions. * camellia-absorb.c (_camellia_absorb): New file and function. * camellia-internal.h: Moved key schedule macros here. * camellia-crypt.c: Deleted file, code moved to: * camellia128-crypt.c (camellia128_crypt): New file and function. * camellia256-crypt.c (camellia256_crypt): New file and function. 2013-10-07 Niels Möller * configure.ac: Delete check for ALIGNOF_UINT64_T, no longer needed. * config.m4.in: Likewise delete ALIGNOF_UINT64_T. * camellia-crypt.c (camellia_crypt): Updated call to _camellia_crypt. * camellia-internal.h (_camellia_crypt): Updated prototype. * camellia-crypt-internal.c (_camellia_crypt): Take separate arguments for rounds and subkey array. * x86_64/camellia-crypt-internal.asm: Likewise. Also corrected .file pseudo-ops. * x86/camellia-crypt-internal.asm: Likewise. 2014-01-20 Niels Möller * poly1305-internal.c (poly1305_digest): Use union nettle_block16 for s argument. * poly1305-aes.c (poly1305_aes_digest): Update for poly1305_digest change. Merged poly1305 changes (starting at 2013-11-08). * x86_64/poly1305-internal.asm: Update to new interface. poly1305_digest much simplified. * poly1305.h (struct poly1305_ctx): Moved block and index fields... (struct poly1305_aes_ctx): ... to here. * asm.m4: Delete also from the assembly definition of struct poly1305_ctx. * poly1305-internal.c (poly1305_digest): Don't do final padding here, leave that to caller. Add digest to the provided nonce s, and deleted length and dst arguments. Also reset h0-h4 to zero when done. (_poly1305_block): Renamed, from... (poly1305_block): ...old name. * poly1305-aes.c (poly1305_aes_update): New function. (poly1305_aes_digest): Update for poly1305_digest changes, do final padding here. * poly1305.c (poly1305_update): Deleted file and function. Moved to poly1305-aes.c. * Makefile.in (nettle_SOURCES): Deleted poly1305.c. 2014-01-17 Niels Möller * poly1305-internal.c (poly1305_block): Additional argument with the high bit. (poly1305_block_internal): Deleted function, code moved into the poly1305_block. (poly1305_digest): Simplified padding code, call poly1305_block with high bit 0. * poly1305.h (poly1305_block): Update prototype. * poly1305.c (poly1305_update): Call poly1305_block with high bit 1. * x86_64/poly1305-internal.asm (poly1305_block): Handle new argument. * poly1305.h (struct poly1305_ctx): Moved nonce field from here... (struct poly1305_aes_ctx): ... to here. * poly1305-aes.c (poly1305_aes_set_nonce, poly1305_aes_digest): Updated for above. * poly1305.c (poly1305_set_nonce): Deleted function. * asm.m4: Delete nonce also from the assembly definition of struct poly1305_ctx. 2014-01-16 Niels Möller * poly1305-aes.c: Include poly1305.h. Rewrite functions without using the POLY1305_* macros. * Makefile.in (HEADERS): Deleted poly1305-aes.h. * poly1305.h (POLY1305_CTX, POLY1305_SET_KEY, POLY1305_SET_NONCE) (POLY1305_DIGEST): Deleted macros. Only implemented variant is poly1305-aes. (POLY1305_DIGEST_SIZE, POLY1305_BLOCK_SIZE, POLY1305_KEY_SIZE): New constants. (POLY1305_AES_KEY_SIZE, POLY1305_AES_DIGEST_SIZE): Moved here, from poly1305-aes.h. (struct poly1305_aes_ctx): Likewise. (poly1305_aes_set_key, poly1305_aes_set_nonce) (poly1305_aes_update, poly1305_aes_digest): Likewise. * poly1305-aes.h: Deleted file, declarations moved to poly1305.h. Update all users. * poly1305-internal.c (s2, s3, s4): Fixed macros. * poly1305-aes.h (struct poly1305_aes_ctx): Replace struct aes_ctx by struct aes128_ctx. * poly1305-aes.c (poly1305_aes_set_key, poly1305_aes_digest): Update to use aes128_* functions. * poly1305.h (POLY1305_SET_KEY): Drop key size argument when calling set_key. 2013-12-19 Niels Möller * poly1305-aes.h (poly1305_aes_update): Define as an alias for poly1305_update, using preprocessor and a type cast. * poly1305-aes.c (poly1305_aes_update): Deleted function. * poly1305.h (poly1305_update): Declare. (_POLY1305_BLOCK, POLY1305_UPDATE): Deleted macros. * poly1305.c (poly1305_update): New function. 2013-11-21 Niels Möller * x86_64/poly1305-internal.asm: New file. Almost a factor of two speedup. * configure.ac (asm_replace_list): Added poly1305-internal.asm. * asm.m4: Define struct offsets for 64-bit poly1305_ctx. * poly1305.h (POLY1305_DIGEST): Pass the encrypted nonce as an additional argument to poly1305_digest. (struct poly1305_ctx): Introduce unions, to support either 26-bit or 64-bit implementation. * poly1305-internal.c (poly1305_digest): Added s argument. * poly1305.c (poly1305_set_s): Deleted function. 2013-11-12 Niels Möller * poly1305-internal.c: New file, for poly1305 functions depending on the internal mod (2^130 - 5) representation. (poly1305_block_internal): New helper function. (poly1305_block, poly1305_digest): Use it. 2013-11-08 Nikos Mavrogiannopoulos * poly1305.h: New file. * poly1305.c: New file. * poly1305-aes.h: New file. * poly1305-aes.c: New file. * Makefile.in (nettle_SOURCES): Added poly1305-aes.c and poly1305.c. (HEADERS): Added poly1305-aes.h and poly1305.h. * testsuite/poly1305-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added poly1305-test.c. * examples/nettle-benchmark.c (time_poly1305_aes): New function. (main): Benchmark poly1305. 2014-01-20 Niels Möller * Makefile.in (nettle_SOURCES): Added salsa20-set-nonce.c, salsa20-128-set-key.c, and salsa20-256-set-key.c. * salsa20.h: Declare new functions. (SALSA20_128_KEY_SIZE, SALSA20_256_KEY_SIZE): New constants. (salsa20_set_iv): Define as an alias for salsa20_set_nonce. * salsa20-set-key.c (salsa20_set_key): Use salsa20_128_set_key and salsa20_256_set_key. (salsa20_set_iv): Renamed and moved... * salsa20-set-nonce.c (salsa20_set_nonce): ... new file, new name. * salsa20-256-set-key.c (salsa20_256_set_key): New file and function. * salsa20-128-set-key.c (salsa20_128_set_key): New file and function. 2014-01-13 Niels Möller * nettle-types.h (union nettle_block16): New type, replacing union gcm_block. * gcm.h (union gcm_block): Deleted. Replaced by nettle_block16. * gcm.c: Replaced all use of gcm_block by nettle_block16. 2014-01-04 Niels Möller * config.guess: Updated to 2014-01-01 version, from git://git.sv.gnu.org/config.git. * config.sub: Likewise. * testsuite/memxor-test.c [HAVE_VALGRIND_MEMCHECK_H] (test_mark): New function. (test_memxor, test_memxor3): Use test_mark to tell valgrind the start and end of src and destination areas. * configure.ac: Check for valgrind/memcheck.h. * testsuite/Makefile.in (VALGRIND): Added --partial-loads-ok=yes, needed for the way unaligned data is handled in, e.g., memxor. 2014-01-03 Niels Möller * shadata.c (main): Zero-pad output values to 8 hex digits. * sha256.c (K): Updated table. 2013-12-17 Niels Möller * configure.ac (ASM_RODATA): New substituted variable. Needed for portability to darwin. * config.m4.in: Define RODATA, using configure variable ASM_RODATA * x86_64/gcm-hash8.asm: Use RODATA macro. * bignum-random-prime.c (_nettle_generate_pocklington_prime): Use stronger variants of Pocklington's theorem, to allow p0 of size down to bits/3. 2013-12-15 Niels Möller * nettle-internal.h (NETTLE_MAX_BIGNUM_BITS) (NETTLE_MAX_BIGNUM_SIZE): Deleted arbitrary limits. 2013-12-15 Nikos Mavrogiannopoulos Introduced TMP_GMP_ALLOC macro for temporary allocations of potentially large data, e.g, sized as an RSA key. * gmp-glue.h (TMP_GMP_DECL, TMP_GMP_ALLOC, TMP_GMP_FREE): New macros. * gmp-glue.c (gmp_alloc, gmp_free): New functions. * bignum-next-prime.c (nettle_next_prime): Use TMP_GMP_ALLOC. * bignum-random.c (nettle_mpz_random_size): Likewise. * pkcs1-decrypt.c (pkcs1_decrypt): Likewise. * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): Likewise. * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) (pkcs1_rsa_sha512_encode_digest): Likewise. * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): Likewise. * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) (pkcs1_rsa_sha1_encode_digest): Likewise. * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) (pkcs1_rsa_md5_encode_digest): Likewise. 2013-12-14 Niels Möller * x86_64/gcm-hash8.asm: Use .short rather than .hword, for compatibility with apple's assembler. 2013-12-03 Niels Möller * x86_64/sha1-compress.asm: Reorganized, to get closer to the x86 version. No difference in running time. * configure.ac (dummy-dep-files): Don't overwrite any existing dependency files. * x86_64/md5-compress.asm: New file, similar to the x86 version. 35% speedup on AMD, 15% speedup on Intel. 2013-11-25 Niels Möller * testsuite/dsa-test.c (test_main): Additional tests from NIST test vectors. * testsuite/testutils.c (test_dsa_sign, test_dsa_verify): New functions, supporting arbitrary digest size. * testsuite/testutils.h (ASSERT): Improved failure message. * dsa-verify.c (dsa_verify): Renamed, from _dsa_verify. * dsa-sign.c (dsa_sign): Renamed, from _dsa_sign. 2013-11-24 Niels Möller * testsuite/dsa-keygen-test.c (test_main): Test generating a key with 224-bit q. * dsa-verify.c (_dsa_verify): Use _dsa_hash. * dsa-sign.c (_dsa_sign): Use _dsa_hash. Fix memory leak in error case, spotted by Nikos. * dsa-keygen.c (dsa_generate_keypair): Allow q_bits == 224. * dsa-hash.c (_dsa_hash): New file and function. Allows digest sizes not matching the bitsize of q. * dsa.h (_dsa_hash): Declare it. * Makefile.in (hogweed_SOURCES): Added dsa-hash.c. 2013-11-23 Niels Möller * configure.ac: Check also for openssl/ecdsa.h. 2013-10-05 Niels Möller * Makefile.in (nettle_SOURCES): Added eax.c. (HEADERS): Added eax.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added eax-test.c. * testsuite/eax-test.c: New file. * nettle-internal.c (nettle_eax_aes128): New aead algorithm. (eax_aes128_set_key, eax_aes128_set_nonce, eax_aes128_update) (eax_aes128_encrypt, eax_aes128_decrypt, eax_aes128_digest): New functions. * eax.c: New file. * eax.h: New file. * aes.h: Fixed typo in name mangling for new aes functions. 2013-09-28 Niels Möller * Merge aes-reorg branch. Changes below, dated 2013-05-17 - 2013-08-13. 2013-08-13 Niels Möller * yarrow.h (struct yarrow256_ctx): Use aes256_ctx, not aes_ctx. * yarrow256.c: Adapted to use new aes256 interface. 2013-08-07 Niels Möller * umac.h (_UMAC_STATE): Use struct aes128_ctx, not aes_ctx. * umac-set-key.c (umac_kdf, _umac_set_key): Use aes128 interface. * umac32.c (umac32_digest): Likewise. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. 2013-06-25 Niels Möller * aes-meta.c: Deleted file. Analogous changes for new aes192 and aes256 interface. * aes.h (struct aes128_ctx): New aes128 declarations. * aes-decrypt.c (aes128_decrypt): New function. * aes-encrypt.c (aes128_encrypt): New function. * aes128-meta.c: New file. * aes128-set-encrypt-key.c (aes128_set_encrypt_key): New file and function. * aes128-set-decrypt-key.c (aes128_set_decrypt_key) (aes128_invert_key): New file and functions. * Makefile.in (nettle_SOURCES): Added aes128-set-encrypt-key.c, aes128-set-decrypt-key.c and aes128-meta.c. * nettle-internal.c (nettle_unified_aes128): For testing the old AES interface. * testsuite/aes-test.c (test_cipher2): New function. (test_main): Test both nettle_aes128 and nettle_unified_aes128. 2013-05-22 Niels Möller * Makefile.in (nettle_SOURCES): Added aes-invert-internal.c and aes-set-key-internal.c. * aes.h (AES128_KEY_SIZE, _AES128_ROUNDS): New constants. Similarly also for aes192 and aes256. * aes-internal.h: Declare new functions. * aes-set-key-internal.c (_aes_set_key): New file and funxtion extracted from aes_set_encrypt_key. * aes-set-encrypt-key.c (aes_set_encrypt_key): Use _aes_set_key. * aes-invert-internal.c (_aes_invert): New file and function, extracted from aes_invert_key. * aes-set-decrypt-key.c (aes_invert_key): Use _aes_invert. * arm/v6/aes-encrypt-internal.asm: Adapted to new interface. Unfortunately, 4% slowdown on Cortex-A9, for unknown reason. * arm/v6/aes-decrypt-internal.asm: Likewise. * arm/aes-encrypt-internal.asm: Adapted to new interface. * arm/aes-decrypt-internal.asm: Likewise. 2013-05-21 Niels Möller * sparc32/aes-encrypt-internal.asm: Adapted to new interface. * sparc32/aes-decrypt-internal.asm: Likewise. * sparc64/aes-encrypt-internal.asm: Likewise. * sparc64/aes-decrypt-internal.asm: Likewise. * x86/aes-encrypt-internal.asm: Adapted to new interface. * x86/aes-decrypt-internal.asm: Likewise. 2013-05-20 Niels Möller * x86_64/aes-encrypt-internal.asm: Adapted to new interface. * x86_64/aes-decrypt-internal.asm: Likewise. 2013-05-17 Niels Möller * aes.h (struct aes_ctx): Renamed nrounds to rounds, and moved first in the structure. * aes-set-encrypt-key.c (aes_set_encrypt_key): Updated for renaming. * aes-set-decrypt-key.c (aes_invert_key): Likewise. * aes-encrypt-internal.c (_nettle_aes_encrypt): Take rounds and subkeys as separate arguments, not a struct aes_ctx *. Updated callers. * aes-decrypt-internal.c (_nettle_aes_decrypt): Likewise. * aes-internal.h: Updated prototypes. * Start of aes-reorg changes. 2013-09-28 Niels Möller * md4.h (struct md4_ctx): Use single uint64_t variable for block count. * md4.c: Use new block count variable. * md5.c, md5.h (struct md5_ctx): Likewise. * ripemd160.c, ripemd160.h (struct ripemd160_ctx): Likewise. * sha1.c, sha1.h (struct sha1_ctx): Likewise. * sha256.c, sha2.h (struct sha256_ctx): Likewise. * testsuite/testutils.c (test_hash_large): Added simple progress indicator. * macros.h (MD_PAD): Use size argument, don't depend on sizeof of the count field(s). 2013-09-22 Niels Möller * x86_64/gcm-hash8.asm: New file. * x86_64/gcm-gf-mul-8.asm: Deleted. * configure.ac (asm_nettle_optional_list): Look for gcm-hash8.asm, not gcm-gf-mul-8.asm. * gcm.c [HAVE_NATIVE_gcm_hash8]: Make use of (optional) assembly implementation. 2013-09-21 Niels Möller * Makefile.in (des.po): Add same dependencies as for des.o. Reported by Vincent Torri. 2013-09-20 Niels Möller * testsuite/gcm-test.c: Added tests with associated data of varying size. * testsuite/testutils.c (tstring_alloc): Add NUL-termination. 2013-09-18 Niels Möller * Makefile.in: New stampfiles, libnettle.stamp and libhogweed.stamp, updated when both static and shared libraries are rebuilt. Used as link dependencies in subdirectories. * examples/Makefile.in: Make executable targets depend on ../libnettle.stamp and libhogweed.stamp, not directly on the static library files. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. 2013-09-09 Niels Möller * gcm.c [HAVE_NATIVE_gcm_gf_mul_8]: Make use of (optional) assembly implementation. * configure.ac: Support optional assembly files for both nettle and hogweed. Replaced OPT_ASM_SOURCES with OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES, and asm_optional_list with asm_nettle_optional_list and asm_hogweed_optional_list. (asm_nettle_optional_list): Added gcm-gf-mul-8.asm. 2013-06-25 Niels Möller * testsuite/gcm-test.c: Deleted redundant include of aes.h. * testsuite/testutils.c (test_aead): Allow digest size smaller than the block size. * tools/nettle-pbkdf2.c: New command line tool. * tools/Makefile.in (TARGETS): Added nettle-pbkdf2. (nettle-pbkdf2$(EXEEXT)): New target. * testsuite/nettle-pbkdf2-test: New test case. * testsuite/Makefile.in (TS_SH): Added nettle-pbkdf2-test. * tools/nettle-hash.c (digest_file): Use stack allocation for the small hex output buffer. * examples/io.c (MIN): Deleted unused macro. 2013-05-21 Niels Möller From nettle-2.7-fixes branch: * Makefile.in (distdir): Distribute files in arm/v6 subdirectory. 2013-05-20 Niels Möller * arm/v6/sha1-compress.asm: Moved into v6 directory, since it uses the v6 instruction uadd8, sel and rev. * arm/v6/sha256-compress.asm: Likewise. * nettle-types.h: Include , for size_t. 2013-05-17 Niels Möller * macros.h (ROTL32, ROTL64): Avoid undefined behaviour for zero rotation count. Unfortunately makes CAST128 a bit slower with gcc-4.6.3. * ecc-j-to-a.c (ecc_j_to_a): Fixed ecc_modp_mul call, to avoid invalid overlap of arguments to mpn_mul_n. Problem tracked down by Magnus Holmgren. 2013-05-16 Niels Möller * arm/aes-encrypt-internal.asm: New file, for pre-v6 processors. * arm/aes-decrypt-internal.asm: New file, likewise. * arm/aes.m4 (AES_FINAL_ROUND_V5): Variant without using uxtb. (AES_FINAL_ROUND_V6): New name, updated callers. (AES_FINAL_ROUND): ... old name. Also eliminated one uxtb instruction. (AES_ENCRYPT_ROUND, AES_DECRYPT): Moved macros to the files using them. * arm/v6/aes-encrypt-internal.asm: Use ALIGN macro. Use 16-byte alignment for loops. * arm/v6/aes-decrypt-internal.asm: Likewise. Also added a nop which mysteriously improves benchmark performance on Cortex-A9. 2013-05-15 Niels Möller * configure.ac (asm_path): Handle armv6 and armv7 differently from older ARMs. Add the arm/v6 directory to asm_path when appropriate. * arm/v6/aes-encrypt-internal.asm: Moved into v6 directory. Uses the uxtb instruction which is not available for older ARMs. * arm/v6/aes-decrypt-internal.asm: Likewise. 2013-05-03 Niels Möller * cast128.c: Adapt to new struct cast128_ctx. (cast128_set_key): Rewrite, eliminating lots of conditions and some false warnings. * cast128.h (struct cast128_ctx): Separate the small 5-bit rotation subkeys and the larger 32-bit masking subkeys. 2013-05-02 Niels Möller * testsuite/testutils.c (mpz_combit): Renamed. Define only if not provided GMP. Updated all uses. (mpz_togglebit): ... old name. * sexp-format.c (sexp_vformat): Use type mpz_srcptr rather than the old MP_INT *. 2013-04-26 Niels Möller * Many files: Use size_t rather than unsigned for data sizes. * x86_64/aes-encrypt-internal.asm: Accept 64-bit length. * x86_64/aes-decrypt-internal.asm: Likewise. 2013-04-25 Niels Möller * configure.ac: Changed version number, to 2.8. (LIBNETTLE_MAJOR): Bumped major number, following nettle_memxor ABI break. (LIBNETTLE_MINOR): Reset to zero. * examples/hogweed-benchmark.c: Add benchmarking of OpenSSL's RSA functions. (all functions): Deleted unneeded casts. 2013-04-24 Niels Möller * nettle.texinfo (Miscellaneous functions): Updated memxor prototype. Document memxor3. * salsa20-crypt.c (salsa20_crypt): Deleted cast of memxor argument, no longer needed. * salsa20r12-crypt.c (salsa20r12_crypt): Likewise. * sha3.c (sha3_absorb): Likewise. * memxor.h: Updated prototypes. Drop include of nettle-types.h. * memxor.c: Include nettle-types.h, for uintptr_t. Replace all internal uses of uint8_t by plain char. (memxor): Use void * rather than uint8_t * for arguments. (memxor3): Likewise. * x86_64/memxor.asm: Added nettle_ prefix to symbols. * arm/memxor.asm: Likewise. * testsuite/symbols-test: Don't allow memxor functions without nettle prefix, * memxor.h (memxor3): Added name mangling to add "nettle_" prefix to memxor and memxor3 symbols. * Makefile.in (nettle_OBJS): Deleted $(LIBOBJS), and also deleted LIBOBJS substitution. (nettle_SOURCES): Added memxor.c, to include it in the library unconditionally. * configure.ac: Deleted AC_REPLACE_FUNCS for memxor. * Released nettle-2.7. 2013-04-23 Niels Möller From Martin Storsjö: * x86_64/sha256-compress.asm: Add forgotten W64_EXIT. * x86_64/sha512-compress.asm: Likewise. * x86_64/salsa20-crypt.asm (Lpartial): Don't return via W64_EXIT within this subfunction. * x86_64/machine.m4 (W64_ENTRY): Use movdqu instead of movdqa for saving xmm registers, since the stack is not guaranteed to be 16-byte aligned on win64. Take pushed xmm registers into account when reading the fifth parameter from the stack. * Makefile.in: Consistently use EXEEXT_FOR_BUILD. 2013-04-21 Niels Möller * Makefile.in (DISTFILES): Added mini-gmp.c and mini-gmp.h. (distdir): Use find, for identifying assembly files to copy. 2013-04-18 Niels Möller * configure.ac: Recognize cpu type "arm*", not just "armv7*'. * arm/aes-encrypt-internal.asm: Updated include of aes.m4. * arm/aes-decrypt-internal.asm: Likewise. * Makefile.in (distdir): Updated for ARM reorganization. * configure.ac (asm_path): Generalized, can now be a list of directories. On ARM, check for neon instructions, and add arm/neon if appropriate. New command line options --enable-arm-neon/--disable-arm-neon, for overriding the default. arm/neon: New subdirectory, for assembly files making use of neon instructions. arm: Renamed directory, from... armv7: ...old name. * aclocal.m4 (NETTLE_CHECK_ARM_NEON): New macro. * nettle.texinfo (Keyed hash functions): Document UMAC. * umac.h (UMAC32_DIGEST_SIZE, UMAC64_DIGEST_SIZE) (UMAC96_DIGEST_SIZE, UMAC128_DIGEST_SIZE): New constants. (UMAC_DATA_SIZE): New name, for consistency with hash functions. Updated all uses. (UMAC_BLOCK_SIZE): ... old name. 2013-04-17 Niels Möller * examples/nettle-benchmark.c (main): Benchmark salsa20r12. * nettle-internal.c (nettle_salsa20r12): Cipher struct for benchmarking only. * nettle-internal.h (nettle_salsa20): Declare it. * Makefile.in (eccdata): Depend on mini-gmp files. Drop -lgmp. * eccdata.c: Use mini-gmp, to avoid gmp dependency and associated configure tests for the *build* system. Replaced mpz_submul_ui by mpz_mul_ui + mpz_sub, and gmp_printf and gmp_fprintf by calls to mpz_out_str. * mini-gmp.h, mini-gmp.c: New files, copied from gmp-5.1.1. 2013-04-16 Niels Möller * umac-set-key.c (BE_SWAP32_N): Fixed dummy definition used for big-endian systems. * Makefile.in (TARGETS): Deleted eccdata, it should be build only when public key support is enabled. (clean-here): Exlicitly list it here. * asm.m4 (m4_log2): New macro, similar to the one in gmp. (ALIGN): Changed to take alignment in bytes. Updated all callers, currently used only in x86 and x86_64 files. * umac.h (umac32_ctx, umac64_ctx, umac96_ctx, umac128_ctx): Make block count an uint64_t. Reorder some elements to put short values together. * umac-l2.c (_umac_l2, _umac_l2_final): Make count argument an uint64_t. (_umac_l2): Deleted redundant memcpy. (_umac_l2, _umac_l2_final): Store input buffer at end of the poly64/poly128 state. Deleted l1_out from corresponding context structs, and updated all callers. * configure.ac: Changed version number to 2.7. (LIBNETTLE_MINOR): Bumped library version, to 4.6. (LIBHOGWEED_MINOR): And to 2.4. * Makefile.in (distdir): Include files from armv7 subdirectory. * x86_64/umac-nh-n.asm: New file, 3.5 time speedup. * umac32.c (umac32_digest): Fix nonce caching. * umac64.c (umac64_digest): Likewise. * testsuite/umac-test.c (test_incr): New function. (test_main): Test nonce increment. * misc/umac/umac.py: UMAC reference implementation. * misc/umac/rijndael.py: AES implementation used by umac.py. * misc/umac/mkvectors: Script to generate UMAC test vectors. * misc/umac/vectors.out: Generated test vectors. * umac32.c (umac32_digest): Fix nonce increment, use INCREMENT macro. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. * macros.h (INCREMENT): Allow size == 1. 2013-04-15 Niels Möller * x86_64/umac-nh.asm: New file. 4.4 time speedup. * armv7/umac-nh-n.asm: New file. 2.0-2.3 time speedup. * testsuite/umac-test.c (test_align): Fixed memory leak. 2013-04-12 Niels Möller * armv7/umac-nh.asm: New file. 2.4 time speedup. * armv7/machine.m4 (D0REG, D1REG): New macros. * configure.ac (asm_replace_list): Added umac-nh.asm and umac-nh-n.asm. * testsuite/umac-test.c: Test different alignments for the message. 2013-04-11 Niels Möller * umac-nh-n.c (_umac_nh_n): Rewrote as a single pass over the message data. * examples/nettle-benchmark.c (time_umac): New function. (main): Call it. * umac-set-key.c (_umac_set_key): Drop byteswapping of l3_key2, it can be xored directly to the pad in native byteorder. * umac-l3.c (_umac_l3): Drop key_2 argument, let caller do that xor. Updated all callers. * umac32.c (umac32_digest): Adapt to l3 changes. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. Initial implementation of umac. * umac.h: New file. * umac-nh.c: New file. * umac-nh-n.c: New file. * umac-poly64.c: New file. * umac-poly128.c: New file. * umac-l2.c: New file. * umac-l3.c: New file. * Makefile.in (nettle_SOURCES): Added umac source files. (HEADERS): Added umac.h. * testsuite/umac-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added umac-test.c. * ecc-mul-a.c (ecc_mul_a): Avoid using mp_bitcnt_t, for compatibility with older GMP versions. * ecc-mul-g.c (ecc_mul_g): Likewise. * eccdata.c (ecc_mul_binary): Likewise. * sec-modinv.c (sec_modinv): Likewise. * x86_64/sha3-permute.asm: Go via memory for moves between general registers and xmm registers. 2013-04-06 Niels Möller From Edgar E. Iglesias: * sha3.c (_sha3_update): Fix condition for when the block buffer is full. 2013-04-04 Niels Möller * ecc-point.c (ecc_point_get): Allow NULL x or y, ignore corresponding coordinate. * nettle.texinfo (Elliptic curves): Document high-level ECDSA support. From Martin Storsjö. Fallback functions for older GMP releases. * gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): New functions. * gmp-glue.h: Declare them. (mpn_sqr): Fallback macro. * gmp-glue.h (cnd_add_n, cnd_sub_n): Moved here, define in terms of mpn_cnd_add_n and mpn_sub_n if available, otherwise in terms of mpn_addmul_1 and mpn_submul_1. This seems to be an improvement for subtraction, but more questionable for addition. * ecc-internal.h: Include gmp-glue.h. Deleted corresponding include in all files using ecc-internal.h. (cnd_add_n, cnd_sub_n): Moved from here. 2013-04-03 Niels Möller * ecc-point-mul-g.c (ecc_point_mul_g): New file and function. * ecc-point-mul.c (ecc_point_mul): New file and function. * ecc.h: Updated declarations and name mangling. * Makefile.in (hogweed_SOURCES): Added ecc-point-mul.c and ecc-point-mul-g.c. * testsuite/salsa20-test.c (test_main): Tests for salsa20r12, contributed by Nikos Mavrogiannopoulos. 2013-03-26 Niels Möller * armv7/salsa20-core-internal.asm: New file. 45% speedup. 2013-03-25 Niels Möller From Martin Storsjö: * examples/timing.c: New file, extracted from nettle-benchmark.c. * examples/timing.h: New file. * examples/Makefile.in (SOURCES): Added timing.c. (DISTFILES): Added timing.h. (BENCH_OBJS, ECC_BENCH_OBJS, HOGWEED_BENCH_OBJS): Added timing.o. * examples/nettle-benchmark.c: Use timing.h. * examples/hogweed-benchmark.c: Likewise. * examples/ecc-benchmark.c: Likewise. From Nikos Mavrogiannopoulos: * salsa20r12-crypt.c (salsa20r12_crypt): New file and function. * salsa20.h (salsa20r12_crypt): Declare. * Makefile.in (nettle_SOURCES): Added salsa20r12-crypt.c. From Martin Storsjö: * examples/hogweed-benchmark.c: Include local headers. * testsuite/ecdsa-keygen-test.c: Likewise. * x86_64/sha3-permute.asm: Workaround for Apple's assembler; write movq instructions as movd. * Makefile.in (hogweed_PURE_OBJS): Don't include OPT_ASM_SOURCES twice. 2013-03-15 Niels Möller * armv7/sha3-permute.asm: New file. 4.5 time speedup. * armv7/machine.m4 (QREG): New macro. 2013-03-14 Niels Möller * configure.ac (asm_replace_list): Added sha3-permute.asm, revering 2012-12-30 change. 34% speedup on intel i5, from 2190 cycles for the C implementation down to 1630. * armv7/sha512-compress.asm: Optimized. Keep expanded data in registers, exploit parallelism. Another 70% speedup. * testsuite/sha512-test.c (test_main): Additional test vectors, including some longer than 128 bytes. 2013-03-13 Niels Möller * armv7/sha512-compress.asm: New file, using neon instructions. 2.3 time speedup. * configure.ac (asm_replace_list): Added sha512-compress.asm. * x86_64/machine.m4 (OFFSET64): New macro. * x86_64/sha512-compress.asm: New file, 20% speedup. * sha512-compress.c (ROUND): Eliminated a temporary, analogous to sha256 change below. * x86_64/sha256-compress.asm: New file, 16% speedup (benchmarked on intel i5). 2013-03-11 Niels Möller * armv7/sha256-compress.asm: New file, 25% speedup. * configure.ac (asm_replace_list): Added sha256-compress.asm. * sha256-compress.c (ROUND): Eliminated a temporary. * armv7/sha1-compress.asm: New file, 9% speedup. * testsuite/testutils.c (test_hash): Test different alignments for the hash input. 2013-03-08 Niels Möller * armv7/aes-decrypt-internal.asm: New file, 15% speedup. * armv7/aes-encrypt-internal.asm: New file, 25% speedup. * armv7/aes.m4: New file. 2013-03-07 Niels Möller * gmp-glue.c (mpz_limbs_cmp): Don't use PTR and SIZ macros. * Makefile.in (aesdata, desdata, twofishdata, shadata, gcmdata) (eccdata): Arrange for compiling these programs for running on the build system, also when cross compiling everything else. * config.make.in (CC_FOR_BUILD, EXEEXT_FOR_BUILD): New variables. * configure.ac: Use GMP_PROG_CC_FOR_BUILD and GMP_PROG_EXEEXT_FOR_BUILD. * aclocal.m4 (GMP_PROG_CC_FOR_BUILD, GMP_PROG_CC_FOR_BUILD_WORKS) (GMP_PROG_EXEEXT_FOR_BUILD): New macros, based on GMP's. * aesdata.c: Deleted includes of config.h and nettle-types.h. Use unsigned char and unsigned long instead of stdint.h types. * desdata.c: Deleted includes of config.h and desCode.h. (main): Return 1 on invalid argument. Don't use ROR macro. Use unsigned long instead of uint32_t, and make it work if unsigned long is larger than 32 bits. * gcmdata.c: Deleted include of config.h and use UNUSED macro. * shadata.c: Likewise. * twofishdata.c: Deleted include of nettle-types.h. Use unsigned char instead of stdint.h types. * x86_64/ecc-521-modp.asm: New file. 2.4 time speedup. 2013-03-06 Niels Möller * x86_64/ecc-384-modp.asm: New file, 3 time speedup. * x86_64/ecc-256-redc.asm: New file, 2.5 time speedup. * x86_64/ecc-224-modp.asm: New file, 5 time speedup over C version. 2013-03-05 Niels Möller * configure.ac (asm_optional_list): Added ecc-521-modp.asm. * ecc-521.c: Check HAVE_NATIVE_ecc_521_modp, and use native version if available. * armv7/ecc-521-modp.asm: New file, 2 time speedup over C version. 2013-03-04 Niels Möller * configure.ac (asm_optional_list): Added ecc-384-modp.asm. Deleted bogus reference to $asm_search_list. * ecc-384.c: Check HAVE_NATIVE_ecc_384_modp, and use native version if available. * armv7/ecc-384-modp.asm: New file, 3 time speedup over C version. 2013-03-03 Niels Möller * ecc-256.c: Fixed definition of USE_REDC. 2013-03-01 Niels Möller * ecc-256.c: Check HAVE_NATIVE_ecc_256_redc, and use native version if available. * armv7/ecc-256-redc.asm: New file, 4 time speedup over C version. * testsuite/ecc-redc-test.c: Increased test count. * ecc-224.c: Check HAVE_NATIVE_ecc_224_modp, and use native version if available. * armv7/ecc-224-modp.asm: New file, 4.5 time speedup over C version. * configure.ac (asm_optional_list): Added ecc-224-modp.asm. (OPT_ASM_SOURCES): Fixed assignment. 2013-02-28 Niels Möller * x86_64/ecc-192-modp.asm: Reorganized to reduce number of additions. Use setc instruction. * examples/Makefile.in: Let $(HOGWEED_TARGETS) depend on ../libhogweed.a. * armv7/ecc-192-modp.asm: New file. 2.5 time speedup over C version. 2013-02-27 Niels Möller * ecc-192.c: Check HAVE_NATIVE_ecc_192_modp, and use native version if available. (ecc_192_modp): Fixed carry handling bug in 32-bit version. * x86_64/ecc-192-modp.asm: New file. 3.8 times speedup over C version. * configure.ac (OPT_ASM_SOURCES): New substituted variable. (asm_replace_list, asm_optional_list): New variables. For files in asm_optional_list, also add them to OPT_ASM_SOURCES and define appropriate HAVE_NATIVE_* symbols found. * Makefile.in (OPT_ASM_SOURCES): New variable. Used for setting hogweed_OBJS and hogweed_PURE_OBJS. * testsuite/ecc-mod-test.c: Increased test count. * ecc-384.c (ecc_384_modp): Fixed typo which broke carry handling in the 64-bit version. * examples/ecc-benchmark.c (bench_add_jjj): Typo fix, benchmark the right function. * gmp-glue.h: Check if GMP provides mpz_limbs_read (expected in next release). * gmp-glue.c: Use GMP's mpz_limbs_read and friends if available. Renamed all functions for consistency with GMP. Updated all callers. 2013-02-20 Niels Möller * examples/Makefile.in (HOGWEED_TARGETS): Added hogweed-benchmark$(EXEEXT). (SOURCES): Added hogweed-benchmark.c. (hogweed-benchmark$(EXEEXT)): New target. * examples/hogweed-benchmark.c: New file. * ecdsa-keygen.c (ecdsa_generate_keypair): New file and function. * Makefile.in (hogweed_SOURCES): Added ecdsa-keygen.c. * testsuite/ecdsa-keygen-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdsa-keygen-test.c. * nettle-internal.h (TMP_ALLOC): Added missing parentheses. 2013-02-18 Niels Möller * testsuite/ecdsa-verify-test.c: New testcase. * testsuite/ecdsa-sign-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdsa-sign-test.c and ecdsa-verify-test.c. * testsuite/testutils.h: Include ecdsa.h. (SHEX): Deleted const cast. * ecc-point.c: New file, struct ecc_point abstraction. * ecc-scalar.c: New file, struct ecc_scalar abstraction. * ecc-random.c (ecc_modq_random, ecc_scalar_random): New file, new functions. * ecc-hash.c (ecc_hash): New file and function. * ecc-ecdsa-sign.c: New file, low-level signing interface. * ecc-ecdsa-verify.c: New file, low-level ecdsa verify. * ecdsa-sign.c: (ecdsa_sign): New file and function. * ecdsa-verify.c (ecdsa_verify): New file and function. * ecdsa.h: New header file. * ecc.h: Declare ecc_point and ecc_scalar functions. * ecc-internal.h: Added declarations. * Makefile.in (hogweed_SOURCES): Added new source files. (HEADERS): Added ecdsa.h. * gmp-glue.c (_mpz_set_mpn): New convenience function. (_mpn_set_base256): New function. (_gmp_alloc_limbs): New function. (_gmp_free_limbs): New function. * gmp-glue.h: Corresponding declarations. Include nettle-stdinh.h. * examples/Makefile.in (HOGWEED_TARGETS): Renamed, was RSA_TARGETS. Added ecc-benchmark$(EXEEXT). (SOURCES): Added ecc-benchmark.c. (ecc-benchmark$(EXEEXT)): New target. * examples/ecc-benchmark.c: New file, benchmarking ecc primitives. 2013-02-15 Niels Möller Integrate ecc_mul_a. * ecc-a-to-j.c: New file. * ecc-add-jjj.c: New file. * ecc-mul-a.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. * testsuite/ecc-mul-a-test.c: New file. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mul-a-test.c. * testsuite/testutils.c: Removed redundant includes. (die): New function. Integrate ecc_mul_g. * ecc.h: New file. * ecc-j-to-a.c: New file. * ecc-size.c: New file. * ecc-add-jja.c: New file. * ecc-dup-jj.c: New file. * ecc-mul-g.c: New file. * sec-tabselect.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. (HEADERS): Added ecc.h * testsuite/ecc-mul-g-test.c: New file. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mul-g-test.c. * testsuite/testutils.c (xalloc_limbs): New function. (test_mpn): New function. (test_ecc_point): New function. (test_ecc_mul_a): New function. (test_ecc_mul_j): New function. * testsuite/testutils.h: Corresponding declarations. Integrate ECC internals. * ecc-curve.h: New file. * ecc-internal.h: New file. * cnd-copy.c: New file. * ecc-192.c: New file. * ecc-224.c: New file. * ecc-256.c: New file. * ecc-384.c: New file. * ecc-521.c: New file. * ecc-generic-modp.c: New file. * ecc-generic-modq.c: New file. * ecc-generic-redc.c: New file. * ecc-mod.c: New file. * ecc-modp.c: New file. * ecc-modq.c: New file. * sec-add-1.c: New file. * sec-modinv.c: New file. * sec-sub-1.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. (HEADERS): Added ecc-curve.h. (DISTFILES): Added ecc-internal.h. * testsuite/ecc-mod-test.c: New file. * testsuite/ecc-modinv-test.c: New file. * testsuite/ecc-redc-test.c: New file. * testsuite/testutils.c (ecc_curves): New constant array. * testsuite/testutils.h: Include ecc-related headers. Declare ecc_curves array. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mod-test.c ecc-modinv-test.c ecc-redc-test.c. * gmp-glue.c: New file, mpn <-> mpz conversions. * gmp-glue.h: New file. * Makefile.in: Added to hogweed_SOURCES and DISTFILES, respectively. * eccdata.c: New program, for generating ECC-related tables. * Makefile.in (ecc-192.h, ecc-224.h, ecc-256.h, ecc-384.h) (ecc-512.h): New generated files. 2013-02-19 Niels Möller * armv7/memxor.asm (memxor): Software pipelining for the aligned case. Runs at 6 cycles (0.5 cycles per byte). Delayed push of registers until we know how many registers we need. (memxor3): Use 3-way unrolling also for aligned memxor3. Runs at 8 cycles (0.67 cycles per byte) 2013-02-14 Niels Möller * configure.ac: Find GMP's GMP_NUMB_BITS. Substitute in Makefile. * config.make.in (GMP_NUMB_BITS): New variable. * examples/rsa-keygen.c (uint_arg): New function. (main): New options -s and -e, to specify key size and public exponent. Increased default key size to 2048. 2013-02-12 Niels Möller * armv7/memxor.asm (memxor): Optimized aligned case, using 3-way unrolling. 2013-02-06 Niels Möller * armv7/memxor.asm (memxor, memxor3): Optimized aligned case, now runs at 0.75 cycles/byte. * armv7/README: New file. * armv7/machine.m4: New (empty) file. * armv7/memxor.asm: Initial assembly implementation. * config.m4.in: Substitute ASM_TYPE_PROGBITS as TYPE_PROGBITS. * config.make.in: Added .s to the suffix list. * Makefile.in (.asm.s): Use a separate make target for .asm preprocessing. Include asm.d, which the corresponding dependencies. * configure.ac (asm_file_list): Collect assembly files into this variable. (asm.d): Make config.status write dependencies for .s files into asm.d. (ASM_ALIGN_LOG): Set to "no" when appropriate. (ASM_TYPE_FUNCTION): Default to "@function". (ASM_TYPE_PROGBITS): New substituted variable, set in the same way as ASM_TYPE_FUNCTION. (ASM_MARK_NOEXEC_STACK): Use TYPE_PROGBITS. (asm_path): Set up asm_path for armv7. * asm.m4: Use changecom to disable m4 quoting. Use divert to suppress output. 2013-02-05 Niels Möller * testsuite/rsa-keygen-test.c (test_main): Updated expected signatures, after the nettle_mpz_random change below. * testsuite/dsa-test.c (test_main): Likewise. Also fixed the dsa256 test to actually use the expected signature. 2013-01-31 Niels Möller * bignum-random.c (nettle_mpz_random): Increased number of extra bits to 64, following FIPS 186-3. 2013-01-16 Niels Möller * Released nettle-2.6. 2013-01-12 Niels Möller * configure.ac: Use AC_LANG_SOURCE. 2013-01-02 Niels Möller * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.5. (LIBHOGWEED_MINOR): And to 2.3. * examples/Makefile.in: Explicit rules for building objects in parent directory. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. 2013-01-01 Niels Möller * nettle.texinfo (Recommended hash functions): Document additional sha3 functions. * examples/nettle-benchmark.c (main): Benchmark additional sha3 functions. 2012-12-30 Niels Möller * sha3-224.c, sha3-224-meta.c: New files. * sha3-384.c, sha3-384-meta.c: New files. * sha3-512.c, sha3-512-meta.c: New files. * sha3.h: Prototypes for sha3 with sizes 224, 384 and 512. * nettle-meta.h: Declare nettle_sha3_224, nettle_sha3_384 and nettle_sha3_512. * Makefile.in (nettle_SOURCES): Added new sha3 files. * testsuite/sha3-224-test.c: New file. * testsuite/sha3-384-test.c: New file. * testsuite/sha3-512-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new sha3 test files. * configure.ac: Disabled use of sha3-permute.asm. 2012-12-20 Niels Möller From Tim Rühsen: * testsuite/des-compat-test.c (pt): Use proper prototype, use const. * testsuite/testutils.c (test_dsa_key): Deleted spurious semicolon. 2012-12-15 Niels Möller Based on a patch from Alon Bar-Lev: * Makefile.in (LIBTARGETS, SHLIBTARGET): Define as empty if static or shared libraries, respectively, are disabled. (TARGETS): Deleted @IF_SHARED@ conditional, now in the definition of SHLIBTARGET. From Alon Bar-Lev: * configure.ac: Check for ar program. New option --disable-static. * config.make.in (AR): Use configured value. 2012-12-13 Niels Möller * x86_64/sha3-permute.asm: Rewrote, to keep all state in registers. 2400 cycles on x86_64, only slightly faster than the current C code. 2012-12-09 Niels Möller * sha3-permute.c (sha3_permute): Rewrote to do permutation in place. 80% speedup on x86_64, 2500 cycles. 2012-12-04 Niels Möller * ctr.c (ctr_crypt): Fix bug reported by Tim Kosse. Don't increment the counter when length is zero (was broken for the in-place case). * testsuite/ctr-test.c (test_main): Added test with zero-length data. * testsuite/testutils.c (test_cipher_ctr): Check the ctr value after encrypt and decrypt. 2012-12-03 Niels Möller * sha3-permute.c (sha3_permute): Optimized, to reduce number of passes over the data. 20% speedup on x86_64, 4700 cycles. * configure.ac: Added sha3-permute.asm. * x86_64/sha3-permute.asm: New file. 30% speedup over current C code, 4300 cycles. * nettle.texinfo (Hash functions): Split into several sections, separating recommended hash functions and legacy hash functions. Document sha3-256. 2012-12-02 Niels Möller Split sha.h into new files sha1.h and sha2.h. Replaced all internal usage of sha.h in all files. * sha.h: Kept for compatibility, just includes both new files. * sha1.h: New file. * sha2.h: New file. * Makefile.in (HEADERS): Added sha1.h and sha2.h. 2012-11-28 Niels Möller From Fredrik Thulin: * testsuite/pbkdf2-test.c (test_main): Add PBKDF2-HMAC-SHA512 test cases. 2012-11-15 Niels Möller * sha3-permute.c (sha3_permute): Use ULL suffix on round constants. Avoid passing shift count 0 to ROTL64. * sha3.c (sha3_absorb): Fixed big-endian code. Need macros.h. * macros.h (LE_READ_UINT64): New macro. 2012-11-13 Niels Möller * sha3-permute.c (sha3_permute): Micro optimizations. Partial unrolling. Use lookup table for the permutation. On an x86_64, execution time reduced from appr. 13000 cycles to appr. 6000. * examples/nettle-benchmark.c (TIME_CYCLES): New macro. (bench_sha1_compress, bench_salsa20_core): Use it. (bench_sha3_permute): New function. (main): Call bench_sha3_permute. 2012-11-12 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha3_256. * sha3-permute.c: New file. Permutation function for sha3, aka Keccak. * sha3.h: New header file. * sha3.c: New file, absorption and padding for sha3. * sha3-256.c: New file. * sha3-256-meta.c: New file. * nettle-meta.h (nettle_sha3_256): Declare. * Makefile.in (nettle_SOURCES): Added sha3 files. (HEADERS): Added sha3.h. * testsuite/sha3.awk: New file. Script to extract test vectors. * testsuite/sha3-256-test.c: New file. * testsuite/sha3-permute-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha3-permute-test.c and sha3-256-test.c. (DISTFILES): Added sha3.awk. * testsuite/.test-rules.make: Added sha3 targets. * macros.h (LE_WRITE_UINT64): New macro. * write-le64.c (_nettle_write_le64): New file and function. * nettle-write.h (_nettle_write_le64): Declare. Also deleted declaration of non-existent _nettle_write_be64. * Makefile.in (nettle_SOURCES): Added write-le64.c. * macros.h (ROTL64): New macro, moved from... * sha512-compress.c (ROTL64): ... old location, deleted. * serpent-internal.h [HAVE_NATIVE_64_BIT] (DROTL32): Renamed from... (ROTL64): ... old name. (DRSHIFT32): Renamed from ... (RSHIFT64): ... old name. * serpent-encrypt.c (LINEAR_TRANSFORMATION64): Updated for above renames. * serpent-decrypt.c (LINEAR_TRANSFORMATION64_INVERSE): Likewise. 2012-11-11 Niels Möller From Nikos Mavrogiannopoulos: * nettle.texinfo (Hash functions): Added documentation for gosthash94. * examples/nettle-benchmark.c (main): Benchmark gosthash94. 2012-11-10 Niels Möller * nettle.texinfo (nettle_hashes, nettle_ciphers): Use deftypevr, not deftypevrx. Spotted by Nikos Mavrogiannopoulos. 2012-11-08 Niels Möller Gost hash function, ported from Aleksey Kravchenko's rhash library by Nikos Mavrogiannopoulos. * gosthash94.c: New file. * gosthash94.h: New file. * gosthash94-meta.c: New file. * nettle-meta.h (nettle_gosthash94): Declare. * Makefile.in (nettle_SOURCES): Added gosthash94.c and gosthash94-meta.c. (HEADERS): Added gosthash94.h. * testsuite/gosthash94-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added gosthash94-test.c. 2012-10-29 Niels Möller From Martin Storsjö: * configure.ac (dummy-dep-files): Avoid non-posix \|-operator in sed regexp. 2012-10-29 Niels Möller * x86_64/salsa20-core-internal.asm: New file. * configure.ac: Added salsa20-core-internal.asm. * examples/nettle-benchmark.c (bench_salsa20_core): New function. 2012-10-27 Niels Möller * testsuite/Makefile.in (TS_SOURCES, CXX_SOURCES): Include sources unconditionally. (TS_CXX): Moved @IF_CXX@ conditional here. (DISTFILES): Use $(SOURCES), which now includes all C source files. testutils.c was lost in a the 2012-09-20 change. * x86_64/salsa20-crypt.asm: Include x86_64/salsa20.m4. Make all exits go via .Lend and W64_EXIT. * x86_64/salsa20.m4: New file, extracted from x86_64/salsa20-crypt.asm. 2012-10-26 Niels Möller * configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LIBS): Add $(CFLAGS) on the link command line. Reported by Dennis Clarke. 2012-10-03 Niels Möller From: Nikos Mavrogiannopoulos: * testsuite/testutils.c (test_hash): On failure, print the expected and returned hash values. 2012-09-23 Niels Möller * Makefile.in (nettle_SOURCES): Added salsa20-core-internal.c. * salsa20-core-internal.c (_salsa20_core): New file and function, extracted from salsa20_crypt. * salsa20.h (_salsa20_core): Declare it. * salsa20-crypt.c (salsa20_crypt): Use _salsa20_core. 2012-09-21 Niels Möller * pbkdf2.c (pbkdf2): assert that iterations > 0. Reorganized loops. * nettle.texinfo (Cipher functions): Stress that the salsa20 hash function is not suitable as a general hash function. 2012-09-20 Simon Josefsson * pbkdf2-hmac-sha1.c, pbkdf2-hmac-sha256.c: New files. * pbkdf2.h (pbkdf2_hmac_sha1, pbkdf2_hmac_sha256): New prototypes. * Makefile.in (nettle_SOURCES): Add pbkdf2-hmac-sha1.c and pbkdf2-hmac-sha256.c. * nettle.texinfo (Key derivation functions): Improve. * testsuite/pbkdf2-test.c (test_main): Test new functions. 2012-09-20 Niels Möller * pbkdf2.c (pbkdf2): Reordered arguments, for consistency. * pbkdf2.h (PBKDF2): Analogous reordering. * testsuite/pbkdf2-test.c: Adapted to new argument order. Also use LDATA for the salt. * nettle.texinfo (Key derivation functions): Updated documented pbkdf2 prototype. * testsuite/Makefile.in (VALGRIND): New variable, to make valgrind checking easier. * configure.ac: New substitution IF_CXX, replacing CXX_TESTS. (dummy-dep-files): Handle .cxx files. * testsuite/Makefile.in: Use IF_CXX. Include dependency file for cxx-test.o. 2012-09-19 Niels Möller From Tim Rühsen: * examples/rsa-encrypt.c (main): Added missing mpz_clear. * examples/rsa-keygen.c (main): Added missing deallocation. * testsuite/meta-hash-test.c (test_main): Validate NETTLE_MAX_HASH_DIGEST_SIZE. * pbkdf2.h (PBKDF2): New macro. * testsuite/pbkdf2-test.c: Use it. 2012-09-12 Simon Josefsson * NEWS: Mention addition of PBKDF2. * pbkdf2.c (pbkdf2): New file and function. * pbkdf2.h: Declare it. * Makefile.in (nettle_SOURCES): Add pbkdf2.c. (HEADERS): Add pbkdf2.h. * nettle.texinfo (Key derivation functions): New section. * testsuite/pbkdf2-test.c: New test case. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add pbkdf2-test.c. * testsuite/.test-rules.make (pbkdf2-test): New target. 2012-09-16 Niels Möller * testsuite/: Overhaul of testsuite, affecting almost all files. + Use struct tstring for allocated strings, and deallocate before exit. + Changed most test functions to take struct tstring as arguments. + Made all test_main return on success. * testsuite/testutils.h (struct tstring): New struct type. (H2, HL, MEMEQH, SUCCESS): Deleted macros. (SHEX, SDATA): New macros. (H): Redefined to track storage. * testsuite/testutils.c (tstring_alloc): New function. (tstring_clear): New function. (tstring_data): New function. (tstring_hex): New function. (tstring_print_hex): New function. (decode_hex_length): Made static. (decode_hex): Made static. No return value, abort on error. (main): Expect test_main to return, and call tstring_clear before exit. (test_dsa_key): Added missing mpz_clear. (test_mac): Deleted unused function. * testsuite/rsa2sexp-test.c (test_main): Added missing nettle_buffer_clear. * testsuite/yarrow-test.c (open_file): Don't leak filename. (test_main): fclose input file properly. * testsuite/sexp-format-test.c (test_main): Added missing calls to nettle_buffer_clear and mpz_clear. * testsuite/serpent-test.c (tstring_hex_reverse): New function, replacing... (decode_hex_reverse): ... deleted function. (RHEX): New macro, replacing... (RH, RHL): ... deleted macros. * testsuite/rsa2sexp-test.c (test_main): Added missing nettle_buffer_clear. * testsuite/random-prime-test.c (test_main): Added missing mpz_clear. * realloc.c (nettle_realloc): Only call libc realloc if length > 0, otherwise call free. Fixes a small memory leak. (nettle_xrealloc): Likewise. * run-tests (test_program): Don't quote $EMULATOR; allow it to expand to program and arguments (e.g., valgrind). * tools/pkcs1-conv.c (convert_public_key): Added missing calls to dsa_public_key_clear and rsa_public_key_clear. (main): Added missing nettle_buffer_clear. 2012-09-10 Niels Möller * examples/eratosthenes.c (main): Explicitly deallocate storage before exit. * examples/io.c (read_file): Explicitly treat an empty file as an error. Rearrange loop, check for short fread return value. * desdata.c: Don't declare printf, include instead. Also deleted casts of printf return value. From Tim Rühsen: * examples/nettle-benchmark.c (die): Use PRINTF_STYLE attribute. * pgp-encode.c (pgp_put_rsa_sha1_signature): Deleted unused variable. * rsa2openpgp.c (rsa_keypair_to_openpgp): Likewise. * examples/base16enc.c (main): Deleted useless allocations. 2012-09-07 Niels Möller * examples/nettle-benchmark.c (die): Add NORETURN attribute. Patch from Tim Rühsen. * tools/misc.h (die, werror): Use PRINTF_STYLE and NORETURN macros for attributes. Patch from Tim Rühsen. * examples/io.h (werror): Use PRINTF_STYLE macro. 2012-08-22 Niels Möller From Sam Thursfield : * configure.ac: Make documentation optional, to avoid requiring TeX. New option --disable-documentation, and Makefile substitution IF_DOCUMENTATION. * Makefile.in: Use IF_DOCUMENTATION. 2012-07-12 Niels Möller * asm.m4 (ALIGN): Use << operator rather than **, with m4 eval. The latter is not supported by BSD m4. 2012-07-07 Niels Möller Copyright headers: Updated FSF address. Patch from David Woodhouse. * examples/Makefile.in (BENCH_LIBS): Added -lm, needed for the ldexp function. Reported by Anthony G. Basile. * configure.ac: Changed version number to 2.6. * Released nettle-2.5. 2012-07-05 Niels Möller * x86_64/salsa20-crypt.asm (salsa20_crypt): Write the 64-bit movq instructions as "movd", since that makes the osx assembler happier. Assembles to the same machine code on gnu/linux. 2012-07-03 Niels Möller * aclocal.m4 (LSH_FUNC_ALLOCA): In the config.h boilerplate, include malloc.h if it exists, also when compiling with gcc. Needed for cross-compiling with --host=i586-mingw32msvc. * examples/base16dec.c: Don't #include files using , we don't want to pick up installed versions. On windows, include , needed for _setmode. * examples/base16enc.c: Likewise. * examples/base64dec.c: Likewise. * examples/base64enc.c: Likewise * nettle.texinfo (Cipher functions): Document Salsa20. 2012-06-25 Niels Möller * pkcs1.c (_pkcs1_signature_prefix): Renamed function, adding a leading underscore. Updated all callers. * bignum-next-prime.c (nettle_next_prime): Consistently use the type nettle_random_func * (rather then just nettle_random_func) when passing the function pointer as argument. Similar change for nettle_progress_func. Should have been done for the 2.0 release, but a few arguments were overlooked. * bignum-random-prime.c (_nettle_generate_pocklington_prime) (nettle_random_prime): Likewise. * bignum-random.c (nettle_mpz_random_size, nettle_mpz_random): Likewise. * dsa-keygen.c (dsa_generate_keypair): Likewise. * dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise. * dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign): Likewise. * dsa-sign.c (_dsa_sign): Likewise. * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. * rsa-blind.c (_rsa_blind): Likewise. * rsa-decrypt-tr.c (rsa_decrypt_tr): Likewise. * rsa-encrypt.c (rsa_encrypt): Likewise. * rsa-keygen.c (rsa_generate_keypair): Likewise. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Likewise. * cbc.c (cbc_encrypt, cbc_decrypt): Similarly, use the type nettle_crypt_func * rather than just nettle_crypt_func. * ctr.c (ctr_crypt): Likewise. * gcm.c (gcm_set_key): Likewise. * testsuite/des-compat-test.c (test_main): Disable declarations of disabled functions and variables, to avoid warnings. No verbose output unless verbose flag is set. 2012-06-09 Niels Möller * examples/Makefile.in (SOURCES): Added base16dec.c, forgotten earlier. General pkcs1 signatures, with a "DigestInfo" input. Suggested by Nikos Mavrogiannopoulos. * Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-digest.c, rsa-pkcs1-sign.c, rsa-pkcs1-sign-tr.c, and rsa-pkcs1-verify.c. * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): New file and function. * pkcs1.h: Declare it. * rsa-pkcs1-verify.c (rsa_pkcs1_verify): New file and function. * rsa-pkcs1-sign.c (rsa_pkcs1_sign): New file and function. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): New file and function, contributed by Nikos Mavrogiannopoulos. * rsa.h: Declare new functions. * rsa.h (_rsa_blind, _rsa_unblind): Declare functions. * rsa-blind.c (_rsa_blind, _rsa_unblind): Functions moved to a separate file, renamed and made non-static. Moved from... * rsa-decrypt-tr.c: ... here. 2012-06-03 Niels Möller * testsuite/pkcs1-test.c (test_main): Include leading zero in expected result. * pkcs1.c (pkcs1_signature_prefix): Return pointer to where the digest should be written. Let the size input be the key size in octets, rather then key size - 1. * pkcs1-rsa-*.c: Updated for above. * rsa-*-sign.c, rsa-*-verify.c: Pass key->size, not key->size - 1. 2012-05-18 Niels Möller * pkcs1-encrypt.c (pkcs1_encrypt): New file and function. * rsa-encrypt.c (rsa_encrypt): Use pkcs1_encrypt. 2012-05-09 Niels Möller * rsa-decrypt-tr.c (rsa_decrypt_tr): Added missing mpz_clear, spotted by Nikos Mavrogiannopoulos. 2012-05-07 Niels Möller * nettle-types.h (_STDINT_HAVE_INT_FAST32_T): Define here, to force nettle-stdint.h to not try to define the int_fast*_t types. Avoids compilation problems with gnutls on SunOS-5.8, where the definitions here collide with gnulib's. 2012-04-23 Niels Möller * nettle-internal.h (NETTLE_MAX_BIGNUM_SIZE): New constant. Based on NETTLE_MAX_BIGNUM_BITS, rounded upwards. Replaced all uses of NETTLE_MAX_BIGNUM_BITS. 2012-04-19 Niels Möller * list-obj-sizes.awk: Use decimal rather than hexadecimal output. (hex2int): Use local variables. 2012-04-18 Niels Möller * x86_64/salsa20-crypt.asm: New file. 2012-04-17 Niels Möller * testsuite/salsa20-test.c (test_salsa20_stream): Check that salsa20_crypt doesn't write beyond the given destination area. (test_salsa20): Likewise. * salsa20-crypt.c: Renamed file, from... * salsa20.c: ... old name. * x86_64/machine.m4 (WREG): New macro. * salsa20.c (salsa20_hash): Deleted function, inlined into salsa20_crypt. (salsa20_set_key, salsa20_set_iv): Moved, to... * salsa20-set-key.c: ...new file. 2012-04-15 Niels Möller * testsuite/salsa20-test.c (test_salsa20_stream): New function. (test_main): Tests for encrypting more than one block at a time. 2012-04-14 Niels Möller * examples/io.c (write_file): Use write_string. * examples/Makefile.in (base64enc): New targets. Also added missing io.o dependency to several other targets. (base64dec, base16enc, base16dec): Likewise. * examples/base64enc.c: New file, based on example code contributed by Jeronimo Pellegrini. * examples/base64dec.c: Likewise. * examples/base16enc.c: Likewise. * examples/base16dec.c: Likewise. * examples/rsa-encrypt.c (process_file): Reorganized fread loop. (usage): New function. (main): Implemented --help option. * examples/rsa-decrypt.c (process_file): Improved error message for too short input file. * aes-set-decrypt-key.c (gf2_log, gf2_exp): Deleted tables. (mult, inv_mix_column): Deleted functions. (mtable): New table. (MIX_COLUMN): New macro. (aes_invert_key): Use MIX_COLUMN and mtable. * aesdata.c (compute_mtable): New table, for the inv mix column operation in aes_invert_key. 2012-04-13 Niels Möller * aes-set-encrypt-key.c (aes_set_encrypt_key): Use LE_READ_UINT32. Tabulate the needed "round constants". (xtime): Deleted function. * aes-internal.h (SUBBYTE): Cast to uint32_t. Use B0, ..., B3 macros. 2012-04-09 Niels Möller Timing resistant RSA decryption, based on RSA blinding code contributed by Nikos Mavrogiannopoulos. * rsa-decrypt-tr.c (rsa_decrypt_tr): New function. (rsa_blind): Helper function. (rsa_unblind): Helper function. * rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include nettle-meta.h, more consistent declarations of function pointer arguments. * testsuite/rsa-encrypt-test.c (test_main): Test rsa_decrypt_tr. Check for writes past the end of the message area. * Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c. * rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt. * pkcs1-decrypt.c (pkcs1_decrypt): New file and function, extracted from rsa_decrypt. 2012-04-01 Niels Möller * salsa20.c (LE_SWAP32): Typo fix for big-endian case. (QROUND): New macro. (salsa20_hash): Use it. 2012-03-31 Niels Möller * salsa20.c: (salsa20_set_iv): Deleted size argument, only one size allowed. (U8TO32_LITTLE): Deleted macro. Use LE_READ_UINT32 instead, which avoids unaligned reads. (salsa20_set_key): Rearranged slightly, to avoid unnecessary byte-to-word conversions. (LE_SWAP32): Renamed macro from... (U32TO32_LITTLE): ... old name. (U32TO8_LITTLE): Deleted macro. (salsa20_wordtobyte): Renamed function to... (salsa20_hash): ... new name. Changed output argument from byte array to word array. Use memxor3, which brings a considerable performance gain. * nettle-internal.c (salsa20_set_key_hack): Updated salsa20_set_iv call. * testsuite/salsa20-test.c (test_salsa20): Deleted iv_length argument, updated all calls. * salsa20.h (SALSA20_BLOCK_SIZE): New constant. (_SALSA20_INPUT_LENGTH): New constant. * salsa20.c: Use these constants. * salsa20.c (ROTL32): Deleted macro, use the one from macros.h instead, with reversed order of arguments. (ROTATE, XOR, PLUS, PLUSONE): Deleted macros, use ROTL32 and builtin operators directly. Unification of rotation macros. * macros.h (ROTL32): New macro, to replace (almost) all other rotation macros. * aes-set-encrypt-key.c: Include macros.h. (aes_set_encrypt_key): Use ROTL32. * aes-internal.h (ROTBYTE, ROTRBYTE): Deleted macros. * camellia-internal.h (ROL32): Deleted macro. (ROTL128): Renamed for consistency, from... (ROL128): ... old name. * camellia-crypt-internal.c: Updated for renamed rotation macros. * camellia-set-encrypt-key.c: Likewise. * cast128.c (ROL): Deleted macro. (F1, F2, F3): Updated to use ROTL32 (reversed order of arguments). Also added proper do { ... } while (0) wrappers. * ripemd160-compress.c (ROL32): Deleted macro. (R): Updated to use ROTL32 (reversed order of arguments). * serpent-internal.h (ROL32): Deleted macro. (ROTL64): Renamed (from ROL64) and reorderd arguments, for consistency. (RSHIFT64): Reordered arguments, for consistency. * serpent-decrypt.c: Updated for renamed rotation macros, with reversed argument order. * serpent-encrypt.c: Likewise. * serpent-set-key.c: Likewise. * sha1-compress.c (ROTL): Deleted macro, use ROTL32 instead. * sha256-compress.c (ROTR): Deleted macro. Replaced by ROTL32, with complemented shift count. (SHR): Deleted macro, use plain shift operator instead. * sha512-compress.c (ROTR): Deleted macro, replaced by... (ROTL64): ...new macro, with complemented shift count (SHR): Deleted macro, use plain shift operator instead. (S0, S1, s0, s1): Updated accordingly. 2012-03-30 Niels Möller * nettle-internal.c (nettle_salsa20): Cipher struct for benchmarking only. Sets a fix zero IV, and ignores block size. * nettle-internal.h (nettle_salsa20): Declare it. * examples/nettle-benchmark.c (block_cipher_p): New function. (time_cipher): Use block_cipher_p. (main): Include salsa20 in benchmark. * Makefile.in (soname link): Fixed logic. (nettle_SOURCES): Removed nettle-internal.c, so that it's not part of the library... (internal_SOURCES): ...and put it here. * testsuite/Makefile.in (TEST_OBJS): Added ../nettle-internal.o. * examples/Makefile.in (BENCH_OBJS): New variable, to simplify the nettle-benchmark rule. Also link with ../nettle-internal.o. 2012-03-29 Niels Möller Implementation of Salsa20, contributed by Simon Josefsson. * salsa20.h: New file. * salsa20.c: New file. * Makefile.in (nettle_SOURCES): Added salsa20.c (HEADERS): Added salsa20.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added salsa20-test.c. * testsuite/salsa20-test.c: New test case. * Makefile.in (soname links): Adding missing space before ]. 2012-03-23 Niels Möller * arcfour.h (arcfour_stream): Deleted obsolete prototype. 2012-03-05 Niels Möller * configure.ac (enable_shared): Build shared libraries by default. 2012-03-04 Niels Möller * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.4. (LIBHOGWEED_MINOR): And to 2.2. 2012-02-27 Niels Möller * list-obj-sizes.awk: Recognize elf64 objects. * Makefile.in (.texinfo.dvi): Pass -b option to texi2dvi. * Makefile.in (TARGETS): Added twofishdata. (SOURCES): Added twofishdata.c. (twofishdata): New rule. * twofish.c (q0, q1): Made const, and reformatted to match the twofishdata program. * twofishdata.c: Resurrected old file. Used to be called generate_q.c, when the twofish code was contributed back in 1999. * nettle.texinfo: Documentation for base16 and base64 encoding. Text contributed by Jeronimo Pellegrini , back in April 2006. 2012-02-18 Niels Möller * run-tests, getopt.c, getopt1.c, getopt.h: These files were moved to the top-level in the conversion to an independent git repository. They used to be symlinks to lsh files, from the subdirectories which use them. * Makefile.in: Build and distribute getopt files. Distribute run-tests script. * examples/Makefile.in: Adapt to getopt files and the run-tests script now located in the parent directory. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * index.html: Converted to xhtml (from lsh repository, change dated 2012-02-03). Updated git instructions. * nettle.texinfo: Updated charset declaration. * misc/plan.html: Likewise. 2012-01-17 Niels Möller * testsuite/Makefile.in (DISTFILES): Added setup-env. * examples/rsa-decrypt.c (main): Use _setmode rather than setmode, suggested by Eli Zaretskii. Affects windows builds only. * examples/rsa-encrypt.c: Likewise. * Makefile.in ($(LIBNETTLE_FORLINK)): Always create a .lib symlink to the library file. Use LN_S. ($(LIBHOGWEED_FORLINK)): Likewise. (install-shared-nettle): Use LN_S. (install-shared-hogweed): Likewise. * configure.ac: Use AC_PROG_LN_S. * config.make.in (LN_S): New substitution. * testsuite/setup-env: New file. Wine workaround. Can't get ../.lib into wine's dll search path, so create additional symlinks. * testsuite/teardown-env: ...and delete them here. Also delete file testtmp. * examples/setup-env: Similar links setup here. * examples/teardown-env: ... and deleted. 2012-01-07 Niels Möller * examples/Makefile.in (check): Add ../.lib to PATH, like in testsuite/Makefile. Needed for w*ndows. Reported by Eli Zaretskii. 2011-11-25 Niels Möller From Martin Storsjö: * x86_64/machine.m4 (W64_ENTRY, W64_EXIT): New macros for supporting W64 ABI. * x86_64: Updated all assembly files to use them. * configure.ac (W64_ABI): New variable, set when compiling for W64 ABI (64-bit M$ windows). * config.m4.in (W64_ABI): Define, from configure substitution. 2011-11-24 Niels Möller From Martin Storsjö: * examples/Makefile.in (check): Pass $(EMULATOR) and $(EXEEXT) in the environment of run-tests. * examples/rsa-encrypt-test: Use $EXEEXT and $EMULATOR. * examples/rsa-sign-test: Likewise. * examples/rsa-verify-test: Likewise. * examples/setup-env: Likewise. * testsuite/Makefile.in (check): Pass $(EXEEXT) in the environment of run-tests. * testsuite/pkcs1-conv-test: Use $EXEEXT and $EMULATOR. Ignore \r in rsa-sign output. * examples/rsa-decrypt.c (main) [WIN32]: Set stdout/stdin to binary mode. * examples/rsa-encrypt.c (main): Likewise. 2011-11-24 Niels Möller * configure.ac (HAVE_NATIVE_64_BIT): Workaround to get it set to 1 on w64. * serpent-internal.h (ROL64): Use (uint64_t) 1 rather than 1L, for M$ w64. (RSHIFT64): Likewise. Also added a missing parenthesis. 2011-11-24 Niels Möller From Martin Storsjö: * testsuite/symbols-test: Use $NM, falling back to nm if undefined. * testsuite/Makefile.in (check): Pass $(NM) in the environment of run-tests. * config.make.in (NM): Set NM. * testsuite/sexp-conv-test: Use $EMULATOR when running test programs. Also ignore \r for output in the non-canonical output formats. * testsuite/Makefile.in (check): Pass $(EMULATOR) in the environment of run-tests. * configure.ac (EMULATOR): New substituted variable. Set to wine or wine64 when cross compiling for windows, otherwise empty. * config.make.in (EMULATOR): Set from autoconf value. 2011-11-20 Niels Möller * x86/camellia-crypt-internal.asm: Take ALIGNOF_UINT64_T into account when getting the offset for the subkeys. Differs between w32 and other systems. w32 problem identified by Martin Storsjö. * config.m4.in: Define ALIGNOF_UINT64_T (from configure). * configure.ac: Check alignment of uint64_t, and also use AC_SUBST for use in config.m4.in. 2011-11-19 Niels Möller Cygwin/mingw32 improvements contributed by Martin Storsjö: * Makefile.in (IMPLICIT_TARGETS): New variable for DLL link libraries. (clean-here): Delete the DLL import libraries. * configure.ac: Setup installation of DLL files in $bindir. (IF_DLL, LIBNETTLE_FILE_SRC, LIBHOGWEED_FILE_SRC): New substitutions. * config.make.in (LIBNETTLE_FILE_SRC): Substitute new autoconf variable. (LIBHOGWEED_FILE_SRC): Likewise. * Makefile.in (install-dll-nettle, uninstall-dll-nettle): New target for installing the DLL file in $bindir. (install-shared-nettle): Conditionally depend on install-dll-nettle. Use LIBNETTLE_FILE_SRC. (uninstall-shared-nettle): Conditionally depend on install-dll-nettle. (various hogweed targets): Analogous changes. * configure.ac: Unify shared lib setup for cygwin and mingw. 2011-10-31 Niels Möller * configure.ac (LIBHOGWEED_LIBS): Typo fix for the darwin case. Spotted by Martin Storsjö. 2011-10-25 Niels Möller * configure.ac (LIBHOGWEED_LIBS): cygwin fix, added libnettle.dll.a. Reported by Volker Zell. 2011-10-18 Niels Möller * configure.ac: Improved setup för darwin shared libraries. Patch contributed by Ryan Schmidt. 2011-10-03 Niels Möller * x86_64/memxor.asm: Implemented sse2-loop. Configured at compile time, and currently disabled. * testsuite/testutils.h (ASSERT): Write message to stderr. * testsuite/memxor-test.c: Use 16-byte alignment for "fully aligned" operands. 2011-09-03 Niels Möller * x86/camellia-crypt-internal.asm: Use "l"-suffix on instructions more consistently. Reportedly, freebsd and netbsd systems with clang are more picky about this. * configure.ac: Changed version number to 2.5. * Released nettle-2.4. * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.3. * gcm-aes.c: Include config.h. * tools/nettle-lfib-stream.c: Likewise. * ripemd160-compress.c: Added missing include of config.h. Needed for correct operation on big-endian systems. 2011-09-02 Niels Möller * configure.ac: Changed version number to 2.4. * Released nettle-2.3. 2011-08-30 Niels Möller * testsuite/hmac-test.c: Added tests for hmac-ripemd160. * hmac.h: Declare hmac-ripemd160 related functions. * Makefile.in (nettle_SOURCES): Added hmac-ripemd160.c. 2011-08-30 Niels Möller * nettle.texinfo (Hash functions): Document ripemd-160. * hmac-ripemd160.c: New file. * hmac.h: Declare hmac-ripemd160 functions. 2011-08-29 Niels Möller * sha256.c (sha256_update): Updated MD_UPDATE call for new conventions. (sha256_write_digest): Use MD_PAD rather than MD_FINAL, and insert the length manually. * sha512.c: Analogous changes. * sha1.c (COMPRESS): New macro. (sha1_update): Updated MD_UPDATE call for new conventions. (sha1_digest): Use MD_PAD rather than MD_FINAL, and insert the length manually. * ripemd160.c (ripemd160_init): Use memcpy for initializing the state vector. (COMPRESS): New macro. (ripemd160_update): Use MD_UPDATE. (ripemd160_digest): Inline ripemd160_final processing. Use MD_PAD and _nettle_write_le32. (ripemd160_final): Deleted function. * ripemd160.h (struct ripemd160_ctx): Use a 64-bit block count. Renamed digest to state. * md5.c (md5_init): Use memcpy for initializing the state vector. (COMPRESS): New macro, wrapping _nettle_md5_compress. (md5_update): Use MD_UPDATE. (md5_digest): Inline md5_final processing. Use MD_PAD and _nettle_write_le32. (md5_final): Deleted. * md5.h (struct md5_ctx): Renamed some fields, for consistency. * md4.h (struct md4_ctx): Renamed some fields, for consistency. * md4.c (md4_init): Use memcpy for initializing the state vector. (md4_update): Use MD_UPDATE. (md4_digest): Inline md4_final processing, using MD_PAD. Use _nettle_write_le32. (md4_block): Renamed, to... (md4_compress): ... new name. Take ctx pinter as argument. (md4_final): Deleted function. * md2.c (md2_update): Use MD_UPDATE. * macros.h (MD_UPDATE): Added incr argument. Invoke compression function with ctx pointer as argument, rather than ctx->state. (MD_FINAL): Just pad, don't store length field. Renamed to MD_PAD. (MD_PAD): Analogous change of compression invocations. * sha512.c: (COMPRESS): New macro wrapping _nettle_sha512_compress. (sha512_update): Use MD_UPDATE. (sha512_final): Deleted function. (sha512_write_digest): Use MD_FINAL. * sha256.c (COMPRESS): New macro wrapping _nettle_sha256_compress. (SHA256_INCR): Deleted macro. (sha256_update): Use MD_UPDATE. (sha256_final): Deleted function. (sha256_write_digest): New function, replacing sha256_final, and using MD_FINAL. (sha256_digest): Use sha256_write_digest. (sha224_digest): Likewise. * tools/nettle-hash.c (list_algorithms): Fixed typo in header. * sha1.c (SHA1_DATA_LENGTH): Deleted unused macro. (sha1_init): Use memcpy to initialize the state vector. (SHA1_INCR): Deleted macro. (sha1_update): Use MD_UPDATE macro, to reduce code duplication. (sha1_digest): Use MD_FINAL macro. (sha1_final): Deleted function. * sha.h (struct sha1_ctx): Renamed attribute digest to state. * macros.h (MD_UPDATE): New macro. (MD_FINAL): New macro. 2011-08-28 Niels Möller * ripemd160.c (ripemd160_final): Use LE_WRITE_UINT32. Deleted byte swapping at the end, leaving it to ripemd160_digest. (ripemd160_digest): Use _nettle_write_le32. * Makefile.in (nettle_SOURCES): Added write-le32.c. * md5.c (md5_digest): Use _nettle_write_le32. * write-le32.c (_nettle_write_le32): New file and function. * ripemd160-compress.c (ROL32): Renamed macro (was "rol"). Deleted x86 version using inline assembly; at least gcc-4.4.5 recognizes shift-and-or expressions which are in fact rotations. (_nettle_ripemd160_compress): Use LE_READ_UINT32. * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.2. * testsuite/meta-hash-test.c: Updated for the addition of ripemd-160. * testsuite/.test-rules.make: Added rule for ripemd160-test. * examples/nettle-benchmark.c (main): Benchmark ripemd-160. 2011-08-28 Niels Möller RIPEMD-160 hash function. Ported from libgcrypt by Andres Mejia. * testsuite/ripemd160-test.c: New file. * ripemd160.h: New file. * nettle-meta.h: Declare nettle_ripemd160. * ripemd160.c: New file, ported from libgcrypt. * ripemd160-compress.c: Likewise. * ripemd160-meta.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ripemd160-test.c. * nettle-meta-hashes.c (nettle_hashes): Added nettle_ripemd160. * Makefile.in (nettle_SOURCES): Added ripemd160.c, ripemd160-compress.c, and ripemd160-meta.c. (HEADERS): Added ripemd160.h. 2011-08-10 Niels Möller * nettle.texinfo: Fixed mis-placed const in various prototypes. Spotted by Tatsuhiro Tsujikawa. 2011-07-24 Niels Möller * Makefile.in (PKGCONFIG_FILES, pkgconfigdir): New variables. (DISTFILES): Added nettle.pc.in and hogweed.pc.in. (nettle.pc, hogweed.pc): New targets (invoking config.status). (install-pkgconfig, uninstall-pkgconfig): New targets. (install-here): Depend on install-pkgconfig. (uninstall-here): Depend on uninstall-pkgconfig. (distclean-here): Delete nettle.pc and hogweed.pc. 2011-07-20 Niels Möller * configure.ac: Generate nettle.pc and hogweed.pc. * nettle.pc.in, hogweed.pc.in: New files. 2011-07-17 Niels Möller * nettle-internal.h: Added missing extern declarations. 2011-07-11 Niels Möller * configure.ac: Changed version number to 2.3. * Released nettle-2.2. * Makefile.in (DISTFILES): Distribute COPYING.LIB, not COPYING, 2011-07-07 Niels Möller * tools/misc.h (werror): Removed incorrect noreturn attribute from declaration. * examples/io.c (read_file): Bug fix, in dependence of initial size on max_size. 2011-07-01 Niels Möller * cbc.c (CBC_BUFFER_LIMIT): Reduced to 512 bytes. (cbc_decrypt): For in-place operation, use overlapping memxor3 and eliminate a memcpy. * ctr.c (ctr_crypt): Reorganized to call the encryption function with several blocks at a time. Handle the case of a single block specially. * x86_64/memxor.asm: Added ALIGN for shifting loop. Deleted obsolete ifelse. 2011-06-30 Niels Möller * configure.ac: Link in serpent-decrypt.asm, if found. * x86_64/serpent-decrypt.asm: Added an SSE2 loop, doing four blocks at a time in parallel. * x86_64/serpent-encrypt.asm: Include serpent.m4. Deleted a redundant label. * x86_64/serpent.m4: New file, with serpent-related macros. 2011-06-29 Niels Möller * x86_64/serpent-decrypt.asm: Wrote main (32-bit) loop. (SBOX0I, SBOX1I, SBOX7I): Fixed bugs. * nettle.texinfo (Copyright): Updated for license change to LGPLv2+. Updated copyright info on serpent. * NEWS: Updated information for nettle-2.2. * x86_64/serpent-decrypt.asm: New file. * x86_64/serpent-encrypt.asm: Fixed .file pseudo op. * testsuite/testutils.c (test_cipher_ctr): Display more info on failure. * examples/nettle-benchmark.c (bench_ctr): New function. (time_cipher): Also benchmark CTR mode. * configure.ac (LIBNETTLE_MINOR): Updated library version number to 4.1. (LIBHOGWEED_MINOR): And to 2.1. 2011-06-22 Niels Möller * configure.ac: Use pwd -P when examining lib directories. Link in serpent-encrypt.asm, if found. 2011-06-21 Niels Möller * serpent-decrypt.c (SBOX3_INVERSE): Eliminated temporaries. (SBOX4_INVERSE): Likewise. (SBOX5_INVERSE): Likewise. (SBOX6_INVERSE): Likewise. (SBOX7_INVERSE): Likewise. (All SBOX_INVERSE-macros): Deleted type argument, and updated users. 2011-06-20 Niels Möller * serpent-decrypt.c: Renamed arguments in sbox macros. (SBOX0_INVERSE): Eliminated temporaries. (SBOX1_INVERSE): Likewise. (SBOX2_INVERSE): Likewise. * x86_64/serpent-encrypt.asm: Added an SSE2 loop, doing four blocks at a time in parallel. * testsuite/serpent-test.c (test_main): Added some more multiple block tests. 2011-06-15 Niels Möller * configure.ac (libdir): On 64-bit Linux, we used to assume that libraries are installed according to the FHS. Since at least Fedora and Gentoo follow the FHS convention, while at least Debian doesn't, we have to try to figure out which convention is used. 2011-06-14 Niels Möller * x86_64/serpent-encrypt.asm: Slight simplification of loop logic. * x86_64/serpent-encrypt.asm: New file. 2011-06-12 Niels Möller * testsuite/serpent-test.c (test_main): Added tests with multiple blocks at a time. * serpent-encrypt.c (SBOX6): Renamed arguments. Eliminated temporaries. (SBOX7): Likewise. (All SBOX-macros): Deleted type argument, and updated users. * configure.ac: Display summary at the end of configure.. (asm_path): Set only if enable_assember is yes. 2011-06-10 Niels Möller * serpent-encrypt.c (SBOX5): Renamed arguments. Eliminated temporaries. 2011-06-09 Niels Möller * serpent-encrypt.c (SBOX4): Renamed arguments. Eliminated temporaries. * configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LINK): Cygwin fix, from Vincent Torri. 2011-06-08 Niels Möller * examples/eratosthenes.c (find_first_one): Fixed c99-style declaration. Reported by Sebastian Reitenbach. (find_first_one): Declare the lookup table as static const, and use unsigned char rather than unsigned.. 2011-06-07 Niels Möller * serpent-encrypt.c (SBOX0): Renamed arguments. Eliminated temporaries. (SBOX1): Likewise. (SBOX2): Likewise. (SBOX3): Likewise. 2011-06-06 Niels Möller * Makefile.in (DISTFILES): Added serpent-internal.h. (nettle_SOURCES): Replaced serpent.c by serpent-set-key.c, serpent-encrypt.c, and serpent-decrypt.c. * serpent.c: Replaced by several new files. * serpent-set-key.c: New file. * serpent-encrypt.c: New file. * serpent-decrypt.c: New file. * serpent-internal.h: New file. * serpent.c [HAVE_NATIVE_64_BIT]: Process two blocks at a time in parallel. Measured speedup of 10%--25% (higher for encryption) on x86_64. 2011-06-01 Niels Möller * serpent.c (ROUNDS): Deleted macro. (serpent_block_t): Deleted array typedef. (KEYXOR): New macro, replacing BLOCK_XOR. (BLOCK_COPY, SBOX, SBOX_INVERSE): Deleted macros. (LINEAR_TRANSFORMATION): Use four separate arguments. (LINEAR_TRANSFORMATION_INVERSE): Likewise. (ROUND): Take separate arguments for all input and output words. (ROUND_INVERSE): Likewise. (ROUND_LAST, ROUND_FIRST_INVERSE): Deleted macros. (serpent_set_key): Moved loop termination test. (serpent_encrypt): Rewrote with unrolling of just eight rounds, and without serpent_block_t. (serpent_decrypt): Likewise. * serpent.c: Added do { ... } while (0) around block macros. (serpent_key_t): Deleted array typedef. (ROL32, ROR32): Renamed macros, were rol and ror. (KS_RECURRENCE, KS): New macros. (serpent_key_pad): Renamed, from... (serpent_key_prepare): ...old name. (serpent_subkeys_generate): Deleted function. (serpent_set_key): Rewrote the generation of subkeys. Reduced both temporary storage and code size (less unrolling) 2011-05-31 Niels Möller * testsuite/serpent-test.c (test_main): Enabled test with short, 40-bit, key. * serpent.c (byte_swap_32): Deleted macro. (serpent_key_prepare): Use LE_READ_UINT32. Don't require aligned input, and support arbitrary key sizes. 2011-05-30 Simon Josefsson * serpent.c: Rewrite, based on libgcrypt code. License changed from GPL to LGPL. * serpent_sboxes.h: Removed. * Makefile.in: Drop serpent_sboxes.h. 2011-05-31 Niels Möller * testsuite/serpent-test.c (test_main): Added some tests for padding of keys of length which is not a multiple of four bytes. 2011-05-30 Simon Josefsson * testsuite/serpent-test.c (test_main): Add test vectors from libgcrypt. 2011-05-21 Niels Möller * dsa-keygen.c (dsa_generate_keypair): Avoid double init of mpz variable. Spotted by Nikos Mavrogiannopoulos. 2011-05-06 Niels Möller * configure.ac: Fix link flags for shared libraries on Solaris, which needs -h to set the soname. Patch contributed by Dagobert Michelsen. 2011-05-06 Niels Möller * configure.ac: New configure option --enable-gcov. * arcfour.h (arcfour_stream): Deleted obsolete define. 2011-04-27 Niels Möller * tools/nettle-hash.c (find_algorithm): Require exact match. 2011-04-15 Niels Möller Reverted broken byte-order change from 2001-06-17: * serpent.c (serpent_set_key): Use correct byteorder. (serpent_encrypt): Likewise. (serpent_decrypt): Likewise. * testsuite/serpent-test.c (decode_hex_reverse): New function. (RH, RHL): New macros. (test_main): Byte reverse inputs and outputs for the testvectors taken from the serpent submission package. Enable test vectors from http://www.cs.technion.ac.il/~biham/Reports/Serpent/. 2011-03-23 Niels Möller * tools/sexp-conv.c (xalloc): Deleted function, now it's in misc.c instead. * configure.ac: Use LSH_FUNC_STRERROR. * tools/Makefile.in (TARGETS): Added nettle-hash, and related build rules. (SOURCES): Added nettle-hash.c. * tools/misc.c (xalloc): New function. * tools/pkcs1-conv.c (main): Made the OPT_* constants local, and fixed numerical values to start with non-ASCII 0x300. * tools/nettle-hash.c: New file. 2011-03-23 Niels Möller Contributed by Daniel Kahn Gillmor: * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added meta-hash-test.c, meta-cipher-test.c, and meta-armor-test.c. * testsuite/meta-hash-test.c: New file. * testsuite/meta-cipher-test.c: New file. * testsuite/meta-armor-test.c: New file. * nettle.texinfo: Document nettle_hashes and nettle_ciphers. * nettle-meta.h: Declare algorithm lists nettle_ciphers, nettle_hashes, nettle_armors. * Makefile.in (nettle_SOURCES): Added nettle-meta-hashes.c, nettle-meta-ciphers.c, and nettle-meta-armors.c. * nettle-meta-armors.c: New file. * nettle-meta-ciphers.c: New file. * nettle-meta-hashes.c: New file. 2011-02-18 Niels Möller * arcfour.c (arcfour_stream): Deleted function. It's not very useful, and neither documented nor tested. 2011-02-16 Niels Möller * cbc.h (CBC_ENCRYPT): Avoid using NULL; we don't ensure that it is defined. (CBC_DECRYPT): Likewise. * gcm-aes.c (gcm_aes_set_iv): Use GCM_SET_IV. (gcm_aes_set_key): Deleted cast. (gcm_aes_encrypt): Likewise. (gcm_aes_decrypt): Likewise. (gcm_aes_digest): Likewise. (gcm_aes_update): One less argument to GCM_UPDATE. * gcm.h (GCM_SET_KEY): Added cast to nettle_crypt_func *. Help compiler type checking despite this cast. (GCM_ENCRYPT): Likewise. (GCM_DECRYPT): Likewise. (GCM_DIGEST): Likewise. (GCM_SET_IV): New macro, for completeness. (GCM_UPDATE): Deleted unused argument encrypt. 2011-02-14 Niels Möller * nettle.texinfo: Split node on cipher modes, and started on the GCM documentation. * testsuite/gcm-test.c (test_gcm_aes): Deleted function, replaced by test_aead. (test_main): Use test_aead. * testsuite/testutils.c (test_aead): New function, replacing test_gcm_aes and before that test_cipher_gcm. * nettle-internal.c (nettle_gcm_aes128): New const struct. (nettle_gcm_aes192): Likewise. (nettle_gcm_aes256): Likewise. * nettle-internal.h (struct nettle_aead): Tentative interface for authenticated encryption with associated data. * examples/nettle-benchmark.c (time_gcm): Renamed. Updated for gcm_aes_auth to gcm_aes_update renaming. Benchmark both encryption and hashing. (time_gmac): ...old name. * nettle-internal.c (des_set_key_hack): Don't touch the bits parity, since thay are now ignored. (des3_set_key_hack): Likewise. * cast128-meta.c (nettle_cast128): Don't pass keysize. * nettle-meta.h (_NETTLE_CIPHER_FIX): Deleted keysize parameter derived from the appropriate constant instead. * testsuite/gcm-test.c (test_gcm_aes): Updated for gcm_aes_auth to gcm_aes_update renaming. 2011-02-13 Niels Möller * gcm.h (GCM_UPDATE): Renamed, from... (GCM_AUTH): ...old name. * gcm-aes.c (gcm_aes_update): Renamed, from... (gcm_aes_auth): ...old name. * gcm.c (gcm_update): Renamed, and fixed an assert. From... (gcm_auth): ...old name. * gcm.h (GCM_TABLE_BITS): Increase table size to 8 bits, corresponding to 4 KByte of key-dependent tables. 2011-02-10 Niels Möller * x86_64/memxor.asm: New file. Improves performance by 22% for the unaligned01 case and 35% for the unaligned12 case, benchmarked on Intel SU1400. * examples/nettle-benchmark.c (cgt_works_p): New function. (cgt_time_start): Likewise. (cgt_time_end): Likewise. (clock_time_start): Likewise. (clock_time_end): Likewise. (time_function): Read clock via function pointers time_start and time_end, so we can select method at runtime. (xalloc): Use die function. (main): Choose timing function. If available, try clock_gettime, and fall back to clock if it doesn't exist. * examples/nettle-benchmark.c (die): New function. (TIME_END, TIME_START): Check return value from clock_gettime. * gcm.h (union gcm_block): Use correct length for w array. * testsuite/gcm-test.c (test_main): Added the rest of the testcases from the spec. 2011-02-09 Niels Möller * testsuite/gcm-test.c (test_main): Enabled testcases 5 and 6, with different IV lengths. * gcm-aes.c (gcm_aes_set_iv): Updated for gcm_set_iv change. * gcm.c (gcm_hash_sizes): New function. (gcm_set_iv): Added support for IVs of arbitrary size. Needed another argument, for the hash subkey. (gcm_digest): Use gcm_hash_sizes. * examples/nettle-benchmark.c (time_gmac): Use gcm_aes interface. * testsuite/gcm-test.c (test_gcm_aes): New function, replacing test_cipher_gcm and using the new gcm_aes interface. (test_main): Updated to use test_gcm_aes. * testsuite/testutils.c (test_cipher_gcm): Deleted function. * Makefile.in (nettle_SOURCES): Added gcm-aes.c. * gcm.c (gcm_set_key): Replaced context argument by a struct gcm_key *. (gcm_hash): Replaced context argument by a struct gcm_key * and a pointer to the hashing state block. (gcm_auth): Added struct gcm_key * argument. (gcm_encrypt): Likewise. (gcm_decrypt): Likewise. (gcm_digest): Likewise. * gcm-aes.c: New file. (gcm_aes_set_key): New function. (gcm_aes_set_iv): Likewise. (gcm_aes_auth): Likewise. (gcm_aes_encrypt): Likewise. (gcm_aes_decrypt): Likewise. (gcm_aes_digest): Likewise. * gcm.h (struct gcm_key): Moved the key-dependent and message-independent state to its own struct. (struct gcm_ctx): ... and removed it here. (GCM_CTX): New macro. (GCM_SET_KEY): Likewise. (GCM_AUTH): Likewise. (GCM_ENCRYPT): Likewise. (GCM_DECRYPT): Likewise. (GCM_DIGEST): Likewise. (struct gcm_aes_ctx): New struct. 2011-02-08 Niels Möller * gcm.h (struct gcm_ctx): The hash key is now always an array, named h, with array size depending on GCM_TABLE_BITS. * gcm.c (gcm_gf_shift): Added a separate result argument. (gcm_gf_mul): Compile bitwise version only when GCM_TABLE_BITS == 0. Simplified interface with just two arguments pointing to complete blocks. (gcm_gf_shift_4, gcm_gf_shift_8): Renamed table-based functions, from... (gcm_gf_shift_chunk): ... old name. (gcm_gf_mul): Renamed both table-based versions and made the argument types compatible with the bitwise gcm_gf_mul. (gcm_gf_mul_chunk): ... the old name. (gcm_set_key): Initialize the table using adds and shifts only. When GCM_TABLE_BITS > 0, this eliminates the only use of the bitwise multiplication. (gcm_hash): Simplified, now that we have the same interface for gcm_gf_mul, regardless of table size. * gcm.c (GHASH_POLYNOMIAL): Use unsigned long for this constant. (gcm_gf_shift_chunk): Fixed bugs for the big endian 64-bit case, e.g., sparc64. For both 4-bit and 8-bit tables. * gcm.c: Use the new union gcm_block for all gf operations. * gcm.h (union gcm_block): New union, used to enforce alignment. 2011-02-07 Niels Möller * gcm.c (gcm_gf_shift_chunk) : Bug fix for little-endian 8-bit tables. * gcm.c (gcm_gf_mul_chunk): Special case first and last iteration. (gcm_gf_add): New function, a special case of memxor. Use it for all memxor calls with word-aligned 16 byte blocks. Improves performance to 152 cycles/byte with no tables, 28 cycles per byte with 4-bit tables and 10.5 cycles per byte with 8-bit tables. Introduced 8-bit tables. If enabled, gives gmac performance of 19 cycles per byte (still on intel x86_64). * gcm.c (gcm_gf_shift_chunk): New implementation for 8-bit tables. (gcm_gf_mul_chunk): Likewise. (gcm_set_key): Generate 8-bit tables. * Makefile.in (SOURCES): Added gcmdata.c. * gcm.h (GCM_TABLE_BITS): Set to 4. 2011-02-06 Niels Möller * Makefile.in (TARGETS): Added gcmdata. (gcmdata): New rule. Introduced 4-bit tables. Gives gmac performance of 45 cycles per byte (still on intel x86_64). * gcm.c (gcm_gf_shift): Renamed. Tweaked little-endian masks. (gcm_rightshift): ... old name. (gcm_gf_mul): New argument for the output. Added length argument for one of the inputs (implicitly padding with zeros). (shift_table): New table (in 4-bit and 8-bit versions), generated by gcmdata. (gcm_gf_shift_chunk): New function shifting 4 bits at a time. (gcm_gf_mul_chunk): New function processing 4 bits at a time. (gcm_set_key): Generation of 4-bit key table. (gcm_hash): Use tables, when available. * gcmdata.c (main): New file. * gcm.c (gcm_rightshift): Moved the reduction of the shifted out bit here. (gcm_gf_mul): Updated for gcm_rightshift change. Improves gmac performance to 181 cycles/byte. * gcm.c (gcm_gf_mul): Rewrote. Still uses the bitwise algorithm from the specification, but with separate byte and bit loops. Improves gmac performance a bit further, to 227 cycles/byte. * gcm.c (gcm_rightshift): Complete rewrite, to use word rather than byte operations. Improves gmac performance from 830 cycles / byte to (still poor) 268 cycles per byte on intel x86_64. 2011-02-05 Niels Möller * examples/nettle-benchmark.c (time_gmac): New function. (main): Call time_gmac. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added gcm-test.c. * testsuite/testutils.c (test_cipher_gcm): New function, contributed by Nikos Mavrogiannopoulos. * testsuite/gcm-test.c: New file, contributed by Nikos Mavrogiannopoulos. * Makefile.in (nettle_SOURCES): Added gcm.c. (HEADERS): Added gcm.h. * gcm.c: New file, contributed by Nikos Mavrogiannopoulos. * gcm.h: New file, contributed by Nikos Mavrogiannopoulos. * macros.h (INCREMENT): New macro, moved from ctr.c. Deleted third argument. * ctr.c: Use INCREMENT macro from macros.h, deleted local version. 2011-01-07 Niels Möller * testsuite/Makefile.in (check): Add ../.lib to PATH, since that's where w*ndows looks for dlls. * testsuite/testutils.c (test_cipher_stream): More debug output on failure. 2010-12-14 Niels Möller * nettle-types.h: Deleted some unnecessary parenthesis from function typedefs. (nettle_realloc_func): Moved typedef here... * realloc.h: ...from here. * buffer.c (nettle_buffer_init_realloc): Use an explicit pointer for realloc argument. 2010-12-07 Niels Möller * nettle.texinfo (Copyright): Updated info on blowfish. 2010-11-26 Niels Möller Reapplied optimizations (150% speedup on x86_32) and other fixes, relicensing them as LGPL. * blowfish.c (do_encrypt): Renamed, to... (encrypt): ...new name. (F): Added context argument. Shift input explicitly, instead of reading individual bytes via memory. (R): Added context argument. (encrypt): Deleted a bunch of local variables. Using the context pointer for everything should consume less registers. (decrypt): Likewise. (initial_ctx): Arrange constants into a struct, to simplify key setup. (blowfish_set_key): Some simplification. 2010-11-26 Simon Josefsson * blowfish.c: New version ported from libgcrypt. License changed from GPL to LGPL. 2010-11-25 Niels Möller * Makefile.in (install-shared-nettle): Use INSTALL_DATA, which clears the execute permission bits. (install-shared-hogweed): Likewise. 2010-11-16 Niels Möller * configure.ac: Updated gmp url. 2010-11-01 Niels Möller * tools/misc.c (werror): Don't call exit (copy&paste-error). 2010-10-26 Niels Möller * examples/rsa-encrypt.c (main): No extra message for bad options. * examples/rsa-keygen.c (main): Added long options. Deleted -?, and fixed handling of bad options. * examples/next-prime.c (main): Deleted -?, and fixed handling of bad options. * examples/random-prime.c (main): Likewise. 2010-10-22 Niels Möller * examples/nettle-benchmark.c (main): Added long options. Deleted -?, and fixed handling of bad options. * examples/eratosthenes.c (main): Added long options. Deleted -?, and fixed handling of bad options. Renamed -s to -q (long option --quiet). * tools/pkcs1-conv.c (main): Deleted short alias -? for --help, and fixed handling of bad options. * tools/sexp-conv.c (parse_options): Likewise. 2010-10-06 Niels Möller * memxor.c (memxor3): Optimized. (memxor3_common_alignment): New function. (memxor3_different_alignment_b): New function. (memxor3_different_alignment_ab): New function. (memxor3_different_alignment_all): New function. * examples/nettle-benchmark.c (time_function): Reorganized, to reduce overhead. (time_memxor): Also benchmark memxor3. * x86_64/memxor.asm: New file. * examples/nettle-benchmark.c (overhead): New global variable. (time_function): Compensate for call overhead. (bench_nothing, time_overhead): New functions. (time_memxor): Tweaked src size, making it an integral number of words. (main): Call time_overhead. 2010-10-01 Niels Möller * x86_64/camellia-crypt-internal.asm (ROUND): Reordered sbox lookups. * testsuite/memxor-test.c: Also test memxor3. 2010-09-30 Niels Möller * configure.ac: Link in memxor.asm, if found. * testsuite/testutils.c (test_cipher_cbc): Print more info when failing. * testsuite/memxor-test.c (test_xor): Added verbose printout. * examples/nettle-benchmark.c (time_memxor): Count size of unsigned long as "block size" for memxor. 2010-09-24 Niels Möller * testsuite/.test-rules.make: Added rule for memxor-test. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added memxor-test.c * testsuite/memxor-test.c: New file. * memxor.c (memxor_common_alignment): New function. (memxor_different_alignment): New function. (memxor): Optimized to do word-operations rather than byte operations. * configure.ac (HAVE_NATIVE_64_BIT): New config.h define. Partial revert of 2010-09-20 changes. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reintroduce CAMELLIA_F_HALF_INV, for 32-bit machines. * camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Two variants, differing in where addition of the key is done. * x86/camellia-crypt-internal.asm: Moved addition of key. 2010-09-22 Niels Möller * examples/nettle-benchmark.c (BENCH_INTERVAL): Changed unit to seconds. (time_function): Use clock_gettime with CLOCK_PROCESS_CPUTIME_ID, if available. This gives better accuracy, at least on recent linux. (BENCH_INTERVAL): Reduced to 0.1 s. (struct bench_memxor_info): New struct. (bench_memxor): New function. (time_memxor): New function. (main): Use time_memxor. Added optional argument used to limit the algorithms being benchmarked. (GET_CYCLE_COUNTER): Define also for x86_64. (time_memxor): Improved display. * examples/Makefile.in (nettle-benchmark): Link using $(BENCH_LIBS) rather than $(LIBS). * configure.ac: Check for clock_gettime, and add -lrt to BENCH_LIBS if needed. 2010-09-20 Niels Möller * configure.ac: Less quoting when invoking $CC, to allow CC="gcc -m32". * x86/camellia-crypt-internal.asm (ROUND): Adapted to new key convention, moving key xor to the end. * camellia-set-encrypt-key.c (CAMELLIA_F_HALF_INV): Deleted macro. (camellia_set_encrypt_key): Deleted the CAMELLIA_F_HALF_INV operations intended for moving the key xor into the middle of the round. * camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Moved addition of key to the end, to use a 64-bit xor operation. * x86_64/camellia-crypt-internal.asm: New file. * x86_64/machine.m4 (LREG, HREG, XREG): New macros. 2010-09-17 Niels Möller * configure.ac: Support shared libraries (dlls) with mingw32. Contributed by David Hoyt. 2010-07-25 Niels Möller * configure.ac: Changed version number to nettle-2.2. * Released nettle-2.1. * configure.ac: Use camellia-crypt-internal.asm, if available. Bumped soname to libnettle.so.4, and reset LIBNETTLE_MINOR to zero. * x86/machine.m4 (LREG, HREG): Moved macros here, from... * x86/aes.m4: ...here. * x86/camellia-crypt-internal.asm: New file. * nettle.texinfo: Updated and expanded section on DSA. Document aes_invert_key, and camellia. Added missing functions rsa_sha512_verify and rsa_sha512_verify_digest. * camellia.h (struct camellia_ctx): Eliminate the two unused subkeys, and renumber the remaining ones. * camellia-crypt-internal.c (_camellia_crypt): Updated for renumbered subkeys. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Likewise. * camellia-set-decrypt-key.c (camellia_invert_key): Likewise. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Inline the expansion of camellia_setup128 and camellia_setup256, keeping the unexpanded key in scalar variables. (camellia_setup128): Deleted. (camellia_setup256): Deleted. 2010-07-24 Niels Möller * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reduced code size, no complete loop unroll. Use one loop for each phase of the post-processing. * testsuite/camellia-test.c: New tests for camellia_invert_key. * testsuite/aes-test.c: New tests for aes_invert_key. * aes.h (aes_invert_key): Declare it. * aes-set-decrypt-key.c (aes_invert_key): New function, key inversion code extracted from aes_set_decrypt_key. (aes_set_decrypt_key): Use aes_invert_key. * camellia-set-encrypt-key.c (camellia_setup128): Generate unmodified subkeys according to the spec. Moved clever combination of subkeys to camellia_set_encrypt_key. (camellia_setup256): Likewise. (camellia_set_encrypt_key): Moved subkey post-processing code here, and reduce code duplication between 128-bit keys and larger keys. * camellia.c: Deleted file, split into several new files... * camellia-table.c (_camellia_table): New file with the constant sbox tables. * camellia-set-encrypt-key.c: New file. (camellia_setup128): Generate unmodified subkeys according to the spec. Moved clever combination of subkeys to camellia_set_encrypt_key. (camellia_setup256): Likewise. * camellia-set-decrypt-key.c: New file. (camellia_invert_key): Key inversion function. (camellia_set_decrypt_key): New key setup function. * camellia-internal.h: New file. * camellia-crypt.c (camellia_crypt): New file, new wrapper function passing the sbox table to _camellia_crypt. * camellia-crypt-internal.c (_camellia_crypt): New file, with main encrypt/decrypt function. * Makefile.in (nettle_SOURCES): Updated list of camellia source files. (DISTFILES): Added camellia-internal.h. 2010-07-20 Niels Möller * camellia-meta.c: Use _NETTLE_CIPHER_SEP_SET_KEY. * camellia.h (struct camellia_ctx): Replaced flag camellia128 by expanded key length nkeys. * camellia.c (camellia_set_encrypt_key): Renamed, from... (camellia_set_key): ... old name. (camellia_invert_key): New function. (camellia_set_decrypt_key): New function, using camellia_invert_key. (camellia_crypt): Renamed, from... (camellia_encrypt): ... old name. (camellia_decrypt): Deleted, no longer needed. camellia_crypt used for both encryption and decryption. * nettle-meta.h (_NETTLE_CIPHER_SEP_SET_KEY): New macro. * dsa-keygen.c: Removed unnecessary include of memxor.h. * camellia.c: Rewrote to use 64-bit type for subkeys and use 64-bit operations throughout. Performance on x86_32, when compiled with gcc-4.4.4, is reduced by roughly 15%, this should be fixed later. * camellia.h (struct camellia_ctx): Use type uint64_t for subkeys. 2010-07-07 Niels Möller * aes.h (aes_encrypt, aes_decrypt): Declare ctx argument as const. Also updated implementation. * blowfish.h (blowfish_encrypt, blowfish_decrypt): Likewise. * cast128.h (cast128_encrypt, cast128_decrypt): Likewise. * serpent.h (serpent_encrypt, serpent_decrypt): Likewise. * twofish.h (twofish_encrypt, twofish_decrypt): Likewise. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added camellia-test.c. * examples/nettle-benchmark.c: Added camellia ciphers. * Makefile.in (nettle_SOURCES): Added camellia.c and camellia-meta.c. (HEADERS): Added camellia.h. * nettle-meta.h (nettle_camellia128): Declare. (nettle_camellia192): Likewise. (nettle_camellia256): Likewise. * camellia-meta.c: New file. * camellia.h: Rewrote interface to match nettle conventions. * camellia.c: Converted to nettle conventions. (camellia_encrypt128, camellia_encrypt256): Unified to new function... (camellia_encrypt): ...New function, with a loop doing 6 regular rounds, one FL round and one FLINV round per iteration, with iteration count depending on the key size. (camellia_decrypt128, camellia_decrypt256): Similarly unified as... (camellia_decrypt): ...New function, analogous to camellia_encrypt. 2010-07-06 Niels Möller * camellia.c, camellia.h: New files, copied from http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. * testsuite/camellia-test.c: New file. 2010-07-05 Niels Möller * nettle.texinfo: Document new conventions for weak key and des parity checks. Document des_check_parity. * testsuite/des-test.c (test_weak): Don't check the deleted status attribute. * des-compat.c (des_key_sched): Rewrote error checking logic for the case of non-zero des_check_key. * des3.c (des3_set_key): Changed weak key detection logic. Complete key setup also for weak keys, and don't set the status attribute. * des.c (des_set_key): New iteration logic, to keep key pointer unchanged. Moved weak key check to the end, and don't set the status attribute. (des_encrypt): Ignore status attribute. (des_decrypt): Likewise. * des.h (enum des_error): Deleted. (struct des_ctx): Deleted status attribute. (struct des3_ctx): Likewise. * blowfish.c (initial_ctx): Deleted status value. (blowfish_encrypt): Ignore status attribute. (blowfish_decrypt): Likewise. (blowfish_set_key): Return result from weak key check, without setting the status attribute. * blowfish.h (enum blowfish_error): Deleted. (struct blowfish_ctx): Deleted status attribute. * Makefile.in (des_headers): Deleted parity.h. 2010-06-30 Niels Möller * testsuite/des-test.c (test_des): New function. (test_weak): New function. (test_main): Use test_des and test_weak. Added tests for all the weak keys. Added some tests with invalid (to be ignored) parity bits. * des.c (parity_16): New smaller parity table. (des_check_parity): New function. (des_fix_parity): Use parity_16. (des_weak_p): New weak-key detection. Ignores parity bits, and uses a hash table. (des_set_key): Deleted parity checking code. Replaced old weak-key detection code by a call to des_weak_p. 2010-06-04 Niels Möller * testsuite/testutils.c (test_dsa_key): Updated for new name DSA_SHA1_MIN_P_BITS. * dsa-keygen.c (dsa_generate_keypair): Use DSA_SHA1_MIN_P_BITS and DSA_SHA256_MIN_P_BITS. * dsa.h (DSA_MIN_P_BITS, DSA_Q_OCTETS, DSA_Q_BITS): Renamed to... (DSA_SHA1_MIN_P_BITS, DSA_SHA1_Q_OCTETS, DSA_SHA1_Q_BITS): New names. * sexp2dsa.c (dsa_keypair_from_sexp_alist): New argument q_bits. Renamed parameter limit to p_max_bits. (dsa_sha1_keypair_from_sexp): Renamed, was dsa_keypair_from_sexp. Updated to call dsa_keypair_from_sexp_alist with the new argument. (dsa_sha256_keypair_from_sexp): New function. (dsa_signature_from_sexp): New argument q_bits. * der2dsa.c (dsa_params_from_der_iterator): Enforce 160-bit limit on q. Renamed parameter limit to p_max_bits. (dsa_openssl_private_key_from_der_iterator): Enforce 160-bit limit on q and x. Renamed parameter limit to p_max_bits. 2010-06-03 Niels Möller * testsuite/dsa-test.c (test_main): Added test for dsa-sha256. 2010-06-02 Niels Möller * testsuite/dsa-test.c (test_main): Provide expected value of the signature. * testsuite/testutils.c (test_dsa160): Added argument for expected signature. (test_dsa256): Likewise. 2010-06-01 Niels Möller * testsuite/rsa-keygen-test.c (test_main): Updated expected signatures. * examples/random-prime.c (main): Updated for nettle_random_prime change. * testsuite/random-prime-test.c (test_main): Likewise. * rsa-keygen.c (bignum_random_prime): Deleted function. (rsa_generate_keypair): Use new nettle_random_prime. Generate secret factors p and q with the two most significant bits set. * dsa-keygen.c (dsa_generate_keypair): Updated for changes in nettle_random_prime and _nettle_generate_pocklington_prime. Invoke progress callback. * bignum-random-prime.c (_nettle_generate_pocklington_prime): New argument top_bits_set, to optionally generate primes with the two most significant bits set. Reordered argument list. (nettle_random_prime): Likewise, added top_bits_set argument. Invoke progress callback when a prime is generated. 2010-05-26 Niels Möller * dsa-keygen.c (dsa_generate_keypair): Use _nettle_generate_pocklington_prime. Deleted old key generation code. * bignum-random-prime.c (_nettle_generate_pocklington_prime): Also return the used r. Updated caller. * examples/random-prime.c (main): Allow sizes down to 3 bits. * bignum-random-prime.c (_nettle_generate_pocklington_prime): New function. Rely on mpz_probab_prime_p (for lack of a trial division function) for trial division. (nettle_random_prime): Rewritten. Uses the prime table for the smallest sizes, then trial division using a new set of tables, and then Maurer's algorithm, calling the new _nettle_generate_pocklington_prime for the final search. 2010-05-25 Niels Möller * testsuite/dsa-test.c (test_main): Updated for dsa testing changes. * testsuite/dsa-keygen-test.c (test_main): Test dsa256. * testsuite/testutils.h (struct nettle_mac): New struct, currently unused. * testsuite/testutils.c (test_mac): New function (currently not used). (test_dsa): Replaced by two new functions... (test_dsa160): New function. (test_dsa256): New function. (test_dsa_key): New argument q_size. (DSA_VERIFY): Generalized. * dsa-keygen.c (dsa_generate_keypair): Rewritten, now generating primes using Pocklington's theorem. Takes both p_size and q_size as arguments. 2010-05-20 Niels Möller * bignum-random-prime.c (miller_rabin_pocklington): Fixed broken logic when Miller-rabin succeeds early. 2010-04-09 Niels Möller * bignum-next-prime.c: Include stdlib.h, needed for alloca on freebsd. * hmac.c: Likewise. * examples/Makefile.in (SOURCES): Added random-prime.c. * examples/random-prime.c: New program. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved knuth-lfib-test.c, cbc-test.c, ctr-test.c, hmac-test.c here, from TS_HOGWEED_SOURCES. (TS_HOGWEED_SOURCES): Added random-prime-test.c. * testsuite/random-prime-test.c: New test case. * examples/next-prime.c (main): With no command line arguments. exit after dislaying usage message. * examples/io.c (simple_random): Free buffer when done. * configure.ac: Changed message, say CC is the recommended way to configure the ABI. * bignum-random.c: Deleted test of HAVE_LIBGMP. * bignum.c: Likewise. * sexp2bignum.c: Likewise. * Makefile.in (hogweed_SOURCES): Added bignum-random-prime.c. * bignum-random-prime.c (nettle_random_prime): New file, new function. 2010-03-31 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha224. 2010-03-30 Niels Möller * testsuite/testutils.c (DSA_VERIFY): Updated for dsa_sha1_verify rename. (test_dsa): Check return value from dsa_sha1_sign. * Makefile.in (hogweed_SOURCES): Added dsa-sha1-sign.c, dsa-sha1-verify.c, dsa-sha256-sign.c, and dsa-sha256-verify.c. * dsa.h: Updated and added dsa declarations. * dsa-sha256-verify.c (dsa_sha256_verify_digest): New file, new function. (dsa_sha256_verify): New function. * dsa-sha256-sign.c (dsa_sha256_sign_digest): New file, new function. (dsa_sha256_sign): New function. * dsa-sha1-verify.c (dsa_sha1_verify_digest): New file. Moved and renamed function, from dsa_verify_digest, rewrote to use _dsa_verify. (dsa_sha1_verify): Analogous change, renamed from dsa_verify. * dsa-sha1-sign.c (dsa_sha1_sign_digest): New file. Moved and renamed function, from dsa_sign_digest, rewrote to use _dsa_sign, and added return value. (dsa_sha1_sign): Analogous change, renamed from dsa_sign. * dsa-verify.c (_dsa_verify): New general verification function, for any hash. * dsa-sign.c (_dsa_sign): New general signing function, for any hash. Returns success code, like the rsa signture functions. 2010-03-29 Niels Möller * configure.ac (ABI): Attempt to use a better, ABI-dependant, default value for libdir. * x86/md5-compress.asm: Fixed function name in epilogue. * asm.m4 (EPILOGUE): Use . to refer to current address. * configure.ac (ABI): Detect which ABI the compiler is using. On x86_64, also check for __arch64__. 2010-03-28 Niels Möller * configure.ac (asm_path): For x86_64, check if compiler is generating 32-bit code. 2010-03-27 Niels Möller * testsuite/hmac-test.c (test_main): Rewrote rest of tests to use HMAC_TEST, and added more tests from Daniel Kahn Gillmor and from RFC 4231. * Makefile.in (nettle_SOURCES): Added hmac-sha224.c and hmac-sha384.c. * hmac.h: Added declarations of hmac-sha224 and hmac-sha384. * hmac-sha224.c: New file. 2010-03-26 Niels Möller * testsuite/hmac-test.c (HMAC_TEST): New macro. (test_main): Use HMAC_TEST for the md5 and sha1 tests, and add test vectors from Daniel Kahn Gillmor. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha224-test.c. * Makefile.in (nettle_SOURCES): Added sha224-meta.c and write-be32.c. (DISTFILES): Added nettle-write.h. * sha.h: Added declarations for sha224. Some are aliases for the corresponding sha256 definition. * sha256.c (sha256_digest): Use _nettle_write_be32. (sha224_init): New function. (sha224_digest): New function. * sha1.c (sha1_digest): Use _nettle_write_be32. * nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE) (NETTLE_MAX_HASH_DIGEST_SIZE): Increased, to take sha512 into account. * nettle-write.h: New file. * write-be32.c (_nettle_write_be32): New file, new function. * sha224-meta.c: New file. 2010-03-25 Niels Möller * hmac-sha384.c: New file. * testsuite/sha224-test.c: New file. * testsuite/md4-test.c (test_main): More test vectors, provided by Daniel Kahn Gillmor. * testsuite/md5-test.c (test_main): Likewise. * testsuite/sha1-test.c (test_main): Likewise. * testsuite/sha256-test.c (test_main): Likewise. * testsuite/sha384-test.c (test_main): Likewise. * testsuite/sha512-test.c (test_main): Likewise. * configure.ac: Bumped version numbers. Package version nettle-2.1, library versions libnettle.so.3.1, libhogweed.so.2.0. * examples/nettle-benchmark.c (main): Benchmark sha384. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha384-test.c. * testsuite/sha384-test.c: New file. * Makefile.in (nettle_SOURCES): Added sha384-meta.c. * sha384-meta.c: New file. * sha.h: Added declarations for sha384. Some are aliases for the corresponding sha512 definition. * sha512.c (sha512_write_digest): New function. (sha512_digest): Use it. (sha384_init): New function. (sha384_digest): New function. 2010-03-24 Niels Möller * sha512.c: (sha512_digest): Simplified handling of any final partial word of the digest. * sha512.c: Reorganized to use _nettle_sha512_compress. * sha512-compress.c (_nettle_sha512_compress): Compression function extracted from sha512.c to a new file. * Makefile.in (nettle_SOURCES): Added sha256-compress.c and sha512-compress.c. * sha256.c: Reorganized to use _nettle_sha256_compress. * sha256-compress.c (_nettle_sha256_compress): Compression function extracted from sha256.c to a new file. * examples/nettle-benchmark.c (main): Benchmark sha512. * rsa-keygen.c (rsa_generate_keypair): Ensure that bit size of e is less than bit size of n, and check for the unlikely case p = q. * rsa.h (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Reduced, to correspond to pkcs#1 encryption of single byte messagees. * pgp-encode.c (pgp_put_rsa_sha1_signature): Check return value from rsa_sha1_sign. * rsa-compat.c (R_SignFinal): Likewise. * rsa-md5-sign.c (rsa_md5_sign): Check and propagate return value from pkcs1_rsa_md5_encode. (rsa_md5_sign_digest): Check and propagate return value from pkcs1_rsa_md5_encode_digest. * rsa-md5-verify.c (rsa_md5_verify): Check return value from pkcs1_rsa_md5_encode. (rsa_md5_verify_digest): Check return value from pkcs1_rsa_md5_encode_digest. * rsa-sha1-sign.c: Analogous changes. * rsa-sha1-verify.c: Analogous changes. * rsa-sha256-sign.c: Analogous changes. * rsa-sha256-verify.c: Analogous changes. * rsa-sha512-sign.c: Analogous changes. * rsa-sha512-verify.c: Analogous changes. * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) (pkcs1_rsa_md5_encode_digest): Added return value. Check and propagate return value from pkcs1_signature_prefix. * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): Likewise. * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) (pkcs1_rsa_sha1_encode_digest): Likewise. * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) (pkcs1_rsa_sha512_encode_digest): Likewise. * pkcs1.c (pkcs1_signature_prefix): Interface change, take both the total size and digest size as arguments, and return a status code to say if the size was large enough. * testsuite/Makefile.in: Added hogweed dependency for the test programs. 2010-03-23 Niels Möller * testsuite/rsa-test.c (test_main): Test signing with sha512. * testsuite/testutils.c (test_rsa_sha512): New function. * Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c, rsa-sha512-sign.c and rsa-sha512-verify.c. * rsa.h: Added prototypes for sha512-related functions. (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased. * pkcs1.h: Added prototypes for sha512-related functions. * rsa-sha512-verify.c: New file. * rsa-sha512-sign.c: New file. * pkcs1-rsa-sha512.c: New file. 2010-03-22 Niels Möller * Makefile.in (nettle_SOURCES): Added hmac-sha512.c. * testsuite/hmac-test.c (test_main): Added test cases for hmac-sha512. * hmac.h: Declare functions sha512-related functions. * hmac-sha512.c (hmac_sha512_set_key): New file. Basic sha512 support. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha512-test.c. * testsuite/sha512-test.c: New file. * macros.h (READ_UINT64, WRITE_UINT64): New macros. * Makefile.in (nettle_SOURCES): Added sha512.c and sha512-meta.c. * sha.h: Added sha512-related declarations. * nettle-meta.h: Likewise. * sha512-meta.c: New file. * sha512.c: New file. 2010-03-06 Niels Möller * Makefile.in (distdir): Include x86_64 assembler files. 2010-01-20 Niels Möller * configure.ac: Check for mpz_powm_sec. 2010-01-13 Niels Möller * Makefile.in ($(LIBHOGWEED_FORLINK)): Depend on $(LIBNETTLE_FORLINK). * configure.ac (LIBHOGWEED_LIBS): Added -lnettle -lgmp for the default case. Follows debian, and also makes dlopen of libhogweed.so work, without having to use RTLD_GLOBAL. (LIBHOGWEED_LINK): Added -L., to find our libnettle.so. 2009-10-21 Niels Möller * tools/Makefile.in (pkcs1-conv$(EXEEXT)): Added dependency on ../libhogweed.a. 2009-10-19 Niels Möller * tools/pkcs1-conv.c: Updated for dsa/der interface change. * der2dsa.c (dsa_public_key_from_der_iterators): Split into two new functions... (dsa_params_from_der_iterator): New function. (dsa_public_key_from_der_iterator): New function. (dsa_openssl_private_key_from_der_iterator): Renamed, was dsa_private_key_from_der_iterator. (dsa_openssl_private_key_from_der): Likewise. * dsa.h: Corresponding changees to prototypes and #defines. 2009-10-12 Niels Möller * sexp-format.c: Removed conditioning on HAVE_LIBGMP. * tools/pkcs1-conv.c: Support for DSA keys, contributed by Magnus Holmgren. * Makefile.in (hogweed_SOURCES): Added dsa2sexp.c and der2dsa.c. * der2dsa.c: New file, contributed by Magnus Holmgren. * dsa2sexp.c: Likewise. * dsa.h: Added prototypes. * configure.ac (LIBHOGWEED_MINOR): Bumped libhogweed minor version, now it's 1.1. * testsuite/rsa2sexp-test.c (test_main): Updated testcase for "rsa-pkcs1". 2009-10-11 Niels Möller * rsa2sexp.c (rsa_keypair_to_sexp): Changed default algorithm name to "rsa-pkcs1". 2009-09-20 Niels Möller * x86/sha1-compress.asm: Improved performance by 17% on AMD K7, by letting loopmix scramble the instruction order. 2009-09-15 Niels Möller * x86/sha1-compress.asm: Cleanup, removing old cruft. Slight improvement to ROUND_F1_NOEXP. Slight reduction of dependency-chains. 2009-08-25 Niels Möller * x86/sha1-compress.asm: Eliminated tmp variable for f3 rounds. * examples/nettle-benchmark.c (bench_sha1_compress): New function, for precise benchmarking of the compression function. 2009-06-08 Niels Möller * Released nettle-2.0. 2009-06-04 Niels Möller * configure.ac: Set version to 2.0 2009-05-30 Niels Möller * Makefile.in (.texinfo.info): Don't use a temporary output file $@T, trust makeinfo to remove output file on errors. 2009-05-19 Niels Möller * nettle.texinfo: Changed license to public domain. 2009-05-11 Niels Möller * nettle.texinfo: Fixes from Karl Berry. Added some more index terms. 2009-03-06 Niels Möller * x86_64/aes-encrypt-internal.asm: Reduced unrolling. Keep state in %eax--%edx only. * x86_64/aes-decrypt-internal.asm: Likewise. * x86_64/aes.m4 (MOVE_HREG): Deleted, no longer needed. (AES_STORE): Reduced offsets. (AES_ROUND): Use HREG directly, not MOVE_HREG. * x86_64/aes-decrypt-internal.asm: Rearrange register allocation. Put SA--SD in %eax--%edx, so the second byte can be accessed as %ah-%dh. TD is not needed, SD can be reused. Use the register that is saved for the outer loop counter, getting it off the stack. * x86_64/aes-encrypt-internal.asm: Likewise. * x86_64/aes.m4 (HREG, MOVE_HREG): New macros. (XREG): Fixed bug in handling of %r8 and %r9. (AES_ROUND): Use MOVE_HREG. 2009-02-10 Niels Möller * base16-meta.c (base16_encode_update_wrapper): Mark ctx argument as UNUSED. * testsuite/sexp-conv-test: Updated testcases for improved handling of comments. * tools/sexp-conv.c (sexp_convert_item): Use sexp_put_soft_newline to terminate comments, and modify indentation for the case that a list starts with a comment. * tools/output.c (sexp_output_init): Initialize soft_newline. (sexp_put_raw_char): Clear soft_newline. (sexp_put_newline): Check and reset soft_newline. (sexp_put_soft_newline): New function. * tools/output.h (struct sexp_output): Removed union with single element, and updated all users. New attribute soft_newline. 2008-12-22 Niels Möller * Makefile.in ($(des_headers)): Create files in $(srcdir). 2008-11-28 Niels Möller * testsuite/cxx-test.cxx: Include . 2008-11-22 Niels Möller * yarrow256.c (yarrow256_fast_reseed): Set ctx->seeded = 1, so that it is set if and only if the aes context has been initialized with aes_set_encrypt_key. (yarrow256_seed): No need to set ctx->seeded here. (yarrow256_update): Likewise. 2008-11-04 Niels Möller * examples/next-prime.c (main): Avoid using gmp_fprintf, to stay compatible with gmp-3.1. 2008-11-01 Niels Möller * nettle.texinfo: Updated for 2.0. New section on linking. * nettle-types.h, nettle-meta.h: Moved all typedefs for function types to nettle-types.h. Use non-pointer types, so that the types can be used to declare functions. Updated all users. 2008-10-31 Niels Möller * testsuite/yarrow-test.c (test_main): Updated for seed file changes. * sha-example.c (display_hex): Use %02x, not %2x. 2008-10-30 Niels Möller * tools/sexp-conv.c (main): Fixed file locking. 2008-10-25 Niels Möller * configure.ac: Set version to 2.0rc1. * examples/Makefile.in (next-prime$(EXEEXT)): Added -lnettle to linker. 2008-10-24 Niels Möller * sha256.c (ROUND): Simplified macro. * yarrow256.c (yarrow256_fast_reseed): Renamed (was yarrow_fast_reseed) and made non-static. Don't generate seed file here, let the application use yarrow256_random instead. (yarrow256_slow_reseed): Renamed (was yarrow_slow_reseed) and made non-static. (yarrow256_force_reseed): Deleted function, use yarrow256_slow_reseed instead. For backwards compatibility, yarrow.h defines yarrow256_force_reseed as an alias for that function. * yarrow.h (struct yarrow256_ctx): Deleted seed_file buffer. 2008-09-17 Niels Möller * x86/arcfour-crypt.asm: Improved loop logic, and unrolled loop twice. Gave a modest speedup. 2008-09-15 Niels Möller * yarrow256.c (yarrow256_seed): Disallow length == 0. * base64-decode.c (decode_table): Added vertical tab (VT) and form feed (FF) as white space characters. * x86_64/aes-decrypt-internal.asm: New file. 2008-09-13 Niels Möller * x86/aes-encrypt-internal.asm: Replaced pushl and popl in the loop with movl. Eliminated redundant movl. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes.m4: New file. * x86/aes-encrypt-internal.asm: Updated for AES_FINAL_ROUND. Only three times through the substitution loop. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes-encrypt-internal.asm: Likewise. * x86/aes.m4 (AES_FINAL_ROUND): Do the substitution on the least significant byte here. * x86/aes-encrypt-internal.asm: Updated use of AES_SUBST_BYTE. USe decl for outer loop. * x86/aes-decrypt-internal.asm: Likewise. * x86/aes.m4 (LREG, HREG): New macros. (AES_SUBST_BYTE): Take state registers as argument. Use LREG to get the corresponding byte register. (AES_ROUND): Use movzbl together with LREG and HREG. (AES_SUBST_BYTE): Likewise. 2008-09-10 Niels Möller * x86_64/sha1-compress.asm: Avoid using registers %rbx and %rbp, which must be preserved. 2008-09-08 Niels Möller * Makefile.in (stamp-h.in): Use $(AUTOHEADER). * x86_64/sha1-compress.asm: New x86_64 assembler, based on the x86 version. * configure.ac (asm_path): Set up asm_path for x86_64. * x86_64/machine.m4: New file, new directory. 2008-08-28 Niels Möller * examples/eratosthenes.c (main): Rewrote block-wise sieving to use less memory. New options -s and -v. 2008-08-27 Niels Möller * testsuite/sexp-conv-test (print_raw, print_nl): Use printf. Updated testcases with comments; comments are now preserved. * tools/sexp-conv.c (sexp_convert_item): Keep comments in advanced output. (parse_options): New --lock option. (main): Optionally lock output file. * tools/parse.c (sexp_check_token): Removed check for "any" token. All callers specify the token they expect. (sexp_parse): Pass on comment tokens. * tools/output.c (sexp_put_data): Made non-static. * tools/input.c (sexp_get_comment): New function. (sexp_get_token): Use sexp_get_comment. * tools/misc.h (enum sexp_token): Start enumeration with zero, zero is no longer used to mean any type. New type SEXP_COMMENT. * configure.ac: Check for fcntl file locking. 2008-08-26 Niels Möller * Makefile.in (tags-here): Put TAGS file in the source directory. * examples/Makefile.in (tags): Likewise. * testsuite/Makefile.in (tags): Likewise. * tools/Makefile.in (tags): Likewise. 2008-02-29 Niels Möller * examples/Makefile.in (SOURCES): Added next-prime.c. 2008-01-05 Niels Möller * examples/Makefile.in (TARGETS): Added eratosthenes and next-prime. (next-prime, eratosthenes): New rules. (nettle-benchmark): Don't rely on $@. * examples/eratosthenes.c (find_first_one): Optimized, using slightly larger table. (main): Use atol, rather than atoi. * testsuite/symbols-test: Check symbols also in libhogweed. * examples/next-prime.c: New file. Deleted code for detailed timing. * Makefile.in (hogweed_SOURCES): Added bignum-next-prime.c. (DISTFILES): Added prime-list.h. (hogweed_OBJS): Removed $(LIBOBJS). * bignum-next-prime.c (nettle_next_prime): Renamed function, for name space reasons. Was bignum_next_prime. Updated call in rsa-keygen.c. (primes): Use prime-list.h. (nettle_next_prime): Skip Fermat test. Use mpz_millerrabin directly, rather than mpz_probab_prime_p, when the former is available. * bignum.h (nettle_next_prime): New prototype. * rsa-keygen.c (bignum_next_prime): Deleted, moved to bignum-next-prime.c. Call with a larger prime limit, this improves the running time of lsh-keygen by roughly 25%. * prime-list.h: List of odd primes < 2^16. * configure.ac: Check for sizeof(long). 2008-01-03 Niels Möller * examples/nettle-benchmark.c (main): Removed incorrect UNUSED from declaration. * bignum-next-prime.c: Moved the bignum_next_prime function to a separate file. 2007-09-08 Niels Möller * sparc64/aes-encrypt-internal.asm: The directory with the aes.m4 include file was renamed from "sparc" to "sparc32". Updated include. * sparc64/aes-decrypt-internal.asm: Likewise. * sparc32/aes-encrypt-internal.asm: Likewise. * sparc32/aes-decrypt-internal.asm: Likewise. 2007-09-07 Niels Möller * examples/read_rsa_key.c: Include stdlib.h. 2007-06-02 Niels Möller * Makefile.in: Typo fixes to install targets, spotted by Magnus Holmgren. 2007-05-14 Niels Möller * configure.ac: Fixed copy-and-paste errors in shared library name setup. * config.make.in (LIBNETTLE_SONAME, LIBHOGWEED_SONAME): Define. * Makefile.in (libnettle.so, libhogweed.so): Fixed rules. * Makefile.in: Split nettle library into two files, libnettle.a and libhogweed.a, and similarly for the shared libraries. * configure.ac: Bumped nettle so-versions to 3.0. Set hogweed so-versions to 1.0. New makefile conditionals IF_SHARED and IF_HOGWEED. Renamed WITH_PUBLIC_KEY to WITH_HOGWEED. Deleted SHLIBTARGET, SHLIBINSTALL, RSA_EXAMPLES and RSA_TOOLS. * config.make.in: Updated for hogweed split. * C source files: Don't use WITH_PUBLIC_KEY / WITH_HOGWEED, the Makefile sorts out which files should be compiled. * pgp.h: Include bignum.h, don't pretend to work without bignums. * pgp-encode.c (pgp_put_mpi, pgp_put_public_rsa_key) (pgp_put_rsa_sha1_signature): Define unconditionally. Removed the checking of HAVE_LIBGMP and WITH_PUBLIC_KEY. * examples/io.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY. * examples/io.c (read_rsa_key): Deleted, moved to... * examples/read_rsa_key.c: New file, extracted from io.c. * examples/Makefile.in: Use IF_HOGWEED instead of RSA_EXAMPLES. Link appropriate programs with -lhogweed. (SOURCES): Added read_rsa_key.c. * tools/Makefile.in (pkcs1-conv): Use IF_HOGWEED, not @RSA_TOOLS@, for configuration. Link with -lhogweed. * testsuite/testutils.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY. * testsuite/testutils.c: Likewise. * testsuite/Makefile.in (TS_NETTLE_SOURCES, TS_HOGWEED_SOURCES): Separate test cases using nettle and those also using hogweed. 2007-04-05 Niels Möller * Moved in CVS tree. Also renamed directory sparc to sparc32. 2007-02-24 Niels Möller * Makefile.in (clean-here): Remove .lib directory. (distclean-here): Remove machine.m4. 2006-12-05 Niels Möller * configure.ac: AC_PREREQ 2.61, for AC_PROG_MKDIR_P. * config.make.in (datarootdir): New directory variable (for autoconf-2.61). 2006-11-28 Niels Möller * configure.ac: Bumped version to 1.16. * Released nettle-1.15. 2006-11-27 Niels Möller * NEWS: New entry for nettle-1.15. * configure.ac (SHLIBMINOR): Bumped version. Library name is now libnettle.so.2.6. * sha256.c: Changed copyright notice to use the LGPL. * Makefile.in (DISTFILES): Added COPYING.LIB. * COPYING.LIB: New file (previously only the plain GPL was included in the distribution). * nettle.texinfo: Updated vor nettle-1.15. * testsuite/rsa-test.c (test_main): Use test_rsa_sha256. * testsuite/testutils.c (test_rsa_sha256): New function. * testsuite/Makefile.in (DISTFILES): Replaces rfc1750.txt by gold-bug.txt. * rsa.h (rsa_sha256_sign, rsa_sha256_verify) (rsa_sha256_sign_digest, rsa_sha256_verify_digest): New declarations. (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased to 62 octets and 489 bits, respectively, for supporting sha256. * pkcs1.h (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): New declarations and name mangling symbols. * Makefile.in (nettle_SOURCES): Added pkcs1-rsa-sha256.c, rsa-sha256-sign.c, rsa-sha256-verify.c. * pkcs1-rsa-sha256.c, rsa-sha256-sign.c, rsa-sha256-verify.c: New files. * COPYING, INSTALL, install-sh, texinfo.tex: Updated files, from automake-1.10. 2006-11-27 Niels Möller * tools/Makefile.in (install): Use MKDIR_P to create installation directory. Install only one file at a time. * Makefile.in (MKDIR_P): Use MKDIR_P for creating installation directories. * configure.ac: Use AC_PROG_MKDIR_P. 2006-11-24 Niels Möller * testsuite/yarrow-test.c (test_main): Use gold-bug.txt as input file, instead of rfc1750.txt. * testsuite/gold-bug.txt: New test input file for yarrow-test. The copyright on this short story by Edgar Allan Poe has expired. * testsuite/rfc1750.txt: Deleted file. Debian considers RFC:s non-free, and it was expired anyway. Replaced by gold-bug.txt. 2006-11-24 Niels Möller * Almost all header files: Added C++ guards. * configure.ac: Test if the system has any C++ compiler. * config.make.in (CXX, CXXFLAGS, COMPILE_CXX, LINK_CXX): New variables. * testsuite/Makefile.in: New variables TS_C and TS_CXX. Setup for compiling the C++ file cxx-test.cxx. * testsuite/cxx-test.cxx: New testcase, trying to use nettle from a C++ program. 2006-08-28 Niels Möller * index.html: Added section on language bindings. 2006-06-10 Niels Möller * configure.ac: Darwin shared library support, from Grant Robinsson. 2006-05-18 Niels Möller * src/nettle/x86/aes.asm: Deleted unused file. * aes-decrypt.c (_aes_decrypt_table): Deleted the indexing array, previously commented out. * aes-encrypt-table.c (_aes_encrypt_table): Likewise. * Makefile.in (.texinfo.info, .dvi.ps): Use more quotes with basename. (install-here, install-shared, install-info, install-headers): Use plain mkdir, not $(INSTALL) -d. 2006-05-16 Niels Möller Merged from the lsh experimental branch. 2006-04-26 Niels Möller * examples/rsa-decrypt.c: Don't include "getopt.h", since it's not used. * examples/nettle-benchmark.c: Include "getopt.h". * examples/Makefile.in (GETOPT_OBJS): New variable. (rsa-keygen, rsa-encrypt, nettle-benchmark): Depend on and link with $(GETOPT_OBJS). * x86/aes-decrypt-internal.asm: Use ALIGN. * x86/aes-encrypt-internal.asm: Likewise. * x86/arcfour-crypt.asm: Likewise. * x86/md5-compress.asm: Likewise. * x86/sha1-compress.asm: Likewise. * config.m4.in (ASM_ALIGN_LOG): Substitute. * configure.ac (ASM_ALIGN_LOG): Check if .align directive is logarithmic. * asm.m4 (ALIGN): New macro. Takes a logarithmic argument, and expands to a .align directive. 2006-04-21 Niels Möller * nettle.texinfo (Public-key algorithms): Say that the public key operations are undocumented, not unsupported. Reported by Jeronimo Pellegrini. 2006-04-08 Niels Möller * tools/pkcs1-conv.c (read_pem): Fixed c99-style declaration. Reported by Henrik Grubbström. 2006-01-31 Niels Möller * examples/rsa-verify.c: Fixed typo in usage message. 2005-12-05 Niels Möller * configure.ac: Bumped version to 1.15, * Released nettle-1.14. * NEWS: Updated for 1.14. * configure.ac (SHLIBMINOR): Increased minor number. Library version is now libnettle.so.2.5, soname still libnettle.so.2. 2005-11-28 Niels Möller * config.make.in (INSTALL): Don't substitute INSTALL, INSTALL_DATA and friends here, to get a correct a relative filename for install-sh when used in tools/Makefile. * tools/Makefile.in (INSTALL): Substitute INSTALL, INSTALL_DATA and friends here. * Makefile.in (INSTALL): Likewise. 2005-11-27 Niels Möller * Makefile.in (.texinfo.pdf): New rule. Avoid dependency on intermediate .dvi and .ps files. * testsuite/Makefile.in (clean): Delete sha1-huge-test. * Makefile.in (install-info, install-headers): Don't use $< and $?; Solaris make doesn't support them in explicit rules. 2005-11-26 Niels Möller * testsuite/Makefile.in: Include .test-rules.make, which contains the rules for all the test executables. (test-rules): New rule, to update this file. (DISTFILES): Added $(EXTRA_SOURCES). * testsuite/.test-rules.make: Automatically generated file for building the test programs. 2005-11-25 Niels Möller * configure.ac: Disable assembler when compiling with rntcl. * tools/Makefile.in (pkcs1_conv_SOURCES): New variable. (pkcs1-conv): Link with getopt.o and getopt1.o. * Makefile.in (aesdata, desdata, shadata): Use explicit rules for executables. * testsuite/Makefile.in: Use %-rules for building the -test executables, in addition to the suffix rules. Hopefully, this should make all of GNU make, BSD make and Solaris make happy. Use $(EXEEXT) and $(OBJEXT) more consistently. * examples/Makefile.in: Use explicit rules for all executable targets. Use $(EXEEXT) and $(OBJEXT) more consistently. 2005-11-25 Niels Möller * testsuite/Makefile.in: Avoid using single-suffix rule to build executables. 2005-11-24 Niels Möller * Makefile.in (distdir): Use [ -f, not [ -e, since the latter is less portable, and not supported by Solaris /bin/sh. 2005-11-23 Niels Möller * testsuite/Makefile.in (DISTFILES): Added teardown-env. * testsuite/teardown-env: New file. Delete files created by the testsuite. 2005-11-21 Niels Möller * testsuite/testutils.c (main): Fixed check for -v option. Spotted by Goran K. 2005-11-21 Niels Möller * ctr.h (CTR_CTX, CTR_CRYPT): Fixed bugs, spotted by Goran K. 2005-11-20 Niels Möller * Makefile.in (nettle_SOURCES): Added der2rsa.c. * testsuite/Makefile.in (TS_SH): Added pkcs1-conv-test. * tools/Makefile.in (TARGETS): Added @RSA_TOOLS@. (SOURCES): Added pkcs1-conv.c. (pkcs1-conv): New rule. * tools/pkcs1-conv.c: New program. * testsuite/pkcs1-conv-test: New file. * examples/rsa-verify-test: Use rsa-sign to create signature. * examples/io.c (read_file): Fixed spelling in error message. * rsa.h (rsa_public_key_from_der_iterator) (rsa_private_key_from_der_iterator, rsa_keypair_from_der): Declare functions. * der2rsa.c: New file. * der-iterator.c (asn1_der_iterator_init): Initialize length and data. (asn1_der_iterator_next): Support for lengths >= 0x80. (asn1_der_decode_constructed_last, asn1_der_decode_bitstring) (asn1_der_decode_bitstring_last): New functions. (asn1_der_get_bignum): Check for non-mininal encodings. * configure.ac (RSA_TOOLS): New substituted variable. Includes pkcs1-conv, when public-key support is enabled. * bignum.h (nettle_asn1_der_get_bignum): Include nettle_-prefix in declaration. * asn1.h: Added name mangling defines, and a few new declarations. 2005-11-13 Niels Möller * Makefile.in (nettle_SOURCES): Added der-iterator.c. (HEADERS): Added asn1.h. * bignum.h (asn1_der_get_bignum): Declare function. * der-iterator.c: New file. * asn1.h: New file. 2005-11-07 Niels Möller * examples/nettle-benchmark.c: Check HAVE_UNISTD_H. * examples/Makefile.in (TARGETS): Use $(EXEEXT). * tools/Makefile.in (TARGETS, sexp-conv, nettle-lfib-stream): Likewise. * configure.ac: Use $host_cpu, not $host, when setting up the assembler path. Use $host_os, not uname, when setting up shared library flags. * Makefile.in (des.$(OBJEXT)): Use OBJEXT. * config.guess, config.sub: In the CVS tree, moved files to the lsh top-level directory. 2005-10-23 Niels Möller * sparc64/arcfour-crypt.asm: New file, almost the same as sparc/arcfour-crypt.asm. * examples/nettle-benchmark.c (display): Use two decimal places. * sparc/arcfour-crypt.asm: Reorganized. Main loop unrolled four times. Uses aligned 32-bit write accesses at DST. Still uses 8-bit read accesses at SRC; could be improved int he case that SRC and DST have compatible alignment. 2005-10-19 Niels Möller * testsuite/arcfour-test.c (test_main): New testcase with 512 bytes of data. 2005-10-19 Niels Möller * sparc/arcfour-crypt.asm: Fixed bug, spotted by Mikael Kalms. We must order the store at [CTX+I] before the load of [CTX+SI+SJ]. 2005-10-18 Niels Möller * sparc/arcfour-crypt.asm: Special unrolled code if SRC and DST have compatible alignment. Improves performance by 20%, but I'm not sure it's worth the extra complexity. * bignum.c (nettle_mpz_from_octets): Removed sign argument. If mpz_import is available, define nettle_mpz_from_octets as a macro calling mpz_import. (nettle_mpz_from_octets): Start by setting x to zero; callers no longer need to do that. (nettle_mpz_set_str_256_s): New logic for the handling of negative numbers. Convert in the same way as for positive numbers, and then subtract the appropriate power of two. 2005-10-17 Niels Möller * bignum.c (nettle_mpz_from_octets): Improved loop. Removed the digit temporary (suggested by Torbjörn Granlund). * sparc/arcfour-crypt.asm: Improved instruction scheduling. * sparc/arcfour-crypt.asm: Bugfix, use lduh and stuh. * sparc/arcfour-crypt.asm: New file. * sparc64/aes.asm: Deleted unused file. * x86/arcfour-crypt.asm: Use ARCFOUR_I and ARCFOUR_J * asm.m4 (ARCFOUR): New struct. 2005-10-17 Niels Möller * aes-internal.h (struct aes_table): Deleted idx and sparc_idx arrays. * aes-encrypt-table.c (_aes_encrypt_table): Likewise. * aes-decrypt.c (_aes_decrypt_table): Likewise. * asm.m4 (AES): Likewise 2005-10-16 Niels Möller * tools/input.c (sexp_get_char): Use unsigned for the done flag. * sparc64/aes-encrypt-internal.asm: Include sparc/aes.m4. * sparc64/aes-decrypt-internal.asm: Likewise. * sparc64/machine.m4: Use .register pseudo op to say that we use %g2 and %g3 as scratch registers. * sparc/aes-encrypt-internal.asm: Explicitly include sparc/aes.m4. * sparc/aes-decrypt-internal.asm: Likewise. * sparc/aes.m4: New file. Moved aes-related macros here... * sparc/machine.m4: ... removed aes macros. * x86/aes-encrypt-internal.asm: Explicitly include x86/aes.m4. * x86/aes-decrypt-internal.asm: Likewise. * x86/aes.m4: New file. Moved aes-related macros here, from... * x86/machine.m4: ... removed aes macros. * sparc64/aes-encrypt-internal.asm: New file. * sparc64/aes-decrypt-internal.asm: New file. * sparc64/machine.m4: Include the same aes macros used for sparc32. (BIAS): Define magic stack bias constant. * sparc/aes-encrypt-internal.asm, sparc/aes-decrypt-internal.asm: Reduced frame size to 104 bytes, since we no longer need wtxt and tmp on the stack. * sparc/aes.asm: Deleted old aes implementation. * sparc/aes-decrypt-internal.asm: New file. * sparc/machine.m4: Don't use m4 eval, instead rely on the assembler's arithmetic. * sparc/machine.m4 (AES_FINAL_ROUND): Better scheduling, by interleaving independent operations. * sparc/machine.m4 (TMP3): A third temporary register. (AES_FINAL_ROUND): Prepared for scheduling. * sparc/machine.m4 (AES_ROUND): Deleted unused argument T. Updated all calls in aes-encrypt-internal.asm. * sparc/machine.m4 (AES_ROUND): New loop invariants T0-T3, to avoid the additions of the AES_TABLEx constants in the inner loop. * sparc/machine.m4 (AES_ROUND): Better scheduling, by interleaving independent operations. * sparc/machine.m4 (AES_ROUND): Alternate between using TMP1 and TMP2, to prepare for scheduling. * sparc/aes-encrypt-internal.asm: Renamed Ti -> Xi. * sparc/aes-encrypt-internal.asm: Fixed bugs. Now passes the testsuite. * sparc/machine.m4 (AES_ROUND, AES_FINAL_ROUND): Bugfixes. Put NOPs in the load dely slots. * sparc/aes-encrypt-internal.asm: Implemented. Not yet working, and not optimized. * sparc/machine.m4: Use TMP1 and TMP2, so we don't need to pass them as arguments. (AES_FINAL_ROUND): New macro. 2005-10-15 Niels Möller * configure.ac (OBJDUMP): Substitute the program false if objdump is not found. * asm.m4 (PROLOGUE): Use TYPE_FUNCTION. * config.m4.in: Substitute ASM_TYPE_FUNCTION as TYPE_FUNCTION. * configure.ac (ASM_ELF_STYLE): Check for %function and #function, but not for @function. (ASM_TYPE_FUNCTION): New substituted variable. * configure.ac (ASM_ELF_STYLE): Fixed .type foo,@function statement used when checking for pseudo operations. * sparc/machine.m4 (AES_LOAD, AES_ROUND): Started writing new AES macros. * sparc/aes-encrypt-internal.asm: New file. 2005-10-14 Niels Möller * x86/aes-decrypt.asm, x86/aes-encrypt.asm: Deleted files. * x86/aes-decrypt-internal.asm: New file. * x86/machine.m4: Changed AES macros, to handle a table register. Also take more of the used registers as argument. * x86/aes-encrypt-internal.asm: Rewritten to match new interface, with the table pointer as an argument. Unlike the old code, this should really be position independent. * configure.ac: When looking for assembler files, link in aes-encrypt-internal.asm and aes-decrypt-internal.asm. Don't look for aes.asm, aes-encrypt.asm and aes-decrypt.asm. * configure.ac (OBJDUMP): Use AC_CHECK_TOOL to check for objdump. (ASM_MARK_NOEXEC_STACK): Use $OBJDUMP when examining the object file. * Makefile.in (nettle_SOURCES): Removed aes.c, aes-decrypt-table.c. Added aes-decrypt-internal.c and aes-encrypt-internal.c. * aes.c, aes-decrypt-table.c: Deleted files. * aes-decrypt.c (_aes_decrypt_table): Moved table here, and made static. * aes-internal.h (_aes_decrypt_table): Don't declare, it's no longer globally visible. * aes-decrypt-internal.c (_nettle_aes_decrypt): New AES decryption function, analogous to _nettle_aes_encrypt. 2005-10-14 Niels Möller * aes-internal.h (AES_ROUND, AES_FINAL_ROUND): New macros. * aes-encrypt-internal.c (_nettle_aes_encrypt): New AES encryption function, avoiding the table-based indexing. * sha1-compress.c: Added debugging code. * md5-compress.c: Likewise. 2005-10-13 Niels Möller * config.m4.in (ASM_MARK_NOEXEC_STACK): Use a diversion, to substitute the value of ASM_MARK_NOEXEC_STACK at the end of each assembler file. * configure.ac (ASM_MARK_NOEXEC_STACK): Check if the C compiler generates a .note.GNU-stack section. If so, we should do the same in our assembler files. * sparc64/aes.asm: New file. Copy of sparc/aes.asm, with minor changes to the stack frame layout. Patch contributed by Henrik Grubbström. Not yet tested. * x86/md5-compress.asm: Skip copying of input to the stack, and don't allocate space for it. (F1): Fixed bug. * testsuite/md5-test.c: Document intermediate values for first test case. * configure.ac (asm_path): Check for sparc64, and use sparc64 subdirectory. Link in md5-compress.asm, if it exists. 2005-10-13 Niels Möller * x86/md5-compress.asm (REF): Fixed calculation of offset. 2005-10-12 Niels Möller * x86/machine.m4 (OFFSET): Moved macro, used to be in... * x86/sha1-compress.asm (OFFSET): ... removed macro. * x86/md5-compress.asm: New file, with first attempt at md5 assembler. Not yet working. 2005-10-11 Niels Möller * Makefile.in (nettle_SOURCES): Added md5-compress.c. * md5.c: Reorganized to use _nettle_md5_compress, in analogy with sha1.c. * md5-compress.c (_nettle_md5_compress): New file and new function. 2005-10-10 Niels Möller * testsuite/Makefile.in (EXTRA_SOURCES, EXTRA_TARGETS): New variables, for test cases that are not run by default. * testsuite/sha1-huge-test.c (test_main): New test case, with a very large sha1 input. * testsuite/testutils.c (test_hash_large): New function. * sha1.c (sha1_block): Deleted function; inlined where used. (SHA1_INCR): New macro for incrementing the block count. 2005-10-06 Niels Möller * configure.ac: Bumped version to 1.14. * Released nettle-1.13. * configure.ac: Check for openssl/aes.h. * Makefile.in (distdir): Use a loop to pick up the contents of $(DISTFILES) from source and build directories. For some reason, $? failed to find stamp-h.in in the source directory. 2005-10-05 Niels Möller * x86/aes-decrypt.asm: Use C_NAME(_nettle_aes_decrypt_table) when using the AES_SUBST_BYTE macro. Use PROLOGUE and EPILOGUE. * x86/sha1-compress.asm: Use PROLOGUE and EPILOGUE. * x86/arcfour-crypt.asm: Likewise. * x86/aes-encrypt.asm: Likewise. * config.m4.in (ELF_STYLE): Substitute configure's ASM_ELF_STYLE. * asm.m4 (PROLOGUE, EPILOGUE): New macros, checking the value of ELF_STYLE. So far, used and tested only for the x86 assembler files, and needed to make the assembler happy both with ELF (linux, solaris) and COFF (windows). * configure.ac (NM): Use AC_CHECK_TOOL to check for nm. (ASM_SYMBOL_PREFIX): Use $NM when examining the object file. (ASM_ELF_STYLE): New variable. Set to 'yes' if assembling a file with ELF-style .type and .size pseudo ops works. * Makefile.in (TARGETS, DISTFILES): Added nettle.pdf. (.texinfo.dvi, .dvi.ps, .ps.pdf): New targets, to build nettle.pdf. (DOCTARGETS): New variable with targets that shouldn't be deleted by make clean. (maintainer-clean-here): New target. Deletes generated documentation files. * nettle.texinfo: Define AUTHOR with accents, when running in TeX mode, which doesn't handle latin-1 properly. Set UPDATED-FOR to 1.13. Updated copyright years, and introduced a COPYRIGHT-YEARS symbol. Updated copyright section, to mention assembler implementations. (Cipher modes): Transformed the Cipher Block Chaining to a section Cipher modes, describing both CBC and the new CTR mode. * src/nettle/x86/aes_tables.asm: Deleted unused file. * x86/aes.asm: Deleted contents. This file is needed just to override aes.c, which isn't needed for the x86 implementation. * configure.ac (SHLIBMINOR): Increased minor number. Library version is now libnettle.so.2.4, soname still libnettle.so.2. * examples/nettle-benchmark.c (main): Reordered hash benchmarks. * x86/sha1-compress.asm (EXPAND): Use % 16 instead of & 15 to compute offsets mod 16, since m4 on FreeBSD 49.RELEASE and NetBSD doesn't implement & correctly in eval. 2005-10-03 Niels Möller * x86/sha1-compress.asm (OFFSET): New macro. (F3): Eliminated a movl. (ROUND): New argument, for k. When using F3, it's TMP3, on the stack, otherwise, it is kept in TMP2, a register. 2005-10-03 Niels Möller * examples/nettle-openssl.c: Use correct block sizes for openssl ciphers. * examples/nettle-benchmark.c: Also display cycles per block. 2005-10-02 Niels Möller * sha1-compress.c (_nettle_sha1_compress): Updated to new interface. Now responsible for byte conversion. * x86/sha1-compress.asm (_nettle_sha1_compress): Do byte order conversion, and store the input data on the stack. This leaves one more register free for other uses. * examples/nettle-benchmark.c: Now display cycles/byte, if the -f option is used to say what the clock frequency is. * sha1.c (sha1_block): Don't convert data from uint8_t to uint32_t, that's now the responsibility of _nettle_sha1_compress. * sha.h (_nettle_sha1_compress): Changed interface. Second argument is now a pointer to the input data in unaligned, big-endian form. 2005-09-28 Niels Möller * sha1.c (sha1_final): Call sha1_block, don't call the compression function _nettle_sha1_compress directly. * nettle-internal.h (nettle_openssl_md5) (nettle_openssl_sha1): Declare. * examples/nettle-benchmark.c (main): Benchmark openssl md5 and sha1. * examples/nettle-openssl.c (nettle_openssl_md5) (nettle_openssl_sha1): Added glue for openssl hash functions. * nettle-internal.h (nettle_openssl_aes128, nettle_openssl_aes192) (nettle_openssl_aes256, nettle_openssl_arcfour128): Declare. * examples/nettle-benchmark.c: Check WITH_OPENSSL, not HAVE_LIBCRYPTO. Benchmark openssl's aes and arcfour code. * examples/nettle-openssl.c: Updated openssl des glue to use the new openssl des interface. Added glue for arcfour and aes. 2005-09-27 Niels Möller * nettle.texinfo (RSA): Improved text about the RSA patent. Use @documentencoding ISO-8859-1. 2005-09-07 Niels Möller * tools/sexp-conv.c (parse_options): New option --raw-hash, for compatibility with lsh-1.x. Equivalent to --hash. 2005-09-06 Niels Möller * tools/sexp-conv.c (main): With --hash, output a newline after each hash. 2005-07-02 Niels Möller * testsuite/Makefile.in (TS_SOURCES): Added ctr-test.c. * testsuite/testutils.c (test_cipher_ctr): New function. * testsuite/ctr-test.c: New file. * testsuite/cbc-test.c (test_main): Use static const for msg. * Makefile.in (nettle_SOURCES): Added ctr.c. (HEADERS): Added ctr.h. (HEADERS): Added nettle-types.h. (INSTALL_HEADERS): Install nettle-stdint.h. (distclean-here): Delete nettle-stdint.h, not nettle-types.h. * ctr.c (ctr_crypt): New file, new function. * memxor.c (memxor3): New function, suggested by Adam Langley. * nettle-internal.h (NETTLE_MAX_CIPHER_BLOCK_SIZE): New constant. * nettle.texinfo (Cipher functions): Fixed typo in prototype for arctwo_encrypt (noticed by Adam Langley). * nettle-meta.h: No longer needs to include cbc.h. * cbc.h (nettle_crypt_func): Moved typedef to nettle-types.h. (CBC_ENCRYPT, CBC_DECRYPT): Deleted older #if:ed out versions. * configure.ac (AX_CREATE_STDINT_H): Use the file name nettle-stdint.h, not nettle-types.h. * nettle-types.h: New file. Automatically generated declarations are now in nettle-stdint.h. 2005-03-17 Niels Möller * config.guess: Support Solaris on x86_64. Fix by Henrik Grubbström. 2005-01-03 Niels Möller * examples/io.h: Include RSA declarations only when public key algorithms are enabled. Problem reported by Meilof Veeningen . 2004-12-07 Niels Möller * Makefile.in: Install directories, using $(INSTALL) -d, only if they don't exist already. 2004-12-05 Niels Möller * config.make.in (.PRECIOUS): Reverted earlier change. We need .PRECIOUS to stop GNU make from deleting object files for the test programs. 2004-12-02 Niels Möller * Makefile.in (.SUFFIXES): Moved from Makefile.in to... * config.make.in (.SUFFIXES): ... here. This helps compilation with BSD make. * testsuite/Makefile.in (.SUFFIXES): Deleted target. * config.make.in (.c): Disable default rule for BSD-make. * Makefile.in (all check install uninstall) (clean distclean mostlyclean maintainer-clean): Don't use the -C flag when invoking make, for compatibility with Solaris make. 2004-12-02 Niels Möller * Makefile.in (aesdata, desdata): Commented out the explicit targets. (shadata): Avoid using $< in non-pattern rule. 2004-12-01 Niels Möller * config.make.in: Added a default target. 2004-11-29 Niels Möller * testsuite/Makefile.in: Use .$(OBJEXT). Explicitly set .SUFFIXES. * Makefile.in: Use .$(OBJEXT). 2004-11-28 Niels Möller * tools/Makefile.in (nettle-lfib-stream): Avoid using $< in non-suffix rule. * Makefile.in (distdir): Handle absolute $distdir. Avoid using the GNU extension $^. * examples/Makefile.in: Avoid using the GNU extension $^. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. 2004-11-24 Niels Möller * configure.ac: Fixed typo, preventing the creation of dependency files. 2004-11-23 Niels Möller * Makefile.in: Use DEP_INCLUDE. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * examples/Makefile.in: Likewise. * configure.ac (dummy-dep-files): Generate only of dependency tracking is enabled. 2004-11-18 Niels Möller * Makefile.in (clean-here): The clean target should not delete the dependency files. Moved to the distclean target. * examples/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * configure.ac (ASM_SYMBOL_PREFIX): Fixed test. (dummy-dep-files): Added quotes to sed command. 2004-11-17 Niels Möller * testsuite/symbols-test: Try plain nm if nm -g doesn't work. * x86/sha1-compress.asm: Use C_NAME for global symbols. * x86/aes-encrypt.asm: Likewise. * x86/aes-decrypt.asm: Likewise. * x86/arcfour-crypt.asm: Likewise. * Makefile.in (config.m4): New rule. * config.m4.in (C_NAME): New macro. * configure.ac (ASM_SYMBOL_PREFIX): Check if global symbols have a leading underscore. 2004-11-16 Niels Möller * Deleted getopt.c, getopt.h and getopt1.c from the CVS tree. Link them from shared copies in lsh/misc instead. 2004-11-14 Niels Möller * Makefile.in (DEP_FILES): Try include with only one macro argument to be expanted. * configure.ac (dummy-dep-files): Create dummy dependency files, so that they can be included by the makefiles. 2004-11-13 Niels Möller * Makefile.in: Don't use -include, as it's GNU make specific. * examples/Makefile.in, tools/Makefile.in, testsuite/Makefile.in: Likewise. * examples/nettle-openssl.c: Check WITH_OPENSSL, not HAVE_LIBCRYPTO. * configure.ac: Check for individual openssl headers blowfish.h, cast.h, des.h. Renamed symbol HAVE_LIBCRYPTO to WITH_OPENSSL. New configure option --disable-openssl. 2004-11-04 Niels Möller * configure.ac: Bumped version to 1.13. * Released nettle-1.12. 2004-11-04 Niels Möller * nettle.texinfo (UPDATED-FOR): Bumped to 1.12. 2004-11-02 Niels Möller * nettle.texinfo (Cipher functions): Updated AES documentation, for aes_set_encrypt_key and aes_set_decrypt_key. (UPDATED-FOR): Set to 1.11. I think the manual should be updated with all user-visible changes. * aclocal.m4 (LSH_DEPENDENCY_TRACKING): Need extra quoting in case pattern. (This file really lives in the lsh tree, as lsh/acinclude.m4. For a complete ChangeLog, see lsh/Changelog). 2004-10-26 Niels Möller * configure.ac: Bumped version to 1.12. * Released nettle-1.11. * Makefile.in (clean-here): Delete *.s files. (PRE_CPPFLAGS): Use this variable, not INCLUDES. Removed -I$(srcdir). * x86/arcfour-crypt.asm: Use movzbl when extending %cl to 32 bits. 2004-10-24 Niels Möller * x86/arcfour-crypt.asm: Reverted the latest two changes; update bost src and dst pointers in the loop, and use plain addb when updating j. These two previous changes slowed the code down on AMD Duron. 2004-10-21 Niels Möller * Makefile.in (install-shared): Use $(INSTALL_PROGRAM). * configure.ac (SHLIBMINOR): Updated, shared library version is now libnettle.so.2.3, soname still libnettle.so.2. * Makefile.in (DISTFILES): Added asm.m4. 2004-10-21 Niels Möller * examples/Makefile.in: Deleted all configure-related rules, except the one rebuilding this Makefile. One should run make at top level if other configure related files change. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * configure.ac: Replaced AC_OUTPUT(list...) with an AC_OUTPUT without arguments, and AC_CONFIG_FILES listing the files. * Makefile.in: Changed the assembler rules as suffix rules. Rewrote the configure-related rules, mostly based on the example in the autoconf manual. 2004-10-20 Niels Möller * examples/nettle-openssl.c (NCOMPAT): Disable openssl backwards compatibility. * config.make.in: Insert $(PRE_CPPFLAGS) and $(PRE_LDFLAGS) before $(CPPFLAGS) and $(LDFLAGS). This mechanism replaces $(INCLUDES). * examples/Makefile.in (PRE_CPPFLAGS, PRE_LDFLAGS): Use these flags to get -I.. and -L.. early on the command line. * testsuite/Makefile.in: Likewise * tools/Makefile.in: Likewise. 2004-10-20 Niels Möller * Makefile.in: In the assembler rules, there's no need to look in $(srcdir) for the input file. * x86/arcfour-crypt.asm: Reduced inner loop by one instruction, by precomputing the offset between src and dst. * tools/Makefile.in (.c.$(OBJEXT)): Removed redundant -I.. flag. * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replaced addb -> addl + andl $0xff, improving speed on PPro by another 15%. 2004-10-20 Niels Möller * tools/Makefile.in (install): Support DESTDIR. (uninstall): New target. * testsuite/Makefile.in (uninstall): New dummy target. * config.sub: Copied from automake-1.8.5. * examples/Makefile.in (SOURCES): Added rsa-sign.c and rsa-verify.c. (DISTFILES): Added getopt.h. (install uninstall): New dummy targets. * config.make.in (.PHONY): Added more targets. * Makefile.in (.texinfo.info, .texinfo.html): New targets. Added support for uninstall and DESTDIR. Various fixes to install and distcheck. * examples/Makefile.in (INCLUDES): Added -I flags. (distdir): Use $^ to refer to the files. (distclean): New target. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * Makefile.in (INCLUDES): Need -I flags for VPATH build. (clean distclean mostlyclean maintainer-clean): Clean subdirectories first. (DISTFILES): Added a bunch of files. (des_headers): Added desCore rules. (install-here): Split off target install-headers, which uses $^ to refer to the files. (distdir): Use $^ to refer to the files. distcheck): Fixes. * config.make.in (COMPILE): Add $(INCLUDE) to the line. 2004-10-19 Niels Möller Stop using automake. Replaced each Makefile.am with a hand-written Makefile.in. * configure.ac: New output variable CCPIC_MAYBE. New output file config.make. Replaced automake constructions. * .bootstrap: Don't run aclocal and automake. * config.make.in: New file, with shared Makefile variables and rules. 2004-10-18 Niels Möller * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replace incb -> incl + andl, to improve speed on PPro and PII. Suggested by Fredrik Olsson. 2004-10-08 Niels Möller * examples/rsa-encrypt-test: Avoid reading and executing a file at the same time. * examples/setup-env: Likewise. 2004-10-06 Niels Möller * testsuite/symbols-test: Ignore __i686.get_pc_thunk.bx and similar symbols. 2004-10-05 Niels Möller * twofish.c (q_table): Use a const pointer array. * sexp2dsa.c (dsa_keypair_from_sexp_alist): Use a const pointer array for the keywords. (dsa_signature_from_sexp): Likewise. * sexp2rsa.c (rsa_keypair_from_sexp_alist): Likewise. (rsa_keypair_from_sexp): Likewise. * sexp.c (sexp_iterator_check_types): Use an argument of type "const uint8_t * const *" for the types list. (sexp_iterator_assoc): Likewise, for the keys list. * list-obj-sizes.awk: Fixes to handle multiple .data and .rodata sections. Also fixed to handle the last file correctly. 2004-09-23 Niels Möller * configure.ac (SHLIBLINK, SHLIBLIBS): On cygwin, linking needs -Wl,--whole-archive $(OBJECTS) -Wl,--no-whole-archive $(LIBS). 2004-09-22 Niels Möller * configure.ac: Setup SHLIBFORLINK and friends for cygwin. * list-obj-sizes.awk: Strip *_a-prefix from all file names. * Makefile.am (libnettle_a_SOURCES): List only .c files. Headers moved to noinst_HEADERS. (SHLIBOBJECTS): Substitute from libnettle_a_SOURCES, not am_libnettle_a_OBJECTS, since the latter includes libnettle_a-prefixes with some automake versions. (SHLIBSONAME): Check if this name is empty, which is the case on cygwin, before using it. 2004-08-31 Niels Möller * configure.ac: New command line option --disable-pic. Use LSH_CCPIC. * Makefile.am (libnettle_a_CFLAGS): Added $(CCPIC), to attempt to build also the static library as position independent code. 2004-08-24 Niels Möller * des-compat.c (des_cbc_cksum): Pad input with NUL's, if it's not an integral number of blocks. 2004-08-24 Niels Möller * testsuite/arctwo-test.c, arctwo.h, arctwo.c (arctwo_set_key_ekb): Fixed typo; it should be "ekb", not "ebk". Integrated arctwo patch from Simon Josefsson. * testsuite/Makefile.am (noinst_PROGRAMS): Added arctwo-test. * Makefile.am (libnettleinclude_HEADERS): Added arctwo.h. (libnettle_a_SOURCES): Added arctwo.c, arctwo.h and arctwo-meta.c. * nettle-meta.h (nettle_arctwo40, nettle_arctwo64) (nettle_arctwo64, nettle_arctwo_gutmann128): Declare ciphers. * arctwo-meta.c, arctwo.c, arctwo.h, testsuite/arctwo-test.c: New files. * macros.h (LE_READ_UINT16, LE_WRITE_UINT16): New macros. 2004-08-23 Niels Möller * testsuite/md5-test.c (test_main): Added collision, found in 2004. (test_main): Added second collision. 2004-08-23 Niels Möller * testsuite/md5-test.c (test_main): Added first half of a collision test case. * des-compat.c (des_cbc_cksum): Changed input argument to be of type const uint8_t * (was const des_cblock *). * des-compat.h (const_des_cblock): New bogus type. Disabled use of const, for compatibility with openssl. 2004-06-08 Niels Möller * aesdata.c: Renamed log and ilog to gf2_log and gf2_exp. 2004-04-07 Niels Möller * aes-set-encrypt-key.c (log, ilog): Deleted unused tables. * aes-set-decrypt-key.c (gf2_log, gf2_exp, mult): Renamed tables, were log and ilog. 2004-03-20 Niels Möller * configure.ac: Use AC_CONFIG_AUX_DIR([.]). 2004-03-18 Niels Möller * examples/io.c (read_file): Display a message if fopen fails. 2004-03-05 Niels Möller * Released nettle-1.10. * configure.ac (SHLIBMINOR): Shared library version is now 2.2. 2004-03-04 Niels Möller * testsuite/symbols-test: Pass -g flag to nm. 2004-03-02 Niels Möller * configure.ac: Fixed EXEEXT workaround. 2004-03-02 Niels Möller * configure.ac: Added workaround to get the correct $(EXEEXT)='' when compiling with rntcl. 2004-03-02 Niels Möller * testsuite/Makefile.am (noinst_PROGRAMS): Put test program list here, to let automake add $(EXEEXT). * configure.ac (RSA_EXAMPLES): Append $(EXEEXT) to the filenames. 2004-03-01 Niels Möller * examples/rsa-keygen.c, examples/rsa-encrypt.c, examples/rsa-decrypt.c: Include "getopt.h" instead of . * examples/Makefile.am (rsa_encrypt_SOURCES, rsa_decrypt_SOURCES) (rsa_keygen_SOURCES): Added getopt.h, getopt.c and getopt1.c. * examples/getopt.h, examples/getopt.c, examples/getopt1.c: New files. * testsuite/des-compat-test.c: Don't include . * testsuite/testutils.c (main): Don't use getopt. Then we don't need to include . 2004-03-01 Niels Möller * config.guess: Copied from automake-1.8.2. Hacked to recognize Windows_NT (and Windows_95 and Windows_98) running on "x86" and "686". * install-sh: Removed from CVS repository. Let automake supply it. 2004-02-26 Niels Möller * nettle-meta.h (nettle_crypt_func): Typedef moved to cbc.h. Include cbc.h instead. * des-compat.c: Reverted const change, now all the des_key_sched arguments are not const. This is also what openssl's interface looks like. (cbc_crypt_func): Deleted typedef, use nettle_crypt_func instead. * cbc.h (nettle_crypt_func): Moved typedef here. * cbc.c (cbc_encrypt, cbc_decrypt_internal, cbc_decrypt): Use it for typing the f argument. Reverted the const change, for compatibility with nettle_crypt_func. 2004-02-25 Niels Möller * testsuite/des-compat-test.c: Use des_cblock for typing more of the variables. Use const. Got rid of most of the explicit casts. Disabled the input/output alignment tests. * des.c (des_encrypt, des_decrypt): Use a const context pointer. * des3.c (des3_encrypt, des3_decrypt): Likewise. * cbc.c (cbc_encrypt, cbc_decrypt): Use a _const_ void *ctx argument. * des-compat.c: Use const for all unchanged arguments. (des_key_sched): Use a copy of the key if we need to fix the parity. * testsuite/des-compat-test.c (C_Block, Key_schedule): Deleted defines. Deleted some of the explicit casts. * des-compat.c (des_cbc_cksum): Dereference DST pointer. 2004-02-25 Niels Möller * pgp.h: Include nettle-types.h. 2004-02-24 Niels Möller * testsuite/symbols-test: Allow symbols starting with double underscores, like on darwin. 2004-02-17 Niels Möller * Makefile.am: Protected %-rules used for building pure objects, and for assembler files, by automake conditionals. Needed for makes such as tru64's, which tries to understand %-patterns, but doesn't get it right. (SUFFIXES): Added .html. (.texinfo.html): Rewrote rule to use a traditional suffix target. * configure.ac (enable_assembler): Explicitly set enable_assembler=no, on architectures where we have no assembler files. (ENABLE_ASSEMBLER, ENABLE_SHARED): New automake conditionals. * testsuite/testutils.c (xalloc): xalloc(0) should work also on systems where malloc(0) returns NULL. 2004-02-16 Niels Möller * Makefile.am (%.o: %.asm): Added comment about OSF1 make problem. 2004-02-15 Niels Möller * testsuite/testutils.h: #include nettle-types.h instead of inttypes.h. 2004-02-12 Niels Möller * examples/rsa-encrypt-test: Use -r option when invoking rsa-encrypt. Needed for the test to work on systems with no /dev/urandom. 2004-02-12 Niels Möller * configure.ac (CPPFLAGS, LDFLAGS): No spaces after -I and -L, as some C compilers, in particular True64 cc, don't like that. 2004-02-08 Niels Möller * configure.ac: Bumped version number to 1.10. 2004-02-07 Niels Möller * Released nettle-1.9. * configure.ac (SHLIBMINOR): Bumped, library version is now 2.1. * testsuite/sexp-format-test.c: Include bignum.h only if HAVE_LIBGMP. * testsuite/rsa-encrypt-test.c: Include rsa.h only if WITH_PUBLIC_KEY. * testsuite/pkcs1-test.c: Include pkcs1.h only if WITH_PUBLIC_KEY. * pgp-encode.c [!HAVE_LIBGMP]: Kludge around the pgp.h's dependency on gmp.h. (pgp_put_mpi): Condition on HAVE_LIBGMP. * pgp.h: Don't include bignum.h, to make it possible to compile the non-bignum parts of pgp-encode.c without bignum support. Needs to be fixed properly before the pgp interface is advertised. * tools/sexp-conv.c (xalloc): New function. (main): Use xalloc. * tools/output.c (sexp_put_digest): Use TMP_DECL instead of alloca. * testsuite/testutils.c (xalloc): New function. Made all other functions use xalloc instead of alloca. * examples/rsa-keygen.c (main): Use xalloc for allocation. * examples/rsa-encrypt.c (write_bignum): Likewise. * examples/rsa-decrypt.c (read_bignum): Likewise. * testsuite/yarrow-test.c (open_file): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Likewise. * testsuite/bignum-test.c (test_bignum): Likewise. * examples/nettle-openssl.c: When calling des_key_sched and des_ecb_encrypt, cst arguments to (void *). Openssl's typedefs des_cblock and const_des_cblock are too broken. * examples/nettle-benchmark.c (xalloc): New function. Use instead of alloca, for better portability. * examples/io.c (xalloc): New function. * Makefile.am (nodist_libnettleinclude_HEADERS): nettle-types.h should not be distributed. 2004-02-06 Niels Möller * x86/sha1-compress.asm: Rename round -> ROUND. * x86/sha1-compress.asm: Store the magic constants on stack. Accessing them via %esp should be a little faster than using large immediate operands. * Makefile.am (EXTRA_DIST, DISTCLEANFILES): Handle sha1-compress.asm. * configure.ac: Use assembler file sha1-compress.asm if available. * x86/sha1-compress.asm (EXPAND): Fixed the rotation part of the data expansion. 2004-02-06 Niels Möller * x86/sha1-compress.asm: Assembler implementation of sha1_compress. (Not yet working). * Makefile.am (libnettle_a_SOURCES): Added sha1-compress.c. * sha1.c (sha1_transform): Function renamed to sha1_compress, and moved to... * sha1-compress.c: ... New file. 2004-02-05 Niels Möller * examples/rsa-encrypt.c (process_file): Copy the leftover to the start of the buffer, when preparing for the final processing. * examples/nettle-benchmark.c (bench_hash, time_hash): New functions. (main): Benchmark hash functions too. (BENCH_BLOCK): Increased 10K. (BENCH_INTERVAL): Decreased to 0.25s. * examples/nettle-benchmark.c (time_function): Loop around calling f, until 1s has elapsed. Returns seconds per call. Updated bench functions to not loop themselves. (display): Updated MB/s calculation. * testsuite/arcfour-test.c (test_main): Use test_cipher_stream. * testsuite/testutils.c (test_cipher_stream): New function, that tries dividing the input into varying size blocks before processing. * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Bug fix, half of the S array swap was forgotten. * arcfour.c (arcfour_stream): Likewise. * arcfour-crypt.c (arcfour_crypt): Likewise. 2004-02-05 Niels Möller * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Must store the new i, j at the end of the loop. * Makefile.am (EXTRA_DIST): Make sure x86 assembler files are distributed. (DISTCLEANFILES): And that the symlinks and .s files are deleted. * x86/aes-encrypt.asm, x86/aes-decrypt.asm, x86/arcfour-crypt.asm: Fixed debug information. * x86/arcfour-crypt.asm: New file. About three times faster than the optimized C code. * configure.ac: Use assembler file arcfour-crypt.asm if available. * arcfour.c (arcfour_crypt): Moved function too... * arcfour-crypt.c (arcfour_crypt): New file. * arcfour.c (arcfour_crypt): Optimization suggested by Jonas Walldén. Makes arcfour up to 50% faster on x86 and ppc, and probably on other architectures as well. 2004-01-31 Niels Möller * configure.ac (AX_CREATE_STDINT_H): Also look for uint32_t and friends in sys/types.h. 2004-01-11 Niels Möller * Makefile.am (libnettleinclude_HEADERS): Added bignum.h, memxor.h, pkcs1.h and rsa-compat.h. * configure.ac: Bumped version to 1.9. 2004-01-10 Niels Möller * Released nettle-1.8. * examples/teardown-env: Delete more test files. * nettle.texinfo (Hash functions): Documented md2 and md4. * configure.ac (SHLIBMAJOR): Bumped to 2. 2004-01-09 Niels Möller * examples/rsa-encrypt-test: New testcase. * examples/rsa-encrypt.c, examples/rsa-session.h: Expanded the comment describing the file format, and moved to rsa-session.h. * examples/rsa-decrypt.c (process_file): Finished this function. (main): Initialize x. Check the size of the session key after rsa decryption. * examples/io.c (write_string): Treat short item count as an error. 2004-01-08 Niels Möller * index.html: Added instructions for CVS access. * dsa-keygen.c (dsa_nist_gen): Fixed declaration/statement order. * rsa-keygen.c (bignum_next_prime): Fixed off-by-one error when comparing input to the largest listed prime. General cleanup, as prime_limit > 0 always. Use TMP_DECL and TMP_ALLOC. * nettle-internal.h (TMP_DECL, TMP_ALLOC): New macros. When alloca is unavailable, they work by allocating a fix amount of stack and imposing a hard limit on what can be allocated. Updated all users of alloca. 2004-01-07 Niels Möller * nettle-types.h: New (generated) file, to be used instead of including directly. Updated all users of inttypes.h. * Makefile.am (DISTCLEANFILES, libnettleinclude_HEADERS): Added nettle-types.h. * configure.ac (AX_CREATE_STDINT_H): Create nettle-types.h. 2003-11-16 Niels Möller * yarrow256.c (yarrow256_seed): Use const for the seed_file input. 2003-11-12 Niels Möller * list-obj-sizes.awk: New function for decoding hex values, with a new function hex2int. Also implemented calculation of total storage, removed the dependence on the .comment section, and use the $FILTER environment variable as a regexp for restricting the object files that are considered. 2003-09-21 Niels Möller * testsuite/rsa-encrypt-test.c (test_main): Don't use gmp_printf, as it seems it's only available with the newer gmp. Use mpz_out_str instead. 2003-09-19 Niels Möller * examples/Makefile.am (EXTRA_DIST): Added rsa-session.h. * tools/nettle-lfib-stream.c: New tool, which outputs a sequence of pseudorandom (non-cryptographic) bytes, using Knuth's lagged fibonacci generator. * examples/rsa-decrypt.c: Fixes to get the file to compile. It won't work yet. * examples/Makefile.am (EXTRA_PROGRAMS): Added rsa-encrypt and rsa-decrypt. * examples/io.c (write_file): New function. (write_string): Simplified error check, it's no real point in calling ferror unless we also call fflush. * examples/rsa-keygen.c (main): Check return value from simple_random. * examples/rsa-decrypt.c, examples/rsa-encrypt.c, examples/rsa-session.h: New files, demonstrating rsa encryption and decryption. * configure.ac (RSA_EXAMPLES): Added rsa-encrypt and rsa-decrypt. 2003-09-01 Niels Möller * testsuite/testutils.c (print_hex): Use const. 2003-08-30 Niels Möller * md2.c, md2.h: Added reference to RFC 1319. * md4.c, md4.h: Added reference to RFC 1320 2003-08-26 Niels Möller * Makefile.am: Added md2 and md5 files. Deleted the print-path hack. * configure.ac: Bumped version to 1.8. * testsuite/testutils.c (test_rsa_set_key_1): New function. * testsuite/rsa-test.c (test_main): Use it. * testsuite/dsa-keygen-test.c: Deleted definition of UNUSED, it's now in config.h. * testsuite/rsa-keygen-test.c: Likewise. * testsuite/Makefile.am (TS_PROGS): Added rsa-encrypt-test, md4-test, and md2-test. * testsuite/rsa-encrypt-test.c, testsuite/md4-test.c, testsuite/md2-test.c: New test cases. * nettle-meta.h: Declare nettle_md2 and nettle_md4. * md5.c: Reorderd functions, putting md5_final at the end. * md2.c, md2.h, md2-meta.c: New files, implemented md2. * md4.c, md4.h, md4-meta.c: New files, implemented md4. 2003-08-17 Niels Möller * desCode.h (des_keymap, des_bigmap): Deleted extern declarations, they conficted with the static definition in des.c. Reported by Simon Josefsson. * des.c (DesSmallFipsEncrypt, DesSmallFipsDecrypt): Moved definitions after the definition of the des_kemap array. 2003-08-11 Niels Möller * rsa-encrypt.c (rsa_encrypt): Bugfix contributed by leg@terra.com.br. 2003-06-10 Niels Möller * Makefile.am (EXTRA_DIST): Distribute sha-example.c. 2003-06-05 Niels Möller * Makefile.am (DISTCLEANFILES): Delete .s files. 2003-05-27 Niels Möller * testsuite/symbols-test: And allow symbols that start at the beginning of the line, as output by AIX nm. 2003-05-26 Niels Möller * testsuite/symbols-test: Allow symbols to start with a dot. 2003-05-14 Niels Möller * pgp.h (enum pgp_subpacket_tag): Copied values from RFC 2440. Renamed PGP_SUBPACKET_ISSUER to PGP_SUBPACKET_ISSUER_KEY_ID. 2003-05-13 Niels Möller * pgp.h: Do proper namemangling for pgp_put_public_rsa_key and pgp_put_rsa_sha1_signature. * pgp-encode.c (pgp_put_mpi): Fixed nettle_mpz_get_str_256 call. 2003-05-12 Niels Möller * rsa2openpgp.c (rsa_keypair_to_openpgp): Some bugfixes. * pgp.h (enum pgp_subpacket_tag): New enum. Definition is bogus and needs to be fixed. Added forward declarations of structs, and prototypes for pgp_put_public_rsa_key and pgp_put_rsa_sha1_signature. * pgp-encode.c (pgp_put_mpi): Take a const mpz_t argument. Gugfix, use nettle_mpz_get_str_256. (pgp_put_public_rsa_key, pgp_put_rsa_sha1_signature): Constification. Some bugfixes. * Use "config.h", not . * Reordered includes in most or all .c-files. All should now include config.h. 2003-05-12 Niels Möller * configure.ac: Use LSH_FUNC_ALLOCA. 2003-04-25 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added hmac-sha256.c. * testsuite/hmac-test.c (test_main): Added tests for hmac-sha256, from draft-ietf-ipsec-ciph-sha-256-01.txt. * hmac-sha256.c (hmac_sha256_digest): New file. 2003-04-22 Niels Möller * sha-example.c (display_hex): Simplified by using printf better. * nettle.texinfo (Example): Use @verbatiminclude to include the example program. * sha-example.c: Example program, for inclusion in the manual. Fixed bugs reported by Mark Arking. 2003-04-14 Niels Möller * x86/aes-encrypt.asm (nettle_aes_encrypt): Fixed references to _nettle_aes_encrypt_table. * x86/aes-decrypt.asm (nettle_aes_decrypt): Fixed references to _nettle_aes_decrypt_table. 2003-04-12 Niels Möller * testsuite/Makefile.am (TS_SH): New test case symbols-test. (EXTRA_PROGRAMS): Added testutils, as a kludge to get automake to track dependencies for testutils.o. * x86/aes-encrypt.asm (nettle_aes_encrypt): Renamed function to use the nettle_ prefix. * x86/aes-decrypt.asm (nettle_aes_decrypt): Likewise. * sparc/aes.asm (_nettle_aes_crypt): Likewise. * examples/Makefile.am (EXTRA_PROGRAMS): Add "io", as a kludge to get automake to track dependencies for io.o. (LDADD): Added ../libnettle.a, for the dependency. * des-compat.c: Use names with the nettle_ prefix when using Nettle's des functions. * base16-meta.c (base16_encode_update): Need to undef before redefining. * New name mangling, to reduce the risk of link collisions. All functions (except memxor) now use a nettle_ or _nettle prefix when seen by the linker. For most functions, the header file that declares a function also use #define to provide a shorter more readable name without the prefix. 2003-03-11 Niels Möller * Released nettle-1.7. * configure.ac: Bumped version to 1.7. * nettle.texinfo (DSA): New section. (RSA): Updated documentation. 2003-03-02 Niels Möller * examples/nettle-benchmark.c (time_cipher): Don't use GNU C non-constant initializers. 2003-02-23 Niels Moller * configure.ac: Use LSH_GCC_ATTRIBUTES. 2003-02-19 Niels Möller * acinclude.m4: Deleted file from cvs, use a link to lsh's acinclude.m4 instead. 2003-02-16 Niels Möller * Makefile.am (libnettleinclude_HEADERS): Added macros.h. * tools/Makefile.am (EXTRA_DIST): Added getopt.h. 2003-02-14 Niels Möller * Makefile.am (print_path): Added target to print the used PATH, for debugging. (print-path): Moved dependency to all-local. 2003-02-11 Niels Möller * buffer.c (nettle_buffer_copy): Bug fix, it didn't return any value. 2003-02-11 Niels Möller * testsuite/sexp-format-test.c (test_main): Added test for %( and %). * sexp-format.c (sexp_vformat): Handle %( and %). * realloc.c (nettle_xrealloc): Fixed out-of-memory check. * configure.ac (SHLIBMAJOR): Bumped version number to 1. * buffer.c (nettle_buffer_init_realloc): New function. * buffer-init.c (nettle_buffer_init): Use nettle_buffer_init_realloc. 2003-02-10 Niels Möller * testsuite/sexp-format-test.c (test_main): New test with tokens in the format string. (test_main): Test space-searated literals too. * rsa2sexp.c (rsa_keypair_to_sexp): New argument ALGORITHM_NAME. * examples/rsa-keygen.c (main): Updated call to rsa_keypair_to_sexp. * testsuite/rsa2sexp-test.c (test_main): Likewise. * sexp-format.c (sexp_vformat): Allow whitespace in format string. * rsa2sexp.c (rsa_keypair_to_sexp): Use literals with sexp_format. * sexp-format.c (format_string): New function. (sexp_vformat): Implemented support for literals in the format string. 2003-02-06 Niels Möller * testsuite/sexp-conv-test (print_raw, print_nl): New functions. The testfunctions use these instead of using echo directly. Use the test input '3:"\x' instead of '2:"\', to be friendlier to sysv echo. 2003-02-05 Niels Möller * des-compat.h (des_set_key): Different name mangling, if this file is included, des_set_key should refer to a function that behaves like openssl's. * des-compat.c (des_key_sched, des_is_weak_key): Use the name nettle_des_set_key for referring to Nettle's function. * des.h (des_set_key): Name mangling, linker symbols should use a "nettle_" prefix, and this one collided with openssl. Perhaps all symbols should be mangled in a similar way, but that's for later. * configure.ac (LDFLAGS): --with-lib-path should add to LDFLAGS, not replace it. 2003-01-30 Niels Möller * tools/output.c (sexp_put_string): Fixed handling of escapable characters. The code generated random escape sequences for characters in the 0x10-0x1f range. * testsuite/sexp-conv-test: More tests for hex and base64 input and output. 2003-01-30 Niels Möller * sexp2bignum.c (nettle_mpz_set_sexp): Call sexp_iterator_next on success. That means the iterator argument can't be const. 2003-01-29 Niels Möller * tools/Makefile.am (LDADD): Add libnettle.a, for the dependency. 2003-01-27 Niels Möller * sexp2dsa.c (dsa_signature_from_sexp): New function. RSA renaming. Updated all callers. * rsa-sign.c (rsa_private_key_init, rsa_private_key_clear) (rsa_private_key_prepare): Renamed functions. * rsa.c (rsa_public_key_init, rsa_public_key_clear) (rsa_public_key_prepare): Renamed functions. 2003-01-23 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added new rsa and pkcs1 files. Removed old rsa_md5.c and rsa_sha1.c. * testsuite/Makefile.am (TS_PROGS): Added pkcs1-test. * dsa-verify.c (dsa_verify_digest): New function. (dsa_verify): Most of the code moved to dsa_verify_digest, which is used here. * dsa-sign.c (dsa_sign_digest): New function. (dsa_sign): Most of the code moved to dsa_sign_digest, which is used here. * dsa.c (_dsa_hash): Deleted function. * rsa_md5.c, rsa_sha1.c: Deleted files, contents spread over several files for signing and verification. * rsa-sign.c, rsa-sha1-verify.c, rsa-sha1-sign.c, rsa-md5-verify.c, rsa-md5-sign.c: New files. * rsa-sha1-verify.c (rsa_sha1_verify_digest): New function. * rsa-sha1-sign.c (rsa_sha1_sign_digest): New function. * rsa-md5-verify.c (rsa_md5_verify_digest): New function. * rsa-md5-sign.c (rsa_md5_sign_digest): New function. * rsa-verify.c (_rsa_verify): New file, new function. * rsa.c (_rsa_check_size): Renamed from rsa_check_size, and made non-static. Private key functions moved to rsa-sign.c. * pkcs1.c, pkcs1.h, pkcs1-rsa-md5.c, pkcs1-rsa-sha1.c: New files. (pkcs1_signature_prefix): New function. * testsuite/pkcs1-test.c: New test. 2003-01-22 Niels Möller * examples/Makefile.am (nettle_benchmark_LDADD): Use OPENSSL_LIBFLAGS. * configure.ac (OPENSSL_LIBFLAGS): If libcrypto is found, add -lcrypto to OPENSSL_LIBFLAGS, not the plain LDFLAGS. 2003-01-20 Niels Möller * testsuite/Makefile.am (CLEANFILES): Delete test.in, test1.out and test2.out. 2003-01-17 Niels Möller * examples/Makefile.am (AM_CPPFLAGS): Use AM_CPPFLAGS instead of AM_CFLAGS. * testsuite/Makefile.am (AM_CPPFLAGS): Likewise. 2003-01-16 Niels Möller * testsuite/Makefile.am (check): Can't use quotes around $(srcdir). 2003-01-14 Niels Möller * testsuite/Makefile.am (check): Don't use "run-tests" as a target, as it's confused with the file with the same name. * .bootstrap: Added missing #! /bin/sh. 2003-01-12 Niels Möller * buffer.c (nettle_buffer_reset): New function. (nettle_buffer_copy): New function. * tools/input.c, tools/input.h, tools/output.c, tools/output.h, tools/parse.c, tools/parse.h, tools/misc.c, tools/misc.h: Moved parts ov sexp-conv.c to separate files * tools/sexp-conv.c (sexp_convert_list): Inlined into sexp_convert_item. * tools/sexp-conv.c (struct sexp_input): Deleted string attribute. Changed all related functions to take a struct nettle_buffer * argument instead. (struct sexp_compound_token): New struct. (sexp_compound_token_init, sexp_compound_token_clear): New functions. (struct sexp_parser): Added a struct sexp_compound_token attribute, as a temporary measure. (sexp_parse): Take a struct sexp_compound_token * as argument. Updated all callers. Simplified handling of display types and transport encoding. * tools/sexp-conv.c (struct sexp_parser): Renamed struct (was struct sexp_parse_state). Added input pointer. Updated users to not pass around both parser and input. (sexp_check_token): handle token == 0. (sexp_parse): Simplified a little by calling sexp_check_token unconditionally. * tools/sexp-conv.c (sexp_convert_string): Deleted function. (sexp_skip_token): Likewise. * tools/sexp-conv.c (enum sexp_token): New constant SEXP_DISPLAY. Start constants from 1, to keep 0 free for special uses. (struct sexp_parse_state): New struct for keeping track of parser state. (sexp_parse_init): New function. (sexp_check_token): New function, replacing sexp_skip_token. (sexp_parse): New function. (sexp_convert_item): Simplified by using sexp_parse. (sexp_convert_list): Use sexp_parse. (main): Likewise. 2003-01-08 Niels Möller * tools/sexp-conv.c (parse_options): Initialize prefer_hex. 2003-01-07 Niels Möller * Makefile.am (des_headers): Refer to the desdata binary using $(EXEEXT). 2003-01-01 Niels Möller * testsuite/sexp-conv-test: New tests for hex and base64 literal output. * tools/sexp-conv.c (sexp_put_string): Print binary strings using either hex or base 64 (in advanced mode). (parse_options): Implemented -s hex, for output using hex rather than base64. 2002-12-30 Niels Möller * testsuite/rsa2sexp-test.c: Don't include rsa.h (done by testutils.h, if enabled). * testsuite/sexp2rsa-test.c: Likewise. * rsa-decrypt.c: Make compilation conditional on WITH_PUBLIC_KEY. * rsa-encrypt.c: Likewise. * rsa-compat.c: Likewise. 2002-12-04 Niels Möller * testsuite/Makefile.am (LDADD): Added path to ../libnettle.a, which is redundant except for the dependency. 2002-12-04 Niels Möller * testsuite/sexp-format-test.c (test_main): Use %0s instead of %z. New test for %t. * sexp-format.c (format_length_string): Deleted function. (format_string): Deleted function. (sexp_vformat): New %t specifier, formatting an optional display type. Deleted %z specifier. Instead, introduced a new modifier "0" that can be used with %s, %l and %t, which says that the data is NUL-terminated. * rsa2sexp.c (rsa_keypair_to_sexp): Use %0s rather than %z, when formatting s-expressions. * buffer.c (nettle_buffer_grow): Fixed assertion. 2002-11-22 Niels Möller * buffer.c: Include assert.h. 2002-11-21 Niels Möller * testsuite/testutils.c (print_hex): Add line breaks. * Makefile.am (libnettleinclude_HEADERS): Added realloc.h. (libnettle_a_SOURCES): Added buffer-init.c and realloc.c. * sexp.c (sexp_iterator_exit_lists): New function, #if:ed out for now. * desdata.c: Include config.h, to get definition of UNUSED. * shadata.c: Likewise. * buffer.c (nettle_buffer_grow): New function, replacing grow_realloc. (nettle_buffer_clear): Rewritten to use buffer->realloc. * buffer.h (struct nettle_buffer): Replaced the GROW function pointer with a nettle_realloc_func pointer and a void *realloc_ctx. (NETTLE_BUFFER_GROW): Deleted macro, use function instead. * buffer-init.c (nettle_buffer_init): Moved to a separate file. * realloc.c (nettle_realloc): New function. (nettle_xrealloc): New function. * realloc.h (nettle_realloc_func): New typedef. * configure.ac: Check for gcc:s __attribute__. 2002-11-16 Niels Möller * sexp2dsa.c, sexp2rsa.c: (macro GET): Check sign of parsed numbers. * sexp2bignum.c (nettle_mpz_set_sexp): In the first check against limit, added some margin to allow for sign octets. 2002-11-15 Niels Möller * testsuite/testutils.h (LDATA): Use sizeof instead of strlen. Now handles strings including NUL-characters. But works only with literals and character arrays, no char pointers. (LLENGTH): New macro, computing length the same way as LDATA. * testsuite/sexp-test.c (test_main): Test sexp_iterator_get_uint32. * testsuite/sexp-format-test.c (test_main): Check that %i and %b generate leading zeroes when needed. Check that %b handles negative numbers. * testsuite/rsa2sexp-test.c (test_main): Updated test, one leading zero is needed in the private key expression. In verbose mode, print the generated keys. * testsuite/sexp2rsa-test.c (test_main): Added a leading zero in the private key expression. * testsuite/bignum-test.c (test_bignum): Use nettle_mpz_init_set_str_256_s. (test_size): New function. (test_main): Test size computation and formatting of negative numbers. * sexp2bignum.c (nettle_mpz_set_sexp): Use nettle_mpz_set_str_256_s, to handle negative numbers correctly. * sexp-format.c (sexp_vformat): For %i, output a leading zero when needed to get a correct, positive, sign. For %b, use nettle_mpz_sizeinbase_256_s, to handle negative numbers properly. * bignum.c (nettle_mpz_sizeinbase_256_s): New function. (nettle_mpz_sizeinbase_256_u): New name, was nettle_mpz_sizeinbase_256. Updated all callers. (nettle_mpz_to_octets): New function. (nettle_mpz_get_str_256): Handle negative numbers. (nettle_mpz_from_octets): New function. (nettle_mpz_set_str_256_u): New name, was nettle_mpz_set_str_256. (nettle_mpz_init_set_str_256_u): New name, was nettle_mpz_init_set_str_256. (nettle_mpz_set_str_256_s): New function, handling negative two's complement numbers. (nettle_mpz_init_set_str_256_s): And an init variant. * sexp.c (sexp_iterator_get_uint32): New function. 2002-11-10 Niels Möller * testsuite/sexp-conv-test: Use input files without any trailing newline character, in order to stress the end of file handling. * tools/sexp-conv.c (sexp_get_token_string): Fixed end of file handling. (sexp_get_string): Fixed end of encoding/end of file handling. (parse_options): Check for negative width and complain. * tools/sexp-conv.c: Use supplied getopt. (werror): New function. (sexp_output_hash_init): New function. (sexp_put_char): Made base64 linebreaking configurable. Implemented hashing. (sexp_put_code_start, sexp_put_code_end): Don't output any delimiters here. (sexp_put_string): Output base64 delimiters. (sexp_put_digest): New function. (sexp_convert_item): Output transport delimiters. (sexp_convert_file): Deleted function, folded with main. (parse_options): New function. (main): Implemented --hash and --once, needed by lsh-authorize. * sexp.h (struct sexp_iterator): New field start. * sexp.c (sexp_iterator_subexpr): New function. (sexp_iterator_parse): Initialize ITERATOR->start. * sexp-format.c (sexp_vformat): Abort if format string contains unhandled characters. 2002-11-08 Niels Möller * des-compat.c (des_ecb3_encrypt): Don't use struct initialization (c89 doesn't allow non-constant initializers). Reported by James Ralston. (des_ede3_cbc_encrypt): Likewise. * examples/nettle-openssl.c: Moved from the top-level directory. Should *not* be included in the nettle library. 2002-11-08 Niels Möller * testsuite/testutils.c (test_dsa_key): Bugfix for renamed DSA constant (noted by James Ralston). 2002-11-07 Niels Möller * testsuite/run-tests: Copied new version rom lsh/src/testsuite. This version handles test scripts located in $srcdir. * examples/Makefile.am (AM_CFLAGS): We need -I$(top_srcdir). * tools/Makefile.am (AM_CFLAGS): Likewise. * testsuite/Makefile.am (AM_CFLAGS): Likewise. 2002-11-07 Niels Möller * Makefile.am (SUBDIRS): Added tools. (libnettle_a_SOURCES): Added sexp-transport-format.c, sexp2bignum.c, sexp2dsa.c. * sexp2dsa.c (dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp): New file, new functions. * rsa2sexp.c (rsa_keypair_to_sexp): %s -> %z renaming. * sexp-transport.c (sexp_transport_iterator_first): Fixed bug, length was mishandled. * sexp-transport-format.c (sexp_transport_format, sexp_transport_vformat): New file, new functions. * sexp-format.c (sexp_format): Return length of output. Allow buffer == NULL, and only compute the needed length in this case. Renamed %s to %z. New format specifiers %s, %i, and %l. (sexp_vformat): New function. (format_prefix): Rewrote to not use snprintf. * sexp2rsa.c (rsa_keypair_from_sexp): New limit argument. Use nettle_mpz_set_sexp. * dsa-keygen.c (dsa_generate_keypair): Added some newlines to progress display. Use DSA_P_MIN_BITS. * dsa.h (DSA_MIN_P_BITS): New constant (was DSA_MINIMUM_BITS). (DSA_Q_OCTETS, DSA_Q_BITS): New constants. (dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp): New prototypes. * configure.ac: Output tools/Makefile. * sexp2bignum.c (nettle_mpz_set_sexp): New file, and new function. Moved from sexp2rsa.c:get_value. * examples/io.c (read_rsa_key): New limit argument in call of rsa_keypair_from_sexp_alist. * examples/Makefile.am (noinst_PROGRAMS): Removed sexp-conv. * tools/sexp-conv.c: Moved file from examples directory. * testsuite/Makefile.am (TS_SH): New variable. Added sexp-conv-test. * testsuite/testutils.h (LDUP): New macro. * testsuite/sexp2rsa-test.c (test_main): New limit argument in call of rsa_keypair_from_sexp_alist. * testsuite/sexp-test.c (test_main): Added test for lengths with more than one digit. Added tests for transport mode decoding. * testsuite/sexp-format-test.c (test_main): Added tests for %i and %l. * testsuite/sexp-conv-test: Moved test from examples directory. Updated path to sexp-conv, now in ../tools/sexp-conv. 2002-11-03 Niels Möller * sexp-format.c, sexp_format.c: Renamed sexp_format.c to sexp-format.c. * Makefile.am (libnettle_a_SOURCES): Renamed sexp_format.c to sexp-format.c. * examples/Makefile.am: Don't set CFLAGS or CPPFLAGS explicitly, let automake handle that. * testsuite/Makefile.am: Likewise. * sexp2rsa.c (rsa_keypair_from_sexp_alist): New function. (rsa_keypair_from_sexp): Use it. 2002-11-01 Niels Möller * examples/Makefile.am (LDADD): Use -lnettle, instead of an explicit filename libnettle.a, so that we will use the shared library, if it exists. (AM_LDFLAGS): Added -L.., so we can find -lnettle. (run-tests): Set LD_LIBRARY_PATH to ../.lib, when running the testsuite. * testsuite/Makefile.am: Similar changes. * Makefile.am (LIBOBJS): Put @LIBOBJS@ into the make variable LIBOBJS. (CLEANFILES): Delete libnettle.so. (clean-local): Delete the .lib linkfarm. ($(SHLIBFORLINK)): When building libnettle.so, create a link from .lib/$SHLIBSONAME. Needed at runtime, for the testsuite. 2002-11-01 Niels Möller * configure.ac: Fixed definitions using SHLIBMAJOR and SHLIBMINOR. Also AC_SUBST SHLIBMAJOR and SHLIBMINOR. Reported by James Ralston. 2002-10-31 Niels Möller * examples/sexp-conv.c(sexp_put_list_start): Deleted function. (sexp_put_list_end): Likewise. (sexp_put_display_start): Likewise. (sexp_put_display_end): Likewise. (sexp_puts): Likewise. * examples/sexp-conv.c (sexp_get_quoted_string): Deleted function. Merged with sexp_get_String. (sexp_get_hex_string): Likewise. (sexp_get_base64_string): Likewise. (sexp_get_string): Do hex and base64 decoding. * examples/sexp-conv.c (enum sexp_char_type): New enum, for end markers in the input strem. (struct sexp_input): Deleted LEVEL attribute. Deleted all usage of it. (sexp_get_raw_char): Use INPUT->c and INPUT->ctype to store results. Deleted OUT argument. (sexp_get_char): Likewise. Also removed the INPUT->coding->decode_final call, for symmetry. (sexp_input_end_coding): Call INPUT->coding->decode_final. (sexp_next_char): New function. (sexp_push_char): New function. (sexp_get_token_char): Deleted function. (sexp_get_quoted_char): Simplified. Deleted output argument. (sexp_get_quoted_string): Simplified. (sexp_get_base64_string): Likewise. (sexp_get_token_string): Likewise. (sexp_get_string_length): Skip the character that terminates the string. (sexp_get_token): Cleared upp calling conventions. Always consume the final character of the token. (sexp_convert_list): Take responsibility for converting the start and end of the list. (sexp_convert_file): Call sexp_get_char first, to get the token reading started. (sexp_convert_item): Cleared up calling conventions. Should be called with INPUT->token being the first token of the expression, and returns with INPUT->token being the final token of the expression. Return value changed to void.. * examples/sexp-conv-test: Added test for transport mode input. * examples/sexp-conv.c (sexp_get_char): Use the nettle_armor interface for decoding. (sexp_input_start_coding): New function. (sexp_input_end_coding): New function. (sexp_get_base64_string): Rewrote to use sexp_input_start_coding and sexp_input_end_coding. (sexp_get_token): Generate SEXP_TRANSPORT_START tokens. (sexp_convert_list): Lists are ended only by SEXP_LIST_END. (sexp_convert_item): Implemented transport mode, using sexp_input_start_coding and sexp_input_end_coding. 2002-10-30 Niels Möller * Makefile.am: Added base16 files. * examples/sexp-conv-test: New tests for transport output. * examples/sexp-conv.c: Deleted hex functions, moved to Nettle's base16 files. (struct sexp_output): Represent the current encoding as a nettle_armor pointer and a state struct. (sexp_output_init): Deleted MODE argument. Now passed to functions that need it. (sexp_get_char): Updated to new base64 conventions. (sexp_get_base64_string): Likewise. (sexp_put_raw_char): New function. (sexp_put_newline): Use sexp_put_raw_char. (sexp_put_char): Use nettle_armor interface for encoding data. Use OUTPUT->coding_indent for line breaking, so the INDENT argument was deleted. (sexp_put_code_start): New function, replacing sexp_put_base64_start. (sexp_put_code_end): New function, replacing sexp_put_base64_end. (sexp_put_data): Deleted argument INDENT. (sexp_puts): Likewise. (sexp_put_length): Likewise. (sexp_put_list_start): Likewise. (sexp_put_list_end): Likewise. (sexp_put_display_start): Likewise. (sexp_put_display_end): Likewise. (sexp_put_string): Likewise. Also changed base64 handling. (sexp_convert_string): Deleted argument INDENT. New argument MODE_OUT. (sexp_convert_list): New argument MODE_OUT. (sexp_convert_file): Likewise. (sexp_convert_item): Likewise. Also handle output in transport mode. (match_argument): Simple string comparison. (main): Adapted to above changes. * testsuite/testutils.c (test_armor): Allocate a larger buffer CHECK, to make decode_update happy. Updated to new base64 conventions. * testsuite/base64-test.c (test_main): Fixed overlap test to not change the base64 before decoding. Updated to new base64 conventions. * testsuite/Makefile.am (TS_PROGS): Added base16-test. * testsuite/base16-test.c: New test. * sexp-transport.c (sexp_transport_iterator_first): Updated to new conventions for base64_decode_update and base64_decode_final. * nettle-meta.h: Updated ascii armor declarations. New declaration for nettle_base16. * base64-decode.c (base64_decode_single): Return -1 on error. Also keep track of the number of padding characters ('=') seen. (base64_decode_update): New argument dst_length. Return -1 on error. (base64_decode_status): Renamed function... (base64_decode_final): ... to this. * base64.h (struct base64_decode_ctx): Deleted STATUS attribute. Added PADDING attribute. * base16.h, base16-encode.c, base16-decode.c, base16-meta.c: New files. 2002-10-28 Niels Möller * examples/sexp-conv.c (struct hex_decode_ctx): New hex decoding functions. (sexp_get_raw_char): New function. (sexp_get_char): Use sexp_get_raw_char. 2002-10-26 Niels Möller * examples/sexp-conv.c (sexp_put_length): Bugfix, don't output any leading zero. (main): Implemented -s option. * examples/sexp-conv-test: Test for echo -n vs echo '\c'. Added a few tests for canonical output. 2002-10-25 Niels Möller * examples/sexp-conv.c (struct sexp_input): Deleted the mode from the state, that should be passed as argument to relevant functions. Instead, introduces enum sexp_coding, to say if base64 coding is in effect. (struct sexp_output): Added coding attribute. (sexp_put_char): Use output->coding. (sexp_put_base64_start): Likewise. (sexp_put_base64_end): Likewise. * base64-decode.c (base64_decode_single): Simplified, got rid of the done variable. 2002-10-25 Niels Möller * examples/sexp-conv.c (sexp_put_newline): Return void, die on error. (sexp_put_char, sexp_put_data, sexp_puts, sexp_put_length, sexp_put_base64_start, sexp_put_base64_end, sexp_put_string, sexp_put_list_start, sexp_put_list_end, sexp_put_display_start, sexp_put_display_end, sexp_convert_string, sexp_convert_list, sexp_skip_token): Likewise. (sexp_convert_item): Die on error. 2002-10-24 Niels Möller * examples/sexp-conv-test: Doesn't need echo -n anymore. * examples/sexp-conv.c (die): New function. (struct sexp_input): Deleted field ITEM. (sexp_get_char): Die on failure, never return -1. (sexp_get_quoted_char): Likewise. (sexp_get_quoted_string): Die on failure, no returned value. (sexp_get_base64_string): Likewise. (sexp_get_token_string): Likewise. (sexp_get_string): Likewise. (sexp_get_string_length): Likewise. (sexp_get_token): Likewise. (sexp_convert_string): Adapted to sexp_get_token. (sexp_convert_list): Likewise. (sexp_convert_file): New function. (main): Use sexp_convert_file. 2002-10-23 Niels Möller * examples/Makefile.am (TS_PROGS): Added sexp-conv-test. * examples/sexp-conv.c (sexp_input_init): Initialize input->string properly. (sexp_get_char): Fixed non-transport case. (sexp_get_quoted_char): Fixed default case. (sexp_get_token): Loop over sexp_get_char (needed for handling of white space). Don't modify input->level. Fixed the code that skips comments. (sexp_put_char): Fixed off-by-one bug in assertion. (sexp_put_string): Fixed escape handling for output of quoted strings. (sexp_convert_list): Prettier output, hanging indent after the first list element. (sexp_skip_token): New function. (sexp_convert_item): Use sexp_skip_token to skip the end of a "[display-type]". 2002-10-22 Niels Möller * examples/sexp-conv-test: New test program. * examples/Makefile.am (noinst_PROGRAMS): Added sexp-conv. * examples/sexp-conv.c (sexp_convert_list): New function. (sexp_convert_item): New function. (main): New function. Compiles and runs now, but doesn't work. * base64-decode.c (base64_decode_single): New function. (base64_decode_update): Use base64_decode_single. * examples/sexp-conv.c: Added output functions. 2002-10-21 Pontus Sköld * base64-encode.c (base64_encode_raw): Fixed null statement amongst variable declarations, broke compilation for non C99 compilers. 2002-10-21 Niels Möller * examples/sexp-conv.c: New sexp conversion program. 2002-10-21 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added sexp-format-transport.c. * sexp-transport.c (sexp_transport_iterator_first): New file and function. * sexp.h (sexp_transport_iterator_first): Added protoype. * sexp.c (sexp_iterator_next): Abort if iterator type is boogus. 2002-10-19 Niels Möller * testsuite/testutils.c (test_armor): Updated to new armor conventions. * testsuite/base64-test.c (test_main): Test BASE64_ENCODE_LENGTH and BASE64_DECODE_LENGTH. Updated test of base64_encode_raw (used to be base64_encode). * base64.h (BASE64_ENCODE_LENGTH, BASE64_DECODE_LENGTH): Fixed and documented macros. * base64-meta.c (base64_encode_length, base64_decode_length): New functions, corresponding to the macros with the same name. * Makefile.am (libnettle_a_SOURCES): base64.c replaced by base64-encode.c and base64-decode.c. * pgp-encode.c (pgp_armor): Use new base64 conventions. * nettle-meta.h: Updated nettle_armor definitions. * base64.h: Major reorganization. * base64.c: Deleted file, contents moved to base64-encode.c or base64-decode.c. * base64-encode.c: New file. New supporting both encode-at-once and streamed operation. * base64-decode.c: New file. 2002-10-09 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added dsa-keygen-test. * dsa-keygen.c: Call the progress callback only if it's non-NULL. * Makefile.am (libnettle_a_SOURCES): Added bignum-random.c and dsa-keygen.c. * testsuite/testutils.c (test_dsa_key): New function to sanity check a dsa keypair. * testsuite/dsa-test.c (test_main): Call dsa_test_key. * testsuite/dsa-keygen-test.c: New test case. * dsa.h (DSA_MINIMUM_BITS): New constant. * bignum.h (nettle_mpz_random, nettle_mpz_random_size): Added prototypes. * dsa-keygen.c: New file. * bignum-random.c: New file. (nettle_mpz_random): New function, moved from... * dsa-sign.c (nettle_mpz_random): ... here. Also changed argument ordering and updated callers. * bignum-random.c: (nettle_mpz_random_size): New function, renamed and moved here from... * rsa-keygen.c (bignum_random_size): ... here. Updated all callers. * testsuite/testutils.c (test_dsa): Needs both public and private key as arguments. * testsuite/dsa-test.c (test_main): Updated to changes of the private key struct. * testsuite/Makefile.am (TS_PROGS): Added dsa-test. * rsa-decrypt.c (rsa_decrypt): Constification. * rsa-encrypt.c (rsa_encrypt): Likewise. * rsa.c (rsa_compute_root): Likewise. * rsa_md5.c (rsa_md5_sign): Likewise. (rsa_md5_verify): Likewise. * rsa_sha1.c (rsa_sha1_sign): Likewise. (rsa_sha1_verify): Likewise. * dsa-verify.c (dsa_verify): Use const for the public key argument. * dsa-sign.c (dsa_sign): Needs the public key as argument, in addition to the private key. Use const. * dsa.h (struct dsa_private_key): Don't include the public information here. * dsa.c (dsa_private_key_init, dsa_private_key_clear): Updated to new struct dsa_private_key. * dsa-sign.c (dsa_sign): Bugfix, added missing mpz_init call. * Makefile.am (libnettle_a_SOURCES): Added dsa files. (libnettleinclude_HEADERS): Added dsa.h. * testsuite/testutils.c (test_dsa): New function. * testsuite/dsa-test.c: New test. * dsa.h, dsa.c, dsa-sign.c, dsa-verify.c: New files. * nettle-meta.h: Moved the nettle_random_func and nettle_progress_func typedefs here... * rsa.h: ... from here. 2002-10-07 Niels Möller * sexp.h (enum sexp_type): Deleted SEXP_START. * sexp.c (sexp_iterator_parse): New function, similar to the old sexp_iterator_next, but independent of the previous value of the iterator->type. (sexp_iterator_first): Use sexp_iterator_parse. (sexp_iterator_next): Likewise. (sexp_iterator_enter_list): Use sexp_iterator_parse. SEXP_START not needed anymore. (sexp_iterator_exit_list): Likewise. 2002-10-06 Niels Möller * sexp2rsa.c (get_value): No need to call sexp_iterator_next anymore. * sexp.c (sexp_iterator_assoc): Advance the iterator to the element after a matching tag, before recording it. * testsuite/sexp-test.c (test_main): Updated test. * testsuite/sexp-test.c (test_main): No need to call sexp_iterator_next after sexp_iterator_exit_list. * sexp2rsa.c (rsa_keypair_from_sexp): No need to call sexp_iterator_next anymore. * sexp.c (sexp_iterator_next): Updated to new sexp_iterator_exit_list. (sexp_iterator_exit_list): Return with iterator pointing to the element after the list. (sexp_iterator_check_type): Call sexp_iterator_next before returning. (sexp_iterator_check_types): Likewise. (sexp_iterator_assoc): Rearranged calls of sexp_iterator_next. * sexp.c (sexp_iterator_enter_list): Call sexp_iterator_next to get to the first element of the list. Updated callers. * base64.c (base64_encode_group): New function, used by openpgp armoring code. * Makefile.am: Added openpgp files. * sexp2rsa.c (rsa_keypair_from_sexp): Use sexp_iterator_first. * testsuite/sexp-test.c (test_main): Likewise. * sexp.c (sexp_iterator_init): Made this function static. (sexp_iterator_first): New, friendlier, initialization function. * pgp-encode.c: New file. Functions for writing openpgp data packets. * pgp.h: New file, with pgp related declarations. * rsa2openpgp.c (rsa_keypair_to_openpgp): New file, new function. 2002-10-04 Niels Möller * examples/rsa-keygen.c: Use malloc, instead of asprintf. 2002-10-03 Niels Möller * Released nettle-1.6. * NEWS: Note the aes api change. * examples/Makefile.am (EXTRA_DIST): Distribute setup-env and teardown-env. 2002-10-02 Niels Möller * examples/rsa-keygen.c (main): Comment on the lax security of the private key file. * index.html: Added link to mailing list. 2002-10-02 Niels Möller * Makefile.am: Fixed assembler rules, and shared libraries. * configure.ac: Fixed the enable-shared option. 2002-10-01 Niels Möller * configure.ac: New option --enable-shared, and a first attempt at building a shared library (*without* using libtool). * Makefile.am: A first attempt at rules for building a shared libnettle.so. 2002-10-01 Niels Möller * examples/run-tests (test_program): Use basename. * examples/teardown-env: Delete some more files. * examples/run-tests (test_program): Strip directory part of displayed name. * examples/Makefile.am (TS_PROGS): New variable. Run tests. * examples/io.c (read_file): Bug fix, used to overwrite pointer. * examples/rsa-keygen.c (main): Bug fix, private key wasn't written properly. * testsuite/Makefile.am: Some cleanup of make check. * examples/setup-env, examples/teardown-env: Test environment scripts. * examples/rsa-verify-test, examples/rsa-sign-test: New test cases. * examples/run-tests: New file (copied from lsh testsuite). * examples/Makefile.am: Use EXTRA_PROGRAMS and @RSA_EXAMPLES@. * examples/rsa-sign.c: No need to include config.h. Use werror instead of fprintf. * examples/rsa-verify.c: Likewise. * examples/rsa-keygen.c: Likewise. * examples/io.h: Forward declare struct rsa_public_key and struct rsa_private_key, to avoid dependences on config.h. * configure.ac (RSA_EXAMPLES): New substituted variable, controlling which example programs to build. * examples/rsa-verify.c: New example program. * examples/rsa-keygen.c: Use functions from io.c. * examples/rsa-sign.c: Likewise. * examples/Makefile.am (noinst_PROGRAMS): Added rsa-verify. (LDADD): Added io.o. * configure.ac: New define WITH_PUBLIC_KEY, and new configure flag --disable-public-key. Updated rsa-files to check for that, rather than for HAVE_LIBGMP. * examples/io.c, examples/io.c: New files. Miscellaneous functions used by the example programs. * base64.h (BASE64_DECODE_LENGTH): Comment fix. 2002-09-30 Niels Möller * sexp2rsa.c (rsa_keypair_from_sexp): Bugfix: Call rsa_prepare_public_key and rsa_prepare_private_key. * examples/Makefile.am (noinst_PROGRAMS): Added rsa-sign. * examples/rsa-sign.c: New example program. * testsuite/base64-test.c (test_main): Test encoding and decoding in place. * base64.c (base64_encode): Encode from the end of the data towards the start, in order to support overlapping areas. (base64_encode): Broke out some common code from the switch.. 2002-09-30 Niels Möller * sexp_format.c (sexp_format): Don't mix code and declarations. 2002-09-29 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added buffer-test sexp-format-test rsa2sexp-test sexp2rsa-test. * testsuite/sexp-test.c (test_main): Updated calls to sexp_iterator_assoc. * testsuite/testutils.h (MEMEQH): New macro. * testsuite/sexp2rsa-test.c: New test. * testsuite/sexp-format-test.c: New test. * testsuite/rsa2sexp-test.c: New test. * testsuite/buffer-test.c: New test. * testsuite/testutils.c (test_rsa_key): Copied this function from... testsuite/rsa-keygen-test.c: ... here. * examples/rsa-keygen.c: New file. * Makefile.am: Added new source files and headers buffer.h, buffer.c, sexp_format.c, sexp2rsa.c, rsa2sexp.c. * rsa.h (rsa_keypair_to_sexp, rsa_keypair_from_sexp): New prototypes. * rsa2sexp.c, sexp2rsa.c: New files. * sexp.c (sexp_iterator_assoc): Don't enter the list, associate keys within the current list. Still exit the list when done. (sexp_iterator_assoc): Represent keys as plain NUL-terminated strings. (sexp_iterator_check_type, sexp_iterator_check_types): New functions. * sexp_format.c: New file, implementing an sexp canonical syntax formatter. * buffer.c, buffer.h: New files, implementing a bare-bones string stream. * bignum.c (nettle_mpz_sizeinbase_256): New function. 2002-09-28 Niels Möller * sexp.c (sexp_iterator_assoc): Return 0 for missing or duplicate keys. Now passes all the tests. * sexp.c (sexp_iterator_simple): Bugfixes. Check earlier that length doesn't grow too large. (sexp_iterator_next): Skip the current list only if type is SEXP_LIST. Handle ')'. (sexp_iterator_enter_list): Set type to SEXP_START. (sexp_iterator_exit_list): Likewise. Don't skip the ')' here. (sexp_iterator_assoc): Bug fix. * testsuite/sexp-test.c (test_main): Reordered sexp_iterator_assoc tests. * nettle.texinfo (Randomness): Documented that yarrow256_init can be called with a zero number of sources. * testsuite/testutils.h (ASSERT): New macro. * testsuite/sexp-test.c: Test sexp parser. * Makefile.am (SUBDIRS): Added sexp files. * sexp.c, sexp.h: New files, implementing an sexp-parser. 2002-08-27 Niels Möller * Makefile.am (DISTCLEANFILES): make distclean should delete the assembler-related symlinks. 2002-08-26 Niels Möller * Makefile.am (%.o: %.asm): Create an empty (and unused) dependency file, to make the make/automake dependency tracking happier. 2002-07-18 Niels Möller * examples/nettle-benchmark.c (main): Try openssl's ciphers as well, if available. * Makefile.am (libnettle_a_SOURCES): Added nettle-openssl.c. * nettle-openssl.c: New file. * nettle-internal.h: Declare openssl glue ciphers. * des-compat.h: Extra name-mangling, to avoid collisions in case a program links with both nettle and libcrypto (the nettle-benchmark program does). * configure.ac: Don't use -ggdb3 with gcc-2.96. Check for openssl's libcrypto (for benchmarking). 2002-05-16 Niels Möller * sparc/aes.asm: Deleted registers i and t3. (_aes_crypt): Moved some registers around. We now use input registers only for arguments, local registers for loop invariants, output registers for temporaries and loop variables, and no global registers at all. * sparc/aes.asm (AES_FINAL_ROUND): New macro. (_aes_crypt): Use AES_FINAL_ROUND for the first word of the final round. (_aes_crypt): And for the rest of the final round. (AES_FINAL_ROUND): Don't update dst, just access it offseted by i. (_aes_crypt): Add 16 to dst at the end of the final round. (AES_ROUND): Use ldub, not ld + and, to get the third byte of wtxt. (AES_ROUND): Use ldub, not lduh + and, to get the second byte of a word. (AES_ROUND): Reordered instructions, so that we can save one register. (AES_ROUND): Eliminated use of t3. (AES_FINAL_ROUND): Eliminated ands. (AES_FINAL_ROUND): Reordered, so that we can save one register. (AES_FINAL_ROUND): Eliminated t3. (AES_LOAD): New macro. (_aes_crypt): Unrolled source loop. (_aes_crypt): Use AES_LOAD macro. (_aes_crypt): Deleted cruft from the old source loop. (AES_LOAD): Eliminated t3. 2002-05-15 Niels Möller * sparc/aes.asm (AES_ROUND): New macro. (_aes_crypt): Use AES_ROUND for first word of the round function. (_aes_crypt): And for the rest of the round function. * sparc/aes.asm (_aes_crypt): Deleted a bunch of additions, after accessing IDX1. * aes-internal.h (struct aes_table): sparc_idx[0] should now contain index values shifted by the size of a word, and with 2 added. This saves some additions in the sparc assembler code. Updates aes-encrypt-table.c and aes-decrypt-table.c. * sparc/aes.asm (_aes_crypt): Unrolled final loop, preparing for optimizations. (_aes_crypt): Eliminated i from forst copy of the loop. Some cleanup. (_aes_crypt): And from second copy. (_aes_crypt): And from third. (_aes_crypt): And fourth. (_aes_crypt): Eliminated updates of i from the loop. (_aes_crypt): Access IDX1 and IDX3 through the T pointer, saving two registers. * aes-internal.h (struct aes_table): Renamed the shift_idx field to sparc_idx, as it will be tweaked to improve the sparc code. Also reduced its size to [2][4]. (IDX_FACTOR): Deleted constant. * aes-encrypt-table.c (_aes_encrypt_table): Adapted initializer of sparc_idx. * aes-decrypt-table.c (_aes_decrypt_table): Likewise. * asm.m4: Deleted AES_SIDX2, to match struct aes_table. * sparc/aes.asm (_aes_crypt): Unrolled the inner loop, preparing for optimizations suggested by Marcus Comstedt. (_aes_crypt): Eliminated i from the first copy of the inner loop. (_aes_crypt): And from the second copy. (_aes_crypt): And from the third copy. (_aes_crypt): And from the fourth copy. (_aes_crypt): Renamed .Linner_loop to .Lround_loop. (_aes_crypt): Eliminated the loop variable i from the unrolled loop. (_aes_crypt): Deleted moves of constants into t2. 2002-05-15 Niels Möller * x86/aes-encrypt.asm (aes_encrypt): Use AES_SUBST_BYTE. * x86/aes-decrypt.asm (aes_decrypt): Likewise. (aes_decrypt): Use AES_STORE. (aes_decrypt): Deleted first xchgl instruction into, permuting the AES_ROUND calls instead. (aes_decrypt): Likewise for the final round. (aes_decrypt): Got rid if the xchgl instruction after the final round, folding it into the final round. * x86/machine.m4: Renamed AES_LAST_ROUND to AES_FINAL_ROUND. Updated users. * x86/aes-decrypt.asm (aes_decrypt): Use the AES_LOAD macro. (aes_decrypt): Start using AES_ROUND. (aes_decrypt): Use AES_LAST_ROUND. * x86/aes-decrypt.asm (aes_decrypt): Moved function to a separate file... * x86/aes.asm: ... from here. * x86/aes.asm (aes_decrypt): Use _aes_decrypt_table instead of itbl1-4. Commented out the inclusion of aes_tables.asm. (aes_decrypt): Use _aes_decrypt_table instead of isbox. * x86/aes-decrypt.asm: New file, empty at the start. * Makefile.am (libnettle_a_SOURCES): Added aes-decrypt-table.c. * aes-decrypt.c (_aes_decrypt_table): Moved from this file... * aes-decrypt-table.c (_aes_decrypt_table): ... to a new file. * testsuite/aes-test.out: New file, with the output of testsuite/aes-test, when aes.c has been compiled with debugging printouts of intermediate state. 2002-05-15 Niels Möller * sparc/aes.asm: (_aes_crypt): Restore %fp at end of function, to make %fp available for other uses. * sparc/aes.asm: The frame setup was broken. Tried to fix it. Reverted to revision 1.70 + minor changes from the head revision. * x86/aes-encrypt.asm (aes_encrypt): Use test instead of cmpl $0,. * x86/machine.m4 (AES_SUBST_BYTE): New macro. * sparc/aes.asm: wtxt needs no register of it's own, as its pointed to by %sp. %g5 moved to %l0, the register previously allocated for wtxt, so that we stay clean of the reserved %g registers. 2002-05-14 Niels Möller * sparc/aes.asm: Avoid using %g6 and %g7, as they are reserved for operating sytem use. Use %i5 and %o7 instead. Also moved %g4 to %g1. (_aes_crypt): Allocate only 32 bytes local storage on the stack. Calculate wtxt and tmp using offsets from %sp, not %fp. 2002-05-14 Niels Möller * x86/aes-encrypt.asm (aes_encrypt): Replaced first quarter of the round function with an invocation of AES_ROUND. (aes_encrypt): Similarly for the second column. (aes_encrypt): Similarly for the rest of the round function. * x86/machine.m4 (AES_ROUND): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use AES_LOAD macro. * x86/machine.m4 (AES_LOAD): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use AES_STORE. * x86/machine.m4 (AES_STORE): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use the AES_LAST_ROUND macro for the first column of the final round. (aes_encrypt): Similarly for the second column. (aes_encrypt): Similarly for the third and fourth column. (aes_encrypt): Deleted xchgl instruction in final round, by reordering the second and fourth round. * x86/machine.m4 (AES_LAST_ROUND): New macro. * x86/aes-encrypt.asm (aes_encrypt): Move code here... * x86/aes.asm: ...from here. * x86/aes.asm: Use addl and subl, not add and sub. Replaced references to dtbl1-4 with references to _aes_encrypt_table. * configure.ac (asm_path): Enable x86 assembler. * x86/aes.asm (aes_decrypt): Adapted to the current interface. Notably, the order of the subkeys was reversed. Single block encrypt/decrypt works now. (aes_encrypt, aes_decrypt): Added an outer loop, so that we can encrypt more than one block at a time. 2002-05-07 Niels Möller * configure.ac: Generate config.m4. * x86/aes.asm: Use C for comments, include the tables using include_src, and commented out the key setup functions. Fixed the processing of the first handling of the round function. Now, encryption of a single block works! Multiple blocks, and decryption, is still broken. * x86/machine.m4: New file (empty). * x86/aes-encrypt.asm: New file, empty for now. * Makefile.am (%.asm): Added asm.m4, machine.m4 and config.m4 to the m4 command line. (libnettle_a_SOURCES): Added aes-encrypt-table.c. * sparc/aes.asm: No need to include asm.m4, that is taken care of by the Makefile. * config.m4.in: New file, configuration for asm.m4. * asm.m4 (C, include_src): New macros. * aes-encrypt-table.c: New file, table moved out from aes-encrypt.c. 2002-05-06 Niels Möller * configure.ac (CFLAGS): Don't enable -Waggregate-return. 2002-05-05 Niels Möller * configure.ac: Pass no arguments to AM_INIT_AUTOMAKE. 2002-05-05 Niels Möller * configure.ac: Update for automake-1.6. * configure.ac: Renamed file, used to be configure.in. 2002-03-20 Niels Möller * testsuite/run-tests (test_program): Added missing single quote. 2002-03-20 Niels Möller * testsuite/run-tests (test_program): Test the exit status of the right process. 2002-03-19 Pontus Sköld * testsuite/run-tests: Removed /bin/bashisms to use with /bin/sh. 2002-03-18 Niels Möller * rsa-keygen.c (rsa_generate_keypair): Output a newline after a non-empty line of 'e':s (bad e was chosen, try again). 2002-03-16 Niels Möller * configure.in (asm_path): AC_CONFIG_LINKS adds $srcdir automatically. 2002-03-14 Niels Möller * sparc/aes.asm, x86/aes.asm: Added copyright notice. * Makefile.am (libnettle_a_SOURCES): Added aes-internal.h. (EXTRA_DIST): Added assembler files. * configure.in (asm_path): Use $srcdir when looking for the files. * configure.in (asm_path): For now, disable x86 assembler code. Bumped version to 1.6. 2002-02-25 Niels Möller * sparc/aes.asm (_aes_crypt): Moved increment of src into the source_loop. Also fixed stop condition, the loop was run 5 times, not 4, as it should. (_aes_crypt): Use src directly when accessing the source data, don't use %o5. (_aes_crypt): Renamed variables in source_loop. (_aes_crypt): Changed stop condition in source_loop to not depend on i. Finally reduced the source_loop to 16 instructions. Also increased the alignment of the code to 16. (_aes_crypt): In final_loop, use preshifted indices. (_aes_crypt): In final_loop, construct the result in t0. Use t0-t3 for intermediate values. (_aes_crypt): In final_loop, use the register idx. (_aes_crypt): In final_loop, keep i multiplied by 4. Use key to get to the current roundkey. (_aes_crypt): In final_loop, use i for indexing. (_aes_crypt): Update dst in the output loop. This yields a delay slot that isn't filled yet. (_aes_crypt): Decrement round when looping, saving yet some instructions. (_aes_crypt): Reformatted code as blocks of four instructions each. (_aes_crypt): Copy the addresses of the indexing tables into registers at the start. No more need for the idx register. (_aes_crypt): Deleted idx register. (_aes_crypt): Some peep hole optimizations, duplicating some instructions to fill nop:s, and put branch instructions on even word addresses. 2002-02-22 Niels Möller * sparc/aes.asm (_aes_crypt): Moved some more additions out of the inner loop, using additional registers. (_aes_crypt): Deleted one more addition from the inner loop, by using the subkey pointer. 2002-02-19 Niels Möller * configure.in (asm_path): Renamed "path" to "asm_path". Also look for a machine.m4. 2002-02-16 Niels Möller * sparc/aes.asm: Use that IDX2(j) == j ^ 2 * Makefile.am (libnettle_a_SOURCES): Reordered aes-decrypt.c and aes-encrypt.c. For some strange reason it makes the benchmark go faster... * sparc/aes.asm (_aes_crypt): Use double-buffering, and no separate loop for adding the round key. (round): Keep round index muliplied by 16, so it can be used directly for indexing the subkeys. (_aes_crypt): In the final loop, use ctx+round to access the subkeys, no need for an extra register. 2002-02-15 Niels Möller * sparc/aes.asm (_aes_crypt): Renaming variables, allocating locals starting from %l0. (_aes_crypt): Consistently use %l4, aka i, as the variable for the innermost loops. (_aes_crypt): Moved reading of ctx->nrounds out of the loop. (_aes_crypt): In final_loop, deleted a redundant mov, and use i as loop variable. (_aes_crypt): Started renumbering registers in the inner loop. The computation for the table[j] sub-expression should be kept in register %o[j]. (_aes_crypt): Renamed more variables in the inner loop. Now the primary variables are t0, t1, t2, t3. * sparc/aes.asm (_aes_crypt): Swapped register %i0 and %o5, %i1 and %o0, %i2 and %o4, %i3 and %o3, %i4 and %o2. (_aes_crypt): wtxt was stored in both %l1 and %l2 for the entire function. Freed %l2 for other uses. (_aes_crypt): Likewise for tmp, freeing register %o1. * sparc/machine.m4: New file, for sparc-specific macros. * sparc/aes.asm (_aes_crypt): Hacked the source_loop, to get rid of yet another redundant loop variable, and one instruction. (_aes_crypt): Strength reduce loop variable in the inner loop, getting rid of one register. (_aes_crypt): Use pre-shifted indices (aes_table.idx_shift), to avoid some shifts in the inner loop. (_aes_crypt): Don't check for nrounds==0 at the start of the loop. * asm.m4: Define and use structure-defining macros. * Makefile.am (%.asm): Use a GNU pattern rule, to make %.o depend on both %.asm and asm.m4. * aes-internal.h (struct aes_table): New subtable idx_shift. Updated tables in aes_encrypt.c and aes_decrypt.c. * asm.m4: Use eval to compute values. * sparc/aes.asm (_aes_crypt): Deleted commented out old version of the code. * asm.m4: Added constants for individual rows of the aes table. * aes.c (IDX0, IDX1, IDX2, IDX3): New macros, encapsualting the structure of the idx table. * asm.m4: Define various aes struct offsets. * testsuite/cbc-test.c (test_cbc_bulk): Use aes_set_encrypt_key and aes_set_decrypt_key. * sparc/aes.asm (_aes_crypt): Use symbolic names for the fucntion arguments. 2002-02-14 Niels Möller * sparc/aes.asm: Copied gcc assembler code for _aes_crypt. * aesdata.c: New program for generating AES-related tables. * testsuite/testutils.c (print_hex): New function (moved from yarrow-test.c). * testsuite/rsa-keygen-test.c (progress): Declare the ctx argument as UNUSED. * testsuite/cbc-test.c (test_cbc_bulk): New function, testing CBC with larger blocks. * yarrow256.c: Replaced uses of aes_set_key with aes_set_encrypt_key. * nettle-meta.h (_NETTLE_CIPHER_SEP): New macro, useful for algorithms with separate encyption and decryption key setup. * aes-internal.h (struct aes_table): New structure, including all constant tables needed by the unified encryption or decryption function _aes_crypt. * aes.c (_aes_crypt): New function, which unifies encryption and decryption. AES key setup now uses two separate functions for setting encryption and decryption keys. Applications that don't do decryption need no inverted subkeys and no code to generate them. Similarly, the tables (about 4K each for encryption and decryption), are put into separate files. * aes.h (struct aes_ctx): Deleted space for inverse subkeys. For decryption, the inverse subkeys replace the normal subkeys, and they are stored _in the order they are used_. * aes-set-key.c (aes_set_key): Deleted file, code moved... * aes-set-decrypt-key.c, aes-set-encrypt-key.c: New files, separated normal and inverse key setup. * aes-tables.c: Deleted, tables moved elsewhere... * aes-encrypt.c, aes-decrypt.c: New files; moved encryption and decryption funktions, and needed tables, into separate files. 2002-02-13 Niels Möller * aes.c (aes_encrypt): Don't unroll the innerloop. (aes_encrypt): Don't unroll the loop for the final round. (aes_decrypt): Likewise, no loop unrolling. * aes-set-key.c (aes_set_key): Reversed the order of the inverted subkeys. They are now stored in the same order as they are used. * aes-tables.c (itable): New bigger table, generated by aesdata.c. * aes.c (aes_decrypt): Rewrote to use the bigger tables. 2002-02-12 Niels Möller * aes.c (aes_encrypt): Interleave computation and output in the final round. * aes-internal.h (AES_SMALL): New macro. * aes.c (aes_encrypt): Optionally use smaller rotating inner loop. * aes-tables.c (dtbl): Replaced with table generated by aesdata. * aes.c (aes_encrypt): Rewrite, now uses larger tables in order to avoid rotates. * sparc/aes.asm (aes_encrypt): Strength reduced on j, getting rid of one register and one instruction in the inner loop. * sparc/aes.asm (idx, aes_encrypt): Multiplied tabled values by 4, making it possible to get rid of some shifts in the inner loop. * configure.in: Fixed spelling of --enable-assembler. Commented out debug echo:s. * asm.m4: New file. For now, only doing changequote and changecom. * sparc/aes.asm (aes_encrypt): Added comments. (aes_encrypt): Cut off redundant instruction per block, also saving one redundant register pointing to idx. (idx_row): New macro. Include asm.m4. 2002-02-11 Niels Möller * sparc/aes.asm (key_addition_8to32): Cleaned up. Deleted gcc-generated debugging information. * sparc/aes.asm (key_addition32): First attempt at optimization. Made it slower ;-) * sparc/aes.asm (key_addition32): Unrolled loop, gained 4% speed, payed four instructions compared to gcc generated code. * Makefile.am (.asm.o): New rule for assembling via m4. (libnettle_a_SOURCES): Added new rsa and aes files. * configure.in: New command line option --enable-assembler. Selects assembler code depending on the host system. * rsa-decrypt.c, rsa-encrypt.c: New files for rsa pkcs#1 encryption. * aes-set-key.c, aes-tables.c: New files, split off from aes.c. Tables are now not static, but use a _aes_ prefix on their names. * aes-internal.h: New file. * cast128-meta.c (_NETTLE_CIPHER_FIX): Use _NETTLE_CIPHER_FIX. * cbc.c (cbc_decrypt_internal): New function, doing the real CBC procesing and requiring that src != dst. (cbc_decrypt): Use cbc_decrypt_internal. If src == dst, use a buffer of limited size to copy the ciphertext. * nettle-internal.c (nettle_blowfish128): Fixed definition, with key size in bits. * nettle-meta.h (_NETTLE_CIPHER_FIX): New macro, suitable for ciphers with a fixed key size. * examples/nettle-benchmark.c (display): New function for displaying the results, including MB/s figures. * sparc/aes.asm: New file. Not yet tuned in any way (it's just the code generated by gcc). 2002-02-11 Niels Möller * x86/aes.asm, x86/aes_tables.asm: New assembler implementation by Rafael Sevilla. 2002-02-06 Niels Möller Applied patch from Dan Egnor improving the base64 code. * base64.h (BASE64_ENCODE_LENGTH): New macro. (struct base64_ctx): New context struct, for decoding. (BASE64_DECODE_LENGTH): New macro. * base64.c (base64_decode_init): New function. (base64_decode_update): New function, replacing base64_decode. Takes a struct base64_ctx argument. * nettle-meta.h: Updated nettle_armor, and related typedefs and macros. * testsuite/testutils.c (test_armor): Updated. * configure.in: Use AC_PREREQ(2.50). 2002-02-01 Niels Möller * Released nettle-1.5. 2002-01-31 Niels Möller * acinclude.m4: Commented out gmp-related macros, they're probably not needed anymore. 2002-01-31 Niels Möller * configure.in: Added command line options --with-lib-path and --with-include-path. Use the RPATH-macros to get correct flags for linking the test programs with gmp. * acinclude.m4: New file. 2002-01-31 Niels Möller * nettle.texinfo (Randomness): New subsection on Yarrow. 2002-01-30 Niels Möller * nettle.texinfo (Randomness): New chapter. Spell checking and ispell configuration. * md5.c: Added reference to RFC 1321. 2002-01-24 Niels Möller * nettle.texinfo (Public-key algorithms): Minor fixes. 2002-01-22 Niels Möller * nettle.texinfo (Nettle soup): New chapter. (Hash functions): New subsection on struct nettle_hash. (Hash functions): New subsection on struct nettle_cipher. (Keyed hash functions): New section, describing MAC:s and HMAC. (Public-key algorithms): New chapter. * testsuite/testutils.c (test_armor): New function. * testsuite/base64-test.c: New testcase. * testsuite/Makefile.am (TS_PROGS): Added base64-test. * nettle-meta.h (struct nettle_armor): New struct. * configure.in: Bumped version to 1.5. * Makefile.am (libnettle_a_SOURCES): Added base64 files, and some missing header files. * base64.c, base64.h, base64-meta.c: New files, hacked by Dan Egnor. 2002-01-16 Niels Möller * testsuite/yarrow-test.c: Deleted ran_array code, use knuth-lfib.h instead. * testsuite/testutils.c (test_rsa_md5, test_rsa_sha1): Moved functions here... * testsuite/rsa-test.c: ...from here. * testsuite/rsa-keygen-test.c: New file. * testsuite/knuth-lfib-test.c: New file. * Makefile.am (libnettle_a_SOURCES): Added knuth-lfib.c and rsa-keygen.c. * rsa-keygen.c: New file. * rsa.h (RSA_MINIMUM_N_OCTETS): New constant. (RSA_MINIMUM_N_BITS): New constant. (nettle_random_func, nettle_progress_func): New typedefs. Perhaps they don't really belong in this file. (rsa_generate_keypair): Added progress-callback argument. * macros.h (READ_UINT24, WRITE_UINT24, READ_UINT16, WRITE_UINT16): New macros. * knuth-lfib.c, knuth-lfib.h: New files, implementing a non-cryptographic prng. 2002-01-15 Niels Möller * hmac-sha1.c: New file. 2002-01-14 Niels Möller * configure.in: Bumped version to 1.1. * testsuite/hmac-test.c (test_main): Added hmac-sha1 test cases. * rsa.c (rsa_init_private_key, rsa_clear_private_key): Handle d. * rsa.h (struct rsa_private_key): Reintroduced d attribute, to be used only for key generation output. (rsa_generate_keypair): Wrote a prototype. * Makefile.am (libnettle_a_SOURCES): Added hmac-sha1.c and nettle-internal.h. * des.c: Use static const for all tables. (des_set_key): Use a new const * variable for the parity procesing, for constness reasons. * list-obj-sizes.awk: New file. * nettle-internal.c, nettle-internal.h: New files. * testsuite/Makefile.am (TS_PROGS): Added hmac-test. Deleted old m4-stuff. * testsuite/testutils.h (LDATA): Moved this macro here,... * testsuite/rsa-test.c: ... from here. * testsuite/hmac-test.c: New file. * hmac.h: General cleanup. Added declarations of hmac-md5, hmac-sha1 and hmac-sha256. * hmac.c: Bug fixes. * hmac-md5.c: First working version. * Makefile.am (libnettle_a_SOURCES): Added hmac.c and hmac-md5.c. (libnettleinclude_HEADERS): Added hmac.h. * testsuite/rsa-test.c: Also test a 777-bit key. * rsa.c (rsa_check_size): Changed argument to an mpz_t. Updated callers. (rsa_prepare_private_key): Compute the size of the key by computing n = p * q. * rsa-compat.c: Adapted to new private key struct. * rsa_md5.c: Likewise. * rsa_sha1.c: Likewise. * rsa.c (rsa_check_size): New function, for computing and checking the size of the modulo in octets. (rsa_prepare_public_key): Usa rsa_check_size. (rsa_init_private_key): Removed code handling n, e and d. (rsa_clear_private_key): Likewise. (rsa_compute_root): Always use CRT. * rsa.h (struct rsa_private_key): Deleted public key and d from the struct, as they are not needed. Added size attribute. 2002-01-12 Niels Möller * Makefile.am: Added *-meta files. * rsa.c (rsa_init_public_key): New function. (rsa_clear_public_key): Likewise. (rsa_init_private_key): Likewise. (rsa_clear_private_key): Likewise. * aes-meta.c: New file. * arcfour-meta.c: New file. * cast128-meta.c: New file. * serpent-meta.c: New file. * twofish-meta.c: New file. * examples/nettle-benchmark.c: Use the interface in nettle-meta.h. 2002-01-11 Niels Möller Don't use m4 for generating test programs, it's way overkill. Use the C preprocessor instead. * testsuite/*-test.c: New file. * hmac.c, hmac.h, hmac-md5.c: New files. Defined structures describing the algoriths. Useful for code that wants to treat an algorithm as a black box. * nettle-meta.h, md5-meta.c, sha1-meta.c, sha256-meta.c: New files. 2002-01-09 Niels Möller * rsa-compat.c: Updated for new md5 and rsa conventions. * rsa_md5.c: Represent a signature as an mpz_t, not a string. Updated calls of md5 functions. * rsa_sha1.c: Likewise. * rsa.c (rsa_prepare_public_key): Renamed function, was rsa_init_public_key. (rsa_prepare_private_key): Renamed function, was rsa_init_private_key. * nettle.texinfo (Hash functions): Update for the changed interface without *_final. Document sha256. * testsuite/md5-test.m4, testsuite/sha1-test.m4, testsuite/sha256-test.m4, testsuite/yarrow-test.c: Updated for new hash function interface. * yarrow256.c: Removed calls of sha256_final and and some calls of sha256_init. * md5-compat.c (MD5Final): Call only md5_digest. * md5.c (md5_digest): Call md5_final and md5_init. (md5_final): Declared static. sha1.c, sha256.c: Analogous changes. * bignum.c (nettle_mpz_get_str_256): Declare the input argument const. 2001-12-14 Niels Möller * Makefile.am (EXTRA_DIST): Added $(des_headers). Changed dependencies for $(des_headers) to depend only on the source file desdata.c, not on the executable. 2001-12-12 Niels Möller * testsuite/yarrow-test.c (main): Updated testcase to match fixed generator. Send verbose output to stdout, not stderr. * yarrow256.c (yarrow_slow_reseed): Bug fix, update the fast pool with the digest of the slow pool. (yarrow256_init): Initialize seed_file and counter to zero, to ease debugging. 2001-12-07 Niels Möller * bignum.c (nettle_mpz_get_str_256): Fixed handling of leading zeroes. 2001-12-05 Niels Möller * testsuite/yarrow-test.c (main): Updated test to match the fixed key event estimator. * yarrow_key_event.c (yarrow_key_event_estimate): Fixed handling of timing info. * nettle.texinfo (Copyright): Say that under certain circumstances, Nettle can be used as if under the LGPL. * README: Added a paragraph on copyright. 2001-11-15 Niels Möller * yarrow256.c (yarrow256_force_reseed): New function. 2001-11-14 Niels Möller * testsuite/yarrow-test.c (main): Use yarrow256_is_seeded. * yarrow256.c (yarrow256_needed_sources): New function. (yarrow256_is_seeded): New function. (yarrow256_update): Use yarrow256_needed_sources. 2001-11-14 Niels Möller * testsuite/yarrow-test.out: Updated, to match the seed-file aware generator. * testsuite/yarrow-test.c: Updated expected_output. Check the seed file contents at the end. * yarrow256.c (yarrow256_seed): New function. (yarrow_fast_reseed): Create new seed file contents. 2001-11-13 Niels Möller * yarrow.h: Deleted yarrow160 declarations. 2001-11-02 Niels Möller * yarrow256.c (yarrow256_init): Fixed order of code and declarations. 2001-10-30 Niels Möller * rsa-compat.h: Added real prototypes and declarations. * Makefile.am (libnettle_a_SOURCES): Added rsa-compat.h and rsa-compat.c. * rsa-compat.c: New file, implementing RSA ref signature and verification functions. * configure.in: Check for libgmp. Deleted tests for SIZEOF_INT and friends. * rsa_sha1.c: New file, PKCS#1 rsa-sha1 signatures. * rsa_md5.c: New file, PKCS#1 rsa-md5 signatures. * rsa.c: New file with general rsa functions. * Makefile.am (libnettle_a_SOURCES): Added rsa and bignum files. * bignum.c, bignum.h: New file, with base256 functions missing in gmp. * testsuite/Makefile.am: Added bignum-test. * testsuite/run-tests (test_program): Check the exit code more carefully, and treat 77 as skip. This convention was borrowed from autotest. * testsuite/macros.m4: New macro SKIP which exits with code 77. * testsuite/bignum-test.m4: New file. 2001-10-15 Niels Möller * testsuite/Makefile.am (EXTRA_DIST): Include rfc1750.txt in the distribution. 2001-10-14 Niels Möller * testsuite/des-test.m4: Added testcase taken from applied cryptography. * testsuite/yarrow-test.c: Use sha256 instead of sha1 for checking input and output. Updated the expected values. * yarrow256.c (YARROW_RESEED_ITERATIONS): New constant. (yarrow_iterate): New function. (yarrow_fast_reseed): Call yarrow_iterate. * testsuite/yarrow-test.c: Added verbose flag, disabled by default. 2001-10-12 Niels Möller * examples/nettle-benchmark.c: Added more ciphers. * Makefile.am (SUBDIRS): Added the examples subdir. * configure.in: Output examples/Makefile. 2001-10-12 Niels Möller * examples/nettle-benchmark.c: New benchmarking program. 2001-10-10 Niels Möller * testsuite/yarrow-test.c: Open rfc1750.txt. Hash input and output, and compare to expected values. * testsuite/Makefile.am (CFLAGS): Don't disable optimization. (run-tests): Set srcdir in the environment when running run-tests. * testsuite/rfc1750.txt: Added this rfc as test input for yarrow. * yarrow_key_event.c (yarrow_key_event_estimate): Check if previous is zero. (yarrow_key_event_init): Initialize previous to zero. * yarrow256.c: Added debug some output. * testsuite/yarrow-test.c (main): Better output of entropy estimates at the end. 2001-10-09 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added yarrow-test. * testsuite/yarrow-test.c: New file. * yarrow256.c (yarrow256_init): Initialize the sources. (yarrow256_random): Fixed loop condition. * yarrow.h (YARROW_KEY_EVENT_BUFFER): New constant. * yarrow_key_event.c: New file. * Makefile.am (libnettle_a_SOURCES): Added yarrow_key_event.c. 2001-10-08 Niels Möller * yarrow.h (struct yarrow_key_event_ctx): New struct. * yarrow256.c (yarrow_fast_reseed): Generate two block of output using the old key and feed into the pool. * yarrow.h (struct yarrow256_ctx): Deleted buffer, index and block_count. * yarrow256.c (yarrow_fast_reseed): New function. (yarrow_slow_reseed): New function. (yarrow256_update): Check seed/reseed thresholds. (yarrow_gate): New function, extracted from yarrow_generate_block_with_gate which was deleted. (yarrow_generate_block_with_gate): Deleted function. (yarrow256_random): Don't buffer any output, instead gate after each request. (YARROW_GATE_THRESHOLD): Deleted constant. 2001-10-07 Niels Möller * Makefile.am: Added yarrow files. * yarrow256.c: New file, implementing Yarrow. Work in progress. * sha256.c: New file, implementing sha256. * testsuite/Makefile.am (CFLAGS): Added sha256-test. * testsuite/sha256-test.m4: New testcases for sha256. * shadata.c: New file, for generating sha256 constants. * sha.h: Renamed sha1.h to sha.h, and added declarations for sha256. 2001-10-05 Niels Möller * testsuite/aes-test.m4: Added a comment with NIST test vectors. 2001-10-04 Niels Möller * rsa.h, rsa-compat.h, yarrow.h: New files. 2001-09-25 Niels Möller * Released version 1.0. 2001-09-25 Niels Möller * sha1.c: Include stdlib.h, for abort. * md5.c: Include string.h, for memcpy. * testsuite/Makefile.am (M4_FILES): New variable. Explicitly list those C source files that should be generated by m4. * configure.in: Changed package name from "libnettle" to "nettle". * Makefile.am (EXTRA_DIST): Added .bootstrap. * AUTHORS: Added a reference to the manual. 2001-09-25 Niels Möller * des-compat.c (des_cbc_cksum): Bug fix, local variable was declared in the middle of a block. 2001-09-19 Niels Möller * nettle.texinfo (Compatibility functions): New section, mentioning md5-compat.h and des-compat.h. 2001-09-18 Niels Möller * index.html: New file. 2001-09-16 Niels Möller * nettle.texinfo: Added description of des3. Minor fixes. * testsuite/des-compat-test.c (cbc_data): Shorten to 32 bytes (4 blocks), the last block of zeroes wasn't used anyway. * des-compat.c (des_compat_des3_decrypt): Decrypt in the right order. (des_ncbc_encrypt): Bug fixed. (des_cbc_encrypt): Rewritten as a wrapper around des_ncbc_encrypt. 2001-09-14 Niels Möller * testsuite/des-compat-test.c: New file, copied from libdes (freeswan). All implemented functions but des_cbc_cksum seems to work now. * testsuite/Makefile.am (TS_PROGS): Added des-compat-test. * des-compat.c: Added libdes typedef:s. Had to remove all use of const in the process. (des_check_key): New global variable, checked by des_set_key. * des.c (des_set_key): Go on and expand the key even if it is weak. * des-compat.c (des_cbc_cksum): Implemented. (des_key_sched): Fixed return values. 2001-09-11 Niels Möller * Makefile.am: Added des-compat.c and des-compat.h * des-compat.c: Bugfixes, more functions implemented. * des-compat.h: Define DES_ENCRYPT and DES_DECRYPT. Bugfixes. 2001-09-10 Niels Möller * nettle.texinfo (Copyright): Added copyright information for serpent. (Miscellaneous functions): Started writing documentation on the CBC functions. (Cipher Block Chaining): This section more or less complete now. 2001-09-09 Niels Möller * testsuite/cbc-test.m4: Record intermediate values in a comment. * testsuite/des3-test.m4: Likewise. * testsuite/aes-test.m4: Added test case that appeared broken in the cbc test. * cbc.c (cbc_encrypt): Bug fix, encrypt block *after* XOR:ing the iv. * Makefile.am (libnettleinclude_HEADERS): Added cbc.h. Deleted des3.h. (libnettle_a_SOURCES): Added des3.c. * testsuite/Makefile.am (TS_PROGS): Added des3-test and cbc-test. * testsuite/cbc-test.m4: New testcase. * testsuite/des3-test.m4: New testcase. * cbc.h (CBC_CTX): New macro. (CBC_ENCRYPT): New macro. (CBC_DECRYPT): New macro. * des.c (des_fix_parity): New function. * des3.c: New file, implementing triple des. 2001-09-06 Niels Möller * cbc.c, cbc.h: New files, for general CBC encryption. * des-compat.h: Added some prototypes. 2001-09-05 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added md5-compat-test. * README: Copied introduction from the manual. * configure.in: Bumped version to 1.0. * Makefile.am (libnettleinclude_HEADERS): Added missing includes. (libnettle_a_SOURCES): Added md5-compat.c and md5-compat.h. * md5-compat.c, md5-compat.h: New files, implementing an RFC 1321-style interface. 2001-09-02 Niels Möller * twofish.c (twofish_decrypt): Fixed for();-bug in the block-loop. Spotted by Jean-Pierre. (twofish_encrypt): Likewise. 2001-07-03 Niels Möller * testsuite/testutils.c: Include string.h. * twofish.c: Include string.h. 2001-06-17 Niels Möller * Makefile.am (des_headers): Dont use $(srcdir)/-prefixes as that seems to break with GNU make 3.79.1. * testsuite/testutils.c, testsuite/testutils.h: Use , not . Include . 2001-06-17 Niels Möller * Use , not . * blowfish.h (BLOWFISH_MAX_KEY_SIZE): Fixed, should be 56. * Fixed copyright notices. * Makefile.am (libnettle_a_SOURCES): Added desinfo.h and desCode.h. (info_TEXINFOS): Added manual. (EXTRA_DIST): Added nettle.html. (%.html): Added rule for building nettle.html. * nettle.texinfo: New manual. * configure.in: Bumped version to 0.2. * testsuite/Makefile.am (TS_PROGS): Added cast128 test. * Added CAST128. * testsuite/serpent-test.m4: Added a few rudimentary tests extracted from the serpent package. * twofish.c: Adapted to nettle. Made constant tables const. Deleted bytes_to_word and word_to_bytes; use LE_READ_UINT32 and LE_WRITE_UINT32 instead. (twofish_selftest): Deleted. Moved the tests to the external testsuite. (twofish_set_key): Don't silently truncate too large keys. * sha1.c (sha1_update): Use unsigned for length. * serpent.c (serpent_set_key): Read the key backwards. Fixed padding (but there are no test vectors for key_size not a multiple of 4). (serpent_encrypt): Read and write data in the strange order used by the reference implementation. (serpent_decrypt): Likewise. * macros.h (FOR_BLOCKS): New macro, taken from lsh. * blowfish.h (struct blowfish_ctx): Use a two-dimensional array for s. * blowfish.c (initial_ctx): Arrange constants into a struct, to simplify key setup. (F): Deleted all but one definitions of the F function/macro. Added a context argument, and use that to find the subkeys. (R): Added context argument, and use that to find the subkeys. (blowfish_set_key): Some simplification. (encrypt): Deleted code for non-standard number of rounds. Deleted a bunch of local variables. Using the context pointer for everything should consume less registers. (decrypt): Likewise. * Makefile.am (libnettle_a_SOURCES): Added twofish. 2001-06-16 Niels Möller * testsuite/blowfish-test.m4: Fixed test. * Added twofish implementation. * blowfish.h (struct blowfish_ctx): Use the correct size for the p array. 2001-06-15 Niels Möller * testsuite/blowfish-test.m4: Fixed testcase, use correct key length. * Makefile.am (libnettle_a_SOURCES): Added blowfish files. ($(des_headers)): Strip directory part when passing file name to desdata. * testsuite/blowfish-test.m4: Added one test, from GNUPG. * Created blowfish.c and blowfish.h (from GNUPG via LSH). Needs more work. * aes.h: Fixed copyright notice to not mention GNU MP. XXX: Review all nettle copyrights. * testsuite/Makefile.am (TS_PROGS): Added tests for twofish and blowfish. 2001-06-13 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added serpent files. 2001-06-12 Niels Möller * des.c (des_encrypt, des_decrypt): Assert that the key setup was successful. * testsuite/Makefile.am (TS_PROGS): Added tests for des and sha1. * testsuite/sha1-test.m4: New file. * testsuite/des-test.m4: New file. * Added sha1 files. * Added desCore files. * Makefile.am: Added desCore and sha1. 2001-04-17 Niels Möller * install-sh: Copied the standard install script. * testsuite/Makefile.am (CFLAGS): Disable optimization. Add $(top_srcdir) to the include path. (EXTRA_DIST): Added testutils.h, testutils.c and run-tests. (run-tests): Fixed path to run-tests. * Makefile.am (EXTRA_DIST): Added memxor.h. (libnettleinclude_HEADERS): Install headers in $(libnettleincludedir). 2001-04-13 Niels Möller * Initial checkin. nettle-3.4.1/ecc-mod-inv.c0000644000175000017500000000740013401564746014316 0ustar nissenisse/* ecc-mod-inv.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" static void cnd_neg (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) { mp_limb_t cy = (cnd != 0); mp_limb_t mask = -cy; mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t r = (ap[i] ^ mask) + cy; cy = r < cy; rp[i] = r; } } /* Compute a^{-1} mod m, with running time depending only on the size. Returns zero if a == 0 (mod m), to be consistent with a^{phi(m)-1}. Also needs (m+1)/2, and m must be odd. Needs 2n limbs available at rp, and 2n additional scratch limbs. */ /* FIXME: Could use mpn_sec_invert (in GMP-6), but with a bit more scratch need since it doesn't precompute (m+1)/2. */ void ecc_mod_inv (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *in_ap, mp_limb_t *scratch) { #define ap scratch #define bp (scratch + n) #define up (vp + n) mp_size_t n = m->size; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned i; /* Maintain a = u * orig_a (mod m) b = v * orig_a (mod m) and b odd at all times. Initially, a = a_orig, u = 1 b = m, v = 0 */ assert (ap != vp); up[0] = 1; mpn_zero (up+1, n - 1); mpn_copyi (bp, m->m, n); mpn_zero (vp, n); mpn_copyi (ap, in_ap, n); for (i = m->bit_size + GMP_NUMB_BITS * n; i-- > 0; ) { mp_limb_t odd, swap, cy; /* Always maintain b odd. The logic of the iteration is as follows. For a, b: odd = a & 1 a -= odd * b if (underflow from a-b) { b += a, assigns old a a = B^n-a } a /= 2 For u, v: if (underflow from a - b) swap u, v u -= odd * v if (underflow from u - v) u += m u /= 2 if (a one bit was shifted out) u += (m+1)/2 As long as a > 0, the quantity (bitsize of a) + (bitsize of b) is reduced by at least one bit per iteration, hence after (bit_size of orig_a) + (bit_size of m) - 1 iterations we surely have a = 0. Then b = gcd(orig_a, m) and if b = 1 then also v = orig_a^{-1} (mod m) */ assert (bp[0] & 1); odd = ap[0] & 1; swap = cnd_sub_n (odd, ap, bp, n); cnd_add_n (swap, bp, ap, n); cnd_neg (swap, ap, ap, n); cnd_swap (swap, up, vp, n); cy = cnd_sub_n (odd, up, vp, n); cy -= cnd_add_n (cy, up, m->m, n); assert (cy == 0); cy = mpn_rshift (ap, ap, n, 1); assert (cy == 0); cy = mpn_rshift (up, up, n, 1); cy = cnd_add_n (cy, up, m->mp1h, n); assert (cy == 0); } assert ( (ap[0] | ap[n-1]) == 0); #undef ap #undef bp #undef up } nettle-3.4.1/ecc-mod.c0000644000175000017500000000625713401564746013535 0ustar nissenisse/* ecc-mod.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Computes r mod m, input 2*m->size, output m->size. */ void ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp) { mp_limb_t hi; mp_size_t mn = m->size; mp_size_t bn = m->B_size; mp_size_t sn = mn - bn; mp_size_t rn = 2*mn; mp_size_t i; unsigned shift; assert (bn < mn); /* FIXME: Could use mpn_addmul_2. */ /* Eliminate sn limbs at a time */ if (m->B[bn-1] < ((mp_limb_t) 1 << (GMP_NUMB_BITS - 1))) { /* Multiply sn + 1 limbs at a time, so we get a mn+1 limb product. Then we can absorb the carry in the high limb */ while (rn > 2 * mn - bn) { rn -= sn; for (i = 0; i <= sn; i++) rp[rn+i-1] = mpn_addmul_1 (rp + rn - mn - 1 + i, m->B, bn, rp[rn+i-1]); rp[rn-1] = rp[rn+sn-1] + mpn_add_n (rp + rn - sn - 1, rp + rn - sn - 1, rp + rn - 1, sn); } goto final_limbs; } else { /* The loop below always runs at least once. But the analyzer doesn't realize that, and complains about hi being used later on without a well defined value. */ #ifdef __clang_analyzer__ hi = 0; #endif while (rn >= 2 * mn - bn) { rn -= sn; for (i = 0; i < sn; i++) rp[rn+i] = mpn_addmul_1 (rp + rn - mn + i, m->B, bn, rp[rn+i]); hi = mpn_add_n (rp + rn - sn, rp + rn - sn, rp + rn, sn); hi = cnd_add_n (hi, rp + rn - mn, m->B, mn); assert (hi == 0); } } if (rn > mn) { final_limbs: sn = rn - mn; for (i = 0; i < sn; i++) rp[mn+i] = mpn_addmul_1 (rp + i, m->B, bn, rp[mn+i]); hi = mpn_add_n (rp + bn, rp + bn, rp + mn, sn); hi = sec_add_1 (rp + bn + sn, rp + bn + sn, mn - bn - sn, hi); } shift = m->size * GMP_NUMB_BITS - m->bit_size; if (shift > 0) { /* Combine hi with top bits, add in */ hi = (hi << shift) | (rp[mn-1] >> (GMP_NUMB_BITS - shift)); rp[mn-1] = (rp[mn-1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (rp, m->B_shifted, mn-1, hi); } else { hi = cnd_add_n (hi, rp, m->B_shifted, mn); assert (hi == 0); } } nettle-3.4.1/cbc.c0000644000175000017500000001061113401564745012741 0ustar nissenisse/* cbc.c Cipher block chaining mode. Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cbc.h" #include "memxor.h" #include "nettle-internal.h" void cbc_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); for ( ; length; length -= block_size, src += block_size, dst += block_size) { memxor(iv, src, block_size); f(ctx, block_size, dst, iv); memcpy(iv, dst, block_size); } } /* Don't allocate any more space than this on the stack */ #define CBC_BUFFER_LIMIT 512 void cbc_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); if (!length) return; if (src != dst) { /* Decrypt in ECB mode */ f(ctx, length, dst, src); /* XOR the cryptotext, shifted one block */ memxor(dst, iv, block_size); memxor(dst + block_size, src, length - block_size); memcpy(iv, src + length - block_size, block_size); } else { /* For in-place CBC, we decrypt into a temporary buffer of size * at most CBC_BUFFER_LIMIT, and process that amount of data at * a time. */ /* NOTE: We assume that block_size <= CBC_BUFFER_LIMIT, and we depend on memxor3 working from the end of the area, allowing certain overlapping operands. */ TMP_DECL(buffer, uint8_t, CBC_BUFFER_LIMIT); TMP_DECL(initial_iv, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); size_t buffer_size; if (length <= CBC_BUFFER_LIMIT) buffer_size = length; else buffer_size = CBC_BUFFER_LIMIT - (CBC_BUFFER_LIMIT % block_size); TMP_ALLOC(buffer, buffer_size); TMP_ALLOC(initial_iv, block_size); for ( ; length > buffer_size; length -= buffer_size, src += buffer_size, dst += buffer_size) { f(ctx, buffer_size, buffer, src); memcpy(initial_iv, iv, block_size); memcpy(iv, src + buffer_size - block_size, block_size); memxor3(dst + block_size, buffer + block_size, src, buffer_size - block_size); memxor3(dst, buffer, initial_iv, block_size); } f(ctx, length, buffer, src); memcpy(initial_iv, iv, block_size); /* Copies last block */ memcpy(iv, src + length - block_size, block_size); /* Writes all but first block, reads all but last block. */ memxor3(dst + block_size, buffer + block_size, src, length - block_size); /* Writes first block. */ memxor3(dst, buffer, initial_iv, block_size); } } #if 0 #include "twofish.h" #include "aes.h" static void foo(void) { struct CBC_CTX(struct twofish_ctx, TWOFISH_BLOCK_SIZE) ctx; uint8_t src[TWOFISH_BLOCK_SIZE]; uint8_t dst[TWOFISH_BLOCK_SIZE]; CBC_ENCRYPT(&ctx, twofish_encrypt, TWOFISH_BLOCK_SIZE, dst, src); /* Should result in a warning */ CBC_ENCRYPT(&ctx, aes_encrypt, TWOFISH_BLOCK_SIZE, dst, src); } static void foo2(void) { struct twofish_ctx ctx; uint8_t iv[TWOFISH_BLOCK_SIZE]; uint8_t src[TWOFISH_BLOCK_SIZE]; uint8_t dst[TWOFISH_BLOCK_SIZE]; CBC_ENCRYPT2(&ctx, twofish_encrypt, TWOFISH_BLOCK_SIZE, iv, TWOFISH_BLOCK_SIZE, dst, src); /* Should result in a warning */ CBC_ENCRYPT2(&ctx, aes_encrypt, TWOFISH_BLOCK_SIZE, iv, TWOFISH_BLOCK_SIZE, dst, src); } #endif nettle-3.4.1/camellia128-crypt.c0000644000175000017500000000314713401564745015361 0ustar nissenisse/* camellia128-crypt.c Crypt function for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "camellia-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_camellia_crypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void camellia128_crypt(const struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); _camellia_crypt(_CAMELLIA128_NKEYS, ctx->keys, &_camellia_table, length, dst, src); } nettle-3.4.1/base16.h0000644000175000017500000000603113401564746013302 0ustar nissenisse/* base16.h Hex encoding and decoding, following spki conventions (i.e. allowing whitespace between digits). Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BASE16_H_INCLUDED #define NETTLE_BASE16_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define base16_encode_single nettle_base16_encode_single #define base16_encode_update nettle_base16_encode_update #define base16_decode_init nettle_base16_decode_init #define base16_decode_single nettle_base16_decode_single #define base16_decode_update nettle_base16_decode_update #define base16_decode_final nettle_base16_decode_final /* Base16 encoding */ /* Maximum length of output for base16_encode_update. */ #define BASE16_ENCODE_LENGTH(length) ((length) * 2) /* Encodes a single byte. Always stores two digits in dst[0] and dst[1]. */ void base16_encode_single(char *dst, uint8_t src); /* Always stores BASE16_ENCODE_LENGTH(length) digits in dst. */ void base16_encode_update(char *dst, size_t length, const uint8_t *src); /* Base16 decoding */ /* Maximum length of output for base16_decode_update. */ /* We have at most 4 buffered bits, and a total of (length + 1) * 4 bits. */ #define BASE16_DECODE_LENGTH(length) (((length) + 1) / 2) struct base16_decode_ctx { unsigned char word; /* Leftover bits */ unsigned char bits; /* Number buffered bits */ }; void base16_decode_init(struct base16_decode_ctx *ctx); /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base16_decode_single(struct base16_decode_ctx *ctx, uint8_t *dst, char src); /* Returns 1 on success, 0 on error. DST should point to an area of * size at least BASE16_DECODE_LENGTH(length). The amount of data * generated is returned in *DST_LENGTH. */ int base16_decode_update(struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src); /* Returns 1 on success. */ int base16_decode_final(struct base16_decode_ctx *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_BASE16_H_INCLUDED */ nettle-3.4.1/hkdf.h0000644000175000017500000000335613401564746013144 0ustar nissenisse/* hkdf.h TLS PRF code (RFC-5246, RFC-2246). Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HKDF_H_INCLUDED #define NETTLE_HKDF_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define hkdf_extract nettle_hkdf_extract #define hkdf_expand nettle_hkdf_expand void hkdf_extract(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t secret_size, const uint8_t *secret, uint8_t *dst); void hkdf_expand(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_HKDF_H_INCLUDED */ nettle-3.4.1/ripemd160.c0000644000175000017500000001606613401564745013733 0ustar nissenisse/* ripemd160.c RIPE-MD160 Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ripemd160.h" #include "macros.h" #include "nettle-write.h" /********************************* * RIPEMD-160 is not patented, see (as of 2011-08-28) * http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html * Note that the code uses Little Endian byteorder, which is good for * 386 etc, but we must add some conversion when used on a big endian box. * * * Pseudo-code for RIPEMD-160 * * RIPEMD-160 is an iterative hash function that operates on 32-bit words. * The round function takes as input a 5-word chaining variable and a 16-word * message block and maps this to a new chaining variable. All operations are * defined on 32-bit words. Padding is identical to that of MD4. * * * RIPEMD-160: definitions * * * nonlinear functions at bit level: exor, mux, -, mux, - * * f(j, x, y, z) = x XOR y XOR z (0 <= j <= 15) * f(j, x, y, z) = (x AND y) OR (NOT(x) AND z) (16 <= j <= 31) * f(j, x, y, z) = (x OR NOT(y)) XOR z (32 <= j <= 47) * f(j, x, y, z) = (x AND z) OR (y AND NOT(z)) (48 <= j <= 63) * f(j, x, y, z) = x XOR (y OR NOT(z)) (64 <= j <= 79) * * * added constants (hexadecimal) * * K(j) = 0x00000000 (0 <= j <= 15) * K(j) = 0x5A827999 (16 <= j <= 31) int(2**30 x sqrt(2)) * K(j) = 0x6ED9EBA1 (32 <= j <= 47) int(2**30 x sqrt(3)) * K(j) = 0x8F1BBCDC (48 <= j <= 63) int(2**30 x sqrt(5)) * K(j) = 0xA953FD4E (64 <= j <= 79) int(2**30 x sqrt(7)) * K'(j) = 0x50A28BE6 (0 <= j <= 15) int(2**30 x cbrt(2)) * K'(j) = 0x5C4DD124 (16 <= j <= 31) int(2**30 x cbrt(3)) * K'(j) = 0x6D703EF3 (32 <= j <= 47) int(2**30 x cbrt(5)) * K'(j) = 0x7A6D76E9 (48 <= j <= 63) int(2**30 x cbrt(7)) * K'(j) = 0x00000000 (64 <= j <= 79) * * * selection of message word * * r(j) = j (0 <= j <= 15) * r(16..31) = 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8 * r(32..47) = 3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12 * r(48..63) = 1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2 * r(64..79) = 4, 0, 5, 9, 7, 12, 2, 10, 14, 1, 3, 8, 11, 6, 15, 13 * r0(0..15) = 5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12 * r0(16..31)= 6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2 * r0(32..47)= 15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13 * r0(48..63)= 8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14 * r0(64..79)= 12, 15, 10, 4, 1, 5, 8, 7, 6, 2, 13, 14, 0, 3, 9, 11 * * * amount for rotate left (rol) * * s(0..15) = 11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8 * s(16..31) = 7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12 * s(32..47) = 11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5 * s(48..63) = 11, 12, 14, 15, 14, 15, 9, 8, 9, 14, 5, 6, 8, 6, 5, 12 * s(64..79) = 9, 15, 5, 11, 6, 8, 13, 12, 5, 12, 13, 14, 11, 8, 5, 6 * s'(0..15) = 8, 9, 9, 11, 13, 15, 15, 5, 7, 7, 8, 11, 14, 14, 12, 6 * s'(16..31)= 9, 13, 15, 7, 12, 8, 9, 11, 7, 7, 12, 7, 6, 15, 13, 11 * s'(32..47)= 9, 7, 15, 11, 8, 6, 6, 14, 12, 13, 5, 14, 13, 13, 7, 5 * s'(48..63)= 15, 5, 8, 11, 14, 14, 6, 14, 6, 9, 12, 9, 12, 5, 15, 8 * s'(64..79)= 8, 5, 12, 9, 12, 5, 14, 6, 8, 13, 6, 5, 15, 13, 11, 11 * * * initial value (hexadecimal) * * h0 = 0x67452301; h1 = 0xEFCDAB89; h2 = 0x98BADCFE; h3 = 0x10325476; * h4 = 0xC3D2E1F0; * * * RIPEMD-160: pseudo-code * * It is assumed that the message after padding consists of t 16-word blocks * that will be denoted with X[i][j], with 0 <= i <= t-1 and 0 <= j <= 15. * The symbol [+] denotes addition modulo 2**32 and rol_s denotes cyclic left * shift (rotate) over s positions. * * * for i := 0 to t-1 { * A := h0; B := h1; C := h2; D = h3; E = h4; * A' := h0; B' := h1; C' := h2; D' = h3; E' = h4; * for j := 0 to 79 { * T := rol_s(j)(A [+] f(j, B, C, D) [+] X[i][r(j)] [+] K(j)) [+] E; * A := E; E := D; D := rol_10(C); C := B; B := T; * T := rol_s'(j)(A' [+] f(79-j, B', C', D') [+] X[i][r'(j)] [+] K'(j)) [+] E'; * A' := E'; E' := D'; D' := rol_10(C'); C' := B'; B' := T; * } * T := h1 [+] C [+] D'; h1 := h2 [+] D [+] E'; h2 := h3 [+] E [+] A'; * h3 := h4 [+] A [+] B'; h4 := h0 [+] B [+] C'; h0 := T; * } */ /* Some examples: * "" 9c1185a5c5e9fc54612808977ee8f548b2258d31 * "a" 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe * "abc" 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc * "message digest" 5d0689ef49d2fae572b881b123a85ffa21595f36 * "a...z" f71c27109c692c1b56bbdceb5b9d2865b3708dbc * "abcdbcde...nopq" 12a053384a9c0c88e405a06c27dcf49ada62eb2b * "A...Za...z0...9" b0e20b6e3116640286ed3a87a5713079b21f5189 * 8 times "1234567890" 9b752e45573d4b39f4dbd3323cab82bf63326bfb * 1 million times "a" 52783243c1697bdbe16d37f97f68f08325dc1528 */ void ripemd160_init(struct ripemd160_ctx *ctx) { static const uint32_t iv[_RIPEMD160_DIGEST_LENGTH] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } #define COMPRESS(ctx, data) (_nettle_ripemd160_compress((ctx)->state, (data))) /* Update the message digest with the contents * of DATA with length LENGTH. */ void ripemd160_update(struct ripemd160_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } void ripemd160_digest(struct ripemd160_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= RIPEMD160_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); \ /* append the 64 bit count */ LE_WRITE_UINT64(ctx->block + 56, bit_count); _nettle_ripemd160_compress(ctx->state, ctx->block); _nettle_write_le32(length, digest, ctx->state); ripemd160_init(ctx); } nettle-3.4.1/pkcs1.h0000644000175000017500000000630413401564746013245 0ustar nissenisse/* pkcs1.h PKCS1 embedding. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PKCS1_H_INCLUDED #define NETTLE_PKCS1_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define _pkcs1_signature_prefix _nettle_pkcs1_signature_prefix #define pkcs1_rsa_digest_encode nettle_pkcs1_rsa_digest_encode #define pkcs1_rsa_md5_encode nettle_pkcs1_rsa_md5_encode #define pkcs1_rsa_md5_encode_digest nettle_pkcs1_rsa_md5_encode_digest #define pkcs1_rsa_sha1_encode nettle_pkcs1_rsa_sha1_encode #define pkcs1_rsa_sha1_encode_digest nettle_pkcs1_rsa_sha1_encode_digest #define pkcs1_rsa_sha256_encode nettle_pkcs1_rsa_sha256_encode #define pkcs1_rsa_sha256_encode_digest nettle_pkcs1_rsa_sha256_encode_digest #define pkcs1_rsa_sha512_encode nettle_pkcs1_rsa_sha512_encode #define pkcs1_rsa_sha512_encode_digest nettle_pkcs1_rsa_sha512_encode_digest #define pkcs1_encrypt nettle_pkcs1_encrypt #define pkcs1_decrypt nettle_pkcs1_decrypt struct md5_ctx; struct sha1_ctx; struct sha256_ctx; struct sha512_ctx; uint8_t * _pkcs1_signature_prefix(unsigned key_size, uint8_t *buffer, unsigned id_size, const uint8_t *id, unsigned digest_size); int pkcs1_encrypt (size_t key_size, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t m); int pkcs1_decrypt (size_t key_size, const mpz_t m, size_t *length, uint8_t *message); int pkcs1_rsa_digest_encode(mpz_t m, size_t key_size, size_t di_length, const uint8_t *digest_info); int pkcs1_rsa_md5_encode(mpz_t m, size_t length, struct md5_ctx *hash); int pkcs1_rsa_md5_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha1_encode(mpz_t m, size_t length, struct sha1_ctx *hash); int pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha256_encode(mpz_t m, size_t length, struct sha256_ctx *hash); int pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha512_encode(mpz_t m, size_t length, struct sha512_ctx *hash); int pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t length, const uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_PKCS1_H_INCLUDED */ nettle-3.4.1/md4.c0000644000175000017500000001313613401564745012703 0ustar nissenisse/* md4.c The MD4 hash function, described in RFC 1320. Copyright (C) 2003 Niels Möller, Marcus Comstedt This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on the public domain md5 code, and modified by Marcus Comstedt */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md4.h" #include "macros.h" #include "nettle-write.h" /* A block, treated as a sequence of 32-bit words. */ #define MD4_DATA_LENGTH 16 static void md4_transform(uint32_t *digest, const uint32_t *data); static void md4_compress(struct md4_ctx *ctx, const uint8_t *block); /* FIXME: Could be an alias for md5_init */ void md4_init(struct md4_ctx *ctx) { /* Same constants as for md5. */ const uint32_t iv[_MD4_DIGEST_LENGTH] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } void md4_update(struct md4_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, md4_compress, ctx->count++); } void md4_digest(struct md4_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; uint32_t data[MD4_DATA_LENGTH]; unsigned i; assert(length <= MD4_DIGEST_SIZE); MD_PAD(ctx, 8, md4_compress); for (i = 0; i < MD4_DATA_LENGTH - 2; i++) data[i] = LE_READ_UINT32(ctx->block + 4*i); /* There are 512 = 2^9 bits in one block * Little-endian order => Least significant word first */ bit_count = (ctx->count << 9) | (ctx->index << 3); data[MD4_DATA_LENGTH-2] = bit_count; data[MD4_DATA_LENGTH-1] = bit_count >> 32; md4_transform(ctx->state, data); _nettle_write_le32(length, digest, ctx->state); md4_init(ctx); } /* MD4 functions */ #define F(x, y, z) (((y) & (x)) | ((z) & ~(x))) #define G(x, y, z) (((y) & (x)) | ((z) & (x)) | ((y) & (z))) #define H(x, y, z) ((x) ^ (y) ^ (z)) #define ROUND(f, w, x, y, z, data, s) \ ( w += f(x, y, z) + data, w = w<>(32-s) ) /* Perform the MD4 transformation on one full block of 16 32-bit words. */ static void md4_transform(uint32_t *digest, const uint32_t *data) { uint32_t a, b, c, d; a = digest[0]; b = digest[1]; c = digest[2]; d = digest[3]; ROUND(F, a, b, c, d, data[ 0], 3); ROUND(F, d, a, b, c, data[ 1], 7); ROUND(F, c, d, a, b, data[ 2], 11); ROUND(F, b, c, d, a, data[ 3], 19); ROUND(F, a, b, c, d, data[ 4], 3); ROUND(F, d, a, b, c, data[ 5], 7); ROUND(F, c, d, a, b, data[ 6], 11); ROUND(F, b, c, d, a, data[ 7], 19); ROUND(F, a, b, c, d, data[ 8], 3); ROUND(F, d, a, b, c, data[ 9], 7); ROUND(F, c, d, a, b, data[10], 11); ROUND(F, b, c, d, a, data[11], 19); ROUND(F, a, b, c, d, data[12], 3); ROUND(F, d, a, b, c, data[13], 7); ROUND(F, c, d, a, b, data[14], 11); ROUND(F, b, c, d, a, data[15], 19); ROUND(G, a, b, c, d, data[ 0] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 4] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[ 8] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[12] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 1] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 5] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[ 9] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[13] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 2] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 6] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[10] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[14] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 3] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 7] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[11] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[15] + 0x5a827999, 13); ROUND(H, a, b, c, d, data[ 0] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[ 8] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 4] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[12] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 2] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[10] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 6] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[14] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 1] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[ 9] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 5] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[13] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 3] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[11] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 7] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[15] + 0x6ed9eba1, 15); digest[0] += a; digest[1] += b; digest[2] += c; digest[3] += d; } static void md4_compress(struct md4_ctx *ctx, const uint8_t *block) { uint32_t data[MD4_DATA_LENGTH]; unsigned i; /* Endian independent conversion */ for (i = 0; i<16; i++, block += 4) data[i] = LE_READ_UINT32(block); md4_transform(ctx->state, data); } nettle-3.4.1/pkcs1-rsa-sha512.c0000644000175000017500000000560213401564745015023 0ustar nissenisse/* pkcs1-rsa-sha512.c PKCS stuff for rsa-sha512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "gmp-glue.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. * * id-sha512 OBJECT IDENTIFIER ::= * {joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3} */ static const uint8_t sha512_prefix[] = { /* 19 octets prefix, 64 octets hash, total 83 */ 0x30, 81, /* SEQUENCE */ 0x30, 13, /* SEQUENCE */ 0x06, 9, /* OBJECT IDENTIFIER */ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0, /* NULL */ 0x04, 64 /* OCTET STRING */ /* Here comes the raw hash value, 64 octets */ }; int pkcs1_rsa_sha512_encode(mpz_t m, size_t key_size, struct sha512_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), sha512_prefix, SHA512_DIGEST_SIZE); if (p) { sha512_digest(hash, SHA512_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), sha512_prefix, SHA512_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA512_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.4.1/arcfour.h0000644000175000017500000000365013401564746013666 0ustar nissenisse/* arcfour.h The arcfour/rc4 stream cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ARCFOUR_H_INCLUDED #define NETTLE_ARCFOUR_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define arcfour128_set_key nettle_arcfour128_set_key #define arcfour_set_key nettle_arcfour_set_key #define arcfour_crypt nettle_arcfour_crypt /* Minimum and maximum keysizes, and a reasonable default. In * octets.*/ #define ARCFOUR_MIN_KEY_SIZE 1 #define ARCFOUR_MAX_KEY_SIZE 256 #define ARCFOUR_KEY_SIZE 16 #define ARCFOUR128_KEY_SIZE 16 struct arcfour_ctx { uint8_t S[256]; uint8_t i; uint8_t j; }; void arcfour_set_key(struct arcfour_ctx *ctx, size_t length, const uint8_t *key); void arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key); void arcfour_crypt(struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_ARCFOUR_H_INCLUDED */ nettle-3.4.1/rsa-pss-sha512-verify.c0000644000175000017500000000366213401564746016116 0ustar nissenisse/* rsa-pss-sha512-verify.c Verifying signatures created with RSA and SHA-384/SHA-512, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha384, salt_length, digest)); mpz_clear (m); return res; } int rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha512, salt_length, digest)); mpz_clear (m); return res; } nettle-3.4.1/sha3-384-meta.c0000644000175000017500000000224713401564745014316 0ustar nissenisse/* sha3-384-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" const struct nettle_hash nettle_sha3_384 = _NETTLE_HASH(sha3_384, SHA3_384); nettle-3.4.1/sha3-permute.c0000644000175000017500000001236113401564745014533 0ustar nissenisse/* sha3-permute.c The sha3 permutation function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "macros.h" #define SHA3_ROUNDS 24 /* For fat builds */ #if HAVE_NATIVE_sha3_permute void _nettle_sha3_permute_c(struct sha3_state *state); #define nettle_sha3_permute _nettle_sha3_permute_c #endif void sha3_permute (struct sha3_state *state) { static const uint64_t rc[SHA3_ROUNDS] = { 0x0000000000000001ULL, 0X0000000000008082ULL, 0X800000000000808AULL, 0X8000000080008000ULL, 0X000000000000808BULL, 0X0000000080000001ULL, 0X8000000080008081ULL, 0X8000000000008009ULL, 0X000000000000008AULL, 0X0000000000000088ULL, 0X0000000080008009ULL, 0X000000008000000AULL, 0X000000008000808BULL, 0X800000000000008BULL, 0X8000000000008089ULL, 0X8000000000008003ULL, 0X8000000000008002ULL, 0X8000000000000080ULL, 0X000000000000800AULL, 0X800000008000000AULL, 0X8000000080008081ULL, 0X8000000000008080ULL, 0X0000000080000001ULL, 0X8000000080008008ULL, }; /* Original permutation: 0,10,20, 5,15, 16, 1,11,21, 6, 7,17, 2,12,22, 23, 8,18, 3,13, 14,24, 9,19, 4 Rotation counts: 0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14, */ /* In-place implementation. Permutation done as a long sequence of 25 moves "following" the permutation. T <-- 1 1 <-- 6 6 <-- 9 9 <-- 22 22 <-- 14 14 <-- 20 20 <-- 2 2 <-- 12 12 <-- 13 13 <-- 19 19 <-- 23 23 <-- 15 15 <-- 4 4 <-- 24 24 <-- 21 21 <-- 8 8 <-- 16 16 <-- 5 5 <-- 3 3 <-- 18 18 <-- 17 17 <-- 11 11 <-- 7 7 <-- 10 10 <-- T */ uint64_t C[5], D[5], T, X; unsigned i, y; #define A state->a C[0] = A[0] ^ A[5+0] ^ A[10+0] ^ A[15+0] ^ A[20+0]; C[1] = A[1] ^ A[5+1] ^ A[10+1] ^ A[15+1] ^ A[20+1]; C[2] = A[2] ^ A[5+2] ^ A[10+2] ^ A[15+2] ^ A[20+2]; C[3] = A[3] ^ A[5+3] ^ A[10+3] ^ A[15+3] ^ A[20+3]; C[4] = A[4] ^ A[5+4] ^ A[10+4] ^ A[15+4] ^ A[20+4]; for (i = 0; i < SHA3_ROUNDS; i++) { D[0] = C[4] ^ ROTL64(1, C[1]); D[1] = C[0] ^ ROTL64(1, C[2]); D[2] = C[1] ^ ROTL64(1, C[3]); D[3] = C[2] ^ ROTL64(1, C[4]); D[4] = C[3] ^ ROTL64(1, C[0]); A[0] ^= D[0]; X = A[ 1] ^ D[1]; T = ROTL64(1, X); X = A[ 6] ^ D[1]; A[ 1] = ROTL64 (44, X); X = A[ 9] ^ D[4]; A[ 6] = ROTL64 (20, X); X = A[22] ^ D[2]; A[ 9] = ROTL64 (61, X); X = A[14] ^ D[4]; A[22] = ROTL64 (39, X); X = A[20] ^ D[0]; A[14] = ROTL64 (18, X); X = A[ 2] ^ D[2]; A[20] = ROTL64 (62, X); X = A[12] ^ D[2]; A[ 2] = ROTL64 (43, X); X = A[13] ^ D[3]; A[12] = ROTL64 (25, X); X = A[19] ^ D[4]; A[13] = ROTL64 ( 8, X); X = A[23] ^ D[3]; A[19] = ROTL64 (56, X); X = A[15] ^ D[0]; A[23] = ROTL64 (41, X); X = A[ 4] ^ D[4]; A[15] = ROTL64 (27, X); X = A[24] ^ D[4]; A[ 4] = ROTL64 (14, X); X = A[21] ^ D[1]; A[24] = ROTL64 ( 2, X); X = A[ 8] ^ D[3]; A[21] = ROTL64 (55, X); /* row 4 done */ X = A[16] ^ D[1]; A[ 8] = ROTL64 (45, X); X = A[ 5] ^ D[0]; A[16] = ROTL64 (36, X); X = A[ 3] ^ D[3]; A[ 5] = ROTL64 (28, X); X = A[18] ^ D[3]; A[ 3] = ROTL64 (21, X); /* row 0 done */ X = A[17] ^ D[2]; A[18] = ROTL64 (15, X); X = A[11] ^ D[1]; A[17] = ROTL64 (10, X); /* row 3 done */ X = A[ 7] ^ D[2]; A[11] = ROTL64 ( 6, X); /* row 1 done */ X = A[10] ^ D[0]; A[ 7] = ROTL64 ( 3, X); A[10] = T; /* row 2 done */ D[0] = ~A[1] & A[2]; D[1] = ~A[2] & A[3]; D[2] = ~A[3] & A[4]; D[3] = ~A[4] & A[0]; D[4] = ~A[0] & A[1]; A[0] ^= D[0] ^ rc[i]; C[0] = A[0]; A[1] ^= D[1]; C[1] = A[1]; A[2] ^= D[2]; C[2] = A[2]; A[3] ^= D[3]; C[3] = A[3]; A[4] ^= D[4]; C[4] = A[4]; for (y = 5; y < 25; y+= 5) { D[0] = ~A[y+1] & A[y+2]; D[1] = ~A[y+2] & A[y+3]; D[2] = ~A[y+3] & A[y+4]; D[3] = ~A[y+4] & A[y+0]; D[4] = ~A[y+0] & A[y+1]; A[y+0] ^= D[0]; C[0] ^= A[y+0]; A[y+1] ^= D[1]; C[1] ^= A[y+1]; A[y+2] ^= D[2]; C[2] ^= A[y+2]; A[y+3] ^= D[3]; C[3] ^= A[y+3]; A[y+4] ^= D[4]; C[4] ^= A[y+4]; } } #undef A } nettle-3.4.1/base64url-encode.c0000644000175000017500000000254113401564745015257 0ustar nissenisse/* base64url-encode.c Copyright (C) 2015 Amos Jeffries, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base64.h" void base64url_encode_init(struct base64_encode_ctx *ctx) { static const char base64url_encode_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789-_"; ctx->word = ctx->bits = 0; ctx->alphabet = base64url_encode_table; } nettle-3.4.1/ecc-random.c0000644000175000017500000000472513401564746014234 0ustar nissenisse/* ecc-random.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" static int zero_p (const struct ecc_modulo *m, const mp_limb_t *xp) { mp_limb_t t; mp_size_t i; for (i = t = 0; i < m->size; i++) t |= xp[i]; return t == 0; } static int ecdsa_in_range (const struct ecc_modulo *m, const mp_limb_t *xp, mp_limb_t *scratch) { /* Check if 0 < x < q, with data independent timing. */ return !zero_p (m, xp) & (mpn_sub_n (scratch, xp, m->m, m->size) != 0); } void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, void *ctx, nettle_random_func *random, mp_limb_t *scratch) { uint8_t *buf = (uint8_t *) scratch; unsigned nbytes = (m->bit_size + 7)/8; /* The bytes ought to fit in the scratch area, unless we have very unusual limb and byte sizes. */ assert (nbytes <= m->size * sizeof (mp_limb_t)); do { random (ctx, nbytes, buf); buf[0] &= 0xff >> (nbytes * 8 - m->bit_size); mpn_set_base256 (xp, m->size, buf, nbytes); } while (!ecdsa_in_range (m, xp, scratch)); } void ecc_scalar_random (struct ecc_scalar *x, void *random_ctx, nettle_random_func *random) { TMP_DECL (scratch, mp_limb_t, ECC_MOD_RANDOM_ITCH (ECC_MAX_SIZE)); TMP_ALLOC (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size)); ecc_mod_random (&x->ecc->q, x->p, random_ctx, random, scratch); } nettle-3.4.1/base16-encode.c0000644000175000017500000000315713401564745014535 0ustar nissenisse/* base16-encode.c Hex encoding. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base16.h" static const uint8_t hex_digits[16] = "0123456789abcdef"; #define DIGIT(x) (hex_digits[(x) & 0xf]) /* Encodes a single byte. Always stores two digits in dst[0] and dst[1]. */ void base16_encode_single(char *dst, uint8_t src) { dst[0] = DIGIT(src/0x10); dst[1] = DIGIT(src); } /* Always stores BASE16_ENCODE_LENGTH(length) digits in dst. */ void base16_encode_update(char *dst, size_t length, const uint8_t *src) { size_t i; for (i = 0; i #include "ecc.h" #include "ecc-internal.h" void ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_eh call. Current total is 9 * ecc->p.size, at most 648 bytes. */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) unsigned k, c; unsigned i, j; unsigned bit_rows; k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->p.bit_size + k - 1) / k; /* x = 0, y = 1, z = 1 */ mpn_zero (r, 3*ecc->p.size); r[ecc->p.size] = r[2*ecc->p.size] = 1; for (i = k; i-- > 0; ) { ecc_dup_eh (ecc, r, r, scratch); for (j = 0; j * c < bit_rows; j++) { unsigned bits; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned bit_index; /* Extract c bits from n, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { mp_size_t limb_index; unsigned shift; bit_index -= k; limb_index = bit_index / GMP_NUMB_BITS; if (limb_index >= ecc->p.size) continue; shift = bit_index % GMP_NUMB_BITS; bits = (bits << 1) | ((np[limb_index] >> shift) & 1); } sec_tabselect (tp, 2*ecc->p.size, (ecc->pippenger_table + (2*ecc->p.size * (mp_size_t) j << c)), 1<. % % As a special exception, when this file is read by TeX when processing % a Texinfo source document, you may use the result without % restriction. (This has been our intent since Texinfo was invented.) % % Please try the latest version of texinfo.tex before submitting bug % reports; you can get the latest version from: % http://www.gnu.org/software/texinfo/ (the Texinfo home page), or % ftp://tug.org/tex/texinfo.tex % (and all CTAN mirrors, see http://www.ctan.org). % The texinfo.tex in any given distribution could well be out % of date, so if that's what you're using, please check. % % Send bug reports to bug-texinfo@gnu.org. Please include including a % complete document in each bug report with which we can reproduce the % problem. Patches are, of course, greatly appreciated. % % To process a Texinfo manual with TeX, it's most reliable to use the % texi2dvi shell script that comes with the distribution. For a simple % manual foo.texi, however, you can get away with this: % tex foo.texi % texindex foo.?? % tex foo.texi % tex foo.texi % dvips foo.dvi -o # or whatever; this makes foo.ps. % The extra TeX runs get the cross-reference information correct. % Sometimes one run after texindex suffices, and sometimes you need more % than two; texi2dvi does it as many times as necessary. % % It is possible to adapt texinfo.tex for other languages, to some % extent. You can get the existing language-specific files from the % full Texinfo distribution. % % The GNU Texinfo home page is http://www.gnu.org/software/texinfo. \message{Loading texinfo [version \texinfoversion]:} % If in a .fmt file, print the version number % and turn on active characters that we couldn't do earlier because % they might have appeared in the input file name. \everyjob{\message{[Texinfo version \texinfoversion]}% \catcode`+=\active \catcode`\_=\active} \chardef\other=12 % We never want plain's \outer definition of \+ in Texinfo. % For @tex, we can use \tabalign. \let\+ = \relax % Save some plain tex macros whose names we will redefine. \let\ptexb=\b \let\ptexbullet=\bullet \let\ptexc=\c \let\ptexcomma=\, \let\ptexdot=\. \let\ptexdots=\dots \let\ptexend=\end \let\ptexequiv=\equiv \let\ptexexclam=\! \let\ptexfootnote=\footnote \let\ptexgtr=> \let\ptexhat=^ \let\ptexi=\i \let\ptexindent=\indent \let\ptexinsert=\insert \let\ptexlbrace=\{ \let\ptexless=< \let\ptexnewwrite\newwrite \let\ptexnoindent=\noindent \let\ptexplus=+ \let\ptexrbrace=\} \let\ptexslash=\/ \let\ptexstar=\* \let\ptext=\t \let\ptextop=\top {\catcode`\'=\active \global\let\ptexquoteright'}% Math-mode def from plain.tex. \let\ptexraggedright=\raggedright % If this character appears in an error message or help string, it % starts a new line in the output. \newlinechar = `^^J % Use TeX 3.0's \inputlineno to get the line number, for better error % messages, but if we're using an old version of TeX, don't do anything. % \ifx\inputlineno\thisisundefined \let\linenumber = \empty % Pre-3.0. \else \def\linenumber{l.\the\inputlineno:\space} \fi % Set up fixed words for English if not already set. \ifx\putwordAppendix\undefined \gdef\putwordAppendix{Appendix}\fi \ifx\putwordChapter\undefined \gdef\putwordChapter{Chapter}\fi \ifx\putwordfile\undefined \gdef\putwordfile{file}\fi \ifx\putwordin\undefined \gdef\putwordin{in}\fi \ifx\putwordIndexIsEmpty\undefined \gdef\putwordIndexIsEmpty{(Index is empty)}\fi \ifx\putwordIndexNonexistent\undefined \gdef\putwordIndexNonexistent{(Index is nonexistent)}\fi \ifx\putwordInfo\undefined \gdef\putwordInfo{Info}\fi \ifx\putwordInstanceVariableof\undefined \gdef\putwordInstanceVariableof{Instance Variable of}\fi \ifx\putwordMethodon\undefined \gdef\putwordMethodon{Method on}\fi \ifx\putwordNoTitle\undefined \gdef\putwordNoTitle{No Title}\fi \ifx\putwordof\undefined \gdef\putwordof{of}\fi \ifx\putwordon\undefined \gdef\putwordon{on}\fi \ifx\putwordpage\undefined \gdef\putwordpage{page}\fi \ifx\putwordsection\undefined \gdef\putwordsection{section}\fi \ifx\putwordSection\undefined \gdef\putwordSection{Section}\fi \ifx\putwordsee\undefined \gdef\putwordsee{see}\fi \ifx\putwordSee\undefined \gdef\putwordSee{See}\fi \ifx\putwordShortTOC\undefined \gdef\putwordShortTOC{Short Contents}\fi \ifx\putwordTOC\undefined \gdef\putwordTOC{Table of Contents}\fi % \ifx\putwordMJan\undefined \gdef\putwordMJan{January}\fi \ifx\putwordMFeb\undefined \gdef\putwordMFeb{February}\fi \ifx\putwordMMar\undefined \gdef\putwordMMar{March}\fi \ifx\putwordMApr\undefined \gdef\putwordMApr{April}\fi \ifx\putwordMMay\undefined \gdef\putwordMMay{May}\fi \ifx\putwordMJun\undefined \gdef\putwordMJun{June}\fi \ifx\putwordMJul\undefined \gdef\putwordMJul{July}\fi \ifx\putwordMAug\undefined \gdef\putwordMAug{August}\fi \ifx\putwordMSep\undefined \gdef\putwordMSep{September}\fi \ifx\putwordMOct\undefined \gdef\putwordMOct{October}\fi \ifx\putwordMNov\undefined \gdef\putwordMNov{November}\fi \ifx\putwordMDec\undefined \gdef\putwordMDec{December}\fi % \ifx\putwordDefmac\undefined \gdef\putwordDefmac{Macro}\fi \ifx\putwordDefspec\undefined \gdef\putwordDefspec{Special Form}\fi \ifx\putwordDefvar\undefined \gdef\putwordDefvar{Variable}\fi \ifx\putwordDefopt\undefined \gdef\putwordDefopt{User Option}\fi \ifx\putwordDeffunc\undefined \gdef\putwordDeffunc{Function}\fi % Since the category of space is not known, we have to be careful. \chardef\spacecat = 10 \def\spaceisspace{\catcode`\ =\spacecat} % sometimes characters are active, so we need control sequences. \chardef\colonChar = `\: \chardef\commaChar = `\, \chardef\dashChar = `\- \chardef\dotChar = `\. \chardef\exclamChar= `\! \chardef\lquoteChar= `\` \chardef\questChar = `\? \chardef\rquoteChar= `\' \chardef\semiChar = `\; \chardef\underChar = `\_ % Ignore a token. % \def\gobble#1{} % The following is used inside several \edef's. \def\makecsname#1{\expandafter\noexpand\csname#1\endcsname} % Hyphenation fixes. \hyphenation{ Flor-i-da Ghost-script Ghost-view Mac-OS Post-Script ap-pen-dix bit-map bit-maps data-base data-bases eshell fall-ing half-way long-est man-u-script man-u-scripts mini-buf-fer mini-buf-fers over-view par-a-digm par-a-digms rath-er rec-tan-gu-lar ro-bot-ics se-vere-ly set-up spa-ces spell-ing spell-ings stand-alone strong-est time-stamp time-stamps which-ever white-space wide-spread wrap-around } % Margin to add to right of even pages, to left of odd pages. \newdimen\bindingoffset \newdimen\normaloffset \newdimen\pagewidth \newdimen\pageheight % For a final copy, take out the rectangles % that mark overfull boxes (in case you have decided % that the text looks ok even though it passes the margin). % \def\finalout{\overfullrule=0pt} % @| inserts a changebar to the left of the current line. It should % surround any changed text. This approach does *not* work if the % change spans more than two lines of output. To handle that, we would % have adopt a much more difficult approach (putting marks into the main % vertical list for the beginning and end of each change). % \def\|{% % \vadjust can only be used in horizontal mode. \leavevmode % % Append this vertical mode material after the current line in the output. \vadjust{% % We want to insert a rule with the height and depth of the current % leading; that is exactly what \strutbox is supposed to record. \vskip-\baselineskip % % \vadjust-items are inserted at the left edge of the type. So % the \llap here moves out into the left-hand margin. \llap{% % % For a thicker or thinner bar, change the `1pt'. \vrule height\baselineskip width1pt % % This is the space between the bar and the text. \hskip 12pt }% }% } % Sometimes it is convenient to have everything in the transcript file % and nothing on the terminal. We don't just call \tracingall here, % since that produces some useless output on the terminal. We also make % some effort to order the tracing commands to reduce output in the log % file; cf. trace.sty in LaTeX. % \def\gloggingall{\begingroup \globaldefs = 1 \loggingall \endgroup}% \def\loggingall{% \tracingstats2 \tracingpages1 \tracinglostchars2 % 2 gives us more in etex \tracingparagraphs1 \tracingoutput1 \tracingmacros2 \tracingrestores1 \showboxbreadth\maxdimen \showboxdepth\maxdimen \ifx\eTeXversion\undefined\else % etex gives us more logging \tracingscantokens1 \tracingifs1 \tracinggroups1 \tracingnesting2 \tracingassigns1 \fi \tracingcommands3 % 3 gives us more in etex \errorcontextlines16 }% % add check for \lastpenalty to plain's definitions. If the last thing % we did was a \nobreak, we don't want to insert more space. % \def\smallbreak{\ifnum\lastpenalty<10000\par\ifdim\lastskip<\smallskipamount \removelastskip\penalty-50\smallskip\fi\fi} \def\medbreak{\ifnum\lastpenalty<10000\par\ifdim\lastskip<\medskipamount \removelastskip\penalty-100\medskip\fi\fi} \def\bigbreak{\ifnum\lastpenalty<10000\par\ifdim\lastskip<\bigskipamount \removelastskip\penalty-200\bigskip\fi\fi} % For @cropmarks command. % Do @cropmarks to get crop marks. % \newif\ifcropmarks \let\cropmarks = \cropmarkstrue % % Dimensions to add cropmarks at corners. % Added by P. A. MacKay, 12 Nov. 1986 % \newdimen\outerhsize \newdimen\outervsize % set by the paper size routines \newdimen\cornerlong \cornerlong=1pc \newdimen\cornerthick \cornerthick=.3pt \newdimen\topandbottommargin \topandbottommargin=.75in % Output a mark which sets \thischapter, \thissection and \thiscolor. % We dump everything together because we only have one kind of mark. % This works because we only use \botmark / \topmark, not \firstmark. % % A mark contains a subexpression of the \ifcase ... \fi construct. % \get*marks macros below extract the needed part using \ifcase. % % Another complication is to let the user choose whether \thischapter % (\thissection) refers to the chapter (section) in effect at the top % of a page, or that at the bottom of a page. The solution is % described on page 260 of The TeXbook. It involves outputting two % marks for the sectioning macros, one before the section break, and % one after. I won't pretend I can describe this better than DEK... \def\domark{% \toks0=\expandafter{\lastchapterdefs}% \toks2=\expandafter{\lastsectiondefs}% \toks4=\expandafter{\prevchapterdefs}% \toks6=\expandafter{\prevsectiondefs}% \toks8=\expandafter{\lastcolordefs}% \mark{% \the\toks0 \the\toks2 \noexpand\or \the\toks4 \the\toks6 \noexpand\else \the\toks8 }% } % \topmark doesn't work for the very first chapter (after the title % page or the contents), so we use \firstmark there -- this gets us % the mark with the chapter defs, unless the user sneaks in, e.g., % @setcolor (or @url, or @link, etc.) between @contents and the very % first @chapter. \def\gettopheadingmarks{% \ifcase0\topmark\fi \ifx\thischapter\empty \ifcase0\firstmark\fi \fi } \def\getbottomheadingmarks{\ifcase1\botmark\fi} \def\getcolormarks{\ifcase2\topmark\fi} % Avoid "undefined control sequence" errors. \def\lastchapterdefs{} \def\lastsectiondefs{} \def\prevchapterdefs{} \def\prevsectiondefs{} \def\lastcolordefs{} % Main output routine. \chardef\PAGE = 255 \output = {\onepageout{\pagecontents\PAGE}} \newbox\headlinebox \newbox\footlinebox % \onepageout takes a vbox as an argument. Note that \pagecontents % does insertions, but you have to call it yourself. \def\onepageout#1{% \ifcropmarks \hoffset=0pt \else \hoffset=\normaloffset \fi % \ifodd\pageno \advance\hoffset by \bindingoffset \else \advance\hoffset by -\bindingoffset\fi % % Do this outside of the \shipout so @code etc. will be expanded in % the headline as they should be, not taken literally (outputting ''code). \ifodd\pageno \getoddheadingmarks \else \getevenheadingmarks \fi \setbox\headlinebox = \vbox{\let\hsize=\pagewidth \makeheadline}% \ifodd\pageno \getoddfootingmarks \else \getevenfootingmarks \fi \setbox\footlinebox = \vbox{\let\hsize=\pagewidth \makefootline}% % {% % Have to do this stuff outside the \shipout because we want it to % take effect in \write's, yet the group defined by the \vbox ends % before the \shipout runs. % \indexdummies % don't expand commands in the output. \normalturnoffactive % \ in index entries must not stay \, e.g., if % the page break happens to be in the middle of an example. % We don't want .vr (or whatever) entries like this: % \entry{{\tt \indexbackslash }acronym}{32}{\code {\acronym}} % "\acronym" won't work when it's read back in; % it needs to be % {\code {{\tt \backslashcurfont }acronym} \shipout\vbox{% % Do this early so pdf references go to the beginning of the page. \ifpdfmakepagedest \pdfdest name{\the\pageno} xyz\fi % \ifcropmarks \vbox to \outervsize\bgroup \hsize = \outerhsize \vskip-\topandbottommargin \vtop to0pt{% \line{\ewtop\hfil\ewtop}% \nointerlineskip \line{% \vbox{\moveleft\cornerthick\nstop}% \hfill \vbox{\moveright\cornerthick\nstop}% }% \vss}% \vskip\topandbottommargin \line\bgroup \hfil % center the page within the outer (page) hsize. \ifodd\pageno\hskip\bindingoffset\fi \vbox\bgroup \fi % \unvbox\headlinebox \pagebody{#1}% \ifdim\ht\footlinebox > 0pt % Only leave this space if the footline is nonempty. % (We lessened \vsize for it in \oddfootingyyy.) % The \baselineskip=24pt in plain's \makefootline has no effect. \vskip 24pt \unvbox\footlinebox \fi % \ifcropmarks \egroup % end of \vbox\bgroup \hfil\egroup % end of (centering) \line\bgroup \vskip\topandbottommargin plus1fill minus1fill \boxmaxdepth = \cornerthick \vbox to0pt{\vss \line{% \vbox{\moveleft\cornerthick\nsbot}% \hfill \vbox{\moveright\cornerthick\nsbot}% }% \nointerlineskip \line{\ewbot\hfil\ewbot}% }% \egroup % \vbox from first cropmarks clause \fi }% end of \shipout\vbox }% end of group with \indexdummies \advancepageno \ifnum\outputpenalty>-20000 \else\dosupereject\fi } \newinsert\margin \dimen\margin=\maxdimen \def\pagebody#1{\vbox to\pageheight{\boxmaxdepth=\maxdepth #1}} {\catcode`\@ =11 \gdef\pagecontents#1{\ifvoid\topins\else\unvbox\topins\fi % marginal hacks, juha@viisa.uucp (Juha Takala) \ifvoid\margin\else % marginal info is present \rlap{\kern\hsize\vbox to\z@{\kern1pt\box\margin \vss}}\fi \dimen@=\dp#1\relax \unvbox#1\relax \ifvoid\footins\else\vskip\skip\footins\footnoterule \unvbox\footins\fi \ifr@ggedbottom \kern-\dimen@ \vfil \fi} } % Here are the rules for the cropmarks. Note that they are % offset so that the space between them is truly \outerhsize or \outervsize % (P. A. MacKay, 12 November, 1986) % \def\ewtop{\vrule height\cornerthick depth0pt width\cornerlong} \def\nstop{\vbox {\hrule height\cornerthick depth\cornerlong width\cornerthick}} \def\ewbot{\vrule height0pt depth\cornerthick width\cornerlong} \def\nsbot{\vbox {\hrule height\cornerlong depth\cornerthick width\cornerthick}} % Parse an argument, then pass it to #1. The argument is the rest of % the input line (except we remove a trailing comment). #1 should be a % macro which expects an ordinary undelimited TeX argument. % \def\parsearg{\parseargusing{}} \def\parseargusing#1#2{% \def\argtorun{#2}% \begingroup \obeylines \spaceisspace #1% \parseargline\empty% Insert the \empty token, see \finishparsearg below. } {\obeylines % \gdef\parseargline#1^^M{% \endgroup % End of the group started in \parsearg. \argremovecomment #1\comment\ArgTerm% }% } % First remove any @comment, then any @c comment. \def\argremovecomment#1\comment#2\ArgTerm{\argremovec #1\c\ArgTerm} \def\argremovec#1\c#2\ArgTerm{\argcheckspaces#1\^^M\ArgTerm} % Each occurrence of `\^^M' or `\^^M' is replaced by a single space. % % \argremovec might leave us with trailing space, e.g., % @end itemize @c foo % This space token undergoes the same procedure and is eventually removed % by \finishparsearg. % \def\argcheckspaces#1\^^M{\argcheckspacesX#1\^^M \^^M} \def\argcheckspacesX#1 \^^M{\argcheckspacesY#1\^^M} \def\argcheckspacesY#1\^^M#2\^^M#3\ArgTerm{% \def\temp{#3}% \ifx\temp\empty % Do not use \next, perhaps the caller of \parsearg uses it; reuse \temp: \let\temp\finishparsearg \else \let\temp\argcheckspaces \fi % Put the space token in: \temp#1 #3\ArgTerm } % If a _delimited_ argument is enclosed in braces, they get stripped; so % to get _exactly_ the rest of the line, we had to prevent such situation. % We prepended an \empty token at the very beginning and we expand it now, % just before passing the control to \argtorun. % (Similarly, we have to think about #3 of \argcheckspacesY above: it is % either the null string, or it ends with \^^M---thus there is no danger % that a pair of braces would be stripped. % % But first, we have to remove the trailing space token. % \def\finishparsearg#1 \ArgTerm{\expandafter\argtorun\expandafter{#1}} % \parseargdef\foo{...} % is roughly equivalent to % \def\foo{\parsearg\Xfoo} % \def\Xfoo#1{...} % % Actually, I use \csname\string\foo\endcsname, ie. \\foo, as it is my % favourite TeX trick. --kasal, 16nov03 \def\parseargdef#1{% \expandafter \doparseargdef \csname\string#1\endcsname #1% } \def\doparseargdef#1#2{% \def#2{\parsearg#1}% \def#1##1% } % Several utility definitions with active space: { \obeyspaces \gdef\obeyedspace{ } % Make each space character in the input produce a normal interword % space in the output. Don't allow a line break at this space, as this % is used only in environments like @example, where each line of input % should produce a line of output anyway. % \gdef\sepspaces{\obeyspaces\let =\tie} % If an index command is used in an @example environment, any spaces % therein should become regular spaces in the raw index file, not the % expansion of \tie (\leavevmode \penalty \@M \ ). \gdef\unsepspaces{\let =\space} } \def\flushcr{\ifx\par\lisppar \def\next##1{}\else \let\next=\relax \fi \next} % Define the framework for environments in texinfo.tex. It's used like this: % % \envdef\foo{...} % \def\Efoo{...} % % It's the responsibility of \envdef to insert \begingroup before the % actual body; @end closes the group after calling \Efoo. \envdef also % defines \thisenv, so the current environment is known; @end checks % whether the environment name matches. The \checkenv macro can also be % used to check whether the current environment is the one expected. % % Non-false conditionals (@iftex, @ifset) don't fit into this, so they % are not treated as environments; they don't open a group. (The % implementation of @end takes care not to call \endgroup in this % special case.) % At run-time, environments start with this: \def\startenvironment#1{\begingroup\def\thisenv{#1}} % initialize \let\thisenv\empty % ... but they get defined via ``\envdef\foo{...}'': \long\def\envdef#1#2{\def#1{\startenvironment#1#2}} \def\envparseargdef#1#2{\parseargdef#1{\startenvironment#1#2}} % Check whether we're in the right environment: \def\checkenv#1{% \def\temp{#1}% \ifx\thisenv\temp \else \badenverr \fi } % Environment mismatch, #1 expected: \def\badenverr{% \errhelp = \EMsimple \errmessage{This command can appear only \inenvironment\temp, not \inenvironment\thisenv}% } \def\inenvironment#1{% \ifx#1\empty out of any environment% \else in environment \expandafter\string#1% \fi } % @end foo executes the definition of \Efoo. % But first, it executes a specialized version of \checkenv % \parseargdef\end{% \if 1\csname iscond.#1\endcsname \else % The general wording of \badenverr may not be ideal, but... --kasal, 06nov03 \expandafter\checkenv\csname#1\endcsname \csname E#1\endcsname \endgroup \fi } \newhelp\EMsimple{Press RETURN to continue.} %% Simple single-character @ commands % @@ prints an @ % Kludge this until the fonts are right (grr). \def\@{{\tt\char64}} % This is turned off because it was never documented % and you can use @w{...} around a quote to suppress ligatures. %% Define @` and @' to be the same as ` and ' %% but suppressing ligatures. %\def\`{{`}} %\def\'{{'}} % Used to generate quoted braces. \def\mylbrace {{\tt\char123}} \def\myrbrace {{\tt\char125}} \let\{=\mylbrace \let\}=\myrbrace \begingroup % Definitions to produce \{ and \} commands for indices, % and @{ and @} for the aux/toc files. \catcode`\{ = \other \catcode`\} = \other \catcode`\[ = 1 \catcode`\] = 2 \catcode`\! = 0 \catcode`\\ = \other !gdef!lbracecmd[\{]% !gdef!rbracecmd[\}]% !gdef!lbraceatcmd[@{]% !gdef!rbraceatcmd[@}]% !endgroup % @comma{} to avoid , parsing problems. \let\comma = , % Accents: @, @dotaccent @ringaccent @ubaraccent @udotaccent % Others are defined by plain TeX: @` @' @" @^ @~ @= @u @v @H. \let\, = \c \let\dotaccent = \. \def\ringaccent#1{{\accent23 #1}} \let\tieaccent = \t \let\ubaraccent = \b \let\udotaccent = \d % Other special characters: @questiondown @exclamdown @ordf @ordm % Plain TeX defines: @AA @AE @O @OE @L (plus lowercase versions) @ss. \def\questiondown{?`} \def\exclamdown{!`} \def\ordf{\leavevmode\raise1ex\hbox{\selectfonts\lllsize \underbar{a}}} \def\ordm{\leavevmode\raise1ex\hbox{\selectfonts\lllsize \underbar{o}}} % Dotless i and dotless j, used for accents. \def\imacro{i} \def\jmacro{j} \def\dotless#1{% \def\temp{#1}% \ifx\temp\imacro \ifmmode\imath \else\ptexi \fi \else\ifx\temp\jmacro \ifmmode\jmath \else\j \fi \else \errmessage{@dotless can be used only with i or j}% \fi\fi } % The \TeX{} logo, as in plain, but resetting the spacing so that a % period following counts as ending a sentence. (Idea found in latex.) % \edef\TeX{\TeX \spacefactor=1000 } % @LaTeX{} logo. Not quite the same results as the definition in % latex.ltx, since we use a different font for the raised A; it's most % convenient for us to use an explicitly smaller font, rather than using % the \scriptstyle font (since we don't reset \scriptstyle and % \scriptscriptstyle). % \def\LaTeX{% L\kern-.36em {\setbox0=\hbox{T}% \vbox to \ht0{\hbox{\selectfonts\lllsize A}\vss}}% \kern-.15em \TeX } % Be sure we're in horizontal mode when doing a tie, since we make space % equivalent to this in @example-like environments. Otherwise, a space % at the beginning of a line will start with \penalty -- and % since \penalty is valid in vertical mode, we'd end up putting the % penalty on the vertical list instead of in the new paragraph. {\catcode`@ = 11 % Avoid using \@M directly, because that causes trouble % if the definition is written into an index file. \global\let\tiepenalty = \@M \gdef\tie{\leavevmode\penalty\tiepenalty\ } } % @: forces normal size whitespace following. \def\:{\spacefactor=1000 } % @* forces a line break. \def\*{\hfil\break\hbox{}\ignorespaces} % @/ allows a line break. \let\/=\allowbreak % @. is an end-of-sentence period. \def\.{.\spacefactor=\endofsentencespacefactor\space} % @! is an end-of-sentence bang. \def\!{!\spacefactor=\endofsentencespacefactor\space} % @? is an end-of-sentence query. \def\?{?\spacefactor=\endofsentencespacefactor\space} % @frenchspacing on|off says whether to put extra space after punctuation. % \def\onword{on} \def\offword{off} % \parseargdef\frenchspacing{% \def\temp{#1}% \ifx\temp\onword \plainfrenchspacing \else\ifx\temp\offword \plainnonfrenchspacing \else \errhelp = \EMsimple \errmessage{Unknown @frenchspacing option `\temp', must be on/off}% \fi\fi } % @w prevents a word break. Without the \leavevmode, @w at the % beginning of a paragraph, when TeX is still in vertical mode, would % produce a whole line of output instead of starting the paragraph. \def\w#1{\leavevmode\hbox{#1}} % @group ... @end group forces ... to be all on one page, by enclosing % it in a TeX vbox. We use \vtop instead of \vbox to construct the box % to keep its height that of a normal line. According to the rules for % \topskip (p.114 of the TeXbook), the glue inserted is % max (\topskip - \ht (first item), 0). If that height is large, % therefore, no glue is inserted, and the space between the headline and % the text is small, which looks bad. % % Another complication is that the group might be very large. This can % cause the glue on the previous page to be unduly stretched, because it % does not have much material. In this case, it's better to add an % explicit \vfill so that the extra space is at the bottom. The % threshold for doing this is if the group is more than \vfilllimit % percent of a page (\vfilllimit can be changed inside of @tex). % \newbox\groupbox \def\vfilllimit{0.7} % \envdef\group{% \ifnum\catcode`\^^M=\active \else \errhelp = \groupinvalidhelp \errmessage{@group invalid in context where filling is enabled}% \fi \startsavinginserts % \setbox\groupbox = \vtop\bgroup % Do @comment since we are called inside an environment such as % @example, where each end-of-line in the input causes an % end-of-line in the output. We don't want the end-of-line after % the `@group' to put extra space in the output. Since @group % should appear on a line by itself (according to the Texinfo % manual), we don't worry about eating any user text. \comment } % % The \vtop produces a box with normal height and large depth; thus, TeX puts % \baselineskip glue before it, and (when the next line of text is done) % \lineskip glue after it. Thus, space below is not quite equal to space % above. But it's pretty close. \def\Egroup{% % To get correct interline space between the last line of the group % and the first line afterwards, we have to propagate \prevdepth. \endgraf % Not \par, as it may have been set to \lisppar. \global\dimen1 = \prevdepth \egroup % End the \vtop. % \dimen0 is the vertical size of the group's box. \dimen0 = \ht\groupbox \advance\dimen0 by \dp\groupbox % \dimen2 is how much space is left on the page (more or less). \dimen2 = \pageheight \advance\dimen2 by -\pagetotal % if the group doesn't fit on the current page, and it's a big big % group, force a page break. \ifdim \dimen0 > \dimen2 \ifdim \pagetotal < \vfilllimit\pageheight \page \fi \fi \box\groupbox \prevdepth = \dimen1 \checkinserts } % % TeX puts in an \escapechar (i.e., `@') at the beginning of the help % message, so this ends up printing `@group can only ...'. % \newhelp\groupinvalidhelp{% group can only be used in environments such as @example,^^J% where each line of input produces a line of output.} % @need space-in-mils % forces a page break if there is not space-in-mils remaining. \newdimen\mil \mil=0.001in % Old definition--didn't work. %\parseargdef\need{\par % %% This method tries to make TeX break the page naturally %% if the depth of the box does not fit. %{\baselineskip=0pt% %\vtop to #1\mil{\vfil}\kern -#1\mil\nobreak %\prevdepth=-1000pt %}} \parseargdef\need{% % Ensure vertical mode, so we don't make a big box in the middle of a % paragraph. \par % % If the @need value is less than one line space, it's useless. \dimen0 = #1\mil \dimen2 = \ht\strutbox \advance\dimen2 by \dp\strutbox \ifdim\dimen0 > \dimen2 % % Do a \strut just to make the height of this box be normal, so the % normal leading is inserted relative to the preceding line. % And a page break here is fine. \vtop to #1\mil{\strut\vfil}% % % TeX does not even consider page breaks if a penalty added to the % main vertical list is 10000 or more. But in order to see if the % empty box we just added fits on the page, we must make it consider % page breaks. On the other hand, we don't want to actually break the % page after the empty box. So we use a penalty of 9999. % % There is an extremely small chance that TeX will actually break the % page at this \penalty, if there are no other feasible breakpoints in % sight. (If the user is using lots of big @group commands, which % almost-but-not-quite fill up a page, TeX will have a hard time doing % good page breaking, for example.) However, I could not construct an % example where a page broke at this \penalty; if it happens in a real % document, then we can reconsider our strategy. \penalty9999 % % Back up by the size of the box, whether we did a page break or not. \kern -#1\mil % % Do not allow a page break right after this kern. \nobreak \fi } % @br forces paragraph break (and is undocumented). \let\br = \par % @page forces the start of a new page. % \def\page{\par\vfill\supereject} % @exdent text.... % outputs text on separate line in roman font, starting at standard page margin % This records the amount of indent in the innermost environment. % That's how much \exdent should take out. \newskip\exdentamount % This defn is used inside fill environments such as @defun. \parseargdef\exdent{\hfil\break\hbox{\kern -\exdentamount{\rm#1}}\hfil\break} % This defn is used inside nofill environments such as @example. \parseargdef\nofillexdent{{\advance \leftskip by -\exdentamount \leftline{\hskip\leftskip{\rm#1}}}} % @inmargin{WHICH}{TEXT} puts TEXT in the WHICH margin next to the current % paragraph. For more general purposes, use the \margin insertion % class. WHICH is `l' or `r'. % \newskip\inmarginspacing \inmarginspacing=1cm \def\strutdepth{\dp\strutbox} % \def\doinmargin#1#2{\strut\vadjust{% \nobreak \kern-\strutdepth \vtop to \strutdepth{% \baselineskip=\strutdepth \vss % if you have multiple lines of stuff to put here, you'll need to % make the vbox yourself of the appropriate size. \ifx#1l% \llap{\ignorespaces #2\hskip\inmarginspacing}% \else \rlap{\hskip\hsize \hskip\inmarginspacing \ignorespaces #2}% \fi \null }% }} \def\inleftmargin{\doinmargin l} \def\inrightmargin{\doinmargin r} % % @inmargin{TEXT [, RIGHT-TEXT]} % (if RIGHT-TEXT is given, use TEXT for left page, RIGHT-TEXT for right; % else use TEXT for both). % \def\inmargin#1{\parseinmargin #1,,\finish} \def\parseinmargin#1,#2,#3\finish{% not perfect, but better than nothing. \setbox0 = \hbox{\ignorespaces #2}% \ifdim\wd0 > 0pt \def\lefttext{#1}% have both texts \def\righttext{#2}% \else \def\lefttext{#1}% have only one text \def\righttext{#1}% \fi % \ifodd\pageno \def\temp{\inrightmargin\righttext}% odd page -> outside is right margin \else \def\temp{\inleftmargin\lefttext}% \fi \temp } % @include FILE -- \input text of FILE. % \def\include{\parseargusing\filenamecatcodes\includezzz} \def\includezzz#1{% \pushthisfilestack \def\thisfile{#1}% {% \makevalueexpandable % we want to expand any @value in FILE. \turnoffactive % and allow special characters in the expansion \indexnofonts % Allow `@@' and other weird things in file names. \edef\temp{\noexpand\input #1 }% % % This trickery is to read FILE outside of a group, in case it makes % definitions, etc. \expandafter }\temp \popthisfilestack } \def\filenamecatcodes{% \catcode`\\=\other \catcode`~=\other \catcode`^=\other \catcode`_=\other \catcode`|=\other \catcode`<=\other \catcode`>=\other \catcode`+=\other \catcode`-=\other \catcode`\`=\other \catcode`\'=\other } \def\pushthisfilestack{% \expandafter\pushthisfilestackX\popthisfilestack\StackTerm } \def\pushthisfilestackX{% \expandafter\pushthisfilestackY\thisfile\StackTerm } \def\pushthisfilestackY #1\StackTerm #2\StackTerm {% \gdef\popthisfilestack{\gdef\thisfile{#1}\gdef\popthisfilestack{#2}}% } \def\popthisfilestack{\errthisfilestackempty} \def\errthisfilestackempty{\errmessage{Internal error: the stack of filenames is empty.}} \def\thisfile{} % @center line % outputs that line, centered. % \parseargdef\center{% \ifhmode \let\next\centerH \else \let\next\centerV \fi \next{\hfil \ignorespaces#1\unskip \hfil}% } \def\centerH#1{% {% \hfil\break \advance\hsize by -\leftskip \advance\hsize by -\rightskip \line{#1}% \break }% } \def\centerV#1{\line{\kern\leftskip #1\kern\rightskip}} % @sp n outputs n lines of vertical space \parseargdef\sp{\vskip #1\baselineskip} % @comment ...line which is ignored... % @c is the same as @comment % @ignore ... @end ignore is another way to write a comment \def\comment{\begingroup \catcode`\^^M=\other% \catcode`\@=\other \catcode`\{=\other \catcode`\}=\other% \commentxxx} {\catcode`\^^M=\other \gdef\commentxxx#1^^M{\endgroup}} \let\c=\comment % @paragraphindent NCHARS % We'll use ems for NCHARS, close enough. % NCHARS can also be the word `asis' or `none'. % We cannot feasibly implement @paragraphindent asis, though. % \def\asisword{asis} % no translation, these are keywords \def\noneword{none} % \parseargdef\paragraphindent{% \def\temp{#1}% \ifx\temp\asisword \else \ifx\temp\noneword \defaultparindent = 0pt \else \defaultparindent = #1em \fi \fi \parindent = \defaultparindent } % @exampleindent NCHARS % We'll use ems for NCHARS like @paragraphindent. % It seems @exampleindent asis isn't necessary, but % I preserve it to make it similar to @paragraphindent. \parseargdef\exampleindent{% \def\temp{#1}% \ifx\temp\asisword \else \ifx\temp\noneword \lispnarrowing = 0pt \else \lispnarrowing = #1em \fi \fi } % @firstparagraphindent WORD % If WORD is `none', then suppress indentation of the first paragraph % after a section heading. If WORD is `insert', then do indent at such % paragraphs. % % The paragraph indentation is suppressed or not by calling % \suppressfirstparagraphindent, which the sectioning commands do. % We switch the definition of this back and forth according to WORD. % By default, we suppress indentation. % \def\suppressfirstparagraphindent{\dosuppressfirstparagraphindent} \def\insertword{insert} % \parseargdef\firstparagraphindent{% \def\temp{#1}% \ifx\temp\noneword \let\suppressfirstparagraphindent = \dosuppressfirstparagraphindent \else\ifx\temp\insertword \let\suppressfirstparagraphindent = \relax \else \errhelp = \EMsimple \errmessage{Unknown @firstparagraphindent option `\temp'}% \fi\fi } % Here is how we actually suppress indentation. Redefine \everypar to % \kern backwards by \parindent, and then reset itself to empty. % % We also make \indent itself not actually do anything until the next % paragraph. % \gdef\dosuppressfirstparagraphindent{% \gdef\indent{% \restorefirstparagraphindent \indent }% \gdef\noindent{% \restorefirstparagraphindent \noindent }% \global\everypar = {% \kern -\parindent \restorefirstparagraphindent }% } \gdef\restorefirstparagraphindent{% \global \let \indent = \ptexindent \global \let \noindent = \ptexnoindent \global \everypar = {}% } % @asis just yields its argument. Used with @table, for example. % \def\asis#1{#1} % @math outputs its argument in math mode. % % One complication: _ usually means subscripts, but it could also mean % an actual _ character, as in @math{@var{some_variable} + 1}. So make % _ active, and distinguish by seeing if the current family is \slfam, % which is what @var uses. { \catcode`\_ = \active \gdef\mathunderscore{% \catcode`\_=\active \def_{\ifnum\fam=\slfam \_\else\sb\fi}% } } % Another complication: we want \\ (and @\) to output a \ character. % FYI, plain.tex uses \\ as a temporary control sequence (why?), but % this is not advertised and we don't care. Texinfo does not % otherwise define @\. % % The \mathchar is class=0=ordinary, family=7=ttfam, position=5C=\. \def\mathbackslash{\ifnum\fam=\ttfam \mathchar"075C \else\backslash \fi} % \def\math{% \tex \mathunderscore \let\\ = \mathbackslash \mathactive % make the texinfo accent commands work in math mode \let\"=\ddot \let\'=\acute \let\==\bar \let\^=\hat \let\`=\grave \let\u=\breve \let\v=\check \let\~=\tilde \let\dotaccent=\dot $\finishmath } \def\finishmath#1{#1$\endgroup} % Close the group opened by \tex. % Some active characters (such as <) are spaced differently in math. % We have to reset their definitions in case the @math was an argument % to a command which sets the catcodes (such as @item or @section). % { \catcode`^ = \active \catcode`< = \active \catcode`> = \active \catcode`+ = \active \catcode`' = \active \gdef\mathactive{% \let^ = \ptexhat \let< = \ptexless \let> = \ptexgtr \let+ = \ptexplus \let' = \ptexquoteright } } % Some math mode symbols. \def\bullet{$\ptexbullet$} \def\geq{\ifmmode \ge\else $\ge$\fi} \def\leq{\ifmmode \le\else $\le$\fi} \def\minus{\ifmmode -\else $-$\fi} % @dots{} outputs an ellipsis using the current font. % We do .5em per period so that it has the same spacing in the cm % typewriter fonts as three actual period characters; on the other hand, % in other typewriter fonts three periods are wider than 1.5em. So do % whichever is larger. % \def\dots{% \leavevmode \setbox0=\hbox{...}% get width of three periods \ifdim\wd0 > 1.5em \dimen0 = \wd0 \else \dimen0 = 1.5em \fi \hbox to \dimen0{% \hskip 0pt plus.25fil .\hskip 0pt plus1fil .\hskip 0pt plus1fil .\hskip 0pt plus.5fil }% } % @enddots{} is an end-of-sentence ellipsis. % \def\enddots{% \dots \spacefactor=\endofsentencespacefactor } % @comma{} is so commas can be inserted into text without messing up % Texinfo's parsing. % \let\comma = , % @refill is a no-op. \let\refill=\relax % If working on a large document in chapters, it is convenient to % be able to disable indexing, cross-referencing, and contents, for test runs. % This is done with @novalidate (before @setfilename). % \newif\iflinks \linkstrue % by default we want the aux files. \let\novalidate = \linksfalse % @setfilename is done at the beginning of every texinfo file. % So open here the files we need to have open while reading the input. % This makes it possible to make a .fmt file for texinfo. \def\setfilename{% \fixbackslash % Turn off hack to swallow `\input texinfo'. \iflinks \tryauxfile % Open the new aux file. TeX will close it automatically at exit. \immediate\openout\auxfile=\jobname.aux \fi % \openindices needs to do some work in any case. \openindices \let\setfilename=\comment % Ignore extra @setfilename cmds. % % If texinfo.cnf is present on the system, read it. % Useful for site-wide @afourpaper, etc. \openin 1 texinfo.cnf \ifeof 1 \else \input texinfo.cnf \fi \closein 1 % \comment % Ignore the actual filename. } % Called from \setfilename. % \def\openindices{% \newindex{cp}% \newcodeindex{fn}% \newcodeindex{vr}% \newcodeindex{tp}% \newcodeindex{ky}% \newcodeindex{pg}% } % @bye. \outer\def\bye{\pagealignmacro\tracingstats=1\ptexend} \message{pdf,} % adobe `portable' document format \newcount\tempnum \newcount\lnkcount \newtoks\filename \newcount\filenamelength \newcount\pgn \newtoks\toksA \newtoks\toksB \newtoks\toksC \newtoks\toksD \newbox\boxA \newcount\countA \newif\ifpdf \newif\ifpdfmakepagedest % when pdftex is run in dvi mode, \pdfoutput is defined (so \pdfoutput=1 % can be set). So we test for \relax and 0 as well as \undefined, % borrowed from ifpdf.sty. \ifx\pdfoutput\undefined \else \ifx\pdfoutput\relax \else \ifcase\pdfoutput \else \pdftrue \fi \fi \fi % PDF uses PostScript string constants for the names of xref targets, % for display in the outlines, and in other places. Thus, we have to % double any backslashes. Otherwise, a name like "\node" will be % interpreted as a newline (\n), followed by o, d, e. Not good. % http://www.ntg.nl/pipermail/ntg-pdftex/2004-July/000654.html % (and related messages, the final outcome is that it is up to the TeX % user to double the backslashes and otherwise make the string valid, so % that's what we do). % double active backslashes. % {\catcode`\@=0 \catcode`\\=\active @gdef@activebackslashdouble{% @catcode`@\=@active @let\=@doublebackslash} } % To handle parens, we must adopt a different approach, since parens are % not active characters. hyperref.dtx (which has the same problem as % us) handles it with this amazing macro to replace tokens, with minor % changes for Texinfo. It is included here under the GPL by permission % from the author, Heiko Oberdiek. % % #1 is the tokens to replace. % #2 is the replacement. % #3 is the control sequence with the string. % \def\HyPsdSubst#1#2#3{% \def\HyPsdReplace##1#1##2\END{% ##1% \ifx\\##2\\% \else #2% \HyReturnAfterFi{% \HyPsdReplace##2\END }% \fi }% \xdef#3{\expandafter\HyPsdReplace#3#1\END}% } \long\def\HyReturnAfterFi#1\fi{\fi#1} % #1 is a control sequence in which to do the replacements. \def\backslashparens#1{% \xdef#1{#1}% redefine it as its expansion; the definition is simply % \lastnode when called from \setref -> \pdfmkdest. \HyPsdSubst{(}{\realbackslash(}{#1}% \HyPsdSubst{)}{\realbackslash)}{#1}% } \newhelp\nopdfimagehelp{Texinfo supports .png, .jpg, .jpeg, and .pdf images with PDF output, and none of those formats could be found. (.eps cannot be supported due to the design of the PDF format; use regular TeX (DVI output) for that.)} \ifpdf % % Color manipulation macros based on pdfcolor.tex. \def\cmykDarkRed{0.28 1 1 0.35} \def\cmykBlack{0 0 0 1} % % k sets the color for filling (usual text, etc.); % K sets the color for stroking (thin rules, e.g., normal _'s). \def\pdfsetcolor#1{\pdfliteral{#1 k #1 K}} % % Set color, and create a mark which defines \thiscolor accordingly, % so that \makeheadline knows which color to restore. \def\setcolor#1{% \xdef\lastcolordefs{\gdef\noexpand\thiscolor{#1}}% \domark \pdfsetcolor{#1}% } % \def\maincolor{\cmykBlack} \pdfsetcolor{\maincolor} \edef\thiscolor{\maincolor} \def\lastcolordefs{} % \def\makefootline{% \baselineskip24pt \line{\pdfsetcolor{\maincolor}\the\footline}% } % \def\makeheadline{% \vbox to 0pt{% \vskip-22.5pt \line{% \vbox to8.5pt{}% % Extract \thiscolor definition from the marks. \getcolormarks % Typeset the headline with \maincolor, then restore the color. \pdfsetcolor{\maincolor}\the\headline\pdfsetcolor{\thiscolor}% }% \vss }% \nointerlineskip } % % \pdfcatalog{/PageMode /UseOutlines} % % #1 is image name, #2 width (might be empty/whitespace), #3 height (ditto). \def\dopdfimage#1#2#3{% \def\imagewidth{#2}\setbox0 = \hbox{\ignorespaces #2}% \def\imageheight{#3}\setbox2 = \hbox{\ignorespaces #3}% % % pdftex (and the PDF format) support .png, .jpg, .pdf (among % others). Let's try in that order. \let\pdfimgext=\empty \begingroup \openin 1 #1.png \ifeof 1 \openin 1 #1.jpg \ifeof 1 \openin 1 #1.jpeg \ifeof 1 \openin 1 #1.JPG \ifeof 1 \openin 1 #1.pdf \ifeof 1 \openin 1 #1.PDF \ifeof 1 \errhelp = \nopdfimagehelp \errmessage{Could not find image file #1 for pdf}% \else \gdef\pdfimgext{PDF}% \fi \else \gdef\pdfimgext{pdf}% \fi \else \gdef\pdfimgext{JPG}% \fi \else \gdef\pdfimgext{jpeg}% \fi \else \gdef\pdfimgext{jpg}% \fi \else \gdef\pdfimgext{png}% \fi \closein 1 \endgroup % % without \immediate, ancient pdftex seg faults when the same image is % included twice. (Version 3.14159-pre-1.0-unofficial-20010704.) \ifnum\pdftexversion < 14 \immediate\pdfimage \else \immediate\pdfximage \fi \ifdim \wd0 >0pt width \imagewidth \fi \ifdim \wd2 >0pt height \imageheight \fi \ifnum\pdftexversion<13 #1.\pdfimgext \else {#1.\pdfimgext}% \fi \ifnum\pdftexversion < 14 \else \pdfrefximage \pdflastximage \fi} % \def\pdfmkdest#1{{% % We have to set dummies so commands such as @code, and characters % such as \, aren't expanded when present in a section title. \indexnofonts \turnoffactive \activebackslashdouble \makevalueexpandable \def\pdfdestname{#1}% \backslashparens\pdfdestname \safewhatsit{\pdfdest name{\pdfdestname} xyz}% }} % % used to mark target names; must be expandable. \def\pdfmkpgn#1{#1} % % by default, use a color that is dark enough to print on paper as % nearly black, but still distinguishable for online viewing. \def\urlcolor{\cmykDarkRed} \def\linkcolor{\cmykDarkRed} \def\endlink{\setcolor{\maincolor}\pdfendlink} % % Adding outlines to PDF; macros for calculating structure of outlines % come from Petr Olsak \def\expnumber#1{\expandafter\ifx\csname#1\endcsname\relax 0% \else \csname#1\endcsname \fi} \def\advancenumber#1{\tempnum=\expnumber{#1}\relax \advance\tempnum by 1 \expandafter\xdef\csname#1\endcsname{\the\tempnum}} % % #1 is the section text, which is what will be displayed in the % outline by the pdf viewer. #2 is the pdf expression for the number % of subentries (or empty, for subsubsections). #3 is the node text, % which might be empty if this toc entry had no corresponding node. % #4 is the page number % \def\dopdfoutline#1#2#3#4{% % Generate a link to the node text if that exists; else, use the % page number. We could generate a destination for the section % text in the case where a section has no node, but it doesn't % seem worth the trouble, since most documents are normally structured. \def\pdfoutlinedest{#3}% \ifx\pdfoutlinedest\empty \def\pdfoutlinedest{#4}% \else % Doubled backslashes in the name. {\activebackslashdouble \xdef\pdfoutlinedest{#3}% \backslashparens\pdfoutlinedest}% \fi % % Also double the backslashes in the display string. {\activebackslashdouble \xdef\pdfoutlinetext{#1}% \backslashparens\pdfoutlinetext}% % \pdfoutline goto name{\pdfmkpgn{\pdfoutlinedest}}#2{\pdfoutlinetext}% } % \def\pdfmakeoutlines{% \begingroup % Thanh's hack / proper braces in bookmarks \edef\mylbrace{\iftrue \string{\else}\fi}\let\{=\mylbrace \edef\myrbrace{\iffalse{\else\string}\fi}\let\}=\myrbrace % % Read toc silently, to get counts of subentries for \pdfoutline. \def\numchapentry##1##2##3##4{% \def\thischapnum{##2}% \def\thissecnum{0}% \def\thissubsecnum{0}% }% \def\numsecentry##1##2##3##4{% \advancenumber{chap\thischapnum}% \def\thissecnum{##2}% \def\thissubsecnum{0}% }% \def\numsubsecentry##1##2##3##4{% \advancenumber{sec\thissecnum}% \def\thissubsecnum{##2}% }% \def\numsubsubsecentry##1##2##3##4{% \advancenumber{subsec\thissubsecnum}% }% \def\thischapnum{0}% \def\thissecnum{0}% \def\thissubsecnum{0}% % % use \def rather than \let here because we redefine \chapentry et % al. a second time, below. \def\appentry{\numchapentry}% \def\appsecentry{\numsecentry}% \def\appsubsecentry{\numsubsecentry}% \def\appsubsubsecentry{\numsubsubsecentry}% \def\unnchapentry{\numchapentry}% \def\unnsecentry{\numsecentry}% \def\unnsubsecentry{\numsubsecentry}% \def\unnsubsubsecentry{\numsubsubsecentry}% \readdatafile{toc}% % % Read toc second time, this time actually producing the outlines. % The `-' means take the \expnumber as the absolute number of % subentries, which we calculated on our first read of the .toc above. % % We use the node names as the destinations. \def\numchapentry##1##2##3##4{% \dopdfoutline{##1}{count-\expnumber{chap##2}}{##3}{##4}}% \def\numsecentry##1##2##3##4{% \dopdfoutline{##1}{count-\expnumber{sec##2}}{##3}{##4}}% \def\numsubsecentry##1##2##3##4{% \dopdfoutline{##1}{count-\expnumber{subsec##2}}{##3}{##4}}% \def\numsubsubsecentry##1##2##3##4{% count is always zero \dopdfoutline{##1}{}{##3}{##4}}% % % PDF outlines are displayed using system fonts, instead of % document fonts. Therefore we cannot use special characters, % since the encoding is unknown. For example, the eogonek from % Latin 2 (0xea) gets translated to a | character. Info from % Staszek Wawrykiewicz, 19 Jan 2004 04:09:24 +0100. % % xx to do this right, we have to translate 8-bit characters to % their "best" equivalent, based on the @documentencoding. Right % now, I guess we'll just let the pdf reader have its way. \indexnofonts \setupdatafile \catcode`\\=\active \otherbackslash \input \tocreadfilename \endgroup } % \def\skipspaces#1{\def\PP{#1}\def\D{|}% \ifx\PP\D\let\nextsp\relax \else\let\nextsp\skipspaces \ifx\p\space\else\addtokens{\filename}{\PP}% \advance\filenamelength by 1 \fi \fi \nextsp} \def\getfilename#1{\filenamelength=0\expandafter\skipspaces#1|\relax} \ifnum\pdftexversion < 14 \let \startlink \pdfannotlink \else \let \startlink \pdfstartlink \fi % make a live url in pdf output. \def\pdfurl#1{% \begingroup % it seems we really need yet another set of dummies; have not % tried to figure out what each command should do in the context % of @url. for now, just make @/ a no-op, that's the only one % people have actually reported a problem with. % \normalturnoffactive \def\@{@}% \let\/=\empty \makevalueexpandable % do we want to go so far as to use \indexnofonts instead of just % special-casing \var here? \def\var##1{##1}% % \leavevmode\setcolor{\urlcolor}% \startlink attr{/Border [0 0 0]}% user{/Subtype /Link /A << /S /URI /URI (#1) >>}% \endgroup} \def\pdfgettoks#1.{\setbox\boxA=\hbox{\toksA={#1.}\toksB={}\maketoks}} \def\addtokens#1#2{\edef\addtoks{\noexpand#1={\the#1#2}}\addtoks} \def\adn#1{\addtokens{\toksC}{#1}\global\countA=1\let\next=\maketoks} \def\poptoks#1#2|ENDTOKS|{\let\first=#1\toksD={#1}\toksA={#2}} \def\maketoks{% \expandafter\poptoks\the\toksA|ENDTOKS|\relax \ifx\first0\adn0 \else\ifx\first1\adn1 \else\ifx\first2\adn2 \else\ifx\first3\adn3 \else\ifx\first4\adn4 \else\ifx\first5\adn5 \else\ifx\first6\adn6 \else\ifx\first7\adn7 \else\ifx\first8\adn8 \else\ifx\first9\adn9 \else \ifnum0=\countA\else\makelink\fi \ifx\first.\let\next=\done\else \let\next=\maketoks \addtokens{\toksB}{\the\toksD} \ifx\first,\addtokens{\toksB}{\space}\fi \fi \fi\fi\fi\fi\fi\fi\fi\fi\fi\fi \next} \def\makelink{\addtokens{\toksB}% {\noexpand\pdflink{\the\toksC}}\toksC={}\global\countA=0} \def\pdflink#1{% \startlink attr{/Border [0 0 0]} goto name{\pdfmkpgn{#1}} \setcolor{\linkcolor}#1\endlink} \def\done{\edef\st{\global\noexpand\toksA={\the\toksB}}\st} \else % non-pdf mode \let\pdfmkdest = \gobble \let\pdfurl = \gobble \let\endlink = \relax \let\setcolor = \gobble \let\pdfsetcolor = \gobble \let\pdfmakeoutlines = \relax \fi % \ifx\pdfoutput \message{fonts,} % Change the current font style to #1, remembering it in \curfontstyle. % For now, we do not accumulate font styles: @b{@i{foo}} prints foo in % italics, not bold italics. % \def\setfontstyle#1{% \def\curfontstyle{#1}% not as a control sequence, because we are \edef'd. \csname ten#1\endcsname % change the current font } % Select #1 fonts with the current style. % \def\selectfonts#1{\csname #1fonts\endcsname \csname\curfontstyle\endcsname} \def\rm{\fam=0 \setfontstyle{rm}} \def\it{\fam=\itfam \setfontstyle{it}} \def\sl{\fam=\slfam \setfontstyle{sl}} \def\bf{\fam=\bffam \setfontstyle{bf}}\def\bfstylename{bf} \def\tt{\fam=\ttfam \setfontstyle{tt}} % Unfortunately, we have to override this for titles and the like, since % in those cases "rm" is bold. Sigh. \def\rmisbold{\rm\def\curfontstyle{bf}} % Texinfo sort of supports the sans serif font style, which plain TeX does not. % So we set up a \sf. \newfam\sffam \def\sf{\fam=\sffam \setfontstyle{sf}} \let\li = \sf % Sometimes we call it \li, not \sf. % We don't need math for this font style. \def\ttsl{\setfontstyle{ttsl}} % Default leading. \newdimen\textleading \textleading = 13.2pt % Set the baselineskip to #1, and the lineskip and strut size % correspondingly. There is no deep meaning behind these magic numbers % used as factors; they just match (closely enough) what Knuth defined. % \def\lineskipfactor{.08333} \def\strutheightpercent{.70833} \def\strutdepthpercent {.29167} % % can get a sort of poor man's double spacing by redefining this. \def\baselinefactor{1} % \def\setleading#1{% \dimen0 = #1\relax \normalbaselineskip = \baselinefactor\dimen0 \normallineskip = \lineskipfactor\normalbaselineskip \normalbaselines \setbox\strutbox =\hbox{% \vrule width0pt height\strutheightpercent\baselineskip depth \strutdepthpercent \baselineskip }% } % PDF CMaps. See also LaTeX's t1.cmap. % % do nothing with this by default. \expandafter\let\csname cmapOT1\endcsname\gobble \expandafter\let\csname cmapOT1IT\endcsname\gobble \expandafter\let\csname cmapOT1TT\endcsname\gobble % if we are producing pdf, and we have \pdffontattr, then define cmaps. % (\pdffontattr was introduced many years ago, but people still run % older pdftex's; it's easy to conditionalize, so we do.) \ifpdf \ifx\pdffontattr\undefined \else \begingroup \catcode`\^^M=\active \def^^M{^^J}% Output line endings as the ^^J char. \catcode`\%=12 \immediate\pdfobj stream {%!PS-Adobe-3.0 Resource-CMap %%DocumentNeededResources: ProcSet (CIDInit) %%IncludeResource: ProcSet (CIDInit) %%BeginResource: CMap (TeX-OT1-0) %%Title: (TeX-OT1-0 TeX OT1 0) %%Version: 1.000 %%EndComments /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo << /Registry (TeX) /Ordering (OT1) /Supplement 0 >> def /CMapName /TeX-OT1-0 def /CMapType 2 def 1 begincodespacerange <00> <7F> endcodespacerange 8 beginbfrange <00> <01> <0393> <09> <0A> <03A8> <23> <26> <0023> <28> <3B> <0028> <3F> <5B> <003F> <5D> <5E> <005D> <61> <7A> <0061> <7B> <7C> <2013> endbfrange 40 beginbfchar <02> <0398> <03> <039B> <04> <039E> <05> <03A0> <06> <03A3> <07> <03D2> <08> <03A6> <0B> <00660066> <0C> <00660069> <0D> <0066006C> <0E> <006600660069> <0F> <00660066006C> <10> <0131> <11> <0237> <12> <0060> <13> <00B4> <14> <02C7> <15> <02D8> <16> <00AF> <17> <02DA> <18> <00B8> <19> <00DF> <1A> <00E6> <1B> <0153> <1C> <00F8> <1D> <00C6> <1E> <0152> <1F> <00D8> <21> <0021> <22> <201D> <27> <2019> <3C> <00A1> <3D> <003D> <3E> <00BF> <5C> <201C> <5F> <02D9> <60> <2018> <7D> <02DD> <7E> <007E> <7F> <00A8> endbfchar endcmap CMapName currentdict /CMap defineresource pop end end %%EndResource %%EOF }\endgroup \expandafter\edef\csname cmapOT1\endcsname#1{% \pdffontattr#1{/ToUnicode \the\pdflastobj\space 0 R}% }% % % \cmapOT1IT \begingroup \catcode`\^^M=\active \def^^M{^^J}% Output line endings as the ^^J char. \catcode`\%=12 \immediate\pdfobj stream {%!PS-Adobe-3.0 Resource-CMap %%DocumentNeededResources: ProcSet (CIDInit) %%IncludeResource: ProcSet (CIDInit) %%BeginResource: CMap (TeX-OT1IT-0) %%Title: (TeX-OT1IT-0 TeX OT1IT 0) %%Version: 1.000 %%EndComments /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo << /Registry (TeX) /Ordering (OT1IT) /Supplement 0 >> def /CMapName /TeX-OT1IT-0 def /CMapType 2 def 1 begincodespacerange <00> <7F> endcodespacerange 8 beginbfrange <00> <01> <0393> <09> <0A> <03A8> <25> <26> <0025> <28> <3B> <0028> <3F> <5B> <003F> <5D> <5E> <005D> <61> <7A> <0061> <7B> <7C> <2013> endbfrange 42 beginbfchar <02> <0398> <03> <039B> <04> <039E> <05> <03A0> <06> <03A3> <07> <03D2> <08> <03A6> <0B> <00660066> <0C> <00660069> <0D> <0066006C> <0E> <006600660069> <0F> <00660066006C> <10> <0131> <11> <0237> <12> <0060> <13> <00B4> <14> <02C7> <15> <02D8> <16> <00AF> <17> <02DA> <18> <00B8> <19> <00DF> <1A> <00E6> <1B> <0153> <1C> <00F8> <1D> <00C6> <1E> <0152> <1F> <00D8> <21> <0021> <22> <201D> <23> <0023> <24> <00A3> <27> <2019> <3C> <00A1> <3D> <003D> <3E> <00BF> <5C> <201C> <5F> <02D9> <60> <2018> <7D> <02DD> <7E> <007E> <7F> <00A8> endbfchar endcmap CMapName currentdict /CMap defineresource pop end end %%EndResource %%EOF }\endgroup \expandafter\edef\csname cmapOT1IT\endcsname#1{% \pdffontattr#1{/ToUnicode \the\pdflastobj\space 0 R}% }% % % \cmapOT1TT \begingroup \catcode`\^^M=\active \def^^M{^^J}% Output line endings as the ^^J char. \catcode`\%=12 \immediate\pdfobj stream {%!PS-Adobe-3.0 Resource-CMap %%DocumentNeededResources: ProcSet (CIDInit) %%IncludeResource: ProcSet (CIDInit) %%BeginResource: CMap (TeX-OT1TT-0) %%Title: (TeX-OT1TT-0 TeX OT1TT 0) %%Version: 1.000 %%EndComments /CIDInit /ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo << /Registry (TeX) /Ordering (OT1TT) /Supplement 0 >> def /CMapName /TeX-OT1TT-0 def /CMapType 2 def 1 begincodespacerange <00> <7F> endcodespacerange 5 beginbfrange <00> <01> <0393> <09> <0A> <03A8> <21> <26> <0021> <28> <5F> <0028> <61> <7E> <0061> endbfrange 32 beginbfchar <02> <0398> <03> <039B> <04> <039E> <05> <03A0> <06> <03A3> <07> <03D2> <08> <03A6> <0B> <2191> <0C> <2193> <0D> <0027> <0E> <00A1> <0F> <00BF> <10> <0131> <11> <0237> <12> <0060> <13> <00B4> <14> <02C7> <15> <02D8> <16> <00AF> <17> <02DA> <18> <00B8> <19> <00DF> <1A> <00E6> <1B> <0153> <1C> <00F8> <1D> <00C6> <1E> <0152> <1F> <00D8> <20> <2423> <27> <2019> <60> <2018> <7F> <00A8> endbfchar endcmap CMapName currentdict /CMap defineresource pop end end %%EndResource %%EOF }\endgroup \expandafter\edef\csname cmapOT1TT\endcsname#1{% \pdffontattr#1{/ToUnicode \the\pdflastobj\space 0 R}% }% \fi\fi % Set the font macro #1 to the font named #2, adding on the % specified font prefix (normally `cm'). % #3 is the font's design size, #4 is a scale factor, #5 is the CMap % encoding (currently only OT1, OT1IT and OT1TT are allowed, pass % empty to omit). \def\setfont#1#2#3#4#5{% \font#1=\fontprefix#2#3 scaled #4 \csname cmap#5\endcsname#1% } % This is what gets called when #5 of \setfont is empty. \let\cmap\gobble % emacs-page end of cmaps % Use cm as the default font prefix. % To specify the font prefix, you must define \fontprefix % before you read in texinfo.tex. \ifx\fontprefix\undefined \def\fontprefix{cm} \fi % Support font families that don't use the same naming scheme as CM. \def\rmshape{r} \def\rmbshape{bx} %where the normal face is bold \def\bfshape{b} \def\bxshape{bx} \def\ttshape{tt} \def\ttbshape{tt} \def\ttslshape{sltt} \def\itshape{ti} \def\itbshape{bxti} \def\slshape{sl} \def\slbshape{bxsl} \def\sfshape{ss} \def\sfbshape{ss} \def\scshape{csc} \def\scbshape{csc} % Definitions for a main text size of 11pt. This is the default in % Texinfo. % \def\definetextfontsizexi{% % Text fonts (11.2pt, magstep1). \def\textnominalsize{11pt} \edef\mainmagstep{\magstephalf} \setfont\textrm\rmshape{10}{\mainmagstep}{OT1} \setfont\texttt\ttshape{10}{\mainmagstep}{OT1TT} \setfont\textbf\bfshape{10}{\mainmagstep}{OT1} \setfont\textit\itshape{10}{\mainmagstep}{OT1IT} \setfont\textsl\slshape{10}{\mainmagstep}{OT1} \setfont\textsf\sfshape{10}{\mainmagstep}{OT1} \setfont\textsc\scshape{10}{\mainmagstep}{OT1} \setfont\textttsl\ttslshape{10}{\mainmagstep}{OT1TT} \font\texti=cmmi10 scaled \mainmagstep \font\textsy=cmsy10 scaled \mainmagstep \def\textecsize{1095} % A few fonts for @defun names and args. \setfont\defbf\bfshape{10}{\magstep1}{OT1} \setfont\deftt\ttshape{10}{\magstep1}{OT1TT} \setfont\defttsl\ttslshape{10}{\magstep1}{OT1TT} \def\df{\let\tentt=\deftt \let\tenbf = \defbf \let\tenttsl=\defttsl \bf} % Fonts for indices, footnotes, small examples (9pt). \def\smallnominalsize{9pt} \setfont\smallrm\rmshape{9}{1000}{OT1} \setfont\smalltt\ttshape{9}{1000}{OT1TT} \setfont\smallbf\bfshape{10}{900}{OT1} \setfont\smallit\itshape{9}{1000}{OT1IT} \setfont\smallsl\slshape{9}{1000}{OT1} \setfont\smallsf\sfshape{9}{1000}{OT1} \setfont\smallsc\scshape{10}{900}{OT1} \setfont\smallttsl\ttslshape{10}{900}{OT1TT} \font\smalli=cmmi9 \font\smallsy=cmsy9 \def\smallecsize{0900} % Fonts for small examples (8pt). \def\smallernominalsize{8pt} \setfont\smallerrm\rmshape{8}{1000}{OT1} \setfont\smallertt\ttshape{8}{1000}{OT1TT} \setfont\smallerbf\bfshape{10}{800}{OT1} \setfont\smallerit\itshape{8}{1000}{OT1IT} \setfont\smallersl\slshape{8}{1000}{OT1} \setfont\smallersf\sfshape{8}{1000}{OT1} \setfont\smallersc\scshape{10}{800}{OT1} \setfont\smallerttsl\ttslshape{10}{800}{OT1TT} \font\smalleri=cmmi8 \font\smallersy=cmsy8 \def\smallerecsize{0800} % Fonts for title page (20.4pt): \def\titlenominalsize{20pt} \setfont\titlerm\rmbshape{12}{\magstep3}{OT1} \setfont\titleit\itbshape{10}{\magstep4}{OT1IT} \setfont\titlesl\slbshape{10}{\magstep4}{OT1} \setfont\titlett\ttbshape{12}{\magstep3}{OT1TT} \setfont\titlettsl\ttslshape{10}{\magstep4}{OT1TT} \setfont\titlesf\sfbshape{17}{\magstep1}{OT1} \let\titlebf=\titlerm \setfont\titlesc\scbshape{10}{\magstep4}{OT1} \font\titlei=cmmi12 scaled \magstep3 \font\titlesy=cmsy10 scaled \magstep4 \def\titleecsize{2074} % Chapter (and unnumbered) fonts (17.28pt). \def\chapnominalsize{17pt} \setfont\chaprm\rmbshape{12}{\magstep2}{OT1} \setfont\chapit\itbshape{10}{\magstep3}{OT1IT} \setfont\chapsl\slbshape{10}{\magstep3}{OT1} \setfont\chaptt\ttbshape{12}{\magstep2}{OT1TT} \setfont\chapttsl\ttslshape{10}{\magstep3}{OT1TT} \setfont\chapsf\sfbshape{17}{1000}{OT1} \let\chapbf=\chaprm \setfont\chapsc\scbshape{10}{\magstep3}{OT1} \font\chapi=cmmi12 scaled \magstep2 \font\chapsy=cmsy10 scaled \magstep3 \def\chapecsize{1728} % Section fonts (14.4pt). \def\secnominalsize{14pt} \setfont\secrm\rmbshape{12}{\magstep1}{OT1} \setfont\secit\itbshape{10}{\magstep2}{OT1IT} \setfont\secsl\slbshape{10}{\magstep2}{OT1} \setfont\sectt\ttbshape{12}{\magstep1}{OT1TT} \setfont\secttsl\ttslshape{10}{\magstep2}{OT1TT} \setfont\secsf\sfbshape{12}{\magstep1}{OT1} \let\secbf\secrm \setfont\secsc\scbshape{10}{\magstep2}{OT1} \font\seci=cmmi12 scaled \magstep1 \font\secsy=cmsy10 scaled \magstep2 \def\sececsize{1440} % Subsection fonts (13.15pt). \def\ssecnominalsize{13pt} \setfont\ssecrm\rmbshape{12}{\magstephalf}{OT1} \setfont\ssecit\itbshape{10}{1315}{OT1IT} \setfont\ssecsl\slbshape{10}{1315}{OT1} \setfont\ssectt\ttbshape{12}{\magstephalf}{OT1TT} \setfont\ssecttsl\ttslshape{10}{1315}{OT1TT} \setfont\ssecsf\sfbshape{12}{\magstephalf}{OT1} \let\ssecbf\ssecrm \setfont\ssecsc\scbshape{10}{1315}{OT1} \font\sseci=cmmi12 scaled \magstephalf \font\ssecsy=cmsy10 scaled 1315 \def\ssececsize{1200} % Reduced fonts for @acro in text (10pt). \def\reducednominalsize{10pt} \setfont\reducedrm\rmshape{10}{1000}{OT1} \setfont\reducedtt\ttshape{10}{1000}{OT1TT} \setfont\reducedbf\bfshape{10}{1000}{OT1} \setfont\reducedit\itshape{10}{1000}{OT1IT} \setfont\reducedsl\slshape{10}{1000}{OT1} \setfont\reducedsf\sfshape{10}{1000}{OT1} \setfont\reducedsc\scshape{10}{1000}{OT1} \setfont\reducedttsl\ttslshape{10}{1000}{OT1TT} \font\reducedi=cmmi10 \font\reducedsy=cmsy10 \def\reducedecsize{1000} % reset the current fonts \textfonts \rm } % end of 11pt text font size definitions % Definitions to make the main text be 10pt Computer Modern, with % section, chapter, etc., sizes following suit. This is for the GNU % Press printing of the Emacs 22 manual. Maybe other manuals in the % future. Used with @smallbook, which sets the leading to 12pt. % \def\definetextfontsizex{% % Text fonts (10pt). \def\textnominalsize{10pt} \edef\mainmagstep{1000} \setfont\textrm\rmshape{10}{\mainmagstep}{OT1} \setfont\texttt\ttshape{10}{\mainmagstep}{OT1TT} \setfont\textbf\bfshape{10}{\mainmagstep}{OT1} \setfont\textit\itshape{10}{\mainmagstep}{OT1IT} \setfont\textsl\slshape{10}{\mainmagstep}{OT1} \setfont\textsf\sfshape{10}{\mainmagstep}{OT1} \setfont\textsc\scshape{10}{\mainmagstep}{OT1} \setfont\textttsl\ttslshape{10}{\mainmagstep}{OT1TT} \font\texti=cmmi10 scaled \mainmagstep \font\textsy=cmsy10 scaled \mainmagstep \def\textecsize{1000} % A few fonts for @defun names and args. \setfont\defbf\bfshape{10}{\magstephalf}{OT1} \setfont\deftt\ttshape{10}{\magstephalf}{OT1TT} \setfont\defttsl\ttslshape{10}{\magstephalf}{OT1TT} \def\df{\let\tentt=\deftt \let\tenbf = \defbf \let\tenttsl=\defttsl \bf} % Fonts for indices, footnotes, small examples (9pt). \def\smallnominalsize{9pt} \setfont\smallrm\rmshape{9}{1000}{OT1} \setfont\smalltt\ttshape{9}{1000}{OT1TT} \setfont\smallbf\bfshape{10}{900}{OT1} \setfont\smallit\itshape{9}{1000}{OT1IT} \setfont\smallsl\slshape{9}{1000}{OT1} \setfont\smallsf\sfshape{9}{1000}{OT1} \setfont\smallsc\scshape{10}{900}{OT1} \setfont\smallttsl\ttslshape{10}{900}{OT1TT} \font\smalli=cmmi9 \font\smallsy=cmsy9 \def\smallecsize{0900} % Fonts for small examples (8pt). \def\smallernominalsize{8pt} \setfont\smallerrm\rmshape{8}{1000}{OT1} \setfont\smallertt\ttshape{8}{1000}{OT1TT} \setfont\smallerbf\bfshape{10}{800}{OT1} \setfont\smallerit\itshape{8}{1000}{OT1IT} \setfont\smallersl\slshape{8}{1000}{OT1} \setfont\smallersf\sfshape{8}{1000}{OT1} \setfont\smallersc\scshape{10}{800}{OT1} \setfont\smallerttsl\ttslshape{10}{800}{OT1TT} \font\smalleri=cmmi8 \font\smallersy=cmsy8 \def\smallerecsize{0800} % Fonts for title page (20.4pt): \def\titlenominalsize{20pt} \setfont\titlerm\rmbshape{12}{\magstep3}{OT1} \setfont\titleit\itbshape{10}{\magstep4}{OT1IT} \setfont\titlesl\slbshape{10}{\magstep4}{OT1} \setfont\titlett\ttbshape{12}{\magstep3}{OT1TT} \setfont\titlettsl\ttslshape{10}{\magstep4}{OT1TT} \setfont\titlesf\sfbshape{17}{\magstep1}{OT1} \let\titlebf=\titlerm \setfont\titlesc\scbshape{10}{\magstep4}{OT1} \font\titlei=cmmi12 scaled \magstep3 \font\titlesy=cmsy10 scaled \magstep4 \def\titleecsize{2074} % Chapter fonts (14.4pt). \def\chapnominalsize{14pt} \setfont\chaprm\rmbshape{12}{\magstep1}{OT1} \setfont\chapit\itbshape{10}{\magstep2}{OT1IT} \setfont\chapsl\slbshape{10}{\magstep2}{OT1} \setfont\chaptt\ttbshape{12}{\magstep1}{OT1TT} \setfont\chapttsl\ttslshape{10}{\magstep2}{OT1TT} \setfont\chapsf\sfbshape{12}{\magstep1}{OT1} \let\chapbf\chaprm \setfont\chapsc\scbshape{10}{\magstep2}{OT1} \font\chapi=cmmi12 scaled \magstep1 \font\chapsy=cmsy10 scaled \magstep2 \def\chapecsize{1440} % Section fonts (12pt). \def\secnominalsize{12pt} \setfont\secrm\rmbshape{12}{1000}{OT1} \setfont\secit\itbshape{10}{\magstep1}{OT1IT} \setfont\secsl\slbshape{10}{\magstep1}{OT1} \setfont\sectt\ttbshape{12}{1000}{OT1TT} \setfont\secttsl\ttslshape{10}{\magstep1}{OT1TT} \setfont\secsf\sfbshape{12}{1000}{OT1} \let\secbf\secrm \setfont\secsc\scbshape{10}{\magstep1}{OT1} \font\seci=cmmi12 \font\secsy=cmsy10 scaled \magstep1 \def\sececsize{1200} % Subsection fonts (10pt). \def\ssecnominalsize{10pt} \setfont\ssecrm\rmbshape{10}{1000}{OT1} \setfont\ssecit\itbshape{10}{1000}{OT1IT} \setfont\ssecsl\slbshape{10}{1000}{OT1} \setfont\ssectt\ttbshape{10}{1000}{OT1TT} \setfont\ssecttsl\ttslshape{10}{1000}{OT1TT} \setfont\ssecsf\sfbshape{10}{1000}{OT1} \let\ssecbf\ssecrm \setfont\ssecsc\scbshape{10}{1000}{OT1} \font\sseci=cmmi10 \font\ssecsy=cmsy10 \def\ssececsize{1000} % Reduced fonts for @acro in text (9pt). \def\reducednominalsize{9pt} \setfont\reducedrm\rmshape{9}{1000}{OT1} \setfont\reducedtt\ttshape{9}{1000}{OT1TT} \setfont\reducedbf\bfshape{10}{900}{OT1} \setfont\reducedit\itshape{9}{1000}{OT1IT} \setfont\reducedsl\slshape{9}{1000}{OT1} \setfont\reducedsf\sfshape{9}{1000}{OT1} \setfont\reducedsc\scshape{10}{900}{OT1} \setfont\reducedttsl\ttslshape{10}{900}{OT1TT} \font\reducedi=cmmi9 \font\reducedsy=cmsy9 \def\reducedecsize{0900} % reduce space between paragraphs \divide\parskip by 2 % reset the current fonts \textfonts \rm } % end of 10pt text font size definitions % We provide the user-level command % @fonttextsize 10 % (or 11) to redefine the text font size. pt is assumed. % \def\xword{10} \def\xiword{11} % \parseargdef\fonttextsize{% \def\textsizearg{#1}% \wlog{doing @fonttextsize \textsizearg}% % % Set \globaldefs so that documents can use this inside @tex, since % makeinfo 4.8 does not support it, but we need it nonetheless. % \begingroup \globaldefs=1 \ifx\textsizearg\xword \definetextfontsizex \else \ifx\textsizearg\xiword \definetextfontsizexi \else \errhelp=\EMsimple \errmessage{@fonttextsize only supports `10' or `11', not `\textsizearg'} \fi\fi \endgroup } % In order for the font changes to affect most math symbols and letters, % we have to define the \textfont of the standard families. Since % texinfo doesn't allow for producing subscripts and superscripts except % in the main text, we don't bother to reset \scriptfont and % \scriptscriptfont (which would also require loading a lot more fonts). % \def\resetmathfonts{% \textfont0=\tenrm \textfont1=\teni \textfont2=\tensy \textfont\itfam=\tenit \textfont\slfam=\tensl \textfont\bffam=\tenbf \textfont\ttfam=\tentt \textfont\sffam=\tensf } % The font-changing commands redefine the meanings of \tenSTYLE, instead % of just \STYLE. We do this because \STYLE needs to also set the % current \fam for math mode. Our \STYLE (e.g., \rm) commands hardwire % \tenSTYLE to set the current font. % % Each font-changing command also sets the names \lsize (one size lower) % and \lllsize (three sizes lower). These relative commands are used in % the LaTeX logo and acronyms. % % This all needs generalizing, badly. % \def\textfonts{% \let\tenrm=\textrm \let\tenit=\textit \let\tensl=\textsl \let\tenbf=\textbf \let\tentt=\texttt \let\smallcaps=\textsc \let\tensf=\textsf \let\teni=\texti \let\tensy=\textsy \let\tenttsl=\textttsl \def\curfontsize{text}% \def\lsize{reduced}\def\lllsize{smaller}% \resetmathfonts \setleading{\textleading}} \def\titlefonts{% \let\tenrm=\titlerm \let\tenit=\titleit \let\tensl=\titlesl \let\tenbf=\titlebf \let\tentt=\titlett \let\smallcaps=\titlesc \let\tensf=\titlesf \let\teni=\titlei \let\tensy=\titlesy \let\tenttsl=\titlettsl \def\curfontsize{title}% \def\lsize{chap}\def\lllsize{subsec}% \resetmathfonts \setleading{25pt}} \def\titlefont#1{{\titlefonts\rmisbold #1}} \def\chapfonts{% \let\tenrm=\chaprm \let\tenit=\chapit \let\tensl=\chapsl \let\tenbf=\chapbf \let\tentt=\chaptt \let\smallcaps=\chapsc \let\tensf=\chapsf \let\teni=\chapi \let\tensy=\chapsy \let\tenttsl=\chapttsl \def\curfontsize{chap}% \def\lsize{sec}\def\lllsize{text}% \resetmathfonts \setleading{19pt}} \def\secfonts{% \let\tenrm=\secrm \let\tenit=\secit \let\tensl=\secsl \let\tenbf=\secbf \let\tentt=\sectt \let\smallcaps=\secsc \let\tensf=\secsf \let\teni=\seci \let\tensy=\secsy \let\tenttsl=\secttsl \def\curfontsize{sec}% \def\lsize{subsec}\def\lllsize{reduced}% \resetmathfonts \setleading{16pt}} \def\subsecfonts{% \let\tenrm=\ssecrm \let\tenit=\ssecit \let\tensl=\ssecsl \let\tenbf=\ssecbf \let\tentt=\ssectt \let\smallcaps=\ssecsc \let\tensf=\ssecsf \let\teni=\sseci \let\tensy=\ssecsy \let\tenttsl=\ssecttsl \def\curfontsize{ssec}% \def\lsize{text}\def\lllsize{small}% \resetmathfonts \setleading{15pt}} \let\subsubsecfonts = \subsecfonts \def\reducedfonts{% \let\tenrm=\reducedrm \let\tenit=\reducedit \let\tensl=\reducedsl \let\tenbf=\reducedbf \let\tentt=\reducedtt \let\reducedcaps=\reducedsc \let\tensf=\reducedsf \let\teni=\reducedi \let\tensy=\reducedsy \let\tenttsl=\reducedttsl \def\curfontsize{reduced}% \def\lsize{small}\def\lllsize{smaller}% \resetmathfonts \setleading{10.5pt}} \def\smallfonts{% \let\tenrm=\smallrm \let\tenit=\smallit \let\tensl=\smallsl \let\tenbf=\smallbf \let\tentt=\smalltt \let\smallcaps=\smallsc \let\tensf=\smallsf \let\teni=\smalli \let\tensy=\smallsy \let\tenttsl=\smallttsl \def\curfontsize{small}% \def\lsize{smaller}\def\lllsize{smaller}% \resetmathfonts \setleading{10.5pt}} \def\smallerfonts{% \let\tenrm=\smallerrm \let\tenit=\smallerit \let\tensl=\smallersl \let\tenbf=\smallerbf \let\tentt=\smallertt \let\smallcaps=\smallersc \let\tensf=\smallersf \let\teni=\smalleri \let\tensy=\smallersy \let\tenttsl=\smallerttsl \def\curfontsize{smaller}% \def\lsize{smaller}\def\lllsize{smaller}% \resetmathfonts \setleading{9.5pt}} % Fonts for short table of contents. \setfont\shortcontrm\rmshape{12}{1000}{OT1} \setfont\shortcontbf\bfshape{10}{\magstep1}{OT1} % no cmb12 \setfont\shortcontsl\slshape{12}{1000}{OT1} \setfont\shortconttt\ttshape{12}{1000}{OT1TT} % Define these just so they can be easily changed for other fonts. \def\angleleft{$\langle$} \def\angleright{$\rangle$} % Set the fonts to use with the @small... environments. \let\smallexamplefonts = \smallfonts % About \smallexamplefonts. If we use \smallfonts (9pt), @smallexample % can fit this many characters: % 8.5x11=86 smallbook=72 a4=90 a5=69 % If we use \scriptfonts (8pt), then we can fit this many characters: % 8.5x11=90+ smallbook=80 a4=90+ a5=77 % For me, subjectively, the few extra characters that fit aren't worth % the additional smallness of 8pt. So I'm making the default 9pt. % % By the way, for comparison, here's what fits with @example (10pt): % 8.5x11=71 smallbook=60 a4=75 a5=58 % --karl, 24jan03. % Set up the default fonts, so we can use them for creating boxes. % \definetextfontsizexi \message{markup,} % Check if we are currently using a typewriter font. Since all the % Computer Modern typewriter fonts have zero interword stretch (and % shrink), and it is reasonable to expect all typewriter fonts to have % this property, we can check that font parameter. % \def\ifmonospace{\ifdim\fontdimen3\font=0pt } % Markup style infrastructure. \defmarkupstylesetup\INITMACRO will % define and register \INITMACRO to be called on markup style changes. % \INITMACRO can check \currentmarkupstyle for the innermost % style and the set of \ifmarkupSTYLE switches for all styles % currently in effect. \newif\ifmarkupvar \newif\ifmarkupsamp \newif\ifmarkupkey %\newif\ifmarkupfile % @file == @samp. %\newif\ifmarkupoption % @option == @samp. \newif\ifmarkupcode \newif\ifmarkupkbd %\newif\ifmarkupenv % @env == @code. %\newif\ifmarkupcommand % @command == @code. \newif\ifmarkuptex % @tex (and part of @math, for now). \newif\ifmarkupexample \newif\ifmarkupverb \newif\ifmarkupverbatim \let\currentmarkupstyle\empty \def\setupmarkupstyle#1{% \csname markup#1true\endcsname \def\currentmarkupstyle{#1}% \markupstylesetup } \let\markupstylesetup\empty \def\defmarkupstylesetup#1{% \expandafter\def\expandafter\markupstylesetup \expandafter{\markupstylesetup #1}% \def#1% } % Markup style setup for left and right quotes. \defmarkupstylesetup\markupsetuplq{% \expandafter\let\expandafter \temp \csname markupsetuplq\currentmarkupstyle\endcsname \ifx\temp\relax \markupsetuplqdefault \else \temp \fi } \defmarkupstylesetup\markupsetuprq{% \expandafter\let\expandafter \temp \csname markupsetuprq\currentmarkupstyle\endcsname \ifx\temp\relax \markupsetuprqdefault \else \temp \fi } { \catcode`\'=\active \catcode`\`=\active \gdef\markupsetuplqdefault{\let`\lq} \gdef\markupsetuprqdefault{\let'\rq} \gdef\markupsetcodequoteleft{\let`\codequoteleft} \gdef\markupsetcodequoteright{\let'\codequoteright} \gdef\markupsetnoligaturesquoteleft{\let`\noligaturesquoteleft} } \let\markupsetuplqcode \markupsetcodequoteleft \let\markupsetuprqcode \markupsetcodequoteright \let\markupsetuplqexample \markupsetcodequoteleft \let\markupsetuprqexample \markupsetcodequoteright \let\markupsetuplqverb \markupsetcodequoteleft \let\markupsetuprqverb \markupsetcodequoteright \let\markupsetuplqverbatim \markupsetcodequoteleft \let\markupsetuprqverbatim \markupsetcodequoteright \let\markupsetuplqsamp \markupsetnoligaturesquoteleft \let\markupsetuplqkbd \markupsetnoligaturesquoteleft % Allow an option to not replace quotes with a regular directed right % quote/apostrophe (char 0x27), but instead use the undirected quote % from cmtt (char 0x0d). The undirected quote is ugly, so don't make it % the default, but it works for pasting with more pdf viewers (at least % evince), the lilypond developers report. xpdf does work with the % regular 0x27. % \def\codequoteright{% \expandafter\ifx\csname SETtxicodequoteundirected\endcsname\relax \expandafter\ifx\csname SETcodequoteundirected\endcsname\relax '% \else \char'15 \fi \else \char'15 \fi } % % and a similar option for the left quote char vs. a grave accent. % Modern fonts display ASCII 0x60 as a grave accent, so some people like % the code environments to do likewise. % \def\codequoteleft{% \expandafter\ifx\csname SETtxicodequotebacktick\endcsname\relax \expandafter\ifx\csname SETcodequotebacktick\endcsname\relax % [Knuth] pp. 380,381,391 % \relax disables Spanish ligatures ?` and !` of \tt font. \relax`% \else \char'22 \fi \else \char'22 \fi } % [Knuth] pp. 380,381,391, disable Spanish ligatures ?` and !` of \tt font. \def\noligaturesquoteleft{\relax\lq} % Count depth in font-changes, for error checks \newcount\fontdepth \fontdepth=0 %% Add scribe-like font environments, plus @l for inline lisp (usually sans %% serif) and @ii for TeX italic % \smartitalic{ARG} outputs arg in italics, followed by an italic correction % unless the following character is such as not to need one. \def\smartitalicx{\ifx\next,\else\ifx\next-\else\ifx\next.\else \ptexslash\fi\fi\fi} \def\smartslanted#1{{\ifusingtt\ttsl\sl #1}\futurelet\next\smartitalicx} \def\smartitalic#1{{\ifusingtt\ttsl\it #1}\futurelet\next\smartitalicx} % like \smartslanted except unconditionally uses \ttsl. % @var is set to this for defun arguments. \def\ttslanted#1{{\ttsl #1}\futurelet\next\smartitalicx} % @cite is like \smartslanted except unconditionally use \sl. We never want % ttsl for book titles, do we? \def\cite#1{{\sl #1}\futurelet\next\smartitalicx} \let\i=\smartitalic \let\slanted=\smartslanted \def\var#1{{\setupmarkupstyle{var}\smartslanted{#1}}} \let\dfn=\smartslanted \let\emph=\smartitalic % Explicit font changes: @r, @sc, undocumented @ii. \def\r#1{{\rm #1}} % roman font \def\sc#1{{\smallcaps#1}} % smallcaps font \def\ii#1{{\it #1}} % italic font % @b, explicit bold. Also @strong. \def\b#1{{\bf #1}} \let\strong=\b % @sansserif, explicit sans. \def\sansserif#1{{\sf #1}} % We can't just use \exhyphenpenalty, because that only has effect at % the end of a paragraph. Restore normal hyphenation at the end of the % group within which \nohyphenation is presumably called. % \def\nohyphenation{\hyphenchar\font = -1 \aftergroup\restorehyphenation} \def\restorehyphenation{\hyphenchar\font = `- } % Set sfcode to normal for the chars that usually have another value. % Can't use plain's \frenchspacing because it uses the `\x notation, and % sometimes \x has an active definition that messes things up. % \catcode`@=11 \def\plainfrenchspacing{% \sfcode\dotChar =\@m \sfcode\questChar=\@m \sfcode\exclamChar=\@m \sfcode\colonChar=\@m \sfcode\semiChar =\@m \sfcode\commaChar =\@m \def\endofsentencespacefactor{1000}% for @. and friends } \def\plainnonfrenchspacing{% \sfcode`\.3000\sfcode`\?3000\sfcode`\!3000 \sfcode`\:2000\sfcode`\;1500\sfcode`\,1250 \def\endofsentencespacefactor{3000}% for @. and friends } \catcode`@=\other \def\endofsentencespacefactor{3000}% default % @t, explicit typewriter. \def\t#1{% {\tt \rawbackslash \plainfrenchspacing #1}% \null } % @samp. \def\samp#1{{\setupmarkupstyle{samp}\lq\tclose{#1}\rq\null}} % definition of @key that produces a lozenge. Doesn't adjust to text size. %\setfont\keyrm\rmshape{8}{1000}{OT1} %\font\keysy=cmsy9 %\def\key#1{{\keyrm\textfont2=\keysy \leavevmode\hbox{% % \raise0.4pt\hbox{\angleleft}\kern-.08em\vtop{% % \vbox{\hrule\kern-0.4pt % \hbox{\raise0.4pt\hbox{\vphantom{\angleleft}}#1}}% % \kern-0.4pt\hrule}% % \kern-.06em\raise0.4pt\hbox{\angleright}}}} % definition of @key with no lozenge. If the current font is already % monospace, don't change it; that way, we respect @kbdinputstyle. But % if it isn't monospace, then use \tt. % \def\key#1{{\setupmarkupstyle{key}% \nohyphenation \ifmonospace\else\tt\fi #1}\null} % ctrl is no longer a Texinfo command. \def\ctrl #1{{\tt \rawbackslash \hat}#1} % @file, @option are the same as @samp. \let\file=\samp \let\option=\samp % @code is a modification of @t, % which makes spaces the same size as normal in the surrounding text. \def\tclose#1{% {% % Change normal interword space to be same as for the current font. \spaceskip = \fontdimen2\font % % Switch to typewriter. \tt % % But `\ ' produces the large typewriter interword space. \def\ {{\spaceskip = 0pt{} }}% % % Turn off hyphenation. \nohyphenation % \rawbackslash \plainfrenchspacing #1% }% \null } % We *must* turn on hyphenation at `-' and `_' in @code. % Otherwise, it is too hard to avoid overfull hboxes % in the Emacs manual, the Library manual, etc. % Unfortunately, TeX uses one parameter (\hyphenchar) to control % both hyphenation at - and hyphenation within words. % We must therefore turn them both off (\tclose does that) % and arrange explicitly to hyphenate at a dash. % -- rms. { \catcode`\-=\active \catcode`\_=\active \catcode`\'=\active \catcode`\`=\active \global\let'=\rq \global\let`=\lq % default definitions % \global\def\code{\begingroup \setupmarkupstyle{code}% % The following should really be moved into \setupmarkupstyle handlers. \catcode\dashChar=\active \catcode\underChar=\active \ifallowcodebreaks \let-\codedash \let_\codeunder \else \let-\realdash \let_\realunder \fi \codex } } \def\realdash{-} \def\codedash{-\discretionary{}{}{}} \def\codeunder{% % this is all so @math{@code{var_name}+1} can work. In math mode, _ % is "active" (mathcode"8000) and \normalunderscore (or \char95, etc.) % will therefore expand the active definition of _, which is us % (inside @code that is), therefore an endless loop. \ifusingtt{\ifmmode \mathchar"075F % class 0=ordinary, family 7=ttfam, pos 0x5F=_. \else\normalunderscore \fi \discretionary{}{}{}}% {\_}% } \def\codex #1{\tclose{#1}\endgroup} % An additional complication: the above will allow breaks after, e.g., % each of the four underscores in __typeof__. This is undesirable in % some manuals, especially if they don't have long identifiers in % general. @allowcodebreaks provides a way to control this. % \newif\ifallowcodebreaks \allowcodebreakstrue \def\keywordtrue{true} \def\keywordfalse{false} \parseargdef\allowcodebreaks{% \def\txiarg{#1}% \ifx\txiarg\keywordtrue \allowcodebreakstrue \else\ifx\txiarg\keywordfalse \allowcodebreaksfalse \else \errhelp = \EMsimple \errmessage{Unknown @allowcodebreaks option `\txiarg'}% \fi\fi } % @kbd is like @code, except that if the argument is just one @key command, % then @kbd has no effect. \def\kbd#1{{\setupmarkupstyle{kbd}\def\look{#1}\expandafter\kbdfoo\look??\par}} % @kbdinputstyle -- arg is `distinct' (@kbd uses slanted tty font always), % `example' (@kbd uses ttsl only inside of @example and friends), % or `code' (@kbd uses normal tty font always). \parseargdef\kbdinputstyle{% \def\txiarg{#1}% \ifx\txiarg\worddistinct \gdef\kbdexamplefont{\ttsl}\gdef\kbdfont{\ttsl}% \else\ifx\txiarg\wordexample \gdef\kbdexamplefont{\ttsl}\gdef\kbdfont{\tt}% \else\ifx\txiarg\wordcode \gdef\kbdexamplefont{\tt}\gdef\kbdfont{\tt}% \else \errhelp = \EMsimple \errmessage{Unknown @kbdinputstyle option `\txiarg'}% \fi\fi\fi } \def\worddistinct{distinct} \def\wordexample{example} \def\wordcode{code} % Default is `distinct'. \kbdinputstyle distinct \def\xkey{\key} \def\kbdfoo#1#2#3\par{\def\one{#1}\def\three{#3}\def\threex{??}% \ifx\one\xkey\ifx\threex\three \key{#2}% \else{\tclose{\kbdfont\setupmarkupstyle{kbd}\look}}\fi \else{\tclose{\kbdfont\setupmarkupstyle{kbd}\look}}\fi} % For @indicateurl, @env, @command quotes seem unnecessary, so use \code. \let\indicateurl=\code \let\env=\code \let\command=\code % @clicksequence{File @click{} Open ...} \def\clicksequence#1{\begingroup #1\endgroup} % @clickstyle @arrow (by default) \parseargdef\clickstyle{\def\click{#1}} \def\click{\arrow} % @uref (abbreviation for `urlref') takes an optional (comma-separated) % second argument specifying the text to display and an optional third % arg as text to display instead of (rather than in addition to) the url % itself. First (mandatory) arg is the url. Perhaps eventually put in % a hypertex \special here. % \def\uref#1{\douref #1,,,\finish} \def\douref#1,#2,#3,#4\finish{\begingroup \unsepspaces \pdfurl{#1}% \setbox0 = \hbox{\ignorespaces #3}% \ifdim\wd0 > 0pt \unhbox0 % third arg given, show only that \else \setbox0 = \hbox{\ignorespaces #2}% \ifdim\wd0 > 0pt \ifpdf \unhbox0 % PDF: 2nd arg given, show only it \else \unhbox0\ (\code{#1})% DVI: 2nd arg given, show both it and url \fi \else \code{#1}% only url given, so show it \fi \fi \endlink \endgroup} % @url synonym for @uref, since that's how everyone uses it. % \let\url=\uref % rms does not like angle brackets --karl, 17may97. % So now @email is just like @uref, unless we are pdf. % %\def\email#1{\angleleft{\tt #1}\angleright} \ifpdf \def\email#1{\doemail#1,,\finish} \def\doemail#1,#2,#3\finish{\begingroup \unsepspaces \pdfurl{mailto:#1}% \setbox0 = \hbox{\ignorespaces #2}% \ifdim\wd0>0pt\unhbox0\else\code{#1}\fi \endlink \endgroup} \else \let\email=\uref \fi % Typeset a dimension, e.g., `in' or `pt'. The only reason for the % argument is to make the input look right: @dmn{pt} instead of @dmn{}pt. % \def\dmn#1{\thinspace #1} % @l was never documented to mean ``switch to the Lisp font'', % and it is not used as such in any manual I can find. We need it for % Polish suppressed-l. --karl, 22sep96. %\def\l#1{{\li #1}\null} % @acronym for "FBI", "NATO", and the like. % We print this one point size smaller, since it's intended for % all-uppercase. % \def\acronym#1{\doacronym #1,,\finish} \def\doacronym#1,#2,#3\finish{% {\selectfonts\lsize #1}% \def\temp{#2}% \ifx\temp\empty \else \space ({\unsepspaces \ignorespaces \temp \unskip})% \fi } % @abbr for "Comput. J." and the like. % No font change, but don't do end-of-sentence spacing. % \def\abbr#1{\doabbr #1,,\finish} \def\doabbr#1,#2,#3\finish{% {\plainfrenchspacing #1}% \def\temp{#2}% \ifx\temp\empty \else \space ({\unsepspaces \ignorespaces \temp \unskip})% \fi } \message{glyphs,} % @point{}, @result{}, @expansion{}, @print{}, @equiv{}. % % Since these characters are used in examples, they should be an even number of % \tt widths. Each \tt character is 1en, so two makes it 1em. % \def\point{$\star$} \def\arrow{\leavevmode\raise.05ex\hbox to 1em{\hfil$\rightarrow$\hfil}} \def\result{\leavevmode\raise.05ex\hbox to 1em{\hfil$\Rightarrow$\hfil}} \def\expansion{\leavevmode\hbox to 1em{\hfil$\mapsto$\hfil}} \def\print{\leavevmode\lower.1ex\hbox to 1em{\hfil$\dashv$\hfil}} \def\equiv{\leavevmode\hbox to 1em{\hfil$\ptexequiv$\hfil}} % The @error{} command. % Adapted from the TeXbook's \boxit. % \newbox\errorbox % {\tentt \global\dimen0 = 3em}% Width of the box. \dimen2 = .55pt % Thickness of rules % The text. (`r' is open on the right, `e' somewhat less so on the left.) \setbox0 = \hbox{\kern-.75pt \reducedsf error\kern-1.5pt} % \setbox\errorbox=\hbox to \dimen0{\hfil \hsize = \dimen0 \advance\hsize by -5.8pt % Space to left+right. \advance\hsize by -2\dimen2 % Rules. \vbox{% \hrule height\dimen2 \hbox{\vrule width\dimen2 \kern3pt % Space to left of text. \vtop{\kern2.4pt \box0 \kern2.4pt}% Space above/below. \kern3pt\vrule width\dimen2}% Space to right. \hrule height\dimen2} \hfil} % \def\error{\leavevmode\lower.7ex\copy\errorbox} % @pounds{} is a sterling sign, which Knuth put in the CM italic font. % \def\pounds{{\it\$}} % @euro{} comes from a separate font, depending on the current style. % We use the free feym* fonts from the eurosym package by Henrik % Theiling, which support regular, slanted, bold and bold slanted (and % "outlined" (blackboard board, sort of) versions, which we don't need). % It is available from http://www.ctan.org/tex-archive/fonts/eurosym. % % Although only regular is the truly official Euro symbol, we ignore % that. The Euro is designed to be slightly taller than the regular % font height. % % feymr - regular % feymo - slanted % feybr - bold % feybo - bold slanted % % There is no good (free) typewriter version, to my knowledge. % A feymr10 euro is ~7.3pt wide, while a normal cmtt10 char is ~5.25pt wide. % Hmm. % % Also doesn't work in math. Do we need to do math with euro symbols? % Hope not. % % \def\euro{{\eurofont e}} \def\eurofont{% % We set the font at each command, rather than predefining it in % \textfonts and the other font-switching commands, so that % installations which never need the symbol don't have to have the % font installed. % % There is only one designed size (nominal 10pt), so we always scale % that to the current nominal size. % % By the way, simply using "at 1em" works for cmr10 and the like, but % does not work for cmbx10 and other extended/shrunken fonts. % \def\eurosize{\csname\curfontsize nominalsize\endcsname}% % \ifx\curfontstyle\bfstylename % bold: \font\thiseurofont = \ifusingit{feybo10}{feybr10} at \eurosize \else % regular: \font\thiseurofont = \ifusingit{feymo10}{feymr10} at \eurosize \fi \thiseurofont } % Glyphs from the EC fonts. We don't use \let for the aliases, because % sometimes we redefine the original macro, and the alias should reflect % the redefinition. % % Use LaTeX names for the Icelandic letters. \def\DH{{\ecfont \char"D0}} % Eth \def\dh{{\ecfont \char"F0}} % eth \def\TH{{\ecfont \char"DE}} % Thorn \def\th{{\ecfont \char"FE}} % thorn % \def\guillemetleft{{\ecfont \char"13}} \def\guillemotleft{\guillemetleft} \def\guillemetright{{\ecfont \char"14}} \def\guillemotright{\guillemetright} \def\guilsinglleft{{\ecfont \char"0E}} \def\guilsinglright{{\ecfont \char"0F}} \def\quotedblbase{{\ecfont \char"12}} \def\quotesinglbase{{\ecfont \char"0D}} % % This positioning is not perfect (see the ogonek LaTeX package), but % we have the precomposed glyphs for the most common cases. We put the % tests to use those glyphs in the single \ogonek macro so we have fewer % dummy definitions to worry about for index entries, etc. % % ogonek is also used with other letters in Lithuanian (IOU), but using % the precomposed glyphs for those is not so easy since they aren't in % the same EC font. \def\ogonek#1{{% \def\temp{#1}% \ifx\temp\macrocharA\Aogonek \else\ifx\temp\macrochara\aogonek \else\ifx\temp\macrocharE\Eogonek \else\ifx\temp\macrochare\eogonek \else \ecfont \setbox0=\hbox{#1}% \ifdim\ht0=1ex\accent"0C #1% \else\ooalign{\unhbox0\crcr\hidewidth\char"0C \hidewidth}% \fi \fi\fi\fi\fi }% } \def\Aogonek{{\ecfont \char"81}}\def\macrocharA{A} \def\aogonek{{\ecfont \char"A1}}\def\macrochara{a} \def\Eogonek{{\ecfont \char"86}}\def\macrocharE{E} \def\eogonek{{\ecfont \char"A6}}\def\macrochare{e} % % Use the ec* fonts (cm-super in outline format) for non-CM glyphs. \def\ecfont{% % We can't distinguish serif/sans and italic/slanted, but this % is used for crude hacks anyway (like adding French and German % quotes to documents typeset with CM, where we lose kerning), so % hopefully nobody will notice/care. \edef\ecsize{\csname\curfontsize ecsize\endcsname}% \edef\nominalsize{\csname\curfontsize nominalsize\endcsname}% \ifx\curfontstyle\bfstylename % bold: \font\thisecfont = ecb\ifusingit{i}{x}\ecsize \space at \nominalsize \else % regular: \font\thisecfont = ec\ifusingit{ti}{rm}\ecsize \space at \nominalsize \fi \thisecfont } % @registeredsymbol - R in a circle. The font for the R should really % be smaller yet, but lllsize is the best we can do for now. % Adapted from the plain.tex definition of \copyright. % \def\registeredsymbol{% $^{{\ooalign{\hfil\raise.07ex\hbox{\selectfonts\lllsize R}% \hfil\crcr\Orb}}% }$% } % @textdegree - the normal degrees sign. % \def\textdegree{$^\circ$} % Laurent Siebenmann reports \Orb undefined with: % Textures 1.7.7 (preloaded format=plain 93.10.14) (68K) 16 APR 2004 02:38 % so we'll define it if necessary. % \ifx\Orb\undefined \def\Orb{\mathhexbox20D} \fi % Quotes. \chardef\quotedblleft="5C \chardef\quotedblright=`\" \chardef\quoteleft=`\` \chardef\quoteright=`\' \message{page headings,} \newskip\titlepagetopglue \titlepagetopglue = 1.5in \newskip\titlepagebottomglue \titlepagebottomglue = 2pc % First the title page. Must do @settitle before @titlepage. \newif\ifseenauthor \newif\iffinishedtitlepage % Do an implicit @contents or @shortcontents after @end titlepage if the % user says @setcontentsaftertitlepage or @setshortcontentsaftertitlepage. % \newif\ifsetcontentsaftertitlepage \let\setcontentsaftertitlepage = \setcontentsaftertitlepagetrue \newif\ifsetshortcontentsaftertitlepage \let\setshortcontentsaftertitlepage = \setshortcontentsaftertitlepagetrue \parseargdef\shorttitlepage{\begingroup\hbox{}\vskip 1.5in \chaprm \centerline{#1}% \endgroup\page\hbox{}\page} \envdef\titlepage{% % Open one extra group, as we want to close it in the middle of \Etitlepage. \begingroup \parindent=0pt \textfonts % Leave some space at the very top of the page. \vglue\titlepagetopglue % No rule at page bottom unless we print one at the top with @title. \finishedtitlepagetrue % % Most title ``pages'' are actually two pages long, with space % at the top of the second. We don't want the ragged left on the second. \let\oldpage = \page \def\page{% \iffinishedtitlepage\else \finishtitlepage \fi \let\page = \oldpage \page \null }% } \def\Etitlepage{% \iffinishedtitlepage\else \finishtitlepage \fi % It is important to do the page break before ending the group, % because the headline and footline are only empty inside the group. % If we use the new definition of \page, we always get a blank page % after the title page, which we certainly don't want. \oldpage \endgroup % % Need this before the \...aftertitlepage checks so that if they are % in effect the toc pages will come out with page numbers. \HEADINGSon % % If they want short, they certainly want long too. \ifsetshortcontentsaftertitlepage \shortcontents \contents \global\let\shortcontents = \relax \global\let\contents = \relax \fi % \ifsetcontentsaftertitlepage \contents \global\let\contents = \relax \global\let\shortcontents = \relax \fi } \def\finishtitlepage{% \vskip4pt \hrule height 2pt width \hsize \vskip\titlepagebottomglue \finishedtitlepagetrue } %%% Macros to be used within @titlepage: \let\subtitlerm=\tenrm \def\subtitlefont{\subtitlerm \normalbaselineskip = 13pt \normalbaselines} \parseargdef\title{% \checkenv\titlepage \leftline{\titlefonts\rmisbold #1} % print a rule at the page bottom also. \finishedtitlepagefalse \vskip4pt \hrule height 4pt width \hsize \vskip4pt } \parseargdef\subtitle{% \checkenv\titlepage {\subtitlefont \rightline{#1}}% } % @author should come last, but may come many times. % It can also be used inside @quotation. % \parseargdef\author{% \def\temp{\quotation}% \ifx\thisenv\temp \def\quotationauthor{#1}% printed in \Equotation. \else \checkenv\titlepage \ifseenauthor\else \vskip 0pt plus 1filll \seenauthortrue \fi {\secfonts\rmisbold \leftline{#1}}% \fi } %%% Set up page headings and footings. \let\thispage=\folio \newtoks\evenheadline % headline on even pages \newtoks\oddheadline % headline on odd pages \newtoks\evenfootline % footline on even pages \newtoks\oddfootline % footline on odd pages % Now make TeX use those variables \headline={{\textfonts\rm \ifodd\pageno \the\oddheadline \else \the\evenheadline \fi}} \footline={{\textfonts\rm \ifodd\pageno \the\oddfootline \else \the\evenfootline \fi}\HEADINGShook} \let\HEADINGShook=\relax % Commands to set those variables. % For example, this is what @headings on does % @evenheading @thistitle|@thispage|@thischapter % @oddheading @thischapter|@thispage|@thistitle % @evenfooting @thisfile|| % @oddfooting ||@thisfile \def\evenheading{\parsearg\evenheadingxxx} \def\evenheadingxxx #1{\evenheadingyyy #1\|\|\|\|\finish} \def\evenheadingyyy #1\|#2\|#3\|#4\finish{% \global\evenheadline={\rlap{\centerline{#2}}\line{#1\hfil#3}}} \def\oddheading{\parsearg\oddheadingxxx} \def\oddheadingxxx #1{\oddheadingyyy #1\|\|\|\|\finish} \def\oddheadingyyy #1\|#2\|#3\|#4\finish{% \global\oddheadline={\rlap{\centerline{#2}}\line{#1\hfil#3}}} \parseargdef\everyheading{\oddheadingxxx{#1}\evenheadingxxx{#1}}% \def\evenfooting{\parsearg\evenfootingxxx} \def\evenfootingxxx #1{\evenfootingyyy #1\|\|\|\|\finish} \def\evenfootingyyy #1\|#2\|#3\|#4\finish{% \global\evenfootline={\rlap{\centerline{#2}}\line{#1\hfil#3}}} \def\oddfooting{\parsearg\oddfootingxxx} \def\oddfootingxxx #1{\oddfootingyyy #1\|\|\|\|\finish} \def\oddfootingyyy #1\|#2\|#3\|#4\finish{% \global\oddfootline = {\rlap{\centerline{#2}}\line{#1\hfil#3}}% % % Leave some space for the footline. Hopefully ok to assume % @evenfooting will not be used by itself. \global\advance\pageheight by -12pt \global\advance\vsize by -12pt } \parseargdef\everyfooting{\oddfootingxxx{#1}\evenfootingxxx{#1}} % @evenheadingmarks top \thischapter <- chapter at the top of a page % @evenheadingmarks bottom \thischapter <- chapter at the bottom of a page % % The same set of arguments for: % % @oddheadingmarks % @evenfootingmarks % @oddfootingmarks % @everyheadingmarks % @everyfootingmarks \def\evenheadingmarks{\headingmarks{even}{heading}} \def\oddheadingmarks{\headingmarks{odd}{heading}} \def\evenfootingmarks{\headingmarks{even}{footing}} \def\oddfootingmarks{\headingmarks{odd}{footing}} \def\everyheadingmarks#1 {\headingmarks{even}{heading}{#1} \headingmarks{odd}{heading}{#1} } \def\everyfootingmarks#1 {\headingmarks{even}{footing}{#1} \headingmarks{odd}{footing}{#1} } % #1 = even/odd, #2 = heading/footing, #3 = top/bottom. \def\headingmarks#1#2#3 {% \expandafter\let\expandafter\temp \csname get#3headingmarks\endcsname \global\expandafter\let\csname get#1#2marks\endcsname \temp } \everyheadingmarks bottom \everyfootingmarks bottom % @headings double turns headings on for double-sided printing. % @headings single turns headings on for single-sided printing. % @headings off turns them off. % @headings on same as @headings double, retained for compatibility. % @headings after turns on double-sided headings after this page. % @headings doubleafter turns on double-sided headings after this page. % @headings singleafter turns on single-sided headings after this page. % By default, they are off at the start of a document, % and turned `on' after @end titlepage. \def\headings #1 {\csname HEADINGS#1\endcsname} \def\HEADINGSoff{% \global\evenheadline={\hfil} \global\evenfootline={\hfil} \global\oddheadline={\hfil} \global\oddfootline={\hfil}} \HEADINGSoff % When we turn headings on, set the page number to 1. % For double-sided printing, put current file name in lower left corner, % chapter name on inside top of right hand pages, document % title on inside top of left hand pages, and page numbers on outside top % edge of all pages. \def\HEADINGSdouble{% \global\pageno=1 \global\evenfootline={\hfil} \global\oddfootline={\hfil} \global\evenheadline={\line{\folio\hfil\thistitle}} \global\oddheadline={\line{\thischapter\hfil\folio}} \global\let\contentsalignmacro = \chapoddpage } \let\contentsalignmacro = \chappager % For single-sided printing, chapter title goes across top left of page, % page number on top right. \def\HEADINGSsingle{% \global\pageno=1 \global\evenfootline={\hfil} \global\oddfootline={\hfil} \global\evenheadline={\line{\thischapter\hfil\folio}} \global\oddheadline={\line{\thischapter\hfil\folio}} \global\let\contentsalignmacro = \chappager } \def\HEADINGSon{\HEADINGSdouble} \def\HEADINGSafter{\let\HEADINGShook=\HEADINGSdoublex} \let\HEADINGSdoubleafter=\HEADINGSafter \def\HEADINGSdoublex{% \global\evenfootline={\hfil} \global\oddfootline={\hfil} \global\evenheadline={\line{\folio\hfil\thistitle}} \global\oddheadline={\line{\thischapter\hfil\folio}} \global\let\contentsalignmacro = \chapoddpage } \def\HEADINGSsingleafter{\let\HEADINGShook=\HEADINGSsinglex} \def\HEADINGSsinglex{% \global\evenfootline={\hfil} \global\oddfootline={\hfil} \global\evenheadline={\line{\thischapter\hfil\folio}} \global\oddheadline={\line{\thischapter\hfil\folio}} \global\let\contentsalignmacro = \chappager } % Subroutines used in generating headings % This produces Day Month Year style of output. % Only define if not already defined, in case a txi-??.tex file has set % up a different format (e.g., txi-cs.tex does this). \ifx\today\undefined \def\today{% \number\day\space \ifcase\month \or\putwordMJan\or\putwordMFeb\or\putwordMMar\or\putwordMApr \or\putwordMMay\or\putwordMJun\or\putwordMJul\or\putwordMAug \or\putwordMSep\or\putwordMOct\or\putwordMNov\or\putwordMDec \fi \space\number\year} \fi % @settitle line... specifies the title of the document, for headings. % It generates no output of its own. \def\thistitle{\putwordNoTitle} \def\settitle{\parsearg{\gdef\thistitle}} \message{tables,} % Tables -- @table, @ftable, @vtable, @item(x). % default indentation of table text \newdimen\tableindent \tableindent=.8in % default indentation of @itemize and @enumerate text \newdimen\itemindent \itemindent=.3in % margin between end of table item and start of table text. \newdimen\itemmargin \itemmargin=.1in % used internally for \itemindent minus \itemmargin \newdimen\itemmax % Note @table, @ftable, and @vtable define @item, @itemx, etc., with % these defs. % They also define \itemindex % to index the item name in whatever manner is desired (perhaps none). \newif\ifitemxneedsnegativevskip \def\itemxpar{\par\ifitemxneedsnegativevskip\nobreak\vskip-\parskip\nobreak\fi} \def\internalBitem{\smallbreak \parsearg\itemzzz} \def\internalBitemx{\itemxpar \parsearg\itemzzz} \def\itemzzz #1{\begingroup % \advance\hsize by -\rightskip \advance\hsize by -\tableindent \setbox0=\hbox{\itemindicate{#1}}% \itemindex{#1}% \nobreak % This prevents a break before @itemx. % % If the item text does not fit in the space we have, put it on a line % by itself, and do not allow a page break either before or after that % line. We do not start a paragraph here because then if the next % command is, e.g., @kindex, the whatsit would get put into the % horizontal list on a line by itself, resulting in extra blank space. \ifdim \wd0>\itemmax % % Make this a paragraph so we get the \parskip glue and wrapping, % but leave it ragged-right. \begingroup \advance\leftskip by-\tableindent \advance\hsize by\tableindent \advance\rightskip by0pt plus1fil \leavevmode\unhbox0\par \endgroup % % We're going to be starting a paragraph, but we don't want the % \parskip glue -- logically it's part of the @item we just started. \nobreak \vskip-\parskip % % Stop a page break at the \parskip glue coming up. However, if % what follows is an environment such as @example, there will be no % \parskip glue; then the negative vskip we just inserted would % cause the example and the item to crash together. So we use this % bizarre value of 10001 as a signal to \aboveenvbreak to insert % \parskip glue after all. Section titles are handled this way also. % \penalty 10001 \endgroup \itemxneedsnegativevskipfalse \else % The item text fits into the space. Start a paragraph, so that the % following text (if any) will end up on the same line. \noindent % Do this with kerns and \unhbox so that if there is a footnote in % the item text, it can migrate to the main vertical list and % eventually be printed. \nobreak\kern-\tableindent \dimen0 = \itemmax \advance\dimen0 by \itemmargin \advance\dimen0 by -\wd0 \unhbox0 \nobreak\kern\dimen0 \endgroup \itemxneedsnegativevskiptrue \fi } \def\item{\errmessage{@item while not in a list environment}} \def\itemx{\errmessage{@itemx while not in a list environment}} % @table, @ftable, @vtable. \envdef\table{% \let\itemindex\gobble \tablecheck{table}% } \envdef\ftable{% \def\itemindex ##1{\doind {fn}{\code{##1}}}% \tablecheck{ftable}% } \envdef\vtable{% \def\itemindex ##1{\doind {vr}{\code{##1}}}% \tablecheck{vtable}% } \def\tablecheck#1{% \ifnum \the\catcode`\^^M=\active \endgroup \errmessage{This command won't work in this context; perhaps the problem is that we are \inenvironment\thisenv}% \def\next{\doignore{#1}}% \else \let\next\tablex \fi \next } \def\tablex#1{% \def\itemindicate{#1}% \parsearg\tabley } \def\tabley#1{% {% \makevalueexpandable \edef\temp{\noexpand\tablez #1\space\space\space}% \expandafter }\temp \endtablez } \def\tablez #1 #2 #3 #4\endtablez{% \aboveenvbreak \ifnum 0#1>0 \advance \leftskip by #1\mil \fi \ifnum 0#2>0 \tableindent=#2\mil \fi \ifnum 0#3>0 \advance \rightskip by #3\mil \fi \itemmax=\tableindent \advance \itemmax by -\itemmargin \advance \leftskip by \tableindent \exdentamount=\tableindent \parindent = 0pt \parskip = \smallskipamount \ifdim \parskip=0pt \parskip=2pt \fi \let\item = \internalBitem \let\itemx = \internalBitemx } \def\Etable{\endgraf\afterenvbreak} \let\Eftable\Etable \let\Evtable\Etable \let\Eitemize\Etable \let\Eenumerate\Etable % This is the counter used by @enumerate, which is really @itemize \newcount \itemno \envdef\itemize{\parsearg\doitemize} \def\doitemize#1{% \aboveenvbreak \itemmax=\itemindent \advance\itemmax by -\itemmargin \advance\leftskip by \itemindent \exdentamount=\itemindent \parindent=0pt \parskip=\smallskipamount \ifdim\parskip=0pt \parskip=2pt \fi % % Try typesetting the item mark that if the document erroneously says % something like @itemize @samp (intending @table), there's an error % right away at the @itemize. It's not the best error message in the % world, but it's better than leaving it to the @item. This means if % the user wants an empty mark, they have to say @w{} not just @w. \def\itemcontents{#1}% \setbox0 = \hbox{\itemcontents}% % % @itemize with no arg is equivalent to @itemize @bullet. \ifx\itemcontents\empty\def\itemcontents{\bullet}\fi % \let\item=\itemizeitem } % Definition of @item while inside @itemize and @enumerate. % \def\itemizeitem{% \advance\itemno by 1 % for enumerations {\let\par=\endgraf \smallbreak}% reasonable place to break {% % If the document has an @itemize directly after a section title, a % \nobreak will be last on the list, and \sectionheading will have % done a \vskip-\parskip. In that case, we don't want to zero % parskip, or the item text will crash with the heading. On the % other hand, when there is normal text preceding the item (as there % usually is), we do want to zero parskip, or there would be too much % space. In that case, we won't have a \nobreak before. At least % that's the theory. \ifnum\lastpenalty<10000 \parskip=0in \fi \noindent \hbox to 0pt{\hss \itemcontents \kern\itemmargin}% % \vadjust{\penalty 1200}}% not good to break after first line of item. \flushcr } % \splitoff TOKENS\endmark defines \first to be the first token in % TOKENS, and \rest to be the remainder. % \def\splitoff#1#2\endmark{\def\first{#1}\def\rest{#2}}% % Allow an optional argument of an uppercase letter, lowercase letter, % or number, to specify the first label in the enumerated list. No % argument is the same as `1'. % \envparseargdef\enumerate{\enumeratey #1 \endenumeratey} \def\enumeratey #1 #2\endenumeratey{% % If we were given no argument, pretend we were given `1'. \def\thearg{#1}% \ifx\thearg\empty \def\thearg{1}\fi % % Detect if the argument is a single token. If so, it might be a % letter. Otherwise, the only valid thing it can be is a number. % (We will always have one token, because of the test we just made. % This is a good thing, since \splitoff doesn't work given nothing at % all -- the first parameter is undelimited.) \expandafter\splitoff\thearg\endmark \ifx\rest\empty % Only one token in the argument. It could still be anything. % A ``lowercase letter'' is one whose \lccode is nonzero. % An ``uppercase letter'' is one whose \lccode is both nonzero, and % not equal to itself. % Otherwise, we assume it's a number. % % We need the \relax at the end of the \ifnum lines to stop TeX from % continuing to look for a . % \ifnum\lccode\expandafter`\thearg=0\relax \numericenumerate % a number (we hope) \else % It's a letter. \ifnum\lccode\expandafter`\thearg=\expandafter`\thearg\relax \lowercaseenumerate % lowercase letter \else \uppercaseenumerate % uppercase letter \fi \fi \else % Multiple tokens in the argument. We hope it's a number. \numericenumerate \fi } % An @enumerate whose labels are integers. The starting integer is % given in \thearg. % \def\numericenumerate{% \itemno = \thearg \startenumeration{\the\itemno}% } % The starting (lowercase) letter is in \thearg. \def\lowercaseenumerate{% \itemno = \expandafter`\thearg \startenumeration{% % Be sure we're not beyond the end of the alphabet. \ifnum\itemno=0 \errmessage{No more lowercase letters in @enumerate; get a bigger alphabet}% \fi \char\lccode\itemno }% } % The starting (uppercase) letter is in \thearg. \def\uppercaseenumerate{% \itemno = \expandafter`\thearg \startenumeration{% % Be sure we're not beyond the end of the alphabet. \ifnum\itemno=0 \errmessage{No more uppercase letters in @enumerate; get a bigger alphabet} \fi \char\uccode\itemno }% } % Call \doitemize, adding a period to the first argument and supplying the % common last two arguments. Also subtract one from the initial value in % \itemno, since @item increments \itemno. % \def\startenumeration#1{% \advance\itemno by -1 \doitemize{#1.}\flushcr } % @alphaenumerate and @capsenumerate are abbreviations for giving an arg % to @enumerate. % \def\alphaenumerate{\enumerate{a}} \def\capsenumerate{\enumerate{A}} \def\Ealphaenumerate{\Eenumerate} \def\Ecapsenumerate{\Eenumerate} % @multitable macros % Amy Hendrickson, 8/18/94, 3/6/96 % % @multitable ... @end multitable will make as many columns as desired. % Contents of each column will wrap at width given in preamble. Width % can be specified either with sample text given in a template line, % or in percent of \hsize, the current width of text on page. % Table can continue over pages but will only break between lines. % To make preamble: % % Either define widths of columns in terms of percent of \hsize: % @multitable @columnfractions .25 .3 .45 % @item ... % % Numbers following @columnfractions are the percent of the total % current hsize to be used for each column. You may use as many % columns as desired. % Or use a template: % @multitable {Column 1 template} {Column 2 template} {Column 3 template} % @item ... % using the widest term desired in each column. % Each new table line starts with @item, each subsequent new column % starts with @tab. Empty columns may be produced by supplying @tab's % with nothing between them for as many times as empty columns are needed, % ie, @tab@tab@tab will produce two empty columns. % @item, @tab do not need to be on their own lines, but it will not hurt % if they are. % Sample multitable: % @multitable {Column 1 template} {Column 2 template} {Column 3 template} % @item first col stuff @tab second col stuff @tab third col % @item % first col stuff % @tab % second col stuff % @tab % third col % @item first col stuff @tab second col stuff % @tab Many paragraphs of text may be used in any column. % % They will wrap at the width determined by the template. % @item@tab@tab This will be in third column. % @end multitable % Default dimensions may be reset by user. % @multitableparskip is vertical space between paragraphs in table. % @multitableparindent is paragraph indent in table. % @multitablecolmargin is horizontal space to be left between columns. % @multitablelinespace is space to leave between table items, baseline % to baseline. % 0pt means it depends on current normal line spacing. % \newskip\multitableparskip \newskip\multitableparindent \newdimen\multitablecolspace \newskip\multitablelinespace \multitableparskip=0pt \multitableparindent=6pt \multitablecolspace=12pt \multitablelinespace=0pt % Macros used to set up halign preamble: % \let\endsetuptable\relax \def\xendsetuptable{\endsetuptable} \let\columnfractions\relax \def\xcolumnfractions{\columnfractions} \newif\ifsetpercent % #1 is the @columnfraction, usually a decimal number like .5, but might % be just 1. We just use it, whatever it is. % \def\pickupwholefraction#1 {% \global\advance\colcount by 1 \expandafter\xdef\csname col\the\colcount\endcsname{#1\hsize}% \setuptable } \newcount\colcount \def\setuptable#1{% \def\firstarg{#1}% \ifx\firstarg\xendsetuptable \let\go = \relax \else \ifx\firstarg\xcolumnfractions \global\setpercenttrue \else \ifsetpercent \let\go\pickupwholefraction \else \global\advance\colcount by 1 \setbox0=\hbox{#1\unskip\space}% Add a normal word space as a % separator; typically that is always in the input, anyway. \expandafter\xdef\csname col\the\colcount\endcsname{\the\wd0}% \fi \fi \ifx\go\pickupwholefraction % Put the argument back for the \pickupwholefraction call, so % we'll always have a period there to be parsed. \def\go{\pickupwholefraction#1}% \else \let\go = \setuptable \fi% \fi \go } % multitable-only commands. % % @headitem starts a heading row, which we typeset in bold. % Assignments have to be global since we are inside the implicit group % of an alignment entry. \everycr resets \everytab so we don't have to % undo it ourselves. \def\headitemfont{\b}% for people to use in the template row; not changeable \def\headitem{% \checkenv\multitable \crcr \global\everytab={\bf}% can't use \headitemfont since the parsing differs \the\everytab % for the first item }% % % A \tab used to include \hskip1sp. But then the space in a template % line is not enough. That is bad. So let's go back to just `&' until % we again encounter the problem the 1sp was intended to solve. % --karl, nathan@acm.org, 20apr99. \def\tab{\checkenv\multitable &\the\everytab}% % @multitable ... @end multitable definitions: % \newtoks\everytab % insert after every tab. % \envdef\multitable{% \vskip\parskip \startsavinginserts % % @item within a multitable starts a normal row. % We use \def instead of \let so that if one of the multitable entries % contains an @itemize, we don't choke on the \item (seen as \crcr aka % \endtemplate) expanding \doitemize. \def\item{\crcr}% % \tolerance=9500 \hbadness=9500 \setmultitablespacing \parskip=\multitableparskip \parindent=\multitableparindent \overfullrule=0pt \global\colcount=0 % \everycr = {% \noalign{% \global\everytab={}% \global\colcount=0 % Reset the column counter. % Check for saved footnotes, etc. \checkinserts % Keeps underfull box messages off when table breaks over pages. %\filbreak % Maybe so, but it also creates really weird page breaks when the % table breaks over pages. Wouldn't \vfil be better? Wait until the % problem manifests itself, so it can be fixed for real --karl. }% }% % \parsearg\domultitable } \def\domultitable#1{% % To parse everything between @multitable and @item: \setuptable#1 \endsetuptable % % This preamble sets up a generic column definition, which will % be used as many times as user calls for columns. % \vtop will set a single line and will also let text wrap and % continue for many paragraphs if desired. \halign\bgroup &% \global\advance\colcount by 1 \multistrut \vtop{% % Use the current \colcount to find the correct column width: \hsize=\expandafter\csname col\the\colcount\endcsname % % In order to keep entries from bumping into each other % we will add a \leftskip of \multitablecolspace to all columns after % the first one. % % If a template has been used, we will add \multitablecolspace % to the width of each template entry. % % If the user has set preamble in terms of percent of \hsize we will % use that dimension as the width of the column, and the \leftskip % will keep entries from bumping into each other. Table will start at % left margin and final column will justify at right margin. % % Make sure we don't inherit \rightskip from the outer environment. \rightskip=0pt \ifnum\colcount=1 % The first column will be indented with the surrounding text. \advance\hsize by\leftskip \else \ifsetpercent \else % If user has not set preamble in terms of percent of \hsize % we will advance \hsize by \multitablecolspace. \advance\hsize by \multitablecolspace \fi % In either case we will make \leftskip=\multitablecolspace: \leftskip=\multitablecolspace \fi % Ignoring space at the beginning and end avoids an occasional spurious % blank line, when TeX decides to break the line at the space before the % box from the multistrut, so the strut ends up on a line by itself. % For example: % @multitable @columnfractions .11 .89 % @item @code{#} % @tab Legal holiday which is valid in major parts of the whole country. % Is automatically provided with highlighting sequences respectively % marking characters. \noindent\ignorespaces##\unskip\multistrut }\cr } \def\Emultitable{% \crcr \egroup % end the \halign \global\setpercentfalse } \def\setmultitablespacing{% \def\multistrut{\strut}% just use the standard line spacing % % Compute \multitablelinespace (if not defined by user) for use in % \multitableparskip calculation. We used define \multistrut based on % this, but (ironically) that caused the spacing to be off. % See bug-texinfo report from Werner Lemberg, 31 Oct 2004 12:52:20 +0100. \ifdim\multitablelinespace=0pt \setbox0=\vbox{X}\global\multitablelinespace=\the\baselineskip \global\advance\multitablelinespace by-\ht0 \fi %% Test to see if parskip is larger than space between lines of %% table. If not, do nothing. %% If so, set to same dimension as multitablelinespace. \ifdim\multitableparskip>\multitablelinespace \global\multitableparskip=\multitablelinespace \global\advance\multitableparskip-7pt %% to keep parskip somewhat smaller %% than skip between lines in the table. \fi% \ifdim\multitableparskip=0pt \global\multitableparskip=\multitablelinespace \global\advance\multitableparskip-7pt %% to keep parskip somewhat smaller %% than skip between lines in the table. \fi} \message{conditionals,} % @iftex, @ifnotdocbook, @ifnothtml, @ifnotinfo, @ifnotplaintext, % @ifnotxml always succeed. They currently do nothing; we don't % attempt to check whether the conditionals are properly nested. But we % have to remember that they are conditionals, so that @end doesn't % attempt to close an environment group. % \def\makecond#1{% \expandafter\let\csname #1\endcsname = \relax \expandafter\let\csname iscond.#1\endcsname = 1 } \makecond{iftex} \makecond{ifnotdocbook} \makecond{ifnothtml} \makecond{ifnotinfo} \makecond{ifnotplaintext} \makecond{ifnotxml} % Ignore @ignore, @ifhtml, @ifinfo, and the like. % \def\direntry{\doignore{direntry}} \def\documentdescription{\doignore{documentdescription}} \def\docbook{\doignore{docbook}} \def\html{\doignore{html}} \def\ifdocbook{\doignore{ifdocbook}} \def\ifhtml{\doignore{ifhtml}} \def\ifinfo{\doignore{ifinfo}} \def\ifnottex{\doignore{ifnottex}} \def\ifplaintext{\doignore{ifplaintext}} \def\ifxml{\doignore{ifxml}} \def\ignore{\doignore{ignore}} \def\menu{\doignore{menu}} \def\xml{\doignore{xml}} % Ignore text until a line `@end #1', keeping track of nested conditionals. % % A count to remember the depth of nesting. \newcount\doignorecount \def\doignore#1{\begingroup % Scan in ``verbatim'' mode: \obeylines \catcode`\@ = \other \catcode`\{ = \other \catcode`\} = \other % % Make sure that spaces turn into tokens that match what \doignoretext wants. \spaceisspace % % Count number of #1's that we've seen. \doignorecount = 0 % % Swallow text until we reach the matching `@end #1'. \dodoignore{#1}% } { \catcode`_=11 % We want to use \_STOP_ which cannot appear in texinfo source. \obeylines % % \gdef\dodoignore#1{% % #1 contains the command name as a string, e.g., `ifinfo'. % % Define a command to find the next `@end #1'. \long\def\doignoretext##1^^M@end #1{% \doignoretextyyy##1^^M@#1\_STOP_}% % % And this command to find another #1 command, at the beginning of a % line. (Otherwise, we would consider a line `@c @ifset', for % example, to count as an @ifset for nesting.) \long\def\doignoretextyyy##1^^M@#1##2\_STOP_{\doignoreyyy{##2}\_STOP_}% % % And now expand that command. \doignoretext ^^M% }% } \def\doignoreyyy#1{% \def\temp{#1}% \ifx\temp\empty % Nothing found. \let\next\doignoretextzzz \else % Found a nested condition, ... \advance\doignorecount by 1 \let\next\doignoretextyyy % ..., look for another. % If we're here, #1 ends with ^^M\ifinfo (for example). \fi \next #1% the token \_STOP_ is present just after this macro. } % We have to swallow the remaining "\_STOP_". % \def\doignoretextzzz#1{% \ifnum\doignorecount = 0 % We have just found the outermost @end. \let\next\enddoignore \else % Still inside a nested condition. \advance\doignorecount by -1 \let\next\doignoretext % Look for the next @end. \fi \next } % Finish off ignored text. { \obeylines% % Ignore anything after the last `@end #1'; this matters in verbatim % environments, where otherwise the newline after an ignored conditional % would result in a blank line in the output. \gdef\enddoignore#1^^M{\endgroup\ignorespaces}% } % @set VAR sets the variable VAR to an empty value. % @set VAR REST-OF-LINE sets VAR to the value REST-OF-LINE. % % Since we want to separate VAR from REST-OF-LINE (which might be % empty), we can't just use \parsearg; we have to insert a space of our % own to delimit the rest of the line, and then take it out again if we % didn't need it. % We rely on the fact that \parsearg sets \catcode`\ =10. % \parseargdef\set{\setyyy#1 \endsetyyy} \def\setyyy#1 #2\endsetyyy{% {% \makevalueexpandable \def\temp{#2}% \edef\next{\gdef\makecsname{SET#1}}% \ifx\temp\empty \next{}% \else \setzzz#2\endsetzzz \fi }% } % Remove the trailing space \setxxx inserted. \def\setzzz#1 \endsetzzz{\next{#1}} % @clear VAR clears (i.e., unsets) the variable VAR. % \parseargdef\clear{% {% \makevalueexpandable \global\expandafter\let\csname SET#1\endcsname=\relax }% } % @value{foo} gets the text saved in variable foo. \def\value{\begingroup\makevalueexpandable\valuexxx} \def\valuexxx#1{\expandablevalue{#1}\endgroup} { \catcode`\- = \active \catcode`\_ = \active % \gdef\makevalueexpandable{% \let\value = \expandablevalue % We don't want these characters active, ... \catcode`\-=\other \catcode`\_=\other % ..., but we might end up with active ones in the argument if % we're called from @code, as @code{@value{foo-bar_}}, though. % So \let them to their normal equivalents. \let-\realdash \let_\normalunderscore } } % We have this subroutine so that we can handle at least some @value's % properly in indexes (we call \makevalueexpandable in \indexdummies). % The command has to be fully expandable (if the variable is set), since % the result winds up in the index file. This means that if the % variable's value contains other Texinfo commands, it's almost certain % it will fail (although perhaps we could fix that with sufficient work % to do a one-level expansion on the result, instead of complete). % \def\expandablevalue#1{% \expandafter\ifx\csname SET#1\endcsname\relax {[No value for ``#1'']}% \message{Variable `#1', used in @value, is not set.}% \else \csname SET#1\endcsname \fi } % @ifset VAR ... @end ifset reads the `...' iff VAR has been defined % with @set. % % To get special treatment of `@end ifset,' call \makeond and the redefine. % \makecond{ifset} \def\ifset{\parsearg{\doifset{\let\next=\ifsetfail}}} \def\doifset#1#2{% {% \makevalueexpandable \let\next=\empty \expandafter\ifx\csname SET#2\endcsname\relax #1% If not set, redefine \next. \fi \expandafter }\next } \def\ifsetfail{\doignore{ifset}} % @ifclear VAR ... @end ifclear reads the `...' iff VAR has never been % defined with @set, or has been undefined with @clear. % % The `\else' inside the `\doifset' parameter is a trick to reuse the % above code: if the variable is not set, do nothing, if it is set, % then redefine \next to \ifclearfail. % \makecond{ifclear} \def\ifclear{\parsearg{\doifset{\else \let\next=\ifclearfail}}} \def\ifclearfail{\doignore{ifclear}} % @dircategory CATEGORY -- specify a category of the dir file % which this file should belong to. Ignore this in TeX. \let\dircategory=\comment % @defininfoenclose. \let\definfoenclose=\comment \message{indexing,} % Index generation facilities % Define \newwrite to be identical to plain tex's \newwrite % except not \outer, so it can be used within macros and \if's. \edef\newwrite{\makecsname{ptexnewwrite}} % \newindex {foo} defines an index named foo. % It automatically defines \fooindex such that % \fooindex ...rest of line... puts an entry in the index foo. % It also defines \fooindfile to be the number of the output channel for % the file that accumulates this index. The file's extension is foo. % The name of an index should be no more than 2 characters long % for the sake of vms. % \def\newindex#1{% \iflinks \expandafter\newwrite \csname#1indfile\endcsname \openout \csname#1indfile\endcsname \jobname.#1 % Open the file \fi \expandafter\xdef\csname#1index\endcsname{% % Define @#1index \noexpand\doindex{#1}} } % @defindex foo == \newindex{foo} % \def\defindex{\parsearg\newindex} % Define @defcodeindex, like @defindex except put all entries in @code. % \def\defcodeindex{\parsearg\newcodeindex} % \def\newcodeindex#1{% \iflinks \expandafter\newwrite \csname#1indfile\endcsname \openout \csname#1indfile\endcsname \jobname.#1 \fi \expandafter\xdef\csname#1index\endcsname{% \noexpand\docodeindex{#1}}% } % @synindex foo bar makes index foo feed into index bar. % Do this instead of @defindex foo if you don't want it as a separate index. % % @syncodeindex foo bar similar, but put all entries made for index foo % inside @code. % \def\synindex#1 #2 {\dosynindex\doindex{#1}{#2}} \def\syncodeindex#1 #2 {\dosynindex\docodeindex{#1}{#2}} % #1 is \doindex or \docodeindex, #2 the index getting redefined (foo), % #3 the target index (bar). \def\dosynindex#1#2#3{% % Only do \closeout if we haven't already done it, else we'll end up % closing the target index. \expandafter \ifx\csname donesynindex#2\endcsname \relax % The \closeout helps reduce unnecessary open files; the limit on the % Acorn RISC OS is a mere 16 files. \expandafter\closeout\csname#2indfile\endcsname \expandafter\let\csname donesynindex#2\endcsname = 1 \fi % redefine \fooindfile: \expandafter\let\expandafter\temp\expandafter=\csname#3indfile\endcsname \expandafter\let\csname#2indfile\endcsname=\temp % redefine \fooindex: \expandafter\xdef\csname#2index\endcsname{\noexpand#1{#3}}% } % Define \doindex, the driver for all \fooindex macros. % Argument #1 is generated by the calling \fooindex macro, % and it is "foo", the name of the index. % \doindex just uses \parsearg; it calls \doind for the actual work. % This is because \doind is more useful to call from other macros. % There is also \dosubind {index}{topic}{subtopic} % which makes an entry in a two-level index such as the operation index. \def\doindex#1{\edef\indexname{#1}\parsearg\singleindexer} \def\singleindexer #1{\doind{\indexname}{#1}} % like the previous two, but they put @code around the argument. \def\docodeindex#1{\edef\indexname{#1}\parsearg\singlecodeindexer} \def\singlecodeindexer #1{\doind{\indexname}{\code{#1}}} % Take care of Texinfo commands that can appear in an index entry. % Since there are some commands we want to expand, and others we don't, % we have to laboriously prevent expansion for those that we don't. % \def\indexdummies{% \escapechar = `\\ % use backslash in output files. \def\@{@}% change to @@ when we switch to @ as escape char in index files. \def\ {\realbackslash\space }% % % Need these in case \tex is in effect and \{ is a \delimiter again. % But can't use \lbracecmd and \rbracecmd because texindex assumes % braces and backslashes are used only as delimiters. \let\{ = \mylbrace \let\} = \myrbrace % % I don't entirely understand this, but when an index entry is % generated from a macro call, the \endinput which \scanmacro inserts % causes processing to be prematurely terminated. This is, % apparently, because \indexsorttmp is fully expanded, and \endinput % is an expandable command. The redefinition below makes \endinput % disappear altogether for that purpose -- although logging shows that % processing continues to some further point. On the other hand, it % seems \endinput does not hurt in the printed index arg, since that % is still getting written without apparent harm. % % Sample source (mac-idx3.tex, reported by Graham Percival to % help-texinfo, 22may06): % @macro funindex {WORD} % @findex xyz % @end macro % ... % @funindex commtest % % The above is not enough to reproduce the bug, but it gives the flavor. % % Sample whatsit resulting: % .@write3{\entry{xyz}{@folio }{@code {xyz@endinput }}} % % So: \let\endinput = \empty % % Do the redefinitions. \commondummies } % For the aux and toc files, @ is the escape character. So we want to % redefine everything using @ as the escape character (instead of % \realbackslash, still used for index files). When everything uses @, % this will be simpler. % \def\atdummies{% \def\@{@@}% \def\ {@ }% \let\{ = \lbraceatcmd \let\} = \rbraceatcmd % % Do the redefinitions. \commondummies \otherbackslash } % Called from \indexdummies and \atdummies. % \def\commondummies{% % % \definedummyword defines \#1 as \string\#1\space, thus effectively % preventing its expansion. This is used only for control% words, % not control letters, because the \space would be incorrect for % control characters, but is needed to separate the control word % from whatever follows. % % For control letters, we have \definedummyletter, which omits the % space. % % These can be used both for control words that take an argument and % those that do not. If it is followed by {arg} in the input, then % that will dutifully get written to the index (or wherever). % \def\definedummyword ##1{\def##1{\string##1\space}}% \def\definedummyletter##1{\def##1{\string##1}}% \let\definedummyaccent\definedummyletter % \commondummiesnofonts % \definedummyletter\_% % % Non-English letters. \definedummyword\AA \definedummyword\AE \definedummyword\DH \definedummyword\L \definedummyword\O \definedummyword\OE \definedummyword\TH \definedummyword\aa \definedummyword\ae \definedummyword\dh \definedummyword\exclamdown \definedummyword\l \definedummyword\o \definedummyword\oe \definedummyword\ordf \definedummyword\ordm \definedummyword\questiondown \definedummyword\ss \definedummyword\th % % Although these internal commands shouldn't show up, sometimes they do. \definedummyword\bf \definedummyword\gtr \definedummyword\hat \definedummyword\less \definedummyword\sf \definedummyword\sl \definedummyword\tclose \definedummyword\tt % \definedummyword\LaTeX \definedummyword\TeX % % Assorted special characters. \definedummyword\bullet \definedummyword\comma \definedummyword\copyright \definedummyword\registeredsymbol \definedummyword\dots \definedummyword\enddots \definedummyword\equiv \definedummyword\error \definedummyword\euro \definedummyword\guillemetleft \definedummyword\guillemetright \definedummyword\guilsinglleft \definedummyword\guilsinglright \definedummyword\expansion \definedummyword\minus \definedummyword\ogonek \definedummyword\pounds \definedummyword\point \definedummyword\print \definedummyword\quotedblbase \definedummyword\quotedblleft \definedummyword\quotedblright \definedummyword\quoteleft \definedummyword\quoteright \definedummyword\quotesinglbase \definedummyword\result \definedummyword\textdegree % % We want to disable all macros so that they are not expanded by \write. \macrolist % \normalturnoffactive % % Handle some cases of @value -- where it does not contain any % (non-fully-expandable) commands. \makevalueexpandable } % \commondummiesnofonts: common to \commondummies and \indexnofonts. % \def\commondummiesnofonts{% % Control letters and accents. \definedummyletter\!% \definedummyaccent\"% \definedummyaccent\'% \definedummyletter\*% \definedummyaccent\,% \definedummyletter\.% \definedummyletter\/% \definedummyletter\:% \definedummyaccent\=% \definedummyletter\?% \definedummyaccent\^% \definedummyaccent\`% \definedummyaccent\~% \definedummyword\u \definedummyword\v \definedummyword\H \definedummyword\dotaccent \definedummyword\ogonek \definedummyword\ringaccent \definedummyword\tieaccent \definedummyword\ubaraccent \definedummyword\udotaccent \definedummyword\dotless % % Texinfo font commands. \definedummyword\b \definedummyword\i \definedummyword\r \definedummyword\sc \definedummyword\t % % Commands that take arguments. \definedummyword\acronym \definedummyword\cite \definedummyword\code \definedummyword\command \definedummyword\dfn \definedummyword\emph \definedummyword\env \definedummyword\file \definedummyword\kbd \definedummyword\key \definedummyword\math \definedummyword\option \definedummyword\pxref \definedummyword\ref \definedummyword\samp \definedummyword\strong \definedummyword\tie \definedummyword\uref \definedummyword\url \definedummyword\var \definedummyword\verb \definedummyword\w \definedummyword\xref } % \indexnofonts is used when outputting the strings to sort the index % by, and when constructing control sequence names. It eliminates all % control sequences and just writes whatever the best ASCII sort string % would be for a given command (usually its argument). % \def\indexnofonts{% % Accent commands should become @asis. \def\definedummyaccent##1{\let##1\asis}% % We can just ignore other control letters. \def\definedummyletter##1{\let##1\empty}% % Hopefully, all control words can become @asis. \let\definedummyword\definedummyaccent % \commondummiesnofonts % % Don't no-op \tt, since it isn't a user-level command % and is used in the definitions of the active chars like <, >, |, etc. % Likewise with the other plain tex font commands. %\let\tt=\asis % \def\ { }% \def\@{@}% % how to handle braces? \def\_{\normalunderscore}% % % Non-English letters. \def\AA{AA}% \def\AE{AE}% \def\DH{DZZ}% \def\L{L}% \def\OE{OE}% \def\O{O}% \def\TH{ZZZ}% \def\aa{aa}% \def\ae{ae}% \def\dh{dzz}% \def\exclamdown{!}% \def\l{l}% \def\oe{oe}% \def\ordf{a}% \def\ordm{o}% \def\o{o}% \def\questiondown{?}% \def\ss{ss}% \def\th{zzz}% % \def\LaTeX{LaTeX}% \def\TeX{TeX}% % % Assorted special characters. % (The following {} will end up in the sort string, but that's ok.) \def\bullet{bullet}% \def\comma{,}% \def\copyright{copyright}% \def\registeredsymbol{R}% \def\dots{...}% \def\enddots{...}% \def\equiv{==}% \def\error{error}% \def\euro{euro}% \def\guillemetleft{<<}% \def\guillemetright{>>}% \def\guilsinglleft{<}% \def\guilsinglright{>}% \def\expansion{==>}% \def\minus{-}% \def\pounds{pounds}% \def\point{.}% \def\print{-|}% \def\quotedblbase{"}% \def\quotedblleft{"}% \def\quotedblright{"}% \def\quoteleft{`}% \def\quoteright{'}% \def\quotesinglbase{,}% \def\result{=>}% \def\textdegree{degrees}% % % We need to get rid of all macros, leaving only the arguments (if present). % Of course this is not nearly correct, but it is the best we can do for now. % makeinfo does not expand macros in the argument to @deffn, which ends up % writing an index entry, and texindex isn't prepared for an index sort entry % that starts with \. % % Since macro invocations are followed by braces, we can just redefine them % to take a single TeX argument. The case of a macro invocation that % goes to end-of-line is not handled. % \macrolist } \let\indexbackslash=0 %overridden during \printindex. \let\SETmarginindex=\relax % put index entries in margin (undocumented)? % Most index entries go through here, but \dosubind is the general case. % #1 is the index name, #2 is the entry text. \def\doind#1#2{\dosubind{#1}{#2}{}} % Workhorse for all \fooindexes. % #1 is name of index, #2 is stuff to put there, #3 is subentry -- % empty if called from \doind, as we usually are (the main exception % is with most defuns, which call us directly). % \def\dosubind#1#2#3{% \iflinks {% % Store the main index entry text (including the third arg). \toks0 = {#2}% % If third arg is present, precede it with a space. \def\thirdarg{#3}% \ifx\thirdarg\empty \else \toks0 = \expandafter{\the\toks0 \space #3}% \fi % \edef\writeto{\csname#1indfile\endcsname}% % \safewhatsit\dosubindwrite }% \fi } % Write the entry in \toks0 to the index file: % \def\dosubindwrite{% % Put the index entry in the margin if desired. \ifx\SETmarginindex\relax\else \insert\margin{\hbox{\vrule height8pt depth3pt width0pt \the\toks0}}% \fi % % Remember, we are within a group. \indexdummies % Must do this here, since \bf, etc expand at this stage \def\backslashcurfont{\indexbackslash}% \indexbackslash isn't defined now % so it will be output as is; and it will print as backslash. % % Process the index entry with all font commands turned off, to % get the string to sort by. {\indexnofonts \edef\temp{\the\toks0}% need full expansion \xdef\indexsorttmp{\temp}% }% % % Set up the complete index entry, with both the sort key and % the original text, including any font commands. We write % three arguments to \entry to the .?? file (four in the % subentry case), texindex reduces to two when writing the .??s % sorted result. \edef\temp{% \write\writeto{% \string\entry{\indexsorttmp}{\noexpand\folio}{\the\toks0}}% }% \temp } % Take care of unwanted page breaks/skips around a whatsit: % % If a skip is the last thing on the list now, preserve it % by backing up by \lastskip, doing the \write, then inserting % the skip again. Otherwise, the whatsit generated by the % \write or \pdfdest will make \lastskip zero. The result is that % sequences like this: % @end defun % @tindex whatever % @defun ... % will have extra space inserted, because the \medbreak in the % start of the @defun won't see the skip inserted by the @end of % the previous defun. % % But don't do any of this if we're not in vertical mode. We % don't want to do a \vskip and prematurely end a paragraph. % % Avoid page breaks due to these extra skips, too. % % But wait, there is a catch there: % We'll have to check whether \lastskip is zero skip. \ifdim is not % sufficient for this purpose, as it ignores stretch and shrink parts % of the skip. The only way seems to be to check the textual % representation of the skip. % % The following is almost like \def\zeroskipmacro{0.0pt} except that % the ``p'' and ``t'' characters have catcode \other, not 11 (letter). % \edef\zeroskipmacro{\expandafter\the\csname z@skip\endcsname} % \newskip\whatsitskip \newcount\whatsitpenalty % % ..., ready, GO: % \def\safewhatsit#1{% \ifhmode #1% \else % \lastskip and \lastpenalty cannot both be nonzero simultaneously. \whatsitskip = \lastskip \edef\lastskipmacro{\the\lastskip}% \whatsitpenalty = \lastpenalty % % If \lastskip is nonzero, that means the last item was a % skip. And since a skip is discardable, that means this % -\whatsitskip glue we're inserting is preceded by a % non-discardable item, therefore it is not a potential % breakpoint, therefore no \nobreak needed. \ifx\lastskipmacro\zeroskipmacro \else \vskip-\whatsitskip \fi % #1% % \ifx\lastskipmacro\zeroskipmacro % If \lastskip was zero, perhaps the last item was a penalty, and % perhaps it was >=10000, e.g., a \nobreak. In that case, we want % to re-insert the same penalty (values >10000 are used for various % signals); since we just inserted a non-discardable item, any % following glue (such as a \parskip) would be a breakpoint. For example: % % @deffn deffn-whatever % @vindex index-whatever % Description. % would allow a break between the index-whatever whatsit % and the "Description." paragraph. \ifnum\whatsitpenalty>9999 \penalty\whatsitpenalty \fi \else % On the other hand, if we had a nonzero \lastskip, % this make-up glue would be preceded by a non-discardable item % (the whatsit from the \write), so we must insert a \nobreak. \nobreak\vskip\whatsitskip \fi \fi } % The index entry written in the file actually looks like % \entry {sortstring}{page}{topic} % or % \entry {sortstring}{page}{topic}{subtopic} % The texindex program reads in these files and writes files % containing these kinds of lines: % \initial {c} % before the first topic whose initial is c % \entry {topic}{pagelist} % for a topic that is used without subtopics % \primary {topic} % for the beginning of a topic that is used with subtopics % \secondary {subtopic}{pagelist} % for each subtopic. % Define the user-accessible indexing commands % @findex, @vindex, @kindex, @cindex. \def\findex {\fnindex} \def\kindex {\kyindex} \def\cindex {\cpindex} \def\vindex {\vrindex} \def\tindex {\tpindex} \def\pindex {\pgindex} \def\cindexsub {\begingroup\obeylines\cindexsub} {\obeylines % \gdef\cindexsub "#1" #2^^M{\endgroup % \dosubind{cp}{#2}{#1}}} % Define the macros used in formatting output of the sorted index material. % @printindex causes a particular index (the ??s file) to get printed. % It does not print any chapter heading (usually an @unnumbered). % \parseargdef\printindex{\begingroup \dobreak \chapheadingskip{10000}% % \smallfonts \rm \tolerance = 9500 \plainfrenchspacing \everypar = {}% don't want the \kern\-parindent from indentation suppression. % % See if the index file exists and is nonempty. % Change catcode of @ here so that if the index file contains % \initial {@} % as its first line, TeX doesn't complain about mismatched braces % (because it thinks @} is a control sequence). \catcode`\@ = 11 \openin 1 \jobname.#1s \ifeof 1 % \enddoublecolumns gets confused if there is no text in the index, % and it loses the chapter title and the aux file entries for the % index. The easiest way to prevent this problem is to make sure % there is some text. \putwordIndexNonexistent \else % % If the index file exists but is empty, then \openin leaves \ifeof % false. We have to make TeX try to read something from the file, so % it can discover if there is anything in it. \read 1 to \temp \ifeof 1 \putwordIndexIsEmpty \else % Index files are almost Texinfo source, but we use \ as the escape % character. It would be better to use @, but that's too big a change % to make right now. \def\indexbackslash{\backslashcurfont}% \catcode`\\ = 0 \escapechar = `\\ \begindoublecolumns \input \jobname.#1s \enddoublecolumns \fi \fi \closein 1 \endgroup} % These macros are used by the sorted index file itself. % Change them to control the appearance of the index. \def\initial#1{{% % Some minor font changes for the special characters. \let\tentt=\sectt \let\tt=\sectt \let\sf=\sectt % % Remove any glue we may have, we'll be inserting our own. \removelastskip % % We like breaks before the index initials, so insert a bonus. \nobreak \vskip 0pt plus 3\baselineskip \penalty 0 \vskip 0pt plus -3\baselineskip % % Typeset the initial. Making this add up to a whole number of % baselineskips increases the chance of the dots lining up from column % to column. It still won't often be perfect, because of the stretch % we need before each entry, but it's better. % % No shrink because it confuses \balancecolumns. \vskip 1.67\baselineskip plus .5\baselineskip \leftline{\secbf #1}% % Do our best not to break after the initial. \nobreak \vskip .33\baselineskip plus .1\baselineskip }} % \entry typesets a paragraph consisting of the text (#1), dot leaders, and % then page number (#2) flushed to the right margin. It is used for index % and table of contents entries. The paragraph is indented by \leftskip. % % A straightforward implementation would start like this: % \def\entry#1#2{... % But this freezes the catcodes in the argument, and can cause problems to % @code, which sets - active. This problem was fixed by a kludge--- % ``-'' was active throughout whole index, but this isn't really right. % % The right solution is to prevent \entry from swallowing the whole text. % --kasal, 21nov03 \def\entry{% \begingroup % % Start a new paragraph if necessary, so our assignments below can't % affect previous text. \par % % Do not fill out the last line with white space. \parfillskip = 0in % % No extra space above this paragraph. \parskip = 0in % % Do not prefer a separate line ending with a hyphen to fewer lines. \finalhyphendemerits = 0 % % \hangindent is only relevant when the entry text and page number % don't both fit on one line. In that case, bob suggests starting the % dots pretty far over on the line. Unfortunately, a large % indentation looks wrong when the entry text itself is broken across % lines. So we use a small indentation and put up with long leaders. % % \hangafter is reset to 1 (which is the value we want) at the start % of each paragraph, so we need not do anything with that. \hangindent = 2em % % When the entry text needs to be broken, just fill out the first line % with blank space. \rightskip = 0pt plus1fil % % A bit of stretch before each entry for the benefit of balancing % columns. \vskip 0pt plus1pt % % Swallow the left brace of the text (first parameter): \afterassignment\doentry \let\temp = } \def\doentry{% \bgroup % Instead of the swallowed brace. \noindent \aftergroup\finishentry % And now comes the text of the entry. } \def\finishentry#1{% % #1 is the page number. % % The following is kludged to not output a line of dots in the index if % there are no page numbers. The next person who breaks this will be % cursed by a Unix daemon. \setbox\boxA = \hbox{#1}% \ifdim\wd\boxA = 0pt \ % \else % % If we must, put the page number on a line of its own, and fill out % this line with blank space. (The \hfil is overwhelmed with the % fill leaders glue in \indexdotfill if the page number does fit.) \hfil\penalty50 \null\nobreak\indexdotfill % Have leaders before the page number. % % The `\ ' here is removed by the implicit \unskip that TeX does as % part of (the primitive) \par. Without it, a spurious underfull % \hbox ensues. \ifpdf \pdfgettoks#1.% \ \the\toksA \else \ #1% \fi \fi \par \endgroup } % Like plain.tex's \dotfill, except uses up at least 1 em. \def\indexdotfill{\cleaders \hbox{$\mathsurround=0pt \mkern1.5mu.\mkern1.5mu$}\hskip 1em plus 1fill} \def\primary #1{\line{#1\hfil}} \newskip\secondaryindent \secondaryindent=0.5cm \def\secondary#1#2{{% \parfillskip=0in \parskip=0in \hangindent=1in \hangafter=1 \noindent\hskip\secondaryindent\hbox{#1}\indexdotfill \ifpdf \pdfgettoks#2.\ \the\toksA % The page number ends the paragraph. \else #2 \fi \par }} % Define two-column mode, which we use to typeset indexes. % Adapted from the TeXbook, page 416, which is to say, % the manmac.tex format used to print the TeXbook itself. \catcode`\@=11 \newbox\partialpage \newdimen\doublecolumnhsize \def\begindoublecolumns{\begingroup % ended by \enddoublecolumns % Grab any single-column material above us. \output = {% % % Here is a possibility not foreseen in manmac: if we accumulate a % whole lot of material, we might end up calling this \output % routine twice in a row (see the doublecol-lose test, which is % essentially a couple of indexes with @setchapternewpage off). In % that case we just ship out what is in \partialpage with the normal % output routine. Generally, \partialpage will be empty when this % runs and this will be a no-op. See the indexspread.tex test case. \ifvoid\partialpage \else \onepageout{\pagecontents\partialpage}% \fi % \global\setbox\partialpage = \vbox{% % Unvbox the main output page. \unvbox\PAGE \kern-\topskip \kern\baselineskip }% }% \eject % run that output routine to set \partialpage % % Use the double-column output routine for subsequent pages. \output = {\doublecolumnout}% % % Change the page size parameters. We could do this once outside this % routine, in each of @smallbook, @afourpaper, and the default 8.5x11 % format, but then we repeat the same computation. Repeating a couple % of assignments once per index is clearly meaningless for the % execution time, so we may as well do it in one place. % % First we halve the line length, less a little for the gutter between % the columns. We compute the gutter based on the line length, so it % changes automatically with the paper format. The magic constant % below is chosen so that the gutter has the same value (well, +-<1pt) % as it did when we hard-coded it. % % We put the result in a separate register, \doublecolumhsize, so we % can restore it in \pagesofar, after \hsize itself has (potentially) % been clobbered. % \doublecolumnhsize = \hsize \advance\doublecolumnhsize by -.04154\hsize \divide\doublecolumnhsize by 2 \hsize = \doublecolumnhsize % % Double the \vsize as well. (We don't need a separate register here, % since nobody clobbers \vsize.) \vsize = 2\vsize } % The double-column output routine for all double-column pages except % the last. % \def\doublecolumnout{% \splittopskip=\topskip \splitmaxdepth=\maxdepth % Get the available space for the double columns -- the normal % (undoubled) page height minus any material left over from the % previous page. \dimen@ = \vsize \divide\dimen@ by 2 \advance\dimen@ by -\ht\partialpage % % box0 will be the left-hand column, box2 the right. \setbox0=\vsplit255 to\dimen@ \setbox2=\vsplit255 to\dimen@ \onepageout\pagesofar \unvbox255 \penalty\outputpenalty } % % Re-output the contents of the output page -- any previous material, % followed by the two boxes we just split, in box0 and box2. \def\pagesofar{% \unvbox\partialpage % \hsize = \doublecolumnhsize \wd0=\hsize \wd2=\hsize \hbox to\pagewidth{\box0\hfil\box2}% } % % All done with double columns. \def\enddoublecolumns{% % The following penalty ensures that the page builder is exercised % _before_ we change the output routine. This is necessary in the % following situation: % % The last section of the index consists only of a single entry. % Before this section, \pagetotal is less than \pagegoal, so no % break occurs before the last section starts. However, the last % section, consisting of \initial and the single \entry, does not % fit on the page and has to be broken off. Without the following % penalty the page builder will not be exercised until \eject % below, and by that time we'll already have changed the output % routine to the \balancecolumns version, so the next-to-last % double-column page will be processed with \balancecolumns, which % is wrong: The two columns will go to the main vertical list, with % the broken-off section in the recent contributions. As soon as % the output routine finishes, TeX starts reconsidering the page % break. The two columns and the broken-off section both fit on the % page, because the two columns now take up only half of the page % goal. When TeX sees \eject from below which follows the final % section, it invokes the new output routine that we've set after % \balancecolumns below; \onepageout will try to fit the two columns % and the final section into the vbox of \pageheight (see % \pagebody), causing an overfull box. % % Note that glue won't work here, because glue does not exercise the % page builder, unlike penalties (see The TeXbook, pp. 280-281). \penalty0 % \output = {% % Split the last of the double-column material. Leave it on the % current page, no automatic page break. \balancecolumns % % If we end up splitting too much material for the current page, % though, there will be another page break right after this \output % invocation ends. Having called \balancecolumns once, we do not % want to call it again. Therefore, reset \output to its normal % definition right away. (We hope \balancecolumns will never be % called on to balance too much material, but if it is, this makes % the output somewhat more palatable.) \global\output = {\onepageout{\pagecontents\PAGE}}% }% \eject \endgroup % started in \begindoublecolumns % % \pagegoal was set to the doubled \vsize above, since we restarted % the current page. We're now back to normal single-column % typesetting, so reset \pagegoal to the normal \vsize (after the % \endgroup where \vsize got restored). \pagegoal = \vsize } % % Called at the end of the double column material. \def\balancecolumns{% \setbox0 = \vbox{\unvbox255}% like \box255 but more efficient, see p.120. \dimen@ = \ht0 \advance\dimen@ by \topskip \advance\dimen@ by-\baselineskip \divide\dimen@ by 2 % target to split to %debug\message{final 2-column material height=\the\ht0, target=\the\dimen@.}% \splittopskip = \topskip % Loop until we get a decent breakpoint. {% \vbadness = 10000 \loop \global\setbox3 = \copy0 \global\setbox1 = \vsplit3 to \dimen@ \ifdim\ht3>\dimen@ \global\advance\dimen@ by 1pt \repeat }% %debug\message{split to \the\dimen@, column heights: \the\ht1, \the\ht3.}% \setbox0=\vbox to\dimen@{\unvbox1}% \setbox2=\vbox to\dimen@{\unvbox3}% % \pagesofar } \catcode`\@ = \other \message{sectioning,} % Chapters, sections, etc. % \unnumberedno is an oxymoron, of course. But we count the unnumbered % sections so that we can refer to them unambiguously in the pdf % outlines by their "section number". We avoid collisions with chapter % numbers by starting them at 10000. (If a document ever has 10000 % chapters, we're in trouble anyway, I'm sure.) \newcount\unnumberedno \unnumberedno = 10000 \newcount\chapno \newcount\secno \secno=0 \newcount\subsecno \subsecno=0 \newcount\subsubsecno \subsubsecno=0 % This counter is funny since it counts through charcodes of letters A, B, ... \newcount\appendixno \appendixno = `\@ % % \def\appendixletter{\char\the\appendixno} % We do the following ugly conditional instead of the above simple % construct for the sake of pdftex, which needs the actual % letter in the expansion, not just typeset. % \def\appendixletter{% \ifnum\appendixno=`A A% \else\ifnum\appendixno=`B B% \else\ifnum\appendixno=`C C% \else\ifnum\appendixno=`D D% \else\ifnum\appendixno=`E E% \else\ifnum\appendixno=`F F% \else\ifnum\appendixno=`G G% \else\ifnum\appendixno=`H H% \else\ifnum\appendixno=`I I% \else\ifnum\appendixno=`J J% \else\ifnum\appendixno=`K K% \else\ifnum\appendixno=`L L% \else\ifnum\appendixno=`M M% \else\ifnum\appendixno=`N N% \else\ifnum\appendixno=`O O% \else\ifnum\appendixno=`P P% \else\ifnum\appendixno=`Q Q% \else\ifnum\appendixno=`R R% \else\ifnum\appendixno=`S S% \else\ifnum\appendixno=`T T% \else\ifnum\appendixno=`U U% \else\ifnum\appendixno=`V V% \else\ifnum\appendixno=`W W% \else\ifnum\appendixno=`X X% \else\ifnum\appendixno=`Y Y% \else\ifnum\appendixno=`Z Z% % The \the is necessary, despite appearances, because \appendixletter is % expanded while writing the .toc file. \char\appendixno is not % expandable, thus it is written literally, thus all appendixes come out % with the same letter (or @) in the toc without it. \else\char\the\appendixno \fi\fi\fi\fi\fi\fi\fi\fi\fi\fi\fi\fi\fi \fi\fi\fi\fi\fi\fi\fi\fi\fi\fi\fi\fi\fi} % Each @chapter defines these (using marks) as the number+name, number % and name of the chapter. Page headings and footings can use % these. @section does likewise. \def\thischapter{} \def\thischapternum{} \def\thischaptername{} \def\thissection{} \def\thissectionnum{} \def\thissectionname{} \newcount\absseclevel % used to calculate proper heading level \newcount\secbase\secbase=0 % @raisesections/@lowersections modify this count % @raisesections: treat @section as chapter, @subsection as section, etc. \def\raisesections{\global\advance\secbase by -1} \let\up=\raisesections % original BFox name % @lowersections: treat @chapter as section, @section as subsection, etc. \def\lowersections{\global\advance\secbase by 1} \let\down=\lowersections % original BFox name % we only have subsub. \chardef\maxseclevel = 3 % % A numbered section within an unnumbered changes to unnumbered too. % To achive this, remember the "biggest" unnum. sec. we are currently in: \chardef\unmlevel = \maxseclevel % % Trace whether the current chapter is an appendix or not: % \chapheadtype is "N" or "A", unnumbered chapters are ignored. \def\chapheadtype{N} % Choose a heading macro % #1 is heading type % #2 is heading level % #3 is text for heading \def\genhead#1#2#3{% % Compute the abs. sec. level: \absseclevel=#2 \advance\absseclevel by \secbase % Make sure \absseclevel doesn't fall outside the range: \ifnum \absseclevel < 0 \absseclevel = 0 \else \ifnum \absseclevel > 3 \absseclevel = 3 \fi \fi % The heading type: \def\headtype{#1}% \if \headtype U% \ifnum \absseclevel < \unmlevel \chardef\unmlevel = \absseclevel \fi \else % Check for appendix sections: \ifnum \absseclevel = 0 \edef\chapheadtype{\headtype}% \else \if \headtype A\if \chapheadtype N% \errmessage{@appendix... within a non-appendix chapter}% \fi\fi \fi % Check for numbered within unnumbered: \ifnum \absseclevel > \unmlevel \def\headtype{U}% \else \chardef\unmlevel = 3 \fi \fi % Now print the heading: \if \headtype U% \ifcase\absseclevel \unnumberedzzz{#3}% \or \unnumberedseczzz{#3}% \or \unnumberedsubseczzz{#3}% \or \unnumberedsubsubseczzz{#3}% \fi \else \if \headtype A% \ifcase\absseclevel \appendixzzz{#3}% \or \appendixsectionzzz{#3}% \or \appendixsubseczzz{#3}% \or \appendixsubsubseczzz{#3}% \fi \else \ifcase\absseclevel \chapterzzz{#3}% \or \seczzz{#3}% \or \numberedsubseczzz{#3}% \or \numberedsubsubseczzz{#3}% \fi \fi \fi \suppressfirstparagraphindent } % an interface: \def\numhead{\genhead N} \def\apphead{\genhead A} \def\unnmhead{\genhead U} % @chapter, @appendix, @unnumbered. Increment top-level counter, reset % all lower-level sectioning counters to zero. % % Also set \chaplevelprefix, which we prepend to @float sequence numbers % (e.g., figures), q.v. By default (before any chapter), that is empty. \let\chaplevelprefix = \empty % \outer\parseargdef\chapter{\numhead0{#1}} % normally numhead0 calls chapterzzz \def\chapterzzz#1{% % section resetting is \global in case the chapter is in a group, such % as an @include file. \global\secno=0 \global\subsecno=0 \global\subsubsecno=0 \global\advance\chapno by 1 % % Used for \float. \gdef\chaplevelprefix{\the\chapno.}% \resetallfloatnos % % \putwordChapter can contain complex things in translations. \toks0=\expandafter{\putwordChapter}% \message{\the\toks0 \space \the\chapno}% % % Write the actual heading. \chapmacro{#1}{Ynumbered}{\the\chapno}% % % So @section and the like are numbered underneath this chapter. \global\let\section = \numberedsec \global\let\subsection = \numberedsubsec \global\let\subsubsection = \numberedsubsubsec } \outer\parseargdef\appendix{\apphead0{#1}} % normally calls appendixzzz % \def\appendixzzz#1{% \global\secno=0 \global\subsecno=0 \global\subsubsecno=0 \global\advance\appendixno by 1 \gdef\chaplevelprefix{\appendixletter.}% \resetallfloatnos % % \putwordAppendix can contain complex things in translations. \toks0=\expandafter{\putwordAppendix}% \message{\the\toks0 \space \appendixletter}% % \chapmacro{#1}{Yappendix}{\appendixletter}% % \global\let\section = \appendixsec \global\let\subsection = \appendixsubsec \global\let\subsubsection = \appendixsubsubsec } \outer\parseargdef\unnumbered{\unnmhead0{#1}} % normally unnmhead0 calls unnumberedzzz \def\unnumberedzzz#1{% \global\secno=0 \global\subsecno=0 \global\subsubsecno=0 \global\advance\unnumberedno by 1 % % Since an unnumbered has no number, no prefix for figures. \global\let\chaplevelprefix = \empty \resetallfloatnos % % This used to be simply \message{#1}, but TeX fully expands the % argument to \message. Therefore, if #1 contained @-commands, TeX % expanded them. For example, in `@unnumbered The @cite{Book}', TeX % expanded @cite (which turns out to cause errors because \cite is meant % to be executed, not expanded). % % Anyway, we don't want the fully-expanded definition of @cite to appear % as a result of the \message, we just want `@cite' itself. We use % \the to achieve this: TeX expands \the only once, % simply yielding the contents of . (We also do this for % the toc entries.) \toks0 = {#1}% \message{(\the\toks0)}% % \chapmacro{#1}{Ynothing}{\the\unnumberedno}% % \global\let\section = \unnumberedsec \global\let\subsection = \unnumberedsubsec \global\let\subsubsection = \unnumberedsubsubsec } % @centerchap is like @unnumbered, but the heading is centered. \outer\parseargdef\centerchap{% % Well, we could do the following in a group, but that would break % an assumption that \chapmacro is called at the outermost level. % Thus we are safer this way: --kasal, 24feb04 \let\centerparametersmaybe = \centerparameters \unnmhead0{#1}% \let\centerparametersmaybe = \relax } % @top is like @unnumbered. \let\top\unnumbered % Sections. \outer\parseargdef\numberedsec{\numhead1{#1}} % normally calls seczzz \def\seczzz#1{% \global\subsecno=0 \global\subsubsecno=0 \global\advance\secno by 1 \sectionheading{#1}{sec}{Ynumbered}{\the\chapno.\the\secno}% } \outer\parseargdef\appendixsection{\apphead1{#1}} % normally calls appendixsectionzzz \def\appendixsectionzzz#1{% \global\subsecno=0 \global\subsubsecno=0 \global\advance\secno by 1 \sectionheading{#1}{sec}{Yappendix}{\appendixletter.\the\secno}% } \let\appendixsec\appendixsection \outer\parseargdef\unnumberedsec{\unnmhead1{#1}} % normally calls unnumberedseczzz \def\unnumberedseczzz#1{% \global\subsecno=0 \global\subsubsecno=0 \global\advance\secno by 1 \sectionheading{#1}{sec}{Ynothing}{\the\unnumberedno.\the\secno}% } % Subsections. \outer\parseargdef\numberedsubsec{\numhead2{#1}} % normally calls numberedsubseczzz \def\numberedsubseczzz#1{% \global\subsubsecno=0 \global\advance\subsecno by 1 \sectionheading{#1}{subsec}{Ynumbered}{\the\chapno.\the\secno.\the\subsecno}% } \outer\parseargdef\appendixsubsec{\apphead2{#1}} % normally calls appendixsubseczzz \def\appendixsubseczzz#1{% \global\subsubsecno=0 \global\advance\subsecno by 1 \sectionheading{#1}{subsec}{Yappendix}% {\appendixletter.\the\secno.\the\subsecno}% } \outer\parseargdef\unnumberedsubsec{\unnmhead2{#1}} %normally calls unnumberedsubseczzz \def\unnumberedsubseczzz#1{% \global\subsubsecno=0 \global\advance\subsecno by 1 \sectionheading{#1}{subsec}{Ynothing}% {\the\unnumberedno.\the\secno.\the\subsecno}% } % Subsubsections. \outer\parseargdef\numberedsubsubsec{\numhead3{#1}} % normally numberedsubsubseczzz \def\numberedsubsubseczzz#1{% \global\advance\subsubsecno by 1 \sectionheading{#1}{subsubsec}{Ynumbered}% {\the\chapno.\the\secno.\the\subsecno.\the\subsubsecno}% } \outer\parseargdef\appendixsubsubsec{\apphead3{#1}} % normally appendixsubsubseczzz \def\appendixsubsubseczzz#1{% \global\advance\subsubsecno by 1 \sectionheading{#1}{subsubsec}{Yappendix}% {\appendixletter.\the\secno.\the\subsecno.\the\subsubsecno}% } \outer\parseargdef\unnumberedsubsubsec{\unnmhead3{#1}} %normally unnumberedsubsubseczzz \def\unnumberedsubsubseczzz#1{% \global\advance\subsubsecno by 1 \sectionheading{#1}{subsubsec}{Ynothing}% {\the\unnumberedno.\the\secno.\the\subsecno.\the\subsubsecno}% } % These macros control what the section commands do, according % to what kind of chapter we are in (ordinary, appendix, or unnumbered). % Define them by default for a numbered chapter. \let\section = \numberedsec \let\subsection = \numberedsubsec \let\subsubsection = \numberedsubsubsec % Define @majorheading, @heading and @subheading % NOTE on use of \vbox for chapter headings, section headings, and such: % 1) We use \vbox rather than the earlier \line to permit % overlong headings to fold. % 2) \hyphenpenalty is set to 10000 because hyphenation in a % heading is obnoxious; this forbids it. % 3) Likewise, headings look best if no \parindent is used, and % if justification is not attempted. Hence \raggedright. \def\majorheading{% {\advance\chapheadingskip by 10pt \chapbreak }% \parsearg\chapheadingzzz } \def\chapheading{\chapbreak \parsearg\chapheadingzzz} \def\chapheadingzzz#1{% {\chapfonts \vbox{\hyphenpenalty=10000\tolerance=5000 \parindent=0pt\ptexraggedright \rmisbold #1\hfill}}% \bigskip \par\penalty 200\relax \suppressfirstparagraphindent } % @heading, @subheading, @subsubheading. \parseargdef\heading{\sectionheading{#1}{sec}{Yomitfromtoc}{} \suppressfirstparagraphindent} \parseargdef\subheading{\sectionheading{#1}{subsec}{Yomitfromtoc}{} \suppressfirstparagraphindent} \parseargdef\subsubheading{\sectionheading{#1}{subsubsec}{Yomitfromtoc}{} \suppressfirstparagraphindent} % These macros generate a chapter, section, etc. heading only % (including whitespace, linebreaking, etc. around it), % given all the information in convenient, parsed form. %%% Args are the skip and penalty (usually negative) \def\dobreak#1#2{\par\ifdim\lastskip<#1\removelastskip\penalty#2\vskip#1\fi} %%% Define plain chapter starts, and page on/off switching for it % Parameter controlling skip before chapter headings (if needed) \newskip\chapheadingskip \def\chapbreak{\dobreak \chapheadingskip {-4000}} \def\chappager{\par\vfill\supereject} % Because \domark is called before \chapoddpage, the filler page will % get the headings for the next chapter, which is wrong. But we don't % care -- we just disable all headings on the filler page. \def\chapoddpage{% \chappager \ifodd\pageno \else \begingroup \evenheadline={\hfil}\evenfootline={\hfil}% \oddheadline={\hfil}\oddfootline={\hfil}% \hbox to 0pt{}% \chappager \endgroup \fi } \def\setchapternewpage #1 {\csname CHAPPAG#1\endcsname} \def\CHAPPAGoff{% \global\let\contentsalignmacro = \chappager \global\let\pchapsepmacro=\chapbreak \global\let\pagealignmacro=\chappager} \def\CHAPPAGon{% \global\let\contentsalignmacro = \chappager \global\let\pchapsepmacro=\chappager \global\let\pagealignmacro=\chappager \global\def\HEADINGSon{\HEADINGSsingle}} \def\CHAPPAGodd{% \global\let\contentsalignmacro = \chapoddpage \global\let\pchapsepmacro=\chapoddpage \global\let\pagealignmacro=\chapoddpage \global\def\HEADINGSon{\HEADINGSdouble}} \CHAPPAGon % Chapter opening. % % #1 is the text, #2 is the section type (Ynumbered, Ynothing, % Yappendix, Yomitfromtoc), #3 the chapter number. % % To test against our argument. \def\Ynothingkeyword{Ynothing} \def\Yomitfromtockeyword{Yomitfromtoc} \def\Yappendixkeyword{Yappendix} % \def\chapmacro#1#2#3{% % Insert the first mark before the heading break (see notes for \domark). \let\prevchapterdefs=\lastchapterdefs \let\prevsectiondefs=\lastsectiondefs \gdef\lastsectiondefs{\gdef\thissectionname{}\gdef\thissectionnum{}% \gdef\thissection{}}% % \def\temptype{#2}% \ifx\temptype\Ynothingkeyword \gdef\lastchapterdefs{\gdef\thischaptername{#1}\gdef\thischapternum{}% \gdef\thischapter{\thischaptername}}% \else\ifx\temptype\Yomitfromtockeyword \gdef\lastchapterdefs{\gdef\thischaptername{#1}\gdef\thischapternum{}% \gdef\thischapter{}}% \else\ifx\temptype\Yappendixkeyword \toks0={#1}% \xdef\lastchapterdefs{% \gdef\noexpand\thischaptername{\the\toks0}% \gdef\noexpand\thischapternum{\appendixletter}% % \noexpand\putwordAppendix avoids expanding indigestible % commands in some of the translations. \gdef\noexpand\thischapter{\noexpand\putwordAppendix{} \noexpand\thischapternum: \noexpand\thischaptername}% }% \else \toks0={#1}% \xdef\lastchapterdefs{% \gdef\noexpand\thischaptername{\the\toks0}% \gdef\noexpand\thischapternum{\the\chapno}% % \noexpand\putwordChapter avoids expanding indigestible % commands in some of the translations. \gdef\noexpand\thischapter{\noexpand\putwordChapter{} \noexpand\thischapternum: \noexpand\thischaptername}% }% \fi\fi\fi % % Output the mark. Pass it through \safewhatsit, to take care of % the preceding space. \safewhatsit\domark % % Insert the chapter heading break. \pchapsepmacro % % Now the second mark, after the heading break. No break points % between here and the heading. \let\prevchapterdefs=\lastchapterdefs \let\prevsectiondefs=\lastsectiondefs \domark % {% \chapfonts \rmisbold % % Have to define \lastsection before calling \donoderef, because the % xref code eventually uses it. On the other hand, it has to be called % after \pchapsepmacro, or the headline will change too soon. \gdef\lastsection{#1}% % % Only insert the separating space if we have a chapter/appendix % number, and don't print the unnumbered ``number''. \ifx\temptype\Ynothingkeyword \setbox0 = \hbox{}% \def\toctype{unnchap}% \else\ifx\temptype\Yomitfromtockeyword \setbox0 = \hbox{}% contents like unnumbered, but no toc entry \def\toctype{omit}% \else\ifx\temptype\Yappendixkeyword \setbox0 = \hbox{\putwordAppendix{} #3\enspace}% \def\toctype{app}% \else \setbox0 = \hbox{#3\enspace}% \def\toctype{numchap}% \fi\fi\fi % % Write the toc entry for this chapter. Must come before the % \donoderef, because we include the current node name in the toc % entry, and \donoderef resets it to empty. \writetocentry{\toctype}{#1}{#3}% % % For pdftex, we have to write out the node definition (aka, make % the pdfdest) after any page break, but before the actual text has % been typeset. If the destination for the pdf outline is after the % text, then jumping from the outline may wind up with the text not % being visible, for instance under high magnification. \donoderef{#2}% % % Typeset the actual heading. \nobreak % Avoid page breaks at the interline glue. \vbox{\hyphenpenalty=10000 \tolerance=5000 \parindent=0pt \ptexraggedright \hangindent=\wd0 \centerparametersmaybe \unhbox0 #1\par}% }% \nobreak\bigskip % no page break after a chapter title \nobreak } % @centerchap -- centered and unnumbered. \let\centerparametersmaybe = \relax \def\centerparameters{% \advance\rightskip by 3\rightskip \leftskip = \rightskip \parfillskip = 0pt } % I don't think this chapter style is supported any more, so I'm not % updating it with the new noderef stuff. We'll see. --karl, 11aug03. % \def\setchapterstyle #1 {\csname CHAPF#1\endcsname} % \def\unnchfopen #1{% \chapoddpage {\chapfonts \vbox{\hyphenpenalty=10000\tolerance=5000 \parindent=0pt\ptexraggedright \rmisbold #1\hfill}}\bigskip \par\nobreak } \def\chfopen #1#2{\chapoddpage {\chapfonts \vbox to 3in{\vfil \hbox to\hsize{\hfil #2} \hbox to\hsize{\hfil #1} \vfil}}% \par\penalty 5000 % } \def\centerchfopen #1{% \chapoddpage {\chapfonts \vbox{\hyphenpenalty=10000\tolerance=5000 \parindent=0pt \hfill {\rmisbold #1}\hfill}}\bigskip \par\nobreak } \def\CHAPFopen{% \global\let\chapmacro=\chfopen \global\let\centerchapmacro=\centerchfopen} % Section titles. These macros combine the section number parts and % call the generic \sectionheading to do the printing. % \newskip\secheadingskip \def\secheadingbreak{\dobreak \secheadingskip{-1000}} % Subsection titles. \newskip\subsecheadingskip \def\subsecheadingbreak{\dobreak \subsecheadingskip{-500}} % Subsubsection titles. \def\subsubsecheadingskip{\subsecheadingskip} \def\subsubsecheadingbreak{\subsecheadingbreak} % Print any size, any type, section title. % % #1 is the text, #2 is the section level (sec/subsec/subsubsec), #3 is % the section type for xrefs (Ynumbered, Ynothing, Yappendix), #4 is the % section number. % \def\seckeyword{sec} % \def\sectionheading#1#2#3#4{% {% % Switch to the right set of fonts. \csname #2fonts\endcsname \rmisbold % \def\sectionlevel{#2}% \def\temptype{#3}% % % Insert first mark before the heading break (see notes for \domark). \let\prevsectiondefs=\lastsectiondefs \ifx\temptype\Ynothingkeyword \ifx\sectionlevel\seckeyword \gdef\lastsectiondefs{\gdef\thissectionname{#1}\gdef\thissectionnum{}% \gdef\thissection{\thissectionname}}% \fi \else\ifx\temptype\Yomitfromtockeyword % Don't redefine \thissection. \else\ifx\temptype\Yappendixkeyword \ifx\sectionlevel\seckeyword \toks0={#1}% \xdef\lastsectiondefs{% \gdef\noexpand\thissectionname{\the\toks0}% \gdef\noexpand\thissectionnum{#4}% % \noexpand\putwordSection avoids expanding indigestible % commands in some of the translations. \gdef\noexpand\thissection{\noexpand\putwordSection{} \noexpand\thissectionnum: \noexpand\thissectionname}% }% \fi \else \ifx\sectionlevel\seckeyword \toks0={#1}% \xdef\lastsectiondefs{% \gdef\noexpand\thissectionname{\the\toks0}% \gdef\noexpand\thissectionnum{#4}% % \noexpand\putwordSection avoids expanding indigestible % commands in some of the translations. \gdef\noexpand\thissection{\noexpand\putwordSection{} \noexpand\thissectionnum: \noexpand\thissectionname}% }% \fi \fi\fi\fi % % Go into vertical mode. Usually we'll already be there, but we % don't want the following whatsit to end up in a preceding paragraph % if the document didn't happen to have a blank line. \par % % Output the mark. Pass it through \safewhatsit, to take care of % the preceding space. \safewhatsit\domark % % Insert space above the heading. \csname #2headingbreak\endcsname % % Now the second mark, after the heading break. No break points % between here and the heading. \let\prevsectiondefs=\lastsectiondefs \domark % % Only insert the space after the number if we have a section number. \ifx\temptype\Ynothingkeyword \setbox0 = \hbox{}% \def\toctype{unn}% \gdef\lastsection{#1}% \else\ifx\temptype\Yomitfromtockeyword % for @headings -- no section number, don't include in toc, % and don't redefine \lastsection. \setbox0 = \hbox{}% \def\toctype{omit}% \let\sectionlevel=\empty \else\ifx\temptype\Yappendixkeyword \setbox0 = \hbox{#4\enspace}% \def\toctype{app}% \gdef\lastsection{#1}% \else \setbox0 = \hbox{#4\enspace}% \def\toctype{num}% \gdef\lastsection{#1}% \fi\fi\fi % % Write the toc entry (before \donoderef). See comments in \chapmacro. \writetocentry{\toctype\sectionlevel}{#1}{#4}% % % Write the node reference (= pdf destination for pdftex). % Again, see comments in \chapmacro. \donoderef{#3}% % % Interline glue will be inserted when the vbox is completed. % That glue will be a valid breakpoint for the page, since it'll be % preceded by a whatsit (usually from the \donoderef, or from the % \writetocentry if there was no node). We don't want to allow that % break, since then the whatsits could end up on page n while the % section is on page n+1, thus toc/etc. are wrong. Debian bug 276000. \nobreak % % Output the actual section heading. \vbox{\hyphenpenalty=10000 \tolerance=5000 \parindent=0pt \ptexraggedright \hangindent=\wd0 % zero if no section number \unhbox0 #1}% }% % Add extra space after the heading -- half of whatever came above it. % Don't allow stretch, though. \kern .5 \csname #2headingskip\endcsname % % Do not let the kern be a potential breakpoint, as it would be if it % was followed by glue. \nobreak % % We'll almost certainly start a paragraph next, so don't let that % glue accumulate. (Not a breakpoint because it's preceded by a % discardable item.) \vskip-\parskip % % This is purely so the last item on the list is a known \penalty > % 10000. This is so \startdefun can avoid allowing breakpoints after % section headings. Otherwise, it would insert a valid breakpoint between: % % @section sec-whatever % @deffn def-whatever \penalty 10001 } \message{toc,} % Table of contents. \newwrite\tocfile % Write an entry to the toc file, opening it if necessary. % Called from @chapter, etc. % % Example usage: \writetocentry{sec}{Section Name}{\the\chapno.\the\secno} % We append the current node name (if any) and page number as additional % arguments for the \{chap,sec,...}entry macros which will eventually % read this. The node name is used in the pdf outlines as the % destination to jump to. % % We open the .toc file for writing here instead of at @setfilename (or % any other fixed time) so that @contents can be anywhere in the document. % But if #1 is `omit', then we don't do anything. This is used for the % table of contents chapter openings themselves. % \newif\iftocfileopened \def\omitkeyword{omit}% % \def\writetocentry#1#2#3{% \edef\writetoctype{#1}% \ifx\writetoctype\omitkeyword \else \iftocfileopened\else \immediate\openout\tocfile = \jobname.toc \global\tocfileopenedtrue \fi % \iflinks {\atdummies \edef\temp{% \write\tocfile{@#1entry{#2}{#3}{\lastnode}{\noexpand\folio}}}% \temp }% \fi \fi % % Tell \shipout to create a pdf destination on each page, if we're % writing pdf. These are used in the table of contents. We can't % just write one on every page because the title pages are numbered % 1 and 2 (the page numbers aren't printed), and so are the first % two pages of the document. Thus, we'd have two destinations named % `1', and two named `2'. \ifpdf \global\pdfmakepagedesttrue \fi } % These characters do not print properly in the Computer Modern roman % fonts, so we must take special care. This is more or less redundant % with the Texinfo input format setup at the end of this file. % \def\activecatcodes{% \catcode`\"=\active \catcode`\$=\active \catcode`\<=\active \catcode`\>=\active \catcode`\\=\active \catcode`\^=\active \catcode`\_=\active \catcode`\|=\active \catcode`\~=\active } % Read the toc file, which is essentially Texinfo input. \def\readtocfile{% \setupdatafile \activecatcodes \input \tocreadfilename } \newskip\contentsrightmargin \contentsrightmargin=1in \newcount\savepageno \newcount\lastnegativepageno \lastnegativepageno = -1 % Prepare to read what we've written to \tocfile. % \def\startcontents#1{% % If @setchapternewpage on, and @headings double, the contents should % start on an odd page, unlike chapters. Thus, we maintain % \contentsalignmacro in parallel with \pagealignmacro. % From: Torbjorn Granlund \contentsalignmacro \immediate\closeout\tocfile % % Don't need to put `Contents' or `Short Contents' in the headline. % It is abundantly clear what they are. \chapmacro{#1}{Yomitfromtoc}{}% % \savepageno = \pageno \begingroup % Set up to handle contents files properly. \raggedbottom % Worry more about breakpoints than the bottom. \advance\hsize by -\contentsrightmargin % Don't use the full line length. % % Roman numerals for page numbers. \ifnum \pageno>0 \global\pageno = \lastnegativepageno \fi } % redefined for the two-volume lispref. We always output on % \jobname.toc even if this is redefined. % \def\tocreadfilename{\jobname.toc} % Normal (long) toc. % \def\contents{% \startcontents{\putwordTOC}% \openin 1 \tocreadfilename\space \ifeof 1 \else \readtocfile \fi \vfill \eject \contentsalignmacro % in case @setchapternewpage odd is in effect \ifeof 1 \else \pdfmakeoutlines \fi \closein 1 \endgroup \lastnegativepageno = \pageno \global\pageno = \savepageno } % And just the chapters. \def\summarycontents{% \startcontents{\putwordShortTOC}% % \let\numchapentry = \shortchapentry \let\appentry = \shortchapentry \let\unnchapentry = \shortunnchapentry % We want a true roman here for the page numbers. \secfonts \let\rm=\shortcontrm \let\bf=\shortcontbf \let\sl=\shortcontsl \let\tt=\shortconttt \rm \hyphenpenalty = 10000 \advance\baselineskip by 1pt % Open it up a little. \def\numsecentry##1##2##3##4{} \let\appsecentry = \numsecentry \let\unnsecentry = \numsecentry \let\numsubsecentry = \numsecentry \let\appsubsecentry = \numsecentry \let\unnsubsecentry = \numsecentry \let\numsubsubsecentry = \numsecentry \let\appsubsubsecentry = \numsecentry \let\unnsubsubsecentry = \numsecentry \openin 1 \tocreadfilename\space \ifeof 1 \else \readtocfile \fi \closein 1 \vfill \eject \contentsalignmacro % in case @setchapternewpage odd is in effect \endgroup \lastnegativepageno = \pageno \global\pageno = \savepageno } \let\shortcontents = \summarycontents % Typeset the label for a chapter or appendix for the short contents. % The arg is, e.g., `A' for an appendix, or `3' for a chapter. % \def\shortchaplabel#1{% % This space should be enough, since a single number is .5em, and the % widest letter (M) is 1em, at least in the Computer Modern fonts. % But use \hss just in case. % (This space doesn't include the extra space that gets added after % the label; that gets put in by \shortchapentry above.) % % We'd like to right-justify chapter numbers, but that looks strange % with appendix letters. And right-justifying numbers and % left-justifying letters looks strange when there is less than 10 % chapters. Have to read the whole toc once to know how many chapters % there are before deciding ... \hbox to 1em{#1\hss}% } % These macros generate individual entries in the table of contents. % The first argument is the chapter or section name. % The last argument is the page number. % The arguments in between are the chapter number, section number, ... % Chapters, in the main contents. \def\numchapentry#1#2#3#4{\dochapentry{#2\labelspace#1}{#4}} % % Chapters, in the short toc. % See comments in \dochapentry re vbox and related settings. \def\shortchapentry#1#2#3#4{% \tocentry{\shortchaplabel{#2}\labelspace #1}{\doshortpageno\bgroup#4\egroup}% } % Appendices, in the main contents. % Need the word Appendix, and a fixed-size box. % \def\appendixbox#1{% % We use M since it's probably the widest letter. \setbox0 = \hbox{\putwordAppendix{} M}% \hbox to \wd0{\putwordAppendix{} #1\hss}} % \def\appentry#1#2#3#4{\dochapentry{\appendixbox{#2}\labelspace#1}{#4}} % Unnumbered chapters. \def\unnchapentry#1#2#3#4{\dochapentry{#1}{#4}} \def\shortunnchapentry#1#2#3#4{\tocentry{#1}{\doshortpageno\bgroup#4\egroup}} % Sections. \def\numsecentry#1#2#3#4{\dosecentry{#2\labelspace#1}{#4}} \let\appsecentry=\numsecentry \def\unnsecentry#1#2#3#4{\dosecentry{#1}{#4}} % Subsections. \def\numsubsecentry#1#2#3#4{\dosubsecentry{#2\labelspace#1}{#4}} \let\appsubsecentry=\numsubsecentry \def\unnsubsecentry#1#2#3#4{\dosubsecentry{#1}{#4}} % And subsubsections. \def\numsubsubsecentry#1#2#3#4{\dosubsubsecentry{#2\labelspace#1}{#4}} \let\appsubsubsecentry=\numsubsubsecentry \def\unnsubsubsecentry#1#2#3#4{\dosubsubsecentry{#1}{#4}} % This parameter controls the indentation of the various levels. % Same as \defaultparindent. \newdimen\tocindent \tocindent = 15pt % Now for the actual typesetting. In all these, #1 is the text and #2 is the % page number. % % If the toc has to be broken over pages, we want it to be at chapters % if at all possible; hence the \penalty. \def\dochapentry#1#2{% \penalty-300 \vskip1\baselineskip plus.33\baselineskip minus.25\baselineskip \begingroup \chapentryfonts \tocentry{#1}{\dopageno\bgroup#2\egroup}% \endgroup \nobreak\vskip .25\baselineskip plus.1\baselineskip } \def\dosecentry#1#2{\begingroup \secentryfonts \leftskip=\tocindent \tocentry{#1}{\dopageno\bgroup#2\egroup}% \endgroup} \def\dosubsecentry#1#2{\begingroup \subsecentryfonts \leftskip=2\tocindent \tocentry{#1}{\dopageno\bgroup#2\egroup}% \endgroup} \def\dosubsubsecentry#1#2{\begingroup \subsubsecentryfonts \leftskip=3\tocindent \tocentry{#1}{\dopageno\bgroup#2\egroup}% \endgroup} % We use the same \entry macro as for the index entries. \let\tocentry = \entry % Space between chapter (or whatever) number and the title. \def\labelspace{\hskip1em \relax} \def\dopageno#1{{\rm #1}} \def\doshortpageno#1{{\rm #1}} \def\chapentryfonts{\secfonts \rm} \def\secentryfonts{\textfonts} \def\subsecentryfonts{\textfonts} \def\subsubsecentryfonts{\textfonts} \message{environments,} % @foo ... @end foo. % @tex ... @end tex escapes into raw Tex temporarily. % One exception: @ is still an escape character, so that @end tex works. % But \@ or @@ will get a plain tex @ character. \envdef\tex{% \setupmarkupstyle{tex}% \catcode `\\=0 \catcode `\{=1 \catcode `\}=2 \catcode `\$=3 \catcode `\&=4 \catcode `\#=6 \catcode `\^=7 \catcode `\_=8 \catcode `\~=\active \let~=\tie \catcode `\%=14 \catcode `\+=\other \catcode `\"=\other \catcode `\|=\other \catcode `\<=\other \catcode `\>=\other \catcode`\`=\other \catcode`\'=\other \escapechar=`\\ % \let\b=\ptexb \let\bullet=\ptexbullet \let\c=\ptexc \let\,=\ptexcomma \let\.=\ptexdot \let\dots=\ptexdots \let\equiv=\ptexequiv \let\!=\ptexexclam \let\i=\ptexi \let\indent=\ptexindent \let\noindent=\ptexnoindent \let\{=\ptexlbrace \let\+=\tabalign \let\}=\ptexrbrace \let\/=\ptexslash \let\*=\ptexstar \let\t=\ptext \expandafter \let\csname top\endcsname=\ptextop % outer \let\frenchspacing=\plainfrenchspacing % \def\endldots{\mathinner{\ldots\ldots\ldots\ldots}}% \def\enddots{\relax\ifmmode\endldots\else$\mathsurround=0pt \endldots\,$\fi}% \def\@{@}% } % There is no need to define \Etex. % Define @lisp ... @end lisp. % @lisp environment forms a group so it can rebind things, % including the definition of @end lisp (which normally is erroneous). % Amount to narrow the margins by for @lisp. \newskip\lispnarrowing \lispnarrowing=0.4in % This is the definition that ^^M gets inside @lisp, @example, and other % such environments. \null is better than a space, since it doesn't % have any width. \def\lisppar{\null\endgraf} % This space is always present above and below environments. \newskip\envskipamount \envskipamount = 0pt % Make spacing and below environment symmetrical. We use \parskip here % to help in doing that, since in @example-like environments \parskip % is reset to zero; thus the \afterenvbreak inserts no space -- but the % start of the next paragraph will insert \parskip. % \def\aboveenvbreak{{% % =10000 instead of <10000 because of a special case in \itemzzz and % \sectionheading, q.v. \ifnum \lastpenalty=10000 \else \advance\envskipamount by \parskip \endgraf \ifdim\lastskip<\envskipamount \removelastskip % it's not a good place to break if the last penalty was \nobreak % or better ... \ifnum\lastpenalty<10000 \penalty-50 \fi \vskip\envskipamount \fi \fi }} \let\afterenvbreak = \aboveenvbreak % \nonarrowing is a flag. If "set", @lisp etc don't narrow margins; it will % also clear it, so that its embedded environments do the narrowing again. \let\nonarrowing=\relax % @cartouche ... @end cartouche: draw rectangle w/rounded corners around % environment contents. \font\circle=lcircle10 \newdimen\circthick \newdimen\cartouter\newdimen\cartinner \newskip\normbskip\newskip\normpskip\newskip\normlskip \circthick=\fontdimen8\circle % \def\ctl{{\circle\char'013\hskip -6pt}}% 6pt from pl file: 1/2charwidth \def\ctr{{\hskip 6pt\circle\char'010}} \def\cbl{{\circle\char'012\hskip -6pt}} \def\cbr{{\hskip 6pt\circle\char'011}} \def\carttop{\hbox to \cartouter{\hskip\lskip \ctl\leaders\hrule height\circthick\hfil\ctr \hskip\rskip}} \def\cartbot{\hbox to \cartouter{\hskip\lskip \cbl\leaders\hrule height\circthick\hfil\cbr \hskip\rskip}} % \newskip\lskip\newskip\rskip \envdef\cartouche{% \ifhmode\par\fi % can't be in the midst of a paragraph. \startsavinginserts \lskip=\leftskip \rskip=\rightskip \leftskip=0pt\rightskip=0pt % we want these *outside*. \cartinner=\hsize \advance\cartinner by-\lskip \advance\cartinner by-\rskip \cartouter=\hsize \advance\cartouter by 18.4pt % allow for 3pt kerns on either % side, and for 6pt waste from % each corner char, and rule thickness \normbskip=\baselineskip \normpskip=\parskip \normlskip=\lineskip % Flag to tell @lisp, etc., not to narrow margin. \let\nonarrowing = t% \vbox\bgroup \baselineskip=0pt\parskip=0pt\lineskip=0pt \carttop \hbox\bgroup \hskip\lskip \vrule\kern3pt \vbox\bgroup \kern3pt \hsize=\cartinner \baselineskip=\normbskip \lineskip=\normlskip \parskip=\normpskip \vskip -\parskip \comment % For explanation, see the end of \def\group. } \def\Ecartouche{% \ifhmode\par\fi \kern3pt \egroup \kern3pt\vrule \hskip\rskip \egroup \cartbot \egroup \checkinserts } % This macro is called at the beginning of all the @example variants, % inside a group. \newdimen\nonfillparindent \def\nonfillstart{% \aboveenvbreak \hfuzz = 12pt % Don't be fussy \sepspaces % Make spaces be word-separators rather than space tokens. \let\par = \lisppar % don't ignore blank lines \obeylines % each line of input is a line of output \parskip = 0pt % Turn off paragraph indentation but redefine \indent to emulate % the normal \indent. \nonfillparindent=\parindent \parindent = 0pt \let\indent\nonfillindent % \emergencystretch = 0pt % don't try to avoid overfull boxes \ifx\nonarrowing\relax \advance \leftskip by \lispnarrowing \exdentamount=\lispnarrowing \else \let\nonarrowing = \relax \fi \let\exdent=\nofillexdent } \begingroup \obeyspaces % We want to swallow spaces (but not other tokens) after the fake % @indent in our nonfill-environments, where spaces are normally % active and set to @tie, resulting in them not being ignored after % @indent. \gdef\nonfillindent{\futurelet\temp\nonfillindentcheck}% \gdef\nonfillindentcheck{% \ifx\temp % \expandafter\nonfillindentgobble% \else% \leavevmode\nonfillindentbox% \fi% }% \endgroup \def\nonfillindentgobble#1{\nonfillindent} \def\nonfillindentbox{\hbox to \nonfillparindent{\hss}} % If you want all examples etc. small: @set dispenvsize small. % If you want even small examples the full size: @set dispenvsize nosmall. % This affects the following displayed environments: % @example, @display, @format, @lisp % \def\smallword{small} \def\nosmallword{nosmall} \let\SETdispenvsize\relax \def\setnormaldispenv{% \ifx\SETdispenvsize\smallword % end paragraph for sake of leading, in case document has no blank % line. This is redundant with what happens in \aboveenvbreak, but % we need to do it before changing the fonts, and it's inconvenient % to change the fonts afterward. \ifnum \lastpenalty=10000 \else \endgraf \fi \smallexamplefonts \rm \fi } \def\setsmalldispenv{% \ifx\SETdispenvsize\nosmallword \else \ifnum \lastpenalty=10000 \else \endgraf \fi \smallexamplefonts \rm \fi } % We often define two environments, @foo and @smallfoo. % Let's do it by one command: \def\makedispenv #1#2{ \expandafter\envdef\csname#1\endcsname {\setnormaldispenv #2} \expandafter\envdef\csname small#1\endcsname {\setsmalldispenv #2} \expandafter\let\csname E#1\endcsname \afterenvbreak \expandafter\let\csname Esmall#1\endcsname \afterenvbreak } % Define two synonyms: \def\maketwodispenvs #1#2#3{ \makedispenv{#1}{#3} \makedispenv{#2}{#3} } % @lisp: indented, narrowed, typewriter font; @example: same as @lisp. % % @smallexample and @smalllisp: use smaller fonts. % Originally contributed by Pavel@xerox. % \maketwodispenvs {lisp}{example}{% \nonfillstart \tt\setupmarkupstyle{example}% \let\kbdfont = \kbdexamplefont % Allow @kbd to do something special. \gobble % eat return } % @display/@smalldisplay: same as @lisp except keep current font. % \makedispenv {display}{% \nonfillstart \gobble } % @format/@smallformat: same as @display except don't narrow margins. % \makedispenv{format}{% \let\nonarrowing = t% \nonfillstart \gobble } % @flushleft: same as @format, but doesn't obey \SETdispenvsize. \envdef\flushleft{% \let\nonarrowing = t% \nonfillstart \gobble } \let\Eflushleft = \afterenvbreak % @flushright. % \envdef\flushright{% \let\nonarrowing = t% \nonfillstart \advance\leftskip by 0pt plus 1fill \gobble } \let\Eflushright = \afterenvbreak % @raggedright does more-or-less normal line breaking but no right % justification. From plain.tex. \envdef\raggedright{% \rightskip0pt plus2em \spaceskip.3333em \xspaceskip.5em\relax } \let\Eraggedright\par \envdef\raggedleft{% \parindent=0pt \leftskip0pt plus2em \spaceskip.3333em \xspaceskip.5em \parfillskip=0pt \hbadness=10000 % Last line will usually be underfull, so turn off % badness reporting. } \let\Eraggedleft\par \envdef\raggedcenter{% \parindent=0pt \rightskip0pt plus1em \leftskip0pt plus1em \spaceskip.3333em \xspaceskip.5em \parfillskip=0pt \hbadness=10000 % Last line will usually be underfull, so turn off % badness reporting. } \let\Eraggedcenter\par % @quotation does normal linebreaking (hence we can't use \nonfillstart) % and narrows the margins. We keep \parskip nonzero in general, since % we're doing normal filling. So, when using \aboveenvbreak and % \afterenvbreak, temporarily make \parskip 0. % \def\quotationstart{% {\parskip=0pt \aboveenvbreak}% because \aboveenvbreak inserts \parskip \parindent=0pt % % @cartouche defines \nonarrowing to inhibit narrowing at next level down. \ifx\nonarrowing\relax \advance\leftskip by \lispnarrowing \advance\rightskip by \lispnarrowing \exdentamount = \lispnarrowing \else \let\nonarrowing = \relax \fi \parsearg\quotationlabel } \envdef\quotation{% \setnormaldispenv \quotationstart } \envdef\smallquotation{% \setsmalldispenv \quotationstart } \let\Esmallquotation = \Equotation % We have retained a nonzero parskip for the environment, since we're % doing normal filling. % \def\Equotation{% \par \ifx\quotationauthor\undefined\else % indent a bit. \leftline{\kern 2\leftskip \sl ---\quotationauthor}% \fi {\parskip=0pt \afterenvbreak}% } % If we're given an argument, typeset it in bold with a colon after. \def\quotationlabel#1{% \def\temp{#1}% \ifx\temp\empty \else {\bf #1: }% \fi } % LaTeX-like @verbatim...@end verbatim and @verb{...} % If we want to allow any as delimiter, % we need the curly braces so that makeinfo sees the @verb command, eg: % `@verbx...x' would look like the '@verbx' command. --janneke@gnu.org % % [Knuth]: Donald Ervin Knuth, 1996. The TeXbook. % % [Knuth] p.344; only we need to do the other characters Texinfo sets % active too. Otherwise, they get lost as the first character on a % verbatim line. \def\dospecials{% \do\ \do\\\do\{\do\}\do\$\do\&% \do\#\do\^\do\^^K\do\_\do\^^A\do\%\do\~% \do\<\do\>\do\|\do\@\do+\do\"% % Don't do the quotes -- if we do, @set txicodequoteundirected and % @set txicodequotebacktick will not have effect on @verb and % @verbatim, and ?` and !` ligatures won't get disabled. %\do\`\do\'% } % % [Knuth] p. 380 \def\uncatcodespecials{% \def\do##1{\catcode`##1=\other}\dospecials} % % Setup for the @verb command. % % Eight spaces for a tab \begingroup \catcode`\^^I=\active \gdef\tabeightspaces{\catcode`\^^I=\active\def^^I{\ \ \ \ \ \ \ \ }} \endgroup % \def\setupverb{% \tt % easiest (and conventionally used) font for verbatim \def\par{\leavevmode\endgraf}% \setupmarkupstyle{verb}% \tabeightspaces % Respect line breaks, % print special symbols as themselves, and % make each space count % must do in this order: \obeylines \uncatcodespecials \sepspaces } % Setup for the @verbatim environment % % Real tab expansion \newdimen\tabw \setbox0=\hbox{\tt\space} \tabw=8\wd0 % tab amount % \def\starttabbox{\setbox0=\hbox\bgroup} % \begingroup \catcode`\^^I=\active \gdef\tabexpand{% \catcode`\^^I=\active \def^^I{\leavevmode\egroup \dimen0=\wd0 % the width so far, or since the previous tab \divide\dimen0 by\tabw \multiply\dimen0 by\tabw % compute previous multiple of \tabw \advance\dimen0 by\tabw % advance to next multiple of \tabw \wd0=\dimen0 \box0 \starttabbox }% } \endgroup % start the verbatim environment. \def\setupverbatim{% \let\nonarrowing = t% \nonfillstart % Easiest (and conventionally used) font for verbatim \tt \def\par{\leavevmode\egroup\box0\endgraf}% \tabexpand \setupmarkupstyle{verbatim}% % Respect line breaks, % print special symbols as themselves, and % make each space count % must do in this order: \obeylines \uncatcodespecials \sepspaces \everypar{\starttabbox}% } % Do the @verb magic: verbatim text is quoted by unique % delimiter characters. Before first delimiter expect a % right brace, after last delimiter expect closing brace: % % \def\doverb'{'#1'}'{#1} % % [Knuth] p. 382; only eat outer {} \begingroup \catcode`[=1\catcode`]=2\catcode`\{=\other\catcode`\}=\other \gdef\doverb{#1[\def\next##1#1}[##1\endgroup]\next] \endgroup % \def\verb{\begingroup\setupverb\doverb} % % % Do the @verbatim magic: define the macro \doverbatim so that % the (first) argument ends when '@end verbatim' is reached, ie: % % \def\doverbatim#1@end verbatim{#1} % % For Texinfo it's a lot easier than for LaTeX, % because texinfo's \verbatim doesn't stop at '\end{verbatim}': % we need not redefine '\', '{' and '}'. % % Inspired by LaTeX's verbatim command set [latex.ltx] % \begingroup \catcode`\ =\active \obeylines % % ignore everything up to the first ^^M, that's the newline at the end % of the @verbatim input line itself. Otherwise we get an extra blank % line in the output. \xdef\doverbatim#1^^M#2@end verbatim{#2\noexpand\end\gobble verbatim}% % We really want {...\end verbatim} in the body of the macro, but % without the active space; thus we have to use \xdef and \gobble. \endgroup % \envdef\verbatim{% \setupverbatim\doverbatim } \let\Everbatim = \afterenvbreak % @verbatiminclude FILE - insert text of file in verbatim environment. % \def\verbatiminclude{\parseargusing\filenamecatcodes\doverbatiminclude} % \def\doverbatiminclude#1{% {% \makevalueexpandable \setupverbatim \indexnofonts % Allow `@@' and other weird things in file names. \input #1 \afterenvbreak }% } % @copying ... @end copying. % Save the text away for @insertcopying later. % % We save the uninterpreted tokens, rather than creating a box. % Saving the text in a box would be much easier, but then all the % typesetting commands (@smallbook, font changes, etc.) have to be done % beforehand -- and a) we want @copying to be done first in the source % file; b) letting users define the frontmatter in as flexible order as % possible is very desirable. % \def\copying{\checkenv{}\begingroup\scanargctxt\docopying} \def\docopying#1@end copying{\endgroup\def\copyingtext{#1}} % \def\insertcopying{% \begingroup \parindent = 0pt % paragraph indentation looks wrong on title page \scanexp\copyingtext \endgroup } \message{defuns,} % @defun etc. \newskip\defbodyindent \defbodyindent=.4in \newskip\defargsindent \defargsindent=50pt \newskip\deflastargmargin \deflastargmargin=18pt \newcount\defunpenalty % Start the processing of @deffn: \def\startdefun{% \ifnum\lastpenalty<10000 \medbreak \defunpenalty=10003 % Will keep this @deffn together with the % following @def command, see below. \else % If there are two @def commands in a row, we'll have a \nobreak, % which is there to keep the function description together with its % header. But if there's nothing but headers, we need to allow a % break somewhere. Check specifically for penalty 10002, inserted % by \printdefunline, instead of 10000, since the sectioning % commands also insert a nobreak penalty, and we don't want to allow % a break between a section heading and a defun. % % As a minor refinement, we avoid "club" headers by signalling % with penalty of 10003 after the very first @deffn in the % sequence (see above), and penalty of 10002 after any following % @def command. \ifnum\lastpenalty=10002 \penalty2000 \else \defunpenalty=10002 \fi % % Similarly, after a section heading, do not allow a break. % But do insert the glue. \medskip % preceded by discardable penalty, so not a breakpoint \fi % \parindent=0in \advance\leftskip by \defbodyindent \exdentamount=\defbodyindent } \def\dodefunx#1{% % First, check whether we are in the right environment: \checkenv#1% % % As above, allow line break if we have multiple x headers in a row. % It's not a great place, though. \ifnum\lastpenalty=10002 \penalty3000 \else \defunpenalty=10002 \fi % % And now, it's time to reuse the body of the original defun: \expandafter\gobbledefun#1% } \def\gobbledefun#1\startdefun{} % \printdefunline \deffnheader{text} % \def\printdefunline#1#2{% \begingroup % call \deffnheader: #1#2 \endheader % common ending: \interlinepenalty = 10000 \advance\rightskip by 0pt plus 1fil \endgraf \nobreak\vskip -\parskip \penalty\defunpenalty % signal to \startdefun and \dodefunx % Some of the @defun-type tags do not enable magic parentheses, % rendering the following check redundant. But we don't optimize. \checkparencounts \endgroup } \def\Edefun{\endgraf\medbreak} % \makedefun{deffn} creates \deffn, \deffnx and \Edeffn; % the only thing remaining is to define \deffnheader. % \def\makedefun#1{% \expandafter\let\csname E#1\endcsname = \Edefun \edef\temp{\noexpand\domakedefun \makecsname{#1}\makecsname{#1x}\makecsname{#1header}}% \temp } % \domakedefun \deffn \deffnx \deffnheader % % Define \deffn and \deffnx, without parameters. % \deffnheader has to be defined explicitly. % \def\domakedefun#1#2#3{% \envdef#1{% \startdefun \parseargusing\activeparens{\printdefunline#3}% }% \def#2{\dodefunx#1}% \def#3% } %%% Untyped functions: % @deffn category name args \makedefun{deffn}{\deffngeneral{}} % @deffn category class name args \makedefun{defop}#1 {\defopon{#1\ \putwordon}} % \defopon {category on}class name args \def\defopon#1#2 {\deffngeneral{\putwordon\ \code{#2}}{#1\ \code{#2}} } % \deffngeneral {subind}category name args % \def\deffngeneral#1#2 #3 #4\endheader{% % Remember that \dosubind{fn}{foo}{} is equivalent to \doind{fn}{foo}. \dosubind{fn}{\code{#3}}{#1}% \defname{#2}{}{#3}\magicamp\defunargs{#4\unskip}% } %%% Typed functions: % @deftypefn category type name args \makedefun{deftypefn}{\deftypefngeneral{}} % @deftypeop category class type name args \makedefun{deftypeop}#1 {\deftypeopon{#1\ \putwordon}} % \deftypeopon {category on}class type name args \def\deftypeopon#1#2 {\deftypefngeneral{\putwordon\ \code{#2}}{#1\ \code{#2}} } % \deftypefngeneral {subind}category type name args % \def\deftypefngeneral#1#2 #3 #4 #5\endheader{% \dosubind{fn}{\code{#4}}{#1}% \defname{#2}{#3}{#4}\defunargs{#5\unskip}% } %%% Typed variables: % @deftypevr category type var args \makedefun{deftypevr}{\deftypecvgeneral{}} % @deftypecv category class type var args \makedefun{deftypecv}#1 {\deftypecvof{#1\ \putwordof}} % \deftypecvof {category of}class type var args \def\deftypecvof#1#2 {\deftypecvgeneral{\putwordof\ \code{#2}}{#1\ \code{#2}} } % \deftypecvgeneral {subind}category type var args % \def\deftypecvgeneral#1#2 #3 #4 #5\endheader{% \dosubind{vr}{\code{#4}}{#1}% \defname{#2}{#3}{#4}\defunargs{#5\unskip}% } %%% Untyped variables: % @defvr category var args \makedefun{defvr}#1 {\deftypevrheader{#1} {} } % @defcv category class var args \makedefun{defcv}#1 {\defcvof{#1\ \putwordof}} % \defcvof {category of}class var args \def\defcvof#1#2 {\deftypecvof{#1}#2 {} } %%% Type: % @deftp category name args \makedefun{deftp}#1 #2 #3\endheader{% \doind{tp}{\code{#2}}% \defname{#1}{}{#2}\defunargs{#3\unskip}% } % Remaining @defun-like shortcuts: \makedefun{defun}{\deffnheader{\putwordDeffunc} } \makedefun{defmac}{\deffnheader{\putwordDefmac} } \makedefun{defspec}{\deffnheader{\putwordDefspec} } \makedefun{deftypefun}{\deftypefnheader{\putwordDeffunc} } \makedefun{defvar}{\defvrheader{\putwordDefvar} } \makedefun{defopt}{\defvrheader{\putwordDefopt} } \makedefun{deftypevar}{\deftypevrheader{\putwordDefvar} } \makedefun{defmethod}{\defopon\putwordMethodon} \makedefun{deftypemethod}{\deftypeopon\putwordMethodon} \makedefun{defivar}{\defcvof\putwordInstanceVariableof} \makedefun{deftypeivar}{\deftypecvof\putwordInstanceVariableof} % \defname, which formats the name of the @def (not the args). % #1 is the category, such as "Function". % #2 is the return type, if any. % #3 is the function name. % % We are followed by (but not passed) the arguments, if any. % \def\defname#1#2#3{% % Get the values of \leftskip and \rightskip as they were outside the @def... \advance\leftskip by -\defbodyindent % % How we'll format the type name. Putting it in brackets helps % distinguish it from the body text that may end up on the next line % just below it. \def\temp{#1}% \setbox0=\hbox{\kern\deflastargmargin \ifx\temp\empty\else [\rm\temp]\fi} % % Figure out line sizes for the paragraph shape. % The first line needs space for \box0; but if \rightskip is nonzero, % we need only space for the part of \box0 which exceeds it: \dimen0=\hsize \advance\dimen0 by -\wd0 \advance\dimen0 by \rightskip % The continuations: \dimen2=\hsize \advance\dimen2 by -\defargsindent % (plain.tex says that \dimen1 should be used only as global.) \parshape 2 0in \dimen0 \defargsindent \dimen2 % % Put the type name to the right margin. \noindent \hbox to 0pt{% \hfil\box0 \kern-\hsize % \hsize has to be shortened this way: \kern\leftskip % Intentionally do not respect \rightskip, since we need the space. }% % % Allow all lines to be underfull without complaint: \tolerance=10000 \hbadness=10000 \exdentamount=\defbodyindent {% % defun fonts. We use typewriter by default (used to be bold) because: % . we're printing identifiers, they should be in tt in principle. % . in languages with many accents, such as Czech or French, it's % common to leave accents off identifiers. The result looks ok in % tt, but exceedingly strange in rm. % . we don't want -- and --- to be treated as ligatures. % . this still does not fix the ?` and !` ligatures, but so far no % one has made identifiers using them :). \df \tt \def\temp{#2}% return value type \ifx\temp\empty\else \tclose{\temp} \fi #3% output function name }% {\rm\enskip}% hskip 0.5 em of \tenrm % \boldbrax % arguments will be output next, if any. } % Print arguments in slanted roman (not ttsl), inconsistently with using % tt for the name. This is because literal text is sometimes needed in % the argument list (groff manual), and ttsl and tt are not very % distinguishable. Prevent hyphenation at `-' chars. % \def\defunargs#1{% % use sl by default (not ttsl), % tt for the names. \df \sl \hyphenchar\font=0 % % On the other hand, if an argument has two dashes (for instance), we % want a way to get ttsl. Let's try @var for that. \def\var##1{{\setupmarkupstyle{var}\ttslanted{##1}}}% #1% \sl\hyphenchar\font=45 } % We want ()&[] to print specially on the defun line. % \def\activeparens{% \catcode`\(=\active \catcode`\)=\active \catcode`\[=\active \catcode`\]=\active \catcode`\&=\active } % Make control sequences which act like normal parenthesis chars. \let\lparen = ( \let\rparen = ) % Be sure that we always have a definition for `(', etc. For example, % if the fn name has parens in it, \boldbrax will not be in effect yet, % so TeX would otherwise complain about undefined control sequence. { \activeparens \global\let(=\lparen \global\let)=\rparen \global\let[=\lbrack \global\let]=\rbrack \global\let& = \& \gdef\boldbrax{\let(=\opnr\let)=\clnr\let[=\lbrb\let]=\rbrb} \gdef\magicamp{\let&=\amprm} } \newcount\parencount % If we encounter &foo, then turn on ()-hacking afterwards \newif\ifampseen \def\amprm#1 {\ampseentrue{\bf\ }} \def\parenfont{% \ifampseen % At the first level, print parens in roman, % otherwise use the default font. \ifnum \parencount=1 \rm \fi \else % The \sf parens (in \boldbrax) actually are a little bolder than % the contained text. This is especially needed for [ and ] . \sf \fi } \def\infirstlevel#1{% \ifampseen \ifnum\parencount=1 #1% \fi \fi } \def\bfafterword#1 {#1 \bf} \def\opnr{% \global\advance\parencount by 1 {\parenfont(}% \infirstlevel \bfafterword } \def\clnr{% {\parenfont)}% \infirstlevel \sl \global\advance\parencount by -1 } \newcount\brackcount \def\lbrb{% \global\advance\brackcount by 1 {\bf[}% } \def\rbrb{% {\bf]}% \global\advance\brackcount by -1 } \def\checkparencounts{% \ifnum\parencount=0 \else \badparencount \fi \ifnum\brackcount=0 \else \badbrackcount \fi } % these should not use \errmessage; the glibc manual, at least, actually % has such constructs (when documenting function pointers). \def\badparencount{% \message{Warning: unbalanced parentheses in @def...}% \global\parencount=0 } \def\badbrackcount{% \message{Warning: unbalanced square brackets in @def...}% \global\brackcount=0 } \message{macros,} % @macro. % To do this right we need a feature of e-TeX, \scantokens, % which we arrange to emulate with a temporary file in ordinary TeX. \ifx\eTeXversion\undefined \newwrite\macscribble \def\scantokens#1{% \toks0={#1}% \immediate\openout\macscribble=\jobname.tmp \immediate\write\macscribble{\the\toks0}% \immediate\closeout\macscribble \input \jobname.tmp } \fi \def\scanmacro#1{% \begingroup \newlinechar`\^^M \let\xeatspaces\eatspaces % Undo catcode changes of \startcontents and \doprintindex % When called from @insertcopying or (short)caption, we need active % backslash to get it printed correctly. Previously, we had % \catcode`\\=\other instead. We'll see whether a problem appears % with macro expansion. --kasal, 19aug04 \catcode`\@=0 \catcode`\\=\active \escapechar=`\@ % ... and \example \spaceisspace % % Append \endinput to make sure that TeX does not see the ending newline. % I've verified that it is necessary both for e-TeX and for ordinary TeX % --kasal, 29nov03 \scantokens{#1\endinput}% \endgroup } \def\scanexp#1{% \edef\temp{\noexpand\scanmacro{#1}}% \temp } \newcount\paramno % Count of parameters \newtoks\macname % Macro name \newif\ifrecursive % Is it recursive? % List of all defined macros in the form % \definedummyword\macro1\definedummyword\macro2... % Currently is also contains all @aliases; the list can be split % if there is a need. \def\macrolist{} % Add the macro to \macrolist \def\addtomacrolist#1{\expandafter \addtomacrolistxxx \csname#1\endcsname} \def\addtomacrolistxxx#1{% \toks0 = \expandafter{\macrolist\definedummyword#1}% \xdef\macrolist{\the\toks0}% } % Utility routines. % This does \let #1 = #2, with \csnames; that is, % \let \csname#1\endcsname = \csname#2\endcsname % (except of course we have to play expansion games). % \def\cslet#1#2{% \expandafter\let \csname#1\expandafter\endcsname \csname#2\endcsname } % Trim leading and trailing spaces off a string. % Concepts from aro-bend problem 15 (see CTAN). {\catcode`\@=11 \gdef\eatspaces #1{\expandafter\trim@\expandafter{#1 }} \gdef\trim@ #1{\trim@@ @#1 @ #1 @ @@} \gdef\trim@@ #1@ #2@ #3@@{\trim@@@\empty #2 @} \def\unbrace#1{#1} \unbrace{\gdef\trim@@@ #1 } #2@{#1} } % Trim a single trailing ^^M off a string. {\catcode`\^^M=\other \catcode`\Q=3% \gdef\eatcr #1{\eatcra #1Q^^MQ}% \gdef\eatcra#1^^MQ{\eatcrb#1Q}% \gdef\eatcrb#1Q#2Q{#1}% } % Macro bodies are absorbed as an argument in a context where % all characters are catcode 10, 11 or 12, except \ which is active % (as in normal texinfo). It is necessary to change the definition of \. % Non-ASCII encodings make 8-bit characters active, so un-activate % them to avoid their expansion. Must do this non-globally, to % confine the change to the current group. % It's necessary to have hard CRs when the macro is executed. This is % done by making ^^M (\endlinechar) catcode 12 when reading the macro % body, and then making it the \newlinechar in \scanmacro. \def\scanctxt{% \catcode`\"=\other \catcode`\+=\other \catcode`\<=\other \catcode`\>=\other \catcode`\@=\other \catcode`\^=\other \catcode`\_=\other \catcode`\|=\other \catcode`\~=\other \ifx\declaredencoding\ascii \else \setnonasciicharscatcodenonglobal\other \fi } \def\scanargctxt{% \scanctxt \catcode`\\=\other \catcode`\^^M=\other } \def\macrobodyctxt{% \scanctxt \catcode`\{=\other \catcode`\}=\other \catcode`\^^M=\other \usembodybackslash } \def\macroargctxt{% \scanctxt \catcode`\\=\other } % \mbodybackslash is the definition of \ in @macro bodies. % It maps \foo\ => \csname macarg.foo\endcsname => #N % where N is the macro parameter number. % We define \csname macarg.\endcsname to be \realbackslash, so % \\ in macro replacement text gets you a backslash. {\catcode`@=0 @catcode`@\=@active @gdef@usembodybackslash{@let\=@mbodybackslash} @gdef@mbodybackslash#1\{@csname macarg.#1@endcsname} } \expandafter\def\csname macarg.\endcsname{\realbackslash} \def\macro{\recursivefalse\parsearg\macroxxx} \def\rmacro{\recursivetrue\parsearg\macroxxx} \def\macroxxx#1{% \getargs{#1}% now \macname is the macname and \argl the arglist \ifx\argl\empty % no arguments \paramno=0% \else \expandafter\parsemargdef \argl;% \fi \if1\csname ismacro.\the\macname\endcsname \message{Warning: redefining \the\macname}% \else \expandafter\ifx\csname \the\macname\endcsname \relax \else \errmessage{Macro name \the\macname\space already defined}\fi \global\cslet{macsave.\the\macname}{\the\macname}% \global\expandafter\let\csname ismacro.\the\macname\endcsname=1% \addtomacrolist{\the\macname}% \fi \begingroup \macrobodyctxt \ifrecursive \expandafter\parsermacbody \else \expandafter\parsemacbody \fi} \parseargdef\unmacro{% \if1\csname ismacro.#1\endcsname \global\cslet{#1}{macsave.#1}% \global\expandafter\let \csname ismacro.#1\endcsname=0% % Remove the macro name from \macrolist: \begingroup \expandafter\let\csname#1\endcsname \relax \let\definedummyword\unmacrodo \xdef\macrolist{\macrolist}% \endgroup \else \errmessage{Macro #1 not defined}% \fi } % Called by \do from \dounmacro on each macro. The idea is to omit any % macro definitions that have been changed to \relax. % \def\unmacrodo#1{% \ifx #1\relax % remove this \else \noexpand\definedummyword \noexpand#1% \fi } % This makes use of the obscure feature that if the last token of a % is #, then the preceding argument is delimited by % an opening brace, and that opening brace is not consumed. \def\getargs#1{\getargsxxx#1{}} \def\getargsxxx#1#{\getmacname #1 \relax\getmacargs} \def\getmacname #1 #2\relax{\macname={#1}} \def\getmacargs#1{\def\argl{#1}} % Parse the optional {params} list. Set up \paramno and \paramlist % so \defmacro knows what to do. Define \macarg.blah for each blah % in the params list, to be ##N where N is the position in that list. % That gets used by \mbodybackslash (above). % We need to get `macro parameter char #' into several definitions. % The technique used is stolen from LaTeX: let \hash be something % unexpandable, insert that wherever you need a #, and then redefine % it to # just before using the token list produced. % % The same technique is used to protect \eatspaces till just before % the macro is used. \def\parsemargdef#1;{\paramno=0\def\paramlist{}% \let\hash\relax\let\xeatspaces\relax\parsemargdefxxx#1,;,} \def\parsemargdefxxx#1,{% \if#1;\let\next=\relax \else \let\next=\parsemargdefxxx \advance\paramno by 1% \expandafter\edef\csname macarg.\eatspaces{#1}\endcsname {\xeatspaces{\hash\the\paramno}}% \edef\paramlist{\paramlist\hash\the\paramno,}% \fi\next} % These two commands read recursive and nonrecursive macro bodies. % (They're different since rec and nonrec macros end differently.) \long\def\parsemacbody#1@end macro% {\xdef\temp{\eatcr{#1}}\endgroup\defmacro}% \long\def\parsermacbody#1@end rmacro% {\xdef\temp{\eatcr{#1}}\endgroup\defmacro}% % This defines the macro itself. There are six cases: recursive and % nonrecursive macros of zero, one, and many arguments. % Much magic with \expandafter here. % \xdef is used so that macro definitions will survive the file % they're defined in; @include reads the file inside a group. \def\defmacro{% \let\hash=##% convert placeholders to macro parameter chars \ifrecursive \ifcase\paramno % 0 \expandafter\xdef\csname\the\macname\endcsname{% \noexpand\scanmacro{\temp}}% \or % 1 \expandafter\xdef\csname\the\macname\endcsname{% \bgroup\noexpand\macroargctxt \noexpand\braceorline \expandafter\noexpand\csname\the\macname xxx\endcsname}% \expandafter\xdef\csname\the\macname xxx\endcsname##1{% \egroup\noexpand\scanmacro{\temp}}% \else % many \expandafter\xdef\csname\the\macname\endcsname{% \bgroup\noexpand\macroargctxt \noexpand\csname\the\macname xx\endcsname}% \expandafter\xdef\csname\the\macname xx\endcsname##1{% \expandafter\noexpand\csname\the\macname xxx\endcsname ##1,}% \expandafter\expandafter \expandafter\xdef \expandafter\expandafter \csname\the\macname xxx\endcsname \paramlist{\egroup\noexpand\scanmacro{\temp}}% \fi \else \ifcase\paramno % 0 \expandafter\xdef\csname\the\macname\endcsname{% \noexpand\norecurse{\the\macname}% \noexpand\scanmacro{\temp}\egroup}% \or % 1 \expandafter\xdef\csname\the\macname\endcsname{% \bgroup\noexpand\macroargctxt \noexpand\braceorline \expandafter\noexpand\csname\the\macname xxx\endcsname}% \expandafter\xdef\csname\the\macname xxx\endcsname##1{% \egroup \noexpand\norecurse{\the\macname}% \noexpand\scanmacro{\temp}\egroup}% \else % many \expandafter\xdef\csname\the\macname\endcsname{% \bgroup\noexpand\macroargctxt \expandafter\noexpand\csname\the\macname xx\endcsname}% \expandafter\xdef\csname\the\macname xx\endcsname##1{% \expandafter\noexpand\csname\the\macname xxx\endcsname ##1,}% \expandafter\expandafter \expandafter\xdef \expandafter\expandafter \csname\the\macname xxx\endcsname \paramlist{% \egroup \noexpand\norecurse{\the\macname}% \noexpand\scanmacro{\temp}\egroup}% \fi \fi} \def\norecurse#1{\bgroup\cslet{#1}{macsave.#1}} % \braceorline decides whether the next nonwhitespace character is a % {. If so it reads up to the closing }, if not, it reads the whole % line. Whatever was read is then fed to the next control sequence % as an argument (by \parsebrace or \parsearg) \def\braceorline#1{\let\macnamexxx=#1\futurelet\nchar\braceorlinexxx} \def\braceorlinexxx{% \ifx\nchar\bgroup\else \expandafter\parsearg \fi \macnamexxx} % @alias. % We need some trickery to remove the optional spaces around the equal % sign. Just make them active and then expand them all to nothing. \def\alias{\parseargusing\obeyspaces\aliasxxx} \def\aliasxxx #1{\aliasyyy#1\relax} \def\aliasyyy #1=#2\relax{% {% \expandafter\let\obeyedspace=\empty \addtomacrolist{#1}% \xdef\next{\global\let\makecsname{#1}=\makecsname{#2}}% }% \next } \message{cross references,} \newwrite\auxfile \newif\ifhavexrefs % True if xref values are known. \newif\ifwarnedxrefs % True if we warned once that they aren't known. % @inforef is relatively simple. \def\inforef #1{\inforefzzz #1,,,,**} \def\inforefzzz #1,#2,#3,#4**{\putwordSee{} \putwordInfo{} \putwordfile{} \file{\ignorespaces #3{}}, node \samp{\ignorespaces#1{}}} % @node's only job in TeX is to define \lastnode, which is used in % cross-references. The @node line might or might not have commas, and % might or might not have spaces before the first comma, like: % @node foo , bar , ... % We don't want such trailing spaces in the node name. % \parseargdef\node{\checkenv{}\donode #1 ,\finishnodeparse} % % also remove a trailing comma, in case of something like this: % @node Help-Cross, , , Cross-refs \def\donode#1 ,#2\finishnodeparse{\dodonode #1,\finishnodeparse} \def\dodonode#1,#2\finishnodeparse{\gdef\lastnode{#1}} \let\nwnode=\node \let\lastnode=\empty % Write a cross-reference definition for the current node. #1 is the % type (Ynumbered, Yappendix, Ynothing). % \def\donoderef#1{% \ifx\lastnode\empty\else \setref{\lastnode}{#1}% \global\let\lastnode=\empty \fi } % @anchor{NAME} -- define xref target at arbitrary point. % \newcount\savesfregister % \def\savesf{\relax \ifhmode \savesfregister=\spacefactor \fi} \def\restoresf{\relax \ifhmode \spacefactor=\savesfregister \fi} \def\anchor#1{\savesf \setref{#1}{Ynothing}\restoresf \ignorespaces} % \setref{NAME}{SNT} defines a cross-reference point NAME (a node or an % anchor), which consists of three parts: % 1) NAME-title - the current sectioning name taken from \lastsection, % or the anchor name. % 2) NAME-snt - section number and type, passed as the SNT arg, or % empty for anchors. % 3) NAME-pg - the page number. % % This is called from \donoderef, \anchor, and \dofloat. In the case of % floats, there is an additional part, which is not written here: % 4) NAME-lof - the text as it should appear in a @listoffloats. % \def\setref#1#2{% \pdfmkdest{#1}% \iflinks {% \atdummies % preserve commands, but don't expand them \edef\writexrdef##1##2{% \write\auxfile{@xrdef{#1-% #1 of \setref, expanded by the \edef ##1}{##2}}% these are parameters of \writexrdef }% \toks0 = \expandafter{\lastsection}% \immediate \writexrdef{title}{\the\toks0 }% \immediate \writexrdef{snt}{\csname #2\endcsname}% \Ynumbered etc. \safewhatsit{\writexrdef{pg}{\folio}}% will be written later, during \shipout }% \fi } % @xref, @pxref, and @ref generate cross-references. For \xrefX, #1 is % the node name, #2 the name of the Info cross-reference, #3 the printed % node name, #4 the name of the Info file, #5 the name of the printed % manual. All but the node name can be omitted. % \def\pxref#1{\putwordsee{} \xrefX[#1,,,,,,,]} \def\xref#1{\putwordSee{} \xrefX[#1,,,,,,,]} \def\ref#1{\xrefX[#1,,,,,,,]} \def\xrefX[#1,#2,#3,#4,#5,#6]{\begingroup \unsepspaces \def\printedmanual{\ignorespaces #5}% \def\printedrefname{\ignorespaces #3}% \setbox1=\hbox{\printedmanual\unskip}% \setbox0=\hbox{\printedrefname\unskip}% \ifdim \wd0 = 0pt % No printed node name was explicitly given. \expandafter\ifx\csname SETxref-automatic-section-title\endcsname\relax % Use the node name inside the square brackets. \def\printedrefname{\ignorespaces #1}% \else % Use the actual chapter/section title appear inside % the square brackets. Use the real section title if we have it. \ifdim \wd1 > 0pt % It is in another manual, so we don't have it. \def\printedrefname{\ignorespaces #1}% \else \ifhavexrefs % We know the real title if we have the xref values. \def\printedrefname{\refx{#1-title}{}}% \else % Otherwise just copy the Info node name. \def\printedrefname{\ignorespaces #1}% \fi% \fi \fi \fi % % Make link in pdf output. \ifpdf {\indexnofonts \turnoffactive % This expands tokens, so do it after making catcode changes, so _ % etc. don't get their TeX definitions. \getfilename{#4}% % % See comments at \activebackslashdouble. {\activebackslashdouble \xdef\pdfxrefdest{#1}% \backslashparens\pdfxrefdest}% % \leavevmode \startlink attr{/Border [0 0 0]}% \ifnum\filenamelength>0 goto file{\the\filename.pdf} name{\pdfxrefdest}% \else goto name{\pdfmkpgn{\pdfxrefdest}}% \fi }% \setcolor{\linkcolor}% \fi % % Float references are printed completely differently: "Figure 1.2" % instead of "[somenode], p.3". We distinguish them by the % LABEL-title being set to a magic string. {% % Have to otherify everything special to allow the \csname to % include an _ in the xref name, etc. \indexnofonts \turnoffactive \expandafter\global\expandafter\let\expandafter\Xthisreftitle \csname XR#1-title\endcsname }% \iffloat\Xthisreftitle % If the user specified the print name (third arg) to the ref, % print it instead of our usual "Figure 1.2". \ifdim\wd0 = 0pt \refx{#1-snt}{}% \else \printedrefname \fi % % if the user also gave the printed manual name (fifth arg), append % "in MANUALNAME". \ifdim \wd1 > 0pt \space \putwordin{} \cite{\printedmanual}% \fi \else % node/anchor (non-float) references. % % If we use \unhbox0 and \unhbox1 to print the node names, TeX does not % insert empty discretionaries after hyphens, which means that it will % not find a line break at a hyphen in a node names. Since some manuals % are best written with fairly long node names, containing hyphens, this % is a loss. Therefore, we give the text of the node name again, so it % is as if TeX is seeing it for the first time. \ifdim \wd1 > 0pt \putwordSection{} ``\printedrefname'' \putwordin{} \cite{\printedmanual}% \else % _ (for example) has to be the character _ for the purposes of the % control sequence corresponding to the node, but it has to expand % into the usual \leavevmode...\vrule stuff for purposes of % printing. So we \turnoffactive for the \refx-snt, back on for the % printing, back off for the \refx-pg. {\turnoffactive % Only output a following space if the -snt ref is nonempty; for % @unnumbered and @anchor, it won't be. \setbox2 = \hbox{\ignorespaces \refx{#1-snt}{}}% \ifdim \wd2 > 0pt \refx{#1-snt}\space\fi }% % output the `[mynode]' via a macro so it can be overridden. \xrefprintnodename\printedrefname % % But we always want a comma and a space: ,\space % % output the `page 3'. \turnoffactive \putwordpage\tie\refx{#1-pg}{}% \fi \fi \endlink \endgroup} % This macro is called from \xrefX for the `[nodename]' part of xref % output. It's a separate macro only so it can be changed more easily, % since square brackets don't work well in some documents. Particularly % one that Bob is working on :). % \def\xrefprintnodename#1{[#1]} % Things referred to by \setref. % \def\Ynothing{} \def\Yomitfromtoc{} \def\Ynumbered{% \ifnum\secno=0 \putwordChapter@tie \the\chapno \else \ifnum\subsecno=0 \putwordSection@tie \the\chapno.\the\secno \else \ifnum\subsubsecno=0 \putwordSection@tie \the\chapno.\the\secno.\the\subsecno \else \putwordSection@tie \the\chapno.\the\secno.\the\subsecno.\the\subsubsecno \fi\fi\fi } \def\Yappendix{% \ifnum\secno=0 \putwordAppendix@tie @char\the\appendixno{}% \else \ifnum\subsecno=0 \putwordSection@tie @char\the\appendixno.\the\secno \else \ifnum\subsubsecno=0 \putwordSection@tie @char\the\appendixno.\the\secno.\the\subsecno \else \putwordSection@tie @char\the\appendixno.\the\secno.\the\subsecno.\the\subsubsecno \fi\fi\fi } % Define \refx{NAME}{SUFFIX} to reference a cross-reference string named NAME. % If its value is nonempty, SUFFIX is output afterward. % \def\refx#1#2{% {% \indexnofonts \otherbackslash \expandafter\global\expandafter\let\expandafter\thisrefX \csname XR#1\endcsname }% \ifx\thisrefX\relax % If not defined, say something at least. \angleleft un\-de\-fined\angleright \iflinks \ifhavexrefs \message{\linenumber Undefined cross reference `#1'.}% \else \ifwarnedxrefs\else \global\warnedxrefstrue \message{Cross reference values unknown; you must run TeX again.}% \fi \fi \fi \else % It's defined, so just use it. \thisrefX \fi #2% Output the suffix in any case. } % This is the macro invoked by entries in the aux file. Usually it's % just a \def (we prepend XR to the control sequence name to avoid % collisions). But if this is a float type, we have more work to do. % \def\xrdef#1#2{% {% The node name might contain 8-bit characters, which in our current % implementation are changed to commands like @'e. Don't let these % mess up the control sequence name. \indexnofonts \turnoffactive \xdef\safexrefname{#1}% }% % \expandafter\gdef\csname XR\safexrefname\endcsname{#2}% remember this xref % % Was that xref control sequence that we just defined for a float? \expandafter\iffloat\csname XR\safexrefname\endcsname % it was a float, and we have the (safe) float type in \iffloattype. \expandafter\let\expandafter\floatlist \csname floatlist\iffloattype\endcsname % % Is this the first time we've seen this float type? \expandafter\ifx\floatlist\relax \toks0 = {\do}% yes, so just \do \else % had it before, so preserve previous elements in list. \toks0 = \expandafter{\floatlist\do}% \fi % % Remember this xref in the control sequence \floatlistFLOATTYPE, % for later use in \listoffloats. \expandafter\xdef\csname floatlist\iffloattype\endcsname{\the\toks0 {\safexrefname}}% \fi } % Read the last existing aux file, if any. No error if none exists. % \def\tryauxfile{% \openin 1 \jobname.aux \ifeof 1 \else \readdatafile{aux}% \global\havexrefstrue \fi \closein 1 } \def\setupdatafile{% \catcode`\^^@=\other \catcode`\^^A=\other \catcode`\^^B=\other \catcode`\^^C=\other \catcode`\^^D=\other \catcode`\^^E=\other \catcode`\^^F=\other \catcode`\^^G=\other \catcode`\^^H=\other \catcode`\^^K=\other \catcode`\^^L=\other \catcode`\^^N=\other \catcode`\^^P=\other \catcode`\^^Q=\other \catcode`\^^R=\other \catcode`\^^S=\other \catcode`\^^T=\other \catcode`\^^U=\other \catcode`\^^V=\other \catcode`\^^W=\other \catcode`\^^X=\other \catcode`\^^Z=\other \catcode`\^^[=\other \catcode`\^^\=\other \catcode`\^^]=\other \catcode`\^^^=\other \catcode`\^^_=\other % It was suggested to set the catcode of ^ to 7, which would allow ^^e4 etc. % in xref tags, i.e., node names. But since ^^e4 notation isn't % supported in the main text, it doesn't seem desirable. Furthermore, % that is not enough: for node names that actually contain a ^ % character, we would end up writing a line like this: 'xrdef {'hat % b-title}{'hat b} and \xrdef does a \csname...\endcsname on the first % argument, and \hat is not an expandable control sequence. It could % all be worked out, but why? Either we support ^^ or we don't. % % The other change necessary for this was to define \auxhat: % \def\auxhat{\def^{'hat }}% extra space so ok if followed by letter % and then to call \auxhat in \setq. % \catcode`\^=\other % % Special characters. Should be turned off anyway, but... \catcode`\~=\other \catcode`\[=\other \catcode`\]=\other \catcode`\"=\other \catcode`\_=\other \catcode`\|=\other \catcode`\<=\other \catcode`\>=\other \catcode`\$=\other \catcode`\#=\other \catcode`\&=\other \catcode`\%=\other \catcode`+=\other % avoid \+ for paranoia even though we've turned it off % % This is to support \ in node names and titles, since the \ % characters end up in a \csname. It's easier than % leaving it active and making its active definition an actual \ % character. What I don't understand is why it works in the *value* % of the xrdef. Seems like it should be a catcode12 \, and that % should not typeset properly. But it works, so I'm moving on for % now. --karl, 15jan04. \catcode`\\=\other % % Make the characters 128-255 be printing characters. {% \count1=128 \def\loop{% \catcode\count1=\other \advance\count1 by 1 \ifnum \count1<256 \loop \fi }% }% % % @ is our escape character in .aux files, and we need braces. \catcode`\{=1 \catcode`\}=2 \catcode`\@=0 } \def\readdatafile#1{% \begingroup \setupdatafile \input\jobname.#1 \endgroup} \message{insertions,} % including footnotes. \newcount \footnoteno % The trailing space in the following definition for supereject is % vital for proper filling; pages come out unaligned when you do a % pagealignmacro call if that space before the closing brace is % removed. (Generally, numeric constants should always be followed by a % space to prevent strange expansion errors.) \def\supereject{\par\penalty -20000\footnoteno =0 } % @footnotestyle is meaningful for info output only. \let\footnotestyle=\comment {\catcode `\@=11 % % Auto-number footnotes. Otherwise like plain. \gdef\footnote{% \let\indent=\ptexindent \let\noindent=\ptexnoindent \global\advance\footnoteno by \@ne \edef\thisfootno{$^{\the\footnoteno}$}% % % In case the footnote comes at the end of a sentence, preserve the % extra spacing after we do the footnote number. \let\@sf\empty \ifhmode\edef\@sf{\spacefactor\the\spacefactor}\ptexslash\fi % % Remove inadvertent blank space before typesetting the footnote number. \unskip \thisfootno\@sf \dofootnote }% % Don't bother with the trickery in plain.tex to not require the % footnote text as a parameter. Our footnotes don't need to be so general. % % Oh yes, they do; otherwise, @ifset (and anything else that uses % \parseargline) fails inside footnotes because the tokens are fixed when % the footnote is read. --karl, 16nov96. % \gdef\dofootnote{% \insert\footins\bgroup % We want to typeset this text as a normal paragraph, even if the % footnote reference occurs in (for example) a display environment. % So reset some parameters. \hsize=\pagewidth \interlinepenalty\interfootnotelinepenalty \splittopskip\ht\strutbox % top baseline for broken footnotes \splitmaxdepth\dp\strutbox \floatingpenalty\@MM \leftskip\z@skip \rightskip\z@skip \spaceskip\z@skip \xspaceskip\z@skip \parindent\defaultparindent % \smallfonts \rm % % Because we use hanging indentation in footnotes, a @noindent appears % to exdent this text, so make it be a no-op. makeinfo does not use % hanging indentation so @noindent can still be needed within footnote % text after an @example or the like (not that this is good style). \let\noindent = \relax % % Hang the footnote text off the number. Use \everypar in case the % footnote extends for more than one paragraph. \everypar = {\hang}% \textindent{\thisfootno}% % % Don't crash into the line above the footnote text. Since this % expands into a box, it must come within the paragraph, lest it % provide a place where TeX can split the footnote. \footstrut \futurelet\next\fo@t } }%end \catcode `\@=11 % In case a @footnote appears in a vbox, save the footnote text and create % the real \insert just after the vbox finished. Otherwise, the insertion % would be lost. % Similarly, if a @footnote appears inside an alignment, save the footnote % text to a box and make the \insert when a row of the table is finished. % And the same can be done for other insert classes. --kasal, 16nov03. % Replace the \insert primitive by a cheating macro. % Deeper inside, just make sure that the saved insertions are not spilled % out prematurely. % \def\startsavinginserts{% \ifx \insert\ptexinsert \let\insert\saveinsert \else \let\checkinserts\relax \fi } % This \insert replacement works for both \insert\footins{foo} and % \insert\footins\bgroup foo\egroup, but it doesn't work for \insert27{foo}. % \def\saveinsert#1{% \edef\next{\noexpand\savetobox \makeSAVEname#1}% \afterassignment\next % swallow the left brace \let\temp = } \def\makeSAVEname#1{\makecsname{SAVE\expandafter\gobble\string#1}} \def\savetobox#1{\global\setbox#1 = \vbox\bgroup \unvbox#1} \def\checksaveins#1{\ifvoid#1\else \placesaveins#1\fi} \def\placesaveins#1{% \ptexinsert \csname\expandafter\gobblesave\string#1\endcsname {\box#1}% } % eat @SAVE -- beware, all of them have catcode \other: { \def\dospecials{\do S\do A\do V\do E} \uncatcodespecials % ;-) \gdef\gobblesave @SAVE{} } % initialization: \def\newsaveins #1{% \edef\next{\noexpand\newsaveinsX \makeSAVEname#1}% \next } \def\newsaveinsX #1{% \csname newbox\endcsname #1% \expandafter\def\expandafter\checkinserts\expandafter{\checkinserts \checksaveins #1}% } % initialize: \let\checkinserts\empty \newsaveins\footins \newsaveins\margin % @image. We use the macros from epsf.tex to support this. % If epsf.tex is not installed and @image is used, we complain. % % Check for and read epsf.tex up front. If we read it only at @image % time, we might be inside a group, and then its definitions would get % undone and the next image would fail. \openin 1 = epsf.tex \ifeof 1 \else % Do not bother showing banner with epsf.tex v2.7k (available in % doc/epsf.tex and on ctan). \def\epsfannounce{\toks0 = }% \input epsf.tex \fi \closein 1 % % We will only complain once about lack of epsf.tex. \newif\ifwarnednoepsf \newhelp\noepsfhelp{epsf.tex must be installed for images to work. It is also included in the Texinfo distribution, or you can get it from ftp://tug.org/tex/epsf.tex.} % \def\image#1{% \ifx\epsfbox\undefined \ifwarnednoepsf \else \errhelp = \noepsfhelp \errmessage{epsf.tex not found, images will be ignored}% \global\warnednoepsftrue \fi \else \imagexxx #1,,,,,\finish \fi } % % Arguments to @image: % #1 is (mandatory) image filename; we tack on .eps extension. % #2 is (optional) width, #3 is (optional) height. % #4 is (ignored optional) html alt text. % #5 is (ignored optional) extension. % #6 is just the usual extra ignored arg for parsing this stuff. \newif\ifimagevmode \def\imagexxx#1,#2,#3,#4,#5,#6\finish{\begingroup \catcode`\^^M = 5 % in case we're inside an example \normalturnoffactive % allow _ et al. in names % If the image is by itself, center it. \ifvmode \imagevmodetrue \nobreak\medskip % Usually we'll have text after the image which will insert % \parskip glue, so insert it here too to equalize the space % above and below. \nobreak\vskip\parskip \nobreak \fi % % Leave vertical mode so that indentation from an enclosing % environment such as @quotation is respected. On the other hand, if % it's at the top level, we don't want the normal paragraph indentation. \noindent % % Output the image. \ifpdf \dopdfimage{#1}{#2}{#3}% \else % \epsfbox itself resets \epsf?size at each figure. \setbox0 = \hbox{\ignorespaces #2}\ifdim\wd0 > 0pt \epsfxsize=#2\relax \fi \setbox0 = \hbox{\ignorespaces #3}\ifdim\wd0 > 0pt \epsfysize=#3\relax \fi \epsfbox{#1.eps}% \fi % \ifimagevmode \medskip \fi % space after the standalone image \endgroup} % @float FLOATTYPE,LABEL,LOC ... @end float for displayed figures, tables, % etc. We don't actually implement floating yet, we always include the % float "here". But it seemed the best name for the future. % \envparseargdef\float{\eatcommaspace\eatcommaspace\dofloat#1, , ,\finish} % There may be a space before second and/or third parameter; delete it. \def\eatcommaspace#1, {#1,} % #1 is the optional FLOATTYPE, the text label for this float, typically % "Figure", "Table", "Example", etc. Can't contain commas. If omitted, % this float will not be numbered and cannot be referred to. % % #2 is the optional xref label. Also must be present for the float to % be referable. % % #3 is the optional positioning argument; for now, it is ignored. It % will somehow specify the positions allowed to float to (here, top, bottom). % % We keep a separate counter for each FLOATTYPE, which we reset at each % chapter-level command. \let\resetallfloatnos=\empty % \def\dofloat#1,#2,#3,#4\finish{% \let\thiscaption=\empty \let\thisshortcaption=\empty % % don't lose footnotes inside @float. % % BEWARE: when the floats start float, we have to issue warning whenever an % insert appears inside a float which could possibly float. --kasal, 26may04 % \startsavinginserts % % We can't be used inside a paragraph. \par % \vtop\bgroup \def\floattype{#1}% \def\floatlabel{#2}% \def\floatloc{#3}% we do nothing with this yet. % \ifx\floattype\empty \let\safefloattype=\empty \else {% % the floattype might have accents or other special characters, % but we need to use it in a control sequence name. \indexnofonts \turnoffactive \xdef\safefloattype{\floattype}% }% \fi % % If label is given but no type, we handle that as the empty type. \ifx\floatlabel\empty \else % We want each FLOATTYPE to be numbered separately (Figure 1, % Table 1, Figure 2, ...). (And if no label, no number.) % \expandafter\getfloatno\csname\safefloattype floatno\endcsname \global\advance\floatno by 1 % {% % This magic value for \lastsection is output by \setref as the % XREFLABEL-title value. \xrefX uses it to distinguish float % labels (which have a completely different output format) from % node and anchor labels. And \xrdef uses it to construct the % lists of floats. % \edef\lastsection{\floatmagic=\safefloattype}% \setref{\floatlabel}{Yfloat}% }% \fi % % start with \parskip glue, I guess. \vskip\parskip % % Don't suppress indentation if a float happens to start a section. \restorefirstparagraphindent } % we have these possibilities: % @float Foo,lbl & @caption{Cap}: Foo 1.1: Cap % @float Foo,lbl & no caption: Foo 1.1 % @float Foo & @caption{Cap}: Foo: Cap % @float Foo & no caption: Foo % @float ,lbl & Caption{Cap}: 1.1: Cap % @float ,lbl & no caption: 1.1 % @float & @caption{Cap}: Cap % @float & no caption: % \def\Efloat{% \let\floatident = \empty % % In all cases, if we have a float type, it comes first. \ifx\floattype\empty \else \def\floatident{\floattype}\fi % % If we have an xref label, the number comes next. \ifx\floatlabel\empty \else \ifx\floattype\empty \else % if also had float type, need tie first. \appendtomacro\floatident{\tie}% \fi % the number. \appendtomacro\floatident{\chaplevelprefix\the\floatno}% \fi % % Start the printed caption with what we've constructed in % \floatident, but keep it separate; we need \floatident again. \let\captionline = \floatident % \ifx\thiscaption\empty \else \ifx\floatident\empty \else \appendtomacro\captionline{: }% had ident, so need a colon between \fi % % caption text. \appendtomacro\captionline{\scanexp\thiscaption}% \fi % % If we have anything to print, print it, with space before. % Eventually this needs to become an \insert. \ifx\captionline\empty \else \vskip.5\parskip \captionline % % Space below caption. \vskip\parskip \fi % % If have an xref label, write the list of floats info. Do this % after the caption, to avoid chance of it being a breakpoint. \ifx\floatlabel\empty \else % Write the text that goes in the lof to the aux file as % \floatlabel-lof. Besides \floatident, we include the short % caption if specified, else the full caption if specified, else nothing. {% \atdummies % % since we read the caption text in the macro world, where ^^M % is turned into a normal character, we have to scan it back, so % we don't write the literal three characters "^^M" into the aux file. \scanexp{% \xdef\noexpand\gtemp{% \ifx\thisshortcaption\empty \thiscaption \else \thisshortcaption \fi }% }% \immediate\write\auxfile{@xrdef{\floatlabel-lof}{\floatident \ifx\gtemp\empty \else : \gtemp \fi}}% }% \fi \egroup % end of \vtop % % place the captured inserts % % BEWARE: when the floats start floating, we have to issue warning % whenever an insert appears inside a float which could possibly % float. --kasal, 26may04 % \checkinserts } % Append the tokens #2 to the definition of macro #1, not expanding either. % \def\appendtomacro#1#2{% \expandafter\def\expandafter#1\expandafter{#1#2}% } % @caption, @shortcaption % \def\caption{\docaption\thiscaption} \def\shortcaption{\docaption\thisshortcaption} \def\docaption{\checkenv\float \bgroup\scanargctxt\defcaption} \def\defcaption#1#2{\egroup \def#1{#2}} % The parameter is the control sequence identifying the counter we are % going to use. Create it if it doesn't exist and assign it to \floatno. \def\getfloatno#1{% \ifx#1\relax % Haven't seen this figure type before. \csname newcount\endcsname #1% % % Remember to reset this floatno at the next chap. \expandafter\gdef\expandafter\resetallfloatnos \expandafter{\resetallfloatnos #1=0 }% \fi \let\floatno#1% } % \setref calls this to get the XREFLABEL-snt value. We want an @xref % to the FLOATLABEL to expand to "Figure 3.1". We call \setref when we % first read the @float command. % \def\Yfloat{\floattype@tie \chaplevelprefix\the\floatno}% % Magic string used for the XREFLABEL-title value, so \xrefX can % distinguish floats from other xref types. \def\floatmagic{!!float!!} % #1 is the control sequence we are passed; we expand into a conditional % which is true if #1 represents a float ref. That is, the magic % \lastsection value which we \setref above. % \def\iffloat#1{\expandafter\doiffloat#1==\finish} % % #1 is (maybe) the \floatmagic string. If so, #2 will be the % (safe) float type for this float. We set \iffloattype to #2. % \def\doiffloat#1=#2=#3\finish{% \def\temp{#1}% \def\iffloattype{#2}% \ifx\temp\floatmagic } % @listoffloats FLOATTYPE - print a list of floats like a table of contents. % \parseargdef\listoffloats{% \def\floattype{#1}% floattype {% % the floattype might have accents or other special characters, % but we need to use it in a control sequence name. \indexnofonts \turnoffactive \xdef\safefloattype{\floattype}% }% % % \xrdef saves the floats as a \do-list in \floatlistSAFEFLOATTYPE. \expandafter\ifx\csname floatlist\safefloattype\endcsname \relax \ifhavexrefs % if the user said @listoffloats foo but never @float foo. \message{\linenumber No `\safefloattype' floats to list.}% \fi \else \begingroup \leftskip=\tocindent % indent these entries like a toc \let\do=\listoffloatsdo \csname floatlist\safefloattype\endcsname \endgroup \fi } % This is called on each entry in a list of floats. We're passed the % xref label, in the form LABEL-title, which is how we save it in the % aux file. We strip off the -title and look up \XRLABEL-lof, which % has the text we're supposed to typeset here. % % Figures without xref labels will not be included in the list (since % they won't appear in the aux file). % \def\listoffloatsdo#1{\listoffloatsdoentry#1\finish} \def\listoffloatsdoentry#1-title\finish{{% % Can't fully expand XR#1-lof because it can contain anything. Just % pass the control sequence. On the other hand, XR#1-pg is just the % page number, and we want to fully expand that so we can get a link % in pdf output. \toksA = \expandafter{\csname XR#1-lof\endcsname}% % % use the same \entry macro we use to generate the TOC and index. \edef\writeentry{\noexpand\entry{\the\toksA}{\csname XR#1-pg\endcsname}}% \writeentry }} \message{localization,} % For single-language documents, @documentlanguage is usually given very % early, just after @documentencoding. Single argument is the language % (de) or locale (de_DE) abbreviation. % { \catcode`\_ = \active \globaldefs=1 \parseargdef\documentlanguage{\begingroup \let_=\normalunderscore % normal _ character for filenames \tex % read txi-??.tex file in plain TeX. % Read the file by the name they passed if it exists. \openin 1 txi-#1.tex \ifeof 1 \documentlanguagetrywithoutunderscore{#1_\finish}% \else \globaldefs = 1 % everything in the txi-LL files needs to persist \input txi-#1.tex \fi \closein 1 \endgroup % end raw TeX \endgroup} % % If they passed de_DE, and txi-de_DE.tex doesn't exist, % try txi-de.tex. % \gdef\documentlanguagetrywithoutunderscore#1_#2\finish{% \openin 1 txi-#1.tex \ifeof 1 \errhelp = \nolanghelp \errmessage{Cannot read language file txi-#1.tex}% \else \globaldefs = 1 % everything in the txi-LL files needs to persist \input txi-#1.tex \fi \closein 1 } }% end of special _ catcode % \newhelp\nolanghelp{The given language definition file cannot be found or is empty. Maybe you need to install it? Putting it in the current directory should work if nowhere else does.} % This macro is called from txi-??.tex files; the first argument is the % \language name to set (without the "\lang@" prefix), the second and % third args are \{left,right}hyphenmin. % % The language names to pass are determined when the format is built. % See the etex.log file created at that time, e.g., % /usr/local/texlive/2008/texmf-var/web2c/pdftex/etex.log. % % With TeX Live 2008, etex now includes hyphenation patterns for all % available languages. This means we can support hyphenation in % Texinfo, at least to some extent. (This still doesn't solve the % accented characters problem.) % \catcode`@=11 \def\txisetlanguage#1#2#3{% % do not set the language if the name is undefined in the current TeX. \expandafter\ifx\csname lang@#1\endcsname \relax \message{no patterns for #1}% \else \global\language = \csname lang@#1\endcsname \fi % but there is no harm in adjusting the hyphenmin values regardless. \global\lefthyphenmin = #2\relax \global\righthyphenmin = #3\relax } % Helpers for encodings. % Set the catcode of characters 128 through 255 to the specified number. % \def\setnonasciicharscatcode#1{% \count255=128 \loop\ifnum\count255<256 \global\catcode\count255=#1\relax \advance\count255 by 1 \repeat } \def\setnonasciicharscatcodenonglobal#1{% \count255=128 \loop\ifnum\count255<256 \catcode\count255=#1\relax \advance\count255 by 1 \repeat } % @documentencoding sets the definition of non-ASCII characters % according to the specified encoding. % \parseargdef\documentencoding{% % Encoding being declared for the document. \def\declaredencoding{\csname #1.enc\endcsname}% % % Supported encodings: names converted to tokens in order to be able % to compare them with \ifx. \def\ascii{\csname US-ASCII.enc\endcsname}% \def\latnine{\csname ISO-8859-15.enc\endcsname}% \def\latone{\csname ISO-8859-1.enc\endcsname}% \def\lattwo{\csname ISO-8859-2.enc\endcsname}% \def\utfeight{\csname UTF-8.enc\endcsname}% % \ifx \declaredencoding \ascii \asciichardefs % \else \ifx \declaredencoding \lattwo \setnonasciicharscatcode\active \lattwochardefs % \else \ifx \declaredencoding \latone \setnonasciicharscatcode\active \latonechardefs % \else \ifx \declaredencoding \latnine \setnonasciicharscatcode\active \latninechardefs % \else \ifx \declaredencoding \utfeight \setnonasciicharscatcode\active \utfeightchardefs % \else \message{Unknown document encoding #1, ignoring.}% % \fi % utfeight \fi % latnine \fi % latone \fi % lattwo \fi % ascii } % A message to be logged when using a character that isn't available % the default font encoding (OT1). % \def\missingcharmsg#1{\message{Character missing in OT1 encoding: #1.}} % Take account of \c (plain) vs. \, (Texinfo) difference. \def\cedilla#1{\ifx\c\ptexc\c{#1}\else\,{#1}\fi} % First, make active non-ASCII characters in order for them to be % correctly categorized when TeX reads the replacement text of % macros containing the character definitions. \setnonasciicharscatcode\active % % Latin1 (ISO-8859-1) character definitions. \def\latonechardefs{% \gdef^^a0{~} \gdef^^a1{\exclamdown} \gdef^^a2{\missingcharmsg{CENT SIGN}} \gdef^^a3{{\pounds}} \gdef^^a4{\missingcharmsg{CURRENCY SIGN}} \gdef^^a5{\missingcharmsg{YEN SIGN}} \gdef^^a6{\missingcharmsg{BROKEN BAR}} \gdef^^a7{\S} \gdef^^a8{\"{}} \gdef^^a9{\copyright} \gdef^^aa{\ordf} \gdef^^ab{\guillemetleft} \gdef^^ac{$\lnot$} \gdef^^ad{\-} \gdef^^ae{\registeredsymbol} \gdef^^af{\={}} % \gdef^^b0{\textdegree} \gdef^^b1{$\pm$} \gdef^^b2{$^2$} \gdef^^b3{$^3$} \gdef^^b4{\'{}} \gdef^^b5{$\mu$} \gdef^^b6{\P} % \gdef^^b7{$^.$} \gdef^^b8{\cedilla\ } \gdef^^b9{$^1$} \gdef^^ba{\ordm} % \gdef^^bb{\guilletright} \gdef^^bc{$1\over4$} \gdef^^bd{$1\over2$} \gdef^^be{$3\over4$} \gdef^^bf{\questiondown} % \gdef^^c0{\`A} \gdef^^c1{\'A} \gdef^^c2{\^A} \gdef^^c3{\~A} \gdef^^c4{\"A} \gdef^^c5{\ringaccent A} \gdef^^c6{\AE} \gdef^^c7{\cedilla C} \gdef^^c8{\`E} \gdef^^c9{\'E} \gdef^^ca{\^E} \gdef^^cb{\"E} \gdef^^cc{\`I} \gdef^^cd{\'I} \gdef^^ce{\^I} \gdef^^cf{\"I} % \gdef^^d0{\DH} \gdef^^d1{\~N} \gdef^^d2{\`O} \gdef^^d3{\'O} \gdef^^d4{\^O} \gdef^^d5{\~O} \gdef^^d6{\"O} \gdef^^d7{$\times$} \gdef^^d8{\O} \gdef^^d9{\`U} \gdef^^da{\'U} \gdef^^db{\^U} \gdef^^dc{\"U} \gdef^^dd{\'Y} \gdef^^de{\TH} \gdef^^df{\ss} % \gdef^^e0{\`a} \gdef^^e1{\'a} \gdef^^e2{\^a} \gdef^^e3{\~a} \gdef^^e4{\"a} \gdef^^e5{\ringaccent a} \gdef^^e6{\ae} \gdef^^e7{\cedilla c} \gdef^^e8{\`e} \gdef^^e9{\'e} \gdef^^ea{\^e} \gdef^^eb{\"e} \gdef^^ec{\`{\dotless i}} \gdef^^ed{\'{\dotless i}} \gdef^^ee{\^{\dotless i}} \gdef^^ef{\"{\dotless i}} % \gdef^^f0{\dh} \gdef^^f1{\~n} \gdef^^f2{\`o} \gdef^^f3{\'o} \gdef^^f4{\^o} \gdef^^f5{\~o} \gdef^^f6{\"o} \gdef^^f7{$\div$} \gdef^^f8{\o} \gdef^^f9{\`u} \gdef^^fa{\'u} \gdef^^fb{\^u} \gdef^^fc{\"u} \gdef^^fd{\'y} \gdef^^fe{\th} \gdef^^ff{\"y} } % Latin9 (ISO-8859-15) encoding character definitions. \def\latninechardefs{% % Encoding is almost identical to Latin1. \latonechardefs % \gdef^^a4{\euro} \gdef^^a6{\v S} \gdef^^a8{\v s} \gdef^^b4{\v Z} \gdef^^b8{\v z} \gdef^^bc{\OE} \gdef^^bd{\oe} \gdef^^be{\"Y} } % Latin2 (ISO-8859-2) character definitions. \def\lattwochardefs{% \gdef^^a0{~} \gdef^^a1{\ogonek{A}} \gdef^^a2{\u{}} \gdef^^a3{\L} \gdef^^a4{\missingcharmsg{CURRENCY SIGN}} \gdef^^a5{\v L} \gdef^^a6{\'S} \gdef^^a7{\S} \gdef^^a8{\"{}} \gdef^^a9{\v S} \gdef^^aa{\cedilla S} \gdef^^ab{\v T} \gdef^^ac{\'Z} \gdef^^ad{\-} \gdef^^ae{\v Z} \gdef^^af{\dotaccent Z} % \gdef^^b0{\textdegree} \gdef^^b1{\ogonek{a}} \gdef^^b2{\ogonek{ }} \gdef^^b3{\l} \gdef^^b4{\'{}} \gdef^^b5{\v l} \gdef^^b6{\'s} \gdef^^b7{\v{}} \gdef^^b8{\cedilla\ } \gdef^^b9{\v s} \gdef^^ba{\cedilla s} \gdef^^bb{\v t} \gdef^^bc{\'z} \gdef^^bd{\H{}} \gdef^^be{\v z} \gdef^^bf{\dotaccent z} % \gdef^^c0{\'R} \gdef^^c1{\'A} \gdef^^c2{\^A} \gdef^^c3{\u A} \gdef^^c4{\"A} \gdef^^c5{\'L} \gdef^^c6{\'C} \gdef^^c7{\cedilla C} \gdef^^c8{\v C} \gdef^^c9{\'E} \gdef^^ca{\ogonek{E}} \gdef^^cb{\"E} \gdef^^cc{\v E} \gdef^^cd{\'I} \gdef^^ce{\^I} \gdef^^cf{\v D} % \gdef^^d0{\DH} \gdef^^d1{\'N} \gdef^^d2{\v N} \gdef^^d3{\'O} \gdef^^d4{\^O} \gdef^^d5{\H O} \gdef^^d6{\"O} \gdef^^d7{$\times$} \gdef^^d8{\v R} \gdef^^d9{\ringaccent U} \gdef^^da{\'U} \gdef^^db{\H U} \gdef^^dc{\"U} \gdef^^dd{\'Y} \gdef^^de{\cedilla T} \gdef^^df{\ss} % \gdef^^e0{\'r} \gdef^^e1{\'a} \gdef^^e2{\^a} \gdef^^e3{\u a} \gdef^^e4{\"a} \gdef^^e5{\'l} \gdef^^e6{\'c} \gdef^^e7{\cedilla c} \gdef^^e8{\v c} \gdef^^e9{\'e} \gdef^^ea{\ogonek{e}} \gdef^^eb{\"e} \gdef^^ec{\v e} \gdef^^ed{\'\i} \gdef^^ee{\^\i} \gdef^^ef{\v d} % \gdef^^f0{\dh} \gdef^^f1{\'n} \gdef^^f2{\v n} \gdef^^f3{\'o} \gdef^^f4{\^o} \gdef^^f5{\H o} \gdef^^f6{\"o} \gdef^^f7{$\div$} \gdef^^f8{\v r} \gdef^^f9{\ringaccent u} \gdef^^fa{\'u} \gdef^^fb{\H u} \gdef^^fc{\"u} \gdef^^fd{\'y} \gdef^^fe{\cedilla t} \gdef^^ff{\dotaccent{}} } % UTF-8 character definitions. % % This code to support UTF-8 is based on LaTeX's utf8.def, with some % changes for Texinfo conventions. It is included here under the GPL by % permission from Frank Mittelbach and the LaTeX team. % \newcount\countUTFx \newcount\countUTFy \newcount\countUTFz \gdef\UTFviiiTwoOctets#1#2{\expandafter \UTFviiiDefined\csname u8:#1\string #2\endcsname} % \gdef\UTFviiiThreeOctets#1#2#3{\expandafter \UTFviiiDefined\csname u8:#1\string #2\string #3\endcsname} % \gdef\UTFviiiFourOctets#1#2#3#4{\expandafter \UTFviiiDefined\csname u8:#1\string #2\string #3\string #4\endcsname} \gdef\UTFviiiDefined#1{% \ifx #1\relax \message{\linenumber Unicode char \string #1 not defined for Texinfo}% \else \expandafter #1% \fi } \begingroup \catcode`\~13 \catcode`\"12 \def\UTFviiiLoop{% \global\catcode\countUTFx\active \uccode`\~\countUTFx \uppercase\expandafter{\UTFviiiTmp}% \advance\countUTFx by 1 \ifnum\countUTFx < \countUTFy \expandafter\UTFviiiLoop \fi} \countUTFx = "C2 \countUTFy = "E0 \def\UTFviiiTmp{% \xdef~{\noexpand\UTFviiiTwoOctets\string~}} \UTFviiiLoop \countUTFx = "E0 \countUTFy = "F0 \def\UTFviiiTmp{% \xdef~{\noexpand\UTFviiiThreeOctets\string~}} \UTFviiiLoop \countUTFx = "F0 \countUTFy = "F4 \def\UTFviiiTmp{% \xdef~{\noexpand\UTFviiiFourOctets\string~}} \UTFviiiLoop \endgroup \begingroup \catcode`\"=12 \catcode`\<=12 \catcode`\.=12 \catcode`\,=12 \catcode`\;=12 \catcode`\!=12 \catcode`\~=13 \gdef\DeclareUnicodeCharacter#1#2{% \countUTFz = "#1\relax \wlog{\space\space defining Unicode char U+#1 (decimal \the\countUTFz)}% \begingroup \parseXMLCharref \def\UTFviiiTwoOctets##1##2{% \csname u8:##1\string ##2\endcsname}% \def\UTFviiiThreeOctets##1##2##3{% \csname u8:##1\string ##2\string ##3\endcsname}% \def\UTFviiiFourOctets##1##2##3##4{% \csname u8:##1\string ##2\string ##3\string ##4\endcsname}% \expandafter\expandafter\expandafter\expandafter \expandafter\expandafter\expandafter \gdef\UTFviiiTmp{#2}% \endgroup} \gdef\parseXMLCharref{% \ifnum\countUTFz < "A0\relax \errhelp = \EMsimple \errmessage{Cannot define Unicode char value < 00A0}% \else\ifnum\countUTFz < "800\relax \parseUTFviiiA,% \parseUTFviiiB C\UTFviiiTwoOctets.,% \else\ifnum\countUTFz < "10000\relax \parseUTFviiiA;% \parseUTFviiiA,% \parseUTFviiiB E\UTFviiiThreeOctets.{,;}% \else \parseUTFviiiA;% \parseUTFviiiA,% \parseUTFviiiA!% \parseUTFviiiB F\UTFviiiFourOctets.{!,;}% \fi\fi\fi } \gdef\parseUTFviiiA#1{% \countUTFx = \countUTFz \divide\countUTFz by 64 \countUTFy = \countUTFz \multiply\countUTFz by 64 \advance\countUTFx by -\countUTFz \advance\countUTFx by 128 \uccode `#1\countUTFx \countUTFz = \countUTFy} \gdef\parseUTFviiiB#1#2#3#4{% \advance\countUTFz by "#10\relax \uccode `#3\countUTFz \uppercase{\gdef\UTFviiiTmp{#2#3#4}}} \endgroup \def\utfeightchardefs{% \DeclareUnicodeCharacter{00A0}{\tie} \DeclareUnicodeCharacter{00A1}{\exclamdown} \DeclareUnicodeCharacter{00A3}{\pounds} \DeclareUnicodeCharacter{00A8}{\"{ }} \DeclareUnicodeCharacter{00A9}{\copyright} \DeclareUnicodeCharacter{00AA}{\ordf} \DeclareUnicodeCharacter{00AB}{\guillemetleft} \DeclareUnicodeCharacter{00AD}{\-} \DeclareUnicodeCharacter{00AE}{\registeredsymbol} \DeclareUnicodeCharacter{00AF}{\={ }} \DeclareUnicodeCharacter{00B0}{\ringaccent{ }} \DeclareUnicodeCharacter{00B4}{\'{ }} \DeclareUnicodeCharacter{00B8}{\cedilla{ }} \DeclareUnicodeCharacter{00BA}{\ordm} \DeclareUnicodeCharacter{00BB}{\guillemetright} \DeclareUnicodeCharacter{00BF}{\questiondown} \DeclareUnicodeCharacter{00C0}{\`A} \DeclareUnicodeCharacter{00C1}{\'A} \DeclareUnicodeCharacter{00C2}{\^A} \DeclareUnicodeCharacter{00C3}{\~A} \DeclareUnicodeCharacter{00C4}{\"A} \DeclareUnicodeCharacter{00C5}{\AA} \DeclareUnicodeCharacter{00C6}{\AE} \DeclareUnicodeCharacter{00C7}{\cedilla{C}} \DeclareUnicodeCharacter{00C8}{\`E} \DeclareUnicodeCharacter{00C9}{\'E} \DeclareUnicodeCharacter{00CA}{\^E} \DeclareUnicodeCharacter{00CB}{\"E} \DeclareUnicodeCharacter{00CC}{\`I} \DeclareUnicodeCharacter{00CD}{\'I} \DeclareUnicodeCharacter{00CE}{\^I} \DeclareUnicodeCharacter{00CF}{\"I} \DeclareUnicodeCharacter{00D0}{\DH} \DeclareUnicodeCharacter{00D1}{\~N} \DeclareUnicodeCharacter{00D2}{\`O} \DeclareUnicodeCharacter{00D3}{\'O} \DeclareUnicodeCharacter{00D4}{\^O} \DeclareUnicodeCharacter{00D5}{\~O} \DeclareUnicodeCharacter{00D6}{\"O} \DeclareUnicodeCharacter{00D8}{\O} \DeclareUnicodeCharacter{00D9}{\`U} \DeclareUnicodeCharacter{00DA}{\'U} \DeclareUnicodeCharacter{00DB}{\^U} \DeclareUnicodeCharacter{00DC}{\"U} \DeclareUnicodeCharacter{00DD}{\'Y} \DeclareUnicodeCharacter{00DE}{\TH} \DeclareUnicodeCharacter{00DF}{\ss} \DeclareUnicodeCharacter{00E0}{\`a} \DeclareUnicodeCharacter{00E1}{\'a} \DeclareUnicodeCharacter{00E2}{\^a} \DeclareUnicodeCharacter{00E3}{\~a} \DeclareUnicodeCharacter{00E4}{\"a} \DeclareUnicodeCharacter{00E5}{\aa} \DeclareUnicodeCharacter{00E6}{\ae} \DeclareUnicodeCharacter{00E7}{\cedilla{c}} \DeclareUnicodeCharacter{00E8}{\`e} \DeclareUnicodeCharacter{00E9}{\'e} \DeclareUnicodeCharacter{00EA}{\^e} \DeclareUnicodeCharacter{00EB}{\"e} \DeclareUnicodeCharacter{00EC}{\`{\dotless{i}}} \DeclareUnicodeCharacter{00ED}{\'{\dotless{i}}} \DeclareUnicodeCharacter{00EE}{\^{\dotless{i}}} \DeclareUnicodeCharacter{00EF}{\"{\dotless{i}}} \DeclareUnicodeCharacter{00F0}{\dh} \DeclareUnicodeCharacter{00F1}{\~n} \DeclareUnicodeCharacter{00F2}{\`o} \DeclareUnicodeCharacter{00F3}{\'o} \DeclareUnicodeCharacter{00F4}{\^o} \DeclareUnicodeCharacter{00F5}{\~o} \DeclareUnicodeCharacter{00F6}{\"o} \DeclareUnicodeCharacter{00F8}{\o} \DeclareUnicodeCharacter{00F9}{\`u} \DeclareUnicodeCharacter{00FA}{\'u} \DeclareUnicodeCharacter{00FB}{\^u} \DeclareUnicodeCharacter{00FC}{\"u} \DeclareUnicodeCharacter{00FD}{\'y} \DeclareUnicodeCharacter{00FE}{\th} \DeclareUnicodeCharacter{00FF}{\"y} \DeclareUnicodeCharacter{0100}{\=A} \DeclareUnicodeCharacter{0101}{\=a} \DeclareUnicodeCharacter{0102}{\u{A}} \DeclareUnicodeCharacter{0103}{\u{a}} \DeclareUnicodeCharacter{0104}{\ogonek{A}} \DeclareUnicodeCharacter{0105}{\ogonek{a}} \DeclareUnicodeCharacter{0106}{\'C} \DeclareUnicodeCharacter{0107}{\'c} \DeclareUnicodeCharacter{0108}{\^C} \DeclareUnicodeCharacter{0109}{\^c} \DeclareUnicodeCharacter{0118}{\ogonek{E}} \DeclareUnicodeCharacter{0119}{\ogonek{e}} \DeclareUnicodeCharacter{010A}{\dotaccent{C}} \DeclareUnicodeCharacter{010B}{\dotaccent{c}} \DeclareUnicodeCharacter{010C}{\v{C}} \DeclareUnicodeCharacter{010D}{\v{c}} \DeclareUnicodeCharacter{010E}{\v{D}} \DeclareUnicodeCharacter{0112}{\=E} \DeclareUnicodeCharacter{0113}{\=e} \DeclareUnicodeCharacter{0114}{\u{E}} \DeclareUnicodeCharacter{0115}{\u{e}} \DeclareUnicodeCharacter{0116}{\dotaccent{E}} \DeclareUnicodeCharacter{0117}{\dotaccent{e}} \DeclareUnicodeCharacter{011A}{\v{E}} \DeclareUnicodeCharacter{011B}{\v{e}} \DeclareUnicodeCharacter{011C}{\^G} \DeclareUnicodeCharacter{011D}{\^g} \DeclareUnicodeCharacter{011E}{\u{G}} \DeclareUnicodeCharacter{011F}{\u{g}} \DeclareUnicodeCharacter{0120}{\dotaccent{G}} \DeclareUnicodeCharacter{0121}{\dotaccent{g}} \DeclareUnicodeCharacter{0124}{\^H} \DeclareUnicodeCharacter{0125}{\^h} \DeclareUnicodeCharacter{0128}{\~I} \DeclareUnicodeCharacter{0129}{\~{\dotless{i}}} \DeclareUnicodeCharacter{012A}{\=I} \DeclareUnicodeCharacter{012B}{\={\dotless{i}}} \DeclareUnicodeCharacter{012C}{\u{I}} \DeclareUnicodeCharacter{012D}{\u{\dotless{i}}} \DeclareUnicodeCharacter{0130}{\dotaccent{I}} \DeclareUnicodeCharacter{0131}{\dotless{i}} \DeclareUnicodeCharacter{0132}{IJ} \DeclareUnicodeCharacter{0133}{ij} \DeclareUnicodeCharacter{0134}{\^J} \DeclareUnicodeCharacter{0135}{\^{\dotless{j}}} \DeclareUnicodeCharacter{0139}{\'L} \DeclareUnicodeCharacter{013A}{\'l} \DeclareUnicodeCharacter{0141}{\L} \DeclareUnicodeCharacter{0142}{\l} \DeclareUnicodeCharacter{0143}{\'N} \DeclareUnicodeCharacter{0144}{\'n} \DeclareUnicodeCharacter{0147}{\v{N}} \DeclareUnicodeCharacter{0148}{\v{n}} \DeclareUnicodeCharacter{014C}{\=O} \DeclareUnicodeCharacter{014D}{\=o} \DeclareUnicodeCharacter{014E}{\u{O}} \DeclareUnicodeCharacter{014F}{\u{o}} \DeclareUnicodeCharacter{0150}{\H{O}} \DeclareUnicodeCharacter{0151}{\H{o}} \DeclareUnicodeCharacter{0152}{\OE} \DeclareUnicodeCharacter{0153}{\oe} \DeclareUnicodeCharacter{0154}{\'R} \DeclareUnicodeCharacter{0155}{\'r} \DeclareUnicodeCharacter{0158}{\v{R}} \DeclareUnicodeCharacter{0159}{\v{r}} \DeclareUnicodeCharacter{015A}{\'S} \DeclareUnicodeCharacter{015B}{\'s} \DeclareUnicodeCharacter{015C}{\^S} \DeclareUnicodeCharacter{015D}{\^s} \DeclareUnicodeCharacter{015E}{\cedilla{S}} \DeclareUnicodeCharacter{015F}{\cedilla{s}} \DeclareUnicodeCharacter{0160}{\v{S}} \DeclareUnicodeCharacter{0161}{\v{s}} \DeclareUnicodeCharacter{0162}{\cedilla{t}} \DeclareUnicodeCharacter{0163}{\cedilla{T}} \DeclareUnicodeCharacter{0164}{\v{T}} \DeclareUnicodeCharacter{0168}{\~U} \DeclareUnicodeCharacter{0169}{\~u} \DeclareUnicodeCharacter{016A}{\=U} \DeclareUnicodeCharacter{016B}{\=u} \DeclareUnicodeCharacter{016C}{\u{U}} \DeclareUnicodeCharacter{016D}{\u{u}} \DeclareUnicodeCharacter{016E}{\ringaccent{U}} \DeclareUnicodeCharacter{016F}{\ringaccent{u}} \DeclareUnicodeCharacter{0170}{\H{U}} \DeclareUnicodeCharacter{0171}{\H{u}} \DeclareUnicodeCharacter{0174}{\^W} \DeclareUnicodeCharacter{0175}{\^w} \DeclareUnicodeCharacter{0176}{\^Y} \DeclareUnicodeCharacter{0177}{\^y} \DeclareUnicodeCharacter{0178}{\"Y} \DeclareUnicodeCharacter{0179}{\'Z} \DeclareUnicodeCharacter{017A}{\'z} \DeclareUnicodeCharacter{017B}{\dotaccent{Z}} \DeclareUnicodeCharacter{017C}{\dotaccent{z}} \DeclareUnicodeCharacter{017D}{\v{Z}} \DeclareUnicodeCharacter{017E}{\v{z}} \DeclareUnicodeCharacter{01C4}{D\v{Z}} \DeclareUnicodeCharacter{01C5}{D\v{z}} \DeclareUnicodeCharacter{01C6}{d\v{z}} \DeclareUnicodeCharacter{01C7}{LJ} \DeclareUnicodeCharacter{01C8}{Lj} \DeclareUnicodeCharacter{01C9}{lj} \DeclareUnicodeCharacter{01CA}{NJ} \DeclareUnicodeCharacter{01CB}{Nj} \DeclareUnicodeCharacter{01CC}{nj} \DeclareUnicodeCharacter{01CD}{\v{A}} \DeclareUnicodeCharacter{01CE}{\v{a}} \DeclareUnicodeCharacter{01CF}{\v{I}} \DeclareUnicodeCharacter{01D0}{\v{\dotless{i}}} \DeclareUnicodeCharacter{01D1}{\v{O}} \DeclareUnicodeCharacter{01D2}{\v{o}} \DeclareUnicodeCharacter{01D3}{\v{U}} \DeclareUnicodeCharacter{01D4}{\v{u}} \DeclareUnicodeCharacter{01E2}{\={\AE}} \DeclareUnicodeCharacter{01E3}{\={\ae}} \DeclareUnicodeCharacter{01E6}{\v{G}} \DeclareUnicodeCharacter{01E7}{\v{g}} \DeclareUnicodeCharacter{01E8}{\v{K}} \DeclareUnicodeCharacter{01E9}{\v{k}} \DeclareUnicodeCharacter{01F0}{\v{\dotless{j}}} \DeclareUnicodeCharacter{01F1}{DZ} \DeclareUnicodeCharacter{01F2}{Dz} \DeclareUnicodeCharacter{01F3}{dz} \DeclareUnicodeCharacter{01F4}{\'G} \DeclareUnicodeCharacter{01F5}{\'g} \DeclareUnicodeCharacter{01F8}{\`N} \DeclareUnicodeCharacter{01F9}{\`n} \DeclareUnicodeCharacter{01FC}{\'{\AE}} \DeclareUnicodeCharacter{01FD}{\'{\ae}} \DeclareUnicodeCharacter{01FE}{\'{\O}} \DeclareUnicodeCharacter{01FF}{\'{\o}} \DeclareUnicodeCharacter{021E}{\v{H}} \DeclareUnicodeCharacter{021F}{\v{h}} \DeclareUnicodeCharacter{0226}{\dotaccent{A}} \DeclareUnicodeCharacter{0227}{\dotaccent{a}} \DeclareUnicodeCharacter{0228}{\cedilla{E}} \DeclareUnicodeCharacter{0229}{\cedilla{e}} \DeclareUnicodeCharacter{022E}{\dotaccent{O}} \DeclareUnicodeCharacter{022F}{\dotaccent{o}} \DeclareUnicodeCharacter{0232}{\=Y} \DeclareUnicodeCharacter{0233}{\=y} \DeclareUnicodeCharacter{0237}{\dotless{j}} \DeclareUnicodeCharacter{02DB}{\ogonek{ }} \DeclareUnicodeCharacter{1E02}{\dotaccent{B}} \DeclareUnicodeCharacter{1E03}{\dotaccent{b}} \DeclareUnicodeCharacter{1E04}{\udotaccent{B}} \DeclareUnicodeCharacter{1E05}{\udotaccent{b}} \DeclareUnicodeCharacter{1E06}{\ubaraccent{B}} \DeclareUnicodeCharacter{1E07}{\ubaraccent{b}} \DeclareUnicodeCharacter{1E0A}{\dotaccent{D}} \DeclareUnicodeCharacter{1E0B}{\dotaccent{d}} \DeclareUnicodeCharacter{1E0C}{\udotaccent{D}} \DeclareUnicodeCharacter{1E0D}{\udotaccent{d}} \DeclareUnicodeCharacter{1E0E}{\ubaraccent{D}} \DeclareUnicodeCharacter{1E0F}{\ubaraccent{d}} \DeclareUnicodeCharacter{1E1E}{\dotaccent{F}} \DeclareUnicodeCharacter{1E1F}{\dotaccent{f}} \DeclareUnicodeCharacter{1E20}{\=G} \DeclareUnicodeCharacter{1E21}{\=g} \DeclareUnicodeCharacter{1E22}{\dotaccent{H}} \DeclareUnicodeCharacter{1E23}{\dotaccent{h}} \DeclareUnicodeCharacter{1E24}{\udotaccent{H}} \DeclareUnicodeCharacter{1E25}{\udotaccent{h}} \DeclareUnicodeCharacter{1E26}{\"H} \DeclareUnicodeCharacter{1E27}{\"h} \DeclareUnicodeCharacter{1E30}{\'K} \DeclareUnicodeCharacter{1E31}{\'k} \DeclareUnicodeCharacter{1E32}{\udotaccent{K}} \DeclareUnicodeCharacter{1E33}{\udotaccent{k}} \DeclareUnicodeCharacter{1E34}{\ubaraccent{K}} \DeclareUnicodeCharacter{1E35}{\ubaraccent{k}} \DeclareUnicodeCharacter{1E36}{\udotaccent{L}} \DeclareUnicodeCharacter{1E37}{\udotaccent{l}} \DeclareUnicodeCharacter{1E3A}{\ubaraccent{L}} \DeclareUnicodeCharacter{1E3B}{\ubaraccent{l}} \DeclareUnicodeCharacter{1E3E}{\'M} \DeclareUnicodeCharacter{1E3F}{\'m} \DeclareUnicodeCharacter{1E40}{\dotaccent{M}} \DeclareUnicodeCharacter{1E41}{\dotaccent{m}} \DeclareUnicodeCharacter{1E42}{\udotaccent{M}} \DeclareUnicodeCharacter{1E43}{\udotaccent{m}} \DeclareUnicodeCharacter{1E44}{\dotaccent{N}} \DeclareUnicodeCharacter{1E45}{\dotaccent{n}} \DeclareUnicodeCharacter{1E46}{\udotaccent{N}} \DeclareUnicodeCharacter{1E47}{\udotaccent{n}} \DeclareUnicodeCharacter{1E48}{\ubaraccent{N}} \DeclareUnicodeCharacter{1E49}{\ubaraccent{n}} \DeclareUnicodeCharacter{1E54}{\'P} \DeclareUnicodeCharacter{1E55}{\'p} \DeclareUnicodeCharacter{1E56}{\dotaccent{P}} \DeclareUnicodeCharacter{1E57}{\dotaccent{p}} \DeclareUnicodeCharacter{1E58}{\dotaccent{R}} \DeclareUnicodeCharacter{1E59}{\dotaccent{r}} \DeclareUnicodeCharacter{1E5A}{\udotaccent{R}} \DeclareUnicodeCharacter{1E5B}{\udotaccent{r}} \DeclareUnicodeCharacter{1E5E}{\ubaraccent{R}} \DeclareUnicodeCharacter{1E5F}{\ubaraccent{r}} \DeclareUnicodeCharacter{1E60}{\dotaccent{S}} \DeclareUnicodeCharacter{1E61}{\dotaccent{s}} \DeclareUnicodeCharacter{1E62}{\udotaccent{S}} \DeclareUnicodeCharacter{1E63}{\udotaccent{s}} \DeclareUnicodeCharacter{1E6A}{\dotaccent{T}} \DeclareUnicodeCharacter{1E6B}{\dotaccent{t}} \DeclareUnicodeCharacter{1E6C}{\udotaccent{T}} \DeclareUnicodeCharacter{1E6D}{\udotaccent{t}} \DeclareUnicodeCharacter{1E6E}{\ubaraccent{T}} \DeclareUnicodeCharacter{1E6F}{\ubaraccent{t}} \DeclareUnicodeCharacter{1E7C}{\~V} \DeclareUnicodeCharacter{1E7D}{\~v} \DeclareUnicodeCharacter{1E7E}{\udotaccent{V}} \DeclareUnicodeCharacter{1E7F}{\udotaccent{v}} \DeclareUnicodeCharacter{1E80}{\`W} \DeclareUnicodeCharacter{1E81}{\`w} \DeclareUnicodeCharacter{1E82}{\'W} \DeclareUnicodeCharacter{1E83}{\'w} \DeclareUnicodeCharacter{1E84}{\"W} \DeclareUnicodeCharacter{1E85}{\"w} \DeclareUnicodeCharacter{1E86}{\dotaccent{W}} \DeclareUnicodeCharacter{1E87}{\dotaccent{w}} \DeclareUnicodeCharacter{1E88}{\udotaccent{W}} \DeclareUnicodeCharacter{1E89}{\udotaccent{w}} \DeclareUnicodeCharacter{1E8A}{\dotaccent{X}} \DeclareUnicodeCharacter{1E8B}{\dotaccent{x}} \DeclareUnicodeCharacter{1E8C}{\"X} \DeclareUnicodeCharacter{1E8D}{\"x} \DeclareUnicodeCharacter{1E8E}{\dotaccent{Y}} \DeclareUnicodeCharacter{1E8F}{\dotaccent{y}} \DeclareUnicodeCharacter{1E90}{\^Z} \DeclareUnicodeCharacter{1E91}{\^z} \DeclareUnicodeCharacter{1E92}{\udotaccent{Z}} \DeclareUnicodeCharacter{1E93}{\udotaccent{z}} \DeclareUnicodeCharacter{1E94}{\ubaraccent{Z}} \DeclareUnicodeCharacter{1E95}{\ubaraccent{z}} \DeclareUnicodeCharacter{1E96}{\ubaraccent{h}} \DeclareUnicodeCharacter{1E97}{\"t} \DeclareUnicodeCharacter{1E98}{\ringaccent{w}} \DeclareUnicodeCharacter{1E99}{\ringaccent{y}} \DeclareUnicodeCharacter{1EA0}{\udotaccent{A}} \DeclareUnicodeCharacter{1EA1}{\udotaccent{a}} \DeclareUnicodeCharacter{1EB8}{\udotaccent{E}} \DeclareUnicodeCharacter{1EB9}{\udotaccent{e}} \DeclareUnicodeCharacter{1EBC}{\~E} \DeclareUnicodeCharacter{1EBD}{\~e} \DeclareUnicodeCharacter{1ECA}{\udotaccent{I}} \DeclareUnicodeCharacter{1ECB}{\udotaccent{i}} \DeclareUnicodeCharacter{1ECC}{\udotaccent{O}} \DeclareUnicodeCharacter{1ECD}{\udotaccent{o}} \DeclareUnicodeCharacter{1EE4}{\udotaccent{U}} \DeclareUnicodeCharacter{1EE5}{\udotaccent{u}} \DeclareUnicodeCharacter{1EF2}{\`Y} \DeclareUnicodeCharacter{1EF3}{\`y} \DeclareUnicodeCharacter{1EF4}{\udotaccent{Y}} \DeclareUnicodeCharacter{1EF8}{\~Y} \DeclareUnicodeCharacter{1EF9}{\~y} \DeclareUnicodeCharacter{2013}{--} \DeclareUnicodeCharacter{2014}{---} \DeclareUnicodeCharacter{2018}{\quoteleft} \DeclareUnicodeCharacter{2019}{\quoteright} \DeclareUnicodeCharacter{201A}{\quotesinglbase} \DeclareUnicodeCharacter{201C}{\quotedblleft} \DeclareUnicodeCharacter{201D}{\quotedblright} \DeclareUnicodeCharacter{201E}{\quotedblbase} \DeclareUnicodeCharacter{2022}{\bullet} \DeclareUnicodeCharacter{2026}{\dots} \DeclareUnicodeCharacter{2039}{\guilsinglleft} \DeclareUnicodeCharacter{203A}{\guilsinglright} \DeclareUnicodeCharacter{20AC}{\euro} \DeclareUnicodeCharacter{2192}{\expansion} \DeclareUnicodeCharacter{21D2}{\result} \DeclareUnicodeCharacter{2212}{\minus} \DeclareUnicodeCharacter{2217}{\point} \DeclareUnicodeCharacter{2261}{\equiv} }% end of \utfeightchardefs % US-ASCII character definitions. \def\asciichardefs{% nothing need be done \relax } % Make non-ASCII characters printable again for compatibility with % existing Texinfo documents that may use them, even without declaring a % document encoding. % \setnonasciicharscatcode \other \message{formatting,} \newdimen\defaultparindent \defaultparindent = 15pt \chapheadingskip = 15pt plus 4pt minus 2pt \secheadingskip = 12pt plus 3pt minus 2pt \subsecheadingskip = 9pt plus 2pt minus 2pt % Prevent underfull vbox error messages. \vbadness = 10000 % Don't be so finicky about underfull hboxes, either. \hbadness = 2000 % Following George Bush, get rid of widows and orphans. \widowpenalty=10000 \clubpenalty=10000 % Use TeX 3.0's \emergencystretch to help line breaking, but if we're % using an old version of TeX, don't do anything. We want the amount of % stretch added to depend on the line length, hence the dependence on % \hsize. We call this whenever the paper size is set. % \def\setemergencystretch{% \ifx\emergencystretch\thisisundefined % Allow us to assign to \emergencystretch anyway. \def\emergencystretch{\dimen0}% \else \emergencystretch = .15\hsize \fi } % Parameters in order: 1) textheight; 2) textwidth; % 3) voffset; 4) hoffset; 5) binding offset; 6) topskip; % 7) physical page height; 8) physical page width. % % We also call \setleading{\textleading}, so the caller should define % \textleading. The caller should also set \parskip. % \def\internalpagesizes#1#2#3#4#5#6#7#8{% \voffset = #3\relax \topskip = #6\relax \splittopskip = \topskip % \vsize = #1\relax \advance\vsize by \topskip \outervsize = \vsize \advance\outervsize by 2\topandbottommargin \pageheight = \vsize % \hsize = #2\relax \outerhsize = \hsize \advance\outerhsize by 0.5in \pagewidth = \hsize % \normaloffset = #4\relax \bindingoffset = #5\relax % \ifpdf \pdfpageheight #7\relax \pdfpagewidth #8\relax % if we don't reset these, they will remain at "1 true in" of % whatever layout pdftex was dumped with. \pdfhorigin = 1 true in \pdfvorigin = 1 true in \fi % \setleading{\textleading} % \parindent = \defaultparindent \setemergencystretch } % @letterpaper (the default). \def\letterpaper{{\globaldefs = 1 \parskip = 3pt plus 2pt minus 1pt \textleading = 13.2pt % % If page is nothing but text, make it come out even. \internalpagesizes{607.2pt}{6in}% that's 46 lines {\voffset}{.25in}% {\bindingoffset}{36pt}% {11in}{8.5in}% }} % Use @smallbook to reset parameters for 7x9.25 trim size. \def\smallbook{{\globaldefs = 1 \parskip = 2pt plus 1pt \textleading = 12pt % \internalpagesizes{7.5in}{5in}% {-.2in}{0in}% {\bindingoffset}{16pt}% {9.25in}{7in}% % \lispnarrowing = 0.3in \tolerance = 700 \hfuzz = 1pt \contentsrightmargin = 0pt \defbodyindent = .5cm }} % Use @smallerbook to reset parameters for 6x9 trim size. % (Just testing, parameters still in flux.) \def\smallerbook{{\globaldefs = 1 \parskip = 1.5pt plus 1pt \textleading = 12pt % \internalpagesizes{7.4in}{4.8in}% {-.2in}{-.4in}% {0pt}{14pt}% {9in}{6in}% % \lispnarrowing = 0.25in \tolerance = 700 \hfuzz = 1pt \contentsrightmargin = 0pt \defbodyindent = .4cm }} % Use @afourpaper to print on European A4 paper. \def\afourpaper{{\globaldefs = 1 \parskip = 3pt plus 2pt minus 1pt \textleading = 13.2pt % % Double-side printing via postscript on Laserjet 4050 % prints double-sided nicely when \bindingoffset=10mm and \hoffset=-6mm. % To change the settings for a different printer or situation, adjust % \normaloffset until the front-side and back-side texts align. Then % do the same for \bindingoffset. You can set these for testing in % your texinfo source file like this: % @tex % \global\normaloffset = -6mm % \global\bindingoffset = 10mm % @end tex \internalpagesizes{673.2pt}{160mm}% that's 51 lines {\voffset}{\hoffset}% {\bindingoffset}{44pt}% {297mm}{210mm}% % \tolerance = 700 \hfuzz = 1pt \contentsrightmargin = 0pt \defbodyindent = 5mm }} % Use @afivepaper to print on European A5 paper. % From romildo@urano.iceb.ufop.br, 2 July 2000. % He also recommends making @example and @lisp be small. \def\afivepaper{{\globaldefs = 1 \parskip = 2pt plus 1pt minus 0.1pt \textleading = 12.5pt % \internalpagesizes{160mm}{120mm}% {\voffset}{\hoffset}% {\bindingoffset}{8pt}% {210mm}{148mm}% % \lispnarrowing = 0.2in \tolerance = 800 \hfuzz = 1.2pt \contentsrightmargin = 0pt \defbodyindent = 2mm \tableindent = 12mm }} % A specific text layout, 24x15cm overall, intended for A4 paper. \def\afourlatex{{\globaldefs = 1 \afourpaper \internalpagesizes{237mm}{150mm}% {\voffset}{4.6mm}% {\bindingoffset}{7mm}% {297mm}{210mm}% % % Must explicitly reset to 0 because we call \afourpaper. \globaldefs = 0 }} % Use @afourwide to print on A4 paper in landscape format. \def\afourwide{{\globaldefs = 1 \afourpaper \internalpagesizes{241mm}{165mm}% {\voffset}{-2.95mm}% {\bindingoffset}{7mm}% {297mm}{210mm}% \globaldefs = 0 }} % @pagesizes TEXTHEIGHT[,TEXTWIDTH] % Perhaps we should allow setting the margins, \topskip, \parskip, % and/or leading, also. Or perhaps we should compute them somehow. % \parseargdef\pagesizes{\pagesizesyyy #1,,\finish} \def\pagesizesyyy#1,#2,#3\finish{{% \setbox0 = \hbox{\ignorespaces #2}\ifdim\wd0 > 0pt \hsize=#2\relax \fi \globaldefs = 1 % \parskip = 3pt plus 2pt minus 1pt \setleading{\textleading}% % \dimen0 = #1\relax \advance\dimen0 by \voffset % \dimen2 = \hsize \advance\dimen2 by \normaloffset % \internalpagesizes{#1}{\hsize}% {\voffset}{\normaloffset}% {\bindingoffset}{44pt}% {\dimen0}{\dimen2}% }} % Set default to letter. % \letterpaper \message{and turning on texinfo input format.} % DEL is a comment character, in case @c does not suffice. \catcode`\^^? = 14 % Define macros to output various characters with catcode for normal text. \catcode`\"=\other \catcode`\~=\other \catcode`\^=\other \catcode`\_=\other \catcode`\|=\other \catcode`\<=\other \catcode`\>=\other \catcode`\+=\other \catcode`\$=\other \def\normaldoublequote{"} \def\normaltilde{~} \def\normalcaret{^} \def\normalunderscore{_} \def\normalverticalbar{|} \def\normalless{<} \def\normalgreater{>} \def\normalplus{+} \def\normaldollar{$}%$ font-lock fix % This macro is used to make a character print one way in \tt % (where it can probably be output as-is), and another way in other fonts, % where something hairier probably needs to be done. % % #1 is what to print if we are indeed using \tt; #2 is what to print % otherwise. Since all the Computer Modern typewriter fonts have zero % interword stretch (and shrink), and it is reasonable to expect all % typewriter fonts to have this, we can check that font parameter. % \def\ifusingtt#1#2{\ifdim \fontdimen3\font=0pt #1\else #2\fi} % Same as above, but check for italic font. Actually this also catches % non-italic slanted fonts since it is impossible to distinguish them from % italic fonts. But since this is only used by $ and it uses \sl anyway % this is not a problem. \def\ifusingit#1#2{\ifdim \fontdimen1\font>0pt #1\else #2\fi} % Turn off all special characters except @ % (and those which the user can use as if they were ordinary). % Most of these we simply print from the \tt font, but for some, we can % use math or other variants that look better in normal text. \catcode`\"=\active \def\activedoublequote{{\tt\char34}} \let"=\activedoublequote \catcode`\~=\active \def~{{\tt\char126}} \chardef\hat=`\^ \catcode`\^=\active \def^{{\tt \hat}} \catcode`\_=\active \def_{\ifusingtt\normalunderscore\_} \let\realunder=_ % Subroutine for the previous macro. \def\_{\leavevmode \kern.07em \vbox{\hrule width.3em height.1ex}\kern .07em } \catcode`\|=\active \def|{{\tt\char124}} \chardef \less=`\< \catcode`\<=\active \def<{{\tt \less}} \chardef \gtr=`\> \catcode`\>=\active \def>{{\tt \gtr}} \catcode`\+=\active \def+{{\tt \char 43}} \catcode`\$=\active \def${\ifusingit{{\sl\$}}\normaldollar}%$ font-lock fix % If a .fmt file is being used, characters that might appear in a file % name cannot be active until we have parsed the command line. % So turn them off again, and have \everyjob (or @setfilename) turn them on. % \otherifyactive is called near the end of this file. \def\otherifyactive{\catcode`+=\other \catcode`\_=\other} % Used sometimes to turn off (effectively) the active characters even after % parsing them. \def\turnoffactive{% \normalturnoffactive \otherbackslash } \catcode`\@=0 % \backslashcurfont outputs one backslash character in current font, % as in \char`\\. \global\chardef\backslashcurfont=`\\ \global\let\rawbackslashxx=\backslashcurfont % let existing .??s files work % \realbackslash is an actual character `\' with catcode other, and % \doublebackslash is two of them (for the pdf outlines). {\catcode`\\=\other @gdef@realbackslash{\} @gdef@doublebackslash{\\}} % In texinfo, backslash is an active character; it prints the backslash % in fixed width font. \catcode`\\=\active @def@normalbackslash{{@tt@backslashcurfont}} % On startup, @fixbackslash assigns: % @let \ = @normalbackslash % \rawbackslash defines an active \ to do \backslashcurfont. % \otherbackslash defines an active \ to be a literal `\' character with % catcode other. @gdef@rawbackslash{@let\=@backslashcurfont} @gdef@otherbackslash{@let\=@realbackslash} % Same as @turnoffactive except outputs \ as {\tt\char`\\} instead of % the literal character `\'. % @def@normalturnoffactive{% @let\=@normalbackslash @let"=@normaldoublequote @let~=@normaltilde @let^=@normalcaret @let_=@normalunderscore @let|=@normalverticalbar @let<=@normalless @let>=@normalgreater @let+=@normalplus @let$=@normaldollar %$ font-lock fix @markupsetuplqdefault @markupsetuprqdefault @unsepspaces } % Make _ and + \other characters, temporarily. % This is canceled by @fixbackslash. @otherifyactive % If a .fmt file is being used, we don't want the `\input texinfo' to show up. % That is what \eatinput is for; after that, the `\' should revert to printing % a backslash. % @gdef@eatinput input texinfo{@fixbackslash} @global@let\ = @eatinput % On the other hand, perhaps the file did not have a `\input texinfo'. Then % the first `\' in the file would cause an error. This macro tries to fix % that, assuming it is called before the first `\' could plausibly occur. % Also turn back on active characters that might appear in the input % file name, in case not using a pre-dumped format. % @gdef@fixbackslash{% @ifx\@eatinput @let\ = @normalbackslash @fi @catcode`+=@active @catcode`@_=@active } % Say @foo, not \foo, in error messages. @escapechar = `@@ % These look ok in all fonts, so just make them not special. @catcode`@& = @other @catcode`@# = @other @catcode`@% = @other @c Finally, make ` and ' active, so that txicodequoteundirected and @c txicodequotebacktick work right in, e.g., @w{@code{`foo'}}. If we @c don't make ` and ' active, @code will not get them as active chars. @c Do this last of all since we use ` in the previous @catcode assignments. @catcode`@'=@active @catcode`@`=@active @markupsetuplqdefault @markupsetuprqdefault @c Local variables: @c eval: (add-hook 'write-file-hooks 'time-stamp) @c page-delimiter: "^\\\\message" @c time-stamp-start: "def\\\\texinfoversion{" @c time-stamp-format: "%:y-%02m-%02d.%02H" @c time-stamp-end: "}" @c End: @c vim:sw=2: @ignore arch-tag: e1b36e32-c96e-4135-a41a-0b2efa2ea115 @end ignore nettle-3.4.1/sha512-compress.c0000644000175000017500000001363413401564745015056 0ustar nissenisse/* sha512-compress.c The compression function of the sha512 hash function. Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA512_DEBUG # define SHA512_DEBUG 0 #endif #if SHA512_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8lx %8lx %8lx %8lx\n %8lx %8lx %8lx %8lx\n", \ i, A, B, C, D ,E, F, G, H) #else # define DEBUG(i) #endif #include #include #include #include "sha2.h" #include "macros.h" /* A block, treated as a sequence of 64-bit words. */ #define SHA512_DATA_LENGTH 16 /* For fat builds */ #if HAVE_NATIVE_sha512_compress void _nettle_sha512_compress_c (uint64_t *state, const uint8_t *input, const uint64_t *k); #define _nettle_sha512_compress _nettle_sha512_compress_c #endif /* The SHA512 functions. The Choice function is the same as the SHA1 function f1, and the majority function is the same as the SHA1 f3 function, and the same as for SHA256. */ #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) ) #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) #define S0(x) (ROTL64(36,(x)) ^ ROTL64(30,(x)) ^ ROTL64(25,(x))) #define S1(x) (ROTL64(50,(x)) ^ ROTL64(46,(x)) ^ ROTL64(23,(x))) #define s0(x) (ROTL64(63,(x)) ^ ROTL64(56,(x)) ^ ((x) >> 7)) #define s1(x) (ROTL64(45,(x)) ^ ROTL64(3,(x)) ^ ((x) >> 6)) /* The initial expanding function. The hash function is defined over an 64-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16] This implementation generates these values on the fly in a circular buffer. */ #define EXPAND(W,i) \ ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) ) /* The prototype SHA sub-round. The fundamental sub-round is: T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t] T2 = S0(a) + Majority(a,b,c) a' = T1+T2 b' = a c' = b d' = c e' = d + T1 f' = e g' = f h' = g but this is implemented by unrolling the loop 8 times and renaming the variables ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each iteration. This code is then replicated 8, using the next 8 values from the W[] array each time */ /* It's crucial that DATA is only used once, as that argument will * have side effects. */ #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \ h += S1(e) + Choice(e,f,g) + k + data; \ d += h; \ h += S0(a) + Majority(a,b,c); \ } while (0) void _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) { uint64_t data[SHA512_DATA_LENGTH]; uint64_t A, B, C, D, E, F, G, H; /* Local vars */ unsigned i; uint64_t *d; for (i = 0; i < SHA512_DATA_LENGTH; i++, input += 8) { data[i] = READ_UINT64(input); } /* Set up first buffer and local data buffer */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; F = state[5]; G = state[6]; H = state[7]; /* Heavy mangling */ /* First 16 subrounds that act on the original data */ DEBUG(-1); for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8) { ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[2], d[2]); ROUND(F, G, H, A, B, C, D, E, k[3], d[3]); ROUND(E, F, G, H, A, B, C, D, k[4], d[4]); ROUND(D, E, F, G, H, A, B, C, k[5], d[5]); ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7); } for (; i<80; i += 16, k+= 16) { ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2); ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14); ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15); } /* Update state */ state[0] += A; state[1] += B; state[2] += C; state[3] += D; state[4] += E; state[5] += F; state[6] += G; state[7] += H; #if SHA512_DEBUG fprintf(stderr, "99: %8lx %8lx %8lx %8lx\n %8lx %8lx %8lx %8lx\n", state[0], state[1], state[2], state[3], state[4], state[5], state[6], state[7]); #endif } nettle-3.4.1/camellia-crypt-internal.c0000644000175000017500000001267713401564745016750 0ustar nissenisse/* camellia-crypt-internal.c Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" #define CAMELLIA_FL(x, k) do { \ uint32_t __xl, __xr, __kl, __kr, __t; \ __xl = (x) >> 32; \ __xr = (x) & 0xffffffff; \ __kl = (k) >> 32; \ __kr = (k) & 0xffffffff; \ __t = __xl & __kl; \ __xr ^= ROTL32(1, __t); \ __xl ^= (__xr | __kr); \ (x) = ((uint64_t) __xl << 32) | __xr; \ } while (0) #define CAMELLIA_FLINV(x, k) do { \ uint32_t __xl, __xr, __kl, __kr, __t; \ __xl = (x) >> 32; \ __xr = (x) & 0xffffffff; \ __kl = (k) >> 32; \ __kr = (k) & 0xffffffff; \ __xl ^= (__xr | __kr); \ __t = __xl & __kl; \ __xr ^= ROTL32(1, __t); \ (x) = ((uint64_t) __xl << 32) | __xr; \ } while (0) #if HAVE_NATIVE_64_BIT #define CAMELLIA_ROUNDSM(T, x, k, y) do { \ uint32_t __il, __ir; \ __ir \ = T->sp1110[(x) & 0xff] \ ^ T->sp0222[((x) >> 24) & 0xff] \ ^ T->sp3033[((x) >> 16) & 0xff] \ ^ T->sp4404[((x) >> 8) & 0xff]; \ /* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \ __il \ = T->sp1110[ (x) >> 56] \ ^ T->sp0222[((x) >> 48) & 0xff] \ ^ T->sp3033[((x) >> 40) & 0xff] \ ^ T->sp4404[((x) >> 32) & 0xff]; \ /* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \ __ir ^= __il; \ /* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \ (t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \ == y1,y2,y3,y4 */ \ __il = ROTL32(24, __il); \ /* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \ __il ^= __ir; \ /* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \ (t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \ == y5,y6,y7,y8 */ \ y ^= (k); \ y ^= ((uint64_t) __ir << 32) | __il; \ } while (0) #else /* !HAVE_NATIVE_64_BIT */ #define CAMELLIA_ROUNDSM(T, x, k, y) do { \ uint32_t __il, __ir; \ __ir \ = T->sp1110[(x) & 0xff] \ ^ T->sp0222[((x) >> 24) & 0xff] \ ^ T->sp3033[((x) >> 16) & 0xff] \ ^ T->sp4404[((x) >> 8) & 0xff]; \ /* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \ __il \ = T->sp1110[ (x) >> 56] \ ^ T->sp0222[((x) >> 48) & 0xff] \ ^ T->sp3033[((x) >> 40) & 0xff] \ ^ T->sp4404[((x) >> 32) & 0xff]; \ /* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \ __il ^= (k) >> 32; \ __ir ^= (k) & 0xffffffff; \ __ir ^= __il; \ /* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \ (t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \ == y1,y2,y3,y4 */ \ __il = ROTL32(24, __il); \ /* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \ __il ^= __ir; \ /* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \ (t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \ == y5,y6,y7,y8 */ \ y ^= ((uint64_t) __ir << 32) | __il; \ } while (0) #endif void _camellia_crypt(unsigned nkeys, const uint64_t *keys, const struct camellia_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAMELLIA_BLOCK_SIZE) { uint64_t i0,i1; unsigned i; i0 = READ_UINT64(src); i1 = READ_UINT64(src + 8); /* pre whitening but absorb kw2*/ i0 ^= keys[0]; /* main iteration */ CAMELLIA_ROUNDSM(T, i0, keys[1], i1); CAMELLIA_ROUNDSM(T, i1, keys[2], i0); CAMELLIA_ROUNDSM(T, i0, keys[3], i1); CAMELLIA_ROUNDSM(T, i1, keys[4], i0); CAMELLIA_ROUNDSM(T, i0, keys[5], i1); CAMELLIA_ROUNDSM(T, i1, keys[6], i0); for (i = 0; i < nkeys - 8; i+= 8) { CAMELLIA_FL(i0, keys[i+7]); CAMELLIA_FLINV(i1, keys[i+8]); CAMELLIA_ROUNDSM(T, i0, keys[i+9], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+10], i0); CAMELLIA_ROUNDSM(T, i0, keys[i+11], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+12], i0); CAMELLIA_ROUNDSM(T, i0, keys[i+13], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+14], i0); } /* post whitening but kw4 */ i1 ^= keys[i+7]; WRITE_UINT64(dst , i1); WRITE_UINT64(dst + 8, i0); } } nettle-3.4.1/rsa-sha1-verify.c0000644000175000017500000000336313401564746015142 0ustar nissenisse/* rsa-sha1-verify.c Verifying signatures created with RSA and SHA1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_verify(const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha1_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha1_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.4.1/gcm-aes192.c0000644000175000017500000000400013401564745013755 0ustar nissenisse/* gcm-aes192.c Galois counter mode using AES192 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes192_set_encrypt_key, aes192_encrypt, key); } void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, aes192_encrypt, length, dst, src); } void gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, aes192_encrypt, length, dst, src); } void gcm_aes192_digest(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes192_encrypt, length, digest); } nettle-3.4.1/ecdsa-keygen.c0000644000175000017500000000336513401564746014562 0ustar nissenisse/* ecdsa-keygen.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random) { TMP_DECL(p, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); const struct ecc_curve *ecc = pub->ecc; mp_size_t itch = 3*ecc->p.size + ecc->mul_g_itch; assert (key->ecc == ecc); TMP_ALLOC (p, itch); ecc_mod_random (&ecc->q, key->p, random_ctx, random, p); ecc->mul_g (ecc, p, key->p, p + 3*ecc->p.size); ecc->h_to_a (ecc, 0, pub->p, p, p + 3*ecc->p.size); } nettle-3.4.1/der-iterator.c0000644000175000017500000001576213401564746014630 0ustar nissenisse/* der-iterator.c Parsing of ASN.1 DER encoded objects. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "bignum.h" #include "asn1.h" #include "macros.h" /* Basic DER syntax: (reference: A Layman's Guide to a Subset of ASN.1, BER, and DER, http://luca.ntop.org/Teaching/Appunti/asn1.html) The DER header contains a tag and a length. First, the tag. cls is the class number, c is one if the object is "constructed" and zero if it is primitive. The tag is represented either using a single byte, 7 6 5 4 3 2 1 0 _____________________ |_cls_|_c_|_______tag_| 0 <= tag <= 30 or multiple bytes 7 6 5 4 3 2 1 0 _____________________ |_cls_|_c_|_1_1_1_1_1_| followed by the real tag number, in base 128, with all but the final byte having the most significant bit set. The tag must be represented with as few bytes as possible. High tag numbers are currently *not* supported. Next, the length, either a single byte with the most significant bit clear, or 7 6 5 4 3 2 1 0 _________________ |_1_|___________k_| followed by k additional bytes that give the length, in network byte order. The length must be encoded using as few bytes as possible, and k = 0 is reserved for the "indefinite length form" which is not supported. After the length comes the contets. For primitive objects (c == 0), it's depends on the type. For constructed objects, it's a concatenation of the DER encodings of zero or more other objects. */ enum { TAG_MASK = 0x1f, CLASS_MASK = 0xc0, CONSTRUCTED_MASK = 0x20, }; /* Initializes the iterator, but one has to call next to get to the * first element. */ static void asn1_der_iterator_init(struct asn1_der_iterator *iterator, size_t length, const uint8_t *input) { iterator->buffer_length = length; iterator->buffer = input; iterator->pos = 0; iterator->type = 0; iterator->length = 0; iterator->data = NULL; } #define LEFT(i) ((i)->buffer_length - (i)->pos) #define NEXT(i) ((i)->buffer[(i)->pos++]) /* Gets type and length of the next object. */ enum asn1_iterator_result asn1_der_iterator_next(struct asn1_der_iterator *i) { uint8_t tag; if (!LEFT(i)) return ASN1_ITERATOR_END; tag = NEXT(i); if (!LEFT(i)) return ASN1_ITERATOR_ERROR; if ( (tag & TAG_MASK) == TAG_MASK) { /* FIXME: Long tags not supported */ return ASN1_ITERATOR_ERROR; } i->length = NEXT(i); if (i->length & 0x80) { unsigned k = i->length & 0x7f; unsigned j; const uint8_t *data = i->buffer + i->pos; if (k == 0) /* Indefinite encoding. Not supported. */ return ASN1_ITERATOR_ERROR; if (LEFT(i) < k) return ASN1_ITERATOR_ERROR; if (k > sizeof(i->length)) return ASN1_ITERATOR_ERROR; i->pos += k; i->length = data[0]; if (i->length == 0 || (k == 1 && i->length < 0x80)) return ASN1_ITERATOR_ERROR; for (j = 1; j < k; j++) i->length = (i->length << 8) | data[j]; } if (LEFT(i) < i->length) return ASN1_ITERATOR_ERROR; i->data = i->buffer + i->pos; i->pos += i->length; i->type = tag & TAG_MASK; i->type |= (tag & CLASS_MASK) << (ASN1_CLASS_SHIFT - 6); if (tag & CONSTRUCTED_MASK) { i->type |= ASN1_TYPE_CONSTRUCTED; return ASN1_ITERATOR_CONSTRUCTED; } else return ASN1_ITERATOR_PRIMITIVE; } enum asn1_iterator_result asn1_der_iterator_first(struct asn1_der_iterator *i, size_t length, const uint8_t *input) { asn1_der_iterator_init(i, length, input); return asn1_der_iterator_next(i); } enum asn1_iterator_result asn1_der_decode_constructed(struct asn1_der_iterator *i, struct asn1_der_iterator *contents) { assert(i->type & ASN1_TYPE_CONSTRUCTED); return asn1_der_iterator_first(contents, i->length, i->data); } enum asn1_iterator_result asn1_der_decode_constructed_last(struct asn1_der_iterator *i) { if (LEFT(i) > 0) return ASN1_ITERATOR_ERROR; return asn1_der_decode_constructed(i, i); } /* Decoding a DER object which is wrapped in a bit string. */ enum asn1_iterator_result asn1_der_decode_bitstring(struct asn1_der_iterator *i, struct asn1_der_iterator *contents) { assert(i->type == ASN1_BITSTRING); /* First byte is the number of padding bits, which must be zero. */ if (i->length == 0 || i->data[0] != 0) return ASN1_ITERATOR_ERROR; return asn1_der_iterator_first(contents, i->length - 1, i->data + 1); } enum asn1_iterator_result asn1_der_decode_bitstring_last(struct asn1_der_iterator *i) { if (LEFT(i) > 0) return ASN1_ITERATOR_ERROR; return asn1_der_decode_bitstring(i, i); } int asn1_der_get_uint32(struct asn1_der_iterator *i, uint32_t *x) { /* Big endian, two's complement, minimum number of octets (except 0, which is encoded as a single octet */ uint32_t value = 0; size_t length = i->length; unsigned k; if (!length || length > 5) return 0; if (i->data[length - 1] >= 0x80) /* Signed number */ return 0; if (length > 1 && i->data[length -1] == 0 && i->data[length -2] < 0x80) /* Non-minimal number of digits */ return 0; if (length == 5) { if (i->data[4]) return 0; length--; } for (value = k = 0; k < length; k++) value = (value << 8) | i->data[k]; *x = value; return 1; } /* NOTE: This is the only function in this file which needs bignums. One could split this file in two, one in libnettle and one in libhogweed. */ int asn1_der_get_bignum(struct asn1_der_iterator *i, mpz_t x, unsigned max_bits) { if (i->length > 1 && ((i->data[0] == 0 && i->data[1] < 0x80) || (i->data[0] == 0xff && i->data[1] >= 0x80))) /* Non-minimal number of digits */ return 0; /* Allow some extra here, for leading sign octets. */ if (max_bits && (8 * i->length > (16 + max_bits))) return 0; nettle_mpz_set_str_256_s(x, i->length, i->data); /* FIXME: How to interpret a max_bits for negative numbers? */ if (max_bits && mpz_sizeinbase(x, 2) > max_bits) return 0; return 1; } nettle-3.4.1/knuth-lfib.c0000644000175000017500000001001313401564745014251 0ustar nissenisse/* knuth-lfib.c The "lagged fibonacci" pseudorandomness generator, described in Knuth, TAoCP, 3.6 Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file includes code copied verbatim from Knuth's TAoCP. Technically, doing that probably requires asking for the author's explicit permission. I'd expect such a request to be granted, but I haven't asked, because I don't want to distract him from more important and interesting work. */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but * random-looking test data, and is used by the Nettle testsuite. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "knuth-lfib.h" #include "macros.h" #define KK _KNUTH_LFIB_KK #define LL 37 #define MM (1UL << 30) #define TT 70 void knuth_lfib_init(struct knuth_lfib_ctx *ctx, uint32_t seed) { uint32_t t,j; uint32_t x[2*KK - 1]; uint32_t ss = (seed + 2) & (MM-2); for (j = 0; j= MM) ss -= (MM-2); } for (;j< 2*KK-1; j++) x[j] = 0; x[1]++; ss = seed & (MM-1); for (t = TT-1; t; ) { for (j = KK-1; j>0; j--) x[j+j] = x[j]; for (j = 2*KK-2; j > KK-LL; j-= 2) x[2*KK-1-j] = x[j] & ~1; for (j = 2*KK-2; j>=KK; j--) if (x[j] & 1) { x[j-(KK-LL)] = (x[j - (KK-LL)] - x[j]) & (MM-1); x[j-KK] = (x[j-KK] - x[j]) & (MM-1); } if (ss & 1) { for (j=KK; j>0; j--) x[j] = x[j-1]; x[0] = x[KK]; if (x[KK] & 1) x[LL] = (x[LL] - x[KK]) & (MM-1); } if (ss) ss >>= 1; else t--; } for (j=0; jx[j+KK-LL] = x[j]; for (; jx[j-LL] = x[j]; ctx->index = 0; } /* Get's a single number in the range 0 ... 2^30-1 */ uint32_t knuth_lfib_get(struct knuth_lfib_ctx *ctx) { uint32_t value; assert(ctx->index < KK); value = ctx->x[ctx->index]; ctx->x[ctx->index] -= ctx->x[(ctx->index + KK - LL) % KK]; ctx->x[ctx->index] &= (MM-1); ctx->index = (ctx->index + 1) % KK; return value; } /* NOTE: Not at all optimized. */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, size_t n, uint32_t *a) { unsigned i; for (i = 0; i= 3; n-=3, dst += 3) { uint32_t value = knuth_lfib_get(ctx); /* Xor the most significant octet (containing 6 significant bits) * into the lower octet. */ value ^= (value >> 24); WRITE_UINT24(dst, value); } if (n) { /* We need one or two octets more */ uint32_t value = knuth_lfib_get(ctx); switch (n) { case 1: *dst++ = value & 0xff; break; case 2: WRITE_UINT16(dst, value); break; default: abort(); } } } nettle-3.4.1/eax-aes128-meta.c0000644000175000017500000000341013401564745014713 0ustar nissenisse/* eax-aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eax.h" #include "nettle-meta.h" static nettle_set_key_func eax_aes128_set_nonce_wrapper; static void eax_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { eax_aes128_set_nonce (ctx, EAX_IV_SIZE, nonce); } const struct nettle_aead nettle_eax_aes128 = { "eax_aes128", sizeof(struct eax_aes128_ctx), EAX_BLOCK_SIZE, AES128_KEY_SIZE, EAX_IV_SIZE, EAX_DIGEST_SIZE, (nettle_set_key_func *) eax_aes128_set_key, (nettle_set_key_func *) eax_aes128_set_key, eax_aes128_set_nonce_wrapper, (nettle_hash_update_func *) eax_aes128_update, (nettle_crypt_func *) eax_aes128_encrypt, (nettle_crypt_func *) eax_aes128_decrypt, (nettle_hash_digest_func *) eax_aes128_digest }; nettle-3.4.1/pbkdf2-hmac-sha1.c0000644000175000017500000000300513401564745015121 0ustar nissenisse/* pbkdf2-hmac-sha1.c PKCS #5 PBKDF2 used with HMAC-SHA1, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha1_ctx sha1ctx; hmac_sha1_set_key (&sha1ctx, key_length, key); PBKDF2 (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-3.4.1/fat-setup.h0000644000175000017500000001407613401564746014141 0ustar nissenisse/* fat-setup.h Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Fat library initialization works as follows. The main function is fat_init. We try to do initialization only once, but since it is idempotent, there's no harm if it is in some cases called multiple times from several threads. For correctness, we rely on atomic writes, but not on memory barriers or any other synchronization mechanism. The fat_init function checks the cpuid flags, and sets function pointers, e.g, _nettle_aes_encrypt_vec, to point to the appropriate implementation. To get everything hooked in, we use a belt-and-suspenders approach. We try to register fat_init as a constructor function to be called at load time. If this is unavailable or non-working, we instead arrange fat_init to be called lazily. For the actual indirection, there are two cases. * If ifunc support is available, function pointers are statically initialized to NULL, and we register resolver functions, e.g., _nettle_aes_encrypt_resolve, which call fat_init, and then return the function pointer, e.g., the value of _nettle_aes_encrypt_vec. * If ifunc is not available, we have to define a wrapper function to jump via the function pointer. (FIXME: For internal calls, we could do this as a macro). We statically initialize each function pointer to point to a special initialization function, e.g., _nettle_aes_encrypt_init, which calls fat_init, and then invokes the right function. This way, all pointers are setup correctly at the first call to any fat function. And atomic writes are required for correctness in the case that several threads do "first call to any fat function" at the same time. */ #if HAVE_GCC_ATTRIBUTE # define CONSTRUCTOR __attribute__ ((constructor)) #else # define CONSTRUCTOR # if defined (__sun) # pragma init(fat_init) # endif #endif /* Disable use of ifunc for now. Problem is, there's no guarantee that one can call any libc functions from the ifunc resolver. On x86 and x86_64, the corresponding IRELATIVE relocs are supposed to be processed last, but that doesn't seem to happen, and its a platform-specific feature. To trigger problems, simply try dlopen ("libnettle.so", RTLD_NOW), which crashes in an uninitialized plt entry. */ #undef HAVE_LINK_IFUNC #if !HAVE_SECURE_GETENV #define secure_getenv(s) NULL #endif #define ENV_VERBOSE "NETTLE_FAT_VERBOSE" #define ENV_OVERRIDE "NETTLE_FAT_OVERRIDE" /* DECLARE_FAT_FUNC(name, ftype) * * name is the public function, e.g., _nettle_aes_encrypt. * ftype is its type, e.g., aes_crypt_internal_func. * * DECLARE_FAT_VAR(name, type, var) * * name is name without _nettle prefix. * type is its type. * var is the variant, used as a suffix on the symbol name. * * DEFINE_FAT_FUNC(name, rtype, prototype, args) * * name is the public function. * rtype its return type. * prototype is the list of formal arguments, with types. * args contain the argument list without any types. */ #if HAVE_LINK_IFUNC #define IFUNC(resolve) __attribute__ ((ifunc (resolve))) #define DECLARE_FAT_FUNC(name, ftype) \ ftype name IFUNC(#name"_resolve"); \ static ftype *name##_vec = NULL; #define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ static void_func * name##_resolve(void) \ { \ if (getenv (ENV_VERBOSE)) \ fprintf (stderr, "libnettle: "#name"_resolve\n"); \ if (!name##_vec) \ fat_init(); \ return (void_func *) name##_vec; \ } #else /* !HAVE_LINK_IFUNC */ #define DECLARE_FAT_FUNC(name, ftype) \ ftype name; \ static ftype name##_init; \ static ftype *name##_vec = name##_init; #define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ rtype name prototype \ { \ return name##_vec args; \ } \ static rtype name##_init prototype { \ if (getenv (ENV_VERBOSE)) \ fprintf (stderr, "libnettle: "#name"_init\n"); \ if (name##_vec == name##_init) \ fat_init(); \ assert (name##_vec != name##_init); \ return name##_vec args; \ } #endif /* !HAVE_LINK_IFUNC */ #define DECLARE_FAT_FUNC_VAR(name, type, var) \ type _nettle_##name##_##var; typedef void void_func (void); typedef void aes_crypt_internal_func (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); typedef void *(memxor_func)(void *dst, const void *src, size_t n); typedef void salsa20_core_func (uint32_t *dst, const uint32_t *src, unsigned rounds); typedef void sha1_compress_func(uint32_t *state, const uint8_t *input); typedef void sha256_compress_func(uint32_t *state, const uint8_t *input, const uint32_t *k); struct sha3_state; typedef void sha3_permute_func (struct sha3_state *state); typedef void sha512_compress_func (uint64_t *state, const uint8_t *input, const uint64_t *k); typedef uint64_t umac_nh_func (const uint32_t *key, unsigned length, const uint8_t *msg); typedef void umac_nh_n_func (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); nettle-3.4.1/umac.h0000644000175000017500000001575713401564746013165 0ustar nissenisse/* umac.h UMAC message authentication code (RFC-4418). Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_UMAC_H_INCLUDED #define NETTLE_UMAC_H_INCLUDED #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define umac32_set_key nettle_umac32_set_key #define umac64_set_key nettle_umac64_set_key #define umac96_set_key nettle_umac96_set_key #define umac128_set_key nettle_umac128_set_key #define umac32_set_nonce nettle_umac32_set_nonce #define umac64_set_nonce nettle_umac64_set_nonce #define umac96_set_nonce nettle_umac96_set_nonce #define umac128_set_nonce nettle_umac128_set_nonce #define umac32_update nettle_umac32_update #define umac64_update nettle_umac64_update #define umac96_update nettle_umac96_update #define umac128_update nettle_umac128_update #define umac32_digest nettle_umac32_digest #define umac64_digest nettle_umac64_digest #define umac96_digest nettle_umac96_digest #define umac128_digest nettle_umac128_digest #define _umac_set_key _nettle_umac_set_key #define _umac_nh _nettle_umac_nh #define _umac_nh_n _nettle_umac_nh_n #define _umac_poly64 _nettle_umac_poly64 #define _umac_poly128 _nettle_umac_poly128 #define _umac_l2_init _nettle_umac_l2_init #define _umac_l2 _nettle_umac_l2 #define _umac_l2_final _nettle_umac_l2_final #define _umac_l3_init _nettle_umac_l3_init #define _umac_l3 _nettle_umac_l3 #include "nettle-types.h" #include "aes.h" #define UMAC_KEY_SIZE AES128_KEY_SIZE #define UMAC32_DIGEST_SIZE 4 #define UMAC64_DIGEST_SIZE 8 #define UMAC96_DIGEST_SIZE 12 #define UMAC128_DIGEST_SIZE 16 #define UMAC_BLOCK_SIZE 1024 #define UMAC_MIN_NONCE_SIZE 1 #define UMAC_MAX_NONCE_SIZE AES_BLOCK_SIZE /* For backwards compatibility */ #define UMAC_DATA_SIZE UMAC_BLOCK_SIZE /* Subkeys and state for UMAC with tag size 32*n bits. */ #define _UMAC_STATE(n) \ uint32_t l1_key[UMAC_BLOCK_SIZE/4 + 4*((n)-1)]; \ /* Keys in 32-bit pieces, high first */ \ uint32_t l2_key[6*(n)]; \ uint64_t l3_key1[8*(n)]; \ uint32_t l3_key2[(n)]; \ /* AES cipher for encrypting the nonce */ \ struct aes128_ctx pdf_key; \ /* The l2_state consists of 2*n uint64_t, for poly64 \ and poly128 hashing, followed by n additional \ uint64_t used as an input buffer. */ \ uint64_t l2_state[3*(n)]; \ /* Input to the pdf_key, zero-padded and low bits \ cleared if appropriate. */ \ uint8_t nonce[AES_BLOCK_SIZE]; \ unsigned short nonce_length /* For incrementing */ /* Buffering */ #define _UMAC_BUFFER \ unsigned index; \ /* Complete blocks processed */ \ uint64_t count; \ uint8_t block[UMAC_BLOCK_SIZE] #define _UMAC_NONCE_CACHED 0x80 struct umac32_ctx { _UMAC_STATE(1); /* Low bits and cache flag. */ unsigned short nonce_low; /* Previous padding block */ uint32_t pad_cache[AES_BLOCK_SIZE / 4]; _UMAC_BUFFER; }; struct umac64_ctx { _UMAC_STATE(2); /* Low bit and cache flag. */ unsigned short nonce_low; /* Previous padding block */ uint32_t pad_cache[AES_BLOCK_SIZE/4]; _UMAC_BUFFER; }; struct umac96_ctx { _UMAC_STATE(3); _UMAC_BUFFER; }; struct umac128_ctx { _UMAC_STATE(4); _UMAC_BUFFER; }; /* The _set_key function initialize the nonce to zero. */ void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key); void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key); void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key); void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key); /* Optional, if not used, messages get incrementing nonces starting from zero. */ void umac32_set_nonce (struct umac32_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac64_set_nonce (struct umac64_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac96_set_nonce (struct umac96_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac128_set_nonce (struct umac128_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data); void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data); void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data); void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data); /* The _digest functions increment the nonce */ void umac32_digest (struct umac32_ctx *ctx, size_t length, uint8_t *digest); void umac64_digest (struct umac64_ctx *ctx, size_t length, uint8_t *digest); void umac96_digest (struct umac96_ctx *ctx, size_t length, uint8_t *digest); void umac128_digest (struct umac128_ctx *ctx, size_t length, uint8_t *digest); /* Internal functions */ #define UMAC_POLY64_BLOCKS 16384 #define UMAC_P64_OFFSET 59 #define UMAC_P64 (- (uint64_t) UMAC_P64_OFFSET) #define UMAC_P128_OFFSET 159 #define UMAC_P128_HI (~(uint64_t) 0) #define UMAC_P128_LO (-(uint64_t) UMAC_P128_OFFSET) void _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, struct aes128_ctx *pad, const uint8_t *key, unsigned n); uint64_t _umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg); /* Equivalent to for (i = 0; i < n; i++) out[i] = _umac_nh (key + 4*i, length, msg); but processing input only once. */ void _umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); /* Returns y*k + m (mod p), including "marker" processing. Return value is *not* in canonical representation, and must be normalized before the output is used. */ uint64_t _umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m); void _umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml); void _umac_l2_init (unsigned size, uint32_t *k); void _umac_l2(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count, const uint64_t *m); void _umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count); void _umac_l3_init (unsigned size, uint64_t *k); uint32_t _umac_l3 (const uint64_t *key, const uint64_t *m); #ifdef __cplusplus } #endif #endif /* NETTLE_UMAC_H_INCLUDED */ nettle-3.4.1/aes-set-encrypt-key.c0000644000175000017500000000342613401564745016031 0ustar nissenisse/* aes-set-encrypt-key.c Key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "aes-internal.h" void aes_set_encrypt_key(struct aes_ctx *ctx, size_t keysize, const uint8_t *key) { unsigned nk, nr; assert(keysize >= AES_MIN_KEY_SIZE); assert(keysize <= AES_MAX_KEY_SIZE); /* Truncate keysizes to the valid key sizes provided by Rijndael */ if (keysize == AES256_KEY_SIZE) { nk = 8; nr = _AES256_ROUNDS; } else if (keysize >= AES192_KEY_SIZE) { nk = 6; nr = _AES192_ROUNDS; } else { /* must be 16 or more */ nk = 4; nr = _AES128_ROUNDS; } ctx->rounds = nr; _aes_set_key (nr, nk, ctx->keys, key); } nettle-3.4.1/libhogweed.map.in0000644000175000017500000000052213401564746015264 0ustar nissenisse# libhogweed.map -- libhogweed linker version script. -*- ld-script -*- # # The symbol version must be updated on every hogweed # library major number change. That is taken care by # auto-generating the file. HOGWEED_@LIBHOGWEED_MAJOR@ { global: nettle_*; _nettle_*; @HOGWEED_EXTRA_SYMBOLS@ local: *; }; nettle-3.4.1/ripemd160.h0000644000175000017500000000437113401564746013735 0ustar nissenisse/* ripemd160.h RIPEMD-160 hash function. Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RIPEMD160_H_INCLUDED #define NETTLE_RIPEMD160_H_INCLUDED #ifdef __cplusplus extern "C" { #endif #include "nettle-types.h" /* Name mangling */ #define ripemd160_init nettle_ripemd160_init #define ripemd160_update nettle_ripemd160_update #define ripemd160_digest nettle_ripemd160_digest /* RIPEMD160 */ #define RIPEMD160_DIGEST_SIZE 20 #define RIPEMD160_BLOCK_SIZE 64 /* For backwards compatibility */ #define RIPEMD160_DATA_SIZE RIPEMD160_BLOCK_SIZE /* Digest is kept internally as 5 32-bit words. */ #define _RIPEMD160_DIGEST_LENGTH 5 struct ripemd160_ctx { uint32_t state[_RIPEMD160_DIGEST_LENGTH]; uint64_t count; /* 64-bit block count */ uint8_t block[RIPEMD160_BLOCK_SIZE]; unsigned int index; }; void ripemd160_init(struct ripemd160_ctx *ctx); void ripemd160_update(struct ripemd160_ctx *ctx, size_t length, const uint8_t *data); void ripemd160_digest(struct ripemd160_ctx *ctx, size_t length, uint8_t *digest); /* Internal compression function. STATE points to 5 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void _nettle_ripemd160_compress(uint32_t *state, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_RIPEMD160_H_INCLUDED */ nettle-3.4.1/ecc.h0000644000175000017500000001127213401564746012756 0ustar nissenisse/* ecc.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_H_INCLUDED #define NETTLE_ECC_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ecc_point_init nettle_ecc_point_init #define ecc_point_clear nettle_ecc_point_clear #define ecc_point_set nettle_ecc_point_set #define ecc_point_get nettle_ecc_point_get #define ecc_point_mul nettle_ecc_point_mul #define ecc_point_mul_g nettle_ecc_point_mul_g #define ecc_scalar_init nettle_ecc_scalar_init #define ecc_scalar_clear nettle_ecc_scalar_clear #define ecc_scalar_set nettle_ecc_scalar_set #define ecc_scalar_get nettle_ecc_scalar_get #define ecc_scalar_random nettle_ecc_scalar_random #define ecc_point_mul nettle_ecc_point_mul #define ecc_bit_size nettle_ecc_bit_size #define ecc_size nettle_ecc_size #define ecc_size_a nettle_ecc_size_a #define ecc_size_j nettle_ecc_size_j struct ecc_curve; /* High level interface, for ECDSA, DH, etc */ /* Represents a point on the ECC curve */ struct ecc_point { const struct ecc_curve *ecc; /* Allocated using the same allocation function as GMP. */ mp_limb_t *p; }; /* Represents a non-zero scalar, an element of Z_q^*, where q is the group order of the curve. */ struct ecc_scalar { const struct ecc_curve *ecc; /* Allocated using the same allocation function as GMP. */ mp_limb_t *p; }; void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc); void ecc_point_clear (struct ecc_point *p); /* Fails and returns zero if the point is not on the curve. */ int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y); void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y); void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc); void ecc_scalar_clear (struct ecc_scalar *s); /* Fails and returns zero if the scalar is not in the proper range. */ int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z); void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z); /* Generates a random scalar, suitable as an ECDSA private key or a ECDH exponent. */ void ecc_scalar_random (struct ecc_scalar *s, void *random_ctx, nettle_random_func *random); /* Computes r = n p */ void ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, const struct ecc_point *p); /* Computes r = n g */ void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n); /* Low-level interface */ /* Points on a curve are represented as arrays of mp_limb_t, with curve-specific representation. For the secp curves, we use Jacobian coordinates (possibly in Montgomery form for mod multiplication). For curve25519 we use homogeneous coordinates on an equivalent Edwards curve. The suffix "_h" denotes this internal representation. Since we use additive notation for the groups, the infinity point on the curve is denoted 0. The infinity point can be represented with x = y = 0 in affine coordinates, and Z = 0 in Jacobian coordinates. However, note that most of the ECC functions do *not* support infinity as an input or output. */ /* Returns the bit size of a single coordinate (and of the prime p). */ unsigned ecc_bit_size (const struct ecc_curve *ecc); /* Returns the size of a single coordinate. */ mp_size_t ecc_size (const struct ecc_curve *ecc); /* Size of a point, using affine coordinates x, y. */ mp_size_t ecc_size_a (const struct ecc_curve *ecc); /* Size of a point, using jacobian coordinates X, Y and Z. */ mp_size_t ecc_size_j (const struct ecc_curve *ecc); /* FIXME: Define a generic ecc_dup, ecc_add, for any type of curve. Do they need to handle infinity points? */ #ifdef __cplusplus } #endif #endif /* NETTLE_ECC_H_INCLUDED */ nettle-3.4.1/gcm.c0000644000175000017500000003571113401564745012770 0ustar nissenisse/* gcm.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. Copyright (C) 2011, 2013 Niels Möller Copyright (C) 2011 Katholieke Universiteit Leuven Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "gcm.h" #include "memxor.h" #include "nettle-internal.h" #include "macros.h" #define GHASH_POLYNOMIAL 0xE1UL static void gcm_gf_add (union nettle_block16 *r, const union nettle_block16 *x, const union nettle_block16 *y) { r->w[0] = x->w[0] ^ y->w[0]; r->w[1] = x->w[1] ^ y->w[1]; #if SIZEOF_LONG == 4 r->w[2] = x->w[2] ^ y->w[2]; r->w[3] = x->w[3] ^ y->w[3]; #endif } /* Multiplication by 010...0; a big-endian shift right. If the bit shifted out is one, the defining polynomial is added to cancel it out. r == x is allowed. */ static void gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) { long mask; /* Shift uses big-endian representation. */ #if WORDS_BIGENDIAN # if SIZEOF_LONG == 4 mask = - (x->w[3] & 1); r->w[3] = (x->w[3] >> 1) | ((x->w[2] & 1) << 31); r->w[2] = (x->w[2] >> 1) | ((x->w[1] & 1) << 31); r->w[1] = (x->w[1] >> 1) | ((x->w[0] & 1) << 31); r->w[0] = (x->w[0] >> 1) ^ (mask & (GHASH_POLYNOMIAL << 24)); # elif SIZEOF_LONG == 8 mask = - (x->w[1] & 1); r->w[1] = (x->w[1] >> 1) | ((x->w[0] & 1) << 63); r->w[0] = (x->w[0] >> 1) ^ (mask & (GHASH_POLYNOMIAL << 56)); # else # error Unsupported word size. */ #endif #else /* ! WORDS_BIGENDIAN */ # if SIZEOF_LONG == 4 #define RSHIFT_WORD(x) \ ((((x) & 0xfefefefeUL) >> 1) \ | (((x) & 0x00010101) << 15)) mask = - ((x->w[3] >> 24) & 1); r->w[3] = RSHIFT_WORD(x->w[3]) | ((x->w[2] >> 17) & 0x80); r->w[2] = RSHIFT_WORD(x->w[2]) | ((x->w[1] >> 17) & 0x80); r->w[1] = RSHIFT_WORD(x->w[1]) | ((x->w[0] >> 17) & 0x80); r->w[0] = RSHIFT_WORD(x->w[0]) ^ (mask & GHASH_POLYNOMIAL); # elif SIZEOF_LONG == 8 #define RSHIFT_WORD(x) \ ((((x) & 0xfefefefefefefefeUL) >> 1) \ | (((x) & 0x0001010101010101UL) << 15)) mask = - ((x->w[1] >> 56) & 1); r->w[1] = RSHIFT_WORD(x->w[1]) | ((x->w[0] >> 49) & 0x80); r->w[0] = RSHIFT_WORD(x->w[0]) ^ (mask & GHASH_POLYNOMIAL); # else # error Unsupported word size. */ # endif # undef RSHIFT_WORD #endif /* ! WORDS_BIGENDIAN */ } #if GCM_TABLE_BITS == 0 /* Sets x <- x * y mod r, using the plain bitwise algorithm from the specification. y may be shorter than a full block, missing bytes are assumed zero. */ static void gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *y) { union nettle_block16 V; union nettle_block16 Z; unsigned i; memcpy(V.b, x, sizeof(V)); memset(Z.b, 0, sizeof(Z)); for (i = 0; i < GCM_BLOCK_SIZE; i++) { uint8_t b = y->b[i]; unsigned j; for (j = 0; j < 8; j++, b <<= 1) { if (b & 0x80) gcm_gf_add(&Z, &Z, &V); gcm_gf_shift(&V, &V); } } memcpy (x->b, Z.b, sizeof(Z)); } #else /* GCM_TABLE_BITS != 0 */ # if WORDS_BIGENDIAN # define W(left,right) (0x##left##right) # else # define W(left,right) (0x##right##left) # endif # if GCM_TABLE_BITS == 4 static const uint16_t shift_table[0x10] = { W(00,00),W(1c,20),W(38,40),W(24,60),W(70,80),W(6c,a0),W(48,c0),W(54,e0), W(e1,00),W(fd,20),W(d9,40),W(c5,60),W(91,80),W(8d,a0),W(a9,c0),W(b5,e0), }; static void gcm_gf_shift_4(union nettle_block16 *x) { unsigned long *w = x->w; unsigned long reduce; /* Shift uses big-endian representation. */ #if WORDS_BIGENDIAN # if SIZEOF_LONG == 4 reduce = shift_table[w[3] & 0xf]; w[3] = (w[3] >> 4) | ((w[2] & 0xf) << 28); w[2] = (w[2] >> 4) | ((w[1] & 0xf) << 28); w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 28); w[0] = (w[0] >> 4) ^ (reduce << 16); # elif SIZEOF_LONG == 8 reduce = shift_table[w[1] & 0xf]; w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 60); w[0] = (w[0] >> 4) ^ (reduce << 48); # else # error Unsupported word size. */ #endif #else /* ! WORDS_BIGENDIAN */ # if SIZEOF_LONG == 4 #define RSHIFT_WORD(x) \ ((((x) & 0xf0f0f0f0UL) >> 4) \ | (((x) & 0x000f0f0f) << 12)) reduce = shift_table[(w[3] >> 24) & 0xf]; w[3] = RSHIFT_WORD(w[3]) | ((w[2] >> 20) & 0xf0); w[2] = RSHIFT_WORD(w[2]) | ((w[1] >> 20) & 0xf0); w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 20) & 0xf0); w[0] = RSHIFT_WORD(w[0]) ^ reduce; # elif SIZEOF_LONG == 8 #define RSHIFT_WORD(x) \ ((((x) & 0xf0f0f0f0f0f0f0f0UL) >> 4) \ | (((x) & 0x000f0f0f0f0f0f0fUL) << 12)) reduce = shift_table[(w[1] >> 56) & 0xf]; w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 52) & 0xf0); w[0] = RSHIFT_WORD(w[0]) ^ reduce; # else # error Unsupported word size. */ # endif # undef RSHIFT_WORD #endif /* ! WORDS_BIGENDIAN */ } static void gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) { union nettle_block16 Z; unsigned i; memset(Z.b, 0, sizeof(Z)); for (i = GCM_BLOCK_SIZE; i-- > 0;) { uint8_t b = x->b[i]; gcm_gf_shift_4(&Z); gcm_gf_add(&Z, &Z, &table[b & 0xf]); gcm_gf_shift_4(&Z); gcm_gf_add(&Z, &Z, &table[b >> 4]); } memcpy (x->b, Z.b, sizeof(Z)); } # elif GCM_TABLE_BITS == 8 # if HAVE_NATIVE_gcm_hash8 #define gcm_hash _nettle_gcm_hash8 void _nettle_gcm_hash8 (const struct gcm_key *key, union nettle_block16 *x, size_t length, const uint8_t *data); # else /* !HAVE_NATIVE_gcm_hash8 */ static const uint16_t shift_table[0x100] = { W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e), W(0e,10),W(0f,d2),W(0d,94),W(0c,56),W(09,18),W(08,da),W(0a,9c),W(0b,5e), W(1c,20),W(1d,e2),W(1f,a4),W(1e,66),W(1b,28),W(1a,ea),W(18,ac),W(19,6e), W(12,30),W(13,f2),W(11,b4),W(10,76),W(15,38),W(14,fa),W(16,bc),W(17,7e), W(38,40),W(39,82),W(3b,c4),W(3a,06),W(3f,48),W(3e,8a),W(3c,cc),W(3d,0e), W(36,50),W(37,92),W(35,d4),W(34,16),W(31,58),W(30,9a),W(32,dc),W(33,1e), W(24,60),W(25,a2),W(27,e4),W(26,26),W(23,68),W(22,aa),W(20,ec),W(21,2e), W(2a,70),W(2b,b2),W(29,f4),W(28,36),W(2d,78),W(2c,ba),W(2e,fc),W(2f,3e), W(70,80),W(71,42),W(73,04),W(72,c6),W(77,88),W(76,4a),W(74,0c),W(75,ce), W(7e,90),W(7f,52),W(7d,14),W(7c,d6),W(79,98),W(78,5a),W(7a,1c),W(7b,de), W(6c,a0),W(6d,62),W(6f,24),W(6e,e6),W(6b,a8),W(6a,6a),W(68,2c),W(69,ee), W(62,b0),W(63,72),W(61,34),W(60,f6),W(65,b8),W(64,7a),W(66,3c),W(67,fe), W(48,c0),W(49,02),W(4b,44),W(4a,86),W(4f,c8),W(4e,0a),W(4c,4c),W(4d,8e), W(46,d0),W(47,12),W(45,54),W(44,96),W(41,d8),W(40,1a),W(42,5c),W(43,9e), W(54,e0),W(55,22),W(57,64),W(56,a6),W(53,e8),W(52,2a),W(50,6c),W(51,ae), W(5a,f0),W(5b,32),W(59,74),W(58,b6),W(5d,f8),W(5c,3a),W(5e,7c),W(5f,be), W(e1,00),W(e0,c2),W(e2,84),W(e3,46),W(e6,08),W(e7,ca),W(e5,8c),W(e4,4e), W(ef,10),W(ee,d2),W(ec,94),W(ed,56),W(e8,18),W(e9,da),W(eb,9c),W(ea,5e), W(fd,20),W(fc,e2),W(fe,a4),W(ff,66),W(fa,28),W(fb,ea),W(f9,ac),W(f8,6e), W(f3,30),W(f2,f2),W(f0,b4),W(f1,76),W(f4,38),W(f5,fa),W(f7,bc),W(f6,7e), W(d9,40),W(d8,82),W(da,c4),W(db,06),W(de,48),W(df,8a),W(dd,cc),W(dc,0e), W(d7,50),W(d6,92),W(d4,d4),W(d5,16),W(d0,58),W(d1,9a),W(d3,dc),W(d2,1e), W(c5,60),W(c4,a2),W(c6,e4),W(c7,26),W(c2,68),W(c3,aa),W(c1,ec),W(c0,2e), W(cb,70),W(ca,b2),W(c8,f4),W(c9,36),W(cc,78),W(cd,ba),W(cf,fc),W(ce,3e), W(91,80),W(90,42),W(92,04),W(93,c6),W(96,88),W(97,4a),W(95,0c),W(94,ce), W(9f,90),W(9e,52),W(9c,14),W(9d,d6),W(98,98),W(99,5a),W(9b,1c),W(9a,de), W(8d,a0),W(8c,62),W(8e,24),W(8f,e6),W(8a,a8),W(8b,6a),W(89,2c),W(88,ee), W(83,b0),W(82,72),W(80,34),W(81,f6),W(84,b8),W(85,7a),W(87,3c),W(86,fe), W(a9,c0),W(a8,02),W(aa,44),W(ab,86),W(ae,c8),W(af,0a),W(ad,4c),W(ac,8e), W(a7,d0),W(a6,12),W(a4,54),W(a5,96),W(a0,d8),W(a1,1a),W(a3,5c),W(a2,9e), W(b5,e0),W(b4,22),W(b6,64),W(b7,a6),W(b2,e8),W(b3,2a),W(b1,6c),W(b0,ae), W(bb,f0),W(ba,32),W(b8,74),W(b9,b6),W(bc,f8),W(bd,3a),W(bf,7c),W(be,be), }; static void gcm_gf_shift_8(union nettle_block16 *x) { unsigned long *w = x->w; unsigned long reduce; /* Shift uses big-endian representation. */ #if WORDS_BIGENDIAN # if SIZEOF_LONG == 4 reduce = shift_table[w[3] & 0xff]; w[3] = (w[3] >> 8) | ((w[2] & 0xff) << 24); w[2] = (w[2] >> 8) | ((w[1] & 0xff) << 24); w[1] = (w[1] >> 8) | ((w[0] & 0xff) << 24); w[0] = (w[0] >> 8) ^ (reduce << 16); # elif SIZEOF_LONG == 8 reduce = shift_table[w[1] & 0xff]; w[1] = (w[1] >> 8) | ((w[0] & 0xff) << 56); w[0] = (w[0] >> 8) ^ (reduce << 48); # else # error Unsupported word size. */ #endif #else /* ! WORDS_BIGENDIAN */ # if SIZEOF_LONG == 4 reduce = shift_table[(w[3] >> 24) & 0xff]; w[3] = (w[3] << 8) | (w[2] >> 24); w[2] = (w[2] << 8) | (w[1] >> 24); w[1] = (w[1] << 8) | (w[0] >> 24); w[0] = (w[0] << 8) ^ reduce; # elif SIZEOF_LONG == 8 reduce = shift_table[(w[1] >> 56) & 0xff]; w[1] = (w[1] << 8) | (w[0] >> 56); w[0] = (w[0] << 8) ^ reduce; # else # error Unsupported word size. */ # endif #endif /* ! WORDS_BIGENDIAN */ } static void gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) { union nettle_block16 Z; unsigned i; memcpy(Z.b, table[x->b[GCM_BLOCK_SIZE-1]].b, GCM_BLOCK_SIZE); for (i = GCM_BLOCK_SIZE-2; i > 0; i--) { gcm_gf_shift_8(&Z); gcm_gf_add(&Z, &Z, &table[x->b[i]]); } gcm_gf_shift_8(&Z); gcm_gf_add(x, &Z, &table[x->b[0]]); } # endif /* ! HAVE_NATIVE_gcm_hash8 */ # else /* GCM_TABLE_BITS != 8 */ # error Unsupported table size. # endif /* GCM_TABLE_BITS != 8 */ #undef W #endif /* GCM_TABLE_BITS */ /* Increment the rightmost 32 bits. */ #define INC32(block) INCREMENT(4, (block.b) + GCM_BLOCK_SIZE - 4) /* Initialization of GCM. * @ctx: The context of GCM * @cipher: The context of the underlying block cipher * @f: The underlying cipher encryption function */ void gcm_set_key(struct gcm_key *key, const void *cipher, nettle_cipher_func *f) { /* Middle element if GCM_TABLE_BITS > 0, otherwise the first element */ unsigned i = (1<h[0].b, 0, GCM_BLOCK_SIZE); f (cipher, GCM_BLOCK_SIZE, key->h[i].b, key->h[0].b); #if GCM_TABLE_BITS /* Algorithm 3 from the gcm paper. First do powers of two, then do the rest by adding. */ while (i /= 2) gcm_gf_shift(&key->h[i], &key->h[2*i]); for (i = 2; i < 1<h[i+j], &key->h[i],&key->h[j]); } #endif } #ifndef gcm_hash static void gcm_hash(const struct gcm_key *key, union nettle_block16 *x, size_t length, const uint8_t *data) { for (; length >= GCM_BLOCK_SIZE; length -= GCM_BLOCK_SIZE, data += GCM_BLOCK_SIZE) { memxor (x->b, data, GCM_BLOCK_SIZE); gcm_gf_mul (x, key->h); } if (length > 0) { memxor (x->b, data, length); gcm_gf_mul (x, key->h); } } #endif /* !gcm_hash */ static void gcm_hash_sizes(const struct gcm_key *key, union nettle_block16 *x, uint64_t auth_size, uint64_t data_size) { uint8_t buffer[GCM_BLOCK_SIZE]; data_size *= 8; auth_size *= 8; WRITE_UINT64 (buffer, auth_size); WRITE_UINT64 (buffer + 8, data_size); gcm_hash(key, x, GCM_BLOCK_SIZE, buffer); } /* NOTE: The key is needed only if length != GCM_IV_SIZE */ void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv) { if (length == GCM_IV_SIZE) { memcpy (ctx->iv.b, iv, GCM_BLOCK_SIZE - 4); ctx->iv.b[GCM_BLOCK_SIZE - 4] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 3] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 2] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 1] = 1; } else { memset(ctx->iv.b, 0, GCM_BLOCK_SIZE); gcm_hash(key, &ctx->iv, length, iv); gcm_hash_sizes(key, &ctx->iv, 0, length); } memcpy (ctx->ctr.b, ctx->iv.b, GCM_BLOCK_SIZE); INC32 (ctx->ctr); /* Reset the rest of the message-dependent state. */ memset(ctx->x.b, 0, sizeof(ctx->x)); ctx->auth_size = ctx->data_size = 0; } void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data) { assert(ctx->auth_size % GCM_BLOCK_SIZE == 0); assert(ctx->data_size == 0); gcm_hash(key, &ctx->x, length, data); ctx->auth_size += length; } static void gcm_crypt(struct gcm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { uint8_t buffer[GCM_BLOCK_SIZE]; if (src != dst) { for (; length >= GCM_BLOCK_SIZE; (length -= GCM_BLOCK_SIZE, src += GCM_BLOCK_SIZE, dst += GCM_BLOCK_SIZE)) { f (cipher, GCM_BLOCK_SIZE, dst, ctx->ctr.b); memxor (dst, src, GCM_BLOCK_SIZE); INC32 (ctx->ctr); } } else { for (; length >= GCM_BLOCK_SIZE; (length -= GCM_BLOCK_SIZE, src += GCM_BLOCK_SIZE, dst += GCM_BLOCK_SIZE)) { f (cipher, GCM_BLOCK_SIZE, buffer, ctx->ctr.b); memxor3 (dst, src, buffer, GCM_BLOCK_SIZE); INC32 (ctx->ctr); } } if (length > 0) { /* A final partial block */ f (cipher, GCM_BLOCK_SIZE, buffer, ctx->ctr.b); memxor3 (dst, src, buffer, length); INC32 (ctx->ctr); } } void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); gcm_crypt(ctx, cipher, f, length, dst, src); gcm_hash(key, &ctx->x, length, dst); ctx->data_size += length; } void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); gcm_hash(key, &ctx->x, length, src); gcm_crypt(ctx, cipher, f, length, dst, src); ctx->data_size += length; } void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest) { uint8_t buffer[GCM_BLOCK_SIZE]; assert (length <= GCM_BLOCK_SIZE); gcm_hash_sizes(key, &ctx->x, ctx->auth_size, ctx->data_size); f (cipher, GCM_BLOCK_SIZE, buffer, ctx->iv.b); memxor3 (digest, ctx->x.b, buffer, length); return; } nettle-3.4.1/ed25519-sha512-sign.c0000644000175000017500000000356513401564746015162 0ustar nissenisse/* ed25519-sha512-sign.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "sha2.h" void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve25519; mp_size_t itch = ecc->q.size + _eddsa_sign_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k2 scratch #define scratch_out (scratch + ecc->q.size) struct sha512_ctx ctx; uint8_t digest[SHA512_DIGEST_SIZE]; #define k1 (digest + ED25519_KEY_SIZE) _eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k2); sha512_update (&ctx, ED25519_KEY_SIZE, k1); _eddsa_sign (ecc, &nettle_sha512, pub, &ctx, k2, length, msg, signature, scratch_out); gmp_free_limbs (scratch, itch); #undef k1 #undef k2 #undef scratch_out } nettle-3.4.1/cast128.h0000644000175000017500000000425213401564746013411 0ustar nissenisse/* cast128.h The CAST-128 block cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CAST128_H_INCLUDED #define NETTLE_CAST128_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cast5_set_key nettle_cast5_set_key #define cast128_set_key nettle_cast128_set_key #define cast128_encrypt nettle_cast128_encrypt #define cast128_decrypt nettle_cast128_decrypt #define CAST128_BLOCK_SIZE 8 /* Variable key size between 40 and 128. */ #define CAST5_MIN_KEY_SIZE 5 #define CAST5_MAX_KEY_SIZE 16 #define CAST128_KEY_SIZE 16 struct cast128_ctx { unsigned rounds; /* Number of rounds to use, 12 or 16 */ /* Expanded key, rotations (5 bits only) and 32-bit masks. */ unsigned char Kr[16]; uint32_t Km[16]; }; /* Using variable key size. */ void cast5_set_key(struct cast128_ctx *ctx, size_t length, const uint8_t *key); void cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key); void cast128_encrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void cast128_decrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CAST128_H_INCLUDED */ nettle-3.4.1/des.h0000644000175000017500000000555213401564746013003 0ustar nissenisse/* des.h The des block cipher. And triple des. Copyright (C) 1992 Dana L. How Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `../lib/descore.README' for the complete copyright * notice. * * Slightly edited by Niels Möller, 1997 */ #ifndef NETTLE_DES_H_INCLUDED #define NETTLE_DES_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define des_set_key nettle_des_set_key #define des_encrypt nettle_des_encrypt #define des_decrypt nettle_des_decrypt #define des_check_parity nettle_des_check_parity #define des_fix_parity nettle_des_fix_parity #define des3_set_key nettle_des3_set_key #define des3_encrypt nettle_des3_encrypt #define des3_decrypt nettle_des3_decrypt #define DES_KEY_SIZE 8 #define DES_BLOCK_SIZE 8 /* Expanded key length */ #define _DES_KEY_LENGTH 32 struct des_ctx { uint32_t key[_DES_KEY_LENGTH]; }; /* Returns 1 for good keys and 0 for weak keys. */ int des_set_key(struct des_ctx *ctx, const uint8_t *key); void des_encrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void des_decrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); int des_check_parity(size_t length, const uint8_t *key); void des_fix_parity(size_t length, uint8_t *dst, const uint8_t *src); #define DES3_KEY_SIZE 24 #define DES3_BLOCK_SIZE DES_BLOCK_SIZE struct des3_ctx { struct des_ctx des[3]; }; /* Returns 1 for good keys and 0 for weak keys. */ int des3_set_key(struct des3_ctx *ctx, const uint8_t *key); void des3_encrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void des3_decrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_DES_H_INCLUDED */ nettle-3.4.1/run-tests0000755000175000017500000000447713401564746013756 0ustar nissenisse#! /bin/sh # Copyright (C) 2000, 2001, 2002, 2004, 2005, 2011, 2012 Niels Möller # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. failed=0 all=0 debug='no' testflags='' if [ -z "$srcdir" ] ; then srcdir=`pwd` fi export srcdir # When used in make rules, we sometimes get the filenames VPATH # expanded, but usually not. find_program () { case "$1" in */*) echo "$1" ;; *) if [ -x "$1" ] ; then echo "./$1" else echo "$srcdir/$1" fi ;; esac } env_program () { if [ -x "$1" ] ; then if "$1"; then : ; else echo FAIL: $1 exit 1 fi fi } test_program () { testname=`basename "$1" .exe` testname=`basename "$testname" -test` if [ -z "$EMULATOR" ] || head -1 "$1" | grep '^#!' > /dev/null; then "$1" $testflags else $EMULATOR "$1" $testflags fi case "$?" in 0) echo PASS: $testname all=`expr $all + 1` ;; 77) echo SKIP: $testname ;; *) echo FAIL: $testname failed=`expr $failed + 1` all=`expr $all + 1` ;; esac } env_program `find_program setup-env` while test $# != 0 do case "$1" in --debug) debug=yes ;; -v) testflags='-v' ;; -*) echo >&2 'Unknown option `'"$1'" exit 1 ;; *) break ;; esac shift done if [ $# -eq 0 ] ; then for f in *-test; do test_program "./$f"; done else for f in "$@" ; do test_program `find_program "$f"`; done fi if [ $failed -eq 0 ] ; then banner="All $all tests passed" else banner="$failed of $all tests failed" fi dashes=`echo "$banner" | sed s/./=/g` echo "$dashes" echo "$banner" echo "$dashes" if [ "x$debug" = xno ] ; then env_program `find_program teardown-env` fi [ "$failed" -eq 0 ] nettle-3.4.1/sha224-meta.c0000644000175000017500000000224513401564745014145 0ustar nissenisse/* sha224-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha224 = _NETTLE_HASH(sha224, SHA224); nettle-3.4.1/pss.c0000644000175000017500000001243313401564745013023 0ustar nissenisse/* pss.c PKCS#1 RSA-PSS padding (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "pss.h" #include "pss-mgf1.h" #include "bignum.h" #include "gmp-glue.h" #include "memxor.h" #include "nettle-internal.h" /* Masks to clear the leftmost N bits. */ static const uint8_t pss_masks[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0xF, 0x7, 0x3, 0x1 }; static const uint8_t pss_pad[8] = {0, 0, 0, 0, 0, 0, 0, 0}; /* Format the PKCS#1 PSS padding for given salt and digest, using * pss_mgf1() as the mask generation function. * * The encoded messsage is stored in M, and the consistency can be * checked with pss_verify_mgf1(), which takes the encoded message, * the length of salt, and the digest. */ int pss_encode_mgf1(mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, const uint8_t *digest) { TMP_GMP_DECL(em, uint8_t); TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t key_size = (bits + 7) / 8; size_t j; TMP_GMP_ALLOC(em, key_size); TMP_ALLOC(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) { TMP_GMP_FREE(em); return 0; } /* Compute M'. */ hash->init(state); hash->update(state, sizeof(pss_pad), pss_pad); hash->update(state, hash->digest_size, digest); hash->update(state, salt_length, salt); /* Store H in EM, right after maskedDB. */ hash->digest(state, hash->digest_size, em + key_size - hash->digest_size - 1); /* Compute dbMask. */ hash->init(state); hash->update(state, hash->digest_size, em + key_size - hash->digest_size - 1); pss_mgf1(state, hash, key_size - hash->digest_size - 1, em); /* Compute maskedDB and store it in front of H in EM. */ j = key_size - salt_length - hash->digest_size - 2; em[j++] ^= 1; memxor(em + j, salt, salt_length); j += salt_length; /* Store the trailer field following H. */ j += hash->digest_size; em[j] = 0xbc; /* Clear the leftmost 8 * emLen - emBits of the leftmost octet in EM. */ *em &= pss_masks[(8 * key_size - bits)]; nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } /* Check the consistency of given PKCS#1 PSS encoded message, created * with pss_encode_mgf1(). * * Returns 1 if the encoded message is consistent, 0 if it is * inconsistent. */ int pss_verify_mgf1(const mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *digest) { TMP_GMP_DECL(em, uint8_t); TMP_DECL(h2, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE); uint8_t *h, *db, *salt; size_t key_size = (bits + 7) / 8; size_t j; int ret = 0; /* Allocate twice the key size to store the intermediate data DB * following the EM value. */ TMP_GMP_ALLOC(em, key_size * 2); TMP_ALLOC(h2, hash->digest_size); TMP_ALLOC(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) goto cleanup; if (mpz_sizeinbase(m, 2) > bits) goto cleanup; nettle_mpz_get_str_256(key_size, em, m); /* Check the trailer field. */ if (em[key_size - 1] != 0xbc) goto cleanup; /* Extract H. */ h = em + (key_size - hash->digest_size - 1); /* The leftmost 8 * emLen - emBits bits of the leftmost octet of EM * must all equal to zero. Always true here, thanks to the above * check on the bit size of m. */ assert((*em & ~pss_masks[(8 * key_size - bits)]) == 0); /* Compute dbMask. */ hash->init(state); hash->update(state, hash->digest_size, h); db = em + key_size; pss_mgf1(state, hash, key_size - hash->digest_size - 1, db); /* Compute DB. */ memxor(db, em, key_size - hash->digest_size - 1); *db &= pss_masks[(8 * key_size - bits)]; for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++) if (db[j] != 0) goto cleanup; /* Check the octet right after PS is 0x1. */ if (db[j] != 0x1) goto cleanup; salt = db + j + 1; /* Compute H'. */ hash->init(state); hash->update(state, sizeof(pss_pad), pss_pad); hash->update(state, hash->digest_size, digest); hash->update(state, salt_length, salt); hash->digest(state, hash->digest_size, h2); /* Check if H' = H. */ if (memcmp(h2, h, hash->digest_size) != 0) goto cleanup; ret = 1; cleanup: TMP_GMP_FREE(em); return ret; } nettle-3.4.1/der2dsa.c0000644000175000017500000000767413401564746013556 0ustar nissenisse/* der2dsa.c Decoding of DSA keys in OpenSSL and X.509.1 format. Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "bignum.h" #include "asn1.h" #define GET(i, x, l) \ (asn1_der_iterator_next((i)) == ASN1_ITERATOR_PRIMITIVE \ && (i)->type == ASN1_INTEGER \ && asn1_der_get_bignum((i), (x), (l)) \ && mpz_sgn((x)) > 0) /* If q_bits > 0, q is required to be of exactly this size. */ int dsa_params_from_der_iterator(struct dsa_params *params, unsigned max_bits, unsigned q_bits, struct asn1_der_iterator *i) { /* Dss-Parms ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER } */ if (i->type == ASN1_INTEGER && asn1_der_get_bignum(i, params->p, max_bits) && mpz_sgn(params->p) > 0) { unsigned p_bits = mpz_sizeinbase (params->p, 2); return (GET(i, params->q, q_bits ? q_bits : p_bits) && (q_bits == 0 || mpz_sizeinbase(params->q, 2) == q_bits) && mpz_cmp (params->q, params->p) < 0 && GET(i, params->g, p_bits) && mpz_cmp (params->g, params->p) < 0 && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } else return 0; } int dsa_public_key_from_der_iterator(const struct dsa_params *params, mpz_t pub, struct asn1_der_iterator *i) { /* DSAPublicKey ::= INTEGER */ return (i->type == ASN1_INTEGER && asn1_der_get_bignum(i, pub, mpz_sizeinbase (params->p, 2)) && mpz_sgn(pub) > 0 && mpz_cmp(pub, params->p) < 0); } int dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, struct asn1_der_iterator *i) { /* DSAPrivateKey ::= SEQUENCE { version Version, p INTEGER, q INTEGER, g INTEGER, pub_key INTEGER, -- y priv_key INTEGER, -- x } */ uint32_t version; if (i->type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && i->type == ASN1_INTEGER && asn1_der_get_uint32(i, &version) && version == 0 && GET(i, params->p, p_max_bits)) { unsigned p_bits = mpz_sizeinbase (params->p, 2); return (GET(i, params->q, DSA_SHA1_Q_BITS) && GET(i, params->g, p_bits) && mpz_cmp (params->g, params->p) < 0 && GET(i, pub, p_bits) && mpz_cmp (pub, params->p) < 0 && GET(i, priv, DSA_SHA1_Q_BITS) && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } else return 0; } int dsa_openssl_private_key_from_der(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; res = asn1_der_iterator_first(&i, length, data); return (res == ASN1_ITERATOR_CONSTRUCTED && dsa_openssl_private_key_from_der_iterator(params, pub, priv, p_max_bits, &i)); } nettle-3.4.1/aes128-set-encrypt-key.c0000644000175000017500000000237113401564745016262 0ustar nissenisse/* aes128-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" void aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) { _aes_set_key (_AES128_ROUNDS, AES128_KEY_SIZE / 4, ctx->keys, key); } nettle-3.4.1/getopt.c0000644000175000017500000010214513401564746013521 0ustar nissenisse/* Getopt for GNU. NOTE: getopt is part of the C library, so if you don't know what "Keep this file name-space clean" means, talk to drepper@gnu.org before changing it! Copyright (C) 1987-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ /* This tells Alpha OSF/1 not to define a getopt prototype in . Ditto for AIX 3.2 and . */ #ifndef _NO_PROTO # define _NO_PROTO #endif #ifdef HAVE_CONFIG_H # include #endif #include /* Comment out all this code if we are using the GNU C Library, and are not actually compiling the library itself. This code is part of the GNU C Library, but also included in many other GNU distributions. Compiling and linking in this code is a waste when using the GNU C library (especially if it is a shared library). Rather than having every GNU program understand `configure --with-gnu-libc' and omit the object files, it is simpler to just do this in the source for each such file. */ #define GETOPT_INTERFACE_VERSION 2 #if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2 # include # if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION # define ELIDE_CODE # endif #endif #ifndef ELIDE_CODE /* This needs to come after some library #include to get __GNU_LIBRARY__ defined. */ #ifdef __GNU_LIBRARY__ /* Don't include stdlib.h for non-GNU C libraries because some of them contain conflicting prototypes for getopt. */ # include # include #endif /* GNU C library. */ #include #ifdef VMS # include #endif #ifdef _LIBC # include #else /* The glibc version includes "gettext.h" here, but Nettle currently doesn't have that. */ # define _(msgid) msgid #endif #if defined _LIBC # include #endif #ifndef attribute_hidden # define attribute_hidden #endif /* This version of `getopt' appears to the caller like standard Unix `getopt' but it behaves differently for the user, since it allows the user to intersperse the options with the other arguments. As `getopt' works, it permutes the elements of ARGV so that, when it is done, all the options precede everything else. Thus all application programs are extended to handle flexible argument order. Setting the environment variable POSIXLY_CORRECT disables permutation. Then the behavior is completely standard. GNU application programs can use a third alternative mode in which they can distinguish the relative order of options and other arguments. */ #include "getopt.h" #include "getopt_int.h" /* For communication from `getopt' to the caller. When `getopt' finds an option that takes an argument, the argument value is returned here. Also, when `ordering' is RETURN_IN_ORDER, each non-option ARGV-element is returned here. */ char *optarg; /* Index in ARGV of the next element to be scanned. This is used for communication to and from the caller and for communication between successive calls to `getopt'. On entry to `getopt', zero means this is the first call; initialize. When `getopt' returns -1, this is the index of the first of the non-option elements that the caller should itself scan. Otherwise, `optind' communicates from one call to the next how much of ARGV has been scanned so far. */ /* 1003.2 says this must be 1 before any call. */ int optind = 1; /* Callers store zero here to inhibit the error message for unrecognized options. */ int opterr = 1; /* Set to an option character which was unrecognized. This must be initialized on some systems to avoid linking in the system's own getopt implementation. */ int optopt = '?'; /* Keep a global copy of all internal members of getopt_data. */ static struct _getopt_data getopt_data; #ifndef __GNU_LIBRARY__ /* Avoid depending on library functions or files whose names are inconsistent. */ #ifndef getenv extern char *getenv (); #endif #endif /* not __GNU_LIBRARY__ */ #ifdef _LIBC /* Stored original parameters. XXX This is no good solution. We should rather copy the args so that we can compare them later. But we must not use malloc(3). */ extern int __libc_argc; extern char **__libc_argv; /* Bash 2.0 gives us an environment variable containing flags indicating ARGV elements that should not be considered arguments. */ # ifdef USE_NONOPTION_FLAGS /* Defined in getopt_init.c */ extern char *__getopt_nonoption_flags; # endif # ifdef USE_NONOPTION_FLAGS # define SWAP_FLAGS(ch1, ch2) \ if (d->__nonoption_flags_len > 0) \ { \ char __tmp = __getopt_nonoption_flags[ch1]; \ __getopt_nonoption_flags[ch1] = __getopt_nonoption_flags[ch2]; \ __getopt_nonoption_flags[ch2] = __tmp; \ } # else # define SWAP_FLAGS(ch1, ch2) # endif #else /* !_LIBC */ # define SWAP_FLAGS(ch1, ch2) #endif /* _LIBC */ /* Exchange two adjacent subsequences of ARGV. One subsequence is elements [first_nonopt,last_nonopt) which contains all the non-options that have been skipped so far. The other is elements [last_nonopt,optind), which contains all the options processed since those non-options were skipped. `first_nonopt' and `last_nonopt' are relocated so that they describe the new indices of the non-options in ARGV after they are moved. */ static void exchange (char **argv, struct _getopt_data *d) { int bottom = d->__first_nonopt; int middle = d->__last_nonopt; int top = d->optind; char *tem; /* Exchange the shorter segment with the far end of the longer segment. That puts the shorter segment into the right place. It leaves the longer segment in the right place overall, but it consists of two parts that need to be swapped next. */ #if defined _LIBC && defined USE_NONOPTION_FLAGS /* First make sure the handling of the `__getopt_nonoption_flags' string can work normally. Our top argument must be in the range of the string. */ if (d->__nonoption_flags_len > 0 && top >= d->__nonoption_flags_max_len) { /* We must extend the array. The user plays games with us and presents new arguments. */ char *new_str = malloc (top + 1); if (new_str == NULL) d->__nonoption_flags_len = d->__nonoption_flags_max_len = 0; else { memset (__mempcpy (new_str, __getopt_nonoption_flags, d->__nonoption_flags_max_len), '\0', top + 1 - d->__nonoption_flags_max_len); d->__nonoption_flags_max_len = top + 1; __getopt_nonoption_flags = new_str; } } #endif while (top > middle && middle > bottom) { if (top - middle > middle - bottom) { /* Bottom segment is the short one. */ int len = middle - bottom; int i; /* Swap it with the top part of the top segment. */ for (i = 0; i < len; i++) { tem = argv[bottom + i]; argv[bottom + i] = argv[top - (middle - bottom) + i]; argv[top - (middle - bottom) + i] = tem; SWAP_FLAGS (bottom + i, top - (middle - bottom) + i); } /* Exclude the moved bottom segment from further swapping. */ top -= len; } else { /* Top segment is the short one. */ int len = top - middle; int i; /* Swap it with the bottom part of the bottom segment. */ for (i = 0; i < len; i++) { tem = argv[bottom + i]; argv[bottom + i] = argv[middle + i]; argv[middle + i] = tem; SWAP_FLAGS (bottom + i, middle + i); } /* Exclude the moved top segment from further swapping. */ bottom += len; } } /* Update records for the slots the non-options now occupy. */ d->__first_nonopt += (d->optind - d->__last_nonopt); d->__last_nonopt = d->optind; } /* Initialize the internal data when the first call is made. */ static const char * _getopt_initialize (int argc, char *const *argv, const char *optstring, struct _getopt_data *d, int posixly_correct) { /* Start processing options with ARGV-element 1 (since ARGV-element 0 is the program name); the sequence of previously skipped non-option ARGV-elements is empty. */ d->__first_nonopt = d->__last_nonopt = d->optind; d->__nextchar = NULL; d->__posixly_correct = posixly_correct | !!getenv ("POSIXLY_CORRECT"); /* Determine how to handle the ordering of options and nonoptions. */ if (optstring[0] == '-') { d->__ordering = RETURN_IN_ORDER; ++optstring; } else if (optstring[0] == '+') { d->__ordering = REQUIRE_ORDER; ++optstring; } else if (d->__posixly_correct) d->__ordering = REQUIRE_ORDER; else d->__ordering = PERMUTE; #if defined _LIBC && defined USE_NONOPTION_FLAGS if (!d->__posixly_correct && argc == __libc_argc && argv == __libc_argv) { if (d->__nonoption_flags_max_len == 0) { if (__getopt_nonoption_flags == NULL || __getopt_nonoption_flags[0] == '\0') d->__nonoption_flags_max_len = -1; else { const char *orig_str = __getopt_nonoption_flags; int len = d->__nonoption_flags_max_len = strlen (orig_str); if (d->__nonoption_flags_max_len < argc) d->__nonoption_flags_max_len = argc; __getopt_nonoption_flags = (char *) malloc (d->__nonoption_flags_max_len); if (__getopt_nonoption_flags == NULL) d->__nonoption_flags_max_len = -1; else memset (__mempcpy (__getopt_nonoption_flags, orig_str, len), '\0', d->__nonoption_flags_max_len - len); } } d->__nonoption_flags_len = d->__nonoption_flags_max_len; } else d->__nonoption_flags_len = 0; #endif return optstring; } /* Scan elements of ARGV (whose length is ARGC) for option characters given in OPTSTRING. If an element of ARGV starts with '-', and is not exactly "-" or "--", then it is an option element. The characters of this element (aside from the initial '-') are option characters. If `getopt' is called repeatedly, it returns successively each of the option characters from each of the option elements. If `getopt' finds another option character, it returns that character, updating `optind' and `nextchar' so that the next call to `getopt' can resume the scan with the following option character or ARGV-element. If there are no more option characters, `getopt' returns -1. Then `optind' is the index in ARGV of the first ARGV-element that is not an option. (The ARGV-elements have been permuted so that those that are not options now come last.) OPTSTRING is a string containing the legitimate option characters. If an option character is seen that is not listed in OPTSTRING, return '?' after printing an error message. If you set `opterr' to zero, the error message is suppressed but we still return '?'. If a char in OPTSTRING is followed by a colon, that means it wants an arg, so the following text in the same ARGV-element, or the text of the following ARGV-element, is returned in `optarg'. Two colons mean an option that wants an optional arg; if there is text in the current ARGV-element, it is returned in `optarg', otherwise `optarg' is set to zero. If OPTSTRING starts with `-' or `+', it requests different methods of handling the non-option ARGV-elements. See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above. Long-named options begin with `--' instead of `-'. Their names may be abbreviated as long as the abbreviation is unique or is an exact match for some defined option. If they have an argument, it follows the option name in the same ARGV-element, separated from the option name by a `=', or else the in next ARGV-element. When `getopt' finds a long-named option, it returns 0 if that option's `flag' field is nonzero, the value of the option's `val' field if the `flag' field is zero. The elements of ARGV aren't really const, because we permute them. But we pretend they're const in the prototype to be compatible with other systems. LONGOPTS is a vector of `struct option' terminated by an element containing a name which is zero. LONGIND returns the index in LONGOPT of the long-named option found. It is only valid when a long-named option has been found by the most recent call. If LONG_ONLY is nonzero, '-' as well as '--' can introduce long-named options. */ int _getopt_internal_r (int argc, char *const *argv, const char *optstring, const struct option *longopts, int *longind, int long_only, struct _getopt_data *d, int posixly_correct) { int print_errors = d->opterr; if (argc < 1) return -1; d->optarg = NULL; if (d->optind == 0 || !d->__initialized) { if (d->optind == 0) d->optind = 1; /* Don't scan ARGV[0], the program name. */ optstring = _getopt_initialize (argc, argv, optstring, d, posixly_correct); d->__initialized = 1; } else if (optstring[0] == '-' || optstring[0] == '+') optstring++; if (optstring[0] == ':') print_errors = 0; /* Test whether ARGV[optind] points to a non-option argument. Either it does not have option syntax, or there is an environment flag from the shell indicating it is not an option. The later information is only used when the used in the GNU libc. */ #if defined _LIBC && defined USE_NONOPTION_FLAGS # define NONOPTION_P (argv[d->optind][0] != '-' || argv[d->optind][1] == '\0' \ || (d->optind < d->__nonoption_flags_len \ && __getopt_nonoption_flags[d->optind] == '1')) #else # define NONOPTION_P (argv[d->optind][0] != '-' || argv[d->optind][1] == '\0') #endif if (d->__nextchar == NULL || *d->__nextchar == '\0') { /* Advance to the next ARGV-element. */ /* Give FIRST_NONOPT & LAST_NONOPT rational values if OPTIND has been moved back by the user (who may also have changed the arguments). */ if (d->__last_nonopt > d->optind) d->__last_nonopt = d->optind; if (d->__first_nonopt > d->optind) d->__first_nonopt = d->optind; if (d->__ordering == PERMUTE) { /* If we have just processed some options following some non-options, exchange them so that the options come first. */ if (d->__first_nonopt != d->__last_nonopt && d->__last_nonopt != d->optind) exchange ((char **) argv, d); else if (d->__last_nonopt != d->optind) d->__first_nonopt = d->optind; /* Skip any additional non-options and extend the range of non-options previously skipped. */ while (d->optind < argc && NONOPTION_P) d->optind++; d->__last_nonopt = d->optind; } /* The special ARGV-element `--' means premature end of options. Skip it like a null option, then exchange with previous non-options as if it were an option, then skip everything else like a non-option. */ if (d->optind != argc && !strcmp (argv[d->optind], "--")) { d->optind++; if (d->__first_nonopt != d->__last_nonopt && d->__last_nonopt != d->optind) exchange ((char **) argv, d); else if (d->__first_nonopt == d->__last_nonopt) d->__first_nonopt = d->optind; d->__last_nonopt = argc; d->optind = argc; } /* If we have done all the ARGV-elements, stop the scan and back over any non-options that we skipped and permuted. */ if (d->optind == argc) { /* Set the next-arg-index to point at the non-options that we previously skipped, so the caller will digest them. */ if (d->__first_nonopt != d->__last_nonopt) d->optind = d->__first_nonopt; return -1; } /* If we have come to a non-option and did not permute it, either stop the scan or describe it to the caller and pass it by. */ if (NONOPTION_P) { if (d->__ordering == REQUIRE_ORDER) return -1; d->optarg = argv[d->optind++]; return 1; } /* We have found another option-ARGV-element. Skip the initial punctuation. */ d->__nextchar = (argv[d->optind] + 1 + (longopts != NULL && argv[d->optind][1] == '-')); } /* Decode the current option-ARGV-element. */ /* Check whether the ARGV-element is a long option. If long_only and the ARGV-element has the form "-f", where f is a valid short option, don't consider it an abbreviated form of a long option that starts with f. Otherwise there would be no way to give the -f short option. On the other hand, if there's a long option "fubar" and the ARGV-element is "-fu", do consider that an abbreviation of the long option, just like "--fu", and not "-f" with arg "u". This distinction seems to be the most useful approach. */ if (longopts != NULL && (argv[d->optind][1] == '-' || (long_only && (argv[d->optind][2] || !strchr (optstring, argv[d->optind][1]))))) { char *nameend; unsigned int namelen; const struct option *p; const struct option *pfound = NULL; struct option_list { const struct option *p; struct option_list *next; } *ambig_list = NULL; int exact = 0; int indfound = -1; int option_index; for (nameend = d->__nextchar; *nameend && *nameend != '='; nameend++) /* Do nothing. */ ; namelen = nameend - d->__nextchar; /* Test all long options for either exact match or abbreviated matches. */ for (p = longopts, option_index = 0; p->name; p++, option_index++) if (!strncmp (p->name, d->__nextchar, namelen)) { if (namelen == (unsigned int) strlen (p->name)) { /* Exact match found. */ pfound = p; indfound = option_index; exact = 1; break; } else if (pfound == NULL) { /* First nonexact match found. */ pfound = p; indfound = option_index; } else if (long_only || pfound->has_arg != p->has_arg || pfound->flag != p->flag || pfound->val != p->val) { /* Second or later nonexact match found. */ struct option_list *newp = alloca (sizeof (*newp)); newp->p = p; newp->next = ambig_list; ambig_list = newp; } } if (ambig_list != NULL && !exact) { if (print_errors) { struct option_list first; first.p = pfound; first.next = ambig_list; ambig_list = &first; #if defined _LIBC char *buf = NULL; size_t buflen = 0; FILE *fp = open_memstream (&buf, &buflen); if (fp != NULL) { fprintf (fp, _("%s: option '%s' is ambiguous; possibilities:"), argv[0], argv[d->optind]); do { fprintf (fp, " '--%s'", ambig_list->p->name); ambig_list = ambig_list->next; } while (ambig_list != NULL); fputc_unlocked ('\n', fp); if (__builtin_expect (fclose (fp) != EOF, 1)) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } } #else fprintf (stderr, _("%s: option '%s' is ambiguous; possibilities:"), argv[0], argv[d->optind]); do { fprintf (stderr, " '--%s'", ambig_list->p->name); ambig_list = ambig_list->next; } while (ambig_list != NULL); fputc ('\n', stderr); #endif } d->__nextchar += strlen (d->__nextchar); d->optind++; d->optopt = 0; return '?'; } if (pfound != NULL) { option_index = indfound; d->optind++; if (*nameend) { /* Don't test has_arg with >, because some C compilers don't allow it to be used on enums. */ if (pfound->has_arg) d->optarg = nameend + 1; else { if (print_errors) { #if defined _LIBC char *buf; int n; #endif if (argv[d->optind - 1][1] == '-') { /* --option */ #if defined _LIBC n = __asprintf (&buf, _("\ %s: option '--%s' doesn't allow an argument\n"), argv[0], pfound->name); #else fprintf (stderr, _("\ %s: option '--%s' doesn't allow an argument\n"), argv[0], pfound->name); #endif } else { /* +option or -option */ #if defined _LIBC n = __asprintf (&buf, _("\ %s: option '%c%s' doesn't allow an argument\n"), argv[0], argv[d->optind - 1][0], pfound->name); #else fprintf (stderr, _("\ %s: option '%c%s' doesn't allow an argument\n"), argv[0], argv[d->optind - 1][0], pfound->name); #endif } #if defined _LIBC if (n >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #endif } d->__nextchar += strlen (d->__nextchar); d->optopt = pfound->val; return '?'; } } else if (pfound->has_arg == 1) { if (d->optind < argc) d->optarg = argv[d->optind++]; else { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option '--%s' requires an argument\n"), argv[0], pfound->name) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option '--%s' requires an argument\n"), argv[0], pfound->name); #endif } d->__nextchar += strlen (d->__nextchar); d->optopt = pfound->val; return optstring[0] == ':' ? ':' : '?'; } } d->__nextchar += strlen (d->__nextchar); if (longind != NULL) *longind = option_index; if (pfound->flag) { *(pfound->flag) = pfound->val; return 0; } return pfound->val; } /* Can't find it as a long option. If this is not getopt_long_only, or the option starts with '--' or is not a valid short option, then it's an error. Otherwise interpret it as a short option. */ if (!long_only || argv[d->optind][1] == '-' || strchr (optstring, *d->__nextchar) == NULL) { if (print_errors) { #if defined _LIBC char *buf; int n; #endif if (argv[d->optind][1] == '-') { /* --option */ #if defined _LIBC n = __asprintf (&buf, _("%s: unrecognized option '--%s'\n"), argv[0], d->__nextchar); #else fprintf (stderr, _("%s: unrecognized option '--%s'\n"), argv[0], d->__nextchar); #endif } else { /* +option or -option */ #if defined _LIBC n = __asprintf (&buf, _("%s: unrecognized option '%c%s'\n"), argv[0], argv[d->optind][0], d->__nextchar); #else fprintf (stderr, _("%s: unrecognized option '%c%s'\n"), argv[0], argv[d->optind][0], d->__nextchar); #endif } #if defined _LIBC if (n >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #endif } d->__nextchar = (char *) ""; d->optind++; d->optopt = 0; return '?'; } } /* Look at and handle the next short option-character. */ { char c = *d->__nextchar++; char *temp = strchr (optstring, c); /* Increment `optind' when we start to process its last character. */ if (*d->__nextchar == '\0') ++d->optind; if (temp == NULL || c == ':' || c == ';') { if (print_errors) { #if defined _LIBC char *buf; int n; #endif #if defined _LIBC n = __asprintf (&buf, _("%s: invalid option -- '%c'\n"), argv[0], c); #else fprintf (stderr, _("%s: invalid option -- '%c'\n"), argv[0], c); #endif #if defined _LIBC if (n >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #endif } d->optopt = c; return '?'; } /* Convenience. Treat POSIX -W foo same as long option --foo */ if (temp[0] == 'W' && temp[1] == ';') { char *nameend; const struct option *p; const struct option *pfound = NULL; int exact = 0; int ambig = 0; int indfound = 0; int option_index; if (longopts == NULL) goto no_longs; /* This is an option that requires an argument. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; /* If we end this ARGV-element by taking the rest as an arg, we must advance to the next element now. */ d->optind++; } else if (d->optind == argc) { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("%s: option requires an argument -- '%c'\n"), argv[0], c) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option requires an argument -- '%c'\n"), argv[0], c); #endif } d->optopt = c; if (optstring[0] == ':') c = ':'; else c = '?'; return c; } else /* We already incremented `d->optind' once; increment it again when taking next ARGV-elt as argument. */ d->optarg = argv[d->optind++]; /* optarg is now the argument, see if it's in the table of longopts. */ for (d->__nextchar = nameend = d->optarg; *nameend && *nameend != '='; nameend++) /* Do nothing. */ ; /* Test all long options for either exact match or abbreviated matches. */ for (p = longopts, option_index = 0; p->name; p++, option_index++) if (!strncmp (p->name, d->__nextchar, nameend - d->__nextchar)) { if ((unsigned int) (nameend - d->__nextchar) == strlen (p->name)) { /* Exact match found. */ pfound = p; indfound = option_index; exact = 1; break; } else if (pfound == NULL) { /* First nonexact match found. */ pfound = p; indfound = option_index; } else if (long_only || pfound->has_arg != p->has_arg || pfound->flag != p->flag || pfound->val != p->val) /* Second or later nonexact match found. */ ambig = 1; } if (ambig && !exact) { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("%s: option '-W %s' is ambiguous\n"), argv[0], d->optarg) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option '-W %s' is ambiguous\n"), argv[0], d->optarg); #endif } d->__nextchar += strlen (d->__nextchar); d->optind++; return '?'; } if (pfound != NULL) { option_index = indfound; if (*nameend) { /* Don't test has_arg with >, because some C compilers don't allow it to be used on enums. */ if (pfound->has_arg) d->optarg = nameend + 1; else { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option '-W %s' doesn't allow an argument\n"), argv[0], pfound->name) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("\ %s: option '-W %s' doesn't allow an argument\n"), argv[0], pfound->name); #endif } d->__nextchar += strlen (d->__nextchar); return '?'; } } else if (pfound->has_arg == 1) { if (d->optind < argc) d->optarg = argv[d->optind++]; else { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option '-W %s' requires an argument\n"), argv[0], pfound->name) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("\ %s: option '-W %s' requires an argument\n"), argv[0], pfound->name); #endif } d->__nextchar += strlen (d->__nextchar); return optstring[0] == ':' ? ':' : '?'; } } else d->optarg = NULL; d->__nextchar += strlen (d->__nextchar); if (longind != NULL) *longind = option_index; if (pfound->flag) { *(pfound->flag) = pfound->val; return 0; } return pfound->val; } no_longs: d->__nextchar = NULL; return 'W'; /* Let the application handle it. */ } if (temp[1] == ':') { if (temp[2] == ':') { /* This is an option that accepts an argument optionally. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; d->optind++; } else d->optarg = NULL; d->__nextchar = NULL; } else { /* This is an option that requires an argument. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; /* If we end this ARGV-element by taking the rest as an arg, we must advance to the next element now. */ d->optind++; } else if (d->optind == argc) { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option requires an argument -- '%c'\n"), argv[0], c) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option requires an argument -- '%c'\n"), argv[0], c); #endif } d->optopt = c; if (optstring[0] == ':') c = ':'; else c = '?'; } else /* We already incremented `optind' once; increment it again when taking next ARGV-elt as argument. */ d->optarg = argv[d->optind++]; d->__nextchar = NULL; } } return c; } } int _getopt_internal (int argc, char *const *argv, const char *optstring, const struct option *longopts, int *longind, int long_only, int posixly_correct) { int result; getopt_data.optind = optind; getopt_data.opterr = opterr; result = _getopt_internal_r (argc, argv, optstring, longopts, longind, long_only, &getopt_data, posixly_correct); optind = getopt_data.optind; optarg = getopt_data.optarg; optopt = getopt_data.optopt; return result; } int getopt (int argc, char *const *argv, const char *optstring) { return _getopt_internal (argc, argv, optstring, (const struct option *) 0, (int *) 0, 0, 0); } #ifdef _LIBC int __posix_getopt (int argc, char *const *argv, const char *optstring) { return _getopt_internal (argc, argv, optstring, (const struct option *) 0, (int *) 0, 0, 1); } #endif #endif /* Not ELIDE_CODE. */ #ifdef TEST /* Compile with -DTEST to make an executable for use in testing the above definition of `getopt'. */ int main (int argc, char **argv) { int c; int digit_optind = 0; while (1) { int this_option_optind = optind ? optind : 1; c = getopt (argc, argv, "abc:d:0123456789"); if (c == -1) break; switch (c) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': if (digit_optind != 0 && digit_optind != this_option_optind) printf ("digits occur in two different argv-elements.\n"); digit_optind = this_option_optind; printf ("option %c\n", c); break; case 'a': printf ("option a\n"); break; case 'b': printf ("option b\n"); break; case 'c': printf ("option c with value '%s'\n", optarg); break; case '?': break; default: printf ("?? getopt returned character code 0%o ??\n", c); } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } exit (0); } #endif /* TEST */ nettle-3.4.1/sha3-224-meta.c0000644000175000017500000000224713401564745014307 0ustar nissenisse/* sha3-224-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" const struct nettle_hash nettle_sha3_224 = _NETTLE_HASH(sha3_224, SHA3_224); nettle-3.4.1/ecc-internal.h0000644000175000017500000003126713401564746014576 0ustar nissenisse/* ecc-internal.h Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_INTERNAL_H_INCLUDED #define NETTLE_ECC_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #include "ecc-curve.h" #include "gmp-glue.h" /* Name mangling */ #define ecc_pp1_redc _nettle_ecc_pp1_redc #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub #define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 #define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_random _nettle_ecc_mod_random #define ecc_mod _nettle_ecc_mod #define ecc_mod_inv _nettle_ecc_mod_inv #define ecc_hash _nettle_ecc_hash #define ecc_a_to_j _nettle_ecc_a_to_j #define ecc_j_to_a _nettle_ecc_j_to_a #define ecc_eh_to_a _nettle_ecc_eh_to_a #define ecc_dup_jj _nettle_ecc_dup_jj #define ecc_add_jja _nettle_ecc_add_jja #define ecc_add_jjj _nettle_ecc_add_jjj #define ecc_dup_eh _nettle_ecc_dup_eh #define ecc_add_eh _nettle_ecc_add_eh #define ecc_add_ehh _nettle_ecc_add_ehh #define ecc_mul_g _nettle_ecc_mul_g #define ecc_mul_a _nettle_ecc_mul_a #define ecc_mul_g_eh _nettle_ecc_mul_g_eh #define ecc_mul_a_eh _nettle_ecc_mul_a_eh #define cnd_copy _nettle_cnd_copy #define sec_add_1 _nettle_sec_add_1 #define sec_sub_1 _nettle_sec_sub_1 #define sec_tabselect _nettle_sec_tabselect #define sec_modinv _nettle_sec_modinv #define curve25519_eh_to_x _nettle_curve25519_eh_to_x /* Keep this structure internal for now. It's misnamed (since it's really implementing the equivalent twisted Edwards curve, with different coordinates). And we're not quite ready to provide general ecc operations over an arbitrary type of curve. */ extern const struct ecc_curve _nettle_curve25519; #define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) /* Window size for ecc_mul_a. Using 4 bits seems like a good choice, for both Intel x86_64 and ARM Cortex A9. For the larger curves, of 384 and 521 bits, we could improve speed by a few percent if we go up to 5 bits, but I don't think that's worth doubling the storage. */ #define ECC_MUL_A_WBITS 4 /* And for ecc_mul_a_eh */ #define ECC_MUL_A_EH_WBITS 4 struct ecc_modulo; /* Reduces from 2*ecc->size to ecc->size. */ /* Required to return a result < 2q. This property is inherited by mod_mul and mod_sqr. */ typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp); typedef void ecc_mod_inv_func (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *ap, mp_limb_t *scratch); /* Computes the square root of (u/v) (mod p) */ typedef int ecc_mod_sqrt_func (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch); typedef void ecc_add_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); typedef void ecc_mul_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, int flags, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); struct ecc_modulo { unsigned short bit_size; unsigned short size; unsigned short B_size; unsigned short redc_size; unsigned short invert_itch; unsigned short sqrt_itch; const mp_limb_t *m; /* B^size mod m. Expected to have at least 32 leading zeros (equality for secp_256r1). */ const mp_limb_t *B; /* 2^{bit_size} - p, same value as above, but shifted. */ const mp_limb_t *B_shifted; /* m +/- 1, for redc, excluding redc_size low limbs. */ const mp_limb_t *redc_mpm1; /* (m+1)/2 */ const mp_limb_t *mp1h; ecc_mod_func *mod; ecc_mod_func *reduce; ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; }; /* Represents an elliptic curve of the form y^2 = x^3 - 3x + b (mod p) */ struct ecc_curve { /* The prime p. */ struct ecc_modulo p; /* Group order. FIXME: Currently, many fucntions rely on q.size == p.size. This has to change for radix-51 implementation of curve25519 mod p arithmetic. */ struct ecc_modulo q; unsigned short use_redc; unsigned short pippenger_k; unsigned short pippenger_c; unsigned short add_hhh_itch; unsigned short mul_itch; unsigned short mul_g_itch; unsigned short h_to_a_itch; ecc_add_func *add_hhh; ecc_mul_func *mul; ecc_mul_g_func *mul_g; ecc_h_to_a_func *h_to_a; /* Curve constant */ const mp_limb_t *b; /* Generator, x coordinate followed by y (affine coordinates). Currently used only by the test suite. */ const mp_limb_t *g; /* If non-NULL, the constant needed for transformation to the equivalent Edwards curve. */ const mp_limb_t *edwards_root; /* For redc, same as B mod p, otherwise 1. */ const mp_limb_t *unit; /* Tables for multiplying by the generator, size determined by k and c. The first 2^c entries are defined by T[ j_0 + j_1 2 + ... + j_{c-1} 2^{c-1} ] = j_0 g + j_1 2^k g + ... + j_{c-1} 2^{k(c-1)} g The following entries differ by powers of 2^{kc}, T[i] = 2^{kc} T[i-2^c] */ const mp_limb_t *pippenger_table; }; /* In-place reduction. */ ecc_mod_func ecc_mod; ecc_mod_func ecc_pp1_redc; ecc_mod_func ecc_pm1_redc; ecc_mod_inv_func ecc_mod_inv; void ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t b); void ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b); void ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b); /* NOTE: mul and sqr needs 2*ecc->size limbs at rp */ void ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap); #define ecc_modp_add(ecc, r, a, b) \ ecc_mod_add (&(ecc)->p, (r), (a), (b)) #define ecc_modp_sub(ecc, r, a, b) \ ecc_mod_sub (&(ecc)->p, (r), (a), (b)) #define ecc_modp_mul_1(ecc, r, a, b) \ ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b)) #define ecc_modp_addmul_1(ecc, r, a, b) \ ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b)) #define ecc_modp_submul_1(ecc, r, a, b) \ ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b)) #define ecc_modp_mul(ecc, r, a, b) \ ecc_mod_mul (&(ecc)->p, (r), (a), (b)) #define ecc_modp_sqr(ecc, r, a) \ ecc_mod_sqr (&(ecc)->p, (r), (a)) #define ecc_modq_add(ecc, r, a, b) \ ecc_mod_add (&(ecc)->q, (r), (a), (b)) #define ecc_modq_mul(ecc, r, a, b) \ ecc_mod_mul (&(ecc)->q, (r), (a), (b)) /* mod q operations. */ void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, void *ctx, nettle_random_func *random, mp_limb_t *scratch); void ecc_hash (const struct ecc_modulo *m, mp_limb_t *hp, size_t length, const uint8_t *digest); /* Converts a point P in affine coordinates into a point R in jacobian coordinates. */ void ecc_a_to_j (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p); /* Converts a point P in jacobian coordinates into a point R in affine coordinates. If op == 1, produce x coordinate only. If op == 2, produce the x coordiante only, and in also it modulo q. FIXME: For the public interface, have separate for the three cases, and use this flag argument only for the internal ecc->h_to_a function. */ void ecc_j_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Converts a point P on an Edwards curve to affine coordinates on the corresponding Montgomery curve. */ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Group operations */ /* Point doubling, with jacobian input and output. Corner cases: Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. */ void ecc_dup_jj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Point addition, with jacobian output, one jacobian input and one affine input. Corner cases: Fails for the cases P = Q != 0 Duplication of non-zero point P = 0, Q != 0 or P != 0, Q = 0 One input zero Correctly gives R = 0 if P = Q = 0 or P = -Q. */ void ecc_add_jja (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Point addition with Jacobian input and output. */ void ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Point doubling on an Edwards curve, with homogeneous cooordinates. */ void ecc_dup_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); void ecc_add_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); void ecc_add_ehh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Computes N * the group generator. N is an array of ecc_size() limbs. It must be in the range 0 < N < group order, then R != 0, and the algorithm can work without any intermediate values getting to zero. */ void ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); /* Computes N * P. The scalar N is the same as for ecc_mul_g. P is a non-zero point on the curve, in affine coordinates. Output R is a non-zero point, in Jacobian coordinates. */ void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); void ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n); mp_limb_t sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b); mp_limb_t sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b); void sec_tabselect (mp_limb_t *rp, mp_size_t rn, const mp_limb_t *table, unsigned tn, unsigned k); void curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch); /* Current scratch needs: */ #define ECC_MOD_INV_ITCH(size) (2*(size)) #define ECC_J_TO_A_ITCH(size) (5*(size)) #define ECC_EH_TO_A_ITCH(size, inv) (2*(size)+(inv)) #define ECC_DUP_JJ_ITCH(size) (5*(size)) #define ECC_DUP_EH_ITCH(size) (5*(size)) #define ECC_ADD_JJA_ITCH(size) (6*(size)) #define ECC_ADD_JJJ_ITCH(size) (8*(size)) #define ECC_ADD_EH_ITCH(size) (6*(size)) #define ECC_ADD_EHH_ITCH(size) (7*(size)) #define ECC_MUL_G_ITCH(size) (9*(size)) #define ECC_MUL_G_EH_ITCH(size) (9*(size)) #if ECC_MUL_A_WBITS == 0 #define ECC_MUL_A_ITCH(size) (12*(size)) #else #define ECC_MUL_A_ITCH(size) \ (((3 << ECC_MUL_A_WBITS) + 11) * (size)) #endif #if ECC_MUL_A_EH_WBITS == 0 #define ECC_MUL_A_EH_ITCH(size) (13*(size)) #else #define ECC_MUL_A_EH_ITCH(size) \ (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size)) #endif #define ECC_ECDSA_SIGN_ITCH(size) (12*(size)) #define ECC_MOD_RANDOM_ITCH(size) (size) #define ECC_HASH_ITCH(size) (1+(size)) #endif /* NETTLE_ECC_INTERNAL_H_INCLUDED */ nettle-3.4.1/camellia128-meta.c0000644000175000017500000000274613401564745015152 0ustar nissenisse/* camellia128-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia128 = { "camellia128", sizeof(struct camellia128_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, (nettle_set_key_func *) camellia128_set_encrypt_key, (nettle_set_key_func *) camellia128_set_decrypt_key, (nettle_cipher_func *) camellia128_crypt, (nettle_cipher_func *) camellia128_crypt }; nettle-3.4.1/libnettle.map.in0000644000175000017500000000046113401564746015137 0ustar nissenisse# libnettle.map -- libnettle linker version script. -*- ld-script -*- # # The symbol version must be updated on every nettle # library major number change. That is taken care by # auto-generating the file. NETTLE_@LIBNETTLE_MAJOR@ { global: nettle_*; _nettle_*; local: *; }; nettle-3.4.1/arctwo.h0000644000175000017500000000570513401564746013527 0ustar nissenisse/* arctwo.h The arctwo/rfc2268 block cipher. Copyright (C) 2004 Simon Josefsson Copyright (C) 2002, 2004, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ARCTWO_H_INCLUDED #define NETTLE_ARCTWO_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define arctwo_set_key nettle_arctwo_set_key #define arctwo_set_key_ekb nettle_arctwo_set_key_ekb #define arctwo_set_key_gutmann nettle_arctwo_set_key_gutmann #define arctwo40_set_key nettle_arctwo40_set_key #define arctwo64_set_key nettle_arctwo64_set_key #define arctwo128_set_key nettle_arctwo128_set_key #define arctwo128_set_key_gutmann nettle_arctwo128_set_key_gutmann #define arctwo_encrypt nettle_arctwo_encrypt #define arctwo_decrypt nettle_arctwo_decrypt #define ARCTWO_BLOCK_SIZE 8 /* Variable key size from 1 byte to 128 bytes. */ #define ARCTWO_MIN_KEY_SIZE 1 #define ARCTWO_MAX_KEY_SIZE 128 #define ARCTWO_KEY_SIZE 8 struct arctwo_ctx { uint16_t S[64]; }; /* Key expansion function that takes the "effective key bits", 1-1024, as an explicit argument. 0 means maximum key bits. */ void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t * key, unsigned ekb); /* Equvivalent to arctwo_set_key_ekb, with ekb = 8 * length */ void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key); void arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key); /* Equvivalent to arctwo_set_key_ekb, with ekb = 1024 */ void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key); void arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_ARCTWO_H_INCLUDED */ nettle-3.4.1/buffer.c0000644000175000017500000000602413401564745013466 0ustar nissenisse/* buffer.c A bare-bones string stream. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "buffer.h" int nettle_buffer_grow(struct nettle_buffer *buffer, size_t length) { assert(buffer->size <= buffer->alloc); if (buffer->size + length > buffer->alloc) { size_t alloc; uint8_t *p; if (!buffer->realloc) return 0; alloc = buffer->alloc * 2 + length + 100; p = buffer->realloc(buffer->realloc_ctx, buffer->contents, alloc); if (!p) return 0; buffer->contents = p; buffer->alloc = alloc; } return 1; } void nettle_buffer_init_realloc(struct nettle_buffer *buffer, void *realloc_ctx, nettle_realloc_func *realloc) { buffer->contents = NULL; buffer->alloc = 0; buffer->realloc = realloc; buffer->realloc_ctx = realloc_ctx; buffer->size = 0; } void nettle_buffer_init_size(struct nettle_buffer *buffer, size_t length, uint8_t *space) { buffer->contents = space; buffer->alloc = length; buffer->realloc = NULL; buffer->realloc_ctx = NULL; buffer->size = 0; } void nettle_buffer_clear(struct nettle_buffer *buffer) { if (buffer->realloc) buffer->realloc(buffer->realloc_ctx, buffer->contents, 0); buffer->contents = NULL; buffer->alloc = 0; buffer->size = 0; } void nettle_buffer_reset(struct nettle_buffer *buffer) { buffer->size = 0; } uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, size_t length) { uint8_t *p; if (!nettle_buffer_grow(buffer, length)) return NULL; p = buffer->contents + buffer->size; buffer->size += length; return p; } int nettle_buffer_write(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { uint8_t *p = nettle_buffer_space(buffer, length); if (p) { memcpy(p, data, length); return 1; } else return 0; } int nettle_buffer_copy(struct nettle_buffer *dst, const struct nettle_buffer *src) { return nettle_buffer_write(dst, src->size, src->contents); } nettle-3.4.1/dsa-sha256-verify.c0000644000175000017500000000327413401564746015301 0ustar nissenisse/* dsa-sha256-verify.c The DSA publickey algorithm, using SHA-256 (FIPS186-3). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha256_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature) { return dsa_verify((const struct dsa_params *) key, key->y, SHA256_DIGEST_SIZE, digest, signature); } int dsa_sha256_verify(const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature) { uint8_t digest[SHA256_DIGEST_SIZE]; sha256_digest(hash, sizeof(digest), digest); return dsa_verify((const struct dsa_params *) key, key->y, sizeof(digest), digest, signature); }