diff -Nru nettle-3.4.1/aclocal.m4 nettle-3.7.3/aclocal.m4 --- nettle-3.4.1/aclocal.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/aclocal.m4 2021-06-06 20:06:29.000000000 +0000 @@ -1,25 +1,3 @@ -dnl Try to detect the type of the third arg to getsockname() et al -AC_DEFUN([LSH_TYPE_SOCKLEN_T], -[AH_TEMPLATE([socklen_t], [Length type used by getsockopt]) -AC_CACHE_CHECK([for socklen_t in sys/socket.h], ac_cv_type_socklen_t, -[AC_EGREP_HEADER(socklen_t, sys/socket.h, - [ac_cv_type_socklen_t=yes], [ac_cv_type_socklen_t=no])]) -if test $ac_cv_type_socklen_t = no; then - AC_MSG_CHECKING(for AIX) - AC_EGREP_CPP(yes, [ -#ifdef _AIX - yes -#endif -],[ -AC_MSG_RESULT(yes) -AC_DEFINE(socklen_t, size_t) -],[ -AC_MSG_RESULT(no) -AC_DEFINE(socklen_t, int) -]) -fi -]) - dnl Choose cc flags for compiling position independent code dnl FIXME: Doesn't do the right thing when crosscompiling. AC_DEFUN([LSH_CCPIC], @@ -53,7 +31,7 @@ fi OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $CCPIC" - AC_TRY_COMPILE([], [exit(0);], + AC_TRY_COMPILE([], [return 0;], lsh_cv_sys_ccpic="$CCPIC", lsh_cv_sys_ccpic='') CFLAGS="$OLD_CFLAGS" ]) 
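Review bot: Since the probe line in `LSH_CCPIC` is being rewritten anyway, it could also move off `AC_TRY_COMPILE`, which newer autoconf releases report as obsolete, and read `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [return 0;])], [lsh_cv_sys_ccpic="$CCPIC"], [lsh_cv_sys_ccpic=''])`. The switch from `exit(0)` to `return 0` is itself sound: the test body is placed inside `main`, and `exit` would need a declaration that the empty prologue does not provide. The `AC_DEFUN([LSH_CCPIC]` body begins before this hunk.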
@@ -166,146 +144,6 @@ fi ]) -dnl Like AC_CHECK_LIB, but uses $KRB_LIBS rather than $LIBS. -dnl LSH_CHECK_KRB_LIB(LIBRARY, FUNCTION, [, ACTION-IF-FOUND [, -dnl ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]]) - -AC_DEFUN([LSH_CHECK_KRB_LIB], -[AC_CHECK_LIB([$1], [$2], - ifelse([$3], , - [[ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - AC_DEFINE_UNQUOTED($ac_tr_lib) - KRB_LIBS="-l$1 $KRB_LIBS" - ]], [$3]), - ifelse([$4], , , [$4 -])dnl -, [$5 $KRB_LIBS]) -]) - -dnl LSH_LIB_ARGP(ACTION-IF-OK, ACTION-IF-BAD) -AC_DEFUN([LSH_LIB_ARGP], -[ ac_argp_save_LIBS="$LIBS" - ac_argp_save_LDFLAGS="$LDFLAGS" - ac_argp_ok=no - # First check if we can link with argp. - AC_SEARCH_LIBS(argp_parse, argp, - [ LSH_RPATH_FIX - AC_CACHE_CHECK([for working argp], - lsh_cv_lib_argp_works, - [ AC_TRY_RUN( -[#include -#include - -static const struct argp_option -options[] = -{ - { NULL, 0, NULL, 0, NULL, 0 } -}; - -struct child_state -{ - int n; -}; - -static error_t -child_parser(int key, char *arg, struct argp_state *state) -{ - struct child_state *input = (struct child_state *) state->input; - - switch(key) - { - default: - return ARGP_ERR_UNKNOWN; - case ARGP_KEY_END: - if (!input->n) - input->n = 1; - break; - } - return 0; -} - -const struct argp child_argp = -{ - options, - child_parser, - NULL, NULL, NULL, NULL, NULL -}; - -struct main_state -{ - struct child_state child; - int m; -}; - -static error_t -main_parser(int key, char *arg, struct argp_state *state) -{ - struct main_state *input = (struct main_state *) state->input; - - switch(key) - { - default: - return ARGP_ERR_UNKNOWN; - case ARGP_KEY_INIT: - state->child_inputs[0] = &input->child; - break; - case ARGP_KEY_END: - if (!input->m) - input->m = input->child.n; - - break; - } - return 0; -} - -static const struct argp_child -main_children[] = -{ - { &child_argp, 0, "", 0 }, - { NULL, 0, NULL, 0} -}; - -static const struct argp -main_argp = -{ options, 
main_parser, - NULL, - NULL, - main_children, - NULL, NULL -}; - -int main(int argc, char **argv) -{ - struct main_state input = { { 0 }, 0 }; - char *v[2] = { "foo", NULL }; - - argp_parse(&main_argp, 1, v, 0, NULL, &input); - - if ( (input.m == 1) && (input.child.n == 1) ) - return 0; - else - return 1; -} -], lsh_cv_lib_argp_works=yes, - lsh_cv_lib_argp_works=no, - lsh_cv_lib_argp_works=no)]) - - if test x$lsh_cv_lib_argp_works = xyes ; then - ac_argp_ok=yes - else - # Reset link flags - LIBS="$ac_argp_save_LIBS" - LDFLAGS="$ac_argp_save_LDFLAGS" - fi]) - - if test x$ac_argp_ok = xyes ; then - ifelse([$1],, true, [$1]) - else - ifelse([$2],, true, [$2]) - fi -]) - dnl LSH_GCC_ATTRIBUTES dnl Check for gcc's __attribute__ construction @@ -409,18 +247,6 @@ #endif /* !HAVE_STRSIGNAL */ ])]) -dnl LSH_MAKE_CONDITIONAL(symbol, test) -AC_DEFUN([LSH_MAKE_CONDITIONAL], -[if $2 ; then - IF_$1='' - UNLESS_$1='# ' -else - IF_$1='# ' - UNLESS_$1='' -fi -AC_SUBST(IF_$1) -AC_SUBST(UNLESS_$1)]) - dnl LSH_DEPENDENCY_TRACKING dnl Defines compiler flags DEP_FLAGS to generate dependency @@ -456,13 +282,6 @@ fi fi -if test x$enable_dependency_tracking = xyes ; then - DEP_INCLUDE='include ' -else - DEP_INCLUDE='# ' -fi - -AC_SUBST([DEP_INCLUDE]) AC_SUBST([DEP_FLAGS]) AC_SUBST([DEP_PROCESS])]) @@ -550,7 +369,7 @@ int main () { - exit(0); + return 0; } EOF gmp_compile="$1 conftest.c" @@ -591,7 +410,7 @@ int main () { - exit (0); + return 0; } EOF for i in .exe ,ff8 ""; do 
@@ -678,575 +497,6 @@ fi ]) -dnl @synopsis AX_CREATE_STDINT_H [( HEADER-TO-GENERATE [, HEADERS-TO-CHECK])] -dnl -dnl the "ISO C9X: 7.18 Integer types " section requires the -dnl existence of an include file that defines a set of -dnl typedefs, especially uint8_t,int32_t,uintptr_t. -dnl Many older installations will not provide this file, but some will -dnl have the very same definitions in . In other enviroments -dnl we can use the inet-types in which would define the -dnl typedefs int8_t and u_int8_t respectivly. -dnl -dnl This macros will create a local "_stdint.h" or the headerfile given as -dnl an argument. In many cases that file will just "#include " -dnl or "#include ", while in other environments it will provide -dnl the set of basic 'stdint's definitions/typedefs: -dnl int8_t,uint8_t,int16_t,uint16_t,int32_t,uint32_t,intptr_t,uintptr_t -dnl int_least32_t.. int_fast32_t.. intmax_t -dnl which may or may not rely on the definitions of other files, -dnl or using the AC_CHECK_SIZEOF macro to determine the actual -dnl sizeof each type. -dnl -dnl if your header files require the stdint-types you will want to create an -dnl installable file mylib-int.h that all your other installable header -dnl may include. So if you have a library package named "mylib", just use -dnl AX_CREATE_STDINT_H(mylib-int.h) -dnl in configure.ac and go to install that very header file in Makefile.am -dnl along with the other headers (mylib.h) - and the mylib-specific headers -dnl can simply use "#include " to obtain the stdint-types. -dnl -dnl Remember, if the system already had a valid , the generated -dnl file will include it directly. No need for fuzzy HAVE_STDINT_H things... 
-dnl -dnl @, (status: used on new platforms) (see http://ac-archive.sf.net/gstdint/) -dnl @author Guido Draheim - -AC_DEFUN([AX_CREATE_STDINT_H], -[# ------ AX CREATE STDINT H ------------------------------------- -AC_MSG_CHECKING([for stdint types]) -ac_stdint_h=`echo ifelse($1, , _stdint.h, $1)` -# try to shortcircuit - if the default include path of the compiler -# can find a "stdint.h" header then we assume that all compilers can. -AC_CACHE_VAL([ac_cv_header_stdint_t],[ -old_CXXFLAGS="$CXXFLAGS" ; CXXFLAGS="" -old_CPPFLAGS="$CPPFLAGS" ; CPPFLAGS="" -old_CFLAGS="$CFLAGS" ; CFLAGS="" -AC_TRY_COMPILE([#include ],[int_least32_t v = 0;], -[ac_cv_stdint_result="(assuming C99 compatible system)" - ac_cv_header_stdint_t="stdint.h"; ], -[ac_cv_header_stdint_t=""]) -CXXFLAGS="$old_CXXFLAGS" -CPPFLAGS="$old_CPPFLAGS" -CFLAGS="$old_CFLAGS" ]) - -v="... $ac_cv_header_stdint_h" -if test "$ac_stdint_h" = "stdint.h" ; then - AC_MSG_RESULT([(are you sure you want them in ./stdint.h?)]) -elif test "$ac_stdint_h" = "inttypes.h" ; then - AC_MSG_RESULT([(are you sure you want them in ./inttypes.h?)]) -elif test "_$ac_cv_header_stdint_t" = "_" ; then - AC_MSG_RESULT([(putting them into $ac_stdint_h)$v]) -else - ac_cv_header_stdint="$ac_cv_header_stdint_t" - AC_MSG_RESULT([$ac_cv_header_stdint (shortcircuit)]) -fi - -if test "_$ac_cv_header_stdint_t" = "_" ; then # can not shortcircuit.. - -dnl .....intro message done, now do a few system checks..... 
-dnl btw, all CHECK_TYPE macros do automatically "DEFINE" a type, therefore -dnl we use the autoconf implementation detail _AC CHECK_TYPE_NEW instead - -inttype_headers=`echo $2 | sed -e 's/,/ /g'` - -ac_cv_stdint_result="(no helpful system typedefs seen)" -AC_CACHE_CHECK([for stdint uintptr_t], [ac_cv_header_stdint_x],[ - ac_cv_header_stdint_x="" # the 1997 typedefs (inttypes.h) - AC_MSG_RESULT([(..)]) - for i in stdint.h inttypes.h sys/inttypes.h $inttype_headers ; do - unset ac_cv_type_uintptr_t - unset ac_cv_type_uint64_t - _AC_CHECK_TYPE_NEW(uintptr_t,[ac_cv_header_stdint_x=$i],dnl - continue,[#include <$i>]) - AC_CHECK_TYPE(uint64_t,[and64="/uint64_t"],[and64=""],[#include<$i>]) - ac_cv_stdint_result="(seen uintptr_t$and64 in $i)" - break; - done - AC_MSG_CHECKING([for stdint uintptr_t]) - ]) - -if test "_$ac_cv_header_stdint_x" = "_" ; then -AC_CACHE_CHECK([for stdint uint32_t], [ac_cv_header_stdint_o],[ - ac_cv_header_stdint_o="" # the 1995 typedefs (sys/inttypes.h) - AC_MSG_RESULT([(..)]) - for i in inttypes.h sys/inttypes.h stdint.h $inttype_headers ; do - unset ac_cv_type_uint32_t - unset ac_cv_type_uint64_t - AC_CHECK_TYPE(uint32_t,[ac_cv_header_stdint_o=$i],dnl - continue,[#include <$i>]) - AC_CHECK_TYPE(uint64_t,[and64="/uint64_t"],[and64=""],[#include<$i>]) - ac_cv_stdint_result="(seen uint32_t$and64 in $i)" - break; - done - AC_MSG_CHECKING([for stdint uint32_t]) - ]) -fi - -if test "_$ac_cv_header_stdint_x" = "_" ; then -if test "_$ac_cv_header_stdint_o" = "_" ; then -AC_CACHE_CHECK([for stdint u_int32_t], [ac_cv_header_stdint_u],[ - ac_cv_header_stdint_u="" # the BSD typedefs (sys/types.h) - AC_MSG_RESULT([(..)]) - for i in sys/types.h inttypes.h sys/inttypes.h $inttype_headers ; do - unset ac_cv_type_u_int32_t - unset ac_cv_type_u_int64_t - AC_CHECK_TYPE(u_int32_t,[ac_cv_header_stdint_u=$i],dnl - continue,[#include <$i>]) - AC_CHECK_TYPE(u_int64_t,[and64="/u_int64_t"],[and64=""],[#include<$i>]) - ac_cv_stdint_result="(seen u_int32_t$and64 in $i)" 
- break; - done - AC_MSG_CHECKING([for stdint u_int32_t]) - ]) -fi fi - -dnl if there was no good C99 header file, do some typedef checks... -if test "_$ac_cv_header_stdint_x" = "_" ; then - AC_MSG_CHECKING([for stdint datatype model]) - AC_MSG_RESULT([(..)]) - AC_CHECK_SIZEOF(char) - AC_CHECK_SIZEOF(short) - AC_CHECK_SIZEOF(int) - AC_CHECK_SIZEOF(long) - AC_CHECK_SIZEOF(void*) - ac_cv_stdint_char_model="" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_char" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_short" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_int" - ac_cv_stdint_long_model="" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_int" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_long" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_voidp" - name="$ac_cv_stdint_long_model" - case "$ac_cv_stdint_char_model/$ac_cv_stdint_long_model" in - 122/242) name="$name, IP16 (standard 16bit machine)" ;; - 122/244) name="$name, LP32 (standard 32bit mac/win)" ;; - 122/*) name="$name (unusual int16 model)" ;; - 124/444) name="$name, ILP32 (standard 32bit unixish)" ;; - 124/488) name="$name, LP64 (standard 64bit unixish)" ;; - 124/448) name="$name, LLP64 (unusual 64bit unixish)" ;; - 124/*) name="$name (unusual int32 model)" ;; - 128/888) name="$name, ILP64 (unusual 64bit numeric)" ;; - 128/*) name="$name (unusual int64 model)" ;; - 222/*|444/*) name="$name (unusual dsptype)" ;; - *) name="$name (very unusal model)" ;; - esac - AC_MSG_RESULT([combined for stdint datatype model... 
$name]) -fi - -if test "_$ac_cv_header_stdint_x" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_x" -elif test "_$ac_cv_header_stdint_o" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_o" -elif test "_$ac_cv_header_stdint_u" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_u" -else - ac_cv_header_stdint="stddef.h" -fi - -AC_MSG_CHECKING([for extra inttypes in chosen header]) -AC_MSG_RESULT([($ac_cv_header_stdint)]) -dnl see if int_least and int_fast types are present in _this_ header. -unset ac_cv_type_int_least32_t -unset ac_cv_type_int_fast32_t -AC_CHECK_TYPE(int_least32_t,,,[#include <$ac_cv_header_stdint>]) -AC_CHECK_TYPE(int_fast32_t,,,[#include<$ac_cv_header_stdint>]) -AC_CHECK_TYPE(intmax_t,,,[#include <$ac_cv_header_stdint>]) - -fi # shortcircut to system "stdint.h" -# ------------------ PREPARE VARIABLES ------------------------------ -if test "$GCC" = "yes" ; then -ac_cv_stdint_message="using gnu compiler "`$CC --version | head -1` -else -ac_cv_stdint_message="using $CC" -fi - -AC_MSG_RESULT([make use of $ac_cv_header_stdint in $ac_stdint_h dnl -$ac_cv_stdint_result]) - -# ----------------- DONE inttypes.h checks START header ------------- -AC_CONFIG_COMMANDS([$ac_stdint_h],[ -AC_MSG_NOTICE(creating $ac_stdint_h : $_ac_stdint_h) -ac_stdint=$tmp/_stdint.h - -echo "#ifndef" $_ac_stdint_h >$ac_stdint -echo "#define" $_ac_stdint_h "1" >>$ac_stdint -echo "#ifndef" _GENERATED_STDINT_H >>$ac_stdint -echo "#define" _GENERATED_STDINT_H '"'$PACKAGE $VERSION'"' >>$ac_stdint -echo "/* generated $ac_cv_stdint_message */" >>$ac_stdint -if test "_$ac_cv_header_stdint_t" != "_" ; then -echo "#define _STDINT_HAVE_STDINT_H" "1" >>$ac_stdint -fi - -cat >>$ac_stdint < -#else -#include - -/* .................... configured part ............................ 
*/ - -STDINT_EOF - -echo "/* whether we have a C99 compatible stdint header file */" >>$ac_stdint -if test "_$ac_cv_header_stdint_x" != "_" ; then - ac_header="$ac_cv_header_stdint_x" - echo "#define _STDINT_HEADER_INTPTR" '"'"$ac_header"'"' >>$ac_stdint -else - echo "/* #undef _STDINT_HEADER_INTPTR */" >>$ac_stdint -fi - -echo "/* whether we have a C96 compatible inttypes header file */" >>$ac_stdint -if test "_$ac_cv_header_stdint_o" != "_" ; then - ac_header="$ac_cv_header_stdint_o" - echo "#define _STDINT_HEADER_UINT32" '"'"$ac_header"'"' >>$ac_stdint -else - echo "/* #undef _STDINT_HEADER_UINT32 */" >>$ac_stdint -fi - -echo "/* whether we have a BSD compatible inet types header */" >>$ac_stdint -if test "_$ac_cv_header_stdint_u" != "_" ; then - ac_header="$ac_cv_header_stdint_u" - echo "#define _STDINT_HEADER_U_INT32" '"'"$ac_header"'"' >>$ac_stdint -else - echo "/* #undef _STDINT_HEADER_U_INT32 */" >>$ac_stdint -fi - -echo "" >>$ac_stdint - -if test "_$ac_header" != "_" ; then if test "$ac_header" != "stddef.h" ; then - echo "#include <$ac_header>" >>$ac_stdint - echo "" >>$ac_stdint -fi fi - -echo "/* which 64bit typedef has been found */" >>$ac_stdint -if test "$ac_cv_type_uint64_t" = "yes" ; then -echo "#define _STDINT_HAVE_UINT64_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_UINT64_T */" >>$ac_stdint -fi -if test "$ac_cv_type_u_int64_t" = "yes" ; then -echo "#define _STDINT_HAVE_U_INT64_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_U_INT64_T */" >>$ac_stdint -fi -echo "" >>$ac_stdint - -echo "/* which type model has been detected */" >>$ac_stdint -if test "_$ac_cv_stdint_char_model" != "_" ; then -echo "#define _STDINT_CHAR_MODEL" "$ac_cv_stdint_char_model" >>$ac_stdint -echo "#define _STDINT_LONG_MODEL" "$ac_cv_stdint_long_model" >>$ac_stdint -else -echo "/* #undef _STDINT_CHAR_MODEL // skipped */" >>$ac_stdint -echo "/* #undef _STDINT_LONG_MODEL // skipped */" >>$ac_stdint -fi -echo "" >>$ac_stdint - -echo "/* whether int_least types 
were detected */" >>$ac_stdint -if test "$ac_cv_type_int_least32_t" = "yes"; then -echo "#define _STDINT_HAVE_INT_LEAST32_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_INT_LEAST32_T */" >>$ac_stdint -fi -echo "/* whether int_fast types were detected */" >>$ac_stdint -if test "$ac_cv_type_int_fast32_t" = "yes"; then -echo "#define _STDINT_HAVE_INT_FAST32_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_INT_FAST32_T */" >>$ac_stdint -fi -echo "/* whether intmax_t type was detected */" >>$ac_stdint -if test "$ac_cv_type_intmax_t" = "yes"; then -echo "#define _STDINT_HAVE_INTMAX_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_INTMAX_T */" >>$ac_stdint -fi -echo "" >>$ac_stdint - - cat >>$ac_stdint <= 199901L -#define _HAVE_UINT64_T -typedef long long int64_t; -typedef unsigned long long uint64_t; - -#elif !defined __STRICT_ANSI__ -#if defined _MSC_VER || defined __WATCOMC__ || defined __BORLANDC__ -#define _HAVE_UINT64_T -typedef __int64 int64_t; -typedef unsigned __int64 uint64_t; - -#elif defined __GNUC__ || defined __MWERKS__ || defined __ELF__ -/* note: all ELF-systems seem to have loff-support which needs 64-bit */ -#if !defined _NO_LONGLONG -#define _HAVE_UINT64_T -typedef long long int64_t; -typedef unsigned long long uint64_t; -#endif - -#elif defined __alpha || (defined __mips && defined _ABIN32) -#if !defined _NO_LONGLONG -typedef long int64_t; -typedef unsigned long uint64_t; -#endif - /* compiler/cpu type to define int64_t */ -#endif -#endif -#endif - -#if defined _STDINT_HAVE_U_INT_TYPES -/* int8_t int16_t int32_t defined by inet code, redeclare the u_intXX types */ -typedef u_int8_t uint8_t; -typedef u_int16_t uint16_t; -typedef u_int32_t uint32_t; - -/* glibc compatibility */ -#ifndef __int8_t_defined -#define __int8_t_defined -#endif -#endif - -#ifdef _STDINT_NEED_INT_MODEL_T -/* we must guess all the basic types. 
Apart from byte-adressable system, */ -/* there a few 32-bit-only dsp-systems that we guard with BYTE_MODEL 8-} */ -/* (btw, those nibble-addressable systems are way off, or so we assume) */ - -dnl /* have a look at "64bit and data size neutrality" at */ -dnl /* http://unix.org/version2/whatsnew/login_64bit.html */ -dnl /* (the shorthand "ILP" types always have a "P" part) */ - -#if defined _STDINT_BYTE_MODEL -#if _STDINT_LONG_MODEL+0 == 242 -/* 2:4:2 = IP16 = a normal 16-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned long uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef long int32_t; -#endif -#elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL == 444 -/* 2:4:4 = LP32 = a 32-bit system derived from a 16-bit */ -/* 4:4:4 = ILP32 = a normal 32-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned int uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef int int32_t; -#endif -#elif _STDINT_LONG_MODEL+0 == 484 || _STDINT_LONG_MODEL+0 == 488 -/* 4:8:4 = IP32 = a 32-bit system prepared for 64-bit */ -/* 4:8:8 = LP64 = a normal 64-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned int uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef int int32_t; -#endif -/* this system has a "long" of 64bit */ -#ifndef _HAVE_UINT64_T -#define _HAVE_UINT64_T -typedef unsigned long uint64_t; -typedef long int64_t; -#endif -#elif _STDINT_LONG_MODEL+0 == 448 -/* LLP64 a 64-bit system derived from a 32-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned int uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef int int32_t; -#endif -/* assuming the 
system has a "long long" */ -#ifndef _HAVE_UINT64_T -#define _HAVE_UINT64_T -typedef unsigned long long uint64_t; -typedef long long int64_t; -#endif -#else -#define _STDINT_NO_INT32_T -#endif -#else -#define _STDINT_NO_INT8_T -#define _STDINT_NO_INT32_T -#endif -#endif - -/* - * quote from SunOS-5.8 sys/inttypes.h: - * Use at your own risk. As of February 1996, the committee is squarely - * behind the fixed sized types; the "least" and "fast" types are still being - * discussed. The probability that the "fast" types may be removed before - * the standard is finalized is high enough that they are not currently - * implemented. - */ - -#if defined _STDINT_NEED_INT_LEAST_T -typedef int8_t int_least8_t; -typedef int16_t int_least16_t; -typedef int32_t int_least32_t; -#ifdef _HAVE_UINT64_T -typedef int64_t int_least64_t; -#endif - -typedef uint8_t uint_least8_t; -typedef uint16_t uint_least16_t; -typedef uint32_t uint_least32_t; -#ifdef _HAVE_UINT64_T -typedef uint64_t uint_least64_t; -#endif - /* least types */ -#endif - -#if defined _STDINT_NEED_INT_FAST_T -typedef int8_t int_fast8_t; -typedef int int_fast16_t; -typedef int32_t int_fast32_t; -#ifdef _HAVE_UINT64_T -typedef int64_t int_fast64_t; -#endif - -typedef uint8_t uint_fast8_t; -typedef unsigned uint_fast16_t; -typedef uint32_t uint_fast32_t; -#ifdef _HAVE_UINT64_T -typedef uint64_t uint_fast64_t; -#endif - /* fast types */ -#endif - -#ifdef _STDINT_NEED_INTMAX_T -#ifdef _HAVE_UINT64_T -typedef int64_t intmax_t; -typedef uint64_t uintmax_t; -#else -typedef long intmax_t; -typedef unsigned long uintmax_t; -#endif -#endif - -#ifdef _STDINT_NEED_INTPTR_T -#ifndef __intptr_t_defined -#define __intptr_t_defined -/* we encourage using "long" to store pointer values, never use "int" ! 
*/ -#if _STDINT_LONG_MODEL+0 == 242 || _STDINT_LONG_MODEL+0 == 484 -typedef unsigned int uintptr_t; -typedef int intptr_t; -#elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL+0 == 444 -typedef unsigned long uintptr_t; -typedef long intptr_t; -#elif _STDINT_LONG_MODEL+0 == 448 && defined _HAVE_UINT64_T -typedef uint64_t uintptr_t; -typedef int64_t intptr_t; -#else /* matches typical system types ILP32 and LP64 - but not IP16 or LLP64 */ -typedef unsigned long uintptr_t; -typedef long intptr_t; -#endif -#endif -#endif - - /* shortcircuit*/ -#endif - /* once */ -#endif -#endif -STDINT_EOF - if cmp -s $ac_stdint_h $ac_stdint 2>/dev/null; then - AC_MSG_NOTICE([$ac_stdint_h is unchanged]) - else - ac_dir=`AS_DIRNAME(["$ac_stdint_h"])` - AS_MKDIR_P(["$ac_dir"]) - rm -f $ac_stdint_h - mv $ac_stdint $ac_stdint_h - fi -],[# variables for create stdint.h replacement -PACKAGE="$PACKAGE" -VERSION="$VERSION" -ac_stdint_h="$ac_stdint_h" -_ac_stdint_h=AS_TR_CPP(_$PACKAGE-$ac_stdint_h) -ac_cv_stdint_message="$ac_cv_stdint_message" -ac_cv_header_stdint_t="$ac_cv_header_stdint_t" -ac_cv_header_stdint_x="$ac_cv_header_stdint_x" -ac_cv_header_stdint_o="$ac_cv_header_stdint_o" -ac_cv_header_stdint_u="$ac_cv_header_stdint_u" -ac_cv_type_uint64_t="$ac_cv_type_uint64_t" -ac_cv_type_u_int64_t="$ac_cv_type_u_int64_t" -ac_cv_stdint_char_model="$ac_cv_stdint_char_model" -ac_cv_stdint_long_model="$ac_cv_stdint_long_model" -ac_cv_type_int_least32_t="$ac_cv_type_int_least32_t" -ac_cv_type_int_fast32_t="$ac_cv_type_int_fast32_t" -ac_cv_type_intmax_t="$ac_cv_type_intmax_t" -]) -]) - # ld-version-script.m4 serial 3 dnl Copyright (C) 2008-2014 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation 
@@ -1305,3 +555,27 @@ AC_SUBST(EXTRA_HOGWEED_LINKER_FLAGS) fi ]) + +dnl GMP_ASM_POWERPC_R_REGISTERS +dnl --------------------------- +dnl Determine whether the assembler takes powerpc registers with an "r" as +dnl in "r6", or as plain "6". The latter is standard, but NeXT, Rhapsody, +dnl and MacOS-X require the "r" forms. +dnl +dnl See also mpn/powerpc32/powerpc-defs.m4 which uses the result of this +dnl test. + +AC_DEFUN([GMP_ASM_POWERPC_R_REGISTERS], +[AC_CACHE_CHECK([if the assembler needs r on registers], + gmp_cv_asm_powerpc_r_registers, +[GMP_TRY_ASSEMBLE( +[ $gmp_cv_asm_text + mtctr r6], +[gmp_cv_asm_powerpc_r_registers=yes], +[GMP_TRY_ASSEMBLE( +[ .text + mtctr 6], +[gmp_cv_asm_powerpc_r_registers=no], +[AC_MSG_ERROR([neither "mtctr 6" nor "mtctr r6" works])])])]) +ASM_PPC_WANT_R_REGISTERS="$gmp_cv_asm_powerpc_r_registers" +]) diff -Nru nettle-3.4.1/aes128-set-decrypt-key.c nettle-3.7.3/aes128-set-decrypt-key.c --- nettle-3.4.1/aes128-set-decrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes128-set-decrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,7 +43,7 @@ void aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src) { - _aes_invert (_AES128_ROUNDS, dst->keys, src->keys); + _nettle_aes_invert (_AES128_ROUNDS, dst->keys, src->keys); } void diff -Nru nettle-3.4.1/aes128-set-encrypt-key.c nettle-3.7.3/aes128-set-encrypt-key.c --- nettle-3.4.1/aes128-set-encrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes128-set-encrypt-key.c 2021-06-06 20:06:29.000000000 +0000 
@@ -40,5 +40,5 @@ void aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) { - _aes_set_key (_AES128_ROUNDS, AES128_KEY_SIZE / 4, ctx->keys, key); + _nettle_aes_set_key (_AES128_ROUNDS, AES128_KEY_SIZE / 4, ctx->keys, key); } diff -Nru nettle-3.4.1/aes192-set-decrypt-key.c nettle-3.7.3/aes192-set-decrypt-key.c --- nettle-3.4.1/aes192-set-decrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes192-set-decrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -41,7 +41,7 @@ void aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src) { - _aes_invert (_AES192_ROUNDS, dst->keys, src->keys); + _nettle_aes_invert (_AES192_ROUNDS, dst->keys, src->keys); } void diff -Nru nettle-3.4.1/aes192-set-encrypt-key.c nettle-3.7.3/aes192-set-encrypt-key.c --- nettle-3.4.1/aes192-set-encrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes192-set-encrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -40,5 +40,5 @@ void aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) { - _aes_set_key (_AES192_ROUNDS, AES192_KEY_SIZE / 4, ctx->keys, key); + _nettle_aes_set_key (_AES192_ROUNDS, AES192_KEY_SIZE / 4, ctx->keys, key); } diff -Nru nettle-3.4.1/aes256-set-decrypt-key.c nettle-3.7.3/aes256-set-decrypt-key.c --- nettle-3.4.1/aes256-set-decrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes256-set-decrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -41,7 +41,7 @@ void aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src) { - _aes_invert (_AES256_ROUNDS, dst->keys, src->keys); + _nettle_aes_invert (_AES256_ROUNDS, dst->keys, src->keys); } void diff -Nru nettle-3.4.1/aes256-set-encrypt-key.c nettle-3.7.3/aes256-set-encrypt-key.c --- nettle-3.4.1/aes256-set-encrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes256-set-encrypt-key.c 2021-06-06 20:06:29.000000000 +0000 
@@ -40,5 +40,5 @@ void aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) { - _aes_set_key (_AES256_ROUNDS, AES256_KEY_SIZE / 4, ctx->keys, key); + _nettle_aes_set_key (_AES256_ROUNDS, AES256_KEY_SIZE / 4, ctx->keys, key); } diff -Nru nettle-3.4.1/aes-decrypt.c nettle-3.7.3/aes-decrypt.c --- nettle-3.4.1/aes-decrypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-decrypt.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include +#include #include "aes-internal.h" @@ -349,9 +350,19 @@ size_t length, uint8_t *dst, const uint8_t *src) { - assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(ctx->rounds, ctx->keys, &_aes_decrypt_table, - length, dst, src); + switch (ctx->key_size) + { + default: abort(); + case AES128_KEY_SIZE: + aes128_decrypt(&ctx->u.ctx128, length, dst, src); + break; + case AES192_KEY_SIZE: + aes192_decrypt(&ctx->u.ctx192, length, dst, src); + break; + case AES256_KEY_SIZE: + aes256_decrypt(&ctx->u.ctx256, length, dst, src); + break; + } } void @@ -360,8 +371,8 @@ const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table, - length, dst, src); + _nettle_aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table, + length, dst, src); } void @@ -370,8 +381,8 @@ const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table, - length, dst, src); + _nettle_aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table, + length, dst, src); } void 
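Review bot: The `default: abort();` arm of the new `switch (ctx->key_size)` in `aes_decrypt` is the only guard against a `struct aes_ctx` whose `key_size` is not 16, 24 or 32, and it should carry a comment saying that this is deliberate fail-closed behaviour; the identical switch in `aes_encrypt` (aes-encrypt.c, same commit) needs the same comment. I take it `key_size` is written by the `aes_set_*_key` functions, which are not in view here. Suggested comment above the switch: `/* key_size selects the union member; any other value means the context was never set up, so abort rather than run with an unrelated key schedule. */`. The dropped `assert(!(length % AES_BLOCK_SIZE))` is not lost, since the three per-size functions in the following hunks still carry it. The function's signature line lies above this hunk.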
@@ -380,6 +391,6 @@ const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(_AES256_ROUNDS, ctx->keys, &_aes_decrypt_table, - length, dst, src); + _nettle_aes_decrypt(_AES256_ROUNDS, ctx->keys, &_aes_decrypt_table, + length, dst, src); } diff -Nru nettle-3.4.1/aes-decrypt-internal.c nettle-3.7.3/aes-decrypt-internal.c --- nettle-3.4.1/aes-decrypt-internal.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-decrypt-internal.c 2021-06-06 20:06:29.000000000 +0000 @@ -40,6 +40,16 @@ #include "aes-internal.h" #include "macros.h" +/* For fat builds */ +#if HAVE_NATIVE_aes_decrypt +void +_nettle_aes_decrypt_c(unsigned rounds, const uint32_t *keys, + const struct aes_table *T, + size_t length, uint8_t *dst, + const uint8_t *src); +#define _nettle_aes_decrypt _nettle_aes_decrypt_c +#endif + void _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, diff -Nru nettle-3.4.1/aes-encrypt.c nettle-3.7.3/aes-encrypt.c --- nettle-3.4.1/aes-encrypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-encrypt.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include +#include #include "aes-internal.h" @@ -47,9 +48,19 @@ size_t length, uint8_t *dst, const uint8_t *src) { - assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(ctx->rounds, ctx->keys, &_aes_encrypt_table, - length, dst, src); + switch (ctx->key_size) + { + default: abort(); + case AES128_KEY_SIZE: + aes128_encrypt(&ctx->u.ctx128, length, dst, src); + break; + case AES192_KEY_SIZE: + aes192_encrypt(&ctx->u.ctx192, length, dst, src); + break; + case AES256_KEY_SIZE: + aes256_encrypt(&ctx->u.ctx256, length, dst, src); + break; + } } void @@ -58,8 +69,8 @@ const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(_AES128_ROUNDS, ctx->keys, &_aes_encrypt_table, - length, dst, src); + _nettle_aes_encrypt(_AES128_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, + length, dst, src); } void 
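Review bot: The `/* For fat builds */` comment above the new `HAVE_NATIVE_aes_decrypt` block in aes-decrypt-internal.c is too terse for what the block does: the `#define _nettle_aes_decrypt _nettle_aes_decrypt_c` renames the definition that follows it, so in a fat build this file exports `_nettle_aes_decrypt_c` and leaves the unsuffixed name free for the native implementation (where that selection happens is not visible in this diff). Suggest expanding it to `/* Fat builds: compile this portable C version under the _c suffix, so that _nettle_aes_decrypt can be provided by the native variant instead. */`. The same block and comment appear in aes-encrypt-internal.c for `_nettle_aes_encrypt` and should get the matching wording. The definition of `_nettle_aes_decrypt` continues past the end of the hunk.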
@@ -68,8 +79,8 @@ const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(_AES192_ROUNDS, ctx->keys, &_aes_encrypt_table, - length, dst, src); + _nettle_aes_encrypt(_AES192_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, + length, dst, src); } void @@ -78,6 +89,6 @@ const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(_AES256_ROUNDS, ctx->keys, &_aes_encrypt_table, - length, dst, src); + _nettle_aes_encrypt(_AES256_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, + length, dst, src); } diff -Nru nettle-3.4.1/aes-encrypt-internal.c nettle-3.7.3/aes-encrypt-internal.c --- nettle-3.4.1/aes-encrypt-internal.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-encrypt-internal.c 2021-06-06 20:06:29.000000000 +0000 @@ -40,6 +40,16 @@ #include "aes-internal.h" #include "macros.h" +/* For fat builds */ +#if HAVE_NATIVE_aes_encrypt +void +_nettle_aes_encrypt_c(unsigned rounds, const uint32_t *keys, + const struct aes_table *T, + size_t length, uint8_t *dst, + const uint8_t *src); +#define _nettle_aes_encrypt _nettle_aes_encrypt_c +#endif + void _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, diff -Nru nettle-3.4.1/aes-encrypt-table.c nettle-3.7.3/aes-encrypt-table.c --- nettle-3.4.1/aes-encrypt-table.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-encrypt-table.c 2021-06-06 20:06:29.000000000 +0000 @@ -49,7 +49,7 @@ * consistent with the row numbering. */ const struct aes_table -_aes_encrypt_table = +_nettle_aes_encrypt_table = { /* sbox */ { 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5, diff -Nru nettle-3.4.1/aes.h nettle-3.7.3/aes.h --- nettle-3.4.1/aes.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/aes.h 2021-06-06 20:06:29.000000000 +0000 
@@ -71,42 +71,6 @@ #define _AES192_ROUNDS 12 #define _AES256_ROUNDS 14 -/* Variable key size between 128 and 256 bits. But the only valid - * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ -#define AES_MIN_KEY_SIZE AES128_KEY_SIZE -#define AES_MAX_KEY_SIZE AES256_KEY_SIZE - -/* Older nettle-2.7 interface */ - -#define AES_KEY_SIZE 32 - -struct aes_ctx -{ - unsigned rounds; /* number of rounds to use for our key size */ - uint32_t keys[4*(_AES256_ROUNDS + 1)]; /* maximum size of key schedule */ -}; - -void -aes_set_encrypt_key(struct aes_ctx *ctx, - size_t length, const uint8_t *key); - -void -aes_set_decrypt_key(struct aes_ctx *ctx, - size_t length, const uint8_t *key); - -void -aes_invert_key(struct aes_ctx *dst, - const struct aes_ctx *src); - -void -aes_encrypt(const struct aes_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); -void -aes_decrypt(const struct aes_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); - struct aes128_ctx { uint32_t keys[4 * (_AES128_ROUNDS + 1)]; 
@@ -170,6 +134,50 @@ size_t length, uint8_t *dst, const uint8_t *src); +/* The older nettle-2.7 AES interface is deprecated, please migrate to + the newer interface where each algorithm has a fixed key size. */ + +/* Variable key size between 128 and 256 bits. But the only valid + * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ +#define AES_MIN_KEY_SIZE AES128_KEY_SIZE +#define AES_MAX_KEY_SIZE AES256_KEY_SIZE + +#define AES_KEY_SIZE 32 + +struct aes_ctx +{ + unsigned key_size; /* In octets */ + union { + struct aes128_ctx ctx128; + struct aes192_ctx ctx192; + struct aes256_ctx ctx256; + } u; +}; + +void +aes_set_encrypt_key(struct aes_ctx *ctx, + size_t length, const uint8_t *key) + _NETTLE_ATTRIBUTE_DEPRECATED; + +void +aes_set_decrypt_key(struct aes_ctx *ctx, + size_t length, const uint8_t *key) + _NETTLE_ATTRIBUTE_DEPRECATED; + +void +aes_invert_key(struct aes_ctx *dst, + const struct aes_ctx *src) + _NETTLE_ATTRIBUTE_DEPRECATED; + +void +aes_encrypt(const struct aes_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED; +void +aes_decrypt(const struct aes_ctx *ctx, + size_t length, uint8_t *dst, + const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED; + #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/aes-internal.h nettle-3.7.3/aes-internal.h --- nettle-3.4.1/aes-internal.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/aes-internal.h 2021-06-06 20:06:29.000000000 +0000 @@ -36,13 +36,6 @@ #include "aes.h" -/* Name mangling */ -#define _aes_set_key _nettle_aes_set_key -#define _aes_invert _nettle_aes_invert -#define _aes_encrypt _nettle_aes_encrypt -#define _aes_decrypt _nettle_aes_decrypt -#define _aes_encrypt_table _nettle_aes_encrypt_table - /* Define to use only small tables. */ #ifndef AES_SMALL # define AES_SMALL 0 
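Review bot: The deprecation comment at the top of the hunk only says to migrate, but the hunk also changes `struct aes_ctx` itself: the `rounds` and `keys` members of the 3.4.1 struct (removed in the preceding hunk) are replaced by `key_size` plus a union of the fixed-size contexts, so caller code that reached into those members no longer compiles, and a context laid out by a 3.4.1 build is not interchangeable with this one even though the first member is still an `unsigned`. Worth one more sentence in that comment, e.g. `The layout of struct aes_ctx has changed; treat it as opaque and access it only through the aes_* functions below.` `_NETTLE_ATTRIBUTE_DEPRECATED` is presumably defined in a header not shown here; the .c files in this patch redefine it as empty before including aes.h to silence the warning on their own definitions.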
@@ -61,23 +54,23 @@ }; void -_aes_set_key(unsigned nr, unsigned nk, - uint32_t *subkeys, const uint8_t *key); +_nettle_aes_set_key(unsigned nr, unsigned nk, + uint32_t *subkeys, const uint8_t *key); void -_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src); +_nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src); void -_aes_encrypt(unsigned rounds, const uint32_t *keys, - const struct aes_table *T, - size_t length, uint8_t *dst, - const uint8_t *src); +_nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, + const struct aes_table *T, + size_t length, uint8_t *dst, + const uint8_t *src); void -_aes_decrypt(unsigned rounds, const uint32_t *keys, - const struct aes_table *T, - size_t length, uint8_t *dst, - const uint8_t *src); +_nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, + const struct aes_table *T, + size_t length, uint8_t *dst, + const uint8_t *src); /* Macros */ /* Get the byte with index 0, 1, 2 and 3 */ @@ -105,7 +98,7 @@ /* Globally visible so that the same sbox table can be used by aes_set_encrypt_key */ -extern const struct aes_table _aes_encrypt_table; -#define aes_sbox (_aes_encrypt_table.sbox) +extern const struct aes_table _nettle_aes_encrypt_table; +#define aes_sbox (_nettle_aes_encrypt_table.sbox) #endif /* NETTLE_AES_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/aes-invert-internal.c nettle-3.7.3/aes-invert-internal.c --- nettle-3.4.1/aes-invert-internal.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-invert-internal.c 2021-06-06 20:06:29.000000000 +0000 
@@ -132,7 +132,7 @@ do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void -_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) +_nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) { unsigned i; diff -Nru nettle-3.4.1/aes-set-decrypt-key.c nettle-3.7.3/aes-set-decrypt-key.c --- nettle-3.4.1/aes-set-decrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-set-decrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,14 +36,32 @@ # include "config.h" #endif -#include "aes-internal.h" +#include + +/* This file implements and uses deprecated functions */ +#define _NETTLE_ATTRIBUTE_DEPRECATED + +#include "aes.h" void aes_invert_key(struct aes_ctx *dst, const struct aes_ctx *src) { - _aes_invert (src->rounds, dst->keys, src->keys); - dst->rounds = src->rounds; + switch (src->key_size) + { + default: abort(); + case AES128_KEY_SIZE: + aes128_invert_key(&dst->u.ctx128, &src->u.ctx128); + break; + case AES192_KEY_SIZE: + aes192_invert_key(&dst->u.ctx192, &src->u.ctx192); + break; + case AES256_KEY_SIZE: + aes256_invert_key(&dst->u.ctx256, &src->u.ctx256); + break; + } + + dst->key_size = src->key_size; } void diff -Nru nettle-3.4.1/aes-set-encrypt-key.c nettle-3.7.3/aes-set-encrypt-key.c --- nettle-3.4.1/aes-set-encrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-set-encrypt-key.c 2021-06-06 20:06:29.000000000 +0000 
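Review bot: `aes_invert_key` in the aes-set-decrypt-key.c hunk now dispatches on `src->key_size` and reaches `default: abort();` for anything other than 16, 24 or 32, which the 3.4.1 code (an unconditional `_aes_invert` on `src->rounds`) never did; a zeroed or never-keyed context that previously produced garbage quietly now terminates the process. Failing closed is the right choice for a key-schedule routine, but the reason deserves a comment at the switch, e.g. `/* key_size is only ever written by aes_set_*_key; any other value means an uninitialised context, so fail closed rather than invert garbage. */`. `abort()` needs `<stdlib.h>`; the added `#include` line lost its header name in this rendering, so confirm that is what it pulls in. The `aes_set_decrypt_key` definition that starts on the hunk's last line continues outside it.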
@@ -36,32 +36,27 @@ # include "config.h" #endif -#include #include -#include "aes-internal.h" +#include "aes.h" void aes_set_encrypt_key(struct aes_ctx *ctx, - size_t keysize, const uint8_t *key) + size_t key_size, const uint8_t *key) { - unsigned nk, nr; - - assert(keysize >= AES_MIN_KEY_SIZE); - assert(keysize <= AES_MAX_KEY_SIZE); + switch (key_size) + { + default: abort(); + case AES128_KEY_SIZE: + aes128_set_encrypt_key(&ctx->u.ctx128, key); + break; + case AES192_KEY_SIZE: + aes192_set_encrypt_key(&ctx->u.ctx192, key); + break; + case AES256_KEY_SIZE: + aes256_set_encrypt_key(&ctx->u.ctx256, key); + break; + } - /* Truncate keysizes to the valid key sizes provided by Rijndael */ - if (keysize == AES256_KEY_SIZE) { - nk = 8; - nr = _AES256_ROUNDS; - } else if (keysize >= AES192_KEY_SIZE) { - nk = 6; - nr = _AES192_ROUNDS; - } else { /* must be 16 or more */ - nk = 4; - nr = _AES128_ROUNDS; - } - - ctx->rounds = nr; - _aes_set_key (nr, nk, ctx->keys, key); + ctx->key_size = key_size; } diff -Nru nettle-3.4.1/aes-set-key-internal.c nettle-3.7.3/aes-set-key-internal.c --- nettle-3.4.1/aes-set-key-internal.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/aes-set-key-internal.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,8 +43,8 @@ #include "macros.h" void -_aes_set_key(unsigned nr, unsigned nk, - uint32_t *subkeys, const uint8_t *key) +_nettle_aes_set_key(unsigned nr, unsigned nk, + uint32_t *subkeys, const uint8_t *key) { static const uint8_t rcon[10] = { 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, diff -Nru nettle-3.4.1/arm/aes-decrypt-internal.asm nettle-3.7.3/arm/aes-decrypt-internal.asm --- nettle-3.4.1/arm/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/aes-decrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/aes-decrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
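Review bot: `aes_set_encrypt_key` silently changes its contract: 3.4.1 accepted any `keysize` from 16 to 32 (the two asserts disappear under NDEBUG) and rounded down to the nearest of 128/192/256 bits, quietly ignoring trailing key bytes for lengths such as 20 or 28, whereas the new `switch` accepts exactly 16, 24 and 32 and calls `abort()` for everything else. That is the safer behaviour, since discarding key material by accident is precisely what a caller must never get, but callers who relied on the old leniency now crash instead of getting a wrong-but-working cipher, and neither this hunk nor the aes.h comment (`the only valid values are 16 (128 bits), 24 (192 bits) and 32 (256 bits)`) says so. Suggest `/* Unlike nettle <= 3.4, non-standard lengths are rejected with abort() rather than rounded down. */` above the switch and the same sentence in the header comment. The removed `#include` is presumably `<assert.h>`; the one kept must be `<stdlib.h>` for `abort()` to be declared.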
@@ -28,39 +28,39 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`arm/aes.m4') -define(, ) -define(, ) -define(, ) -define(, ) +define(`PARAM_ROUNDS', `r0') +define(`PARAM_KEYS', `r1') +define(`TABLE', `r2') +define(`PARAM_LENGTH', `r3') C On stack: DST, SRC -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) C Overlaps inputs, except TABLE -define(, ) -define(, ) -define(, ) -define(, ) C lr - -define(, <[sp]>) -define(, <[sp, #+4]>) -define(, <[sp, #+8]>) +define(`W0', `r4') +define(`W1', `r5') +define(`W2', `r6') +define(`W3', `r7') +define(`T0', `r8') +define(`COUNT', `r10') +define(`KEY', `r11') + +define(`MASK', `r0') C Overlaps inputs, except TABLE +define(`X0', `r1') +define(`X1', `r3') +define(`X2', `r12') +define(`X3', `r14') C lr + +define(`FRAME_ROUNDS', `[sp]') +define(`FRAME_KEYS', `[sp, #+4]') +define(`FRAME_LENGTH', `[sp, #+8]') C 8 saved registers -define(, <[sp, #+44]>) -define(, <[sp, #+48]>) +define(`FRAME_DST', `[sp, #+44]') +define(`FRAME_SRC', `[sp, #+48]') -define(, < +define(`AES_DECRYPT_ROUND', ` and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] and T0, MASK, $2, lsl #2 @@ -118,7 +118,7 @@ eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ->) +') .file "aes-decrypt-internal.asm" diff -Nru nettle-3.4.1/arm/aes-encrypt-internal.asm nettle-3.7.3/arm/aes-encrypt-internal.asm --- nettle-3.4.1/arm/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/aes-encrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/aes-encrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,9 +28,9 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`arm/aes.m4') C Benchmarked at at 725, 815, 990 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. @@ -38,37 +38,37 @@ C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. -define(, ) -define(, ) -define(
, ) -define(, ) +define(`PARAM_ROUNDS', `r0') +define(`PARAM_KEYS', `r1') +define(`TABLE', `r2') +define(`PARAM_LENGTH', `r3') C On stack: DST, SRC -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) C Overlaps inputs, except TABLE -define(, ) -define(, ) -define(, ) -define(, ) C lr - -define(, <[sp]>) -define(, <[sp, #+4]>) -define(, <[sp, #+8]>) +define(`W0', `r4') +define(`W1', `r5') +define(`W2', `r6') +define(`W3', `r7') +define(`T0', `r8') +define(`COUNT', `r10') +define(`KEY', `r11') + +define(`MASK', `r0') C Overlaps inputs, except TABLE +define(`X0', `r1') +define(`X1', `r3') +define(`X2', `r12') +define(`X3', `r14') C lr + +define(`FRAME_ROUNDS', `[sp]') +define(`FRAME_KEYS', `[sp, #+4]') +define(`FRAME_LENGTH', `[sp, #+8]') C 8 saved registers -define(, <[sp, #+44]>) -define(, <[sp, #+48]>) +define(`FRAME_DST', `[sp, #+44]') +define(`FRAME_SRC', `[sp, #+48]') C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) C MASK should hold the constant 0x3fc. -define(, < +define(`AES_ENCRYPT_ROUND', ` and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] @@ -127,7 +127,7 @@ eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ->) +') .file "aes-encrypt-internal.asm" diff -Nru nettle-3.4.1/arm/aes.m4 nettle-3.7.3/arm/aes.m4 --- nettle-3.4.1/arm/aes.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/aes.m4 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C Loads one word, and adds it to the subkey. Uses T0 C AES_LOAD(SRC, KEY, REG) -define(, < +define(`AES_LOAD', ` ldrb $3, [$1], #+1 ldrb T0, [$1], #+1 orr $3, T0, lsl #8 @@ -10,10 +10,10 @@ orr $3, T0, lsl #24 ldr T0, [$2], #+4 eor $3, T0 ->) +') C Stores one word. Destroys input. C AES_STORE(DST, X) -define(, < +define(`AES_STORE', ` strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 
@@ -21,10 +21,10 @@ strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ->) +') C AES_FINAL_ROUND_V6(a,b,c,d,key,res) -define(, < +define(`AES_FINAL_ROUND_V6', ` uxtb T0, $1 ldrb $6, [TABLE, T0] uxtb T0, $2, ror #8 @@ -37,12 +37,12 @@ eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, $6, T0 ->) +') C AES_FINAL_ROUND_V5(a,b,c,d,key,res,mask) C Avoids the uxtb instruction, introduced in ARMv6. C The mask argument should hold the constant 0xff -define(, < +define(`AES_FINAL_ROUND_V5', ` and T0, $7, $1 ldrb $6, [TABLE, T0] and T0, $7, $2, ror #8 @@ -55,4 +55,4 @@ eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, T0 ->) +') diff -Nru nettle-3.4.1/arm/ecc-192-modp.asm nettle-3.7.3/arm/ecc-192-modp.asm --- nettle-3.4.1/arm/ecc-192-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/ecc-192-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,106 +0,0 @@ -C arm/ecc-192-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "ecc-192-modp.asm" - .arm - -define(, ) C Overlaps unused modulo argument -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) C Overlaps T0 and T1 -define(

, ) -define(, ) -define(, ) - - C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) - .text - .align 2 - -PROLOGUE(nettle_ecc_192_modp) - push {r4,r5,r6,r7,r8,r10} - C Reduce two words at a time - add HP, RP, #48 - add RP, RP, #8 - ldmdb HP!, {H0,H1} - ldm RP, {T2,T3,T4,T5,T6,T7} - mov C4, #0 - adds T4, T4, H0 - adcs T5, T5, H1 - adcs T6, T6, H0 - adcs T7, T7, H1 - C Need to add carry to T2 and T4, do T4 later. - adc C4, C4, #0 - - ldmdb HP!, {H0,H1} - mov C2, #0 - adcs T2, T2, H0 - adcs T3, T3, H1 - adcs T4, T4, H0 - adcs T5, T5, H1 - C Need to add carry to T0 and T2, do T2 later - adc C2, C2, #0 - - ldmdb RP!, {T0, T1} - adcs T0, T0, T6 - adcs T1, T1, T7 - adcs T2, T2, T6 - adcs T3, T3, T7 - adc C4, C4, #0 - - adds T2, T2, C2 - adcs T3, T3, #0 - adcs T4, T4, C4 - adcs T5, T5, #0 - mov C2, #0 - adc C2, C2, #0 - - C Add in final carry - adcs T0, T0, #0 - adcs T1, T1, #0 - adcs T2, T2, C2 - adcs T3, T3, #0 - adcs T4, T4, #0 - adc T5, T5, #0 - - stm RP, {T0,T1,T2,T3,T4,T5} - - pop {r4,r5,r6,r7,r8,r10} - bx lr -EPILOGUE(nettle_ecc_192_modp) diff -Nru nettle-3.4.1/arm/ecc-224-modp.asm nettle-3.7.3/arm/ecc-224-modp.asm --- nettle-3.4.1/arm/ecc-224-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/ecc-224-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,124 +0,0 @@ -C arm/ecc-224-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "ecc-224-modp.asm" - .arm - -define(, ) -define(, ) C Overlaps unused modulo argument - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - - C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) - .text - .align 2 - -PROLOGUE(nettle_ecc_224_modp) - push {r4,r5,r6,r7,r8,r10,r11,lr} - - add L2, RP, #28 - ldm L2, {T0,T1,T2,T3,T4,T5,T6} - mov H, #0 - - adds T0, T0, T4 - adcs T1, T1, T5 - adcs T2, T2, T6 - adc H, H, #0 - - C This switch from adcs to sbcs takes carry into account with - C correct sign, but it always subtracts 1 too much. We arrange - C to also add B^7 + 1 below, so the effect is adding p. This - C addition of p also ensures that the result never is - C negative. 
- - sbcs N3, T3, T0 - sbcs T4, T4, T1 - sbcs T5, T5, T2 - sbcs T6, T6, H - mov H, #1 C This is the B^7 - sbc H, #0 - subs T6, T6, T3 - sbc H, #0 - - C Now subtract from low half - ldm RP!, {L0,L1,L2} - - C Clear carry, with the sbcs, this is the 1. - adds RP, #0 - - sbcs T0, L0, T0 - sbcs T1, L1, T1 - sbcs T2, L2, T2 - ldm RP!, {T3,L0,L1,L2} - sbcs T3, T3, N3 - sbcs T4, L0, T4 - sbcs T5, L1, T5 - sbcs T6, L2, T6 - rsc H, H, #0 - - C Now -2 <= H <= 0 is the borrow, so subtract (B^3 - 1) |H| - C Use (B^3 - 1) H = if -1 <=H <= 0, and - C (B^3 - 1) H = <1,B-1, B-1, B-2> if H = -2 - subs T0, T0, H - asr L1, H, #1 - sbcs T1, T1, L1 - eor H, H, L1 - sbcs T2, T2, L1 - sbcs T3, T3, H - sbcs T4, T4, #0 - sbcs T5, T5, #0 - sbcs T6, T6, #0 - sbcs H, H, H - - C Final borrow, subtract (B^3 - 1) |H| - subs T0, T0, H - sbcs T1, T1, H - sbcs T2, T2, H - sbcs T3, T3, #0 - sbcs T4, T4, #0 - sbcs T5, T5, #0 - sbcs T6, T6, #0 - - stmdb RP, {T0,T1,T2,T3,T4,T5,T6} - - pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_224_modp) diff -Nru nettle-3.4.1/arm/ecc-256-redc.asm nettle-3.7.3/arm/ecc-256-redc.asm --- nettle-3.4.1/arm/ecc-256-redc.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/ecc-256-redc.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,173 +0,0 @@ -C arm/ecc-256-redc.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "ecc-256-redc.asm" - .arm - -define(, ) - -define(, ) C Overlaps unused modulo argument -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - - C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp) - .text - .align 2 - -PROLOGUE(nettle_ecc_256_redc) - push {r4,r5,r6,r7,r8,r10,r11,lr} - - ldm RP!, {T0,T1,T2,T3,T4,T5,T6,T7} - - C Set to the high 4 limbs of (B^2-B+1) - C T2 T1 - C T2 T1 T0 - C - T2 T1 T0 - C ------------- - C F3 F2 F1 F0 - - - adds F1, T0, T2 - adcs F2, T1, #0 - adc F3, T2, #0 - - subs F0, T1, T0 - sbcs F1, F1, T1 C Could also be rsc ? - sbcs F2, F2, T2 - sbc F3, F3, #0 - - C Add: - C T10 T9 T8 T7 T6 T5 T4 T3 - C + F3 F2 F1 F0 T0 T2 T1 T0 - C -------------------------- - C T7 T6 T5 T4 T3 T2 T1 T0 - - adds T3, T3, T0 - adcs T1, T4, T1 - adcs T2, T5, T2 - adcs T6, T6, T0 - mov T0, T3 C FIXME: Be more clever? 
- mov T3, T6 - adcs T4, T7, F0 - - ldm RP!, {T5,T6,T7} - adcs T5, T5, F1 - adcs T6, T6, F2 - adcs T7, T7, F3 - - C New F3, F2, F1, F0, also adding in carry - adcs F1, T0, T2 - adcs F2, T1, #0 - adc F3, T2, #0 - - subs F0, T1, T0 - sbcs F1, F1, T1 C Could also be rsc ? - sbcs F2, F2, T2 - sbc F3, F3, #0 - - C Start adding - adds T3, T3, T0 - adcs T1, T4, T1 - adcs T2, T5, T2 - adcs T6, T6, T0 - mov T0, T3 C FIXME: Be more clever? - mov T3, T6 - adcs T4, T7, F0 - - ldm RP!, {T5,T6,T7} - adcs T5, T5, F1 - adcs T6, T6, F2 - adcs T7, T7, F3 - - C Final iteration, eliminate only T0, T1 - C Set to the high 3 limbs of (B^2-B+1) - - C T1 T0 T1 - C - T1 T0 - C ------------- - C F2 F1 F0 - - C First add in carry - adcs F1, T0, #0 - adcs F2, T1, #0 - subs F0, T1, T0 - sbcs F1, F1, T1 - sbc F2, F2, #0 - - C Add: - C T9 T8 T7 T6 T5 T4 T3 T2 - C + F2 F1 F0 T0 0 T1 T0 0 - C -------------------------- - C F2 F1 T7 T6 T5 T4 T3 T2 - - adds T3, T3, T0 - adcs T4, T4, T1 - adcs T5, T5, #0 - adcs T6, T6, T0 - adcs T7, T7, F0 - ldm RP!, {T0, T1} - mov F3, #0 - adcs F1, F1, T0 - adcs F2, F2, T1 - - C Sum is < B^8 + p, so it's enough to fold carry once, - C If carry, add in - C B^7 - B^6 - B^3 + 1 = <0, B-2, B-1, B-1, B-1, 0, 0, 1> - - C Mask from carry flag, leaving carry intact - adc F3, F3, #0 - rsb F3, F3, #0 - - adcs T0, T2, #0 - adcs T1, T3, #0 - adcs T2, T4, #0 - adcs T3, T5, F3 - adcs T4, T6, F3 - adcs T5, T7, F3 - and F3, F3, #-2 - adcs T6, F1, F3 - adcs T7, F2, #0 - - sub RP, RP, #64 - stm RP, {T0,T1,T2,T3,T4,T5,T6,T7} - - pop {r4,r5,r6,r7,r8,r10,r11,pc} -EPILOGUE(nettle_ecc_256_redc) diff -Nru nettle-3.4.1/arm/ecc-384-modp.asm nettle-3.7.3/arm/ecc-384-modp.asm --- nettle-3.4.1/arm/ecc-384-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/ecc-384-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,270 +0,0 @@ -C arm/ecc-384-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "ecc-384-modp.asm" - .arm - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - - C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp) - .text - .align 2 - -PROLOGUE(nettle_ecc_384_modp) - push {r4,r5,r6,r7,r8,r10,lr} - - add RP, RP, #80 - ldm RP, {T0, T1, T2, T3} C 20-23 - - C First get top 4 limbs, which need folding twice, as - C - C T3 T2 T1 T0 - C T3 T2 T1 - C -T3 - C ---------------- - C F4 F3 F2 F1 F0 - C - C Start with - C - C T3 T1 T0 - C T1 - C -T3 - C ----------- - C F2 F1 F0 Always fits - - adds F0, T0, T1 - adcs F1, T1, #0 - adcs F2, T3, #0 - subs F0, F0, T3 - sbcs F1, F1, #0 - sbcs F2, F2, #0 - - C T3 T2 T2 0 - C F2 F1 F0 - C ---------------- - C F4 F3 F2 F1 F0 - - mov F4, #0 - adds F1, F1, T2 - adcs F2, F2, T2 - adcs F3, T3, #0 - adcs F4, F4, #0 - - C Add in to high part - sub RP, RP, #32 - ldm RP, {T0, T1, T2, T3} C 12-15 - mov H, #0 - adds F0, T0, F0 - adcs F1, T1, F1 - adcs F2, T2, F2 - adcs F3, T3, F3 - adcs F4, F4, #0 C Do F4 later - - C Add to low part, keeping carry (positive or negative) in H - sub RP, RP, #48 - ldm RP, {T0, T1, T2, T3} C 0-3 - mov H, #0 - adds T0, T0, F0 - adcs T1, T1, F1 - adcs T2, T2, F2 - adcs T3, T3, F3 - adc H, H, #0 - subs T1, T1, F0 - sbcs T2, T2, F1 - sbcs T3, T3, F2 - sbc H, H, #0 - adds T3, T3, F0 - adc H, H, #0 - - stm RP!, {T0,T1,T2,T3} C 0-3 - mov N, #2 -.Loop: - ldm RP, {T0,T1,T2,T3} C 4-7 - - C First, propagate carry - adds T0, T0, H - asr H, #31 C Sign extend - adcs T1, T1, H - adcs T2, T2, H - adcs T3, T3, H - adc H, H, #0 - - C +B^4 term - adds T0, T0, F0 - adcs T1, T1, F1 - adcs T2, T2, F2 - adcs T3, T3, F3 - adc H, H, #0 - - C +B^3 terms - ldr F0, [RP, #+48] C 16 - adds T0, T0, F1 - adcs T1, T1, F2 - adcs T2, T2, F3 - adcs T3, T3, F0 - adc H, H, #0 - - C -B - ldr F1, [RP, #+52] C 17-18 - ldr F2, [RP, #+56] - subs T0, T0, F3 - sbcs T1, T1, F0 - sbcs T2, T2, F1 - sbcs T3, T3, F2 - sbcs H, H, #0 
- - C +1 - ldr F3, [RP, #+60] C 19 - adds T0, T0, F0 - adcs T1, T1, F1 - adcs T2, T2, F2 - adcs T3, T3, F3 - adc H, H, #0 - subs N, N, #1 - stm RP!, {T0,T1,T2,T3} - bne .Loop - - C Fold high limbs, we need to add in - C - C F4 F4 0 -F4 F4 H H 0 -H H - C - C We always have F4 >= 0, but we can have H < 0. - C Sign extension gets tricky when F4 = 0 and H < 0. - sub RP, RP, #48 - - ldm RP, {T0,T1,T2,T3} C 0-3 - - C H H 0 -H H - C ---------------- - C S H F3 F2 F1 F0 - C - C Define S = H >> 31 (asr), we then have - C - C F0 = H - C F1 = S - H - C F2 = - [H > 0] - C F3 = H - [H > 0] - C H = H + S - C - C And we get underflow in S - H iff H > 0 - - C H = 0 H > 0 H = -1 - mov F0, H C 0 H -1 - asr H, #31 - subs F1, H, F0 C 0,C=1 -H,C=0 0,C=1 - sbc F2, F2, F2 C 0 -1 0 - sbc F3, F0, #0 C 0 H-1 -1 - - adds T0, T0, F0 - adcs T1, T1, F1 - adcs T2, T2, F2 - adcs T3, T3, F3 - adc H, H, F0 C 0+cy H+cy -2+cy - - stm RP!, {T0,T1,T2,T3} C 0-3 - ldm RP, {T0,T1,T2,T3} C 4-7 - - C F4 0 -F4 - C --------- - C F3 F2 F1 - - rsbs F1, F4, #0 - sbc F2, F2, F2 - sbc F3, F4, #0 - - C Sign extend H - adds F0, F4, H - asr H, H, #31 - adcs F1, F1, H - adcs F2, F2, H - adcs F3, F3, H - adcs F4, F4, H - adc H, H, #0 - - adds T0, T0, F0 - adcs T1, T1, F1 - adcs T2, T2, F2 - adcs T3, T3, F3 - - stm RP!, {T0,T1,T2,T3} C 4-7 - ldm RP, {T0,T1,T2,T3} C 8-11 - - adcs T0, T0, F4 - adcs T1, T1, H - adcs T2, T2, H - adcs T3, T3, H - adc H, H, #0 - - stm RP, {T0,T1,T2,T3} C 8-11 - - C Final (unlikely) carry - sub RP, RP, #32 - ldm RP, {T0,T1,T2,T3} C 0-3 - C Fold H into F0-F4 - mov F0, H - asr H, #31 - subs F1, H, F0 - sbc F2, F2, F2 - sbc F3, F0, #0 - add F4, F0, H - - adds T0, T0, F0 - adcs T1, T1, F1 - adcs T2, T2, F2 - adcs T3, T3, F3 - - stm RP!, {T0,T1,T2,T3} C 0-3 - ldm RP, {T0,T1,T2,T3} C 4-7 - adcs T0, T0, F4 - adcs T1, T1, H - adcs T2, T2, H - adcs T3, T3, H - stm RP!, {T0,T1,T2,T3} C 4-7 - ldm RP, {T0,T1,T2,T3} C 8-11 - adcs T0, T0, H - adcs T1, T1, H - adcs T2, T2, H - adcs T3, T3, H - stm RP!, 
{T0,T1,T2,T3} C 8-11 - pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(nettle_ecc_384_modp) diff -Nru nettle-3.4.1/arm/ecc-521-modp.asm nettle-3.7.3/arm/ecc-521-modp.asm --- nettle-3.4.1/arm/ecc-521-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/ecc-521-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,127 +0,0 @@ -C arm/ecc-521-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "ecc-521-modp.asm" - .arm - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - - C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp) - .text -.Lc511: - .int 511 - - .align 2 - -PROLOGUE(nettle_ecc_521_modp) - push {r4,r5,r6,r7,r8,lr} - - C Use that B^17 = 2^23 (mod p) - ldr F3, [RP, #+68] C 17 - add HP, RP, #72 C 18 - ldr T0, [RP] C 0 - adds T0, T0, F3, lsl #23 - str T0, [RP], #+4 - mov N, #5 - - C 5 iterations, reading limbs 18-20, 21-23, 24-26, 27-29, 30-32 - C and adding to limbs 1-3, 4-6, 7-9, 19-12, 13-15 -.Loop: - ldm RP, {T0,T1,T2} C 1+3*k -- 3+3*k - lsr F0, F3, #9 - ldm HP!, {F1,F2,F3} C 18+3*k -- 20+3*k - orr F0, F0, F1, lsl #23 - lsr F1, F1, #9 - orr F1, F1, F2, lsl #23 - lsr F2, F2, #9 - orr F2, F2, F3, lsl #23 - adcs T0, T0, F0 - adcs T1, T1, F1 - adcs T2, T2, F2 - sub N, N, #1 - stm RP!,{T0,T1,T2} - teq N, #0 - bne .Loop - - ldr F0, [RP], #-64 C 16 - ldr F1, [HP] C 33 - ldr T0, .Lc511 - - C Handling of high limbs - C F0 = rp[16] + carry in + F3 >> 9 - adcs F0, F0, F3, lsr #9 - C Copy low 9 bits to H, then shift right including carry - and H, F0, T0 - mov F0, F0, rrx - lsr F0, F0, #8 - C Add in F1 = rp[33], with weight 2^1056 = 2^14 - adds F0, F0, F1, lsl #14 - lsr F1, F1, #18 - adc F1, F1, #0 - - ldm RP, {T0, T1} C 0-1 - adds T0, T0, F0 - adcs T1, T1, F1 - stm RP!, {T0, T1} - - ldm RP, {T0,T1,T2,F0,F1,F2,F3} C 2-8 - adcs T0, T0, #0 - adcs T1, T1, #0 - adcs T2, T2, #0 - adcs F0, F0, #0 - adcs F1, F1, #0 - adcs F2, F2, #0 - adcs F3, F3, #0 - stm RP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 - ldm RP, {T0,T1,T2,F0,F1,F2,F3} C 9-15 - adcs T0, T0, #0 - adcs T1, T1, #0 - adcs T2, T2, #0 - adcs F0, F0, #0 - adcs F1, F1, #0 - adcs F2, F2, #0 - adcs F3, F3, #0 - adcs H, H, #0 - stm RP, {T0,T1,T2,F0,F1,F2,F3,H} C 9-16 - - pop {r4,r5,r6,r7,r8,pc} -EPILOGUE(nettle_ecc_521_modp) diff -Nru nettle-3.4.1/arm/ecc-secp192r1-modp.asm nettle-3.7.3/arm/ecc-secp192r1-modp.asm --- 
nettle-3.4.1/arm/ecc-secp192r1-modp.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/arm/ecc-secp192r1-modp.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,107 @@ +C arm/ecc-secp192r1-modp.asm + +ifelse(` + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + + .file "ecc-secp192r1-modp.asm" + .arm + +define(`HP', `r0') C Overlaps unused modulo argument +define(`RP', `r1') +define(`XP', `r2') + +define(`T0', `r3') +define(`T1', `r4') +define(`T2', `r5') +define(`T3', `r6') +define(`T4', `r7') +define(`T5', `r8') +define(`T6', `r10') +define(`T7', `r11') +define(`H0', `T0') C Overlaps T0 and T1 +define(`H1', `T1') +define(`C2', `HP') +define(`C4', `r12') + + C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) + .text + .align 2 + +PROLOGUE(_nettle_ecc_secp192r1_modp) + push {r4,r5,r6,r7,r8,r10,r11} + C Reduce two words at a time + add HP, XP, #48 + add XP, XP, #8 + ldmdb HP!, {H0,H1} + ldm XP, {T2,T3,T4,T5,T6,T7} + mov C4, #0 + adds T4, T4, H0 + adcs T5, T5, H1 + adcs T6, T6, H0 + adcs T7, T7, H1 + C Need to add carry to T2 and T4, do T4 later. 
+ adc C4, C4, #0 + + ldmdb HP!, {H0,H1} + mov C2, #0 + adcs T2, T2, H0 + adcs T3, T3, H1 + adcs T4, T4, H0 + adcs T5, T5, H1 + C Need to add carry to T0 and T2, do T2 later + adc C2, C2, #0 + + ldmdb XP!, {T0, T1} + adcs T0, T0, T6 + adcs T1, T1, T7 + adcs T2, T2, T6 + adcs T3, T3, T7 + adc C4, C4, #0 + + adds T2, T2, C2 + adcs T3, T3, #0 + adcs T4, T4, C4 + adcs T5, T5, #0 + mov C2, #0 + adc C2, C2, #0 + + C Add in final carry + adcs T0, T0, #0 + adcs T1, T1, #0 + adcs T2, T2, C2 + adcs T3, T3, #0 + adcs T4, T4, #0 + adc T5, T5, #0 + + stm RP, {T0,T1,T2,T3,T4,T5} + + pop {r4,r5,r6,r7,r8,r10,r11} + bx lr +EPILOGUE(_nettle_ecc_secp192r1_modp) diff -Nru nettle-3.4.1/arm/ecc-secp224r1-modp.asm nettle-3.7.3/arm/ecc-secp224r1-modp.asm --- nettle-3.4.1/arm/ecc-secp224r1-modp.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/arm/ecc-secp224r1-modp.asm 2021-06-06 20:06:30.000000000 +0000 
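Review bot: The prototype comment `C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)` is stale for the new file: the routine now reads its input through `XP` (r2, a third argument) and stores the reduced result through `RP` (r1), whereas the deleted arm/ecc-192-modp.asm reduced in place through `RP` alone. It should read `C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp)` (the exact C parameter types are not visible here). Because every `ldm`/`ldmdb` from XP precedes the single `stm RP`, the in-place case rp == xp is still safe, and that is worth stating next to the prototype so nobody later moves a store earlier. With T7 now living in r11, the push/pop lists correctly grew to save it.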
@@ -0,0 +1,128 @@ +C arm/ecc-secp224r1-modp.asm + +ifelse(` + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + + .file "ecc-secp224r1-modp.asm" + .arm + +define(`RP', `r1') C Overlaps T0 +define(`XP', `r2') +define(`H', `r0') C Overlaps unused modulo argument + +define(`T0', `r1') +define(`T1', `r3') +define(`T2', `r4') +define(`T3', `r5') +define(`T4', `r6') +define(`T5', `r7') +define(`T6', `r8') +define(`N3', `r10') +define(`L0', `r11') +define(`L1', `r12') +define(`L2', `lr') + + C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) + .text + .align 2 + +PROLOGUE(_nettle_ecc_secp224r1_modp) + C Pushes RP last + push {r1,r4,r5,r6,r7,r8,r10,r11,lr} + + add L2, XP, #28 + ldm L2, {T0,T1,T2,T3,T4,T5,T6} + mov H, #0 + + adds T0, T0, T4 + adcs T1, T1, T5 + adcs T2, T2, T6 + adc H, H, #0 + + C This switch from adcs to sbcs takes carry into account with + C correct sign, but it always subtracts 1 too much. We arrange + C to also add B^7 + 1 below, so the effect is adding p. This + C addition of p also ensures that the result never is + C negative. 
+
+ sbcs N3, T3, T0
+ sbcs T4, T4, T1
+ sbcs T5, T5, T2
+ sbcs T6, T6, H
+ mov H, #1 C This is the B^7
+ sbc H, #0
+ subs T6, T6, T3
+ sbc H, #0
+
+ C Now subtract from low half
+ ldm XP!, {L0,L1,L2}
+
+ C Clear carry, with the sbcs, this is the 1.
+ adds XP, #0
+
+ sbcs T0, L0, T0
+ sbcs T1, L1, T1
+ sbcs T2, L2, T2
+ ldm XP!, {T3,L0,L1,L2}
+ sbcs T3, T3, N3
+ sbcs T4, L0, T4
+ sbcs T5, L1, T5
+ sbcs T6, L2, T6
+ rsc H, H, #0
+
+ C Now -2 <= H <= 0 is the borrow, so subtract (B^3 - 1) |H|
+ C Use (B^3 - 1) H = if -1 <=H <= 0, and
+ C (B^3 - 1) H = <1,B-1, B-1, B-2> if H = -2
+ subs T0, T0, H
+ asr L1, H, #1
+ sbcs T1, T1, L1
+ eor H, H, L1
+ sbcs T2, T2, L1
+ sbcs T3, T3, H
+ sbcs T4, T4, #0
+ sbcs T5, T5, #0
+ sbcs T6, T6, #0
+ sbcs H, H, H
+
+ pop {XP} C Original RP
+
+ C Final borrow, subtract (B^3 - 1) |H|
+ subs T0, T0, H
+ sbcs T1, T1, H
+ sbcs T2, T2, H
+ sbcs T3, T3, #0
+ sbcs T4, T4, #0
+ sbcs T5, T5, #0
+ sbcs T6, T6, #0
+
+ stm XP, {T0,T1,T2,T3,T4,T5,T6}
+
+ pop {r4,r5,r6,r7,r8,r10,r11,pc}
+EPILOGUE(_nettle_ecc_secp224r1_modp)
diff -Nru nettle-3.4.1/arm/ecc-secp256r1-redc.asm nettle-3.7.3/arm/ecc-secp256r1-redc.asm
--- nettle-3.4.1/arm/ecc-secp256r1-redc.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/arm/ecc-secp256r1-redc.asm 2021-06-06 20:06:30.000000000 +0000
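Review bot: The comment `C Use (B^3 - 1) H = if -1 <=H <= 0, and` is missing the limb vector between `=` and `if`, so the decomposition it introduces cannot be read (if an angle-bracketed vector was lost only in this rendering, disregard). The instructions that follow subtract `<H ^ L1, L1, L1, H>` with `L1 = H >> 1` (arithmetic shift), which for H in {-1, 0} is `<0, H, H, H>`, so that is what the comment should state: `C Use (B^3 - 1) H = <0, H, H, H> if -1 <= H <= 0, and`. The reduction, including the final borrow correction, is branch-free, as a constant-time modp must be; worth keeping that way when anyone revisits this.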
@@ -0,0 +1,176 @@ +C arm/ecc-secp256r1-redc.asm + +ifelse(` + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + + .file "ecc-secp256r1-redc.asm" + .arm + +define(`RP', `r1') C Overlaps T1 below +define(`XP', `r2') + +define(`T0', `r0') C Overlaps unused modulo argument +define(`T1', `r1') +define(`T2', `r3') +define(`T3', `r4') +define(`T4', `r5') +define(`T5', `r6') +define(`T6', `r7') +define(`T7', `r8') +define(`F0', `r10') +define(`F1', `r11') +define(`F2', `r12') +define(`F3', `lr') + + C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp) + .text + .align 2 + +PROLOGUE(_nettle_ecc_secp256r1_redc) + C Pushes RP last + push {r1, r4,r5,r6,r7,r8,r10,r11,lr} + + ldm XP!, {T0,T1,T2,T3,T4,T5,T6,T7} + + C Set to the high 4 limbs of (B^2-B+1) + C T2 T1 + C T2 T1 T0 + C - T2 T1 T0 + C ------------- + C F3 F2 F1 F0 + + + adds F1, T0, T2 + adcs F2, T1, #0 + adc F3, T2, #0 + + subs F0, T1, T0 + sbcs F1, F1, T1 C Could also be rsc ? 
+ sbcs F2, F2, T2 + sbc F3, F3, #0 + + C Add: + C T10 T9 T8 T7 T6 T5 T4 T3 + C + F3 F2 F1 F0 T0 T2 T1 T0 + C -------------------------- + C T7 T6 T5 T4 T3 T2 T1 T0 + + adds T3, T3, T0 + adcs T1, T4, T1 + adcs T2, T5, T2 + adcs T6, T6, T0 + mov T0, T3 C FIXME: Be more clever? + mov T3, T6 + adcs T4, T7, F0 + + ldm XP!, {T5,T6,T7} + adcs T5, T5, F1 + adcs T6, T6, F2 + adcs T7, T7, F3 + + C New F3, F2, F1, F0, also adding in carry + adcs F1, T0, T2 + adcs F2, T1, #0 + adc F3, T2, #0 + + subs F0, T1, T0 + sbcs F1, F1, T1 C Could also be rsc ? + sbcs F2, F2, T2 + sbc F3, F3, #0 + + C Start adding + adds T3, T3, T0 + adcs T1, T4, T1 + adcs T2, T5, T2 + adcs T6, T6, T0 + mov T0, T3 C FIXME: Be more clever? + mov T3, T6 + adcs T4, T7, F0 + + ldm XP!, {T5,T6,T7} + adcs T5, T5, F1 + adcs T6, T6, F2 + adcs T7, T7, F3 + + C Final iteration, eliminate only T0, T1 + C Set to the high 3 limbs of (B^2-B+1) + + C T1 T0 T1 + C - T1 T0 + C ------------- + C F2 F1 F0 + + C First add in carry + adcs F1, T0, #0 + adcs F2, T1, #0 + subs F0, T1, T0 + sbcs F1, F1, T1 + sbc F2, F2, #0 + + C Add: + C T9 T8 T7 T6 T5 T4 T3 T2 + C + F2 F1 F0 T0 0 T1 T0 0 + C -------------------------- + C F2 F1 T7 T6 T5 T4 T3 T2 + + adds T3, T3, T0 + adcs T4, T4, T1 + adcs T5, T5, #0 + adcs T6, T6, T0 + adcs T7, T7, F0 + ldm XP!, {T0, T1} + mov F3, #0 + adcs F1, F1, T0 + adcs F2, F2, T1 + + C Sum is < B^8 + p, so it's enough to fold carry once, + C If carry, add in + C B^7 - B^6 - B^3 + 1 = <0, B-2, B-1, B-1, B-1, 0, 0, 1> + + C Mask from carry flag, leaving carry intact + adc F3, F3, #0 + rsb F3, F3, #0 + + pop {XP} C Original RP + + adcs T0, T2, #0 + adcs T1, T3, #0 + adcs T2, T4, #0 + adcs T3, T5, F3 + adcs T4, T6, F3 + adcs T5, T7, F3 + and F3, F3, #-2 + adcs T6, F1, F3 + adcs T7, F2, #0 + + stm XP, {T0,T1,T2,T3,T4,T5,T6,T7} + + pop {r4,r5,r6,r7,r8,r10,r11,pc} +EPILOGUE(_nettle_ecc_secp256r1_redc) diff -Nru nettle-3.4.1/arm/ecc-secp384r1-modp.asm nettle-3.7.3/arm/ecc-secp384r1-modp.asm --- 
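Review bot: Two `C FIXME: Be more clever?` markers on the `mov T0, T3` / `mov T3, T6` register shuffles and two `C Could also be rsc ?` asides ship in the new file without explanation. If the shuffle is to stay, replace the FIXME with the reason it is needed — as far as I can read, T3 and T6 are both sources and destinations of the adc chain, so the moves restore the T0..T7 limb order for the next fold — e.g. `C Restore limb order T0..T7 after the in-place adds above`; if it is a known inefficiency, make it a TODO that says what the cleverer version would be. The `rsc` questions should either be tried or dropped, since an open question inside a carry chain invites a later "fix" that breaks it. The fold itself is branch-free, which is the right shape for a constant-time redc.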
nettle-3.4.1/arm/ecc-secp384r1-modp.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/arm/ecc-secp384r1-modp.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,272 @@
+C arm/ecc-secp384r1-modp.asm
+
+ifelse(`
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+') + + .file "ecc-secp384r1-modp.asm" + .arm + +define(`RP', `r1') +define(`XP', `r2') + +define(`T0', `r0') +define(`T1', `r3') +define(`T2', `r4') +define(`T3', `r5') +define(`F0', `r6') +define(`F1', `r7') +define(`F2', `r8') +define(`F3', `r10') +define(`F4', `r11') +define(`N', `r12') +define(`H', `lr') + + C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) + .text + .align 2 + +PROLOGUE(_nettle_ecc_secp384r1_modp) + push {r4,r5,r6,r7,r8,r10,r11,lr} + + add XP, XP, #80 + ldm XP, {T0, T1, T2, T3} C 20-23 + + C First get top 4 limbs, which need folding twice, as + C + C T3 T2 T1 T0 + C T3 T2 T1 + C -T3 + C ---------------- + C F4 F3 F2 F1 F0 + C + C Start with + C + C T3 T1 T0 + C T1 + C -T3 + C ----------- + C F2 F1 F0 Always fits + + adds F0, T0, T1 + adcs F1, T1, #0 + adcs F2, T3, #0 + subs F0, F0, T3 + sbcs F1, F1, #0 + sbcs F2, F2, #0 + + C T3 T2 T2 0 + C F2 F1 F0 + C ---------------- + C F4 F3 F2 F1 F0 + + mov F4, #0 + adds F1, F1, T2 + adcs F2, F2, T2 + adcs F3, T3, #0 + adcs F4, F4, #0 + + C Add in to high part + sub XP, XP, #32 + ldm XP, {T0, T1, T2, T3} C 12-15 + mov H, #0 + adds F0, T0, F0 + adcs F1, T1, F1 + adcs F2, T2, F2 + adcs F3, T3, F3 + adcs F4, F4, #0 C Do F4 later + + C Add to low part, keeping carry (positive or negative) in H + sub XP, XP, #48 + ldm XP, {T0, T1, T2, T3} C 0-3 + mov H, #0 + adds T0, T0, F0 + adcs T1, T1, F1 + adcs T2, T2, F2 + adcs T3, T3, F3 + adc H, H, #0 + subs T1, T1, F0 + sbcs T2, T2, F1 + sbcs T3, T3, F2 + sbc H, H, #0 + adds T3, T3, F0 + adc H, H, #0 + + stm XP!, {T0,T1,T2,T3} C 0-3 + mov N, #2 +.Loop: + ldm XP, {T0,T1,T2,T3} C 4-7 + + C First, propagate carry + adds T0, T0, H + asr H, #31 C Sign extend + adcs T1, T1, H + adcs T2, T2, H + adcs T3, T3, H + adc H, H, #0 + + C +B^4 term + adds T0, T0, F0 + adcs T1, T1, F1 + adcs T2, T2, F2 + adcs T3, T3, F3 + adc H, H, #0 + + C +B^3 terms + ldr F0, [XP, #+48] C 16 + adds T0, T0, F1 + adcs T1, T1, F2 + adcs T2, T2, F3 + adcs T3, T3, F0 + adc H, H, #0 + + C 
-B + ldr F1, [XP, #+52] C 17-18 + ldr F2, [XP, #+56] + subs T0, T0, F3 + sbcs T1, T1, F0 + sbcs T2, T2, F1 + sbcs T3, T3, F2 + sbcs H, H, #0 + + C +1 + ldr F3, [XP, #+60] C 19 + adds T0, T0, F0 + adcs T1, T1, F1 + adcs T2, T2, F2 + adcs T3, T3, F3 + adc H, H, #0 + subs N, N, #1 + stm XP!, {T0,T1,T2,T3} + bne .Loop + + C Fold high limbs, we need to add in + C + C F4 F4 0 -F4 F4 H H 0 -H H + C + C We always have F4 >= 0, but we can have H < 0. + C Sign extension gets tricky when F4 = 0 and H < 0. + sub XP, XP, #48 + + ldm XP, {T0,T1,T2,T3} C 0-3 + + C H H 0 -H H + C ---------------- + C S H F3 F2 F1 F0 + C + C Define S = H >> 31 (asr), we then have + C + C F0 = H + C F1 = S - H + C F2 = - [H > 0] + C F3 = H - [H > 0] + C H = H + S + C + C And we get underflow in S - H iff H > 0 + + C H = 0 H > 0 H = -1 + mov F0, H C 0 H -1 + asr H, #31 + subs F1, H, F0 C 0,C=1 -H,C=0 0,C=1 + sbc F2, F2, F2 C 0 -1 0 + sbc F3, F0, #0 C 0 H-1 -1 + + adds T0, T0, F0 + adcs T1, T1, F1 + adcs T2, T2, F2 + adcs T3, T3, F3 + adc H, H, F0 C 0+cy H+cy -2+cy + + stm XP!, {T0,T1,T2,T3} C 0-3 + ldm XP, {T0,T1,T2,T3} C 4-7 + + C F4 0 -F4 + C --------- + C F3 F2 F1 + + rsbs F1, F4, #0 + sbc F2, F2, F2 + sbc F3, F4, #0 + + C Sign extend H + adds F0, F4, H + asr H, H, #31 + adcs F1, F1, H + adcs F2, F2, H + adcs F3, F3, H + adcs F4, F4, H + adc H, H, #0 + + adds T0, T0, F0 + adcs T1, T1, F1 + adcs T2, T2, F2 + adcs T3, T3, F3 + + stm XP!, {T0,T1,T2,T3} C 4-7 + ldm XP, {T0,T1,T2,T3} C 8-11 + + adcs T0, T0, F4 + adcs T1, T1, H + adcs T2, T2, H + adcs T3, T3, H + adc H, H, #0 + + stm XP, {T0,T1,T2,T3} C 8-11 + + C Final (unlikely) carry + sub XP, XP, #32 + ldm XP!, {T0,T1,T2,T3} C 0-3 + C Fold H into F0-F4 + mov F0, H + asr H, #31 + subs F1, H, F0 + sbc F2, F2, F2 + sbc F3, F0, #0 + add F4, F0, H + + adds T0, T0, F0 + adcs T1, T1, F1 + adcs T2, T2, F2 + adcs T3, T3, F3 + + stm RP!, {T0,T1,T2,T3} C 0-3 + ldm XP!, {T0,T1,T2,T3} C 4-7 + adcs T0, T0, F4 + adcs T1, T1, H + adcs T2, T2, H + adcs T3, T3, H + 
stm RP!, {T0,T1,T2,T3} C 4-7
+ ldm XP, {T0,T1,T2,T3} C 8-11
+ adcs T0, T0, H
+ adcs T1, T1, H
+ adcs T2, T2, H
+ adcs T3, T3, H
+ stm RP, {T0,T1,T2,T3} C 8-11
+ pop {r4,r5,r6,r7,r8,r10,r11,pc}
+EPILOGUE(_nettle_ecc_secp384r1_modp)
diff -Nru nettle-3.4.1/arm/ecc-secp521r1-modp.asm nettle-3.7.3/arm/ecc-secp521r1-modp.asm
--- nettle-3.4.1/arm/ecc-secp521r1-modp.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/arm/ecc-secp521r1-modp.asm 2021-06-06 20:06:30.000000000 +0000
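Review bot: The `mov H, #0` under `C Add in to high part` is dead: H is neither read nor written between it and the second `mov H, #0` under `C Add to low part`, so the first one can be deleted (or, if it is meant as a placeholder, the comment should say so). On the security side it is worth a comment that the `C Final (unlikely) carry` pass is deliberately executed unconditionally — the routine has no data-dependent branch, and a future "optimisation" that skips the pass when H is zero would make reduction time depend on the operand; `C Always run, even when H = 0, to keep this constant-time` on that line would pin the intent.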
@@ -0,0 +1,128 @@
+C arm/ecc-secp521r1-modp.asm
+
+ifelse(`
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+') + + .file "ecc-secp521r1-modp.asm" + .arm + +define(`HP', `r0') +define(`RP', `r1') +define(`XP', `r2') +define(`T0', `r3') +define(`T1', `r4') +define(`T2', `r5') +define(`F0', `r6') +define(`F1', `r7') +define(`F2', `r8') +define(`F3', `r10') +define(`H', `r12') +define(`N', `lr') + + C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) + .text +.Lc511: + .int 511 + + .align 2 + +PROLOGUE(_nettle_ecc_secp521r1_modp) + push {r4,r5,r6,r7,r8,r10,lr} + + C Use that B^17 = 2^23 (mod p) + ldr F3, [XP, #+68] C 17 + add HP, XP, #72 C 18 + ldr T0, [XP] C 0 + adds T0, T0, F3, lsl #23 + str T0, [XP], #+4 + mov N, #5 + + C 5 iterations, reading limbs 18-20, 21-23, 24-26, 27-29, 30-32 + C and adding to limbs 1-3, 4-6, 7-9, 19-12, 13-15 +.Loop: + ldm XP, {T0,T1,T2} C 1+3*k -- 3+3*k + lsr F0, F3, #9 + ldm HP!, {F1,F2,F3} C 18+3*k -- 20+3*k + orr F0, F0, F1, lsl #23 + lsr F1, F1, #9 + orr F1, F1, F2, lsl #23 + lsr F2, F2, #9 + orr F2, F2, F3, lsl #23 + adcs T0, T0, F0 + adcs T1, T1, F1 + adcs T2, T2, F2 + sub N, N, #1 + stm XP!,{T0,T1,T2} + teq N, #0 + bne .Loop + + ldr F0, [XP], #-64 C 16 + ldr F1, [HP] C 33 + ldr T0, .Lc511 + + C Handling of high limbs + C F0 = rp[16] + carry in + F3 >> 9 + adcs F0, F0, F3, lsr #9 + C Copy low 9 bits to H, then shift right including carry + and H, F0, T0 + mov F0, F0, rrx + lsr F0, F0, #8 + C Add in F1 = rp[33], with weight 2^1056 = 2^14 + adds F0, F0, F1, lsl #14 + lsr F1, F1, #18 + adc F1, F1, #0 + + ldm XP!, {T0, T1} C 0-1 + adds T0, T0, F0 + adcs T1, T1, F1 + stm RP!, {T0, T1} + + ldm XP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 + adcs T0, T0, #0 + adcs T1, T1, #0 + adcs T2, T2, #0 + adcs F0, F0, #0 + adcs F1, F1, #0 + adcs F2, F2, #0 + adcs F3, F3, #0 + stm RP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 + ldm XP, {T0,T1,T2,F0,F1,F2,F3} C 9-15 + adcs T0, T0, #0 + adcs T1, T1, #0 + adcs T2, T2, #0 + adcs F0, F0, #0 + adcs F1, F1, #0 + adcs F2, F2, #0 + adcs F3, F3, #0 + adcs H, H, #0 + stm RP, {T0,T1,T2,F0,F1,F2,F3,H} C 9-16 + + pop 
{r4,r5,r6,r7,r8,r10,pc} +EPILOGUE(_nettle_ecc_secp521r1_modp) diff -Nru nettle-3.4.1/arm/fat/aes-decrypt-internal-2.asm nettle-3.7.3/arm/fat/aes-decrypt-internal-2.asm --- nettle-3.4.1/arm/fat/aes-decrypt-internal-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/aes-decrypt-internal-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/aes-decrypt-internal-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. @@ -29,7 +29,7 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <$1_armv6>) -include_src() +define(`fat_transform', `$1_armv6') +include_src(`arm/v6/aes-decrypt-internal.asm') diff -Nru nettle-3.4.1/arm/fat/aes-decrypt-internal.asm nettle-3.7.3/arm/fat/aes-decrypt-internal.asm --- nettle-3.4.1/arm/fat/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/aes-decrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/aes-decrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. @@ -29,7 +29,7 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <$1_arm>) -include_src() +define(`fat_transform', `$1_arm') +include_src(`arm/aes-decrypt-internal.asm') diff -Nru nettle-3.4.1/arm/fat/aes-encrypt-internal-2.asm nettle-3.7.3/arm/fat/aes-encrypt-internal-2.asm --- nettle-3.4.1/arm/fat/aes-encrypt-internal-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/aes-encrypt-internal-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/aes-encrypt-internal-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. 
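Review bot: The loop comment `C and adding to limbs 1-3, 4-6, 7-9, 19-12, 13-15` has a typo — the fourth group is limbs 10-12, as the neighbouring groups and the five three-limb iterations show — so it should read `C and adding to limbs 1-3, 4-6, 7-9, 10-12, 13-15`. The loop also depends on a flag discipline that deserves a comment: the counter is decremented with `sub` and tested with `teq` rather than `subs` so that the carry flag survives from one iteration's `adcs` chain into the next (`teq` with an unrotated immediate leaves C unchanged), and a line such as `C sub/teq, not subs: carry must survive into the next adcs` above `sub N, N, #1` would stop someone "simplifying" it to `subs`/`bne` and silently dropping carries. As with the other modp routines, the whole path is branch-free apart from the fixed-count loop, which is what keeps it constant-time.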
@@ -29,7 +29,7 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <$1_armv6>) -include_src() +define(`fat_transform', `$1_armv6') +include_src(`arm/v6/aes-encrypt-internal.asm') diff -Nru nettle-3.4.1/arm/fat/aes-encrypt-internal.asm nettle-3.7.3/arm/fat/aes-encrypt-internal.asm --- nettle-3.4.1/arm/fat/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/aes-encrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/aes-encrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. @@ -29,7 +29,7 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <$1_arm>) -include_src() +define(`fat_transform', `$1_arm') +include_src(`arm/aes-encrypt-internal.asm') diff -Nru nettle-3.4.1/arm/fat/chacha-3core.asm nettle-3.7.3/arm/fat/chacha-3core.asm --- nettle-3.4.1/arm/fat/chacha-3core.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/arm/fat/chacha-3core.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,36 @@
+C arm/fat/chacha-3core.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(_nettle_fat_chacha_3core) picked up by configure
+
+include_src(`arm/neon/chacha-3core.asm')
diff -Nru nettle-3.4.1/arm/fat/salsa20-2core.asm nettle-3.7.3/arm/fat/salsa20-2core.asm
--- nettle-3.4.1/arm/fat/salsa20-2core.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/arm/fat/salsa20-2core.asm 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,36 @@
+C arm/fat/salsa20-2core.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(_nettle_fat_salsa20_2core) picked up by configure
+
+include_src(`arm/neon/salsa20-2core.asm')
diff -Nru nettle-3.4.1/arm/fat/salsa20-core-internal-2.asm nettle-3.7.3/arm/fat/salsa20-core-internal-2.asm
--- nettle-3.4.1/arm/fat/salsa20-core-internal-2.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/arm/fat/salsa20-core-internal-2.asm 1970-01-01 00:00:00.000000000 +0000
@@ -1,37 +0,0 @@ -C arm/fat/salsa20-core-internal-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_salsa20_core) picked up by configure - -define(, <$1_neon>) -include_src() diff -Nru nettle-3.4.1/arm/fat/sha1-compress-2.asm nettle-3.7.3/arm/fat/sha1-compress-2.asm --- nettle-3.4.1/arm/fat/sha1-compress-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/sha1-compress-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/sha1-compress-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. 
@@ -29,9 +29,9 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -dnl PROLOGUE(_nettle_sha1_compress) picked up by configure +dnl PROLOGUE(nettle_sha1_compress) picked up by configure -define(, <$1_armv6>) -include_src() +define(`fat_transform', `_$1_armv6') +include_src(`arm/v6/sha1-compress.asm') diff -Nru nettle-3.4.1/arm/fat/sha256-compress-2.asm nettle-3.7.3/arm/fat/sha256-compress-2.asm --- nettle-3.4.1/arm/fat/sha256-compress-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/sha256-compress-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/sha256-compress-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. @@ -29,9 +29,9 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') dnl PROLOGUE(_nettle_sha256_compress) picked up by configure -define(, <$1_armv6>) -include_src() +define(`fat_transform', `$1_armv6') +include_src(`arm/v6/sha256-compress.asm') diff -Nru nettle-3.4.1/arm/fat/sha3-permute-2.asm nettle-3.7.3/arm/fat/sha3-permute-2.asm --- nettle-3.4.1/arm/fat/sha3-permute-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/sha3-permute-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/sha3-permute-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. 
@@ -29,9 +29,9 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') dnl PROLOGUE(_nettle_sha3_permute) picked up by configure -define(, <_$1_neon>) -include_src() +define(`fat_transform', `_$1_neon') +include_src(`arm/neon/sha3-permute.asm') diff -Nru nettle-3.4.1/arm/fat/sha512-compress-2.asm nettle-3.7.3/arm/fat/sha512-compress-2.asm --- nettle-3.4.1/arm/fat/sha512-compress-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/sha512-compress-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/sha3-compress-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. @@ -29,9 +29,9 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') dnl PROLOGUE(_nettle_sha512_compress) picked up by configure -define(, <$1_neon>) -include_src() +define(`fat_transform', `$1_neon') +include_src(`arm/neon/sha512-compress.asm') diff -Nru nettle-3.4.1/arm/fat/umac-nh-2.asm nettle-3.7.3/arm/fat/umac-nh-2.asm --- nettle-3.4.1/arm/fat/umac-nh-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/umac-nh-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/umac-nh-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. 
@@ -29,9 +29,9 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') dnl PROLOGUE(_nettle_umac_nh) picked up by configure -define(, <$1_neon>) -include_src() +define(`fat_transform', `$1_neon') +include_src(`arm/neon/umac-nh.asm') diff -Nru nettle-3.4.1/arm/fat/umac-nh-n-2.asm nettle-3.7.3/arm/fat/umac-nh-n-2.asm --- nettle-3.4.1/arm/fat/umac-nh-n-2.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/fat/umac-nh-n-2.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,7 +1,7 @@ C arm/fat/umac-nh-n-2.asm -ifelse(< +ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. @@ -29,9 +29,9 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') dnl PROLOGUE(_nettle_umac_nh_n) picked up by configure -define(, <$1_neon>) -include_src() +define(`fat_transform', `$1_neon') +include_src(`arm/neon/umac-nh-n.asm') diff -Nru nettle-3.4.1/arm/machine.m4 nettle-3.7.3/arm/machine.m4 --- nettle-3.4.1/arm/machine.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/machine.m4 2021-06-06 20:06:30.000000000 +0000 @@ -1,4 +1,4 @@ -define(, )>)dnl + `NO REGISTER')')dnl -define(, )>)dnl + `NO REGISTER')')dnl -define(, )>)dnl + `NO REGISTER')')dnl diff -Nru nettle-3.4.1/arm/memxor3.asm nettle-3.7.3/arm/memxor3.asm --- nettle-3.4.1/arm/memxor3.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/memxor3.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/memxor3.asm -ifelse(< +ifelse(` Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. @@ -28,7 +28,7 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Possible speedups: C 
@@ -38,16 +38,21 @@ C Register usage: -define(, ) -define(, ) -define(, ) -define(, ) +define(`DST', `r0') +define(`AP', `r1') +define(`BP', `r2') +define(`N', `r3') C Temporaries r4-r7 -define(, ) -define(, ) -define(, ) -define(, ) +define(`ACNT', `r8') +define(`ATNC', `r10') +define(`BCNT', `r11') +define(`BTNC', `r12') + +C little-endian and big-endian need to shift in different directions for +C alignment correction +define(`S0ADJ', IF_LE(`lsr', `lsl')) +define(`S1ADJ', IF_LE(`lsl', `lsr')) .syntax unified @@ -124,6 +129,8 @@ C C With little-endian, we need to do C DST[i-i] ^= (SRC[i-i] >> CNT) ^ (SRC[i] << TNC) + C With big-endian, we need to do + C DST[i-i] ^= (SRC[i-i] << CNT) ^ (SRC[i] >> TNC) rsb ATNC, ACNT, #32 bic BP, #3 @@ -138,31 +145,37 @@ .Lmemxor3_au_loop: ldr r5, [BP, #-4]! ldr r6, [AP, #-4]! - eor r6, r6, r4, lsl ATNC - eor r6, r6, r5, lsr ACNT + eor r6, r6, r4, S1ADJ ATNC + eor r6, r6, r5, S0ADJ ACNT str r6, [DST, #-4]! .Lmemxor3_au_odd: ldr r4, [BP, #-4]! ldr r6, [AP, #-4]! - eor r6, r6, r5, lsl ATNC - eor r6, r6, r4, lsr ACNT + eor r6, r6, r5, S1ADJ ATNC + eor r6, r6, r4, S0ADJ ACNT str r6, [DST, #-4]! subs N, #8 bcs .Lmemxor3_au_loop adds N, #8 beq .Lmemxor3_done - C Leftover bytes in r4, low end + C Leftover bytes in r4, low end on LE and high end on BE before + C preparatory alignment correction ldr r5, [AP, #-4] - eor r4, r5, r4, lsl ATNC + eor r4, r5, r4, S1ADJ ATNC + C now byte-aligned in high end on LE and low end on BE because we're + C working downwards in saving the very first bytes of the buffer .Lmemxor3_au_leftover: C Store a byte at a time - ror r4, #24 + C bring uppermost byte down for saving while preserving lower ones +IF_LE(` ror r4, #24') strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 + C bring down next byte, no need to preserve +IF_BE(` lsr r4, #8') sub AP, #1 bne .Lmemxor3_au_leftover b .Lmemxor3_bytes 
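Review bot: The new `S0ADJ`/`S1ADJ` macro names do not say which shift is which, and the comment above them only states that the directions differ between endiannesses. In the loops that follow, `S0ADJ` is always paired with the byte-offset count (`ACNT`/`BCNT`, `lsr` on little-endian) and `S1ADJ` with the complementary count (`ATNC`/`BTNC`, computed as `rsb ATNC, ACNT, #32`, `lsl` on little-endian), so a second comment line such as `C S0ADJ is applied with CNT (LE: lsr, BE: lsl), S1ADJ with TNC = 32 - CNT (LE: lsl, BE: lsr)` would make the remaining hunks readable without cross-referencing. The same macro pair is introduced in memxor.asm and would benefit from the same note.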
@@ -247,29 +260,36 @@ ldr r5, [AP, #-4]! ldr r6, [BP, #-4]! eor r5, r6 - lsl r4, ATNC - eor r4, r4, r5, lsr ACNT + S1ADJ r4, ATNC + eor r4, r4, r5, S0ADJ ACNT str r4, [DST, #-4]! .Lmemxor3_uu_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! eor r4, r6 - lsl r5, ATNC - eor r5, r5, r4, lsr ACNT + S1ADJ r5, ATNC + eor r5, r5, r4, S0ADJ ACNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uu_loop adds N, #8 beq .Lmemxor3_done - C Leftover bytes in a4, low end - ror r4, ACNT + C Leftover bytes in r4, low end on LE and high end on BE before + C preparatory alignment correction +IF_LE(` ror r4, ACNT') +IF_BE(` ror r4, ATNC') + C now byte-aligned in high end on LE and low end on BE because we're + C working downwards in saving the very first bytes of the buffer .Lmemxor3_uu_leftover: - ror r4, #24 + C bring uppermost byte down for saving while preserving lower ones +IF_LE(` ror r4, #24') strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 + C bring down next byte, no need to preserve +IF_BE(` lsr r4, #8') bne .Lmemxor3_uu_leftover b .Lmemxor3_bytes @@ -290,18 +310,18 @@ .Lmemxor3_uud_loop: ldr r5, [AP, #-4]! ldr r7, [BP, #-4]! - lsl r4, ATNC - eor r4, r4, r6, lsl BTNC - eor r4, r4, r5, lsr ACNT - eor r4, r4, r7, lsr BCNT + S1ADJ r4, ATNC + eor r4, r4, r6, S1ADJ BTNC + eor r4, r4, r5, S0ADJ ACNT + eor r4, r4, r7, S0ADJ BCNT str r4, [DST, #-4]! .Lmemxor3_uud_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! - lsl r5, ATNC - eor r5, r5, r7, lsl BTNC - eor r5, r5, r4, lsr ACNT - eor r5, r5, r6, lsr BCNT + S1ADJ r5, ATNC + eor r5, r5, r7, S1ADJ BTNC + eor r5, r5, r4, S0ADJ ACNT + eor r5, r5, r6, S0ADJ BCNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uud_loop diff -Nru nettle-3.4.1/arm/memxor.asm nettle-3.7.3/arm/memxor.asm --- nettle-3.4.1/arm/memxor.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/memxor.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/memxor.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,7 +28,7 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Possible speedups: C @@ -38,11 +38,16 @@ C Register usage: -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`DST', `r0') +define(`SRC', `r1') +define(`N', `r2') +define(`CNT', `r6') +define(`TNC', `r12') + +C little-endian and big-endian need to shift in different directions for +C alignment correction +define(`S0ADJ', IF_LE(`lsr', `lsl')) +define(`S1ADJ', IF_LE(`lsl', `lsr')) .syntax unified @@ -99,6 +104,8 @@ C C With little-endian, we need to do C DST[i] ^= (SRC[i] >> CNT) ^ (SRC[i+1] << TNC) + C With big-endian, we need to do + C DST[i] ^= (SRC[i] << CNT) ^ (SRC[i+1] >> TNC) push {r4,r5,r6} @@ -117,22 +124,24 @@ .Lmemxor_word_loop: ldr r5, [SRC], #+4 ldr r3, [DST] - eor r3, r3, r4, lsr CNT - eor r3, r3, r5, lsl TNC + eor r3, r3, r4, S0ADJ CNT + eor r3, r3, r5, S1ADJ TNC str r3, [DST], #+4 .Lmemxor_odd: ldr r4, [SRC], #+4 ldr r3, [DST] - eor r3, r3, r5, lsr CNT - eor r3, r3, r4, lsl TNC + eor r3, r3, r5, S0ADJ CNT + eor r3, r3, r4, S1ADJ TNC str r3, [DST], #+4 subs N, #8 bcs .Lmemxor_word_loop adds N, #8 beq .Lmemxor_odd_done - C We have TNC/8 left-over bytes in r4, high end - lsr r4, CNT + C We have TNC/8 left-over bytes in r4, high end on LE and low end on + C BE, excess bits to be discarded by alignment adjustment at the other + S0ADJ r4, CNT + C now byte-aligned at low end on LE and high end on BE ldr r3, [DST] eor r3, r4 
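Review bot: The rewritten comment in the `@@ -117,22 +124,24 @@` hunk stops mid-sentence: `C BE, excess bits to be discarded by alignment adjustment at the other` — presumably `at the other end`, i.e. `C BE, excess bits to be discarded by the alignment shift at the other end`. It would also help to say that `S0ADJ r4, CNT` expands to a bare `lsr r4, CNT` on LE and `lsl r4, CNT` on BE, since the macro name alone does not convey the direction to a reader of the leftover path. The store loop that consumes r3 afterwards is in the next hunk, so the full byte-store sequence is not visible here.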
@@ -140,11 +149,14 @@ C Store bytes, one by one. .Lmemxor_leftover: + C bring uppermost byte down for saving while preserving lower ones +IF_BE(` ror r3, #24') strb r3, [DST], #+1 subs N, #1 beq .Lmemxor_done subs TNC, #8 - lsr r3, #8 + C bring down next byte, no need to preserve +IF_LE(` lsr r3, #8') bne .Lmemxor_leftover b .Lmemxor_bytes .Lmemxor_odd_done: diff -Nru nettle-3.4.1/arm/neon/chacha-3core.asm nettle-3.7.3/arm/neon/chacha-3core.asm --- nettle-3.4.1/arm/neon/chacha-3core.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/arm/neon/chacha-3core.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,267 @@ +C arm/neon/chacha-3core.asm + +ifelse(` + Copyright (C) 2020 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+')
+
+ .file "chacha-3core.asm"
+ .fpu neon
+
+define(`DST', `r0')
+define(`SRC', `r1')
+define(`ROUNDS', `r2')
+define(`SRCp32', `r3')
+
+C State, X, Y and Z representing consecutive blocks
+define(`X0', `q0')
+define(`X1', `q1')
+define(`X2', `q2')
+define(`X3', `q3')
+define(`Y0', `q8')
+define(`Y1', `q9')
+define(`Y2', `q10')
+define(`Y3', `q11')
+define(`Z0', `q12')
+define(`Z1', `q13')
+define(`Z2', `q14')
+define(`Z3', `q15')
+
+define(`T0', `q4')
+define(`T1', `q5')
+define(`T2', `q6')
+define(`T3', `q7')
+
+ .text
+ .align 4
+.Lcount1:
+ .int 1,0,0,0
+
+ C _chacha_3core(uint32_t *dst, const uint32_t *src, unsigned rounds)
+
+PROLOGUE(_nettle_chacha_3core)
+ C loads using vld1.32 to be endianness-neutral wrt consecutive 32-bit words
+ add SRCp32, SRC, #32
+ vld1.32 {X0,X1}, [SRC]
+ vld1.32 {X2,X3}, [SRCp32]
+ vpush {q4,q5,q6,q7}
+ adr r12, .Lcount1
+ vld1.32 {Z3}, [r12]
+
+ vadd.i64 Y3, X3, Z3 C Increment 64-bit counter
+ vadd.i64 Z3, Y3, Z3
+
+.Lshared_entry:
+ vmov Y0, X0
+ vmov Z0, X0
+ vmov Y1, X1
+ vmov Z1, X1
+ vmov Y2, X2
+ vmov Z2, X2
+
+ C Save initial values for the words including the counters.
+ vmov T2, Y3
+ vmov T3, Z3
+
+.Loop:
+ C Interleave three blocks. Note that with this scheduling,
+ C only two temporaries, T0 and T1, are needed.
+ vadd.i32 X0, X0, X1 + veor X3, X3, X0 + vadd.i32 Y0, Y0, Y1 + vrev32.16 X3, X3 C lrot 16 + veor Y3, Y3, Y0 + vadd.i32 Z0, Z0, Z1 + + vadd.i32 X2, X2, X3 + vrev32.16 Y3, Y3 C lrot 16 + veor Z3, Z3, Z0 + veor T0, X1, X2 + vadd.i32 Y2, Y2, Y3 + vrev32.16 Z3, Z3 C lrot 16 + vshl.i32 X1, T0, #12 + veor T1, Y1, Y2 + vadd.i32 Z2, Z2, Z3 + vsri.u32 X1, T0, #20 + vshl.i32 Y1, T1, #12 + veor T0, Z1, Z2 + + vadd.i32 X0, X0, X1 + vsri.u32 Y1, T1, #20 + vshl.i32 Z1, T0, #12 + veor T1, X3, X0 + vadd.i32 Y0, Y0, Y1 + vsri.u32 Z1, T0, #20 + vshl.i32 X3, T1, #8 + veor T0, Y3, Y0 + vadd.i32 Z0, Z0, Z1 + vsri.u32 X3, T1, #24 + vshl.i32 Y3, T0, #8 + veor T1, Z3, Z0 + + vadd.i32 X2, X2, X3 + vsri.u32 Y3, T0, #24 + vext.32 X3, X3, X3, #3 + vshl.i32 Z3, T1, #8 + veor T0, X1, X2 + vadd.i32 Y2, Y2, Y3 + vsri.u32 Z3, T1, #24 + vext.32 Y3, Y3, Y3, #3 + vshl.i32 X1, T0, #7 + veor T1, Y1, Y2 + vadd.i32 Z2, Z2, Z3 + vsri.u32 X1, T0, #25 + vshl.i32 Y1, T1, #7 + veor T0, Z1, Z2 + vext.32 X1, X1, X1, #1 + vsri.u32 Y1, T1, #25 + vshl.i32 Z1, T0, #7 + vext.32 Y2, Y2, Y2, #2 + vext.32 Y1, Y1, Y1, #1 + vsri.u32 Z1, T0, #25 + vext.32 X2, X2, X2, #2 + + C Second QROUND + vadd.i32 X0, X0, X1 + vext.32 Z2, Z2, Z2, #2 + vext.32 Z1, Z1, Z1, #1 + veor X3, X3, X0 + vadd.i32 Y0, Y0, Y1 + vext.32 Z3, Z3, Z3, #3 + vrev32.16 X3, X3 C lrot 16 + veor Y3, Y3, Y0 + vadd.i32 Z0, Z0, Z1 + + vadd.i32 X2, X2, X3 + vrev32.16 Y3, Y3 C lrot 16 + veor Z3, Z3, Z0 + veor T0, X1, X2 + vadd.i32 Y2, Y2, Y3 + vrev32.16 Z3, Z3 C lrot 16 + vshl.i32 X1, T0, #12 + veor T1, Y1, Y2 + vadd.i32 Z2, Z2, Z3 + vsri.u32 X1, T0, #20 + vshl.i32 Y1, T1, #12 + veor T0, Z1, Z2 + + vadd.i32 X0, X0, X1 + vsri.u32 Y1, T1, #20 + vshl.i32 Z1, T0, #12 + veor T1, X3, X0 + vadd.i32 Y0, Y0, Y1 + vsri.u32 Z1, T0, #20 + vshl.i32 X3, T1, #8 + veor T0, Y3, Y0 + vadd.i32 Z0, Z0, Z1 + vsri.u32 X3, T1, #24 + vshl.i32 Y3, T0, #8 + veor T1, Z3, Z0 + + vadd.i32 X2, X2, X3 + vsri.u32 Y3, T0, #24 + vext.32 X3, X3, X3, #1 + vshl.i32 Z3, T1, #8 + veor T0, X1, X2 + 
vext.32 X2, X2, X2, #2 + vadd.i32 Y2, Y2, Y3 + vext.32 Y3, Y3, Y3, #1 + vsri.u32 Z3, T1, #24 + vshl.i32 X1, T0, #7 + veor T1, Y1, Y2 + vext.32 Y2, Y2, Y2, #2 + vadd.i32 Z2, Z2, Z3 + vext.32 Z3, Z3, Z3, #1 + vsri.u32 X1, T0, #25 + vshl.i32 Y1, T1, #7 + veor T0, Z1, Z2 + vext.32 Z2, Z2, Z2, #2 + vext.32 X1, X1, X1, #3 + vsri.u32 Y1, T1, #25 + vshl.i32 Z1, T0, #7 + vext.32 Y1, Y1, Y1, #3 + vsri.u32 Z1, T0, #25 + + subs ROUNDS, ROUNDS, #2 + + vext.32 Z1, Z1, Z1, #3 + + bhi .Loop + + C Add updated counters + vadd.i32 Y3, Y3, T2 + vadd.i32 Z3, Z3, T3 + + vld1.32 {T0,T1}, [SRC] + vadd.i32 X0, X0, T0 + vadd.i32 X1, X1, T1 + + C vst1.8 because caller expects results little-endian + C interleave loads, calculations and stores to save cycles on stores + C use vstm when little-endian for some additional speedup +IF_BE(` vst1.8 {X0,X1}, [DST]!') + + vld1.32 {T2,T3}, [SRCp32] + vadd.i32 X2, X2, T2 + vadd.i32 X3, X3, T3 +IF_BE(` vst1.8 {X2,X3}, [DST]!') +IF_LE(` vstmia DST!, {X0,X1,X2,X3}') + + vadd.i32 Y0, Y0, T0 + vadd.i32 Y1, Y1, T1 +IF_BE(` vst1.8 {Y0,Y1}, [DST]!') + + vadd.i32 Y2, Y2, T2 +IF_BE(` vst1.8 {Y2,Y3}, [DST]!') +IF_LE(` vstmia DST!, {Y0,Y1,Y2,Y3}') + + vadd.i32 Z0, Z0, T0 + vadd.i32 Z1, Z1, T1 +IF_BE(` vst1.8 {Z0,Z1}, [DST]!') + + vadd.i32 Z2, Z2, T2 + + vpop {q4,q5,q6,q7} + +IF_BE(` vst1.8 {Z2,Z3}, [DST]') +IF_LE(` vstm DST, {Z0,Z1,Z2,Z3}') + bx lr +EPILOGUE(_nettle_chacha_3core) + +PROLOGUE(_nettle_chacha_3core32) + add SRCp32, SRC, #32 + vld1.32 {X0,X1}, [SRC] + vld1.32 {X2,X3}, [SRCp32] + vpush {q4,q5,q6,q7} + adr r12, .Lcount1 + vld1.32 {Z3}, [r12] + + vadd.i32 Y3, X3, Z3 C Increment 32-bit counter + vadd.i32 Z3, Y3, Z3 + b .Lshared_entry +EPILOGUE(_nettle_chacha_3core32) diff -Nru nettle-3.4.1/arm/neon/chacha-core-internal.asm nettle-3.7.3/arm/neon/chacha-core-internal.asm --- nettle-3.4.1/arm/neon/chacha-core-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/neon/chacha-core-internal.asm 1970-01-01 00:00:00.000000000 +0000 
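Review bot: The prototype comment `C _chacha_3core(uint32_t *dst, const uint32_t *src, unsigned rounds)` does not say that the routine writes three consecutive 64-byte blocks, so `dst` must have room for 192 bytes, and `_nettle_chacha_3core32` carries no prototype comment at all; suggest adding below the existing line `C Writes 3 consecutive 64-byte blocks to dst; the second and third use the 64-bit counter in words 12-13 incremented by 1 and 2` and a matching line before `PROLOGUE(_nettle_chacha_3core32)` noting that only the 32-bit counter in word 12 is incremented (`vadd.i32 Y3, X3, Z3`). The round loop is `subs ROUNDS, ROUNDS, #2` / `bhi .Loop`, so the count is consumed two at a time and a zero or odd `rounds` still executes at least one double round; presumably every caller passes an even positive count, but a one-line precondition comment next to the loop would make that explicit. Separately, the new arm/README in this same patch still points readers at `arm/neon/chacha-core-internal.asm` for the vldm/vstm example, yet that file is deleted here in favour of this one, so the cross-reference should name this file instead.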
@@ -1,136 +0,0 @@ -C arm/neon/chacha-core-internal.asm - -ifelse(< - Copyright (C) 2013, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "chacha-core-internal.asm" - .fpu neon - -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, < - C x0 += x1, x3 ^= x0, x3 lrot 16 - C x2 += x3, x1 ^= x2, x1 lrot 12 - C x0 += x1, x3 ^= x0, x3 lrot 8 - C x2 += x3, x1 ^= x2, x1 lrot 7 - - vadd.i32 $1, $1, $2 - veor $4, $4, $1 - vshl.i32 T0, $4, #16 - vshr.u32 $4, $4, #16 - veor $4, $4, T0 - - vadd.i32 $3, $3, $4 - veor $2, $2, $3 - vshl.i32 T0, $2, #12 - vshr.u32 $2, $2, #20 - veor $2, $2, T0 - - vadd.i32 $1, $1, $2 - veor $4, $4, $1 - vshl.i32 T0, $4, #8 - vshr.u32 $4, $4, #24 - veor $4, $4, T0 - - vadd.i32 $3, $3, $4 - veor $2, $2, $3 - vshl.i32 T0, $2, #7 - vshr.u32 $2, $2, #25 - veor $2, $2, T0 ->) - - .text - .align 4 - C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) - -PROLOGUE(_nettle_chacha_core) - vldm SRC, {X0,X1,X2,X3} - - vmov S0, X0 - vmov S1, X1 - vmov S2, X2 - vmov S3, X3 - - C Input rows: - C 0 1 2 3 X0 - C 4 5 6 7 X1 - C 8 9 10 11 X2 - C 12 13 14 15 X3 - -.Loop: - QROUND(X0, X1, X2, X3) - - C Rotate rows, to get - C 0 1 2 3 - C 5 6 7 4 >>> 3 - C 10 11 8 9 >>> 2 - C 15 12 13 14 >>> 1 - vext.32 X1, X1, X1, #1 - vext.32 X2, X2, X2, #2 - vext.32 X3, X3, X3, #3 - - QROUND(X0, X1, X2, X3) - - subs ROUNDS, ROUNDS, #2 - C Inverse rotation - vext.32 X1, X1, X1, #3 - vext.32 X2, X2, X2, #2 - vext.32 X3, X3, X3, #1 - - bhi .Loop - - vadd.u32 X0, X0, S0 - vadd.u32 X1, X1, S1 - vadd.u32 X2, X2, S2 - vadd.u32 X3, X3, S3 - - vstm DST, {X0,X1,X2,X3} - bx lr -EPILOGUE(_nettle_chacha_core) - -divert(-1) -define chachastate -p/x $q0.u32 -p/x $q1.u32 -p/x $q2.u32 -p/x $q3.u32 -end diff -Nru nettle-3.4.1/arm/neon/salsa20-2core.asm nettle-3.7.3/arm/neon/salsa20-2core.asm --- nettle-3.4.1/arm/neon/salsa20-2core.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/arm/neon/salsa20-2core.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,220 @@ +C arm/neon/salsa20-2core.asm + +ifelse(` + Copyright (C) 2020 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+') + + .file "salsa20-2core.asm" + .fpu neon + +define(`DST', `r0') +define(`SRC', `r1') +define(`ROUNDS', `r2') +define(`SRCp32', `r3') + +C State, even elements in X, odd elements in Y +define(`X0', `q0') +define(`X1', `q1') +define(`X2', `q2') +define(`X3', `q3') +define(`Y0', `q8') +define(`Y1', `q9') +define(`Y2', `q10') +define(`Y3', `q11') +define(`T0', `q12') +define(`T1', `q13') +define(`T2', `q14') +define(`T3', `q15') + + .text + .align 4 +.Lcount1: + .int 1,0,0,0 + + C _salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) +PROLOGUE(_nettle_salsa20_2core) + C loads using vld1.32 to be endianness-neutral wrt consecutive 32-bit words + add SRCp32, SRC, #32 + vld1.32 {X0,X1}, [SRC] + vld1.32 {X2,X3}, [SRCp32] + adr r12, .Lcount1 + + vmov Y3, X0 + vld1.32 {Y1}, [r12] + vmov Y0, X1 + vadd.i64 Y1, Y1, X2 C Increment counter + vmov Y2, X3 + + vtrn.32 X0, Y3 C X0: 0 0 2 2 Y3: 1 1 3 3 + vtrn.32 X1, Y0 C X1: 4 4 6 6 Y0: 5 5 7 7 + vtrn.32 X2, Y1 C X2: 8 8 10 10 Y1: 9 9 11 11 + vtrn.32 X3, Y2 C X3: 12 12 14 14 Y2: 13 13 15 15 + + C Swap, to get + C X0: 0 10 Y0: 5 15 + C X1: 4 14 Y1: 9 3 + C X2: 8 2 Y2: 13 7 + C X3: 12 6 Y3: 1 11 + vswp D1REG(X0), D1REG(X2) + vswp D1REG(X1), D1REG(X3) + vswp D1REG(Y0), D1REG(Y2) + vswp D1REG(Y1), D1REG(Y3) + +.Loop: +C Register layout (A is first block, B is second block) +C +C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 +C X1: A4 B4 A14 B14 Y1: A9 B9 A3 B3 +C X2: A8 B8 A2 B2 Y2: A13 B13 A7 B7 +C X3: A12 B12 A6 B6 Y3: A1 B1 A11 B11 + + vadd.i32 T0, X0, X3 + vshl.i32 T1, T0, #7 + vadd.i32 T2, Y0, Y3 + vsri.u32 T1, T0, #25 + vshl.i32 T3, T2, #7 + veor X1, X1, T1 + vsri.u32 T3, T2, #25 + vadd.i32 T0, X1, X0 + veor Y1, Y1, T3 + vshl.i32 T1, T0, #9 + vadd.i32 T2, Y1, Y0 + vsri.u32 T1, T0, #23 + vshl.i32 T3, T2, #9 + veor X2, X2, T1 + vsri.u32 T3, T2, #23 + vadd.i32 T0, X2, X1 + veor Y2, Y2, T3 + vshl.i32 T1, T0, #13 + vadd.i32 T2, Y2, Y1 + vsri.u32 T1, T0, #19 + vshl.i32 T3, T2, #13 + veor X3, X3, T1 + vsri.u32 T3, T2, #19 + 
vadd.i32 T0, X3, X2 + veor Y3, Y3, T3 + vshl.i32 T1, T0, #18 + vadd.i32 T2, Y3, Y2 + vext.32 Y1, Y1, Y1, #2 + vsri.u32 T1, T0, #14 + vshl.i32 T3, T2, #18 + vext.32 Y2, Y2, Y2, #2 + veor X0, X0, T1 + vsri.u32 T3, T2, #14 + vext.32 X3, X3, X3, #2 + veor Y0, Y0, T3 + +C Register layout: +C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 +C Y1: A3 B3 A9 B9 X1: A4 B4 A14 B14 (Y1 swapped) +C X2: A2 B2 A8 B8 Y2: A7 B7 A13 B13 (X2, Y2 swapped) +C Y3: A1 B1 A11 B11 X3: A6 B6 A12 B12 (X3 swapped) + + vadd.i32 T0, X0, Y1 + vext.32 X2, X2, X2, #2 + vshl.i32 T1, T0, #7 + vadd.i32 T2, Y0, X1 + vsri.u32 T1, T0, #25 + vshl.i32 T3, T2, #7 + veor Y3, Y3, T1 + vsri.u32 T3, T2, #25 + vadd.i32 T0, Y3, X0 + veor X3, X3, T3 + vshl.i32 T1, T0, #9 + vadd.i32 T2, X3, Y0 + vsri.u32 T1, T0, #23 + vshl.i32 T3, T2, #9 + veor X2, X2, T1 + vsri.u32 T3, T2, #23 + vadd.i32 T0, X2, Y3 + veor Y2, Y2, T3 + vshl.i32 T1, T0, #13 + vadd.i32 T2, Y2, X3 + vsri.u32 T1, T0, #19 + vshl.i32 T3, T2, #13 + veor Y1, Y1, T1 + vsri.u32 T3, T2, #19 + vadd.i32 T0, Y1, X2 + veor X1, X1, T3 + vext.32 X2, X2, X2, #2 + vshl.i32 T1, T0, #18 + vadd.i32 T2, X1, Y2 + vext.32 Y1, Y1, Y1, #2 + vsri.u32 T1, T0, #14 + subs ROUNDS, ROUNDS, #2 + vshl.i32 T3, T2, #18 + vext.32 X3, X3, X3, #2 + veor X0, X0, T1 + vsri.u32 T3, T2, #14 + vext.32 Y2, Y2, Y2, #2 + veor Y0, Y0, T3 + + bhi .Loop + +C Inverse swaps and transpositions + + vswp D1REG(X0), D1REG(X2) + vswp D1REG(X1), D1REG(X3) + vswp D1REG(Y0), D1REG(Y2) + vswp D1REG(Y1), D1REG(Y3) + + vld1.32 {T0,T1}, [SRC] + vld1.32 {T2,T3}, [SRCp32] + + vtrn.32 X0, Y3 + vtrn.32 X1, Y0 + vtrn.32 X2, Y1 + vtrn.32 X3, Y2 + +C Add in the original context + vadd.i32 X0, X0, T0 + vadd.i32 X1, X1, T1 + +C vst1.8 because caller expects results little-endian +C interleave loads, calculations and stores to save cycles on stores +C use vstm when little-endian for some additional speedup +IF_BE(` vst1.8 {X0,X1}, [DST]!') + + vadd.i32 X2, X2, T2 + vadd.i32 X3, X3, T3 +IF_BE(` vst1.8 {X2,X3}, [DST]!') +IF_LE(` 
vstmia DST!, {X0,X1,X2,X3}') + + vld1.32 {X0}, [r12] + vadd.i32 T0, T0, Y3 + vadd.i64 T2, T2, X0 + vadd.i32 T1, T1, Y0 +IF_BE(` vst1.8 {T0,T1}, [DST]!') + + vadd.i32 T2, T2, Y1 + vadd.i32 T3, T3, Y2 +IF_BE(` vst1.8 {T2,T3}, [DST]') +IF_LE(` vstm DST, {T0,T1,T2,T3}') + bx lr +EPILOGUE(_nettle_salsa20_2core) diff -Nru nettle-3.4.1/arm/neon/salsa20-core-internal.asm nettle-3.7.3/arm/neon/salsa20-core-internal.asm --- nettle-3.4.1/arm/neon/salsa20-core-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/neon/salsa20-core-internal.asm 1970-01-01 00:00:00.000000000 +0000 
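Review bot: The register-layout tables at `.Loop` and after the first half round list `Y0: A5 A5 A15 B15`, which should be `Y0: A5 B5 A15 B15` — lane 1 of Y0 holds block B's word 5, as the `vtrn.32 X1, Y0` comment (`Y0: 5 5 7 7`) followed by the `vswp` of the high halves implies, and as every other row of the table is written (`X0: A0 B0 A10 B10`). The prototype comment `C _salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds)` should also state that two consecutive 64-byte blocks (128 bytes) are written to `dst`, the second with the 64-bit counter in words 8-9 incremented by one (`vadd.i64 Y1, Y1, X2` on entry and `vadd.i64 T2, T2, X0` before the final add-in). The rounds loop uses the same `subs`/`bhi` pattern as the ChaCha routine, so `rounds` is presumably expected to be even and positive; a short precondition comment would make that explicit.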
@@ -1,194 +0,0 @@ -C arm/neon/salsa20-core-internal.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "salsa20-core-internal.asm" - .fpu neon - -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, < - vadd.i32 T0, $1, $4 - vshl.i32 T1, T0, #7 - vshr.u32 T0, T0, #25 - veor $2, $2, T0 - veor $2, $2, T1 - - vadd.i32 T0, $1, $2 - vshl.i32 T1, T0, #9 - vshr.u32 T0, T0, #23 - veor $3, $3, T0 - veor $3, $3, T1 - - vadd.i32 T0, $2, $3 - vshl.i32 T1, T0, #13 - vshr.u32 T0, T0, #19 - veor $4, $4, T0 - veor $4, $4, T1 - - vadd.i32 T0, $3, $4 - vshl.i32 T1, T0, #18 - vshr.u32 T0, T0, #14 - veor $1, $1, T0 - veor $1, $1, T1 ->) - - .text - .align 4 -.Lmasks: - .int 0,-1, 0,-1 - .int 0,-1,-1, 0 - .int 0, 0,-1,-1 - - C _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) - -PROLOGUE(_nettle_salsa20_core) - vldm SRC, {X0,X1,X2,X3} - - C Input rows: - C 0 1 2 3 X0 - C 4 5 6 7 X1 - C 8 9 10 11 X2 - C 12 13 14 15 X3 - C Permuted to: - C 0 5 10 15 - C 4 9 14 3 - C 8 13 2 7 - C 12 1 6 11 - - C FIXME: Construct in some other way? 
- adr r12, .Lmasks - vldm r12, {M0101, M0110, M0011} - - vmov S1, X1 - vmov S2, X2 - vmov S3, X3 - - C Swaps in columns 1, 3: - C 0 5 2 7 X0 ^ - C 4 1 6 3 T0 v - C 8 13 10 15 T1 ^ - C 12 9 14 11 X3 v - vmov T0, X1 - vmov T1, X2 - vbit T0, X0, M0101 - vbit X0, X1, M0101 - vbit T1, X3, M0101 - vbit X3, X2, M0101 - - C Swaps in column 1, 2: - C 0 5 2 7 X0 - C 4 9 14 3 X1 ^ - C 8 13 10 15 T1 | - C 12 1 6 11 X3 v - vmov X1, T0 - vbit X1, X3, M0110 - vbit X3, T0, M0110 - - C Swaps in columm 2,3: - C 0 5 10 15 X0 ^ - C 4 9 14 3 X1 | - C 8 13 2 7 X2 v - C 12 1 6 11 X3 - vmov X2, T1 - vbit X2, X0, M0011 - vbit X0, T1, M0011 - -.Loop: - QROUND(X0, X1, X2, X3) - - C Rotate rows, to get - C 0 5 10 15 - C 3 4 9 14 >>> 1 - C 2 7 8 13 >>> 2 - C 1 6 11 12 >>> 3 - vext.32 X1, X1, X1, #3 - vext.32 X2, X2, X2, #2 - vext.32 X3, X3, X3, #1 - - QROUND(X0, X3, X2, X1) - - subs ROUNDS, ROUNDS, #2 - C Inverse rotation - vext.32 X1, X1, X1, #1 - vext.32 X2, X2, X2, #2 - vext.32 X3, X3, X3, #3 - - bhi .Loop - - C Inverse swaps - vmov T1, X2 - vbit T1, X0, M0011 - vbit X0, X2, M0011 - - vmov T0, X1 - vbit T0, X3, M0110 - vbit X3, X1, M0110 - - vmov X1, T0 - vmov X2, T1 - vbit X1, X0, M0101 - vbit X0, T0, M0101 - vbit X2, X3, M0101 - vbit X3, T1, M0101 - - vld1.64 {T0}, [SRC] - vadd.u32 X0, X0, T0 - vadd.u32 X1, X1, S1 - vadd.u32 X2, X2, S2 - vadd.u32 X3, X3, S3 - - vstm DST, {X0,X1,X2,X3} - bx lr -EPILOGUE(_nettle_salsa20_core) - -divert(-1) -define salsastate -p/x $q0.u32 -p/x $q1.u32 -p/x $q2.u32 -p/x $q3.u32 -end diff -Nru nettle-3.4.1/arm/neon/sha3-permute.asm nettle-3.7.3/arm/neon/sha3-permute.asm --- nettle-3.4.1/arm/neon/sha3-permute.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/neon/sha3-permute.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/neon/sha3-permute.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,62 +28,62 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "sha3-permute.asm" .fpu neon -define(, ) -define(, ) -define(, ) +define(`CTX', `r0') +define(`COUNT', `r1') +define(`RC', `r2') C First column -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`A0', `d0') +define(`A5', `d2') +define(`A10', `d3') +define(`A15', `d4') +define(`A20', `d5') + +define(`A1', `d6') +define(`A2', `d7') +define(`A3', `d8') +define(`A4', `d9') + +define(`A6', `d16') +define(`A7', `d17') +define(`A8', `d18') +define(`A9', `d19') + +define(`A11', `d20') +define(`A12', `d21') +define(`A13', `d22') +define(`A14', `d23') + +define(`A16', `d24') +define(`A17', `d25') +define(`A18', `d26') +define(`A19', `d27') + +define(`A21', `d28') +define(`A22', `d29') +define(`A23', `d30') +define(`A24', `d31') + +define(`T0', `d10') +define(`T1', `d11') + +define(`C0', `d1') +define(`C1', `d12') +define(`C2', `d13') +define(`C3', `d14') +define(`C4', `d15') C ROL(DST, SRC, COUNT) C Must have SRC != DST -define(, < +define(`ROL', ` vshr.u64 $1, $2, #eval(64-$3) vsli.i64 $1, $2, #$3 - >) + ') C sha3_permute(struct sha3_ctx *ctx) .text diff -Nru nettle-3.4.1/arm/neon/sha512-compress.asm nettle-3.7.3/arm/neon/sha512-compress.asm --- nettle-3.4.1/arm/neon/sha512-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/neon/sha512-compress.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -1,6 +1,6 @@ C arm/neon/sha512-compress.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,73 +28,73 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "sha512-compress.asm" .fpu neon -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`STATE', `r0') +define(`INPUT', `r1') +define(`K', `r2') +define(`COUNT', `r3') +define(`SHIFT', `r12') + +define(`SA', `d0') +define(`SB', `d1') +define(`SC', `d2') +define(`SD', `d3') +define(`SE', `d4') +define(`SF', `d5') +define(`SG', `d6') +define(`SH', `d7') +define(`QSAB', `q0') +define(`QSCD', `q1') +define(`QSEF', `q2') +define(`QSGH', `q3') C d8-d15 are callee-save -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`DT0', `d8') +define(`DT1', `d9') +define(`QT01', `q4') +define(`DT2', `d10') +define(`DT3', `d11') +define(`QT23', `q5') +define(`DT4', `d12') +define(`DT5', `d13') +define(`QT45', `q6') C Used only when reading the input, can overlap with state -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`DT6', `d0') +define(`DT7', `d1') +define(`QT67', `q0') + +define(`DW0', `d16') +define(`DW1', `d17') +define(`DW2', `d18') +define(`DW3', `d19') +define(`DW4', `d20') +define(`DW5', `d21') +define(`DW6', `d22') +define(`DW7', `d23') +define(`DW8', `d24') +define(`DW9', `d25') +define(`DW10', `d26') +define(`DW11', `d27') +define(`DW12', `d28') +define(`DW13', `d29') +define(`DW14', `d30') +define(`DW15', `d31') +define(`QW0001', `q8') +define(`QW0203', `q9') 
+define(`QW0405', `q10') +define(`QW0607', `q11') +define(`QW0809', `q12') +define(`QW1011', `q13') +define(`QW1213', `q14') +define(`QW1415', `q15') -define(, <$1>) -define(, eval(($1) % 16))>) +define(`EXPAND_ME', `$1') +define(`W', `EXPAND_ME(`DW'eval(($1) % 16))') C If x = W(i+14), y = w(i+1), we xor in parallel C @@ -105,7 +105,7 @@ C xor x >> 6 y >> 7 C ----------------------------- C DT0 DT1 -define(, < +define(`EXPN', ` vshl.i64 DT0, W($1+14), #45 vshl.i64 DT1, W($1 + 1), #63 vshr.u64 DT2, W($1+14), #19 @@ -123,7 +123,7 @@ veor.i64 QT01, QT01, QT45 vadd.i64 W($1), W($1), DT0 vadd.i64 W($1), W($1), DT1 ->) +') C ROUND(A,B,C,D,E,F,G,H,i) C @@ -148,7 +148,7 @@ C xor e >> 41 a >> 39 C ---------------------------- C DT0 DT1 -define(, < +define(`ROUND', ` vshl.i64 DT0, $5, #50 vshl.i64 DT1, $1, #36 vshr.u64 DT2, $5, #14 @@ -180,7 +180,7 @@ vadd.i64 DT1, DT1, DT2 vadd.i64 $4, $4, $8 vadd.i64 $8, $8, DT1 ->) +') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) diff -Nru nettle-3.4.1/arm/neon/umac-nh.asm nettle-3.7.3/arm/neon/umac-nh.asm --- nettle-3.4.1/arm/neon/umac-nh.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/neon/umac-nh.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/neon/umac-nh.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,26 +28,26 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "umac-nh.asm" .fpu neon -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`KEY', `r0') +define(`LENGTH', `r1') +define(`MSG', `r2') +define(`SHIFT', `r3') + +define(`QA', `q0') +define(`QB', `q1') +define(`DM', `d16') +define(`QLEFT', `q9') +define(`QRIGHT', `q10') +define(`QY', `q11') +define(`QT0', `q12') +define(`QT1', `q13') +define(`QK0', `q14') +define(`QK1', `q15') .text .align 3 @@ -97,6 +97,8 @@ bhi .Loop vadd.i64 D0REG(QY), D0REG(QY), D1REG(QY) - vmov r0, r1, D0REG(QY) + C return value needs to respect word order mandated by AAPCS +IF_LE(` vmov r0, r1, D0REG(QY)') +IF_BE(` vmov r1, r0, D0REG(QY)') bx lr EPILOGUE(_nettle_umac_nh) diff -Nru nettle-3.4.1/arm/neon/umac-nh-n.asm nettle-3.7.3/arm/neon/umac-nh-n.asm --- nettle-3.4.1/arm/neon/umac-nh-n.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/neon/umac-nh-n.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/neon/umac-nh-n.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,33 +28,33 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "umac-nh.asm" .fpu neon -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) C Accumulates for the first two operations. -define(, ) -define(, ) C Used for 3 and 4 iterations. -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`OUT', `r0') +define(`ITERS', `r1') +define(`KEY', `r2') +define(`LENGTH', `r3') +define(`MSG', `r12') +define(`SHIFT', `r14') + +define(`QA', `q0') +define(`QB', `q1') +define(`QY0', `q3') C Accumulates for the first two operations. +define(`DM', `d4') +define(`QY1', `q4') C Used for 3 and 4 iterations. +define(`QC', `q5') +define(`QD', `q6') +define(`QLEFT', `q8') +define(`QRIGHT', `q9') +define(`QT0', `q10') +define(`QT1', `q11') +define(`QT2', `q12') +define(`QK0', `q13') +define(`QK1', `q14') +define(`QK2', `q15') C FIXME: Try permuting subkeys using vld4, vzip or similar. diff -Nru nettle-3.4.1/arm/README nettle-3.7.3/arm/README --- nettle-3.4.1/arm/README 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/arm/README 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,126 @@ +Currently, code in this directory is written for arm cortex-a9. + +For efficient loads and stores, use ldmia, stmia and friends. Can do +two loads or stores per cycle with 8-byte aligned addresses, or three +loads or stores in two cycles, regardless of alignment. + +12 usable registers (if we exclude r9). + +ABI gnueabi(hf) (not depending on the floating point conventions) + +Registers May be Argument + clobbered number + +r0 Y 1 +r1 Y 2 +r2 Y 3 +r3 Y 4 +r4 N +r5 N +r6 N +r7 N +r8 N +r9 (sl) +r10 N +r11 N +r12 (ip) Y +r13 (sp) +r14 (lr) N +r15 (pc) + +q0 (d0, d1) Y 1 (for "hf" abi) +q1 (d2, d3) Y 2 +q2 (d4, d5) Y 3 +q3 (d6, d7) Y 4 +q4 (d8, d9) N +q5 (d10, d11) N +q6 (d12, d13) N +q7 (d14, d15) N +q8 (d16, d17) Y +q9 (d18, d19) Y +q10 (d20, d21) Y +q11 (d22, d23) Y +q12 (d24, d25) Y +q13 (d26, d27) Y +q14 (d28, d29) Y +q15 (d30, d31) Y + +Endianness + +ARM supports big- and little-endian memory access modes. Representation in +registers stays the same but loads and stores switch bytes. This has to be +taken into account in various cases. + +Two m4 macros are provided to handle these special cases in assembly source: +IF_LE(,) +IF_BE(,) +respectively expand to if the target system's endianness is +little-endian or big-endian. Otherwise they expand to . + +1. ldr/str + +Loading and storing 32-bit words will reverse the words' bytes in little-endian +mode. If the handled data is actually a byte sequence or data in network byte +order (big-endian), the loaded word needs to be reversed after load to get it +back into correct sequence. See v6/sha1-compress.asm LOAD macro for example. + +2. shifts + +If data is to be processed with bit operations only, endianness can be ignored +because byte-swapping on load and store will cancel each other out. Shifts +however have to be inverted. See arm/memxor.asm for an example. + +3. v{ld,st}1.{8,32} + +NEON's vld instruction can be used to produce endianness-neutral code. 
vld1.8 +will load a byte sequence into a register regardless of memory endianness. This +can be used to process byte sequences. See arm/neon/umac-nh.asm for example. + +In the same fashion, vst1.8 can be used do a little-endian store. See +arm/neon/salsa and chacha routines for examples. + +NOTE: vst1.x (at least on the Allwinner A20 Cortex-A7 implementation) seems to +interfer with itself on subsequent calls, slowing it down. This can be avoided +by putting calculcations or loads inbetween two vld1.x stores. + +Similarly, vld1.32 is used in chacha and salsa routines where 32-bit operands +are stored in host-endianness in RAM but need to be loaded sequentially without +the distortion introduced by vldm/vstm. Consecutive vld1.x instructions do not +seem to suffer from slowdown similar to vst1.x. + +4. vldm/vstm + +Care has to be taken when using vldm/vstm because they have two non-obvious +characteristics: + +a. vldm/vstm do normal byte-swapping on each value they load. When loading into + d (doubleword) registers, this means that bytes, halfwords and words of the + doubleword get swapped. When the data loaded actually represents e.g. + vectors of 32-bit words this will swap columns. +a. vldm/vstm on q (quadword) registers get translated into lvdm/vstm on the + equivalent number of d (doubleword) registers. Instead of a 128-bit load it + does two 64-bit loads. When again handling vectors of 32-bit words this will + still swap adjacent columns but will not reverse all four columns. + +memory adr0: w0 w1 w2 w3 +register q0: w1 w0 w3 w2 + +See arm/neon/chacha-core-internal.asm for an example. + +5. simple byte store + +Sometimes it is necessary to store remaining single bytes to memory. A simple +logic will store the lowest byte from a register, then do a right shift and +start over until all bytes are stored. Since this constitutes a +least-significant-byte-first store, the data to be stored needs to be reversed +first on a big-endian system. 
See arm/memxor.asm Lmemxor_leftover for an +example. + +6. Function parameters/return values + +AAPCS requires 64-bit parameters to be passed to and returned from functions +"in two consecutive registers [...] as if the value had been loaded from memory +representation with a single LDM instruction." Since loading a big-endian +doubleword using ldm transposes its words, the same has to be done when e.g. +returning a 64-bit value from an assembler routine. See arm/neon/umac-nh.asm +for an example. diff -Nru nettle-3.4.1/arm/v6/aes-decrypt-internal.asm nettle-3.7.3/arm/v6/aes-decrypt-internal.asm --- nettle-3.4.1/arm/v6/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/v6/aes-decrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/v6/aes-decrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. @@ -28,42 +28,42 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .arch armv6 -include_src() +include_src(`arm/aes.m4') -define(, ) -define(, ) -define(

, ) -define(, ) +define(`PARAM_ROUNDS', `r0') +define(`PARAM_KEYS', `r1') +define(`TABLE', `r2') +define(`LENGTH', `r3') C On stack: DST, SRC -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) C Overlaps PARAM_ROUNDS and PARAM_KEYS -define(, ) -define(, ) -define(, ) C lr +define(`W0', `r4') +define(`W1', `r5') +define(`W2', `r6') +define(`W3', `r7') +define(`T0', `r8') +define(`COUNT', `r10') +define(`KEY', `r11') + +define(`X0', `r0') C Overlaps PARAM_ROUNDS and PARAM_KEYS +define(`X1', `r1') +define(`X2', `r12') +define(`X3', `r14') C lr -define(>, <[sp]>) -define(, <[sp, #+4]>) +define(`FRAME_ROUNDS', `[sp]') +define(`FRAME_KEYS', `[sp, #+4]') C 8 saved registers -define(, <[sp, #+40]>) -define(, <[sp, #+44]>) +define(`FRAME_DST', `[sp, #+40]') +define(`FRAME_SRC', `[sp, #+44]') -define(, ) C Overlap registers used in inner loop. -define(, ) +define(`SRC', `r12') C Overlap registers used in inner loop. +define(`DST', `COUNT') C AES_DECRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) -define(, < +define(`AES_DECRYPT_ROUND', ` uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 @@ -121,7 +121,7 @@ eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ->) +') .file "aes-decrypt-internal.asm" diff -Nru nettle-3.4.1/arm/v6/aes-encrypt-internal.asm nettle-3.7.3/arm/v6/aes-encrypt-internal.asm --- nettle-3.4.1/arm/v6/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/v6/aes-encrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/v6/aes-encrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,11 +28,11 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .arch armv6 -include_src() +include_src(`arm/aes.m4') C Benchmarked at at 706, 870, 963 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. @@ -40,38 +40,38 @@ C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. -define(, ) -define(, ) -define(
, ) -define(, ) +define(`PARAM_ROUNDS', `r0') +define(`PARAM_KEYS', `r1') +define(`TABLE', `r2') +define(`LENGTH', `r3') C On stack: DST, SRC -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) C Overlaps PARAM_ROUNDS and PARAM_KEYS -define(, ) -define(, ) -define(, ) C lr +define(`W0', `r4') +define(`W1', `r5') +define(`W2', `r6') +define(`W3', `r7') +define(`T0', `r8') +define(`COUNT', `r10') +define(`KEY', `r11') + +define(`X0', `r0') C Overlaps PARAM_ROUNDS and PARAM_KEYS +define(`X1', `r1') +define(`X2', `r12') +define(`X3', `r14') C lr -define(>, <[sp]>) -define(, <[sp, #+4]>) +define(`FRAME_ROUNDS', `[sp]') +define(`FRAME_KEYS', `[sp, #+4]') C 8 saved registers -define(, <[sp, #+40]>) -define(, <[sp, #+44]>) +define(`FRAME_DST', `[sp, #+40]') +define(`FRAME_SRC', `[sp, #+44]') -define(, ) C Overlap registers used in inner loop. -define(, ) +define(`SRC', `r12') C Overlap registers used in inner loop. +define(`DST', `COUNT') C 53 instr. C It's tempting to use eor with rotation, but that's slower. C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) -define(, < +define(`AES_ENCRYPT_ROUND', ` uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 @@ -129,7 +129,7 @@ eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ->) +') .file "aes-encrypt-internal.asm" diff -Nru nettle-3.4.1/arm/v6/sha1-compress.asm nettle-3.7.3/arm/v6/sha1-compress.asm --- nettle-3.4.1/arm/v6/sha1-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/v6/sha1-compress.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/v6/sha1-compress.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,34 +28,34 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "sha1-compress.asm" .arch armv6 -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`STATE', `r0') +define(`INPUT', `r1') +define(`SA', `r2') +define(`SB', `r3') +define(`SC', `r4') +define(`SD', `r5') +define(`SE', `r6') +define(`T0', `r7') +define(`SHIFT', `r8') +define(`WPREV', `r10') +define(`W', `r12') +define(`K', `lr') C FIXME: Could avoid a mov with even and odd variants. -define(, < +define(`LOAD', ` ldr T0, [INPUT], #+4 sel W, WPREV, T0 ror W, W, SHIFT mov WPREV, T0 - rev W, W +IF_LE(` rev W, W') str W, [SP,#eval(4*$1)] ->) -define(, < +') +define(`EXPN', ` ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 2) % 16))] eor W, W, T0 @@ -65,11 +65,11 @@ eor W, W, T0 ror W, W, #31 str W, [sp, #+eval(4*$1)] ->) +') C F1(B,C,D) = D^(B&(C^D)) C ROUND1(A,B,C,D,E) -define(, < +define(`ROUND1', ` eor T0, $3, $4 add $5, $5, K and T0, T0, $2 @@ -78,9 +78,9 @@ add $5, $5, W ror $2, $2, #2 add $5, $5, T0 ->) +') C F2(B,C,D) = B^C^D -define(, < +define(`ROUND2', ` eor T0, $2, $4 add $5, $5, K eor T0, T0, $3 @@ -88,9 +88,9 @@ add $5, $5, W ror $2, $2, #2 add $5, $5, T0 ->) +') C F3(B,C,D) = (B&C) | (D & (B|C)) = (B & (C ^ D)) + (C & D) -define(, < +define(`ROUND3', ` eor T0, $3, $4 add $5, $5, K and T0, T0, $2 @@ -100,8 +100,8 @@ and T0, $3, $4 ror $2, $2, #2 add $5, $5, T0 ->) - C void _nettle_sha1_compress(uint32_t *state, const uint8_t *input) +') + C void nettle_sha1_compress(uint32_t *state, const uint8_t *input) .text .align 2 @@ -112,7 +112,7 @@ .LK3: .int 0x8F1BBCDC -PROLOGUE(_nettle_sha1_compress) +PROLOGUE(nettle_sha1_compress) push {r4,r5,r6,r7,r8,r10,lr} sub sp, sp, #64 
@@ -127,8 +127,12 @@ lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 - lsl W, T0, SHIFT +IF_LE(` lsl W, T0, SHIFT') +IF_BE(` lsr W, T0, SHIFT') uadd8 T0, T0, W C Sets APSR.GE bits + C on BE rotate right by 32-SHIFT bits + C because there is no rotate left +IF_BE(` rsb SHIFT, SHIFT, #32') ldr K, .LK1 ldm STATE, {SA,SB,SC,SD,SE} @@ -242,7 +246,7 @@ add sp, sp, #64 stm STATE, {SA,SB,SC,SD,SE} pop {r4,r5,r6,r7,r8,r10,pc} -EPILOGUE(_nettle_sha1_compress) +EPILOGUE(nettle_sha1_compress) .LK4: .int 0xCA62C1D6 diff -Nru nettle-3.4.1/arm/v6/sha256-compress.asm nettle-3.7.3/arm/v6/sha256-compress.asm --- nettle-3.4.1/arm/v6/sha256-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/arm/v6/sha256-compress.asm 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,6 @@ C arm/v6/sha256-compress.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
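Review bot: On the big-endian path the added `rsb SHIFT, SHIFT, #32` leaves SHIFT equal to 32 for word-aligned input (SHIFT is 0 there), and the `ror W, W, SHIFT` inside the LOAD macro then only produces the unrotated word because ARM's register-form ROR reduces the amount modulo 32; that is how the instruction is specified, but nothing in the source says the aligned case depends on it. Suggest widening the new comment, e.g. `C on BE rotate right by 32-SHIFT bits because there is no rotate left; for aligned input SHIFT becomes 32, which ROR treats as no rotation`. The prologue this hunk patches begins before the hunk, and the LOAD macro that consumes SHIFT is defined in the earlier hunk of this file.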
@@ -28,38 +28,38 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "sha256-compress.asm" .arch armv6 -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) C Overlap INPUT -define(, ) C Overlap STATE -define(, ) +define(`STATE', `r0') +define(`INPUT', `r1') +define(`K', `r2') +define(`SA', `r3') +define(`SB', `r4') +define(`SC', `r5') +define(`SD', `r6') +define(`SE', `r7') +define(`SF', `r8') +define(`SG', `r10') +define(`SH', `r11') +define(`T0', `r12') +define(`T1', `r1') C Overlap INPUT +define(`COUNT', `r0') C Overlap STATE +define(`W', `r14') C Used for data load -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) +define(`I0', `r3') +define(`I1', `r4') +define(`I2', `r5') +define(`I3', `r6') +define(`I4', `r7') +define(`DST', `r8') +define(`SHIFT', `r10') +define(`ILEFT', `r11') -define(, < +define(`EXPN', ` ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 14) % 16))] ror T1, T0, #17 @@ -74,7 +74,7 @@ eor T1, T1, T0, lsr #3 add W, W, T1 str W, [sp, #+eval(4*$1)] ->) +') C ROUND(A,B,C,D,E,F,G,H) C @@ -89,7 +89,7 @@ C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) -define(, < +define(`ROUND', ` ror T0, $5, #6 eor T0, T0, $5, ror #11 eor T0, T0, $5, ror #25 @@ -111,12 +111,12 @@ eor T0, $1, $2 and T0, T0, $3 add $8, $8, T0 ->) +') -define(, < +define(`NOEXPN', ` ldr W, [sp, + $1] add $1, $1, #4 ->) +') C void C _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) 
@@ -137,8 +137,12 @@ lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 - lsl I1, T0, SHIFT +IF_LE(` lsl I1, T0, SHIFT') +IF_BE(` lsr I1, T0, SHIFT') uadd8 T0, T0, I1 C Sets APSR.GE bits + C on BE rotate right by 32-SHIFT bits + C because there is no rotate left +IF_BE(` rsb SHIFT, SHIFT, #32') mov DST, sp mov ILEFT, #4 @@ -146,16 +150,16 @@ ldm INPUT!, {I1,I2,I3,I4} sel I0, I0, I1 ror I0, I0, SHIFT - rev I0, I0 +IF_LE(` rev I0, I0') sel I1, I1, I2 ror I1, I1, SHIFT - rev I1, I1 +IF_LE(` rev I1, I1') sel I2, I2, I3 ror I2, I2, SHIFT - rev I2, I2 +IF_LE(` rev I2, I2') sel I3, I3, I4 ror I3, I3, SHIFT - rev I3, I3 +IF_LE(` rev I3, I3') subs ILEFT, ILEFT, #1 stm DST!, {I0,I1,I2,I3} mov I0, I4 diff -Nru nettle-3.4.1/asm.m4 nettle-3.7.3/asm.m4 --- nettle-3.4.1/asm.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/asm.m4 2021-06-06 20:06:29.000000000 +0000 
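Review bot: Same aligned-input subtlety as in sha1-compress.asm: after `rsb SHIFT, SHIFT, #32` a word-aligned INPUT leaves SHIFT at 32 on big-endian, and the `ror I0, I0, SHIFT` … `ror I3, I3, SHIFT` sequence in the second hunk yields the unrotated words only because ARM's register-form ROR reduces the amount modulo 32. Worth recording in the comment, e.g. `C on BE rotate right by 32-SHIFT bits (32, i.e. no rotation, for aligned input) because there is no rotate left`. The prologue being patched starts before the first hunk, and the load loop in the second hunk continues past its last line.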
@@ -1,71 +1,77 @@ divert(-1) -changequote(<,>)dnl -dnl (progn (modify-syntax-entry ?< "(>") (modify-syntax-entry ?> ")<") ) dnl FORTRAN style comment character -define(, < -dnl>)dnl +define(`C', ` +dnl')dnl dnl Disable m4 comment processing, since the default, #, is used for dnl constants on some architectures, in particular ARM. changecom()dnl dnl Including files from the srcdir -define(, )dnl +define(`include_src', `include(srcdir/$1)')dnl dnl default definition, changed in fat builds -define(, <$1>) -define(, fat_transform($1)>) +define(`fat_transform', `$1') +define(`C_NAME', `SYMBOL_PREFIX`'fat_transform($1)') dnl Pseudo ops -define(, -, +define(`DECLARE_FUNC', +`ifelse(ELF_STYLE,yes, +`.type $1,TYPE_FUNCTION', COFF_STYLE, yes, -<.def $1 +`.def $1 .scl 2 .type 32 -.endef>, -<>)>) +.endef', +`')') -define(,<>)dnl +define(`GMP_NUMB_BITS',`')dnl -define(, -<.globl C_NAME($1) +define(`PROLOGUE', +`.globl C_NAME($1) DECLARE_FUNC(C_NAME($1)) -C_NAME($1):>) +C_NAME($1): ASM_X86_ENDBR') -define(, -,<>)>) - -define(, ) -define(, -, +define(`EPILOGUE', +`ifelse(ELF_STYLE,yes, +`.size C_NAME($1), . - C_NAME($1)',`')') + +define(`m4_log2', `m4_log2_internal($1,1,0)') +define(`m4_log2_internal', +`ifelse($3, 10, `not-a-power-of-two', $1, $2, $3, -)>) +`m4_log2_internal($1, eval(2*$2), eval(1 + $3))')') dnl Argument to ALIGN is always in bytes, and converted to a dnl logarithmic .align if necessary. 
-define(, -<.align ifelse(ALIGN_LOG,yes,,$1) ->) +define(`ALIGN', +`.align ifelse(ALIGN_LOG,yes,`m4_log2($1)',$1) +') + +define(`IF_BE', `ifelse( +WORDS_BIGENDIAN,yes,`$1', +WORDS_BIGENDIAN,no,`$2', +`errprint(`Unsupported endianness value',WORDS_BIGENDIAN,` +') + m4exit(1)')') +define(`IF_LE', `IF_BE(`$2', `$1')') dnl Struct defining macros dnl STRUCTURE(prefix) -define(, , 0)define(, <$1>)>)dnl +define(`STRUCTURE', `define(`SOFFSET', 0)define(`SPREFIX', `$1')')dnl dnl STRUCT(name, size) -define(, -$1, SOFFSET)dnl - define(, eval(SOFFSET + ($2)))>)dnl +define(`STRUCT', +`define(SPREFIX`_'$1, SOFFSET)dnl + define(`SOFFSET', eval(SOFFSET + ($2)))')dnl dnl UCHAR(name) -define(, , 1)>)dnl +define(`UCHAR', `STRUCT(`$1', 1)')dnl dnl UNSIGNED(name) -define(, , 4)>)dnl +define(`UNSIGNED', `STRUCT(`$1', 4)')dnl dnl Offsets in arcfour_ctx STRUCTURE(ARCFOUR) diff -Nru nettle-3.4.1/bignum.h nettle-3.7.3/bignum.h --- nettle-3.4.1/bignum.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/bignum.h 2021-06-06 20:06:29.000000000 +0000 @@ -34,8 +34,6 @@ #ifndef NETTLE_BIGNUM_H_INCLUDED #define NETTLE_BIGNUM_H_INCLUDED -#include "nettle-meta.h" - #include "nettle-types.h" /* For NETTLE_USE_MINI_GMP */ @@ -46,8 +44,6 @@ # define GMP_NUMB_MASK (~(mp_limb_t) 0) -/* Function missing in older gmp versions, and checked for with ifdef */ -# define mpz_limbs_read mpz_limbs_read /* Side-channel silent powm not available in mini-gmp. */ # define mpz_powm_sec mpz_powm #else 
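Review bot: The new IF_BE deliberately hits `errprint` and `m4exit(1)` when WORDS_BIGENDIAN is anything other than yes or no, so a build that fails to pass the configure result into m4 aborts instead of silently assembling the little-endian branch — the right failure mode for endian-sensitive routines, but undocumented. Suggest a `dnl` line above the definition: `dnl IF_BE(be-code, le-code): WORDS_BIGENDIAN must be set to yes or no by the build; any other value aborts m4 rather than defaulting to little-endian`. The PROLOGUE change also appends ASM_X86_ENDBR on the label line, presumably expanding to nothing on non-x86 targets; a one-line note next to PROLOGUE saying where that macro is expected to be defined would save the next reader a grep.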
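Review bot: Removing `#include "nettle-meta.h"` from bignum.h changes what an installed public header exposes: any consumer that reached nettle-meta.h declarations only transitively through bignum.h stops compiling, and nothing in the hunk says the removal is intentional. If bignum.h itself no longer needs the header, the change should be called out in NEWS/ChangeLog as an API-visible cleanup; the `mpz_limbs_read` compatibility define dropped in the second hunk presumably goes with a raised minimum GMP requirement that belongs in the same note.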
@@ -109,13 +105,6 @@ void *ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress); -void -_nettle_generate_pocklington_prime (mpz_t p, mpz_t r, - unsigned bits, int top_bits_set, - void *ctx, nettle_random_func *random, - const mpz_t p0, - const mpz_t q, - const mpz_t p0q); /* sexp parsing */ struct sexp_iterator; diff -Nru nettle-3.4.1/bignum-random-prime.c nettle-3.7.3/bignum-random-prime.c --- nettle-3.4.1/bignum-random-prime.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/bignum-random-prime.c 2021-06-06 20:06:29.000000000 +0000 @@ -50,7 +50,7 @@ #endif #include "bignum.h" - +#include "hogweed-internal.h" #include "macros.h" /* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers diff -Nru nettle-3.4.1/block-internal.h nettle-3.7.3/block-internal.h --- nettle-3.4.1/block-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/block-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,193 @@
+/* block-internal.h
+
+ Internal implementations of nettle_blockZ-related functions.
+
+ Copyright (C) 2011 Katholieke Universiteit Leuven
+ Copyright (C) 2011, 2013, 2018 Niels Möller
+ Copyright (C) 2018 Red Hat, Inc.
+ Copyright (C) 2019 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED
+#define NETTLE_BLOCK_INTERNAL_H_INCLUDED
+
+#include
+
+#include "nettle-types.h"
+#include "memxor.h"
+
+static inline void
+block16_xor (union nettle_block16 *r,
+ const union nettle_block16 *x)
+{
+ r->u64[0] ^= x->u64[0];
+ r->u64[1] ^= x->u64[1];
+}
+
+static inline void
+block16_xor3 (union nettle_block16 *r,
+ const union nettle_block16 *x,
+ const union nettle_block16 *y)
+{
+ r->u64[0] = x->u64[0] ^ y->u64[0];
+ r->u64[1] = x->u64[1] ^ y->u64[1];
+}
+
+static inline void
+block16_xor_bytes (union nettle_block16 *r,
+ const union nettle_block16 *x,
+ const uint8_t *bytes)
+{
+ memxor3 (r->b, x->b, bytes, 16);
+}
+
+static inline void
+block8_xor (union nettle_block8 *r,
+ const union nettle_block8 *x)
+{
+ r->u64 ^= x->u64;
+}
+
+static inline void
+block8_xor3 (union nettle_block8 *r,
+ const union nettle_block8 *x,
+ const union nettle_block8 *y)
+{
+ r->u64 = x->u64 ^ y->u64;
+}
+
+static inline void
+block8_xor_bytes (union nettle_block8 *r,
+ const union nettle_block8 *x,
+ const uint8_t *bytes)
+{
+ memxor3 (r->b, x->b, bytes, 8);
+}
+
+/* Do a foreign-endianness shift of data */
+
+#define LSHIFT_ALIEN_UINT64(x) \
+ ((((x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \
+ (((x) & UINT64_C(0x8080808080808080)) >> 15))
+#define RSHIFT_ALIEN_UINT64(x) \
+ ((((x) & UINT64_C(0xfefefefefefefefe)) >> 1) | \
+ (((x) & UINT64_C(0x0001010101010101)) << 15))
+
+/* Two typical defining polynoms */
+
+#define BLOCK16_POLY (UINT64_C(0x87))
+#define BLOCK8_POLY (UINT64_C(0x1b))
+#define GHASH_POLY (UINT64_C(0xE1))
+
+/* Galois multiplications by 2:
+ * functions differ in shifting right or left, big- or little- endianness
+ * and by defining polynom.
+ * r == x is allowed.
 */
+
+#if WORDS_BIGENDIAN
+static inline void
+block16_mulx_be (union nettle_block16 *dst,
+ const union nettle_block16 *src)
+{
+ uint64_t carry = src->u64[0] >> 63;
+ dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63);
+ dst->u64[1] = (src->u64[1] << 1) ^ (BLOCK16_POLY & -carry);
+}
+
+static inline void
+block16_mulx_le (union nettle_block16 *dst,
+ const union nettle_block16 *src)
+{
+ uint64_t carry = (src->u64[1] & 0x80) >> 7;
+ dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) | ((src->u64[0] & 0x80) << 49);
+ dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) ^ ((BLOCK16_POLY << 56) & -carry);
+}
+
+static inline void
+block8_mulx_be (union nettle_block8 *dst,
+ const union nettle_block8 *src)
+{
+ uint64_t carry = src->u64 >> 63;
+
+ dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry);
+}
+
+static inline void
+block16_mulx_ghash (union nettle_block16 *r,
+ const union nettle_block16 *x)
+{
+ uint64_t mask;
+
+ /* Shift uses big-endian representation. */
+ mask = - (x->u64[1] & 1);
+ r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63);
+ r->u64[0] = (x->u64[0] >> 1) ^ (mask & (GHASH_POLY << 56));
+}
+#else /* !WORDS_BIGENDIAN */
+static inline void
+block16_mulx_be (union nettle_block16 *dst,
+ const union nettle_block16 *src)
+{
+ uint64_t carry = (src->u64[0] & 0x80) >> 7;
+ dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) | ((src->u64[1] & 0x80) << 49);
+ dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) ^ ((BLOCK16_POLY << 56) & -carry);
+}
+
+static inline void
+block16_mulx_le (union nettle_block16 *dst,
+ const union nettle_block16 *src)
+{
+ uint64_t carry = src->u64[1] >> 63;
+ dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63);
+ dst->u64[0] = (src->u64[0] << 1) ^ (BLOCK16_POLY & -carry);
+}
+
+static inline void
+block8_mulx_be (union nettle_block8 *dst,
+ const union nettle_block8 *src)
+{
+ uint64_t carry = (src->u64 & 0x80) >> 7;
+
+ dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry);
+}
+
+static inline void
+block16_mulx_ghash (union nettle_block16 *r,
+ const union nettle_block16 *x)
+{
+ uint64_t mask;
+
+ /* Shift uses big-endian representation. */
+ mask = - ((x->u64[1] >> 56) & 1);
+ r->u64[1] = RSHIFT_ALIEN_UINT64(x->u64[1]) | ((x->u64[0] >> 49) & 0x80);
+ r->u64[0] = RSHIFT_ALIEN_UINT64(x->u64[0]) ^ (mask & GHASH_POLY);
+}
+#endif /* ! WORDS_BIGENDIAN */
+
+#endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */
diff -Nru nettle-3.4.1/blowfish-bcrypt.c nettle-3.7.3/blowfish-bcrypt.c
--- nettle-3.4.1/blowfish-bcrypt.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/blowfish-bcrypt.c 2021-06-06 20:06:29.000000000 +0000
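Review bot: The mulx helpers each assume a different placement of the most significant bit, but the only comment says they "differ in shifting right or left"; from the code, block16_mulx_be takes its carry from the top bit of byte 0 and folds BLOCK16_POLY into byte 15, block16_mulx_le takes it from the top bit of byte 15 and folds the polynomial into byte 0, and block16_mulx_ghash shifts toward byte 15 with GHASH_POLY folded into byte 0. Suggest a one-line comment on each stating which byte carries the top bit and which reduction it applies, and fixing "polynoms"/"polynom" to "polynomials"/"polynomial". It is also worth stating that the `& -carry` and `mask &` reductions are intentionally branch-free, so a later cleanup does not rewrite them as `if (carry) ... ^= POLY`, which would make the timing depend on one bit of a possibly key-derived operand.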
@@ -0,0 +1,527 @@ +/* blowfish-bcrypt.c + + The blowfish bcrypt implementation. + + Copyright (c) 2020 Stephen R. van den Berg + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include +#include + +#include "blowfish.h" +#include "blowfish-internal.h" +#include "base64.h" + +#include "macros.h" + +#define CRYPTPLEN 7 +#define SALTLEN ((BLOWFISH_BCRYPT_BINSALT_SIZE*8+5) / 6) + +#define HASHOFFSET (CRYPTPLEN + SALTLEN) + +static const signed char radix64_decode_table[0x100] = { + /* White space is HT, VT, FF, CR, LF and SPC */ + -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, + 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, -1, -1, -1, -3, -1, -1, + -1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, + 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, -1, -1, -1, -1, -1, + -1, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, + 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, +}; + +static const char radix64_encode_table[64] = + "./ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "0123456789"; + +int +blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key, + size_t lenhashed, const uint8_t *hashed) +{ + uint8_t newhash[BLOWFISH_BCRYPT_HASH_SIZE]; + + return blowfish_bcrypt_hash(newhash, + lenkey, key, lenhashed, hashed, + -1, (void*)0) + && !strcmp((const char*)newhash, (const char*)hashed); +} + +static char *encode_radix64(char *dst, size_t len, const uint8_t *src) +{ + struct 
base64_encode_ctx ctx; + base64_encode_init(&ctx); + ctx.alphabet = radix64_encode_table; + dst += base64_encode_update(&ctx, dst, len, src); + dst += base64_encode_final(&ctx, dst); + *--dst = '\0'; /* Strip the trailing = */ + return dst; +} + +/* + * Large parts of the code below are based on public domain sources. + * The comments and copyright notices have been preserved. + * Any code added or modified by me is licensed under the + * licenses listed above. -- Stephen R. van den Berg + */ + +/* + * This code comes from John the Ripper password cracker, with reentrant + * and crypt(3) interfaces added, but optimizations specific to password + * cracking removed. + * + * Written by Solar Designer in 1998-2015. + * No copyright is claimed, and the software is hereby placed in the public + * domain. In case this attempt to disclaim copyright and place the software + * in the public domain is deemed null and void, then the software is + * Copyright (c) 1998-2015 Solar Designer and it is hereby released to the + * general public under the following terms: + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted. + * + * There's ABSOLUTELY NO WARRANTY, express or implied. + * + * It is my intent that you should be able to use this on your system, + * as part of a software package, or anywhere else to improve security, + * ensure compatibility, or for any other purpose. I would appreciate + * it if you give credit where it is due and keep your modifications in + * the public domain as well, but I don't require that in order to let + * you place this code and any modifications you make under a license + * of your choice. + * + * This implementation is fully compatible with OpenBSD's bcrypt.c for prefix + * "$2b$", originally by Niels Provos , and it uses + * some of his ideas. The password hashing algorithm was designed by David + * Mazieres . 
For information on the level of + * compatibility for bcrypt hash prefixes other than "$2b$", please refer to + * the comments in set_key() below and to the included crypt(3) man page. + */ + +typedef uint32_t bf_key[_BLOWFISH_ROUNDS + 2]; + +/* + * Magic IV for 64 Blowfish encryptions that we do at the end. + * The string is "OrpheanBeholderScryDoubt" on big-endian. + */ +static uint32_t magic_w[6] = { + 0x4F727068, 0x65616E42, 0x65686F6C, + 0x64657253, 0x63727944, 0x6F756274 +}; + +static void swap32(uint32_t *x, int count) +{ +#if !WORDS_BIGENDIAN + do { + uint32_t tmp = *x; + tmp = (tmp << 16) | (tmp >> 16); + *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF); + } while (--count); +#endif +} + +static void set_xkey(size_t lenkey, const uint8_t *key, + bf_key expanded, bf_key initial, + unsigned bug, uint32_t safety) +{ + const uint8_t *ptr = key; + size_t n = lenkey; + unsigned i, j; + uint32_t sign, diff, tmp[2]; + +/* + * There was a sign extension bug in older revisions of this function. While + * we would have liked to simply fix the bug and move on, we have to provide + * a backwards compatibility feature (essentially the bug) for some systems and + * a safety measure for some others. The latter is needed because for certain + * multiple inputs to the buggy algorithm there exist easily found inputs to + * the correct algorithm that produce the same hash. Thus, we optionally + * deviate from the correct algorithm just enough to avoid such collisions. + * While the bug itself affected the majority of passwords containing + * characters with the 8th bit set (although only a percentage of those in a + * collision-producing way), the anti-collision safety measure affects + * only a subset of passwords containing the '\xff' character (not even all of + * those passwords, just some of them). This character is not found in valid + * UTF-8 sequences and is rarely used in popular 8-bit character encodings. 
+ * Thus, the safety measure is unlikely to cause much annoyance, and is a + * reasonable tradeoff to use when authenticating against existing hashes that + * are not reliably known to have been computed with the correct algorithm. + * + * We use an approach that tries to minimize side-channel leaks of password + * information - that is, we mostly use fixed-cost bitwise operations instead + * of branches or table lookups. (One conditional branch based on password + * length remains. It is not part of the bug aftermath, though, and is + * difficult and possibly unreasonable to avoid given the use of C strings by + * the caller, which results in similar timing leaks anyway.) + * + * For actual implementation, we set an array index in the variable "bug" + * (0 means no bug, 1 means sign extension bug emulation) and a flag in the + * variable "safety" (bit 16 is set when the safety measure is requested). + * Valid combinations of settings are: + * + * Prefix "$2a$": bug = 0, safety = 0x10000 + * Prefix "$2b$": bug = 0, safety = 0 + * Prefix "$2x$": bug = 1, safety = 0 + * Prefix "$2y$": bug = 0, safety = 0 + */ + + sign = diff = 0; + + for (i = 0; i < _BLOWFISH_ROUNDS + 2; i++) { + tmp[0] = tmp[1] = 0; + for (j = 0; j < 4; j++) { + tmp[0] <<= 8; + tmp[0] |= (unsigned char)*ptr; /* correct */ + tmp[1] <<= 8; + tmp[1] |= (signed char)*ptr; /* bug */ +/* + * Sign extension in the first char has no effect - nothing to overwrite yet, + * and those extra 24 bits will be fully shifted out of the 32-bit word. For + * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign + * extension in tmp[1] occurs. Once this flag is set, it remains set. 
+ */ + if (j) + sign |= tmp[1] & 0x80; + if (n--) + ptr++; + else + ptr = key, n = lenkey; + } + diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */ + + expanded[i] = tmp[bug]; + initial[i] = _nettle_blowfish_initial_ctx.p[i] ^ tmp[bug]; + } + +/* + * At this point, "diff" is zero if the correct and buggy algorithms produced + * exactly the same result. If so and if "sign" is non-zero, which indicates + * that there was a non-benign sign extension, this means that we have a + * collision between the correctly computed hash for this password and a set of + * passwords that could be supplied to the buggy algorithm. Our safety measure + * is meant to protect from such many-buggy to one-correct collisions, by + * deviating from the correct algorithm in such cases. Let's check for this. + */ + diff |= diff >> 16; /* still zero if exact match */ + diff &= 0xffff; /* ditto */ + diff += 0xffff; /* bit 16 set if "diff" was non-zero (on non-match) */ + sign <<= 9; /* move the non-benign sign extension flag to bit 16 */ + sign &= ~diff & safety; /* action needed? */ + +/* + * If we have determined that we need to deviate from the correct algorithm, + * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but + * let's stick to it now. It came out of the approach we used above, and it's + * not any worse than any other choice we could make.) + * + * It is crucial that we don't do the same to the expanded key used in the main + * Eksblowfish loop. By doing it to only one of these two, we deviate from a + * state that could be directly specified by a password to the buggy algorithm + * (and to the fully correct one as well, but that's a side-effect). 
+ */ + initial[0] ^= sign; +} + +static int ibcrypt(uint8_t *dst, + size_t lenkey, const uint8_t *key, + size_t lenscheme, const uint8_t *scheme, + int minlog2rounds, + int log2rounds, const uint8_t *salt) +{ + struct { + struct blowfish_ctx ctx; + bf_key expanded_key; + union { + uint32_t salt[4]; + uint32_t output[6]; + } binary; + } data; + uint8_t psalt[BLOWFISH_BCRYPT_BINSALT_SIZE]; + uint32_t L, R; + uint32_t *ptr; + uint32_t count; + int i; + unsigned cscheme; + unsigned bug = 0; + uint32_t safety = 0; + if (lenscheme < 2) + return 0; + + if (lenscheme >= 3 && *scheme++ != '$') + return 0; + if (*scheme++ != '2') + return 0; + + switch (cscheme = *scheme++) { + default: + return 0; + case 'a': safety = 0x10000; + break; + case 'x': bug = 1; + break; + case 'b': case 'y': + break; + } + + if (lenscheme >= 4) { + if (*scheme++ != '$') + return 0; + if (lenscheme >= 6) { + if (log2rounds < 0) { + unsigned c = *scheme++ - '0'; + if (c > 9) + return 0; + log2rounds = c * 10; + c = *scheme++ - '0'; + if (c > 9) + return 0; + log2rounds += c; + } else + scheme += 2; + if (lenscheme >= CRYPTPLEN && *scheme++ != '$') + return 0; + if (lenscheme >= HASHOFFSET && !salt) { + struct base64_decode_ctx ctx; + size_t saltlen = BLOWFISH_BCRYPT_BINSALT_SIZE; + + base64_decode_init(&ctx); + ctx.table = radix64_decode_table; + + if (!base64_decode_update(&ctx, &saltlen, (uint8_t *) data.binary.salt, + SALTLEN, (const char*) scheme) + || saltlen != BLOWFISH_BCRYPT_BINSALT_SIZE) + return 0; + } + } + } + + if (salt) + memcpy(data.binary.salt, salt, BLOWFISH_BCRYPT_BINSALT_SIZE); + else if (lenscheme < HASHOFFSET) + return 0; + memcpy(psalt, data.binary.salt, BLOWFISH_BCRYPT_BINSALT_SIZE); + swap32(data.binary.salt, 4); + + if (log2rounds < minlog2rounds || log2rounds > 31) + return 0; + count = (uint32_t)1 << log2rounds; + + set_xkey(lenkey, key, data.expanded_key, data.ctx.p, bug, safety); + memcpy(data.ctx.s, _nettle_blowfish_initial_ctx.s, sizeof(data.ctx.s)); + + L = R = 0; + 
for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { + L ^= data.binary.salt[i & 2]; + R ^= data.binary.salt[(i & 2) + 1]; + _nettle_blowfish_encround(&data.ctx, &L, &R); + data.ctx.p[i] = L; + data.ctx.p[i + 1] = R; + } + + ptr = data.ctx.s[0]; + do { + ptr += 4; + L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 2) & 3]; + R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 3) & 3]; + _nettle_blowfish_encround(&data.ctx, &L, &R); + *(ptr - 4) = L; + *(ptr - 3) = R; + + L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 4) & 3]; + R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 5) & 3]; + _nettle_blowfish_encround(&data.ctx, &L, &R); + *(ptr - 2) = L; + *(ptr - 1) = R; + } while (ptr < &data.ctx.s[3][0xFF]); + + do { + int done; + + for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { + data.ctx.p[i] ^= data.expanded_key[i]; + data.ctx.p[i + 1] ^= data.expanded_key[i + 1]; + } + + done = 0; + do { + uint32_t tmp1, tmp2, tmp3, tmp4; + + L = R = 0; + ptr = data.ctx.p; + do { + ptr += 2; + _nettle_blowfish_encround(&data.ctx, &L, &R); + *(ptr - 2) = L; + *(ptr - 1) = R; + } while (ptr < &data.ctx.p[_BLOWFISH_ROUNDS + 2]); + + ptr = data.ctx.s[0]; + do { + ptr += 2; + _nettle_blowfish_encround(&data.ctx, &L, &R); + *(ptr - 2) = L; + *(ptr - 1) = R; + } while (ptr < &data.ctx.s[3][0xFF]); + + if (done) + break; + done = 1; + + tmp1 = data.binary.salt[0]; + tmp2 = data.binary.salt[1]; + tmp3 = data.binary.salt[2]; + tmp4 = data.binary.salt[3]; + for (i = 0; i < _BLOWFISH_ROUNDS; i += 4) { + data.ctx.p[i] ^= tmp1; + data.ctx.p[i + 1] ^= tmp2; + data.ctx.p[i + 2] ^= tmp3; + data.ctx.p[i + 3] ^= tmp4; + } + data.ctx.p[16] ^= tmp1; + data.ctx.p[17] ^= tmp2; + } while (1); + } while (--count); + + for (i = 0; i < 6; i += 2) { + L = magic_w[i]; + R = magic_w[i + 1]; + + count = 64; + do + _nettle_blowfish_encround(&data.ctx, &L, &R); + while (--count); + + data.binary.output[i] = L; + data.binary.output[i + 1] = R; + } + + *dst++ = '$'; + *dst++ = '2'; + *dst++ = cscheme; + *dst++ = '$'; + *dst++ = '0' + log2rounds / 
10; + *dst++ = '0' + log2rounds % 10; + *dst++ = '$'; + dst = (uint8_t*) + encode_radix64((char*) dst, BLOWFISH_BCRYPT_BINSALT_SIZE, psalt) - 1; + + swap32(data.binary.output, 6); +/* This has to be bug-compatible with the original implementation, so + only encode 23 of the 24 bytes. */ + encode_radix64((char*) dst, 23, (uint8_t *) data.binary.output); + return cscheme; +} + +/* + * Please preserve the runtime self-test. It serves two purposes at once: + * + * 1. We really can't afford the risk of producing incompatible hashes e.g. + * when there's something like gcc bug 26587 again, whereas an application or + * library integrating this code might not also integrate our external tests or + * it might not run them after every build. Even if it does, the miscompile + * might only occur on the production build, but not on a testing build (such + * as because of different optimization settings). It is painful to recover + * from incorrectly-computed hashes - merely fixing whatever broke is not + * enough. Thus, a proactive measure like this self-test is needed. + * + * 2. We don't want to leave sensitive data from our actual password hash + * computation on the stack or in registers. Previous revisions of the code + * would do explicit cleanups, but simply running the self-test after hash + * computation is more reliable. + * + * The performance cost of this quick self-test is around 0.6% at the "$2a$08" + * setting. 
+ */ +int blowfish_bcrypt_hash(uint8_t *dst, + size_t lenkey, const uint8_t *key, + size_t lenscheme, const uint8_t *scheme, + int log2rounds, const uint8_t *salt) +{ + const uint8_t test_pw[] = "8b \xd0\xc1\xd2\xcf\xcc\xd8"; + const uint8_t test_scheme[] = "$2a$00$abcdefghijklmnopqrstuu"; + static const char * const test_hashes[2] = + {"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */ + "VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */ + const char *test_hash = test_hashes[0]; + int cscheme; + int ok; + uint8_t bufs[sizeof(test_scheme) - 1]; + uint8_t bufo[BLOWFISH_BCRYPT_HASH_SIZE]; + + *dst = '\0'; +/* Hash the supplied password */ + cscheme = ibcrypt(dst, lenkey, key, lenscheme, scheme, 4, log2rounds, salt); + +/* + * Do a quick self-test. It is important that we make both calls to ibcrypt() + * from the same scope such that they likely use the same stack locations, + * which makes the second call overwrite the first call's sensitive data on the + * stack and makes it more likely that any alignment related issues would be + * detected by the self-test. 
+ */ + memcpy(bufs, test_scheme, sizeof(test_scheme) - 1); + + if (cscheme) + test_hash = test_hashes[(bufs[2] = cscheme) == 'x']; + + *bufo = 0; + ok = ibcrypt(bufo, sizeof(test_pw) - 1, test_pw, + sizeof(bufs), bufs, 0, -1, (void*)0); + + ok = (ok && + !memcmp(bufo, bufs, sizeof(bufs)) && + !memcmp(bufo + HASHOFFSET, test_hash, sizeof(test_hash) - 1)); + + { + const uint8_t k[] = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"; + bf_key ae, ai, ye, yi; + set_xkey(sizeof(k) - 1, k, ae, ai, 0, 0x10000); /* $2a$ */ + set_xkey(sizeof(k) - 1, k, ye, yi, 0, 0); /* $2y$ */ + ai[0] ^= 0x10000; /* undo the safety (for comparison) */ + ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 && + !memcmp(ae, ye, sizeof(ae)) && + !memcmp(ai, yi, sizeof(ai)); + } + + return ok && !!cscheme; +} diff -Nru nettle-3.4.1/blowfish.c nettle-3.7.3/blowfish.c --- nettle-3.4.1/blowfish.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/blowfish.c 2021-06-06 20:06:29.000000000 +0000 @@ -54,12 +54,13 @@ #include #include "blowfish.h" +#include "blowfish-internal.h" #include "macros.h" /* precomputed S boxes */ -static const struct blowfish_ctx -initial_ctx = { +const struct blowfish_ctx +_nettle_blowfish_initial_ctx = { { { /* ks0 */ 0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7, 0xB8E1AFED, 0x6A267E96, @@ -261,8 +262,8 @@ #define R(c, l,r,i) do { l ^= c->p[i]; r ^= F(c,l); } while(0) -static void -encrypt (const struct blowfish_ctx *ctx, uint32_t * ret_xl, +void +_nettle_blowfish_encround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; @@ -295,7 +296,7 @@ } static void -decrypt (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) +decround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; 
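Review bot: The runtime self-test in blowfish_bcrypt_hash verifies far less of the reference hash than it appears to: `test_hash` is a `const char *`, so `sizeof(test_hash) - 1` in `!memcmp(bufo + HASHOFFSET, test_hash, sizeof(test_hash) - 1)` is the size of a pointer minus one (7 bytes on LP64, 3 bytes on 32-bit targets), not the 31 characters of the reference string, and the check therefore also varies by target. Since this self-test is the guard against miscompiled hashes that the comment above it argues for, it should cover the whole encoded hash plus its terminator, which with the 61-byte `bufo` is `!memcmp(bufo + HASHOFFSET, test_hash, BLOWFISH_BCRYPT_HASH_SIZE - HASHOFFSET)` (32 bytes, ending exactly at `bufo[60]`, where encode_radix64 wrote the `'\0'`; byte 31 of both reference strings is the matching `\0`). Separately, blowfish_bcrypt_verify takes `lenhashed` but finishes with `strcmp(newhash, hashed)`, so `hashed` must be NUL-terminated whatever length is passed and `lenhashed` only bounds the prefix/salt parsing; either document that on the prototype or, if the length is meant to bound the string, check `lenhashed == BLOWFISH_BCRYPT_HASH_SIZE - 1` and compare with `memcmp` over `lenhashed`.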
@@ -339,7 +340,7 @@ d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); - encrypt (ctx, &d1, &d2); + _nettle_blowfish_encround (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; @@ -361,7 +362,7 @@ d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); - decrypt (ctx, &d1, &d2); + decround (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; @@ -380,12 +381,14 @@ int i, j; uint32_t data, datal, datar; - *ctx = initial_ctx; + *ctx = _nettle_blowfish_initial_ctx; for (i = j = 0; i < _BLOWFISH_ROUNDS + 2; i++) { - data = (key[j] << 24) | (key[(j+1) % length] << 16) - | (key[(j+2) % length] << 8) | key[(j+3) % length]; + data = ((uint32_t) key[j] << 24) + | ((uint32_t) key[(j+1) % length] << 16) + | ((uint32_t) key[(j+2) % length] << 8) + | (uint32_t) key[(j+3) % length]; ctx->p[i] ^= data; j = (j + 4) % length; } @@ -393,15 +396,15 @@ datal = datar = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { - encrypt (ctx, &datal, &datar); + _nettle_blowfish_encround (ctx, &datal, &datar); ctx->p[i] = datal; ctx->p[i + 1] = datar; } - + for (j = 0; j < 4; j++) for (i = 0; i < 256; i += 2) { - encrypt (ctx, &datal, &datar); + _nettle_blowfish_encround (ctx, &datal, &datar); ctx->s[j][i] = datal; ctx->s[j][i + 1] = datar; } diff -Nru nettle-3.4.1/blowfish.h nettle-3.7.3/blowfish.h --- nettle-3.4.1/blowfish.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/blowfish.h 2021-06-06 20:06:29.000000000 +0000 @@ -46,6 +46,8 @@ #define blowfish128_set_key nettle_blowfish128_set_key #define blowfish_encrypt nettle_blowfish_encrypt #define blowfish_decrypt nettle_blowfish_decrypt +#define blowfish_bcrypt_hash nettle_blowfish_bcrypt_hash +#define blowfish_bcrypt_verify nettle_blowfish_bcrypt_verify #define BLOWFISH_BLOCK_SIZE 8 
@@ -60,6 +62,9 @@ #define _BLOWFISH_ROUNDS 16 +#define BLOWFISH_BCRYPT_HASH_SIZE (60 + 1) /* Including null-terminator */ +#define BLOWFISH_BCRYPT_BINSALT_SIZE 16 /* Binary string size */ + struct blowfish_ctx { uint32_t s[4][256]; @@ -82,6 +87,18 @@ size_t length, uint8_t *dst, const uint8_t *src); +/* dst parameter must point to a buffer of minimally + * BLOWFISH_BCRYPT_HASH_SIZE bytes */ +int +blowfish_bcrypt_hash(uint8_t *dst, + size_t lenkey, const uint8_t *key, + size_t lenscheme, const uint8_t *scheme, + int log2rounds, + const uint8_t *salt); +int +blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key, + size_t lenhashed, const uint8_t *hashed); + #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/blowfish-internal.h nettle-3.7.3/blowfish-internal.h --- nettle-3.4.1/blowfish-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/blowfish-internal.h 2021-06-06 20:06:29.000000000 +0000 
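Review bot: The new prototypes in the `@@ -82,6 +87,18 @@` hunk document only the size of `dst`; callers also need the contract that blowfish-bcrypt.c in this same release implements: a negative `log2rounds` means "take the cost from `scheme`", a NULL `salt` means "decode the 16-byte salt from `scheme`" (which must then be at least `$2?$NN$` plus 22 salt characters long), the return value is 1 on success and 0 when the scheme is malformed, the cost is below 4 or above 31, or the built-in self-test fails, and on success `dst` holds the 60-character hash followed by a terminator. For blowfish_bcrypt_verify the comparison is done with `strcmp`, so `hashed` has to be NUL-terminated even though `lenhashed` is passed, and `lenhashed` bounds only the parsing of the prefix and salt. I would state both contracts as block comments above the prototypes, in the style of the existing `/* dst parameter must point to ... */` comment.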
@@ -0,0 +1,52 @@ +/* blowfish-internal.h + + Blowfish block cipher. + + Copyright (C) 2014 Niels Möller + Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_BLOWFISH_INTERNAL_H_INCLUDED +#define NETTLE_BLOWFISH_INTERNAL_H_INCLUDED + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +extern const struct blowfish_ctx _nettle_blowfish_initial_ctx; +extern void _nettle_blowfish_encround (const struct blowfish_ctx *ctx, + uint32_t * ret_xl, uint32_t * ret_xr); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_BLOWFISH_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/camellia128-crypt.c nettle-3.7.3/camellia128-crypt.c --- nettle-3.4.1/camellia128-crypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia128-crypt.c 2021-06-06 20:06:29.000000000 +0000 
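Review bot: blowfish-internal.h declares `extern const struct blowfish_ctx _nettle_blowfish_initial_ctx` and a function taking `const struct blowfish_ctx *`, yet includes only nettle-types.h; it compiles only because C tolerates an incomplete struct tag in these declarations and because blowfish.c and blowfish-bcrypt.c both include blowfish.h first. camellia-internal.h in this same diff includes its public header, so doing the same here, `#include "blowfish.h"` next to the existing include, makes the real dependency explicit and keeps the two internal headers consistent. Also, `_nettle_blowfish_encround` is the former static `encrypt`, i.e. the full 16-round encryption of one 64-bit block passed as two 32-bit halves (blowfish_encrypt calls it once per block after READ_UINT32), not a single round as the name suggests; a one-line comment on the prototype such as `/* Full Blowfish encryption of one block, given as two 32-bit halves, in place. */` would prevent misreading.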
@@ -48,7 +48,7 @@ const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); - _camellia_crypt(_CAMELLIA128_NKEYS, ctx->keys, - &_camellia_table, - length, dst, src); + _nettle_camellia_crypt(_CAMELLIA128_NKEYS, ctx->keys, + &_nettle_camellia_table, + length, dst, src); } diff -Nru nettle-3.4.1/camellia128-set-decrypt-key.c nettle-3.7.3/camellia128-set-decrypt-key.c --- nettle-3.4.1/camellia128-set-decrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia128-set-decrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -41,7 +41,7 @@ camellia128_invert_key(struct camellia128_ctx *dst, const struct camellia128_ctx *src) { - _camellia_invert_key (_CAMELLIA128_NKEYS, dst->keys, src->keys); + _nettle_camellia_invert_key (_CAMELLIA128_NKEYS, dst->keys, src->keys); } void diff -Nru nettle-3.4.1/camellia128-set-encrypt-key.c nettle-3.7.3/camellia128-set-encrypt-key.c --- nettle-3.4.1/camellia128-set-encrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia128-set-encrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -120,5 +120,5 @@ subkey[24] = k0; subkey[25] = k1; /* Common final processing */ - _camellia_absorb (_CAMELLIA128_NKEYS, ctx->keys, subkey); + _nettle_camellia_absorb (_CAMELLIA128_NKEYS, ctx->keys, subkey); } diff -Nru nettle-3.4.1/camellia256-crypt.c nettle-3.7.3/camellia256-crypt.c --- nettle-3.4.1/camellia256-crypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia256-crypt.c 2021-06-06 20:06:29.000000000 +0000 
@@ -48,7 +48,7 @@ const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); - _camellia_crypt(_CAMELLIA256_NKEYS, ctx->keys, - &_camellia_table, - length, dst, src); + _nettle_camellia_crypt(_CAMELLIA256_NKEYS, ctx->keys, + &_nettle_camellia_table, + length, dst, src); } diff -Nru nettle-3.4.1/camellia256-set-decrypt-key.c nettle-3.7.3/camellia256-set-decrypt-key.c --- nettle-3.4.1/camellia256-set-decrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia256-set-decrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -41,7 +41,7 @@ camellia256_invert_key(struct camellia256_ctx *dst, const struct camellia256_ctx *src) { - _camellia_invert_key (_CAMELLIA256_NKEYS, dst->keys, src->keys); + _nettle_camellia_invert_key (_CAMELLIA256_NKEYS, dst->keys, src->keys); } void diff -Nru nettle-3.4.1/camellia256-set-encrypt-key.c nettle-3.7.3/camellia256-set-encrypt-key.c --- nettle-3.4.1/camellia256-set-encrypt-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia256-set-encrypt-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -139,7 +139,7 @@ subkey[32] = k2; subkey[33] = k3; /* Common final processing */ - _camellia_absorb (_CAMELLIA256_NKEYS, ctx->keys, subkey); + _nettle_camellia_absorb (_CAMELLIA256_NKEYS, ctx->keys, subkey); } void diff -Nru nettle-3.4.1/camellia-absorb.c nettle-3.7.3/camellia-absorb.c --- nettle-3.4.1/camellia-absorb.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia-absorb.c 2021-06-06 20:06:29.000000000 +0000 @@ -55,7 +55,7 @@ #include "macros.h" void -_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey) +_nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey) { uint64_t kw2, kw4; uint32_t dw, tl, tr; diff -Nru nettle-3.4.1/camellia-crypt-internal.c nettle-3.7.3/camellia-crypt-internal.c --- nettle-3.4.1/camellia-crypt-internal.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia-crypt-internal.c 2021-06-06 20:06:29.000000000 +0000 
@@ -135,11 +135,11 @@ #endif void -_camellia_crypt(unsigned nkeys, - const uint64_t *keys, - const struct camellia_table *T, - size_t length, uint8_t *dst, - const uint8_t *src) +_nettle_camellia_crypt(unsigned nkeys, + const uint64_t *keys, + const struct camellia_table *T, + size_t length, uint8_t *dst, + const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAMELLIA_BLOCK_SIZE) { diff -Nru nettle-3.4.1/camellia-internal.h nettle-3.7.3/camellia-internal.h --- nettle-3.4.1/camellia-internal.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/camellia-internal.h 2021-06-06 20:06:29.000000000 +0000 @@ -48,12 +48,6 @@ #include "camellia.h" -/* Name mangling */ -#define _camellia_crypt _nettle_camellia_crypt -#define _camellia_absorb _nettle_camellia_absorb -#define _camellia_invert_key _nettle_camellia_invert_key -#define _camellia_table _nettle_camellia_table - /* * macros */ 
@@ -117,21 +111,21 @@ #endif void -_camellia_crypt(unsigned nkeys, const uint64_t *keys, - const struct camellia_table *T, - size_t length, uint8_t *dst, - const uint8_t *src); +_nettle_camellia_crypt(unsigned nkeys, const uint64_t *keys, + const struct camellia_table *T, + size_t length, uint8_t *dst, + const uint8_t *src); /* The initial NKEYS + 2 subkeys in SUBKEY are reduced to the final NKEYS subkeys stored in DST. SUBKEY data is modified in the process. */ void -_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey); +_nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey); void -_camellia_invert_key(unsigned nkeys, - uint64_t *dst, const uint64_t *src); +_nettle_camellia_invert_key(unsigned nkeys, + uint64_t *dst, const uint64_t *src); -extern const struct camellia_table _camellia_table; +extern const struct camellia_table _nettle_camellia_table; #endif /* NETTLE_CAMELLIA_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/camellia-invert-key.c nettle-3.7.3/camellia-invert-key.c --- nettle-3.4.1/camellia-invert-key.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia-invert-key.c 2021-06-06 20:06:29.000000000 +0000 @@ -41,8 +41,8 @@ do { uint64_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void -_camellia_invert_key(unsigned nkeys, - uint64_t *dst, const uint64_t *src) +_nettle_camellia_invert_key(unsigned nkeys, + uint64_t *dst, const uint64_t *src) { unsigned i; if (dst == src) diff -Nru nettle-3.4.1/camellia-table.c nettle-3.7.3/camellia-table.c --- nettle-3.4.1/camellia-table.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/camellia-table.c 2021-06-06 20:06:29.000000000 +0000 
@@ -49,7 +49,7 @@ #include "camellia-internal.h" -const struct camellia_table _camellia_table = { +const struct camellia_table _nettle_camellia_table = { /* sp1110 */ { 0x70707000,0x82828200,0x2c2c2c00,0xececec00, diff -Nru nettle-3.4.1/cbc.c nettle-3.7.3/cbc.c --- nettle-3.4.1/cbc.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/cbc.c 2021-06-06 20:06:29.000000000 +0000 @@ -109,23 +109,22 @@ TMP_ALLOC(buffer, buffer_size); TMP_ALLOC(initial_iv, block_size); - for ( ; length > buffer_size; - length -= buffer_size, src += buffer_size, dst += buffer_size) + for ( ; length > buffer_size; length -= buffer_size, dst += buffer_size) { - f(ctx, buffer_size, buffer, src); + f(ctx, buffer_size, buffer, dst); memcpy(initial_iv, iv, block_size); - memcpy(iv, src + buffer_size - block_size, block_size); - memxor3(dst + block_size, buffer + block_size, src, + memcpy(iv, dst + buffer_size - block_size, block_size); + memxor3(dst + block_size, buffer + block_size, dst, buffer_size - block_size); memxor3(dst, buffer, initial_iv, block_size); } - f(ctx, length, buffer, src); + f(ctx, length, buffer, dst); memcpy(initial_iv, iv, block_size); /* Copies last block */ - memcpy(iv, src + length - block_size, block_size); + memcpy(iv, dst + length - block_size, block_size); /* Writes all but first block, reads all but last block. */ - memxor3(dst + block_size, buffer + block_size, src, + memxor3(dst + block_size, buffer + block_size, dst, length - block_size); /* Writes first block. */ memxor3(dst, buffer, initial_iv, block_size); diff -Nru nettle-3.4.1/cfb.c nettle-3.7.3/cfb.c --- nettle-3.4.1/cfb.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/cfb.c 2021-06-06 20:06:29.000000000 +0000 
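Review bot: After the `@@ -109,23 +109,22 @@` hunk, cbc_decrypt's buffered loop never reads `src` again: it decrypts from `dst` and chains the IV from `dst`, so it is only correct if `dst` already holds the ciphertext when the loop starts, i.e. if this branch is the in-place `src == dst` case or a copy was made earlier. The head of the function is outside the hunk, so I cannot see which of these holds; whichever it is should be written down where it is relied upon, e.g. `/* dst already holds the ciphertext here (in-place path), so decrypt from it and chain the IV from it; src is intentionally not read. */` above the `for` loop. If neither guarantee exists at the head of the function, the rewrite silently decrypts stale data.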
@@ -147,12 +147,11 @@
  * not less than block_size. So does part */
 f(ctx, block_size, buffer, iv);
-f(ctx, part - block_size, buffer + block_size, src);
-memcpy(iv, src + part - block_size, block_size);
+f(ctx, part - block_size, buffer + block_size, dst);
+memcpy(iv, dst + part - block_size, block_size);
 memxor(dst, buffer, part);
 length -= part;
-src += part;
 dst += part;
 }
@@ -163,3 +162,77 @@ } } } + +/* CFB-8 uses slight optimization: it encrypts or decrypts up to block_size + * bytes and does memcpy/memxor afterwards */ +void +cfb8_encrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); + TMP_ALLOC(buffer, block_size * 2); + TMP_ALLOC(outbuf, block_size); + uint8_t pos; + + memcpy(buffer, iv, block_size); + pos = 0; + while (length) + { + uint8_t t; + + if (pos == block_size) + { + memcpy(buffer, buffer + block_size, block_size); + pos = 0; + } + + f(ctx, block_size, outbuf, buffer + pos); + t = *(dst++) = *(src++) ^ outbuf[0]; + buffer[pos + block_size] = t; + length--; + pos ++; + } + memcpy(iv, buffer + pos, block_size); +} + +void +cfb8_decrypt(const void *ctx, nettle_cipher_func *f, + size_t block_size, uint8_t *iv, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); + TMP_ALLOC(buffer, block_size * 2); + TMP_ALLOC(outbuf, block_size * 2); + uint8_t i = 0; + + memcpy(buffer, iv, block_size); + memcpy(buffer + block_size, src, + length < block_size ? length : block_size); + + while (length) + { + + for (i = 0; i < length && i < block_size; i++) + f(ctx, block_size, outbuf + i, buffer + i); + + memxor3(dst, src, outbuf, i); + + length -= i; + src += i; + dst += i; + + if (i == block_size) + { + memcpy(buffer, buffer + block_size, block_size); + memcpy(buffer + block_size, src, + length < block_size ? length : block_size); + } + } + + memcpy(iv, buffer + i, block_size); +} diff -Nru nettle-3.4.1/cfb.h nettle-3.7.3/cfb.h --- nettle-3.4.1/cfb.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/cfb.h 2021-06-06 20:06:29.000000000 +0000 
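Review bot: The closing `memcpy(iv, buffer + i, block_size)` in cfb8_decrypt is correct only for a non-obvious reason and deserves a comment: when the last iteration consumed a full block, `i == block_size` and the preceding `memcpy(buffer, buffer + block_size, block_size)` moved that ciphertext block down while leaving its original copy at `buffer + block_size` untouched (the subsequent copy from `src` is zero bytes long), so `buffer + i` still points at the last block_size bytes of ciphertext; when the final chunk was partial, `buffer + i` is the tail of the IV-plus-ciphertext shift register; and `length == 0` leaves `i` at 0 so `iv` is unchanged. I would add that as a three-line comment above the memcpy rather than leave the next reader to re-derive it. The `uint8_t pos` in cfb8_encrypt and `uint8_t i` in cfb8_decrypt also assume block_size fits in a byte, which presumably holds for every cipher behind NETTLE_MAX_CIPHER_BLOCK_SIZE but costs nothing to remove by declaring them `size_t`.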
@@ -45,6 +45,9 @@
 #define cfb_encrypt nettle_cfb_encrypt
 #define cfb_decrypt nettle_cfb_decrypt
+#define cfb8_encrypt nettle_cfb8_encrypt
+#define cfb8_decrypt nettle_cfb8_decrypt
+
 void
 cfb_encrypt(const void *ctx, nettle_cipher_func *f,
 size_t block_size, uint8_t *iv,
@@ -57,12 +60,28 @@
 size_t length, uint8_t *dst,
 const uint8_t *src);
+void
+cfb8_encrypt(const void *ctx, nettle_cipher_func *f,
+ size_t block_size, uint8_t *iv,
+ size_t length, uint8_t *dst,
+ const uint8_t *src);
+
+void
+cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
+ size_t block_size, uint8_t *iv,
+ size_t length, uint8_t *dst,
+ const uint8_t *src);
+
+
 #define CFB_CTX(type, size) \
 { type ctx; uint8_t iv[size]; }
 #define CFB_SET_IV(ctx, data) \
 memcpy((ctx)->iv, (data), sizeof((ctx)->iv))
+#define CFB8_CTX CFB_CTX
+#define CFB8_SET_IV CFB_SET_IV
+
 /* NOTE: Avoid using NULL, as we don't include anything defining it. */
 #define CFB_ENCRYPT(self, f, length, dst, src) \
 (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \
@@ -80,6 +99,22 @@
 sizeof((self)->iv), (self)->iv, \
 (length), (dst), (src)))
+#define CFB8_ENCRYPT(self, f, length, dst, src) \
+ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0)) \
+ : cfb8_encrypt((void *) &(self)->ctx, \
+ (nettle_cipher_func *) (f), \
+ sizeof((self)->iv), (self)->iv, \
+ (length), (dst), (src)))
+
+#define CFB8_DECRYPT(self, f, length, dst, src) \
+ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0)) \
+ : cfb8_decrypt((void *) &(self)->ctx, \
+ (nettle_cipher_func *) (f), \
+ sizeof((self)->iv), (self)->iv, \
+ (length), (dst), (src)))
+
 #ifdef __cplusplus
 }
 #endif
diff -Nru nettle-3.4.1/chacha-core-internal.c nettle-3.7.3/chacha-core-internal.c
--- nettle-3.4.1/chacha-core-internal.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/chacha-core-internal.c 2021-06-06 20:06:29.000000000 +0000
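Review bot: The new `cfb8_encrypt`/`cfb8_decrypt` prototypes in the `@@ -57,12 +60,28 @@` hunk carry no comment, so nothing in the public header tells a caller how they differ from `cfb_encrypt`/`cfb_decrypt` beyond the name. A short comment above them would do, e.g. `/* CFB-8: one octet of feedback at a time, which costs one full cipher call per octet; see cfb.c */` — the per-octet cipher call is what the cfb.c implementation in this diff does. It is also worth one line next to `#define CFB8_CTX CFB_CTX` noting that the CFB8 context and IV handling are the CFB ones unchanged, so nobody goes looking for a separate struct.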
@@ -47,9 +47,17 @@
 #include
 #include "chacha.h"
+#include "chacha-internal.h"
 #include "macros.h"
+/* For fat builds */
+#if HAVE_NATIVE_chacha_core
+void
+_nettle_chacha_core_c(uint32_t *dst, const uint32_t *src, unsigned rounds);
+#define _nettle_chacha_core _nettle_chacha_core_c
+#endif
+
 #ifndef CHACHA_DEBUG
 # define CHACHA_DEBUG 0
 #endif
@@ -88,7 +96,7 @@
 } while(0)
 void
-_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds)
+_nettle_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds)
 {
 uint32_t x[_CHACHA_STATE_LENGTH];
 unsigned i;
diff -Nru nettle-3.4.1/chacha-crypt.c nettle-3.7.3/chacha-crypt.c
--- nettle-3.4.1/chacha-crypt.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/chacha-crypt.c 2021-06-06 20:06:29.000000000 +0000
@@ -47,17 +47,119 @@
 #include
 #include "chacha.h"
+#include "chacha-internal.h"
 #include "macros.h"
 #include "memxor.h"
 #define CHACHA_ROUNDS 20
+#if HAVE_NATIVE_chacha_4core
+#define _nettle_chacha_crypt_4core chacha_crypt
+#define _nettle_chacha_crypt32_4core chacha_crypt32
+#elif HAVE_NATIVE_chacha_3core
+#define _nettle_chacha_crypt_3core chacha_crypt
+#define _nettle_chacha_crypt32_3core chacha_crypt32
+#elif !(HAVE_NATIVE_fat_chacha_4core || HAVE_NATIVE_fat_chacha_3core)
+#define _nettle_chacha_crypt_1core chacha_crypt
+#define _nettle_chacha_crypt32_1core chacha_crypt32
+#endif
+
+#if HAVE_NATIVE_chacha_4core || HAVE_NATIVE_fat_chacha_4core
+void
+_nettle_chacha_crypt_4core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src)
+{
+ uint32_t x[4*_CHACHA_STATE_LENGTH];
+
+ if (!length)
+ return;
+
+ while (length > 2*CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_4core (x, ctx->state, CHACHA_ROUNDS);
+ if (length <= 4*CHACHA_BLOCK_SIZE)
+ {
+ uint32_t incr = 3 + (length > 3*CHACHA_BLOCK_SIZE);
+ ctx->state[12] += incr;
+ ctx->state[13] += (ctx->state[12] < incr);
+ memxor3 (dst, src, x, length);
+ return;
+ }
+ ctx->state[12] += 4;
+ ctx->state[13] += (ctx->state[12] < 4);
+ memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
+
+ length -= 4*CHACHA_BLOCK_SIZE;
+ dst += 4*CHACHA_BLOCK_SIZE;
+ src += 4*CHACHA_BLOCK_SIZE;
+ }
+ if (length > CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_2core (x, ctx->state, CHACHA_ROUNDS);
+ ctx->state[12] += 2;
+ ctx->state[13] += (ctx->state[12] < 2);
+ }
+ else
+ {
+ _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
+ ctx->state[13] += (++ctx->state[12] == 0);
+ }
+ memxor3 (dst, src, x, length);
+}
+#endif
+
+#if HAVE_NATIVE_chacha_3core || HAVE_NATIVE_fat_chacha_3core
+void
+_nettle_chacha_crypt_3core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src)
+{
+ uint32_t x[3*_CHACHA_STATE_LENGTH];
+
+ if (!length)
+ return;
+
+ while (length > 2*CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_3core (x,
ctx->state, CHACHA_ROUNDS);
+ ctx->state[12] += 3;
+ ctx->state[13] += (ctx->state[12] < 3);
+ if (length <= 3*CHACHA_BLOCK_SIZE)
+ {
+ memxor3 (dst, src, x, length);
+ return;
+ }
+ memxor3 (dst, src, x, 3*CHACHA_BLOCK_SIZE);
+
+ length -= 3*CHACHA_BLOCK_SIZE;
+ dst += 3*CHACHA_BLOCK_SIZE;
+ src += 3*CHACHA_BLOCK_SIZE;
+ }
+ if (length <= CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
+ ctx->state[13] += (++ctx->state[12] == 0);
+ }
+ else
+ {
+ _nettle_chacha_3core (x, ctx->state, CHACHA_ROUNDS);
+ ctx->state[12] += 2;
+ ctx->state[13] += (ctx->state[12] < 2);
+ }
+ memxor3 (dst, src, x, length);
+}
+#endif
+
+#if !(HAVE_NATIVE_chacha_4core || HAVE_NATIVE_chacha_3core)
 void
-chacha_crypt(struct chacha_ctx *ctx,
- size_t length,
- uint8_t *c,
- const uint8_t *m)
+_nettle_chacha_crypt_1core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src)
 {
 if (!length)
 return;
@@ -66,7 +168,7 @@
 {
 uint32_t x[_CHACHA_STATE_LENGTH];
- _chacha_core (x, ctx->state, CHACHA_ROUNDS);
+ _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
 ctx->state[13] += (++ctx->state[12] == 0);
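Review bot: The counter advance in the tail case of `_nettle_chacha_crypt_4core`, `uint32_t incr = 3 + (length > 3*CHACHA_BLOCK_SIZE);`, is the one subtle line in this hunk and has no comment; the ChangeLog entry dated 2021-02-10 further down this diff records that exactly this increment was wrong in an earlier release, so the next reader should be told why it is 3 or 4. Suggested: `/* four blocks were generated, but with 2*64 < length <= 4*64 only three or four are consumed; advance the counter by the number actually used */`. The same pattern recurs in `_nettle_chacha_crypt32_4core` in the `@@ -74,13 +176,131 @@` hunk, and `_nettle_chacha_crypt_3core`'s final `else` calls `_nettle_chacha_3core` while advancing by 2, which also merits a one-line note that the third block is discarded. `_nettle_chacha_crypt_1core`, whose signature this hunk renames, continues past the end of the hunk.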
@@ -74,13 +176,131 @@
 if (length <= CHACHA_BLOCK_SIZE)
 {
- memxor3 (c, m, x, length);
+ memxor3 (dst, src, x, length);
+ return;
+ }
+ memxor3 (dst, src, x, CHACHA_BLOCK_SIZE);
+
+ length -= CHACHA_BLOCK_SIZE;
+ dst += CHACHA_BLOCK_SIZE;
+ src += CHACHA_BLOCK_SIZE;
+ }
+}
+#endif
+
+#if HAVE_NATIVE_chacha_4core || HAVE_NATIVE_fat_chacha_4core
+void
+_nettle_chacha_crypt32_4core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src)
+{
+ uint32_t x[4*_CHACHA_STATE_LENGTH];
+
+ if (!length)
+ return;
+
+ while (length > 2*CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_4core32 (x, ctx->state, CHACHA_ROUNDS);
+ if (length <= 4*CHACHA_BLOCK_SIZE)
+ {
+ ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE);
+ memxor3 (dst, src, x, length);
+ return;
+ }
+ ctx->state[12] += 4;
+ memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
+
+ length -= 4*CHACHA_BLOCK_SIZE;
+ dst += 4*CHACHA_BLOCK_SIZE;
+ src += 4*CHACHA_BLOCK_SIZE;
+ }
+ if (length > CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_2core32 (x, ctx->state, CHACHA_ROUNDS);
+ ctx->state[12] += 2;
+ }
+ else
+ {
+ _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
+ ++ctx->state[12];
+ }
+ memxor3 (dst, src, x, length);
+}
+#endif
+
+#if HAVE_NATIVE_chacha_3core || HAVE_NATIVE_fat_chacha_3core
+void
+_nettle_chacha_crypt32_3core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src)
+{
+ uint32_t x[3*_CHACHA_STATE_LENGTH];
+
+ if (!length)
+ return;
+
+ while (length > 2*CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS);
+ ctx->state[12] += 3;
+ if (length <= 3*CHACHA_BLOCK_SIZE)
+ {
+ memxor3 (dst, src, x, length);
+ return;
+ }
+ memxor3 (dst, src, x, 3*CHACHA_BLOCK_SIZE);
+
+ length -= 3*CHACHA_BLOCK_SIZE;
+ dst += 3*CHACHA_BLOCK_SIZE;
+ src += 3*CHACHA_BLOCK_SIZE;
+ }
+ if (length <= CHACHA_BLOCK_SIZE)
+ {
+ _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
+ ++ctx->state[12];
+ }
+ else
+ {
+ _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS);
+ 
ctx->state[12] += 2;
+ }
+ memxor3 (dst, src, x, length);
+}
+#endif
+
+#if !(HAVE_NATIVE_chacha_4core || HAVE_NATIVE_chacha_3core)
+void
+_nettle_chacha_crypt32_1core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src)
+{
+ if (!length)
+ return;
+
+ for (;;)
+ {
+ uint32_t x[_CHACHA_STATE_LENGTH];
+
+ _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS);
+
+ ++ctx->state[12];
+
+ /* stopping at 2^38 length per nonce is user's responsibility */
+
+ if (length <= CHACHA_BLOCK_SIZE)
+ {
+ memxor3 (dst, src, x, length);
 return;
 }
- memxor3 (c, m, x, CHACHA_BLOCK_SIZE);
+ memxor3 (dst, src, x, CHACHA_BLOCK_SIZE);
 length -= CHACHA_BLOCK_SIZE;
- c += CHACHA_BLOCK_SIZE;
- m += CHACHA_BLOCK_SIZE;
+ dst += CHACHA_BLOCK_SIZE;
+ src += CHACHA_BLOCK_SIZE;
 }
 }
+#endif
diff -Nru nettle-3.4.1/chacha.h nettle-3.7.3/chacha.h
--- nettle-3.4.1/chacha.h 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/chacha.h 2021-06-06 20:06:29.000000000 +0000
@@ -46,14 +46,18 @@
 #define chacha_set_key nettle_chacha_set_key
 #define chacha_set_nonce nettle_chacha_set_nonce
 #define chacha_set_nonce96 nettle_chacha_set_nonce96
+#define chacha_set_counter nettle_chacha_set_counter
+#define chacha_set_counter32 nettle_chacha_set_counter32
 #define chacha_crypt nettle_chacha_crypt
-#define _chacha_core _nettle_chacha_core
+#define chacha_crypt32 nettle_chacha_crypt32
 /* Currently, only 256-bit keys are supported. */
 #define CHACHA_KEY_SIZE 32
 #define CHACHA_BLOCK_SIZE 64
 #define CHACHA_NONCE_SIZE 8
 #define CHACHA_NONCE96_SIZE 12
+#define CHACHA_COUNTER_SIZE 8
+#define CHACHA_COUNTER32_SIZE 4
 #define _CHACHA_STATE_LENGTH 16
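Review bot: `_nettle_chacha_crypt32_4core` and `_nettle_chacha_crypt32_3core` advance only `ctx->state[12]` with no carry, so after 2^32 blocks the counter wraps and the keystream repeats; the only warning is the `/* stopping at 2^38 length per nonce is user's responsibility */` comment buried inside `_nettle_chacha_crypt32_1core`, which a reader of the 3core/4core paths, or of the public `chacha_crypt32` prototype, never sees. I would move that caveat to the `chacha_crypt32` declaration in chacha.h (its hunk follows in this diff) and reference it from the other two functions, e.g. `/* 32-bit counter, never carried into state[13]; see chacha.h for the 2^38 octet per-nonce limit */`. Whether callers enforce the limit is not visible in this hunk.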
@@ -83,11 +87,18 @@
 chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce);
 void
+chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter);
+
+void
+chacha_set_counter32(struct chacha_ctx *ctx, const uint8_t *counter);
+
+void
 chacha_crypt(struct chacha_ctx *ctx, size_t length,
 uint8_t *dst, const uint8_t *src);
 void
-_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds);
+chacha_crypt32(struct chacha_ctx *ctx, size_t length,
+ uint8_t *dst, const uint8_t *src);
 #ifdef __cplusplus
 }
diff -Nru nettle-3.4.1/chacha-internal.h nettle-3.7.3/chacha-internal.h
--- nettle-3.4.1/chacha-internal.h 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/chacha-internal.h 2021-06-06 20:06:29.000000000 +0000
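Review bot: The three new public prototypes `chacha_set_counter`, `chacha_set_counter32` and `chacha_crypt32` are added without comments, so the header does not say which counter width goes with which crypt function, nor that `chacha_set_counter32` leaves state word 13 alone. Going by chacha-set-nonce.c and chacha-crypt.c in this same diff (the setters use `LE_READ_UINT32`; `chacha_crypt` carries into `state[13]`, the crypt32 variants never touch it), suggested comments are `/* 64-bit little-endian block counter, CHACHA_COUNTER_SIZE octets; pairs with chacha_crypt */` and `/* 32-bit little-endian block counter, CHACHA_COUNTER32_SIZE octets; state word 13 is left as set by the nonce; pairs with chacha_crypt32 */`.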
@@ -0,0 +1,100 @@
+/* chacha-internal.h
+
+ The ChaCha stream cipher.
+
+ Copyright (C) 2013 Joachim Strömbergson
+ Copyright (C) 2012 Simon Josefsson
+ Copyright (C) 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CHACHA_INTERNAL_H_INCLUDED
+#define NETTLE_CHACHA_INTERNAL_H_INCLUDED
+
+#include "nettle-types.h"
+#include "chacha.h"
+
+void
+_nettle_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds);
+
+/* Functions available only in some configurations */
+void
+_nettle_chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds);
+
+void
+_nettle_chacha_2core32(uint32_t *dst, const uint32_t *src, unsigned rounds);
+
+void
+_nettle_chacha_3core(uint32_t *dst, const uint32_t *src, unsigned rounds);
+
+void
+_nettle_chacha_3core32(uint32_t *dst, const uint32_t *src, unsigned rounds);
+
+void
+_nettle_chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds);
+
+void
+_nettle_chacha_4core32(uint32_t *dst, const uint32_t *src, unsigned rounds);
+
+void
+_nettle_chacha_crypt_1core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src);
+
+void
+_nettle_chacha_crypt_3core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src);
+
+void
+_nettle_chacha_crypt_4core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src);
+
+void
+_nettle_chacha_crypt32_1core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src);
+
+void
+_nettle_chacha_crypt32_3core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src);
+
+void
+_nettle_chacha_crypt32_4core(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *dst,
+ const uint8_t *src);
+
+#endif /* NETTLE_CHACHA_INTERNAL_H_INCLUDED */
diff -Nru nettle-3.4.1/chacha-poly1305.c nettle-3.7.3/chacha-poly1305.c
--- nettle-3.4.1/chacha-poly1305.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/chacha-poly1305.c 2021-06-06 20:06:29.000000000 +0000
@@ -52,7 +52,9 @@
 #include
 #include
+#include "chacha-internal.h"
 #include "chacha-poly1305.h"
+#include "poly1305-internal.h"
 #include "macros.h"
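Review bot: `/* Functions available only in some configurations */` in the new chacha-internal.h does not say which configuration provides which prototype, and a declaration that resolves to nothing at link time is an unhelpful failure mode for the next person who calls one of these. As far as chacha-crypt.c in this diff shows, the `_nettle_chacha_crypt_4core`/`_nettle_chacha_crypt32_4core` definitions are gated on `HAVE_NATIVE_chacha_4core || HAVE_NATIVE_fat_chacha_4core` and the 3core pair on the 3core equivalents, so I would name the gating macro next to each group, e.g. `/* Only with HAVE_NATIVE_chacha_4core or HAVE_NATIVE_fat_chacha_4core */` above the 4core declarations and the analogous line above the 3core ones; what gates `_nettle_chacha_2core` and the `*core32` kernels is not visible here and should be filled in by the author.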
@@ -78,8 +80,8 @@
 chacha_set_nonce96 (&ctx->chacha, nonce);
 /* Generate authentication key */
- _chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS);
- poly1305_set_key (&ctx->poly1305, u.subkey);
+ _nettle_chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS);
+ _nettle_poly1305_set_key (&ctx->poly1305, u.subkey);
 /* For final poly1305 processing */
 memcpy (ctx->s.b, u.subkey + 16, 16);
 /* Increment block count */
@@ -89,7 +91,7 @@
 }
 /* FIXME: Duplicated in poly1305-aes128.c */
-#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->poly1305, (data), 1)
+#define COMPRESS(ctx, data) _nettle_poly1305_block(&(ctx)->poly1305, (data), 1)
 static void
 poly1305_update (struct chacha_poly1305_ctx *ctx,
@@ -105,7 +107,7 @@
 {
 memset (ctx->block + ctx->index, 0,
 POLY1305_BLOCK_SIZE - ctx->index);
- _poly1305_block(&ctx->poly1305, ctx->block, 1);
+ _nettle_poly1305_block(&ctx->poly1305, ctx->block, 1);
 ctx->index = 0;
 }
 }
@@ -129,7 +131,7 @@
 assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
 poly1305_pad (ctx);
- chacha_crypt (&ctx->chacha, length, dst, src);
+ chacha_crypt32 (&ctx->chacha, length, dst, src);
 poly1305_update (ctx, length, dst);
 ctx->data_size += length;
 }
@@ -145,7 +147,7 @@
 poly1305_pad (ctx);
 poly1305_update (ctx, length, src);
- chacha_crypt (&ctx->chacha, length, dst, src);
+ chacha_crypt32 (&ctx->chacha, length, dst, src);
 ctx->data_size += length;
 }
@@ -159,8 +161,8 @@
 LE_WRITE_UINT64 (buf, ctx->auth_size);
 LE_WRITE_UINT64 (buf + 8, ctx->data_size);
- _poly1305_block (&ctx->poly1305, buf, 1);
+ _nettle_poly1305_block (&ctx->poly1305, buf, 1);
- poly1305_digest (&ctx->poly1305, &ctx->s);
+ _nettle_poly1305_digest (&ctx->poly1305, &ctx->s);
 memcpy (digest, &ctx->s.b, length);
 }
diff -Nru nettle-3.4.1/chacha-set-nonce.c nettle-3.7.3/chacha-set-nonce.c
--- nettle-3.4.1/chacha-set-nonce.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/chacha-set-nonce.c 2021-06-06 20:06:29.000000000 +0000
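Review bot: Replacing `chacha_crypt` with `chacha_crypt32` at the two call sites in the `@@ -129,7 +131,7 @@` and `@@ -145,7 +147,7 @@` hunks changes the AEAD's counter semantics without a comment: the crypt32 variants in chacha-crypt.c (same diff) never touch `ctx->state[13]`, whereas `chacha_crypt` carried into it, and after `chacha_set_nonce96` that word presumably holds the first nonce word (chacha-set-nonce.c writes `nonce + 4` and `nonce + 8` into words 14 and 15; the word-13 store is outside what I can see). So a message beyond 2^32 blocks now wraps the counter and repeats keystream instead of disturbing the nonce, and neither hunk bounds `ctx->data_size`; the only limit note is the `/* stopping at 2^38 length per nonce is user's responsibility */` comment in chacha-crypt.c. A comment at the first call, `/* 32-bit block counter: state[13] is nonce and is never carried into; per-nonce data must stay below 2^38 octets */`, would record the intent, and an `assert` on `ctx->data_size` against that bound is worth considering.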
@@ -68,3 +68,16 @@
 ctx->state[14] = LE_READ_UINT32(nonce + 4);
 ctx->state[15] = LE_READ_UINT32(nonce + 8);
 }
+
+void
+chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter)
+{
+ ctx->state[12] = LE_READ_UINT32(counter + 0);
+ ctx->state[13] = LE_READ_UINT32(counter + 4);
+}
+
+void
+chacha_set_counter32(struct chacha_ctx *ctx, const uint8_t *counter)
+{
+ ctx->state[12] = LE_READ_UINT32(counter + 0);
+}
diff -Nru nettle-3.4.1/ChangeLog nettle-3.7.3/ChangeLog
--- nettle-3.4.1/ChangeLog 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/ChangeLog 2021-06-06 20:06:29.000000000 +0000
@@ -1,3 +1,1617 @@ +2021-05-22 Niels Möller + + * configure.ac: Bump package version, to 3.7.3. + (LIBNETTLE_MINOR): Bump minor number, to 8.4. + (LIBHOGWEED_MINOR): Bump minor number, to 6.4. + +2021-05-17 Niels Möller + + * rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is + in range. + * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. + * rsa-decrypt.c (rsa_decrypt): Likewise. + * testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n. + +2021-05-14 Niels Möller + + * rsa-sign-tr.c (rsa_sec_blind): Delete mn argument. + (_rsa_sec_compute_root_tr): Delete mn argument, instead require + that input size matches key size. Rearrange use of temporary + storage, to support in-place operation, x == m. Update all + callers. + + * rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of + input, for calling _rsa_sec_compute_root_tr. + * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. + + * testsuite/rsa-encrypt-test.c (test_main): Test calling all of + rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input. + +2021-05-06 Niels Möller + + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message + length is valid, for given key size. + * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for + calls to rsa_sec_decrypt specifying a too large message length. + +2021-03-21 Niels Möller + + * NEWS: NEWS entries for 3.7.2. + +2021-03-17 Niels Möller + + * configure.ac: Bump package version, to 3.7.2. + (LIBNETTLE_MINOR): Bump minor number, to 8.3. + (LIBHOGWEED_MINOR): Bump minor number, to 6.3. + +2021-03-13 Niels Möller + + * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to + compute the scalar used for ecc multiplication. + + * eddsa-hash.c (_eddsa_hash): Ensure result is canonically + reduced. Two of the three call sites need that. + + * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical + to compute the scalars used for ecc multiplication. 
+ + * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to + canonical range. + + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical + to compute the scalars used for ecc multiplication. + * testsuite/ecdsa-verify-test.c (test_main): Add test case that + triggers an assert on 64-bit platforms, without above fix. + * testsuite/ecdsa-sign-test.c (test_main): Test case generating + the same signature. + +2021-03-13 Niels Möller + + * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. + +2021-03-11 Niels Möller + + * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): + New functions. + * ecc-internal.h: Declare and document new functions. + * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. + * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. + * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. + * ecc-j-to-a.c (ecc_j_to_a): Likewise. + * ecc-mul-m.c (ecc_mul_m): Likewise. + +2021-02-17 Niels Möller + + * Released Nettle-3.7.1. + +2021-02-15 Niels Möller + + * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted + glue to openssl arcfour. + (openssl_arcfour128_set_encrypt_key) + (openssl_arcfour128_set_decrypt_key): Deleted. + * nettle-internal.h: Deleted declaration. + * examples/nettle-benchmark.c (aeads): Delete benchmarking. + +2021-02-13 Niels Möller + + * configure.ac: Bump package version, to 3.7.1. + (LIBNETTLE_MINOR): Bump minor number, to 8.2. + (LIBHOGWEED_MINOR): Bump minor number, to 6.2. + +2021-02-10 Niels Möller + + * chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case + that counter increment should be 3 (129 <= message length <= 192). + (_nettle_chacha_crypt32_4core): Likewise. + + * testsuite/chacha-test.c (test_chacha_rounds): New function, for + tests with non-standard round count. Extracted from _test_chacha. + (_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32 + handling. 
When testing message prefixes of varying length, also + encrypt the remainder of the message, to catch errors in counter + value update. + (test_main): Add a few tests with large messages (16 blocks, 1024 + octets), to improve test coverage for _nettle_chacha_crypt_4core + and _nettle_chacha_crypt32_4core. + +2021-01-25 Niels Möller + + * arm/neon/salsa20-core-internal.asm: Deleted file. This ARM Neon + implementation reportedly gave a speedup of 45% on Cortex A9, + compared to the C implementation, when it was added back in 2013. + That appears to no longer be the case with more recent processors + and compilers. And it's even significantly slower than the C + implementation on some platforms, including the Raspberry Pi 4. + With the introduction of salsa20-2core.asm, performance of this + function is also less important. + * arm/neon/chacha-core-internal.asm: Deleted file, for analogous reasons. + * arm/fat/salsa20-core-internal-2.asm: Deleted file. + * arm/fat/chacha-core-internal-2.asm: Deleted file. + * fat-arm.c (_nettle_salsa20_core, _nettle_chacha_core): Delete fat setup. + +2021-01-31 Niels Möller + + New variants, contributed by Nicolas Mora. + * pbkdf2-hmac-sha384.c (pbkdf2_hmac_sha384): New file and function. + * pbkdf2-hmac-sha512.c (pbkdf2_hmac_sha512): New file and function. + * testsuite/pbkdf2-test.c (test_main): Corresponding tests. + +2021-01-20 Niels Möller + + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Fix corner case with + all-zero hash. Reported by Guido Vranken. + * testsuite/ecdsa-verify-test.c: Add corresponding test case. + +2021-01-10 Niels Möller + + * fat-ppc.c: Don't use __GLIBC_PREREQ in the same preprocessor + conditional as defined(__GLIBC_PREREQ), but move to a nested #if + conditional. Fixes compile error on OpenBSD/powerpc64, reported by + Jasper Lievisse Adriaanse. + +2021-01-04 Niels Möller + + * Released Nettle-3.7. + +2020-12-27 Niels Möller + + * configure.ac: Enable fat build by default. 
+ +2020-12-26 Niels Möller + + * NEWS: News entries for Nettle-3.7. + + * Makefile.in (distdir): Distribute the README files in assembly + directories. + + * configure.ac: Bump package version, to 3.7. + (LIBNETTLE_MINOR): Bump minor number, to 8.1. + (LIBHOGWEED_MINOR): Bump minor number, to 6.1. + +2020-12-21 Niels Möller + + From Mamone Tarsha: + * fat-ppc.c: Check glibc version, and use getauxval only when available. + +2020-12-12 Niels Möller + + * powerpc64/p7/chacha-4core.asm: More interleaving of independent + instructions, gives slight speedup on Power9. + +2020-12-01 Niels Möller + + * powerpc64/p7/chacha-4core.asm: Use protected zone below stack + pointer to save registers, without modifying the stack pointer. + (QR): Instruction level interleaving in the main loop, written by + Torbjörn Granlund. + +2020-11-30 Niels Möller + + * m4-utils.m4 (m4_unquote): New macro, copied from GMP's + mpn/asm-defs.m4. + + * chacha-crypt.c: (_nettle_chacha_crypt_4core) + (_nettle_chacha_crypt32_4core): New functions. + (_nettle_chacha_crypt_2core, _nettle_chacha_crypt32_2core): + Deleted, no longer needed. + * chacha-internal.h: Add prototypes for _nettle_chacha_4core and + related functions. + * configure.ac (asm_nettle_optional_list): Add chacha-4core.asm. + * powerpc64/fat/chacha-4core.asm: New file. + * powerpc64/p7/chacha-4core.asm: New file. + * fat-ppc.c (fat_init): When altivec is available, use + _nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core + instead of _2core variants. + + * chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in + handling of counter; this function should not propagate any carry. + + * aes-internal.h: Delete name mangling of internal symbols. Update + all internal references to use _nettle prefix. + * camellia-internal.h: Likewise. + * chacha-internal.h: Likewise. + * ctr-internal.h: Likewise. + * dsa-internal.h: Likewise. + * gost28147-internal.h: Likewise. + * poly1305-internal.h: Likewise. + * salsa20-internal.h: Likewise. 
+ * sha3-internal.h: Likewise. + * umac-internal.h: Likewise. + +2020-11-26 Niels Möller + + Enable powerpc64 gcm code in fat builds. Based on patch + contributed by Mamone Tarsha: + * powerpc64/fat/gcm-hash.asm: New file. + * configure.ac: Add HAVE_NATIVE_fat_gcm_init_key and + HAVE_NATIVE_fat_gcm_hash. + * gcm.c (gcm_init_key): Renamed, to ... + (_nettle_gcm_init_key_c): ... new name. Add fat setup conditionals. + (gcm_hash): Renamed, to... + (_nettle_gcm_hash_c): ... new name. Add fat setup conditionals. + * fat-setup.h (gcm_init_key_func, gcm_hash_func): New typedefs. + * fat-ppc.c: Select implementations of _nettle_gcm_init_key and _nettle_gcm_hash. + * gcm-internal.h: New file. + * Makefile.in (DISTFILES): Add gcm-internal.h. + + * powerpc64/p8/gcm-hash.asm: New file, contributed by Mamone + Tarsha. Implements _nettle_gcm_init_key and _nettle_gcm_hash. + +2020-11-28 Niels Möller + + * powerpc64/p7/chacha-2core.asm: Simplify counter carry handling + using the vaddcuw instruction. + + Merge changes by Marco Bodrato and Torbjorn Granlund, from the + gmp/mini-gmp copy of this file. + * run-tests: Delete special handling of zero arguments. Update + WINEPATH, instead of overwriting it. + +2020-11-27 Niels Möller + + * aclocal.m4: Replace some calls to exit with return, since exit + requires stdlib.h. Including patch contributed by Adrien Béraud. + + * testsuite/version-test.c: Include version.h. Patch contributed + by Brian Smith. + +2020-11-25 Niels Möller + + * powerpc64/p7/chacha-2core.asm: Add byte swapping of output, for + big-endian builds. + +2020-11-24 Niels Möller + + Enable ppc chacha_2core in fat builds. + * configure.ac: Add HAVE_NATIVE_fat_chacha_2core. + * chacha-crypt.c: Check HAVE_NATIVE_fat_chacha_2core. + * chacha-internal.h (_chacha_crypt_2core, _chacha_crypt32_2core): + Add declarations. + * fat-ppc.c (fat_init): Use _nettle_chacha_crypt_2core and + _nettle_chacha_crypt32_2core when altivec is available. 
+ * powerpc64/fat/chacha-2core.asm: New file, including p7 version. + +2020-11-23 Niels Möller + + * powerpc64/p7/chacha-2core.asm: New file. + + * chacha-crypt.c (_chacha_crypt_2core, _chacha_crypt32_2core): New + variants of chacha_crypt, using _chacha_2core to do two blocks at + a time. + * chacha-internal.h (_chacha_2core, _chacha_2core32): Add declarations. + * configure.ac (asm_nettle_optional_list): Add chacha-2core.asm. + +2020-11-14 Niels Möller + + * ecc-mod-inv.c (ecc_mod_inv): Use passed in scratch for all + scratch needs, don't use memory after the result area. + * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Update invert call. + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. + * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. + * ecc-j-to-a.c (ecc_j_to_a): Likewise. + * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise. + * curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise. + * curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and + reduce scratch need from 9*size to 5*size. + * ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH) + (ECC_EH_TO_A_ITCH): Update accordingly, but no change in total + scratch need. + +2020-11-13 Niels Möller + + * ecc-internal.h (ECC_J_TO_A_ITCH): Generalize, and take invert + itch as an argument, similarly to ECC_EH_TO_A_ITCH. Updated all + secp and gost curve definitions to use it. + +2020-10-21 Niels Möller + + * ecc-secp384r1.c (ecc_secp384r1_inv): New function, modular + inverse using powering. + (_nettle_secp_384r1): Analogous updates. Increases signing + performance roughly 15% on x86_64. + +2020-10-20 Niels Möller + + * ecc-mod-inv.c (ecc_mod_inv_redc): Deleted, no longer needed. + (ecc_mod_inv_destructive): Deleted, merged with ecc_mod_inv. + + * ecc-secp256r1.c (ecc_secp256r1_inv): New function, modular + inverse using powering. + (_nettle_secp_256r1): Analogous updates. Increases signing + performance roughly 6% on x86_64. + + * ecc-secp224r1.c (ecc_secp224r1_inv): New function, modular + inverse using powering. 
+ (_nettle_secp_224r1): Analogous updates. Increases signing + performance roughly 17% on x86_64. + +2020-10-19 Niels Möller + + * ecc-secp521r1.c (ecc_secp521r1_inv): New function, modular + inverse using powering. + (_nettle_secp_521r1): Analogous updates. Increases signing + performance roughly 15% on x86_64. + +2020-10-15 Niels Möller + + * ecc-secp192r1.c (ecc_secp192r1_inv): New function, modular + inverse using powering. + (_nettle_secp_192r1): Use it for p.invert, and also update + h_to_a_itch. Increases signing performance roughly 25% on x86_64. + + * testsuite/ecc-modinv-test.c (test_modulo): Allow invert function + to return a non-canonical representation. + +2020-11-08 Niels Möller + + Merge refactoring of ecc modulo and reduce functions. + * eddsa-sign.c (_eddsa_sign_itch): Update, since now point + multiplication needs less scratch than point compression. + * eddsa-pubkey.c (_eddsa_public_key_itch): Likewise. + + * ecc-internal.h: Update *_ITCH macros for point multiplication + and signatures. They need slightly less scratch after optimization + of the point addition functions. + + * ecc-mul-m.c (ecc_mul_m): Reduce scratch need. + (ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap + per iteration. + + * ecc-add-jja.c (ecc_add_jja): Reduce scratch need. + * ecc-add-jjj.c (ecc_add_jjj): Reduce scratch need. + * ecc-internal.h (ECC_ADD_JJA_ITCH, ECC_ADD_JJJ_ITCH): Now 5*size. + (ECC_MUL_M_ITCH): New 8*size. + +2020-11-06 Niels Möller + + After these changes, both curve25519 and curve448 need 4*size for + invert and 6*size for sqrt. + * ecc-curve448.c (ecc_mod_pow_446m224m1): Reduce scratch need. + (ecc_curve448_inv): Likewise. + (ecc_curve448_sqrt): Likewise. + * ecc-curve25519.c (ecc_curve25519_sqrt): Reduce scratch need. + + * ecc-add-jja.c (ecc_add_jja): Delete an unneeded copy. + +2020-11-05 Niels Möller + + * ecc-dup-jj.c (ecc_dup_jj): Reduce scratch need. + * ecc-internal.h (ECC_DUP_JJ_ITCH): Now 4*size. 
+
+2020-11-03 Niels Möller
+
+ * ecc-dup-eh.c (ecc_dup_eh): Reduce scratch need.
+ * ecc-dup-th.c (ecc_dup_th): Analogous changes.
+ * ecc-internal.h (ECC_DUP_EH_ITCH, ECC_DUP_TH_ITCH): Now 3*size.
+
+ * ecc-internal.h (ecc_add_func): Document in-place operation.
+ * ecc-mul-a-eh.c (ecc_mul_a_eh): Fix call to ecc->add_hhh accordingly.
+ * testsuite/ecc-add-test.c (test_main): Likewise.
+
+ * ecc-add-eh.c (ecc_add_eh): Reduce scratch need.
+ * ecc-add-th.c (ecc_add_th): Analogous changes.
+ * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need.
+ * ecc-add-thh.c (ecc_add_thh): Analogous changes.
+ * ecc-internal.h (ECC_ADD_EH_ITCH, ECC_ADD_EHH_ITCH)
+ (ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): Now 4*size.
+
+2020-11-02 Niels Möller
+
+ * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need.
+ (ecc_curve25519_inv): Likewise.
+ (ecc_curve25519_sqrt): Likewise.
+
+2020-11-01 Niels Möller
+
+ * ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument
+ for scratch area, reducing required size of result area. Update
+ all callers to naïvely keep using result in scratch area.
+ (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Simplified, also reducing
+ required size of result area.
+
+ * testsuite/testutils.c (test_ecc_point): Show curve bits on failure.
+
+2020-10-31 Niels Möller
+
+ * ecc-internal.h (typedef ecc_mod_func): Updated all assembly
+ implementations.
+
+ * testsuite/ecc-mod-test.c (test_one): Extend tests, to also test
+ with different destination area.
+ * testsuite/ecc-redc-test.c (test_main): Likewise.
+
+2020-10-30 Niels Möller
+
+ * ecc-internal.h (typedef ecc_mod_func): Add separate result
+ argument. Updated all C implementations and callers.
+
+2020-10-29 Niels Möller
+
+ * ecc-mod.c (ecc_mod): More unified handling of final carry
+ folding. Also eliminates a goto statement.
+
+2020-11-07 Niels Möller
+
+ Merged initial powerpc64 implementation of chacha.
+ * configure.ac: New command line option --enable-power-altivec.
+ Update asm_path logic, and add altivec to FAT_TEST_LIST.
+ * fat-ppc.c (get_ppc_features): Add logic to check for altivec and
+ vsx support, and select aither C or altivec implementation of
+ chacha_core.
+ * powerpc64/p7/chacha-core-internal.asm: New file.
+
+2020-09-25 Niels Möller
+
+ * powerpc64/p7/chacha-core-internal.asm: New file.
+ * Makefile.in (distdir): Add powerpc64/p7.
+
+2020-10-29 Niels Möller
+
+ * blowfish.c (blowfish_set_key): Add casts to uint32_t. Avoids
+ undefined behavior, since shifting an 8-bit value left by 24 bits
+ overflows the range of signed int. Reported by Guido Vranken.
+
+2020-10-28 Niels Möller
+
+ * gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use
+ corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n,
+ mpn_cnd_swap, available from GMP version 6.1.0. Update all
+ callers, in particular, mpn_cnd_add_n and mpn_cnd_sub_n has one
+ more argument than the old functions.
+
+ * gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap)
+ [NETTLE_USE_MINI_GMP]: Fallback definitions or mini-gmp builds.
+
+2020-10-14 Niels Möller
+
+ * ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved
+ functions here.
+ * ecc-internal.h (ecc_mod_pow_2kp1): New macro, calling the more
+ general ecc_mod_pow_2k_mul.
+ * ecc-curve25519.c (ecc_mod_pow_2kp1): Deleted static function.
+ * ecc-curve448.c (ecc_mod_pow_2k, ecc_mod_pow_2kp1): Deleted
+ static functions.
+
+2020-10-13 Niels Möller
+
+ * ecc-mod-inv.c (ecc_mod_inv_destructive): New helper function,
+ not preserving input argument. Extracted from old ecc_mod_inv.
+ (ecc_mod_inv): Call ecc_mod_inv_destructive.
+ (ecc_mod_inv_redc): New inversion function, with input and output
+ in redc form.
+
+ * ecc-secp224r1.c: Select between ecc_mod_inv and ecc_mod_inv_redc.
+ * ecc-secp256r1.c: Likewise.
+
+ * ecc-j-to-a.c (ecc_j_to_a): Simplify redc-related logic, taking
+ advantage of ecc->p.invert handling redc, when appropriate. Reduce
+ scratch need from 5n to 4n in the process (assuming inversion
+ needs 2n).
+
+ * testsuite/ecc-modinv-test.c (ref_modinv): Updated to do redc, if
+ appropriate.
+
+2020-09-25 Niels Möller
+
+ * gcm.c (gcm_fill): Added separate implementations for big- and
+ little-endian, to use uint64_t stores and less overhead.
+
+2020-09-24 Niels Möller
+
+ * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): Prefer to use register
+ names. Can be tested by configuring with CC='gcc -Wa,-mregnames'.
+
+2020-09-21 Niels Möller
+
+ * m4-utils.m4: New file with m4 utilities, copied from GMP's
+ mpn/asm-defs.m4.
+ * Makefile.in (DISTFILES): Add m4-utils.m4.
+ (%.asm): Include m4-utils.m4 for preprocessing of .asm files, and
+ include config.m4 before machine.m4.
+
+ * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): New configure test,
+ adapted from corresponding test in GMP's acinlude.m4.
+ * configure.ac (ASM_PPC_WANT_R_REGISTERS): New substituted
+ variable. Set using GMP_ASM_POWERPC_R_REGISTERS, when powerpc64
+ assembly code is enabled.
+ * config.m4.in: Substituted here.
+ * powerpc64/machine.m4: Check ASM_PPC_WANT_R_REGISTERS, and
+ if needed, replace register names like r0, r1, ... with integers.
+
+2020-09-15 Niels Möller
+
+ * Makefile.in (DISTFILES): Add missing file blowfish-internal.h.
+
+2020-09-14 Niels Möller
+
+ * asm.m4: Delete use of changequote, stick to the m4 default
+ quoting characters `'. Updated all assembly and m4 files.
+ * x86_64/machine.m4 (W64_ENTRY, W64_EXIT): Delete quoting workaround.
+
+2020-09-12 Niels Möller
+
+ * x86_64/salsa20-2core.asm: Fix incorrect W64_EXIT.
+
+2020-08-29 Niels Möller
+
+ Initial powerpc64 assembly support, contributed by Mamone Tarsha:
+ * configure.ac: New configure option --enable-power-crypto-ext.
+ (asm_path): Setup this and related variables for powerpc64.
+ * powerpc64/machine.m4: New file.
+ * powerpc64/README: New file.
+ * powerpc64/p8/aes-encrypt-internal.asm: New file.
+ * powerpc64/p8/aes-decrypt-internal.asm: New file.
+ * powerpc64/fat/aes-encrypt-internal-2.asm: New file.
+ * powerpc64/fat/aes-decrypt-internal-2.asm: New file.
+ * fat-ppc.c: New file.
+ * Makefile.in (OPT_SOURCES): Add fat-ppc.c.
+ (distdir): Add powerpc64 directories.
+ * aes-decrypt-internal.c (_nettle_aes_decrypt_c): Alternative
+ name, for fat builds.
+ * aes-encrypt-internal.c (_nettle_aes_encrypt_c): Likewise.
+
+2020-07-28 Niels Möller
+
+ * configure.ac (FAT_TEST_LIST): New substituted variable. Set for
+ fat builds, otherwise empty.
+ * Makefile.in (check-fat): New target, using $(FAT_TEST_LIST).
+
+2020-07-13 Niels Möller
+
+ * chacha-crypt.c (chacha_crypt) [HAVE_NATIVE_chacha_3core]: Use
+ _chacha_3core.
+
+ * arm/neon/chacha-3core.asm: New file, 3-way interleaving of
+ chacha.
+
+2020-07-11 Niels Möller
+
+ * testsuite/chacha-test.c (test_main): Delete obsolete tests for
+ chacha with 128-bit keys. #if:ed out since 2014-03-04, see below.
+ (test_chacha_core): New function, test chacha with simple input
+ structure.
+
+2020-07-10 Niels Möller
+
+ * x86_64/salsa20-2core.asm: New file.
+ * x86_64/salsa20-crypt.asm: Deleted, since the 2core assembly is
+ faster.
+
+2020-07-08 Niels Möller
+
+ Rearrange salsa20, enabling ARM fat builds to use sala20_2core.
+ * salsa20-crypt-internal.c (_salsa20_crypt_2core)
+ (_salsa20_crypt_1core): New file, new functions. One or the other
+ is used for implementing salsa20_crypt and salsa20r12_crypt,
+ depending on availability of salsa20_2core.
+ * salsa20-crypt.c (salsa20_crypt): Call _salsa20_crypt.
+ * salsa20r12-crypt.c (salsa20r12_crypt): Likewise.
+ * salsa20-internal.h: Declare new internal functions.
+ * Makefile.in (nettle_SOURCES): Add salsa20-crypt-internal.c.
+ * fat-setup.h (salsa20_crypt_func): New typedef.
+ * fat-arm.c (_salsa20_crypt): Select _salsa20_crypt
+ implementation, use 2core version when Neon instructions are
+ available.
+ * arm/fat/salsa20-2core.asm: New file, including Neon
+ implementation. Trigger configure's HAVE_NATIVE_fat_salsa20_2core,
+ * configure.ac: Add HAVE_NATIVE_fat_salsa20_2core, to identify the
+ case that salsa20_2core is defined, but runtime checks are needed
+ to determine if it is usable.
+
+2020-07-06 Niels Möller
+
+ * testsuite/salsa20-test.c (test_salsa20_core): New function, test
+ salsa20 with simple input structure.
+
+ * configure.ac: Obey --enable-arm-neon=yes, even if not explicitly
+ targetting ARM v6 or later.
+
+2020-07-01 Niels Möller
+
+ * testsuite/bcrypt-test.c: New file. Moved bcrypt tests here.
+
+ Support for bcrypt, contributed by Stephen R. van den Berg.
+ * blowfish-bcrypt.c (blowfish_bcrypt_hash)
+ (blowfish_bcrypt_verify): New file, new functions.
+ * blowfish-internal.h: New header file, declaring internals needed
+ for bcrypt.
+ * testsuite/blowfish-test.c: Add bcrypt tests.
+ * nettle.texinfo (Cipher functions): Document bcrypt.
+
+2020-06-30 Niels Möller
+
+ * nettle.texinfo (Miscellaneous hash functions): New section, with
+ Streebog documentation, contributed by Dmitry Baryshkov.
+ (Top): Added some missing entries to the detailed node listing
+
+2020-06-29 Niels Möller
+
+ * .gitlab-ci.yml: Add cross tests for powerpc64le, based on patch
+ by Maamoun TK.
+
+2020-06-25 Niels Möller
+
+ * x86_64/chacha-core-internal.asm (QROUND): Fix use of macro
+ arguments. Spotted by Torbjörn Granlund.
+
+2020-06-02 Niels Möller
+
+ * examples/nettle-benchmark.c (main): Delete call to
+ time_overhead. The attempt to measure function call overhead is
+ not very useful or accurate. The benchmarking loop is optimized
+ away by gcc-10, making the benchmark program hang.
+ (bench_nothing, time_overhead): Deleted.
+
+2020-04-29 Niels Möller
+
+ * Released Nettle-3.6.
+
+2020-04-27 Niels Möller
+
+ * configure.ac: Tweak gcc command line options. Delete checks for
+ older gcc versions. Add -Wno-sign-compare, since warnings for
+ signed/unsigned comparisons adds a lot of noise, in particular
+ when building mini-gmp.
+
+ * mini-gmp.c: Updated mini-gmp from the gmp repository, latest
+ change from 2020-04-20.
+ * mini-gmp.h: Likewise.
+
+2020-04-25 Niels Möller
+
+ * gmp-glue.c (mpz_limbs_read, mpz_limbs_write, mpz_limbs_modify)
+ (mpz_limbs_finish, mpz_roinit_n): Delete compatibility
+ definitions. These functions available in GMP since version 6.0.0.
+ * gmp-glue.h: Delete corresponding declarations, and preprocessor
+ conditions.
+
+ * configure.ac: Update required version of GMP to 6.1.0, needed
+ for mpn_zero_p.
+ * ecc-ecdsa-verify.c (zero_p): Deleted static function, usage
+ replaced with mpn_zero_p.
+ * testsuite/testutils.c (mpn_zero_p): Delete conditional
+ definition.
+ * testsuite/testutils.h: Delete corresponding declarations.
+
+ * Makefile.in (DISTFILES): Add poly1305-internal.h.
+ * testsuite/Makefile.in (DISTFILES): Delete setup-env.
+
+2020-04-23 Niels Möller
+
+ * run-tests: Set WINEPATH, since it appears wine doesn't search
+ for dlls in the unix PATH.
+ * examples/setup-env: Delete creation of extra dll symlinks.
+ * examples/teardown-env: Delete corresponding cleanup.
+ * testsuite/setup-env: Deleted file (same symlink creation).
+ * testsuite/teardown-env: Delete corresponding cleanup.
+
+ * testsuite/ecc-add-test.c (test_main): Delete ASSERTs with
+ functions pointer comparisons. They provide little value, and fail
+ when linking with hogweed.dll on windows.
+ * testsuite/ecc-dup-test.c (test_main): Likewise.
+
+2020-04-22 Niels Möller
+
+ * testsuite/Makefile.in: Use pattern rules for test executables,
+ replacing...
+ (test-rules): ...deleted rule.
+ * testsuite/.test-rules.make: Deleted file.
+
+2020-04-21 Niels Möller
+
+ From Dmitry Baryshkov:
+ * gostdsa-vko.c (gostdsa_vko): New file and function.
+ * testsuite/gostdsa-vko-test.c (test_vko): New test.
+ * nettle.texinfo (GOSTDSA): Document it.
+
+2020-04-19 Niels Möller
+
+ From Dmitry Baryshkov:
+ * gosthash94.h (struct gosthash94_ctx): Rearrange struct to enable
+ use of MD_UPDATE macro, in particular, replacing byte count with
+ block count and index. Also move buffer last, for consistency with
+ other hash functions.
+ * gosthash94.c (gosthash94_update_int): Use MD_UPDATE macro.
+ (gosthash94_write_digest): Update for block count rather than byte
+ count.
+
+2020-04-17 Niels Möller
+
+ * configure.ac (LIBNETTLE_MAJOR): Increase libnettle version
+ number to 8.0, for move of internal poly1305 functions.
+ (LIBNETTLE_MINOR): Reset to zero.
+
+2020-04-15 Niels Möller
+
+ From Dmitry Baryshkov:
+ * poly1305.h (poly1305_set_key, poly1305_digest, _poly1305_block):
+ Removed declarations from this public header file.
+ * poly1305-internal.h: New file, with declarations of internal
+ poly1305 functions.
+ (_poly1305_set_key, _poly1305_digest): Renamed, with leading
+ underscore. Updated definitions and all uses.
+
+2020-04-12 Niels Möller
+
+ * Makefile.in (DISTFILES): Reorder to ensure that generated des
+ headers can't be older than desdata.stamp.
+
+ * testsuite/ed448-test.c: Define _GNU_SOURCE, for getline with gcc
+ -std=c89.
+
+2020-04-06 Niels Möller
+
+ * configure.ac (LIBHOGWEED_MAJOR): Increase libhogweed version
+ number to 6.0, at request of Gnutls team.
+ (LIBHOGWEED_MINOR): Reset to zero.
+
+2020-04-01 Niels Möller
+
+ * config.guess: Update to 2020-01-01 version, from savannah's
+ config.git.
+ * config.sub: Likewise.
+
+2020-03-31 Niels Möller
+
+ * aclocal.m4 (LSH_TYPE_SOCKLEN_T, LSH_CHECK_KRB_LIB, LSH_LIB_ARGP)
+ (LSH_MAKE_CONDITIONAL): Delete unused macros.
+
+ * config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables.
+
+ * run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and
+ related member variables.
+
+ * testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR
+ to the run-tests script, and leave setting of LD_LIBRARY_PATH and
+ related variables to that script.
+ * examples/Makefile.in (check): Likewise.
+
+2020-03-26 Niels Möller
+
+ * configure.ac: Bump package version to 3.6.
+ (LIBNETTLE_MINOR): Bump minor number, now 7.1.
+ (LIBHOGWEED_MINOR): Bump minor numbers, now 5.1
+
+2020-03-14 Niels Möller
+
+ From H.J. Lu:
+ * configure.ac (ASM_X86_ENDBR)
+ (ASM_X86_MARK_CETASM_X86_MARK_CET_ALIGN): New substituted
+ variables.
+ * config.m4.in: Substituted here. Add ASM_X86_MARK_CET to
+ diversion inserted at end of assembly files.
+ * asm.m4 (PROLOGUE): Add ASM_X86_ENDBR at entry point.
+
+2020-03-09 Niels Möller
+
+ From Daiki Ueno:
+ * chacha-crypt.c (chacha_crypt32): New function.
+ * chacha-set-nonce.c (chacha_set_counter, chacha_set_counter32):
+ New functions.
+ * chacha.h (CHACHA_COUNTER_SIZE, CHACHA_COUNTER32_SIZE): New constants.
+ * chacha-poly1305.c (chacha_poly1305_encrypt)
+ (chacha_poly1305_decrypt): Use chacha_crypt32.
+ * testsuite/chacha-test.c: Update tests to use new functions.
+ * nettle.texinfo: Document new chacha functions, and update
+ out-of-date chacha-poly1305 documentation.
+
+2020-03-08 Niels Möller
+
+ From Dmitry Baryshkov:
+ * cmac-des3-meta.c (nettle_cmac_des): New file, moving definition
+ from...
+ * testsuite/cmac-test.c: ... old location.
+ * nettle-meta.h (nettle_cmac_des): Declare it.
+
+2020-02-15 Niels Möller
+
+ From Dmitry Baryshkov:
+ * ecc-internal.h (ecc_modq_add, ecc_modq_mul, ecc_modp_sqr)
+ (ecc_modp_mul, ecc_mod_submul_1, ecc_modp_mul_1, ecc_modp_add)
+ (ecc_modp_sub): Deleted macros. Updated callers to use respective
+ functions instead.
+ (ecc_modp_addmul_1): Delete unused macro.
+
+2020-02-09 Niels Möller
+
+ Addition of struct nettle_mac based on patches by Daiki Ueno.
+ * nettle-meta-macs.c (nettle_get_macs): New file, new function.
+ * testsuite/meta-mac-test.c: New test.
+
+ * nettle-meta.h (_NETTLE_HMAC): New macro.
+ (nettle_hmac_md5, nettle_hmac_ripemd160, nettle_hmac_sha1)
+ (nettle_hmac_sha224, nettle_hmac_sha256, nettle_hmac_sha384)
+ (nettle_hmac_sha512): Declare.
+ (struct nettle_mac): New public struct,
+ * testsuite/testutils.h: ...moved from this file.
+
+ * hmac-md5-meta.c: New file.
+ * hmac-ripemd160-meta.c: Likewise.
+ * hmac-sha1-meta.c: Likewise.
+ * hmac-sha224-meta.c: Likewise.
+ * hmac-sha256-meta.c: Likewise.
+ * hmac-sha384-meta.c: Likewise.
+ * hmac-sha512-meta.c: Likewise.
+
+ * Makefile.in (nettle_SOURCES): Add new files.
+
+ * testsuite/testutils.h (_NETTLE_HMAC): Delete unused version of
+ this macro.
+ * testsuite/testutils.c (test_mac): Allow testing with smaller
+ digest size.
+ * testsuite/hmac-test.c (test_main): Use test_mac for tests using
+ key size == digest size.
+
+ * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
+ Moved to...
+ * cmac-aes128-meta.c: New file.
+ * cmac-aes256-meta.c: New file.
+
+ * nettle-meta.h (struct nettle_mac): New public struct,
+ * testsuite/testutils.h: ...moved from this file.
+
+2020-02-06 Niels Möller
+
+ From Dmitry Baryshkov:
+ * gost28147.h: Deleted, move declarations to gost28147-internal.h.
+
+2020-02-05 Niels Möller
+
+ * configure.ac: On Solaris, link shared libraries with --shared
+ rather than -G. For gcc, --shared is the proper way. For Solaris'
+ proprietary cc, according to docs, it accepts --shared as an alias
+ for -G since Oracle Solaris Studio 12.4, and it was made more gcc
+ compatible in later versions. Since 12.4 was released in 2014,
+ don't attempt to cater for older versions.
+
+2020-01-26 Niels Möller
+
+ * ecc-internal.h (struct ecc_curve): Delete g, the curve
+ generator, since it was used only by tests. Update all curve
+ instances.
+
+ * eccdata.c (output_curve): Delete output of ecc_g.
+ (output_point): Delete name argument, and update callers.
+
+ * testsuite/testutils.c (ecc_ref): Table of reference points moved
+ out of test_ecc_mul_a. Add generator to the list of points.
+ (test_ecc_mul_a): Use ecc_ref table also for the n == 1 case.
+ (test_ecc_ga, test_ecc_get_g, test_ecc_get_ga): New functions,
+ using the tabulated generator.
+
+ * testsuite/ecc-add-test.c: Use test_ecc_get_g, instead of
+ accessing ecc->g.
+ * testsuite/ecc-dup-test.c: Likewise.
+ * testsuite/ecc-mul-a-test.c: Use test_ecc_get_ga and test_ecc_ga.
+ Delete special case for n == 1.
+ * testsuite/ecc-mul-g-test.c: Use test_ecc_ga.
+
+ Support for GOST DSA, contributed by Dmitry Baryshkov.
+ * gostdsa-verify.c (gostdsa_verify): New file and function.
+ * gostdsa-sign.c (gostdsa_sign): New file and function.
+ * ecc-gostdsa-verify.c (ecdsa_in_range, ecc_gostdsa_verify_itch)
+ (ecc_gostdsa_verify): New file and functions.
+ * ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign):
+ New file and functions.
+ * ecc-internal.h (ECC_GOSTDSA_SIGN_ITCH): New macro.
+ * ecc-hash.c (gost_hash): New function.
+ * testsuite/gostdsa-verify-test.c: New test.
+ * testsuite/gostdsa-sign-test.c: New test.
+ * testsuite/gostdsa-keygen-test.c: New test.
+ * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add new tests.
+
+ Support for GOST gc256b and gc512a curves, contributed by Dmitry
+ Baryshkov.
+ * eccdata.c (ecc_curve_init): Add parameters for gost_gc256b and
+ gost_gc512a.
+ * ecc-gost-gc256b.c: New file, define _nettle_gost_gc256b.
+ * ecc-gost-gc512a.c: New file, define _nettle_gost_gc512a.
+ * Makefile.in: Add rules to generate ecc-gost-gc256b.h and
+ ecc-gost-gc512a.h.
+ (hogweed_SOURCES): Add ecc-gost-gc256b.c ecc-gost-gc512a.c.
+ * examples/ecc-benchmark.c (curves): Add to list.
+ * testsuite/testutils.c (ecc_curves): Add to list.
+ (test_ecc_mul_a): Reference points for new curves.
+
+ * NEWS: Started on entries for Nettle-3.6.
+
+2020-01-25 Niels Möller
+
+ * examples/hogweed-benchmark.c (bench_curve_init): Pass correct
+ sizes to knuth_lfib_random. Patch contributed by Dmitry Baryshkov.
+
+2020-01-15 Niels Möller
+
+ * Makefile.in: Replace suffix rules by pattern rules. Move .asm
+ rule above .c rule, since now the order of rules in the Makefile
+ matters, rather than the order in the .SUFFIXES list.
+ (aesdata, desdata, twofishdata, shadata, gcmdata, eccparams):
+ Individual rules replaced by a pattern rule.
+ (eccdata): Add explicit dependencies, to complement the pattern
+ rule.
+ * examples/Makefile.in: Replace suffix rules by pattern rules.
+ * testsuite/Makefile.in: Likewise.
+ * tools/Makefile.in: Likewise.
+
+ * config.make.in: Empty .SUFFIXES, to not accidentally use any
+ suffix rules.
+
+ * aclocal.m4 (DEP_INCLUDE): Delete substituted variable.
+
+ * Makefile.in: Use the GNU make directive -include to include
+ dependency .d files. Delete dependency files on make clean.
+ * examples/Makefile.in: Likewise.
+ * testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly.
+ * tools/Makefile.in: Likewise.
+
+ * configure.ac (dummy-dep-files): Delete these config commands.
+
+2020-01-10 Niels Möller
+
+ From Dmitry Eremin-Solenikov: Consistently rename ecc files and
+ internal functions to include curve name rather than just number
+ of bits. E.g.,
+ * ecc-256.c (nettle_ecc_256_redc): File and function renamed to...
+ * ecc-secp256r1.c (_nettle_ecc_256_redc): ... new names.
+ * eccdata.c (ecc_curve_init, main): Take curve name as input, not
+ bit size.
+
+2020-01-03 Niels Möller
+
+ Add benchmarking of ed25519, ed448 and curve448.
+ * examples/hogweed-benchmark.c: (struct eddsa_ctx): New struct.
+ (bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify)
+ (bench_eddsa_clear): New functions.
+ (struct curve_ctx): New struct, generalizing struct curve25519_ctx.
+ (bench_curve_init, bench_curve_mul_g, bench_curve_mul)
+ (bench_curve_clear): New functions.
+ (struct curve25519_ctx, bench_curve25519_mul_g)
+ (bench_curve25519_mul, bench_curve25519): Deleted.
+ (alg_list): Add eddsa and curve entries.
+ (main): Delete call to bench_curve25519.
+
+2020-01-02 Niels Möller
+
+ * eddsa-internal.h (nettle_eddsa_dom_func): New typedef.
+ (struct ecc_eddsa): Use function pointer to represent eddsa dom
+ string. To avoid calling sha512_update with empty input for
+ ed25519.
+ * ed448-shake256.c (ed448_dom): New function, calling
+ sha3_256_update with the magic dom prefix.
+ (_nettle_ed448_shake256): Point to it.
+ * ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function.
+
+ * eddsa-sign.c (_eddsa_sign): Update to use dom function pointer.
+ * eddsa-verify.c (_eddsa_verify): Likewise.
+
+ * eddsa-internal.h (struct ecc_eddsa): Add magic dom string,
+ needed for ed448.
+ * ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string.
+ * ed448-shake256.c (_nettle_ed448_shake256): New file and
+ parameter struct.
+
+ * eddsa-hash.c (_eddsa_hash): Add digest_size as input argument.
+ Handle ed448 digests with two extra bytes. Update callers.
+ * eddsa-verify.c (_eddsa_verify): Hash dom string.
+ * eddsa-sign.c (_eddsa_sign_itch): Assert that
+ _eddsa_compress_itch isn't too large.
+ (_eddsa_sign): New argument k1, with the hash prefix. Add hashing
+ of this prefix and the dom string. Update callers. Fix final
+ reduction, it's different for ed25519, with q slightly larger than
+ a power of two, and ed448, with q slightly smaller.
+ * eddsa-pubkey.c (_eddsa_public_key_itch): Assert that
+ _eddsa_compress_itch isn't too large.
+
+ Implementation of ed448-shake256, based on patch by Daiki Ueno.
+ * ed448-shake256-pubkey.c (ed448_shake256_public_key): New file
+ and function.
+ * ed448-shake256-sign.c (ed448_shake256_sign): New file and function.
+ * ed448-shake256-verify.c (ed448_shake256_verify): New file and function.
+
+ * Makefile.in (hogweed_SOURCES): Add new ed448 files.
+
+ * testsuite/eddsa-verify-test.c (test_ed448): New function.
+ (test_main): New ed448 tests.
+ * testsuite/eddsa-sign-test.c (test_ed448_sign): New function.
+ (test_main): New ed448 tests.
+ * testsuite/ed448-test.c: New tests.
+ * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add ed448-test.c.
+
+ * nettle.texinfo (Curve 25519 and Curve 448): Document ed448.
+
+2020-01-01 Niels Möller
+
+ * ecc-448.c (ecc_mod_pow_2kp1): New function.
+ (ecc_mod_pow_446m224m1): Reduce scratch usage from 6*n to 5*n, at
+ the cost of one copy operation. Also use ecc_mod_pow_2kp1 where
+ applicable.
+ (ECC_448_INV_ITCH): Reduce to 5*ECC_LIMB_SIZE.
+ (ECC_448_SQRT_ITCH): Reduce to 9*ECC_LIMB_SIZE.
+
+ * testsuite/eddsa-compress-test.c: Test also with curve448.
+
+2019-12-30 Niels Möller
+
+ Preparation for ed448, based on patch by Daiki Ueno.
+ * eddsa-internal.h (struct ecc_eddsa): New struct for eddsa
+ parameters.
+ * ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct.
+ * eddsa-expand.c (_eddsa_expand_key): Replace input
+ struct nettle_hash with struct ecc_eddsa, and generalize for
+ ed448. Update all callers.
+ * eddsa-sign.c (_eddsa_sign): Likewise.
+ * eddsa-verify.c (_eddsa_verify): Likewise.
+ * eddsa-compress.c (_eddsa_compress): Store sign bit in most
+ significant bit of last byte, as specified by RFC 8032.
+ * eddsa-decompress.c (_eddsa_decompress): Corresponding update.
+ Also generalize to support ed448, and make validity checks
+ stricter.
+ * testsuite/eddsa-sign-test.c (test_ed25519_sign): New function.
+ (test_main): Use it.
+ * testsuite/eddsa-verify-test.c (test_ed25519): New function.
+ (test_main): Use it.
+
+2019-12-28 Niels Möller
+
+ * bignum.h: Drop unrelated include of nettle-meta.h.
+ * pss.h: Include nettle-meta.h explicitly.
+ * eddsa-internal.h: Likewise.
+
+2019-12-25 Niels Möller
+
+ Support for SHAKE256, based on patch by Daiki Ueno.
+ * shake256.c (sha3_256_shake): New file and function.
+ * Makefile.in (nettle_SOURCES): Add shake256.c.
+ * testsuite/testutils.c (test_hash): Allow arbitrary digest size,
+ if hash->digest_size == 0.
+ * testsuite/shake.awk: New script to extract test vectors.
+ * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c.
+ (DISTFILES): Add shake.awk.
+ * nettle.texinfo (Recommended hash functions): Document SHAKE-256.
+
+ * sha3.c (_sha3_pad): Generalized with an argument for the magic
+ suffix defining the sha3 instance.
+ * sha3-internal.h (_sha3_pad_hash): New macro, for SHA3 hashes.
+ Updated all callers of _sha3_pad.
+ (_sha3_pad_shake): New macro, using the SHAKE magic byte 0x1f.
+
+2019-12-19 Niels Möller
+
+ * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use
+ add_hh rather than add_hhh.
+ (table_init) [[ECC_MUL_A_EH_WBITS > 0]: Likewise.
+ * ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]:
+ Reduced from 13*n to 12*n.
+
+2019-12-18 Niels Möller
+
+ Rename add and dup functions for Edwards curves.
+ * ecc-dup-th.c (ecc_dup_th): New file, move and rename ecc_dup_eh.
+ * ecc-add-th.c (ecc_add_th): New file, move and rename ecc_add_eh.
+ * ecc-add-thh.c (ecc_add_thh): New file, move and rename
+ ecc_add_ehh.
+ * ecc-dup-eh.c (ecc_dup_eh_untwisted): Rename to just ecc_dup_eh.
+ * ecc-add-eh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_eh.
+ * ecc-add-ehh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_ehh.
+ * ecc-internal.h (ecc_dup_th, ecc_add_th, ecc_add_thh): Declare
+ new functions, delete declarations of ecc_*_untwisted variants.
+ (ECC_DUP_TH_ITCH, ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): New macros.
+ * ecc-25519.c (_nettle_curve25519): Update, use ecc_dup_th and
+ friends.
+ * ecc-448.c (_nettle_curve448): Update for rename, without
+ _untwisted suffix.
+ * Makefile.in (hogweed_SOURCES): Added ecc-dup-th.c, ecc-add-th.c,
+ and ecc-add-thh.c
+ * testsuite/ecc-dup-test.c (test_main): Update asserts.
+ * testsuite/ecc-add-test.c (test_main): Likewise.
+
+ * eddsa-verify.c (_eddsa_verify): Use function pointer rather than
+ calling ecc_add_eh directly. Preparation for eddsa over curve448.
+
+2019-12-17 Niels Möller
+
+ * examples/ecc-benchmark.c (bench_dup_hh): Rename, and use
+ ecc->dup pointer.
+ (bench_dup_jj): ... old name.
+ (bench_add_hh): Rename, and use ecc->addd_hh pointer.
+ (bench_add_jja): ... old name.
+ (bench_dup_eh, bench_add_eh): Deleted.
+ (bench_curve): Update, and delete curve25519 special case.
+ (main): Update table headers accordingly.
+
+2019-12-15 Niels Möller
+
+ * ecc-dup-eh.c (ecc_dup_eh): Eliminate one unneeded ecc_modp_add.
+
+2019-12-14 Niels Möller
+
+ * ecc-mul-m.c (ecc_mul_m): New file and function. Implements
+ multipliction for curves in Montgomery representation, as used for
+ curve25519 and curve448. Extracted from curve25519_mul.
+ * ecc-internal.h (ecc_mul_m): Declare.
+ (ECC_MUL_M_ITCH): New macro.
+ * Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c.
+
+ * curve25519-mul.c (curve25519_mul): Use ecc_mul_m.
+ * curve448-mul.c (curve448_mul): Likewise.
+
+2019-12-13 Niels Möller
+
+ * Merge curve448 implementation.
+
+2019-12-09 Niels Möller
+
+ * ecc-internal.h: Revert itch macro changes. We now have
+ h_to_a_itch <= mul_itch, mul_g_itch. Add asserts at a few places
+ relying on this.
+ (ECC_ECDSA_KEYGEN_ITCH, ECC_MAX): Delete macros.
+ (ECC_ECDSA_SIGN_ITCH): Revert previous change.
+
+ * ecc-448.c (ecc_mod_pow_446m224m1): Reduce scratch space from 9*n
+ to 6*n.
+ (ECC_448_INV_ITCH, ECC_448_SQRT_ITCH): Reduce accordingly.
+ * curve448-mul.c (curve448_mul): Reduce allocation from 14*n to 12*n.
+
+2019-12-08 Niels Möller
+
+ * x86_64/ecc-curve448-modp.asm (nettle_ecc_curve448_modp): New
+ assembly function.
+ * ecc-448.c (ecc_448_modp) [HAVE_NATIVE_ecc_curve448_modp]: Use
+ native nettle_ecc_curve448_modp if available.
+ * configure.ac (asm_hogweed_optional_list): Add ecc-curve448-modp.asm.
+ (HAVE_NATIVE_ecc_curve448_modp): New config.h define.
+
+2019-12-03 Niels Möller
+
+ * ecc-448.c (ecc_448_modp) [GMP_NUMB_BITS == 64]: New function.
+
+2019-12-01 Niels Möller
+
+ Curve 448 support contributed by Daiki Ueno.
+ * eccdata.c (enum ecc_type): Add ECC_TYPE_EDWARDS.
+ (ecc_add): Support untwisted edwards curves.
+ (ecc_curve_init): Add curve448 parameters.
+ * ecc-internal.h (ECC_ECDSA_KEYGEN_ITCH): New macro.
+ (ECC_ECDSA_SIGN_ITCH): Increased from 12*size to 13*size.
+ (ECC_MAX): New macro.
+ * ecc-448.c: New file.
+ (ecc_mod_pow_2k, ecc_mod_pow_446m224m1, ecc_448_inv)
+ (ecc_448_zero_p, ecc_448_sqrt): New functions.
+ (_nettle_curve448): New curve definition.
+ * curve448.h (CURVE448_SIZE): New constant.
+ (curve448_mul_g, curve448_mul): Declare new public functions.
+ * ecc-eh-to-a.c (ecc_eh_to_a): Update assert to allow the curve448
+ Edwards curve.
+ * curve448-mul.c (curve448_mul): New file and function.
+ * curve448-mul-g.c (curve448_mul_g): New file and function.
+ * curve448-eh-to-x.c (curve448_eh_to_x): New file and function.
+ * ecc-dup-eh.c (ecc_dup_eh_untwisted): New function.
+ * ecc-add-ehh.c (ecc_add_ehh_untwisted): New function.
+ * ecc-add-eh.c (ecc_add_eh_untwisted): New function.
+ * ecc-point.c (ecc_point_set): Add point validation for curve448.
+ * ecc-point-mul.c (ecc_point_mul): Allow h_to_a_itch larger than
+ mul_itch.
+ * ecc-point-mul-g.c (ecc_point_mul_g): Allow h_to_a_itch
+ larger than mul_g_itch. Switch from TMP_DECL/_ALLOC/_FREE to
+ gmp_alloc_limbs/gmp_free_limbs.
+ * ecdsa-keygen.c (ecdsa_generate_keypair): Use
+ ECC_ECDSA_KEYGEN_ITCH.
+ * Makefile.in (hogweed_SOURCES): Add ecc-448.c, curve448-mul-g.c,
+ curve448-mul.c, and curve448-eh-to-x.c.
+ (HEADERS): Add curve448.h.
+ (ecc-448.h): New generated file.
+
+ * testsuite/testutils.c (ecc_curves): Add _nettle_curve448 to list
+ of tested curves.
+ (test_ecc_mul_a): Add curve448.
+ * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add curve448 support.
+ * testsuite/ecdh-test.c (test_main): Add tests for (non-standard)
+ curve448 diffie-hellman.
+ * testsuite/ecc-add-test.c (test_main): Update for testing of curve448.
+ * testsuite/ecc-dup-test.c (test_main): Likewise.
+ * testsuite/ecc-mul-a-test.c (test_main): Likewise. Also increase
+ scratch allocation for h_to_a_itch.
+ * testsuite/ecc-mul-g-test.c (test_main): Likewise.
+ * testsuite/curve448-dh-test.c: Test for curve448.
+ * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add curve448-dh-test.c.
+
+ * examples/ecc-benchmark.c: Add curve448 to list of benchmarked
+ curves.
+
+ * nettle.texinfo (Curve 25519 and Curve 448): Add docs.
+
+2019-12-07 Niels Möller
+
+ * ecc-eh-to-a.c (ecc_eh_to_a): Require op == 0, delete code only
+ used for non-standard ecdsa over curve25519.
+ * testsuite/ecdsa-sign-test.c (test_main): Delete test of ecdsa
+ over curve25519.
+ * testsuite/ecdsa-verify-test.c (test_main): Likewise.
+ * testsuite/ecdsa-keygen-test.c (test_main): Exclude curve25519
+ from test.
+
+2019-12-05 Niels Möller
+
+ * configure.ac: Use AC_TRY_LINK rather than AC_TRY_COMPILE to
+ check for __builtin_bswap64. Since calling an non-existing
+ function typically results in a warning only at compile time, but
+ fails at link time. Patch contributed by by George Koehler.
+
+2019-12-04 Niels Möller
+
+ * testsuite/testutils.c (test_cipher_cfb8): Add cast of size_t to
+ unsigned long for argument to fprintf.
+
+2019-11-21 Niels Möller
+
+ * eccdata.c (ecc_curve_init_str): Delete unused t and d arguments.
+ Related to the the edwards_root member of struct ecc_curve, which
+ was used by ecc_a_to_eh before it was deleted, see 2014-09-17
+ entry below.
+ (ecc_curve_init): Delete corresponding curve25519 constants, and
+ NULL arguments passed for the other curves.
+
+ * Merge curve448 preparations, from September 2017.
+
+2017-09-23 Niels Möller
+
+ * eccdata.c: Reorganize curve25519 precomputation to work directly
+ with the twisted Edwards curve, with new point addition based on a
+ patch from Daiki Ueno.
+ * ecc-25519.c (_nettle_curve25519): Update for removed Montgomery
+ curve constant.
+
+ * ecc-internal.h (struct ecc_curve): Delete unused pointer
+ edwards_root. Update all instances.
+ * eccdata.c (output_curve): Don't output it.
+
+ * testsuite/ecc-add-test.c (test_main): Reduce test duplication.
+ Use ecc->add_hhh_itch.
+ * testsuite/ecc-dup-test.c (test_main): Reduce test duplication.
+ Use ecc->dup_itch.
+
+2017-09-23 Daiki Ueno
+
+ * ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of
+ hard-coded value for curve25519.
+ * eddsa-sign.c (_eddsa_sign): Likewise.
+
+ * ecc-internal.h (ecc_dup_func): New typedef.
+ (struct ecc_curve): New constants add_hh_itch and dup_itch, new
+ function pointers add_hh and dup.
+ * ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c,
+ ecc-25519.c: Update accordingly.
+ * ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers.
+ * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh):
+ Likewise.
+ * testsuite/ecc-dup-test.c (test_main): Likewise.
+ * testsuite/ecc-add-test.c (test_main): Likewise.
+
+2019-10-01 Niels Möller
+
+ * testsuite/testutils.c (test_cipher_cfb8): Reset destination area
+ between tests. Encrypt/decrypt final partial block.
+
+ From Daiki Ueno, fixing bug reported by Stephan Mueller:
+ * cfb.c (cfb8_decrypt): Don't truncate output IV if input is
+ shorter than block size.
+ * testsuite/testutils.c (test_cipher_cfb8): Test splitting input
+ into multiple calls to cfb8_encrypt and cfb8_decrypt.
+
+2019-09-30 Niels Möller
+
+ * testsuite/siv-test.c (test_cipher_siv): Fix out-of-bounds read.
+ Trim allocation size for de_data, drop some uses of
+ SIV_DIGEST_SIZE, call FAIL for unexpected returned values.
+ (test_compare_results): Delete digest argument.
+
+2019-09-15 Niels Möller
+
+ From Dmitry Eremin-Solenikov:
+ * gost28147.c (_gost28147_encrypt_block): New file, encrypt
+ function and sbox tables moved here.
+ * gosthash94.c: Update functions to take sbox array as argument.
+ (gost_block_compress): Use _gost28147_encrypt_block.
+ (gosthash94cp_update,gosthash94cp_digest): New functions.
+ * gost28147-internal.h: New file.
+ * gost28147.h: New file.
+ * gosthash94-meta.c (nettle_gosthash94cp): New hash algorithm.
+ * nettle-meta-hashes.c (_nettle_hashes): Add nettle_gosthash94 and
+ nettle_gosthash94cp.
+ * hmac-gosthash94.c (hmac_gosthash94_set_key)
+ (hmac_gosthash94_update, hmac_gosthash94_digest)
+ (hmac_gosthash94cp_set_key, hmac_gosthash94cp_update)
+ (hmac_gosthash94cp_digest): New file and functions.
+ * pbkdf2-hmac-gosthash94.c (pbkdf2_hmac_gosthash94cp): New file
+ and function.
+ * testsuite/pbkdf2-test.c (test_main): Add
+ pbkdf2-hmac-gosthash94cp tests.
+ * testsuite/hmac-test.c (test_main): Add hmac-gosthash94 tests.
+ * testsuite/gosthash94-test.c (test_main): Add gosthash94cp tests.
+ * nettle.texinfo (Legacy hash functions): Document gosthash94cp.
+
+ * testsuite/dlopen-test.c (main): Use libnettle.dylib on MacOS.
+
+2019-07-08 Niels Möller
+
+ * nettle-types.h (union nettle_block16): Mark w member as deprecated.
+ * eax.c (block16_xor): Use uint64_t member of nettle_block16.
+ * gcm.c (gcm_gf_add, gcm_gf_shift, gcm_gf_shift_8): Likewise.
+
+2019-07-10 Niels Möller
+
+ From Dmitry Eremin-Solenikov:
+ * cmac64.c (_cmac64_block_mulx, cmac64_set_key, cmac64_init)
+ (cmac64_update, cmac64_digest): New file, new functions.
+ * cmac-des3.c (cmac_des3_set_key, cmac_des3_update)
+ (cmac_des3_digest): New file, new functions.
+ * cmac.h: Add cmac64 and cmac_des3 declarations.
+ * Makefile.in (nettle_SOURCES): Add cmac64.c and cmac-des3.c.
+ * testsuite/cmac-test.c (test_main): Add tests for cmac_des3.
+
+2019-07-02 Niels Möller
+
+ From Dmitry Eremin-Solenikov:
+ * testsuite/testutils.c (test_mac): New function.
+ * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
+ New algorithm structs.
+ (test_cmac_aes128, test_cmac_aes256): Use test_mac.
+
+2019-06-06 Niels Möller
+
+ Update for cmac changes, enabling const for the _message functions.
+ * siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument,
+ and use a local struct cmac128_ctx for message-specific state.
+ (siv_cmac_set_key): Take a struct cmac128_key as argument. Updated
+ callers.
+ (siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const
+ struct cmac128_key as argument. Updated callers.
+
+ * siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key
+ rather than struct cmac128_ctx.
+
+ * siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message)
+ (siv_cmac_aes256_decrypt_message): Likewise.
+ * siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message)
+ (siv_cmac_aes128_decrypt_message): The ctx argument made const.
+
+2019-05-15 Niels Möller
+
+ * siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE):
+ New constants.
+ * testsuite/siv-test.c: Simplify tests a little.
+
+ * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1.
+ * siv-cmac.c (_siv_s2v): Require non-empty nonce.
+ * nettle.texinfo (SIV-CMAC): Update documentation.
+
+2019-05-06 Niels Möller
+
+ SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos:
+ * siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants.
+ (SIV_CMAC_CTX): New macro.
+ (struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New
+ context structs.
+ * siv-cmac.c (_siv_s2v, siv_cmac_set_key)
+ (siv_cmac_encrypt_message)
+ (siv_cmac_decrypt_message): New file, new functions.
+ * siv-cmac-aes128.c (siv_cmac_aes128_set_key)
+ (siv_cmac_aes128_encrypt_message)
+ (siv_cmac_aes128_decrypt_message): New file, new functions.
+ * siv-cmac-aes256.c (siv_cmac_aes256_set_key)
+ (siv_cmac_aes256_encrypt_message)
+ (siv_cmac_aes256_decrypt_message): New file, new functions.
+ * Makefile.in (nettle_SOURCES): Add siv-cmac source files.
+ (HEADERS): Add siv-cmac.h.
+ * testsuite/siv-test.c: New file.
+ * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c
+ * nettle.texinfo (SIV-CMAC): Documentation.
+
+2019-04-30 Niels Möller
+
+ Based on a patch contributed by Nikos Mavrogiannopoulos.
+ * cmac.c (_cmac128_block_mulx): Renamed function...
+ (block_mulx): ... from old name.
+ * cmac-internal.h (_cmac128_block_mulx): New file, declare function.
+ * Makefile.in (DISTFILES): Added cmac-internal.h.
+
+2019-06-26 Niels Möller
+
+ * Released nettle-3.5.1.
+
+ * configure.ac: Update version number to 3.5.1.
+
+ * Makefile.in (distdir): Add x86_64/sha_ni to list of distributed
+ directories.
+
+ * Released nettle-3.5.
+
+2019-06-25 Niels Möller
+
+ * config.sub: Update to 2019-05-23 version, from savannah's
+ config.git.
+ * config.guess: Update to 2019-06-10 version, from savannah's
+ config.git. Adds recognition of mips R6 and riscv.
+
+2019-06-05 Niels Möller
+
+ Further separation of CMAC per-message state from the
+ message-independent subkeys, analogous to the gcm implementation.
+ * cmac.h (struct cmac128_ctx): Remove key, instead a struct
+ cmac128_key should be passed separately to functions that need it.
+ (CMAC128_CTX): Include both a struct cmac128_key and a struct
+ cmac128_ctx.
+ (CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly.
+
+ * cmac.c (cmac128_set_key): Change argument type from cmac128_ctx
+ to cmac128_key. Use a nettle_block16 for the constant zero block.
+ (cmac128_init): New function, to initialize a cmac128_ctx.
+ (cmac128_digest): Add cmac128_key argument. Move padding memset
+ into the block handling a partial block. Call cmac128_init to
+ reset state.
+
+2019-06-01 Niels Möller
+
+ * cmac.h (struct cmac128_key): New struct.
+ * cmac.h (struct cmac128_ctx): Use struct cmac128_key.
+ * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly.
+
+2019-05-12 Niels Möller
+
+ Delete old libdes/openssl compatibility interface.
+ * des-compat.c: Delete file.
+ * des-compat.h: Delete file.
+ * testsuite/des-compat-test.c: Delete file.
+ * nettle.texinfo (Compatibility functions): Delete mention in documentation.
+
+2019-05-11 Niels Möller
+
+ * NEWS: More updates for Nettle-3.5.
+
+2019-04-27 Niels Möller
+
+ From Simo Sorce:
+ * x86_64/poly1305-internal.asm: Add missing EPILOGUE.
+ * x86_64/serpent-decrypt.asm: Likewise. + * x86_64/serpent-encrypt.asm: Likewise. + +2019-04-14 Niels Möller + + * tools/nettle-pbkdf2.c (main): Check strdup return value. + +2019-03-29 Niels Möller + + * aes.h (struct aes_ctx): Redefine using a union of key-size + specific contexts. + * aes-decrypt.c (aes_decrypt): Use switch on key_size. + * aes-encrypt.c (aes_encrypt): Likewise. + * aes-set-decrypt-key.c (aes_invert_key): Likewise. + * aes-set-encrypt-key.c (aes_set_encrypt_key): Likewise. + +2019-03-27 Niels Möller + + * xts.c (xts_shift): Arrange with a single write to u64[1]. + * cmac.c (block_mulx): Rewrite to work in the same way as + xts_shift, with 64-bit operations. XTS and CMAC use opposite + endianness, but otherwise, these two functions are identical. + +2019-03-24 Niels Möller + + From Simo Sorce: + * xts.h: New file. + * xts.c: New file. + (BE_SHIFT): New macro. + (xts_shift, check_length, xts_encrypt_message) + (xts_decrypt_message): New functions. + * xts-aes128.c (xts_aes128_set_encrypt_key) + (xts_aes128_set_decrypt_key, xts_aes128_encrypt_message) + (xts_aes128_decrypt_message): New file, new functions. + * xts-aes256.c (xts_aes256_set_encrypt_key) + (xts_aes256_set_decrypt_key, xts_aes256_encrypt_message) + (xts_aes256_decrypt_message): New file, new functions. + * nettle.texinfo (XTS): Document XTS mode. + * Makefile.in (nettle_SOURCES): Add xts sourcce files. + (HEADERS): New installed header xts.h. + * testsuite/xts-test.c: New file. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add xts-test.c. + +2019-02-06 Niels Möller + + * gosthash94.h (struct gosthash94_ctx): Move block buffer last in + struct. + * md2.h (struct md2_ctx): Likewise. + * md4.h (struct md4_ctx): Likewise. + * md5.h (struct md5_ctx): Likewise. + * ripemd160.h (struct ripemd160_ctx): Likewise. + * sha1.h (struct sha1_ctx): Likewise. + * sha2.h (struct sha256_ctx, struct sha512_ctx): Likewise. 
+ +2019-01-19 Niels Möller + + * examples/Makefile.in (TARGETS): Delete eratosthenes, left over + from earlier change. + + * fat-arm.c: Fix declarations of chacha_core functions. + + From Yuriy M. Kaminskiy: + * fat-setup.h (chacha_core_func): New typedef. + * fat-arm.c (fat_init): Enable choice between + _nettle_chacha_core_c and _nettle_chacha_core_neon. + * configure.ac (asm_nettle_optional_list): Add + chacha-core-internal-2.asm. + * chacha-core-internal.c: Enable fat build with C and asm version. + * arm/fat/chacha-core-internal-2.asm: New file. + +2019-01-12 Niels Möller + + * examples/eratosthenes.c: Deleted program. + * examples/Makefile.in: Delete rule to build and distribute it. + +2019-01-10 Niels Möller + + * testsuite/rsa-compute-root-test.c (test_one): Use %u and + corresponding cast, when printing bit sizes. + +2019-01-09 Niels Möller + + * examples/nettle-benchmark.c (GET_CYCLE_COUNTER): Add volatile to + inline asm. + +2019-01-08 Niels Möller + + * sha512-compress.c: Add missing include of sha2-internal.h. + +2019-01-06 Niels Möller + + * testsuite/rsa-compute-root-test.c (generate_keypair): Fix assert + call with side-effects. + +2019-01-06 Niels Möller + + * nettle-types.h: Don't use nettle-stdint.h, include + directly. + * nettle-write.h: Likewise. + * configure.ac: Delete use of AX_CREATE_STDINT_H. + * aclocal.m4 (AX_CREATE_STDINT_H): Delete. + * Makefile.in (INSTALL_HEADERS, distclean-here): Delete mention of + nettle-stdint.h. + +2018-12-26 Niels Möller + + * examples/hogweed-benchmark.c (make_openssl_rsa_ctx): New helper + function. Call openssl's RSA_generate_key_ex rather then the + deprecated RSA_generate_key. + (bench_openssl_rsa_init, bench_openssl_rsa_tr_init): Use it. + + * eccdata.c (ecc_pippenger_precompute): Check that table size is + at least 2. Intended to silence warning from the clang static + analyzer. + + * configure.ac: Bump package version to 3.5. + (LIBNETTLE_MAJOR): Bump major number, now 7. 
+ (LIBHOGWEED_MAJOR): Bump major number, now 5. + (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Reset to zero. + + * pkcs1-internal.h: New header file, moved declarations of + _pkcs1_sec_decrypt and _pkcs1_sec_decrypt_variable here. + * rsa-internal.h: ... old location. + * Makefile.in (DISTFILES): Added pkcs1-internal.h. + * pkcs1-decrypt.c: Include new file. + * pkcs1-sec-decrypt.c: Likewise. + * rsa-decrypt-tr.c: Likewise. + * rsa-sec-decrypt.c: Likewise. + * testsuite/pkcs1-sec-decrypt-test.c: Likewise. + + * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for + strdup with gcc -std=c89. + * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for + getline with gcc -std=c89. + + * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop. + Reported by Andreas Gustafsson. + * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise. + 2018-12-04 Niels Möller * Released nettle-3.4.1. 
@@ -124,43 +1738,402 @@ (LIBNETTLE_MINOR): Bump library version to 6.5. (LIBHOGWEED_MINOR): Bump library version to 4.5. +2018-11-17 Niels Möller + + * examples/hogweed-benchmark.c (bench_rsa_verify) + (bench_openssl_rsa_tr_init): New functions. + (alg_list): Benchmark timing-resistant RSA functions, i.e., + including RSA blinding. + (main): Increase width of first column, here and in other + printouts. + +2018-10-10 Dmitry Eremin-Solenikov + + * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when + processing more than on full block of size CTR_BUFFER_LIMIT, src + and dst arguments to memxor3 were not properly updated. + +2018-10-10 Niels Möller + + * aes-set-encrypt-key.c: Add missing include of stdlib.h. + * des-compat.c: Likewise. + +2018-09-13 Niels Möller + + * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and + redundant check for p == q. + +2018-08-09 Niels Möller + + * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with + _NETTLE_ATTRIBUTE_DEPRECATED. + + * nettle-types.h (_NETTLE_ATTRIBUTE_PURE) + (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and + lookalikes. + * ecc-curve.h: Include nettle-types.h, and use + _NETTLE_ATTRIBUTE_PURE instead of local definition. + * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit + #ifdefs. + + * aes.h: Mark functions using struct aes_ctx interface as + deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where + the functions are implemented or tested. + * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated. + + * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) + (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast + between incompatible function types (which gcc-8 warns about). + Wrappers are expected to compile to a single jmp instruction. + + * des-compat.c (des_compat_des3_encrypt) + (des_compat_des3_decrypt): Change length argument type to size_t. 
+ +2018-08-08 Niels Möller + + * nettle.texinfo (Compatibility): New section on ABI and API + compatibility. + +2018-07-25 Dmitry Eremin-Solenikov + + * examples/nettle-benchmark.c: Add benchmarking for HMAC functions. + +2018-07-13 Niels Möller + + * examples/eratosthenes.c (vector_alloc): Add assert related to + overflow in the size calculation. Fixes a corner case identified + by static analysis. + (vector_init): Analogous assert. + +2018-07-12 Niels Möller + + * examples/eratosthenes.c (main): Don't allocate bitmap storage + for limit == 2 (early exit), closing memory leak at exit. + (main): Fix handling of short -q option. + + * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui, + to fix memory leak. + (ecc_curve_clear): New function. + (main): Call it, to deallocate storage before exit. + +2018-07-08 Niels Möller + + * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress. + * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name. + * x86_64/fat/sha1-compress-2.asm: Likewise. + +2018-07-07 Niels Möller + + From Nikos Mavrogiannopoulos. + * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to + public function, since there's known appliation usage (filezilla). + * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor + alias for the new name. + * md5-compress.c (nettle_md5_compress): Similarly renamed (used by + sogo). + * md5.h (_nettle_md5_compress): Old name,, now a preprocessor + alias for the new name. + + * chacha-internal.h, dsa-internal.h, eddsa-internal.h: + * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h: + * salsa20-internal.h, sha2-internal.h, sha3-internal.h: + * umac-internal.h: Internal declarations moved to new header + files, which are not installed.. + * Makefile.in (DISTFILES): Added above files. + + * libnettle.map.in: Use a different symbol version for _nettle_* + symbols, depending on the minor release. This marks these symbols + explicitly not part of the public Nettle ABI. 
+ * libhogweed.map.in: Analogous change. + 2018-06-17 Niels Möller - Backported from master branch. * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed by Dmitry Eremin-Solenikov. + * testsuite/symbols-test: Exclude ____chkstk_darwin symbols, produced by Apple's Xcode 10 compiler. Patch contributed by Dominyk Tiller. +2018-03-25 Niels Möller + + From Michael Weiser. + * configure.ac (ASM_WORDS_BIGENDIAN): New substution, set from AC_C_BIGENDIAN. + * config.m4.in: Use it to set WORDS_BIGENDIAN. + * asm.m4 (IF_BE, IF_LE): New macros. + * arm/memxor.asm: Support big-endian ARM. + * arm/memxor3.asm: Likewise. + * arm/neon/chacha-core-internal.asm: Likewise. + * arm/neon/salsa20-core-internal.asm: Likewise. + * arm/neon/umac-nh.asm: Likewise. + * arm/v6/sha1-compress.asm: Likewise. + * arm/v6/sha256-compress.asm: Likewise. + * arm/README: Document big-endian considerations. + +2018-03-17 Niels Möller + + Discourage direct access to data symbols with non-public size. + Direct references to these symbols may result in copy-relocations + like R_X86_64_COPY, which make the symbol size leak into the ABI. + * ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1) + (_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add + leading underscore on these data symbols. + + * nettle-meta.h (_nettle_ciphers, _nettle_hashes, _nettle_aeads) + (_nettle_armors): Add leading underscore on these data symbols. + Update all internal use. Macros without leading underscore remain, + and expand to access via accessor functions nettle_get_ciphers and + similar. + +2018-03-10 Niels Möller + + * eccdata.c (ecc_table_size): New helper function. + (ecc_pippenger_precompute): Display warning for poor parameters. + + * eccparams.c (main): New program, to list parameter alternatives + for Pippenger's algorithm. + + * Makefile.in: Tweak parameters for ecc tables. + (ecc-192.h): Change parameters from k = 7, c = 6 to k = 8, c = 6. + Reduces table size from 15 KB to 12 KB. 
Modest speedup, appr. 3% + for ecdsa signatures. + (ecc-224.h): Change parameters from k = 12, c = 6 to k = 16, c = + 7. Table size unchanged (14 KB in 32-bit platforms, 18 KB on + 64-bit platforms. Minor speedup, appr. 1% for ecdsa signatures. + (ecc-256.h): Change parameters from k = 14, c = 6 to k = 11, c = + 6. Table size unchanged, 16 KB. 14% speedup for ecdsa signatures. + (ecc-384.h): Changed parameters from k = 41, c = 6 to k = 32, c = + 6. Table size unchanged. 12% speedup for ecdsa signatures. + (ecc-521.h): Changed parameters from k = 56, c = 6 to k 44, c = 6. + Table size unchanged (17 KB on 32-bit platforms, 18 KB on 64-bit + platforms). 15% speedup for ecdsa signatures. + (ecc-255.h): Change parameters from k = 14, c = 6 to k = 11, c = + 6. Table size unchanged, 16 KB. 24% speedup for eddsa signatures. + +2018-03-14 Niels Möller + + Merge sha256 code using the x86_64 sha_ni instructions, starting + 2018-02-21. + +2018-03-11 Niels Möller + + * x86_64/fat/sha256-compress.asm: New file. + * x86_64/fat/sha256-compress-2.asm: New file. + * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or + sha_ni version for sha256_compress. + +2018-02-21 Niels Möller + + * x86_64/sha_ni/sha256-compress.asm: New implementation using sha_ni + instructions. + +2018-02-20 Niels Möller + + * testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly. + +2018-02-19 Niels Möller + + Mostly aesthetic changes. Besides indentation: + * cmac.h (struct cmac128): Rename, to cmac128_ctx. + (CMAC128_CTX): Rename first member from data to ctx. + + * cmac.c: Use const void * as the type for cipher arguments. + (block_mulx): Un-inline. + (cmac128_set_key): Make a constant function local. + + * testsuite/cmac-test.c: Delete local typedefs. + +2018-02-19 Nikos Mavrogiannopoulos + + Add support for CMAC. + * cmac.h: New file. + (struct cmac128): New struct. + * cmac.c (block_mulx, cmac128_set_key, cmac128_update) + (cmac128_digest): New file, new functions. 
+ * cmac-aes128.c (cmac_aes128_set_key, cmac_aes128_update) + (cmac_aes128_digest): New file, new functions. + * cmac-aes256.c (cmac_aes256_set_key, cmac_aes256_update) + (cmac_aes256_digest): New file, new functions. + * Makefile.in (nettle_SOURCES): Added cmac.c cmac-aes128.c cmac-aes256.c. + (HEADERS): Added cmac.h. + + * testsuite/cmac-test.c: New tests. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add cmac-test.c. + + * examples/nettle-benchmark.c (time_cmac): New function. + (main): Use it. + + * nettle.texinfo: Document CMAC. + +2018-02-20 Niels Möller + + * testsuite/cbc-test.c (test_cbc_bulk): Use struct + aes256_ctx, instead of the deprecated struct aes_ctx. + * testsuite/cfb-test.c (test_cfb_bulk): Likewise. + * examples/rsa-session.h (struct rsa_session): Likewise. + * examples/rsa-encrypt.c (rsa_session_set_encrypt_key) + (process_file): Use aes256_* functions. + * examples/rsa-decrypt.c (rsa_session_set_decrypt_key) + (process_file): Likewise. + +2018-02-19 Niels Möller + + * nettle-internal.h: Include sha3.h, needed for the definition of + NETTLE_MAX_HASH_CONTEXT_SIZE. + (TMP_DECL_ALIGN, TMP_ALLOC_ALIGN): New macros, to support + allocation of context structs with alignment requirements. + [!HAVE_ALLOCA]: Also use assert, rather than calling abort + directly. + + * pss.c (pss_encode_mgf1, pss_verify_mgf1): Use new macros. + * pss-mgf1.c (pss_mgf1): Likewise. + 2018-02-18 Niels Möller - Backported from master branch. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved pss-mgf1-test.c... (TS_HOGWEED_SOURCES): ...to here. Fixes link failure in builds without public-key support. +2018-02-18 Dmitry Eremin-Solenikov + + * examples/nettle-openssl.c): Move expressions with side effects + out of asserts. + +2018-02-17 Dmitry Eremin-Solenikov + + (openssl_evp_set_encrypt_key, openssl_evp_set_decrypt_key): Use + EVP_CipherInit_ex. 
+ * examples/nettle-openssl.c (nettle_openssl_gcm_aes128) + (nettle_openssl_gcm_aes192, nettle_openssl_gcm_aes256): New aead + algorithms, for benchmarking purposes, and supporting wrapper functions. + * nettle-internal.h: Corresponding declarations. + * examples/nettle-benchmark.c (main): Include openssl's gcm aes in + benchmark. + +2018-02-16 Niels Möller + + * nettle.texinfo: Improved index entries. + (Cipher functions): Update CAST128/CAST5 docs. Inconsistencies + spotted by Henrik Rindlöw. + +2018-02-10 Niels Möller + + * configure.ac: New configure option --enable-x86-sha-ni. + +2018-02-07 Niels Möller + + * x86_64/fat/sha1-compress.asm: New file. + * x86_64/fat/sha1-compress-2.asm: New file. + * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or + sha_ni version for sha1_compress. + +2018-02-05 Niels Möller + + * x86_64/sha_ni/sha1-compress.asm: New implementation using sha_ni + instructions. + + * fat-x86_64.c (get_x86_features): Check for sha_ni extension. + + * x86_64/fat/cpuid.asm: Clear %ecx input to cpuid instruction. + +2018-02-01 Nikos Mavrogiannopoulos + + * gcm.c (gcm_fill): New function, for use with _ctr_crypt16. + (gcm_encrypt, gcm_decrypt): Use _ctr_crypt16. 50% speedup of + gcm_aes128, benchmarked on x86_64 with aesni instructions. + +2018-02-01 Niels Möller + + Based on a patch contributed by Nikos Mavrogiannopoulos. + * ctr16.c (_ctr_crypt16): New file, renamed and generalized + function. New function pointer argument, used to fill a block with + counter values. Use nettle_block16 * as the type for the buffer to + be filled. Always process any final and partial block, and return + no value. + * ctr.c (ctr_crypt): ... previous, replaced, function. + (ctr_fill16): Updated to new argument type. + (ctr_crypt): Return immediately after using _ctr_crypt16. + + * ctr-internal.h: New file, declaring _ctr_crypt16. + (nettle_fill16_func): New function typedef. + + * Makefile.in (nettle_SOURCES): Added ctr16.c. 
+ (DISTFILES): Added ctr-internal.h. + +2018-01-30 Niels Möller + + * Makefile.in (clean-here): Don't delete desdata.stamp. + +2018-01-24 Jay Foad + + * Makefile.in (TARGETS): Delete dependencies on aesdata, desdata, + twofishdata, shadata and gcmdata. They are not needed for a normal + build. + (clean-here): Explicitly delete of above files. + (desdata.stamp): New stamp target, to avoid building desdata twice + in a parallell build. + +2018-01-23 Niels Möller + + * configure.ac (asm_path): Recognize "x86", in addition to "i?86", + for 32-bit x86 processors. Reportedly needed for x86 android builds. + +2018-01-20 Niels Möller + + CFB8 support, contributed by Dmitry Eremin-Solenikov. + * cfb.c (cfb8_encrypt, cfb8_decrypt): New functions. + * cfb.h: Declare them. + (CFB8_ENCRYPT, CFB8_DECRYPT): New macros. + * testsuite/cfb-test.c: New tests for CFB8. + * nettle.texinfo (CFB and CFB8): Documentation. + 2018-01-16 Niels Möller - Backported from master branch. * tools/pkcs1-conv.c (convert_file): Add missing break statements. -2018-10-10 Niels Möller +2018-01-09 Niels Möller - Backported from master branch. - * aes-set-encrypt-key.c: Add missing include of stdlib.h. - * des-compat.c: Likewise. + * testsuite/testutils.c (test_cipher_ctr): Test operations with + shorter sizes. -2018-08-09 Niels Möller + * testsuite/ctr-test.c: Additional unofficial test vectors, to + exercise carry propagation in the counter, and block size + different from 16. - Backported from master branch. - * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) - (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast - between incompatible function types (which gcc-8 warns about). - Wrappers are expected to compile to a single jmp instruction. +2018-01-08 Niels Möller - * des-compat.c (des_compat_des3_encrypt) - (des_compat_des3_decrypt): Change length argument type to size_t. + * ctr.c (ctr_crypt16): New function, with optimizations specific + to 16-byte block size. 
+ (ctr_fill16): New helper function, definition depending on + WORDS_BIGENDIAN, and little endian version requiring + HAVE_BUILTIN_BSWAP64. + (ctr_crypt): Use ctr_crypt16, when appropriate. + + * nettle-types.h (union nettle_block16): Add uint64_t field. + + * configure.ac: Check for __builtin_bswap64, define + HAVE_BUILTIN_BSWAP64 if available. + + * ctr.c (ctr_fill): New function. Use in ctr_crypt. + + * ctr.c (ctr_crypt): For in-place operation, increase max buffer + size from 4 blocks to 512 bytes, similarly to CBC and CFB. + Improves in-place aes128 CTR performance by 25% on x86_64. + + * examples/nettle-benchmark.c (time_cipher): Benchmark in-place + operation separately, for cbc_decrypt and ctr_crypt. + + * cbc.c (cbc_decrypt): For in-place operation (src == dst case), + eliminate use of src variable. + * cfb.c (cfb_decrypt): Likewise. + * gcm.c (gcm_crypt): Likewise, and replace one memxor3 by memxor. + +2018-01-03 Niels Möller + + * x86_64/aesni/aes-encrypt-internal.asm: Read subkeys into xmm + registers before the block loop, and completely unroll the round + loop. + * x86_64/aesni/aes-decrypt-internal.asm: Likewise. 2017-11-19 Niels Möller diff -Nru nettle-3.4.1/cmac64.c nettle-3.7.3/cmac64.c --- nettle-3.4.1/cmac64.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/cmac64.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,154 @@
+/*
+ CMAC-64, NIST SP 800-38B
+ Copyright (C) Stefan Metzmacher 2012
+ Copyright (C) Jeremy Allison 2012
+ Copyright (C) Michael Adam 2012
+ Copyright (C) 2017, Red Hat Inc.
+ Copyright (C) 2019, Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+#include
+
+#include "cmac.h"
+
+#include "nettle-internal.h"
+#include "block-internal.h"
+#include "macros.h"
+
+void
+cmac64_set_key(struct cmac64_key *key, const void *cipher,
+ nettle_cipher_func *encrypt)
+{
+ static const union nettle_block8 zero_block;
+ union nettle_block8 L;
+
+ /* step 1 - generate subkeys k1 and k2 */
+ encrypt(cipher, 8, L.b, zero_block.b);
+
+ block8_mulx_be(&key->K1, &L);
+ block8_mulx_be(&key->K2, &key->K1);
+}
+
+void
+cmac64_init(struct cmac64_ctx *ctx)
+{
+ memset(&ctx->X, 0, sizeof(ctx->X));
+ ctx->index = 0;
+}
+
+#define MIN(x,y) ((x)<(y)?(x):(y))
+
+void
+cmac64_update(struct cmac64_ctx *ctx, const void *cipher,
+ nettle_cipher_func *encrypt,
+ size_t msg_len, const uint8_t *msg)
+{
+ union nettle_block8 Y;
+ /*
+ * check if we expand the block
+ */
+ if (ctx->index < 8)
+ {
+ size_t len = MIN(8 - ctx->index, msg_len);
+ memcpy(&ctx->block.b[ctx->index], msg, len);
+ msg += len;
+ msg_len -= len;
+ ctx->index += len;
+ }
+
+ if (msg_len == 0) {
+ /* if it is still the last block, we are done */
+ return;
+ }
+
+ /*
+ * now checksum everything but the last block
+ */
+ block8_xor3(&Y, &ctx->X, &ctx->block);
+ encrypt(cipher, 8, ctx->X.b, Y.b);
+
+ while (msg_len > 8)
+ {
+ block8_xor_bytes(&Y, &ctx->X, msg);
+ encrypt(cipher, 8, ctx->X.b, Y.b);
+ msg += 8;
+ msg_len -= 8;
+ }
+
+ /*
+ * copy the last block, it will be processed in
+ * cmac64_digest().
+ */
+ memcpy(ctx->block.b, msg, msg_len);
+ ctx->index = msg_len;
+}
+
+void
+cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key,
+ const void *cipher, nettle_cipher_func *encrypt,
+ unsigned length, uint8_t *dst)
+{
+ union nettle_block8 Y;
+
+ memset(ctx->block.b+ctx->index, 0, sizeof(ctx->block.b)-ctx->index);
+
+ /* re-use ctx->block for memxor output */
+ if (ctx->index < 8)
+ {
+ ctx->block.b[ctx->index] = 0x80;
+ block8_xor(&ctx->block, &key->K2);
+ }
+ else
+ {
+ block8_xor(&ctx->block, &key->K1);
+ }
+
+ block8_xor3(&Y, &ctx->block, &ctx->X);
+
+ assert(length <= 8);
+ if (length == 8)
+ {
+ encrypt(cipher, 8, dst, Y.b);
+ }
+ else
+ {
+ encrypt(cipher, 8, ctx->block.b, Y.b);
+ memcpy(dst, ctx->block.b, length);
+ }
+
+ /* reset state for re-use */
+ memset(&ctx->X, 0, sizeof(ctx->X));
+ ctx->index = 0;
+}
diff -Nru nettle-3.4.1/cmac-aes128.c nettle-3.7.3/cmac-aes128.c
--- nettle-3.4.1/cmac-aes128.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac-aes128.c 2021-06-06 20:06:29.000000000 +0000
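Review bot: In `cmac64_digest` the only guard on the requested output length is `assert(length <= 8)`, so in a build compiled with NDEBUG a caller passing a larger value makes `memcpy(dst, ctx->block.b, length)` read past the 8-byte `ctx->block` and write past the caller's buffer; if asserts are the intended caller contract here, as they appear to be, a comment on the function stating `/* length must be <= 8; only checked by assert */` would make that explicit, otherwise clamp with `if (length > 8) length = 8;` before the branch. The "reset state for re-use" at the end clears only `ctx->X` and `ctx->index`, so after a truncated digest the full 8-byte tag stays in `ctx->block`, and in `cmac64_set_key` the local `L` (the encryption of the zero block, from which K1 and K2 are derived) is left on the stack; both deserve either an explicit clear or a note that the library does not zeroize them, whichever matches project policy. A header comment should also point out that with a 64-bit block cipher the number of messages authenticated under one key has to be bounded (SP 800-38B, Appendix B, "Message Span of the Key"), since this file exists precisely for such ciphers.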
@@ -0,0 +1,60 @@
+/* cmac-aes128.c
+
+ CMAC using AES128 as the underlying cipher.
+
+ Copyright (C) 2017 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "cmac.h"
+
+void
+cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key)
+{
+ CMAC128_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key);
+}
+
+void
+cmac_aes128_update (struct cmac_aes128_ctx *ctx,
+ size_t length, const uint8_t *data)
+{
+ CMAC128_UPDATE (ctx, aes128_encrypt, length, data);
+}
+
+void
+cmac_aes128_digest(struct cmac_aes128_ctx *ctx,
+ size_t length, uint8_t *digest)
+{
+ CMAC128_DIGEST(ctx, aes128_encrypt, length, digest);
+}
diff -Nru nettle-3.4.1/cmac-aes128-meta.c nettle-3.7.3/cmac-aes128-meta.c
--- nettle-3.4.1/cmac-aes128-meta.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac-aes128-meta.c 2021-06-06 20:06:29.000000000 +0000
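Review bot: The three public wrappers carry no comment on their caller contracts: `cmac_aes128_set_key` takes a bare `const uint8_t *key` with no length, and `cmac_aes128_digest` forwards a `size_t length` to `CMAC128_DIGEST`, whose range check (if any) lives in cmac.h and is not visible in this diff. A one-line comment on each would settle it, e.g. `/* key must be exactly AES128_KEY_SIZE bytes */` on set_key and `/* length must be <= CMAC128_DIGEST_SIZE; a shorter value truncates the tag */` on digest. If the underlying `cmac128_digest` takes an `unsigned` length, the `size_t` here is narrowed silently; worth confirming against cmac.h.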
@@ -0,0 +1,52 @@
+/* cmac-aes128-meta.c
+
+ Copyright (C) 2013, 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "nettle-meta.h"
+
+#include "cmac.h"
+
+const struct nettle_mac nettle_cmac_aes128 =
+{
+ "cmac_aes128",
+ sizeof(struct cmac_aes128_ctx),
+ CMAC128_DIGEST_SIZE,
+ AES128_KEY_SIZE,
+
+ (nettle_set_key_func*) cmac_aes128_set_key,
+ (nettle_hash_update_func*) cmac_aes128_update,
+ (nettle_hash_digest_func*) cmac_aes128_digest
+};
diff -Nru nettle-3.4.1/cmac-aes256.c nettle-3.7.3/cmac-aes256.c
--- nettle-3.4.1/cmac-aes256.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac-aes256.c 2021-06-06 20:06:29.000000000 +0000
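Review bot: The three entries `(nettle_set_key_func*) cmac_aes128_set_key`, `(nettle_hash_update_func*) cmac_aes128_update` and `(nettle_hash_digest_func*) cmac_aes128_digest` cast functions taking `struct cmac_aes128_ctx *` to pointer types taking `void *`, and calling through the cast pointer is the same incompatible-function-type pattern the ChangeLog hunk in this diff says was wrapped away in nettle-internal.c for gcc-8's warning. It works in practice on the usual ABIs but is undefined behavior under C11 6.3.2.3, and gcc's `-Wcast-function-type` will flag it; either the same thin `void *` wrappers or a comment such as `/* casts rely on void * and struct * having identical calling convention */` would document the choice. The copyright line reads 2013, 2014 for a file that is new in this release, presumably copied from a sibling meta file; worth checking.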
@@ -0,0 +1,60 @@
+/* cmac-aes256.c
+
+ CMAC using AES256 as the underlying cipher.
+
+ Copyright (C) 2017 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "cmac.h"
+
+void
+cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key)
+{
+ CMAC128_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key);
+}
+
+void
+cmac_aes256_update (struct cmac_aes256_ctx *ctx,
+ size_t length, const uint8_t *data)
+{
+ CMAC128_UPDATE (ctx, aes256_encrypt, length, data);
+}
+
+void
+cmac_aes256_digest(struct cmac_aes256_ctx *ctx,
+ size_t length, uint8_t *digest)
+{
+ CMAC128_DIGEST(ctx, aes256_encrypt, length, digest);
+}
diff -Nru nettle-3.4.1/cmac-aes256-meta.c nettle-3.7.3/cmac-aes256-meta.c
--- nettle-3.4.1/cmac-aes256-meta.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac-aes256-meta.c 2021-06-06 20:06:29.000000000 +0000
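Review bot: As with the AES-128 variant, `cmac_aes256_set_key` accepts `const uint8_t *key` with no length and `cmac_aes256_digest` passes `size_t length` straight into `CMAC128_DIGEST` without a visible bound, so the contract is only discoverable from cmac.h, which is not in this diff. Two short comments would fix that: `/* key must be exactly AES256_KEY_SIZE bytes */` on set_key and `/* length must be <= CMAC128_DIGEST_SIZE; smaller values truncate the tag */` on digest. The `size_t` to whatever width the underlying digest takes is a silent narrowing if that type is `unsigned`; confirm against cmac.h.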
@@ -0,0 +1,52 @@
+/* cmac-aes256-meta.c
+
+ Copyright (C) 2013, 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "nettle-meta.h"
+
+#include "cmac.h"
+
+const struct nettle_mac nettle_cmac_aes256 =
+{
+ "cmac_aes256",
+ sizeof(struct cmac_aes256_ctx),
+ CMAC128_DIGEST_SIZE,
+ AES256_KEY_SIZE,
+
+ (nettle_set_key_func*) cmac_aes256_set_key,
+ (nettle_hash_update_func*) cmac_aes256_update,
+ (nettle_hash_digest_func*) cmac_aes256_digest
+};
diff -Nru nettle-3.4.1/cmac.c nettle-3.7.3/cmac.c
--- nettle-3.4.1/cmac.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac.c 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,153 @@
+/*
+ AES-CMAC-128 (rfc 4493)
+ Copyright (C) Stefan Metzmacher 2012
+ Copyright (C) Jeremy Allison 2012
+ Copyright (C) Michael Adam 2012
+ Copyright (C) 2017, Red Hat Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+#include
+
+#include "cmac.h"
+
+#include "memxor.h"
+#include "nettle-internal.h"
+#include "block-internal.h"
+#include "macros.h"
+
+void
+cmac128_set_key(struct cmac128_key *key, const void *cipher,
+ nettle_cipher_func *encrypt)
+{
+ static const union nettle_block16 zero_block;
+ union nettle_block16 L;
+
+ /* step 1 - generate subkeys k1 and k2 */
+ encrypt(cipher, 16, L.b, zero_block.b);
+
+ block16_mulx_be(&key->K1, &L);
+ block16_mulx_be(&key->K2, &key->K1);
+}
+
+void
+cmac128_init(struct cmac128_ctx *ctx)
+{
+ memset(&ctx->X, 0, sizeof(ctx->X));
+ ctx->index = 0;
+}
+
+#define MIN(x,y) ((x)<(y)?(x):(y))
+
+void
+cmac128_update(struct cmac128_ctx *ctx, const void *cipher,
+ nettle_cipher_func *encrypt,
+ size_t msg_len, const uint8_t *msg)
+{
+ union nettle_block16 Y;
+ /*
+ * check if we expand the block
+ */
+ if (ctx->index < 16)
+ {
+ size_t len = MIN(16 - ctx->index, msg_len);
+ memcpy(&ctx->block.b[ctx->index], msg, len);
+ msg += len;
+ msg_len -= len;
+ ctx->index += len;
+ }
+
+ if (msg_len == 0) {
+ /* if it is still the last block, we are done */
+ return;
+ }
+
+ /*
+ * now checksum everything but the last block
+ */
+ block16_xor3(&Y, &ctx->X, &ctx->block);
+ encrypt(cipher, 16, ctx->X.b, Y.b);
+
+ while (msg_len > 16)
+ {
+ block16_xor_bytes (&Y, &ctx->X, msg);
+ encrypt(cipher, 16, ctx->X.b, Y.b);
+ msg += 16;
+ msg_len -= 16;
+ }
+
+ /*
+ * copy the last block, it will be processed in
+ * cmac128_digest().
+ */
+ memcpy(ctx->block.b, msg, msg_len);
+ ctx->index = msg_len;
+}
+
+void
+cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key,
+ const void *cipher, nettle_cipher_func *encrypt,
+ unsigned length, uint8_t *dst)
+{
+ union nettle_block16 Y;
+
+ /* re-use ctx->block for memxor output */
+ if (ctx->index < 16)
+ {
+ ctx->block.b[ctx->index] = 0x80;
+ memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index);
+
+ block16_xor (&ctx->block, &key->K2);
+ }
+ else
+ {
+ block16_xor (&ctx->block, &key->K1);
+ }
+
+ block16_xor3 (&Y, &ctx->block, &ctx->X);
+
+ assert(length <= 16);
+ if (length == 16)
+ {
+ encrypt(cipher, 16, dst, Y.b);
+ }
+ else
+ {
+ encrypt(cipher, 16, ctx->block.b, Y.b);
+ memcpy(dst, ctx->block.b, length);
+ }
+
+ /* reset state for re-use */
+ cmac128_init(ctx);
+}
diff -Nru nettle-3.4.1/cmac-des3.c nettle-3.7.3/cmac-des3.c
--- nettle-3.4.1/cmac-des3.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac-des3.c 2021-06-06 20:06:29.000000000 +0000
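Review bot: cmac128_digest bounds `length` with `assert(length <= 16)` only, so in a build compiled with NDEBUG a larger value reaches `memcpy(dst, ctx->block.b, length)` and reads past the 16-byte `ctx->block` while writing that many bytes to `dst`. Treating this as a caller contract is consistent with the rest of the file, but the code should say so; suggest `assert(length <= 16); /* caller contract: with NDEBUG a larger length overreads ctx->block */` (an always-on check would be a behaviour change for callers and is a separate decision). Separately, cmac128_set_key leaves `L`, the encryption of the zero block from which K1 and K2 are derived, on the stack after returning; whether that needs wiping depends on the project's general policy for stack temporaries, which is not visible in this diff. `MIN` is also defined at file scope although macros.h is included just above it, so it is worth checking that header does not already provide one.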
@@ -0,0 +1,61 @@
+/* cmac-des3.c
+
+ CMAC using TripleDES as the underlying cipher.
+
+ Copyright (C) 2019 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "cmac.h"
+
+void
+cmac_des3_set_key (struct cmac_des3_ctx *ctx, const uint8_t *key)
+{
+ CMAC64_SET_KEY (ctx, des3_set_key, des3_encrypt, key);
+}
+
+void
+cmac_des3_update (struct cmac_des3_ctx *ctx,
+ size_t length, const uint8_t *data)
+{
+ CMAC64_UPDATE (ctx, des3_encrypt, length, data);
+}
+
+void
+cmac_des3_digest (struct cmac_des3_ctx *ctx,
+ size_t length, uint8_t *digest)
+{
+ CMAC64_DIGEST (ctx, des3_encrypt, length, digest);
+}
+
diff -Nru nettle-3.4.1/cmac-des3-meta.c nettle-3.7.3/cmac-des3-meta.c
--- nettle-3.4.1/cmac-des3-meta.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac-des3-meta.c 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,52 @@
+/* cmac-des3-meta.c
+
+ Copyright (C) 2020 Dmitry Baryshkov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "nettle-meta.h"
+
+#include "cmac.h"
+
+const struct nettle_mac nettle_cmac_des3 =
+{
+ "cmac_des3",
+ sizeof(struct cmac_des3_ctx),
+ CMAC64_DIGEST_SIZE,
+ DES3_KEY_SIZE,
+
+ (nettle_set_key_func*) cmac_des3_set_key,
+ (nettle_hash_update_func*) cmac_des3_update,
+ (nettle_hash_digest_func*) cmac_des3_digest
+};
diff -Nru nettle-3.4.1/cmac.h nettle-3.7.3/cmac.h
--- nettle-3.4.1/cmac.h 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/cmac.h 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,237 @@
+/* cmac.h
+
+ CMAC mode, as specified in RFC4493
+
+ Copyright (C) 2017 Red Hat, Inc.
+
+ Contributed by Nikos Mavrogiannopoulos
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CMAC_H_INCLUDED
+#define NETTLE_CMAC_H_INCLUDED
+
+#include "aes.h"
+#include "des.h"
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define CMAC128_DIGEST_SIZE 16
+#define CMAC64_DIGEST_SIZE 8
+
+#define cmac128_set_key nettle_cmac128_set_key
+#define cmac128_init nettle_cmac128_init
+#define cmac128_update nettle_cmac128_update
+#define cmac128_digest nettle_cmac128_digest
+#define cmac_aes128_set_key nettle_cmac_aes128_set_key
+#define cmac_aes128_update nettle_cmac_aes128_update
+#define cmac_aes128_digest nettle_cmac_aes128_digest
+#define cmac_aes256_set_key nettle_cmac_aes256_set_key
+#define cmac_aes256_update nettle_cmac_aes256_update
+#define cmac_aes256_digest nettle_cmac_aes256_digest
+
+#define cmac64_set_key nettle_cmac64_set_key
+#define cmac64_init nettle_cmac64_init
+#define cmac64_update nettle_cmac64_update
+#define cmac64_digest nettle_cmac64_digest
+#define cmac_des3_set_key nettle_cmac_des3_set_key
+#define cmac_des3_update nettle_cmac_des3_update
+#define cmac_des3_digest nettle_cmac_des3_digest
+
+struct cmac128_key
+{
+ union nettle_block16 K1;
+ union nettle_block16 K2;
+};
+
+struct cmac128_ctx
+{
+ /* MAC state */
+ union nettle_block16 X;
+
+ /* Block buffer */
+ union nettle_block16 block;
+ size_t index;
+};
+
+struct cmac64_key
+{
+ union nettle_block8 K1;
+ union nettle_block8 K2;
+};
+
+struct cmac64_ctx
+{
+ /* MAC state */
+ union nettle_block8 X;
+
+ /* Block buffer */
+ union nettle_block8 block;
+ size_t index;
+};
+
+void
+cmac128_set_key(struct cmac128_key *key, const void *cipher,
+ nettle_cipher_func *encrypt);
+
+void
+cmac128_init(struct cmac128_ctx *ctx);
+
+void
+cmac128_update(struct cmac128_ctx *ctx, const void *cipher,
+ nettle_cipher_func *encrypt,
+ size_t msg_len, const uint8_t *msg);
+void
+cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key,
+ const void *cipher, nettle_cipher_func *encrypt,
+ unsigned length, uint8_t *digest);
+
+
+#define CMAC128_CTX(type) \
+ { struct cmac128_key key; struct cmac128_ctx ctx; type cipher; }
+
+/* NOTE: Avoid using NULL, as we don't include anything defining it. */
+#define CMAC128_SET_KEY(self, set_key, encrypt, cmac_key) \
+ do { \
+ (set_key)(&(self)->cipher, (cmac_key)); \
+ if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0); \
+ cmac128_set_key(&(self)->key, &(self)->cipher, \
+ (nettle_cipher_func *) (encrypt)); \
+ cmac128_init(&(self)->ctx); \
+ } while (0)
+
+#define CMAC128_UPDATE(self, encrypt, length, src) \
+ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0) \
+ : cmac128_update(&(self)->ctx, &(self)->cipher, \
+ (nettle_cipher_func *)encrypt, \
+ (length), (src)))
+
+#define CMAC128_DIGEST(self, encrypt, length, digest) \
+ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0) \
+ : cmac128_digest(&(self)->ctx, &(self)->key, \
+ &(self)->cipher, \
+ (nettle_cipher_func *) (encrypt), \
+ (length), (digest)))
+
+void
+cmac64_set_key(struct cmac64_key *key, const void *cipher,
+ nettle_cipher_func *encrypt);
+
+void
+cmac64_init(struct cmac64_ctx *ctx);
+
+void
+cmac64_update(struct cmac64_ctx *ctx, const void *cipher,
+ nettle_cipher_func *encrypt,
+ size_t msg_len, const uint8_t *msg);
+
+void
+cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key,
+ const void *cipher, nettle_cipher_func *encrypt,
+ unsigned length, uint8_t *digest);
+
+
+#define CMAC64_CTX(type) \
+ { struct cmac64_key key; struct cmac64_ctx ctx; type cipher; }
+
+/* NOTE: Avoid using NULL, as we don't include anything defining it. */
+#define CMAC64_SET_KEY(self, set_key, encrypt, cmac_key) \
+ do { \
+ (set_key)(&(self)->cipher, (cmac_key)); \
+ if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0); \
+ cmac64_set_key(&(self)->key, &(self)->cipher, \
+ (nettle_cipher_func *) (encrypt)); \
+ cmac64_init(&(self)->ctx); \
+ } while (0)
+
+#define CMAC64_UPDATE(self, encrypt, length, src) \
+ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0) \
+ : cmac64_update(&(self)->ctx, &(self)->cipher, \
+ (nettle_cipher_func *)encrypt, \
+ (length), (src)))
+
+#define CMAC64_DIGEST(self, encrypt, length, digest) \
+ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \
+ (uint8_t *) 0, (const uint8_t *) 0) \
+ : cmac64_digest(&(self)->ctx, &(self)->key, \
+ &(self)->cipher, \
+ (nettle_cipher_func *) (encrypt), \
+ (length), (digest)))
+
+struct cmac_aes128_ctx CMAC128_CTX(struct aes128_ctx);
+
+void
+cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key);
+
+void
+cmac_aes128_update(struct cmac_aes128_ctx *ctx,
+ size_t length, const uint8_t *data);
+
+void
+cmac_aes128_digest(struct cmac_aes128_ctx *ctx,
+ size_t length, uint8_t *digest);
+
+struct cmac_aes256_ctx CMAC128_CTX(struct aes256_ctx);
+
+void
+cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key);
+
+void
+cmac_aes256_update(struct cmac_aes256_ctx *ctx,
+ size_t length, const uint8_t *data);
+
+void
+cmac_aes256_digest(struct cmac_aes256_ctx *ctx,
+ size_t length, uint8_t *digest);
+
+struct cmac_des3_ctx CMAC64_CTX(struct des3_ctx);
+
+void
+cmac_des3_set_key(struct cmac_des3_ctx *ctx, const uint8_t *key);
+
+void
+cmac_des3_update(struct cmac_des3_ctx *ctx,
+ size_t length, const uint8_t *data);
+
+void
+cmac_des3_digest(struct cmac_des3_ctx *ctx,
+ size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* CMAC_H_INCLUDED */
diff -Nru nettle-3.4.1/config.guess nettle-3.7.3/config.guess
--- nettle-3.4.1/config.guess 2018-12-04
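Review bot: The closing guard comment `#endif /* CMAC_H_INCLUDED */` does not name the macro the header actually opens with, `NETTLE_CMAC_H_INCLUDED`; it should read `#endif /* NETTLE_CMAC_H_INCLUDED */`. Also, CMAC128_DIGEST and CMAC64_DIGEST forward `(length)` unchanged into cmac128_digest/cmac64_digest, whose prototypes here take `unsigned length`, while every wrapper declared below them (cmac_aes128_digest, cmac_aes256_digest, cmac_des3_digest) takes `size_t length`, so each macro call is an implicit narrowing; since the header is new in this diff, declaring the core digest functions with `size_t length` would make the macro calls type-exact and match the `size_t msg_len` already used by cmac128_update and cmac64_update. The `index` field in struct cmac128_ctx and struct cmac64_ctx would benefit from a comment such as `/* Bytes buffered in block; the final (possibly full) block is held here until digest */`, since that is the invariant cmac128_update and cmac128_digest in cmac.c rely on (cmac64's implementation is not part of this diff).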
20:56:06.000000000 +0000 +++ nettle-3.7.3/config.guess 2021-06-06 20:06:29.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2014 Free Software Foundation, Inc. +# Copyright 1992-2020 Free Software Foundation, Inc. -timestamp='2014-01-01' +timestamp='2020-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -15,7 +15,7 @@ # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see . +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -24,12 +24,12 @@ # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # -# Originally written by Per Bothner. +# Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # -# Please send patches with a ChangeLog entry to config-patches@gnu.org. +# Please send patches to . me=`echo "$0" | sed -e 's,.*/,,'` @@ -39,7 +39,7 @@ Output the configuration name of the system \`$me' is run on. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit 
@@ -50,7 +50,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2014 Free Software Foundation, Inc. +Copyright 1992-2020 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -84,8 +84,6 @@ exit 1 fi -trap 'exit 1' 1 2 15 - # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a 
@@ -96,34 +94,40 @@ # Portable tmp directory creation inspired by the Autoconf team. -set_cc_for_build=' -trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; -trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; -: ${TMPDIR=/tmp} ; - { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || - { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || - { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || - { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; -dummy=$tmp/dummy ; -tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; -case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int x;" > $dummy.c ; - for c in cc gcc c89 c99 ; do - if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then - CC_FOR_BUILD="$c"; break ; - fi ; - done ; - if test x"$CC_FOR_BUILD" = x ; then - CC_FOR_BUILD=no_compiler_found ; - fi - ;; - ,,*) CC_FOR_BUILD=$CC ;; - ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac ; set_cc_for_build= ;' +tmp= +# shellcheck disable=SC2172 +trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 + +set_cc_for_build() { + # prevent multiple calls if $tmp is already set + test "$tmp" && return 0 + : "${TMPDIR=/tmp}" + # shellcheck disable=SC2039 + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } + dummy=$tmp/dummy + case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in + ,,) echo "int x;" > "$dummy.c" + for driver in cc gcc c89 c99 ; do + if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then + 
CC_FOR_BUILD="$driver" + break + fi + done + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; + esac +} # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) -if (test -f /.attbin/uname) >/dev/null 2>&1 ; then +if test -f /.attbin/uname ; then PATH=$PATH:/.attbin ; export PATH fi @@ -132,14 +136,14 @@ UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown -case "${UNAME_SYSTEM}" in +case "$UNAME_SYSTEM" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu - eval $set_cc_for_build - cat <<-EOF > $dummy.c + set_cc_for_build + cat <<-EOF > "$dummy.c" #include #if defined(__UCLIBC__) LIBC=uclibc @@ -149,13 +153,20 @@ LIBC=gnu #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`" + + # If ldd exists, use it to detect musl libc. + if command -v ldd >/dev/null && \ + ldd --version 2>&1 | grep -q ^musl + then + LIBC=musl + fi ;; esac # Note: order is significant - the case branches are not exclusive. -case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in +case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, 
@@ -168,21 +179,31 @@ # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" - UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ - /usr/sbin/$sysctl 2>/dev/null || echo unknown)` - case "${UNAME_MACHINE_ARCH}" in + UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ + "/sbin/$sysctl" 2>/dev/null || \ + "/usr/sbin/$sysctl" 2>/dev/null || \ + echo unknown)` + case "$UNAME_MACHINE_ARCH" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; - *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + earmv*) + arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` + machine="${arch}${endian}"-unknown + ;; + *) machine="$UNAME_MACHINE_ARCH"-unknown ;; esac # The Operating System including object format, if it has switched - # to ELF recently, or will in the future. - case "${UNAME_MACHINE_ARCH}" in + # to ELF recently (or will in the future) and ABI. + case "$UNAME_MACHINE_ARCH" in + earm*) + os=netbsdelf + ;; arm*|i386|m68k|ns32k|sh3*|sparc|vax) - eval $set_cc_for_build + set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then 
@@ -197,43 +218,72 @@ os=netbsd ;; esac + # Determine ABI tags. + case "$UNAME_MACHINE_ARCH" in + earm*) + expr='s/^earmv[0-9]/-eabi/;s/eb$//' + abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` + ;; + esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. - case "${UNAME_VERSION}" in + case "$UNAME_VERSION" in Debian*) release='-gnu' ;; *) - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "${machine}-${os}${release}" + echo "$machine-${os}${release}${abi-}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-bitrig"$UNAME_RELEASE" exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-openbsd"$UNAME_RELEASE" + exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo "$UNAME_MACHINE_ARCH"-unknown-libertybsd"$UNAME_RELEASE" + exit ;; + *:MidnightBSD:*:*) + echo "$UNAME_MACHINE"-unknown-midnightbsd"$UNAME_RELEASE" exit ;; *:ekkoBSD:*:*) - echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-ekkobsd"$UNAME_RELEASE" exit ;; *:SolidBSD:*:*) - echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-solidbsd"$UNAME_RELEASE" + exit ;; + *:OS108:*:*) + echo "$UNAME_MACHINE"-unknown-os108_"$UNAME_RELEASE" exit ;; macppc:MirBSD:*:*) - echo powerpc-unknown-mirbsd${UNAME_RELEASE} + echo powerpc-unknown-mirbsd"$UNAME_RELEASE" exit ;; 
*:MirBSD:*:*) - echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-mirbsd"$UNAME_RELEASE" + exit ;; + *:Sortix:*:*) + echo "$UNAME_MACHINE"-unknown-sortix + exit ;; + *:Twizzler:*:*) + echo "$UNAME_MACHINE"-unknown-twizzler + exit ;; + *:Redox:*:*) + echo "$UNAME_MACHINE"-unknown-redox + exit ;; + mips:OSF1:*.*) + echo mips-dec-osf1 exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in 
@@ -251,63 +301,54 @@ ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; + UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; + UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; + UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; + UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; + UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; + UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; + UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; + UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; + UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo "$UNAME_MACHINE"-dec-osf"`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`" # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? 
trap '' 0 exit $exitcode ;; - Alpha\ *:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # Should we change UNAME_MACHINE based on the output of uname instead - # of the specific Alpha model? - echo alpha-pc-interix - exit ;; - 21064:Windows_NT:50:3) - echo alpha-dec-winnt3.5 - exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-amigaos + echo "$UNAME_MACHINE"-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-morphos + echo "$UNAME_MACHINE"-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition @@ -319,7 +360,7 @@ echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) - echo arm-acorn-riscix${UNAME_RELEASE} + echo arm-acorn-riscix"$UNAME_RELEASE" exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos 
@@ -346,38 +387,38 @@ sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) - echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo "$UNAME_MACHINE"-ibm-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" exit ;; sun4H:SunOS:5.*:*) - echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-hal-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) - echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-sun-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) - echo i386-pc-auroraux${UNAME_RELEASE} + echo i386-pc-auroraux"$UNAME_RELEASE" exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) - eval $set_cc_for_build - SUN_ARCH="i386" + set_cc_for_build + SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then - SUN_ARCH="x86_64" + SUN_ARCH=x86_64 fi fi - echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo "$SUN_ARCH"-pc-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. - echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-sun-solaris3"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in 
@@ -386,25 +427,25 @@ ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. - echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + echo sparc-sun-sunos"`echo "$UNAME_RELEASE"|sed -e 's/-/_/'`" exit ;; sun3*:SunOS:*:*) - echo m68k-sun-sunos${UNAME_RELEASE} + echo m68k-sun-sunos"$UNAME_RELEASE" exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) - echo m68k-sun-sunos${UNAME_RELEASE} + echo m68k-sun-sunos"$UNAME_RELEASE" ;; sun4) - echo sparc-sun-sunos${UNAME_RELEASE} + echo sparc-sun-sunos"$UNAME_RELEASE" ;; esac exit ;; aushp:SunOS:*:*) - echo sparc-auspex-sunos${UNAME_RELEASE} + echo sparc-auspex-sunos"$UNAME_RELEASE" exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not 
@@ -415,44 +456,44 @@ # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} + echo m68k-milan-mint"$UNAME_RELEASE" exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} + echo m68k-hades-mint"$UNAME_RELEASE" exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} + echo m68k-unknown-mint"$UNAME_RELEASE" exit ;; m68k:machten:*:*) - echo m68k-apple-machten${UNAME_RELEASE} + echo m68k-apple-machten"$UNAME_RELEASE" exit ;; powerpc:machten:*:*) - echo powerpc-apple-machten${UNAME_RELEASE} + echo powerpc-apple-machten"$UNAME_RELEASE" exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) - echo mips-dec-ultrix${UNAME_RELEASE} + echo mips-dec-ultrix"$UNAME_RELEASE" exit ;; VAX*:ULTRIX*:*:*) - echo vax-dec-ultrix${UNAME_RELEASE} + echo vax-dec-ultrix"$UNAME_RELEASE" exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) - echo clipper-intergraph-clix${UNAME_RELEASE} + echo clipper-intergraph-clix"$UNAME_RELEASE" exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { 
@@ -461,23 +502,23 @@ #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) - printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) - printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) - printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF - $CC_FOR_BUILD -o $dummy $dummy.c && - dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && - SYSTEM_NAME=`$dummy $dummyarg` && + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && + dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`"$dummy" "$dummyarg"` && { echo "$SYSTEM_NAME"; exit; } - echo mips-mips-riscos${UNAME_RELEASE} + echo mips-mips-riscos"$UNAME_RELEASE" exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax @@ -503,17 +544,17 @@ AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` - if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + if [ "$UNAME_PROCESSOR" = mc88100 ] || [ "$UNAME_PROCESSOR" = mc88110 ] then - if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ - [ ${TARGET_BINARY_INTERFACE}x = x ] + if [ "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx ] || \ + [ "$TARGET_BINARY_INTERFACE"x = x ] then - echo m88k-dg-dgux${UNAME_RELEASE} + echo m88k-dg-dgux"$UNAME_RELEASE" else - echo m88k-dg-dguxbcs${UNAME_RELEASE} + echo m88k-dg-dguxbcs"$UNAME_RELEASE" fi else - echo i586-dg-dgux${UNAME_RELEASE} + echo i586-dg-dgux"$UNAME_RELEASE" fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) 
@@ -530,7 +571,7 @@ echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) - echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + echo mips-sgi-irix"`echo "$UNAME_RELEASE"|sed -e 's/-/_/g'`" exit ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id @@ -542,14 +583,14 @@ if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else - IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + IBM_REV="$UNAME_VERSION.$UNAME_RELEASE" fi - echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} + echo "$UNAME_MACHINE"-ibm-aix"$IBM_REV" exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #include main() @@ -560,7 +601,7 @@ exit(0); } EOF - if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` + if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` then echo "$SYSTEM_NAME" else 
@@ -574,26 +615,27 @@
 exit ;;
 *:AIX:*:[4567])
 IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
- if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+ if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then
 IBM_ARCH=rs6000
 else
 IBM_ARCH=powerpc
 fi
- if [ -x /usr/bin/oslevel ] ; then
- IBM_REV=`/usr/bin/oslevel`
+ if [ -x /usr/bin/lslpp ] ; then
+ IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
+ awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
 else
- IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ IBM_REV="$UNAME_VERSION.$UNAME_RELEASE"
 fi
- echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+ echo "$IBM_ARCH"-ibm-aix"$IBM_REV"
 exit ;;
 *:AIX:*:*)
 echo rs6000-ibm-aix
 exit ;;
- ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+ ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*)
 echo romp-ibm-bsd4.4
 exit ;;
 ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
- echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
+ echo romp-ibm-bsd"$UNAME_RELEASE" # 4.3 with uname added to
 exit ;; # report: romp-ibm BSD 4.3
 *:BOSX:*:*)
 echo rs6000-bull-bosx
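Review bot: The sed script in the new `lslpp` branch is unquoted, `sed s/[0-9]*$/0/`, so the `[0-9]*` part is exposed to shell pathname expansion before sed ever sees it; quote it as `sed 's/[0-9]*$/0/'`, which is how every other sed expression in this file is written. It works today only because `$/` is not a parameter expansion and no file happens to match the glob, so this is a robustness and consistency nit rather than a visible failure. If `lslpp -Lqc bos.rte.libc` prints nothing, `IBM_REV` ends up empty and the output degrades to `<arch>-ibm-aix`; the old `oslevel` branch had the same property, so a `test -z "$IBM_REV"` fallback to `"$UNAME_VERSION.$UNAME_RELEASE"` is optional hardening.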
@@ -608,28 +650,28 @@ echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - case "${UNAME_MACHINE}" in - 9000/31? ) HP_ARCH=m68000 ;; - 9000/[34]?? ) HP_ARCH=m68k ;; + HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` + case "$UNAME_MACHINE" in + 9000/31?) HP_ARCH=m68000 ;; + 9000/[34]??) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + case "$sc_cpu_version" in + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + case "$sc_kernel_bits" in + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi - if [ "${HP_ARCH}" = "" ]; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + if [ "$HP_ARCH" = "" ]; then + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #define _HPUX_SOURCE #include @@ -662,13 +704,13 @@ exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = "hppa2.0w" ] + if [ "$HP_ARCH" = hppa2.0w ] then - eval $set_cc_for_build + set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler 
@@ -679,23 +721,23 @@ # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then - HP_ARCH="hppa2.0w" + HP_ARCH=hppa2.0w else - HP_ARCH="hppa64" + HP_ARCH=hppa64 fi fi - echo ${HP_ARCH}-hp-hpux${HPUX_REV} + echo "$HP_ARCH"-hp-hpux"$HPUX_REV" exit ;; ia64:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - echo ia64-hp-hpux${HPUX_REV} + HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` + echo ia64-hp-hpux"$HPUX_REV" exit ;; 3050*:HI-UX:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #include int main () @@ -720,11 +762,11 @@ exit (0); } EOF - $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; - 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) @@ -733,7 +775,7 @@ *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; - hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) @@ -741,9 +783,9 @@ exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then - echo ${UNAME_MACHINE}-unknown-osf1mk + echo "$UNAME_MACHINE"-unknown-osf1mk else - echo ${UNAME_MACHINE}-unknown-osf1 + echo "$UNAME_MACHINE"-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) 
@@ -768,130 +810,123 @@ echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) - echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo ymp-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) - echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) - echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo t90-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) - echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo alphaev5-cray-unicosmk"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) - echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo sv1-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) - echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo craynv-cray-unicosmp"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + FUJITSU_SYS=`uname -p | tr 
ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) - echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + echo "$UNAME_MACHINE"-pc-bsdi"$UNAME_RELEASE" exit ;; sparc*:BSD/OS:*:*) - echo sparc-unknown-bsdi${UNAME_RELEASE} + echo sparc-unknown-bsdi"$UNAME_RELEASE" exit ;; *:BSD/OS:*:*) - echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-bsdi"$UNAME_RELEASE" + exit ;; + arm:FreeBSD:*:*) + UNAME_PROCESSOR=`uname -p` + set_cc_for_build + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabi + else + echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabihf + fi exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` - case ${UNAME_PROCESSOR} in + case "$UNAME_PROCESSOR" in amd64) - echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; - *) - echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=x86_64 ;; + i386) + UNAME_PROCESSOR=i586 ;; esac + echo "$UNAME_PROCESSOR"-unknown-freebsd"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`" exit ;; i*:CYGWIN*:*) - echo ${UNAME_MACHINE}-pc-cygwin + echo "$UNAME_MACHINE"-pc-cygwin exit ;; *:MINGW64*:*) - echo ${UNAME_MACHINE}-pc-mingw64 + echo "$UNAME_MACHINE"-pc-mingw64 exit ;; *:MINGW*:*) - echo ${UNAME_MACHINE}-pc-mingw32 + echo "$UNAME_MACHINE"-pc-mingw32 exit ;; - i*:MSYS*:*) - echo ${UNAME_MACHINE}-pc-msys - exit ;; - i*:windows32*:*) - # uname -m includes "-pc" on this system. 
- echo ${UNAME_MACHINE}-mingw32 + *:MSYS*:*) + echo "$UNAME_MACHINE"-pc-msys exit ;; i*:PW*:*) - echo ${UNAME_MACHINE}-pc-pw32 + echo "$UNAME_MACHINE"-pc-pw32 exit ;; *:Interix*:*) - case ${UNAME_MACHINE} in + case "$UNAME_MACHINE" in x86) - echo i586-pc-interix${UNAME_RELEASE} + echo i586-pc-interix"$UNAME_RELEASE" exit ;; authenticamd | genuineintel | EM64T) - echo x86_64-unknown-interix${UNAME_RELEASE} + echo x86_64-unknown-interix"$UNAME_RELEASE" exit ;; IA64) - echo ia64-unknown-interix${UNAME_RELEASE} + echo ia64-unknown-interix"$UNAME_RELEASE" exit ;; esac ;; - [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) - echo i${UNAME_MACHINE}-pc-mks - exit ;; - 8664:Windows_NT:*) - echo x86_64-pc-mks - exit ;; - i*:Windows_NT*:* | Pentium*:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we - # UNAME_MACHINE based on the output of uname instead of i386? - echo i586-pc-interix - exit ;; i*:UWIN*:*) - echo ${UNAME_MACHINE}-pc-uwin + echo "$UNAME_MACHINE"-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) - echo x86_64-unknown-cygwin - exit ;; - p*:CYGWIN*:*) - echo powerpcle-unknown-cygwin + echo x86_64-pc-cygwin exit ;; prep*:SunOS:5.*:*) - echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo powerpcle-unknown-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; *:GNU:*:*) # the GNU system - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + echo "`echo "$UNAME_MACHINE"|sed -e 's,[-/].*$,,'`-unknown-$LIBC`echo "$UNAME_RELEASE"|sed -e 's,/.*$,,'`" exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo "$UNAME_MACHINE-unknown-`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" 
"[:lower:]"``echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`-$LIBC" exit ;; - i*86:Minix:*:*) - echo ${UNAME_MACHINE}-pc-minix + *:Minix:*:*) + echo "$UNAME_MACHINE"-unknown-minix exit ;; aarch64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; 
@@ -901,129 +936,169 @@ EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; arc:Linux:*:* | arceb:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; arm*:Linux:*:*) - eval $set_cc_for_build + set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabi else - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabihf fi fi exit ;; avr32*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; cris:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo "$UNAME_MACHINE"-axis-linux-"$LIBC" exit ;; crisv32:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo "$UNAME_MACHINE"-axis-linux-"$LIBC" + exit ;; + e2k:Linux:*:*) + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; frv:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; hexagon:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; i*86:Linux:*:*) - echo ${UNAME_MACHINE}-pc-linux-${LIBC} + echo "$UNAME_MACHINE"-pc-linux-"$LIBC" exit ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" + exit ;; + k1om:Linux:*:*) + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; m32r*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + 
echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; m68*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; mips:Linux:*:* | mips64:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + IS_GLIBC=0 + test x"${LIBC}" = xgnu && IS_GLIBC=1 + sed 's/^ //' << EOF > "$dummy.c" #undef CPU - #undef ${UNAME_MACHINE} - #undef ${UNAME_MACHINE}el + #undef mips + #undef mipsel + #undef mips64 + #undef mips64el + #if ${IS_GLIBC} && defined(_ABI64) + LIBCABI=gnuabi64 + #else + #if ${IS_GLIBC} && defined(_ABIN32) + LIBCABI=gnuabin32 + #else + LIBCABI=${LIBC} + #endif + #endif + + #if ${IS_GLIBC} && defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa64r6 + #else + #if ${IS_GLIBC} && !defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa32r6 + #else + #if defined(__mips64) + CPU=mips64 + #else + CPU=mips + #endif + #endif + #endif + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=${UNAME_MACHINE}el + MIPS_ENDIAN=el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=${UNAME_MACHINE} + MIPS_ENDIAN= #else - CPU= + MIPS_ENDIAN= #endif #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } + eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU\|^MIPS_ENDIAN\|^LIBCABI'`" + test "x$CPU" != x && { echo "$CPU${MIPS_ENDIAN}-unknown-linux-$LIBCABI"; exit; } ;; - or1k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + mips64el:Linux:*:*) + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; - or32:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + openrisc*:Linux:*:*) + echo or1k-unknown-linux-"$LIBC" + exit ;; + or32:Linux:*:* | or1k*:Linux:*:*) + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; padre:Linux:*:*) - echo sparc-unknown-linux-${LIBC} + 
echo sparc-unknown-linux-"$LIBC" exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-${LIBC} + echo hppa64-unknown-linux-"$LIBC" exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; - PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; - *) echo hppa-unknown-linux-${LIBC} ;; + PA7*) echo hppa1.1-unknown-linux-"$LIBC" ;; + PA8*) echo hppa2.0-unknown-linux-"$LIBC" ;; + *) echo hppa-unknown-linux-"$LIBC" ;; esac exit ;; ppc64:Linux:*:*) - echo powerpc64-unknown-linux-${LIBC} + echo powerpc64-unknown-linux-"$LIBC" exit ;; ppc:Linux:*:*) - echo powerpc-unknown-linux-${LIBC} + echo powerpc-unknown-linux-"$LIBC" exit ;; ppc64le:Linux:*:*) - echo powerpc64le-unknown-linux-${LIBC} + echo powerpc64le-unknown-linux-"$LIBC" exit ;; ppcle:Linux:*:*) - echo powerpcle-unknown-linux-${LIBC} + echo powerpcle-unknown-linux-"$LIBC" + exit ;; + riscv32:Linux:*:* | riscv64:Linux:*:*) + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; s390:Linux:*:* | s390x:Linux:*:*) - echo ${UNAME_MACHINE}-ibm-linux-${LIBC} + echo "$UNAME_MACHINE"-ibm-linux-"$LIBC" exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; vax:Linux:*:*) - echo ${UNAME_MACHINE}-dec-linux-${LIBC} + echo "$UNAME_MACHINE"-dec-linux-"$LIBC" exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-pc-linux-"$LIBC" exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo 
"$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -1037,34 +1112,34 @@ # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. - echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + echo "$UNAME_MACHINE"-pc-sysv4.2uw"$UNAME_VERSION" exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. - echo ${UNAME_MACHINE}-pc-os2-emx + echo "$UNAME_MACHINE"-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) - echo ${UNAME_MACHINE}-unknown-stop + echo "$UNAME_MACHINE"-unknown-stop exit ;; i*86:atheos:*:*) - echo ${UNAME_MACHINE}-unknown-atheos + echo "$UNAME_MACHINE"-unknown-atheos exit ;; i*86:syllable:*:*) - echo ${UNAME_MACHINE}-pc-syllable + echo "$UNAME_MACHINE"-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} + echo i386-unknown-lynxos"$UNAME_RELEASE" exit ;; i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp + echo "$UNAME_MACHINE"-pc-msdosdjgpp exit ;; - i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) - UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + i*86:*:4.*:*) + UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then - echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + echo "$UNAME_MACHINE"-univel-sysv"$UNAME_REL" else - echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + echo "$UNAME_MACHINE"-pc-sysv"$UNAME_REL" fi exit ;; i*86:*:5:[678]*) 
@@ -1074,12 +1149,12 @@ *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac - echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + echo "$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}" exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 @@ -1089,9 +1164,9 @@ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 - echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + echo "$UNAME_MACHINE"-pc-sco"$UNAME_REL" else - echo ${UNAME_MACHINE}-pc-sysv32 + echo "$UNAME_MACHINE"-pc-sysv32 fi exit ;; pc:*:*:*) @@ -1099,7 +1174,7 @@ # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that + # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; @@ -1111,9 +1186,9 @@ exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then - echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + echo i860-stardent-sysv"$UNAME_RELEASE" # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. - echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + echo i860-unknown-sysv"$UNAME_RELEASE" # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) 
@@ -1133,9 +1208,9 @@ test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; @@ -1144,28 +1219,28 @@ test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) - echo m68k-unknown-lynxos${UNAME_RELEASE} + echo m68k-unknown-lynxos"$UNAME_RELEASE" exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) - echo sparc-unknown-lynxos${UNAME_RELEASE} + echo sparc-unknown-lynxos"$UNAME_RELEASE" exit ;; rs6000:LynxOS:2.*:*) - echo rs6000-unknown-lynxos${UNAME_RELEASE} + echo rs6000-unknown-lynxos"$UNAME_RELEASE" exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) - echo powerpc-unknown-lynxos${UNAME_RELEASE} + echo powerpc-unknown-lynxos"$UNAME_RELEASE" exit ;; SM[BE]S:UNIX_SV:*:*) - echo mips-dde-sysv${UNAME_RELEASE} + echo mips-dde-sysv"$UNAME_RELEASE" exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 
@@ -1176,7 +1251,7 @@
 *:SINIX-*:*:*)
 if uname -p 2>/dev/null >/dev/null ; then
 UNAME_MACHINE=`(uname -p) 2>/dev/null`
- echo ${UNAME_MACHINE}-sni-sysv4
+ echo "$UNAME_MACHINE"-sni-sysv4
 else
 echo ns32k-sni-sysv
 fi
@@ -1196,23 +1271,23 @@
 exit ;;
 i*86:VOS:*:*)
 # From Paul.Green@stratus.com.
- echo ${UNAME_MACHINE}-stratus-vos
+ echo "$UNAME_MACHINE"-stratus-vos
 exit ;;
 *:VOS:*:*)
 # From Paul.Green@stratus.com.
 echo hppa1.1-stratus-vos
 exit ;;
 mc68*:A/UX:*:*)
- echo m68k-apple-aux${UNAME_RELEASE}
+ echo m68k-apple-aux"$UNAME_RELEASE"
 exit ;;
 news*:NEWS-OS:6*:*)
 echo mips-sony-newsos6
 exit ;;
 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 if [ -d /usr/nec ]; then
- echo mips-nec-sysv${UNAME_RELEASE}
+ echo mips-nec-sysv"$UNAME_RELEASE"
 else
- echo mips-unknown-sysv${UNAME_RELEASE}
+ echo mips-unknown-sysv"$UNAME_RELEASE"
 fi
 exit ;;
 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
@@ -1231,77 +1306,94 @@ echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) - echo sx4-nec-superux${UNAME_RELEASE} + echo sx4-nec-superux"$UNAME_RELEASE" exit ;; SX-5:SUPER-UX:*:*) - echo sx5-nec-superux${UNAME_RELEASE} + echo sx5-nec-superux"$UNAME_RELEASE" exit ;; SX-6:SUPER-UX:*:*) - echo sx6-nec-superux${UNAME_RELEASE} + echo sx6-nec-superux"$UNAME_RELEASE" exit ;; SX-7:SUPER-UX:*:*) - echo sx7-nec-superux${UNAME_RELEASE} + echo sx7-nec-superux"$UNAME_RELEASE" exit ;; SX-8:SUPER-UX:*:*) - echo sx8-nec-superux${UNAME_RELEASE} + echo sx8-nec-superux"$UNAME_RELEASE" exit ;; SX-8R:SUPER-UX:*:*) - echo sx8r-nec-superux${UNAME_RELEASE} + echo sx8r-nec-superux"$UNAME_RELEASE" + exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux"$UNAME_RELEASE" exit ;; Power*:Rhapsody:*:*) - echo powerpc-apple-rhapsody${UNAME_RELEASE} + echo powerpc-apple-rhapsody"$UNAME_RELEASE" exit ;; *:Rhapsody:*:*) - echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + echo "$UNAME_MACHINE"-apple-rhapsody"$UNAME_RELEASE" exit ;; *:Darwin:*:*) - UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown - eval $set_cc_for_build - if test "$UNAME_PROCESSOR" = unknown ; then - UNAME_PROCESSOR=powerpc - fi - if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - case $UNAME_PROCESSOR in - i386) UNAME_PROCESSOR=x86_64 ;; - powerpc) UNAME_PROCESSOR=powerpc64 ;; - esac - fi + UNAME_PROCESSOR=`uname -p` + case $UNAME_PROCESSOR in + unknown) UNAME_PROCESSOR=powerpc ;; + esac + if command -v xcode-select > /dev/null 2> /dev/null && \ + ! xcode-select --print-path > /dev/null 2> /dev/null ; then + # Avoid executing cc if there is no toolchain installed as + # cc will be a stub that puts up a graphical alert + # prompting the user to install developer tools. 
+ CC_FOR_BUILD=no_compiler_found + else + set_cc_for_build + fi + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi + # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc + if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_PPC >/dev/null + then + UNAME_PROCESSOR=powerpc fi elif test "$UNAME_PROCESSOR" = i386 ; then - # Avoid executing cc on OS X 10.9, as it ships with a stub - # that puts up a graphical alert prompting to install - # developer tools. Any system running Mac OS X 10.7 or - # later (Darwin 11 and later) is required to have a 64-bit - # processor. This is not true of the ARM version of Darwin - # that Apple uses in portable devices. 
- UNAME_PROCESSOR=x86_64 + # uname -m returns i386 or x86_64 + UNAME_PROCESSOR=$UNAME_MACHINE fi - echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} + echo "$UNAME_PROCESSOR"-apple-darwin"$UNAME_RELEASE" exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then + if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi - echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} + echo "$UNAME_PROCESSOR"-"$UNAME_MACHINE"-nto-qnx"$UNAME_RELEASE" exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; - NEO-?:NONSTOP_KERNEL:*:*) - echo neo-tandem-nsk${UNAME_RELEASE} + NEO-*:NONSTOP_KERNEL:*:*) + echo neo-tandem-nsk"$UNAME_RELEASE" exit ;; NSE-*:NONSTOP_KERNEL:*:*) - echo nse-tandem-nsk${UNAME_RELEASE} + echo nse-tandem-nsk"$UNAME_RELEASE" exit ;; - NSR-?:NONSTOP_KERNEL:*:*) - echo nsr-tandem-nsk${UNAME_RELEASE} + NSR-*:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk"$UNAME_RELEASE" + exit ;; + NSV-*:NONSTOP_KERNEL:*:*) + echo nsv-tandem-nsk"$UNAME_RELEASE" + exit ;; + NSX-*:NONSTOP_KERNEL:*:*) + echo nsx-tandem-nsk"$UNAME_RELEASE" exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux @@ -1310,18 +1402,19 @@ echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) - echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} + echo "$UNAME_MACHINE"-"$UNAME_SYSTEM"-"$UNAME_RELEASE" exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. - if test "$cputype" = "386"; then + # shellcheck disable=SC2154 + if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi - echo ${UNAME_MACHINE}-unknown-plan9 + echo "$UNAME_MACHINE"-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 
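Review bot: The rewritten `*:Darwin:*:*` case drops the old failure fallback on the first line: `UNAME_PROCESSOR=`uname -p`` no longer has `|| UNAME_PROCESSOR=unknown`, so if `uname -p` exits non-zero or prints nothing the variable is empty, the `unknown)` arm never fires, and the result is `-apple-darwin<release>` with no CPU field. Keeping `UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown` as the first line preserves the old behaviour alongside the new case statement. On current Darwin `uname -p` is unlikely to fail, so this is a robustness nit rather than a regression anyone is likely to hit; the xcode-select guard before `set_cc_for_build` is a sound addition.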
@@ -1342,14 +1435,14 @@ echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} + echo mips-sei-seiux"$UNAME_RELEASE" exit ;; *:DragonFly:*:*) - echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + echo "$UNAME_MACHINE"-unknown-dragonfly"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`" exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` - case "${UNAME_MACHINE}" in + case "$UNAME_MACHINE" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; @@ -1358,24 +1451,39 @@ echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + echo "$UNAME_MACHINE"-pc-skyos"`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'`" exit ;; i*86:rdos:*:*) - echo ${UNAME_MACHINE}-pc-rdos + echo "$UNAME_MACHINE"-pc-rdos exit ;; i*86:AROS:*:*) - echo ${UNAME_MACHINE}-pc-aros + echo "$UNAME_MACHINE"-pc-aros exit ;; x86_64:VMkernel:*:*) - echo ${UNAME_MACHINE}-unknown-esx + echo "$UNAME_MACHINE"-unknown-esx + exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; + *:Unleashed:*:*) + echo "$UNAME_MACHINE"-unknown-unleashed"$UNAME_RELEASE" exit ;; esac -eval $set_cc_for_build -cat >$dummy.c < "$dummy.c" < -# include +#include +#include +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined (vax) || defined (__vax) || defined (__vax__) || defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#include +#if defined(_SIZE_T_) || defined(SIGLOST) +#include +#endif +#endif #endif main () { 
@@ -1388,22 +1496,14 @@ #include printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 - "4" + "4" #else - "" + "" #endif - ); exit (0); + ); exit (0); #endif #endif -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix\n"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - #if defined (NeXT) #if !defined (__ARCHITECTURE__) #define __ARCHITECTURE__ "m68k" 
@@ -1443,39 +1543,54 @@ #endif #if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); + struct utsname un; + uname(&un); + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); #endif #if defined (vax) -# if !defined (ultrix) -# include -# if defined (BSD) -# if BSD == 43 - printf ("vax-dec-bsd4.3\n"); exit (0); -# else -# if BSD == 199006 - printf ("vax-dec-bsd4.3reno\n"); exit (0); -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# endif -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# else - printf ("vax-dec-ultrix\n"); exit (0); -# endif +#if !defined (ultrix) +#include +#if defined (BSD) +#if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +#else +#if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#endif +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#else +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname un; + uname (&un); + printf ("vax-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname *un; + uname (&un); + printf ("mips-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("mips-dec-ultrix\n"); exit (0); +#endif +#endif #endif #if defined (alliant) && defined (i860) 
@@ -1486,54 +1601,38 @@ } EOF -$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && +$CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } # Apollos put the system type in the environment. +test -d /usr/apollo && { echo "$ISP-apollo-$SYSTYPE"; exit; } -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } +echo "$0: unable to guess system type" >&2 -# Convex versions that predate uname can use getsysinfo(1) +case "$UNAME_MACHINE:$UNAME_SYSTEM" in + mips:Linux | mips64:Linux) + # If we got here on MIPS GNU/Linux, output extra information. + cat >&2 <&2 < in order to provide the needed -information to handle your system. +If $0 has already been updated, send the following data and any +information you think might be pertinent to config-patches@gnu.org to +provide the necessary information to handle your system. config.guess timestamp = $timestamp @@ -1552,16 +1651,16 @@ /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` -UNAME_MACHINE = ${UNAME_MACHINE} -UNAME_RELEASE = ${UNAME_RELEASE} -UNAME_SYSTEM = ${UNAME_SYSTEM} -UNAME_VERSION = ${UNAME_VERSION} +UNAME_MACHINE = "$UNAME_MACHINE" +UNAME_RELEASE = "$UNAME_RELEASE" +UNAME_SYSTEM = "$UNAME_SYSTEM" +UNAME_VERSION = "$UNAME_VERSION" EOF exit 1 # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" diff -Nru nettle-3.4.1/config.h.in nettle-3.7.3/config.h.in --- nettle-3.4.1/config.h.in 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/config.h.in 2021-06-06 20:06:29.000000000 +0000 @@ -18,6 +18,9 @@ */ #undef HAVE_ALLOCA_H +/* Define if __builtin_bswap64 is available */ +#undef HAVE_BUILTIN_BSWAP64 + /* Define if clock_gettime is available */ #undef HAVE_CLOCK_GETTIME 
@@ -53,19 +56,35 @@ /* Define to 1 each of the following for which a native (ie. CPU specific) implementation of the corresponding routine exists. */ -#undef HAVE_NATIVE_ecc_192_modp -#undef HAVE_NATIVE_ecc_192_redc -#undef HAVE_NATIVE_ecc_224_modp -#undef HAVE_NATIVE_ecc_224_redc -#undef HAVE_NATIVE_ecc_25519_modp -#undef HAVE_NATIVE_ecc_256_modp -#undef HAVE_NATIVE_ecc_256_redc -#undef HAVE_NATIVE_ecc_384_modp -#undef HAVE_NATIVE_ecc_384_redc -#undef HAVE_NATIVE_ecc_521_modp -#undef HAVE_NATIVE_ecc_521_redc +#undef HAVE_NATIVE_aes_decrypt +#undef HAVE_NATIVE_aes_encrypt +#undef HAVE_NATIVE_chacha_core +#undef HAVE_NATIVE_chacha_2core +#undef HAVE_NATIVE_chacha_3core +#undef HAVE_NATIVE_chacha_4core +#undef HAVE_NATIVE_fat_chacha_2core +#undef HAVE_NATIVE_fat_chacha_3core +#undef HAVE_NATIVE_fat_chacha_4core +#undef HAVE_NATIVE_ecc_curve25519_modp +#undef HAVE_NATIVE_ecc_curve448_modp +#undef HAVE_NATIVE_ecc_secp192r1_modp +#undef HAVE_NATIVE_ecc_secp192r1_redc +#undef HAVE_NATIVE_ecc_secp224r1_modp +#undef HAVE_NATIVE_ecc_secp224r1_redc +#undef HAVE_NATIVE_ecc_secp256r1_modp +#undef HAVE_NATIVE_ecc_secp256r1_redc +#undef HAVE_NATIVE_ecc_secp384r1_modp +#undef HAVE_NATIVE_ecc_secp384r1_redc +#undef HAVE_NATIVE_ecc_secp521r1_modp +#undef HAVE_NATIVE_ecc_secp521r1_redc +#undef HAVE_NATIVE_gcm_init_key +#undef HAVE_NATIVE_fat_gcm_init_key +#undef HAVE_NATIVE_gcm_hash +#undef HAVE_NATIVE_fat_gcm_hash #undef HAVE_NATIVE_gcm_hash8 #undef HAVE_NATIVE_salsa20_core +#undef HAVE_NATIVE_salsa20_2core +#undef HAVE_NATIVE_fat_salsa20_2core #undef HAVE_NATIVE_sha1_compress #undef HAVE_NATIVE_sha256_compress #undef HAVE_NATIVE_sha512_compress 
@@ -127,24 +146,12 @@ /* Define to the version of this package. */ #undef PACKAGE_VERSION -/* The size of `char', as computed by sizeof. */ -#undef SIZEOF_CHAR - -/* The size of `int', as computed by sizeof. */ -#undef SIZEOF_INT - /* The size of `long', as computed by sizeof. */ #undef SIZEOF_LONG -/* The size of `short', as computed by sizeof. */ -#undef SIZEOF_SHORT - /* The size of `size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T -/* The size of `void*', as computed by sizeof. */ -#undef SIZEOF_VOIDP - /* If using the C implementation of alloca, define if you know the direction of stack growth for your system; otherwise it will be automatically deduced at runtime. diff -Nru nettle-3.4.1/config.m4.in nettle-3.7.3/config.m4.in --- nettle-3.4.1/config.m4.in 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/config.m4.in 2021-06-06 20:06:29.000000000 +0000 
@@ -1,12 +1,17 @@ -define(, <<@srcdir@>>)dnl -define(, <@ASM_SYMBOL_PREFIX@><$1>)dnl -define(, <@ASM_ELF_STYLE@>)dnl -define(, <@ASM_COFF_STYLE@>)dnl -define(, <@ASM_TYPE_FUNCTION@>)dnl -define(, <@ASM_TYPE_PROGBITS@>)dnl -define(, <@ASM_ALIGN_LOG@>)dnl -define(, <@W64_ABI@>)dnl -define(, <@ASM_RODATA@>)dnl +define(`srcdir', ``@srcdir@'')dnl +define(`SYMBOL_PREFIX', `@ASM_SYMBOL_PREFIX@'`$1')dnl +define(`ELF_STYLE', `@ASM_ELF_STYLE@')dnl +define(`COFF_STYLE', `@ASM_COFF_STYLE@')dnl +define(`TYPE_FUNCTION', `@ASM_TYPE_FUNCTION@')dnl +define(`TYPE_PROGBITS', `@ASM_TYPE_PROGBITS@')dnl +define(`ALIGN_LOG', `@ASM_ALIGN_LOG@')dnl +define(`W64_ABI', `@W64_ABI@')dnl +define(`RODATA', `@ASM_RODATA@')dnl +define(`WORDS_BIGENDIAN', `@ASM_WORDS_BIGENDIAN@')dnl +define(`ASM_X86_ENDBR',`@ASM_X86_ENDBR@')dnl +define(`ASM_X86_MARK_CET_ALIGN',`@ASM_X86_MARK_CET_ALIGN@')dnl +define(`ASM_PPC_WANT_R_REGISTERS',`@ASM_PPC_WANT_R_REGISTERS@')dnl divert(1) +@ASM_X86_MARK_CET@ @ASM_MARK_NOEXEC_STACK@ divert diff -Nru nettle-3.4.1/config.make.in nettle-3.7.3/config.make.in --- nettle-3.4.1/config.make.in 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/config.make.in 2021-06-06 20:06:29.000000000 +0000 @@ -64,6 +64,10 @@ libdir = @libdir@ includedir = @includedir@ infodir = @infodir@ +abs_top_builddir = @abs_top_builddir@ + +# Absolute name, since some systems require that for LD_LIBRARY_PATH. +TEST_SHLIB_DIR = ${abs_top_builddir}/.lib # PRE_CPPFLAGS and PRE_LDFLAGS lets each Makefile.in prepend its own # flags before CPPFLAGS and LDFLAGS. While EXTRA_CFLAGS are added at the end. 
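Review bot: The new `ASM_X86_ENDBR` and `ASM_X86_MARK_CET_ALIGN` defines, and the `@ASM_X86_MARK_CET@` now emitted in `divert(1)`, carry no comment on what they expand to or on the invariant they establish, and that invariant is a security property of every x86 object assembled from this template. If the material substituted for `ASM_X86_MARK_CET` is a GNU property note claiming IBT, then every function entry and indirect-branch target in the .asm sources must begin with `ASM_X86_ENDBR`, or the library will fault once a loader enforces IBT; conversely, an object that lacks the note makes the linker drop the property for the whole shared library, so the protection is all-or-nothing. Since this file is the one place all assembler sources see, I'd put a comment above the two defines, e.g. `dnl ASM_X86_MARK_CET emits the CET (IBT/SHSTK) property note when enabled; every entry point and indirect-branch target must then start with ASM_X86_ENDBR.` The actual substitutions come from configure and are not visible in this hunk, so the wording should be checked against configure.ac before committing it.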
@@ -77,17 +81,11 @@ # usual targets. default: all -# For some reason the suffixes list must be set before the rules. -# Otherwise BSD make won't build binaries e.g. aesdata. On the other -# hand, AIX make has the opposite idiosyncrasies to BSD, and the AIX -# compile was broken when .SUFFIXES was moved here from Makefile.in. - +# Don't use any old-fashioned suffix rules. .SUFFIXES: -.SUFFIXES: .asm .c .$(OBJEXT) .html .dvi .info .exe .pdf .ps .texinfo # Disable builtin rule %$(EXEEXT) : %.c -.c: # Keep object files .PRECIOUS: %.o diff -Nru nettle-3.4.1/config.sub nettle-3.7.3/config.sub --- nettle-3.4.1/config.sub 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/config.sub 2021-06-06 20:06:29.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2014 Free Software Foundation, Inc. +# Copyright 1992-2020 Free Software Foundation, Inc. -timestamp='2014-01-01' +timestamp='2020-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -15,7 +15,7 @@ # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see . +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -25,7 +25,7 @@ # of the GNU General Public License, version 3 ("GPLv3"). -# Please send patches with a ChangeLog entry to config-patches@gnu.org. +# Please send patches to . # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. 
@@ -33,7 +33,7 @@ # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD +# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -53,12 +53,11 @@ me=`echo "$0" | sed -e 's,.*/,,'` usage="\ -Usage: $0 [OPTION] CPU-MFR-OPSYS - $0 [OPTION] ALIAS +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit @@ -68,7 +67,7 @@ version="\ GNU config.sub ($timestamp) -Copyright 1992-2014 Free Software Foundation, Inc. +Copyright 1992-2020 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -90,12 +89,12 @@ - ) # Use stdin as input. break ;; -* ) - echo "$me: invalid option $1$help" + echo "$me: invalid option $1$help" >&2 exit 1 ;; *local*) # First pass through any local machine types. - echo $1 + echo "$1" exit ;; * ) 
@@ -111,1211 +110,1164 @@ exit 1;; esac -# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). -# Here we must recognize all the valid KERNEL-OS combinations. -maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` -case $maybe_os in - nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ - knetbsd*-gnu* | netbsd*-gnu* | \ - kopensolaris*-gnu* | \ - storm-chaos* | os2-emx* | rtmk-nova*) - os=-$maybe_os - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` - ;; - android-linux) - os=-linux-android - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown - ;; - *) - basic_machine=`echo $1 | sed 's/-[^-]*$//'` - if [ $basic_machine != $1 ] - then os=`echo $1 | sed 's/.*-/-/'` - else os=; fi - ;; -esac - -### Let's recognize common machines as not being operating systems so -### that things like config.sub decstation-3100 work. We also -### recognize some manufacturers as not being operating systems, so we -### can provide default operating systems below. -case $os in - -sun*os*) - # Prevent following clause from handling this invalid input. 
- ;; - -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ - -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ - -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ - -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ - -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ - -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze*) - os= - basic_machine=$1 - ;; - -bluegene*) - os=-cnk - ;; - -sim | -cisco | -oki | -wec | -winbond) - os= - basic_machine=$1 - ;; - -scout) - ;; - -wrs) - os=-vxworks - basic_machine=$1 - ;; - -chorusos*) - os=-chorusos - basic_machine=$1 - ;; - -chorusrdb) - os=-chorusrdb - basic_machine=$1 - ;; - -hiux*) - os=-hiuxwe2 - ;; - -sco6) - os=-sco5v6 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco5) - os=-sco3.2v5 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco4) - os=-sco3.2v4 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2.[4-9]*) - os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2v[4-9]*) - # Don't forget version if it is 3.2v4 or newer. - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco5v6*) - # Don't forget version if it is 3.2v4 or newer. 
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco*) - os=-sco3.2v2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -udk*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -isc) - os=-isc2.2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -clix*) - basic_machine=clipper-intergraph - ;; - -isc*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -lynx*178) - os=-lynxos178 - ;; - -lynx*5) - os=-lynxos5 - ;; - -lynx*) - os=-lynxos +# Split fields of configuration type +# shellcheck disable=SC2162 +IFS="-" read field1 field2 field3 field4 <&2 + exit 1 ;; - -ptx*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + *-*-*-*) + basic_machine=$field1-$field2 + os=$field3-$field4 ;; - -windowsnt*) - os=`echo $os | sed -e 's/windowsnt/winnt/'` + *-*-*) + # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two + # parts + maybe_os=$field2-$field3 + case $maybe_os in + nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc \ + | linux-newlib* | linux-musl* | linux-uclibc* | uclinux-uclibc* \ + | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ + | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ + | storm-chaos* | os2-emx* | rtmk-nova*) + basic_machine=$field1 + os=$maybe_os + ;; + android-linux) + basic_machine=$field1-unknown + os=linux-android + ;; + *) + basic_machine=$field1-$field2 + os=$field3 + ;; + esac ;; - -psos*) - os=-psos + *-*) + # A lone config we happen to match not fitting any pattern + case $field1-$field2 in + decstation-3100) + basic_machine=mips-dec + os= + ;; + *-*) + # Second component is usually, but not always the OS + case $field2 in + # Prevent following clause from handling this valid os + sun*os*) + basic_machine=$field1 + os=$field2 + ;; + # Manufacturers + dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ + | att* | 7300* | 3300* | delta* | motorola* | sun[234]* \ + | unicom* | ibm* | next | hp | isi* | apollo | altos* \ + | convergent* | 
ncr* | news | 32* | 3600* | 3100* \ + | hitachi* | c[123]* | convex* | sun | crds | omron* | dg \ + | ultra | tti* | harris | dolphin | highlevel | gould \ + | cbm | ns | masscomp | apple | axis | knuth | cray \ + | microblaze* | sim | cisco \ + | oki | wec | wrs | winbond) + basic_machine=$field1-$field2 + os= + ;; + *) + basic_machine=$field1 + os=$field2 + ;; + esac + ;; + esac ;; - -mint | -mint[0-9]*) - basic_machine=m68k-atari - os=-mint + *) + # Convert single-component short-hands not valid as part of + # multi-component configurations. + case $field1 in + 386bsd) + basic_machine=i386-pc + os=bsd + ;; + a29khif) + basic_machine=a29k-amd + os=udi + ;; + adobe68k) + basic_machine=m68010-adobe + os=scout + ;; + alliant) + basic_machine=fx80-alliant + os= + ;; + altos | altos3068) + basic_machine=m68k-altos + os= + ;; + am29k) + basic_machine=a29k-none + os=bsd + ;; + amdahl) + basic_machine=580-amdahl + os=sysv + ;; + amiga) + basic_machine=m68k-unknown + os= + ;; + amigaos | amigados) + basic_machine=m68k-unknown + os=amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + os=sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + os=sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + os=bsd + ;; + aros) + basic_machine=i386-pc + os=aros + ;; + aux) + basic_machine=m68k-apple + os=aux + ;; + balance) + basic_machine=ns32k-sequent + os=dynix + ;; + blackfin) + basic_machine=bfin-unknown + os=linux + ;; + cegcc) + basic_machine=arm-unknown + os=cegcc + ;; + convex-c1) + basic_machine=c1-convex + os=bsd + ;; + convex-c2) + basic_machine=c2-convex + os=bsd + ;; + convex-c32) + basic_machine=c32-convex + os=bsd + ;; + convex-c34) + basic_machine=c34-convex + os=bsd + ;; + convex-c38) + basic_machine=c38-convex + os=bsd + ;; + cray) + basic_machine=j90-cray + os=unicos + ;; + crds | unos) + basic_machine=m68k-crds + os= + ;; + da30) + basic_machine=m68k-da30 + os= + ;; + decstation | pmax | pmin | dec3100 | decstatn) + basic_machine=mips-dec + os= + ;; + 
delta88) + basic_machine=m88k-motorola + os=sysv3 + ;; + dicos) + basic_machine=i686-pc + os=dicos + ;; + djgpp) + basic_machine=i586-pc + os=msdosdjgpp + ;; + ebmon29k) + basic_machine=a29k-amd + os=ebmon + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=ose + ;; + gmicro) + basic_machine=tron-gmicro + os=sysv + ;; + go32) + basic_machine=i386-pc + os=go32 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=hms + ;; + harris) + basic_machine=m88k-harris + os=sysv3 + ;; + hp300 | hp300hpux) + basic_machine=m68k-hp + os=hpux + ;; + hp300bsd) + basic_machine=m68k-hp + os=bsd + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=proelf + ;; + i386mach) + basic_machine=i386-mach + os=mach + ;; + isi68 | isi) + basic_machine=m68k-isi + os=sysv + ;; + m68knommu) + basic_machine=m68k-unknown + os=linux + ;; + magnum | m3230) + basic_machine=mips-mips + os=sysv + ;; + merlin) + basic_machine=ns32k-utek + os=sysv + ;; + mingw64) + basic_machine=x86_64-pc + os=mingw64 + ;; + mingw32) + basic_machine=i686-pc + os=mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + os=mingw32ce + ;; + monitor) + basic_machine=m68k-rom68k + os=coff + ;; + morphos) + basic_machine=powerpc-unknown + os=morphos + ;; + moxiebox) + basic_machine=moxie-unknown + os=moxiebox + ;; + msdos) + basic_machine=i386-pc + os=msdos + ;; + msys) + basic_machine=i686-pc + os=msys + ;; + mvs) + basic_machine=i370-ibm + os=mvs + ;; + nacl) + basic_machine=le32-unknown + os=nacl + ;; + ncr3000) + basic_machine=i486-ncr + os=sysv4 + ;; + netbsd386) + basic_machine=i386-pc + os=netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + os=linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=newsos + ;; + news1000) + basic_machine=m68030-sony + os=newsos + ;; + necv70) + basic_machine=v70-nec + os=sysv + 
;; + nh3000) + basic_machine=m68k-harris + os=cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=cxux + ;; + nindy960) + basic_machine=i960-intel + os=nindy + ;; + mon960) + basic_machine=i960-intel + os=mon960 + ;; + nonstopux) + basic_machine=mips-compaq + os=nonstopux + ;; + os400) + basic_machine=powerpc-ibm + os=os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=ose + ;; + os68k) + basic_machine=m68k-none + os=os68k + ;; + paragon) + basic_machine=i860-intel + os=osf + ;; + parisc) + basic_machine=hppa-unknown + os=linux + ;; + pw32) + basic_machine=i586-unknown + os=pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + os=rdos + ;; + rdos32) + basic_machine=i386-pc + os=rdos + ;; + rom68k) + basic_machine=m68k-rom68k + os=coff + ;; + sa29200) + basic_machine=a29k-amd + os=udi + ;; + sei) + basic_machine=mips-sei + os=seiux + ;; + sequent) + basic_machine=i386-sequent + os= + ;; + sps7) + basic_machine=m68k-bull + os=sysv2 + ;; + st2000) + basic_machine=m68k-tandem + os= + ;; + stratus) + basic_machine=i860-stratus + os=sysv4 + ;; + sun2) + basic_machine=m68000-sun + os= + ;; + sun2os3) + basic_machine=m68000-sun + os=sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=sunos4 + ;; + sun3) + basic_machine=m68k-sun + os= + ;; + sun3os3) + basic_machine=m68k-sun + os=sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=sunos4 + ;; + sun4) + basic_machine=sparc-sun + os= + ;; + sun4os3) + basic_machine=sparc-sun + os=sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=solaris2 + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + os= + ;; + sv1) + basic_machine=sv1-cray + os=unicos + ;; + symmetry) + basic_machine=i386-sequent + os=dynix + ;; + t3e) + basic_machine=alphaev5-cray + os=unicos + ;; + t90) + basic_machine=t90-cray + os=unicos + ;; + toad1) + basic_machine=pdp10-xkl + os=tops20 + ;; + tpf) + basic_machine=s390x-ibm + os=tpf + ;; + udi29k) + 
basic_machine=a29k-amd + os=udi + ;; + ultra3) + basic_machine=a29k-nyu + os=sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=none + ;; + vaxv) + basic_machine=vax-dec + os=sysv + ;; + vms) + basic_machine=vax-dec + os=vms + ;; + vsta) + basic_machine=i386-pc + os=vsta + ;; + vxworks960) + basic_machine=i960-wrs + os=vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=vxworks + ;; + xbox) + basic_machine=i686-pc + os=mingw32 + ;; + ymp) + basic_machine=ymp-cray + os=unicos + ;; + *) + basic_machine=$1 + os= + ;; + esac ;; esac -# Decode aliases for certain CPU-COMPANY combinations. +# Decode 1-component or ad-hoc basic machines case $basic_machine in - # Recognize the basic CPU types without company name. - # Some are omitted here because they have special meanings below. - 1750a | 580 \ - | a29k \ - | aarch64 | aarch64_be \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ - | am33_2.0 \ - | arc | arceb \ - | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ - | avr | avr32 \ - | be32 | be64 \ - | bfin \ - | c4x | c8051 | clipper \ - | d10v | d30v | dlx | dsp16xx \ - | epiphany \ - | fido | fr30 | frv \ - | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ - | hexagon \ - | i370 | i860 | i960 | ia64 \ - | ip2k | iq2000 \ - | k1om \ - | le32 | le64 \ - | lm32 \ - | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ - | mips | mipsbe | mipseb | mipsel | mipsle \ - | mips16 \ - | mips64 | mips64el \ - | mips64octeon | mips64octeonel \ - | mips64orion | mips64orionel \ - | mips64r5900 | mips64r5900el \ - | mips64vr | mips64vrel \ - | mips64vr4100 | mips64vr4100el \ - | mips64vr4300 | mips64vr4300el \ - | mips64vr5000 | mips64vr5000el \ - | mips64vr5900 | mips64vr5900el \ - | mipsisa32 | mipsisa32el \ - | 
mipsisa32r2 | mipsisa32r2el \ - | mipsisa64 | mipsisa64el \ - | mipsisa64r2 | mipsisa64r2el \ - | mipsisa64sb1 | mipsisa64sb1el \ - | mipsisa64sr71k | mipsisa64sr71kel \ - | mipsr5900 | mipsr5900el \ - | mipstx39 | mipstx39el \ - | mn10200 | mn10300 \ - | moxie \ - | mt \ - | msp430 \ - | nds32 | nds32le | nds32be \ - | nios | nios2 | nios2eb | nios2el \ - | ns16k | ns32k \ - | open8 \ - | or1k | or32 \ - | pdp10 | pdp11 | pj | pjl \ - | powerpc | powerpc64 | powerpc64le | powerpcle \ - | pyramid \ - | rl78 | rx \ - | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ - | sh64 | sh64le \ - | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ - | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ - | spu \ - | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ - | ubicom32 \ - | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ - | we32k \ - | x86 | xc16x | xstormy16 | xtensa \ - | z8k | z80) - basic_machine=$basic_machine-unknown - ;; - c54x) - basic_machine=tic54x-unknown - ;; - c55x) - basic_machine=tic55x-unknown - ;; - c6x) - basic_machine=tic6x-unknown - ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) - basic_machine=$basic_machine-unknown - os=-none - ;; - m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) - ;; - ms1) - basic_machine=mt-unknown - ;; - - strongarm | thumb | xscale) - basic_machine=arm-unknown - ;; - xgate) - basic_machine=$basic_machine-unknown - os=-none + # Here we handle the default manufacturer of certain CPU types. It is in + # some cases the only manufacturer, in others, it is the most popular. 
+ w89k) + cpu=hppa1.1 + vendor=winbond + ;; + op50n) + cpu=hppa1.1 + vendor=oki ;; - xscaleeb) - basic_machine=armeb-unknown + op60c) + cpu=hppa1.1 + vendor=oki ;; - - xscaleel) - basic_machine=armel-unknown + ibm*) + cpu=i370 + vendor=ibm ;; - - # We use `pc' rather than `unknown' - # because (1) that's what they normally are, and - # (2) the word "unknown" tends to confuse beginning users. - i*86 | x86_64) - basic_machine=$basic_machine-pc - ;; - # Object if more than one company name word. - *-*-*) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 + orion105) + cpu=clipper + vendor=highlevel ;; - # Recognize the basic CPU types with company name. - 580-* \ - | a29k-* \ - | aarch64-* | aarch64_be-* \ - | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ - | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ - | avr-* | avr32-* \ - | be32-* | be64-* \ - | bfin-* | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | c8051-* | clipper-* | craynv-* | cydra-* \ - | d10v-* | d30v-* | dlx-* \ - | elxsi-* \ - | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ - | h8300-* | h8500-* \ - | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ - | hexagon-* \ - | i*86-* | i860-* | i960-* | ia64-* \ - | ip2k-* | iq2000-* \ - | k1om-* \ - | le32-* | le64-* \ - | lm32-* \ - | m32c-* | m32r-* | m32rle-* \ - | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ - | microblaze-* | microblazeel-* \ - | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ - | mips16-* \ - | mips64-* | mips64el-* \ - | mips64octeon-* | mips64octeonel-* \ - | mips64orion-* | mips64orionel-* \ - | mips64r5900-* | mips64r5900el-* \ - | mips64vr-* | mips64vrel-* \ - | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* \ - | 
mips64vr5000-* | mips64vr5000el-* \ - | mips64vr5900-* | mips64vr5900el-* \ - | mipsisa32-* | mipsisa32el-* \ - | mipsisa32r2-* | mipsisa32r2el-* \ - | mipsisa64-* | mipsisa64el-* \ - | mipsisa64r2-* | mipsisa64r2el-* \ - | mipsisa64sb1-* | mipsisa64sb1el-* \ - | mipsisa64sr71k-* | mipsisa64sr71kel-* \ - | mipsr5900-* | mipsr5900el-* \ - | mipstx39-* | mipstx39el-* \ - | mmix-* \ - | mt-* \ - | msp430-* \ - | nds32-* | nds32le-* | nds32be-* \ - | nios-* | nios2-* | nios2eb-* | nios2el-* \ - | none-* | np1-* | ns16k-* | ns32k-* \ - | open8-* \ - | orion-* \ - | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ - | pyramid-* \ - | rl78-* | romp-* | rs6000-* | rx-* \ - | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ - | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ - | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ - | tahoe-* \ - | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile*-* \ - | tron-* \ - | ubicom32-* \ - | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ - | vax-* \ - | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* \ - | xstormy16-* | xtensa*-* \ - | ymp-* \ - | z8k-* | z80-*) - ;; - # Recognize the basic CPU types without company name, with glob match. - xtensa*) - basic_machine=$basic_machine-unknown + mac | mpw | mac-mpw) + cpu=m68k + vendor=apple ;; + pmac | pmac-mpw) + cpu=powerpc + vendor=apple + ;; + # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 
- 386bsd) - basic_machine=i386-unknown - os=-bsd - ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) - basic_machine=m68000-att + cpu=m68000 + vendor=att ;; 3b*) - basic_machine=we32k-att - ;; - a29khif) - basic_machine=a29k-amd - os=-udi - ;; - abacus) - basic_machine=abacus-unknown - ;; - adobe68k) - basic_machine=m68010-adobe - os=-scout - ;; - alliant | fx80) - basic_machine=fx80-alliant - ;; - altos | altos3068) - basic_machine=m68k-altos - ;; - am29k) - basic_machine=a29k-none - os=-bsd - ;; - amd64) - basic_machine=x86_64-pc - ;; - amd64-*) - basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - amdahl) - basic_machine=580-amdahl - os=-sysv - ;; - amiga | amiga-*) - basic_machine=m68k-unknown - ;; - amigaos | amigados) - basic_machine=m68k-unknown - os=-amigaos - ;; - amigaunix | amix) - basic_machine=m68k-unknown - os=-sysv4 - ;; - apollo68) - basic_machine=m68k-apollo - os=-sysv - ;; - apollo68bsd) - basic_machine=m68k-apollo - os=-bsd - ;; - aros) - basic_machine=i386-pc - os=-aros - ;; - aux) - basic_machine=m68k-apple - os=-aux - ;; - balance) - basic_machine=ns32k-sequent - os=-dynix - ;; - blackfin) - basic_machine=bfin-unknown - os=-linux - ;; - blackfin-*) - basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux + cpu=we32k + vendor=att ;; bluegene*) - basic_machine=powerpc-ibm - os=-cnk - ;; - c54x-*) - basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c55x-*) - basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c6x-*) - basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c90) - basic_machine=c90-cray - os=-unicos - ;; - cegcc) - basic_machine=arm-unknown - os=-cegcc - ;; - convex-c1) - basic_machine=c1-convex - os=-bsd - ;; - convex-c2) - basic_machine=c2-convex - os=-bsd - ;; - convex-c32) - basic_machine=c32-convex - os=-bsd - ;; - convex-c34) - basic_machine=c34-convex - os=-bsd - ;; - convex-c38) - basic_machine=c38-convex - os=-bsd - ;; - 
cray | j90) - basic_machine=j90-cray - os=-unicos - ;; - craynv) - basic_machine=craynv-cray - os=-unicosmp - ;; - cr16 | cr16-*) - basic_machine=cr16-unknown - os=-elf - ;; - crds | unos) - basic_machine=m68k-crds - ;; - crisv32 | crisv32-* | etraxfs*) - basic_machine=crisv32-axis - ;; - cris | cris-* | etrax*) - basic_machine=cris-axis - ;; - crx) - basic_machine=crx-unknown - os=-elf - ;; - da30 | da30-*) - basic_machine=m68k-da30 - ;; - decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) - basic_machine=mips-dec + cpu=powerpc + vendor=ibm + os=cnk ;; decsystem10* | dec10*) - basic_machine=pdp10-dec - os=-tops10 + cpu=pdp10 + vendor=dec + os=tops10 ;; decsystem20* | dec20*) - basic_machine=pdp10-dec - os=-tops20 + cpu=pdp10 + vendor=dec + os=tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) - basic_machine=m68k-motorola + cpu=m68k + vendor=motorola ;; - delta88) - basic_machine=m88k-motorola - os=-sysv3 - ;; - dicos) - basic_machine=i686-pc - os=-dicos - ;; - djgpp) - basic_machine=i586-pc - os=-msdosdjgpp - ;; - dpx20 | dpx20-*) - basic_machine=rs6000-bull - os=-bosx - ;; - dpx2* | dpx2*-bull) - basic_machine=m68k-bull - os=-sysv3 - ;; - ebmon29k) - basic_machine=a29k-amd - os=-ebmon - ;; - elxsi) - basic_machine=elxsi-elxsi - os=-bsd + dpx2*) + cpu=m68k + vendor=bull + os=sysv3 ;; encore | umax | mmax) - basic_machine=ns32k-encore + cpu=ns32k + vendor=encore ;; - es1800 | OSE68k | ose68k | ose | OSE) - basic_machine=m68k-ericsson - os=-ose + elxsi) + cpu=elxsi + vendor=elxsi + os=${os:-bsd} ;; fx2800) - basic_machine=i860-alliant + cpu=i860 + vendor=alliant ;; genix) - basic_machine=ns32k-ns - ;; - gmicro) - basic_machine=tron-gmicro - os=-sysv - ;; - go32) - basic_machine=i386-pc - os=-go32 + cpu=ns32k + vendor=ns ;; h3050r* | hiux*) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - h8300hms) - basic_machine=h8300-hitachi - os=-hms - ;; - h8300xray) - basic_machine=h8300-hitachi - os=-xray - 
;; - h8500hms) - basic_machine=h8500-hitachi - os=-hms - ;; - harris) - basic_machine=m88k-harris - os=-sysv3 - ;; - hp300-*) - basic_machine=m68k-hp - ;; - hp300bsd) - basic_machine=m68k-hp - os=-bsd - ;; - hp300hpux) - basic_machine=m68k-hp - os=-hpux + cpu=hppa1.1 + vendor=hitachi + os=hiuxwe2 ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) - basic_machine=m68000-hp + cpu=m68000 + vendor=hp ;; hp9k3[2-9][0-9]) - basic_machine=m68k-hp + cpu=m68k + vendor=hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - hppa-next) - os=-nextstep3 - ;; - hppaosf) - basic_machine=hppa1.1-hp - os=-osf - ;; - hppro) - basic_machine=hppa1.1-hp - os=-proelf - ;; - i370-ibm* | ibm*) - basic_machine=i370-ibm + cpu=hppa1.0 + vendor=hp ;; i*86v32) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv32 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + os=sysv32 ;; i*86v4*) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv4 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + os=sysv4 ;; i*86v) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + os=sysv ;; i*86sol2) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-solaris2 - ;; - i386mach) - basic_machine=i386-mach - os=-mach - ;; - i386-vsta | vsta) - basic_machine=i386-unknown - os=-vsta + cpu=`echo "$1" 
| sed -e 's/86.*/86/'` + vendor=pc + os=solaris2 + ;; + j90 | j90-cray) + cpu=j90 + vendor=cray + os=${os:-unicos} ;; iris | iris4d) - basic_machine=mips-sgi + cpu=mips + vendor=sgi case $os in - -irix*) + irix*) ;; *) - os=-irix4 + os=irix4 ;; esac ;; - isi68 | isi) - basic_machine=m68k-isi - os=-sysv - ;; - m68knommu) - basic_machine=m68k-unknown - os=-linux - ;; - m68knommu-*) - basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux - ;; - m88k-omron*) - basic_machine=m88k-omron - ;; - magnum | m3230) - basic_machine=mips-mips - os=-sysv - ;; - merlin) - basic_machine=ns32k-utek - os=-sysv - ;; - microblaze*) - basic_machine=microblaze-xilinx - ;; - mingw64) - basic_machine=x86_64-pc - os=-mingw64 - ;; - mingw32) - basic_machine=i686-pc - os=-mingw32 - ;; - mingw32ce) - basic_machine=arm-unknown - os=-mingw32ce - ;; miniframe) - basic_machine=m68000-convergent + cpu=m68000 + vendor=convergent ;; - *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) - basic_machine=m68k-atari - os=-mint - ;; - mips3*-*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` - ;; - mips3*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown - ;; - monitor) - basic_machine=m68k-rom68k - os=-coff - ;; - morphos) - basic_machine=powerpc-unknown - os=-morphos - ;; - msdos) - basic_machine=i386-pc - os=-msdos - ;; - ms1-*) - basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` - ;; - msys) - basic_machine=i686-pc - os=-msys - ;; - mvs) - basic_machine=i370-ibm - os=-mvs - ;; - nacl) - basic_machine=le32-unknown - os=-nacl - ;; - ncr3000) - basic_machine=i486-ncr - os=-sysv4 - ;; - netbsd386) - basic_machine=i386-unknown - os=-netbsd - ;; - netwinder) - basic_machine=armv4l-rebel - os=-linux - ;; - news | news700 | news800 | news900) - basic_machine=m68k-sony - os=-newsos - ;; - news1000) - basic_machine=m68030-sony - os=-newsos + *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) + cpu=m68k + vendor=atari + os=mint ;; news-3600 | risc-news) - 
basic_machine=mips-sony - os=-newsos - ;; - necv70) - basic_machine=v70-nec - os=-sysv - ;; - next | m*-next ) - basic_machine=m68k-next + cpu=mips + vendor=sony + os=newsos + ;; + next | m*-next) + cpu=m68k + vendor=next case $os in - -nextstep* ) + openstep*) + ;; + nextstep*) ;; - -ns2*) - os=-nextstep2 + ns2*) + os=nextstep2 ;; *) - os=-nextstep3 + os=nextstep3 ;; esac ;; - nh3000) - basic_machine=m68k-harris - os=-cxux - ;; - nh[45]000) - basic_machine=m88k-harris - os=-cxux - ;; - nindy960) - basic_machine=i960-intel - os=-nindy - ;; - mon960) - basic_machine=i960-intel - os=-mon960 - ;; - nonstopux) - basic_machine=mips-compaq - os=-nonstopux - ;; np1) - basic_machine=np1-gould - ;; - neo-tandem) - basic_machine=neo-tandem - ;; - nse-tandem) - basic_machine=nse-tandem - ;; - nsr-tandem) - basic_machine=nsr-tandem + cpu=np1 + vendor=gould ;; op50n-* | op60c-*) - basic_machine=hppa1.1-oki - os=-proelf - ;; - openrisc | openrisc-*) - basic_machine=or32-unknown - ;; - os400) - basic_machine=powerpc-ibm - os=-os400 - ;; - OSE68000 | ose68000) - basic_machine=m68000-ericsson - os=-ose - ;; - os68k) - basic_machine=m68k-none - os=-os68k + cpu=hppa1.1 + vendor=oki + os=proelf ;; pa-hitachi) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - paragon) - basic_machine=i860-intel - os=-osf - ;; - parisc) - basic_machine=hppa-unknown - os=-linux - ;; - parisc-*) - basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux + cpu=hppa1.1 + vendor=hitachi + os=hiuxwe2 ;; pbd) - basic_machine=sparc-tti + cpu=sparc + vendor=tti ;; pbb) - basic_machine=m68k-tti - ;; - pc532 | pc532-*) - basic_machine=ns32k-pc532 - ;; - pc98) - basic_machine=i386-pc - ;; - pc98-*) - basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentium | p5 | k5 | k6 | nexgen | viac3) - basic_machine=i586-pc + cpu=m68k + vendor=tti ;; - pentiumpro | p6 | 6x86 | athlon | athlon_*) - basic_machine=i686-pc - ;; - pentiumii | pentium2 | pentiumiii | pentium3) - 
basic_machine=i686-pc - ;; - pentium4) - basic_machine=i786-pc - ;; - pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) - basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumpro-* | p6-* | 6x86-* | athlon-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentium4-*) - basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + pc532) + cpu=ns32k + vendor=pc532 ;; pn) - basic_machine=pn-gould - ;; - power) basic_machine=power-ibm - ;; - ppc | ppcbe) basic_machine=powerpc-unknown + cpu=pn + vendor=gould ;; - ppc-* | ppcbe-*) - basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppcle | powerpclittle | ppc-le | powerpc-little) - basic_machine=powerpcle-unknown - ;; - ppcle-* | powerpclittle-*) - basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64) basic_machine=powerpc64-unknown - ;; - ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64le | powerpc64little | ppc64-le | powerpc64-little) - basic_machine=powerpc64le-unknown - ;; - ppc64le-* | powerpc64little-*) - basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` + power) + cpu=power + vendor=ibm ;; ps2) - basic_machine=i386-ibm - ;; - pw32) - basic_machine=i586-unknown - os=-pw32 - ;; - rdos | rdos64) - basic_machine=x86_64-pc - os=-rdos - ;; - rdos32) - basic_machine=i386-pc - os=-rdos - ;; - rom68k) - basic_machine=m68k-rom68k - os=-coff + cpu=i386 + vendor=ibm ;; rm[46]00) - basic_machine=mips-siemens + cpu=mips + vendor=siemens ;; rtpc | rtpc-*) - basic_machine=romp-ibm + cpu=romp + vendor=ibm ;; - s390 | s390-*) - basic_machine=s390-ibm + sde) + cpu=mipsisa32 + vendor=sde + os=${os:-elf} + ;; + simso-wrs) + cpu=sparclite + vendor=wrs + os=vxworks ;; - s390x | s390x-*) - basic_machine=s390x-ibm + tower | tower-32) + cpu=m68k + vendor=ncr ;; - 
sa29200) - basic_machine=a29k-amd - os=-udi + vpp*|vx|vx-*) + cpu=f301 + vendor=fujitsu ;; - sb1) - basic_machine=mipsisa64sb1-unknown + w65) + cpu=w65 + vendor=wdc ;; - sb1el) - basic_machine=mipsisa64sb1el-unknown + w89k-*) + cpu=hppa1.1 + vendor=winbond + os=proelf ;; - sde) - basic_machine=mipsisa32-sde - os=-elf + none) + cpu=none + vendor=none ;; - sei) - basic_machine=mips-sei - os=-seiux + leon|leon[3-9]) + cpu=sparc + vendor=$basic_machine + ;; + leon-*|leon[3-9]-*) + cpu=sparc + vendor=`echo "$basic_machine" | sed 's/-.*//'` + ;; + + *-*) + # shellcheck disable=SC2162 + IFS="-" read cpu vendor <&2 - exit 1 + # Recognize the canonical CPU types that are allowed with any + # company name. + case $cpu in + 1750a | 580 \ + | a29k \ + | aarch64 | aarch64_be \ + | abacus \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] \ + | alphapca5[67] | alpha64pca5[67] \ + | am33_2.0 \ + | amdgcn \ + | arc | arceb \ + | arm | arm[lb]e | arme[lb] | armv* \ + | avr | avr32 \ + | asmjs \ + | ba \ + | be32 | be64 \ + | bfin | bpf | bs2000 \ + | c[123]* | c30 | [cjt]90 | c4x \ + | c8051 | clipper | craynv | csky | cydra \ + | d10v | d30v | dlx | dsp16xx \ + | e2k | elxsi | epiphany \ + | f30[01] | f700 | fido | fr30 | frv | ft32 | fx80 \ + | h8300 | h8500 \ + | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ + | i370 | i*86 | i860 | i960 | ia16 | ia64 \ + | ip2k | iq2000 \ + | k1om \ + | le32 | le64 \ + | lm32 \ + | m32c | m32r | m32rle \ + | m5200 | m68000 | m680[012346]0 | m68360 | m683?2 | m68k \ + | m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \ + | m88110 | m88k | maxq | mb | mcore | mep | metag \ + | microblaze | microblazeel \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64eb | mips64el \ + | mips64octeon | mips64octeonel \ + | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ + | mips64vr4100 | mips64vr4100el \ + 
| mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipsr5900 | mipsr5900el \ + | mipstx39 | mipstx39el \ + | mmix \ + | mn10200 | mn10300 \ + | moxie \ + | mt \ + | msp430 \ + | nds32 | nds32le | nds32be \ + | nfp \ + | nios | nios2 | nios2eb | nios2el \ + | none | np1 | ns16k | ns32k | nvptx \ + | open8 \ + | or1k* \ + | or32 \ + | orion \ + | picochip \ + | pdp10 | pdp11 | pj | pjl | pn | power \ + | powerpc | powerpc64 | powerpc64le | powerpcle | powerpcspe \ + | pru \ + | pyramid \ + | riscv | riscv32 | riscv64 \ + | rl78 | romp | rs6000 | rx \ + | score \ + | sh | shl \ + | sh[1234] | sh[24]a | sh[24]ae[lb] | sh[23]e | she[lb] | sh[lb]e \ + | sh[1234]e[lb] | sh[12345][lb]e | sh[23]ele | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet \ + | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v | sv1 | sx* \ + | spu \ + | tahoe \ + | tic30 | tic4x | tic54x | tic55x | tic6x | tic80 \ + | tron \ + | ubicom32 \ + | v70 | v850 | v850e | v850e1 | v850es | v850e2 | v850e2v3 \ + | vax \ + | visium \ + | w65 \ + | wasm32 | wasm64 \ + | we32k \ + | x86 | x86_64 | xc16x | xgate | xps100 \ + | xstormy16 | xtensa* \ + | ymp \ + | z8k | z80) + ;; + + *) + echo Invalid configuration \`"$1"\': machine \`"$cpu-$vendor"\' not recognized 1>&2 + exit 1 + ;; + esac ;; esac # Here we canonicalize certain aliases for manufacturers. -case $basic_machine in - *-digital*) - basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` +case $vendor in + digital*) + vendor=dec ;; - *-commodore*) - basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + commodore*) + vendor=cbm ;; *) ;; 
@@ -1323,197 +1275,244 @@ # Decode manufacturer-specific aliases for certain operating systems. -if [ x"$os" != x"" ] +if [ x$os != x ] then case $os in - # First match some system type aliases - # that might get confused with valid system types. - # -solaris* is a basic system type, with this one exception. - -auroraux) - os=-auroraux + # First match some system type aliases that might get confused + # with valid system types. + # solaris* is a basic system type, with this one exception. + auroraux) + os=auroraux ;; - -solaris1 | -solaris1.*) - os=`echo $os | sed -e 's|solaris1|sunos4|'` + bluegene*) + os=cnk ;; - -solaris) - os=-solaris2 + solaris1 | solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; - -svr4*) - os=-sysv4 + solaris) + os=solaris2 ;; - -unixware*) - os=-sysv4.2uw + unixware*) + os=sysv4.2uw ;; - -gnu/linux*) + gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; - # First accept the basic system types. + # es1800 is here to avoid being matched by es* (a different OS) + es1800*) + os=ose + ;; + # Some version numbers need modification + chorusos*) + os=chorusos + ;; + isc) + os=isc2.2 + ;; + sco6) + os=sco5v6 + ;; + sco5) + os=sco3.2v5 + ;; + sco4) + os=sco3.2v4 + ;; + sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` + ;; + sco3.2v[4-9]* | sco5v6*) + # Don't forget version if it is 3.2v4 or newer. + ;; + scout) + # Don't match below + ;; + sco*) + os=sco3.2v2 + ;; + psos*) + os=psos + ;; + # Now accept the basic system types. # The portable systems comes first. - # Each alternative MUST END IN A *, to match a version number. - # -sysv* is not here because it comes later, after sysvr4. 
- -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ - | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ - | -sym* | -kopensolaris* | -plan9* \ - | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* | -aros* \ - | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ - | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* \ - | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ - | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ - | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ - | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ - | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* \ - | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ - | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ - | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ - | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ - | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ - | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) + # Each alternative MUST end in a * to match a version number. + # sysv* is not here because it comes later, after sysvr4. 
+ gnu* | bsd* | mach* | minix* | genix* | ultrix* | irix* \ + | *vms* | esix* | aix* | cnk* | sunos | sunos[34]*\ + | hpux* | unos* | osf* | luna* | dgux* | auroraux* | solaris* \ + | sym* | kopensolaris* | plan9* \ + | amigaos* | amigados* | msdos* | newsos* | unicos* | aof* \ + | aos* | aros* | cloudabi* | sortix* | twizzler* \ + | nindy* | vxsim* | vxworks* | ebmon* | hms* | mvs* \ + | clix* | riscos* | uniplus* | iris* | isc* | rtu* | xenix* \ + | knetbsd* | mirbsd* | netbsd* \ + | bitrig* | openbsd* | solidbsd* | libertybsd* | os108* \ + | ekkobsd* | kfreebsd* | freebsd* | riscix* | lynxos* \ + | bosx* | nextstep* | cxux* | aout* | elf* | oabi* \ + | ptx* | coff* | ecoff* | winnt* | domain* | vsta* \ + | udi* | eabi* | lites* | ieee* | go32* | aux* | hcos* \ + | chorusrdb* | cegcc* | glidix* \ + | cygwin* | msys* | pe* | moss* | proelf* | rtems* \ + | midipix* | mingw32* | mingw64* | linux-gnu* | linux-android* \ + | linux-newlib* | linux-musl* | linux-uclibc* \ + | uxpv* | beos* | mpeix* | udk* | moxiebox* \ + | interix* | uwin* | mks* | rhapsody* | darwin* \ + | openstep* | oskit* | conix* | pw32* | nonstopux* \ + | storm-chaos* | tops10* | tenex* | tops20* | its* \ + | os2* | vos* | palmos* | uclinux* | nucleus* \ + | morphos* | superux* | rtmk* | windiss* \ + | powermax* | dnix* | nx6 | nx7 | sei* | dragonfly* \ + | skyos* | haiku* | rdos* | toppers* | drops* | es* \ + | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ + | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \ + | nsk* | powerunix) # Remember, each alternative MUST END IN *, to match a version number. 
;; - -qnx*) - case $basic_machine in - x86-* | i*86-*) + qnx*) + case $cpu in + x86 | i*86) ;; *) - os=-nto$os + os=nto-$os ;; esac ;; - -nto-qnx*) + hiux*) + os=hiuxwe2 ;; - -nto*) - os=`echo $os | sed -e 's|nto|nto-qnx|'` + nto-qnx*) ;; - -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ - | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ - | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) + nto*) + os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; - -mac*) - os=`echo $os | sed -e 's|mac|macos|'` + sim | xray | os68k* | v88r* \ + | windows* | osx | abug | netware* | os9* \ + | macos* | mpw* | magic* | mmixware* | mon960* | lnews*) ;; - -linux-dietlibc) - os=-linux-dietlibc + linux-dietlibc) + os=linux-dietlibc ;; - -linux*) + linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; - -sunos5*) - os=`echo $os | sed -e 's|sunos5|solaris2|'` + lynx*178) + os=lynxos178 ;; - -sunos6*) - os=`echo $os | sed -e 's|sunos6|solaris3|'` + lynx*5) + os=lynxos5 ;; - -opened*) - os=-openedition + lynx*) + os=lynxos ;; - -os400*) - os=-os400 + mac*) + os=`echo "$os" | sed -e 's|mac|macos|'` ;; - -wince*) - os=-wince + opened*) + os=openedition ;; - -osfrose*) - os=-osfrose + os400*) + os=os400 ;; - -osf*) - os=-osf + sunos5*) + os=`echo "$os" | sed -e 's|sunos5|solaris2|'` ;; - -utek*) - os=-bsd + sunos6*) + os=`echo "$os" | sed -e 's|sunos6|solaris3|'` ;; - -dynix*) - os=-bsd + wince*) + os=wince ;; - -acis*) - os=-aos + utek*) + os=bsd ;; - -atheos*) - os=-atheos + dynix*) + os=bsd ;; - -syllable*) - os=-syllable + acis*) + os=aos ;; - -386bsd) - os=-bsd + atheos*) + os=atheos ;; - -ctix* | -uts*) - os=-sysv + syllable*) + os=syllable ;; - -nova*) - os=-rtmk-nova + 386bsd) + os=bsd + ;; + ctix* | uts*) + os=sysv ;; - -ns2 ) - os=-nextstep2 + nova*) + os=rtmk-nova ;; - -nsk*) - os=-nsk + ns2) + os=nextstep2 ;; # Preserve the version number of sinix5. 
- -sinix5.*) + sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; - -sinix*) - os=-sysv4 + sinix*) + os=sysv4 ;; - -tpf*) - os=-tpf + tpf*) + os=tpf ;; - -triton*) - os=-sysv3 + triton*) + os=sysv3 ;; - -oss*) - os=-sysv3 + oss*) + os=sysv3 ;; - -svr4) - os=-sysv4 + svr4*) + os=sysv4 ;; - -svr3) - os=-sysv3 + svr3) + os=sysv3 ;; - -sysvr4) - os=-sysv4 + sysvr4) + os=sysv4 ;; - # This must come after -sysvr4. - -sysv*) + # This must come after sysvr4. + sysv*) ;; - -ose*) - os=-ose + ose*) + os=ose ;; - -es1800*) - os=-ose + *mint | mint[0-9]* | *MiNT | MiNT[0-9]*) + os=mint ;; - -xenix) - os=-xenix + zvmoe) + os=zvmoe ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + dicos*) + os=dicos ;; - -aros*) - os=-aros + pikeos*) + # Until real need of OS specific support for + # particular features comes up, bare metal + # configurations are quite functional. + case $cpu in + arm*) + os=eabi + ;; + *) + os=elf + ;; + esac ;; - -zvmoe) - os=-zvmoe + nacl*) ;; - -dicos*) - os=-dicos + ios) ;; - -nacl*) + none) ;; - -none) + *-eabi) ;; *) - # Get rid of the `-' at the beginning of $os. - os=`echo $os | sed 's/[^-]*-//'` - echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 + echo Invalid configuration \`"$1"\': system \`"$os"\' not recognized 1>&2 exit 1 ;; esac 
@@ -1529,264 +1528,265 @@ # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. -case $basic_machine in +case $cpu-$vendor in score-*) - os=-elf + os=elf ;; spu-*) - os=-elf + os=elf ;; *-acorn) - os=-riscix1.2 + os=riscix1.2 ;; arm*-rebel) - os=-linux + os=linux ;; arm*-semi) - os=-aout + os=aout ;; c4x-* | tic4x-*) - os=-coff + os=coff ;; c8051-*) - os=-elf + os=elf + ;; + clipper-intergraph) + os=clix ;; hexagon-*) - os=-elf + os=elf ;; tic54x-*) - os=-coff + os=coff ;; tic55x-*) - os=-coff + os=coff ;; tic6x-*) - os=-coff + os=coff ;; # This must come before the *-dec entry. pdp10-*) - os=-tops20 + os=tops20 ;; pdp11-*) - os=-none + os=none ;; *-dec | vax-*) - os=-ultrix4.2 + os=ultrix4.2 ;; m68*-apollo) - os=-domain + os=domain ;; i386-sun) - os=-sunos4.0.2 + os=sunos4.0.2 ;; m68000-sun) - os=-sunos3 + os=sunos3 ;; m68*-cisco) - os=-aout + os=aout ;; mep-*) - os=-elf + os=elf ;; mips*-cisco) - os=-elf + os=elf ;; mips*-*) - os=-elf - ;; - or1k-*) - os=-elf + os=elf ;; or32-*) - os=-coff + os=coff ;; *-tti) # must be before sparc entry or we get the wrong os. 
- os=-sysv3 + os=sysv3 ;; sparc-* | *-sun) - os=-sunos4.1.1 + os=sunos4.1.1 ;; - *-be) - os=-beos + pru-*) + os=elf ;; - *-haiku) - os=-haiku + *-be) + os=beos ;; *-ibm) - os=-aix + os=aix ;; *-knuth) - os=-mmixware + os=mmixware ;; *-wec) - os=-proelf + os=proelf ;; *-winbond) - os=-proelf + os=proelf ;; *-oki) - os=-proelf + os=proelf ;; *-hp) - os=-hpux + os=hpux ;; *-hitachi) - os=-hiux + os=hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) - os=-sysv + os=sysv ;; *-cbm) - os=-amigaos + os=amigaos ;; *-dg) - os=-dgux + os=dgux ;; *-dolphin) - os=-sysv3 + os=sysv3 ;; m68k-ccur) - os=-rtu + os=rtu ;; m88k-omron*) - os=-luna + os=luna ;; - *-next ) - os=-nextstep + *-next) + os=nextstep ;; *-sequent) - os=-ptx + os=ptx ;; *-crds) - os=-unos + os=unos ;; *-ns) - os=-genix + os=genix ;; i370-*) - os=-mvs - ;; - *-next) - os=-nextstep3 + os=mvs ;; *-gould) - os=-sysv + os=sysv ;; *-highlevel) - os=-bsd + os=bsd ;; *-encore) - os=-bsd + os=bsd ;; *-sgi) - os=-irix + os=irix ;; *-siemens) - os=-sysv4 + os=sysv4 ;; *-masscomp) - os=-rtu + os=rtu ;; f30[01]-fujitsu | f700-fujitsu) - os=-uxpv + os=uxpv ;; *-rom68k) - os=-coff + os=coff ;; *-*bug) - os=-coff + os=coff ;; *-apple) - os=-macos + os=macos ;; *-atari*) - os=-mint + os=mint + ;; + *-wrs) + os=vxworks ;; *) - os=-none + os=none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. 
-vendor=unknown -case $basic_machine in - *-unknown) +case $vendor in + unknown) case $os in - -riscix*) + riscix*) vendor=acorn ;; - -sunos*) + sunos*) vendor=sun ;; - -cnk*|-aix*) + cnk*|-aix*) vendor=ibm ;; - -beos*) + beos*) vendor=be ;; - -hpux*) + hpux*) vendor=hp ;; - -mpeix*) + mpeix*) vendor=hp ;; - -hiux*) + hiux*) vendor=hitachi ;; - -unos*) + unos*) vendor=crds ;; - -dgux*) + dgux*) vendor=dg ;; - -luna*) + luna*) vendor=omron ;; - -genix*) + genix*) vendor=ns ;; - -mvs* | -opened*) + clix*) + vendor=intergraph + ;; + mvs* | opened*) vendor=ibm ;; - -os400*) + os400*) vendor=ibm ;; - -ptx*) + ptx*) vendor=sequent ;; - -tpf*) + tpf*) vendor=ibm ;; - -vxsim* | -vxworks* | -windiss*) + vxsim* | vxworks* | windiss*) vendor=wrs ;; - -aux*) + aux*) vendor=apple ;; - -hms*) + hms*) vendor=hitachi ;; - -mpw* | -macos*) + mpw* | macos*) vendor=apple ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + *mint | mint[0-9]* | *MiNT | MiNT[0-9]*) vendor=atari ;; - -vos*) + vos*) vendor=stratus ;; esac - basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac -echo $basic_machine$os +echo "$cpu-$vendor-$os" exit # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" diff -Nru nettle-3.4.1/configure nettle-3.7.3/configure --- nettle-3.4.1/configure 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/configure 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for nettle 3.4.1. +# Generated by GNU Autoconf 2.69 for nettle 3.7.3. # # Report bugs to . # 
@@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='nettle' PACKAGE_TARNAME='nettle' -PACKAGE_VERSION='3.4.1' -PACKAGE_STRING='nettle 3.4.1' +PACKAGE_VERSION='3.7.3' +PACKAGE_STRING='nettle 3.7.3' PACKAGE_BUGREPORT='nettle-bugs@lists.lysator.liu.se' PACKAGE_URL='' @@ -652,7 +652,11 @@ LIBNETTLE_FORLINK LIBNETTLE_MINOR LIBNETTLE_MAJOR +ASM_X86_MARK_CET_ALIGN +ASM_X86_MARK_CET +ASM_X86_ENDBR EMULATOR +ASM_WORDS_BIGENDIAN W64_ABI ASM_ALIGN_LOG ASM_MARK_NOEXEC_STACK @@ -662,8 +666,10 @@ ASM_ELF_STYLE ASM_SYMBOL_PREFIX CCPIC +ASM_PPC_WANT_R_REGISTERS IF_ASM ASM_RODATA +FAT_TEST_LIST OPT_NETTLE_SOURCES OPT_HOGWEED_OBJS OPT_NETTLE_OBJS @@ -675,7 +681,6 @@ CPP DEP_PROCESS DEP_FLAGS -DEP_INCLUDE EXEEXT_FOR_BUILD CC_FOR_BUILD LN_S @@ -768,6 +773,9 @@ enable_fat enable_arm_neon enable_x86_aesni +enable_x86_sha_ni +enable_power_crypto_ext +enable_power_altivec enable_mini_gmp enable_ld_version_script enable_dependency_tracking @@ -1335,7 +1343,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures nettle 3.4.1 to adapt to many kinds of systems. +\`configure' configures nettle 3.7.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1401,7 +1409,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of nettle 3.4.1:";; + short | recursive ) echo "Configuration of nettle 3.7.3:";; esac cat <<\_ACEOF 
@@ -1419,9 +1427,14 @@ --enable-gcov Instrument for gcov (requires a modern gcc) --disable-documentation Omit building and installing the documentation. (default=auto) - --enable-fat Enable fat library build (default=no) + --disable-fat Disable fat library build --enable-arm-neon Enable ARM Neon assembly. (default=auto) --enable-x86-aesni Enable x86_64 aes instructions. (default=no) + --enable-x86-sha-ni Enable x86_64 sha_ni instructions. (default=no) + --enable-power-crypto-ext + Enable POWER crypto extensions. (default=no) + --enable-power-altivec Enable POWER altivec and vsx extensions. + (default=no) --enable-mini-gmp Enable mini-gmp, used instead of libgmp. --enable-ld-version-script enable linker version script (default is enabled @@ -1518,7 +1531,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -nettle configure 3.4.1 +nettle configure 3.7.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2162,7 +2175,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by nettle $as_me 3.4.1, which was +It was created by nettle $as_me 3.7.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2546,11 +2559,11 @@ ac_config_headers="$ac_config_headers config.h" -LIBNETTLE_MAJOR=6 -LIBNETTLE_MINOR=5 +LIBNETTLE_MAJOR=8 +LIBNETTLE_MINOR=4 -LIBHOGWEED_MAJOR=4 -LIBHOGWEED_MINOR=5 +LIBHOGWEED_MAJOR=6 +LIBHOGWEED_MINOR=4 MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([^.]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[^.]*\.\([0-9]*\).*/\1/'` @@ -2724,7 +2737,7 @@ if test "${enable_fat+set}" = set; then : enableval=$enable_fat; else - enable_fat=no + enable_fat=yes fi 
@@ -2744,6 +2757,30 @@ fi +# Check whether --enable-x86-sha-ni was given. +if test "${enable_x86_sha_ni+set}" = set; then : + enableval=$enable_x86_sha_ni; +else + enable_x86_sha_ni=no +fi + + +# Check whether --enable-power-crypto-ext was given. +if test "${enable_power_crypto_ext+set}" = set; then : + enableval=$enable_power_crypto_ext; +else + enable_power_crypto_ext=no +fi + + +# Check whether --enable-power-altivec was given. +if test "${enable_power_altivec+set}" = set; then : + enableval=$enable_power_altivec; +else + enable_altivec=no +fi + + # Check whether --enable-mini-gmp was given. if test "${enable_mini_gmp+set}" = set; then : enableval=$enable_mini_gmp; @@ -4627,7 +4664,7 @@ int main () { - exit(0); + return 0; } EOF gmp_compile="$CC_FOR_BUILD conftest.c" @@ -4659,7 +4696,7 @@ int main () { - exit(0); + return 0; } EOF gmp_compile="$HOST_CC conftest.c" @@ -4695,7 +4732,7 @@ int main () { - exit(0); + return 0; } EOF gmp_compile="$i conftest.c" @@ -4745,7 +4782,7 @@ int main () { - exit (0); + return 0; } EOF for i in .exe ,ff8 ""; do @@ -4805,24 +4842,8 @@ fi fi -if test x$enable_dependency_tracking = xyes ; then - DEP_INCLUDE='include ' -else - DEP_INCLUDE='# ' -fi - - - - - -if test x$enable_dependency_tracking = xyes ; then - # Since the makefiles use include to get the dependency files, we must - # make sure that the files exist. We generate some more files than are - # actually needed. - ac_config_commands="$ac_config_commands dummy-dep-files" -fi if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" @@ -5802,6 +5823,8 @@ fi done + +ASM_WORDS_BIGENDIAN=unknown { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 $as_echo_n "checking whether byte ordering is bigendian... " >&6; } if ${ac_cv_c_bigendian+:} false; then : 
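Review bot: The `--enable-power-altivec` handler added in this hunk sets the wrong variable in its default branch: the option is read from `enable_power_altivec`, but the `else` arm writes `enable_altivec=no`, so `enable_power_altivec` stays unset when the flag is not given, unlike the sibling `enable_x86_sha_ni` and `enable_power_crypto_ext` blocks which default their own variable to `no`. Any later `test "x$enable_power_altivec" = "xno"` style check would then compare against an empty string, while the rest of the script presumably keys on this variable when deciding whether to build the POWER altivec/vsx assembly. The line should read `enable_power_altivec=no`; since this script is generated by Autoconf, the correction belongs in the AC_ARG_ENABLE for power-altivec in the Autoconf source it is generated from, with configure regenerated.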
@@ -6013,9 +6036,10 @@ case $ac_cv_c_bigendian in #( yes) $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h -;; #( + + ASM_WORDS_BIGENDIAN=yes;; #( no) - ;; #( + ASM_WORDS_BIGENDIAN=no ;; #( universal) $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h @@ -6027,6 +6051,44 @@ esac +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __builtin_bswap64" >&5 +$as_echo_n "checking for __builtin_bswap64... " >&6; } +if ${nettle_cv_c_builtin_bswap64+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include + +int +main () +{ + +uint64_t x = 17; +uint64_t y = __builtin_bswap64(x); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + nettle_cv_c_builtin_bswap64=yes +else + nettle_cv_c_builtin_bswap64=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_c_builtin_bswap64" >&5 +$as_echo "$nettle_cv_c_builtin_bswap64" >&6; } + + +if test "x$nettle_cv_c_builtin_bswap64" = "xyes" ; then + $as_echo "#define HAVE_BUILTIN_BSWAP64 1" >>confdefs.h + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__" >&5 $as_echo_n "checking for __attribute__... " >&6; } if ${lsh_cv_c_attribute+:} false; then : 
@@ -6071,656 +6133,257 @@ -# According to Simon Josefsson, looking for uint32_t and friends in -# sys/types.h is needed on some systems, in particular cygwin. -# ------ AX CREATE STDINT H ------------------------------------- -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint types" >&5 -$as_echo_n "checking for stdint types... " >&6; } -ac_stdint_h=`echo nettle-stdint.h` -# try to shortcircuit - if the default include path of the compiler -# can find a "stdint.h" header then we assume that all compilers can. -if ${ac_cv_header_stdint_t+:} false; then : +# Check for file locking. We (AC_PROG_CC?) have already checked for +# sys/types.h and unistd.h. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fcntl file locking" >&5 +$as_echo_n "checking for fcntl file locking... " >&6; } +if ${nettle_cv_fcntl_locking+:} false; then : $as_echo_n "(cached) " >&6 else - -old_CXXFLAGS="$CXXFLAGS" ; CXXFLAGS="" -old_CPPFLAGS="$CPPFLAGS" ; CPPFLAGS="" -old_CFLAGS="$CFLAGS" ; CFLAGS="" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include + +#if HAVE_SYS_TYPES_H +# include +#endif +#if HAVE_UNISTD_H +# include +#endif +#include + int main () { -int_least32_t v = 0; + +int op = F_SETLKW; +struct flock fl; + ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_stdint_result="(assuming C99 compatible system)" - ac_cv_header_stdint_t="stdint.h"; + nettle_cv_fcntl_locking=yes else - ac_cv_header_stdint_t="" + nettle_cv_fcntl_locking=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -CXXFLAGS="$old_CXXFLAGS" -CPPFLAGS="$old_CPPFLAGS" -CFLAGS="$old_CFLAGS" -fi - - -v="... 
$ac_cv_header_stdint_h" -if test "$ac_stdint_h" = "stdint.h" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./stdint.h?)" >&5 -$as_echo "(are you sure you want them in ./stdint.h?)" >&6; } -elif test "$ac_stdint_h" = "inttypes.h" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./inttypes.h?)" >&5 -$as_echo "(are you sure you want them in ./inttypes.h?)" >&6; } -elif test "_$ac_cv_header_stdint_t" = "_" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (putting them into $ac_stdint_h)$v" >&5 -$as_echo "(putting them into $ac_stdint_h)$v" >&6; } -else - ac_cv_header_stdint="$ac_cv_header_stdint_t" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint (shortcircuit)" >&5 -$as_echo "$ac_cv_header_stdint (shortcircuit)" >&6; } fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_fcntl_locking" >&5 +$as_echo "$nettle_cv_fcntl_locking" >&6; } -if test "_$ac_cv_header_stdint_t" = "_" ; then # can not shortcircuit.. +if test "x$nettle_cv_fcntl_locking" = "xyes" ; then + $as_echo "#define HAVE_FCNTL_LOCKING 1" >>confdefs.h -inttype_headers=`echo sys/types.h | sed -e 's/,/ /g'` +fi -ac_cv_stdint_result="(no helpful system typedefs seen)" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 -$as_echo_n "checking for stdint uintptr_t... " >&6; } -if ${ac_cv_header_stdint_x+:} false; then : +# Checks for libraries +if test "x$enable_public_key" = "xyes" ; then + if test "x$enable_mini_gmp" = "xno" ; then + # mpn_zero_p was added in GMP-6.1.0 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __gmpn_zero_p in -lgmp" >&5 +$as_echo_n "checking for __gmpn_zero_p in -lgmp... " >&6; } +if ${ac_cv_lib_gmp___gmpn_zero_p+:} false; then : $as_echo_n "(cached) " >&6 else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgmp $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ - ac_cv_header_stdint_x="" # the 1997 typedefs (inttypes.h) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - for i in stdint.h inttypes.h sys/inttypes.h $inttype_headers ; do - unset ac_cv_type_uintptr_t - unset ac_cv_type_uint64_t - ac_fn_c_check_type "$LINENO" "uintptr_t" "ac_cv_type_uintptr_t" "#include <$i> -" -if test "x$ac_cv_type_uintptr_t" = xyes; then : - ac_cv_header_stdint_x=$i +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char __gmpn_zero_p (); +int +main () +{ +return __gmpn_zero_p (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gmp___gmpn_zero_p=yes else - continue + ac_cv_lib_gmp___gmpn_zero_p=no fi - - ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> -" -if test "x$ac_cv_type_uint64_t" = xyes; then : - and64="/uint64_t" -else - and64="" +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpn_zero_p" >&5 +$as_echo "$ac_cv_lib_gmp___gmpn_zero_p" >&6; } +if test "x$ac_cv_lib_gmp___gmpn_zero_p" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBGMP 1 +_ACEOF - ac_cv_stdint_result="(seen uintptr_t$and64 in $i)" - break; - done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 -$as_echo_n "checking for stdint uintptr_t... " >&6; } + LIBS="-lgmp $LIBS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. + Support for public key algorithms will be unavailable." >&5 +$as_echo "$as_me: WARNING: GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. 
+ Support for public key algorithms will be unavailable." >&2;} + enable_public_key=no fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_x" >&5 -$as_echo "$ac_cv_header_stdint_x" >&6; } -if test "_$ac_cv_header_stdint_x" = "_" ; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 -$as_echo_n "checking for stdint uint32_t... " >&6; } -if ${ac_cv_header_stdint_o+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_cv_header_stdint_o="" # the 1995 typedefs (sys/inttypes.h) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - for i in inttypes.h sys/inttypes.h stdint.h $inttype_headers ; do - unset ac_cv_type_uint32_t - unset ac_cv_type_uint64_t - ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "#include <$i> -" -if test "x$ac_cv_type_uint32_t" = xyes; then : - ac_cv_header_stdint_o=$i + # Add -R flags needed to run programs linked with gmp + if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then + ac_success=no + if test "$cross_compiling" = yes; then : + : else - continue -fi - - ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> -" -if test "x$ac_cv_type_uint64_t" = xyes; then : - and64="/uint64_t" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int main(int argc, char **argv) { return 0; } +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_success=yes else - and64="" -fi - - ac_cv_stdint_result="(seen uint32_t$and64 in $i)" - break; - done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 -$as_echo_n "checking for stdint uint32_t... 
" >&6; } - + ac_success=no fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_o" >&5 -$as_echo "$ac_cv_header_stdint_o" >&6; } +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext fi -if test "_$ac_cv_header_stdint_x" = "_" ; then -if test "_$ac_cv_header_stdint_o" = "_" ; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 -$as_echo_n "checking for stdint u_int32_t... " >&6; } -if ${ac_cv_header_stdint_u+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_cv_header_stdint_u="" # the BSD typedefs (sys/types.h) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - for i in sys/types.h inttypes.h sys/inttypes.h $inttype_headers ; do - unset ac_cv_type_u_int32_t - unset ac_cv_type_u_int64_t - ac_fn_c_check_type "$LINENO" "u_int32_t" "ac_cv_type_u_int32_t" "#include <$i> -" -if test "x$ac_cv_type_u_int32_t" = xyes; then : - ac_cv_header_stdint_u=$i + if test $ac_success = no ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking Running simple test program failed. Trying -R flags" >&5 +$as_echo_n "checking Running simple test program failed. Trying -R flags... " >&6; } + ac_remaining_dirs='' + ac_rpath_save_LDFLAGS="$LDFLAGS" + for d in $RPATH_CANDIDATE_DIRS ; do + if test $ac_success = yes ; then + ac_remaining_dirs="$ac_remaining_dirs $d" + else + LDFLAGS="$RPATHFLAG$d $LDFLAGS" + if test "$cross_compiling" = yes; then : + : else - continue -fi + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +int main(int argc, char **argv) { return 0; } +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_success=yes + ac_rpath_save_LDFLAGS="$LDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: adding $RPATHFLAG$d" >&5 +$as_echo "adding $RPATHFLAG$d" >&6; } - ac_fn_c_check_type "$LINENO" "u_int64_t" "ac_cv_type_u_int64_t" "#include<$i> -" -if test "x$ac_cv_type_u_int64_t" = xyes; then : - and64="/u_int64_t" else - and64="" + ac_remaining_dirs="$ac_remaining_dirs $d" +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext fi - ac_cv_stdint_result="(seen u_int32_t$and64 in $i)" - break; - done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 -$as_echo_n "checking for stdint u_int32_t... " >&6; } + LDFLAGS="$ac_rpath_save_LDFLAGS" + fi + done + RPATH_CANDIDATE_DIRS=$ac_remaining_dirs + fi + if test $ac_success = no ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 +$as_echo "failed" >&6; } + fi +fi + fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_u" >&5 -$as_echo "$ac_cv_header_stdint_u" >&6; } -fi fi - -if test "_$ac_cv_header_stdint_x" = "_" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint datatype model" >&5 -$as_echo_n "checking for stdint datatype model... " >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char" >&5 -$as_echo_n "checking size of char... 
" >&6; } -if ${ac_cv_sizeof_char+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char))" "ac_cv_sizeof_char" "$ac_includes_default"; then : + +nettle_cv_gmp_numb_bits=0 +if test "x$enable_public_key" = "xyes" ; then + # Check for gmp limb size + if test "x$enable_mini_gmp" = "xyes" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mini-gmp limb size" >&5 +$as_echo_n "checking for mini-gmp limb size... " >&6; } + # With mini-gmp, mp_limb_t is always unsigned long. + if ac_fn_c_compute_int "$LINENO" "(sizeof(unsigned long) * CHAR_BIT)" "nettle_cv_gmp_numb_bits" "#include "; then : else - if test "$ac_cv_type_char" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (char) +as_fn_error $? "cannot find value of GMP_NUMB_BITS See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_char=0 - fi -fi - fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char" >&5 -$as_echo "$ac_cv_sizeof_char" >&6; } - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_CHAR $ac_cv_sizeof_char -_ACEOF - - - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short" >&5 -$as_echo_n "checking size of short... 
" >&6; } -if ${ac_cv_sizeof_short+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (short))" "ac_cv_sizeof_short" "$ac_includes_default"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 +$as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GMP limb size" >&5 +$as_echo_n "checking for GMP limb size... " >&6; } + if ac_fn_c_compute_int "$LINENO" "GMP_NUMB_BITS" "nettle_cv_gmp_numb_bits" "#include "; then : else - if test "$ac_cv_type_short" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (short) +as_fn_error $? "cannot find value of GMP_NUMB_BITS See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_short=0 - fi -fi - fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_short" >&5 -$as_echo "$ac_cv_sizeof_short" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 +$as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } + fi +fi -cat >>confdefs.h <<_ACEOF -#define SIZEOF_SHORT $ac_cv_sizeof_short -_ACEOF +# Substituted in Makefile, passed on to the eccdata command. +NUMB_BITS="$nettle_cv_gmp_numb_bits" - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of int" >&5 -$as_echo_n "checking size of int... " >&6; } -if ${ac_cv_sizeof_int+:} false; then : - $as_echo_n "(cached) " >&6 +# Substituted in version.h, used only with mini-gmp. 
+if test "x$enable_mini_gmp" = "xyes" ; then + GMP_NUMB_BITS="$NUMB_BITS" else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (int))" "ac_cv_sizeof_int" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (int) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_int=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_int" >&5 -$as_echo "$ac_cv_sizeof_int" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_INT $ac_cv_sizeof_int -_ACEOF - - - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 -$as_echo_n "checking size of long... " >&6; } -if ${ac_cv_sizeof_long+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_long" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (long) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_long=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 -$as_echo "$ac_cv_sizeof_long" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_LONG $ac_cv_sizeof_long -_ACEOF - - - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void*" >&5 -$as_echo_n "checking size of void*... " >&6; } -if ${ac_cv_sizeof_voidp+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void*))" "ac_cv_sizeof_voidp" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_voidp" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (void*) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_voidp=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_voidp" >&5 -$as_echo "$ac_cv_sizeof_voidp" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_VOIDP $ac_cv_sizeof_voidp -_ACEOF - - - ac_cv_stdint_char_model="" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_char" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_short" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_int" - ac_cv_stdint_long_model="" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_int" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_long" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_voidp" - name="$ac_cv_stdint_long_model" - case "$ac_cv_stdint_char_model/$ac_cv_stdint_long_model" in - 122/242) name="$name, IP16 (standard 16bit machine)" ;; - 122/244) name="$name, LP32 (standard 32bit mac/win)" ;; - 122/*) name="$name (unusual int16 model)" ;; - 124/444) name="$name, ILP32 (standard 32bit unixish)" ;; - 124/488) name="$name, LP64 (standard 64bit unixish)" ;; - 124/448) name="$name, LLP64 (unusual 64bit unixish)" ;; - 124/*) name="$name (unusual int32 model)" ;; - 128/888) name="$name, ILP64 (unusual 64bit numeric)" ;; - 128/*) name="$name (unusual int64 model)" ;; - 222/*|444/*) name="$name (unusual dsptype)" ;; - *) name="$name (very unusal model)" ;; - esac - { 
$as_echo "$as_me:${as_lineno-$LINENO}: result: combined for stdint datatype model... $name" >&5 -$as_echo "combined for stdint datatype model... $name" >&6; } -fi - -if test "_$ac_cv_header_stdint_x" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_x" -elif test "_$ac_cv_header_stdint_o" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_o" -elif test "_$ac_cv_header_stdint_u" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_u" -else - ac_cv_header_stdint="stddef.h" -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for extra inttypes in chosen header" >&5 -$as_echo_n "checking for extra inttypes in chosen header... " >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ($ac_cv_header_stdint)" >&5 -$as_echo "($ac_cv_header_stdint)" >&6; } -unset ac_cv_type_int_least32_t -unset ac_cv_type_int_fast32_t -ac_fn_c_check_type "$LINENO" "int_least32_t" "ac_cv_type_int_least32_t" "#include <$ac_cv_header_stdint> -" -if test "x$ac_cv_type_int_least32_t" = xyes; then : - -fi - -ac_fn_c_check_type "$LINENO" "int_fast32_t" "ac_cv_type_int_fast32_t" "#include<$ac_cv_header_stdint> -" -if test "x$ac_cv_type_int_fast32_t" = xyes; then : - -fi - -ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "#include <$ac_cv_header_stdint> -" -if test "x$ac_cv_type_intmax_t" = xyes; then : - -fi - - -fi # shortcircut to system "stdint.h" -# ------------------ PREPARE VARIABLES ------------------------------ -if test "$GCC" = "yes" ; then -ac_cv_stdint_message="using gnu compiler "`$CC --version | head -1` -else -ac_cv_stdint_message="using $CC" -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&5 -$as_echo "make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&6; } - -# ----------------- DONE inttypes.h checks START header ------------- -ac_config_commands="$ac_config_commands $ac_stdint_h" + GMP_NUMB_BITS="n/a" +fi +# Figure out ABI. 
Currently, configurable only by setting CFLAGS. +ABI=standard -# Check for file locking. We (AC_PROG_CC?) have already checked for -# sys/types.h and unistd.h. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fcntl file locking" >&5 -$as_echo_n "checking for fcntl file locking... " >&6; } -if ${nettle_cv_fcntl_locking+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +case "$host_cpu" in + x86_64 | amd64) + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_UNISTD_H -# include +#if defined(__x86_64__) || defined(__arch64__) +#error 64-bit x86 #endif -#include int main () { -int op = F_SETLKW; -struct flock fl; - ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - nettle_cv_fcntl_locking=yes -else - nettle_cv_fcntl_locking=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_fcntl_locking" >&5 -$as_echo "$nettle_cv_fcntl_locking" >&6; } - - -if test "x$nettle_cv_fcntl_locking" = "xyes" ; then - $as_echo "#define HAVE_FCNTL_LOCKING 1" >>confdefs.h - -fi - -# Checks for libraries -if test "x$enable_public_key" = "xyes" ; then - if test "x$enable_mini_gmp" = "xno" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __gmpn_sec_div_r in -lgmp" >&5 -$as_echo_n "checking for __gmpn_sec_div_r in -lgmp... " >&6; } -if ${ac_cv_lib_gmp___gmpn_sec_div_r+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lgmp $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char __gmpn_sec_div_r (); -int -main () -{ -return __gmpn_sec_div_r (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_gmp___gmpn_sec_div_r=yes -else - ac_cv_lib_gmp___gmpn_sec_div_r=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpn_sec_div_r" >&5 -$as_echo "$ac_cv_lib_gmp___gmpn_sec_div_r" >&6; } -if test "x$ac_cv_lib_gmp___gmpn_sec_div_r" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBGMP 1 -_ACEOF - LIBS="-lgmp $LIBS" - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: GNU MP not found, or too old. GMP-6.0 or later is needed, see https://gmplib.org/. - Support for public key algorithms will be unavailable." >&5 -$as_echo "$as_me: WARNING: GNU MP not found, or too old. GMP-6.0 or later is needed, see https://gmplib.org/. - Support for public key algorithms will be unavailable." >&2;} - enable_public_key=no -fi - - - # Add -R flags needed to run programs linked with gmp - if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then - ac_success=no - if test "$cross_compiling" = yes; then : - : -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -int main(int argc, char **argv) { return 0; } -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_success=yes -else - ac_success=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - - if test $ac_success = no ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking Running simple test program failed. Trying -R flags" >&5 -$as_echo_n "checking Running simple test program failed. Trying -R flags... 
" >&6; } - ac_remaining_dirs='' - ac_rpath_save_LDFLAGS="$LDFLAGS" - for d in $RPATH_CANDIDATE_DIRS ; do - if test $ac_success = yes ; then - ac_remaining_dirs="$ac_remaining_dirs $d" - else - LDFLAGS="$RPATHFLAG$d $LDFLAGS" - if test "$cross_compiling" = yes; then : - : -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -int main(int argc, char **argv) { return 0; } -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_success=yes - ac_rpath_save_LDFLAGS="$LDFLAGS" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: adding $RPATHFLAG$d" >&5 -$as_echo "adding $RPATHFLAG$d" >&6; } - -else - ac_remaining_dirs="$ac_remaining_dirs $d" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - LDFLAGS="$ac_rpath_save_LDFLAGS" - fi - done - RPATH_CANDIDATE_DIRS=$ac_remaining_dirs - fi - if test $ac_success = no ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 -$as_echo "failed" >&6; } - fi -fi - - fi -fi - -nettle_cv_gmp_numb_bits=0 -if test "x$enable_public_key" = "xyes" ; then - # Check for gmp limb size - if test "x$enable_mini_gmp" = "xyes" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mini-gmp limb size" >&5 -$as_echo_n "checking for mini-gmp limb size... " >&6; } - # With mini-gmp, mp_limb_t is always unsigned long. - if ac_fn_c_compute_int "$LINENO" "(sizeof(unsigned long) * CHAR_BIT)" "nettle_cv_gmp_numb_bits" "#include "; then : - -else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot find value of GMP_NUMB_BITS -See \`config.log' for more details" "$LINENO" 5; } -fi - - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 -$as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GMP limb size" >&5 -$as_echo_n "checking for GMP limb size... 
" >&6; } - if ac_fn_c_compute_int "$LINENO" "GMP_NUMB_BITS" "nettle_cv_gmp_numb_bits" "#include "; then : + ABI=32 else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot find value of GMP_NUMB_BITS -See \`config.log' for more details" "$LINENO" 5; } -fi - - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 -$as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } - fi -fi - -# Substituted in Makefile, passed on to the eccdata command. -NUMB_BITS="$nettle_cv_gmp_numb_bits" + ABI=64 -# Substituted in version.h, used only with mini-gmp. -if test "x$enable_mini_gmp" = "xyes" ; then - GMP_NUMB_BITS="$NUMB_BITS" -else - GMP_NUMB_BITS="n/a" fi - - -# Figure out ABI. Currently, configurable only by setting CFLAGS. -ABI=standard - -case "$host_cpu" in - x86_64 | amd64) +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ;; + *sparc*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#if defined(__x86_64__) || defined(__arch64__) -#error 64-bit x86 +#if defined(__sparcv9) || defined(__arch64__) +#error 64-bit sparc #endif int @@ -6742,12 +6405,12 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; - *sparc*) + *mips*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#if defined(__sparcv9) || defined(__arch64__) -#error 64-bit sparc +#if defined(__sgi) && defined(__LP64__) +#error 64-bit mips #endif int @@ -6769,12 +6432,12 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; - *mips*) + *powerpc64*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#if defined(__sgi) && defined(__LP64__) -#error 64-bit mips +#if defined(__PPC64__) +#error 64-bit powerpc #endif int 
@@ -6856,12 +6519,14 @@ fi OPT_NETTLE_SOURCES="" +FAT_TEST_LIST="" +ASM_PPC_WANT_R_REGISTERS="n/a" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in - i?86* | k[5-8]* | pentium* | athlon) + x86 | i?86* | k[5-8]* | pentium* | athlon) asm_path=x86 ;; x86_64 | amd64) @@ -6870,8 +6535,16 @@ if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" - elif test "x$enable_x86_aesni" = xyes ; then - asm_path="x86_64/aesni $asm_path" + # For now, not enabling aesni or sha_ni, since at least + # the latter appears unavailable on te gitlab test machines. + FAT_TEST_LIST="vendor:intel vendor:amd" + else + if test "x$enable_x86_aesni" = xyes ; then + asm_path="x86_64/aesni $asm_path" + fi + if test "x$enable_x86_sha_ni" = xyes ; then + asm_path="x86_64/sha_ni $asm_path" + fi fi else asm_path=x86 @@ -6889,6 +6562,7 @@ if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" + FAT_TEST_LIST="arch:5 arch:6,neon" else case "$host_cpu" in armv6* | armv7*) 
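Review bot: The comment added in the x86_64 fat branch (hunk @@ -6870,8 +6535,16 @@) has a typo, "te" for "the"; it should read `# the latter appears unavailable on the gitlab test machines.`. The same hunk also changes behaviour in a way the comment only half states: in fat mode the `aesni`/`sha_ni` directories are no longer added at all, whereas the non-fat path now honours both `--enable-x86-aesni` and `--enable-x86-sha-ni` independently, so a line such as `# In fat mode the runtime dispatcher selects these; they are not added to asm_path here.` would make the intent clearer (I am inferring the dispatcher role from the fat-x86_64.c source added on the line above — confirm). `FAT_TEST_LIST` is introduced in the first hunk on this line without any note on what consumes it; a one-line comment at its definition would help. As this is a generated file, the wording lives in configure.ac.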
@@ -6941,14 +6615,80 @@ asm_path="arm/v6 arm" - - if test "x$enable_arm_neon" = xyes ; then - asm_path="arm/neon $asm_path" - fi ;; esac + if test "x$enable_arm_neon" = xyes ; then + asm_path="arm/neon $asm_path" + fi + fi + ;; + *powerpc64*) + if test "$ABI" = 64 ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the assembler needs r on registers" >&5 +$as_echo_n "checking if the assembler needs r on registers... " >&6; } +if ${gmp_cv_asm_powerpc_r_registers+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat >conftest.s <&5 + (eval $gmp_assemble) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + cat conftest.out >&5 + gmp_cv_asm_powerpc_r_registers=yes +else + cat conftest.out >&5 + echo "configure: failed program was:" >&5 + cat conftest.s >&5 + cat >conftest.s <&5 + (eval $gmp_assemble) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + cat conftest.out >&5 + gmp_cv_asm_powerpc_r_registers=no +else + cat conftest.out >&5 + echo "configure: failed program was:" >&5 + cat conftest.s >&5 + as_fn_error $? "neither \"mtctr 6\" nor \"mtctr r6\" works" "$LINENO" 5 +fi +rm -f conftest* + +fi +rm -f conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gmp_cv_asm_powerpc_r_registers" >&5 +$as_echo "$gmp_cv_asm_powerpc_r_registers" >&6; } +ASM_PPC_WANT_R_REGISTERS="$gmp_cv_asm_powerpc_r_registers" + + asm_path="powerpc64" + if test "x$enable_fat" = xyes ; then + asm_path="powerpc64/fat $asm_path" + OPT_NETTLE_SOURCES="fat-ppc.c $OPT_NETTLE_SOURCES" + FAT_TEST_LIST="none crypto_ext altivec" + else + if test "$enable_power_crypto_ext" = yes ; then + asm_path="powerpc64/p8 $asm_path" + fi + if test "$enable_power_altivec" = yes ; then + asm_path="powerpc64/p7 $asm_path" + fi + fi fi ;; + *) enable_assembler=no ;; 
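Review bot: The two new feature tests in the `*powerpc64*` arm, `if test "$enable_power_crypto_ext" = yes ; then` and `if test "$enable_power_altivec" = yes ; then`, use a different comparison idiom from the rest of this case statement, which consistently writes `test "x$enable_fat" = xyes`. The `x`-prefixed form is the safer one here since the left-hand side may be empty, and matching it keeps the block uniform: `if test "x$enable_power_crypto_ext" = xyes ; then` and `if test "x$enable_power_altivec" = xyes ; then`. The `ASM_PPC_WANT_R_REGISTERS` probe is only run when `$ABI` is 64, so on a 32-bit powerpc64 build the variable keeps its "n/a" default; a comment saying this is intended would avoid a reader assuming a missed case. The enclosing `case "$host_cpu"` opens before this hunk.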
@@ -6968,16 +6708,19 @@ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. -asm_nettle_optional_list="gcm-hash8.asm cpuid.asm \ +asm_nettle_optional_list="gcm-hash.asm gcm-hash8.asm cpuid.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm memxor-2.asm \ - salsa20-core-internal-2.asm sha1-compress-2.asm sha256-compress-2.asm \ + chacha-2core.asm chacha-3core.asm chacha-4core.asm chacha-core-internal-2.asm \ + salsa20-2core.asm salsa20-core-internal-2.asm \ + sha1-compress-2.asm sha256-compress-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then - asm_hogweed_optional_list="ecc-192-modp.asm ecc-224-modp.asm \ - ecc-25519-modp.asm ecc-256-redc.asm ecc-384-modp.asm ecc-521-modp.asm" + asm_hogweed_optional_list="ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \ + ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm \ + ecc-curve25519-modp.asm ecc-curve448-modp.asm" fi OPT_NETTLE_OBJS="" @@ -7068,6 +6811,7 @@ + if test "x$enable_assembler" = xyes ; then IF_ASM='' else @@ -7077,6 +6821,7 @@ + if test "x$enable_pic" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking CCPIC" >&5 $as_echo_n "checking CCPIC... " >&6; } @@ -7117,7 +6862,7 @@ int main () { -exit(0); +return 0; ; return 0; } 
@@ -7208,13 +6953,13 @@ LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' - LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBNETTLE_SONAME)' + LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -h $(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBHOGWEED_SONAME)' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) --shared -h $(LIBHOGWEED_SONAME)' LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; *) 
@@ -7467,6 +7212,107 @@ ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if Intel CET is enabled" >&5 +$as_echo_n "checking if Intel CET is enabled... " >&6; } +if ${nettle_cv_asm_x86_intel_cet+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#ifndef __CET__ +#error Intel CET is not enabled +#endif + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + nettle_cv_asm_x86_intel_cet=yes +else + nettle_cv_asm_x86_intel_cet=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_x86_intel_cet" >&5 +$as_echo "$nettle_cv_asm_x86_intel_cet" >&6; } +if test "$nettle_cv_asm_x86_intel_cet" = yes; then + case $ABI in + 32|standard) + ASM_X86_ENDBR=endbr32 + ASM_X86_MARK_CET_ALIGN=2 + ;; + 64) + ASM_X86_ENDBR=endbr64 + ASM_X86_MARK_CET_ALIGN=3 + ;; + x32) + ASM_X86_ENDBR=endbr64 + ASM_X86_MARK_CET_ALIGN=2 + ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if .note.gnu.property section is needed" >&5 +$as_echo_n "checking if .note.gnu.property section is needed... " >&6; } +if ${nettle_cv_asm_x86_gnu_property+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#if !defined __ELF__ || !defined __CET__ +#error GNU property is not needed +#endif + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + nettle_cv_asm_x86_gnu_property=yes +else + nettle_cv_asm_x86_gnu_property=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_x86_gnu_property" >&5 +$as_echo "$nettle_cv_asm_x86_gnu_property" >&6; } +else + nettle_cv_asm_x86_gnu_property=no +fi +if test "$nettle_cv_asm_x86_gnu_property" = yes; then + ASM_X86_MARK_CET=' + .pushsection ".note.gnu.property", "a" + .p2align ASM_X86_MARK_CET_ALIGN + .long 1f - 0f + .long 4f - 1f + .long 5 +0: + .asciz "GNU" +1: + .p2align ASM_X86_MARK_CET_ALIGN + .long 0xc0000002 + .long 3f - 2f +2: + .long 3 +3: + .p2align ASM_X86_MARK_CET_ALIGN +4: + .popsection' +fi + + + + + @@ -7772,18 +7618,7 @@ # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then - # Using -ggdb3 makes (some versions of) Redhat's gcc-2.96 dump core - if $CC --version | grep '^2\.96$' 1>/dev/null 2>&1; then - true - else - CFLAGS="$CFLAGS -ggdb3" - fi - # FIXME: It would be better to actually test if this option works and/or is needed. - # Or perhaps use -funsigned-char. - if $CC --version | grep 'gcc.* 4\.' 1>/dev/null 2>&1; then - CFLAGS="$CFLAGS -Wno-pointer-sign" - fi - CFLAGS="$CFLAGS -Wall -W \ + CFLAGS="$CFLAGS -ggdb3 -Wall -W -Wno-sign-compare \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" @@ -8307,7 +8142,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nettle $as_me 3.4.1, which was +This file was extended by nettle $as_me 3.7.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -8335,7 +8170,6 @@ config_files="$ac_config_files" config_headers="$ac_config_headers" config_links="$ac_config_links" -config_commands="$ac_config_commands" _ACEOF @@ -8368,16 +8202,13 @@ Configuration links: $config_links -Configuration commands: -$config_commands - Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nettle config.status 3.4.1 +nettle config.status 3.7.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -8492,28 +8323,6 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -# -# INIT-COMMANDS -# -# variables for create stdint.h replacement -PACKAGE="$PACKAGE" -VERSION="$VERSION" -ac_stdint_h="$ac_stdint_h" -_ac_stdint_h=`$as_echo "_$PACKAGE-$ac_stdint_h" | $as_tr_cpp` -ac_cv_stdint_message="$ac_cv_stdint_message" -ac_cv_header_stdint_t="$ac_cv_header_stdint_t" -ac_cv_header_stdint_x="$ac_cv_header_stdint_x" -ac_cv_header_stdint_o="$ac_cv_header_stdint_o" -ac_cv_header_stdint_u="$ac_cv_header_stdint_u" -ac_cv_type_uint64_t="$ac_cv_type_uint64_t" -ac_cv_type_u_int64_t="$ac_cv_type_u_int64_t" -ac_cv_stdint_char_model="$ac_cv_stdint_char_model" -ac_cv_stdint_long_model="$ac_cv_stdint_long_model" -ac_cv_type_int_least32_t="$ac_cv_type_int_least32_t" -ac_cv_type_int_fast32_t="$ac_cv_type_int_fast32_t" -ac_cv_type_intmax_t="$ac_cv_type_intmax_t" - - _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 @@ -8523,8 +8332,6 @@ do case $ac_config_target in "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; - "dummy-dep-files") CONFIG_COMMANDS="$CONFIG_COMMANDS dummy-dep-files" ;; - "$ac_stdint_h") CONFIG_COMMANDS="$CONFIG_COMMANDS $ac_stdint_h" ;; "$tmp_f") CONFIG_LINKS="$CONFIG_LINKS $tmp_f:$asm_dir/$tmp_f" ;; "$tmp_n") CONFIG_LINKS="$CONFIG_LINKS $tmp_n:$asm_dir/$tmp_n" ;; "$tmp_h") CONFIG_LINKS="$CONFIG_LINKS $tmp_h:$asm_dir/$tmp_h" ;; 
@@ -8553,7 +8360,6 @@ test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers test "${CONFIG_LINKS+set}" = set || CONFIG_LINKS=$config_links - test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands fi # Have a temporary directory for convenience. Make it in the build tree @@ -8850,7 +8656,7 @@ fi # test -n "$CONFIG_HEADERS" -eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :L $CONFIG_LINKS :C $CONFIG_COMMANDS" +eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :L $CONFIG_LINKS " shift for ac_tag do 
@@ -9125,403 +8931,9 @@ as_fn_error $? "cannot link or copy $ac_source to $ac_file" "$LINENO" 5 fi ;; - :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 -$as_echo "$as_me: executing $ac_file commands" >&6;} - ;; - esac - - - case $ac_file$ac_mode in - "dummy-dep-files":C) (cd "$srcdir" && find . '(' -name '*.c' -o -name '*.cxx' ')' -print) \ - | sed 's/\.cx*$//' | (while read f; do \ - test -f "$f.o.d" || echo > "$f.o.d"; \ - done) - ;; - "$ac_stdint_h":C) -{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_stdint_h : $_ac_stdint_h" >&5 -$as_echo "$as_me: creating $ac_stdint_h : $_ac_stdint_h" >&6;} -ac_stdint=$tmp/_stdint.h - -echo "#ifndef" $_ac_stdint_h >$ac_stdint -echo "#define" $_ac_stdint_h "1" >>$ac_stdint -echo "#ifndef" _GENERATED_STDINT_H >>$ac_stdint -echo "#define" _GENERATED_STDINT_H '"'$PACKAGE $VERSION'"' >>$ac_stdint -echo "/* generated $ac_cv_stdint_message */" >>$ac_stdint -if test "_$ac_cv_header_stdint_t" != "_" ; then -echo "#define _STDINT_HAVE_STDINT_H" "1" >>$ac_stdint -fi - -cat >>$ac_stdint < -#else -#include - -/* .................... configured part ............................ 
*/ - -STDINT_EOF - -echo "/* whether we have a C99 compatible stdint header file */" >>$ac_stdint -if test "_$ac_cv_header_stdint_x" != "_" ; then - ac_header="$ac_cv_header_stdint_x" - echo "#define _STDINT_HEADER_INTPTR" '"'"$ac_header"'"' >>$ac_stdint -else - echo "/* #undef _STDINT_HEADER_INTPTR */" >>$ac_stdint -fi - -echo "/* whether we have a C96 compatible inttypes header file */" >>$ac_stdint -if test "_$ac_cv_header_stdint_o" != "_" ; then - ac_header="$ac_cv_header_stdint_o" - echo "#define _STDINT_HEADER_UINT32" '"'"$ac_header"'"' >>$ac_stdint -else - echo "/* #undef _STDINT_HEADER_UINT32 */" >>$ac_stdint -fi - -echo "/* whether we have a BSD compatible inet types header */" >>$ac_stdint -if test "_$ac_cv_header_stdint_u" != "_" ; then - ac_header="$ac_cv_header_stdint_u" - echo "#define _STDINT_HEADER_U_INT32" '"'"$ac_header"'"' >>$ac_stdint -else - echo "/* #undef _STDINT_HEADER_U_INT32 */" >>$ac_stdint -fi - -echo "" >>$ac_stdint - -if test "_$ac_header" != "_" ; then if test "$ac_header" != "stddef.h" ; then - echo "#include <$ac_header>" >>$ac_stdint - echo "" >>$ac_stdint -fi fi - -echo "/* which 64bit typedef has been found */" >>$ac_stdint -if test "$ac_cv_type_uint64_t" = "yes" ; then -echo "#define _STDINT_HAVE_UINT64_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_UINT64_T */" >>$ac_stdint -fi -if test "$ac_cv_type_u_int64_t" = "yes" ; then -echo "#define _STDINT_HAVE_U_INT64_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_U_INT64_T */" >>$ac_stdint -fi -echo "" >>$ac_stdint - -echo "/* which type model has been detected */" >>$ac_stdint -if test "_$ac_cv_stdint_char_model" != "_" ; then -echo "#define _STDINT_CHAR_MODEL" "$ac_cv_stdint_char_model" >>$ac_stdint -echo "#define _STDINT_LONG_MODEL" "$ac_cv_stdint_long_model" >>$ac_stdint -else -echo "/* #undef _STDINT_CHAR_MODEL // skipped */" >>$ac_stdint -echo "/* #undef _STDINT_LONG_MODEL // skipped */" >>$ac_stdint -fi -echo "" >>$ac_stdint - -echo "/* whether int_least types 
were detected */" >>$ac_stdint -if test "$ac_cv_type_int_least32_t" = "yes"; then -echo "#define _STDINT_HAVE_INT_LEAST32_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_INT_LEAST32_T */" >>$ac_stdint -fi -echo "/* whether int_fast types were detected */" >>$ac_stdint -if test "$ac_cv_type_int_fast32_t" = "yes"; then -echo "#define _STDINT_HAVE_INT_FAST32_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_INT_FAST32_T */" >>$ac_stdint -fi -echo "/* whether intmax_t type was detected */" >>$ac_stdint -if test "$ac_cv_type_intmax_t" = "yes"; then -echo "#define _STDINT_HAVE_INTMAX_T" "1" >>$ac_stdint -else -echo "/* #undef _STDINT_HAVE_INTMAX_T */" >>$ac_stdint -fi -echo "" >>$ac_stdint - - cat >>$ac_stdint <= 199901L -#define _HAVE_UINT64_T -typedef long long int64_t; -typedef unsigned long long uint64_t; - -#elif !defined __STRICT_ANSI__ -#if defined _MSC_VER || defined __WATCOMC__ || defined __BORLANDC__ -#define _HAVE_UINT64_T -typedef __int64 int64_t; -typedef unsigned __int64 uint64_t; - -#elif defined __GNUC__ || defined __MWERKS__ || defined __ELF__ -/* note: all ELF-systems seem to have loff-support which needs 64-bit */ -#if !defined _NO_LONGLONG -#define _HAVE_UINT64_T -typedef long long int64_t; -typedef unsigned long long uint64_t; -#endif - -#elif defined __alpha || (defined __mips && defined _ABIN32) -#if !defined _NO_LONGLONG -typedef long int64_t; -typedef unsigned long uint64_t; -#endif - /* compiler/cpu type to define int64_t */ -#endif -#endif -#endif - -#if defined _STDINT_HAVE_U_INT_TYPES -/* int8_t int16_t int32_t defined by inet code, redeclare the u_intXX types */ -typedef u_int8_t uint8_t; -typedef u_int16_t uint16_t; -typedef u_int32_t uint32_t; - -/* glibc compatibility */ -#ifndef __int8_t_defined -#define __int8_t_defined -#endif -#endif - -#ifdef _STDINT_NEED_INT_MODEL_T -/* we must guess all the basic types. 
Apart from byte-adressable system, */ -/* there a few 32-bit-only dsp-systems that we guard with BYTE_MODEL 8-} */ -/* (btw, those nibble-addressable systems are way off, or so we assume) */ - - -#if defined _STDINT_BYTE_MODEL -#if _STDINT_LONG_MODEL+0 == 242 -/* 2:4:2 = IP16 = a normal 16-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned long uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef long int32_t; -#endif -#elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL == 444 -/* 2:4:4 = LP32 = a 32-bit system derived from a 16-bit */ -/* 4:4:4 = ILP32 = a normal 32-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned int uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef int int32_t; -#endif -#elif _STDINT_LONG_MODEL+0 == 484 || _STDINT_LONG_MODEL+0 == 488 -/* 4:8:4 = IP32 = a 32-bit system prepared for 64-bit */ -/* 4:8:8 = LP64 = a normal 64-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned int uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef int int32_t; -#endif -/* this system has a "long" of 64bit */ -#ifndef _HAVE_UINT64_T -#define _HAVE_UINT64_T -typedef unsigned long uint64_t; -typedef long int64_t; -#endif -#elif _STDINT_LONG_MODEL+0 == 448 -/* LLP64 a 64-bit system derived from a 32-bit system */ -typedef unsigned char uint8_t; -typedef unsigned short uint16_t; -typedef unsigned int uint32_t; -#ifndef __int8_t_defined -#define __int8_t_defined -typedef char int8_t; -typedef short int16_t; -typedef int int32_t; -#endif -/* assuming the system has a "long long" */ -#ifndef _HAVE_UINT64_T -#define _HAVE_UINT64_T -typedef unsigned long long uint64_t; -typedef long long int64_t; -#endif -#else -#define _STDINT_NO_INT32_T 
-#endif -#else -#define _STDINT_NO_INT8_T -#define _STDINT_NO_INT32_T -#endif -#endif - -/* - * quote from SunOS-5.8 sys/inttypes.h: - * Use at your own risk. As of February 1996, the committee is squarely - * behind the fixed sized types; the "least" and "fast" types are still being - * discussed. The probability that the "fast" types may be removed before - * the standard is finalized is high enough that they are not currently - * implemented. - */ - -#if defined _STDINT_NEED_INT_LEAST_T -typedef int8_t int_least8_t; -typedef int16_t int_least16_t; -typedef int32_t int_least32_t; -#ifdef _HAVE_UINT64_T -typedef int64_t int_least64_t; -#endif - -typedef uint8_t uint_least8_t; -typedef uint16_t uint_least16_t; -typedef uint32_t uint_least32_t; -#ifdef _HAVE_UINT64_T -typedef uint64_t uint_least64_t; -#endif - /* least types */ -#endif - -#if defined _STDINT_NEED_INT_FAST_T -typedef int8_t int_fast8_t; -typedef int int_fast16_t; -typedef int32_t int_fast32_t; -#ifdef _HAVE_UINT64_T -typedef int64_t int_fast64_t; -#endif - -typedef uint8_t uint_fast8_t; -typedef unsigned uint_fast16_t; -typedef uint32_t uint_fast32_t; -#ifdef _HAVE_UINT64_T -typedef uint64_t uint_fast64_t; -#endif - /* fast types */ -#endif - -#ifdef _STDINT_NEED_INTMAX_T -#ifdef _HAVE_UINT64_T -typedef int64_t intmax_t; -typedef uint64_t uintmax_t; -#else -typedef long intmax_t; -typedef unsigned long uintmax_t; -#endif -#endif - -#ifdef _STDINT_NEED_INTPTR_T -#ifndef __intptr_t_defined -#define __intptr_t_defined -/* we encourage using "long" to store pointer values, never use "int" ! 
*/ -#if _STDINT_LONG_MODEL+0 == 242 || _STDINT_LONG_MODEL+0 == 484 -typedef unsigned int uintptr_t; -typedef int intptr_t; -#elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL+0 == 444 -typedef unsigned long uintptr_t; -typedef long intptr_t; -#elif _STDINT_LONG_MODEL+0 == 448 && defined _HAVE_UINT64_T -typedef uint64_t uintptr_t; -typedef int64_t intptr_t; -#else /* matches typical system types ILP32 and LP64 - but not IP16 or LLP64 */ -typedef unsigned long uintptr_t; -typedef long intptr_t; -#endif -#endif -#endif - - /* shortcircuit*/ -#endif - /* once */ -#endif -#endif -STDINT_EOF - if cmp -s $ac_stdint_h $ac_stdint 2>/dev/null; then - { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_stdint_h is unchanged" >&5 -$as_echo "$as_me: $ac_stdint_h is unchanged" >&6;} - else - ac_dir=`$as_dirname -- "$ac_stdint_h" || -$as_expr X"$ac_stdint_h" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_stdint_h" : 'X\(//\)[^/]' \| \ - X"$ac_stdint_h" : 'X\(//\)$' \| \ - X"$ac_stdint_h" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$ac_stdint_h" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - as_dir="$ac_dir"; as_fn_mkdir_p - rm -f $ac_stdint_h - mv $ac_stdint $ac_stdint_h - fi - ;; esac + done # for ac_tag diff -Nru nettle-3.4.1/configure.ac nettle-3.7.3/configure.ac --- nettle-3.4.1/configure.ac 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/configure.ac 2021-06-06 20:06:29.000000000 +0000 @@ -2,7 +2,7 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([nettle], [3.4.1], [nettle-bugs@lists.lysator.liu.se]) +AC_INIT([nettle], [3.7.3], [nettle-bugs@lists.lysator.liu.se]) AC_PREREQ(2.61) AC_CONFIG_SRCDIR([arcfour.c]) # Needed to stop autoconf from looking for files in parent directories. 
@@ -10,11 +10,11 @@ AC_CONFIG_HEADER([config.h]) -LIBNETTLE_MAJOR=6 -LIBNETTLE_MINOR=5 +LIBNETTLE_MAJOR=8 +LIBNETTLE_MINOR=4 -LIBHOGWEED_MAJOR=4 -LIBHOGWEED_MINOR=5 +LIBHOGWEED_MAJOR=6 +LIBHOGWEED_MINOR=4 dnl Note double square brackets, for extra m4 quoting. MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([[^.]]*\)\..*/\1/'` @@ -74,8 +74,8 @@ AC_HELP_STRING([--disable-documentation], [Omit building and installing the documentation. (default=auto)]),, [enable_documentation=auto]) -AC_ARG_ENABLE(fat, AC_HELP_STRING([--enable-fat], [Enable fat library build (default=no)]),, - [enable_fat=no]) +AC_ARG_ENABLE(fat, AC_HELP_STRING([--disable-fat], [Disable fat library build]),, + [enable_fat=yes]) AC_ARG_ENABLE(arm-neon, AC_HELP_STRING([--enable-arm-neon], [Enable ARM Neon assembly. (default=auto)]),, @@ -85,6 +85,18 @@ AC_HELP_STRING([--enable-x86-aesni], [Enable x86_64 aes instructions. (default=no)]),, [enable_x86_aesni=no]) +AC_ARG_ENABLE(x86-sha-ni, + AC_HELP_STRING([--enable-x86-sha-ni], [Enable x86_64 sha_ni instructions. (default=no)]),, + [enable_x86_sha_ni=no]) + +AC_ARG_ENABLE(power-crypto-ext, + AC_HELP_STRING([--enable-power-crypto-ext], [Enable POWER crypto extensions. (default=no)]),, + [enable_power_crypto_ext=no]) + +AC_ARG_ENABLE(power-altivec, + AC_HELP_STRING([--enable-power-altivec], [Enable POWER altivec and vsx extensions. (default=no)]),, + [enable_altivec=no]) + AC_ARG_ENABLE(mini-gmp, AC_HELP_STRING([--enable-mini-gmp], [Enable mini-gmp, used instead of libgmp.]),, [enable_mini_gmp=no]) 
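Review bot: The default action of the new `AC_ARG_ENABLE(power-altivec, …)` assigns `enable_altivec=no`, but the variable the option actually controls is `enable_power_altivec`, which is what the powerpc64 branch in the `@@ -408,20 +445,39 @@` hunk tests with `if test "$enable_power_altivec" = yes`. The build only behaves because an unset variable compares unequal to `yes`; the default should read `[enable_power_altivec=no]` so the declaration and the test agree, and so `enable_altivec` stops appearing as a stray configure variable. The generated `configure` hunk at `@@ -6941,14 +6615,80 @@` tests the same `enable_power_altivec` name, so it inherits the mismatch.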
@@ -159,19 +171,6 @@ LSH_DEPENDENCY_TRACKING -if test x$enable_dependency_tracking = xyes ; then - # Since the makefiles use include to get the dependency files, we must - # make sure that the files exist. We generate some more files than are - # actually needed. - - AC_CONFIG_COMMANDS([dummy-dep-files], - [(cd "$srcdir" && find . '(' -name '*.c' -o -name '*.cxx' ')' -print) \ - | sed 's/\.cx*$//' | (while read f; do \ - test -f "$f.o.d" || echo > "$f.o.d"; \ - done) -]) -fi - if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi @@ -201,13 +200,29 @@ # getenv_secure is used for fat overrides, # getline is used in the testsuite AC_CHECK_FUNCS(secure_getenv getline) -AC_C_BIGENDIAN -LSH_GCC_ATTRIBUTES +ASM_WORDS_BIGENDIAN=unknown +AC_C_BIGENDIAN([AC_DEFINE([WORDS_BIGENDIAN], 1) + ASM_WORDS_BIGENDIAN=yes], + [ASM_WORDS_BIGENDIAN=no]) + +AC_CACHE_CHECK([for __builtin_bswap64], + nettle_cv_c_builtin_bswap64, +[AC_TRY_LINK([ +#include +],[ +uint64_t x = 17; +uint64_t y = __builtin_bswap64(x); +], +nettle_cv_c_builtin_bswap64=yes, +nettle_cv_c_builtin_bswap64=no)]) + +AH_TEMPLATE([HAVE_BUILTIN_BSWAP64], [Define if __builtin_bswap64 is available]) +if test "x$nettle_cv_c_builtin_bswap64" = "xyes" ; then + AC_DEFINE(HAVE_BUILTIN_BSWAP64) +fi -# According to Simon Josefsson, looking for uint32_t and friends in -# sys/types.h is needed on some systems, in particular cygwin. -AX_CREATE_STDINT_H([nettle-stdint.h], [sys/types.h]) +LSH_GCC_ATTRIBUTES # Check for file locking. We (AC_PROG_CC?) have already checked for # sys/types.h and unistd.h. 
@@ -236,9 +251,10 @@ # Checks for libraries if test "x$enable_public_key" = "xyes" ; then if test "x$enable_mini_gmp" = "xno" ; then - AC_CHECK_LIB(gmp, __gmpn_sec_div_r,, + # mpn_zero_p was added in GMP-6.1.0 + AC_CHECK_LIB(gmp, __gmpn_zero_p,, [AC_MSG_WARN( - [GNU MP not found, or too old. GMP-6.0 or later is needed, see https://gmplib.org/. + [GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable.])] enable_public_key=no) @@ -317,6 +333,17 @@ ABI=64 ]) ;; + *powerpc64*) + AC_TRY_COMPILE([ +#if defined(__PPC64__) +#error 64-bit powerpc +#endif + ], [], [ + ABI=32 + ], [ + ABI=64 + ]) + ;; esac if test "x$ABI" != xstandard ; then @@ -375,12 +402,14 @@ fi OPT_NETTLE_SOURCES="" +FAT_TEST_LIST="" +ASM_PPC_WANT_R_REGISTERS="n/a" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in - [i?86* | k[5-8]* | pentium* | athlon]) + [x86 | i?86* | k[5-8]* | pentium* | athlon]) asm_path=x86 ;; [x86_64 | amd64]) @@ -389,8 +418,16 @@ if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" - elif test "x$enable_x86_aesni" = xyes ; then - asm_path="x86_64/aesni $asm_path" + # For now, not enabling aesni or sha_ni, since at least + # the latter appears unavailable on te gitlab test machines. + FAT_TEST_LIST="vendor:intel vendor:amd" + else + if test "x$enable_x86_aesni" = xyes ; then + asm_path="x86_64/aesni $asm_path" + fi + if test "x$enable_x86_sha_ni" = xyes ; then + asm_path="x86_64/sha_ni $asm_path" + fi fi else asm_path=x86 
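Review bot: The new comment in the x86_64 fat branch reads `appears unavailable on te gitlab test machines`; `te` should be `the`. Separately, the powerpc64 ABI probe in the `@@ -317,6 +333,17 @@` hunk keys only on `__PPC64__`; I believe GCC and clang also define `__powerpc64__`, so `#if defined(__PPC64__) || defined(__powerpc64__)` would be the more robust test, worth confirming against the compilers the project supports.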
@@ -408,20 +445,39 @@ if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" + FAT_TEST_LIST="arch:5 arch:6,neon" else case "$host_cpu" in armv6* | armv7*) NETTLE_CHECK_ARM_NEON asm_path="arm/v6 arm" - - if test "x$enable_arm_neon" = xyes ; then - asm_path="arm/neon $asm_path" - fi ;; esac + if test "x$enable_arm_neon" = xyes ; then + asm_path="arm/neon $asm_path" + fi fi ;; + *powerpc64*) + if test "$ABI" = 64 ; then + GMP_ASM_POWERPC_R_REGISTERS + asm_path="powerpc64" + if test "x$enable_fat" = xyes ; then + asm_path="powerpc64/fat $asm_path" + OPT_NETTLE_SOURCES="fat-ppc.c $OPT_NETTLE_SOURCES" + FAT_TEST_LIST="none crypto_ext altivec" + else + if test "$enable_power_crypto_ext" = yes ; then + asm_path="powerpc64/p8 $asm_path" + fi + if test "$enable_power_altivec" = yes ; then + asm_path="powerpc64/p7 $asm_path" + fi + fi + fi + ;; + *) enable_assembler=no ;; 
@@ -441,16 +497,19 @@ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. -asm_nettle_optional_list="gcm-hash8.asm cpuid.asm \ +asm_nettle_optional_list="gcm-hash.asm gcm-hash8.asm cpuid.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm memxor-2.asm \ - salsa20-core-internal-2.asm sha1-compress-2.asm sha256-compress-2.asm \ + chacha-2core.asm chacha-3core.asm chacha-4core.asm chacha-core-internal-2.asm \ + salsa20-2core.asm salsa20-core-internal-2.asm \ + sha1-compress-2.asm sha256-compress-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then - asm_hogweed_optional_list="ecc-192-modp.asm ecc-224-modp.asm \ - ecc-25519-modp.asm ecc-256-redc.asm ecc-384-modp.asm ecc-521-modp.asm" + asm_hogweed_optional_list="ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \ + ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm \ + ecc-curve25519-modp.asm ecc-curve448-modp.asm" fi OPT_NETTLE_OBJS="" @@ -533,6 +592,7 @@ AC_SUBST([OPT_NETTLE_OBJS]) AC_SUBST([OPT_HOGWEED_OBJS]) AC_SUBST([OPT_NETTLE_SOURCES]) +AC_SUBST([FAT_TEST_LIST]) AC_SUBST([ASM_RODATA]) if test "x$enable_assembler" = xyes ; then IF_ASM='' 
@@ -540,23 +600,40 @@ IF_ASM='#' fi AC_SUBST([IF_ASM]) +AC_SUBST([ASM_PPC_WANT_R_REGISTERS]) AH_VERBATIM([HAVE_NATIVE], [/* Define to 1 each of the following for which a native (ie. CPU specific) implementation of the corresponding routine exists. */ -#undef HAVE_NATIVE_ecc_192_modp -#undef HAVE_NATIVE_ecc_192_redc -#undef HAVE_NATIVE_ecc_224_modp -#undef HAVE_NATIVE_ecc_224_redc -#undef HAVE_NATIVE_ecc_25519_modp -#undef HAVE_NATIVE_ecc_256_modp -#undef HAVE_NATIVE_ecc_256_redc -#undef HAVE_NATIVE_ecc_384_modp -#undef HAVE_NATIVE_ecc_384_redc -#undef HAVE_NATIVE_ecc_521_modp -#undef HAVE_NATIVE_ecc_521_redc +#undef HAVE_NATIVE_aes_decrypt +#undef HAVE_NATIVE_aes_encrypt +#undef HAVE_NATIVE_chacha_core +#undef HAVE_NATIVE_chacha_2core +#undef HAVE_NATIVE_chacha_3core +#undef HAVE_NATIVE_chacha_4core +#undef HAVE_NATIVE_fat_chacha_2core +#undef HAVE_NATIVE_fat_chacha_3core +#undef HAVE_NATIVE_fat_chacha_4core +#undef HAVE_NATIVE_ecc_curve25519_modp +#undef HAVE_NATIVE_ecc_curve448_modp +#undef HAVE_NATIVE_ecc_secp192r1_modp +#undef HAVE_NATIVE_ecc_secp192r1_redc +#undef HAVE_NATIVE_ecc_secp224r1_modp +#undef HAVE_NATIVE_ecc_secp224r1_redc +#undef HAVE_NATIVE_ecc_secp256r1_modp +#undef HAVE_NATIVE_ecc_secp256r1_redc +#undef HAVE_NATIVE_ecc_secp384r1_modp +#undef HAVE_NATIVE_ecc_secp384r1_redc +#undef HAVE_NATIVE_ecc_secp521r1_modp +#undef HAVE_NATIVE_ecc_secp521r1_redc +#undef HAVE_NATIVE_gcm_init_key +#undef HAVE_NATIVE_fat_gcm_init_key +#undef HAVE_NATIVE_gcm_hash +#undef HAVE_NATIVE_fat_gcm_hash #undef HAVE_NATIVE_gcm_hash8 #undef HAVE_NATIVE_salsa20_core +#undef HAVE_NATIVE_salsa20_2core +#undef HAVE_NATIVE_fat_salsa20_2core #undef HAVE_NATIVE_sha1_compress #undef HAVE_NATIVE_sha256_compress #undef HAVE_NATIVE_sha512_compress 
@@ -639,13 +716,13 @@ LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' - LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBNETTLE_SONAME)' + LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -h $(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBHOGWEED_SONAME)' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) --shared -h $(LIBHOGWEED_SONAME)' LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; *) 
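Review bot: The two sibling link lines in this case arm now spell the same flag differently: `LIBNETTLE_LINK` gets `-shared` while `LIBHOGWEED_LINK` gets `--shared`. Whether the double-dash form is accepted depends on the compiler driver, so the safe choice is the single spelling on both lines, `LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -h $(LIBHOGWEED_SONAME)'`. The generated `configure` hunk at `@@ -7208,13 +6953,13 @@` carries the same inconsistency.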
@@ -787,6 +864,68 @@ ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi +dnl Define +dnl 1. ASM_X86_ENDBR for endbr32/endbr64. +dnl 2. ASM_X86_MARK_CET to add a .note.gnu.property section to mark +dnl Intel CET support if needed. +dnl 3. ASM_X86_MARK_CET_ALIGN to align ASM_X86_MARK_CET. +AC_CACHE_CHECK([if Intel CET is enabled], + [nettle_cv_asm_x86_intel_cet], + [AC_TRY_COMPILE([ +#ifndef __CET__ +#error Intel CET is not enabled +#endif + ], [], + [nettle_cv_asm_x86_intel_cet=yes], + [nettle_cv_asm_x86_intel_cet=no])]) +if test "$nettle_cv_asm_x86_intel_cet" = yes; then + case $ABI in + 32|standard) + ASM_X86_ENDBR=endbr32 + ASM_X86_MARK_CET_ALIGN=2 + ;; + 64) + ASM_X86_ENDBR=endbr64 + ASM_X86_MARK_CET_ALIGN=3 + ;; + x32) + ASM_X86_ENDBR=endbr64 + ASM_X86_MARK_CET_ALIGN=2 + ;; + esac + AC_CACHE_CHECK([if .note.gnu.property section is needed], + [nettle_cv_asm_x86_gnu_property], + [AC_TRY_COMPILE([ +#if !defined __ELF__ || !defined __CET__ +#error GNU property is not needed +#endif + ], [], + [nettle_cv_asm_x86_gnu_property=yes], + [nettle_cv_asm_x86_gnu_property=no])]) +else + nettle_cv_asm_x86_gnu_property=no +fi +if test "$nettle_cv_asm_x86_gnu_property" = yes; then + ASM_X86_MARK_CET=' + .pushsection ".note.gnu.property", "a" + .p2align ASM_X86_MARK_CET_ALIGN + .long 1f - 0f + .long 4f - 1f + .long 5 +0: + .asciz "GNU" +1: + .p2align ASM_X86_MARK_CET_ALIGN + .long 0xc0000002 + .long 3f - 2f +2: + .long 3 +3: + .p2align ASM_X86_MARK_CET_ALIGN +4: + .popsection' +fi + AC_SUBST(ASM_SYMBOL_PREFIX) AC_SUBST(ASM_ELF_STYLE) AC_SUBST(ASM_COFF_STYLE) @@ -795,7 +934,11 @@ AC_SUBST(ASM_MARK_NOEXEC_STACK) AC_SUBST(ASM_ALIGN_LOG) AC_SUBST(W64_ABI) +AC_SUBST(ASM_WORDS_BIGENDIAN) AC_SUBST(EMULATOR) +AC_SUBST(ASM_X86_ENDBR) +AC_SUBST(ASM_X86_MARK_CET) +AC_SUBST(ASM_X86_MARK_CET_ALIGN) AC_SUBST(LIBNETTLE_MAJOR) AC_SUBST(LIBNETTLE_MINOR) 
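Review bot: The `.note.gnu.property` block assigned to `ASM_X86_MARK_CET` uses two unexplained magic numbers; a comment beside them would let a reader verify the marker without the ABI document. `.long 0xc0000002` is the `GNU_PROPERTY_X86_FEATURE_1_AND` property type and `.long 3` is `GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK`, so every assembler object carrying this note declares itself both IBT- and SHSTK-compatible, and the linker ANDs that across all objects to decide whether the final library is marked CET-enabled. That declaration only holds if every indirect-call target in the `.asm` files begins with `ASM_X86_ENDBR`; the `dnl` block above names the three variables but does not state this, and it is exactly what someone auditing a CET build wants written down. The `case $ABI in` also has no `*)` arm; if `ABI` can hold a value other than `32`, `standard`, `64` or `x32` while the compiler defines `__CET__`, the note would be emitted with an empty `ASM_X86_MARK_CET_ALIGN`, so an explicit `*) AC_MSG_ERROR([Intel CET: unsupported ABI $ABI]) ;;` would make that failure visible.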
@@ -923,18 +1066,7 @@ # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then - # Using -ggdb3 makes (some versions of) Redhat's gcc-2.96 dump core - if $CC --version | grep '^2\.96$' 1>/dev/null 2>&1; then - true - else - CFLAGS="$CFLAGS -ggdb3" - fi - # FIXME: It would be better to actually test if this option works and/or is needed. - # Or perhaps use -funsigned-char. - if $CC --version | grep 'gcc.* 4\.' 1>/dev/null 2>&1; then - CFLAGS="$CFLAGS -Wno-pointer-sign" - fi - CFLAGS="$CFLAGS -Wall -W \ + CFLAGS="$CFLAGS -ggdb3 -Wall -W -Wno-sign-compare \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" diff -Nru nettle-3.4.1/ctr16.c nettle-3.7.3/ctr16.c --- nettle-3.4.1/ctr16.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ctr16.c 2021-06-06 20:06:29.000000000 +0000 
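Review bot: `-Wno-sign-compare` is added to the global `CFLAGS` for every GCC build, which silences signed/unsigned comparison warnings across the whole library; in code that compares `size_t` lengths and offsets against `int` values that is precisely the warning class that flags length and bounds mix-ups. If the motivation is only that `-W` (i.e. `-Wextra`) implies `-Wsign-compare`, it would be safer to fix or cast the offending comparisons, or to scope the suppression to the files that need it, than to disable it library-wide. At minimum a comment such as `# -W implies -Wsign-compare; disabled because <REASON-TBD>` would record the intent for the next maintainer.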
@@ -0,0 +1,106 @@
+/* ctr16.c
+
+ Cipher counter mode, optimized for 16-byte blocks.
+
+ Copyright (C) 2005-2018 Niels Möller
+ Copyright (C) 2018 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "ctr.h"
+
+#include "ctr-internal.h"
+#include "memxor.h"
+#include "nettle-internal.h"
+
+#define MIN(a,b) (((a) < (b)) ? (a) : (b))
+
+void
+_nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f,
+ nettle_fill16_func *fill, uint8_t *ctr,
+ size_t length, uint8_t *dst,
+ const uint8_t *src)
+{
+ if (dst != src && !((uintptr_t) dst % sizeof(uint64_t)))
+ {
+ size_t blocks = length / 16u;
+ size_t done;
+ fill (ctr, blocks, (union nettle_block16 *) dst);
+
+ done = blocks * 16;
+ f(ctx, done, dst, dst);
+ memxor (dst, src, done);
+
+ length -= done;
+ if (length > 0)
+ { /* Left-over partial block */
+ union nettle_block16 block;
+ dst += done;
+ src += done;
+ assert (length < 16);
+ /* Use fill, to update ctr value in the same way in all cases. */
+ fill (ctr, 1, &block);
+ f (ctx, 16, block.b, block.b);
+ memxor3 (dst, src, block.b, length);
+ }
+ }
+ else
+ {
+ /* Construct an aligned buffer of consecutive counter values, of
+ size at most CTR_BUFFER_LIMIT. */
+ TMP_DECL(buffer, union nettle_block16, CTR_BUFFER_LIMIT / 16);
+ size_t blocks = (length + 15) / 16u;
+ size_t i;
+ TMP_ALLOC(buffer, MIN(blocks, CTR_BUFFER_LIMIT / 16));
+
+ for (i = 0; blocks >= CTR_BUFFER_LIMIT / 16;
+ i += CTR_BUFFER_LIMIT, blocks -= CTR_BUFFER_LIMIT / 16)
+ {
+ fill (ctr, CTR_BUFFER_LIMIT / 16, buffer);
+ f(ctx, CTR_BUFFER_LIMIT, buffer->b, buffer->b);
+ if (length - i < CTR_BUFFER_LIMIT)
+ goto done;
+ memxor3 (dst + i, src + i, buffer->b, CTR_BUFFER_LIMIT);
+ }
+
+ if (blocks > 0)
+ {
+ assert (length - i < CTR_BUFFER_LIMIT);
+ fill (ctr, blocks, buffer);
+ f(ctx, blocks * 16, buffer->b, buffer->b);
+ done:
+ memxor3 (dst + i, src + i, buffer->b, length - i);
+ }
+ }
+}
diff -Nru nettle-3.4.1/ctr.c nettle-3.7.3/ctr.c
--- nettle-3.4.1/ctr.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/ctr.c 2021-06-06 20:06:29.000000000 +0000
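Review bot: In the unaligned/in-place branch of `_nettle_ctr_crypt16`, `goto done` jumps out of the `for` loop into the body of the following `if (blocks > 0)`, skipping its condition and its `fill`/`f` calls; it is legal C but hard to follow and breaks the moment a declaration is added to that block. The same work is a single loop over chunks of at most `CTR_BUFFER_LIMIT` bytes, sketched below, which needs neither the label nor the trailing `if`. The function also has no header comment; it should state that `ctr` is advanced in place by `fill`, that `dst == src` is allowed while any other overlap is not (the fast path writes counter values into `dst` before it reads `src`), and that the fast path requires `dst` to be 8-byte aligned because it writes `union nettle_block16` through the cast.
```c
      /* … unchanged: TMP_DECL/TMP_ALLOC of buffer, sized MIN(blocks, CTR_BUFFER_LIMIT / 16) … */
      size_t i;
      for (i = 0; i < length; i += CTR_BUFFER_LIMIT)
	{
	  /* The last chunk may be shorter than CTR_BUFFER_LIMIT and may end in
	     a partial block: generate whole blocks, XOR only n bytes. */
	  size_t n = MIN (length - i, CTR_BUFFER_LIMIT);
	  size_t nblocks = (n + 15) / 16u;
	  fill (ctr, nblocks, buffer);
	  f (ctx, nblocks * 16, buffer->b, buffer->b);
	  memxor3 (dst + i, src + i, buffer->b, n);
	}
```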
@@ -41,11 +41,72 @@ #include "ctr.h" +#include "ctr-internal.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" -#define NBLOCKS 4 +#define MIN(a,b) (((a) < (b)) ? (a) : (b)) + +static size_t +ctr_fill (size_t block_size, uint8_t *ctr, size_t length, uint8_t *buffer) +{ + size_t i; + for (i = 0; i + block_size <= length; i += block_size) + { + memcpy (buffer + i, ctr, block_size); + INCREMENT(block_size, ctr); + } + return i; +} + +#if WORDS_BIGENDIAN +# define USE_CTR_CRYPT16 1 +static nettle_fill16_func ctr_fill16; +static void +ctr_fill16(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) +{ + uint64_t hi, lo; + size_t i; + hi = READ_UINT64(ctr); + lo = READ_UINT64(ctr + 8); + + for (i = 0; i < blocks; i++) + { + buffer[i].u64[0] = hi; + buffer[i].u64[1] = lo; + hi += !(++lo); + } + WRITE_UINT64(ctr, hi); + WRITE_UINT64(ctr + 8, lo); +} +#else /* !WORDS_BIGENDIAN */ +# if HAVE_BUILTIN_BSWAP64 +# define USE_CTR_CRYPT16 1 +static nettle_fill16_func ctr_fill16; +static void +ctr_fill16(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) +{ + uint64_t hi, lo; + size_t i; + /* Read hi in native endianness */ + hi = LE_READ_UINT64(ctr); + lo = READ_UINT64(ctr + 8); + + for (i = 0; i < blocks; i++) + { + buffer[i].u64[0] = hi; + buffer[i].u64[1] = __builtin_bswap64(lo); + if (!++lo) + hi = __builtin_bswap64(__builtin_bswap64(hi) + 1); + } + LE_WRITE_UINT64(ctr, hi); + WRITE_UINT64(ctr + 8, lo); +} +# else /* ! HAVE_BUILTIN_BSWAP64 */ +# define USE_CTR_CRYPT16 0 +# endif +#endif /* !WORDS_BIGENDIAN */ void ctr_crypt(const void *ctx, nettle_cipher_func *f, 
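Review bot: The comment `/* Read hi in native endianness */` above `hi = LE_READ_UINT64(ctr);` in the bswap variant of ctr_fill16 is misleading: `hi` holds the raw byte image of the big-endian high half so it can be stored into `buffer[i].u64[0]` unswapped, while `lo` is read as a number because it is incremented every block and swapped back on store. Suggest `/* hi keeps the raw byte image of the high half (stored as-is, swapped only on carry); lo is kept as a number since it changes every block. */`. ctr_fill would also benefit from a header comment documenting the return value that ctr_crypt relies on in the next hunk, e.g. `/* Copies consecutive counter values, block_size bytes each, into buffer while they fit in length; returns the number of bytes written and leaves ctr advanced by that many blocks. */`.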
@@ -53,84 +114,64 @@ size_t length, uint8_t *dst, const uint8_t *src) { - if (src != dst) +#if USE_CTR_CRYPT16 + if (block_size == 16) { - if (length == block_size) - { - f(ctx, block_size, dst, ctr); - INCREMENT(block_size, ctr); - memxor(dst, src, block_size); - } - else + _nettle_ctr_crypt16(ctx, f, ctr_fill16, ctr, length, dst, src); + return; + } +#endif + + if(src != dst) + { + size_t filled = ctr_fill (block_size, ctr, length, dst); + + f(ctx, filled, dst, dst); + memxor(dst, src, filled); + + if (filled < length) { - size_t left; - uint8_t *p; + TMP_DECL(block, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); + TMP_ALLOC(block, block_size); - for (p = dst, left = length; - left >= block_size; - left -= block_size, p += block_size) - { - memcpy (p, ctr, block_size); - INCREMENT(block_size, ctr); - } - - f(ctx, length - left, dst, dst); - memxor(dst, src, length - left); - - if (left) - { - TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); - TMP_ALLOC(buffer, block_size); - - f(ctx, block_size, buffer, ctr); - INCREMENT(block_size, ctr); - memxor3(dst + length - left, src + length - left, buffer, left); - } + f(ctx, block_size, block, ctr); + INCREMENT(block_size, ctr); + memxor3(dst + filled, src + filled, block, length - filled); } } else { - if (length > block_size) - { - TMP_DECL(buffer, uint8_t, NBLOCKS * NETTLE_MAX_CIPHER_BLOCK_SIZE); - size_t chunk = NBLOCKS * block_size; + /* For in-place CTR, construct a buffer of consecutive counter + values, of size at most CTR_BUFFER_LIMIT. 
*/ + TMP_DECL(buffer, uint8_t, CTR_BUFFER_LIMIT); + + size_t buffer_size; + if (length < block_size) + buffer_size = block_size; + else if (length <= CTR_BUFFER_LIMIT) + buffer_size = length; + else + buffer_size = CTR_BUFFER_LIMIT; - TMP_ALLOC(buffer, chunk); + TMP_ALLOC(buffer, buffer_size); - for (; length >= chunk; - length -= chunk, src += chunk, dst += chunk) - { - unsigned n; - uint8_t *p; - for (n = 0, p = buffer; n < NBLOCKS; n++, p += block_size) - { - memcpy (p, ctr, block_size); - INCREMENT(block_size, ctr); - } - f(ctx, chunk, buffer, buffer); - memxor(dst, buffer, chunk); - } - - if (length > 0) - { - /* Final, possibly partial, blocks */ - for (chunk = 0; chunk < length; chunk += block_size) - { - memcpy (buffer + chunk, ctr, block_size); - INCREMENT(block_size, ctr); - } - f(ctx, chunk, buffer, buffer); - memxor3(dst, src, buffer, length); - } + while (length >= block_size) + { + size_t filled + = ctr_fill (block_size, ctr, MIN(buffer_size, length), buffer); + assert (filled > 0); + f(ctx, filled, buffer, buffer); + memxor(dst, buffer, filled); + length -= filled; + dst += filled; } - else if (length > 0) - { - TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); - TMP_ALLOC(buffer, block_size); + /* Final, possibly partial, block. */ + if (length > 0) + { f(ctx, block_size, buffer, ctr); INCREMENT(block_size, ctr); - memxor3(dst, src, buffer, length); + memxor(dst, buffer, length); } } } diff -Nru nettle-3.4.1/ctr-internal.h nettle-3.7.3/ctr-internal.h --- nettle-3.4.1/ctr-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ctr-internal.h 2021-06-06 20:06:29.000000000 +0000 
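Review bot: The in-place branch declares `TMP_DECL(buffer, uint8_t, CTR_BUFFER_LIMIT)` but sets `buffer_size = block_size` when `length < block_size`, and the loop's `assert (filled > 0)` only holds if one block fits in `MIN(buffer_size, length)`; both silently assume `CTR_BUFFER_LIMIT >= NETTLE_MAX_CIPHER_BLOCK_SIZE`, and nothing in the diff checks that relation. If TMP_ALLOC falls back to a fixed-size array when alloca is unavailable, a larger block would overrun the stack buffer rather than trip the assert, so a compile-time check such as `_Static_assert (CTR_BUFFER_LIMIT >= NETTLE_MAX_CIPHER_BLOCK_SIZE, "CTR_BUFFER_LIMIT too small");` (or the project's equivalent macro) next to the `TMP_DECL` would turn the assumption into a build error; at minimum a comment should record it. ctr_crypt's signature, including `block_size`, begins in the previous hunk.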
@@ -0,0 +1,53 @@ +/* ctr-internal.h + + Copyright (C) 2018 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_CTR_INTERNAL_H_INCLUDED +#define NETTLE_CTR_INTERNAL_H_INCLUDED + +#include "nettle-types.h" + +/* Size limit for temporary stack buffers. */ +#define CTR_BUFFER_LIMIT 512 + +/* Fill BUFFER (n blocks) with incrementing CTR values. It would be + nice if CTR was always 64-bit aligned, but it isn't when called + from ctr_crypt. */ +typedef void +nettle_fill16_func(uint8_t *ctr, size_t n, union nettle_block16 *buffer); + +void +_nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f, + nettle_fill16_func *fill, uint8_t *ctr, + size_t length, uint8_t *dst, + const uint8_t *src); + + +#endif /* NETTLE_CTR_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/curve25519-eh-to-x.c nettle-3.7.3/curve25519-eh-to-x.c --- nettle-3.4.1/curve25519-eh-to-x.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/curve25519-eh-to-x.c 2021-06-06 20:06:29.000000000 +0000 
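Review bot: `_nettle_ctr_crypt16` is declared without any description of its contract, while the `nettle_fill16_func` typedef just above it is documented. Callers need to know that `f` must operate on 16-byte blocks, that `fill` must write exactly `n` counter blocks and advance `ctr` by `n` (the implementation also calls it with `n` = 1 for the final partial block), that `ctr` may be unaligned, and that `dst` must either equal `src` or not overlap it. A comment of that shape above the prototype would capture what ctr16.c assumes without forcing readers into the .c file.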
@@ -50,32 +50,28 @@ #define wp (p + 2*ecc->p.size) #define t0 scratch #define t1 (scratch + ecc->p.size) -#define t2 (scratch + 2*ecc->p.size) +#define tp (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve25519; - mp_limb_t cy; - /* If u = U/W and v = V/W are the coordiantes of the point on the + /* If u = U/W and v = V/W are the coordinates of the point on the Edwards curve we get the curve25519 x coordinate as x = (1+v) / (1-v) = (W + V) / (W - V) */ /* NOTE: For the infinity point, this subtraction gives zero (mod p), which isn't invertible. For curve25519, the desired output is - x = 0, and we should be fine, since ecc_modp_inv returns 0 + x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0 in this case. */ - ecc_modp_sub (ecc, t0, wp, vp); - /* Needs a total of 5*size storage. */ - ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); + ecc_mod_sub (&ecc->p, t0, wp, vp); + /* Needs a total of 6*size storage. */ + ecc->p.invert (&ecc->p, t1, t0, tp); - ecc_modp_add (ecc, t0, wp, vp); - ecc_modp_mul (ecc, t2, t0, t1); - - cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, t2, ecc->p.size); + ecc_mod_add (&ecc->p, t0, wp, vp); + ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, tp); #undef vp #undef wp #undef t0 #undef t1 -#undef t2 +#undef tp } diff -Nru nettle-3.4.1/curve25519-mul.c nettle-3.7.3/curve25519-mul.c --- nettle-3.4.1/curve25519-mul.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/curve25519-mul.c 2021-06-06 20:06:29.000000000 +0000 
@@ -44,104 +44,21 @@ void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) { - const struct ecc_curve *ecc = &_nettle_curve25519; + const struct ecc_modulo *m = &_nettle_curve25519.p; mp_size_t itch; - mp_limb_t *scratch; - int i; - mp_limb_t cy; + mp_limb_t *x; - /* FIXME: Could save some more scratch space, e.g., by letting BB - overlap C, D, and CB overlap A, D. And possibly reusing some of - x2, z2, x3, z3. */ -#define x1 scratch -#define x2 (scratch + ecc->p.size) -#define z2 (scratch + 2*ecc->p.size) -#define x3 (scratch + 3*ecc->p.size) -#define z3 (scratch + 4*ecc->p.size) + itch = m->size + ECC_MUL_M_ITCH(m->size); + x = gmp_alloc_limbs (itch); -#define A (scratch + 5*ecc->p.size) -#define B (scratch + 6*ecc->p.size) -#define C (scratch + 7*ecc->p.size) -#define D (scratch + 8*ecc->p.size) -#define AA (scratch + 9*ecc->p.size) -#define BB (scratch +10*ecc->p.size) -#define E (scratch + 10*ecc->p.size) /* Overlap BB */ -#define DA (scratch + 9*ecc->p.size) /* Overlap AA */ -#define CB (scratch + 10*ecc->p.size) /* Overlap BB */ - - itch = ecc->p.size * 12; - scratch = gmp_alloc_limbs (itch); - - /* Note that 255 % GMP_NUMB_BITS == 0 isn't supported, so x1 always + /* Note that 255 % GMP_NUMB_BITS == 0 isn't supported, so x always holds at least 256 bits. */ - mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE); + mpn_set_base256_le (x, m->size, p, CURVE25519_SIZE); /* Clear bit 255, as required by RFC 7748. */ - x1[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS)); - - /* Initialize, x2 = x1, z2 = 1 */ - mpn_copyi (x2, x1, ecc->p.size); - z2[0] = 1; - mpn_zero (z2+1, ecc->p.size - 1); - - /* Get x3, z3 from doubling. Since bit 254 is forced to 1. 
*/ - ecc_modp_add (ecc, A, x2, z2); - ecc_modp_sub (ecc, B, x2, z2); - ecc_modp_sqr (ecc, AA, A); - ecc_modp_sqr (ecc, BB, B); - ecc_modp_mul (ecc, x3, AA, BB); - ecc_modp_sub (ecc, E, AA, BB); - ecc_modp_addmul_1 (ecc, AA, E, 121665); - ecc_modp_mul (ecc, z3, E, AA); - - for (i = 253; i >= 3; i--) - { - int bit = (n[i/8] >> (i & 7)) & 1; - - cnd_swap (bit, x2, x3, 2*ecc->p.size); - - /* Formulas from draft-turner-thecurve25519function-00-Mont. We - compute new coordinates in memory-address order, since mul - and sqr clobbers higher limbs. */ - ecc_modp_add (ecc, A, x2, z2); - ecc_modp_sub (ecc, B, x2, z2); - ecc_modp_sqr (ecc, AA, A); - ecc_modp_sqr (ecc, BB, B); - ecc_modp_mul (ecc, x2, AA, BB); /* Last use of BB */ - ecc_modp_sub (ecc, E, AA, BB); - ecc_modp_addmul_1 (ecc, AA, E, 121665); - ecc_modp_add (ecc, C, x3, z3); - ecc_modp_sub (ecc, D, x3, z3); - ecc_modp_mul (ecc, z2, E, AA); /* Last use of E and AA */ - ecc_modp_mul (ecc, DA, D, A); /* Last use of D, A. FIXME: could - let CB overlap. */ - ecc_modp_mul (ecc, CB, C, B); - - ecc_modp_add (ecc, C, DA, CB); - ecc_modp_sqr (ecc, x3, C); - ecc_modp_sub (ecc, C, DA, CB); - ecc_modp_sqr (ecc, DA, C); - ecc_modp_mul (ecc, z3, DA, x1); + x[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS)); - /* FIXME: Could be combined with the loop's initial cnd_swap. 
*/ - cnd_swap (bit, x2, x3, 2*ecc->p.size); - } - /* Do the 3 low zero bits, just duplicating x2 */ - for ( ; i >= 0; i--) - { - ecc_modp_add (ecc, A, x2, z2); - ecc_modp_sub (ecc, B, x2, z2); - ecc_modp_sqr (ecc, AA, A); - ecc_modp_sqr (ecc, BB, B); - ecc_modp_mul (ecc, x2, AA, BB); - ecc_modp_sub (ecc, E, AA, BB); - ecc_modp_addmul_1 (ecc, AA, E, 121665); - ecc_modp_mul (ecc, z2, E, AA); - } - ecc->p.invert (&ecc->p, x3, z2, z3 + ecc->p.size); - ecc_modp_mul (ecc, z3, x2, x3); - cy = mpn_sub_n (x2, z3, ecc->p.m, ecc->p.size); - cnd_copy (cy, x2, z3, ecc->p.size); - mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->p.size); + ecc_mul_m (m, 121665, 3, 253, x, n, x, x + m->size); + mpn_get_base256_le (q, CURVE25519_SIZE, x, m->size); - gmp_free_limbs (scratch, itch); + gmp_free_limbs (x, itch); } diff -Nru nettle-3.4.1/curve448-eh-to-x.c nettle-3.7.3/curve448-eh-to-x.c --- nettle-3.4.1/curve448-eh-to-x.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/curve448-eh-to-x.c 2021-06-06 20:06:29.000000000 +0000 
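Review bot: The new call `ecc_mul_m (m, 121665, 3, 253, x, n, x, x + m->size);` replaces the inline ladder with four unexplained literals, and the removed comment that justified the bit range (bit 254 forced to 1, loop from 253 down to 3) was not carried over. A comment such as `/* a24 = (A-2)/4 = 121665; ladder over scalar bits 253..3, bit 254 assumed set and bits 0-2 assumed zero, as produced by RFC 7748 scalar clamping. */` would preserve that reasoning; the same applies to `ecc_mul_m (m, 39081, 2, 446, x, n, x, x + m->size);` in curve448-mul.c, where a24 = 39081 and clamping sets bit 447 and clears bits 0-1. Passing `x` as both input and output also deserves a remark if ecc_mul_m guarantees that aliasing is allowed, since a reader of this file cannot tell.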
@@ -0,0 +1,70 @@ +/* curve448-eh-to-x.c + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "curve448.h" + +#include "ecc.h" +#include "ecc-internal.h" + +/* Transform a point on the edwards448 Edwards curve to the curve448 + Montgomery curve, and return the x coordinate. */ +void +curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) +{ +#define up p +#define vp (p + ecc->p.size) +#define t0 scratch +#define tp (scratch + ecc->p.size) + + const struct ecc_curve *ecc = &_nettle_curve448; + + /* If u = U/W and v = V/W are the coordinates of the point on + edwards448 we get the curve448 x coordinate as + + x = v^2 / u^2 = (V/W)^2 / (U/W)^2 = (V/U)^2 + */ + /* Needs a total of 5*size storage. 
*/ + ecc->p.invert (&ecc->p, t0, up, tp); + ecc_mod_mul (&ecc->p, t0, t0, vp, tp); + ecc_mod_sqr_canonical (&ecc->p, xp, t0, tp); + +#undef up +#undef vp +#undef t0 +#undef tp +} diff -Nru nettle-3.4.1/curve448.h nettle-3.7.3/curve448.h --- nettle-3.4.1/curve448.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/curve448.h 2021-06-06 20:06:29.000000000 +0000 
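Review bot: `ecc->p.invert (&ecc->p, t0, up, tp);` inverts the U coordinate with no remark on the U = 0 case, whereas the parallel curve25519-eh-to-x.c carries a NOTE explaining why inverting zero is acceptable there. The edwards448 neutral element has u = 0, so the same situation arises here; if `ecc->p.invert` returns 0 for a zero input, as that file states for ecc_mod_inv, the result is x = 0, which is the expected output for that point. Suggest `/* NOTE: U = 0 (the neutral element) is not invertible; invert returns 0 in that case, giving the desired x = 0. */` above the call, after confirming the invert behaviour against its implementation.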
@@ -0,0 +1,58 @@ +/* curve448.h + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_CURVE448_H +#define NETTLE_CURVE448_H + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define curve448_mul_g nettle_curve448_mul_g +#define curve448_mul nettle_curve448_mul + +#define CURVE448_SIZE 56 + +void +curve448_mul_g (uint8_t *q, const uint8_t *n); + +void +curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_CURVE448_H */ diff -Nru nettle-3.4.1/curve448-mul.c nettle-3.7.3/curve448-mul.c --- nettle-3.4.1/curve448-mul.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/curve448-mul.c 2021-06-06 20:06:29.000000000 +0000 
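Review bot: The two public prototypes are added without any comment on their conventions, although the implementations fix them: both read and write `CURVE448_SIZE` bytes in little-endian order via `mpn_set_base256_le`/`mpn_get_base256_le`, `curve448_mul_g` clamps a copy of its scalar while `curve448_mul` passes `n` through unmodified, and `curve448_mul` computes n·p from the u-coordinate `p`. A short comment above each prototype stating the byte order, the 56-byte sizes and whether the function clamps the scalar would let callers use the header without reading the .c files, and would make the clamping asymmetry between the two functions explicit.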
@@ -0,0 +1,61 @@ +/* curve448-mul.c + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "curve448.h" + +#include "ecc.h" +#include "ecc-internal.h" + +/* Intended to be compatible with NaCl's crypto_scalarmult. */ +void +curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) +{ + const struct ecc_modulo *m = &_nettle_curve448.p; + mp_size_t itch; + mp_limb_t *x; + + itch = m->size + ECC_MUL_M_ITCH(m->size); + x = gmp_alloc_limbs (itch); + + mpn_set_base256_le (x, m->size, p, CURVE448_SIZE); + ecc_mul_m (m, 39081, 2, 446, x, n, x, x + m->size); + mpn_get_base256_le (q, CURVE448_SIZE, x, m->size); + + gmp_free_limbs (x, itch); +} diff -Nru nettle-3.4.1/curve448-mul-g.c nettle-3.7.3/curve448-mul-g.c --- nettle-3.4.1/curve448-mul-g.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/curve448-mul-g.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,74 @@ +/* curve448-mul-g.c + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "curve448.h" + +#include "ecc.h" +#include "ecc-internal.h" + +/* Intended to be compatible with NaCl's crypto_scalarmult_base. 
*/ +void +curve448_mul_g (uint8_t *r, const uint8_t *n) +{ + const struct ecc_curve *ecc = &_nettle_curve448; + uint8_t t[CURVE448_SIZE]; + mp_limb_t *scratch; + mp_size_t itch; + +#define ng scratch +#define x (scratch + 3*ecc->p.size) +#define scratch_out (scratch + 4*ecc->p.size) + + memcpy (t, n, sizeof(t)); + t[0] &= ~3; + t[CURVE448_SIZE-1] = (t[CURVE448_SIZE-1] & 0x7f) | 0x80; + + itch = 5*ecc->p.size + ecc->mul_g_itch; + scratch = gmp_alloc_limbs (itch); + + mpn_set_base256_le (x, ecc->p.size, t, CURVE448_SIZE); + + ecc_mul_g_eh (ecc, ng, x, scratch_out); + curve448_eh_to_x (x, ng, scratch_out); + + mpn_get_base256_le (r, CURVE448_SIZE, x, ecc->p.size); + gmp_free_limbs (scratch, itch); +#undef ng +#undef x +#undef scratch_out +} diff -Nru nettle-3.4.1/debian/changelog nettle-3.7.3/debian/changelog --- nettle-3.4.1/debian/changelog 2020-07-08 06:14:25.000000000 +0000 +++ nettle-3.7.3/debian/changelog 2021-10-29 04:20:18.000000000 +0000 
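Review bot: The scalar clamping `t[0] &= ~3; t[CURVE448_SIZE-1] = (t[CURVE448_SIZE-1] & 0x7f) | 0x80;` has no comment, and the `& 0x7f` is redundant because `| 0x80` sets that bit regardless; `t[CURVE448_SIZE-1] |= 0x80; /* RFC 7748 decodeScalar448: clear bits 0-1, set bit 447 */` says the same more plainly. The scratch handed to `curve448_eh_to_x (x, ng, scratch_out)` is `ecc->p.size + ecc->mul_g_itch` limbs (from `itch = 5*ecc->p.size + ecc->mul_g_itch` minus the `4*ecc->p.size` offset of `scratch_out`), while curve448-eh-to-x.c states that function needs 5*size; this is only sufficient if `ecc->mul_g_itch >= 4*ecc->p.size`, which nothing here checks, so an assert or a comment recording that dependency would help. The clamped scalar copy `t` is left on the stack after use; if the project clears secret material elsewhere, it should be cleared here as well.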
@@ -1,8 +1,128 @@ -nettle (3.4.1-1~16.04.sav0) xenial; urgency=low +nettle (3.7.3-1~16.04.sav0) xenial; urgency=high * Backport to Xenial + * debian/control: Set debhelper-compat (= 10) BD (LP highest for Xenial) + + debian/nettle.info: Add debian/tmp/ prefix (compat level < 11) - -- Rob Savoury Tue, 07 Jul 2020 23:14:25 -0700 + -- Rob Savoury Thu, 28 Oct 2021 21:20:18 -0700 + +nettle (3.7.3-1) unstable; urgency=high + + * New upstream release fixing bugs that could make the RSA decryption + functions crash on invalid inputs [CVE-2021-3580] (Closes: #989631). + + -- Magnus Holmgren Thu, 10 Jun 2021 08:51:41 +0200 + +nettle (3.7.2-3) unstable; urgency=medium + + * libnettle8.symbols: Drop two more (internal) symbols from armel and + armhf. + + -- Magnus Holmgren Mon, 05 Apr 2021 20:49:56 +0200 + +nettle (3.7.2-2) unstable; urgency=medium + + * libnettle8.symbols: Drop two ARM-specific symbols after the ARM Neon + assembly code for doing single-block Salsa20 and Chacha was deleted. + * Mention bug and CVE numbers in previos changelog entry. + + -- Magnus Holmgren Mon, 05 Apr 2021 19:48:52 +0200 + +nettle (3.7.2-1) unstable; urgency=medium + + [ Andreas Metzler ] + * New upstream version, fixing a bug in ECDSA signature verification that + could lead to a denial of service attack (via an assertion failure) or + possibly incorrect results (CVE-2021-20305) (Closes: #985652). + + Drop cherry-picked patches added in previous upload. + + Update copyright file. + + [ Magnus Holmgren ] + * Update symbol files. + + -- Magnus Holmgren Fri, 02 Apr 2021 23:35:53 +0200 + +nettle (3.7-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix chacha breakage on ppc64(el). Closes: #982482 + + 0001-Improve-chacha-test-coverage.patch + + 0002-Fix-chacha-counter-update-for-_4core-variants.patch + + -- Andreas Metzler Sat, 13 Feb 2021 08:34:20 +0100 + +nettle (3.7-2) unstable; urgency=low + + * Adjust libnettle8.symbols. 
+ + -- Magnus Holmgren Mon, 01 Feb 2021 00:01:59 +0100 + +nettle (3.7-1) unstable; urgency=low + + * New upstream release. + + -- Magnus Holmgren Sun, 31 Jan 2021 18:47:26 +0100 + +nettle (3.6-2) unstable; urgency=low + + * Upload to unstable. + * Convert version control to git and move to salsa.debian.org. + + -- Magnus Holmgren Wed, 15 Jul 2020 14:12:59 +0200 + +nettle (3.6-1) experimental; urgency=low + + * New upstream release (Closes: #959441). Upload to experimental. New + SONAMEs libnettle8 and libhogweed6. Thanks to Andreas Metzler. + * Only symlink docdir for nettle-bin, allowing future independent + library sonames bumps of nettle and hogweed (Closes: #956524). + * Drop -Wl,--as-needed linker flag; used by default by bullseye + toolchain. + * Convert to dh format and upgrade to compat level 12 + * Drop unnecessary configure flags --enable-shared (enabled by default) and + --disable-dependency-tracking (only relevant to BSD Make) and makeinfo + flag --enable-encoding (enabled by default now). + * No longer exclude *.pdf from dh_compress. + * Build with --enable-fat, this time hopefully with the right symbol + architecture tags. + * Update debian/copyright. + * Drop lintian override. + + -- Magnus Holmgren Mon, 11 May 2020 01:34:26 +0200 + +nettle (3.5.1+really3.5.1-2) unstable; urgency=low + + * Upload to unstable. + + -- Magnus Holmgren Thu, 24 Oct 2019 21:29:22 +0200 + +nettle (3.5.1+really3.5.1-1) experimental; urgency=low + + * Upload 3.5.1 to experimental (Closes: #933266). + * Correctly mark architecture-specific symbols this time. + + -- Magnus Holmgren Sat, 07 Sep 2019 17:18:16 +0200 + +nettle (3.5.1+really3.4.1-1) unstable; urgency=low + + * Revert to 3.4.1 to acquire a transition slot (Closes: #938959). Not + building with --enable-fat either because symbol differences between + platforms need to be checked. 
+ + -- Magnus Holmgren Fri, 30 Aug 2019 21:37:04 +0200 + +nettle (3.5.1-1) unstable; urgency=low + + * New upstream release (Closes: #933266). New SONAMEs libnettle7 and + libhogweed5. + * Drop multiarch_dev.patch; not needed because no stdint header is + generated anymore. + * Try building with --enable-fat (Closes: #861632). + * Change libgmp10-dev build dependency to libgmp-dev, which has been the + real package name since 2011. + * Override lintian warning about -lgmp in hogweed.pc (it's after a #). + + -- Magnus Holmgren Sat, 24 Aug 2019 22:01:56 +0200 nettle (3.4.1-1) unstable; urgency=low diff -Nru nettle-3.4.1/debian/compat nettle-3.7.3/debian/compat --- nettle-3.4.1/debian/compat 2017-09-10 19:24:36.000000000 +0000 +++ nettle-3.7.3/debian/compat 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -9 diff -Nru nettle-3.4.1/debian/control nettle-3.7.3/debian/control --- nettle-3.4.1/debian/control 2017-12-12 18:45:14.000000000 +0000 +++ nettle-3.7.3/debian/control 2021-10-29 04:15:30.000000000 +0000 @@ -2,14 +2,14 @@ Section: libs Priority: optional Maintainer: Magnus Holmgren -Build-Depends: dpkg-dev (>= 1.15.7), debhelper (>= 9.20160114), +Build-Depends: dpkg-dev (>= 1.15.7), debhelper-compat (= 10), libgmp-dev, m4, texinfo Standards-Version: 4.1.2 -Vcs-Svn: svn://svn.kibibyte.se/nettle/trunk -Vcs-Browser: http://svn.kibibyte.se/nettle +Vcs-Git: https://salsa.debian.org/holmgren/nettle.git +Vcs-Browser: https://salsa.debian.org/holmgren/nettle Homepage: http://www.lysator.liu.se/~nisse/nettle/ -Package: libnettle6 +Package: libnettle8 Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} @@ -31,7 +31,7 @@ algorithms. To avoid having this package depend on libgmp, the asymmetric cryptos reside in a separate library, libhogweed. -Package: libhogweed4 +Package: libhogweed6 Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} 
@@ -57,8 +57,8 @@ Section: libdevel Architecture: any Multi-Arch: same -Depends: libnettle6 (= ${binary:Version}), libhogweed4 (= ${binary:Version}), - libgmp10-dev, dpkg (>= 1.15.4) | install-info, ${misc:Depends} +Depends: libnettle8 (= ${binary:Version}), libhogweed6 (= ${binary:Version}), + libgmp-dev, dpkg (>= 1.15.4) | install-info, ${misc:Depends} Replaces: libnettle-dev Conflicts: libnettle-dev Description: low level cryptographic library (development files) diff -Nru nettle-3.4.1/debian/copyright nettle-3.7.3/debian/copyright --- nettle-3.4.1/debian/copyright 2017-09-10 21:15:50.000000000 +0000 +++ nettle-3.7.3/debian/copyright 2021-06-10 06:51:41.000000000 +0000 
@@ -2,135 +2,274 @@ Upstream-Name: Nettle Upstream-Contact: Niels Möller Source: http://www.lysator.liu.se/~nisse/nettle/ -Copyright: © 2001-2011 Niels Möller +Copyright: © 2001-2020 Niels Möller Some parts are Copyright © the Free Software Foundation and various people. See below and source code comments for details. -License: LGPL-2.1+ +License: LGPL-3+ or GPL-2+ Comment: - Nettle is distributed under the GNU Lesser General Public License - (LGPL). A few of the individual files are in the public domain. To + Nettle is dual licenced under the GNU General Public License version + 2 or later, and the GNU Lesser General Public License version 3 or + later. When using Nettle, you must comply fully with all conditions + of at least one of these licenses. A few of the individual files are + licensed under more permissive terms, or in the public domain. To find the current status of particular files, you have to read the copyright notices at the top of the files. . - A list of the supported algorithms, their origins and licenses (from - the manual): + A list of the supported algorithms, their origins, and exceptions to + the above licensing: . AES The implementation of the AES cipher (also known as rijndael) is - written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and - Niels Möller, Sparc assembler by Niels Möller. Released under the - LGPL. + written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and + Niels Möller, Sparc assembler by Niels Möller. . ARCFOUR The implementation of the ARCFOUR (also known as RC4) cipher is - written by Niels Möller. Released under the LGPL. + written by Niels Möller. . ARCTWO The implementation of the ARCTWO (also known as RC2) cipher is written by Nikos Mavroyanopoulos and modified by Werner Koch and - Simon Josefsson. Released under the LGPL. + Simon Josefsson. . BLOWFISH The implementation of the BLOWFISH cipher is written by Werner - Koch, copyright owned by the Free Software Foundation. 
Also hacked - by Simon Josefsson and Niels Möller. Released under the LGPL. + Koch, copyright owned by the Free Software Foundation. Also hacked + by Simon Josefsson and Niels Möller. . CAMELLIA The C implementation is by Nippon Telegraph and Telephone - Corporation (NTT), heavily modified by Niels Möller. Assembler for - x86 and x86_64 by Niels Möller. Released under the LGPL. + Corporation (NTT), heavily modified by Niels Möller. Assembler for + x86 and x86_64 by Niels Möller. . CAST128 The implementation of the CAST128 cipher is written by Steve Reid. Released into the public domain. . + CHACHA + Implemented by Joachim Strömbergson, based on the implementation of + SALSA20 (see below). Assembly for x86_64 by Niels Möller. + . DES The implementation of the DES cipher is written by Dana L. How, and - released under the LGPL. + released under the LGPL, version 2 or later. + . + GOSTHASH94 + The C implementation of the GOST94 message digest is written by + Aleksey Kravchenko and was ported from the rhash library by Nikos + Mavrogiannopoulos. It is released under the MIT license. . MD2 The implementation of MD2 is written by Andrew Kuchling, and hacked - some by Andreas Sigfridsson and Niels Möller. Python Cryptography + some by Andreas Sigfridsson and Niels Möller. Python Cryptography Toolkit license (essentially public domain). . MD4 This is almost the same code as for MD5 below, with modifications - by Marcus Comstedt. Released into the public domain. + by Marcus Comstedt. Released into the public domain. . MD5 The implementation of the MD5 message digest is written by Colin Plumb. It has been hacked some more by Andrew Kuchling and Niels Möller. Released into the public domain. . + PBKDF2 + The C implementation of PBKDF2 is based on earlier work for Shishi + and GnuTLS by Simon Josefsson. + . + RIPEMD160 + The implementation of RIPEMD160 message digest is based on the code + in libgcrypt, copyright owned by the Free Software Foundation. 
+ Ported to Nettle by Andres Mejia. + . + SALSA20 + The C implementation of SALSA20 is based on D. J. Bernstein’s + reference implementation (in the public domain), adapted to Nettle + by Simon Josefsson, and heavily modified by Niels Möller. Assembly + for x86_64 and ARM by Niels Möller. + . SERPENT - The implementation of the SERPENT is based on the code in + The implementation of the SERPENT cipher is based on the code in libgcrypt, copyright owned by the Free Software Foundation. - Adapted to Nettle by Simon Josefsson and heavily modified by - Niels Möller. Assembly for x86_64 by Niels Möller. Released under - the LGPL. + Adapted to Nettle by Simon Josefsson and heavily modified by Niels + Möller. Assembly for x86_64 by Niels Möller. + . + POLY1305 + Based on the implementation by Andrew M. (floodyberry), modified by + Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by + Niels Möller. . SHA1 The C implementation of the SHA1 message digest is written by Peter Gutmann, and hacked some more by Andrew Kuchling and Niels Möller. - Released into the public domain. Assembler for x86 by Niels Möller, - released under the LGPL. + Released into the public domain. Assembler for x86, x86_64 and ARM + by Niels Möller, released under the LGPL. + . + SHA2 + Written by Niels Möller, using Peter Gutmann’s SHA1 code as a + model. . - SHA224, SHA256, SHA384, and SHA512 - Written by Niels Möller, using Peter Gutmann's SHA1 code as a - model. Released under the LGPL. + SHA3 + Written by Niels Möller. . TWOFISH The implementation of the TWOFISH cipher is written by Ruud de - Rooij. Released under the LGPL. + Rooij. + . + UMAC + Written by Niels Möller. + . + CMAC + Written by Nikos Mavrogiannopoulos, Niels Möller, Jeremy Allison, + Michael Adam and Stefan Metzmacher. . RSA - Written by Niels Möller, released under the LGPL. Uses the GMP - library for bignum operations. + Written by Niels Möller. Uses the GMP library for bignum + operations. . 
DSA - Written by Niels Möller, released under the LGPL. Uses the GMP - library for bignum operations. + Written by Niels Möller. Uses the GMP library for bignum + operations. + . + ECDSA + Written by Niels Möller. Uses the GMP library for bignum + operations. Development of Nettle’s ECC support was funded by the + .SE Internet Fund. Files: * -Copyright: © 2001-2011 Niels Möller -License: LGPL-2.1+ +Copyright: 2001-2020 Niels Möller +License: LGPL-3+ or GPL-2+ -Files: aes-set-* -Copyright: © 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller -License: LGPL-2.1+ - -Files: arctwo* -Copyright: © 2003 Nikos Mavroyanopoulos - © 2004 Simon Josefsson - © 2004 Free Software Foundation, Inc. - © 2002, 2004 Niels Möller -License: LGPL-2.1+ +Files: aes-invert-internal.c aes-set-decrypt-key.c + aes-set-encrypt-key.c aes-set-key-internal.c +Copyright: 2013, Niels Möller + 2000-2002, Rafael R. Sevilla, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: x86*/aes-*-internal.asm +Copyright: 2001, 2002, 2005 Rafael R. Sevilla, Niels Möller + 2008, 2013 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: arctwo.c +Copyright: 2003 Nikos Mavroyanopoulos + 2004 Simon Josefsson + 2004 Free Software Foundation, Inc. 
+ 2002, 2004, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: arctwo-meta.c pbkdf2.c + salsa20-128-set-key.c salsa20-256-set-key.c + salsa20-core-internal.c + salsa20-set-key.c salsa20-set-nonce.c +Copyright: 2012-2014 Niels Möller + 2004, 2012 Simon Josefsson +License: LGPL-3+ or GPL-2+ + +Files: arctwo.h + salsa20-internal.h salsa20.h +Copyright: 2004, 2012 Simon Josefsson + 2001, 2002, 2004, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ Files: base64.h base64-meta.c -Copyright: © 2002 Dan Egnor - © 2002 Niels Möller -License: LGPL-2.1+ +Copyright: 2002 Dan Egnor, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: base64url-decode.c base64url-encode.c +Copyright: 2015 Amos Jeffries, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: block-internal.h +Copyright: 2019 Dmitry Eremin-Solenikov + 2018 Red Hat, Inc. + 2011 Katholieke Universiteit Leuven + 2011, 2013, 2018 Niels Möller +License: LGPL-3+ or GPL-2+ Files: blowfish.c -Copyright: © 1998, 2001, 2002, 2003 Free Software Foundation, Inc. - © 2010 Simon Josefsson -License: LGPL-2.1+ +Copyright: 1998, 2001, 2002, 2003 Free Software Foundation, Inc. + 2010 Simon Josefsson +License: LGPL-3+ or GPL-2+ Files: blowfish.h -Copyright: © 1998, 2001 Free Software Foundation, Inc. - © 1998, 2001 Ray Dassen - © 1998, 2001 Niels Möller -License: LGPL-2.1+ - -Files: camellia-table.c camellia-crypt-internal.c -Copyright: © 2006, 2007 NTT (Nippon Telegraph and Telephone Corporation) - © 2010 Niels Möller -License: LGPL-2.1+ +Copyright: 1998, 2001 Free Software Foundation, Inc. 
+ 1998, 2001 Ray Dassen + 1998, 2001 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: camellia-table.c camellia-crypt-internal.c camellia.h camellia-internal.h + camellia128-set-encrypt-key.c camellia256-set-encrypt-key.c camellia-absorb.c +Copyright: 2006, 2007 NTT (Nippon Telegraph and Telephone Corporation) + 2010, 2013 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: ccm.c ccm.h ccm-aes128.c + ccm-aes192.c ccm-aes256.c +Copyright: 2014 Owen Kirby + 2014 Exegin Technologies Limited +License: LGPL-3+ or GPL-2+ + +Files: cfb.c + cfb.h + ecc-gostdsa-sign.c + ecc-gostdsa-verify.c + gostdsa-sign.c + gostdsa-verify.c +Copyright: 2015, 2017 Dmitry Eremin-Solenikov + 2001, 2011, 2013, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: chacha-core-internal.c chacha-crypt.c + chacha-internal.h chacha.h chacha-set-nonce.c +Copyright: 2012 Simon Josefsson + 2013 Joachim Strömbergson + 2012, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: cmac-aes128.c cmac-aes256.c + cmac.h hkdf.c hkdf.h + xts-aes128.c xts-aes256.c xts.c +Copyright: 2017, 2018 Red Hat, Inc. +License: LGPL-3+ or GPL-2+ + +Files: cmac-des3-meta.c +Copyright: 2020 Dmitry Baryshkov +License: LGPL-3+ or GPL-2+ + +Files: cmac-des3.c + ecc-gost-gc256b.c ecc-gost-gc512a.c + gost28147-internal.h gostdsa-vko.c + hmac-gosthash94.c pbkdf2-hmac-gosthash94.c +Copyright: 2016-2020 Dmitry Eremin-Solenikov +License: LGPL-3+ or GPL-2+ + +Files: cmac.c cmac64.c +Copyright: 2012 Stefan Metzmacher, Michael Adam, Jeremy Allison + 2017 Red Hat Inc. + 2019 Dmitry Eremin-Solenikov +License: LGPL-3+ or GPL-2+ + +Files: ctr16.c + pkcs1-internal.h pkcs1-sec-decrypt.c + version.h.in xts.h +Copyright: 2015, 2017, 2018 Red Hat, Inc. + 2001, 2002, 2005-2018 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: curve448-eh-to-x.c curve448.h + curve448-mul-g.c curve448-mul.c + ecc-curve448.c ed448-shake256-pubkey.c + ed448-shake256-sign.c ed448-shake256-verify.c + shake256.c +Copyright: 2017 Red Hat, Inc. 
+ 2017 Daiki Ueno +License: LGPL-3+ or GPL-2+ Files: der2dsa.c -Copyright: © 2005, 2009 Niels Möller - © 2009 Magnus Holmgren -License: LGPL-2.1+ +Copyright: 2005, 2009, 2014 Niels Möller + 2009 Magnus Holmgren +License: LGPL-3+ or GPL-2+ Files: desCode.h descode.README desdata.c desinfo.c Copyright: © 2002 Dana L. How 
@@ -154,116 +293,240 @@ /usr/share/common-licenses/LGPL-2. Files: des.c des.h -Copyright: © 1992 Dana L. How - © 1997, 2001 Niels Möller -License: LGPL-2.1+ +Copyright: 1992 Dana L. How + 1997, 2001 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: dsa2sexp.c +Copyright: 2002, 2009, 2014 Niels Möller + 2009 Magnus Holmgren +License: LGPL-3+ or GPL-2+ + +Files: eccdata.c eddsa-hash.c +Copyright: 2017 Red Hat, Inc. + 2017 Daiki Ueno + 2013, 2014, 2017, 2019 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: examples/base16dec.c examples/base16enc.c + examples/base64dec.c examples/base64enc.c +Copyright: 2006, 2012, Jeronimo Pellegrini, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: examples/nettle-openssl.c +Copyright: 2015, 2017, 2018, Red Hat, Inc. + 2001, 2002, 2005-2018, Niels Möller +License: LGPL-3+ or GPL-2+ Files: gcm.c gcm.h -Copyright: © 2011 Katholieke Universiteit Leuven - © 2011 Niels Möller -License: LGPL-2.1+ +Copyright: 2011 Katholieke Universiteit Leuven + 2011, 2013, 2018 Niels Möller + 2018 Red Hat, Inc. 
+License: LGPL-3+ or GPL-2+ + +Files: gmp-glue.c + gmp-glue.h +Copyright: 2013 Red Hat, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: gost28147.c gosthash94.c +Copyright: 2019 Dmitry Eremin-Solenikov + 2009-2012 Aleksey Kravchenko +License: Expat + +Files: gostdsa.h +Copyright: 2015, Dmity Eremin-Solenikov + 2013, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: gosthash94-meta.c +Copyright: 2012, Nikos Mavrogiannopoulos, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: gosthash94.h +Copyright: 2012, Nikos Mavrogiannopoulos, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: hmac-md5-meta.c hmac-ripemd160-meta.c + hmac-sha1-meta.c hmac-sha224-meta.c + hmac-sha256-meta.c hmac-sha384-meta.c + hmac-sha512-meta.c nettle-meta-macs.c + pss-mgf1.c pss-mgf1.h pss.c pss.h + rsa-pss-sha256-sign-tr.c rsa-pss-sha256-verify.c + rsa-pss-sha512-sign-tr.c rsa-pss-sha512-verify.c +Copyright: 2017, 2020 Daiki Ueno +License: LGPL-3+ or GPL-2+ Files: md2.c -Copyright: © ? Andrew Kuchling - © 2003 Andreas Sigfridsson - © 2003 Niels Möller -License: LGPL-2.1+ +Copyright: ? Andrew Kuchling + 2003 Andreas Sigfridsson + 2003 Niels Möller +License: LGPL-3+ or GPL-2+ Files: md4.c -Copyright: © 2003 Marcus Comstedt - © 2003 Niels Möller -License: LGPL-2.1+ +Copyright: 2003 Marcus Comstedt + 2003 Niels Möller +License: LGPL-3+ or GPL-2+ Files: md5.c md5-compress.c -Copyright: © Colin Plumb, Andrew Kuchling - © 2001 Niels Möller -License: LGPL-2.1+ +Copyright: Colin Plumb, Andrew Kuchling + 2001 Niels Möller +License: LGPL-3+ or GPL-2+ Files: memxor.c -Copyright: © 1991,1993, 1995 Free Software Foundation, Inc. - © 2010 Niels Möller -License: LGPL-2.1+ +Copyright: 1991,1993, 1995 Free Software Foundation, Inc. 
+ 2010 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: nettle-meta-armors.c + nettle-meta-ciphers.c + nettle-meta-hashes.c +Copyright: 2011 Daniel Kahn Gillmor +License: LGPL-3+ or GPL-2+ + +Files: pbkdf2-hmac-sha1.c + pbkdf2-hmac-sha256.c + pbkdf2.h + salsa20-crypt.c +Copyright: 2012, Simon Josefsson +License: LGPL-3+ or GPL-2+ + +Files: pbkdf2-hmac-sha384.c pbkdf2-hmac-sha512.c +Copyright: 2012 Simon Josefsson + 2021 Nicolas Mora +License: LGPL-3+ or GPL-2+ + +Files: poly1305-aes.c +Copyright: 2014 Niels Möller + 2013 Nikos Mavrogiannopoulos +License: LGPL-3+ or GPL-2+ + +Files: poly1305-internal.c +Copyright: 2013, Nikos Mavrogiannopoulos + 2013 Niels Möller + 2012, 2013 Andrew M. (floodyberry) +License: LGPL-3+ or GPL-2+ + +Files: poly1305-internal.h + poly1305.h +Copyright: 2013, Nikos Mavrogiannopoulos + 2013, 2014, Niels Möller +License: LGPL-3+ or GPL-2+ Files: ripemd160.c ripemd160-compress.c -Copyright: © 1998, 2001, 2002, 2003 Free Software Foundation, Inc. -License: LGPL-2.1+ +Copyright: 1998, 2001, 2002, 2003 Free Software Foundation, Inc. +License: LGPL-3+ or GPL-2+ -Files: ripemd160-meta.c ripemd160.h -Copyright: © 2011 Andres Mejia -License: LGPL-2.1+ - -Files: serpent-encrypt.c serpent-decrypt.c serpent-set-key.c -Copyright: © 1998 Ross Anderson, Eli Biham, Lars Knudsen - © 2003, 2004, 2005 Free Software Foundation, Inc. 
- © 2010, 2011 Simon Josefsson - © 2011 Niels Möller -License: LGPL-2.1+ - -Files: sha* -Copyright: © 2001, 2004 Peter Gutmann, Andrew Kuchling, Niels Möller -License: LGPL-2.1+ +Files: ripemd160-meta.c ripemd160.h ripemd160-internal.h +Copyright: 2011 Andres Mejia +License: LGPL-3+ or GPL-2+ + +Files: rsa-blind.c rsa-decrypt-tr.c +Copyright: 2001, 2012, Niels Möller, Nikos Mavrogiannopoulos +License: LGPL-3+ or GPL-2+ + +Files: rsa-pkcs1-sign-tr.c salsa20r12-crypt.c + siv-cmac-aes128.c siv-cmac-aes256.c + siv-cmac.c siv-cmac.h +Copyright: 2012, 2013, 2017, 2018, Nikos Mavrogiannopoulos +License: LGPL-3+ or GPL-2+ + +Files: rsa-sec-compute-root.c +Copyright: 2018 Red Hat, Inc + 2018 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: rsa-sec-decrypt.c +Copyright: 2018, Red Hat, Inc. + 2001, 2012, Niels Möller, Nikos Mavrogiannopoulos +License: LGPL-3+ or GPL-2+ + +Files: rsa-sign-tr.c +Copyright: 2018, Red Hat Inc. + 2012, Nikos Mavrogiannopoulos + 2001, 2015, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: serpent-encrypt.c serpent-decrypt.c serpent-set-key.c serpent-internal.h +Copyright: 1998 Ross Anderson, Eli Biham, Lars Knudsen + 2003, 2004, 2005 Free Software Foundation, Inc. 
+ 2010, 2011 Simon Josefsson + 2011, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: sha1-compress.c +Copyright: 2001, 2004 Peter Gutmann, Andrew Kuchling, Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: sha512.c +Copyright: 2013, 2014 Joachim Strömbergson + 2001, 2010, 2012, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: testsuite/arctwo-test.c +Copyright: 2004, 2012 Simon Josefsson + 2001, 2002, 2004, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: testsuite/ccm-test.c +Copyright: 2014 Owen Kirby + 2014 Exegin Technologies Limited +License: LGPL-3+ or GPL-2+ + +Files: testsuite/chacha-test.c +Copyright: 2013, 2014 Joachim Strömbergson + 2001, 2010, 2012, 2014 Niels Möller +License: LGPL-3+ or GPL-2+ + +Files: testsuite/curve448-dh-test.c + testsuite/ed448-test.c + testsuite/shake256-test.c +Copyright: 2017, Red Hat, Inc. + 2017, Daiki Ueno +License: LGPL-3+ or GPL-2+ + +Files: testsuite/siv-test.c +Copyright: 2012, 2013, 2017, 2018 Nikos Mavrogiannopoulos +License: LGPL-3+ or GPL-2+ + +Files: texinfo.tex +Copyright: 1985, 1986, 1988, 1990-2009, Free Software Foundation, Inc. +License: GPL-3+ + This texinfo.tex file is free software: you can redistribute it and/or + modify it under the terms of the GNU General Public License as + published by the Free Software Foundation, either version 3 of the + License, or (at your option) any later version. + . + This texinfo.tex file is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied warranty + of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + As a special exception, when this file is read by TeX when processing + a Texinfo source document, you may use the result without + restriction. (This has been our intent since Texinfo was invented.) 
Files: twofish* -Copyright: © 1999 Ruud de Rooij - © 1999 J.H.M. Dassen (Ray) - © 2001 Niels Möller -License: LGPL-2.1+ - -Files: dsa2sexp.c -Copyright: © 2002, 2009 Niels Möller - © 2009 Magnus Holmgren -License: LGPL-2.1+ - -Files: testsuite/des-compat-test.c -Copyright: © 1995-1997 Eric Young (eay@cryptsoft.com) -License: other - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: - 1. Redistributions of source code must retain the copyright - notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - 3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - "This product includes cryptographic software written by - Eric Young (eay@cryptsoft.com)" - The word 'cryptographic' can be left out if the rouines from the library - being used are not cryptographic related :-). - 4. If you include any Windows specific code (or a derivative thereof) from - the apps directory (application code) you must include an acknowledgement: - "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - . - THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - SUCH DAMAGE. +Copyright: 1999 Ruud de Rooij + 1999 J.H.M. Dassen (Ray) + 2001 Niels Möller +License: LGPL-3+ or GPL-2+ Files: tools/pkcs1-conv.c -Copyright: © 2005, 2009 Niels Möller - © 2009 Magnus Holmgren -License: LGPL-2.1+ - -Files: x86*/aes-*-internal.asm -Copyright: © 2001, 2002, 2005, 2008 Rafael R. Sevilla - © 2001, 2002, 2005, 2008 Niels Möller -License: LGPL-2.1+ +Copyright: 2005, 2009, 2014 Niels Möller + 2009 Magnus Holmgren +License: LGPL-3+ or GPL-2+ -Files: tools/getopt* -Copyright: © 1987-2001 Free Software Foundation, Inc. +Files: getopt* +Copyright: 1987-2001 Free Software Foundation, Inc. License: GPL-2+ Files: config.guess config.sub -Copyright: © 1992-2003 Free Software Foundation, Inc. -License: GPL-2+ with Autoconf exception +Copyright: © 1992-2020 Free Software Foundation, Inc. +License: GPL-3+ with Autoconf exception As a special exception to the GNU General Public License, if you distribute this file as part of a program that contains a configuration script generated by Autoconf, you may include it under @@ -276,8 +539,8 @@ expression eligible for copyright. Files: debian/sexp-conv.1 -Copyright: © 2002 Timshel Knoll - © 2007 Magnus Holmgren +Copyright: 2002 Timshel Knoll + 2007 Magnus Holmgren License: GPL-2 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -302,26 +565,25 @@ it can be considered released under the same license as LSH itself. Files: debian/pkcs1-conv.1 debian/nettle-lfib-stream.1 -Copyright: © 2007 Magnus Holmgren +Copyright: 2007 Magnus Holmgren License: GAP Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. -License: LGPL-2.1+ +License: LGPL-3+ The nettle library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or (at your + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. . - The nettle library is distributed in the hope that it will be useful, but + GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. . You should have received a copy of the GNU Lesser General Public - License along with this library; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + License along with this library; if not, see http://www.gnu.org/licenses/. . On Debian GNU/Linux systems, the complete text of the newest version of the GNU Lesser General Public License can be found in @@ -333,7 +595,7 @@ the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . - This program is distributed in the hope that it will be useful, + GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
@@ -346,3 +608,23 @@ On Debian GNU/Linux systems, the complete text of the newest version of the GNU General Public License can be found in
 /usr/share/common-licenses/GPL.
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff -Nru nettle-3.4.1/debian/gbp.conf nettle-3.7.3/debian/gbp.conf
--- nettle-3.4.1/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/debian/gbp.conf 2021-06-10 06:51:41.000000000 +0000
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+upstream-signatures = on
diff -Nru nettle-3.4.1/debian/libhogweed4.install nettle-3.7.3/debian/libhogweed4.install
--- nettle-3.4.1/debian/libhogweed4.install 2015-04-27 19:59:59.000000000 +0000
+++ nettle-3.7.3/debian/libhogweed4.install 1970-01-01 00:00:00.000000000 +0000
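Review bot: `upstream-signatures = on` in the new debian/gbp.conf makes gbp import-orig verify the upstream tarball's detached signature, but nothing in this diff adds the key it is verified against (gbp looks for `debian/upstream/signing-key.asc`); if that file is not already in the packaging, imports will fail, and if it is, it is the actual trust anchor for the upstream supply chain and its provenance deserves a note. A one-line comment in the file, e.g. `# upstream tarballs are verified against debian/upstream/signing-key.asc`, would make that expectation explicit for the next maintainer. `pristine-tar = True` needs no further comment.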
@@ -1 +0,0 @@
-usr/lib/*/libhogweed*.so.*
diff -Nru nettle-3.4.1/debian/libhogweed4.symbols nettle-3.7.3/debian/libhogweed4.symbols
--- nettle-3.4.1/debian/libhogweed4.symbols 2018-12-04 20:45:26.000000000 +0000
+++ nettle-3.7.3/debian/libhogweed4.symbols 1970-01-01 00:00:00.000000000 +0000
@@ -1,265 +0,0 @@ -libhogweed.so.4 libhogweed4 #MINVER# - HOGWEED_4@HOGWEED_4 0 - _nettle_cnd_copy@HOGWEED_4 0 - _nettle_cnd_swap@HOGWEED_4 0 - _nettle_curve25519@HOGWEED_4 0 - _nettle_curve25519_eh_to_x@HOGWEED_4 0 - _nettle_dsa_hash@HOGWEED_4 0 - _nettle_ecc_a_to_j@HOGWEED_4 0 - _nettle_ecc_add_eh@HOGWEED_4 0 - _nettle_ecc_add_ehh@HOGWEED_4 0 - _nettle_ecc_add_jja@HOGWEED_4 0 - _nettle_ecc_add_jjj@HOGWEED_4 0 - _nettle_ecc_dup_eh@HOGWEED_4 0 - _nettle_ecc_dup_jj@HOGWEED_4 0 - _nettle_ecc_eh_to_a@HOGWEED_4 0 - _nettle_ecc_hash@HOGWEED_4 0 - _nettle_ecc_j_to_a@HOGWEED_4 0 - _nettle_ecc_mod@HOGWEED_4 0 - _nettle_ecc_mod_add@HOGWEED_4 0 - _nettle_ecc_mod_addmul_1@HOGWEED_4 0 - _nettle_ecc_mod_inv@HOGWEED_4 0 - _nettle_ecc_mod_mul@HOGWEED_4 0 - _nettle_ecc_mod_mul_1@HOGWEED_4 0 - _nettle_ecc_mod_random@HOGWEED_4 0 - _nettle_ecc_mod_sqr@HOGWEED_4 0 - _nettle_ecc_mod_sub@HOGWEED_4 0 - _nettle_ecc_mod_submul_1@HOGWEED_4 0 - _nettle_ecc_mul_a@HOGWEED_4 0 - _nettle_ecc_mul_a_eh@HOGWEED_4 0 - _nettle_ecc_mul_g@HOGWEED_4 0 - _nettle_ecc_mul_g_eh@HOGWEED_4 0 - _nettle_ecc_pm1_redc@HOGWEED_4 0 - _nettle_ecc_pp1_redc@HOGWEED_4 0 - _nettle_eddsa_compress@HOGWEED_4 0 - _nettle_eddsa_compress_itch@HOGWEED_4 0 - _nettle_eddsa_decompress@HOGWEED_4 0 - _nettle_eddsa_decompress_itch@HOGWEED_4 0 - _nettle_eddsa_expand_key@HOGWEED_4 0 - _nettle_eddsa_hash@HOGWEED_4 0 - _nettle_eddsa_public_key@HOGWEED_4 0 - _nettle_eddsa_public_key_itch@HOGWEED_4 0 - _nettle_eddsa_sign@HOGWEED_4 0 - _nettle_eddsa_sign_itch@HOGWEED_4 0 - _nettle_eddsa_verify@HOGWEED_4 0 - _nettle_eddsa_verify_itch@HOGWEED_4 0 - _nettle_generate_pocklington_prime@HOGWEED_4 0 - _nettle_gmp_alloc@HOGWEED_4 0 - _nettle_gmp_alloc_limbs@HOGWEED_4 0 - _nettle_gmp_free@HOGWEED_4 0 - _nettle_gmp_free_limbs@HOGWEED_4 0 - _nettle_mpn_get_base256@HOGWEED_4 3.4.1~rc1~ - _nettle_mpn_get_base256_le@HOGWEED_4 0 - _nettle_mpn_set_base256@HOGWEED_4 0 - _nettle_mpn_set_base256_le@HOGWEED_4 0 - _nettle_mpz_limbs_cmp@HOGWEED_4 0 - 
_nettle_mpz_limbs_copy@HOGWEED_4 0 - (optional)_nettle_mpz_limbs_finish@HOGWEED_4 0 - (optional)_nettle_mpz_limbs_modify@HOGWEED_4 0 - (optional)_nettle_mpz_limbs_read@HOGWEED_4 0 - _nettle_mpz_limbs_read_n@HOGWEED_4 0 - (optional)_nettle_mpz_limbs_write@HOGWEED_4 0 - (optional)_nettle_mpz_roinit_n@HOGWEED_4 0 - _nettle_mpz_set_n@HOGWEED_4 0 - _nettle_pkcs1_sec_decrypt@HOGWEED_4 3.4.1~rc1~ - _nettle_pkcs1_sec_decrypt_variable@HOGWEED_4 3.4.1~rc1~ - _nettle_pkcs1_signature_prefix@HOGWEED_4 0 - _nettle_rsa_blind@HOGWEED_4 0 - _nettle_rsa_check_size@HOGWEED_4 0 - _nettle_rsa_sec_compute_root@HOGWEED_4 3.4.1~rc1~ - _nettle_rsa_sec_compute_root_itch@HOGWEED_4 3.4.1~rc1~ - _nettle_rsa_sec_compute_root_tr@HOGWEED_4 3.4.1~rc1~ - _nettle_rsa_unblind@HOGWEED_4 0 - _nettle_rsa_verify@HOGWEED_4 0 - _nettle_rsa_verify_recover@HOGWEED_4 3.4~ - _nettle_sec_add_1@HOGWEED_4 0 - _nettle_sec_sub_1@HOGWEED_4 0 - _nettle_sec_tabselect@HOGWEED_4 0 - nettle_asn1_der_decode_bitstring@HOGWEED_4 0 - nettle_asn1_der_decode_bitstring_last@HOGWEED_4 0 - nettle_asn1_der_decode_constructed@HOGWEED_4 0 - nettle_asn1_der_decode_constructed_last@HOGWEED_4 0 - nettle_asn1_der_get_bignum@HOGWEED_4 0 - nettle_asn1_der_get_uint32@HOGWEED_4 0 - nettle_asn1_der_iterator_first@HOGWEED_4 0 - nettle_asn1_der_iterator_next@HOGWEED_4 0 - nettle_curve25519_mul@HOGWEED_4 0 - nettle_curve25519_mul_g@HOGWEED_4 0 - nettle_dsa_compat_generate_keypair@HOGWEED_4 0 - nettle_dsa_generate_keypair@HOGWEED_4 0 - nettle_dsa_generate_params@HOGWEED_4 0 - nettle_dsa_keypair_from_sexp_alist@HOGWEED_4 0 - nettle_dsa_keypair_to_sexp@HOGWEED_4 0 - nettle_dsa_openssl_private_key_from_der_iterator@HOGWEED_4 0 - nettle_dsa_params_clear@HOGWEED_4 0 - nettle_dsa_params_from_der_iterator@HOGWEED_4 0 - nettle_dsa_params_init@HOGWEED_4 0 - nettle_dsa_private_key_clear@HOGWEED_4 0 - nettle_dsa_private_key_init@HOGWEED_4 0 - nettle_dsa_public_key_clear@HOGWEED_4 0 - nettle_dsa_public_key_from_der_iterator@HOGWEED_4 0 - 
nettle_dsa_public_key_init@HOGWEED_4 0 - nettle_dsa_sha1_keypair_from_sexp@HOGWEED_4 0 - nettle_dsa_sha1_sign@HOGWEED_4 0 - nettle_dsa_sha1_sign_digest@HOGWEED_4 0 - nettle_dsa_sha1_verify@HOGWEED_4 0 - nettle_dsa_sha1_verify_digest@HOGWEED_4 0 - nettle_dsa_sha256_keypair_from_sexp@HOGWEED_4 0 - nettle_dsa_sha256_sign@HOGWEED_4 0 - nettle_dsa_sha256_sign_digest@HOGWEED_4 0 - nettle_dsa_sha256_verify@HOGWEED_4 0 - nettle_dsa_sha256_verify_digest@HOGWEED_4 0 - nettle_dsa_sign@HOGWEED_4 0 - nettle_dsa_signature_clear@HOGWEED_4 0 - nettle_dsa_signature_from_sexp@HOGWEED_4 0 - nettle_dsa_signature_init@HOGWEED_4 0 - nettle_dsa_verify@HOGWEED_4 0 - (arch=any-amd64 armel armhf)nettle_ecc_192_modp@HOGWEED_4 0 - (arch=any-amd64 armel armhf)nettle_ecc_224_modp@HOGWEED_4 3.1.1~ - (arch=any-amd64)nettle_ecc_25519_modp@HOGWEED_4 0 - (arch=any-amd64 armel armhf)nettle_ecc_256_redc@HOGWEED_4 0 - (arch=any-amd64 armel armhf)nettle_ecc_384_modp@HOGWEED_4 0 - (arch=any-amd64 armel armhf)nettle_ecc_521_modp@HOGWEED_4 3.1.1~ - nettle_ecc_bit_size@HOGWEED_4 0 - nettle_ecc_ecdsa_sign@HOGWEED_4 0 - nettle_ecc_ecdsa_sign_itch@HOGWEED_4 0 - nettle_ecc_ecdsa_verify@HOGWEED_4 0 - nettle_ecc_ecdsa_verify_itch@HOGWEED_4 0 - nettle_ecc_point_clear@HOGWEED_4 0 - nettle_ecc_point_get@HOGWEED_4 0 - nettle_ecc_point_init@HOGWEED_4 0 - nettle_ecc_point_mul@HOGWEED_4 0 - nettle_ecc_point_mul_g@HOGWEED_4 0 - nettle_ecc_point_set@HOGWEED_4 0 - nettle_ecc_scalar_clear@HOGWEED_4 0 - nettle_ecc_scalar_get@HOGWEED_4 0 - nettle_ecc_scalar_init@HOGWEED_4 0 - nettle_ecc_scalar_random@HOGWEED_4 0 - nettle_ecc_scalar_set@HOGWEED_4 0 - nettle_ecc_size@HOGWEED_4 0 - nettle_ecc_size_a@HOGWEED_4 0 - nettle_ecc_size_j@HOGWEED_4 0 - nettle_ecdsa_generate_keypair@HOGWEED_4 0 - nettle_ecdsa_sign@HOGWEED_4 0 - nettle_ecdsa_verify@HOGWEED_4 0 - nettle_ed25519_sha512_public_key@HOGWEED_4 0 - nettle_ed25519_sha512_sign@HOGWEED_4 0 - nettle_ed25519_sha512_verify@HOGWEED_4 0 - nettle_get_secp_192r1@HOGWEED_4 3.4~ - 
nettle_get_secp_224r1@HOGWEED_4 3.4~ - nettle_get_secp_256r1@HOGWEED_4 3.4~ - nettle_get_secp_384r1@HOGWEED_4 3.4~ - nettle_get_secp_521r1@HOGWEED_4 3.4~ - nettle_mpz_get_str_256@HOGWEED_4 0 - nettle_mpz_init_set_str_256_s@HOGWEED_4 0 - nettle_mpz_init_set_str_256_u@HOGWEED_4 0 - nettle_mpz_random@HOGWEED_4 0 - nettle_mpz_random_size@HOGWEED_4 0 - nettle_mpz_set_sexp@HOGWEED_4 0 - nettle_mpz_set_str_256_s@HOGWEED_4 0 - nettle_mpz_set_str_256_u@HOGWEED_4 0 - nettle_mpz_sizeinbase_256_s@HOGWEED_4 0 - nettle_mpz_sizeinbase_256_u@HOGWEED_4 0 - nettle_openssl_provate_key_from_der@HOGWEED_4 0 - nettle_pgp_armor@HOGWEED_4 0 - nettle_pgp_crc24@HOGWEED_4 0 - nettle_pgp_put_header@HOGWEED_4 0 - nettle_pgp_put_header_length@HOGWEED_4 0 - nettle_pgp_put_length@HOGWEED_4 0 - nettle_pgp_put_mpi@HOGWEED_4 0 - nettle_pgp_put_public_rsa_key@HOGWEED_4 0 - nettle_pgp_put_rsa_sha1_signature@HOGWEED_4 0 - nettle_pgp_put_string@HOGWEED_4 0 - nettle_pgp_put_sub_packet@HOGWEED_4 0 - nettle_pgp_put_uint16@HOGWEED_4 0 - nettle_pgp_put_uint32@HOGWEED_4 0 - nettle_pgp_put_userid@HOGWEED_4 0 - nettle_pgp_sub_packet_end@HOGWEED_4 0 - nettle_pgp_sub_packet_start@HOGWEED_4 0 - nettle_pkcs1_decrypt@HOGWEED_4 0 - nettle_pkcs1_encrypt@HOGWEED_4 0 - nettle_pkcs1_rsa_digest_encode@HOGWEED_4 0 - nettle_pkcs1_rsa_md5_encode@HOGWEED_4 0 - nettle_pkcs1_rsa_md5_encode_digest@HOGWEED_4 0 - nettle_pkcs1_rsa_sha1_encode@HOGWEED_4 0 - nettle_pkcs1_rsa_sha1_encode_digest@HOGWEED_4 0 - nettle_pkcs1_rsa_sha256_encode@HOGWEED_4 0 - nettle_pkcs1_rsa_sha256_encode_digest@HOGWEED_4 0 - nettle_pkcs1_rsa_sha512_encode@HOGWEED_4 0 - nettle_pkcs1_rsa_sha512_encode_digest@HOGWEED_4 0 - nettle_pss_encode_mgf1@HOGWEED_4 3.4~ - nettle_pss_mgf1@HOGWEED_4 3.4~ - nettle_pss_verify_mgf1@HOGWEED_4 3.4~ - nettle_random_prime@HOGWEED_4 0 - nettle_rsa_compute_root@HOGWEED_4 0 - nettle_rsa_compute_root_tr@HOGWEED_4 3.2~ - nettle_rsa_decrypt@HOGWEED_4 0 - nettle_rsa_decrypt_tr@HOGWEED_4 0 - nettle_rsa_encrypt@HOGWEED_4 0 - 
nettle_rsa_generate_keypair@HOGWEED_4 0 - nettle_rsa_keypair_from_der@HOGWEED_4 0 - nettle_rsa_keypair_from_sexp@HOGWEED_4 0 - nettle_rsa_keypair_from_sexp_alist@HOGWEED_4 0 - nettle_rsa_keypair_to_openpgp@HOGWEED_4 0 - nettle_rsa_keypair_to_sexp@HOGWEED_4 0 - nettle_rsa_md5_sign@HOGWEED_4 0 - nettle_rsa_md5_sign_digest@HOGWEED_4 0 - nettle_rsa_md5_sign_digest_tr@HOGWEED_4 3.2~ - nettle_rsa_md5_sign_tr@HOGWEED_4 3.2~ - nettle_rsa_md5_verify@HOGWEED_4 0 - nettle_rsa_md5_verify_digest@HOGWEED_4 0 - nettle_rsa_pkcs1_sign@HOGWEED_4 0 - nettle_rsa_pkcs1_sign_tr@HOGWEED_4 0 - nettle_rsa_pkcs1_verify@HOGWEED_4 0 - nettle_rsa_private_key_clear@HOGWEED_4 0 - nettle_rsa_private_key_from_der_iterator@HOGWEED_4 0 - nettle_rsa_private_key_init@HOGWEED_4 0 - nettle_rsa_private_key_prepare@HOGWEED_4 0 - nettle_rsa_pss_sha256_sign_digest_tr@HOGWEED_4 3.4~ - nettle_rsa_pss_sha256_verify_digest@HOGWEED_4 3.4~ - nettle_rsa_pss_sha384_sign_digest_tr@HOGWEED_4 3.4~ - nettle_rsa_pss_sha384_verify_digest@HOGWEED_4 3.4~ - nettle_rsa_pss_sha512_sign_digest_tr@HOGWEED_4 3.4~ - nettle_rsa_pss_sha512_verify_digest@HOGWEED_4 3.4~ - nettle_rsa_public_key_clear@HOGWEED_4 0 - nettle_rsa_public_key_from_der_iterator@HOGWEED_4 0 - nettle_rsa_public_key_init@HOGWEED_4 0 - nettle_rsa_public_key_prepare@HOGWEED_4 0 - nettle_rsa_sec_decrypt@HOGWEED_4 3.4.1~rc1~ - nettle_rsa_sha1_sign@HOGWEED_4 0 - nettle_rsa_sha1_sign_digest@HOGWEED_4 0 - nettle_rsa_sha1_sign_digest_tr@HOGWEED_4 3.2~ - nettle_rsa_sha1_sign_tr@HOGWEED_4 3.2~ - nettle_rsa_sha1_verify@HOGWEED_4 0 - nettle_rsa_sha1_verify_digest@HOGWEED_4 0 - nettle_rsa_sha256_sign@HOGWEED_4 0 - nettle_rsa_sha256_sign_digest@HOGWEED_4 0 - nettle_rsa_sha256_sign_digest_tr@HOGWEED_4 3.2~ - nettle_rsa_sha256_sign_tr@HOGWEED_4 3.2~ - nettle_rsa_sha256_verify@HOGWEED_4 0 - nettle_rsa_sha256_verify_digest@HOGWEED_4 0 - nettle_rsa_sha512_sign@HOGWEED_4 0 - nettle_rsa_sha512_sign_digest@HOGWEED_4 0 - nettle_rsa_sha512_sign_digest_tr@HOGWEED_4 3.2~ - 
nettle_rsa_sha512_sign_tr@HOGWEED_4 3.2~ - nettle_rsa_sha512_verify@HOGWEED_4 0 - nettle_rsa_sha512_verify_digest@HOGWEED_4 0 - nettle_secp_192r1@HOGWEED_4 0 - nettle_secp_224r1@HOGWEED_4 0 - nettle_secp_256r1@HOGWEED_4 0 - nettle_secp_384r1@HOGWEED_4 0 - nettle_secp_521r1@HOGWEED_4 0 - nettle_sexp_format@HOGWEED_4 0 - nettle_sexp_iterator_assoc@HOGWEED_4 0 - nettle_sexp_iterator_check_type@HOGWEED_4 0 - nettle_sexp_iterator_check_types@HOGWEED_4 0 - nettle_sexp_iterator_enter_list@HOGWEED_4 0 - nettle_sexp_iterator_exit_list@HOGWEED_4 0 - nettle_sexp_iterator_first@HOGWEED_4 0 - nettle_sexp_iterator_get_uint32@HOGWEED_4 0 - nettle_sexp_iterator_next@HOGWEED_4 0 - nettle_sexp_iterator_subexpr@HOGWEED_4 0 - nettle_sexp_transport_format@HOGWEED_4 0 - nettle_sexp_transport_iterator_first@HOGWEED_4 0 - nettle_sexp_transport_vformat@HOGWEED_4 0 - nettle_sexp_vformat@HOGWEED_4 0 diff -Nru nettle-3.4.1/debian/libhogweed6.install nettle-3.7.3/debian/libhogweed6.install --- nettle-3.4.1/debian/libhogweed6.install 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/debian/libhogweed6.install 2021-06-10 06:51:41.000000000 +0000 @@ -0,0 +1 @@ +usr/lib/*/libhogweed*.so.* diff -Nru nettle-3.4.1/debian/libhogweed6.symbols nettle-3.7.3/debian/libhogweed6.symbols --- nettle-3.4.1/debian/libhogweed6.symbols 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/debian/libhogweed6.symbols 2021-06-10 06:51:41.000000000 +0000 
@@ -0,0 +1,291 @@ +libhogweed.so.6 libhogweed6 #MINVER# +* Build-Depends-Package: nettle-dev + HOGWEED_6@HOGWEED_6 0 + HOGWEED_INTERNAL_6_4@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_cnd_copy@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_curve25519@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_curve25519_eh_to_x@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_curve448@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_curve448_eh_to_x@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_dsa_hash@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_a_to_j@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_add_eh@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_add_ehh@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_add_jja@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_add_jjj@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_add_th@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_add_thh@HOGWEED_INTERNAL_6_4 3.7.3 + (arch=any-amd64)_nettle_ecc_curve25519_modp@HOGWEED_INTERNAL_6_4 3.7.3 + (arch=any-amd64)_nettle_ecc_curve448_modp@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_dup_eh@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_dup_jj@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_dup_th@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_eh_to_a@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_hash@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_j_to_a@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_add@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_addmul_1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_inv@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_mul@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_mul_1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_mul_canonical@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_pow_2k@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_pow_2k_mul@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_random@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_sqr@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_sqr_canonical@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_sub@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mod_submul_1@HOGWEED_INTERNAL_6_4 3.7.3 + 
_nettle_ecc_mul_a@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mul_a_eh@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mul_g@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mul_g_eh@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_mul_m@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_pm1_redc@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ecc_pp1_redc@HOGWEED_INTERNAL_6_4 3.7.3 + (arch=any-amd64 armel armhf)_nettle_ecc_secp192r1_modp@HOGWEED_INTERNAL_6_4 3.7.3 + (arch=any-amd64 armel armhf)_nettle_ecc_secp224r1_modp@HOGWEED_INTERNAL_6_4 3.7.3 + (arch=any-amd64 armel armhf)_nettle_ecc_secp256r1_redc@HOGWEED_INTERNAL_6_4 3.7.3 + (arch=any-amd64 armel armhf)_nettle_ecc_secp384r1_modp@HOGWEED_INTERNAL_6_4 3.7.3 + (arch=any-amd64 armel armhf)_nettle_ecc_secp521r1_modp@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ed25519_sha512@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_ed448_shake256@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_compress@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_compress_itch@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_decompress@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_decompress_itch@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_expand_key@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_hash@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_public_key@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_public_key_itch@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_sign@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_sign_itch@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_verify@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_eddsa_verify_itch@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_generate_pocklington_prime@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_gmp_alloc@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_gmp_alloc_limbs@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_gmp_free@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_gmp_free_limbs@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_gost_gc256b@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_gost_gc512a@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_gost_hash@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_mpn_get_base256@HOGWEED_INTERNAL_6_4 3.7.3 + 
_nettle_mpn_get_base256_le@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_mpn_set_base256@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_mpn_set_base256_le@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_mpz_limbs_cmp@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_mpz_limbs_copy@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_mpz_limbs_read_n@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_mpz_set_n@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_pkcs1_sec_decrypt@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_pkcs1_sec_decrypt_variable@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_pkcs1_signature_prefix@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_blind@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_check_size@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_sec_compute_root@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_sec_compute_root_itch@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_sec_compute_root_tr@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_unblind@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_verify@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_rsa_verify_recover@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_sec_add_1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_sec_sub_1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_sec_tabselect@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_secp_192r1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_secp_224r1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_secp_256r1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_secp_384r1@HOGWEED_INTERNAL_6_4 3.7.3 + _nettle_secp_521r1@HOGWEED_INTERNAL_6_4 3.7.3 + nettle_asn1_der_decode_bitstring@HOGWEED_6 0 + nettle_asn1_der_decode_bitstring_last@HOGWEED_6 0 + nettle_asn1_der_decode_constructed@HOGWEED_6 0 + nettle_asn1_der_decode_constructed_last@HOGWEED_6 0 + nettle_asn1_der_get_bignum@HOGWEED_6 0 + nettle_asn1_der_get_uint32@HOGWEED_6 0 + nettle_asn1_der_iterator_first@HOGWEED_6 0 + nettle_asn1_der_iterator_next@HOGWEED_6 0 + nettle_curve25519_mul@HOGWEED_6 0 + nettle_curve25519_mul_g@HOGWEED_6 0 + nettle_curve448_mul@HOGWEED_6 0 + nettle_curve448_mul_g@HOGWEED_6 0 + nettle_dsa_compat_generate_keypair@HOGWEED_6 0 + nettle_dsa_generate_keypair@HOGWEED_6 0 + 
nettle_dsa_generate_params@HOGWEED_6 0 + nettle_dsa_keypair_from_sexp_alist@HOGWEED_6 0 + nettle_dsa_keypair_to_sexp@HOGWEED_6 0 + nettle_dsa_openssl_private_key_from_der_iterator@HOGWEED_6 0 + nettle_dsa_params_clear@HOGWEED_6 0 + nettle_dsa_params_from_der_iterator@HOGWEED_6 0 + nettle_dsa_params_init@HOGWEED_6 0 + nettle_dsa_private_key_clear@HOGWEED_6 0 + nettle_dsa_private_key_init@HOGWEED_6 0 + nettle_dsa_public_key_clear@HOGWEED_6 0 + nettle_dsa_public_key_from_der_iterator@HOGWEED_6 0 + nettle_dsa_public_key_init@HOGWEED_6 0 + nettle_dsa_sha1_keypair_from_sexp@HOGWEED_6 0 + nettle_dsa_sha1_sign@HOGWEED_6 0 + nettle_dsa_sha1_sign_digest@HOGWEED_6 0 + nettle_dsa_sha1_verify@HOGWEED_6 0 + nettle_dsa_sha1_verify_digest@HOGWEED_6 0 + nettle_dsa_sha256_keypair_from_sexp@HOGWEED_6 0 + nettle_dsa_sha256_sign@HOGWEED_6 0 + nettle_dsa_sha256_sign_digest@HOGWEED_6 0 + nettle_dsa_sha256_verify@HOGWEED_6 0 + nettle_dsa_sha256_verify_digest@HOGWEED_6 0 + nettle_dsa_sign@HOGWEED_6 0 + nettle_dsa_signature_clear@HOGWEED_6 0 + nettle_dsa_signature_from_sexp@HOGWEED_6 0 + nettle_dsa_signature_init@HOGWEED_6 0 + nettle_dsa_verify@HOGWEED_6 0 + nettle_ecc_bit_size@HOGWEED_6 0 + nettle_ecc_ecdsa_sign@HOGWEED_6 0 + nettle_ecc_ecdsa_sign_itch@HOGWEED_6 0 + nettle_ecc_ecdsa_verify@HOGWEED_6 0 + nettle_ecc_ecdsa_verify_itch@HOGWEED_6 0 + nettle_ecc_gostdsa_sign@HOGWEED_6 0 + nettle_ecc_gostdsa_sign_itch@HOGWEED_6 0 + nettle_ecc_gostdsa_verify@HOGWEED_6 0 + nettle_ecc_gostdsa_verify_itch@HOGWEED_6 0 + nettle_ecc_point_clear@HOGWEED_6 0 + nettle_ecc_point_get@HOGWEED_6 0 + nettle_ecc_point_init@HOGWEED_6 0 + nettle_ecc_point_mul@HOGWEED_6 0 + nettle_ecc_point_mul_g@HOGWEED_6 0 + nettle_ecc_point_set@HOGWEED_6 0 + nettle_ecc_scalar_clear@HOGWEED_6 0 + nettle_ecc_scalar_get@HOGWEED_6 0 + nettle_ecc_scalar_init@HOGWEED_6 0 + nettle_ecc_scalar_random@HOGWEED_6 0 + nettle_ecc_scalar_set@HOGWEED_6 0 + nettle_ecc_size@HOGWEED_6 0 + nettle_ecc_size_a@HOGWEED_6 0 + nettle_ecc_size_j@HOGWEED_6 
0 + nettle_ecdsa_generate_keypair@HOGWEED_6 0 + nettle_ecdsa_sign@HOGWEED_6 0 + nettle_ecdsa_verify@HOGWEED_6 0 + nettle_ed25519_sha512_public_key@HOGWEED_6 0 + nettle_ed25519_sha512_sign@HOGWEED_6 0 + nettle_ed25519_sha512_verify@HOGWEED_6 0 + nettle_ed448_shake256_public_key@HOGWEED_6 0 + nettle_ed448_shake256_sign@HOGWEED_6 0 + nettle_ed448_shake256_verify@HOGWEED_6 0 + nettle_get_gost_gc256b@HOGWEED_6 0 + nettle_get_gost_gc512a@HOGWEED_6 0 + nettle_get_secp_192r1@HOGWEED_6 0 + nettle_get_secp_224r1@HOGWEED_6 0 + nettle_get_secp_256r1@HOGWEED_6 0 + nettle_get_secp_384r1@HOGWEED_6 0 + nettle_get_secp_521r1@HOGWEED_6 0 + nettle_gostdsa_sign@HOGWEED_6 0 + nettle_gostdsa_verify@HOGWEED_6 0 + nettle_gostdsa_vko@HOGWEED_6 0 + nettle_mpz_get_str_256@HOGWEED_6 0 + nettle_mpz_init_set_str_256_s@HOGWEED_6 0 + nettle_mpz_init_set_str_256_u@HOGWEED_6 0 + nettle_mpz_random@HOGWEED_6 0 + nettle_mpz_random_size@HOGWEED_6 0 + nettle_mpz_set_sexp@HOGWEED_6 0 + nettle_mpz_set_str_256_s@HOGWEED_6 0 + nettle_mpz_set_str_256_u@HOGWEED_6 0 + nettle_mpz_sizeinbase_256_s@HOGWEED_6 0 + nettle_mpz_sizeinbase_256_u@HOGWEED_6 0 + nettle_openssl_provate_key_from_der@HOGWEED_6 0 + nettle_pgp_armor@HOGWEED_6 0 + nettle_pgp_crc24@HOGWEED_6 0 + nettle_pgp_put_header@HOGWEED_6 0 + nettle_pgp_put_header_length@HOGWEED_6 0 + nettle_pgp_put_length@HOGWEED_6 0 + nettle_pgp_put_mpi@HOGWEED_6 0 + nettle_pgp_put_public_rsa_key@HOGWEED_6 0 + nettle_pgp_put_rsa_sha1_signature@HOGWEED_6 0 + nettle_pgp_put_string@HOGWEED_6 0 + nettle_pgp_put_sub_packet@HOGWEED_6 0 + nettle_pgp_put_uint16@HOGWEED_6 0 + nettle_pgp_put_uint32@HOGWEED_6 0 + nettle_pgp_put_userid@HOGWEED_6 0 + nettle_pgp_sub_packet_end@HOGWEED_6 0 + nettle_pgp_sub_packet_start@HOGWEED_6 0 + nettle_pkcs1_decrypt@HOGWEED_6 0 + nettle_pkcs1_encrypt@HOGWEED_6 0 + nettle_pkcs1_rsa_digest_encode@HOGWEED_6 0 + nettle_pkcs1_rsa_md5_encode@HOGWEED_6 0 + nettle_pkcs1_rsa_md5_encode_digest@HOGWEED_6 0 + nettle_pkcs1_rsa_sha1_encode@HOGWEED_6 0 + 
nettle_pkcs1_rsa_sha1_encode_digest@HOGWEED_6 0 + nettle_pkcs1_rsa_sha256_encode@HOGWEED_6 0 + nettle_pkcs1_rsa_sha256_encode_digest@HOGWEED_6 0 + nettle_pkcs1_rsa_sha512_encode@HOGWEED_6 0 + nettle_pkcs1_rsa_sha512_encode_digest@HOGWEED_6 0 + nettle_pss_encode_mgf1@HOGWEED_6 0 + nettle_pss_mgf1@HOGWEED_6 0 + nettle_pss_verify_mgf1@HOGWEED_6 0 + nettle_random_prime@HOGWEED_6 0 + nettle_rsa_compute_root@HOGWEED_6 0 + nettle_rsa_compute_root_tr@HOGWEED_6 0 + nettle_rsa_decrypt@HOGWEED_6 0 + nettle_rsa_decrypt_tr@HOGWEED_6 0 + nettle_rsa_encrypt@HOGWEED_6 0 + nettle_rsa_generate_keypair@HOGWEED_6 0 + nettle_rsa_keypair_from_der@HOGWEED_6 0 + nettle_rsa_keypair_from_sexp@HOGWEED_6 0 + nettle_rsa_keypair_from_sexp_alist@HOGWEED_6 0 + nettle_rsa_keypair_to_openpgp@HOGWEED_6 0 + nettle_rsa_keypair_to_sexp@HOGWEED_6 0 + nettle_rsa_md5_sign@HOGWEED_6 0 + nettle_rsa_md5_sign_digest@HOGWEED_6 0 + nettle_rsa_md5_sign_digest_tr@HOGWEED_6 0 + nettle_rsa_md5_sign_tr@HOGWEED_6 0 + nettle_rsa_md5_verify@HOGWEED_6 0 + nettle_rsa_md5_verify_digest@HOGWEED_6 0 + nettle_rsa_pkcs1_sign@HOGWEED_6 0 + nettle_rsa_pkcs1_sign_tr@HOGWEED_6 0 + nettle_rsa_pkcs1_verify@HOGWEED_6 0 + nettle_rsa_private_key_clear@HOGWEED_6 0 + nettle_rsa_private_key_from_der_iterator@HOGWEED_6 0 + nettle_rsa_private_key_init@HOGWEED_6 0 + nettle_rsa_private_key_prepare@HOGWEED_6 0 + nettle_rsa_pss_sha256_sign_digest_tr@HOGWEED_6 0 + nettle_rsa_pss_sha256_verify_digest@HOGWEED_6 0 + nettle_rsa_pss_sha384_sign_digest_tr@HOGWEED_6 0 + nettle_rsa_pss_sha384_verify_digest@HOGWEED_6 0 + nettle_rsa_pss_sha512_sign_digest_tr@HOGWEED_6 0 + nettle_rsa_pss_sha512_verify_digest@HOGWEED_6 0 + nettle_rsa_public_key_clear@HOGWEED_6 0 + nettle_rsa_public_key_from_der_iterator@HOGWEED_6 0 + nettle_rsa_public_key_init@HOGWEED_6 0 + nettle_rsa_public_key_prepare@HOGWEED_6 0 + nettle_rsa_sec_decrypt@HOGWEED_6 0 + nettle_rsa_sha1_sign@HOGWEED_6 0 + nettle_rsa_sha1_sign_digest@HOGWEED_6 0 + nettle_rsa_sha1_sign_digest_tr@HOGWEED_6 0 + 
nettle_rsa_sha1_sign_tr@HOGWEED_6 0 + nettle_rsa_sha1_verify@HOGWEED_6 0 + nettle_rsa_sha1_verify_digest@HOGWEED_6 0 + nettle_rsa_sha256_sign@HOGWEED_6 0 + nettle_rsa_sha256_sign_digest@HOGWEED_6 0 + nettle_rsa_sha256_sign_digest_tr@HOGWEED_6 0 + nettle_rsa_sha256_sign_tr@HOGWEED_6 0 + nettle_rsa_sha256_verify@HOGWEED_6 0 + nettle_rsa_sha256_verify_digest@HOGWEED_6 0 + nettle_rsa_sha512_sign@HOGWEED_6 0 + nettle_rsa_sha512_sign_digest@HOGWEED_6 0 + nettle_rsa_sha512_sign_digest_tr@HOGWEED_6 0 + nettle_rsa_sha512_sign_tr@HOGWEED_6 0 + nettle_rsa_sha512_verify@HOGWEED_6 0 + nettle_rsa_sha512_verify_digest@HOGWEED_6 0 + nettle_sexp_format@HOGWEED_6 0 + nettle_sexp_iterator_assoc@HOGWEED_6 0 + nettle_sexp_iterator_check_type@HOGWEED_6 0 + nettle_sexp_iterator_check_types@HOGWEED_6 0 + nettle_sexp_iterator_enter_list@HOGWEED_6 0 + nettle_sexp_iterator_exit_list@HOGWEED_6 0 + nettle_sexp_iterator_first@HOGWEED_6 0 + nettle_sexp_iterator_get_uint32@HOGWEED_6 0 + nettle_sexp_iterator_next@HOGWEED_6 0 + nettle_sexp_iterator_subexpr@HOGWEED_6 0 + nettle_sexp_transport_format@HOGWEED_6 0 + nettle_sexp_transport_iterator_first@HOGWEED_6 0 + nettle_sexp_transport_vformat@HOGWEED_6 0 + nettle_sexp_vformat@HOGWEED_6 0 diff -Nru nettle-3.4.1/debian/libnettle6.docs nettle-3.7.3/debian/libnettle6.docs --- nettle-3.4.1/debian/libnettle6.docs 2017-12-12 18:12:22.000000000 +0000 +++ nettle-3.7.3/debian/libnettle6.docs 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -NEWS -README diff -Nru nettle-3.4.1/debian/libnettle6.install nettle-3.7.3/debian/libnettle6.install --- nettle-3.4.1/debian/libnettle6.install 2015-04-27 19:59:59.000000000 +0000 +++ nettle-3.7.3/debian/libnettle6.install 1970-01-01 00:00:00.000000000 +0000 
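Review bot: The minimum versions on the internal version node are inconsistent with the sibling symbols file added in this same diff: here `HOGWEED_INTERNAL_6_4@HOGWEED_INTERNAL_6_4 3.7.3` and every `_nettle_*@HOGWEED_INTERNAL_6_4 3.7.3` entry use a bare `3.7.3`, while libnettle8.symbols tags its equivalent node `NETTLE_INTERNAL_8_4@NETTLE_INTERNAL_8_4 3.7.3~`. The tilde form is the usual dpkg-gensymbols convention, so that the dependency derived from these entries (`libhogweed6 (>= 3.7.3~)`) is also satisfied by a pre-release or re-versioned upload of the same upstream release; I would change all of the INTERNAL lines to `3.7.3~` to match the other file. Separately, the node name carries the upstream minor release in its suffix, which presumably means these `_nettle_*` symbols are not a stable ABI and will be reported as missing on the next upstream bump; a comment line above them such as `# HOGWEED_INTERNAL_* symbols change with every upstream minor release; nothing outside nettle should link against them` would tell the next maintainer not to read that dpkg-gensymbols diff as a public ABI break.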
@@ -1 +0,0 @@
-usr/lib/*/libnettle*.so.*
diff -Nru nettle-3.4.1/debian/libnettle6.symbols nettle-3.7.3/debian/libnettle6.symbols
--- nettle-3.4.1/debian/libnettle6.symbols 2018-12-04 20:45:26.000000000 +0000
+++ nettle-3.7.3/debian/libnettle6.symbols 1970-01-01 00:00:00.000000000 +0000
@@ -1,419 +0,0 @@ -libnettle.so.6 libnettle6 #MINVER# - NETTLE_6@NETTLE_6 0 - _nettle_aes_decrypt@NETTLE_6 0 - _nettle_aes_encrypt@NETTLE_6 0 - _nettle_aes_encrypt_table@NETTLE_6 0 - _nettle_aes_invert@NETTLE_6 0 - _nettle_aes_set_key@NETTLE_6 0 - _nettle_camellia_absorb@NETTLE_6 0 - _nettle_camellia_crypt@NETTLE_6 0 - _nettle_camellia_invert_key@NETTLE_6 0 - _nettle_camellia_table@NETTLE_6 0 - _nettle_chacha_core@NETTLE_6 0 - (arch=any-amd64)_nettle_gcm_hash8@NETTLE_6 0 - _nettle_md5_compress@NETTLE_6 0 - _nettle_poly1305_block@NETTLE_6 0 - _nettle_ripemd160_compress@NETTLE_6 0 - _nettle_salsa20_core@NETTLE_6 0 - _nettle_sha1_compress@NETTLE_6 0 - _nettle_sha256_compress@NETTLE_6 0 - _nettle_sha3_pad@NETTLE_6 0 - _nettle_sha3_update@NETTLE_6 0 - _nettle_sha512_compress@NETTLE_6 0 - _nettle_umac_l2@NETTLE_6 0 - _nettle_umac_l2_final@NETTLE_6 0 - _nettle_umac_l2_init@NETTLE_6 0 - _nettle_umac_l3@NETTLE_6 0 - _nettle_umac_l3_init@NETTLE_6 0 - _nettle_umac_nh@NETTLE_6 0 - _nettle_umac_nh_n@NETTLE_6 0 - _nettle_umac_poly128@NETTLE_6 0 - _nettle_umac_poly64@NETTLE_6 0 - _nettle_umac_set_key@NETTLE_6 0 - _nettle_write_be32@NETTLE_6 0 - _nettle_write_le32@NETTLE_6 0 - _nettle_write_le64@NETTLE_6 0 - nettle_MD5Final@NETTLE_6 0 - nettle_MD5Init@NETTLE_6 0 - nettle_MD5Update@NETTLE_6 0 - nettle_aeads@NETTLE_6 0 - nettle_aes128@NETTLE_6 0 - nettle_aes128_decrypt@NETTLE_6 0 - nettle_aes128_encrypt@NETTLE_6 0 - nettle_aes128_invert_key@NETTLE_6 0 - nettle_aes128_set_decrypt_key@NETTLE_6 0 - nettle_aes128_set_encrypt_key@NETTLE_6 0 - nettle_aes192@NETTLE_6 0 - nettle_aes192_decrypt@NETTLE_6 0 - nettle_aes192_encrypt@NETTLE_6 0 - nettle_aes192_invert_key@NETTLE_6 0 - nettle_aes192_set_decrypt_key@NETTLE_6 0 - nettle_aes192_set_encrypt_key@NETTLE_6 0 - nettle_aes256@NETTLE_6 0 - nettle_aes256_decrypt@NETTLE_6 0 - nettle_aes256_encrypt@NETTLE_6 0 - nettle_aes256_invert_key@NETTLE_6 0 - nettle_aes256_set_decrypt_key@NETTLE_6 0 - nettle_aes256_set_encrypt_key@NETTLE_6 0 - 
nettle_aes_decrypt@NETTLE_6 0 - nettle_aes_encrypt@NETTLE_6 0 - nettle_aes_invert_key@NETTLE_6 0 - nettle_aes_set_decrypt_key@NETTLE_6 0 - nettle_aes_set_encrypt_key@NETTLE_6 0 - nettle_arcfour128_set_key@NETTLE_6 0 - nettle_arcfour_crypt@NETTLE_6 0 - nettle_arcfour_set_key@NETTLE_6 0 - nettle_arctwo128@NETTLE_6 0 - nettle_arctwo128_set_key@NETTLE_6 0 - nettle_arctwo128_set_key_gutmann@NETTLE_6 0 - nettle_arctwo40@NETTLE_6 0 - nettle_arctwo40_set_key@NETTLE_6 0 - nettle_arctwo64@NETTLE_6 0 - nettle_arctwo64_set_key@NETTLE_6 0 - nettle_arctwo_decrypt@NETTLE_6 0 - nettle_arctwo_encrypt@NETTLE_6 0 - nettle_arctwo_gutmann128@NETTLE_6 0 - nettle_arctwo_set_key@NETTLE_6 0 - nettle_arctwo_set_key_ekb@NETTLE_6 0 - nettle_arctwo_set_key_gutmann@NETTLE_6 0 - nettle_armors@NETTLE_6 0 - nettle_base16@NETTLE_6 0 - nettle_base16_decode_final@NETTLE_6 0 - nettle_base16_decode_init@NETTLE_6 0 - nettle_base16_decode_single@NETTLE_6 0 - nettle_base16_decode_update@NETTLE_6 0 - nettle_base16_encode_single@NETTLE_6 0 - nettle_base16_encode_update@NETTLE_6 0 - nettle_base64@NETTLE_6 0 - nettle_base64_decode_final@NETTLE_6 0 - nettle_base64_decode_init@NETTLE_6 0 - nettle_base64_decode_single@NETTLE_6 0 - nettle_base64_decode_update@NETTLE_6 0 - nettle_base64_encode_final@NETTLE_6 0 - nettle_base64_encode_group@NETTLE_6 0 - nettle_base64_encode_init@NETTLE_6 0 - nettle_base64_encode_raw@NETTLE_6 0 - nettle_base64_encode_single@NETTLE_6 0 - nettle_base64_encode_update@NETTLE_6 0 - nettle_base64url@NETTLE_6 0 - nettle_base64url_decode_init@NETTLE_6 0 - nettle_base64url_encode_init@NETTLE_6 0 - nettle_blowfish128_set_key@NETTLE_6 0 - nettle_blowfish_decrypt@NETTLE_6 0 - nettle_blowfish_encrypt@NETTLE_6 0 - nettle_blowfish_set_key@NETTLE_6 0 - nettle_buffer_clear@NETTLE_6 0 - nettle_buffer_copy@NETTLE_6 0 - nettle_buffer_grow@NETTLE_6 0 - nettle_buffer_init@NETTLE_6 0 - nettle_buffer_init_realloc@NETTLE_6 0 - nettle_buffer_init_size@NETTLE_6 0 - nettle_buffer_reset@NETTLE_6 0 - 
nettle_buffer_space@NETTLE_6 0 - nettle_buffer_write@NETTLE_6 0 - nettle_camellia128@NETTLE_6 0 - nettle_camellia128_crypt@NETTLE_6 0 - nettle_camellia128_invert_key@NETTLE_6 0 - nettle_camellia128_set_encrypt_key@NETTLE_6 0 - nettle_camellia192@NETTLE_6 0 - nettle_camellia192_set_decrypt_key@NETTLE_6 0 - nettle_camellia192_set_encrypt_key@NETTLE_6 0 - nettle_camellia256@NETTLE_6 0 - nettle_camellia256_crypt@NETTLE_6 0 - nettle_camellia256_invert_key@NETTLE_6 0 - nettle_camellia256_set_decrypt_key@NETTLE_6 0 - nettle_camellia256_set_encrypt_key@NETTLE_6 0 - nettle_camellia_set_decrypt_key@NETTLE_6 0 - nettle_cast128@NETTLE_6 0 - nettle_cast128_decrypt@NETTLE_6 0 - nettle_cast128_encrypt@NETTLE_6 0 - nettle_cast128_set_key@NETTLE_6 0 - nettle_cast5_set_key@NETTLE_6 0 - nettle_cbc_decrypt@NETTLE_6 0 - nettle_cbc_encrypt@NETTLE_6 0 - nettle_ccm_aes128_decrypt@NETTLE_6 0 - nettle_ccm_aes128_decrypt_message@NETTLE_6 0 - nettle_ccm_aes128_digest@NETTLE_6 0 - nettle_ccm_aes128_encrypt@NETTLE_6 0 - nettle_ccm_aes128_encrypt_message@NETTLE_6 0 - nettle_ccm_aes128_set_key@NETTLE_6 0 - nettle_ccm_aes128_set_nonce@NETTLE_6 0 - nettle_ccm_aes128_update@NETTLE_6 0 - nettle_ccm_aes192_decrypt@NETTLE_6 0 - nettle_ccm_aes192_decrypt_message@NETTLE_6 0 - nettle_ccm_aes192_digest@NETTLE_6 0 - nettle_ccm_aes192_encrypt@NETTLE_6 0 - nettle_ccm_aes192_encrypt_message@NETTLE_6 0 - nettle_ccm_aes192_set_key@NETTLE_6 0 - nettle_ccm_aes192_set_nonce@NETTLE_6 0 - nettle_ccm_aes192_update@NETTLE_6 0 - nettle_ccm_aes256_decrypt@NETTLE_6 0 - nettle_ccm_aes256_decrypt_message@NETTLE_6 0 - nettle_ccm_aes256_digest@NETTLE_6 0 - nettle_ccm_aes256_encrypt@NETTLE_6 0 - nettle_ccm_aes256_encrypt_message@NETTLE_6 0 - nettle_ccm_aes256_set_key@NETTLE_6 0 - nettle_ccm_aes256_set_nonce@NETTLE_6 0 - nettle_ccm_aes256_update@NETTLE_6 0 - nettle_ccm_decrypt@NETTLE_6 0 - nettle_ccm_decrypt_message@NETTLE_6 0 - nettle_ccm_digest@NETTLE_6 0 - nettle_ccm_encrypt@NETTLE_6 0 - nettle_ccm_encrypt_message@NETTLE_6 0 
- nettle_ccm_set_nonce@NETTLE_6 0 - nettle_ccm_update@NETTLE_6 0 - nettle_cfb_decrypt@NETTLE_6 3.4~ - nettle_cfb_encrypt@NETTLE_6 3.4~ - nettle_chacha_crypt@NETTLE_6 0 - nettle_chacha_poly1305@NETTLE_6 0 - nettle_chacha_poly1305_decrypt@NETTLE_6 0 - nettle_chacha_poly1305_digest@NETTLE_6 0 - nettle_chacha_poly1305_encrypt@NETTLE_6 0 - nettle_chacha_poly1305_set_key@NETTLE_6 0 - nettle_chacha_poly1305_set_nonce@NETTLE_6 0 - nettle_chacha_poly1305_update@NETTLE_6 0 - nettle_chacha_set_key@NETTLE_6 0 - nettle_chacha_set_nonce96@NETTLE_6 0 - nettle_chacha_set_nonce@NETTLE_6 0 - nettle_ciphers@NETTLE_6 0 - nettle_cnd_memcpy@NETTLE_6 3.4.1~rc1~ - nettle_ctr_crypt@NETTLE_6 0 - nettle_des3_decrypt@NETTLE_6 0 - nettle_des3_encrypt@NETTLE_6 0 - nettle_des3_set_key@NETTLE_6 0 - nettle_des_check_parity@NETTLE_6 0 - nettle_des_decrypt@NETTLE_6 0 - nettle_des_encrypt@NETTLE_6 0 - nettle_des_fix_parity@NETTLE_6 0 - nettle_des_set_key@NETTLE_6 0 - nettle_eax_aes128@NETTLE_6 0 - nettle_eax_aes128_decrypt@NETTLE_6 0 - nettle_eax_aes128_digest@NETTLE_6 0 - nettle_eax_aes128_encrypt@NETTLE_6 0 - nettle_eax_aes128_set_key@NETTLE_6 0 - nettle_eax_aes128_set_nonce@NETTLE_6 0 - nettle_eax_aes128_update@NETTLE_6 0 - nettle_eax_decrypt@NETTLE_6 0 - nettle_eax_digest@NETTLE_6 0 - nettle_eax_encrypt@NETTLE_6 0 - nettle_eax_set_key@NETTLE_6 0 - nettle_eax_set_nonce@NETTLE_6 0 - nettle_eax_update@NETTLE_6 0 - nettle_gcm_aes128@NETTLE_6 0 - nettle_gcm_aes128_decrypt@NETTLE_6 0 - nettle_gcm_aes128_digest@NETTLE_6 0 - nettle_gcm_aes128_encrypt@NETTLE_6 0 - nettle_gcm_aes128_set_iv@NETTLE_6 0 - nettle_gcm_aes128_set_key@NETTLE_6 0 - nettle_gcm_aes128_update@NETTLE_6 0 - nettle_gcm_aes192@NETTLE_6 0 - nettle_gcm_aes192_decrypt@NETTLE_6 0 - nettle_gcm_aes192_digest@NETTLE_6 0 - nettle_gcm_aes192_encrypt@NETTLE_6 0 - nettle_gcm_aes192_set_iv@NETTLE_6 0 - nettle_gcm_aes192_set_key@NETTLE_6 0 - nettle_gcm_aes192_update@NETTLE_6 0 - nettle_gcm_aes256@NETTLE_6 0 - nettle_gcm_aes256_decrypt@NETTLE_6 0 - 
nettle_gcm_aes256_digest@NETTLE_6 0 - nettle_gcm_aes256_encrypt@NETTLE_6 0 - nettle_gcm_aes256_set_iv@NETTLE_6 0 - nettle_gcm_aes256_set_key@NETTLE_6 0 - nettle_gcm_aes256_update@NETTLE_6 0 - nettle_gcm_aes_decrypt@NETTLE_6 0 - nettle_gcm_aes_digest@NETTLE_6 0 - nettle_gcm_aes_encrypt@NETTLE_6 0 - nettle_gcm_aes_set_iv@NETTLE_6 0 - nettle_gcm_aes_set_key@NETTLE_6 0 - nettle_gcm_aes_update@NETTLE_6 0 - nettle_gcm_camellia128@NETTLE_6 0 - nettle_gcm_camellia128_decrypt@NETTLE_6 0 - nettle_gcm_camellia128_digest@NETTLE_6 0 - nettle_gcm_camellia128_encrypt@NETTLE_6 0 - nettle_gcm_camellia128_set_iv@NETTLE_6 0 - nettle_gcm_camellia128_set_key@NETTLE_6 0 - nettle_gcm_camellia128_update@NETTLE_6 0 - nettle_gcm_camellia256@NETTLE_6 0 - nettle_gcm_camellia256_decrypt@NETTLE_6 0 - nettle_gcm_camellia256_digest@NETTLE_6 0 - nettle_gcm_camellia256_encrypt@NETTLE_6 0 - nettle_gcm_camellia256_set_iv@NETTLE_6 0 - nettle_gcm_camellia256_set_key@NETTLE_6 0 - nettle_gcm_camellia256_update@NETTLE_6 0 - nettle_gcm_decrypt@NETTLE_6 0 - nettle_gcm_digest@NETTLE_6 0 - nettle_gcm_encrypt@NETTLE_6 0 - nettle_gcm_set_iv@NETTLE_6 0 - nettle_gcm_set_key@NETTLE_6 0 - nettle_gcm_update@NETTLE_6 0 - nettle_get_aeads@NETTLE_6 3.4~ - nettle_get_armors@NETTLE_6 3.4~ - nettle_get_ciphers@NETTLE_6 3.4~ - nettle_get_hashes@NETTLE_6 3.4~ - nettle_gosthash94@NETTLE_6 0 - nettle_gosthash94_digest@NETTLE_6 0 - nettle_gosthash94_init@NETTLE_6 0 - nettle_gosthash94_update@NETTLE_6 0 - nettle_hashes@NETTLE_6 0 - nettle_hkdf_expand@NETTLE_6 3.4~ - nettle_hkdf_extract@NETTLE_6 3.4~ - nettle_hmac_digest@NETTLE_6 0 - nettle_hmac_md5_digest@NETTLE_6 0 - nettle_hmac_md5_set_key@NETTLE_6 0 - nettle_hmac_md5_update@NETTLE_6 0 - nettle_hmac_ripemd160_digest@NETTLE_6 0 - nettle_hmac_ripemd160_set_key@NETTLE_6 0 - nettle_hmac_ripemd160_update@NETTLE_6 0 - nettle_hmac_set_key@NETTLE_6 0 - nettle_hmac_sha1_digest@NETTLE_6 0 - nettle_hmac_sha1_set_key@NETTLE_6 0 - nettle_hmac_sha1_update@NETTLE_6 0 - 
nettle_hmac_sha224_digest@NETTLE_6 0 - nettle_hmac_sha224_set_key@NETTLE_6 0 - nettle_hmac_sha256_digest@NETTLE_6 0 - nettle_hmac_sha256_set_key@NETTLE_6 0 - nettle_hmac_sha256_update@NETTLE_6 0 - nettle_hmac_sha384_digest@NETTLE_6 0 - nettle_hmac_sha384_set_key@NETTLE_6 0 - nettle_hmac_sha512_digest@NETTLE_6 0 - nettle_hmac_sha512_set_key@NETTLE_6 0 - nettle_hmac_sha512_update@NETTLE_6 0 - nettle_hmac_update@NETTLE_6 0 - nettle_knuth_lfib_get@NETTLE_6 0 - nettle_knuth_lfib_get_array@NETTLE_6 0 - nettle_knuth_lfib_init@NETTLE_6 0 - nettle_knuth_lfib_random@NETTLE_6 0 - nettle_lookup_hash@NETTLE_6 3.4~ - nettle_md2@NETTLE_6 0 - nettle_md2_digest@NETTLE_6 0 - nettle_md2_init@NETTLE_6 0 - nettle_md2_update@NETTLE_6 0 - nettle_md4@NETTLE_6 0 - nettle_md4_digest@NETTLE_6 0 - nettle_md4_init@NETTLE_6 0 - nettle_md4_update@NETTLE_6 0 - nettle_md5@NETTLE_6 0 - nettle_md5_digest@NETTLE_6 0 - nettle_md5_init@NETTLE_6 0 - nettle_md5_update@NETTLE_6 0 - nettle_memeql_sec@NETTLE_6 3.3~ - nettle_memxor3@NETTLE_6 0 - nettle_memxor@NETTLE_6 0 - nettle_openssl_des_cbc_cksum@NETTLE_6 0 - nettle_openssl_des_cbc_encrypt@NETTLE_6 0 - nettle_openssl_des_check_key@NETTLE_6 0 - nettle_openssl_des_ecb3_encrypt@NETTLE_6 0 - nettle_openssl_des_ecb_encrypt@NETTLE_6 0 - nettle_openssl_des_ede3_cbc_encrypt@NETTLE_6 0 - nettle_openssl_des_is_weak_key@NETTLE_6 0 - nettle_openssl_des_key_sched@NETTLE_6 0 - nettle_openssl_des_ncbc_encrypt@NETTLE_6 0 - nettle_openssl_des_set_odd_parity@NETTLE_6 0 - nettle_pbkdf2@NETTLE_6 0 - nettle_pbkdf2_hmac_sha1@NETTLE_6 0 - nettle_pbkdf2_hmac_sha256@NETTLE_6 0 - nettle_poly1305_aes_digest@NETTLE_6 0 - nettle_poly1305_aes_set_key@NETTLE_6 0 - nettle_poly1305_aes_set_nonce@NETTLE_6 0 - nettle_poly1305_aes_update@NETTLE_6 0 - nettle_poly1305_digest@NETTLE_6 0 - nettle_poly1305_set_key@NETTLE_6 0 - nettle_realloc@NETTLE_6 0 - nettle_ripemd160@NETTLE_6 0 - nettle_ripemd160_digest@NETTLE_6 0 - nettle_ripemd160_init@NETTLE_6 0 - nettle_ripemd160_update@NETTLE_6 0 - 
nettle_salsa20_128_set_key@NETTLE_6 0 - nettle_salsa20_256_set_key@NETTLE_6 0 - nettle_salsa20_crypt@NETTLE_6 0 - nettle_salsa20_set_key@NETTLE_6 0 - nettle_salsa20_set_nonce@NETTLE_6 0 - nettle_salsa20r12_crypt@NETTLE_6 0 - nettle_serpent128@NETTLE_6 0 - nettle_serpent128_set_key@NETTLE_6 0 - nettle_serpent192@NETTLE_6 0 - nettle_serpent192_set_key@NETTLE_6 0 - nettle_serpent256@NETTLE_6 0 - nettle_serpent256_set_key@NETTLE_6 0 - nettle_serpent_decrypt@NETTLE_6 0 - nettle_serpent_encrypt@NETTLE_6 0 - nettle_serpent_set_key@NETTLE_6 0 - nettle_sha1@NETTLE_6 0 - nettle_sha1_digest@NETTLE_6 0 - nettle_sha1_init@NETTLE_6 0 - nettle_sha1_update@NETTLE_6 0 - nettle_sha224@NETTLE_6 0 - nettle_sha224_digest@NETTLE_6 0 - nettle_sha224_init@NETTLE_6 0 - nettle_sha256@NETTLE_6 0 - nettle_sha256_digest@NETTLE_6 0 - nettle_sha256_init@NETTLE_6 0 - nettle_sha256_update@NETTLE_6 0 - nettle_sha384@NETTLE_6 0 - nettle_sha384_digest@NETTLE_6 0 - nettle_sha384_init@NETTLE_6 0 - nettle_sha3_224@NETTLE_6 0 - nettle_sha3_224_digest@NETTLE_6 0 - nettle_sha3_224_init@NETTLE_6 0 - nettle_sha3_224_update@NETTLE_6 0 - nettle_sha3_256@NETTLE_6 0 - nettle_sha3_256_digest@NETTLE_6 0 - nettle_sha3_256_init@NETTLE_6 0 - nettle_sha3_256_update@NETTLE_6 0 - nettle_sha3_384@NETTLE_6 0 - nettle_sha3_384_digest@NETTLE_6 0 - nettle_sha3_384_init@NETTLE_6 0 - nettle_sha3_384_update@NETTLE_6 0 - nettle_sha3_512@NETTLE_6 0 - nettle_sha3_512_digest@NETTLE_6 0 - nettle_sha3_512_init@NETTLE_6 0 - nettle_sha3_512_update@NETTLE_6 0 - nettle_sha3_permute@NETTLE_6 0 - nettle_sha512@NETTLE_6 0 - nettle_sha512_224@NETTLE_6 0 - nettle_sha512_224_digest@NETTLE_6 0 - nettle_sha512_224_init@NETTLE_6 0 - nettle_sha512_256@NETTLE_6 0 - nettle_sha512_256_digest@NETTLE_6 0 - nettle_sha512_256_init@NETTLE_6 0 - nettle_sha512_digest@NETTLE_6 0 - nettle_sha512_init@NETTLE_6 0 - nettle_sha512_update@NETTLE_6 0 - nettle_twofish128@NETTLE_6 0 - nettle_twofish128_set_key@NETTLE_6 0 - nettle_twofish192@NETTLE_6 0 - 
nettle_twofish192_set_key@NETTLE_6 0 - nettle_twofish256@NETTLE_6 0 - nettle_twofish256_set_key@NETTLE_6 0 - nettle_twofish_decrypt@NETTLE_6 0 - nettle_twofish_encrypt@NETTLE_6 0 - nettle_twofish_set_key@NETTLE_6 0 - nettle_umac128_digest@NETTLE_6 0 - nettle_umac128_set_key@NETTLE_6 0 - nettle_umac128_set_nonce@NETTLE_6 0 - nettle_umac128_update@NETTLE_6 0 - nettle_umac32_digest@NETTLE_6 0 - nettle_umac32_set_key@NETTLE_6 0 - nettle_umac32_set_nonce@NETTLE_6 0 - nettle_umac32_update@NETTLE_6 0 - nettle_umac64_digest@NETTLE_6 0 - nettle_umac64_set_key@NETTLE_6 0 - nettle_umac64_set_nonce@NETTLE_6 0 - nettle_umac64_update@NETTLE_6 0 - nettle_umac96_digest@NETTLE_6 0 - nettle_umac96_set_key@NETTLE_6 0 - nettle_umac96_set_nonce@NETTLE_6 0 - nettle_umac96_update@NETTLE_6 0 - nettle_version_major@NETTLE_6 3.2~ - nettle_version_minor@NETTLE_6 3.2~ - nettle_xrealloc@NETTLE_6 0 - nettle_yarrow256_fast_reseed@NETTLE_6 0 - nettle_yarrow256_init@NETTLE_6 0 - nettle_yarrow256_is_seeded@NETTLE_6 0 - nettle_yarrow256_needed_sources@NETTLE_6 0 - nettle_yarrow256_random@NETTLE_6 0 - nettle_yarrow256_seed@NETTLE_6 0 - nettle_yarrow256_slow_reseed@NETTLE_6 0 - nettle_yarrow256_update@NETTLE_6 0 - nettle_yarrow_key_event_estimate@NETTLE_6 0 - nettle_yarrow_key_event_init@NETTLE_6 0 diff -Nru nettle-3.4.1/debian/libnettle8.docs nettle-3.7.3/debian/libnettle8.docs --- nettle-3.4.1/debian/libnettle8.docs 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/debian/libnettle8.docs 2021-06-10 06:51:41.000000000 +0000 @@ -0,0 +1,2 @@ +NEWS +README diff -Nru nettle-3.4.1/debian/libnettle8.install nettle-3.7.3/debian/libnettle8.install --- nettle-3.4.1/debian/libnettle8.install 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/debian/libnettle8.install 2021-06-10 06:51:41.000000000 +0000 
@@ -0,0 +1 @@
+usr/lib/*/libnettle*.so.*
diff -Nru nettle-3.4.1/debian/libnettle8.symbols nettle-3.7.3/debian/libnettle8.symbols
--- nettle-3.4.1/debian/libnettle8.symbols 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/debian/libnettle8.symbols 2021-06-10 06:51:41.000000000 +0000
@@ -0,0 +1,554 @@ +libnettle.so.8 libnettle8 #MINVER# +* Build-Depends-Package: nettle-dev + NETTLE_8@NETTLE_8 0 + NETTLE_INTERNAL_8_4@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_aeads@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_aes_decrypt@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_aes_decrypt_aesni@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_aes_decrypt_arm@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_aes_decrypt_armv6@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_aes_decrypt_c@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_aes_decrypt_ppc64@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_aes_decrypt_x86_64@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_aes_encrypt@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_aes_encrypt_aesni@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_aes_encrypt_arm@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_aes_encrypt_armv6@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_aes_encrypt_c@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_aes_encrypt_ppc64@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_aes_encrypt_table@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_aes_encrypt_x86_64@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_aes_invert@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_aes_set_key@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_armors@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_blowfish_encround@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_blowfish_initial_ctx@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_camellia_absorb@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_camellia_crypt@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_camellia_invert_key@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_camellia_table@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_chacha_2core32@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_chacha_2core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_chacha_3core32@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_chacha_3core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 
ppc64el)_nettle_chacha_4core32@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_chacha_4core@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_chacha_core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_chacha_core_altivec@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_chacha_core_c@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf ppc64 ppc64el)_nettle_chacha_crypt32_1core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_chacha_crypt32_3core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_chacha_crypt32_4core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf ppc64 ppc64el)_nettle_chacha_crypt_1core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_chacha_crypt_3core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_chacha_crypt_4core@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_ciphers@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_cpuid@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_ctr_crypt16@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_gcm_hash8@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_gcm_hash@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_gcm_hash_c@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_gcm_hash_ppc64@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_gcm_init_key@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_gcm_init_key_c@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=ppc64 ppc64el)_nettle_gcm_init_key_ppc64@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_gost28147_encrypt_block@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_gost28147_param_CryptoPro_3411@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_gost28147_param_test_3411@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_hashes@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_macs@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_memxor_sse2@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_memxor_x86_64@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_poly1305_block@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_poly1305_digest@NETTLE_INTERNAL_8_4 3.7.3~ + 
_nettle_poly1305_set_key@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_ripemd160_compress@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64 armel armhf)_nettle_salsa20_2core@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_salsa20_core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_sha1_compress_sha_ni@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_sha1_compress_x86_64@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_salsa20_crypt@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_salsa20_crypt_1core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_salsa20_crypt_2core@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha1_compress_armv6@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha1_compress_c@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_sha256_compress@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_sha256_compress_sha_ni@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=any-amd64)_nettle_sha256_compress_x86_64@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha256_compress_armv6@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha256_compress_c@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_sha3_pad@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha3_permute_c@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha3_permute_neon@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_sha3_update@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_sha512_compress@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha512_compress_c@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_sha512_compress_neon@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_l2@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_l2_final@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_l2_init@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_l3@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_l3_init@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_nh@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_umac_nh_c@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_nh_n@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_umac_nh_n_c@NETTLE_INTERNAL_8_4 3.7.3~ + 
(arch=armel armhf)_nettle_umac_nh_n_neon@NETTLE_INTERNAL_8_4 3.7.3~ + (arch=armel armhf)_nettle_umac_nh_neon@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_poly128@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_poly64@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_umac_set_key@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_write_be32@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_write_le32@NETTLE_INTERNAL_8_4 3.7.3~ + _nettle_write_le64@NETTLE_INTERNAL_8_4 3.7.3~ + nettle_MD5Final@NETTLE_8 0 + nettle_MD5Init@NETTLE_8 0 + nettle_MD5Update@NETTLE_8 0 + nettle_aes128@NETTLE_8 0 + nettle_aes128_decrypt@NETTLE_8 0 + nettle_aes128_encrypt@NETTLE_8 0 + nettle_aes128_invert_key@NETTLE_8 0 + nettle_aes128_set_decrypt_key@NETTLE_8 0 + nettle_aes128_set_encrypt_key@NETTLE_8 0 + nettle_aes192@NETTLE_8 0 + nettle_aes192_decrypt@NETTLE_8 0 + nettle_aes192_encrypt@NETTLE_8 0 + nettle_aes192_invert_key@NETTLE_8 0 + nettle_aes192_set_decrypt_key@NETTLE_8 0 + nettle_aes192_set_encrypt_key@NETTLE_8 0 + nettle_aes256@NETTLE_8 0 + nettle_aes256_decrypt@NETTLE_8 0 + nettle_aes256_encrypt@NETTLE_8 0 + nettle_aes256_invert_key@NETTLE_8 0 + nettle_aes256_set_decrypt_key@NETTLE_8 0 + nettle_aes256_set_encrypt_key@NETTLE_8 0 + nettle_aes_decrypt@NETTLE_8 0 + nettle_aes_encrypt@NETTLE_8 0 + nettle_aes_invert_key@NETTLE_8 0 + nettle_aes_set_decrypt_key@NETTLE_8 0 + nettle_aes_set_encrypt_key@NETTLE_8 0 + nettle_arcfour128_set_key@NETTLE_8 0 + nettle_arcfour_crypt@NETTLE_8 0 + nettle_arcfour_set_key@NETTLE_8 0 + nettle_arctwo128@NETTLE_8 0 + nettle_arctwo128_set_key@NETTLE_8 0 + nettle_arctwo128_set_key_gutmann@NETTLE_8 0 + nettle_arctwo40@NETTLE_8 0 + nettle_arctwo40_set_key@NETTLE_8 0 + nettle_arctwo64@NETTLE_8 0 + nettle_arctwo64_set_key@NETTLE_8 0 + nettle_arctwo_decrypt@NETTLE_8 0 + nettle_arctwo_encrypt@NETTLE_8 0 + nettle_arctwo_gutmann128@NETTLE_8 0 + nettle_arctwo_set_key@NETTLE_8 0 + nettle_arctwo_set_key_ekb@NETTLE_8 0 + nettle_arctwo_set_key_gutmann@NETTLE_8 0 + nettle_base16@NETTLE_8 0 + 
nettle_base16_decode_final@NETTLE_8 0 + nettle_base16_decode_init@NETTLE_8 0 + nettle_base16_decode_single@NETTLE_8 0 + nettle_base16_decode_update@NETTLE_8 0 + nettle_base16_encode_single@NETTLE_8 0 + nettle_base16_encode_update@NETTLE_8 0 + nettle_base64@NETTLE_8 0 + nettle_base64_decode_final@NETTLE_8 0 + nettle_base64_decode_init@NETTLE_8 0 + nettle_base64_decode_single@NETTLE_8 0 + nettle_base64_decode_update@NETTLE_8 0 + nettle_base64_encode_final@NETTLE_8 0 + nettle_base64_encode_group@NETTLE_8 0 + nettle_base64_encode_init@NETTLE_8 0 + nettle_base64_encode_raw@NETTLE_8 0 + nettle_base64_encode_single@NETTLE_8 0 + nettle_base64_encode_update@NETTLE_8 0 + nettle_base64url@NETTLE_8 0 + nettle_base64url_decode_init@NETTLE_8 0 + nettle_base64url_encode_init@NETTLE_8 0 + nettle_blowfish128_set_key@NETTLE_8 0 + nettle_blowfish_bcrypt_hash@NETTLE_8 3.7~ + nettle_blowfish_bcrypt_verify@NETTLE_8 3.7~ + nettle_blowfish_decrypt@NETTLE_8 0 + nettle_blowfish_encrypt@NETTLE_8 0 + nettle_blowfish_set_key@NETTLE_8 0 + nettle_buffer_clear@NETTLE_8 0 + nettle_buffer_copy@NETTLE_8 0 + nettle_buffer_grow@NETTLE_8 0 + nettle_buffer_init@NETTLE_8 0 + nettle_buffer_init_realloc@NETTLE_8 0 + nettle_buffer_init_size@NETTLE_8 0 + nettle_buffer_reset@NETTLE_8 0 + nettle_buffer_space@NETTLE_8 0 + nettle_buffer_write@NETTLE_8 0 + nettle_camellia128@NETTLE_8 0 + nettle_camellia128_crypt@NETTLE_8 0 + nettle_camellia128_invert_key@NETTLE_8 0 + nettle_camellia128_set_encrypt_key@NETTLE_8 0 + nettle_camellia192@NETTLE_8 0 + nettle_camellia192_set_decrypt_key@NETTLE_8 0 + nettle_camellia192_set_encrypt_key@NETTLE_8 0 + nettle_camellia256@NETTLE_8 0 + nettle_camellia256_crypt@NETTLE_8 0 + nettle_camellia256_invert_key@NETTLE_8 0 + nettle_camellia256_set_decrypt_key@NETTLE_8 0 + nettle_camellia256_set_encrypt_key@NETTLE_8 0 + nettle_camellia_set_decrypt_key@NETTLE_8 0 + nettle_cast128@NETTLE_8 0 + nettle_cast128_decrypt@NETTLE_8 0 + nettle_cast128_encrypt@NETTLE_8 0 + 
nettle_cast128_set_key@NETTLE_8 0 + nettle_cast5_set_key@NETTLE_8 0 + nettle_cbc_decrypt@NETTLE_8 0 + nettle_cbc_encrypt@NETTLE_8 0 + nettle_ccm_aes128_decrypt@NETTLE_8 0 + nettle_ccm_aes128_decrypt_message@NETTLE_8 0 + nettle_ccm_aes128_digest@NETTLE_8 0 + nettle_ccm_aes128_encrypt@NETTLE_8 0 + nettle_ccm_aes128_encrypt_message@NETTLE_8 0 + nettle_ccm_aes128_set_key@NETTLE_8 0 + nettle_ccm_aes128_set_nonce@NETTLE_8 0 + nettle_ccm_aes128_update@NETTLE_8 0 + nettle_ccm_aes192_decrypt@NETTLE_8 0 + nettle_ccm_aes192_decrypt_message@NETTLE_8 0 + nettle_ccm_aes192_digest@NETTLE_8 0 + nettle_ccm_aes192_encrypt@NETTLE_8 0 + nettle_ccm_aes192_encrypt_message@NETTLE_8 0 + nettle_ccm_aes192_set_key@NETTLE_8 0 + nettle_ccm_aes192_set_nonce@NETTLE_8 0 + nettle_ccm_aes192_update@NETTLE_8 0 + nettle_ccm_aes256_decrypt@NETTLE_8 0 + nettle_ccm_aes256_decrypt_message@NETTLE_8 0 + nettle_ccm_aes256_digest@NETTLE_8 0 + nettle_ccm_aes256_encrypt@NETTLE_8 0 + nettle_ccm_aes256_encrypt_message@NETTLE_8 0 + nettle_ccm_aes256_set_key@NETTLE_8 0 + nettle_ccm_aes256_set_nonce@NETTLE_8 0 + nettle_ccm_aes256_update@NETTLE_8 0 + nettle_ccm_decrypt@NETTLE_8 0 + nettle_ccm_decrypt_message@NETTLE_8 0 + nettle_ccm_digest@NETTLE_8 0 + nettle_ccm_encrypt@NETTLE_8 0 + nettle_ccm_encrypt_message@NETTLE_8 0 + nettle_ccm_set_nonce@NETTLE_8 0 + nettle_ccm_update@NETTLE_8 0 + nettle_cfb8_decrypt@NETTLE_8 0 + nettle_cfb8_encrypt@NETTLE_8 0 + nettle_cfb_decrypt@NETTLE_8 0 + nettle_cfb_encrypt@NETTLE_8 0 + nettle_chacha_crypt32@NETTLE_8 0 + nettle_chacha_crypt@NETTLE_8 0 + nettle_chacha_poly1305@NETTLE_8 0 + nettle_chacha_poly1305_decrypt@NETTLE_8 0 + nettle_chacha_poly1305_digest@NETTLE_8 0 + nettle_chacha_poly1305_encrypt@NETTLE_8 0 + nettle_chacha_poly1305_set_key@NETTLE_8 0 + nettle_chacha_poly1305_set_nonce@NETTLE_8 0 + nettle_chacha_poly1305_update@NETTLE_8 0 + nettle_chacha_set_counter32@NETTLE_8 0 + nettle_chacha_set_counter@NETTLE_8 0 + nettle_chacha_set_key@NETTLE_8 0 + 
nettle_chacha_set_nonce96@NETTLE_8 0 + nettle_chacha_set_nonce@NETTLE_8 0 + nettle_cmac128_digest@NETTLE_8 0 + nettle_cmac128_init@NETTLE_8 0 + nettle_cmac128_set_key@NETTLE_8 0 + nettle_cmac128_update@NETTLE_8 0 + nettle_cmac64_digest@NETTLE_8 0 + nettle_cmac64_init@NETTLE_8 0 + nettle_cmac64_set_key@NETTLE_8 0 + nettle_cmac64_update@NETTLE_8 0 + nettle_cmac_aes128@NETTLE_8 0 + nettle_cmac_aes128_digest@NETTLE_8 0 + nettle_cmac_aes128_set_key@NETTLE_8 0 + nettle_cmac_aes128_update@NETTLE_8 0 + nettle_cmac_aes256@NETTLE_8 0 + nettle_cmac_aes256_digest@NETTLE_8 0 + nettle_cmac_aes256_set_key@NETTLE_8 0 + nettle_cmac_aes256_update@NETTLE_8 0 + nettle_cmac_des3@NETTLE_8 0 + nettle_cmac_des3_digest@NETTLE_8 0 + nettle_cmac_des3_set_key@NETTLE_8 0 + nettle_cmac_des3_update@NETTLE_8 0 + nettle_cnd_memcpy@NETTLE_8 0 + nettle_ctr_crypt@NETTLE_8 0 + nettle_des3_decrypt@NETTLE_8 0 + nettle_des3_encrypt@NETTLE_8 0 + nettle_des3_set_key@NETTLE_8 0 + nettle_des_check_parity@NETTLE_8 0 + nettle_des_decrypt@NETTLE_8 0 + nettle_des_encrypt@NETTLE_8 0 + nettle_des_fix_parity@NETTLE_8 0 + nettle_des_set_key@NETTLE_8 0 + nettle_eax_aes128@NETTLE_8 0 + nettle_eax_aes128_decrypt@NETTLE_8 0 + nettle_eax_aes128_digest@NETTLE_8 0 + nettle_eax_aes128_encrypt@NETTLE_8 0 + nettle_eax_aes128_set_key@NETTLE_8 0 + nettle_eax_aes128_set_nonce@NETTLE_8 0 + nettle_eax_aes128_update@NETTLE_8 0 + nettle_eax_decrypt@NETTLE_8 0 + nettle_eax_digest@NETTLE_8 0 + nettle_eax_encrypt@NETTLE_8 0 + nettle_eax_set_key@NETTLE_8 0 + nettle_eax_set_nonce@NETTLE_8 0 + nettle_eax_update@NETTLE_8 0 + nettle_gcm_aes128@NETTLE_8 0 + nettle_gcm_aes128_decrypt@NETTLE_8 0 + nettle_gcm_aes128_digest@NETTLE_8 0 + nettle_gcm_aes128_encrypt@NETTLE_8 0 + nettle_gcm_aes128_set_iv@NETTLE_8 0 + nettle_gcm_aes128_set_key@NETTLE_8 0 + nettle_gcm_aes128_update@NETTLE_8 0 + nettle_gcm_aes192@NETTLE_8 0 + nettle_gcm_aes192_decrypt@NETTLE_8 0 + nettle_gcm_aes192_digest@NETTLE_8 0 + nettle_gcm_aes192_encrypt@NETTLE_8 0 + 
nettle_gcm_aes192_set_iv@NETTLE_8 0 + nettle_gcm_aes192_set_key@NETTLE_8 0 + nettle_gcm_aes192_update@NETTLE_8 0 + nettle_gcm_aes256@NETTLE_8 0 + nettle_gcm_aes256_decrypt@NETTLE_8 0 + nettle_gcm_aes256_digest@NETTLE_8 0 + nettle_gcm_aes256_encrypt@NETTLE_8 0 + nettle_gcm_aes256_set_iv@NETTLE_8 0 + nettle_gcm_aes256_set_key@NETTLE_8 0 + nettle_gcm_aes256_update@NETTLE_8 0 + nettle_gcm_aes_decrypt@NETTLE_8 0 + nettle_gcm_aes_digest@NETTLE_8 0 + nettle_gcm_aes_encrypt@NETTLE_8 0 + nettle_gcm_aes_set_iv@NETTLE_8 0 + nettle_gcm_aes_set_key@NETTLE_8 0 + nettle_gcm_aes_update@NETTLE_8 0 + nettle_gcm_camellia128@NETTLE_8 0 + nettle_gcm_camellia128_decrypt@NETTLE_8 0 + nettle_gcm_camellia128_digest@NETTLE_8 0 + nettle_gcm_camellia128_encrypt@NETTLE_8 0 + nettle_gcm_camellia128_set_iv@NETTLE_8 0 + nettle_gcm_camellia128_set_key@NETTLE_8 0 + nettle_gcm_camellia128_update@NETTLE_8 0 + nettle_gcm_camellia256@NETTLE_8 0 + nettle_gcm_camellia256_decrypt@NETTLE_8 0 + nettle_gcm_camellia256_digest@NETTLE_8 0 + nettle_gcm_camellia256_encrypt@NETTLE_8 0 + nettle_gcm_camellia256_set_iv@NETTLE_8 0 + nettle_gcm_camellia256_set_key@NETTLE_8 0 + nettle_gcm_camellia256_update@NETTLE_8 0 + nettle_gcm_decrypt@NETTLE_8 0 + nettle_gcm_digest@NETTLE_8 0 + nettle_gcm_encrypt@NETTLE_8 0 + nettle_gcm_set_iv@NETTLE_8 0 + nettle_gcm_set_key@NETTLE_8 0 + nettle_gcm_update@NETTLE_8 0 + nettle_get_aeads@NETTLE_8 0 + nettle_get_armors@NETTLE_8 0 + nettle_get_ciphers@NETTLE_8 0 + nettle_get_hashes@NETTLE_8 0 + nettle_get_macs@NETTLE_8 0 + nettle_gosthash94@NETTLE_8 0 + nettle_gosthash94_digest@NETTLE_8 0 + nettle_gosthash94_init@NETTLE_8 0 + nettle_gosthash94_update@NETTLE_8 0 + nettle_gosthash94cp@NETTLE_8 0 + nettle_gosthash94cp_digest@NETTLE_8 0 + nettle_gosthash94cp_update@NETTLE_8 0 + nettle_hkdf_expand@NETTLE_8 0 + nettle_hkdf_extract@NETTLE_8 0 + nettle_hmac_digest@NETTLE_8 0 + nettle_hmac_gosthash94_digest@NETTLE_8 0 + nettle_hmac_gosthash94_set_key@NETTLE_8 0 + 
nettle_hmac_gosthash94_update@NETTLE_8 0 + nettle_hmac_gosthash94cp_digest@NETTLE_8 0 + nettle_hmac_gosthash94cp_set_key@NETTLE_8 0 + nettle_hmac_gosthash94cp_update@NETTLE_8 0 + nettle_hmac_md5@NETTLE_8 0 + nettle_hmac_md5_digest@NETTLE_8 0 + nettle_hmac_md5_set_key@NETTLE_8 0 + nettle_hmac_md5_update@NETTLE_8 0 + nettle_hmac_ripemd160@NETTLE_8 0 + nettle_hmac_ripemd160_digest@NETTLE_8 0 + nettle_hmac_ripemd160_set_key@NETTLE_8 0 + nettle_hmac_ripemd160_update@NETTLE_8 0 + nettle_hmac_set_key@NETTLE_8 0 + nettle_hmac_sha1@NETTLE_8 0 + nettle_hmac_sha1_digest@NETTLE_8 0 + nettle_hmac_sha1_set_key@NETTLE_8 0 + nettle_hmac_sha1_update@NETTLE_8 0 + nettle_hmac_sha224@NETTLE_8 0 + nettle_hmac_sha224_digest@NETTLE_8 0 + nettle_hmac_sha224_set_key@NETTLE_8 0 + nettle_hmac_sha256@NETTLE_8 0 + nettle_hmac_sha256_digest@NETTLE_8 0 + nettle_hmac_sha256_set_key@NETTLE_8 0 + nettle_hmac_sha256_update@NETTLE_8 0 + nettle_hmac_sha384@NETTLE_8 0 + nettle_hmac_sha384_digest@NETTLE_8 0 + nettle_hmac_sha384_set_key@NETTLE_8 0 + nettle_hmac_sha512@NETTLE_8 0 + nettle_hmac_sha512_digest@NETTLE_8 0 + nettle_hmac_sha512_set_key@NETTLE_8 0 + nettle_hmac_sha512_update@NETTLE_8 0 + nettle_hmac_streebog256@NETTLE_8 3.7~ + nettle_hmac_streebog256_digest@NETTLE_8 3.7~ + nettle_hmac_streebog256_set_key@NETTLE_8 3.7~ + nettle_hmac_streebog512@NETTLE_8 3.7~ + nettle_hmac_streebog512_digest@NETTLE_8 3.7~ + nettle_hmac_streebog512_set_key@NETTLE_8 3.7~ + nettle_hmac_streebog512_update@NETTLE_8 3.7~ + nettle_hmac_update@NETTLE_8 0 + nettle_knuth_lfib_get@NETTLE_8 0 + nettle_knuth_lfib_get_array@NETTLE_8 0 + nettle_knuth_lfib_init@NETTLE_8 0 + nettle_knuth_lfib_random@NETTLE_8 0 + nettle_lookup_hash@NETTLE_8 0 + nettle_md2@NETTLE_8 0 + nettle_md2_digest@NETTLE_8 0 + nettle_md2_init@NETTLE_8 0 + nettle_md2_update@NETTLE_8 0 + nettle_md4@NETTLE_8 0 + nettle_md4_digest@NETTLE_8 0 + nettle_md4_init@NETTLE_8 0 + nettle_md4_update@NETTLE_8 0 + nettle_md5@NETTLE_8 0 + nettle_md5_compress@NETTLE_8 0 + 
nettle_md5_digest@NETTLE_8 0 + nettle_md5_init@NETTLE_8 0 + nettle_md5_update@NETTLE_8 0 + nettle_memeql_sec@NETTLE_8 0 + nettle_memxor3@NETTLE_8 0 + nettle_memxor@NETTLE_8 0 + nettle_pbkdf2@NETTLE_8 0 + nettle_pbkdf2_hmac_gosthash94cp@NETTLE_8 0 + nettle_pbkdf2_hmac_sha1@NETTLE_8 0 + nettle_pbkdf2_hmac_sha256@NETTLE_8 0 + nettle_pbkdf2_hmac_sha384@NETTLE_8 3.7.2~ + nettle_pbkdf2_hmac_sha512@NETTLE_8 3.7.2~ + nettle_poly1305_aes_digest@NETTLE_8 0 + nettle_poly1305_aes_set_key@NETTLE_8 0 + nettle_poly1305_aes_set_nonce@NETTLE_8 0 + nettle_poly1305_aes_update@NETTLE_8 0 + nettle_realloc@NETTLE_8 0 + nettle_ripemd160@NETTLE_8 0 + nettle_ripemd160_digest@NETTLE_8 0 + nettle_ripemd160_init@NETTLE_8 0 + nettle_ripemd160_update@NETTLE_8 0 + nettle_salsa20_128_set_key@NETTLE_8 0 + nettle_salsa20_256_set_key@NETTLE_8 0 + nettle_salsa20_crypt@NETTLE_8 0 + nettle_salsa20_set_key@NETTLE_8 0 + nettle_salsa20_set_nonce@NETTLE_8 0 + nettle_salsa20r12_crypt@NETTLE_8 0 + nettle_serpent128@NETTLE_8 0 + nettle_serpent128_set_key@NETTLE_8 0 + nettle_serpent192@NETTLE_8 0 + nettle_serpent192_set_key@NETTLE_8 0 + nettle_serpent256@NETTLE_8 0 + nettle_serpent256_set_key@NETTLE_8 0 + nettle_serpent_decrypt@NETTLE_8 0 + nettle_serpent_encrypt@NETTLE_8 0 + nettle_serpent_set_key@NETTLE_8 0 + nettle_sha1@NETTLE_8 0 + nettle_sha1_compress@NETTLE_8 0 + nettle_sha1_digest@NETTLE_8 0 + nettle_sha1_init@NETTLE_8 0 + nettle_sha1_update@NETTLE_8 0 + nettle_sha224@NETTLE_8 0 + nettle_sha224_digest@NETTLE_8 0 + nettle_sha224_init@NETTLE_8 0 + nettle_sha256@NETTLE_8 0 + nettle_sha256_digest@NETTLE_8 0 + nettle_sha256_init@NETTLE_8 0 + nettle_sha256_update@NETTLE_8 0 + nettle_sha384@NETTLE_8 0 + nettle_sha384_digest@NETTLE_8 0 + nettle_sha384_init@NETTLE_8 0 + nettle_sha3_224@NETTLE_8 0 + nettle_sha3_224_digest@NETTLE_8 0 + nettle_sha3_224_init@NETTLE_8 0 + nettle_sha3_224_update@NETTLE_8 0 + nettle_sha3_256@NETTLE_8 0 + nettle_sha3_256_digest@NETTLE_8 0 + nettle_sha3_256_init@NETTLE_8 0 + 
nettle_sha3_256_shake@NETTLE_8 0 + nettle_sha3_256_update@NETTLE_8 0 + nettle_sha3_384@NETTLE_8 0 + nettle_sha3_384_digest@NETTLE_8 0 + nettle_sha3_384_init@NETTLE_8 0 + nettle_sha3_384_update@NETTLE_8 0 + nettle_sha3_512@NETTLE_8 0 + nettle_sha3_512_digest@NETTLE_8 0 + nettle_sha3_512_init@NETTLE_8 0 + nettle_sha3_512_update@NETTLE_8 0 + nettle_sha3_permute@NETTLE_8 0 + nettle_sha512@NETTLE_8 0 + nettle_sha512_224@NETTLE_8 0 + nettle_sha512_224_digest@NETTLE_8 0 + nettle_sha512_224_init@NETTLE_8 0 + nettle_sha512_256@NETTLE_8 0 + nettle_sha512_256_digest@NETTLE_8 0 + nettle_sha512_256_init@NETTLE_8 0 + nettle_sha512_digest@NETTLE_8 0 + nettle_sha512_init@NETTLE_8 0 + nettle_sha512_update@NETTLE_8 0 + nettle_siv_cmac_aes128_decrypt_message@NETTLE_8 0 + nettle_siv_cmac_aes128_encrypt_message@NETTLE_8 0 + nettle_siv_cmac_aes128_set_key@NETTLE_8 0 + nettle_siv_cmac_aes256_decrypt_message@NETTLE_8 0 + nettle_siv_cmac_aes256_encrypt_message@NETTLE_8 0 + nettle_siv_cmac_aes256_set_key@NETTLE_8 0 + nettle_siv_cmac_decrypt_message@NETTLE_8 0 + nettle_siv_cmac_encrypt_message@NETTLE_8 0 + nettle_siv_cmac_set_key@NETTLE_8 0 + nettle_streebog256@NETTLE_8 3.7~ + nettle_streebog256_digest@NETTLE_8 3.7~ + nettle_streebog256_init@NETTLE_8 3.7~ + nettle_streebog512@NETTLE_8 3.7~ + nettle_streebog512_digest@NETTLE_8 3.7~ + nettle_streebog512_init@NETTLE_8 3.7~ + nettle_streebog512_update@NETTLE_8 3.7~ + nettle_twofish128@NETTLE_8 0 + nettle_twofish128_set_key@NETTLE_8 0 + nettle_twofish192@NETTLE_8 0 + nettle_twofish192_set_key@NETTLE_8 0 + nettle_twofish256@NETTLE_8 0 + nettle_twofish256_set_key@NETTLE_8 0 + nettle_twofish_decrypt@NETTLE_8 0 + nettle_twofish_encrypt@NETTLE_8 0 + nettle_twofish_set_key@NETTLE_8 0 + nettle_umac128_digest@NETTLE_8 0 + nettle_umac128_set_key@NETTLE_8 0 + nettle_umac128_set_nonce@NETTLE_8 0 + nettle_umac128_update@NETTLE_8 0 + nettle_umac32_digest@NETTLE_8 0 + nettle_umac32_set_key@NETTLE_8 0 + nettle_umac32_set_nonce@NETTLE_8 0 + 
nettle_umac32_update@NETTLE_8 0 + nettle_umac64_digest@NETTLE_8 0 + nettle_umac64_set_key@NETTLE_8 0 + nettle_umac64_set_nonce@NETTLE_8 0 + nettle_umac64_update@NETTLE_8 0 + nettle_umac96_digest@NETTLE_8 0 + nettle_umac96_set_key@NETTLE_8 0 + nettle_umac96_set_nonce@NETTLE_8 0 + nettle_umac96_update@NETTLE_8 0 + nettle_version_major@NETTLE_8 0 + nettle_version_minor@NETTLE_8 0 + nettle_xrealloc@NETTLE_8 0 + nettle_xts_aes128_decrypt_message@NETTLE_8 0 + nettle_xts_aes128_encrypt_message@NETTLE_8 0 + nettle_xts_aes128_set_decrypt_key@NETTLE_8 0 + nettle_xts_aes128_set_encrypt_key@NETTLE_8 0 + nettle_xts_aes256_decrypt_message@NETTLE_8 0 + nettle_xts_aes256_encrypt_message@NETTLE_8 0 + nettle_xts_aes256_set_decrypt_key@NETTLE_8 0 + nettle_xts_aes256_set_encrypt_key@NETTLE_8 0 + nettle_xts_decrypt_message@NETTLE_8 0 + nettle_xts_encrypt_message@NETTLE_8 0 + nettle_yarrow256_fast_reseed@NETTLE_8 0 + nettle_yarrow256_init@NETTLE_8 0 + nettle_yarrow256_is_seeded@NETTLE_8 0 + nettle_yarrow256_needed_sources@NETTLE_8 0 + nettle_yarrow256_random@NETTLE_8 0 + nettle_yarrow256_seed@NETTLE_8 0 + nettle_yarrow256_slow_reseed@NETTLE_8 0 + nettle_yarrow256_update@NETTLE_8 0 + nettle_yarrow_key_event_estimate@NETTLE_8 0 + nettle_yarrow_key_event_init@NETTLE_8 0 diff -Nru nettle-3.4.1/debian/nettle-dbg.maintscript nettle-3.7.3/debian/nettle-dbg.maintscript --- nettle-3.4.1/debian/nettle-dbg.maintscript 2015-04-27 19:59:59.000000000 +0000 +++ nettle-3.7.3/debian/nettle-dbg.maintscript 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -dir_to_symlink /usr/share/doc/nettle-dbg libnettle6 2.7.1-5~ nettle-dbg diff -Nru nettle-3.4.1/debian/nettle-dev.doc-base nettle-3.7.3/debian/nettle-dev.doc-base --- nettle-3.4.1/debian/nettle-dev.doc-base 2009-08-02 15:29:28.000000000 +0000 +++ nettle-3.7.3/debian/nettle-dev.doc-base 2021-06-10 06:51:41.000000000 +0000 
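Review bot: The whole `NETTLE_INTERNAL_8_4` block (every `_nettle_*` entry, all pinned at `3.7.3~`) is recorded as if it were public ABI, but the leading underscore and the release-specific node name indicate private entry points shared with libhogweed, and if, as the `_8_4` suffix suggests, the node is renamed on the next upstream minor release, dpkg-gensymbols will report all of them as disappeared and the block will have to be regenerated rather than patched. Either tag them optional so that expected churn does not break the build, e.g. `(arch=any-amd64|optional)_nettle_aes_decrypt_aesni@NETTLE_INTERNAL_8_4 3.7.3~`, or, since symbols files accept `#` comment lines, say so at the top: `# NETTLE_INTERNAL_* symbols are private to libhogweed, not a stable ABI; regenerate this block on every upstream minor bump.` Separately, the two amd64 `_nettle_sha1_compress_*` entries are interleaved with the `_nettle_salsa20_*` entries instead of sorted after them; dpkg-gensymbols emits sorted output, so the next refresh will produce a noisy diff unless they are moved into order.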
@@ -13,7 +13,7 @@ Index: /usr/share/doc/nettle-dev/nettle.html Format: PDF -Files: /usr/share/doc/nettle-dev/nettle.pdf +Files: /usr/share/doc/nettle-dev/nettle.pdf.gz Format: Info Files: /usr/share/info/nettle.info.gz diff -Nru nettle-3.4.1/debian/nettle-dev.docs nettle-3.7.3/debian/nettle-dev.docs --- nettle-3.4.1/debian/nettle-dev.docs 2009-08-01 22:41:44.000000000 +0000 +++ nettle-3.7.3/debian/nettle-dev.docs 2021-06-10 06:51:41.000000000 +0000 @@ -1,6 +1,5 @@ README NEWS descore.README -TODO nettle.html nettle.pdf diff -Nru nettle-3.4.1/debian/nettle-dev.info nettle-3.7.3/debian/nettle-dev.info --- nettle-3.4.1/debian/nettle-dev.info 2009-08-01 22:41:44.000000000 +0000 +++ nettle-3.7.3/debian/nettle-dev.info 2021-10-29 04:19:56.000000000 +0000 @@ -1 +1 @@ -nettle.info +debian/tmp/usr/share/info/nettle.info diff -Nru nettle-3.4.1/debian/patches/fPIC.patch nettle-3.7.3/debian/patches/fPIC.patch --- nettle-3.4.1/debian/patches/fPIC.patch 2016-02-06 17:59:39.000000000 +0000 +++ nettle-3.7.3/debian/patches/fPIC.patch 2021-06-10 06:51:41.000000000 +0000 @@ -11,7 +11,7 @@ case "$host_os" in --- a/configure +++ b/configure -@@ -7072,7 +7072,7 @@ else +@@ -6724,7 +6724,7 @@ else solaris*) CCPIC="-fPIC" ;; cygwin*) CCPIC="" ;; mingw32*) CCPIC="" ;; diff -Nru nettle-3.4.1/debian/patches/multiarch_dev.patch nettle-3.7.3/debian/patches/multiarch_dev.patch --- nettle-3.4.1/debian/patches/multiarch_dev.patch 2017-12-12 17:36:33.000000000 +0000 +++ nettle-3.7.3/debian/patches/multiarch_dev.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,28 +0,0 @@
---- a/aclocal.m4
-+++ b/aclocal.m4
-@@ -856,11 +856,7 @@ AC_CHECK_TYPE(intmax_t,,,[#include <$ac_
-
- fi # shortcircut to system "stdint.h"
- # ------------------ PREPARE VARIABLES ------------------------------
--if test "$GCC" = "yes" ; then
--ac_cv_stdint_message="using gnu compiler "`$CC --version | head -1`
--else
- ac_cv_stdint_message="using $CC"
--fi
-
- AC_MSG_RESULT([make use of $ac_cv_header_stdint in $ac_stdint_h dnl
- $ac_cv_stdint_result])
---- a/configure
-+++ b/configure
-@@ -6471,11 +6471,7 @@ fi
-
- fi # shortcircut to system "stdint.h"
- # ------------------ PREPARE VARIABLES ------------------------------
--if test "$GCC" = "yes" ; then
--ac_cv_stdint_message="using gnu compiler "`$CC --version | head -1`
--else
- ac_cv_stdint_message="using $CC"
--fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&5
- $as_echo "make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&6; }
diff -Nru nettle-3.4.1/debian/patches/series nettle-3.7.3/debian/patches/series
--- nettle-3.4.1/debian/patches/series 2015-08-03 18:02:13.000000000 +0000
+++ nettle-3.7.3/debian/patches/series 2021-06-10 06:51:41.000000000 +0000
@@ -1,2 +1 @@
 fPIC.patch
-multiarch_dev.patch
diff -Nru nettle-3.4.1/debian/rules nettle-3.7.3/debian/rules
--- nettle-3.4.1/debian/rules 2017-12-12 18:10:42.000000000 +0000
+++ nettle-3.7.3/debian/rules 2021-06-10 06:51:41.000000000 +0000
@@ -1,96 +1,11 @@ #!/usr/bin/make -f -# -*- makefile -*- -# Sample debian/rules that uses debhelper. -# GNU copyright 1997 to 1999 by Joey Hess. -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 +%: + dh $@ -# These are used for cross-compiling and for saving the configure script -# from having to guess our platform (since we know it already) -DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) -DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) -DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) +override_dh_installdocs: + dh_installdocs -a -Nnettle-bin + dh_installdocs -pnettle-bin --link-doc=libnettle8 -ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) - buildflags = --build=$(DEB_BUILD_GNU_TYPE) -else - buildflags = --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE) -endif - -parallel = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) -ifneq (,$(parallel)) -jobsflag = -j$(parallel) -endif - -config.status: configure - dh_testdir - # Add here commands to configure the package. - dh_update_autotools_config - ./configure $(buildflags) \ - --prefix=/usr \ - --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ - --enable-shared \ - --disable-dependency-tracking \ - $(shell DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed dpkg-buildflags --export=configure) - - -build: build-stamp -build-stamp: config.status - dh_testdir - - # Add here commands to compile the package. - $(MAKE) $(jobsflag) MAKEINFO='makeinfo --enable-encoding' -ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) - $(MAKE) check -endif - - touch build-stamp - -clean: - dh_testdir - dh_testroot - rm -f build-stamp - - # Add here commands to clean up after the build process. - [ ! 
-f Makefile ] || $(MAKE) distclean - dh_clean - -install: build - dh_testdir - dh_testroot - dh_prep - dh_installdirs - - # Add here commands to install the package into debian/tmp - $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp - -# Build architecture-independent files here. -build-indep: -binary-indep: -# Nothing to do - -# Build architecture-dependent files here. -build-arch: build -binary-arch: build-arch install - dh_testdir - dh_testroot - dh_install -a --sourcedir=debian/tmp - dh_installdocs -a -Nnettle-dev --link-doc=libnettle6 - dh_installdocs -a -pnettle-dev - dh_installchangelogs -a ChangeLog - dh_installexamples -a - dh_installinfo -a - dh_installman -a - dh_strip -a - dh_compress -a -X.pdf - dh_fixperms -a - dh_makeshlibs -a -V - dh_installdeb -a - dh_shlibdeps -a - dh_gencontrol -a - dh_md5sums -a - dh_builddeb -a - -binary: binary-arch -.PHONY: build build-indep build-arch clean clean-patched binary-indep binary-arch binary install +override_dh_auto_configure: + dh_auto_configure -- --enable-fat diff -Nru nettle-3.4.1/des-compat.c nettle-3.7.3/des-compat.c --- nettle-3.4.1/des-compat.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/des-compat.c 1970-01-01 00:00:00.000000000 +0000 
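Review bot: `dh_installdocs -pnettle-bin --link-doc=libnettle8` turns nettle-bin's /usr/share/doc directory into a symlink to libnettle8's, which Debian policy only permits when the two binary packages are guaranteed to be installed at the same version, i.e. nettle-bin needs `Depends: libnettle8 (= ${binary:Version})`; debian/control is not part of this diff, so please confirm that relationship exists, otherwise a partial upgrade lets the documented and the installed version diverge. The `--enable-fat` option in `override_dh_auto_configure` is now the only non-default configure flag and deserves a one-line why-comment, e.g. `# --enable-fat: runtime CPU detection picks the AES-NI/SHA-NI, NEON and AltiVec code paths over the generic C ones`, since the arch-tagged `_nettle_*_aesni`, `_neon` and `_altivec` entries in libnettle8.symbols only exist because of it. The `-a` on the first `dh_installdocs` call appears redundant under a `dh $@` sequence, which already scopes the override to the architecture-dependent pass, though it is harmless.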
@@ -1,231 +0,0 @@ -/* des-compat.c - - The des block cipher, old libdes/openssl-style interface. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include -#include - -#include "des-compat.h" - -#include "cbc.h" -#include "macros.h" -#include "memxor.h" - -struct des_compat_des3 { const struct des_ctx *keys[3]; }; - -static void -des_compat_des3_encrypt(struct des_compat_des3 *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - nettle_des_encrypt(ctx->keys[0], length, dst, src); - nettle_des_decrypt(ctx->keys[1], length, dst, dst); - nettle_des_encrypt(ctx->keys[2], length, dst, dst); -} - -static void -des_compat_des3_decrypt(struct des_compat_des3 *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - nettle_des_decrypt(ctx->keys[2], length, dst, src); - nettle_des_encrypt(ctx->keys[1], length, dst, dst); - nettle_des_decrypt(ctx->keys[0], length, dst, dst); -} - -void -des_ecb3_encrypt(const_des_cblock *src, des_cblock *dst, - des_key_schedule k1, - des_key_schedule k2, - des_key_schedule k3, int enc) -{ - struct des_compat_des3 keys; - keys.keys[0] = k1; - keys.keys[1] = k2; - keys.keys[2] = k3; - - ((enc == DES_ENCRYPT) ? des_compat_des3_encrypt : des_compat_des3_decrypt) - (&keys, DES_BLOCK_SIZE, *dst, *src); -} - -/* If input is not a integral number of blocks, the final block is - padded with zeros, no length field or anything like that. That's - pretty broken, since it means that "$100" and "$100\0" always have - the same checksum, but I think that's how it's supposed to work. */ -uint32_t -des_cbc_cksum(const uint8_t *src, des_cblock *dst, - long length, des_key_schedule ctx, - const_des_cblock *iv) -{ - /* FIXME: I'm not entirely sure how this function is supposed to - * work, in particular what it should return, and if iv can be - * modified. 
*/ - uint8_t block[DES_BLOCK_SIZE]; - - memcpy(block, *iv, DES_BLOCK_SIZE); - - while (length >= DES_BLOCK_SIZE) - { - memxor(block, src, DES_BLOCK_SIZE); - nettle_des_encrypt(ctx, DES_BLOCK_SIZE, block, block); - - src += DES_BLOCK_SIZE; - length -= DES_BLOCK_SIZE; - } - if (length > 0) - { - memxor(block, src, length); - nettle_des_encrypt(ctx, DES_BLOCK_SIZE, block, block); - } - memcpy(*dst, block, DES_BLOCK_SIZE); - - return LE_READ_UINT32(block + 4); -} - -void -des_ncbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, - des_key_schedule ctx, des_cblock *iv, - int enc) -{ - switch (enc) - { - case DES_ENCRYPT: - nettle_cbc_encrypt(ctx, (nettle_cipher_func *) des_encrypt, - DES_BLOCK_SIZE, *iv, - length, *dst, *src); - break; - case DES_DECRYPT: - nettle_cbc_decrypt(ctx, - (nettle_cipher_func *) des_decrypt, - DES_BLOCK_SIZE, *iv, - length, *dst, *src); - break; - default: - abort(); - } -} - -void -des_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, - des_key_schedule ctx, const_des_cblock *civ, - int enc) -{ - des_cblock iv; - - memcpy(iv, civ, DES_BLOCK_SIZE); - - des_ncbc_encrypt(src, dst, length, ctx, &iv, enc); -} - - -void -des_ecb_encrypt(const_des_cblock *src, des_cblock *dst, - des_key_schedule ctx, - int enc) -{ - ((enc == DES_ENCRYPT) ? 
nettle_des_encrypt : nettle_des_decrypt) - (ctx, DES_BLOCK_SIZE, *dst, *src); -} - -void -des_ede3_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, - des_key_schedule k1, - des_key_schedule k2, - des_key_schedule k3, - des_cblock *iv, - int enc) -{ - struct des_compat_des3 keys; - keys.keys[0] = k1; - keys.keys[1] = k2; - keys.keys[2] = k3; - - switch (enc) - { - case DES_ENCRYPT: - nettle_cbc_encrypt(&keys, (nettle_cipher_func *) des_compat_des3_encrypt, - DES_BLOCK_SIZE, *iv, - length, *dst, *src); - break; - case DES_DECRYPT: - nettle_cbc_decrypt(&keys, (nettle_cipher_func *) des_compat_des3_decrypt, - DES_BLOCK_SIZE, *iv, - length, *dst, *src); - break; - default: - abort(); - } -} - -int -des_set_odd_parity(des_cblock *key) -{ - nettle_des_fix_parity(DES_KEY_SIZE, *key, *key); - - /* FIXME: What to return? */ - return 0; -} - - -/* If des_check_key is non-zero, returns - * - * 0 for ok, -1 for bad parity, and -2 for weak keys. - * - * If des_check_key is zero (the default), always returns zero. - */ - -int des_check_key = 0; - -int -des_key_sched(const_des_cblock *key, des_key_schedule ctx) -{ - if (des_check_key && !des_check_parity (DES_KEY_SIZE, *key)) - /* Bad parity */ - return -1; - - if (!nettle_des_set_key(ctx, *key) && des_check_key) - /* Weak key */ - return -2; - - return 0; -} - -int -des_is_weak_key(const_des_cblock *key) -{ - struct des_ctx ctx; - - return !nettle_des_set_key(&ctx, *key); -} diff -Nru nettle-3.4.1/des-compat.h nettle-3.7.3/des-compat.h --- nettle-3.4.1/des-compat.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/des-compat.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,162 +0,0 @@ -/* des-compat.h - - The des block cipher, old libdes/openssl-style interface. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_DES_COMPAT_H_INCLUDED -#define NETTLE_DES_COMPAT_H_INCLUDED - -/* According to Assar, des_set_key, des_set_key_odd_parity, - * des_is_weak_key, plus the encryption functions (des_*_encrypt and - * des_cbc_cksum) would be a pretty useful subset. */ - -/* NOTE: This is quite experimental, and not all functions are - * implemented. Contributions, in particular test cases are welcome. */ - -#include "des.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* We use some name mangling, to avoid collisions with either other - * nettle functions or with libcrypto. 
*/ - -#define des_ecb3_encrypt nettle_openssl_des_ecb3_encrypt -#define des_cbc_cksum nettle_openssl_des_cbc_cksum -#define des_ncbc_encrypt nettle_openssl_des_ncbc_encrypt -#define des_cbc_encrypt nettle_openssl_des_cbc_encrypt -#define des_ecb_encrypt nettle_openssl_des_ecb_encrypt -#define des_ede3_cbc_encrypt nettle_openssl_des_ede3_cbc_encrypt -#define des_set_odd_parity nettle_openssl_des_set_odd_parity -#define des_check_key nettle_openssl_des_check_key -#define des_key_sched nettle_openssl_des_key_sched -#define des_is_weak_key nettle_openssl_des_is_weak_key - -/* An extra alias */ -#undef des_set_key -#define des_set_key nettle_openssl_des_key_sched - -enum { DES_DECRYPT = 0, DES_ENCRYPT = 1 }; - -/* Types */ -typedef uint32_t DES_LONG; - -/* Note: Typedef:ed arrays should be avoided, but they're used here - * for compatibility. */ -typedef struct des_ctx des_key_schedule[1]; - -typedef uint8_t des_cblock[DES_BLOCK_SIZE]; -/* Note: The proper definition, - - typedef const uint8_t const_des_cblock[DES_BLOCK_SIZE]; - - would have worked, *if* all the prototypes had used arguments like - foo(const_des_cblock src, des_cblock dst), letting argument arrays - "decay" into pointers of type uint8_t * and const uint8_t *. - - But since openssl's prototypes use *pointers* const_des_cblock *src, - des_cblock *dst, this ends up in type conflicts, and the workaround - is to not use const at all. -*/ -#define const_des_cblock des_cblock - -/* Aliases */ -#define des_ecb2_encrypt(i,o,k1,k2,e) \ - des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e)) - -#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \ - des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e)) - -/* Global flag */ -extern int des_check_key; - -/* Prototypes */ - -/* Typing is a little confusing. Since both des_cblock and - des_key_schedule are typedef:ed arrays, it automatically decay to - a pointers. - - But the functions are declared taking pointers to des_cblock, i.e. - pointers to arrays. 
And on the other hand, they take plain - des_key_schedule arguments, which is equivalent to pointers to - struct des_ctx. */ -void -des_ecb3_encrypt(const_des_cblock *src, des_cblock *dst, - des_key_schedule k1, - des_key_schedule k2, - des_key_schedule k3, int enc); - -/* des_cbc_cksum in libdes returns a 32 bit integer, representing the - * latter half of the output block, using little endian byte order. */ -uint32_t -des_cbc_cksum(const uint8_t *src, des_cblock *dst, - long length, des_key_schedule ctx, - const_des_cblock *iv); - -/* NOTE: Doesn't update iv. */ -void -des_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, - des_key_schedule ctx, const_des_cblock *iv, - int enc); - -/* Similar, but updates iv. */ -void -des_ncbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, - des_key_schedule ctx, des_cblock *iv, - int enc); - -void -des_ecb_encrypt(const_des_cblock *src, des_cblock *dst, - des_key_schedule ctx, int enc); - -void -des_ede3_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, - des_key_schedule k1, - des_key_schedule k2, - des_key_schedule k3, - des_cblock *iv, - int enc); - -int -des_set_odd_parity(des_cblock *key); - -int -des_key_sched(const_des_cblock *key, des_key_schedule ctx); - -int -des_is_weak_key(const_des_cblock *key); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_DES_COMPAT_H_INCLUDED */ diff -Nru nettle-3.4.1/desdata.stamp nettle-3.7.3/desdata.stamp --- nettle-3.4.1/desdata.stamp 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/desdata.stamp 2021-06-06 20:06:29.000000000 +0000 @@ -0,0 +1 @@ +stamp diff -Nru nettle-3.4.1/dsa.c nettle-3.7.3/dsa.c --- nettle-3.4.1/dsa.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/dsa.c 2021-06-06 20:06:29.000000000 +0000 
@@ -36,6 +36,7 @@ #endif #include "dsa.h" +#include "dsa-internal.h" #include "bignum.h" diff -Nru nettle-3.4.1/dsa-gen-params.c nettle-3.7.3/dsa-gen-params.c --- nettle-3.4.1/dsa-gen-params.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/dsa-gen-params.c 2021-06-06 20:06:29.000000000 +0000 @@ -42,6 +42,7 @@ #include "bignum.h" #include "nettle-internal.h" +#include "hogweed-internal.h" /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), diff -Nru nettle-3.4.1/dsa.h nettle-3.7.3/dsa.h --- nettle-3.4.1/dsa.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/dsa.h 2021-06-06 20:06:29.000000000 +0000 @@ -59,7 +59,6 @@ #define dsa_public_key_from_der_iterator nettle_dsa_public_key_from_der_iterator #define dsa_openssl_private_key_from_der_iterator nettle_dsa_openssl_private_key_from_der_iterator #define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der -#define _dsa_hash _nettle_dsa_hash /* For FIPS approved parameters */ #define DSA_SHA1_MIN_P_BITS 512 @@ -204,11 +203,6 @@ size_t length, const uint8_t *data); -/* Internal functions. */ -void -_dsa_hash (mpz_t h, unsigned bit_size, - size_t length, const uint8_t *digest); - #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/dsa-hash.c nettle-3.7.3/dsa-hash.c --- nettle-3.4.1/dsa-hash.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/dsa-hash.c 2021-06-06 20:06:29.000000000 +0000 @@ -34,6 +34,7 @@ #endif #include "dsa.h" +#include "dsa-internal.h" #include "bignum.h" 
@@ -41,8 +42,8 @@ FIPS186-3 allows both larger and smaller q; in the the latter case, the hash must be truncated to the right number of bits. */ void -_dsa_hash (mpz_t h, unsigned bit_size, - size_t length, const uint8_t *digest) +_nettle_dsa_hash (mpz_t h, unsigned bit_size, + size_t length, const uint8_t *digest) { if (length > (bit_size + 7) / 8) diff -Nru nettle-3.4.1/dsa-internal.h nettle-3.7.3/dsa-internal.h --- nettle-3.4.1/dsa-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/dsa-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,45 @@ +/* dsa-internal.h + + The DSA publickey algorithm. + + Copyright (C) 2002, 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_DSA_INTERNAL_H_INCLUDED +#define NETTLE_DSA_INTERNAL_H_INCLUDED + +#include "nettle-types.h" + +/* Internal functions. */ +void +_nettle_dsa_hash (mpz_t h, unsigned bit_size, + size_t length, const uint8_t *digest); + + +#endif /* NETTLE_DSA_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/dsa-sign.c nettle-3.7.3/dsa-sign.c --- nettle-3.4.1/dsa-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/dsa-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -39,6 +39,7 @@ #include #include "dsa.h" +#include "dsa-internal.h" #include "bignum.h" 
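Review bot: dsa-internal.h declares `_nettle_dsa_hash (mpz_t h, ...)` but only includes "nettle-types.h", which presumably supplies `size_t`/`uint8_t` but not `mpz_t`; the header is therefore not self-contained and compiles only because every includer in this diff (dsa.c, dsa-hash.c, dsa-sign.c, dsa-verify.c) pulls in "dsa.h" first. Either add `#include "dsa.h"` (or "bignum.h") to the header, or state the ordering requirement with a comment such as `/* Must be included after dsa.h, which provides mpz_t. */`. A short comment on the declaration would also help, e.g. `/* Converts a digest to an mpz, truncating to bit_size bits when the digest is longer (FIPS 186-3). */`, since that truncation is only described in the dsa-hash.c hunk.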
@@ -75,7 +76,7 @@ /* Compute hash */ mpz_init(h); - _dsa_hash (h, mpz_sizeinbase(params->q, 2), digest_size, digest); + _nettle_dsa_hash (h, mpz_sizeinbase(params->q, 2), digest_size, digest); /* Compute k^-1 (mod q) */ if (mpz_invert(k, k, params->q)) diff -Nru nettle-3.4.1/dsa-verify.c nettle-3.7.3/dsa-verify.c --- nettle-3.4.1/dsa-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/dsa-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "dsa.h" +#include "dsa-internal.h" #include "bignum.h" @@ -77,7 +78,7 @@ mpz_init(v); /* The message digest */ - _dsa_hash (tmp, mpz_sizeinbase (params->q, 2), digest_size, digest); + _nettle_dsa_hash (tmp, mpz_sizeinbase (params->q, 2), digest_size, digest); /* v = g^{w * h (mod q)} (mod p) */ mpz_mul(tmp, tmp, w); diff -Nru nettle-3.4.1/eax.c nettle-3.7.3/eax.c --- nettle-3.4.1/eax.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/eax.c 2021-06-06 20:06:29.000000000 +0000 @@ -40,6 +40,7 @@ #include "eax.h" +#include "block-internal.h" #include "ctr.h" #include "memxor.h" @@ -50,18 +51,6 @@ state->b[EAX_BLOCK_SIZE - 1] = t; } -/* Almost the same as gcm_gf_add */ -static void -block16_xor (union nettle_block16 *dst, const union nettle_block16 *src) -{ - dst->w[0] ^= src->w[0]; - dst->w[1] ^= src->w[1]; -#if SIZEOF_LONG == 4 - dst->w[2] ^= src->w[2]; - dst->w[3] ^= src->w[3]; -#endif -} - static void omac_update (union nettle_block16 *state, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, 
@@ -93,27 +82,13 @@ f (cipher, EAX_BLOCK_SIZE, state->b, state->b); } -/* Allows r == a */ -static void -gf2_double (uint8_t *r, const uint8_t *a) -{ - unsigned high = - (a[0] >> 7); - unsigned i; - /* Shift left */ - for (i = 0; i < EAX_BLOCK_SIZE - 1; i++) - r[i] = (a[i] << 1) + (a[i+1] >> 7); - - /* Wrap around for x^{128} = x^7 + x^2 + x + 1 */ - r[EAX_BLOCK_SIZE - 1] = (a[EAX_BLOCK_SIZE - 1] << 1) ^ (high & 0x87); -} - void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; f (cipher, EAX_BLOCK_SIZE, key->pad_block.b, zero_block.b); - gf2_double (key->pad_block.b, key->pad_block.b); - gf2_double (key->pad_partial.b, key->pad_block.b); + block16_mulx_be (&key->pad_block, &key->pad_block); + block16_mulx_be (&key->pad_partial, &key->pad_block); block16_xor (&key->pad_partial, &key->pad_block); } diff -Nru nettle-3.4.1/ecc-192.c nettle-3.7.3/ecc-192.c --- nettle-3.4.1/ecc-192.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-192.c 1970-01-01 00:00:00.000000000 +0000 
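Review bot: The two `block16_mulx_be` calls in eax_set_key replace a gf2_double whose comment documented the reduction (`x^{128} = x^7 + x^2 + x + 1`, the `0x87` constant) and the big-endian bit order; with the helper moved out of this file that rationale is lost, so a call-site comment such as `/* pad_block = L*x, pad_partial = L*x ^ L*x^2 (OMAC subkeys) in GF(2^128), big-endian bit order */` would keep the derivation readable. The definition of block16_mulx_be is not in this diff, so its equivalence to the removed loop — including the branch-free `high & 0x87` wrap the old code used, which matters because these values are key-derived — cannot be checked here and should be confirmed against block-internal.h. The same move applies to block16_xor in the earlier eax.c hunk (`@@ -50,18 +51,6 @@`), whose removed body also carried the `SIZEOF_LONG == 4` case that the shared helper must still cover.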
@@ -1,178 +0,0 @@ -/* ecc-192.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -/* FIXME: Remove ecc.h include, once prototypes of more internal - functions are moved to ecc-internal.h */ -#include "ecc.h" -#include "ecc-internal.h" - -#define USE_REDC 0 - -#include "ecc-192.h" - -#if HAVE_NATIVE_ecc_192_modp - -#define ecc_192_modp nettle_ecc_192_modp -void -ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp); - -/* Use that p = 2^{192} - 2^64 - 1, to eliminate 128 bits at a time. 
*/ - -#elif GMP_NUMB_BITS == 32 -/* p is 6 limbs, p = B^6 - B^2 - 1 */ -static void -ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) -{ - mp_limb_t cy; - - /* Reduce from 12 to 9 limbs (top limb small)*/ - cy = mpn_add_n (rp + 2, rp + 2, rp + 8, 4); - cy = sec_add_1 (rp + 6, rp + 6, 2, cy); - cy += mpn_add_n (rp + 4, rp + 4, rp + 8, 4); - assert (cy <= 2); - - rp[8] = cy; - - /* Reduce from 9 to 6 limbs */ - cy = mpn_add_n (rp, rp, rp + 6, 3); - cy = sec_add_1 (rp + 3, rp + 3, 2, cy); - cy += mpn_add_n (rp + 2, rp + 2, rp + 6, 3); - cy = sec_add_1 (rp + 5, rp + 5, 1, cy); - - assert (cy <= 1); - cy = cnd_add_n (cy, rp, ecc_Bmodp, 6); - assert (cy == 0); -} -#elif GMP_NUMB_BITS == 64 -/* p is 3 limbs, p = B^3 - B - 1 */ -static void -ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) -{ - mp_limb_t cy; - - /* Reduce from 6 to 5 limbs (top limb small)*/ - cy = mpn_add_n (rp + 1, rp + 1, rp + 4, 2); - cy = sec_add_1 (rp + 3, rp + 3, 1, cy); - cy += mpn_add_n (rp + 2, rp + 2, rp + 4, 2); - assert (cy <= 2); - - rp[4] = cy; - - /* Reduce from 5 to 4 limbs (high limb small) */ - cy = mpn_add_n (rp, rp, rp + 3, 2); - cy = sec_add_1 (rp + 2, rp + 2, 1, cy); - cy += mpn_add_n (rp + 1, rp + 1, rp + 3, 2); - - assert (cy <= 1); - cy = cnd_add_n (cy, rp, ecc_Bmodp, 3); - assert (cy == 0); -} - -#else -#define ecc_192_modp ecc_mod -#endif - -const struct ecc_curve nettle_secp_192r1 = -{ - { - 192, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_192_modp, - ecc_192_modp, - ecc_mod_inv, - NULL, - }, - { - 192, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - - USE_REDC, - ECC_PIPPENGER_K, - ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), 
- ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - - ecc_b, - ecc_g, - NULL, - ecc_unit, - ecc_table -}; - -const struct ecc_curve *nettle_get_secp_192r1(void) -{ - return &nettle_secp_192r1; -} diff -Nru nettle-3.4.1/ecc-224.c nettle-3.7.3/ecc-224.c --- nettle-3.4.1/ecc-224.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-224.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,130 +0,0 @@ -/* ecc-224.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "ecc.h" -#include "ecc-internal.h" - -#if HAVE_NATIVE_ecc_224_modp - -#define USE_REDC 0 -#define ecc_224_modp nettle_ecc_224_modp -void -ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp); - -#else -#define USE_REDC (ECC_REDC_SIZE != 0) -#define ecc_224_modp ecc_mod -#endif - -#include "ecc-224.h" - -#if ECC_REDC_SIZE < 0 -# define ecc_224_redc ecc_pm1_redc -#elif ECC_REDC_SIZE == 0 -# define ecc_224_redc NULL -#else -# error Configuration error -#endif - -const struct ecc_curve nettle_secp_224r1 = -{ - { - 224, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - -ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_224_modp, - USE_REDC ? 
ecc_224_redc : ecc_224_modp, - ecc_mod_inv, - NULL, - }, - { - 224, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - - USE_REDC, - ECC_PIPPENGER_K, - ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - - ecc_b, - ecc_g, - NULL, - ecc_unit, - ecc_table -}; - -const struct ecc_curve *nettle_get_secp_224r1(void) -{ - return &nettle_secp_224r1; -} diff -Nru nettle-3.4.1/ecc-25519.c nettle-3.7.3/ecc-25519.c --- nettle-3.4.1/ecc-25519.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-25519.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,353 +0,0 @@ -/* ecc-25519.c - - Arithmetic and tables for curve25519, - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc.h" -#include "ecc-internal.h" - -#define USE_REDC 0 - -#include "ecc-25519.h" - -#define PHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 255) - -#if HAVE_NATIVE_ecc_25519_modp - -#define ecc_25519_modp nettle_ecc_25519_modp -void -ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp); -#else - -#if PHIGH_BITS == 0 -#error Unsupported limb size */ -#endif - -static void -ecc_25519_modp(const struct ecc_modulo *m UNUSED, mp_limb_t *rp) -{ - mp_limb_t hi, cy; - - cy = mpn_addmul_1 (rp, rp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, - (mp_limb_t) 19 << PHIGH_BITS); - hi = rp[ECC_LIMB_SIZE-1]; - cy = (cy << PHIGH_BITS) + (hi >> (GMP_NUMB_BITS - PHIGH_BITS)); - rp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) - + sec_add_1 (rp, rp, ECC_LIMB_SIZE - 1, 19 * cy); -} -#endif /* HAVE_NATIVE_ecc_25519_modp */ - -#define QHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 252) - -#if QHIGH_BITS == 0 -#error Unsupported limb size */ -#endif - -static void -ecc_25519_modq (const struct ecc_modulo *q, mp_limb_t *rp) -{ - mp_size_t n; - mp_limb_t cy; - - /* n is the offset where we add in the next term */ - for (n = ECC_LIMB_SIZE; n-- > 0;) - { - cy = mpn_submul_1 (rp + n, - q->B_shifted, ECC_LIMB_SIZE, - rp[n + ECC_LIMB_SIZE]); - /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */ - assert (cy < 2); - cnd_add_n (cy, rp+n, q->m, ECC_LIMB_SIZE); - } - - cy = mpn_submul_1 (rp, q->m, ECC_LIMB_SIZE, - rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS)); - assert (cy < 2); - cnd_add_n (cy, rp, q->m, ECC_LIMB_SIZE); -} - -/* Needs 2*ecc->size limbs at rp, and 2*ecc->size additional limbs of - scratch space. No overlap allowed. 
*/ -static void -ecc_mod_pow_2kp1 (const struct ecc_modulo *m, - mp_limb_t *rp, const mp_limb_t *xp, - unsigned k, mp_limb_t *tp) -{ - if (k & 1) - { - ecc_mod_sqr (m, tp, xp); - k--; - } - else - { - ecc_mod_sqr (m, rp, xp); - ecc_mod_sqr (m, tp, rp); - k -= 2; - } - while (k > 0) - { - ecc_mod_sqr (m, rp, tp); - ecc_mod_sqr (m, tp, rp); - k -= 2; - } - ecc_mod_mul (m, rp, tp, xp); -} - -/* Computes a^{(p-5)/8} = a^{2^{252-3}} mod m. Needs 5 * n scratch - space. */ -static void -ecc_mod_pow_252m3 (const struct ecc_modulo *m, - mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) -{ -#define a7 scratch -#define t0 (scratch + ECC_LIMB_SIZE) -#define t1 (scratch + 3*ECC_LIMB_SIZE) - - /* a^{2^252 - 3} = a^{(p-5)/8}, using the addition chain - 2^252 - 3 - = 1 + (2^252-4) - = 1 + 4 (2^250-1) - = 1 + 4 (2^125+1)(2^125-1) - = 1 + 4 (2^125+1)(1+2(2^124-1)) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^62-1)) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(2^31-1)) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^28-1))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^14-1))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(2^7-1))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^6-1)))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^3+1)*7))) - */ - - ecc_mod_pow_2kp1 (m, t0, ap, 1, t1); /* a^3 */ - ecc_mod_sqr (m, rp, t0); /* a^6 */ - ecc_mod_mul (m, a7, rp, ap); /* a^7 */ - ecc_mod_pow_2kp1 (m, rp, a7, 3, t0); /* a^63 = a^{2^6-1} */ - ecc_mod_sqr (m, t0, rp); /* a^{2^7-2} */ - ecc_mod_mul (m, rp, t0, ap); /* a^{2^7-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 7, t1); /* a^{2^14-1}*/ - ecc_mod_pow_2kp1 (m, rp, t0, 14, t1); /* a^{2^28-1} */ - ecc_mod_sqr (m, t0, rp); /* a^{2^29-2} */ - ecc_mod_sqr (m, t1, t0); /* a^{2^30-4} */ - ecc_mod_sqr (m, t0, t1); /* a^{2^31-8} */ - ecc_mod_mul (m, rp, t0, a7); /* a^{2^31-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 31, t1); /* a^{2^62-1} */ - ecc_mod_pow_2kp1 (m, rp, t0, 62, t1); /* a^{2^124-1}*/ - ecc_mod_sqr (m, 
t0, rp); /* a^{2^125-2} */ - ecc_mod_mul (m, rp, t0, ap); /* a^{2^125-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 125, t1);/* a^{2^250-1} */ - ecc_mod_sqr (m, rp, t0); /* a^{2^251-2} */ - ecc_mod_sqr (m, t0, rp); /* a^{2^252-4} */ - ecc_mod_mul (m, rp, t0, ap); /* a^{2^252-3} */ -#undef t0 -#undef t1 -#undef a7 -} - -/* Needs 5*ECC_LIMB_SIZE scratch space. */ -#define ECC_25519_INV_ITCH (5*ECC_LIMB_SIZE) - -static void ecc_25519_inv (const struct ecc_modulo *p, - mp_limb_t *rp, const mp_limb_t *ap, - mp_limb_t *scratch) -{ -#define t0 scratch - - /* Addition chain - - p - 2 = 2^{255} - 21 - = 1 + 2 (1 + 4 (2^{252}-3)) - */ - ecc_mod_pow_252m3 (p, rp, ap, t0); - ecc_mod_sqr (p, t0, rp); - ecc_mod_sqr (p, rp, t0); - ecc_mod_mul (p, t0, ap, rp); - ecc_mod_sqr (p, rp, t0); - ecc_mod_mul (p, t0, ap, rp); - mpn_copyi (rp, t0, ECC_LIMB_SIZE); /* FIXME: Eliminate copy? */ -#undef t0 -} - -/* First, do a canonical reduction, then check if zero */ -static int -ecc_25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp) -{ - mp_limb_t cy; - mp_limb_t w; - mp_size_t i; -#if PHIGH_BITS > 0 - mp_limb_t hi = xp[ECC_LIMB_SIZE-1]; - xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) - + sec_add_1 (xp, xp, ECC_LIMB_SIZE - 1, 19 * (hi >> (GMP_NUMB_BITS - PHIGH_BITS))); -#endif - cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE); - cnd_add_n (cy, xp, p->m, ECC_LIMB_SIZE); - - for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++) - w |= xp[i]; - return w == 0; -} - -/* Compute x such that x^2 = u/v (mod p). Returns one on success, zero - on failure. We use the e = 2 special case of the Shanks-Tonelli - algorithm (see http://www.math.vt.edu/people/brown/doc/sqrts.pdf, - or Henri Cohen, Computational Algebraic Number Theory, 1.5.1). - - To avoid a separate inversion, we also use a trick of djb's, to - compute the candidate root as - - x = (u/v)^{(p+3)/8} = u v^3 (u v^7)^{(p-5)/8}. 
-*/ -#if ECC_SQRT_E != 2 -#error Broken curve25519 parameters -#endif - -/* Needs 4*n space + scratch for ecc_mod_pow_252m3. */ -#define ECC_25519_SQRT_ITCH (9*ECC_LIMB_SIZE) - -static int -ecc_25519_sqrt(const struct ecc_modulo *p, mp_limb_t *rp, - const mp_limb_t *up, const mp_limb_t *vp, - mp_limb_t *scratch) -{ - int pos, neg; - -#define uv3 scratch -#define uv7 (scratch + ECC_LIMB_SIZE) -#define uv7p (scratch + 2*ECC_LIMB_SIZE) -#define v2 (scratch + 2*ECC_LIMB_SIZE) -#define uv (scratch + 3*ECC_LIMB_SIZE) -#define v4 (scratch + 3*ECC_LIMB_SIZE) - -#define scratch_out (scratch + 4 * ECC_LIMB_SIZE) - -#define x2 scratch -#define vx2 (scratch + ECC_LIMB_SIZE) -#define t0 (scratch + 2*ECC_LIMB_SIZE) - - /* Live values */ - ecc_mod_sqr (p, v2, vp); /* v2 */ - ecc_mod_mul (p, uv, up, vp); /* uv, v2 */ - ecc_mod_mul (p, uv3, uv, v2); /* uv3, v2 */ - ecc_mod_sqr (p, v4, v2); /* uv3, v4 */ - ecc_mod_mul (p, uv7, uv3, v4); /* uv3, uv7 */ - ecc_mod_pow_252m3 (p, uv7p, uv7, scratch_out); /* uv3, uv7p */ - ecc_mod_mul (p, rp, uv7p, uv3); /* none */ - - /* Check sign. If square root exists, have v x^2 = ±u */ - ecc_mod_sqr (p, x2, rp); - ecc_mod_mul (p, vx2, x2, vp); - ecc_mod_add (p, t0, vx2, up); - neg = ecc_25519_zero_p (p, t0); - ecc_mod_sub (p, t0, up, vx2); - pos = ecc_25519_zero_p (p, t0); - - ecc_mod_mul (p, t0, rp, ecc_sqrt_z); - cnd_copy (neg, rp, t0, ECC_LIMB_SIZE); - return pos | neg; - -#undef uv3 -#undef uv7 -#undef uv7p -#undef v2 -#undef v4 -#undef scratch_out -#undef x2 -#undef vx2 -#undef t0 -} - -const struct ecc_curve _nettle_curve25519 = -{ - { - 255, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - 0, - ECC_25519_INV_ITCH, - ECC_25519_SQRT_ITCH, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - NULL, - ecc_pp1h, - - ecc_25519_modp, - ecc_25519_modp, - ecc_25519_inv, - ecc_25519_sqrt, - }, - { - 253, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_mBmodq_shifted, /* Use q - 2^{252} instead. 
*/ - NULL, - ecc_qp1h, - - ecc_25519_modq, - ecc_25519_modq, - ecc_mod_inv, - NULL, - }, - - 0, /* No redc */ - ECC_PIPPENGER_K, - ECC_PIPPENGER_C, - - ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), - ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH), - - ecc_add_ehh, - ecc_mul_a_eh, - ecc_mul_g_eh, - ecc_eh_to_a, - - ecc_d, /* Use the Edwards curve constant. */ - ecc_g, - ecc_edwards, - ecc_unit, - ecc_table -}; diff -Nru nettle-3.4.1/ecc-256.c nettle-3.7.3/ecc-256.c --- nettle-3.4.1/ecc-256.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-256.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,307 +0,0 @@ -/* ecc-256.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc.h" -#include "ecc-internal.h" - -#if HAVE_NATIVE_ecc_256_redc -# define USE_REDC 1 -#else -# define USE_REDC (ECC_REDC_SIZE != 0) -#endif - -#include "ecc-256.h" - -#if HAVE_NATIVE_ecc_256_redc -# define ecc_256_redc nettle_ecc_256_redc -void -ecc_256_redc (const struct ecc_modulo *p, mp_limb_t *rp); -#else /* !HAVE_NATIVE_ecc_256_redc */ -# if ECC_REDC_SIZE > 0 -# define ecc_256_redc ecc_pp1_redc -# elif ECC_REDC_SIZE == 0 -# define ecc_256_redc NULL -# else -# error Configuration error -# endif -#endif /* !HAVE_NATIVE_ecc_256_redc */ - -#if ECC_BMODP_SIZE < ECC_LIMB_SIZE -#define ecc_256_modp ecc_mod -#define ecc_256_modq ecc_mod -#elif GMP_NUMB_BITS == 64 - -static void -ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp) -{ - mp_limb_t u1, u0; - mp_size_t n; - - n = 2*p->size; - u1 = rp[--n]; - u0 = rp[n-1]; - - /* This is not particularly fast, but should work well with assembly implementation. */ - for (; n >= p->size; n--) - { - mp_limb_t q2, q1, q0, t, cy; - - /* = v * u1 + , with v = 2^32 - 1: - - +---+---+ - | u1| u0| - +---+---+ - |-u1| - +-+-+-+ - | u1| - +---+-+-+-+-+ - | q2| q1| q0| - +---+---+---+ - */ - q1 = u1 - (u1 > u0); - q0 = u0 - u1; - t = u1 << 32; - q0 += t; - t = (u1 >> 32) + (q0 < t) + 1; - q1 += t; - q2 = q1 < t; - - /* Compute candidate remainder */ - u1 = u0 + (q1 << 32) - q1; - t = -(mp_limb_t) (u1 > q0); - u1 -= t & 0xffffffff; - q1 += t; - q2 += t + (q1 < t); - - assert (q2 < 2); - - /* - n-1 n-2 n-3 n-4 - +---+---+---+---+ - | u1| u0| u low | - +---+---+---+---+ - - | q1(2^96-1)| - +-------+---+ - |q2(2^.)| - +-------+ - - We multiply by two low limbs of p, 2^96 - 1, so we could use - shifts rather than mul. 
- */ - t = mpn_submul_1 (rp + n - 4, p->m, 2, q1); - t += cnd_sub_n (q2, rp + n - 3, p->m, 1); - t += (-q2) & 0xffffffff; - - u0 = rp[n-2]; - cy = (u0 < t); - u0 -= t; - t = (u1 < cy); - u1 -= cy; - - cy = cnd_add_n (t, rp + n - 4, p->m, 2); - u0 += cy; - u1 += (u0 < cy); - u1 -= (-t) & 0xffffffff; - } - rp[2] = u0; - rp[3] = u1; -} - -static void -ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp) -{ - mp_limb_t u2, u1, u0; - mp_size_t n; - - n = 2*q->size; - u2 = rp[--n]; - u1 = rp[n-1]; - - /* This is not particularly fast, but should work well with assembly implementation. */ - for (; n >= q->size; n--) - { - mp_limb_t q2, q1, q0, t, c1, c0; - - u0 = rp[n-2]; - - /* = v * u2 + , same method as above. - - +---+---+ - | u2| u1| - +---+---+ - |-u2| - +-+-+-+ - | u2| - +---+-+-+-+-+ - | q2| q1| q0| - +---+---+---+ - */ - q1 = u2 - (u2 > u1); - q0 = u1 - u2; - t = u2 << 32; - q0 += t; - t = (u2 >> 32) + (q0 < t) + 1; - q1 += t; - q2 = q1 < t; - - /* Compute candidate remainder, - * (2^128 - 2^96 + 2^64 - 1) - + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128) - - +---+---+ - | u1| u0| - +---+---+ - | q2| q1| - +---+---+ - |-q1| - +-+-+-+ - | q1| - --+-+-+-+---+ - | u2| u1| - +---+---+ - */ - u2 = u1 + q2 - q1; - u1 = u0 + q1; - u2 += (u1 < q1); - u2 += (q1 << 32); - - t = -(mp_limb_t) (u2 >= q0); - q1 += t; - q2 += t + (q1 < t); - u1 += t; - u2 += (t << 32) + (u1 < t); - - assert (q2 < 2); - - c0 = cnd_sub_n (q2, rp + n - 3, q->m, 1); - c0 += (-q2) & q->m[1]; - t = mpn_submul_1 (rp + n - 4, q->m, 2, q1); - c0 += t; - c1 = c0 < t; - - /* Construct underflow condition. 
*/ - c1 += (u1 < c0); - t = - (mp_limb_t) (u2 < c1); - - u1 -= c0; - u2 -= c1; - - /* Conditional add of p */ - u1 += t; - u2 += (t<<32) + (u1 < t); - - t = cnd_add_n (t, rp + n - 4, q->m, 2); - u1 += t; - u2 += (u1 < t); - } - rp[2] = u1; - rp[3] = u2; -} - -#else -#error Unsupported parameters -#endif - -const struct ecc_curve nettle_secp_256r1 = -{ - { - 256, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - - ecc_pp1h, - ecc_256_modp, - USE_REDC ? ecc_256_redc : ecc_256_modp, - ecc_mod_inv, - NULL, - }, - { - 256, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_256_modq, - ecc_256_modq, - ecc_mod_inv, - NULL, - }, - - USE_REDC, - ECC_PIPPENGER_K, - ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - - ecc_b, - ecc_g, - NULL, - ecc_unit, - ecc_table -}; - -const struct ecc_curve *nettle_get_secp_256r1(void) -{ - return &nettle_secp_256r1; -} diff -Nru nettle-3.4.1/ecc-384.c nettle-3.7.3/ecc-384.c --- nettle-3.4.1/ecc-384.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-384.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,215 +0,0 @@ -/* ecc-384.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc.h" -#include "ecc-internal.h" - -#define USE_REDC 0 - -#include "ecc-384.h" - -#if HAVE_NATIVE_ecc_384_modp -#define ecc_384_modp nettle_ecc_384_modp -void -ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp); -#elif GMP_NUMB_BITS == 32 - -/* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256 - bits at a time. - - We can get carry == 2 in the first iteration, and I think *only* in - the first iteration. */ - -/* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate - almost 8 at a time. Do only 7, to avoid additional carry - propagation, followed by 5. */ -static void -ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) -{ - mp_limb_t cy, bw; - - /* Reduce from 24 to 17 limbs. 
*/ - cy = mpn_add_n (rp + 4, rp + 4, rp + 16, 8); - cy = sec_add_1 (rp + 12, rp + 12, 3, cy); - - bw = mpn_sub_n (rp + 5, rp + 5, rp + 16, 8); - bw = sec_sub_1 (rp + 13, rp + 13, 3, bw); - - cy += mpn_add_n (rp + 7, rp + 7, rp + 16, 8); - cy = sec_add_1 (rp + 15, rp + 15, 1, cy); - - cy += mpn_add_n (rp + 8, rp + 8, rp + 16, 8); - assert (bw <= cy); - cy -= bw; - - assert (cy <= 2); - rp[16] = cy; - - /* Reduce from 17 to 12 limbs */ - cy = mpn_add_n (rp, rp, rp + 12, 5); - cy = sec_add_1 (rp + 5, rp + 5, 3, cy); - - bw = mpn_sub_n (rp + 1, rp + 1, rp + 12, 5); - bw = sec_sub_1 (rp + 6, rp + 6, 6, bw); - - cy += mpn_add_n (rp + 3, rp + 3, rp + 12, 5); - cy = sec_add_1 (rp + 8, rp + 8, 1, cy); - - cy += mpn_add_n (rp + 4, rp + 4, rp + 12, 5); - cy = sec_add_1 (rp + 9, rp + 9, 3, cy); - - assert (cy >= bw); - cy -= bw; - assert (cy <= 1); - cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE); - assert (cy == 0); -} -#elif GMP_NUMB_BITS == 64 -/* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3 - (almost 4) limbs at a time. 
*/ -static void -ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) -{ - mp_limb_t tp[6]; - mp_limb_t cy; - - /* Reduce from 12 to 9 limbs */ - tp[0] = 0; /* FIXME: Could use mpn_sub_nc */ - mpn_copyi (tp + 1, rp + 8, 3); - tp[4] = rp[11] - mpn_sub_n (tp, tp, rp + 8, 4); - tp[5] = mpn_lshift (tp, tp, 5, 32); - - cy = mpn_add_n (rp + 2, rp + 2, rp + 8, 4); - cy = sec_add_1 (rp + 6, rp + 6, 2, cy); - - cy += mpn_add_n (rp + 2, rp + 2, tp, 6); - cy += mpn_add_n (rp + 4, rp + 4, rp + 8, 4); - - assert (cy <= 2); - rp[8] = cy; - - /* Reduce from 9 to 6 limbs */ - tp[0] = 0; - mpn_copyi (tp + 1, rp + 6, 2); - tp[3] = rp[8] - mpn_sub_n (tp, tp, rp + 6, 3); - tp[4] = mpn_lshift (tp, tp, 4, 32); - - cy = mpn_add_n (rp, rp, rp + 6, 3); - cy = sec_add_1 (rp + 3, rp + 3, 2, cy); - cy += mpn_add_n (rp, rp, tp, 5); - cy += mpn_add_n (rp + 2, rp + 2, rp + 6, 3); - - cy = sec_add_1 (rp + 5, rp + 5, 1, cy); - assert (cy <= 1); - - cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE); - assert (cy == 0); -} -#else -#define ecc_384_modp ecc_mod -#endif - -const struct ecc_curve nettle_secp_384r1 = -{ - { - 384, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_384_modp, - ecc_384_modp, - ecc_mod_inv, - NULL, - }, - { - 384, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - - USE_REDC, - ECC_PIPPENGER_K, - ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - - ecc_b, - ecc_g, - NULL, - ecc_unit, - ecc_table -}; - -const struct ecc_curve *nettle_get_secp_384r1(void) -{ - return &nettle_secp_384r1; -} diff -Nru nettle-3.4.1/ecc-521.c nettle-3.7.3/ecc-521.c 
--- nettle-3.4.1/ecc-521.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/ecc-521.c 1970-01-01 00:00:00.000000000 +0000
@@ -1,143 +0,0 @@ -/* ecc-521.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "ecc.h" -#include "ecc-internal.h" - -#define USE_REDC 0 - -#include "ecc-521.h" - -#if HAVE_NATIVE_ecc_521_modp -#define ecc_521_modp nettle_ecc_521_modp -void -ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp); - -#else - -#define B_SHIFT (521 % GMP_NUMB_BITS) -#define BMODP_SHIFT (GMP_NUMB_BITS - B_SHIFT) -#define BMODP ((mp_limb_t) 1 << BMODP_SHIFT) - -/* Result may be *slightly* larger than 2^521 */ -static void -ecc_521_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) -{ - /* FIXME: Should use mpn_addlsh_n_ip1 */ - mp_limb_t hi; - /* Reduce from 2*ECC_LIMB_SIZE to ECC_LIMB_SIZE + 1 */ - rp[ECC_LIMB_SIZE] - = mpn_addmul_1 (rp, rp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, BMODP); - hi = mpn_addmul_1 (rp, rp + ECC_LIMB_SIZE, 1, BMODP); - hi = sec_add_1 (rp + 1, rp + 1, ECC_LIMB_SIZE - 1, hi); - - /* Combine hi with top bits, and add in. */ - hi = (hi << BMODP_SHIFT) | (rp[ECC_LIMB_SIZE-1] >> B_SHIFT); - rp[ECC_LIMB_SIZE-1] = (rp[ECC_LIMB_SIZE-1] - & (((mp_limb_t) 1 << B_SHIFT)-1)) - + sec_add_1 (rp, rp, ECC_LIMB_SIZE - 1, hi); -} -#endif - -const struct ecc_curve nettle_secp_521r1 = -{ - { - 521, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_521_modp, - ecc_521_modp, - ecc_mod_inv, - NULL, - }, - { - 521, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - - USE_REDC, - ECC_PIPPENGER_K, - ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - - ecc_b, - ecc_g, - NULL, - ecc_unit, - ecc_table -}; - -const struct ecc_curve *nettle_get_secp_521r1(void) -{ - return 
&nettle_secp_521r1;
-}
diff -Nru nettle-3.4.1/ecc-add-eh.c nettle-3.7.3/ecc-add-eh.c
--- nettle-3.4.1/ecc-add-eh.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/ecc-add-eh.c 2021-06-06 20:06:29.000000000 +0000
@@ -70,38 +70,38 @@ y3 = z1*G*(D-C) 2 mul F, G z3 = F*G mul */ -#define C (scratch) -#define D (scratch + 1*ecc->p.size) -#define T (scratch + 2*ecc->p.size) -#define E (scratch + 3*ecc->p.size) -#define B (scratch + 4*ecc->p.size) -#define F D +#define T scratch +#define E (scratch + 1*ecc->p.size) #define G E - - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, x3, x1, y1); - ecc_modp_add (ecc, y3, x2, y2); - ecc_modp_mul (ecc, T, x3, y3); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - - ecc_modp_add (ecc, C, D, C); /* ! */ - ecc_modp_sqr (ecc, B, z1); - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); - - /* x3 */ - ecc_modp_mul (ecc, B, G, T); /* ! */ - ecc_modp_mul (ecc, x3, B, z1); - - /* y3 */ - ecc_modp_mul (ecc, B, F, z1); /* ! */ - ecc_modp_mul (ecc, y3, B, C); /* Clobbers z1 in case r == p. */ - - /* z3 */ - ecc_modp_mul (ecc, B, F, G); - mpn_copyi (z3, B, ecc->p.size); +#define C (scratch + 2*ecc->p.size) +#define D (scratch + 3*ecc->p.size) +#define B D + + /* Use T as scratch, clobber E */ + ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ + ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + /* Can now use x3 as scratch, without breaking in-place operation. */ + ecc_mod_mul (&ecc->p, T, T, z1, x3); + + ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ + ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); + + ecc_mod_sub (&ecc->p, C, D, C); /* C, T, E */ + ecc_mod_mul (&ecc->p, C, C, z1, x3); + + ecc_mod_sqr (&ecc->p, B, z1, x3); /* C, T, E, B */ + ecc_mod_sub (&ecc->p, x3, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* C, T, G */ + + /* Can now use y3 as scratch, without breaking in-place operation. 
*/ + ecc_mod_mul (&ecc->p, y3, C, G, y3); /* T G */ + + /* Can use C--D as scratch */ + ecc_mod_mul (&ecc->p, z3, x3, G, C); /* T */ + ecc_mod_mul (&ecc->p, x3, x3, T, C); } diff -Nru nettle-3.4.1/ecc-add-ehh.c nettle-3.7.3/ecc-add-ehh.c --- nettle-3.4.1/ecc-add-ehh.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-add-ehh.c 2021-06-06 20:06:29.000000000 +0000 
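Review bot: `ecc_mod_mul (&ecc->p, T, x3, y3, T)` passes T as both the result and the scratch base, and `ecc_mod_mul (&ecc->p, T, T, z1, x3)` writes its result over its first operand, so the rewrite depends on ecc_mod_mul's overlap rules for rp versus ap/bp and tp, which nothing in this hunk states. The `/* Use T as scratch, clobber E */` comment says what is clobbered but not why the overlap is permitted; I'd extend it to `/* Use T as scratch, clobber E. Relies on ecc_mod_mul allowing rp to overlap its operands and the start of its scratch area. */` (confirm against the declaration in ecc-internal.h). ecc-add-ehh.c, ecc-add-th.c and ecc-add-thh.c in this diff use the same pattern and would take the same comment. The enclosing ecc_add_eh starts outside the hunk.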
@@ -70,46 +70,41 @@ x3 = A*F*T 2 mul A, C, G y3 = A*G*(D-C) 2 mul F, G z3 = F*G mul - - But when working with the twist curve, we have to negate the - factor C = x1*x2. We change subtract to add in the y3 - expression, and swap F and G. */ -#define C scratch -#define D (scratch + ecc->p.size) -#define T (scratch + 2*ecc->p.size) -#define E (scratch + 3*ecc->p.size) -#define A (scratch + 4*ecc->p.size) -#define B (scratch + 5*ecc->p.size) -#define F D -#define G E - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, A, x1, y1); - ecc_modp_add (ecc, B, x2, y2); - ecc_modp_mul (ecc, T, A, B); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - ecc_modp_add (ecc, C, D, C); /* ! */ - - ecc_modp_mul (ecc, A, z1, z2); - ecc_modp_sqr (ecc, B, A); - - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); - - /* x3 */ - ecc_modp_mul (ecc, B, G, T); /* ! */ - ecc_modp_mul (ecc, x3, B, A); - - /* y3 */ - ecc_modp_mul (ecc, B, F, C); /* ! */ - ecc_modp_mul (ecc, y3, B, A); - - /* z3 */ - ecc_modp_mul (ecc, B, F, G); - mpn_copyi (z3, B, ecc->p.size); +#define T scratch +#define E (scratch + 1*ecc->p.size) +#define G E +#define C (scratch + 2*ecc->p.size) +#define D (scratch + 3*ecc->p.size) +#define B D + + /* Use T as scratch, clobber E */ + ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ + ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + + /* Can now use x3 as scratch, without breaking in-place operation. 
*/ + ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ + ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); + ecc_mod_sub (&ecc->p, C, D, C); /* C, T, E */ + + ecc_mod_mul (&ecc->p, B, z1, z2, x3); /* C, T, E, B */ + ecc_mod_mul (&ecc->p, C, C, B, x3); + ecc_mod_mul (&ecc->p, T, T, B, x3); + ecc_mod_sqr (&ecc->p, B, B, x3); + + ecc_mod_sub (&ecc->p, x3, B, E); + ecc_mod_add (&ecc->p, G, B, E); /* C, T, G */ + + /* Can now use y3 as scratch, without breaking in-place operation. */ + ecc_mod_mul (&ecc->p, y3, C, G, y3); /* T G */ + + /* Can use C--D as scratch */ + ecc_mod_mul (&ecc->p, z3, x3, G, C); /* T */ + ecc_mod_mul (&ecc->p, x3, x3, T, C); } diff -Nru nettle-3.4.1/ecc-add-jja.c nettle-3.7.3/ecc-add-jja.c --- nettle-3.4.1/ecc-add-jja.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-add-jja.c 2021-06-06 20:06:29.000000000 +0000 @@ -54,6 +54,16 @@ mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { +#define x1 p +#define y1 (p + ecc->p.size) +#define z1 (p + 2*ecc->p.size) +#define x2 q +#define y2 (q + ecc->p.size) + +#define x3 r +#define y3 (r + ecc->p.size) +#define z3 (r + 2*ecc->p.size) + /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): 
@@ -73,53 +83,49 @@ */ #define zz scratch #define h (scratch + ecc->p.size) -#define hh (scratch + 2*ecc->p.size) -#define w (scratch + 3*ecc->p.size) -#define j (scratch + 4*ecc->p.size) -#define v scratch - -#define x1 p -#define y1 (p + ecc->p.size) -#define z1 (p + 2*ecc->p.size) -#define x2 q -#define y2 (q + ecc->p.size) +#define w (scratch + 2*ecc->p.size) +#define hh zz +#define i zz +#define v zz +#define j h +#define tp (scratch + 3*ecc->p.size) /* zz */ - ecc_modp_sqr (ecc, zz, z1); + ecc_mod_sqr (&ecc->p, zz, z1, tp); /* zz */ /* h*/ - ecc_modp_mul (ecc, h, x2, zz); - ecc_modp_sub (ecc, h, h, x1); - /* hh */ - ecc_modp_sqr (ecc, hh, h); + ecc_mod_mul (&ecc->p, h, x2, zz, tp); /* zz, h */ + ecc_mod_sub (&ecc->p, h, h, x1); /* Do z^3 early, store at w. */ - ecc_modp_mul (ecc, w, zz, z1); - /* z_3, use j area for scratch */ - ecc_modp_add (ecc, r + 2*ecc->p.size, p + 2*ecc->p.size, h); - ecc_modp_sqr (ecc, j, r + 2*ecc->p.size); - ecc_modp_sub (ecc, j, j, zz); - ecc_modp_sub (ecc, r + 2*ecc->p.size, j, hh); + ecc_mod_mul (&ecc->p, w, zz, z1, tp); /* zz, h, w */ + /* z_3 */ + ecc_mod_add (&ecc->p, z3, z1, h); + ecc_mod_sqr (&ecc->p, z3, z3, tp); + ecc_mod_sub (&ecc->p, z3, z3, zz); /* h, w */ + /* hh */ + ecc_mod_sqr (&ecc->p, hh, h, tp); /* h, w, hh */ + ecc_mod_sub (&ecc->p, z3, z3, hh); /* w */ - ecc_modp_mul (ecc, j, y2, w); - ecc_modp_sub (ecc, w, j, y1); - ecc_modp_mul_1 (ecc, w, w, 2); + ecc_mod_mul (&ecc->p, w, y2, w, tp); + ecc_mod_sub (&ecc->p, w, w, y1); + ecc_mod_add (&ecc->p, w, w, w); - /* i replaces hh, j */ - ecc_modp_mul_1 (ecc, hh, hh, 4); - ecc_modp_mul (ecc, j, hh, h); - - /* v */ - ecc_modp_mul (ecc, v, x1, hh); - - /* x_3, use (h, hh) as sqratch */ - ecc_modp_sqr (ecc, h, w); - ecc_modp_sub (ecc, r, h, j); - ecc_modp_submul_1 (ecc, r, v, 2); - - /* y_3, use (h, hh) as sqratch */ - ecc_modp_mul (ecc, h, y1, j); /* frees j */ - ecc_modp_sub (ecc, r + ecc->p.size, v, r); - ecc_modp_mul (ecc, j, r + ecc->p.size, w); - ecc_modp_submul_1 
(ecc, j, h, 2); - mpn_copyi (r + ecc->p.size, j, ecc->p.size); + /* i replaces hh */ + ecc_mod_mul_1 (&ecc->p, i, hh, 4); /* h, w, i */ + /* j replaces h */ + ecc_mod_mul (&ecc->p, j, i, h, tp); /* w, i, j */ + + /* v replaces i */ + ecc_mod_mul (&ecc->p, v, x1, i, tp); + + /* x_3 */ + ecc_mod_sqr (&ecc->p, x3, w, tp); + ecc_mod_sub (&ecc->p, x3, x3, j); + ecc_mod_submul_1 (&ecc->p, x3, v, 2); + + /* y_3 */ + ecc_mod_mul (&ecc->p, j, y1, j, tp); + ecc_mod_sub (&ecc->p, y3, v, x3); + ecc_mod_mul (&ecc->p, y3, y3, w, tp); + ecc_mod_submul_1 (&ecc->p, y3, j, 2); } diff -Nru nettle-3.4.1/ecc-add-jjj.c nettle-3.7.3/ecc-add-jjj.c --- nettle-3.4.1/ecc-add-jjj.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-add-jjj.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,6 +43,17 @@ mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { +#define x1 p +#define y1 (p + ecc->p.size) +#define z1 (p + 2*ecc->p.size) + +#define x2 q +#define y2 (q + ecc->p.size) +#define z2 (q + 2*ecc->p.size) + +#define x3 r +#define y3 (r + ecc->p.size) +#define z3 (r + 2*ecc->p.size) /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl: 
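Review bot: The write `ecc_mod_add (&ecc->p, z3, z1, h)` now happens before the hh, w and y_3 steps, and when r == p (the delayed z3 write in the ecc-add-jjj.c hunk below suggests in-place calls are supported) it overwrites z1; it is correct only because the last read of z1, `ecc_mod_mul (&ecc->p, w, zz, z1, tp)`, sits immediately above it, and that ordering constraint is not recorded anywhere in the new code. I'd add `/* Last use of z1 above: z3 may now be written even when r == p. */` before the z_3 step so a later reordering does not silently break in-place callers. The enclosing function starts outside the hunk.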
@@ -63,58 +74,64 @@ X3 = W^2-J-2*V sqr S1, W, J, V Y3 = W*(V-X3)-2*S1*J mul, mul */ - mp_limb_t *z1z1 = scratch; - mp_limb_t *z2z2 = scratch + ecc->p.size; - mp_limb_t *u1 = scratch + 2*ecc->p.size; - mp_limb_t *u2 = scratch + 3*ecc->p.size; - mp_limb_t *s1 = scratch; /* overlap z1z1 */ - mp_limb_t *s2 = scratch + ecc->p.size; /* overlap z2z2 */ - mp_limb_t *i = scratch + 4*ecc->p.size; - mp_limb_t *j = scratch + 5*ecc->p.size; - mp_limb_t *v = scratch + 6*ecc->p.size; - - /* z1^2, z2^2, u1 = x1 x2^2, u2 = x2 z1^2 - u1 */ - ecc_modp_sqr (ecc, z1z1, p + 2*ecc->p.size); - ecc_modp_sqr (ecc, z2z2, q + 2*ecc->p.size); - ecc_modp_mul (ecc, u1, p, z2z2); - ecc_modp_mul (ecc, u2, q, z1z1); - ecc_modp_sub (ecc, u2, u2, u1); /* Store h in u2 */ - - /* z3, use i, j, v as scratch, result at i. */ - ecc_modp_add (ecc, i, p + 2*ecc->p.size, q + 2*ecc->p.size); - ecc_modp_sqr (ecc, v, i); - ecc_modp_sub (ecc, v, v, z1z1); - ecc_modp_sub (ecc, v, v, z2z2); - ecc_modp_mul (ecc, i, v, u2); - /* Delayed write, to support in-place operation. 
*/ - - /* s1 = y1 z2^3, s2 = y2 z1^3, scratch at j and v */ - ecc_modp_mul (ecc, j, z1z1, p + 2*ecc->p.size); /* z1^3 */ - ecc_modp_mul (ecc, v, z2z2, q + 2*ecc->p.size); /* z2^3 */ - ecc_modp_mul (ecc, s1, p + ecc->p.size, v); - ecc_modp_mul (ecc, v, j, q + ecc->p.size); - ecc_modp_sub (ecc, s2, v, s1); - ecc_modp_mul_1 (ecc, s2, s2, 2); - - /* Store z3 */ - mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); - - /* i, j, v */ - ecc_modp_sqr (ecc, i, u2); - ecc_modp_mul_1 (ecc, i, i, 4); - ecc_modp_mul (ecc, j, u2, i); - ecc_modp_mul (ecc, v, u1, i); - - /* now, u1, u2 and i are free for reuse .*/ - /* x3, use u1, u2 as scratch */ - ecc_modp_sqr (ecc, u1, s2); - ecc_modp_sub (ecc, r, u1, j); - ecc_modp_submul_1 (ecc, r, v, 2); - - /* y3 */ - ecc_modp_mul (ecc, u1, s1, j); /* Frees j */ - ecc_modp_sub (ecc, u2, v, r); /* Frees v */ - ecc_modp_mul (ecc, i, s2, u2); - ecc_modp_submul_1 (ecc, i, u1, 2); - mpn_copyi (r + ecc->p.size, i, ecc->p.size); + +#define h scratch +#define z1z1 (scratch + ecc->p.size) +#define z2z2 z1z1 +#define z1z2 (scratch + 2*ecc->p.size) + +#define w (scratch + ecc->p.size) +#define i (scratch + 2*ecc->p.size) +#define j h +#define v i + +#define tp (scratch + 3*ecc->p.size) + + ecc_mod_sqr (&ecc->p, z2z2, z2, tp); /* z2z2 */ + /* Store u1 at x3 */ + ecc_mod_mul (&ecc->p, x3, x1, z2z2, tp); /* z2z2 */ + + ecc_mod_add (&ecc->p, z1z2, z1, z2); /* z2z2, z1z2 */ + ecc_mod_sqr (&ecc->p, z1z2, z1z2, tp); + ecc_mod_sub (&ecc->p, z1z2, z1z2, z2z2); /* z2z2, z1z2 */ + + /* Do s1 early, store at y3 */ + ecc_mod_mul (&ecc->p, z2z2, z2z2, z2, tp); /* z2z2, z1z2 */ + ecc_mod_mul (&ecc->p, y3, z2z2, y1, tp); /* z1z2 */ + + ecc_mod_sqr (&ecc->p, z1z1, z1, tp); /* z1z1, z1z2 */ + ecc_mod_sub (&ecc->p, z1z2, z1z2, z1z1); + ecc_mod_mul (&ecc->p, h, x2, z1z1, tp); /* z1z1, z1z2, h */ + ecc_mod_sub (&ecc->p, h, h, x3); + + /* z1^3 */ + ecc_mod_mul (&ecc->p, z1z1, z1z1, z1, tp); + + /* z3 <-- h z1 z2 delayed until now, since that may clobber z1. 
*/ + ecc_mod_mul (&ecc->p, z3, z1z2, h, tp); /* z1z1, h */ + /* w = 2 (s2 - s1) */ + ecc_mod_mul (&ecc->p, w, z1z1, y2, tp); /* h, w */ + ecc_mod_sub (&ecc->p, w, w, y3); + ecc_mod_add (&ecc->p, w, w, w); + + /* i = (2h)^2 */ + ecc_mod_add (&ecc->p, i, h, h); /* h, w, i */ + ecc_mod_sqr (&ecc->p, i, i, tp); + + /* j and h can overlap */ + ecc_mod_mul (&ecc->p, j, h, i, tp); /* j, w, i */ + + /* v and i can overlap */ + ecc_mod_mul (&ecc->p, v, x3, i, tp); /* j, w, v */ + + /* x3 <-- w^2 - j - 2v */ + ecc_mod_sqr (&ecc->p, x3, w, tp); + ecc_mod_sub (&ecc->p, x3, x3, j); + ecc_mod_submul_1 (&ecc->p, x3, v, 2); + + /* y3 <-- w (v - x3) - 2 s1 j */ + ecc_mod_mul (&ecc->p, j, j, y3, tp); + ecc_mod_sub (&ecc->p, v, v, x3); + ecc_mod_mul (&ecc->p, y3, v, w, tp); + ecc_mod_submul_1 (&ecc->p, y3, j, 2); } diff -Nru nettle-3.4.1/ecc-add-th.c nettle-3.7.3/ecc-add-th.c --- nettle-3.4.1/ecc-add-th.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-add-th.c 2021-06-06 20:06:29.000000000 +0000 
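Review bot: The comment `/* z3 <-- h z1 z2 delayed until now, since that may clobber z1. */` drops a factor of two: z1z2 is computed as (z1+z2)^2 - z2^2 - z1^2 = 2 z1 z2, matching the Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H term of the add-2007-bl formulas cited above the hunk, so the value stored is 2 h z1 z2. I'd write `/* z3 <-- 2 h z1 z2, delayed until now since it may clobber z1. */`, and the `#define z1z2` line could carry a short comment that it holds twice the product rather than z1*z2. The enclosing ecc_add_jjj starts outside the hunk.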
@@ -0,0 +1,113 @@ +/* ecc-add-th.c + + Copyright (C) 2014, 2017 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "ecc.h" +#include "ecc-internal.h" + +/* Add two points on a twisted Edwards curve, with result and first point in + homogeneous coordinates. 
*/ +void +ecc_add_th (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, + mp_limb_t *scratch) +{ +#define x1 p +#define y1 (p + ecc->p.size) +#define z1 (p + 2*ecc->p.size) + +#define x2 q +#define y2 (q + ecc->p.size) + +#define x3 r +#define y3 (r + ecc->p.size) +#define z3 (r + 2*ecc->p.size) + + /* Formulas (from djb, + http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-madd-2008-bbjlp + + Computation Operation Live variables + + C = x1*x2 mul C + D = y1*y2 mul C, D + T = (x1+y1)*(x2+y2) mul C, D, T + - C - D + E = b*C*D 2 mul C, E, T (Replace C <-- D+C) + B = z1^2 sqr B, C, E, T + F = B - E B, C, E, F, T + G = B + E C, F, G, T + x3 = z1 * F * T 2 mul C, F, G, T + y3 = z1*G*(D+C) 2 mul F, G + z3 = F*G mul + + 10M + 1S + + We have different sign for E, hence swapping F and G, because our + ecc->b corresponds to -b above. + */ +#define T scratch +#define E (scratch + 1*ecc->p.size) +#define F E +#define C (scratch + 2*ecc->p.size) +#define D (scratch + 3*ecc->p.size) +#define B D + + /* Use T as scratch, clobber E */ + ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ + ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ + ecc_mod_sub (&ecc->p, T, T, C); + ecc_mod_sub (&ecc->p, T, T, D); + /* Can now use x3 as scratch, without breaking in-place operation. */ + ecc_mod_mul (&ecc->p, T, T, z1, x3); + + ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ + ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); + + ecc_mod_add (&ecc->p, C, D, C); /* C, T, E */ + ecc_mod_mul (&ecc->p, C, C, z1, x3); + + ecc_mod_sqr (&ecc->p, B, z1, x3); /* C, T, E, B */ + ecc_mod_add (&ecc->p, x3, B, E); + ecc_mod_sub (&ecc->p, F, B, E); /* C, T, F */ + + /* Can now use y3 as scratch, without breaking in-place operation. 
*/ + ecc_mod_mul (&ecc->p, y3, C, F, y3); /* T G */ + + /* Can use C--D as scratch */ + ecc_mod_mul (&ecc->p, z3, x3, F, C); /* T */ + ecc_mod_mul (&ecc->p, x3, x3, T, C); +} diff -Nru nettle-3.4.1/ecc-add-thh.c nettle-3.7.3/ecc-add-thh.c --- nettle-3.4.1/ecc-add-thh.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-add-thh.c 2021-06-06 20:06:29.000000000 +0000 
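Review bot: The live-variable comment `/* T G */` after `ecc_mod_mul (&ecc->p, y3, C, F, y3)` names a G that this file never defines; ecc-add-th.c calls the surviving scratch value F (`#define F E`), so the comment was carried over from ecc-add-eh.c and should read `/* T, F */`. ecc-add-thh.c has the same stale comment at the same step. Since these liveness annotations are the only record of which scratch slots are safe to reuse, keeping them accurate matters more here than in ordinary code.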
@@ -0,0 +1,113 @@ +/* ecc-add-thh.c + + Copyright (C) 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "ecc.h" +#include "ecc-internal.h" + +/* Add two points on an Edwards curve, in homogeneous coordinates */ +void +ecc_add_thh (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, + mp_limb_t *scratch) +{ +#define x1 p +#define y1 (p + ecc->p.size) +#define z1 (p + 2*ecc->p.size) + +#define x2 q +#define y2 (q + ecc->p.size) +#define z2 (q + 2*ecc->p.size) + +#define x3 r +#define y3 (r + ecc->p.size) +#define z3 (r + 2*ecc->p.size) + + /* Formulas (from djb, + http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-add-2008-bbjlp): + + Computation Operation Live variables + + C = x1*x2 mul C + D = y1*y2 mul C, D + T = (x1+y1)(x2+y2) - C - D, mul C, D, T + E = b*C*D 2 mul C, E, T (Replace C <-- D - C) + A = z1*z2 mul A, C, E, T + B = A^2 sqr A, B, C, E, T + F = B - E A, B, C, E, F, T + G = B + E A, C, F, G, T + x3 = A*F*T 2 mul A, C, G + y3 = A*G*(D+C) 2 mul F, G + z3 = F*G mul + + 11M + S + + We have different sign for E, hence swapping F and G, because our + ecc->b corresponds to -b above. + */ +#define T scratch +#define E (scratch + 1*ecc->p.size) +#define F E +#define C (scratch + 2*ecc->p.size) +#define D (scratch + 3*ecc->p.size) +#define B D + + /* Use T as scratch, clobber E */ + ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ + ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ + ecc_mod_add (&ecc->p, x3, x1, y1); + ecc_mod_add (&ecc->p, y3, x2, y2); + ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ + + /* Can now use x3 as scratch, without breaking in-place operation. 
*/ + ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ + ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); + ecc_mod_add (&ecc->p, C, D, C); /* C, T, E */ + ecc_mod_sub (&ecc->p, T, T, C); + + ecc_mod_mul (&ecc->p, B, z1, z2, x3); + ecc_mod_mul (&ecc->p, T, T, B, x3); + ecc_mod_mul (&ecc->p, C, C, B, x3); + ecc_mod_sqr (&ecc->p, B, B, x3); + + ecc_mod_add (&ecc->p, x3, B, E); + ecc_mod_sub (&ecc->p, F, B, E); /* C, T, F */ + + /* Can now use y3 as scratch, without breaking in-place operation. */ + ecc_mod_mul (&ecc->p, y3, C, F, y3); /* T G */ + + /* Can use C--D as scratch */ + ecc_mod_mul (&ecc->p, z3, x3, F, C); /* T */ + ecc_mod_mul (&ecc->p, x3, x3, T, C); +} diff -Nru nettle-3.4.1/ecc-a-to-j.c nettle-3.7.3/ecc-a-to-j.c --- nettle-3.4.1/ecc-a-to-j.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-a-to-j.c 2021-06-06 20:06:29.000000000 +0000 @@ -47,10 +47,10 @@ mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); mpn_zero (r, ecc->p.size); - ecc->p.mod (&ecc->p, r); + ecc->p.mod (&ecc->p, r, r); mpn_zero (r + ecc->p.size, ecc->p.size); - ecc->p.mod (&ecc->p, r + ecc->p.size); + ecc->p.mod (&ecc->p, r + ecc->p.size, r + ecc->p.size); } else if (r != p) mpn_copyi (r, p, 2*ecc->p.size); diff -Nru nettle-3.4.1/ecc-curve25519.c nettle-3.7.3/ecc-curve25519.c --- nettle-3.4.1/ecc-curve25519.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-curve25519.c 2021-06-06 20:06:29.000000000 +0000 
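Review bot: The header comment `/* Add two points on an Edwards curve, in homogeneous coordinates */` describes a different curve family from the formulas it cites (auto-twisted-projective, addition-add-2008-bbjlp) and from the sibling ecc-add-th.c, which says `twisted Edwards curve`; I'd align it to `/* Add two points on a twisted Edwards curve, both points and result in homogeneous coordinates. */`. The operation count is written `11M + S` here but `10M + 1S` in ecc-add-th.c; one notation for both files keeps them comparable.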
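Review bot: Both updated calls pass the same pointer as result and input, `ecc->p.mod (&ecc->p, r, r)` and `ecc->p.mod (&ecc->p, r + ecc->p.size, r + ecc->p.size)`, so every reduction function installed in ecc->p must accept rp == xp, and the hunk does not record that requirement. The new ecc_curve25519_modp later in this diff appears written to tolerate the overlap (it reads xp into hi before storing rp[ECC_LIMB_SIZE-1]), but that is a property of each implementation, not of the call site. I'd add `/* In-place reduction: every ecc->p.mod implementation must accept rp == xp. */` above the first call. The enclosing function starts outside the hunk.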
@@ -0,0 +1,325 @@ +/* ecc-curve25519.c + + Arithmetic and tables for curve25519, + + Copyright (C) 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-curve25519.h" + +#define PHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 255) + +#if HAVE_NATIVE_ecc_curve25519_modp + +#define ecc_curve25519_modp _nettle_ecc_curve25519_modp +void +ecc_curve25519_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); +#else + +#if PHIGH_BITS == 0 +#error Unsupported limb size */ +#endif + +static void +ecc_curve25519_modp(const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_limb_t hi, cy; + + cy = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, + (mp_limb_t) 19 << PHIGH_BITS); + hi = xp[ECC_LIMB_SIZE-1]; + cy = (cy << PHIGH_BITS) + (hi >> (GMP_NUMB_BITS - PHIGH_BITS)); + rp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + + sec_add_1 (rp, xp, ECC_LIMB_SIZE - 1, 19 * cy); +} +#endif /* HAVE_NATIVE_ecc_curve25519_modp */ + +#define QHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 252) + +#if QHIGH_BITS == 0 +#error Unsupported limb size */ +#endif + +static void +ecc_curve25519_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_size_t n; + mp_limb_t cy; + + /* n is the offset where we add in the next term */ + for (n = ECC_LIMB_SIZE; n-- > 0;) + { + cy = mpn_submul_1 (xp + n, + q->B_shifted, ECC_LIMB_SIZE, + xp[n + ECC_LIMB_SIZE]); + /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */ + assert (cy < 2); + mpn_cnd_add_n (cy, xp+n, xp+n, q->m, ECC_LIMB_SIZE); + } + + cy = mpn_submul_1 (xp, q->m, ECC_LIMB_SIZE, + xp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS)); + assert (cy < 2); + mpn_cnd_add_n (cy, rp, xp, q->m, ECC_LIMB_SIZE); +} + +/* Computes a^{(p-5)/8} = a^{2^{252}-3} mod m. Needs 4 * n scratch + space. 
*/ +static void +ecc_mod_pow_252m3 (const struct ecc_modulo *m, + mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) +{ +#define a7 scratch +#define t0 (scratch + ECC_LIMB_SIZE) +#define tp (scratch + 2*ECC_LIMB_SIZE) + + /* a^{2^252 - 3} = a^{(p-5)/8}, using the addition chain + 2^252 - 3 + = 1 + (2^252-4) + = 1 + 4 (2^250-1) + = 1 + 4 (2^125+1)(2^125-1) + = 1 + 4 (2^125+1)(1+2(2^124-1)) + = 1 + 4 (2^125+1)(1+2(2^62+1)(2^62-1)) + = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(2^31-1)) + = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^28-1))) + = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^14-1))) + = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(2^7-1))) + = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^6-1)))) + = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^3+1)*7))) + */ + + ecc_mod_pow_2kp1 (m, a7, ap, 1, tp); /* a^3 */ + ecc_mod_sqr (m, a7, a7, tp); /* a^6 */ + ecc_mod_mul (m, a7, a7, ap, tp); /* a^7 */ + ecc_mod_pow_2kp1 (m, rp, a7, 3, tp); /* a^63 = a^{2^6-1} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^7-2} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^7-1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 7, tp); /* a^{2^14-1}*/ + ecc_mod_pow_2kp1 (m, rp, t0, 14, tp); /* a^{2^28-1} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^29-2} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^30-4} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^31-8} */ + ecc_mod_mul (m, rp, rp, a7, tp); /* a^{2^31-1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 31, tp); /* a^{2^62-1} */ + ecc_mod_pow_2kp1 (m, rp, t0, 62, tp); /* a^{2^124-1}*/ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^125-2} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^125-1} */ + ecc_mod_pow_2kp1 (m, t0, rp, 125, tp);/* a^{2^250-1} */ + ecc_mod_sqr (m, rp, t0, tp); /* a^{2^251-2} */ + ecc_mod_sqr (m, rp, rp, tp); /* a^{2^252-4} */ + ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^252-3} */ +#undef a7 +#undef t0 +#undef tp +} + +/* Scratch as for ecc_mod_pow_252m3 above. 
*/ +#define ECC_25519_INV_ITCH (4*ECC_LIMB_SIZE) + +static void +ecc_curve25519_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ + /* Addition chain + + p - 2 = 2^{255} - 21 + = 1 + 2 (1 + 4 (2^{252}-3)) + */ + ecc_mod_pow_252m3 (p, rp, ap, scratch); + ecc_mod_sqr (p, rp, rp, scratch); + ecc_mod_sqr (p, rp, rp, scratch); + ecc_mod_mul (p, rp, ap, rp, scratch); + ecc_mod_sqr (p, rp, rp, scratch); + ecc_mod_mul (p, rp, ap, rp, scratch); +} + +/* First, do a canonical reduction, then check if zero */ +static int +ecc_curve25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp) +{ + mp_limb_t cy; + mp_limb_t w; + mp_size_t i; +#if PHIGH_BITS > 0 + mp_limb_t hi = xp[ECC_LIMB_SIZE-1]; + xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + + sec_add_1 (xp, xp, ECC_LIMB_SIZE - 1, 19 * (hi >> (GMP_NUMB_BITS - PHIGH_BITS))); +#endif + cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE); + mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE); + + for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++) + w |= xp[i]; + return w == 0; +} + +/* Compute x such that x^2 = u/v (mod p). Returns one on success, zero + on failure. We use the e = 2 special case of the Shanks-Tonelli + algorithm (see http://www.math.vt.edu/people/brown/doc/sqrts.pdf, + or Henri Cohen, Computational Algebraic Number Theory, 1.5.1). + + To avoid a separate inversion, we also use a trick of djb's, to + compute the candidate root as + + x = (u/v)^{(p+3)/8} = u v^3 (u v^7)^{(p-5)/8}. +*/ +#if ECC_SQRT_E != 2 +#error Broken curve25519 parameters +#endif + +/* Needs 2*n space + scratch for ecc_mod_pow_252m3. 
*/ +#define ECC_25519_SQRT_ITCH (6*ECC_LIMB_SIZE) + +static int +ecc_curve25519_sqrt(const struct ecc_modulo *p, mp_limb_t *rp, + const mp_limb_t *up, const mp_limb_t *vp, + mp_limb_t *scratch) +{ + int pos, neg; + +#define uv3 scratch +#define uv7 (scratch + ECC_LIMB_SIZE) + +#define v2 uv7 +#define uv uv3 +#define v4 uv7 + +#define scratch_out (scratch + 2 * ECC_LIMB_SIZE) + +#define x2 scratch +#define vx2 (scratch + ECC_LIMB_SIZE) +#define t0 (scratch + 2*ECC_LIMB_SIZE) + + /* Live values */ + ecc_mod_sqr (p, v2, vp, scratch_out); /* v2 */ + ecc_mod_mul (p, uv, up, vp, scratch_out); /* uv, v2 */ + ecc_mod_mul (p, uv3, uv, v2, scratch_out); /* uv3, v2 */ + ecc_mod_sqr (p, v4, v2, scratch_out); /* uv3, v4 */ + ecc_mod_mul (p, uv7, uv3, v4, scratch_out); /* uv7 */ + ecc_mod_pow_252m3 (p, rp, uv7, scratch_out); /* uv3, uv7p */ + ecc_mod_mul (p, rp, rp, uv3, scratch_out); /* none */ + + /* Check sign. If square root exists, have v x^2 = ±u */ + ecc_mod_sqr (p, x2, rp, t0); + ecc_mod_mul (p, vx2, x2, vp, t0); + ecc_mod_add (p, t0, vx2, up); + neg = ecc_curve25519_zero_p (p, t0); + ecc_mod_sub (p, t0, up, vx2); + pos = ecc_curve25519_zero_p (p, t0); + + ecc_mod_mul (p, t0, rp, ecc_sqrt_z, t0); + cnd_copy (neg, rp, t0, ECC_LIMB_SIZE); + return pos | neg; + +#undef uv3 +#undef uv7 +#undef v2 +#undef uv +#undef v4 +#undef scratch_out +#undef x2 +#undef vx2 +#undef t0 +} + +const struct ecc_curve _nettle_curve25519 = +{ + { + 255, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + 0, + ECC_25519_INV_ITCH, + ECC_25519_SQRT_ITCH, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + NULL, + ecc_pp1h, + + ecc_curve25519_modp, + ecc_curve25519_modp, + ecc_curve25519_inv, + ecc_curve25519_sqrt, + }, + { + 253, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_mBmodq_shifted, /* Use q - 2^{252} instead. 
*/ + NULL, + ecc_qp1h, + + ecc_curve25519_modq, + ecc_curve25519_modq, + ecc_mod_inv, + NULL, + }, + + 0, /* No redc */ + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_TH_ITCH (ECC_LIMB_SIZE), + ECC_ADD_THH_ITCH (ECC_LIMB_SIZE), + ECC_DUP_TH_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), + ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH), + + ecc_add_th, + ecc_add_thh, + ecc_dup_th, + ecc_mul_a_eh, + ecc_mul_g_eh, + ecc_eh_to_a, + + ecc_b, /* Edwards curve constant. */ + ecc_unit, + ecc_table +}; diff -Nru nettle-3.4.1/ecc-curve448.c nettle-3.7.3/ecc-curve448.c --- nettle-3.4.1/ecc-curve448.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-curve448.c 2021-06-06 20:06:29.000000000 +0000 
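Review bot: Both `#error Unsupported limb size */` directives in this file (under `#if PHIGH_BITS == 0` and `#if QHIGH_BITS == 0`) carry a stray `*/` that becomes part of the diagnostic text; the intended line is `#error Unsupported limb size`. `ecc_curve25519_zero_p` canonically reduces `xp` in place before testing it, so the argument is clobbered, and the header comment `/* First, do a canonical reduction, then check if zero */` should say so, e.g. `/* Reduces xp in place to canonical form (xp is clobbered), then returns 1 iff it is zero. */`. The `assert (cy < 2)` statements in `ecc_curve25519_modq` check the invariant that the preceding comment derives from the top limb of `B_shifted` being zero, not caller input, so they vanish under NDEBUG without changing the arithmetic; a short comment saying they are invariant checks only would keep a later reader from treating them as input validation.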
@@ -0,0 +1,282 @@ +/* ecc-curve448.c + + Arithmetic and tables for curve448, + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-curve448.h" + +#if HAVE_NATIVE_ecc_curve448_modp +#define ecc_curve448_modp _nettle_ecc_curve448_modp +void +ecc_curve448_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); +#elif GMP_NUMB_BITS == 64 +static void +ecc_curve448_modp(const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) +{ + /* Let B = 2^64, b = 2^32 = sqrt(B). 
+ p = B^7 - b B^3 - 1 ==> B^7 = b B^3 + 1 + + We use this to reduce + + {r_{13}, ..., r_0} = + {r_6,...,r_0} + + {r_{10},...,r_7} + + 2 {r_{13},r_{12}, r_{11}} B^4 + + b {r_{10},...,r_7,r_{13},r_{12},r_{11} (mod p) + + or + + +----+----+----+----+----+----+----+ + |r_6 |r_5 |r_4 |r_3 |r_2 |r_1 |r_0 | + +----+----+----+----+----+----+----+ + |r_10|r_9 |r_8 |r_7 | + +----+----+----+----+----+----+----+ + 2 * |r_13|r_12|r_11| + +----+----+----+----+----+----+----+ + + b * |r_10|r_9 |r_8 |r_7 |r_13|r_12|r_11| + -------+----+----+----+----+----+----+----+ + c_7 |r_6 |r_5 |r_4 |r_3 |r_2 |r_1 |r_0 | + +----+----+----+----+----+----+----+ + */ + mp_limb_t c3, c4, c7; + mp_limb_t *tp = xp + 7; + + c4 = mpn_add_n (xp, xp, xp + 7, 4); + c7 = mpn_addmul_1 (xp + 4, xp + 11, 3, 2); + c3 = mpn_addmul_1 (xp, xp + 11, 3, (mp_limb_t) 1 << 32); + c7 += mpn_addmul_1 (xp + 3, xp + 7, 4, (mp_limb_t) 1 << 32); + tp[0] = c7; + tp[1] = tp[2] = 0; + tp[3] = c3 + (c7 << 32); + tp[4] = c4 + (c7 >> 32) + (tp[3] < c3); + tp[5] = tp[6] = 0; + c7 = mpn_add_n (rp, xp, tp, 7); + c7 = mpn_cnd_add_n (c7, rp, rp, m->B, 7); + assert (c7 == 0); +} +#else +#define ecc_curve448_modp ecc_mod +#endif + +/* Computes a^{(p-3)/4} = a^{2^446-2^222-1} mod m. Needs 4 * n scratch + space. */ +static void +ecc_mod_pow_446m224m1 (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ +/* Note overlap: operations writing to t0 clobber t1. 
*/ +#define t0 scratch +#define t1 (scratch + ECC_LIMB_SIZE) +#define tp (scratch + 2*ECC_LIMB_SIZE) + + /* Set t0 = a^7 */ + ecc_mod_sqr (p, t0, ap, tp); /* a^2 */ + ecc_mod_mul (p, t0, ap, t0, tp); /* a^3 */ + ecc_mod_sqr (p, t0, t0, tp); /* a^6 */ + ecc_mod_mul (p, t0, ap, t0, tp); /* a^{2^3-1} */ + + /* Set t0 = a^{2^18-1} */ + ecc_mod_pow_2kp1 (p, rp, t0, 3, tp); /* a^{2^6-1} */ + ecc_mod_pow_2k (p, rp, rp, 3, tp); /* a^{2^9-2^3} */ + ecc_mod_mul (p, rp, rp, t0, tp); /* a^{2^9-1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 9, tp); /* a^{2^18-1} */ + + /* Set t0 = a^{2^37-1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^19-2} */ + ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^19-1} */ + ecc_mod_pow_2k (p, t1, rp, 18, tp); /* a^{2^37-2^18} */ + ecc_mod_mul (p, t0, t0, t1, tp); /* a^{2^37-1} */ + + /* Set t0 = a^{2^222-1} */ + ecc_mod_pow_2kp1 (p, rp, t0, 37, tp); /* a^{2^74-1} */ + ecc_mod_pow_2k (p, t1, rp, 37, tp); /* a^{2^111-2^37} */ + ecc_mod_mul (p, t1, t1, t0, tp); /* a^{2^111-1} */ + ecc_mod_pow_2kp1 (p, t0, t1, 111, tp);/* a^{2^222-1} */ + + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^223-2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^223-1} */ + ecc_mod_pow_2k (p, t1, rp, 223, tp); /* a^{2^446-2^223} */ + ecc_mod_mul (p, rp, t1, t0, tp); /* a^{2^446-2^222-1} */ +#undef t0 +#undef t1 +#undef tp +} + +#define ECC_CURVE448_INV_ITCH (4*ECC_LIMB_SIZE) + +static void ecc_curve448_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *tp) +{ + ecc_mod_pow_446m224m1 (p, rp, ap, tp);/* a^{2^446-2^222-1} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^447-2^223-2} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^448-2^224-4} */ + ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^448-2^224-3} */ +} + +/* First, do a canonical reduction, then check if zero */ +static int +ecc_curve448_zero_p (const struct ecc_modulo *p, mp_limb_t *xp) +{ + mp_limb_t cy; + mp_limb_t w; + mp_size_t i; + cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE); + mpn_cnd_add_n (cy, xp, xp, p->m, ECC_LIMB_SIZE); 
+ + for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++) + w |= xp[i]; + return w == 0; +} + +/* Compute x such that x^2 = u/v (mod p). Returns one on success, zero + on failure. + + To avoid a separate inversion, we use a trick of djb's, to + compute the candidate root as + + x = (u/v)^{(p+1)/4} = u^3 v (u^5 v^3)^{(p-3)/4}. +*/ + +/* Needs 2*n space + scratch for ecc_mod_pow_446m224m1. */ +#define ECC_CURVE448_SQRT_ITCH (6*ECC_LIMB_SIZE) + +static int +ecc_curve448_sqrt(const struct ecc_modulo *p, mp_limb_t *rp, + const mp_limb_t *up, const mp_limb_t *vp, + mp_limb_t *scratch) +{ +#define uv scratch +#define u3v (scratch + ECC_LIMB_SIZE) +#define u5v3 uv + +#define t0 scratch +#define scratch_out (scratch + 2*ECC_LIMB_SIZE) + /* Live values */ + ecc_mod_mul (p, uv, up, vp, scratch_out); /* uv */ + ecc_mod_sqr (p, u3v, up, scratch_out); /* uv, u3v */ + ecc_mod_mul (p, u3v, u3v, uv, scratch_out); /* uv, u3v */ + + ecc_mod_sqr (p, u5v3, uv, scratch_out); /* u5v3, u3v */ + ecc_mod_mul (p, u5v3, u5v3, u3v, scratch_out);/* u5v3, u3v */ + + ecc_mod_pow_446m224m1 (p, rp, u5v3, scratch_out); /* u3v */ + ecc_mod_mul (p, rp, rp, u3v, scratch_out); + + /* If square root exists, have v x^2 = u */ + ecc_mod_sqr (p, t0, rp, scratch_out); /* x^2 */ + ecc_mod_mul (p, t0, t0, vp, scratch_out); /* v x^2 */ + ecc_mod_sub (p, t0, t0, up); + + return ecc_curve448_zero_p (p, t0); +#undef uv +#undef u3v +#undef u5v3 +#undef t0 +#undef scratch_out +} + +const struct ecc_curve _nettle_curve448 = +{ + { + 448, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + 0, + ECC_CURVE448_INV_ITCH, + ECC_CURVE448_SQRT_ITCH, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + NULL, + ecc_pp1h, + + ecc_curve448_modp, + ecc_curve448_modp, + ecc_curve448_inv, + ecc_curve448_sqrt, + }, + { + 446, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_mod, /* FIXME: Implement optimized mod function */ + ecc_mod, /* FIXME: Implement 
optimized reduce function */ + ecc_mod_inv, + NULL, + }, + + 0, /* No redc */ + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_EH_ITCH (ECC_LIMB_SIZE), + ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE), + ECC_DUP_EH_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), + ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_CURVE448_INV_ITCH), + + ecc_add_eh, + ecc_add_ehh, + ecc_dup_eh, + ecc_mul_a_eh, + ecc_mul_g_eh, + ecc_eh_to_a, + + ecc_b, + ecc_unit, + ecc_table +}; diff -Nru nettle-3.4.1/ecc-curve.h nettle-3.7.3/ecc-curve.h --- nettle-3.4.1/ecc-curve.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-curve.h 2021-06-06 20:06:29.000000000 +0000 @@ -34,6 +34,8 @@ #ifndef NETTLE_ECC_CURVE_H_INCLUDED #define NETTLE_ECC_CURVE_H_INCLUDED +#include "nettle-types.h" + #ifdef __cplusplus extern "C" { #endif 
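Review bot: `ecc_curve448_inv` is written as `static void ecc_curve448_inv (const struct ecc_modulo *p,` on one line, while every other definition in this file and in ecc-curve25519.c puts the return type on its own line; `static void` followed by `ecc_curve448_inv (const struct ecc_modulo *p,` would match. In the 64-bit `ecc_curve448_modp`, `tp` aliases `xp + 7`, so the four `mpn_add_n`/`mpn_addmul_1` calls must all finish reading limbs 7..13 before the `tp[...]` stores overwrite them; that ordering is load-bearing and deserves a comment such as `/* Upper limbs xp[7..13] are fully consumed above, so reuse them as tp. */`. The `assert (c7 == 0)` after the final `mpn_cnd_add_n` documents that one conditional addition suffices; like the asserts in ecc-curve25519.c it is compiled out under NDEBUG, which is fine for an invariant but worth stating in the comment.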
@@ -41,28 +43,13 @@ /* The contents of this struct is internal. */ struct ecc_curve; -/* FIXME: Rename with leading underscore. Due to ABI subtleties, - applications should not refer to these directly, but use the below - accessor functions. */ -extern const struct ecc_curve nettle_secp_192r1; -extern const struct ecc_curve nettle_secp_224r1; -extern const struct ecc_curve nettle_secp_256r1; -extern const struct ecc_curve nettle_secp_384r1; -extern const struct ecc_curve nettle_secp_521r1; - -#ifdef __GNUC__ -#define NETTLE_PURE __attribute__((pure)) -#else -#define NETTLE_PURE -#endif - -const struct ecc_curve * NETTLE_PURE nettle_get_secp_192r1(void); -const struct ecc_curve * NETTLE_PURE nettle_get_secp_224r1(void); -const struct ecc_curve * NETTLE_PURE nettle_get_secp_256r1(void); -const struct ecc_curve * NETTLE_PURE nettle_get_secp_384r1(void); -const struct ecc_curve * NETTLE_PURE nettle_get_secp_521r1(void); - -#undef NETTLE_PURE +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_384r1(void); +const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_521r1(void); #ifdef __cplusplus } diff -Nru nettle-3.4.1/eccdata.c nettle-3.7.3/eccdata.c --- nettle-3.4.1/eccdata.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eccdata.c 2021-06-06 20:06:29.000000000 +0000 @@ -2,7 +2,9 @@ Generate compile time constant (but machine dependent) tables. - Copyright (C) 2013, 2014 Niels Möller + Copyright (C) 2013, 2014, 2017 Niels Möller + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. 
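Review bot: With the `extern const struct ecc_curve nettle_secp_*` declarations gone, the header no longer tells applications how to obtain a curve, and the `nettle_get_*` prototypes stand without any comment. A one-line comment above them, `/* Curve objects are internal; obtain them only through these accessors. */`, would preserve the guidance the removed FIXME carried. Whether existing users of the removed externs are covered elsewhere (NEWS, ABI notes) is outside this diff.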
@@ -53,8 +55,10 @@ { /* y^2 = x^3 - 3x + b (mod p) */ ECC_TYPE_WEIERSTRASS, - /* y^2 = x^3 + b x^2 + x */ - ECC_TYPE_MONTGOMERY + /* x^2 + y^2 = 1 - d x^2 y^2 */ + ECC_TYPE_EDWARDS, + /* -x^2 + y^2 = 1 - d x^2 y^2 */ + ECC_TYPE_TWISTED_EDWARDS, }; struct ecc_curve @@ -73,16 +77,6 @@ mpz_t q; struct ecc_point g; - /* Non-zero if we want elements represented as point s(u, v) on an - equivalent Edwards curve, using - - u = t x / y - v = (x-1) / (x+1) - */ - int use_edwards; - mpz_t d; - mpz_t t; - /* Table for pippenger's algorithm. Element @@ -127,9 +121,11 @@ } static void -ecc_set_zero (struct ecc_point *r) +ecc_set_zero (const struct ecc_curve *ecc, struct ecc_point *r) { r->is_zero = 1; + mpz_set_ui (r->x, 0); + mpz_set_ui (r->y, ecc->type != ECC_TYPE_WEIERSTRASS); } static void @@ -140,13 +136,22 @@ mpz_set (r->y, p->y); } +static void +ecc_add (const struct ecc_curve *ecc, struct ecc_point *r, + const struct ecc_point *p, const struct ecc_point *q); + /* Needs to support in-place operation. */ static void ecc_dup (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p) { + if (ecc->type != ECC_TYPE_WEIERSTRASS) + { + ecc_add (ecc, r, p, p); + return; + } if (ecc_zero_p (p)) - ecc_set_zero (r); + ecc_set_zero (ecc, r); else { 
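Review bot: The new comment on `ECC_TYPE_EDWARDS`, `/* x^2 + y^2 = 1 - d x^2 y^2 */`, does not match the `ECC_TYPE_EDWARDS` branch added to `ecc_add` in the `@@ -208,55 +199,162 @@` hunk, which divides x' by `(1 + t)` and y' by `(1 - t)` with `t = d p_x p_y q_x q_y` — that is the addition law for `x^2 + y^2 = 1 + d x^2 y^2`. The `Untwisted:` block comment inside the twisted branch of the same hunk repeats the `1 - d` form and so also disagrees with that code. Which side is right depends on the sign in which the curve448 constant is stored, which is outside this diff; either change the enum comment to `/* x^2 + y^2 = 1 + d x^2 y^2 */` and the block comment to match, or make the branch mirror the twisted one's denominators.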
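Review bot: `mpz_set_ui (r->y, ecc->type != ECC_TYPE_WEIERSTRASS);` in `ecc_set_zero` encodes the neutral element through a boolean-to-integer conversion, which reads as a trick rather than as the intent. A comment would make it plain, e.g. `/* Neutral element is (0, 1) on (twisted) Edwards curves; Weierstrass relies on is_zero only. */`, matching the `(0, 1)` test that `ecc_add` uses to set `r->is_zero`.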
@@ -161,32 +166,18 @@ mpz_mul_ui (m, p->y, 2); mpz_invert (m, m, ecc->p); - switch (ecc->type) - { - case ECC_TYPE_WEIERSTRASS: - /* t = 3 (x^2 - 1) * m */ - mpz_mul (t, p->x, p->x); - mpz_mod (t, t, ecc->p); - mpz_sub_ui (t, t, 1); - mpz_mul_ui (t, t, 3); - break; - case ECC_TYPE_MONTGOMERY: - /* t = (3 x^2 + 2 b x + 1) m = [x(3x+2b)+1] m */ - mpz_mul_ui (t, ecc->b, 2); - mpz_addmul_ui (t, p->x, 3); - mpz_mul (t, t, p->x); - mpz_mod (t, t, ecc->p); - mpz_add_ui (t, t, 1); - break; - } + /* t = 3 (x^2 - 1) * m */ + mpz_mul (t, p->x, p->x); + mpz_mod (t, t, ecc->p); + mpz_sub_ui (t, t, 1); + mpz_mul_ui (t, t, 3); + mpz_mul (t, t, m); mpz_mod (t, t, ecc->p); /* x' = t^2 - 2 x */ mpz_mul (x, t, t); mpz_submul_ui (x, p->x, 2); - if (ecc->type == ECC_TYPE_MONTGOMERY) - mpz_sub (x, x, ecc->b); mpz_mod (x, x, ecc->p); 
@@ -208,55 +199,162 @@ } static void -ecc_add (const struct ecc_curve *ecc, - struct ecc_point *r, const struct ecc_point *p, const struct ecc_point *q) +ecc_add (const struct ecc_curve *ecc, struct ecc_point *r, + const struct ecc_point *p, const struct ecc_point *q) { - if (ecc_zero_p (p)) - ecc_set (r, q); + if (ecc->type == ECC_TYPE_WEIERSTRASS) + { + if (ecc_zero_p (p)) + ecc_set (r, q); - else if (ecc_zero_p (q)) - ecc_set (r, p); + else if (ecc_zero_p (q)) + ecc_set (r, p); - else if (mpz_cmp (p->x, q->x) == 0) - { - if (mpz_cmp (p->y, q->y) == 0) - ecc_dup (ecc, r, p); + else if (mpz_cmp (p->x, q->x) == 0) + { + if (mpz_cmp (p->y, q->y) == 0) + ecc_dup (ecc, r, p); + else + ecc_set_zero (ecc, r); + } else - ecc_set_zero (r); + { + mpz_t s, t, x, y; + mpz_init (s); + mpz_init (t); + mpz_init (x); + mpz_init (y); + + /* t = (q_y - p_y) / (q_x - p_x) */ + mpz_sub (t, q->x, p->x); + mpz_invert (t, t, ecc->p); + mpz_sub (s, q->y, p->y); + mpz_mul (t, t, s); + mpz_mod (t, t, ecc->p); + + /* x' = t^2 - p_x - q_x */ + mpz_mul (x, t, t); + mpz_sub (x, x, p->x); + mpz_sub (x, x, q->x); + mpz_mod (x, x, ecc->p); + + /* y' = (x - x') * t - y */ + mpz_sub (y, p->x, x); + mpz_mul (y, y, t); + mpz_sub (y, y, p->y); + mpz_mod (y, y, ecc->p); + + r->is_zero = 0; + mpz_swap (x, r->x); + mpz_swap (y, r->y); + + mpz_clear (s); + mpz_clear (t); + mpz_clear (x); + mpz_clear (y); + } + } + else if (ecc->type == ECC_TYPE_EDWARDS) + { + mpz_t s, t, x, y; + mpz_init (s); + mpz_init (t); + mpz_init (x); + mpz_init (y); + + /* t = d p_x p_y q_x q_y */ + mpz_mul (t, ecc->b, p->x); + mpz_mod (t, t, ecc->p); + mpz_mul (t, t, p->y); + mpz_mod (t, t, ecc->p); + mpz_mul (t, t, q->x); + mpz_mod (t, t, ecc->p); + mpz_mul (t, t, q->y); + mpz_mod (t, t, ecc->p); + + /* x' = (p_x q_y + q_x p_y) / (1 + t) */ + mpz_mul (x, p->x, q->y); + mpz_mod (x, x, ecc->p); + mpz_addmul (x, q->x, p->y); + mpz_mod (x, x, ecc->p); + mpz_add_ui (s, t, 1); + mpz_invert (s, s, ecc->p); + mpz_mul (x, x, s); + 
mpz_mod (x, x, ecc->p); + + /* y' = (p_y q_y - p_x q_x) / (1 - t) */ + mpz_mul (y, p->y, q->y); + mpz_mod (y, y, ecc->p); + mpz_submul (y, p->x, q->x); + mpz_mod (y, y, ecc->p); + mpz_set_ui (s, 1); + mpz_sub (s, s, t); + mpz_invert (s, s, ecc->p); + mpz_mul (y, y, s); + mpz_mod (y, y, ecc->p); + + mpz_swap (x, r->x); + mpz_swap (y, r->y); + r->is_zero = mpz_cmp_ui (r->x, 0) == 0 && mpz_cmp_ui (r->y, 1) == 0; + + mpz_clear (s); + mpz_clear (t); + mpz_clear (x); + mpz_clear (y); } else { + /* Untwisted: + x = (p_x q_y + p_y q_x) / (1 - d p_x p_y q_x q_y) + y = (p_y q_y - p_x q_x) / (1 + d p_x p_y q_x q_y) + + Twisted: + x = (p_x q_y + p_y q_x) / (1 - d p_x p_y q_x q_y) + y = (p_y q_y + p_x q_x) / (1 + d p_x p_y q_x q_y) + + So they differ only by a sign in the expression for the new y + coordinate. + */ + mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); - /* t = (q_y - p_y) / (q_x - p_x) */ - mpz_sub (t, q->x, p->x); - mpz_invert (t, t, ecc->p); - mpz_sub (s, q->y, p->y); - mpz_mul (t, t, s); + /* t = d p_x p_y q_x q_y */ + mpz_mul (t, ecc->b, p->x); + mpz_mod (t, t, ecc->p); + mpz_mul (t, t, p->y); + mpz_mod (t, t, ecc->p); + mpz_mul (t, t, q->x); + mpz_mod (t, t, ecc->p); + mpz_mul (t, t, q->y); mpz_mod (t, t, ecc->p); - /* x' = t^2 - p_x - q_x */ - mpz_mul (x, t, t); - mpz_sub (x, x, p->x); - mpz_sub (x, x, q->x); - /* This appears to be the only difference between formulas. 
*/ - if (ecc->type == ECC_TYPE_MONTGOMERY) - mpz_sub (x, x, ecc->b); + /* x' = (p_x q_y + q_x p_y) / (1 - t) */ + mpz_mul (x, p->x, q->y); + mpz_mod (x, x, ecc->p); + mpz_addmul (x, q->x, p->y); + mpz_mod (x, x, ecc->p); + mpz_ui_sub (s, 1, t); + mpz_invert (s, s, ecc->p); + mpz_mul (x, x, s); mpz_mod (x, x, ecc->p); - /* y' = (x - x') * t - y */ - mpz_sub (y, p->x, x); - mpz_mul (y, y, t); - mpz_sub (y, y, p->y); + /* y' = (p_y q_y - p_x q_x) / (1 + t) */ + mpz_mul (y, p->y, q->y); + mpz_mod (y, y, ecc->p); + mpz_addmul (y, p->x, q->x); + mpz_mod (y, y, ecc->p); + mpz_add_ui (s, t, 1); + mpz_invert (s, s, ecc->p); + mpz_mul (y, y, s); mpz_mod (y, y, ecc->p); - r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); + r->is_zero = (mpz_cmp_ui (r->x, 0) == 0 && mpz_cmp_ui (r->y, 1) == 0); mpz_clear (s); mpz_clear (t); @@ -316,8 +414,7 @@ static void ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type, const char *p, const char *b, const char *q, - const char *gx, const char *gy, - const char *d, const char *t) + const char *gx, const char *gy) { ecc->type = type; @@ -332,24 +429,13 @@ ecc->table = NULL; ecc->ref = NULL; - - mpz_init (ecc->d); - mpz_init (ecc->t); - - ecc->use_edwards = (t != NULL); - if (ecc->use_edwards) - { - mpz_set_str (ecc->t, t, 16); - mpz_set_str (ecc->d, d, 16); - } } static void -ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) +ecc_curve_init (struct ecc_curve *ecc, const char *curve) { - switch (bit_size) + if (!strcmp (curve, "secp192r1")) { - case 192: ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{192} - 2^{64} - 1 */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" @@ -365,8 +451,7 @@ "f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd5" - "73f977a11e794811", - NULL, NULL); + "73f977a11e794811"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "dafebf5828783f2ad35534631588a3f629a70fb16982a888", 
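Review bot: In the twisted-Edwards branch of `ecc_add`, the inline comment `/* y' = (p_y q_y - p_x q_x) / (1 + t) */` has the wrong sign: the code that follows uses `mpz_addmul (y, p->x, q->x)`, i.e. a sum, and the `Twisted:` block comment above it also gives `p_y q_y + p_x q_x`; the comment should read `/* y' = (p_y q_y + p_x q_x) / (1 + t) */`. The two Edwards branches also compute `1 - t` differently — `mpz_set_ui (s, 1); mpz_sub (s, s, t);` in the `ECC_TYPE_EDWARDS` branch versus `mpz_ui_sub (s, 1, t);` in the twisted one — and one form should be used for both so the branches read as the near-duplicates they are.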
@@ -380,8 +465,9 @@ "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32"); - break; - case 224: + } + else if (!strcmp (curve, "secp224r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{224} - 2^{96} + 1 */ "ffffffffffffffffffffffffffffffff" @@ -397,8 +483,7 @@ "56c21122343280d6115c1d21", "bd376388b5f723fb4c22dfe6cd4375a0" - "5a07476444d5819985007e34", - NULL, NULL); + "5a07476444d5819985007e34"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ @@ -413,8 +498,9 @@ "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9"); - break; - case 256: + } + else if (!strcmp (curve, "secp256r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */ "FFFFFFFF000000010000000000000000" @@ -430,8 +516,7 @@ "77037D812DEB33A0F4A13945D898C296", "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" - "2BCE33576B315ECECBB6406837BF51F5", - NULL, NULL); + "2BCE33576B315ECECBB6406837BF51F5"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ @@ -446,8 +531,9 @@ "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6"); - break; - case 384: + } + else if (!strcmp (curve, "secp384r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 */ "ffffffffffffffffffffffffffffffff" @@ -468,8 +554,7 @@ "3617de4a96262c6f5d9e98bf9292dc29" "f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f", - NULL, NULL); + "0a60b1ce1d7e819d7a431d7c90ea0e5f"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ 
@@ -484,8 +569,9 @@ "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dced7387be37bba569549f1c02b270ed67"); - break; - case 521: + } + else if (!strcmp (curve, "secp521r1")) + { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "1ff" /* p = 2^{521} - 1 */ "ffffffffffffffffffffffffffffffff" @@ -515,8 +601,7 @@ "39296a789a3bc0045c8a5fb42c7d1bd9" "98f54449579b446817afbd17273e662c" "97ee72995ef42640c550b9013fad0761" - "353c7086a272c24088be94769fd16650", - NULL, NULL); + "353c7086a272c24088be94769fd16650"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ @@ -531,8 +616,9 @@ "35b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f279f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d"); - break; - case 255: + } + else if (!strcmp (curve, "curve25519")) + { /* curve25519, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^{255} - 19. According to http://cr.yp.to/papers.html#newelliptic, this 
@@ -540,102 +626,284 @@ x^2 + y^2 = 1 + (121665/121666) x^2 y^2 (mod p). - And since the constant is not a square, the Edwards formulas - should be "complete", with no special cases needed for - doubling, neutral element, negatives, etc. + -x^2 + y^2 = 1 - (121665/121666) x^2 y^2, with p = 2^{255} - 19. - Generator is x = 9, with y coordinate - 14781619447589544791020593568409986887264606134616475288964881837755586237401, - according to + The generator is + x = 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a + y = 0x6666666666666666666666666666666666666666666666666666666666666658 - x = Mod(9, 2^255-19); sqrt(x^3 + 486662*x^2 + x) + Also birationally equivalent to the curve25519 Montgomery curve, - in PARI/GP. Also, in PARI notation, - - curve25519 = Mod([0, 486662, 0, 1, 0], 2^255-19) - */ - ecc_curve_init_str (ecc, ECC_TYPE_MONTGOMERY, + y^2 = x^3 + 486662 x^2 + x (mod p) + */ + ecc_curve_init_str (ecc, ECC_TYPE_TWISTED_EDWARDS, "7fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffed", - "76d06", + /* (121665/121666) mod p, from PARI/GP + c = Mod(121665, p); c / (c+1) + */ + "2dfc9311d490018c7338bf8688861767" + "ff8ff5b2bebe27548a14b235eca6874a", /* Order of the subgroup is 2^252 + q_0, where q_0 = 27742317777372353535851937790883648493, 125 bits. 
*/ "10000000000000000000000000000000" "14def9dea2f79cd65812631a5cf5d3ed", - "9", - /* y coordinate from PARI/GP - x = Mod(9, 2^255-19); sqrt(x^3 + 486662*x^2 + x) + /* Generator */ + "216936d3cd6e53fec0a4e231fdd6dc5c" + "692cc7609525a7b2c9562d608f25d51a", + "66666666666666666666666666666666" + "66666666666666666666666666666658"); + + ecc->ref = ecc_alloc (3); + ecc_set_str (&ecc->ref[0], /* 2 g */ + "36ab384c9f5a046c3d043b7d1833e7ac" + "080d8e4515d7a45f83c5a14e2843ce0e", + "2260cdf3092329c21da25ee8c9a21f56" + "97390f51643851560e5f46ae6af8a3c9"); + ecc_set_str (&ecc->ref[1], /* 3 g */ + "67ae9c4a22928f491ff4ae743edac83a" + "6343981981624886ac62485fd3f8e25c", + "1267b1d177ee69aba126a18e60269ef7" + "9f16ec176724030402c3684878f5b4d4"); + + ecc_set_str (&ecc->ref[2], /* 4 g */ + "203da8db56cff1468325d4b87a3520f9" + "1a739ec193ce1547493aa657c4c9f870", + "47d0e827cb1595e1470eb88580d5716c" + "4cf22832ea2f0ff0df38ab61ca32112f"); + } + else if (!strcmp (curve, "gost_gc256b")) + { + ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + "ffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffd97", + + "00000000000000000000000000000000" + "000000000000000000000000000000a6", + + "ffffffffffffffffffffffffffffffff" + "6c611070995ad10045841b09b761b893", + + "00000000000000000000000000000000" + "00000000000000000000000000000001", + + "8d91e471e0989cda27df505a453f2b76" + "35294f2ddf23e3b122acc99c9e9f1e14"); + + ecc->ref = ecc_alloc (3); + ecc_set_str (&ecc->ref[0], /* 2 g */ + "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd95", + "726e1b8e1f676325d820afa5bac0d489cad6b0d220dc1c4edd5336636160df83"); + + ecc_set_str (&ecc->ref[1], /* 3 g */ + "8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38d2c", + "76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51"); + + ecc_set_str (&ecc->ref[2], /* 4 g */ + "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", + "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741"); + + } + 
else if (!strcmp (curve, "gost_gc512a")) + { + ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffffffffdc7", + "e8c2505dedfc86ddc1bd0b2b6667f1da" + "34b82574761cb0e879bd081cfd0b6265" + "ee3cb090f30d27614cb4574010da90dd" + "862ef9d4ebee4761503190785a71c760", + "ffffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffffffffff" + "27e69532f48d89116ff22b8d4e056060" + "9b4b38abfad2b85dcacdb1411f10b275", + "00000000000000000000000000000000" + "00000000000000000000000000000000" + "00000000000000000000000000000000" + "00000000000000000000000000000003", + "7503cfe87a836ae3a61b8816e25450e6" + "ce5e1c93acf1abc1778064fdcbefa921" + "df1626be4fd036e93d75e6a50e3a41e9" + "8028fe5fc235f5b889a589cb5215f2a4"); + + ecc->ref = ecc_alloc (3); + ecc_set_str (&ecc->ref[0], /* 2 g */ + "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", + "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051"); + + ecc_set_str (&ecc->ref[1], /* 3 g */ + "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba543d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", + "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb311d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6"); + + ecc_set_str (&ecc->ref[2], /* 4 g */ + "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef257452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", + "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929"); + + } + else if (!strcmp (curve, "curve448")) + { + /* curve448, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^{448} - 2^{224} - 1. 
+ + According to RFC 7748, this is 4-isogenious to the Edwards + curve called "edwards448" + + x^2 + y^2 = 1 - 39081 x^2 y^2 (mod p). + + And since the constant is not a square, the Edwards formulas + should be "complete", with no special cases needed for + doubling, neutral element, negatives, etc. + + Generator is x = 5, with y coordinate + 355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362, + according to + + x = Mod(5, 2^448-2^224-1); sqrt(x^3 + 156326*x^2 + x) + + in PARI/GP. Also, in PARI notation, + + curve448 = Mod([0, 156326, 0, 1, 0], 2^448-2^224-1) + */ + ecc_curve_init_str (ecc, ECC_TYPE_EDWARDS, + "fffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffeffffff" + "fffffffffffffffffffffffffffffff" + "fffffffffffffffffff", + /* -39081 mod p, from PARI/GP + c = Mod(-39081, p) */ - "20ae19a1b8a086b4e01edd2c7748d14c" - "923d4d7e6d7c61b229e9c5a27eced3d9", - /* (121665/121666) mod p, from PARI/GP - c = Mod(121665, p); c / (c+1) + "fffffffffffffffffffffffffffffff" + "ffffffffffffffffffffffffeffffff" + "fffffffffffffffffffffffffffffff" + "fffffffffffffff6756", + /* Order of the subgroup is 2^446 - q_0, where + q_0 = 13818066809895115352007386748515426880336692474882178609894547503885, + 224 bits. */ - "2dfc9311d490018c7338bf8688861767" - "ff8ff5b2bebe27548a14b235eca6874a", - /* A square root of -486664 mod p, PARI/GP - -sqrt(Mod(-486664, p)) in PARI/GP. - - Sign is important to map to the right - generator on the twisted edwards curve - used for EdDSA. 
*/ - "70d9120b9f5ff9442d84f723fc03b081" - "3a5e2c2eb482e57d3391fb5500ba81e7" - ); + "3ffffffffffffffffffffffffffffff" + "fffffffffffffffffffffffff7cca23" + "e9c44edb49aed63690216cc2728dc58" + "f552378c292ab5844f3", + "4f1970c66bed0ded221d15a622bf36d" + "a9e146570470f1767ea6de324a3d3a4" + "6412ae1af72ab66511433b80e18b009" + "38e2626a82bc70cc05e", + "693f46716eb6bc248876203756c9c76" + "24bea73736ca3984087789c1e05a0c2" + "d73ad3ff1ce67c39c4fdbd132c4ed7c" + "8ad9808795bf230fa14"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ - "20d342d51873f1b7d9750c687d157114" - "8f3f5ced1e350b5c5cae469cdd684efb", - "13b57e011700e8ae050a00945d2ba2f3" - "77659eb28d8d391ebcd70465c72df563"); + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + "aaaaaaaaaaaaaaaaaaaaaaa955555555" + "55555555555555555555555555555555" + "5555555555555555", + "ae05e9634ad7048db359d6205086c2b0" + "036ed7a035884dd7b7e36d728ad8c4b8" + "0d6565833a2a3098bbbcb2bed1cda06b" + "daeafbcdea9386ed"); ecc_set_str (&ecc->ref[1], /* 3 g */ - "1c12bc1a6d57abe645534d91c21bba64" - "f8824e67621c0859c00a03affb713c12", - "2986855cbe387eaeaceea446532c338c" - "536af570f71ef7cf75c665019c41222b"); + "865886b9108af6455bd64316cb694333" + "2241b8b8cda82c7e2ba077a4a3fcfe8d" + "aa9cbf7f6271fd6e862b769465da8575" + "728173286ff2f8f", + "e005a8dbd5125cf706cbda7ad43aa644" + "9a4a8d952356c3b9fce43c82ec4e1d58" + "bb3a331bdb6767f0bffa9a68fed02daf" + "b822ac13588ed6fc"); ecc_set_str (&ecc->ref[2], /* 4 g */ - "79ce98b7e0689d7de7d1d074a15b315f" - "fe1805dfcd5d2a230fee85e4550013ef", - "75af5bf4ebdc75c8fe26873427d275d7" - "3c0fb13da361077a565539f46de1c30"); - - break; - - default: - fprintf (stderr, "No known curve for size %d\n", bit_size); - exit(EXIT_FAILURE); + "49dcbc5c6c0cce2c1419a17226f929ea" + "255a09cf4e0891c693fda4be70c74cc3" + "01b7bdf1515dd8ba21aee1798949e120" + "e2ce42ac48ba7f30", + "d49077e4accde527164b33a5de021b97" + "9cb7c02f0457d845c90dc3227b8a5bc1" + "c0d8f97ea1ca9472b5d444285d0d4f5b" + "32e236f86de51839"); + } + else + { + 
fprintf (stderr, "No known curve with name %s\n", curve); + exit(EXIT_FAILURE); } - ecc->bit_size = bit_size; + ecc->bit_size = mpz_sizeinbase (ecc->p, 2); } static void -ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c) +ecc_curve_clear (struct ecc_curve *ecc) { - unsigned p = (ecc->bit_size + k-1) / k; + mpz_clear (ecc->p); + mpz_clear (ecc->b); + mpz_clear (ecc->q); + ecc_clear (&ecc->g); + if (ecc->table) + { + size_t i; + for (i = 0; i < ecc->table_size; i++) + ecc_clear (&ecc->table[i]); + free (ecc->table); + } + if (ecc->ref) + { + size_t i; + for (i = 0; i < 3; i++) + ecc_clear (&ecc->ref[i]); + free (ecc->ref); + } +} + +static unsigned +ecc_table_size(unsigned bits, unsigned k, unsigned c) +{ + unsigned p = (bits + k-1) / k; unsigned M = (p + c-1)/c; + return M; +} + +static void +ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c) +{ + unsigned M = ecc_table_size (ecc->bit_size, k, c); unsigned i, j; + if (M < 2) + { + fprintf (stderr, "Invalid parameters, implies M = %u\n", M); + exit (EXIT_FAILURE); + } + + if (M == ecc_table_size (ecc->bit_size, k-1, c)) + fprintf(stderr, + "warn: Parameters k = %u, c = %d are suboptimal, could use smaller k\n", + k, c); + ecc->pippenger_k = k; ecc->pippenger_c = c; ecc->table_size = M << c; + assert (ecc->table_size >= 2); ecc->table = ecc_alloc (ecc->table_size); - + /* Compute the first 2^c entries */ - ecc_set_zero (&ecc->table[0]); + ecc_set_zero (ecc, &ecc->table[0]); ecc_set (&ecc->table[1], &ecc->g); for (j = 2; j < (1U<table_size); ecc_dup (ecc, &ecc->table[j], &ecc->table[j/2]); for (i = 1; i < k; i++) ecc_dup (ecc, &ecc->table[j], &ecc->table[j]); for (i = 1; i < j; i++) - ecc_add (ecc, &ecc->table[j + i], &ecc->table[j], &ecc->table[i]); + { + assert (j + i < ecc->table_size); + ecc_add (ecc, &ecc->table[j + i], &ecc->table[j], &ecc->table[i]); + } } for (j = 1<table_size; j++) { 
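Review bot: In ecc_pippenger_precompute, `ecc_table_size (ecc->bit_size, k, c)` divides by k and `ecc->table_size = M << c` shifts by c, but neither parameter is validated before use: k = 0 divides by zero, the "suboptimal" check `ecc_table_size (ecc->bit_size, k-1, c)` divides by zero for k = 1, and a c at or beyond the width of unsigned is an undefined shift. Both values come straight from `atoi(argv[2])` / `atoi(argv[3])` in main (hunk @@ -1152 on this page), where a non-numeric or negative argument silently becomes 0 or a huge unsigned. A guard ahead of the first call, `if (k == 0 || c == 0 || c >= 32) { fprintf (stderr, "Invalid parameters k = %u, c = %u\n", k, c); exit (EXIT_FAILURE); }`, plus `k > 1 &&` in front of the suboptimality comparison, closes all three, and the existing warning should print c with `%u` rather than `%d` since c is unsigned. The function's trailing loop continues past the end of the hunk.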
@@ -658,7 +926,7 @@ mpz_init (n); mpz_mod (n, n_input, ecc->q); - ecc_set_zero (r); + ecc_set_zero (ecc, r); k = ecc->pippenger_k; c = ecc->pippenger_c; @@ -843,7 +1111,7 @@ } static void -output_point (const char *name, const struct ecc_curve *ecc, +output_point (const struct ecc_curve *ecc, const struct ecc_point *p, int use_redc, unsigned size, unsigned bits_per_limb) { @@ -853,41 +1121,9 @@ mpz_init (y); mpz_init (t); - if (name) - printf("static const mp_limb_t %s[%u] = {", name, 2*size); + mpz_set (x, p->x); + mpz_set (y, p->y); - if (ecc->use_edwards) - { - if (ecc_zero_p (p)) - { - mpz_set_si (x, 0); - mpz_set_si (y, 1); - } - else if (!mpz_sgn (p->y)) - { - assert (!mpz_sgn (p->x)); - mpz_set_si (x, 0); - mpz_set_si (y, -1); - } - else - { - mpz_invert (x, p->y, ecc->p); - mpz_mul (x, x, p->x); - mpz_mul (x, x, ecc->t); - mpz_mod (x, x, ecc->p); - - mpz_sub_ui (y, p->x, 1); - mpz_add_ui (t, p->x, 1); - mpz_invert (t, t, ecc->p); - mpz_mul (y, y, t); - mpz_mod (y, y, ecc->p); - } - } - else - { - mpz_set (x, p->x); - mpz_set (y, p->y); - } if (use_redc) { mpz_mul_2exp (x, x, size * bits_per_limb); @@ -899,9 +1135,6 @@ output_digits (x, size, bits_per_limb); output_digits (y, size, bits_per_limb); - if (name) - printf("\n};\n"); - mpz_clear (x); mpz_clear (y); mpz_clear (t); @@ -945,10 +1178,7 @@ output_bignum ("ecc_p", ecc->p, limb_size, bits_per_limb); output_bignum ("ecc_b", ecc->b, limb_size, bits_per_limb); - if (ecc->use_edwards) - output_bignum ("ecc_d", ecc->d, limb_size, bits_per_limb); output_bignum ("ecc_q", ecc->q, limb_size, bits_per_limb); - output_point ("ecc_g", ecc, &ecc->g, 0, limb_size, bits_per_limb); bits = output_modulo ("ecc_Bmodp", ecc->p, limb_size, bits_per_limb); printf ("#define ECC_BMODP_SIZE %u\n", 
@@ -1036,9 +1266,6 @@ mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_qp1h", t, limb_size, bits_per_limb); - if (ecc->use_edwards) - output_bignum ("ecc_edwards", ecc->t, limb_size, bits_per_limb); - /* Trailing zeros in p+1 correspond to trailing ones in p. */ redc_limbs = mpz_scan0 (ecc->p, 0) / bits_per_limb; if (redc_limbs > 0) @@ -1125,19 +1352,19 @@ printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) - output_point (NULL, ecc, &ecc->table[i], 1, limb_size, bits_per_limb); + output_point (ecc, &ecc->table[i], 1, limb_size, bits_per_limb); printf("\n};\n"); printf ("#else\n"); - mpz_init_set_ui (t, 1); + mpz_set_ui (t, 1); output_bignum ("ecc_unit", t, limb_size, bits_per_limb); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) - output_point (NULL, ecc, &ecc->table[i], 0, limb_size, bits_per_limb); + output_point (ecc, &ecc->table[i], 0, limb_size, bits_per_limb); printf("\n};\n"); printf ("#endif\n"); @@ -1152,11 +1379,11 @@ if (argc < 4) { - fprintf (stderr, "Usage: %s CURVE-BITS K C [BITS-PER-LIMB]\n", argv[0]); + fprintf (stderr, "Usage: %s CURVE K C [BITS-PER-LIMB]\n", argv[0]); return EXIT_FAILURE; } - ecc_curve_init (&ecc, atoi(argv[1])); + ecc_curve_init (&ecc, argv[1]); ecc_pippenger_precompute (&ecc, atoi(argv[2]), atoi(argv[3])); @@ -1168,5 +1395,6 @@ if (argc > 4) output_curve (&ecc, atoi(argv[4])); + ecc_curve_clear (&ecc); return EXIT_SUCCESS; } diff -Nru nettle-3.4.1/ecc-dup-eh.c nettle-3.7.3/ecc-dup-eh.c --- nettle-3.4.1/ecc-dup-eh.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-dup-eh.c 2021-06-06 20:06:29.000000000 +0000 
@@ -42,11 +42,19 @@ mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { +#define x1 p +#define y1 (p + ecc->p.size) +#define z1 (p + 2*ecc->p.size) + +#define x2 r +#define y2 (r + ecc->p.size) +#define z2 (r + 2*ecc->p.size) + /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): Computation Operation Live variables - + b = (x+y)^2 sqr b c = x^2 sqr b, c d = y^2 sqr b, c, d 
@@ -56,50 +64,31 @@ x' = (b-e)*j mul c, d, e, j y' = e*(c-d) mul e, j z' = e*j mul - - But for the twisted curve, we need some sign changes. - - b = (x+y)^2 sqr b - c = x^2 sqr b, c - d = y^2 sqr b, c, d - ! e = -c+d b, c, d, e - h = z^2 sqr b, c, d, e, h - ! j = -e+2*h b, c, d, e, j - ! x' = (b-c-d)*j mul c, d, e, j - ! y' = e*(c+d) mul e, j - z' = e*j mul */ -#define b scratch -#define c (scratch + ecc->p.size) -#define d (scratch + 2*ecc->p.size) -#define e (scratch + 3*ecc->p.size) -#define j (scratch + 4*ecc->p.size) - - /* b */ - ecc_modp_add (ecc, e, p, p + ecc->p.size); - ecc_modp_sqr (ecc, b, e); - - /* c */ - ecc_modp_sqr (ecc, c, p); - /* d */ - ecc_modp_sqr (ecc, d, p + ecc->p.size); - /* h, can use r as scratch, even for in-place operation. */ - ecc_modp_sqr (ecc, r, p + 2*ecc->p.size); - /* e, */ - ecc_modp_sub (ecc, e, d, c); - /* b - c - d */ - ecc_modp_sub (ecc, b, b, c); - ecc_modp_sub (ecc, b, b, d); - /* j */ - ecc_modp_add (ecc, r, r, r); - ecc_modp_sub (ecc, j, r, e); - - /* x' */ - ecc_modp_mul (ecc, r, b, j); - /* y' */ - ecc_modp_add (ecc, c, c, d); /* Redundant */ - ecc_modp_mul (ecc, r + ecc->p.size, e, c); - /* z' */ - ecc_modp_mul (ecc, b, e, j); - mpn_copyi (r + 2*ecc->p.size, b, ecc->p.size); +#define C scratch +#define D (scratch + 1*ecc->p.size) +#define B (scratch + 2*ecc->p.size) + +#define E C + + ecc_mod_sqr (&ecc->p, C, x1, C); /* C */ + ecc_mod_sqr (&ecc->p, D, y1, D); /* C, D */ + ecc_mod_add (&ecc->p, B, x1, y1); + ecc_mod_sqr (&ecc->p, B, B, x2); /* C, D, B */ + + /* c-d stored at y' */ + ecc_mod_sub (&ecc->p, y2, C, D); + ecc_mod_add (&ecc->p, E, C, D); /* B, E */ + /* b-e stored at x' */ + ecc_mod_sub (&ecc->p, x2, B, E); /* E */ + + /* Use D as scratch for the following multiplies. 
*/ + ecc_mod_mul (&ecc->p, y2, y2, E, D); + + /* h and j stored at z' */ + ecc_mod_sqr (&ecc->p, z2, z1, D); + ecc_mod_add (&ecc->p, z2, z2, z2); + ecc_mod_sub (&ecc->p, z2, E, z2); + ecc_mod_mul (&ecc->p, x2, x2, z2, D); + ecc_mod_mul (&ecc->p, z2, z2, E, D); } diff -Nru nettle-3.4.1/ecc-dup-jj.c nettle-3.7.3/ecc-dup-jj.c --- nettle-3.4.1/ecc-dup-jj.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-dup-jj.c 2021-06-06 20:06:29.000000000 +0000 @@ -47,6 +47,14 @@ mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { +#define x1 p +#define y1 (p + ecc->p.size) +#define z1 (p + 2*ecc->p.size) + +#define x2 r +#define y2 (r + ecc->p.size) +#define z2 (r + 2*ecc->p.size) + /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): 
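Review bot: The new body of ecc_dup_eh ends without `#undef`ing the names it introduces (`x1`, `y1`, `z1`, `x2`, `y2`, `z2` from the previous hunk and `C`, `D`, `B`, `E` here), so they stay defined for the rest of the translation unit; the same holds for ecc_dup_jj (`gamma`, `delta`, `alpha`, `beta`, `sum`) and the new ecc_dup_th (`C`, `D`, `B`, `F`). A block of `#undef` lines before the closing brace, as ecc-ecdsa-sign.c already does for `P`, `hp` and `kinv`, keeps any later definition in the same file from silently picking up `C` or `B` as a pointer expression. The single-letter names are the ones most likely to collide.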
@@ -60,51 +68,37 @@ y' = alpha*(4*beta-x')-8*gamma^2 mul, sqr */ -#define delta scratch -#define gamma (scratch + ecc->p.size) -#define beta (scratch + 2*ecc->p.size) -#define g2 (scratch + 3*ecc->p.size) -#define sum (scratch + 4*ecc->p.size) -#define alpha scratch /* Overlap delta */ - -#define xp p -#define yp (p + ecc->p.size) -#define zp (p + 2*ecc->p.size) - - /* delta */ - ecc_modp_sqr (ecc, delta, zp); - - /* gamma */ - ecc_modp_sqr (ecc, gamma, yp); - - /* z'. Can use beta area as scratch. */ - ecc_modp_add (ecc, r + 2*ecc->p.size, yp, zp); - ecc_modp_sqr (ecc, beta, r + 2*ecc->p.size); - ecc_modp_sub (ecc, beta, beta, gamma); - ecc_modp_sub (ecc, r + 2*ecc->p.size, beta, delta); - - /* alpha. Can use beta area as scratch, and overwrite delta. */ - ecc_modp_add (ecc, sum, xp, delta); - ecc_modp_sub (ecc, delta, xp, delta); - ecc_modp_mul (ecc, beta, sum, delta); - ecc_modp_mul_1 (ecc, alpha, beta, 3); - - /* beta */ - ecc_modp_mul (ecc, beta, xp, gamma); - - /* Do gamma^2 and 4*beta early, to get them out of the way. We can - then use the old area at gamma as scratch. 
*/ - ecc_modp_sqr (ecc, g2, gamma); - ecc_modp_mul_1 (ecc, sum, beta, 4); - - /* x' */ - ecc_modp_sqr (ecc, gamma, alpha); /* Overwrites gamma and beta */ - ecc_modp_submul_1 (ecc, gamma, sum, 2); - mpn_copyi (r, gamma, ecc->p.size); - - /* y' */ - ecc_modp_sub (ecc, sum, sum, r); - ecc_modp_mul (ecc, gamma, sum, alpha); - ecc_modp_submul_1 (ecc, gamma, g2, 8); - mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); +#define gamma scratch +#define delta (scratch + ecc->p.size) +#define alpha delta + +#define beta (scratch + 2*ecc->p.size) +#define sum (scratch + 3*ecc->p.size) + + ecc_mod_sqr (&ecc->p, gamma, y1, gamma); /* x, y, z, gamma */ + ecc_mod_sqr (&ecc->p, delta, z1, delta); /* x, y, z, gamma, delta */ + + ecc_mod_add (&ecc->p, sum, z1, y1); /* x, gamma, delta, s */ + ecc_mod_sqr (&ecc->p, sum, sum, y2); /* Can use y-z as scratch */ + ecc_mod_sub (&ecc->p, z2, sum, delta); /* x, z, gamma, delta */ + ecc_mod_sub (&ecc->p, z2, z2, gamma); + + ecc_mod_mul (&ecc->p, beta, x1, gamma, beta); /* x, z, gamma, delta, beta */ + + ecc_mod_add (&ecc->p, sum, x1, delta); /* x, sum, z', gamma, delta, beta */ + ecc_mod_sub (&ecc->p, delta, x1, delta); /* sum, z', gamma, delta, beta */ + /* This multiplication peaks the storage need; can use x-y for scratch. */ + ecc_mod_mul (&ecc->p, alpha, sum, delta, x2); /* z', gamma, alpha, beta */ + ecc_mod_mul_1 (&ecc->p, alpha, alpha, 3); + + ecc_mod_mul_1 (&ecc->p, y2, beta, 4); + + /* From now on, can use beta as scratch. */ + ecc_mod_sqr (&ecc->p, x2, alpha, beta); /* alpha^2 */ + ecc_mod_submul_1 (&ecc->p, x2, y2, 2); /* alpha^2 - 8 beta */ + + ecc_mod_sub (&ecc->p, y2, y2, x2); /* 4 beta - x' */ + ecc_mod_mul (&ecc->p, y2, y2, alpha, beta); + ecc_mod_sqr (&ecc->p, gamma, gamma, beta); + ecc_mod_submul_1 (&ecc->p, y2, gamma, 8); } diff -Nru nettle-3.4.1/ecc-dup-th.c nettle-3.7.3/ecc-dup-th.c --- nettle-3.4.1/ecc-dup-th.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-dup-th.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,112 @@ +/* ecc-dup-th.c + + Copyright (C) 2014, 2019 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "ecc.h" +#include "ecc-internal.h" + +/* Double a point on a twisted Edwards curve, in homogeneous coordinates */ +void +ecc_dup_th (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *scratch) +{ +#define x1 p +#define y1 (p + ecc->p.size) +#define z1 (p + 2*ecc->p.size) + +#define x2 r +#define y2 (r + ecc->p.size) +#define z2 (r + 2*ecc->p.size) + + /* Formulas (from djb, + http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#doubling-dbl-2008-bbjlp): + + B = (X1+Y1)^2 + C = X1^2 + D = Y1^2 + (E = a*C = -C) + F = E+D + H = Z1^2 + J = F-2*H + X3 = (B-C-D)*J + Y3 = F*(E-D) + Z3 = F*J (-C+D)*(-C+D - 2Z1^2) + + In the formula for Y3, we have E - D = -(C+D). 
To avoid explicit + negation, negate all of X3, Y3, Z3, and use + + Computation Operation Live variables + + B = (X1+Y1)^2 sqr B + C = X1^2 sqr B, C + D = Y1^2 sqr B, C, D + F = -C+D B, C, D, F + H = Z1^2 sqr B, C, D, F, H + J = 2*H - F B, C, D, F, J + X3 = (B-C-D)*J mul C, F, J (Replace C <-- C+D) + Y3 = F*(C+D) mul F, J + Z3 = F*J mul + + 3M+4S + */ + +#define C scratch +#define D (scratch + 1*ecc->p.size) +#define B (scratch + 2*ecc->p.size) + +#define F C + + ecc_mod_sqr (&ecc->p, C, x1, C); /* C */ + ecc_mod_sqr (&ecc->p, D, y1, D); /* C, D */ + ecc_mod_add (&ecc->p, B, x1, y1); + ecc_mod_sqr (&ecc->p, B, B, x2); /* C, D, B */ + + /* C+D stored at y' */ + ecc_mod_add (&ecc->p, y2, C, D); + /* B - C - C stored at x' */ + ecc_mod_sub (&ecc->p, x2, B, y2); + + ecc_mod_sub (&ecc->p, F, D, C); /* F */ + + /* Use D as scratch for the following multiplies. */ + ecc_mod_mul (&ecc->p, y2, y2, F, D); + + /* H and J stored at z' */ + ecc_mod_sqr (&ecc->p, z2, z1, D); + ecc_mod_add (&ecc->p, z2, z2, z2); + ecc_mod_sub (&ecc->p, z2, z2, F); + ecc_mod_mul (&ecc->p, x2, x2, z2, D); + ecc_mod_mul (&ecc->p, z2, z2, F, D); +} diff -Nru nettle-3.4.1/ecc-ecdsa-sign.c nettle-3.7.3/ecc-ecdsa-sign.c --- nettle-3.4.1/ecc-ecdsa-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-ecdsa-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -47,7 +47,8 @@ ecc_ecdsa_sign_itch (const struct ecc_curve *ecc) { /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for - ecc_mul_g and ecc_mul_g_eh. */ + ecc_mul_g. */ + assert (ecc->p.size + ecc->p.invert_itch <= 3*ecc->p.size + ecc->mul_g_itch); return ECC_ECDSA_SIGN_ITCH (ecc->p.size); } @@ -63,7 +64,7 @@ mp_limb_t *scratch) { #define P scratch -#define kinv scratch /* Needs 5*ecc->p.size for computation */ +#define kinv scratch #define hp (scratch + ecc->p.size) /* NOTE: ecc->p.size + 1 limbs! */ #define tp (scratch + 2*ecc->p.size) /* Procedure, according to RFC 6090, "KT-I". q denotes the group 
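Review bot: The comment `/* B - C - C stored at x' */` in ecc_dup_th misstates the value: y2 was just set to C+D, so `ecc_mod_sub (&ecc->p, x2, B, y2)` leaves B - C - D, the (B-C-D) factor of X3 in the formula block above; change it to `/* B - C - D stored at x' */`. The line `Z3 = F*J (-C+D)*(-C+D - 2Z1^2)` in the same formula block reads like a stray expansion; writing it as `Z3 = F*J = (-C+D)*(-C+D - 2*Z1^2)` makes it clear the second expression is F*J spelled out.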
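Review bot: The assertion added to ecc_ecdsa_sign_itch bounds `ecc->p.invert_itch`, but the inversion it is meant to cover is the `ecc->q.invert` call in ecc_ecdsa_sign (next hunk), whose scratch need is `ecc->q.invert_itch`; unless the two are guaranteed equal for every curve, the bound should read `assert (ecc->p.size + ecc->q.invert_itch <= 3*ecc->p.size + ecc->mul_g_itch);`. The comment on that call ("uses up to 7 * ecc->p.size including scratch (for secp384)") is the figure the assertion is supposed to enforce, so the two should refer to the same modulus.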
@@ -82,17 +83,16 @@ /* x coordinate only, modulo q */ ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); - /* Invert k, uses 4 * ecc->p.size including scratch */ - ecc->q.invert (&ecc->q, kinv, kp, tp); /* NOTE: Also clobbers hp */ + /* Invert k, uses up to 7 * ecc->p.size including scratch (for secp384). */ + ecc->q.invert (&ecc->q, kinv, kp, tp); /* Process hash digest */ ecc_hash (&ecc->q, hp, length, digest); - ecc_modq_mul (ecc, tp, zp, rp); - ecc_modq_add (ecc, hp, hp, tp); - ecc_modq_mul (ecc, tp, hp, kinv); + ecc_mod_mul (&ecc->q, tp, zp, rp, tp); + ecc_mod_add (&ecc->q, hp, hp, tp); + ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); - mpn_copyi (sp, tp, ecc->p.size); #undef P #undef hp #undef kinv diff -Nru nettle-3.4.1/ecc-ecdsa-verify.c nettle-3.7.3/ecc-ecdsa-verify.c --- nettle-3.4.1/ecc-ecdsa-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-ecdsa-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,20 +43,10 @@ /* Low-level ECDSA verify */ -/* FIXME: Use mpn_zero_p. */ -static int -zero_p (const mp_limb_t *xp, mp_size_t n) -{ - while (n > 0) - if (xp[--n] > 0) - return 0; - return 1; -} - static int ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) { - return !zero_p (xp, ecc->p.size) + return !mpn_zero_p (xp, ecc->p.size) && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; } 
@@ -108,21 +98,21 @@ division, I think), and write an ecc_add_ppp. */ /* Compute sinv */ - ecc->q.invert (&ecc->q, sinv, sp, sinv + 2*ecc->p.size); + ecc->q.invert (&ecc->q, sinv, sp, sinv + ecc->p.size); /* u1 = h / s, P1 = u1 * G */ ecc_hash (&ecc->q, hp, length, digest); - ecc_modq_mul (ecc, u1, hp, sinv); + ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); /* u2 = r / s, P2 = u2 * Y */ - ecc_modq_mul (ecc, u2, rp, sinv); + ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); /* u = 0 can happen only if h = 0 or h = q, which is extremely unlikely. */ - if (!zero_p (u1, ecc->p.size)) + if (!mpn_zero_p (u1, ecc->p.size)) { /* Total storage: 7*ecc->p.size + ecc->mul_g_itch (ecc->p.size) */ ecc->mul_g (ecc, P1, u1, P1 + 3*ecc->p.size); @@ -142,12 +132,12 @@ private key by guessing. */ /* Total storage: 6*ecc->p.size + ecc->add_hhh_itch */ - ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size); + ecc->add_hhh (ecc, P2, P2, P1, P1 + 3*ecc->p.size); } /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); + ecc->h_to_a (ecc, 2, P1, P2, P1 + 3*ecc->p.size); - return (mpn_cmp (rp, P2, ecc->p.size) == 0); + return (mpn_cmp (rp, P1, ecc->p.size) == 0); #undef P2 #undef P1 #undef sinv diff -Nru nettle-3.4.1/ecc-eh-to-a.c nettle-3.7.3/ecc-eh-to-a.c --- nettle-3.4.1/ecc-eh-to-a.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-eh-to-a.c 2021-06-06 20:06:29.000000000 +0000 
@@ -49,39 +49,15 @@ #define izp scratch #define tp (scratch + ecc->p.size) - #define xp p #define yp (p + ecc->p.size) #define zp (p + 2*ecc->p.size) - mp_limb_t cy; - - /* Needs 2*size + scratch for the invert call. */ - ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); + assert(op == 0); - ecc_modp_mul (ecc, tp, xp, izp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); + /* Needs size + scratch for the invert call. */ + ecc->p.invert (&ecc->p, izp, zp, tp); - if (op) - { - /* Skip y coordinate */ - if (op > 1) - { - /* Reduce modulo q. FIXME: Hardcoded for curve25519, - duplicates end of ecc_25519_modq. FIXME: Is this needed - at all? Full reduction mod p is maybe sufficient. */ - unsigned shift; - assert (ecc->p.bit_size == 255); - shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, - r[ecc->p.size-1] >> shift); - assert (cy < 2); - cnd_add_n (cy, r, ecc->q.m, ecc->p.size); - } - return; - } - ecc_modp_mul (ecc, tp, yp, izp); - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); } diff -Nru nettle-3.4.1/ecc-gostdsa-sign.c nettle-3.7.3/ecc-gostdsa-sign.c --- nettle-3.4.1/ecc-gostdsa-sign.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-gostdsa-sign.c 2021-06-06 20:06:29.000000000 +0000 
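Review bot: `assert(op == 0)` replaces the former handling of op > 0 (x-only output, and the mod-q reduction for op > 1) with a debug-only check: with NDEBUG the assert disappears and the function writes the y coordinate to `r + ecc->p.size` regardless of op, so a caller that still passes op = 2 with an r sized for one coordinate gets an out-of-bounds write instead of a failure. If op is intentionally unsupported here, a comment stating the new contract should sit next to the assert, e.g. `/* Only op == 0 is supported: both coordinates are always written to r. */`, and a release-build check that fails hard rather than silently would be safer than the assert alone. The function's signature is above the hunk.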
@@ -0,0 +1,101 @@ +/* ecc-gostdsa-sign.c + + Copyright (C) 2015 Dmitry Eremin-Solenikov + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "gostdsa.h" +#include "ecc-internal.h" + +/* Low-level GOST DSA signing */ + +mp_size_t +ecc_gostdsa_sign_itch (const struct ecc_curve *ecc) +{ + /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for + ecc_mul_g. */ + return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size); +} + +/* NOTE: Caller should check if r or s is zero. */ +void +ecc_gostdsa_sign (const struct ecc_curve *ecc, + const mp_limb_t *zp, + const mp_limb_t *kp, + size_t length, const uint8_t *digest, + mp_limb_t *rp, mp_limb_t *sp, + mp_limb_t *scratch) +{ +#define P scratch +#define hp (scratch + 4*ecc->p.size) +#define tp (scratch + 2*ecc->p.size) +#define t2p scratch + /* Procedure, according to GOST 34.10. q denotes the group + order. + + 1. k <-- uniformly random, 0 < k < q + + 2. C <-- (c_x, c_y) = k g + + 3. r <-- c_x mod q + + 4. s <-- (r*z + k*h) mod q. 
+ */ + + ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); + /* x coordinate only, modulo q */ + ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); + + /* Process hash digest */ + gost_hash (&ecc->q, hp, length, digest); + if (mpn_zero_p (hp, ecc->p.size)) + mpn_add_1 (hp, hp, ecc->p.size, 1); + + ecc_mod_mul (&ecc->q, tp, rp, zp, tp); + ecc_mod_mul (&ecc->q, t2p, kp, hp, t2p); + ecc_mod_add (&ecc->q, sp, tp, t2p); + + /* Also reduce mod ecc->q. It should already be < 2*ecc->q, + * so one subtraction should suffice. */ + + *scratch = mpn_sub_n (tp, sp, ecc->q.m, ecc->p.size); + cnd_copy (*scratch == 0, sp, tp, ecc->p.size); + +#undef P +#undef hp +#undef tp +#undef t2p +} diff -Nru nettle-3.4.1/ecc-gostdsa-verify.c nettle-3.7.3/ecc-gostdsa-verify.c --- nettle-3.4.1/ecc-gostdsa-verify.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-gostdsa-verify.c 2021-06-06 20:06:29.000000000 +0000 
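Review bot: The final reduction in ecc_gostdsa_sign stores the borrow from `mpn_sub_n` through `*scratch`, i.e. into the first limb of t2p, and then tests it in `cnd_copy (*scratch == 0, ...)`; this only works because t2p is dead at that point, and it reads as if scratch[0] carried meaning. A local, `mp_limb_t cy = mpn_sub_n (tp, sp, ecc->q.m, ecc->p.size); cnd_copy (cy == 0, sp, tp, ecc->p.size);`, says the same thing without the hidden dependency. The scratch layout would also benefit from a one-line comment that `P` is dead once rp has been extracted, since `tp` and `hp` (2*size and 4*size) overlap the region mul_g and h_to_a used just before, and the itch comment ("Needs 3*ecc->p.size + scratch for ecc->mul_g") does not mention the 5*size the function touches up to `hp + ecc->p.size`.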
@@ -0,0 +1,130 @@ +/* ecc-gostdsa-verify.c + + Copyright (C) 2015 Dmitry Eremin-Solenikov + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "gostdsa.h" +#include "ecc-internal.h" + +/* Low-level GOST DSA verify */ + +static int +ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) +{ + return !mpn_zero_p (xp, ecc->p.size) + && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; +} + +mp_size_t +ecc_gostdsa_verify_itch (const struct ecc_curve *ecc) +{ + /* Largest storage need is for the ecc->mul call. */ + return 5*ecc->p.size + ecc->mul_itch; +} + +/* FIXME: Use faster primitives, not requiring side-channel silence. */ +int +ecc_gostdsa_verify (const struct ecc_curve *ecc, + const mp_limb_t *pp, /* Public key */ + size_t length, const uint8_t *digest, + const mp_limb_t *rp, const mp_limb_t *sp, + mp_limb_t *scratch) +{ + /* Procedure, according to GOST R 34.10. q denotes the group + order. + + 1. Check 0 < r, s < q. + + 2. v <-- h^{-1} (mod q) + + 3. 
z1 <-- s * v (mod q)
+
+ 4. z2 <-- -r * v (mod q)
+
+ 5. R = u1 G + u2 Y
+
+ 6. Signature is valid if R_x = r (mod q).
+ */
+
+#define hp (scratch)
+#define vp (scratch + ecc->p.size)
+#define z1 (scratch + 3*ecc->p.size)
+#define z2 (scratch + 4*ecc->p.size)
+
+#define P1 (scratch + 4*ecc->p.size)
+#define P2 (scratch)
+
+
+ if (! (ecdsa_in_range (ecc, rp)
+ && ecdsa_in_range (ecc, sp)))
+ return 0;
+
+ gost_hash (&ecc->q, hp, length, digest);
+
+ if (mpn_zero_p (hp, ecc->p.size))
+ mpn_add_1 (hp, hp, ecc->p.size, 1);
+
+ /* Compute v */
+ ecc->q.invert (&ecc->q, vp, hp, vp + ecc->p.size);
+
+ /* z1 = s / h, P1 = z1 * G */
+ ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1);
+
+ /* z2 = - r / h, P2 = z2 * Y */
+ mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size);
+ ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2);
+
+ /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+ ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size);
+
+ /* Total storage: 7*ecc->p.size + ecc->mul_g_itch (ecc->p.size) */
+ ecc->mul_g (ecc, P1, z1, P1 + 3*ecc->p.size);
+
+ /* Total storage: 6*ecc->p.size + ecc->add_hhh_itch */
+ ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size);
+
+ /* x coordinate only, modulo q */
+ ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size);
+
+ return (mpn_cmp (rp, P2, ecc->p.size) == 0);
+#undef P2
+#undef P1
+#undef z2
+#undef z1
+#undef hp
+#undef vp
+}
diff -Nru nettle-3.4.1/ecc-gost-gc256b.c nettle-3.7.3/ecc-gost-gc256b.c
--- nettle-3.4.1/ecc-gost-gc256b.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/ecc-gost-gc256b.c 2021-06-06 20:06:29.000000000 +0000
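Review bot: The scratch comment before the add_hhh call says `Total storage: 6*ecc->p.size + ecc->add_hhh_itch`, but P1 is scratch + 4*ecc->p.size and the scratch handed over is P1 + 3*ecc->p.size, so the figure is 7*ecc->p.size + ecc->add_hhh_itch, as the mul_g comment just above already states. The procedure comment also changes names midway: steps 3 and 4 define z1 and z2, step 5 reads `R = u1 G + u2 Y`, while the code uses z1/z2 throughout. Separately, gost_hash writes m->size + 1 limbs, so with hp at scratch and vp at scratch + ecc->p.size the top limb of hp lands on vp[0]; that looks harmless because vp is only an output of the following invert and the top limb is always zero (length is capped at (bit_size + 7)/8 bytes, which fits in m->size limbs), but a one-line comment such as `/* hp has m->size + 1 limbs; its top limb overlaps vp[0] and is always zero. */` would save the next reader the analysis. The helper ecdsa_in_range also carries an ECDSA name in a GOST file; the check is the same, so a rename or a comment avoids confusion.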
@@ -0,0 +1,127 @@ +/* ecc-gost-gc256b.c + + Copyright (C) 2016-2020 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gost-gc256b.h"
+
+static void
+ecc_gost_gc256b_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp)
+{
+ mp_size_t mn = m->size;
+ mp_limb_t hi;
+
+ hi = mpn_addmul_1(xp, xp + mn, mn, 0x269);
+ hi = sec_add_1 (xp, xp, mn, hi * 0x269);
+ hi = sec_add_1 (rp, xp, mn, hi * 0x269);
+ assert(hi == 0);
+}
+
+#define ecc_gost_gc256b_modp ecc_gost_gc256b_modp
+#define ecc_gost_gc256b_modq ecc_mod
+
+const struct ecc_curve _nettle_gost_gc256b =
+{
+ {
+ 256,
+ ECC_LIMB_SIZE,
+ ECC_BMODP_SIZE,
+ ECC_REDC_SIZE,
+ ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
+ 0,
+
+ ecc_p,
+ ecc_Bmodp,
+ ecc_Bmodp_shifted,
+ ecc_redc_ppm1,
+
+ ecc_pp1h,
+ ecc_gost_gc256b_modp,
+ ecc_gost_gc256b_modp,
+ ecc_mod_inv,
+ NULL,
+ },
+ {
+ 256,
+ ECC_LIMB_SIZE,
+ ECC_BMODQ_SIZE,
+ 0,
+ ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
+ 0,
+
+ ecc_q,
+ ecc_Bmodq,
+ ecc_Bmodq_shifted,
+ NULL,
+ ecc_qp1h,
+
+ ecc_gost_gc256b_modq,
+ ecc_gost_gc256b_modq,
+ ecc_mod_inv,
+ NULL,
+ },
+
+ USE_REDC,
+ ECC_PIPPENGER_K,
+ ECC_PIPPENGER_C,
+
+ ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
+ ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+ ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
+ ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
+ ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
+ ECC_J_TO_A_ITCH (ECC_LIMB_SIZE, ECC_MOD_INV_ITCH(ECC_LIMB_SIZE)),
+
+ ecc_add_jja,
+ ecc_add_jjj,
+ ecc_dup_jj,
+ ecc_mul_a,
+ ecc_mul_g,
+ ecc_j_to_a,
+
+ ecc_b,
+ ecc_unit,
+ ecc_table
+};
+
+const struct ecc_curve *nettle_get_gost_gc256b(void)
+{
+ return &_nettle_gost_gc256b;
+}
diff -Nru nettle-3.4.1/ecc-gost-gc512a.c nettle-3.7.3/ecc-gost-gc512a.c
--- nettle-3.4.1/ecc-gost-gc512a.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/ecc-gost-gc512a.c 2021-06-06 20:06:29.000000000 +0000
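Review bot: ecc_gost_gc256b_modp has no comment explaining why two sec_add_1 folds and the final `assert(hi == 0)` are enough, and the same applies to ecc_gost_gc512a_modp in the next file. The folding only works if p = 2^256 - 0x269 (which the constant implies; worth stating), and the reader has to re-derive that the first carry is at most 0x269, the second at most 1 with a small low part, so the third addition cannot carry and the result is < 2^256 < 2p, satisfying the "< 2m" requirement on ecc_mod_func. Suggest a header comment along the lines of `/* p = 2^256 - 0x269. Fold the high half times 0x269 into the low half; the first carry is at most 0x269, the second at most 1, so the final add cannot carry and the result is < 2^256 < 2p. */`, and the same with 0x239 and 2^512 for gc512a.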
@@ -0,0 +1,127 @@ +/* ecc-gost-gc512a.c + + Copyright (C) 2016-2020 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "ecc.h"
+#include "ecc-internal.h"
+
+#define USE_REDC 0
+
+#include "ecc-gost-gc512a.h"
+
+static void
+ecc_gost_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp)
+{
+ mp_size_t mn = m->size;
+ mp_limb_t hi;
+
+ hi = mpn_addmul_1(xp, xp + mn, mn, 0x239);
+ hi = sec_add_1 (xp, xp, mn, hi * 0x239);
+ hi = sec_add_1 (rp, xp, mn, hi * 0x239);
+ assert(hi == 0);
+}
+
+#define ecc_gost_gc512a_modp ecc_gost_gc512a_modp
+#define ecc_gost_gc512a_modq ecc_mod
+
+const struct ecc_curve _nettle_gost_gc512a =
+{
+ {
+ 512,
+ ECC_LIMB_SIZE,
+ ECC_BMODP_SIZE,
+ ECC_REDC_SIZE,
+ ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
+ 0,
+
+ ecc_p,
+ ecc_Bmodp,
+ ecc_Bmodp_shifted,
+ ecc_redc_ppm1,
+
+ ecc_pp1h,
+ ecc_gost_gc512a_modp,
+ ecc_gost_gc512a_modp,
+ ecc_mod_inv,
+ NULL,
+ },
+ {
+ 512,
+ ECC_LIMB_SIZE,
+ ECC_BMODQ_SIZE,
+ 0,
+ ECC_MOD_INV_ITCH (ECC_LIMB_SIZE),
+ 0,
+
+ ecc_q,
+ ecc_Bmodq,
+ ecc_Bmodq_shifted,
+ NULL,
+ ecc_qp1h,
+
+ ecc_gost_gc512a_modq,
+ ecc_gost_gc512a_modq,
+ ecc_mod_inv,
+ NULL,
+ },
+
+ USE_REDC,
+ ECC_PIPPENGER_K,
+ ECC_PIPPENGER_C,
+
+ ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE),
+ ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE),
+ ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE),
+ ECC_MUL_A_ITCH (ECC_LIMB_SIZE),
+ ECC_MUL_G_ITCH (ECC_LIMB_SIZE),
+ ECC_J_TO_A_ITCH (ECC_LIMB_SIZE, ECC_MOD_INV_ITCH(ECC_LIMB_SIZE)),
+
+ ecc_add_jja,
+ ecc_add_jjj,
+ ecc_dup_jj,
+ ecc_mul_a,
+ ecc_mul_g,
+ ecc_j_to_a,
+
+ ecc_b,
+ ecc_unit,
+ ecc_table
+};
+
+const struct ecc_curve *nettle_get_gost_gc512a(void)
+{
+ return &_nettle_gost_gc512a;
+}
diff -Nru nettle-3.4.1/ecc-hash.c nettle-3.7.3/ecc-hash.c
--- nettle-3.4.1/ecc-hash.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/ecc-hash.c 2021-06-06 20:06:29.000000000 +0000
@@ -62,3 +62,14 @@
 /* We got a few extra bits, at the low end. Discard them. */
 mpn_rshift (hp, hp, m->size + 1, 8*length - m->bit_size);
 }
+
+void
+gost_hash (const struct ecc_modulo *m,
+ mp_limb_t *hp,
+ size_t length, const uint8_t *digest)
+{
+ if (length > ((size_t) m->bit_size + 7) / 8)
+ length = (m->bit_size + 7) / 8;
+
+ mpn_set_base256_le (hp, m->size + 1, digest, length);
+}
diff -Nru nettle-3.4.1/ecc-internal.h nettle-3.7.3/ecc-internal.h
--- nettle-3.4.1/ecc-internal.h 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/ecc-internal.h 2021-06-06 20:06:29.000000000 +0000
@@ -49,10 +49,15 @@
 #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
 #define ecc_mod_mul _nettle_ecc_mod_mul
 #define ecc_mod_sqr _nettle_ecc_mod_sqr
+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
+#define ecc_mod_pow_2k _nettle_ecc_mod_pow_2k
+#define ecc_mod_pow_2k_mul _nettle_ecc_mod_pow_2k_mul
 #define ecc_mod_random _nettle_ecc_mod_random
 #define ecc_mod _nettle_ecc_mod
 #define ecc_mod_inv _nettle_ecc_mod_inv
 #define ecc_hash _nettle_ecc_hash
+#define gost_hash _nettle_gost_hash
 #define ecc_a_to_j _nettle_ecc_a_to_j
 #define ecc_j_to_a _nettle_ecc_j_to_a
 #define ecc_eh_to_a _nettle_ecc_eh_to_a
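Review bot: gost_hash leaves hp unreduced and undocumented: with length capped at (m->bit_size + 7)/8 bytes the value can be anything below 2^bit_size, including values at or above q, and both callers in ecc-gostdsa-sign.c and ecc-gostdsa-verify.c test `mpn_zero_p (hp, ecc->p.size)` on that raw integer. GOST R 34.10 takes e = h mod q and replaces e = 0 by 1, so a digest that is a non-zero multiple of q is handled differently here (the verify path would then hand a value that is 0 mod q to q.invert, which per its own comment returns zero); the probability is negligible, but the deviation, and the fact that m->size + 1 limbs are written at hp, deserve a comment such as `/* Writes m->size + 1 limbs at hp. The value is not reduced mod m; callers test for zero on the unreduced value. */`.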
@@ -62,22 +67,38 @@ #define ecc_dup_eh _nettle_ecc_dup_eh #define ecc_add_eh _nettle_ecc_add_eh #define ecc_add_ehh _nettle_ecc_add_ehh +#define ecc_dup_th _nettle_ecc_dup_th +#define ecc_add_th _nettle_ecc_add_th +#define ecc_add_thh _nettle_ecc_add_thh #define ecc_mul_g _nettle_ecc_mul_g #define ecc_mul_a _nettle_ecc_mul_a #define ecc_mul_g_eh _nettle_ecc_mul_g_eh #define ecc_mul_a_eh _nettle_ecc_mul_a_eh +#define ecc_mul_m _nettle_ecc_mul_m #define cnd_copy _nettle_cnd_copy #define sec_add_1 _nettle_sec_add_1 #define sec_sub_1 _nettle_sec_sub_1 #define sec_tabselect _nettle_sec_tabselect #define sec_modinv _nettle_sec_modinv #define curve25519_eh_to_x _nettle_curve25519_eh_to_x +#define curve448_eh_to_x _nettle_curve448_eh_to_x + +extern const struct ecc_curve _nettle_secp_192r1; +extern const struct ecc_curve _nettle_secp_224r1; +extern const struct ecc_curve _nettle_secp_256r1; +extern const struct ecc_curve _nettle_secp_384r1; +extern const struct ecc_curve _nettle_secp_521r1; /* Keep this structure internal for now. It's misnamed (since it's really implementing the equivalent twisted Edwards curve, with different coordinates). And we're not quite ready to provide general ecc operations over an arbitrary type of curve. */ extern const struct ecc_curve _nettle_curve25519; +extern const struct ecc_curve _nettle_curve448; + +/* GOST curves, visible with underscore prefix for now */ +extern const struct ecc_curve _nettle_gost_gc256b; +extern const struct ecc_curve _nettle_gost_gc512a; #define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) 
@@ -94,8 +115,10 @@ /* Reduces from 2*ecc->size to ecc->size. */ /* Required to return a result < 2q. This property is inherited by - mod_mul and mod_sqr. */ -typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp); + mod_mul and mod_sqr. May clobber input xp. rp may point to the + start or the middle of the xp area, but no other overlap is + allowed. */ +typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); typedef void ecc_mod_inv_func (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *ap, @@ -107,11 +130,16 @@ const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch); +/* Allows in-place operation with r == p, but not r == q */ typedef void ecc_add_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); +typedef void ecc_dup_func (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *scratch); + typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); @@ -138,7 +166,7 @@ /* B^size mod m. Expected to have at least 32 leading zeros (equality for secp_256r1). */ const mp_limb_t *B; - /* 2^{bit_size} - p, same value as above, but shifted. */ + /* 2^{bit_size} - m, same value as above, but shifted. */ const mp_limb_t *B_shifted; /* m +/- 1, for redc, excluding redc_size low limbs. */ const mp_limb_t *redc_mpm1; @@ -147,6 +175,8 @@ ecc_mod_func *mod; ecc_mod_func *reduce; + /* For moduli where we use redc, the invert and sqrt functions work + with inputs and outputs in redc form. */ ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; }; @@ -159,7 +189,7 @@ { /* The prime p. */ struct ecc_modulo p; - /* Group order. FIXME: Currently, many fucntions rely on q.size == + /* Group order. FIXME: Currently, many functions rely on q.size == p.size. This has to change for radix-51 implementation of curve25519 mod p arithmetic. */ struct ecc_modulo q; 
@@ -168,24 +198,22 @@ unsigned short pippenger_k; unsigned short pippenger_c; + unsigned short add_hh_itch; unsigned short add_hhh_itch; + unsigned short dup_itch; unsigned short mul_itch; unsigned short mul_g_itch; unsigned short h_to_a_itch; + ecc_add_func *add_hh; ecc_add_func *add_hhh; + ecc_dup_func *dup; ecc_mul_func *mul; ecc_mul_g_func *mul_g; ecc_h_to_a_func *h_to_a; /* Curve constant */ const mp_limb_t *b; - /* Generator, x coordinate followed by y (affine coordinates). - Currently used only by the test suite. */ - const mp_limb_t *g; - /* If non-NULL, the constant needed for transformation to the - equivalent Edwards curve. */ - const mp_limb_t *edwards_root; /* For redc, same as B mod p, otherwise 1. */ const mp_limb_t *unit; @@ -203,7 +231,6 @@ const mp_limb_t *pippenger_table; }; -/* In-place reduction. */ ecc_mod_func ecc_mod; ecc_mod_func ecc_pp1_redc; ecc_mod_func ecc_pm1_redc; 
@@ -228,34 +255,48 @@ ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b); -/* NOTE: mul and sqr needs 2*ecc->size limbs at rp */ +/* The mul and sqr function need 2*m->size limbs at tp. rp may overlap + ap or bp, and may equal tp or tp + m->size, but no other overlap + with tp is allowed. */ void ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp); + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap); + const mp_limb_t *ap, mp_limb_t *tp); -#define ecc_modp_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sub(ecc, r, a, b) \ - ecc_mod_sub (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul_1(ecc, r, a, b) \ - ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_addmul_1(ecc, r, a, b) \ - ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_submul_1(ecc, r, a, b) \ - ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sqr(ecc, r, a) \ - ecc_mod_sqr (&(ecc)->p, (r), (a)) - -#define ecc_modq_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->q, (r), (a), (b)) -#define ecc_modq_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->q, (r), (a), (b)) +/* These mul and sqr functions produce a canonical result, 0 <= R < M. + Requirements on input and output areas are similar to the above + functions, except that it is *not* allowed to pass rp = rp + + m->size. + */ +void +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); + +void +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp); + +/* R <-- X^{2^k} mod M. Needs 2*ecc->size limbs of scratch space, same + overlap requirements as mul and sqr above. 
*/ +void +ecc_mod_pow_2k (const struct ecc_modulo *m, + mp_limb_t *rp, const mp_limb_t *xp, + unsigned k, mp_limb_t *tp); + +/* R <-- X^{2^k} Y mod M. Similar requirements as ecc_mod_pow_2k, but + rp and yp can't overlap. */ +void +ecc_mod_pow_2k_mul (const struct ecc_modulo *m, + mp_limb_t *rp, const mp_limb_t *xp, + unsigned k, const mp_limb_t *yp, + mp_limb_t *tp); + +/* R <-- X^{2^k + 1}. Here, rp and xp must not overlap. */ +#define ecc_mod_pow_2kp1(m, rp, xp, k, tp) \ + ecc_mod_pow_2k_mul (m, rp, xp, k, xp, tp) /* mod q operations. */ void @@ -267,6 +308,11 @@ mp_limb_t *hp, size_t length, const uint8_t *digest); +void +gost_hash (const struct ecc_modulo *m, + mp_limb_t *hp, + size_t length, const uint8_t *digest); + /* Converts a point P in affine coordinates into a point R in jacobian coordinates. */ void @@ -275,17 +321,16 @@ /* Converts a point P in jacobian coordinates into a point R in affine coordinates. If op == 1, produce x coordinate only. If op == 2, - produce the x coordiante only, and in also it modulo q. FIXME: For - the public interface, have separate for the three cases, and use - this flag argument only for the internal ecc->h_to_a function. */ + produce the x coordinate only, and also reduce it modulo q. */ void ecc_j_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); -/* Converts a point P on an Edwards curve to affine coordinates on - the corresponding Montgomery curve. */ +/* Converts a point P in homogeneous coordinates on an Edwards curve + to affine coordinates. Meaning of op is the same as for + ecc_j_to_a. */ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, @@ -319,7 +364,7 @@ mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); -/* Point doubling on an Edwards curve, with homogeneous +/* Point doubling on a twisted Edwards curve, with homogeneous cooordinates. */ void ecc_dup_eh (const struct ecc_curve *ecc, 
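Review bot: The new comment on ecc_mod_mul_canonical says `it is *not* allowed to pass rp = rp + m->size`, which is a tautology; from the implementation in ecc-mod-arith.c the forbidden case is rp = tp + m->size, because the in-place mpn_sub_n would destroy the value that cnd_copy restores on borrow. The ecc_mod_pow_2k comment also says `2*ecc->size` limbs of scratch although the argument is an ecc_modulo, so `2*m->size` is meant. Suggest `functions, except that it is *not* allowed to pass rp = tp + m->size.` and `Needs 2*m->size limbs of scratch space`.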
@@ -336,6 +381,21 @@ mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); +void +ecc_dup_th (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *scratch); + +void +ecc_add_th (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, + mp_limb_t *scratch); + +void +ecc_add_thh (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, + mp_limb_t *scratch); + /* Computes N * the group generator. N is an array of ecc_size() limbs. It must be in the range 0 < N < group order, then R != 0, and the algorithm can work without any intermediate values getting @@ -364,6 +424,13 @@ mp_limb_t *scratch); void +ecc_mul_m (const struct ecc_modulo *m, + mp_limb_t a24, + unsigned bit_low, unsigned bit_high, + mp_limb_t *qx, const uint8_t *n, const mp_limb_t *px, + mp_limb_t *scratch); + +void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n); mp_limb_t 
@@ -381,31 +448,40 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch); +void +curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, + mp_limb_t *scratch); + /* Current scratch needs: */ -#define ECC_MOD_INV_ITCH(size) (2*(size)) -#define ECC_J_TO_A_ITCH(size) (5*(size)) -#define ECC_EH_TO_A_ITCH(size, inv) (2*(size)+(inv)) -#define ECC_DUP_JJ_ITCH(size) (5*(size)) -#define ECC_DUP_EH_ITCH(size) (5*(size)) -#define ECC_ADD_JJA_ITCH(size) (6*(size)) -#define ECC_ADD_JJJ_ITCH(size) (8*(size)) -#define ECC_ADD_EH_ITCH(size) (6*(size)) -#define ECC_ADD_EHH_ITCH(size) (7*(size)) -#define ECC_MUL_G_ITCH(size) (9*(size)) -#define ECC_MUL_G_EH_ITCH(size) (9*(size)) +#define ECC_MOD_INV_ITCH(size) (3*(size)) +#define ECC_J_TO_A_ITCH(size, inv) ((size)+(inv)) +#define ECC_EH_TO_A_ITCH(size, inv) ((size)+(inv)) +#define ECC_DUP_JJ_ITCH(size) (4*(size)) +#define ECC_DUP_EH_ITCH(size) (3*(size)) +#define ECC_DUP_TH_ITCH(size) (3*(size)) +#define ECC_ADD_JJA_ITCH(size) (5*(size)) +#define ECC_ADD_JJJ_ITCH(size) (5*(size)) +#define ECC_ADD_EH_ITCH(size) (4*(size)) +#define ECC_ADD_EHH_ITCH(size) (4*(size)) +#define ECC_ADD_TH_ITCH(size) (4*(size)) +#define ECC_ADD_THH_ITCH(size) (4*(size)) +#define ECC_MUL_G_ITCH(size) (8*(size)) +#define ECC_MUL_G_EH_ITCH(size) (7*(size)) #if ECC_MUL_A_WBITS == 0 -#define ECC_MUL_A_ITCH(size) (12*(size)) +#define ECC_MUL_A_ITCH(size) (11*(size)) #else #define ECC_MUL_A_ITCH(size) \ - (((3 << ECC_MUL_A_WBITS) + 11) * (size)) + (((3 << ECC_MUL_A_WBITS) + 8) * (size)) #endif #if ECC_MUL_A_EH_WBITS == 0 -#define ECC_MUL_A_EH_ITCH(size) (13*(size)) +#define ECC_MUL_A_EH_ITCH(size) (10*(size)) #else #define ECC_MUL_A_EH_ITCH(size) \ - (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size)) + (((3 << ECC_MUL_A_EH_WBITS) + 7) * (size)) #endif -#define ECC_ECDSA_SIGN_ITCH(size) (12*(size)) +#define ECC_MUL_M_ITCH(size) (8*(size)) +#define ECC_ECDSA_SIGN_ITCH(size) (11*(size)) +#define ECC_GOSTDSA_SIGN_ITCH(size) (11*(size)) #define 
ECC_MOD_RANDOM_ITCH(size) (size) #define ECC_HASH_ITCH(size) (1+(size)) diff -Nru nettle-3.4.1/ecc-j-to-a.c nettle-3.7.3/ecc-j-to-a.c --- nettle-3.4.1/ecc-j-to-a.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-j-to-a.c 2021-06-06 20:06:29.000000000 +0000 
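Review bot: `#define ECC_GOSTDSA_SIGN_ITCH(size) (11*(size))` hard-codes a number that, per the itch comment in ecc_gostdsa_sign_itch, is really 3*size plus the mul_g scratch; this same hunk changes ECC_MUL_G_ITCH from 9 to 8 and ECC_ECDSA_SIGN_ITCH from 12 to 11 by hand, which is exactly the kind of drift a derived definition avoids. Presuming the mul_g call is the dominant need (the sign code also places hp at 4*size with size + 1 limbs, which fits), `#define ECC_GOSTDSA_SIGN_ITCH(size) (3*(size) + ECC_MUL_G_ITCH(size))` keeps the two in step. This hunk's enclosing macro block continues before the hunk start.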
@@ -45,58 +45,29 @@ mp_limb_t *scratch) { #define izp scratch -#define up (scratch + 2*ecc->p.size) #define iz2p (scratch + ecc->p.size) #define iz3p (scratch + 2*ecc->p.size) -#define izBp (scratch + 3*ecc->p.size) #define tp scratch - mp_limb_t cy; + ecc->p.invert (&ecc->p, izp, p+2*ecc->p.size, izp + ecc->p.size); + ecc_mod_sqr (&ecc->p, iz2p, izp, iz2p); if (ecc->use_redc) { - /* Set v = (r_z / B^2)^-1, - - r_x = p_x v^2 / B^3 = ((v/B * v)/B * p_x)/B - r_y = p_y v^3 / B^4 = (((v/B * v)/B * v)/B * p_y)/B - */ - - mpn_copyi (up, p + 2*ecc->p.size, ecc->p.size); - mpn_zero (up + ecc->p.size, ecc->p.size); - ecc->p.reduce (&ecc->p, up); - mpn_zero (up + ecc->p.size, ecc->p.size); - ecc->p.reduce (&ecc->p, up); - - ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); - - /* Divide this common factor by B */ - mpn_copyi (izBp, izp, ecc->p.size); - mpn_zero (izBp + ecc->p.size, ecc->p.size); - ecc->p.reduce (&ecc->p, izBp); - - ecc_modp_mul (ecc, iz2p, izp, izBp); + /* Divide this common factor by B, instead of applying redc to + both x and y outputs. */ + mpn_zero (iz2p + ecc->p.size, ecc->p.size); + ecc->p.reduce (&ecc->p, iz2p, iz2p); } - else - { - /* Set s = p_z^{-1}, r_x = p_x s^2, r_y = p_y s^3 */ - - mpn_copyi (up, p+2*ecc->p.size, ecc->p.size); /* p_z */ - ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); - - ecc_modp_sqr (ecc, iz2p, izp); - } - - ecc_modp_mul (ecc, iz3p, iz2p, p); - /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so - do a conditional subtraction. */ - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, iz3p, ecc->p.size); + /* r_x <-- x / z^2 */ + ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); if (op) { /* Skip y coordinate */ if (op > 1) { + mp_limb_t cy; /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ 
@@ -105,14 +76,10 @@ } return; } - ecc_modp_mul (ecc, iz3p, iz2p, izp); - ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); - /* And a similar subtraction. */ - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul (&ecc->p, iz3p, iz2p, izp, iz3p); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, tp); #undef izp -#undef up #undef iz2p #undef iz3p #undef tp diff -Nru nettle-3.4.1/ecc-mod-arith.c nettle-3.7.3/ecc-mod-arith.c --- nettle-3.4.1/ecc-mod-arith.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-mod-arith.c 2021-06-06 20:06:29.000000000 +0000 @@ -48,8 +48,8 @@ { mp_limb_t cy; cy = mpn_add_n (rp, ap, bp, m->size); - cy = cnd_add_n (cy, rp, m->B, m->size); - cy = cnd_add_n (cy, rp, m->B, m->size); + cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size); + cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size); assert (cy == 0); } @@ -59,8 +59,8 @@ { mp_limb_t cy; cy = mpn_sub_n (rp, ap, bp, m->size); - cy = cnd_sub_n (cy, rp, m->B, m->size); - cy = cnd_sub_n (cy, rp, m->B, m->size); + cy = mpn_cnd_sub_n (cy, rp, rp, m->B, m->size); + cy = mpn_cnd_sub_n (cy, rp, rp, m->B, m->size); assert (cy == 0); } @@ -74,7 +74,7 @@ hi = mpn_mul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert (hi <= 1); - hi = cnd_add_n (hi, rp, m->B, m->size); + hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size); /* Sufficient if b < B^size / p */ assert (hi == 0); } @@ -89,7 +89,7 @@ hi = mpn_addmul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert (hi <= 1); - hi = cnd_add_n (hi, rp, m->B, m->size); + hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size); /* Sufficient roughly if b < B^size / p */ assert (hi == 0); } 
@@ -104,24 +104,67 @@
 hi = mpn_submul_1 (rp, ap, m->size, b);
 hi = mpn_submul_1 (rp, m->B, m->size, hi);
 assert (hi <= 1);
- hi = cnd_sub_n (hi, rp, m->B, m->size);
+ hi = mpn_cnd_sub_n (hi, rp, rp, m->B, m->size);
 /* Sufficient roughly if b < B^size / p */
 assert (hi == 0);
 }
-/* NOTE: mul and sqr needs 2*m->size limbs at rp */
 void
 ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp,
- const mp_limb_t *ap, const mp_limb_t *bp)
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
 {
- mpn_mul_n (rp, ap, bp, m->size);
- m->reduce (m, rp);
+ mpn_mul_n (tp, ap, bp, m->size);
+ m->reduce (m, rp, tp);
 }
 void
 ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
- const mp_limb_t *ap)
+ const mp_limb_t *ap, mp_limb_t *tp)
+{
+ mpn_sqr (tp, ap, m->size);
+ m->reduce (m, rp, tp);
+}
+
+void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
+{
+ mp_limb_t cy;
+ mpn_mul_n (tp, ap, bp, m->size);
+ m->reduce (m, tp + m->size, tp);
+
+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+ cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, mp_limb_t *tp)
+{
+ mp_limb_t cy;
+ mpn_sqr (tp, ap, m->size);
+ m->reduce (m, tp + m->size, tp);
+
+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+ cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ecc_mod_pow_2k (const struct ecc_modulo *m,
+ mp_limb_t *rp, const mp_limb_t *xp,
+ unsigned k, mp_limb_t *tp)
+{
+ ecc_mod_sqr (m, rp, xp, tp);
+ while (--k > 0)
+ ecc_mod_sqr (m, rp, rp, tp);
+}
+
+void
+ecc_mod_pow_2k_mul (const struct ecc_modulo *m,
+ mp_limb_t *rp, const mp_limb_t *xp,
+ unsigned k, const mp_limb_t *yp,
+ mp_limb_t *tp)
 {
- mpn_sqr (rp, ap, m->size);
- m->reduce (m, rp);
+ ecc_mod_pow_2k (m, rp, xp, k, tp);
+ ecc_mod_mul (m, rp, rp, yp, tp);
 }
diff -Nru nettle-3.4.1/ecc-mod.c nettle-3.7.3/ecc-mod.c
--- nettle-3.4.1/ecc-mod.c 2018-12-04 
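Review bot: ecc_mod_pow_2k loops with `while (--k > 0)` on an unsigned k, so a call with k == 0 wraps to UINT_MAX and squares about four billion times instead of returning x or failing loudly; neither this hunk nor the declaration in ecc-internal.h (hunk @@ -228,34) states a k >= 1 precondition. Since this file already asserts its arithmetic invariants, `assert (k > 0);` before the first ecc_mod_sqr pins the contract, and the header comment should add `k must be >= 1`. ecc_mod_pow_2k_mul squares into rp before multiplying by yp, which is the reason for the header's "rp and yp can't overlap" rule; a one-line comment at that ecc_mod_mul call, e.g. `/* rp already holds x^{2^k}, so yp must not alias it */`, makes the rule local.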
20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-mod.c 2021-06-06 20:06:29.000000000 +0000 @@ -39,9 +39,11 @@ #include "ecc-internal.h" -/* Computes r mod m, input 2*m->size, output m->size. */ +/* Computes r <-- x mod m, input 2*m->size, output m->size. It's + * allowed to have rp == xp or rp == xp + m->size, but no other kind + * of overlap is allowed. */ void -ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp) +ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t hi; mp_size_t mn = m->size; 
@@ -64,56 +66,51 @@ rn -= sn; for (i = 0; i <= sn; i++) - rp[rn+i-1] = mpn_addmul_1 (rp + rn - mn - 1 + i, m->B, bn, rp[rn+i-1]); - rp[rn-1] = rp[rn+sn-1] - + mpn_add_n (rp + rn - sn - 1, rp + rn - sn - 1, rp + rn - 1, sn); + xp[rn+i-1] = mpn_addmul_1 (xp + rn - mn - 1 + i, m->B, bn, xp[rn+i-1]); + xp[rn-1] = xp[rn+sn-1] + + mpn_add_n (xp + rn - sn - 1, xp + rn - sn - 1, xp + rn - 1, sn); } - goto final_limbs; } else { - /* The loop below always runs at least once. But the analyzer - doesn't realize that, and complains about hi being used later - on without a well defined value. */ -#ifdef __clang_analyzer__ - hi = 0; -#endif - while (rn >= 2 * mn - bn) + while (rn > 2 * mn - bn) { rn -= sn; for (i = 0; i < sn; i++) - rp[rn+i] = mpn_addmul_1 (rp + rn - mn + i, m->B, bn, rp[rn+i]); + xp[rn+i] = mpn_addmul_1 (xp + rn - mn + i, m->B, bn, xp[rn+i]); - hi = mpn_add_n (rp + rn - sn, rp + rn - sn, rp + rn, sn); - hi = cnd_add_n (hi, rp + rn - mn, m->B, mn); + hi = mpn_add_n (xp + rn - sn, xp + rn - sn, xp + rn, sn); + hi = mpn_cnd_add_n (hi, xp + rn - mn, xp + rn - mn, m->B, mn); assert (hi == 0); } } - if (rn > mn) - { - final_limbs: - sn = rn - mn; - - for (i = 0; i < sn; i++) - rp[mn+i] = mpn_addmul_1 (rp + i, m->B, bn, rp[mn+i]); - - hi = mpn_add_n (rp + bn, rp + bn, rp + mn, sn); - hi = sec_add_1 (rp + bn + sn, rp + bn + sn, mn - bn - sn, hi); - } + assert (rn > mn); + rn -= mn; + assert (rn <= sn); + + for (i = 0; i < rn; i++) + xp[mn+i] = mpn_addmul_1 (xp + i, m->B, bn, xp[mn+i]); + + hi = mpn_add_n (xp + bn, xp + bn, xp + mn, rn); + if (rn < sn) + hi = sec_add_1 (xp + bn + rn, xp + bn + rn, sn - rn, hi); shift = m->size * GMP_NUMB_BITS - m->bit_size; if (shift > 0) { /* Combine hi with top bits, add in */ - hi = (hi << shift) | (rp[mn-1] >> (GMP_NUMB_BITS - shift)); - rp[mn-1] = (rp[mn-1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) - + mpn_addmul_1 (rp, m->B_shifted, mn-1, hi); + hi = (hi << shift) | (xp[mn-1] >> (GMP_NUMB_BITS - shift)); + xp[mn-1] = 
(xp[mn-1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + + mpn_addmul_1 (xp, m->B_shifted, mn-1, hi); + /* FIXME: Can this copying be eliminated? */ + if (rp != xp) + mpn_copyi (rp, xp, mn); } else { - hi = cnd_add_n (hi, rp, m->B_shifted, mn); + hi = mpn_cnd_add_n (hi, rp, xp, m->B, mn); assert (hi == 0); } } diff -Nru nettle-3.4.1/ecc-mod-inv.c nettle-3.7.3/ecc-mod-inv.c --- nettle-3.4.1/ecc-mod-inv.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-mod-inv.c 2021-06-06 20:06:29.000000000 +0000 @@ -58,7 +58,7 @@ Returns zero if a == 0 (mod m), to be consistent with a^{phi(m)-1}. Also needs (m+1)/2, and m must be odd. - Needs 2n limbs available at rp, and 2n additional scratch limbs. + Needs 3n limbs of scratch space. */ /* FIXME: Could use mpn_sec_invert (in GMP-6), but with a bit more @@ -70,7 +70,7 @@ { #define ap scratch #define bp (scratch + n) -#define up (vp + n) +#define up (scratch + 2*n) mp_size_t n = m->size; /* Avoid the mp_bitcnt_t type for compatibility with older GMP @@ -138,19 +138,19 @@ assert (bp[0] & 1); odd = ap[0] & 1; - swap = cnd_sub_n (odd, ap, bp, n); - cnd_add_n (swap, bp, ap, n); + swap = mpn_cnd_sub_n (odd, ap, ap, bp, n); + mpn_cnd_add_n (swap, bp, bp, ap, n); cnd_neg (swap, ap, ap, n); - cnd_swap (swap, up, vp, n); - cy = cnd_sub_n (odd, up, vp, n); - cy -= cnd_add_n (cy, up, m->m, n); + mpn_cnd_swap (swap, up, vp, n); + cy = mpn_cnd_sub_n (odd, up, up, vp, n); + cy -= mpn_cnd_add_n (cy, up, up, m->m, n); assert (cy == 0); cy = mpn_rshift (ap, ap, n, 1); assert (cy == 0); cy = mpn_rshift (up, up, n, 1); - cy = cnd_add_n (cy, up, m->mp1h, n); + cy = mpn_cnd_add_n (cy, up, up, m->mp1h, n); assert (cy == 0); } assert ( (ap[0] | ap[n-1]) == 0); diff -Nru nettle-3.4.1/ecc-mul-a-eh.c nettle-3.7.3/ecc-mul-a-eh.c --- nettle-3.4.1/ecc-mul-a-eh.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-mul-a-eh.c 2021-06-06 20:06:29.000000000 +0000 
@@ -39,7 +39,7 @@ #include "ecc-internal.h" /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_ehh, - total 13 ecc->p.size + total 10 ecc->p.size Window algorithm needs (3<p.size for the table, 3*ecc->p.size for a temporary point, and scratch for @@ -75,8 +75,8 @@ { int digit; - ecc_dup_eh (ecc, r, r, scratch_out); - ecc_add_ehh (ecc, tp, r, pe, scratch_out); + ecc->dup (ecc, r, r, scratch_out); + ecc->add_hh (ecc, tp, r, pe, scratch_out); digit = (w & bit) > 0; /* If we had a one-bit, use the sum. */ @@ -107,8 +107,8 @@ for (j = 2; j < size; j += 2) { - ecc_dup_eh (ecc, TABLE(j), TABLE(j/2), scratch); - ecc_add_ehh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); + ecc->dup (ecc, TABLE(j), TABLE(j/2), scratch); + ecc->add_hh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } @@ -163,11 +163,11 @@ bits |= w >> shift; } for (j = 0; j < ECC_MUL_A_EH_WBITS; j++) - ecc_dup_eh (ecc, r, r, scratch_out); + ecc->dup (ecc, r, r, scratch_out); bits &= TABLE_MASK; sec_tabselect (tp, 3*ecc->p.size, table, TABLE_SIZE, bits); - ecc_add_ehh (ecc, r, tp, r, scratch_out); + ecc->add_hhh (ecc, r, r, tp, scratch_out); } #undef table #undef tp diff -Nru nettle-3.4.1/ecc-mul-g.c nettle-3.7.3/ecc-mul-g.c --- nettle-3.4.1/ecc-mul-g.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-mul-g.c 2021-06-06 20:06:29.000000000 +0000 @@ -45,7 +45,7 @@ const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_jja call. Current total is - 9 * ecc->p.size, at most 648 bytes. */ + 8 * ecc->p.size, at most 576 bytes. */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) diff -Nru nettle-3.4.1/ecc-mul-g-eh.c nettle-3.7.3/ecc-mul-g-eh.c --- nettle-3.4.1/ecc-mul-g-eh.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-mul-g-eh.c 2021-06-06 20:06:29.000000000 +0000 
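Review bot: The scratch comment in the first hunk still attributes the scratch requirement to `ecc_add_ehh` although every call below now goes through the curve's function pointers; suggest `Binary algorithm needs 6*ecc->p.size + scratch for ecc->add_hh, total 10 ecc->p.size`. The same stale name survives in ecc-mul-g-eh.c's `Scratch need determined by the ecc_add_eh call` comment, whose calls were likewise switched to `ecc->dup`/`ecc->add_hh`. In the last hunk the call changed from `ecc_add_ehh (ecc, r, tp, r, scratch_out)` to `ecc->add_hhh (ecc, r, r, tp, scratch_out)`, which swaps the operand order as well as the entry point; if add_hhh has any asymmetry between its two inputs (not visible here) that is a behavioural change worth a one-line comment.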
@@ -45,7 +45,7 @@ const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_eh call. Current total is - 9 * ecc->p.size, at most 648 bytes. */ + 7 * ecc->p.size, at most 392 bytes (for curve448). */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) @@ -64,7 +64,7 @@ for (i = k; i-- > 0; ) { - ecc_dup_eh (ecc, r, r, scratch); + ecc->dup (ecc, r, r, scratch); for (j = 0; j * c < bit_rows; j++) { unsigned bits; @@ -93,7 +93,7 @@ + (2*ecc->p.size * (mp_size_t) j << c)), 1<add_hh (ecc, r, r, tp, scratch_out); } } #undef tp diff -Nru nettle-3.4.1/ecc-mul-m.c nettle-3.7.3/ecc-mul-m.c --- nettle-3.4.1/ecc-mul-m.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-mul-m.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,166 @@ +/* ecc-mul-m.c + + Point multiplication using Montgomery curve representation. + + Copyright (C) 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +void +ecc_mul_m (const struct ecc_modulo *m, + mp_limb_t a24, + unsigned bit_low, unsigned bit_high, + mp_limb_t *qx, const uint8_t *n, const mp_limb_t *px, + mp_limb_t *scratch) +{ + unsigned i; + mp_limb_t swap; + +#define x2 (scratch) +#define z2 (scratch + m->size) +#define x3 (scratch + 2*m->size) +#define z3 (scratch + 3*m->size) + + /* Formulas from RFC 7748: + + A = x_2 + z_2 + AA = A^2 + B = x_2 - z_2 + BB = B^2 + E = AA - BB + C = x_3 + z_3 + D = x_3 - z_3 + DA = D * A + CB = C * B + x_3 = (DA + CB)^2 + z_3 = x_1 * (DA - CB)^2 + x_2 = AA * BB + z_2 = E * (AA + a24 * E) + + For pure doubling, we use: + + A = x_2 + z_2 + AA = A^2 + B = x_2 - z_2 + BB = B^2 + E = AA - BB + x3 = AA * BB + z3 = E * (AA + a24 * E) + */ + +#define A (scratch + 4*m->size) +#define AA A +#define D (scratch + 5*m->size) +#define DA D + +#define tp (scratch + 6*m->size) + + /* For the doubling formulas. */ +#define B D +#define BB D +#define E D + + /* Initialize, x2 = px, z2 = 1 */ + mpn_copyi (x2, px, m->size); + z2[0] = 1; + mpn_zero (z2+1, m->size - 1); + + /* Get x3, z3 from doubling. Since most significant bit is forced to 1. 
*/ + ecc_mod_add (m, A, x2, z2); + ecc_mod_sub (m, B, x2, z2); + ecc_mod_sqr (m, AA, A, tp); + ecc_mod_sqr (m, BB, B, tp); + ecc_mod_mul (m, x3, AA, BB, tp); + ecc_mod_sub (m, E, AA, BB); + ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_mul (m, z3, E, AA, tp); + + for (i = bit_high, swap = 0; i >= bit_low; i--) + { + mp_limb_t bit = (n[i/8] >> (i & 7)) & 1; + + mpn_cnd_swap (swap ^ bit, x2, x3, 2*m->size); + swap = bit; + + ecc_mod_add (m, A, x2, z2); + ecc_mod_sub (m, D, x3, z3); + ecc_mod_mul (m, DA, D, A, tp); + ecc_mod_sqr (m, AA, A, tp); + + /* Store B, BB and E at z2 */ + ecc_mod_sub (m, z2, x2, z2); /* B */ + /* Store C and CB at z3 */ + ecc_mod_add (m, z3, x3, z3); /* C */ + ecc_mod_mul (m, z3, z3, z2, tp); /* CB */ + ecc_mod_sqr (m, z2, z2, tp); /* BB */ + + /* Finish x2 */ + ecc_mod_mul (m, x2, AA, z2, tp); + + ecc_mod_sub (m, z2, AA, z2); /* E */ + + /* Finish z2 */ + ecc_mod_addmul_1 (m, AA, z2, a24); + ecc_mod_mul (m, z2, z2, AA, tp); + + /* Finish x3 */ + ecc_mod_add (m, x3, DA, z3); + ecc_mod_sqr (m, x3, x3, tp); + + /* Finish z3 */ + ecc_mod_sub (m, z3, DA, z3); /* DA - CB */ + ecc_mod_sqr (m, z3, z3, tp); + ecc_mod_mul (m, z3, z3, px, tp); + } + mpn_cnd_swap (swap, x2, x3, 2*m->size); + + /* Do the low zero bits, just duplicating x2 */ + for (i = 0; i < bit_low; i++) + { + ecc_mod_add (m, A, x2, z2); + ecc_mod_sub (m, B, x2, z2); + ecc_mod_sqr (m, AA, A, tp); + ecc_mod_sqr (m, BB, B, tp); + ecc_mod_mul (m, x2, AA, BB, tp); + ecc_mod_sub (m, E, AA, BB); + ecc_mod_addmul_1 (m, AA, E, a24); + ecc_mod_mul (m, z2, E, AA, tp); + } + assert (m->invert_itch <= 7 * m->size); + m->invert (m, x3, z2, z3 + m->size); + ecc_mod_mul_canonical (m, qx, x2, x3, z3); +} diff -Nru nettle-3.4.1/ecc-pm1-redc.c nettle-3.7.3/ecc-pm1-redc.c --- nettle-3.4.1/ecc-pm1-redc.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-pm1-redc.c 2021-06-06 20:06:29.000000000 +0000 
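Review bot: The ladder loop `for (i = bit_high, swap = 0; i >= bit_low; i--)` never terminates when bit_low == 0: i is unsigned, so after the i == 0 iteration it wraps and `n[i/8]` reads far past the scalar. Either document and check the precondition with `assert (bit_low > 0);` or write the loop so it is correct for all bit_low, e.g. `for (i = bit_high + 1, swap = 0; i-- > bit_low; )`. The function also has no header comment describing its contract, which the code implies: n is a little-endian byte string read at bits bit_low..bit_high (so at least bit_high/8 + 1 bytes), the initial (x2, z2) = P, (x3, z3) = 2P corresponds to an implicit set bit just above bit_high (the `most significant bit is forced to 1` remark), bits below bit_low are treated as zero by the trailing doubling loop, and scratch is used up to `tp` at 6*m->size plus the invert scratch at 4*m->size bounded by `assert (m->invert_itch <= 7 * m->size)`. A short comment above the function stating those points would save callers from deriving them from the macros.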
@@ -42,7 +42,7 @@ /* Use that 1 = - (p - 1) (mod p), and that at least one low limb of p - 1 is zero. */ void -ecc_pm1_redc (const struct ecc_modulo *m, mp_limb_t *rp) +ecc_pm1_redc (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { unsigned i; mp_limb_t hi, cy; @@ -50,10 +50,10 @@ mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) - rp[i] = mpn_submul_1 (rp + i + k, - m->redc_mpm1, m->size - k, rp[i]); - hi = mpn_sub_n (rp, rp + m->size, rp, m->size); - cy = cnd_add_n (hi, rp, m->m, m->size); + xp[i] = mpn_submul_1 (xp + i + k, + m->redc_mpm1, m->size - k, xp[i]); + hi = mpn_sub_n (xp, xp + m->size, xp, m->size); + cy = mpn_cnd_add_n (hi, rp, xp, m->m, m->size); assert (cy == hi); if (shift > 0) diff -Nru nettle-3.4.1/ecc-point.c nettle-3.7.3/ecc-point.c --- nettle-3.4.1/ecc-point.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-point.c 2021-06-06 20:06:29.000000000 +0000 @@ -85,6 +85,21 @@ mpz_mul_ui (rhs, rhs, 121665); mpz_clear (x2); } + else if (p->ecc->p.bit_size == 448) + { + /* curve448 special case. FIXME: Do in some cleaner way? */ + mpz_t x2, d; + mpz_init (x2); + mpz_init_set_ui (d, 39081); + mpz_mul (x2, x, x); /* x^2 */ + mpz_mul (d, d, x2); /* 39081 x^2 */ + mpz_set_ui (rhs, 1); + mpz_submul (rhs, d, lhs); /* 1 - 39081 x^2 y^2 */ + /* Check that x^2 + y^2 = 1 - 39081 x^2 y^2 */ + mpz_add (lhs, x2, lhs); /* x^2 + y^2 */ + mpz_clear (d); + mpz_clear (x2); + } else { /* Check that y^2 = x^3 - 3*x + b (mod p) */ diff -Nru nettle-3.4.1/ecc-point-mul.c nettle-3.7.3/ecc-point-mul.c --- nettle-3.4.1/ecc-point-mul.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-point-mul.c 2021-06-06 20:06:29.000000000 +0000 
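Review bot: The signature change to `ecc_pm1_redc (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp)` is not reflected in the comment above it, which still only explains the 1 = -(p-1) trick; the split into input and output buffers needs stating, e.g. `/* xp holds 2*m->size limbs and is clobbered; the m->size limb result is written to rp. */`. Whether rp may alias xp is not visible either: the visible `mpn_cnd_add_n (hi, rp, xp, m->m, m->size)` reads xp's low limbs while writing rp, so overlap other than rp == xp would be unsafe and the comment should say which aliasing is allowed. The same applies to `ecc_pp1_redc` in ecc-pp1-redc.c, whose `mpn_add_n (rp, xp, xp + m->size, m->size)` has the same shape. The `if (shift > 0)` branch continues outside the hunk.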
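Review bot: The new curve448 branch silently depends on `lhs` already holding y^2 when it executes `mpz_submul (rhs, d, lhs)` (only the `1 - 39081 x^2 y^2` comment reveals this), and it leaves the final lhs/rhs comparison to code after the hunk; a one-line comment at the top of the branch, `/* On entry lhs = y^2; leave lhs = x^2 + y^2, rhs = 1 - 39081 x^2 y^2 for the comparison below */`, would make that contract explicit. The literal 39081 is a magic number: tying it to the curve's Edwards constant, `/* edwards448: d = -39081 (RFC 7748) */`, would let a reviewer confirm the sign convention in `1 - 39081 x^2 y^2` without consulting the spec. Dispatching on `p->ecc->p.bit_size == 448`, like the 255 case above it, is what the FIXME already flags; a curve-specific hook would avoid growing this if-chain per curve.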
@@ -51,6 +51,7 @@ assert (n->ecc == ecc); assert (p->ecc == ecc); + assert (ecc->h_to_a_itch <= ecc->mul_itch); ecc->mul (ecc, scratch, n->p, p->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); diff -Nru nettle-3.4.1/ecc-point-mul-g.c nettle-3.7.3/ecc-point-mul-g.c --- nettle-3.4.1/ecc-point-mul-g.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-point-mul-g.c 2021-06-06 20:06:29.000000000 +0000 @@ -44,15 +44,15 @@ void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n) { - TMP_DECL(scratch, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); const struct ecc_curve *ecc = r->ecc; mp_limb_t size = ecc->p.size; mp_size_t itch = 3*size + ecc->mul_g_itch; + mp_limb_t *scratch = gmp_alloc_limbs (itch); assert (n->ecc == ecc); - - TMP_ALLOC (scratch, itch); + assert (ecc->h_to_a_itch <= ecc->mul_g_itch); ecc->mul_g (ecc, scratch, n->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); + gmp_free_limbs (scratch, itch); } diff -Nru nettle-3.4.1/ecc-pp1-redc.c nettle-3.7.3/ecc-pp1-redc.c --- nettle-3.4.1/ecc-pp1-redc.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecc-pp1-redc.c 2021-06-06 20:06:29.000000000 +0000 @@ -42,7 +42,7 @@ /* Use that 1 = p + 1 (mod p), and that at least one low limb of p + 1 is zero. */ void -ecc_pp1_redc (const struct ecc_modulo *m, mp_limb_t *rp) +ecc_pp1_redc (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { unsigned i; mp_limb_t hi, cy; @@ -50,9 +50,9 @@ mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) - rp[i] = mpn_addmul_1 (rp + i + k, - m->redc_mpm1, m->size - k, rp[i]); - hi = mpn_add_n (rp, rp, rp + m->size, m->size); + xp[i] = mpn_addmul_1 (xp + i + k, + m->redc_mpm1, m->size - k, xp[i]); + hi = mpn_add_n (rp, xp, xp + m->size, m->size); if (shift > 0) { hi = (hi << shift) | (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); 
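Review bot: In ecc-point-mul-g.c the scratch buffer is now `gmp_alloc_limbs (itch)` and is released with `gmp_free_limbs (scratch, itch)` without being cleared, although during `ecc->mul_g` it holds intermediates derived from the secret scalar `n->p`; unless gmp_free_limbs zeroizes (not visible here), those limbs remain in freed heap memory, so clearing the buffer before freeing it is worth considering. Whether gmp_alloc_limbs can return NULL is also not visible; if it reports failure rather than aborting, the pointer is used unchecked. The added `assert (ecc->h_to_a_itch <= ecc->mul_g_itch)` here and `assert (ecc->h_to_a_itch <= ecc->mul_itch)` in ecc-point-mul.c check a static curve property only in debug builds, which is fine as a sanity check but a comment should say the scratch sizing does not depend on it.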
@@ -63,7 +63,7 @@ } else { - cy = cnd_sub_n (hi, rp, m->m, m->size); + cy = mpn_cnd_sub_n (hi, rp, rp, m->m, m->size); assert (cy == hi); } } diff -Nru nettle-3.4.1/ecc-secp192r1.c nettle-3.7.3/ecc-secp192r1.c --- nettle-3.4.1/ecc-secp192r1.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-secp192r1.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,255 @@ +/* ecc-secp192r1.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +/* FIXME: Remove ecc.h include, once prototypes of more internal + functions are moved to ecc-internal.h */ +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-secp192r1.h" + +#if HAVE_NATIVE_ecc_secp192r1_modp + +#define ecc_secp192r1_modp _nettle_ecc_secp192r1_modp +void +ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); + +/* Use that p = 2^{192} - 2^64 - 1, to eliminate 128 bits at a time. 
*/ + +#elif GMP_NUMB_BITS == 32 +/* p is 6 limbs, p = B^6 - B^2 - 1 */ +static void +ecc_secp192r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_limb_t cy; + + /* Reduce from 12 to 9 limbs (top limb small)*/ + cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4); + cy = sec_add_1 (xp + 6, xp + 6, 2, cy); + cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4); + assert (cy <= 2); + + xp[8] = cy; + + /* Reduce from 9 to 6 limbs */ + cy = mpn_add_n (xp, xp, xp + 6, 3); + cy = sec_add_1 (xp + 3, xp + 3, 2, cy); + cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3); + cy = sec_add_1 (xp + 5, xp + 5, 1, cy); + + assert (cy <= 1); + cy = mpn_cnd_add_n (cy, rp, xp, ecc_Bmodp, 6); + assert (cy == 0); +} +#elif GMP_NUMB_BITS == 64 +/* p is 3 limbs, p = B^3 - B - 1 */ +static void +ecc_secp192r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_limb_t cy; + + /* Reduce from 6 to 5 limbs (top limb small)*/ + cy = mpn_add_n (xp + 1, xp + 1, xp + 4, 2); + cy = sec_add_1 (xp + 3, xp + 3, 1, cy); + cy += mpn_add_n (xp + 2, xp + 2, xp + 4, 2); + assert (cy <= 2); + + xp[4] = cy; + + /* Reduce from 5 to 4 limbs (high limb small) */ + cy = mpn_add_n (xp, xp, xp + 3, 2); + cy = sec_add_1 (xp + 2, xp + 2, 1, cy); + cy += mpn_add_n (xp + 1, xp + 1, xp + 3, 2); + + assert (cy <= 1); + cy = mpn_cnd_add_n (cy, rp, xp, ecc_Bmodp, 3); + assert (cy == 0); +} + +#else +#define ecc_secp192r1_modp ecc_mod +#endif + +#define ECC_SECP192R1_INV_ITCH (4*ECC_LIMB_SIZE) + +static void +ecc_secp192r1_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ +#define a62m1 scratch +#define t0 (scratch + ECC_LIMB_SIZE) +#define tp (scratch + 2*ECC_LIMB_SIZE) + + /* Addition chain + + p - 2 = 2^{192} - 2^{64} - 3 + = 1 + 2^{192} - 2^{64} - 4 + = 1 + 2^2 (2^{190} - 2^{62} - 1) + = 1 + 2^2 (2^{62} - 1 + 2^{190} - 2^63) + = 1 + 2^2 (2^{62} - 1 + 2^{63}(2^{127} - 1)) + = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{126} - 1))) + = 1 + 2^2 
(2^{62} - 1 + 2^{63}(1 + 2 (2^{63} + 1)(2^{63} - 1))) + = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{63} + 1)(1 + 2(2^{62} - 1)))) + + 2^{62} - 1 = (2^{31}+1)(2^{31}-1) + = (2^{31}+1)(1 + 2(2^{30} - 1)) + = (2^{31}+1)(1 + 2(2^{15}+1)(2^15-1)) + = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^{14}-1)))) + = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(2^7-1)))) + = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(2^3-1))))) + = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(1 + 2 (2+1)))))) + + This addition chain needs 191 squarings and 14 multiplies. + + Could be improved sligthly as: + + a^7 = 1 + 2 * (2 + 1) + 2^{62} - 1 = (2^{31}+1)(2^{31}-1) + = (2^{31}+1)(1 + 2(2^{30} - 1)) + = (2^{31}+1)(1 + 2(2^{15}+1)(2^15-1)) + = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^{14}-1)))) + = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(2^7-1)))) + = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(2^3-1))))) + 2^{65} - 1 = 2^3 (2^{62} - 1) + 2^3 - 1 + 2^{127} - 1 = 2^{62} (2^{65} - 1) + 2^{62} - 1 + p - 2 = 1 + 2^2 (2^{62} - 1 + 2^{63}(2^{127} - 1)) + + This needs 191 squarings and 13 multiplies, i.e., saving one + multiply, at the cost of additional temporary storage for a^7. 
+ */ + + ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ + ecc_mod_sqr (p, rp, rp, tp); /* a^6 */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^3-1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 3, tp); /* a^{2^6-1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^7-2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^7-1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 7, tp); /* a^{2^14-1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^15-2} */ + ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^15-1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 15, tp); /* a^{2^30-1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^31-2} */ + ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^31-1} */ + ecc_mod_pow_2kp1 (p, a62m1, rp, 31, tp); /* a^{2^62-1} Overlaps t0 */ + + ecc_mod_sqr (p, rp, a62m1, tp); /* a^{2^63-2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^63-1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 63, tp); /* a^{2^126-1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^127-2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^127-1} Clobbers t1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 63, a62m1, tp); /* a^{2^190 - 2^62 - 1} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^191 - 2^63 - 2} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^192 - 2^64 - 4} */ + ecc_mod_mul (p, rp, rp, ap, tp); +} + +const struct ecc_curve _nettle_secp_192r1 = +{ + { + 192, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_REDC_SIZE, + ECC_SECP192R1_INV_ITCH, + 0, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_redc_ppm1, + ecc_pp1h, + + ecc_secp192r1_modp, + ecc_secp192r1_modp, + ecc_secp192r1_inv, + NULL, + }, + { + 192, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_mod, + ecc_mod, + ecc_mod_inv, + NULL, + }, + + USE_REDC, + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), + ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), + ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_ITCH (ECC_LIMB_SIZE), + ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, 
ECC_SECP192R1_INV_ITCH), + + ecc_add_jja, + ecc_add_jjj, + ecc_dup_jj, + ecc_mul_a, + ecc_mul_g, + ecc_j_to_a, + + ecc_b, + ecc_unit, + ecc_table +}; + +const struct ecc_curve *nettle_get_secp_192r1(void) +{ + return &_nettle_secp_192r1; +} diff -Nru nettle-3.4.1/ecc-secp224r1.c nettle-3.7.3/ecc-secp224r1.c --- nettle-3.4.1/ecc-secp224r1.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-secp224r1.c 2021-06-06 20:06:29.000000000 +0000 
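Review bot: In ecc_secp192r1_inv the step comments `a^{2^62-1} Overlaps t0` and `a^{2^127-1} Clobbers t1` contradict the layout declared at the top of the function: `a62m1` is `scratch`, `t0` is `scratch + ECC_LIMB_SIZE`, so they do not overlap, and no `t1` exists; replace them with what the value is kept for, e.g. `/* a^{2^62-1}, kept in a62m1 for the final pow_2k_mul */`, and drop the `Clobbers t1` remark. The fixed sequence of squarings and multiplies is what makes this inversion independent of the input value; stating that intent in the header comment documents a property the addition-chain derivation otherwise leaves implicit (the derivation also has a typo, `sligthly`). The file header `Compile time constant (but machine dependent) tables.` no longer describes the file, which now carries the modp reduction and the inversion; the same header appears in the new ecc-secp224r1.c, ecc-secp256r1.c and ecc-secp384r1.c.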
@@ -0,0 +1,183 @@ +/* ecc-secp224r1.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "ecc.h" +#include "ecc-internal.h" + +#if HAVE_NATIVE_ecc_secp224r1_modp + +#define USE_REDC 0 +#define ecc_secp224r1_modp _nettle_ecc_secp224r1_modp +void +ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); + +#else +#define USE_REDC (ECC_REDC_SIZE != 0) +#define ecc_secp224r1_modp ecc_mod +#endif + +#include "ecc-secp224r1.h" + +#if ECC_REDC_SIZE < 0 +# define ecc_secp224r1_redc ecc_pm1_redc +#elif ECC_REDC_SIZE == 0 +# define ecc_secp224r1_redc NULL +#else +# error Configuration error +#endif + +#define ECC_SECP224R1_INV_ITCH (4*ECC_LIMB_SIZE) + +static void +ecc_secp224r1_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ +#define a7 scratch +#define t0 (scratch + 1*ECC_LIMB_SIZE) +#define a31m1 t0 +#define a96m1 a7 +#define tp (scratch + 2*ECC_LIMB_SIZE) + + /* Addition chain for p - 2 = 2^{224} - 2^{96} - 1 + + 7 = 1 + 2 (2+1) 2 S + 2 M + 2^{31} - 1 = 1 + 2 (2^{15} + 1)(1 + 2 (2^7 + 1) (1 + 2 (2^3+1) * 7)) + 28 S + 6 M + 2^{34} - 1 = 2^3 (2^{31} - 1) + 7 3 S + M + 2^{65} - 1 = 2^{31}(2^{34} - 1) + 2^{31} - 1 31 S + M + 2^{96} - 1 = 2^{31}(2^{65} - 1) + 2^{31} - 1 31 S + M + 2^{127} - 1 = 2^{31}(2^{96} - 1) + 2^{31} - 1 31 S + M + + 2^{224} - 2^{96} - 1 97 S + M + = 2^{97}(2^{127} - 1) + 2^{96} - 1 + + This addition chain needs 223 squarings and 13 multiplies. 
+ */ + ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ + ecc_mod_sqr (p, rp, rp, tp); /* a^6 */ + ecc_mod_mul (p, a7, rp, ap, tp); /* a^{2^3-1} a7 */ + + ecc_mod_pow_2kp1 (p, rp, a7, 3, tp); /* a^{2^6 - 1} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^7 - 2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^7 - 1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 7, tp); /* a^{2^14 - 1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^15 - 2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^15 - 1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 15, tp); /* a^{2^30 - 1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^31 - 2} */ + ecc_mod_mul (p, a31m1, rp, ap, tp); /* a^{2^31 - 1} a7, a31m1 */ + + ecc_mod_pow_2k_mul (p, rp, a31m1, 3, a7, tp); /* a^{2^34 - 1} a31m1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 31, a31m1, tp); /* a^{2^65 - 1} a31m1 */ + ecc_mod_pow_2k_mul (p, a96m1, rp, 31, a31m1, tp); /* a^{2^96 - 1} a31m1, a96m1 */ + ecc_mod_pow_2k_mul (p, rp, a96m1, 31, a31m1, tp); /* a^{2^{127} - 1} a96m1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 97, a96m1, tp); /* a^{2^{224} - 2^{96} - 1 */ +} + + +const struct ecc_curve _nettle_secp_224r1 = +{ + { + 224, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + -ECC_REDC_SIZE, + ECC_SECP224R1_INV_ITCH, + 0, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_redc_ppm1, + ecc_pp1h, + + ecc_secp224r1_modp, + USE_REDC ? 
ecc_secp224r1_redc : ecc_secp224r1_modp, + ecc_secp224r1_inv, + NULL, + }, + { + 224, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_mod, + ecc_mod, + ecc_mod_inv, + NULL, + }, + + USE_REDC, + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), + ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), + ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_ITCH (ECC_LIMB_SIZE), + ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP224R1_INV_ITCH), + + ecc_add_jja, + ecc_add_jjj, + ecc_dup_jj, + ecc_mul_a, + ecc_mul_g, + ecc_j_to_a, + + ecc_b, + ecc_unit, + ecc_table +}; + +const struct ecc_curve *nettle_get_secp_224r1(void) +{ + return &_nettle_secp_224r1; +} diff -Nru nettle-3.4.1/ecc-secp256r1.c nettle-3.7.3/ecc-secp256r1.c --- nettle-3.4.1/ecc-secp256r1.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-secp256r1.c 2021-06-06 20:06:29.000000000 +0000 
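Review bot: The last step comment in ecc_secp224r1_inv, `/* a^{2^{224} - 2^{96} - 1 */`, is missing its closing brace; `/* a^{2^{224} - 2^{96} - 1} = a^{p-2} */` would also tie the result to the exponent derived in the addition-chain comment. The `USE_REDC` macro is defined differently in the two preprocessor branches (`0` under HAVE_NATIVE_ecc_secp224r1_modp, `(ECC_REDC_SIZE != 0)` otherwise) before `#include "ecc-secp224r1.h"`, which only works because expansion is deferred until the later `#if ECC_REDC_SIZE < 0` and the struct initializer; a one-line comment that the header is expected to define ECC_REDC_SIZE and ECC_LIMB_SIZE would save the next reader a lookup.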
@@ -0,0 +1,365 @@ +/* ecc-secp256r1.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#if HAVE_NATIVE_ecc_secp256r1_redc +# define USE_REDC 1 +#else +# define USE_REDC (ECC_REDC_SIZE != 0) +#endif + +#include "ecc-secp256r1.h" + +#if HAVE_NATIVE_ecc_secp256r1_redc +# define ecc_secp256r1_redc _nettle_ecc_secp256r1_redc +void +ecc_secp256r1_redc (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp); +#else /* !HAVE_NATIVE_ecc_secp256r1_redc */ +# if ECC_REDC_SIZE > 0 +# define ecc_secp256r1_redc ecc_pp1_redc +# elif ECC_REDC_SIZE == 0 +# define ecc_secp256r1_redc NULL +# else +# error Configuration error +# endif +#endif /* !HAVE_NATIVE_ecc_secp256r1_redc */ + +#if ECC_BMODP_SIZE < ECC_LIMB_SIZE +#define ecc_secp256r1_modp ecc_mod +#define ecc_secp256r1_modq ecc_mod +#elif GMP_NUMB_BITS == 64 + +static void +ecc_secp256r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_limb_t u1, u0; + mp_size_t n; + + n = 2*p->size; + u1 = xp[--n]; + u0 = xp[n-1]; + + /* This is not particularly fast, but should work well with assembly implementation. */ + for (; n >= p->size; n--) + { + mp_limb_t q2, q1, q0, t, cy; + + /* = v * u1 + , with v = 2^32 - 1: + + +---+---+ + | u1| u0| + +---+---+ + |-u1| + +-+-+-+ + | u1| + +---+-+-+-+-+ + | q2| q1| q0| + +---+---+---+ + */ + q1 = u1 - (u1 > u0); + q0 = u0 - u1; + t = u1 << 32; + q0 += t; + t = (u1 >> 32) + (q0 < t) + 1; + q1 += t; + q2 = q1 < t; + + /* Compute candidate remainder */ + u1 = u0 + (q1 << 32) - q1; + t = -(mp_limb_t) (u1 > q0); + u1 -= t & 0xffffffff; + q1 += t; + q2 += t + (q1 < t); + + assert (q2 < 2); + + /* + n-1 n-2 n-3 n-4 + +---+---+---+---+ + | u1| u0| u low | + +---+---+---+---+ + - | q1(2^96-1)| + +-------+---+ + |q2(2^.)| + +-------+ + + We multiply by two low limbs of p, 2^96 - 1, so we could use + shifts rather than mul. 
+ */ + t = mpn_submul_1 (xp + n - 4, p->m, 2, q1); + t += mpn_cnd_sub_n (q2, xp + n - 3, xp + n - 3, p->m, 1); + t += (-q2) & 0xffffffff; + + u0 = xp[n-2]; + cy = (u0 < t); + u0 -= t; + t = (u1 < cy); + u1 -= cy; + + cy = mpn_cnd_add_n (t, xp + n - 4, xp + n - 4, p->m, 2); + u0 += cy; + u1 += (u0 < cy); + u1 -= (-t) & 0xffffffff; + } + rp[0] = xp[0]; + rp[1] = xp[1]; + rp[2] = u0; + rp[3] = u1; +} + +static void +ecc_secp256r1_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_limb_t u2, u1, u0; + mp_size_t n; + + n = 2*q->size; + u2 = xp[--n]; + u1 = xp[n-1]; + + /* This is not particularly fast, but should work well with assembly implementation. */ + for (; n >= q->size; n--) + { + mp_limb_t q2, q1, q0, t, c1, c0; + + u0 = xp[n-2]; + + /* = v * u2 + , same method as above. + + +---+---+ + | u2| u1| + +---+---+ + |-u2| + +-+-+-+ + | u2| + +---+-+-+-+-+ + | q2| q1| q0| + +---+---+---+ + */ + q1 = u2 - (u2 > u1); + q0 = u1 - u2; + t = u2 << 32; + q0 += t; + t = (u2 >> 32) + (q0 < t) + 1; + q1 += t; + q2 = q1 < t; + + /* Compute candidate remainder, - * (2^128 - 2^96 + 2^64 - 1) + + 2^64 q2 + (2^96 - 2^64 + 1) q1 (mod 2^128) + + +---+---+ + | u1| u0| + +---+---+ + | q2| q1| + +---+---+ + |-q1| + +-+-+-+ + | q1| + --+-+-+-+---+ + | u2| u1| + +---+---+ + */ + u2 = u1 + q2 - q1; + u1 = u0 + q1; + u2 += (u1 < q1); + u2 += (q1 << 32); + + t = -(mp_limb_t) (u2 >= q0); + q1 += t; + q2 += t + (q1 < t); + u1 += t; + u2 += (t << 32) + (u1 < t); + + assert (q2 < 2); + + c0 = mpn_cnd_sub_n (q2, xp + n - 3, xp + n - 3, q->m, 1); + c0 += (-q2) & q->m[1]; + t = mpn_submul_1 (xp + n - 4, q->m, 2, q1); + c0 += t; + c1 = c0 < t; + + /* Construct underflow condition. 
*/ + c1 += (u1 < c0); + t = - (mp_limb_t) (u2 < c1); + + u1 -= c0; + u2 -= c1; + + /* Conditional add of p */ + u1 += t; + u2 += (t<<32) + (u1 < t); + + t = mpn_cnd_add_n (t, xp + n - 4, xp + n - 4, q->m, 2); + u1 += t; + u2 += (u1 < t); + } + rp[0] = xp[0]; + rp[1] = xp[1]; + rp[2] = u1; + rp[3] = u2; +} + +#else +#error Unsupported parameters +#endif + +#define ECC_SECP256R1_INV_ITCH (4*ECC_LIMB_SIZE) + +static void +ecc_secp256r1_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ +#define a5m1 scratch +#define t0 (scratch + ECC_LIMB_SIZE) +#define a15m1 t0 +#define a32m1 a5m1 +#define tp (scratch + 2*ECC_LIMB_SIZE) +/* + Addition chain for p - 2 = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 3 + + 2^5 - 1 = 1 + 2 (2^4 - 1) = 1 + 2 (2^2+1)(2 + 1) 4 S + 3 M + 2^{15} - 1 = (2^5 - 1) (1 + 2^5 (1 + 2^5) 10 S + 2 M + 2^{16} - 1 = 1 + 2 (2^{15} - 1) S + M + 2^{32} - 1 = (2^{16} + 1) (2^{16} - 1) 16 S + M + 2^{64} - 2^{32} + 1 = 2^{32} (2^{32} - 1) + 1 32 S + M + 2^{192} - 2^{160} + 2^{128} + 2^{32} - 1 + = 2^{128} (2^{64} - 2^{32} + 1) + 2^{32} - 1 128 S + M + 2^{224} - 2^{192} + 2^{160} + 2^{64} - 1 + = 2^{32} (...) + 2^{32} - 1 32 S + M + 2^{239} - 2^{207} + 2^{175} + 2^{79} - 1 + = 2^{15} (...) + 2^{15} - 1 15 S + M + 2^{254} - 2^{222} + 2^{190} + 2^{94} - 1 + = 2^{15} (...) + 2^{15} - 1 15 S + M + p - 2 = 2^2 (...) 
+ 1 2 S M + --------------- + 255 S + 13 M + */ + ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ + ecc_mod_pow_2kp1 (p, t0, rp, 2, tp); /* a^{2^4 - 1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^5 - 2} */ + ecc_mod_mul (p, a5m1, rp, ap, tp); /* a^{2^5 - 1}, a5m1 */ + + ecc_mod_pow_2kp1 (p, rp, a5m1, 5, tp); /* a^{2^{10} - 1, a5m1*/ + ecc_mod_pow_2k_mul (p, a15m1, rp, 5, a5m1, tp); /* a^{2^{15} - 1}, a5m1 a15m1 */ + ecc_mod_sqr (p, rp, a15m1, tp); /* a^{2^{16} - 2}, a15m1 */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^{16} - 1}, a15m1 */ + ecc_mod_pow_2kp1 (p, a32m1, rp, 16, tp); /* a^{2^{32} - 1}, a15m1, a32m1 */ + + ecc_mod_pow_2k_mul (p, rp, a32m1, 32, ap, tp);/* a^{2^{64} - 2^{32} + 1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 128, a32m1, tp); /* a^{2^{192} - 2^{160} + 2^{128} + 2^{32} - 1} */ + ecc_mod_pow_2k_mul (p, rp, rp, 32, a32m1, tp);/* a^{2^{224} - 2^{192} + 2^{160} + 2^{64} - 1} */ + ecc_mod_pow_2k_mul (p, rp, rp, 15, a15m1, tp);/* a^{2^{239} - 2^{207} + 2^{175} + 2^{79} - 1} */ + ecc_mod_pow_2k_mul (p, rp, rp, 15, a15m1, tp);/* a^{2^{254} - 2^{222} + 2^{190} + 2^{94} - 1} */ + ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp); /* a^{2^{256} - 2^{224} + 2^{192} + 2^{96} - 3} */ +} + +const struct ecc_curve _nettle_secp_256r1 = +{ + { + 256, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_REDC_SIZE, + ECC_SECP256R1_INV_ITCH, + 0, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_redc_ppm1, + ecc_pp1h, + + ecc_secp256r1_modp, + USE_REDC ? 
ecc_secp256r1_redc : ecc_secp256r1_modp, + ecc_secp256r1_inv, + NULL, + }, + { + 256, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_secp256r1_modq, + ecc_secp256r1_modq, + ecc_mod_inv, + NULL, + }, + + USE_REDC, + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), + ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), + ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_ITCH (ECC_LIMB_SIZE), + ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP256R1_INV_ITCH), + + ecc_add_jja, + ecc_add_jjj, + ecc_dup_jj, + ecc_mul_a, + ecc_mul_g, + ecc_j_to_a, + + ecc_b, + ecc_unit, + ecc_table +}; + +const struct ecc_curve *nettle_get_secp_256r1(void) +{ + return &_nettle_secp_256r1; +} diff -Nru nettle-3.4.1/ecc-secp384r1.c nettle-3.7.3/ecc-secp384r1.c --- nettle-3.4.1/ecc-secp384r1.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-secp384r1.c 2021-06-06 20:06:29.000000000 +0000 
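Review bot: In ecc_secp256r1_modq the comment `/* Conditional add of p */` before `mpn_cnd_add_n (t, xp + n - 4, xp + n - 4, q->m, 2)` names the wrong modulus: this routine reduces modulo the group order `q->m`, so it should read `/* Conditional add of q */`. Both hand-written reduction loops encode the moduli in literals (`0xffffffff`, the `<< 32` shifts, `q->m[1]`), and only the inversion comment later in the file spells out that p - 2 = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 3; a one-line comment at the top of modp, `/* p = 2^256 - 2^224 + 2^192 + 2^96 - 1, so the low limbs of p are 2^96 - 1 and the masks below are 2^32 - 1 */`, would let a reader check the arithmetic without re-deriving it. The `assert (q2 < 2)` guards on the quotient estimate are debug-only; the comment should state why q2 is at most 1 so the release build's correctness does not rest on an invisible argument.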
@@ -0,0 +1,275 @@ +/* ecc-secp384r1.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-secp384r1.h" + +#if HAVE_NATIVE_ecc_secp384r1_modp +#define ecc_secp384r1_modp _nettle_ecc_secp384r1_modp +void +ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); +#elif GMP_NUMB_BITS == 32 + +/* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256 + bits at a time. + + We can get carry == 2 in the first iteration, and I think *only* in + the first iteration. */ + +/* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate + almost 8 at a time. Do only 7, to avoid additional carry + propagation, followed by 5. 
*/ +static void +ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_limb_t cy, bw; + + /* Reduce from 24 to 17 limbs. */ + cy = mpn_add_n (xp + 4, xp + 4, xp + 16, 8); + cy = sec_add_1 (xp + 12, xp + 12, 3, cy); + + bw = mpn_sub_n (xp + 5, xp + 5, xp + 16, 8); + bw = sec_sub_1 (xp + 13, xp + 13, 3, bw); + + cy += mpn_add_n (xp + 7, xp + 7, xp + 16, 8); + cy = sec_add_1 (xp + 15, xp + 15, 1, cy); + + cy += mpn_add_n (xp + 8, xp + 8, xp + 16, 8); + assert (bw <= cy); + cy -= bw; + + assert (cy <= 2); + xp[16] = cy; + + /* Reduce from 17 to 12 limbs */ + cy = mpn_add_n (xp, xp, xp + 12, 5); + cy = sec_add_1 (xp + 5, xp + 5, 3, cy); + + bw = mpn_sub_n (xp + 1, xp + 1, xp + 12, 5); + bw = sec_sub_1 (xp + 6, xp + 6, 6, bw); + + cy += mpn_add_n (xp + 3, xp + 3, xp + 12, 5); + cy = sec_add_1 (xp + 8, xp + 8, 1, cy); + + cy += mpn_add_n (xp + 4, xp + 4, xp + 12, 5); + cy = sec_add_1 (xp + 9, xp + 9, 3, cy); + + assert (cy >= bw); + cy -= bw; + assert (cy <= 1); + cy = mpn_cnd_add_n (cy, rp, xp, p->B, ECC_LIMB_SIZE); + assert (cy == 0); +} +#elif GMP_NUMB_BITS == 64 +/* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3 + (almost 4) limbs at a time. 
*/ +static void +ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) +{ + mp_limb_t tp[6]; + mp_limb_t cy; + + /* Reduce from 12 to 9 limbs */ + tp[0] = 0; /* FIXME: Could use mpn_sub_nc */ + mpn_copyi (tp + 1, xp + 8, 3); + tp[4] = xp[11] - mpn_sub_n (tp, tp, xp + 8, 4); + tp[5] = mpn_lshift (tp, tp, 5, 32); + + cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4); + cy = sec_add_1 (xp + 6, xp + 6, 2, cy); + + cy += mpn_add_n (xp + 2, xp + 2, tp, 6); + cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4); + + assert (cy <= 2); + xp[8] = cy; + + /* Reduce from 9 to 6 limbs */ + tp[0] = 0; + mpn_copyi (tp + 1, xp + 6, 2); + tp[3] = xp[8] - mpn_sub_n (tp, tp, xp + 6, 3); + tp[4] = mpn_lshift (tp, tp, 4, 32); + + cy = mpn_add_n (xp, xp, xp + 6, 3); + cy = sec_add_1 (xp + 3, xp + 3, 2, cy); + cy += mpn_add_n (xp, xp, tp, 5); + cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3); + + cy = sec_add_1 (xp + 5, xp + 5, 1, cy); + assert (cy <= 1); + + cy = mpn_cnd_add_n (cy, xp, xp, p->B, ECC_LIMB_SIZE); + assert (cy == 0); + mpn_copyi (rp, xp, ECC_LIMB_SIZE); +} +#else +#define ecc_secp384r1_modp ecc_mod +#endif + +#define ECC_SECP384R1_INV_ITCH (6*ECC_LIMB_SIZE) + +static void +ecc_secp384r1_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ +#define a3 scratch +#define a5m1 (scratch + ECC_LIMB_SIZE) +#define a15m1 (scratch + 2*ECC_LIMB_SIZE) +#define a30m1 a5m1 +#define t0 (scratch + 3*ECC_LIMB_SIZE) +#define tp (scratch + 4*ECC_LIMB_SIZE) + /* + Addition chain for + + p - 2 = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 3 + + 3 = 1 + 2 + 2^4 - 1 = 15 = (2^2 + 1) * 3 + 2^5 - 1 = 1 + 2(2^4 - 1) + 2^{15} - 1 = (1 + 2^5(1 + 2^5)) (2^5-1) + 2^{30} - 1 = (2^{15} + 1) (2^{15} - 1) + 2^{60} - 1 = (2^{30} + 1) (2^{30} - 1) + 2^{120} - 1 = (2^{60} + 1) (2^{60} - 1) + 2^{240} - 1 = (2^{120} + 1)(2^{120} - 1) + 2^{255} - 1 = 2^{15} (2^{240} - 1) + 2^{15} - 1 + 2^{286} - 2^{30} - 1 = 2^{31} (2^{255} - 1) + 2^{30} - 1 + + 2^{288} - 2^{32} - 1 = 2^2 
(2^{286} - 2^{30} - 1) + 3 + 2^{382} - 2^{126} - 2^{94} + 2^{30} - 1 + = 2^{94} (2^{288} - 2^{32} - 1) + 2^{30} - 1 + + This addition chain needs 383 squarings and 14 multiplies. + + */ + ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ + ecc_mod_mul (p, a3, rp, ap, tp); /* a^3 */ + ecc_mod_pow_2kp1 (p, rp, a3, 2, tp); /* a^{2^4 - 1}, a3 */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^5 - 2} */ + ecc_mod_mul (p, a5m1, rp, ap, tp); /* a^{2^5 - 1}, a3 a5m1 */ + + ecc_mod_pow_2kp1 (p, rp, a5m1, 5, tp); /* a^{2^{10} - 1, a3, a5m1*/ + ecc_mod_pow_2k_mul (p, a15m1, rp, 5, a5m1, tp); /* a^{2^{15} - 1}, a3, a5m1 a15m1 */ + ecc_mod_pow_2kp1 (p, a30m1, a15m1, 15, tp); /* a^{2^{30} - 1}, a3 a15m1 a30m1 */ + + ecc_mod_pow_2kp1 (p, rp, a30m1, 30, tp); /* a^{2^{60} - 1, a3 a15m1 a30m1 */ + ecc_mod_pow_2kp1 (p, t0, rp, 60, tp); /* a^{2^{120} - 1, a3 a15m1 a30m1 */ + ecc_mod_pow_2kp1 (p, rp, t0, 120, tp); /* a^{2^{240} - 1, a3 a15m1 a30m1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 15, a15m1, tp); /* a^{2^{255} - 1, a3 a30m1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 31, a30m1, tp); /* a^{2^{286} - 2^{30} - 1}, a3 a30m1 */ + + ecc_mod_pow_2k_mul (p, rp, rp, 2, a3, tp); /* a^{2^{288} - 2^{32} - 1, a30m1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 94, a30m1, tp); /* a^{2^{392} - 2^{126} - 2^{94} + 2^{30} - 1 */ + ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp); +} + +const struct ecc_curve _nettle_secp_384r1 = +{ + { + 384, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_REDC_SIZE, + ECC_SECP384R1_INV_ITCH, + 0, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_redc_ppm1, + ecc_pp1h, + + ecc_secp384r1_modp, + ecc_secp384r1_modp, + ecc_secp384r1_inv, + NULL, + }, + { + 384, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_mod, + ecc_mod, + ecc_mod_inv, + NULL, + }, + + USE_REDC, + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), + ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), + ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), + 
ECC_MUL_A_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_ITCH (ECC_LIMB_SIZE), + ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP384R1_INV_ITCH), + + ecc_add_jja, + ecc_add_jjj, + ecc_dup_jj, + ecc_mul_a, + ecc_mul_g, + ecc_j_to_a, + + ecc_b, + ecc_unit, + ecc_table +}; + +const struct ecc_curve *nettle_get_secp_384r1(void) +{ + return &_nettle_secp_384r1; +} diff -Nru nettle-3.4.1/ecc-secp521r1.c nettle-3.7.3/ecc-secp521r1.c --- nettle-3.4.1/ecc-secp521r1.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ecc-secp521r1.c 2021-06-06 20:06:29.000000000 +0000 
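Review bot: The per-step comments in `ecc_secp384r1_inv` drift from the addition chain written just above them: `ecc_mod_pow_2k_mul (p, rp, rp, 94, a30m1, tp)` is annotated `a^{2^{392} - 2^{126} - 2^{94} + 2^{30} - 1` where the derivation (and 94 + 288) gives `2^{382}`, several annotations (`a^{2^{10} - 1`, `a^{2^{60} - 1`, …) never close their braces, and the final `ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp);` carries no annotation at all. Since these comments are the only per-step record of the exponent and of which scratch values are still live, they are worth keeping exact; the last line should read `ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp); /* a^{2^{384} - 2^{128} - 2^{96} + 2^{32} - 3} = a^{p-2} */`. The ecc-secp521r1.c hunk in this diff has the same kind of slip, labelling its last step `a^{2^519 - 3}` where the preceding `a^{2^521 - 4}` times `a` is `a^{2^521 - 3}`.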
@@ -0,0 +1,192 @@ +/* ecc-secp521r1.c + + Compile time constant (but machine dependent) tables. + + Copyright (C) 2013, 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "ecc.h" +#include "ecc-internal.h" + +#define USE_REDC 0 + +#include "ecc-secp521r1.h" + +#if HAVE_NATIVE_ecc_secp521r1_modp +#define ecc_secp521r1_modp _nettle_ecc_secp521r1_modp +void +ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); + +#else + +#define B_SHIFT (521 % GMP_NUMB_BITS) +#define BMODP_SHIFT (GMP_NUMB_BITS - B_SHIFT) +#define BMODP ((mp_limb_t) 1 << BMODP_SHIFT) + +/* Result may be *slightly* larger than 2^521 */ +static void +ecc_secp521r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) +{ + /* FIXME: Should use mpn_addlsh_n_ip1 */ + mp_limb_t hi; + /* Reduce from 2*ECC_LIMB_SIZE to ECC_LIMB_SIZE + 1 */ + xp[ECC_LIMB_SIZE] + = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, BMODP); + hi = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, 1, BMODP); + hi = sec_add_1 (xp + 1, xp + 1, ECC_LIMB_SIZE - 1, hi); + + /* Combine hi with top bits, and add in. */ + hi = (hi << BMODP_SHIFT) | (xp[ECC_LIMB_SIZE-1] >> B_SHIFT); + rp[ECC_LIMB_SIZE-1] = (xp[ECC_LIMB_SIZE-1] + & (((mp_limb_t) 1 << B_SHIFT)-1)) + + sec_add_1 (rp, xp, ECC_LIMB_SIZE - 1, hi); +} +#endif + +#define ECC_SECP521R1_INV_ITCH (3*ECC_LIMB_SIZE) + +static void +ecc_secp521r1_inv (const struct ecc_modulo *p, + mp_limb_t *rp, const mp_limb_t *ap, + mp_limb_t *scratch) +{ +#define t0 scratch +#define tp (scratch + ECC_LIMB_SIZE) + + /* Addition chain for p - 2: + + 2^{521} - 3 + = 1 + 2^2(2^519 - 1) + = 1 + 2^2(1 + 2 (2^518 - 1) + = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^258 - 1))) + = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^129 + 1) (2^129 - 1))) + = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^129 + 1) (1 + 2 (2^128 - 1)))) + + where + + 2^{128} - 1 = (2^64 + 1) (2^32+1) (2^16 + 1) (2^8 + 1) (2^4 + 1) (2^2 + 1) (2 + 1) + + This addition chain needs 520 squarings and 13 multiplies. 
+ */ + + ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ + ecc_mod_mul (p, rp, ap, rp, tp); /* a^3 = a^{2^2 - 1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 2, tp); /* a^15 = a^{2^4 - 1} */ + ecc_mod_pow_2kp1 (p, rp, t0, 4, tp); /* a^{2^8 - 1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 8, tp); /* a^{2^16 - 1} */ + ecc_mod_pow_2kp1 (p, rp, t0, 16, tp); /* a^{2^32 - 1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 32, tp); /* a^{2^64 - 1} */ + ecc_mod_pow_2kp1 (p, rp, t0, 64, tp); /* a^{2^128 - 1} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^129 - 2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^129 - 1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 129, tp);/* a^{2^258 - 1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^259 - 2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^259 - 1} */ + ecc_mod_pow_2kp1 (p, t0, rp, 259, tp);/* a^{2^518 - 1} */ + ecc_mod_sqr (p, rp, t0, tp); /* a^{2^519 - 2} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^519 - 1} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^520 - 2} */ + ecc_mod_sqr (p, rp, rp, tp); /* a^{2^521 - 4} */ + ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^519 - 3} */ +} + +const struct ecc_curve _nettle_secp_521r1 = +{ + { + 521, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_REDC_SIZE, + ECC_SECP521R1_INV_ITCH, + 0, + + ecc_p, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_redc_ppm1, + ecc_pp1h, + + ecc_secp521r1_modp, + ecc_secp521r1_modp, + ecc_secp521r1_inv, + NULL, + }, + { + 521, + ECC_LIMB_SIZE, + ECC_BMODQ_SIZE, + 0, + ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), + 0, + + ecc_q, + ecc_Bmodq, + ecc_Bmodq_shifted, + NULL, + ecc_qp1h, + + ecc_mod, + ecc_mod, + ecc_mod_inv, + NULL, + }, + + USE_REDC, + ECC_PIPPENGER_K, + ECC_PIPPENGER_C, + + ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), + ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), + ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), + ECC_MUL_A_ITCH (ECC_LIMB_SIZE), + ECC_MUL_G_ITCH (ECC_LIMB_SIZE), + ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP521R1_INV_ITCH), + + ecc_add_jja, + ecc_add_jjj, + ecc_dup_jj, + ecc_mul_a, + ecc_mul_g, + ecc_j_to_a, + + ecc_b, + ecc_unit, + ecc_table +}; + +const struct 
ecc_curve *nettle_get_secp_521r1(void) +{ + return &_nettle_secp_521r1; +} diff -Nru nettle-3.4.1/ecdsa-keygen.c nettle-3.7.3/ecdsa-keygen.c --- nettle-3.4.1/ecdsa-keygen.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ecdsa-keygen.c 2021-06-06 20:06:29.000000000 +0000 @@ -52,6 +52,7 @@ mp_size_t itch = 3*ecc->p.size + ecc->mul_g_itch; assert (key->ecc == ecc); + assert (ecc->h_to_a_itch <= ecc->mul_g_itch); TMP_ALLOC (p, itch); diff -Nru nettle-3.4.1/ed25519-sha512.c nettle-3.7.3/ed25519-sha512.c --- nettle-3.4.1/ed25519-sha512.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ed25519-sha512.c 2021-06-06 20:06:29.000000000 +0000 
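Review bot: The added `assert (ecc->h_to_a_itch <= ecc->mul_g_itch);` is the only thing making `itch = 3*ecc->p.size + ecc->mul_g_itch` sufficient for what is presumably a later h_to_a call on the same scratch, and it compiles away under NDEBUG, so a curve that violated it would get an undersized buffer with no diagnostic in release builds. Both fields come from the static curve tables (the `ECC_MUL_G_ITCH`/`ECC_J_TO_A_ITCH` entries in the curve definitions elsewhere in this diff), so a silent regression is unlikely, but sizing with the larger of the two costs nothing: `mp_size_t itch = 3*ecc->p.size + (ecc->h_to_a_itch > ecc->mul_g_itch ? ecc->h_to_a_itch : ecc->mul_g_itch);`. The enclosing function starts before and ends after this hunk.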
@@ -0,0 +1,52 @@ +/* ed25519-sha512.c + + Copyright (C) 2019 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "eddsa-internal.h" + +#include "nettle-types.h" +#include "sha2.h" + +static nettle_eddsa_dom_func ed25519_dom; + +static void ed25519_dom(void *ctx UNUSED) {} + +const struct ecc_eddsa _nettle_ed25519_sha512 = + { + (nettle_hash_update_func *) sha512_update, + (nettle_hash_digest_func *) sha512_digest, + ed25519_dom, + ~(mp_limb_t) 7, + (mp_limb_t) 1 << (254 % GMP_NUMB_BITS), + }; diff -Nru nettle-3.4.1/ed25519-sha512-pubkey.c nettle-3.7.3/ed25519-sha512-pubkey.c --- nettle-3.4.1/ed25519-sha512-pubkey.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ed25519-sha512-pubkey.c 2021-06-06 20:06:29.000000000 +0000 @@ -34,6 +34,7 @@ #endif #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" 
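Review bot: The last two initializers of `_nettle_ed25519_sha512`, `~(mp_limb_t) 7` and `(mp_limb_t) 1 << (254 % GMP_NUMB_BITS)`, are the scalar-clamping parameters consumed as `eddsa->low_mask` and `eddsa->high_bit` in eddsa-expand.c, but nothing at the definition says so and the field names live in eddsa-internal.h, outside this chunk. A comment on each, `/* low_mask: clear the low 3 bits of the secret scalar (RFC 8032 5.1.5) */` and `/* high_bit: bit 254, set after clearing everything above it */`, lets a reader check the values against the spec without opening the header. The empty `ed25519_dom` also deserves one line, e.g. `/* Ed25519 (pure) prepends no dom2 prefix to the hash input. */`, since the ed448 counterpart in this diff does hash a prefix.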
@@ -49,8 +50,8 @@ #define k scratch #define scratch_out (scratch + ecc->q.size) - - _eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k); + sha512_init (&ctx); + _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k); _eddsa_public_key (ecc, k, pub, scratch_out); gmp_free_limbs (scratch, itch); diff -Nru nettle-3.4.1/ed25519-sha512-sign.c nettle-3.7.3/ed25519-sha512-sign.c --- nettle-3.4.1/ed25519-sha512-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ed25519-sha512-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -34,6 +34,7 @@ #endif #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" @@ -51,14 +52,13 @@ #define scratch_out (scratch + ecc->q.size) struct sha512_ctx ctx; uint8_t digest[SHA512_DIGEST_SIZE]; -#define k1 (digest + ED25519_KEY_SIZE) - _eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k2); + sha512_init (&ctx); + _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k2); - sha512_update (&ctx, ED25519_KEY_SIZE, k1); - _eddsa_sign (ecc, &nettle_sha512, pub, - &ctx, - k2, length, msg, signature, scratch_out); + _eddsa_sign (ecc, &_nettle_ed25519_sha512, &ctx, + pub, digest + ED25519_KEY_SIZE, k2, + length, msg, signature, scratch_out); gmp_free_limbs (scratch, itch); #undef k1 diff -Nru nettle-3.4.1/ed25519-sha512-verify.c nettle-3.7.3/ed25519-sha512-verify.c --- nettle-3.4.1/ed25519-sha512-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ed25519-sha512-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #include #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" 
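Review bot: The hunk deletes `#define k1 (digest + ED25519_KEY_SIZE)` but leaves the matching `#undef k1` at the end of the function, so the function now undefines a macro it never defines. That is harmless to the compiler but misleading to the next reader, who will go looking for the definition; either drop the `#undef k1` line or keep the `k1` macro and pass `k1` instead of the bare `digest + ED25519_KEY_SIZE`. The new ed448-shake256-sign.c in this diff has the same stale `#undef k1` without any `#define k1`. The enclosing function begins before this hunk.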
@@ -52,9 +53,11 @@ int res; #define A scratch #define scratch_out (scratch + 3*ecc->p.size) + + sha512_init (&ctx); res = (_eddsa_decompress (ecc, A, pub, scratch_out) - && _eddsa_verify (ecc, &nettle_sha512, + && _eddsa_verify (ecc, &_nettle_ed25519_sha512, pub, A, &ctx, length, msg, signature, scratch_out)); diff -Nru nettle-3.4.1/ed448-shake256.c nettle-3.7.3/ed448-shake256.c --- nettle-3.4.1/ed448-shake256.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ed448-shake256.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,60 @@ +/* ed448-shake256.c + + Copyright (C) 2019 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "eddsa-internal.h" + +#include "nettle-types.h" +#include "sha3.h" + +#define DOM_SIZE 10 + +static nettle_eddsa_dom_func ed448_dom; + +static void +ed448_dom(void *ctx) +{ + static const uint8_t dom[DOM_SIZE] = + { 'S', 'i', 'g', 'E', 'd', '4', '4', '8', 0, 0}; + sha3_256_update (ctx, DOM_SIZE, dom); +} + +const struct ecc_eddsa _nettle_ed448_shake256 = + { + (nettle_hash_update_func *) sha3_256_update, + (nettle_hash_digest_func *) sha3_256_shake, + ed448_dom, + ~(mp_limb_t) 3, + (mp_limb_t) 1 << (447 % GMP_NUMB_BITS), + }; diff -Nru nettle-3.4.1/ed448-shake256-pubkey.c nettle-3.7.3/ed448-shake256-pubkey.c --- nettle-3.4.1/ed448-shake256-pubkey.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ed448-shake256-pubkey.c 2021-06-06 20:06:29.000000000 +0000 
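Review bot: `ed448_dom` hashes a fixed 10-byte prefix whose last two bytes are zero, and nothing says what those bytes mean: they are the RFC 8032 dom4 fields, phflag = 0 (pure Ed448) and a context length of 0, so this object pins the context string to empty and there is no API path for a caller to supply a non-empty one. A comment on the array, `/* dom4(phflag = 0, context = "") = "SigEd448" || 0x00 || 0x00; only the empty context is supported. */`, records that design choice where a reader will look for it. A line on the struct noting why `sha3_256_update`/`sha3_256_shake` appear in an Ed448 object (presumably because SHAKE256 uses the same sponge rate as SHA3-256, so nettle shares the context type) would also stop the `sha3_256` names from reading as a mismatch with the SHAKE256 requirement.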
@@ -0,0 +1,61 @@ +/* ed448-shake256-pubkey.c + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "eddsa.h" + +#include "ecc-internal.h" +#include "eddsa-internal.h" +#include "sha3.h" + +void +ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv) +{ + const struct ecc_curve *ecc = &_nettle_curve448; + struct sha3_256_ctx ctx; + uint8_t digest[ED448_SIGNATURE_SIZE]; + mp_size_t itch = ecc->q.size + _eddsa_public_key_itch (ecc); + mp_limb_t *scratch = gmp_alloc_limbs (itch); + +#define k scratch +#define scratch_out (scratch + ecc->q.size) + sha3_256_init (&ctx); + _eddsa_expand_key (ecc, &_nettle_ed448_shake256, &ctx, priv, digest, k); + _eddsa_public_key (ecc, k, pub, scratch_out); + + gmp_free_limbs (scratch, itch); +#undef k +#undef scratch_out +} diff -Nru nettle-3.4.1/ed448-shake256-sign.c nettle-3.7.3/ed448-shake256-sign.c --- nettle-3.4.1/ed448-shake256-sign.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ed448-shake256-sign.c 2021-06-06 20:06:29.000000000 +0000 
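Review bot: `uint8_t digest[ED448_SIGNATURE_SIZE];` sizes a buffer that holds the expanded private key with a signature constant, which only works because `_eddsa_expand_key` writes `2*nbytes` bytes (114 for curve448) and `ED448_SIGNATURE_SIZE` happens to equal `2*ED448_KEY_SIZE`. Spelling the relation out, `uint8_t digest[2*ED448_KEY_SIZE]; /* k2 seed || k1 nonce key, as written by _eddsa_expand_key */`, keeps the sizing correct by construction and documents that secret material lives in this stack buffer for the rest of the function. The same pattern appears in ed448-shake256-sign.c in this diff.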
@@ -0,0 +1,69 @@ +/* ed448-shake256-sign.c + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "eddsa.h" + +#include "ecc-internal.h" +#include "eddsa-internal.h" +#include "sha3.h" + +void +ed448_shake256_sign (const uint8_t *pub, + const uint8_t *priv, + size_t length, const uint8_t *msg, + uint8_t *signature) +{ + const struct ecc_curve *ecc = &_nettle_curve448; + const struct ecc_eddsa *eddsa = &_nettle_ed448_shake256; + mp_size_t itch = ecc->q.size + _eddsa_sign_itch (ecc); + mp_limb_t *scratch = gmp_alloc_limbs (itch); +#define k2 scratch +#define scratch_out (scratch + ecc->q.size) + struct sha3_256_ctx ctx; + uint8_t digest[ED448_SIGNATURE_SIZE]; + + sha3_256_init (&ctx); + _eddsa_expand_key (ecc, eddsa, &ctx, priv, digest, k2); + + _eddsa_sign (ecc, eddsa, &ctx, + pub, digest + ED448_KEY_SIZE, k2, + length, msg, signature, scratch_out); + + gmp_free_limbs (scratch, itch); +#undef k1 +#undef k2 +#undef scratch_out +} diff -Nru nettle-3.4.1/ed448-shake256-verify.c nettle-3.7.3/ed448-shake256-verify.c --- nettle-3.4.1/ed448-shake256-verify.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ed448-shake256-verify.c 2021-06-06 20:06:29.000000000 +0000 
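Review bot: `ed448_shake256_sign` takes `pub` as a caller-supplied argument alongside `priv` and never checks that the two belong together, and nothing in the hunk states that precondition. For EdDSA this is a known hazard of signing interfaces that accept the public key separately: the nonce key `digest + ED448_KEY_SIZE` is derived from `priv` alone, so signing under a `pub` that does not match `priv` produces signatures that are invalid at best and, per the literature on this API shape, can put the secret scalar at risk. A one-line contract on the definition, `/* pub must be the key produced from priv by ed448_shake256_public_key; the caller is responsible for keeping the pair consistent. */`, gives integrators the warning they need, and the same applies to the ed25519 variant touched in this diff.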
@@ -0,0 +1,69 @@ +/* ed448-shake256-verify.c + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "eddsa.h" + +#include "ecc-internal.h" +#include "eddsa-internal.h" +#include "sha3.h" + +int +ed448_shake256_verify (const uint8_t *pub, + size_t length, const uint8_t *msg, + const uint8_t *signature) +{ + const struct ecc_curve *ecc = &_nettle_curve448; + mp_size_t itch = 3*ecc->p.size + _eddsa_verify_itch (ecc); + mp_limb_t *scratch = gmp_alloc_limbs (itch); + struct sha3_256_ctx ctx; + int res; +#define A scratch +#define scratch_out (scratch + 3*ecc->p.size) + sha3_256_init (&ctx); + + res = (_eddsa_decompress (ecc, + A, pub, scratch_out) + && _eddsa_verify (ecc, &_nettle_ed448_shake256, pub, A, + &ctx, + length, msg, signature, + scratch_out)); + gmp_free_limbs (scratch, itch); + return res; +#undef A +#undef scratch_out +} diff -Nru nettle-3.4.1/eddsa-compress.c nettle-3.7.3/eddsa-compress.c --- nettle-3.4.1/eddsa-compress.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa-compress.c 2021-06-06 20:06:29.000000000 +0000 @@ -34,6 +34,7 @@ #endif #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc-internal.h" #include "gmp-glue.h" 
@@ -52,11 +53,11 @@ #define yp (scratch + ecc->p.size) #define scratch_out (scratch + 2*ecc->p.size) + size_t nbytes = 1 + ecc->p.bit_size / 8; ecc->h_to_a (ecc, 0, xp, p, scratch_out); /* Encoding is the y coordinate and an appended "sign" bit, which is - the low bit of x. Bit order is not specified explicitly, but for - little-endian encoding, it makes most sense to append the bit - after the most significant bit of y. */ - mpn_get_base256_le (r, 1 + ecc->p.bit_size / 8, yp, ecc->p.size); - r[ecc->p.bit_size / 8] += (xp[0] & 1) << (ecc->p.bit_size & 7); + the low bit of x. The sign bit is stored as the most significant + bit of the last byte. */ + mpn_get_base256_le (r, nbytes, yp, ecc->p.size); + r[nbytes - 1] += (xp[0] & 1) << 7; } diff -Nru nettle-3.4.1/eddsa-decompress.c nettle-3.7.3/eddsa-decompress.c --- nettle-3.4.1/eddsa-decompress.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa-decompress.c 2021-06-06 20:06:29.000000000 +0000 @@ -33,7 +33,10 @@ # include "config.h" #endif +#include + #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc-internal.h" #include "gmp-glue.h" @@ -50,6 +53,8 @@ mp_limb_t *scratch) { mp_limb_t sign, cy; + mp_size_t nlimbs; + size_t nbytes; int res; #define xp p 
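Review bot: `r[nbytes - 1] += (xp[0] & 1) << 7;` places the sign bit by addition, so it is correct only while the top bit of the last byte is already zero; that holds here because `nbytes = 1 + ecc->p.bit_size / 8` leaves at least one spare bit above `bit_size` and the y coordinate written by `mpn_get_base256_le` is presumably fully reduced below p. `|=` states the intent (set a bit, not add a value) and cannot produce a carry: `r[nbytes - 1] |= (xp[0] & 1) << 7;`. The new comment could also say where the byte count comes from, e.g. `/* nbytes = ceil((bit_size + 1) / 8): y plus one spare bit for the sign */`. The enclosing function starts before this hunk.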
@@ -61,23 +66,46 @@ #define tp (scratch + 2*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) - sign = cp[ecc->p.bit_size / 8] >> (ecc->p.bit_size & 7); - if (sign > 1) - return 0; - mpn_set_base256_le (yp, ecc->p.size, cp, 1 + ecc->p.bit_size / 8); - /* Clear out the sign bit (if it fits) */ - yp[ecc->p.size - 1] &= ~(mp_limb_t) 0 - >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); - ecc_modp_sqr (ecc, y2, yp); - ecc_modp_mul (ecc, vp, y2, ecc->b); - ecc_modp_sub (ecc, vp, vp, ecc->unit); - ecc_modp_sub (ecc, up, ecc->unit, y2); - res = ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out); + nbytes = 1 + ecc->p.bit_size / 8; + /* By RFC 8032, sign bit is always the most significant bit of the + last byte. */ + sign = cp[nbytes-1] >> 7; + + /* May need an extra limb. */ + nlimbs = (nbytes * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS; + assert (nlimbs <= ecc->p.size + 1); + mpn_set_base256_le (scratch, nlimbs, cp, nbytes); + + /* Clear out the sign bit */ + scratch[nlimbs - 1] &= + ((mp_limb_t) 1 << ((nbytes * 8 - 1) % GMP_NUMB_BITS)) - 1; + mpn_copyi (yp, scratch, ecc->p.size); + + /* Check range. */ + if (nlimbs > ecc->p.size) + res = (scratch[nlimbs - 1] == 0); + else + res = 1; + + /* For a valid input, y < p, so subtraction should underflow. */ + res &= mpn_sub_n (scratch, scratch, ecc->p.m, ecc->p.size); + + ecc_mod_sqr (&ecc->p, y2, yp, y2); + ecc_mod_mul (&ecc->p, vp, y2, ecc->b, vp); + ecc_mod_sub (&ecc->p, vp, vp, ecc->unit); + /* The sign is different between curve25519 and curve448. 
*/ + if (ecc->p.bit_size == 255) + ecc_mod_sub (&ecc->p, up, ecc->unit, y2); + else + ecc_mod_sub (&ecc->p, up, y2, ecc->unit); + res &= ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out); cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, tp, ecc->p.size); sign ^= xp[0] & 1; mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size); cnd_copy (sign, xp, tp, ecc->p.size); + /* Fails if the square root is zero but (original) sign was 1 */ + res &= mpn_sub_n (tp, xp, ecc->p.m, ecc->p.size); return res; } diff -Nru nettle-3.4.1/eddsa-expand.c nettle-3.7.3/eddsa-expand.c --- nettle-3.4.1/eddsa-expand.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa-expand.c 2021-06-06 20:06:29.000000000 +0000 @@ -37,16 +37,16 @@ #include #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" -#include "nettle-meta.h" /* Expands a private key, generating the secret scalar K2 and leaving the key K1 for nonce generation, at the end of the digest. */ void _eddsa_expand_key (const struct ecc_curve *ecc, - const struct nettle_hash *H, + const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *key, uint8_t *digest, 
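Review bot: The `if (ecc->p.bit_size == 255)` branch selects the sign of the numerator `up` by a magic number, and the comment above it says only that the sign differs between the two curves, not why, so a reader cannot tell which branch a third curve would belong in. Presumably this mirrors the sign of the Edwards-curve coefficient for curve25519 versus curve448; a comment stating the computed relation, `/* x^2 = up/vp: curve25519 uses up = 1 - y^2, curve448 uses up = y^2 - 1 */`, or better a per-curve flag, would remove the magic number. Note also that `assert (nlimbs <= ecc->p.size + 1)` is the only bound on the `mpn_set_base256_le` write into `scratch` and vanishes under NDEBUG; it follows from curve constants, so it holds, but the itch for this function must budget that extra limb. The enclosing function begins before this hunk.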
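Review bot: `_eddsa_expand_key` no longer initializes `ctx` (the `H->init (ctx)` line goes away in the next hunk of this file) and the `assert (H->digest_size >= 2*nbytes)` that guarded the `digest` buffer is dropped with it, yet the comment on the function still describes only what it computes. Both are now silent caller obligations, which is why every call site in this diff adds a `sha512_init`/`sha3_256_init` just before the call and sizes `digest` by hand, so the comment should say so: `/* ctx must be freshly initialized by the caller; digest must have room for 2*(1 + bit_size/8) bytes (64 for ed25519, 114 for ed448). */`. The function signature continues past the end of this hunk.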
@@ -54,19 +54,19 @@ { size_t nbytes = 1 + ecc->p.bit_size / 8; - assert (H->digest_size >= 2*nbytes); + eddsa->update (ctx, nbytes, key); + eddsa->digest (ctx, 2*nbytes, digest); - H->init (ctx); - H->update (ctx, nbytes, key); - H->digest (ctx, 2*nbytes, digest); - - mpn_set_base256_le (k2, ecc->p.size, digest, nbytes); - /* Clear low 3 bits */ - k2[0] &= ~(mp_limb_t) 7; - /* Set bit number bit_size - 1 (bit 254 for curve25519) */ - k2[(ecc->p.bit_size - 1) / GMP_NUMB_BITS] - |= (mp_limb_t) 1 << ((ecc->p.bit_size - 1) % GMP_NUMB_BITS); - /* Clear any higher bits. */ - k2[ecc->p.size - 1] &= ~(mp_limb_t) 0 - >> (GMP_NUMB_BITS * ecc->p.size - ecc->p.bit_size); + /* For ed448, ignores the most significant byte. */ + mpn_set_base256_le (k2, ecc->p.size, digest, (ecc->p.bit_size + 7) / 8); + + /* Clear low c bits */ + k2[0] &= eddsa->low_mask; + + /* Clear higher bits. */ + k2[ecc->p.size - 1] &= eddsa->high_bit - 1; + + /* Set bit number bit_size - 1 (bit 254 for curve25519, bit 447 for + curve448) */ + k2[ecc->p.size - 1] |= eddsa->high_bit; } diff -Nru nettle-3.4.1/eddsa.h nettle-3.7.3/eddsa.h --- nettle-3.4.1/eddsa.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa.h 2021-06-06 20:06:29.000000000 +0000 
@@ -45,19 +45,9 @@ #define ed25519_sha512_public_key nettle_ed25519_sha512_public_key #define ed25519_sha512_sign nettle_ed25519_sha512_sign #define ed25519_sha512_verify nettle_ed25519_sha512_verify - -#define _eddsa_compress _nettle_eddsa_compress -#define _eddsa_compress_itch _nettle_eddsa_compress_itch -#define _eddsa_decompress _nettle_eddsa_decompress -#define _eddsa_decompress_itch _nettle_eddsa_decompress_itch -#define _eddsa_hash _nettle_eddsa_hash -#define _eddsa_expand_key _nettle_eddsa_expand_key -#define _eddsa_sign _nettle_eddsa_sign -#define _eddsa_sign_itch _nettle_eddsa_sign_itch -#define _eddsa_verify _nettle_eddsa_verify -#define _eddsa_verify_itch _nettle_eddsa_verify_itch -#define _eddsa_public_key_itch _nettle_eddsa_public_key_itch -#define _eddsa_public_key _nettle_eddsa_public_key +#define ed448_shake256_public_key nettle_ed448_shake256_public_key +#define ed448_shake256_sign nettle_ed448_shake256_sign +#define ed448_shake256_verify nettle_ed448_shake256_verify #define ED25519_KEY_SIZE 32 #define ED25519_SIGNATURE_SIZE 64 
@@ -76,71 +66,22 @@ size_t length, const uint8_t *msg, const uint8_t *signature); -/* Low-level internal functions */ - -struct ecc_curve; -struct ecc_modulo; +#define ED448_KEY_SIZE 57 +#define ED448_SIGNATURE_SIZE 114 -mp_size_t -_eddsa_compress_itch (const struct ecc_curve *ecc); void -_eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, - mp_limb_t *scratch); - -mp_size_t -_eddsa_decompress_itch (const struct ecc_curve *ecc); -int -_eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, - const uint8_t *cp, - mp_limb_t *scratch); +ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv); void -_eddsa_hash (const struct ecc_modulo *m, - mp_limb_t *rp, const uint8_t *digest); - -mp_size_t -_eddsa_sign_itch (const struct ecc_curve *ecc); - -void -_eddsa_sign (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, - void *ctx, - const mp_limb_t *k2, - size_t length, - const uint8_t *msg, - uint8_t *signature, - mp_limb_t *scratch); - -mp_size_t -_eddsa_verify_itch (const struct ecc_curve *ecc); +ed448_shake256_sign (const uint8_t *pub, + const uint8_t *priv, + size_t length, const uint8_t *msg, + uint8_t *signature); int -_eddsa_verify (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, - const mp_limb_t *A, - void *ctx, - size_t length, - const uint8_t *msg, - const uint8_t *signature, - mp_limb_t *scratch); - -void -_eddsa_expand_key (const struct ecc_curve *ecc, - const struct nettle_hash *H, - void *ctx, - const uint8_t *key, - uint8_t *digest, - mp_limb_t *k2); - -mp_size_t -_eddsa_public_key_itch (const struct ecc_curve *ecc); - -void -_eddsa_public_key (const struct ecc_curve *ecc, - const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch); - +ed448_shake256_verify (const uint8_t *pub, + size_t length, const uint8_t *msg, + const uint8_t *signature); #ifdef __cplusplus } diff -Nru nettle-3.4.1/eddsa-hash.c nettle-3.7.3/eddsa-hash.c --- nettle-3.4.1/eddsa-hash.c 2018-12-04 
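Review bot: The new `ed448_shake256_public_key`, `ed448_shake256_sign` and `ed448_shake256_verify` prototypes do not say how large `pub`, `priv` and `signature` must be, although `ED448_KEY_SIZE` and `ED448_SIGNATURE_SIZE` are defined right above them. A one-line comment on the declarations, e.g. `/* pub and priv are ED448_KEY_SIZE bytes, signature is ED448_SIGNATURE_SIZE bytes. */`, would tie the constants to the parameters the way the `struct eddsa_ctx` buffers in the hogweed-benchmark hunk of this commit are sized. The ed25519 declarations at the top of the hunk are unchanged context.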
20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa-hash.c 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,8 @@ /* eddsa-hash.c - Copyright (C) 2014 Niels Möller + Copyright (C) 2014, 2019 Niels Möller + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. @@ -36,16 +38,45 @@ #include #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" +/* Convert hash digest to integer, and reduce canonically modulo q. + Needs space for 2*m->size + 1 at rp. */ void _eddsa_hash (const struct ecc_modulo *m, - mp_limb_t *rp, const uint8_t *digest) + mp_limb_t *rp, size_t digest_size, const uint8_t *digest) { - size_t nbytes = 1 + m->bit_size / 8; - mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes); - m->mod (m, rp); + mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS; + mp_limb_t cy; + + mpn_set_base256_le (rp, nlimbs, digest, digest_size); + + if (nlimbs > 2*m->size) + { + /* Special case for Ed448: reduce rp to 2*m->size limbs. + After decoding rp from a hash of size 2*rn: + + rp = r2 || r1 || r0 + + where r0 and r1 have m->size limbs. Reduce this to: + + rp = r1' || r0 + + where r1' has m->size limbs. */ + mp_limb_t hi = rp[2*m->size]; + assert (nlimbs == 2*m->size + 1); + + hi = mpn_addmul_1 (rp + m->size, m->B, m->size, hi); + assert (hi <= 1); + hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size); + assert (hi == 0); + } + m->mod (m, rp + m->size , rp); + /* Ensure canonical reduction. */ + cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); + cnd_copy (cy, rp, rp + m->size, m->size); } diff -Nru nettle-3.4.1/eddsa-internal.h nettle-3.7.3/eddsa-internal.h --- nettle-3.4.1/eddsa-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/eddsa-internal.h 2021-06-06 20:06:29.000000000 +0000 
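Review bot: In `_eddsa_hash`, `assert (nlimbs == 2*m->size + 1)` runs after `mpn_set_base256_le` has already written `nlimbs` limbs at `rp`, so an over-long `digest_size` would overrun the `2*m->size + 1` limbs the new header comment promises before the check fires, and under NDEBUG it is never checked at all. Checking `assert (nlimbs <= 2*m->size + 1);` immediately after `nlimbs` is computed, before the decode, catches the problem before the write; the permitted range of `digest_size` (the callers in this commit pass `2*nbytes`) should also be stated in the function comment, since `assert` is not a runtime guard. The `hi = rp[2*m->size]` read inside the branch is fine once that precondition holds.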
@@ -0,0 +1,133 @@ +/* eddsa.h + + Copyright (C) 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_EDDSA_INTERNAL_H +#define NETTLE_EDDSA_INTERNAL_H + +#include "nettle-types.h" +#include "bignum.h" + +#define _eddsa_compress _nettle_eddsa_compress +#define _eddsa_compress_itch _nettle_eddsa_compress_itch +#define _eddsa_decompress _nettle_eddsa_decompress +#define _eddsa_decompress_itch _nettle_eddsa_decompress_itch +#define _eddsa_hash _nettle_eddsa_hash +#define _eddsa_expand_key _nettle_eddsa_expand_key +#define _eddsa_sign _nettle_eddsa_sign +#define _eddsa_sign_itch _nettle_eddsa_sign_itch +#define _eddsa_verify _nettle_eddsa_verify +#define _eddsa_verify_itch _nettle_eddsa_verify_itch +#define _eddsa_public_key_itch _nettle_eddsa_public_key_itch +#define _eddsa_public_key _nettle_eddsa_public_key + +/* Low-level internal functions */ + +struct ecc_curve; +struct ecc_modulo; + +typedef void nettle_eddsa_dom_func(void *ctx); + +struct ecc_eddsa +{ + /* Hash function to use */ + nettle_hash_update_func *update; + nettle_hash_digest_func *digest; + 
nettle_eddsa_dom_func *dom; + /* For generating the secret scalar */ + mp_limb_t low_mask; + mp_limb_t high_bit; +}; + +extern const struct ecc_eddsa _nettle_ed25519_sha512; +extern const struct ecc_eddsa _nettle_ed448_shake256; + +mp_size_t +_eddsa_compress_itch (const struct ecc_curve *ecc); +void +_eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, + mp_limb_t *scratch); + +mp_size_t +_eddsa_decompress_itch (const struct ecc_curve *ecc); +int +_eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, + const uint8_t *cp, + mp_limb_t *scratch); + +void +_eddsa_hash (const struct ecc_modulo *m, + mp_limb_t *rp, size_t digest_size, const uint8_t *digest); + +mp_size_t +_eddsa_sign_itch (const struct ecc_curve *ecc); + +void +_eddsa_sign (const struct ecc_curve *ecc, + const struct ecc_eddsa *eddsa, + void *ctx, + const uint8_t *pub, + const uint8_t *k1, + const mp_limb_t *k2, + size_t length, + const uint8_t *msg, + uint8_t *signature, + mp_limb_t *scratch); + +mp_size_t +_eddsa_verify_itch (const struct ecc_curve *ecc); + +int +_eddsa_verify (const struct ecc_curve *ecc, + const struct ecc_eddsa *eddsa, + const uint8_t *pub, + const mp_limb_t *A, + void *ctx, + size_t length, + const uint8_t *msg, + const uint8_t *signature, + mp_limb_t *scratch); + +void +_eddsa_expand_key (const struct ecc_curve *ecc, + const struct ecc_eddsa *eddsa, + void *ctx, + const uint8_t *key, + uint8_t *digest, + mp_limb_t *k2); + +mp_size_t +_eddsa_public_key_itch (const struct ecc_curve *ecc); + +void +_eddsa_public_key (const struct ecc_curve *ecc, + const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch); + +#endif /* NETTLE_EDDSA_INTERNAL_H */ diff -Nru nettle-3.4.1/eddsa-pubkey.c nettle-3.7.3/eddsa-pubkey.c --- nettle-3.4.1/eddsa-pubkey.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa-pubkey.c 2021-06-06 20:06:29.000000000 +0000 
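Review bot: The header comment of the new eddsa-internal.h still reads `/* eddsa.h`, which looks copied from the public header and should name this file. The `struct ecc_eddsa` fields `low_mask` and `high_bit` are described only as `For generating the secret scalar`; the expand-key hunk at the top of this page applies `low_mask` to `k2[0]` and `high_bit` to `k2[ecc->p.size - 1]`, so a comment such as `/* low_mask is ANDed into the least significant limb to clear the low c bits; high_bit is the bit_size-1 bit, expressed within the most significant limb. */` would record the assumption that code depends on. `dom` likewise deserves a line saying it is called before the updates of each signature hash, as the sign and verify hunks do.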
@@ -33,14 +33,18 @@ # include "config.h" #endif +#include + #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc-internal.h" mp_size_t _eddsa_public_key_itch (const struct ecc_curve *ecc) { - return 3*ecc->p.size + ecc->mul_g_itch; + assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc)); + return 3*ecc->p.size + _eddsa_compress_itch (ecc); } void diff -Nru nettle-3.4.1/eddsa-sign.c nettle-3.7.3/eddsa-sign.c --- nettle-3.4.1/eddsa-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #include #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" @@ -44,14 +45,16 @@ mp_size_t _eddsa_sign_itch (const struct ecc_curve *ecc) { - return 5*ecc->p.size + ecc->mul_g_itch; + assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc)); + return 5*ecc->p.size + _eddsa_compress_itch (ecc); } void _eddsa_sign (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, + const struct ecc_eddsa *eddsa, void *ctx, + const uint8_t *pub, + const uint8_t *k1, const mp_limb_t *k2, size_t length, const uint8_t *msg, @@ -60,6 +63,8 @@ { mp_size_t size; size_t nbytes; + mp_limb_t q, cy; + #define rp scratch #define hp (scratch + size) #define P (scratch + 2*size) 
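Review bot: `_eddsa_public_key_itch` now returns `3*ecc->p.size + _eddsa_compress_itch (ecc)` and guards the shared scratch only with `assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc))`; `_eddsa_sign_itch` on this same line and `_eddsa_verify_itch` further down (asserting `_eddsa_decompress_itch (ecc) <= ecc->mul_itch`) follow the same pattern. Because `assert` disappears under NDEBUG, a curve for which the inequality does not hold would under-size the scratch area with no diagnostic. The inequality is presumably a property of the curve tables, so say so next to the assert, e.g. `/* mul_g and _eddsa_compress share this scratch; compress needs at least as much for every supported curve. */`, or return the larger of the two values so the itch is correct regardless of which dominates.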
@@ -70,34 +75,51 @@ size = ecc->p.size; nbytes = 1 + ecc->p.bit_size / 8; - assert (H->digest_size >= 2 * nbytes); + eddsa->dom (ctx); + eddsa->update (ctx, nbytes, k1); + eddsa->update (ctx, length, msg); + eddsa->digest (ctx, 2*nbytes, hash); + _eddsa_hash (&ecc->q, rp, 2*nbytes, hash); - H->update (ctx, length, msg); - H->digest (ctx, 2*nbytes, hash); - _eddsa_hash (&ecc->q, rp, hash); ecc->mul_g (ecc, P, rp, scratch_out); _eddsa_compress (ecc, signature, P, scratch_out); - H->update (ctx, nbytes, signature); - H->update (ctx, nbytes, pub); - H->update (ctx, length, msg); - H->digest (ctx, 2*nbytes, hash); - _eddsa_hash (&ecc->q, hp, hash); - - ecc_modq_mul (ecc, sp, hp, k2); - ecc_modq_add (ecc, sp, sp, rp); /* FIXME: Can be plain add */ - /* FIXME: Special code duplicated in ecc_25519_modq and ecc_eh_to_a. - Define a suitable method? */ - { - unsigned shift; - mp_limb_t cy; - assert (ecc->p.bit_size == 255); - shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, - sp[ecc->p.size-1] >> shift); - assert (cy < 2); - cnd_add_n (cy, sp, ecc->q.m, ecc->p.size); - } + eddsa->dom (ctx); + eddsa->update (ctx, nbytes, signature); + eddsa->update (ctx, nbytes, pub); + eddsa->update (ctx, length, msg); + eddsa->digest (ctx, 2*nbytes, hash); + _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); + + ecc_mod_mul (&ecc->q, sp, hp, k2, sp); + ecc_mod_add (&ecc->q, sp, sp, rp); /* FIXME: Can be plain add */ + if (ecc->p.bit_size == 255) + { + /* FIXME: Special code duplicated in ecc_curve25519_modq + Define a suitable method for canonical reduction? */ + + /* q is slightly larger than 2^252, underflow from below + mpn_submul_1 is unlikely. 
*/ + unsigned shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); + q = sp[ecc->p.size-1] >> shift; + } + else + { + unsigned shift; + + assert (ecc->p.bit_size == 448); + /* q is slightly smaller than 2^446 */ + shift = 446 - GMP_NUMB_BITS * (ecc->p.size - 1); + /* Add one, then it's possible but unlikely that below + mpn_submul_1 does *not* underflow. */ + q = (sp[ecc->p.size-1] >> shift) + 1; + } + + cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, q); + assert (cy < 2); + cy -= mpn_cnd_add_n (cy, sp, sp, ecc->q.m, ecc->p.size); + assert (cy == 0); + mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size); #undef rp #undef hp diff -Nru nettle-3.4.1/eddsa-verify.c nettle-3.7.3/eddsa-verify.c --- nettle-3.4.1/eddsa-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/eddsa-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #include #include "eddsa.h" +#include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" @@ -52,13 +53,8 @@ #define t0 scratch #define t1 (scratch + p->size) - ecc_mod_mul (p, t0, x1, z2); - if (mpn_cmp (t0, p->m, p->size) >= 0) - mpn_sub_n (t0, t0, p->m, p->size); - - ecc_mod_mul (p, t1, x2, z1); - if (mpn_cmp (t1, p->m, p->size) >= 0) - mpn_sub_n (t1, t1, p->m, p->size); + ecc_mod_mul_canonical (p, t0, x1, z2, t0); + ecc_mod_mul_canonical (p, t1, x2, z1, t1); return mpn_cmp (t0, t1, p->size) == 0; @@ -69,12 +65,13 @@ mp_size_t _eddsa_verify_itch (const struct ecc_curve *ecc) { + assert (_eddsa_decompress_itch (ecc) <= ecc->mul_itch); return 8*ecc->p.size + ecc->mul_itch; } int _eddsa_verify (const struct ecc_curve *ecc, - const struct nettle_hash *H, + const struct ecc_eddsa *eddsa, const uint8_t *pub, const mp_limb_t *A, void *ctx, 
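Review bot: In `_eddsa_sign`, the `else` branch of the final reduction only `assert`s `ecc->p.bit_size == 448`, so with NDEBUG any curve other than 255 bits silently takes the ed448 shift and the `+ 1` adjustment of `q`. Writing it as `else if (ecc->p.bit_size == 448)` followed by an explicit `else abort ();` keeps a future curve from producing a wrong `s` without any failure, and the FIXME in the 255 branch already suggests the cleaner alternative of a reduction method on the curve or on `struct ecc_eddsa`. The `cy -= mpn_cnd_add_n (...)` followed by `assert (cy == 0)` is the same debug-only check; a short comment that a non-zero `cy` here can only mean the bound on `q` was violated would help the next reader. The function continues past the end of the hunk.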
@@ -104,16 +101,16 @@ if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0) return 0; - H->init (ctx); - H->update (ctx, nbytes, signature); - H->update (ctx, nbytes, pub); - H->update (ctx, length, msg); - H->digest (ctx, 2*nbytes, hash); - _eddsa_hash (&ecc->q, hp, hash); + eddsa->dom (ctx); + eddsa->update (ctx, nbytes, signature); + eddsa->update (ctx, nbytes, pub); + eddsa->update (ctx, length, msg); + eddsa->digest (ctx, 2*nbytes, hash); + _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); /* Compute h A + R - s G, which should be the neutral point */ ecc->mul (ecc, P, hp, A, scratch_out); - ecc_add_eh (ecc, P, P, R, scratch_out); + ecc->add_hh (ecc, P, P, R, scratch_out); /* Move out of the way. */ mpn_copyi (hp, sp, ecc->q.size); ecc->mul_g (ecc, S, hp, scratch_out); diff -Nru nettle-3.4.1/examples/ecc-benchmark.c nettle-3.7.3/examples/ecc-benchmark.c --- nettle-3.4.1/examples/ecc-benchmark.c 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/ecc-benchmark.c 2021-06-06 20:06:30.000000000 +0000 @@ -139,7 +139,7 @@ { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); - ctx->ecc->p.mod (&ctx->ecc->p, ctx->rp); + ctx->ecc->p.mod (&ctx->ecc->p, ctx->rp, ctx->rp); } static void @@ -147,7 +147,7 @@ { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); - ctx->ecc->p.reduce (&ctx->ecc->p, ctx->rp); + ctx->ecc->p.reduce (&ctx->ecc->p, ctx->rp, ctx->rp); } static void @@ -155,7 +155,7 @@ { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); - ctx->ecc->q.mod(&ctx->ecc->q, ctx->rp); + ctx->ecc->q.mod(&ctx->ecc->q, ctx->rp, ctx->rp); } static void 
@@ -191,17 +191,17 @@ #endif static void -bench_dup_jj (void *p) +bench_dup_hh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ecc_dup_jj (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); + ctx->ecc->dup (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void -bench_add_jja (void *p) +bench_add_hh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ecc_add_jja (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); + ctx->ecc->add_hh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void @@ -225,20 +225,6 @@ ctx->ecc->mul (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } -static void -bench_dup_eh (void *p) -{ - struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ecc_dup_eh (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); -} - -static void -bench_add_eh (void *p) -{ - struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ecc_add_eh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); -} - #if NETTLE_USE_MINI_GMP static void mpn_random (mp_limb_t *xp, mp_size_t n) @@ -254,7 +240,7 @@ { struct ecc_ctx ctx; double modp, reduce, modq, modinv, modinv_gcd, modinv_powm, - dup_jj, add_jja, add_hhh, + dup_hh, add_hh, add_hhh, mul_g, mul_a; mp_limb_t mask; @@ -302,17 +288,8 @@ #else modinv_powm = 0; #endif - if (ecc->p.bit_size == 255) - { - /* For now, curve25519 is a special case */ - dup_jj = time_function (bench_dup_eh, &ctx); - add_jja = time_function (bench_add_eh, &ctx); - } - else - { - dup_jj = time_function (bench_dup_jj, &ctx); - add_jja = time_function (bench_add_jja, &ctx); - } + dup_hh = time_function (bench_dup_hh, &ctx); + add_hh = time_function (bench_add_hh, &ctx); add_hhh = time_function (bench_add_hhh, &ctx); mul_g = time_function (bench_mul_g, &ctx); mul_a = time_function (bench_mul_a, &ctx); 
@@ -325,17 +302,20 @@ printf ("%4d %6.4f %6.4f %6.4f %6.2f %6.3f %6.2f %6.3f %6.3f %6.3f %6.1f %6.1f\n", ecc->p.bit_size, 1e6 * modp, 1e6 * reduce, 1e6 * modq, 1e6 * modinv, 1e6 * modinv_gcd, 1e6 * modinv_powm, - 1e6 * dup_jj, 1e6 * add_jja, 1e6 * add_hhh, + 1e6 * dup_hh, 1e6 * add_hh, 1e6 * add_hhh, 1e6 * mul_g, 1e6 * mul_a); } const struct ecc_curve * const curves[] = { - &nettle_secp_192r1, - &nettle_secp_224r1, + &_nettle_secp_192r1, + &_nettle_secp_224r1, &_nettle_curve25519, - &nettle_secp_256r1, - &nettle_secp_384r1, - &nettle_secp_521r1, + &_nettle_secp_256r1, + &_nettle_secp_384r1, + &_nettle_curve448, + &_nettle_secp_521r1, + &_nettle_gost_gc256b, + &_nettle_gost_gc512a, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) @@ -348,7 +328,7 @@ time_init(); printf ("%4s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s (us)\n", "size", "modp", "reduce", "modq", "modinv", "mi_gcd", "mi_pow", - "dup_jj", "ad_jja", "ad_hhh", + "dup_hh", "add_hh", "ad_hhh", "mul_g", "mul_a"); for (i = 0; i < numberof (curves); i++) bench_curve (curves[i]); diff -Nru nettle-3.4.1/examples/eratosthenes.c nettle-3.7.3/examples/eratosthenes.c --- nettle-3.4.1/examples/eratosthenes.c 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/eratosthenes.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,414 +0,0 @@ -/* eratosthenes.c - - An implementation of the sieve of Eratosthenes, to generate a list of primes. - - Copyright (C) 2007 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include -#include -#include - -#include "getopt.h" - -#ifdef SIZEOF_LONG -# define BITS_PER_LONG (CHAR_BIT * SIZEOF_LONG) -# if BITS_PER_LONG > 32 -# define NEED_HANDLE_LARGE_LONG 1 -# else -# define NEED_HANDLE_LARGE_LONG 0 -# endif -#else -# define BITS_PER_LONG (CHAR_BIT * sizeof(unsigned long)) -# define NEED_HANDLE_LARGE_LONG 1 -#endif - - -static void -usage(void) -{ - fprintf(stderr, "Usage: erathostenes [OPTIONS] [LIMIT]\n\n" - "Options:\n" - " -? Display this message.\n" - " -b SIZE Block size.\n" - " -v Verbose output.\n" - " -s No output.\n"); -} - -static unsigned -isqrt(unsigned long n) -{ - unsigned long x; - - /* FIXME: Better initialization. */ - if (n < ULONG_MAX) - x = n; - else - /* Must avoid overflow in the first step. 
*/ - x = n-1; - - for (;;) - { - unsigned long y = (x + n/x) / 2; - if (y >= x) - return x; - - x = y; - } -} - -/* Size is in bits */ -static unsigned long * -vector_alloc(unsigned long size) -{ - unsigned long end = (size + BITS_PER_LONG - 1) / BITS_PER_LONG; - unsigned long *vector = malloc (end * sizeof(*vector)); - - if (!vector) - { - fprintf(stderr, "Insufficient memory.\n"); - exit(EXIT_FAILURE); - } - return vector; -} - -static void -vector_init(unsigned long *vector, unsigned long size) -{ - unsigned long end = (size + BITS_PER_LONG - 1) / BITS_PER_LONG; - unsigned long i; - - for (i = 0; i < end; i++) - vector[i] = ~0UL; -} - -static void -vector_clear_bits (unsigned long *vector, unsigned long step, - unsigned long start, unsigned long size) -{ - unsigned long bit; - - for (bit = start; bit < size; bit += step) - { - unsigned long i = bit / BITS_PER_LONG; - unsigned long mask = 1L << (bit % BITS_PER_LONG); - - vector[i] &= ~mask; - } -} - -static unsigned -find_first_one (unsigned long x) -{ - static const unsigned char table[0x101] = - { - 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 12, 0, 0, 0, 0, 0, 0, 0,11, 0, 0, 0,10, 0, 9, 8, - 0, 0, 1, 0, 2, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, - 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 7, - }; - - unsigned i = 0; - - /* Isolate least significant bit */ - x &= -x; - -#if NEED_HANDLE_LARGE_LONG -#ifndef 
SIZEOF_LONG - /* Can not be tested by the preprocessor. May generate warnings - when long is 32 bits. */ - if (BITS_PER_LONG > 32) -#endif - while (x >= 0x100000000L) - { - x >>= 32; - i += 32; - } -#endif /* NEED_HANDLE_LARGE_LONG */ - - if (x >= 0x10000) - { - x >>= 16; - i += 16; - } - return i + table[128 + (x & 0xff) - (x >> 8)]; -} - -/* Returns size if there's no more bits set */ -static unsigned long -vector_find_next (const unsigned long *vector, unsigned long bit, unsigned long size) -{ - unsigned long end = (size + BITS_PER_LONG - 1) / BITS_PER_LONG; - unsigned long i = bit / BITS_PER_LONG; - unsigned long mask = 1L << (bit % BITS_PER_LONG); - unsigned long word; - - if (i >= end) - return size; - - for (word = vector[i] & ~(mask - 1); !word; word = vector[i]) - if (++i >= end) - return size; - - /* Next bit is the least significant bit of word */ - return i * BITS_PER_LONG + find_first_one(word); -} - -/* For benchmarking, define to do nothing (otherwise, most of the time - will be spent converting the output to decimal). */ -#define OUTPUT(n) printf("%lu\n", (n)) - -static long -atosize(const char *s) -{ - char *end; - long value = strtol(s, &end, 10); - - if (value <= 0) - return 0; - - /* FIXME: Doesn't check for overflow. */ - switch(*end) - { - default: - return 0; - case '\0': - break; - case 'k': case 'K': - value <<= 10; - break; - case 'M': - value <<= 20; - break; - } - return value; -} - -int -main (int argc, char **argv) -{ - /* Generate all primes p <= limit */ - unsigned long limit; - unsigned long root; - - unsigned long limit_nbits; - - /* Represents numbers up to sqrt(limit) */ - unsigned long sieve_nbits; - unsigned long *sieve; - /* Block for the rest of the sieving. Size should match the cache, - the default value corresponds to 64 KB. 
*/ - unsigned long block_nbits = 64L << 13; - unsigned long block_start_bit; - unsigned long *block; - - unsigned long bit; - int silent = 0; - int verbose = 0; - int c; - - enum { OPT_HELP = 300 }; - static const struct option options[] = - { - /* Name, args, flag, val */ - { "help", no_argument, NULL, OPT_HELP }, - { "verbose", no_argument, NULL, 'v' }, - { "block-size", required_argument, NULL, 'b' }, - { "quiet", required_argument, NULL, 'q' }, - { NULL, 0, NULL, 0} - }; - - while ( (c = getopt_long(argc, argv, "svb:", options, NULL)) != -1) - switch (c) - { - case OPT_HELP: - usage(); - return EXIT_SUCCESS; - case 'b': - block_nbits = CHAR_BIT * atosize(optarg); - if (!block_nbits) - { - usage(); - return EXIT_FAILURE; - } - break; - - case 'q': - silent = 1; - break; - - case 'v': - verbose++; - break; - - case '?': - return EXIT_FAILURE; - - default: - abort(); - } - - argc -= optind; - argv += optind; - - if (argc == 0) - limit = 1000; - else if (argc == 1) - { - limit = atol(argv[0]); - if (limit < 2) - return EXIT_SUCCESS; - } - else - { - usage(); - return EXIT_FAILURE; - } - - root = isqrt(limit); - /* Round down to odd */ - root = (root - 1) | 1; - /* Represents odd numbers from 3 up. 
*/ - sieve_nbits = (root - 1) / 2; - sieve = vector_alloc(sieve_nbits ); - vector_init(sieve, sieve_nbits); - - if (verbose) - fprintf(stderr, "Initial sieve using %lu bits.\n", sieve_nbits); - - if (!silent) - printf("2\n"); - - if (limit == 2) - return EXIT_SUCCESS; - - for (bit = 0; - bit < sieve_nbits; - bit = vector_find_next(sieve, bit + 1, sieve_nbits)) - { - unsigned long n = 3 + 2 * bit; - /* First bit to clear corresponds to n^2, which is bit - - (n^2 - 3) / 2 = (n + 3) * bit + 3 - */ - unsigned long n2_bit = (n+3)*bit + 3; - - if (!silent) - printf("%lu\n", n); - - vector_clear_bits (sieve, n, n2_bit, sieve_nbits); - } - - limit_nbits = (limit - 1) / 2; - - if (sieve_nbits + block_nbits > limit_nbits) - block_nbits = limit_nbits - sieve_nbits; - - if (verbose) - { - double storage = block_nbits / 8.0; - unsigned shift = 0; - const char prefix[] = " KMG"; - - while (storage > 1024 && shift < 3) - { - storage /= 1024; - shift++; - } - fprintf(stderr, "Blockwise sieving using blocks of %lu bits (%.3g %cByte)\n", - block_nbits, storage, prefix[shift]); - } - - block = vector_alloc(block_nbits); - - for (block_start_bit = bit; block_start_bit < limit_nbits; block_start_bit += block_nbits) - { - unsigned long block_start; - - if (block_start_bit + block_nbits > limit_nbits) - block_nbits = limit_nbits - block_start_bit; - - vector_init(block, block_nbits); - - block_start = 3 + 2*block_start_bit; - - if (verbose > 1) - fprintf(stderr, "Next block, n = %lu\n", block_start); - - /* Sieve */ - for (bit = 0; bit < sieve_nbits; - bit = vector_find_next(sieve, bit + 1, sieve_nbits)) - { - unsigned long n = 3 + 2 * bit; - unsigned long sieve_start_bit = (n + 3) * bit + 3; - - if (sieve_start_bit < block_start_bit) - { - unsigned long k = (block_start + n - 1) / (2*n); - sieve_start_bit = n * k + bit; - - assert(sieve_start_bit < block_start_bit + n); - } - assert(sieve_start_bit >= block_start_bit); - - vector_clear_bits(block, n, sieve_start_bit - block_start_bit, 
block_nbits); - } - for (bit = vector_find_next(block, 0, block_nbits); - bit < block_nbits; - bit = vector_find_next(block, bit + 1, block_nbits)) - { - unsigned long n = block_start + 2 * bit; - if (!silent) - printf("%lu\n", n); - } - } - - free(sieve); - free(block); - - return EXIT_SUCCESS; -} diff -Nru nettle-3.4.1/examples/hogweed-benchmark.c nettle-3.7.3/examples/hogweed-benchmark.c --- nettle-3.4.1/examples/hogweed-benchmark.c 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/hogweed-benchmark.c 2021-06-06 20:06:30.000000000 +0000 @@ -47,7 +47,10 @@ #include "dsa.h" #include "rsa.h" +#include "eddsa.h" +#include "gostdsa.h" #include "curve25519.h" +#include "curve448.h" #include "nettle-meta.h" #include "sexp.h" @@ -59,6 +62,7 @@ #if WITH_OPENSSL #include +#include #include #include #include @@ -148,7 +152,7 @@ ctx = alg->init(alg->size); if (ctx == NULL) { - printf("%15s %4d N/A\n", alg->name, alg->size); + printf("%16s %4d N/A\n", alg->name, alg->size); return; } @@ -157,7 +161,7 @@ alg->clear (ctx); - printf("%15s %4d %9.4f %9.4f\n", + printf("%16s %4d %9.4f %9.4f\n", alg->name, alg->size, 1e-3/sign, 1e-3/verify); } @@ -165,6 +169,7 @@ { struct rsa_public_key pub; struct rsa_private_key key; + struct knuth_lfib_ctx lfib; uint8_t *digest; mpz_t s; }; @@ -223,6 +228,7 @@ rsa_public_key_init (&ctx->pub); rsa_private_key_init (&ctx->key); mpz_init (ctx->s); + knuth_lfib_init (&ctx->lfib, 1); /* NOTE: Base64-decodes the strings in-place */ if (size == 1024) @@ -257,6 +263,19 @@ } static void +bench_rsa_sign_tr (void *p) +{ + struct rsa_ctx *ctx = p; + + mpz_t s; + mpz_init (s); + rsa_sha256_sign_digest_tr (&ctx->pub, &ctx->key, + &ctx->lfib, (nettle_random_func *)knuth_lfib_random, + ctx->digest, s); + mpz_clear (s); +} + +static void bench_rsa_verify (void *p) { struct rsa_ctx *ctx = p; 
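Review bot: In the new `bench_rsa_sign_tr`, the result of `rsa_sha256_sign_digest_tr` is discarded; in Nettle that function returns an int status, and a benchmark that keeps timing after signing has failed reports a misleading figure. Checking it the way `bench_eddsa_verify` in this commit checks its verify call, `if (!rsa_sha256_sign_digest_tr (&ctx->pub, &ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, ctx->digest, s)) die ("Internal error, rsa_sha256_sign_digest_tr failed.\n");`, keeps the number honest. The `lfib` member added to `struct rsa_ctx` and seeded in the init hunk is otherwise used consistently.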
@@ -369,7 +388,7 @@ { struct ecc_point pub; struct ecc_scalar key; - struct knuth_lfib_ctx rctx; + struct knuth_lfib_ctx lfib; unsigned digest_size; uint8_t *digest; struct dsa_signature s; @@ -389,12 +408,12 @@ ctx = xalloc (sizeof(*ctx)); dsa_signature_init (&ctx->s); - knuth_lfib_init (&ctx->rctx, 17); + knuth_lfib_init (&ctx->lfib, 17); switch (size) { case 192: - ecc = &nettle_secp_192r1; + ecc = &_nettle_secp_192r1; xs = "8e8e07360350fb6b7ad8370cfd32fa8c6bba785e6e200599"; ys = "7f82ddb58a43d59ff8dc66053002b918b99bd01bd68d6736"; zs = "f2e620e086d658b4b507996988480917640e4dc107808bdd"; @@ -402,7 +421,7 @@ ctx->digest_size = 20; break; case 224: - ecc = &nettle_secp_224r1; + ecc = &_nettle_secp_224r1; xs = "993bf363f4f2bc0f255f22563980449164e9c894d9efd088d7b77334"; ys = "b75fff9849997d02d135140e4d0030944589586e22df1fc4b629082a"; zs = "cdfd01838247f5de3cc70b688418046f10a2bfaca6de9ec836d48c27"; @@ -412,7 +431,7 @@ /* From RFC 4754 */ case 256: - ecc = &nettle_secp_256r1; + ecc = &_nettle_secp_256r1; xs = "2442A5CC 0ECD015F A3CA31DC 8E2BBC70 BF42D60C BCA20085 E0822CB0 4235E970"; ys = "6FC98BD7 E50211A4 A27102FA 3549DF79 EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D"; zs = "DC51D386 6A15BACD E33D96F9 92FCA99D A7E6EF09 34E70975 59C27F16 14C88A7F"; @@ -420,7 +439,7 @@ ctx->digest_size = 32; break; case 384: - ecc = &nettle_secp_384r1; + ecc = &_nettle_secp_384r1; xs = "96281BF8 DD5E0525 CA049C04 8D345D30 82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922"; ys = "447688BA 94708EB6 E2E4D59F 6AB6D7ED FF9301D2 49FE49C3 3096655F 5D502FAD" @@ -431,7 +450,7 @@ ctx->digest_size = 48; break; case 521: - ecc = &nettle_secp_521r1; + ecc = &_nettle_secp_521r1; xs = "0151518F 1AF0F563 517EDD54 85190DF9 5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018 8901CECD 650699C9 B5E456AE A5ADD190" "52A8"; 
@@ -463,7 +482,7 @@ mpz_clear (z); ecdsa_sign (&ctx->key, - &ctx->rctx, (nettle_random_func *) knuth_lfib_random, + &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &ctx->s); @@ -478,7 +497,7 @@ dsa_signature_init (&s); ecdsa_sign (&ctx->key, - &ctx->rctx, (nettle_random_func *) knuth_lfib_random, + &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &s); dsa_signature_clear (&s); @@ -491,7 +510,7 @@ if (! ecdsa_verify (&ctx->pub, ctx->digest_size, ctx->digest, &ctx->s)) - die ("Internal error, _ecdsa_verify failed.\n"); + die ("Internal error, ecdsa_verify failed.\n"); } static void 
@@ -507,6 +526,173 @@ free (ctx); } +struct eddsa_ctx +{ + uint8_t pub[ED448_KEY_SIZE]; + uint8_t key[ED448_KEY_SIZE]; + uint8_t signature[ED448_SIGNATURE_SIZE]; + void (*sign)(const uint8_t *pub, + const uint8_t *priv, + size_t length, const uint8_t *msg, + uint8_t *signature); + int (*verify)(const uint8_t *pub, + size_t length, const uint8_t *msg, + const uint8_t *signature); +}; + +static void * +bench_eddsa_init (unsigned size) +{ + struct knuth_lfib_ctx lfib; + struct eddsa_ctx *ctx; + knuth_lfib_init (&lfib, 17); + + ctx = xalloc (sizeof(*ctx)); + switch (size) { + case 255: + ctx->sign = ed25519_sha512_sign; + ctx->verify = ed25519_sha512_verify; + + knuth_lfib_random (&lfib, ED25519_KEY_SIZE, ctx->key); + ed25519_sha512_public_key (ctx->pub, ctx->key); + break; + case 448: + ctx->sign = ed448_shake256_sign; + ctx->verify = ed448_shake256_verify; + + knuth_lfib_random (&lfib, ED448_KEY_SIZE, ctx->key); + ed448_shake256_public_key (ctx->pub, ctx->key); + break; + default: + abort (); + } + ctx->sign (ctx->pub, ctx->key, 3, (const uint8_t *) "abc", ctx->signature); + + return ctx; +} + +static void +bench_eddsa_sign (void *p) +{ + struct eddsa_ctx *ctx = p; + ctx->sign (ctx->pub, ctx->key, 3, (const uint8_t *) "abc", ctx->signature); +} + +static void +bench_eddsa_verify (void *p) +{ + struct eddsa_ctx *ctx = p; + if (!ctx->verify (ctx->pub, 3, (const uint8_t *) "abc", ctx->signature)) + die ("Internal error, eddsa_verify failed.\n"); +} + +static void +bench_eddsa_clear (void *p) +{ + free (p); +} + +static void * +bench_gostdsa_init (unsigned size) +{ + struct ecdsa_ctx *ctx; + const struct ecc_curve *ecc; + + const char *xs; + const char *ys; + const char *zs; + mpz_t x, y, z; + + ctx = xalloc (sizeof(*ctx)); + + dsa_signature_init (&ctx->s); + knuth_lfib_init (&ctx->lfib, 17); + + switch (size) + { + case 256: + ecc = &_nettle_gost_gc256b; + xs = "971566ceda436ee7678f7e07e84ebb7217406c0b4747aa8fd2ab1453c3d0dfba"; + ys = 
"ad58736965949f8e59830f8de20fc6c0d177f6ab599874f1e2e24ff71f9ce643"; + zs = "bfcf1d623e5cdd3032a7c6eabb4a923c46e43d640ffeaaf2c3ed39a8fa399924"; + ctx->digest = hash_string (&nettle_sha256, "abc"); + ctx->digest_size = 32; + break; + + case 512: + ecc = &_nettle_gost_gc512a; + xs = "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" + "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40"; + ys = "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1" + "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73"; + zs = "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" + "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B"; + ctx->digest = hash_string (&nettle_sha512, "abc"); + ctx->digest_size = 64; + break; + + default: + die ("Internal error.\n"); + } + ecc_point_init (&ctx->pub, ecc); + ecc_scalar_init (&ctx->key, ecc); + + mpz_init_set_str (x, xs, 16); + mpz_init_set_str (y, ys, 16); + mpz_init_set_str (z, zs, 16); + + ecc_point_set (&ctx->pub, x, y); + ecc_scalar_set (&ctx->key, z); + + mpz_clear (x); + mpz_clear (y); + mpz_clear (z); + + gostdsa_sign (&ctx->key, + &ctx->lfib, (nettle_random_func *) knuth_lfib_random, + ctx->digest_size, ctx->digest, + &ctx->s); + + return ctx; +} + +static void +bench_gostdsa_sign (void *p) +{ + struct ecdsa_ctx *ctx = p; + struct dsa_signature s; + + dsa_signature_init (&s); + gostdsa_sign (&ctx->key, + &ctx->lfib, (nettle_random_func *) knuth_lfib_random, + ctx->digest_size, ctx->digest, + &s); + dsa_signature_clear (&s); +} + +static void +bench_gostdsa_verify (void *p) +{ + struct ecdsa_ctx *ctx = p; + if (! 
gostdsa_verify (&ctx->pub, + ctx->digest_size, ctx->digest, + &ctx->s)) + die ("Internal error, _gostdsa_verify failed.\n"); +} + +static void +bench_gostdsa_clear (void *p) +{ + struct ecdsa_ctx *ctx = p; + + ecc_point_clear (&ctx->pub); + ecc_scalar_clear (&ctx->key); + dsa_signature_clear (&ctx->s); + free (ctx->digest); + + free (ctx); +} + #if WITH_OPENSSL struct openssl_rsa_ctx { @@ -517,24 +703,40 @@ uint8_t *digest; }; -static void * -bench_openssl_rsa_init (unsigned size) +static struct openssl_rsa_ctx* +make_openssl_rsa_ctx (unsigned size) { struct openssl_rsa_ctx *ctx = xalloc (sizeof (*ctx)); - - ctx->key = RSA_generate_key (size, 65537, NULL, NULL); + BIGNUM *e = BN_new(); + BN_set_word(e, 65537); + ctx->key = RSA_new(); + RSA_generate_key_ex (ctx->key, size, e, NULL); ctx->ref = xalloc (RSA_size (ctx->key)); ctx->signature = xalloc (RSA_size (ctx->key)); ctx->digest = hash_string (&nettle_sha1, "foo"); - RSA_blinding_off(ctx->key); if (! RSA_sign (NID_sha1, ctx->digest, SHA1_DIGEST_SIZE, ctx->ref, &ctx->siglen, ctx->key)) die ("OpenSSL RSA_sign failed.\n"); + BN_free(e); + return ctx; +} + +static void * +bench_openssl_rsa_init (unsigned size) +{ + struct openssl_rsa_ctx *ctx = make_openssl_rsa_ctx (size); + RSA_blinding_off(ctx->key); return ctx; } +static void * +bench_openssl_rsa_tr_init (unsigned size) +{ + return make_openssl_rsa_ctx (size); +} + static void bench_openssl_rsa_sign (void *p) { 
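Review bot: `bench_gostdsa_verify` reports failure as `_gostdsa_verify failed` while the same commit corrects the ecdsa message to `ecdsa_verify failed` (hunk -491), so the new line should read `die ("Internal error, gostdsa_verify failed.\n");`. The unsupported-size branches are also inconsistent: `bench_eddsa_init` (and `bench_curve_init` in hunk -652) call `abort ()` where `bench_gostdsa_init` calls `die ("Internal error.\n")`; one convention should be picked for the new code. A one-line comment on `struct eddsa_ctx` saying that `pub`, `key` and `signature` are sized for Ed448 and only partially filled in the 255 case would save the next reader a lookup.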
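Review bot: `make_openssl_rsa_ctx` never checks `BN_new`, `BN_set_word`, `RSA_new` or `RSA_generate_key_ex`, so a failed key generation reaches `RSA_size (ctx->key)` and `RSA_sign` with an empty key, whereas the `RSA_sign` call a few lines later does check and `die`. Suggest `if (!e || !BN_set_word (e, 65537) || !ctx->key || !RSA_generate_key_ex (ctx->key, size, e, NULL)) die ("OpenSSL RSA key generation failed.\n");` with the `RSA_new ()` assignment moved ahead of the test. A comment on `bench_openssl_rsa_tr_init` stating that it differs from `bench_openssl_rsa_init` only by leaving RSA blinding enabled would document why two entry points exist.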
@@ -652,53 +854,71 @@ } #endif -struct curve25519_ctx +struct curve_ctx { - uint8_t x[CURVE25519_SIZE]; - uint8_t s[CURVE25519_SIZE]; + uint8_t x[CURVE448_SIZE]; + uint8_t s[CURVE448_SIZE]; + void (*mul_g)(uint8_t *q, const uint8_t *n); + void (*mul)(uint8_t *q, const uint8_t *n, const uint8_t *p); }; -static void -bench_curve25519_mul_g (void *p) +static void * +bench_curve_init (unsigned size) { - struct curve25519_ctx *ctx = p; - uint8_t q[CURVE25519_SIZE]; - curve25519_mul_g (q, ctx->s); + struct knuth_lfib_ctx lfib; + struct curve_ctx *ctx = xalloc (sizeof (*ctx)); + knuth_lfib_init (&lfib, 17); + switch (size) + { + case 255: + ctx->mul = curve25519_mul; + ctx->mul_g = curve25519_mul_g; + knuth_lfib_random (&lfib, CURVE25519_SIZE, ctx->s); + break; + case 448: + ctx->mul = curve448_mul; + ctx->mul_g = curve448_mul_g; + knuth_lfib_random (&lfib, CURVE448_SIZE, ctx->s); + break; + default: + abort (); + } + ctx->mul_g (ctx->x, ctx->s); + return ctx; } static void -bench_curve25519_mul (void *p) +bench_curve_mul_g (void *p) { - struct curve25519_ctx *ctx = p; - uint8_t q[CURVE25519_SIZE]; - curve25519_mul (q, ctx->s, ctx->x); + struct curve_ctx *ctx = p; + uint8_t q[CURVE448_SIZE]; + ctx->mul_g (q, ctx->s); } static void -bench_curve25519 (void) +bench_curve_mul (void *p) { - double mul_g; - double mul; - struct knuth_lfib_ctx lfib; - struct curve25519_ctx ctx; - knuth_lfib_init (&lfib, 2); - - knuth_lfib_random (&lfib, sizeof(ctx.s), ctx.s); - curve25519_mul_g (ctx.x, ctx.s); - - mul_g = time_function (bench_curve25519_mul_g, &ctx); - mul = time_function (bench_curve25519_mul, &ctx); + struct curve_ctx *ctx = p; + uint8_t q[CURVE448_SIZE]; + ctx->mul (q, ctx->s, ctx->x); +} - printf("%15s %4d %9.4f %9.4f\n", - "curve25519", 255, 1e-3/mul_g, 1e-3/mul); +static void +bench_curve_clear (void *p) +{ + free (p); } struct alg alg_list[] = { { "rsa", 1024, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, { "rsa", 2048, bench_rsa_init, 
bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, + { "rsa-tr", 1024, bench_rsa_init, bench_rsa_sign_tr, bench_rsa_verify, bench_rsa_clear }, + { "rsa-tr", 2048, bench_rsa_init, bench_rsa_sign_tr, bench_rsa_verify, bench_rsa_clear }, #if WITH_OPENSSL { "rsa (openssl)", 1024, bench_openssl_rsa_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, { "rsa (openssl)", 2048, bench_openssl_rsa_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, + { "rsa-tr (openssl)", 1024, bench_openssl_rsa_tr_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, + { "rsa-tr (openssl)", 2048, bench_openssl_rsa_tr_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, #endif { "dsa", 1024, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #if 0 @@ -716,6 +936,12 @@ { "ecdsa (openssl)", 384, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, { "ecdsa (openssl)", 521, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, #endif + { "eddsa", 255, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, bench_eddsa_clear }, + { "eddsa", 448, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, bench_eddsa_clear }, + { "curve", 255, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear}, + { "curve", 448, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear }, + { "gostdsa", 256, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, + { "gostdsa", 512, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) 
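Review bot: The "curve" rows in `alg_list` install `bench_curve_mul_g` and `bench_curve_mul` in the sign and verify slots, so their timings are printed under the `sign/ms` / `verify/ms` header that `main` prints (hunk -730), which the removed `bench_curve25519` avoided by printing its own row. A comment on those two entries, e.g. `/* "sign" times mul_g (fixed base), "verify" times mul (variable base). */`, keeps the table readable until the output labels are reworked. The 255 entry also lacks a space before its closing brace (`bench_curve_clear}`) unlike its neighbours.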
@@ -730,15 +956,12 @@ filter = argv[1]; time_init(); - printf ("%15s %4s %9s %9s\n", + printf ("%16s %4s %9s %9s\n", "name", "size", "sign/ms", "verify/ms"); for (i = 0; i < numberof(alg_list); i++) if (!filter || strstr (alg_list[i].name, filter)) bench_alg (&alg_list[i]); - if (!filter || strstr("curve25519", filter)) - bench_curve25519(); - return EXIT_SUCCESS; } diff -Nru nettle-3.4.1/examples/Makefile.in nettle-3.7.3/examples/Makefile.in --- nettle-3.4.1/examples/Makefile.in 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/Makefile.in 2021-06-06 20:06:30.000000000 +0000 @@ -20,11 +20,11 @@ ENC_TARGETS = base16enc$(EXEEXT) base16dec$(EXEEXT) \ base64enc$(EXEEXT) base64dec$(EXEEXT) -TARGETS = nettle-benchmark$(EXEEXT) eratosthenes$(EXEEXT) \ +TARGETS = nettle-benchmark$(EXEEXT) \ $(ENC_TARGETS) @IF_HOGWEED@ $(HOGWEED_TARGETS) SOURCES = nettle-benchmark.c hogweed-benchmark.c ecc-benchmark.c \ - eratosthenes.c random-prime.c \ + random-prime.c \ nettle-openssl.c \ io.c read_rsa_key.c \ rsa-encrypt.c rsa-decrypt.c rsa-keygen.c rsa-sign.c rsa-verify.c \ @@ -40,7 +40,7 @@ all: $(TARGETS) -.c.$(OBJEXT): +%.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) # NOTE: If we required GNU make, we could use a single rule with $(@F) @@ -94,9 +94,6 @@ $(LINK) base64dec.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base64dec$(EXEEXT) -eratosthenes$(EXEEXT): eratosthenes.$(OBJEXT) $(GETOPT_OBJS) - $(LINK) eratosthenes.$(OBJEXT) $(GETOPT_OBJS) -o eratosthenes$(EXEEXT) - BENCH_OBJS = nettle-benchmark.$(OBJEXT) nettle-openssl.$(OBJEXT) \ $(GETOPT_OBJS) ../nettle-internal.$(OBJEXT) timing.$(OBJEXT) nettle-benchmark$(EXEEXT): $(BENCH_OBJS) 
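Review bot: The compile rule is now the GNU make pattern form `%.$(OBJEXT): %.c`, but the comment kept immediately below still says `If we required GNU make, we could use a single rule with $(@F)`, which now reads as if GNU make were still optional; the `-include` line at the end of the file (hunk -142) is a GNU extension as well. Either update the comment to state that GNU make is assumed from here on, or keep the portable `.c.$(OBJEXT):` suffix rule.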
@@ -116,9 +113,8 @@ $(TARGETS) : io.$(OBJEXT) ../libnettle.stamp $(HOGWEED_TARGETS): ../libhogweed.stamp -# The PATH update is for windows dlls, DYLD_LIBRARY_PATH is for OSX. check: $(TS_ALL) - LD_LIBRARY_PATH=../.lib PATH="../.lib:$$PATH" DYLD_LIBRARY_PATH=../.lib \ + TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" EMULATOR="$(EMULATOR)" EXEEXT="$(EXEEXT)" \ "$(top_srcdir)"/run-tests $(TS_ALL) @@ -134,7 +130,7 @@ cp $? $(distdir) clean: - -rm -f $(TARGETS) *.$(OBJEXT) + -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d distclean: clean -rm -f Makefile *.d @@ -142,4 +138,4 @@ tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h -@DEP_INCLUDE@ $(SOURCES:.c=.$(OBJEXT).d) +-include $(SOURCES:.c=.$(OBJEXT).d) diff -Nru nettle-3.4.1/examples/nettle-benchmark.c nettle-3.7.3/examples/nettle-benchmark.c --- nettle-3.4.1/examples/nettle-benchmark.c 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/nettle-benchmark.c 2021-06-06 20:06:30.000000000 +0000 @@ -58,13 +58,16 @@ #include "gcm.h" #include "memxor.h" #include "salsa20.h" +#include "salsa20-internal.h" #include "serpent.h" #include "sha1.h" #include "sha2.h" #include "sha3.h" #include "twofish.h" #include "umac.h" +#include "cmac.h" #include "poly1305.h" +#include "hmac.h" #include "nettle-meta.h" #include "nettle-internal.h" 
@@ -89,24 +92,24 @@ #if WITH_CYCLE_COUNTER # if defined(__i386__) #define GET_CYCLE_COUNTER(hi, lo) \ - __asm__("xorl %%eax,%%eax\n" \ - "movl %%ebx, %%edi\n" \ - "cpuid\n" \ - "rdtsc\n" \ - "movl %%edi, %%ebx\n" \ - : "=a" (lo), "=d" (hi) \ - : /* No inputs. */ \ - : "%edi", "%ecx", "cc") + __asm__ volatile ("xorl %%eax,%%eax\n" \ + "movl %%ebx, %%edi\n" \ + "cpuid\n" \ + "rdtsc\n" \ + "movl %%edi, %%ebx\n" \ + : "=a" (lo), "=d" (hi) \ + : /* No inputs. */ \ + : "%edi", "%ecx", "cc") # elif defined(__x86_64__) #define GET_CYCLE_COUNTER(hi, lo) \ - __asm__("xorl %%eax,%%eax\n" \ - "mov %%rbx, %%r10\n" \ - "cpuid\n" \ - "rdtsc\n" \ - "mov %%r10, %%rbx\n" \ - : "=a" (lo), "=d" (hi) \ - : /* No inputs. */ \ - : "%r10", "%rcx", "cc") + __asm__ volatile ("xorl %%eax,%%eax\n" \ + "mov %%rbx, %%r10\n" \ + "cpuid\n" \ + "rdtsc\n" \ + "mov %%r10, %%rbx\n" \ + : "=a" (lo), "=d" (hi) \ + : /* No inputs. */ \ + : "%r10", "%rcx", "cc") # endif #define BENCH_ITERATIONS 10 #endif @@ -149,12 +152,6 @@ return elapsed / ncalls - overhead; } -static void -bench_nothing(void *arg UNUSED) -{ - return; -} - struct bench_memxor_info { void *dst; @@ -209,8 +206,9 @@ void *ctx; nettle_cipher_func *crypt; - uint8_t *data; - + const uint8_t *src; + uint8_t *dst; + unsigned block_size; uint8_t *iv; }; @@ -221,7 +219,7 @@ struct bench_cbc_info *info = arg; cbc_encrypt(info->ctx, info->crypt, info->block_size, info->iv, - BENCH_BLOCK, info->data, info->data); + BENCH_BLOCK, info->dst, info->src); } static void @@ -230,7 +228,7 @@ struct bench_cbc_info *info = arg; cbc_decrypt(info->ctx, info->crypt, info->block_size, info->iv, - BENCH_BLOCK, info->data, info->data); + BENCH_BLOCK, info->dst, info->src); } static void @@ -239,7 +237,7 @@ struct bench_cbc_info *info = arg; ctr_crypt(info->ctx, info->crypt, info->block_size, info->iv, - BENCH_BLOCK, info->data, info->data); + BENCH_BLOCK, info->dst, info->src); } struct bench_aead_info 
@@ -298,7 +296,7 @@ static void header(void) { - printf("%18s %11s Mbyte/s%s\n", + printf("%18s %12s Mbyte/s%s\n", "Algorithm", "mode", frequency > 0.0 ? " cycles/byte cycles/block" : ""); } @@ -307,7 +305,7 @@ display(const char *name, const char *mode, unsigned block_size, double time) { - printf("%18s %11s %7.2f", + printf("%18s %12s %7.2f", name, mode, BENCH_BLOCK / (time * 1048576.0)); if (frequency > 0.0) @@ -329,17 +327,6 @@ return p; } -static void -time_overhead(void) -{ - overhead = time_function(bench_nothing, NULL); - printf("benchmark call overhead: %7f us", overhead * 1e6); - if (frequency > 0.0) - printf("%7.2f cycles\n", overhead * frequency); - printf("\n"); -} - - static void time_memxor(void) @@ -402,7 +389,7 @@ struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; - + uint8_t key[16]; umac32_set_key (&ctx32, key); @@ -439,6 +426,24 @@ } static void +time_cmac(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hash_info info; + struct cmac_aes128_ctx ctx; + + uint8_t key[16]; + + cmac_aes128_set_key (&ctx, key); + info.ctx = &ctx; + info.update = (nettle_hash_update_func *) cmac_aes128_update; + info.data = data; + + display("cmac-aes128", "update", AES_BLOCK_SIZE, + time_function(bench_hash, &info)); +} + +static void time_poly1305_aes(void) { static uint8_t data[BENCH_BLOCK]; 
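Review bot: `time_cmac` passes the never-initialised automatic array `key` to `cmac_aes128_set_key`, so the CMAC is keyed from indeterminate stack bytes and MemorySanitizer or valgrind will flag the read; the hmac timers added in the same commit key from `data` after `init_data`. A `memset(key, 0, sizeof key);` before the call makes the run deterministic. The neighbouring `time_umac` shows the same pattern, but that code is pre-existing context.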
@@ -455,6 +460,147 @@ time_function(bench_hash, &info)); } +struct bench_hmac_info +{ + void *ctx; + nettle_hash_update_func *update; + nettle_hash_digest_func *digest; + size_t length; + size_t digest_length; + const uint8_t *data; +}; + +static void +bench_hmac(void *arg) +{ + struct bench_hmac_info *info = arg; + uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE]; + size_t pos, length; + + length = info->length; + for (pos = 0; pos < BENCH_BLOCK; pos += length) + { + size_t single = pos + length < BENCH_BLOCK ? + length : + BENCH_BLOCK - pos; + info->update(info->ctx, single, info->data + pos); + info->digest(info->ctx, info->digest_length, digest); + } +} + +static const struct +{ + size_t length; + const char *msg; +} hmac_tests[] = { + { 64, "64 bytes" }, + { 256, "256 bytes" }, + { 1024, "1024 bytes" }, + { 4096, "4096 bytes" }, + { BENCH_BLOCK, "single msg" }, + { 0, NULL }, +}; + +static void +time_hmac_md5(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_md5_ctx md5_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_md5_set_key(&md5_ctx, MD5_BLOCK_SIZE, data); + info.ctx = &md5_ctx; + info.update = (nettle_hash_update_func *) hmac_md5_update; + info.digest = (nettle_hash_digest_func *) hmac_md5_digest; + info.digest_length = MD5_DIGEST_SIZE; + + for (pos = 0; hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-md5", hmac_tests[pos].msg, MD5_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + +static void +time_hmac_sha1(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_sha1_ctx sha1_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_sha1_set_key(&sha1_ctx, SHA1_BLOCK_SIZE, data); + info.ctx = &sha1_ctx; + info.update = (nettle_hash_update_func *) hmac_sha1_update; + info.digest = (nettle_hash_digest_func *) hmac_sha1_digest; + info.digest_length = SHA1_DIGEST_SIZE; + + for (pos = 0; 
hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-sha1", hmac_tests[pos].msg, SHA1_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + +static void +time_hmac_sha256(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_sha256_ctx sha256_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_sha256_set_key(&sha256_ctx, SHA256_BLOCK_SIZE, data); + info.ctx = &sha256_ctx; + info.update = (nettle_hash_update_func *) hmac_sha256_update; + info.digest = (nettle_hash_digest_func *) hmac_sha256_digest; + info.digest_length = SHA256_DIGEST_SIZE; + + for (pos = 0; hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-sha256", hmac_tests[pos].msg, SHA256_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + +static void +time_hmac_sha512(void) +{ + static uint8_t data[BENCH_BLOCK]; + struct bench_hmac_info info; + struct hmac_sha512_ctx sha512_ctx; + unsigned int pos; + + init_data(data); + info.data = data; + + hmac_sha512_set_key(&sha512_ctx, SHA512_BLOCK_SIZE, data); + info.ctx = &sha512_ctx; + info.update = (nettle_hash_update_func *) hmac_sha512_update; + info.digest = (nettle_hash_digest_func *) hmac_sha512_digest; + info.digest_length = SHA512_DIGEST_SIZE; + + for (pos = 0; hmac_tests[pos].length != 0; pos++) + { + info.length = hmac_tests[pos].length; + display("hmac-sha512", hmac_tests[pos].msg, SHA512_BLOCK_SIZE, + time_function(bench_hmac, &info)); + } +} + static int prefix_p(const char *prefix, const char *s) { @@ -478,11 +624,13 @@ void *ctx = xalloc(cipher->context_size); uint8_t *key = xalloc(cipher->key_size); + static uint8_t src_data[BENCH_BLOCK]; static uint8_t data[BENCH_BLOCK]; printf("\n"); init_data(data); + init_data(src_data); { /* Decent initializers are a GNU extension, so don't use it here. */ 
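Review bot: `time_hmac_md5`, `time_hmac_sha1`, `time_hmac_sha256` and `time_hmac_sha512` are the same twenty lines four times, differing only in the `hmac_*` prefix and the `*_BLOCK_SIZE` / `*_DIGEST_SIZE` macros, which is the kind of duplication the same commit removes in nettle-openssl.c with `OPENSSL_HASH`. A token-pasting macro instantiated four times keeps one copy of the loop to maintain and makes adding further HMAC variants a one-liner. `pos` would also read better as `size_t`, matching the `length` field it indexes.

```c
/* … unchanged: bench_hmac_info, bench_hmac, hmac_tests … */

/* NAME is the prefix of the *_BLOCK_SIZE / *_DIGEST_SIZE macros,
   name the suffix of the hmac_* API and of the printed label. */
#define TIME_HMAC(NAME, name)                                           \
static void                                                             \
time_hmac_##name(void)                                                  \
{                                                                       \
  static uint8_t data[BENCH_BLOCK];                                     \
  struct bench_hmac_info info;                                          \
  struct hmac_##name##_ctx ctx;                                         \
  size_t pos;                                                           \
                                                                        \
  init_data(data);                                                      \
  info.data = data;                                                     \
                                                                        \
  hmac_##name##_set_key(&ctx, NAME##_BLOCK_SIZE, data);                 \
  info.ctx = &ctx;                                                      \
  info.update = (nettle_hash_update_func *) hmac_##name##_update;       \
  info.digest = (nettle_hash_digest_func *) hmac_##name##_digest;       \
  info.digest_length = NAME##_DIGEST_SIZE;                              \
                                                                        \
  for (pos = 0; hmac_tests[pos].length != 0; pos++)                     \
    {                                                                   \
      info.length = hmac_tests[pos].length;                             \
      display("hmac-" #name, hmac_tests[pos].msg, NAME##_BLOCK_SIZE,    \
              time_function(bench_hmac, &info));                        \
    }                                                                   \
}

TIME_HMAC(MD5, md5)
TIME_HMAC(SHA1, sha1)
TIME_HMAC(SHA256, sha256)
TIME_HMAC(SHA512, sha512)
```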
@@ -520,7 +668,8 @@ struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; - info.data = data; + info.src = src_data; + info.dst = data; info.block_size = cipher->block_size; info.iv = iv; @@ -536,7 +685,8 @@ struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->decrypt; - info.data = data; + info.src = src_data; + info.dst = data; info.block_size = cipher->block_size; info.iv = iv; @@ -546,6 +696,12 @@ display(cipher->name, "CBC decrypt", cipher->block_size, time_function(bench_cbc_decrypt, &info)); + + memset(iv, 0, cipher->block_size); + info.src = data; + + display(cipher->name, " (in-place)", cipher->block_size, + time_function(bench_cbc_decrypt, &info)); } /* Do CTR mode */ @@ -553,7 +709,8 @@ struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; - info.data = data; + info.src = src_data; + info.dst = data; info.block_size = cipher->block_size; info.iv = iv; @@ -563,6 +720,12 @@ display(cipher->name, "CTR", cipher->block_size, time_function(bench_ctr, &info)); + + memset(iv, 0, cipher->block_size); + info.src = data; + + display(cipher->name, " (in-place)", cipher->block_size, + time_function(bench_ctr, &info)); } free(iv); @@ -680,7 +843,7 @@ uint8_t data[SHA1_BLOCK_SIZE]; double t; - TIME_CYCLES (t, _nettle_sha1_compress(state, data)); + TIME_CYCLES (t, nettle_sha1_compress(state, data)); printf("sha1_compress: %.2f cycles\n", t); } @@ -738,6 +901,8 @@ &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_ripemd160, &nettle_gosthash94, + &nettle_gosthash94cp, &nettle_streebog256, + &nettle_streebog512, NULL }; 
@@ -760,12 +925,15 @@ const struct nettle_aead *aeads[] = { /* Stream ciphers */ - &nettle_arcfour128, OPENSSL(&nettle_openssl_arcfour128) + &nettle_arcfour128, &nettle_salsa20, &nettle_salsa20r12, &nettle_chacha, /* Proper AEAD algorithme. */ &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, + OPENSSL(&nettle_openssl_gcm_aes128) + OPENSSL(&nettle_openssl_gcm_aes192) + OPENSSL(&nettle_openssl_gcm_aes256) &nettle_gcm_camellia128, &nettle_gcm_camellia256, &nettle_eax_aes128, @@ -792,7 +960,7 @@ /* Fall through */ case OPT_HELP: - printf("Usage: nettle-benchmark [-f clock frequency] [alg]\n"); + printf("Usage: nettle-benchmark [-f clock frequency] [alg...]\n"); return EXIT_SUCCESS; case '?': 
@@ -802,40 +970,59 @@ abort(); } - alg = argv[optind]; - time_init(); bench_sha1_compress(); bench_salsa20_core(); bench_sha3_permute(); printf("\n"); - time_overhead(); header(); - if (!alg || strstr ("memxor", alg)) + do { - time_memxor(); - printf("\n"); - } - - for (i = 0; hashes[i]; i++) - if (!alg || strstr(hashes[i]->name, alg)) - time_hash(hashes[i]); - - if (!alg || strstr ("umac", alg)) - time_umac(); - - if (!alg || strstr ("poly1305-aes", alg)) - time_poly1305_aes(); - - for (i = 0; ciphers[i]; i++) - if (!alg || strstr(ciphers[i]->name, alg)) - time_cipher(ciphers[i]); - - for (i = 0; aeads[i]; i++) - if (!alg || strstr(aeads[i]->name, alg)) - time_aead(aeads[i]); + alg = argv[optind]; + + if (!alg || strstr ("memxor", alg)) + { + time_memxor(); + printf("\n"); + } + + for (i = 0; hashes[i]; i++) + if (!alg || strstr(hashes[i]->name, alg)) + time_hash(hashes[i]); + + if (!alg || strstr ("umac", alg)) + time_umac(); + + if (!alg || strstr ("cmac", alg)) + time_cmac(); + + if (!alg || strstr ("poly1305-aes", alg)) + time_poly1305_aes(); + + for (i = 0; ciphers[i]; i++) + if (!alg || strstr(ciphers[i]->name, alg)) + time_cipher(ciphers[i]); + + for (i = 0; aeads[i]; i++) + if (!alg || strstr(aeads[i]->name, alg)) + time_aead(aeads[i]); + + if (!alg || strstr ("hmac-md5", alg)) + time_hmac_md5(); + + if (!alg || strstr ("hmac-sha1", alg)) + time_hmac_sha1(); + + if (!alg || strstr ("hmac-sha256", alg)) + time_hmac_sha256(); + + if (!alg || strstr ("hmac-sha512", alg)) + time_hmac_sha512(); + + optind++; + } while (alg && argv[optind]); return 0; } diff -Nru nettle-3.4.1/examples/nettle-openssl.c nettle-3.7.3/examples/nettle-openssl.c --- nettle-3.4.1/examples/nettle-openssl.c 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/nettle-openssl.c 2021-06-06 20:06:30.000000000 +0000 
@@ -62,6 +62,13 @@ EVP_CIPHER_CTX *evp; }; +/* We use Openssl's EVP api for all openssl hashes. This API selects + platform-specific implementations if appropriate, e.g., using x86 + AES-NI instructions. */ +struct openssl_hash_ctx { + EVP_MD_CTX *evp; +}; + void nettle_openssl_init(void) { @@ -79,8 +86,10 @@ const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; + int ret; ctx->evp = EVP_CIPHER_CTX_new(); - assert(EVP_EncryptInit_ex(ctx->evp, cipher, NULL, key, NULL) == 1); + ret = EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 1); + assert(ret == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void @@ -88,8 +97,10 @@ const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; + int ret; ctx->evp = EVP_CIPHER_CTX_new(); - assert(EVP_DecryptInit_ex(ctx->evp, cipher, NULL, key, NULL) == 1); + ret = EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 0); + assert(ret == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } @@ -99,7 +110,8 @@ { const struct openssl_cipher_ctx *ctx = p; int len; - assert(EVP_EncryptUpdate(ctx->evp, dst, &len, src, length) == 1); + int ret = EVP_EncryptUpdate(ctx->evp, dst, &len, src, length); + assert(ret == 1); } static void openssl_evp_decrypt(const void *p, size_t length, 
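Review bot: Moving the `EVP_CipherInit_ex` call out of `assert` fixes the side-effect-in-assert problem, but `ret` is now consumed only by `assert`, so a `-DNDEBUG` build both drops the check and gets a set-but-unused warning for `ret`; the same shape recurs in hunks -88, -99 and -107. An explicit `if (ret != 1) abort();` keeps the check in release builds without the warning. The `EVP_CIPHER_CTX_new()` result is also never tested for NULL before being passed on.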
@@ -107,7 +119,54 @@ { const struct openssl_cipher_ctx *ctx = p; int len; - assert(EVP_DecryptUpdate(ctx->evp, dst, &len, src, length) == 1); + int ret = EVP_DecryptUpdate(ctx->evp, dst, &len, src, length); + assert(ret == 1); +} + +static void +openssl_evp_set_nonce(void *p, const uint8_t *nonce) +{ + const struct openssl_cipher_ctx *ctx = p; + int ret = EVP_CipherInit_ex(ctx->evp, NULL, NULL, NULL, nonce, -1); + assert(ret == 1); +} + +static void +openssl_evp_update(void *p, size_t length, const uint8_t *src) +{ + const struct openssl_cipher_ctx *ctx = p; + int len; + int ret = EVP_EncryptUpdate(ctx->evp, NULL, &len, src, length); + assert(ret == 1); +} + +/* This will work for encryption only! */ +static void +openssl_evp_gcm_digest(void *p, size_t length, uint8_t *dst) +{ + const struct openssl_cipher_ctx *ctx = p; + int ret = EVP_CIPHER_CTX_ctrl(ctx->evp, EVP_CTRL_GCM_GET_TAG, length, dst); + assert(ret == 1); +} + +static void +openssl_evp_aead_encrypt(void *p, size_t length, + uint8_t *dst, const uint8_t *src) +{ + const struct openssl_cipher_ctx *ctx = p; + int len; + int ret = EVP_EncryptUpdate(ctx->evp, dst, &len, src, length); + assert(ret == 1); +} + +static void +openssl_evp_aead_decrypt(void *p, size_t length, + uint8_t *dst, const uint8_t *src) +{ + const struct openssl_cipher_ctx *ctx = p; + int len; + int ret = EVP_DecryptUpdate(ctx->evp, dst, &len, src, length); + assert(ret == 1); } /* AES */ 
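Review bot: `openssl_evp_gcm_digest` is documented as working for encryption only, yet it is installed as the digest callback of the same `nettle_aead` tables that also carry a `set_decrypt_key` (hunk -175), so a caller that invokes digest after a decrypt would presumably hit the `EVP_CTRL_GCM_GET_TAG` assert. Spell out what the limitation means for users of the table: `/* Fetches the tag after encryption only; on a decrypt-keyed context the tag is never checked, so decrypt timings are unauthenticated. */`. `openssl_evp_set_nonce` also relies on the EVP default IV length matching the 12 declared in the tables; a comment saying so would prevent a silent mismatch if that field is ever changed.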
@@ -175,29 +234,68 @@ openssl_evp_encrypt, openssl_evp_decrypt }; -/* Arcfour */ +/* AES-GCM */ +static void +openssl_gcm_aes128_set_encrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_encrypt_key(ctx, key, EVP_aes_128_gcm()); +} static void -openssl_arcfour128_set_encrypt_key(void *ctx, const uint8_t *key) +openssl_gcm_aes128_set_decrypt_key(void *ctx, const uint8_t *key) { - openssl_evp_set_encrypt_key(ctx, key, EVP_rc4()); + openssl_evp_set_decrypt_key(ctx, key, EVP_aes_128_gcm()); } static void -openssl_arcfour128_set_decrypt_key(void *ctx, const uint8_t *key) +openssl_gcm_aes192_set_encrypt_key(void *ctx, const uint8_t *key) { - openssl_evp_set_decrypt_key(ctx, key, EVP_rc4()); + openssl_evp_set_encrypt_key(ctx, key, EVP_aes_192_gcm()); +} +static void +openssl_gcm_aes192_set_decrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_decrypt_key(ctx, key, EVP_aes_192_gcm()); } +static void +openssl_gcm_aes256_set_encrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_encrypt_key(ctx, key, EVP_aes_256_gcm()); +} +static void +openssl_gcm_aes256_set_decrypt_key(void *ctx, const uint8_t *key) +{ + openssl_evp_set_decrypt_key(ctx, key, EVP_aes_256_gcm()); +} + +const struct nettle_aead +nettle_openssl_gcm_aes128 = { + "openssl gcm_aes128", sizeof(struct openssl_cipher_ctx), + 16, 16, 12, 16, + openssl_gcm_aes128_set_encrypt_key, openssl_gcm_aes128_set_decrypt_key, + openssl_evp_set_nonce, openssl_evp_update, + openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, + openssl_evp_gcm_digest +}; + const struct nettle_aead -nettle_openssl_arcfour128 = { - "openssl arcfour128", sizeof(struct openssl_cipher_ctx), - 1, 16, 0, 0, - openssl_arcfour128_set_encrypt_key, - openssl_arcfour128_set_decrypt_key, - NULL, NULL, - (nettle_crypt_func *)openssl_evp_encrypt, - (nettle_crypt_func *)openssl_evp_decrypt, - NULL, +nettle_openssl_gcm_aes192 = { + "openssl gcm_aes192", sizeof(struct openssl_cipher_ctx), + 16, 24, 12, 16, + 
openssl_gcm_aes192_set_encrypt_key, openssl_gcm_aes192_set_decrypt_key, + openssl_evp_set_nonce, openssl_evp_update, + openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, + openssl_evp_gcm_digest +}; + +const struct nettle_aead +nettle_openssl_gcm_aes256 = { + "openssl gcm_aes256", sizeof(struct openssl_cipher_ctx), + 16, 32, 12, 16, + openssl_gcm_aes256_set_encrypt_key, openssl_gcm_aes256_set_decrypt_key, + openssl_evp_set_nonce, openssl_evp_update, + openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, + openssl_evp_gcm_digest }; /* Blowfish */ 
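Review bot: The three `nettle_openssl_gcm_aes*` tables and their six key-setting wrappers differ only in the key size and the `EVP_aes_*_gcm()` selector, while the same commit collapses the md5/sha1 glue into `OPENSSL_HASH` further down (hunk -267); an `OPENSSL_GCM_AES(bits)` macro of the same shape would keep the two halves of the file consistent. Whatever form is kept, the unlabelled `16, 16, 12, 16` row deserves a comment naming the fields (block, key, nonce and digest sizes), since the removed arcfour entry shows how easily those positions read as magic numbers.

```c
/* … unchanged: openssl_evp_* helpers above … */

/* AES-GCM: one key-setting pair and one nettle_aead table per key size.
   Table fields after the name and context size are the block, key,
   nonce and digest sizes. */
#define OPENSSL_GCM_AES(bits)                                           \
static void                                                             \
openssl_gcm_aes##bits##_set_encrypt_key(void *ctx, const uint8_t *key)  \
{                                                                       \
  openssl_evp_set_encrypt_key(ctx, key, EVP_aes_##bits##_gcm());        \
}                                                                       \
static void                                                             \
openssl_gcm_aes##bits##_set_decrypt_key(void *ctx, const uint8_t *key)  \
{                                                                       \
  openssl_evp_set_decrypt_key(ctx, key, EVP_aes_##bits##_gcm());        \
}                                                                       \
const struct nettle_aead                                                \
nettle_openssl_gcm_aes##bits = {                                        \
  "openssl gcm_aes" #bits, sizeof(struct openssl_cipher_ctx),           \
  16, bits / 8, 12, 16,                                                 \
  openssl_gcm_aes##bits##_set_encrypt_key,                              \
  openssl_gcm_aes##bits##_set_decrypt_key,                              \
  openssl_evp_set_nonce, openssl_evp_update,                            \
  openssl_evp_aead_encrypt, openssl_evp_aead_decrypt,                   \
  openssl_evp_gcm_digest                                                \
};

OPENSSL_GCM_AES(128)
OPENSSL_GCM_AES(192)
OPENSSL_GCM_AES(256)
```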
@@ -267,76 +365,47 @@ /* Hash functions */ -/* md5 */ -static nettle_hash_init_func openssl_md5_init; -static void -openssl_md5_init(void *ctx) -{ - MD5_Init(ctx); -} - -static nettle_hash_update_func openssl_md5_update; -static void -openssl_md5_update(void *ctx, - size_t length, - const uint8_t *src) -{ - MD5_Update(ctx, src, length); -} - -static nettle_hash_digest_func openssl_md5_digest; -static void -openssl_md5_digest(void *ctx, - size_t length, uint8_t *dst) -{ - assert(length == SHA_DIGEST_LENGTH); - MD5_Final(dst, ctx); - MD5_Init(ctx); -} - -const struct nettle_hash -nettle_openssl_md5 = { - "openssl md5", sizeof(SHA_CTX), - SHA_DIGEST_LENGTH, SHA_CBLOCK, - openssl_md5_init, - openssl_md5_update, - openssl_md5_digest -}; - -/* sha1 */ -static nettle_hash_init_func openssl_sha1_init; -static void -openssl_sha1_init(void *ctx) -{ - SHA1_Init(ctx); -} - -static nettle_hash_update_func openssl_sha1_update; static void -openssl_sha1_update(void *ctx, +openssl_hash_update(void *p, size_t length, const uint8_t *src) { - SHA1_Update(ctx, src, length); + struct openssl_hash_ctx *ctx = p; + EVP_DigestUpdate(ctx->evp, src, length); } -static nettle_hash_digest_func openssl_sha1_digest; -static void -openssl_sha1_digest(void *ctx, - size_t length, uint8_t *dst) -{ - assert(length == SHA_DIGEST_LENGTH); - SHA1_Final(dst, ctx); - SHA1_Init(ctx); -} - -const struct nettle_hash -nettle_openssl_sha1 = { - "openssl sha1", sizeof(SHA_CTX), - SHA_DIGEST_LENGTH, SHA_CBLOCK, - openssl_sha1_init, - openssl_sha1_update, - openssl_sha1_digest +#define OPENSSL_HASH(NAME, name) \ +static void \ +openssl_##name##_init(void *p) \ +{ \ + struct openssl_hash_ctx *ctx = p; \ + if ((ctx->evp = EVP_MD_CTX_new()) == NULL) \ + return; \ + \ + EVP_DigestInit(ctx->evp, EVP_##name()); \ +} \ + \ +static void \ +openssl_##name##_digest(void *p, \ + size_t length, uint8_t *dst) \ +{ \ + struct openssl_hash_ctx *ctx = p; \ + assert(length == NAME##_DIGEST_LENGTH); \ + \ + 
EVP_DigestFinal(ctx->evp, dst, NULL); \ + EVP_DigestInit(ctx->evp, EVP_##name()); \ +} \ + \ +const struct nettle_hash \ +nettle_openssl_##name = { \ + "openssl " #name, sizeof(struct openssl_hash_ctx), \ + NAME##_DIGEST_LENGTH, NAME##_CBLOCK, \ + openssl_##name##_init, \ + openssl_hash_update, \ + openssl_##name##_digest \ }; - + +OPENSSL_HASH(MD5, md5) +OPENSSL_HASH(SHA, sha1) + #endif /* WITH_OPENSSL */ diff -Nru nettle-3.4.1/examples/rsa-decrypt.c nettle-3.7.3/examples/rsa-decrypt.c --- nettle-3.4.1/examples/rsa-decrypt.c 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/rsa-decrypt.c 2021-06-06 20:06:30.000000000 +0000 @@ -64,7 +64,7 @@ const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); - aes_set_decrypt_key(&ctx->aes.ctx, AES_KEY_SIZE, aes_key); + aes256_set_decrypt_key(&ctx->aes.ctx, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } @@ -109,13 +109,6 @@ return 0; } -struct process_ctx -{ - struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; - struct hmac_sha1_ctx hmac; - struct yarrow256_ctx yarrow; -}; - #define BUF_SIZE (100 * AES_BLOCK_SIZE) /* Trailing data that needs special processing */ @@ -158,7 +151,7 @@ if (size) { - CBC_DECRYPT(&ctx->aes, aes_decrypt, size, buffer, buffer); + CBC_DECRYPT(&ctx->aes, aes256_decrypt, size, buffer, buffer); hmac_sha1_update(&ctx->hmac, size, buffer); if (!write_data(out, size, buffer)) { @@ -171,7 +164,7 @@ while (size == BUF_SIZE); /* Decrypt final block */ - CBC_DECRYPT(&ctx->aes, aes_decrypt, AES_BLOCK_SIZE, buffer, buffer); + CBC_DECRYPT(&ctx->aes, aes256_decrypt, AES_BLOCK_SIZE, buffer, buffer); padding = buffer[AES_BLOCK_SIZE - 1]; if (padding > AES_BLOCK_SIZE) { diff -Nru nettle-3.4.1/examples/rsa-encrypt.c nettle-3.7.3/examples/rsa-encrypt.c --- nettle-3.4.1/examples/rsa-encrypt.c 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/rsa-encrypt.c 2021-06-06 20:06:30.000000000 +0000 
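Review bot: In `OPENSSL_HASH`, `openssl_##name##_init` silently returns when `EVP_MD_CTX_new()` fails, leaving `ctx->evp` NULL for `openssl_hash_update` and `openssl_##name##_digest` to dereference; `abort();` in place of `return;` fails loudly at the source instead. The macro also allocates a fresh `EVP_MD_CTX` on every init and nothing in the table frees it, so if a context is initialised more than once (presumably the benchmark's hash loop does — not visible here) each extra init leaks one. A one-line comment above the macro explaining that `NAME` is the OpenSSL size-macro prefix (`SHA` for sha1) and `name` the `EVP_*` function suffix would help, since the `OPENSSL_HASH(SHA, sha1)` pairing is surprising at first read.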
@@ -63,7 +63,7 @@ const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); - aes_set_encrypt_key(&ctx->aes.ctx, AES_KEY_SIZE, aes_key); + aes256_set_encrypt_key(&ctx->aes.ctx, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } @@ -136,7 +136,7 @@ size += padding; buffer[size - 1] = padding; - CBC_ENCRYPT(&ctx->aes, aes_encrypt, size, buffer, buffer); + CBC_ENCRYPT(&ctx->aes, aes256_encrypt, size, buffer, buffer); assert (size + SHA1_DIGEST_SIZE <= sizeof(buffer)); @@ -151,7 +151,7 @@ return 1; } - CBC_ENCRYPT(&ctx->aes, aes_encrypt, size, buffer, buffer); + CBC_ENCRYPT(&ctx->aes, aes256_encrypt, size, buffer, buffer); if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); diff -Nru nettle-3.4.1/examples/rsa-session.h nettle-3.7.3/examples/rsa-session.h --- nettle-3.4.1/examples/rsa-session.h 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/rsa-session.h 2021-06-06 20:06:30.000000000 +0000 @@ -25,10 +25,10 @@ uint8_t iv[AES_BLOCK_SIZE]; uint8_t hmac_key[SHA1_DIGEST_SIZE]; - of size (4 + AES_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) = 72 + of size (4 + AES256_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) = 72 bytes, encrypted using rsa-pkcs1. - The cleartext input is encrypted using aes-cbc. The final block is + The cleartext input is encrypted using aes256-cbc. The final block is padded as | data | random octets | padding length | @@ -39,7 +39,7 @@ struct rsa_session { - struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; + struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; struct hmac_sha1_ctx hmac; struct yarrow256_ctx yarrow; }; 
@@ -47,13 +47,13 @@ struct rsa_session_info { /* Version followed by aes key, iv and mac key */ - uint8_t key[4 + AES_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE]; + uint8_t key[4 + AES256_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE]; }; #define SESSION_VERSION(s) ((s)->key) #define SESSION_AES_KEY(s) ((s)->key + 4) -#define SESSION_IV(s) ((s)->key + 4 + AES_KEY_SIZE) -#define SESSION_HMAC_KEY(s) ((s)->key + 4 + AES_KEY_SIZE + AES_BLOCK_SIZE) +#define SESSION_IV(s) ((s)->key + 4 + AES256_KEY_SIZE) +#define SESSION_HMAC_KEY(s) ((s)->key + 4 + AES256_KEY_SIZE + AES_BLOCK_SIZE) void rsa_session_set_encrypt_key(struct rsa_session *ctx, diff -Nru nettle-3.4.1/examples/setup-env nettle-3.7.3/examples/setup-env --- nettle-3.4.1/examples/setup-env 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/setup-env 2021-06-06 20:06:30.000000000 +0000 @@ -2,15 +2,6 @@ set -e -# Workaround, it seems difficult to convince wine to put ../lib into PATH. -case "$EMULATOR" in - wine*) - for f in ../.lib/*.dll ; do - ln -sf "$f" . - done - ;; -esac - if [ -x rsa-keygen$EXEEXT ] ; then $EMULATOR ./rsa-keygen -r rsa-decrypt$EXEEXT -o testkey || exit 1 fi diff -Nru nettle-3.4.1/examples/teardown-env nettle-3.7.3/examples/teardown-env --- nettle-3.4.1/examples/teardown-env 2018-12-04 20:56:07.000000000 +0000 +++ nettle-3.7.3/examples/teardown-env 2021-06-06 20:06:30.000000000 +0000 @@ -3,9 +3,3 @@ rm -rf testkey testkey.pub testsignature testsignature2 \ testdata testtmp \ testciphertext testcleartext - -case "$EMULATOR" in - wine*) - find . -type l -name '*.dll' -exec rm -f '{}' ';' - ;; -esac diff -Nru nettle-3.4.1/fat-arm.c nettle-3.7.3/fat-arm.c --- nettle-3.4.1/fat-arm.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/fat-arm.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,6 +43,8 @@ #include "nettle-types.h" #include "aes-internal.h" +#include "chacha-internal.h" +#include "salsa20-internal.h" #include "fat-setup.h" struct arm_features 
@@ -143,11 +145,11 @@ DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, arm) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, armv6) -DECLARE_FAT_FUNC(_nettle_salsa20_core, salsa20_core_func) -DECLARE_FAT_FUNC_VAR(salsa20_core, salsa20_core_func, c) -DECLARE_FAT_FUNC_VAR(salsa20_core, salsa20_core_func, neon) +DECLARE_FAT_FUNC(_nettle_salsa20_crypt, salsa20_crypt_func) +DECLARE_FAT_FUNC_VAR(salsa20_crypt, salsa20_crypt_func, 1core) +DECLARE_FAT_FUNC_VAR(salsa20_crypt, salsa20_crypt_func, 2core) -DECLARE_FAT_FUNC(_nettle_sha1_compress, sha1_compress_func) +DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, armv6) @@ -171,6 +173,14 @@ DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, c); DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, neon); +DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) +DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) +DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 3core) + +DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) +DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) +DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 3core) + static void CONSTRUCTOR fat_init (void) { @@ -191,7 +201,7 @@ fprintf (stderr, "libnettle: enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_armv6; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_armv6; - _nettle_sha1_compress_vec = _nettle_sha1_compress_armv6; + nettle_sha1_compress_vec = _nettle_sha1_compress_armv6; _nettle_sha256_compress_vec = _nettle_sha256_compress_armv6; } else 
@@ -200,28 +210,32 @@ fprintf (stderr, "libnettle: not enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_arm; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_arm; - _nettle_sha1_compress_vec = _nettle_sha1_compress_c; + nettle_sha1_compress_vec = _nettle_sha1_compress_c; _nettle_sha256_compress_vec = _nettle_sha256_compress_c; } if (features.have_neon) { if (verbose) fprintf (stderr, "libnettle: enabling neon code.\n"); - _nettle_salsa20_core_vec = _nettle_salsa20_core_neon; + _nettle_salsa20_crypt_vec = _nettle_salsa20_crypt_2core; _nettle_sha512_compress_vec = _nettle_sha512_compress_neon; nettle_sha3_permute_vec = _nettle_sha3_permute_neon; _nettle_umac_nh_vec = _nettle_umac_nh_neon; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_neon; + nettle_chacha_crypt_vec = _nettle_chacha_crypt_3core; + nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_3core; } else { if (verbose) fprintf (stderr, "libnettle: not enabling neon code.\n"); - _nettle_salsa20_core_vec = _nettle_salsa20_core_c; + _nettle_salsa20_crypt_vec = _nettle_salsa20_crypt_1core; _nettle_sha512_compress_vec = _nettle_sha512_compress_c; nettle_sha3_permute_vec = _nettle_sha3_permute_c; _nettle_umac_nh_vec = _nettle_umac_nh_c; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_c; + nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; + nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; } } @@ -239,11 +253,13 @@ const uint8_t *src), (rounds, keys, T, length, dst, src)) -DEFINE_FAT_FUNC(_nettle_salsa20_core, void, - (uint32_t *dst, const uint32_t *src, unsigned rounds), - (dst, src, rounds)) +DEFINE_FAT_FUNC(_nettle_salsa20_crypt, void, + (struct salsa20_ctx *ctx, unsigned rounds, + size_t length, uint8_t *dst, + const uint8_t *src), + (ctx, rounds, length, dst, src)) -DEFINE_FAT_FUNC(_nettle_sha1_compress, void, +DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) 
@@ -267,3 +283,16 @@ unsigned length, const uint8_t *msg), (out, n, key, length, msg)) +DEFINE_FAT_FUNC(nettle_chacha_crypt, void, + (struct chacha_ctx *ctx, + size_t length, + uint8_t *dst, + const uint8_t *src), + (ctx, length, dst, src)) + +DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, + (struct chacha_ctx *ctx, + size_t length, + uint8_t *dst, + const uint8_t *src), + (ctx, length, dst, src)) diff -Nru nettle-3.4.1/fat-ppc.c nettle-3.7.3/fat-ppc.c --- nettle-3.4.1/fat-ppc.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/fat-ppc.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,272 @@ +/* fat-ppc.c + + Copyright (C) 2020 Mamone Tarsha + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#define _GNU_SOURCE + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include +#include + +#if defined(_AIX) +# include +#elif defined(__linux__) && defined(__GLIBC__) && defined(__GLIBC_PREREQ) +# if __GLIBC_PREREQ(2, 16) +# define USE_GETAUXVAL 1 +# include +# include +# endif +#elif defined(__FreeBSD__) +# include +# ifdef PPC_FEATURE2_HAS_VEC_CRYPTO +# define PPC_FEATURE2_VEC_CRYPTO PPC_FEATURE2_HAS_VEC_CRYPTO +# endif +# if __FreeBSD__ >= 12 +# include +# else +# include +# endif +#endif + +#include "nettle-types.h" + +#include "aes-internal.h" +#include "chacha-internal.h" +#include "gcm.h" +#include "gcm-internal.h" +#include "fat-setup.h" + +/* Defines from arch/powerpc/include/uapi/asm/cputable.h in Linux kernel */ +#ifndef PPC_FEATURE_HAS_ALTIVEC +#define PPC_FEATURE_HAS_ALTIVEC 0x10000000 +#endif +#ifndef PPC_FEATURE_HAS_VSX +#define PPC_FEATURE_HAS_VSX 0x00000080 +#endif +#ifndef PPC_FEATURE2_VEC_CRYPTO +#define PPC_FEATURE2_VEC_CRYPTO 
0x02000000 +#endif + +struct ppc_features +{ + int have_crypto_ext; + int have_altivec; +}; + +#define MATCH(s, slen, literal, llen) \ + ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) + +static void +get_ppc_features (struct ppc_features *features) +{ + const char *s; + features->have_crypto_ext = 0; + features->have_altivec = 0; + + s = secure_getenv (ENV_OVERRIDE); + if (s) + for (;;) + { + const char *sep = strchr (s, ','); + size_t length = sep ? (size_t) (sep - s) : strlen(s); + + if (MATCH (s, length, "crypto_ext", 10)) + features->have_crypto_ext = 1; + else if (MATCH(s, length, "altivec", 7)) + features->have_altivec = 1; + if (!sep) + break; + s = sep + 1; + } + else + { +#if defined(_AIX) + features->have_crypto_ext + = _system_configuration.implementation >= 0x10000u; + features->have_altivec = _system_configuration.vmx_version > 1; +#else + unsigned long hwcap = 0; + unsigned long hwcap2 = 0; +# if USE_GETAUXVAL + hwcap = getauxval(AT_HWCAP); + hwcap2 = getauxval(AT_HWCAP2); +# elif defined(__FreeBSD__) +# if __FreeBSD__ >= 12 + elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)); + elf_aux_info(AT_HWCAP2, &hwcap2, sizeof(hwcap2)); +# else + size_t len; + len = sizeof(hwcap); + sysctlbyname("hw.cpu_features", &hwcap, &len, NULL, 0); + len = sizeof(hwcap2); + sysctlbyname("hw.cpu_features2", &hwcap2, &len, NULL, 0); +# endif +# endif + features->have_crypto_ext + = ((hwcap2 & PPC_FEATURE2_VEC_CRYPTO) == PPC_FEATURE2_VEC_CRYPTO); + + /* We also need VSX instructions, mainly for load and store. 
*/ + features->have_altivec + = ((hwcap & (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX)) + == (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX)); +#endif + } +} + +DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) +DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, c) +DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, ppc64) + +DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) +DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, c) +DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, ppc64) + +#if GCM_TABLE_BITS == 8 +DECLARE_FAT_FUNC(_nettle_gcm_init_key, gcm_init_key_func) +DECLARE_FAT_FUNC_VAR(gcm_init_key, gcm_init_key_func, c) +DECLARE_FAT_FUNC_VAR(gcm_init_key, gcm_init_key_func, ppc64) + +DECLARE_FAT_FUNC(_nettle_gcm_hash, gcm_hash_func) +DECLARE_FAT_FUNC_VAR(gcm_hash, gcm_hash_func, c) +DECLARE_FAT_FUNC_VAR(gcm_hash, gcm_hash_func, ppc64) +#endif /* GCM_TABLE_BITS == 8 */ + +DECLARE_FAT_FUNC(_nettle_chacha_core, chacha_core_func) +DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, c); +DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, altivec); + +DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) +DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) +DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 3core) + +DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) +DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) +DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 3core) + +static void CONSTRUCTOR +fat_init (void) +{ + struct ppc_features features; + int verbose; + + get_ppc_features (&features); + + verbose = getenv (ENV_VERBOSE) != NULL; + if (verbose) + fprintf (stderr, "libnettle: cpu features: %s\n", + features.have_crypto_ext ? 
"crypto extensions" : ""); + + if (features.have_crypto_ext) + { + if (verbose) + fprintf (stderr, "libnettle: enabling arch 2.07 code.\n"); + _nettle_aes_encrypt_vec = _nettle_aes_encrypt_ppc64; + _nettle_aes_decrypt_vec = _nettle_aes_decrypt_ppc64; +#if GCM_TABLE_BITS == 8 + /* Make sure _nettle_gcm_init_key_vec function is compatible + with _nettle_gcm_hash_vec function e.g. _nettle_gcm_init_key_c() + fills gcm_key table with values that are incompatible with + _nettle_gcm_hash_ppc64() */ + _nettle_gcm_init_key_vec = _nettle_gcm_init_key_ppc64; + _nettle_gcm_hash_vec = _nettle_gcm_hash_ppc64; +#endif /* GCM_TABLE_BITS == 8 */ + } + else + { + _nettle_aes_encrypt_vec = _nettle_aes_encrypt_c; + _nettle_aes_decrypt_vec = _nettle_aes_decrypt_c; +#if GCM_TABLE_BITS == 8 + _nettle_gcm_init_key_vec = _nettle_gcm_init_key_c; + _nettle_gcm_hash_vec = _nettle_gcm_hash_c; +#endif /* GCM_TABLE_BITS == 8 */ + } + if (features.have_altivec) + { + if (verbose) + fprintf (stderr, "libnettle: enabling altivec code.\n"); + _nettle_chacha_core_vec = _nettle_chacha_core_altivec; + nettle_chacha_crypt_vec = _nettle_chacha_crypt_4core; + nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_4core; + } + else + { + _nettle_chacha_core_vec = _nettle_chacha_core_c; + nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; + nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; + } +} + +DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, + (unsigned rounds, const uint32_t *keys, + const struct aes_table *T, + size_t length, uint8_t *dst, + const uint8_t *src), + (rounds, keys, T, length, dst, src)) + +DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, + (unsigned rounds, const uint32_t *keys, + const struct aes_table *T, + size_t length, uint8_t *dst, + const uint8_t *src), + (rounds, keys, T, length, dst, src)) + +#if GCM_TABLE_BITS == 8 +DEFINE_FAT_FUNC(_nettle_gcm_init_key, void, + (union nettle_block16 *table), + (table)) + +DEFINE_FAT_FUNC(_nettle_gcm_hash, void, + (const struct gcm_key *key, union 
nettle_block16 *x, + size_t length, const uint8_t *data), + (key, x, length, data)) +#endif /* GCM_TABLE_BITS == 8 */ + +DEFINE_FAT_FUNC(_nettle_chacha_core, void, + (uint32_t *dst, const uint32_t *src, unsigned rounds), + (dst, src, rounds)) + +DEFINE_FAT_FUNC(nettle_chacha_crypt, void, + (struct chacha_ctx *ctx, + size_t length, + uint8_t *dst, + const uint8_t *src), + (ctx, length, dst, src)) + +DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, + (struct chacha_ctx *ctx, + size_t length, + uint8_t *dst, + const uint8_t *src), + (ctx, length, dst, src)) diff -Nru nettle-3.4.1/fat-setup.h nettle-3.7.3/fat-setup.h --- nettle-3.4.1/fat-setup.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/fat-setup.h 2021-06-06 20:06:29.000000000 +0000 @@ -93,6 +93,9 @@ #define ENV_VERBOSE "NETTLE_FAT_VERBOSE" #define ENV_OVERRIDE "NETTLE_FAT_OVERRIDE" +struct chacha_ctx; +struct salsa20_ctx; + /* DECLARE_FAT_FUNC(name, ftype) * * name is the public function, e.g., _nettle_aes_encrypt. @@ -159,9 +162,18 @@ size_t length, uint8_t *dst, const uint8_t *src); +struct gcm_key; +typedef void gcm_init_key_func (union nettle_block16 *table); + +typedef void gcm_hash_func (const struct gcm_key *key, union nettle_block16 *x, + size_t length, const uint8_t *data); + typedef void *(memxor_func)(void *dst, const void *src, size_t n); typedef void salsa20_core_func (uint32_t *dst, const uint32_t *src, unsigned rounds); +typedef void salsa20_crypt_func (struct salsa20_ctx *ctx, unsigned rounds, + size_t length, uint8_t *dst, + const uint8_t *src); typedef void sha1_compress_func(uint32_t *state, const uint8_t *input); typedef void sha256_compress_func(uint32_t *state, const uint8_t *input, const uint32_t *k); 
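Review bot: The chacha selection in `fat_init` does not match the declarations above it: `DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 3core)` (and the same for `chacha_crypt32`) declares `_nettle_chacha_crypt_3core`, yet the altivec branch assigns `nettle_chacha_crypt_vec = _nettle_chacha_crypt_4core;` and `nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_4core;`, so the 3core symbols are declared but unused and the 4core ones only resolve if `chacha-internal.h` happens to declare them. Declaration and use should name the same variant; if the ppc64 assembly is the four-block version, that is `DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 4core)` and `DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 4core)`. In `get_ppc_features` the FreeBSD `elf_aux_info` / `sysctlbyname` return values are ignored, which is safe only because `hwcap` and `hwcap2` start at zero so a failed query disables the optimised paths — worth saying in a comment next to the initialisers so a later edit does not drop them. The verbose line reports only the crypto-extension state; appending `features.have_altivec ? ", altivec" : ""` would make `NETTLE_FAT_VERBOSE` output match what `fat_init` actually selects.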
@@ -174,3 +186,10 @@ typedef uint64_t umac_nh_func (const uint32_t *key, unsigned length, const uint8_t *msg); typedef void umac_nh_n_func (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); + +typedef void chacha_core_func(uint32_t *dst, const uint32_t *src, unsigned rounds); + +typedef void chacha_crypt_func(struct chacha_ctx *ctx, + size_t length, + uint8_t *dst, + const uint8_t *src); diff -Nru nettle-3.4.1/fat-x86_64.c nettle-3.7.3/fat-x86_64.c --- nettle-3.4.1/fat-x86_64.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/fat-x86_64.c 2021-06-06 20:06:29.000000000 +0000 @@ -52,6 +52,7 @@ { enum x86_vendor { X86_OTHER, X86_INTEL, X86_AMD } vendor; int have_aesni; + int have_sha_ni; }; #define SKIP(s, slen, literal, llen) \ @@ -66,6 +67,7 @@ const char *s; features->vendor = X86_OTHER; features->have_aesni = 0; + features->have_sha_ni = 0; s = secure_getenv (ENV_OVERRIDE); if (s) @@ -84,9 +86,11 @@ } else if (MATCH (s, length, "aesni", 5)) features->have_aesni = 1; + else if (MATCH (s, length, "sha_ni", 6)) + features->have_sha_ni = 1; if (!sep) break; - s = sep + 1; + s = sep + 1; } else { @@ -99,7 +103,11 @@ _nettle_cpuid (1, cpuid_data); if (cpuid_data[2] & 0x02000000) - features->have_aesni = 1; + features->have_aesni = 1; + + _nettle_cpuid (7, cpuid_data); + if (cpuid_data[1] & 0x20000000) + features->have_sha_ni = 1; } } 
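Review bot: The new `_nettle_cpuid (7, cpuid_data)` call queries CPUID leaf 7 without first checking that the processor supports it; on CPUs whose highest basic leaf is below 7, Intel parts return the data of the highest supported leaf instead, so bit 29 of EBX may be set by unrelated data, `have_sha_ni` would be enabled on hardware without SHA-NI, and the `_nettle_sha1_compress_sha_ni` / `_nettle_sha256_compress_sha_ni` selected later in `fat_init` would fault with an illegal instruction. Leaf 7 is also subleaf-indexed (ECX must be 0); whether `_nettle_cpuid` zeroes ECX is not visible here and should be confirmed. Suggested guard, alongside the existing leaf-1 query: `_nettle_cpuid (0, cpuid_data); if (cpuid_data[0] >= 7) { _nettle_cpuid (7, cpuid_data); if (cpuid_data[1] & 0x20000000) features->have_sha_ni = 1; }`. The enclosing feature-detection function starts in an earlier hunk of this file section.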
@@ -115,6 +123,14 @@ DECLARE_FAT_FUNC_VAR(memxor, memxor_func, x86_64) DECLARE_FAT_FUNC_VAR(memxor, memxor_func, sse2) +DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) +DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, x86_64) +DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, sha_ni) + +DECLARE_FAT_FUNC(_nettle_sha256_compress, sha256_compress_func) +DECLARE_FAT_FUNC_VAR(sha256_compress, sha256_compress_func, x86_64) +DECLARE_FAT_FUNC_VAR(sha256_compress, sha256_compress_func, sha_ni) + /* This function should usually be called only once, at startup. But it is idempotent, and on x86, pointer updates are atomic, so there's no danger if it is called simultaneously from multiple @@ -135,9 +151,10 @@ { const char * const vendor_names[3] = { "other", "intel", "amd" }; - fprintf (stderr, "libnettle: cpu features: vendor:%s%s\n", + fprintf (stderr, "libnettle: cpu features: vendor:%s%s%s\n", vendor_names[features.vendor], - features.have_aesni ? ",aesni" : ""); + features.have_aesni ? ",aesni" : "", + features.have_sha_ni ? ",sha_ni" : ""); } if (features.have_aesni) { @@ -154,6 +171,20 @@ _nettle_aes_decrypt_vec = _nettle_aes_decrypt_x86_64; } + if (features.have_sha_ni) + { + if (verbose) + fprintf (stderr, "libnettle: using sha_ni instructions.\n"); + nettle_sha1_compress_vec = _nettle_sha1_compress_sha_ni; + _nettle_sha256_compress_vec = _nettle_sha256_compress_sha_ni; + } + else + { + if (verbose) + fprintf (stderr, "libnettle: not using sha_ni instructions.\n"); + nettle_sha1_compress_vec = _nettle_sha1_compress_x86_64; + _nettle_sha256_compress_vec = _nettle_sha256_compress_x86_64; + } if (features.vendor == X86_INTEL) { if (verbose) 
@@ -185,3 +216,11 @@ DEFINE_FAT_FUNC(nettle_memxor, void *, (void *dst, const void *src, size_t n), (dst, src, n)) + +DEFINE_FAT_FUNC(nettle_sha1_compress, void, + (uint32_t *state, const uint8_t *input), + (state, input)) + +DEFINE_FAT_FUNC(_nettle_sha256_compress, void, + (uint32_t *state, const uint8_t *input, const uint32_t *k), + (state, input, k)) diff -Nru nettle-3.4.1/gcm-aes.c nettle-3.7.3/gcm-aes.c --- nettle-3.4.1/gcm-aes.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/gcm-aes.c 2021-06-06 20:06:29.000000000 +0000 @@ -35,6 +35,9 @@ # include "config.h" #endif +/* This file implements and uses deprecated functions */ +#define _NETTLE_ATTRIBUTE_DEPRECATED + #include "gcm.h" void diff -Nru nettle-3.4.1/gcm.c nettle-3.7.3/gcm.c --- nettle-3.4.1/gcm.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/gcm.c 2021-06-06 20:06:29.000000000 +0000 @@ -6,8 +6,9 @@ See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. - Copyright (C) 2011, 2013 Niels Möller Copyright (C) 2011 Katholieke Universiteit Leuven + Copyright (C) 2011, 2013, 2018 Niels Möller + Copyright (C) 2018 Red Hat, Inc. Contributed by Nikos Mavrogiannopoulos 
@@ -48,71 +49,24 @@ #include "gcm.h" +#include "gcm-internal.h" #include "memxor.h" #include "nettle-internal.h" #include "macros.h" +#include "ctr-internal.h" +#include "block-internal.h" -#define GHASH_POLYNOMIAL 0xE1UL - -static void -gcm_gf_add (union nettle_block16 *r, - const union nettle_block16 *x, const union nettle_block16 *y) -{ - r->w[0] = x->w[0] ^ y->w[0]; - r->w[1] = x->w[1] ^ y->w[1]; -#if SIZEOF_LONG == 4 - r->w[2] = x->w[2] ^ y->w[2]; - r->w[3] = x->w[3] ^ y->w[3]; -#endif -} -/* Multiplication by 010...0; a big-endian shift right. If the bit - shifted out is one, the defining polynomial is added to cancel it - out. r == x is allowed. */ -static void -gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) -{ - long mask; - - /* Shift uses big-endian representation. */ -#if WORDS_BIGENDIAN -# if SIZEOF_LONG == 4 - mask = - (x->w[3] & 1); - r->w[3] = (x->w[3] >> 1) | ((x->w[2] & 1) << 31); - r->w[2] = (x->w[2] >> 1) | ((x->w[1] & 1) << 31); - r->w[1] = (x->w[1] >> 1) | ((x->w[0] & 1) << 31); - r->w[0] = (x->w[0] >> 1) ^ (mask & (GHASH_POLYNOMIAL << 24)); -# elif SIZEOF_LONG == 8 - mask = - (x->w[1] & 1); - r->w[1] = (x->w[1] >> 1) | ((x->w[0] & 1) << 63); - r->w[0] = (x->w[0] >> 1) ^ (mask & (GHASH_POLYNOMIAL << 56)); -# else -# error Unsupported word size. */ +#if GCM_TABLE_BITS != 8 +/* The native implementations (currently ppc64 only) depend on the + GCM_TABLE_BITS == 8 layout */ +#undef HAVE_NATIVE_gcm_hash +#undef HAVE_NATIVE_gcm_init_key +#undef HAVE_NATIVE_fat_gcm_hash +#undef HAVE_NATIVE_fat_gcm_init_key #endif -#else /* ! 
WORDS_BIGENDIAN */ -# if SIZEOF_LONG == 4 -#define RSHIFT_WORD(x) \ - ((((x) & 0xfefefefeUL) >> 1) \ - | (((x) & 0x00010101) << 15)) - mask = - ((x->w[3] >> 24) & 1); - r->w[3] = RSHIFT_WORD(x->w[3]) | ((x->w[2] >> 17) & 0x80); - r->w[2] = RSHIFT_WORD(x->w[2]) | ((x->w[1] >> 17) & 0x80); - r->w[1] = RSHIFT_WORD(x->w[1]) | ((x->w[0] >> 17) & 0x80); - r->w[0] = RSHIFT_WORD(x->w[0]) ^ (mask & GHASH_POLYNOMIAL); -# elif SIZEOF_LONG == 8 -#define RSHIFT_WORD(x) \ - ((((x) & 0xfefefefefefefefeUL) >> 1) \ - | (((x) & 0x0001010101010101UL) << 15)) - mask = - ((x->w[1] >> 56) & 1); - r->w[1] = RSHIFT_WORD(x->w[1]) | ((x->w[0] >> 49) & 0x80); - r->w[0] = RSHIFT_WORD(x->w[0]) ^ (mask & GHASH_POLYNOMIAL); -# else -# error Unsupported word size. */ -# endif -# undef RSHIFT_WORD -#endif /* ! WORDS_BIGENDIAN */ -} -#if GCM_TABLE_BITS == 0 +#if !HAVE_NATIVE_gcm_hash +# if GCM_TABLE_BITS == 0 /* Sets x <- x * y mod r, using the plain bitwise algorithm from the specification. y may be shorter than a full block, missing bytes are assumed zero. */ @@ -133,22 +87,22 @@ for (j = 0; j < 8; j++, b <<= 1) { if (b & 0x80) - gcm_gf_add(&Z, &Z, &V); + block16_xor(&Z, &V); - gcm_gf_shift(&V, &V); + block16_mulx_ghash(&V, &V); } } memcpy (x->b, Z.b, sizeof(Z)); } -#else /* GCM_TABLE_BITS != 0 */ +# else /* GCM_TABLE_BITS != 0 */ -# if WORDS_BIGENDIAN -# define W(left,right) (0x##left##right) -# else -# define W(left,right) (0x##right##left) -# endif +# if WORDS_BIGENDIAN +# define W(left,right) (0x##left##right) +# else +# define W(left,right) (0x##right##left) +# endif -# if GCM_TABLE_BITS == 4 +# if GCM_TABLE_BITS == 4 static const uint16_t shift_table[0x10] = { W(00,00),W(1c,20),W(38,40),W(24,60),W(70,80),W(6c,a0),W(48,c0),W(54,e0), 
@@ -158,45 +112,22 @@ static void gcm_gf_shift_4(union nettle_block16 *x) { - unsigned long *w = x->w; - unsigned long reduce; + uint64_t *u64 = x->u64; + uint64_t reduce; /* Shift uses big-endian representation. */ #if WORDS_BIGENDIAN -# if SIZEOF_LONG == 4 - reduce = shift_table[w[3] & 0xf]; - w[3] = (w[3] >> 4) | ((w[2] & 0xf) << 28); - w[2] = (w[2] >> 4) | ((w[1] & 0xf) << 28); - w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 28); - w[0] = (w[0] >> 4) ^ (reduce << 16); -# elif SIZEOF_LONG == 8 - reduce = shift_table[w[1] & 0xf]; - w[1] = (w[1] >> 4) | ((w[0] & 0xf) << 60); - w[0] = (w[0] >> 4) ^ (reduce << 48); -# else -# error Unsupported word size. */ -#endif + reduce = shift_table[u64[1] & 0xf]; + u64[1] = (u64[1] >> 4) | ((u64[0] & 0xf) << 60); + u64[0] = (u64[0] >> 4) ^ (reduce << 48); #else /* ! WORDS_BIGENDIAN */ -# if SIZEOF_LONG == 4 -#define RSHIFT_WORD(x) \ - ((((x) & 0xf0f0f0f0UL) >> 4) \ - | (((x) & 0x000f0f0f) << 12)) - reduce = shift_table[(w[3] >> 24) & 0xf]; - w[3] = RSHIFT_WORD(w[3]) | ((w[2] >> 20) & 0xf0); - w[2] = RSHIFT_WORD(w[2]) | ((w[1] >> 20) & 0xf0); - w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 20) & 0xf0); - w[0] = RSHIFT_WORD(w[0]) ^ reduce; -# elif SIZEOF_LONG == 8 -#define RSHIFT_WORD(x) \ - ((((x) & 0xf0f0f0f0f0f0f0f0UL) >> 4) \ - | (((x) & 0x000f0f0f0f0f0f0fUL) << 12)) - reduce = shift_table[(w[1] >> 56) & 0xf]; - w[1] = RSHIFT_WORD(w[1]) | ((w[0] >> 52) & 0xf0); - w[0] = RSHIFT_WORD(w[0]) ^ reduce; -# else -# error Unsupported word size. */ -# endif -# undef RSHIFT_WORD +# define RSHIFT_WORD_4(x) \ + ((((x) & UINT64_C(0xf0f0f0f0f0f0f0f0)) >> 4) \ + | (((x) & UINT64_C(0x000f0f0f0f0f0f0f)) << 12)) + reduce = shift_table[(u64[1] >> 56) & 0xf]; + u64[1] = RSHIFT_WORD_4(u64[1]) | ((u64[0] >> 52) & 0xf0); + u64[0] = RSHIFT_WORD_4(u64[0]) ^ reduce; +# undef RSHIFT_WORD_4 #endif /* ! WORDS_BIGENDIAN */ } 
@@ -213,20 +144,20 @@ uint8_t b = x->b[i]; gcm_gf_shift_4(&Z); - gcm_gf_add(&Z, &Z, &table[b & 0xf]); + block16_xor(&Z, &table[b & 0xf]); gcm_gf_shift_4(&Z); - gcm_gf_add(&Z, &Z, &table[b >> 4]); + block16_xor(&Z, &table[b >> 4]); } memcpy (x->b, Z.b, sizeof(Z)); } -# elif GCM_TABLE_BITS == 8 -# if HAVE_NATIVE_gcm_hash8 +# elif GCM_TABLE_BITS == 8 +# if HAVE_NATIVE_gcm_hash8 -#define gcm_hash _nettle_gcm_hash8 +#define _nettle_gcm_hash _nettle_gcm_hash8 void _nettle_gcm_hash8 (const struct gcm_key *key, union nettle_block16 *x, size_t length, const uint8_t *data); -# else /* !HAVE_NATIVE_gcm_hash8 */ +# else /* !HAVE_NATIVE_gcm_hash8 */ static const uint16_t shift_table[0x100] = { W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e), 
@@ -266,38 +197,17 @@ static void gcm_gf_shift_8(union nettle_block16 *x) { - unsigned long *w = x->w; - unsigned long reduce; + uint64_t reduce; /* Shift uses big-endian representation. */ #if WORDS_BIGENDIAN -# if SIZEOF_LONG == 4 - reduce = shift_table[w[3] & 0xff]; - w[3] = (w[3] >> 8) | ((w[2] & 0xff) << 24); - w[2] = (w[2] >> 8) | ((w[1] & 0xff) << 24); - w[1] = (w[1] >> 8) | ((w[0] & 0xff) << 24); - w[0] = (w[0] >> 8) ^ (reduce << 16); -# elif SIZEOF_LONG == 8 - reduce = shift_table[w[1] & 0xff]; - w[1] = (w[1] >> 8) | ((w[0] & 0xff) << 56); - w[0] = (w[0] >> 8) ^ (reduce << 48); -# else -# error Unsupported word size. */ -#endif + reduce = shift_table[x->u64[1] & 0xff]; + x->u64[1] = (x->u64[1] >> 8) | ((x->u64[0] & 0xff) << 56); + x->u64[0] = (x->u64[0] >> 8) ^ (reduce << 48); #else /* ! WORDS_BIGENDIAN */ -# if SIZEOF_LONG == 4 - reduce = shift_table[(w[3] >> 24) & 0xff]; - w[3] = (w[3] << 8) | (w[2] >> 24); - w[2] = (w[2] << 8) | (w[1] >> 24); - w[1] = (w[1] << 8) | (w[0] >> 24); - w[0] = (w[0] << 8) ^ reduce; -# elif SIZEOF_LONG == 8 - reduce = shift_table[(w[1] >> 56) & 0xff]; - w[1] = (w[1] << 8) | (w[0] >> 56); - w[0] = (w[0] << 8) ^ reduce; -# else -# error Unsupported word size. */ -# endif + reduce = shift_table[(x->u64[1] >> 56) & 0xff]; + x->u64[1] = (x->u64[1] << 8) | (x->u64[0] >> 56); + x->u64[0] = (x->u64[0] << 8) ^ reduce; #endif /* ! WORDS_BIGENDIAN */ } 
@@ -312,23 +222,51 @@ for (i = GCM_BLOCK_SIZE-2; i > 0; i--) { gcm_gf_shift_8(&Z); - gcm_gf_add(&Z, &Z, &table[x->b[i]]); + block16_xor(&Z, &table[x->b[i]]); } gcm_gf_shift_8(&Z); - gcm_gf_add(x, &Z, &table[x->b[0]]); + block16_xor3(x, &Z, &table[x->b[0]]); } -# endif /* ! HAVE_NATIVE_gcm_hash8 */ -# else /* GCM_TABLE_BITS != 8 */ -# error Unsupported table size. -# endif /* GCM_TABLE_BITS != 8 */ +# endif /* ! HAVE_NATIVE_gcm_hash8 */ +# else /* GCM_TABLE_BITS != 8 */ +# error Unsupported table size. +# endif /* GCM_TABLE_BITS != 8 */ + +# undef W +# endif /* GCM_TABLE_BITS != 0 */ +#endif /* !HAVE_NATIVE_gcm_hash */ -#undef W - -#endif /* GCM_TABLE_BITS */ /* Increment the rightmost 32 bits. */ #define INC32(block) INCREMENT(4, (block.b) + GCM_BLOCK_SIZE - 4) +#if !HAVE_NATIVE_gcm_init_key +# if !HAVE_NATIVE_fat_gcm_hash +# define _nettle_gcm_init_key _nettle_gcm_init_key_c +static +# endif +void +_nettle_gcm_init_key_c(union nettle_block16 *table) +{ +#if GCM_TABLE_BITS + /* Middle element if GCM_TABLE_BITS > 0, otherwise the first + element */ + unsigned i = (1<h[0].b, 0, GCM_BLOCK_SIZE); f (cipher, GCM_BLOCK_SIZE, key->h[i].b, key->h[0].b); - -#if GCM_TABLE_BITS - /* Algorithm 3 from the gcm paper. First do powers of two, then do - the rest by adding. */ - while (i /= 2) - gcm_gf_shift(&key->h[i], &key->h[2*i]); - for (i = 2; i < 1<h[i+j], &key->h[i],&key->h[j]); - } -#endif + + _nettle_gcm_init_key(key->h); } -#ifndef gcm_hash -static void -gcm_hash(const struct gcm_key *key, union nettle_block16 *x, - size_t length, const uint8_t *data) +#if !(HAVE_NATIVE_gcm_hash || HAVE_NATIVE_gcm_hash8) +# if !HAVE_NATIVE_fat_gcm_hash +# define _nettle_gcm_hash _nettle_gcm_hash_c +static +# endif +void +_nettle_gcm_hash_c(const struct gcm_key *key, union nettle_block16 *x, + size_t length, const uint8_t *data) { for (; length >= GCM_BLOCK_SIZE; length -= GCM_BLOCK_SIZE, data += GCM_BLOCK_SIZE) 
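Review bot: The relocated portable GHASH — `gcm_gf_mul` with its `block16_xor(&Z, &table[x->b[i]])` lookups and the `_nettle_gcm_hash_c` loop that calls it — indexes the key-derived table with bytes of the running hash value, so its memory access pattern depends on secret data; that is the well-known cache-timing weakness of table-driven GHASH, and nothing in the hunk says so. Now that this code becomes the fallback behind the `_nettle_gcm_hash` dispatch, a comment at `_nettle_gcm_hash_c` would help integrators choose: `/* Portable table-driven GHASH. Table lookups are indexed by secret-dependent bytes, so this path is not constant-time; prefer the native/fat implementations where available. */`. The hunk text is garbled in this view (`unsigned i = (1<h[0].b, 0, GCM_BLOCK_SIZE);` has lost everything between the shift and the `memset`, apparently including the header of the following `gcm_set_key` hunk), so the table-size computation in `_nettle_gcm_init_key_c` could not be reviewed; `_nettle_gcm_hash_c` itself continues into the next hunk.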
@@ -377,7 +308,7 @@ gcm_gf_mul (x, key->h); } } -#endif /* !gcm_hash */ +#endif /* !(HAVE_NATIVE_gcm_hash || HAVE_NATIVE_gcm_hash8) */ static void gcm_hash_sizes(const struct gcm_key *key, union nettle_block16 *x, @@ -391,7 +322,7 @@ WRITE_UINT64 (buffer, auth_size); WRITE_UINT64 (buffer + 8, data_size); - gcm_hash(key, x, GCM_BLOCK_SIZE, buffer); + _nettle_gcm_hash(key, x, GCM_BLOCK_SIZE, buffer); } /* NOTE: The key is needed only if length != GCM_IV_SIZE */ @@ -410,7 +341,7 @@ else { memset(ctx->iv.b, 0, GCM_BLOCK_SIZE); - gcm_hash(key, &ctx->iv, length, iv); + _nettle_gcm_hash(key, &ctx->iv, length, iv); gcm_hash_sizes(key, &ctx->iv, 0, length); } 
@@ -429,47 +360,68 @@ assert(ctx->auth_size % GCM_BLOCK_SIZE == 0); assert(ctx->data_size == 0); - gcm_hash(key, &ctx->x, length, data); + _nettle_gcm_hash(key, &ctx->x, length, data); ctx->auth_size += length; } +static nettle_fill16_func gcm_fill; +#if WORDS_BIGENDIAN static void -gcm_crypt(struct gcm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) +gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { - uint8_t buffer[GCM_BLOCK_SIZE]; + uint64_t hi, mid; + uint32_t lo; + size_t i; + hi = READ_UINT64(ctr); + mid = (uint64_t) READ_UINT32(ctr + 8) << 32; + lo = READ_UINT32(ctr + 12); - if (src != dst) + for (i = 0; i < blocks; i++) { - for (; length >= GCM_BLOCK_SIZE; - (length -= GCM_BLOCK_SIZE, - src += GCM_BLOCK_SIZE, dst += GCM_BLOCK_SIZE)) - { - f (cipher, GCM_BLOCK_SIZE, dst, ctx->ctr.b); - memxor (dst, src, GCM_BLOCK_SIZE); - INC32 (ctx->ctr); - } + buffer[i].u64[0] = hi; + buffer[i].u64[1] = mid + lo++; } - else + WRITE_UINT32(ctr + 12, lo); + +} +#elif HAVE_BUILTIN_BSWAP64 +/* Assume __builtin_bswap32 is also available */ +static void +gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) +{ + uint64_t hi, mid; + uint32_t lo; + size_t i; + hi = LE_READ_UINT64(ctr); + mid = LE_READ_UINT32(ctr + 8); + lo = READ_UINT32(ctr + 12); + + for (i = 0; i < blocks; i++) { - for (; length >= GCM_BLOCK_SIZE; - (length -= GCM_BLOCK_SIZE, - src += GCM_BLOCK_SIZE, dst += GCM_BLOCK_SIZE)) - { - f (cipher, GCM_BLOCK_SIZE, buffer, ctx->ctr.b); - memxor3 (dst, src, buffer, GCM_BLOCK_SIZE); - INC32 (ctx->ctr); - } + buffer[i].u64[0] = hi; + buffer[i].u64[1] = mid + ((uint64_t)__builtin_bswap32(lo) << 32); + lo++; } - if (length > 0) + WRITE_UINT32(ctr + 12, lo); +} +#else +static void +gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) +{ + uint32_t c; + + c = READ_UINT32(ctr + GCM_BLOCK_SIZE - 4); + + for (; blocks-- > 0; buffer++, c++) { - /* A final partial block */ - f 
(cipher, GCM_BLOCK_SIZE, buffer, ctx->ctr.b); - memxor3 (dst, src, buffer, length); - INC32 (ctx->ctr); + memcpy(buffer->b, ctr, GCM_BLOCK_SIZE - 4); + WRITE_UINT32(buffer->b + GCM_BLOCK_SIZE - 4, c); } + + WRITE_UINT32(ctr + GCM_BLOCK_SIZE - 4, c); } +#endif void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, @@ -478,8 +430,8 @@ { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); - gcm_crypt(ctx, cipher, f, length, dst, src); - gcm_hash(key, &ctx->x, length, dst); + _nettle_ctr_crypt16(cipher, f, gcm_fill, ctx->ctr.b, length, dst, src); + _nettle_gcm_hash(key, &ctx->x, length, dst); ctx->data_size += length; } @@ -491,8 +443,8 @@ { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); - gcm_hash(key, &ctx->x, length, src); - gcm_crypt(ctx, cipher, f, length, dst, src); + _nettle_gcm_hash(key, &ctx->x, length, src); + _nettle_ctr_crypt16(cipher, f, gcm_fill, ctx->ctr.b, length, dst, src); ctx->data_size += length; } diff -Nru nettle-3.4.1/gcm.h nettle-3.7.3/gcm.h --- nettle-3.4.1/gcm.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/gcm.h 2021-06-06 20:06:29.000000000 +0000 
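Review bot: The three `gcm_fill` variants carry no comment stating the contract they share, which a reader switching between the endianness branches needs: fill `blocks` consecutive counter blocks into `buffer` and store the advanced counter back into the last four bytes of `ctr`, with only the rightmost 32 bits incremented and wrapping modulo 2^32 (the same rule as the `INC32` macro kept earlier in the file). A comment above the forward declaration `static nettle_fill16_func gcm_fill;` along the lines of `/* Fill BLOCKS counter blocks from CTR, incrementing only the rightmost 32 bits (wrapping), and write the updated counter back to CTR. Three implementations follow, selected by endianness. */` would cover all three. Because of the wrap, the counter block values repeat after 2^32 blocks under one IV; nothing in this hunk bounds that, and the caller `_nettle_ctr_crypt16` is not visible here, so if the limit is enforced elsewhere the comment should say where. Minor: the big-endian variant has a stray blank line between `WRITE_UINT32(ctr + 12, lo);` and its closing brace that the other two variants do not.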
@@ -261,31 +261,34 @@ gcm_aes256_digest(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest); -/* Old aes interface, for backwards compatibility */ +/* Old deprecated aes interface, for backwards compatibility */ struct gcm_aes_ctx GCM_CTX(struct aes_ctx); void gcm_aes_set_key(struct gcm_aes_ctx *ctx, - size_t length, const uint8_t *key); + size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_set_iv(struct gcm_aes_ctx *ctx, - size_t length, const uint8_t *iv); + size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_update(struct gcm_aes_ctx *ctx, - size_t length, const uint8_t *data); + size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); + size_t length, uint8_t *dst, const uint8_t *src) + _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_decrypt(struct gcm_aes_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); + size_t length, uint8_t *dst, const uint8_t *src) + _NETTLE_ATTRIBUTE_DEPRECATED; void -gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest); +gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest) + _NETTLE_ATTRIBUTE_DEPRECATED; struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx); diff -Nru nettle-3.4.1/gcm-internal.h nettle-3.7.3/gcm-internal.h --- nettle-3.4.1/gcm-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/gcm-internal.h 2021-06-06 20:06:29.000000000 +0000 
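Review bot: The updated comment `/* Old deprecated aes interface, for backwards compatibility */` now goes with `_NETTLE_ATTRIBUTE_DEPRECATED` on every `gcm_aes_*` declaration but does not tell callers what to migrate to, so the compiler warning they will get is not actionable from the header alone. The context line above shows `gcm_aes256_digest`, so naming that family is enough, e.g. `/* Old deprecated aes interface, for backwards compatibility. New code should use the fixed key size gcm_aes256_* functions (or their siblings). */`.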
@@ -0,0 +1,54 @@
+/* gcm-internal.h
+
+ Copyright (C) 2020 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_GCM_INTERNAL_H_INCLUDED
+#define NETTLE_GCM_INTERNAL_H_INCLUDED
+
+/* Functions available only in some configurations */
+void
+_nettle_gcm_init_key (union nettle_block16 *table);
+
+void
+_nettle_gcm_hash(const struct gcm_key *key, union nettle_block16 *x,
+ size_t length, const uint8_t *data);
+
+#if HAVE_NATIVE_fat_gcm_init_key
+void
+_nettle_gcm_init_key_c (union nettle_block16 *table);
+#endif
+
+#if HAVE_NATIVE_fat_gcm_hash
+void
+_nettle_gcm_hash_c (const struct gcm_key *key, union nettle_block16 *x,
+ size_t length, const uint8_t *data);
+#endif
+
+#endif /* NETTLE_GCM_INTERNAL_H_INCLUDED */
diff -Nru nettle-3.4.1/gmp-glue.c nettle-3.7.3/gmp-glue.c
--- nettle-3.4.1/gmp-glue.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/gmp-glue.c 2021-06-06 20:06:29.000000000 +0000
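Review bot: gcm-internal.h uses `union nettle_block16`, `struct gcm_key`, `size_t` and `uint8_t` but includes nothing, so it compiles only when the including file has already pulled in gcm.h; that ordering requirement should be stated or removed, either with `#include "gcm.h"` after the guard or a comment `/* Must be included after gcm.h, which provides struct gcm_key and union nettle_block16. */`. The comment `/* Functions available only in some configurations */` would be more useful if it said which: judging from the gcm.c hunk in this diff, `_nettle_gcm_init_key` and `_nettle_gcm_hash` are macros for the `_c` fallbacks in non-fat builds and real symbols only when the `HAVE_NATIVE_fat_*` macros are set. Neither prototype documents its contract; from the gcm.c hunk, `_nettle_gcm_init_key` appears to expect `table` to already hold H in the element the caller filled and to fill in the remaining entries, and `_nettle_gcm_hash` absorbs `length` bytes of `data` into the accumulator `x` — a line on each declaration saying so would let callers use the header without reading gcm.c.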
@@ -39,87 +39,54 @@ #include "gmp-glue.h" -#if !GMP_HAVE_mpz_limbs_read - -/* This implementation tries to make a minimal use of GMP internals. - We access and _mp_size and _mp_d, but not _mp_alloc. */ - -/* Use macros compatible with gmp-impl.h. */ -#define ABS(x) ((x) >= 0 ? (x) : -(x)) -#define PTR(x) ((x)->_mp_d) -#define SIZ(x) ((x)->_mp_size) -#define ABSIZ(x) ABS (SIZ (x)) - -#define MPN_NORMALIZE(xp, xn) do { \ - while ( (xn) > 0 && (xp)[xn-1] == 0) \ - (xn)--; \ - } while (0) - -/* NOTE: Makes an unnecessary realloc if allocation is already large - enough, but looking at _mp_alloc may break in future GMP - versions. */ -#define MPZ_REALLOC(x, n) \ - (ABSIZ(x) >= (n) ? PTR(x) : (_mpz_realloc ((x),(n)), PTR (x))) - -#define MPZ_NEWALLOC MPZ_REALLOC - -/* Read access to mpz numbers. */ - -/* Return limb pointer, for read-only operations. Use mpz_size to get - the number of limbs. */ -const mp_limb_t * -mpz_limbs_read (mpz_srcptr x) +#if NETTLE_USE_MINI_GMP +mp_limb_t +mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n) { - return PTR (x); -} - -/* Write access to mpz numbers. */ + mp_limb_t cy, mask; + mp_size_t i; -/* Get a limb pointer for writing, previous contents may be - destroyed. */ -mp_limb_t * -mpz_limbs_write (mpz_ptr x, mp_size_t n) -{ - assert (n > 0); - return MPZ_NEWALLOC (x, n); -} + mask = -(mp_limb_t) (cnd != 0); -/* Get a limb pointer for writing, previous contents is intact. 
*/ -mp_limb_t * -mpz_limbs_modify (mpz_ptr x, mp_size_t n) -{ - assert (n > 0); - return MPZ_REALLOC (x, n); + for (i = 0, cy = 0; i < n; i++) + { + mp_limb_t rl = ap[i] + cy; + mp_limb_t bl = bp[i] & mask; + cy = (rl < cy); + rl += bl; + cy += (rl < bl); + rp[i] = rl; + } + return cy; } -void -mpz_limbs_finish (mpz_ptr x, mp_size_t n) +mp_limb_t +mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n) { - assert (n >= 0); - MPN_NORMALIZE (PTR(x), n); + mp_limb_t cy, mask; + mp_size_t i; - SIZ (x) = n; -} + mask = -(mp_limb_t) (cnd != 0); -/* Needs some ugly casts. */ -mpz_srcptr -mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs) -{ - mp_size_t xn = ABS (xs); - - MPN_NORMALIZE (xp, xn); - - x->_mp_size = xs < 0 ? -xn : xn; - x->_mp_alloc = 0; - x->_mp_d = (mp_limb_t *) xp; - return x; + for (i = 0, cy = 0; i < n; i++) + { + mp_limb_t al = ap[i]; + mp_limb_t bl = bp[i] & mask; + mp_limb_t sl; + sl = al - cy; + cy = (al < cy) + (sl < bl); + sl -= bl; + rp[i] = sl; + } + return cy; } -#endif /* !GMP_HAVE_mpz_limbs_read */ void -cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n) +mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n) { - mp_limb_t mask = - (mp_limb_t) (cnd != 0); + volatile mp_limb_t mask = - (mp_limb_t) (cnd != 0); mp_size_t i; for (i = 0; i < n; i++) { @@ -132,6 +99,8 @@ } } +#endif /* NETTLE_USE_MINI_GMP */ + /* Additional convenience functions. */ int diff -Nru nettle-3.4.1/gmp-glue.h nettle-3.7.3/gmp-glue.h --- nettle-3.4.1/gmp-glue.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/gmp-glue.h 2021-06-06 20:06:29.000000000 +0000 
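Review bot: `mpn_cnd_add_n` and `mpn_cnd_sub_n` fold `cnd` into `mask` so that the selection is done by masking rather than by a data-dependent branch, yet the same hunk guards only `mpn_cnd_swap` against the compiler undoing that, by changing its mask to `volatile mp_limb_t mask = - (mp_limb_t) (cnd != 0);`, while the two new functions keep a plain `mp_limb_t cy, mask;`. If the `volatile` in `mpn_cnd_swap` is there to stop the mask from being turned back into a conditional, the same reasoning applies to the add/sub variants and they should declare `volatile mp_limb_t mask;` as well, or a comment should explain why swap alone needs it. Neither function has a comment, and the matching prototypes in the gmp-glue.h hunk later in this diff lack one too; a shared comment above the `#if NETTLE_USE_MINI_GMP` block such as `/* Replacements for GMP's mpn_cnd_add_n/mpn_cnd_sub_n when building with mini-gmp: rp = ap +/- (cnd ? bp : 0) over n limbs, returning the carry/borrow; cnd is applied through a mask so that timing does not depend on its value. */` would cover both files.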
@@ -35,22 +35,6 @@ #include "bignum.h" -#ifdef mpz_limbs_read -#define GMP_HAVE_mpz_limbs_read 1 -#else -#define GMP_HAVE_mpz_limbs_read 0 -#endif - -/* Name mangling. */ -#if !GMP_HAVE_mpz_limbs_read -#define mpz_limbs_read _nettle_mpz_limbs_read -#define mpz_limbs_write _nettle_mpz_limbs_write -#define mpz_limbs_modify _nettle_mpz_limbs_modify -#define mpz_limbs_finish _nettle_mpz_limbs_finish -#define mpz_roinit_n _nettle_mpz_roinit_n -#endif - -#define cnd_swap _nettle_cnd_swap #define mpz_limbs_cmp _nettle_mpz_limbs_cmp #define mpz_limbs_read_n _nettle_mpz_limbs_read_n #define mpz_limbs_copy _nettle_mpz_limbs_copy 
@@ -72,55 +56,22 @@ } while (0) #define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size)) +#if NETTLE_USE_MINI_GMP +mp_limb_t +mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n); + +mp_limb_t +mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n); -/* Use only in-place operations, so we can fall back to addmul_1/submul_1 */ -#ifdef mpn_cnd_add_n -# define cnd_add_n(cnd, rp, ap, n) mpn_cnd_add_n ((cnd), (rp), (rp), (ap), (n)) -# define cnd_sub_n(cnd, rp, ap, n) mpn_cnd_sub_n ((cnd), (rp), (rp), (ap), (n)) -#else -# define cnd_add_n(cnd, rp, ap, n) mpn_addmul_1 ((rp), (ap), (n), (cnd) != 0) -# define cnd_sub_n(cnd, rp, ap, n) mpn_submul_1 ((rp), (ap), (n), (cnd) != 0) +void +mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n); #endif #define NETTLE_OCTET_SIZE_TO_LIMB_SIZE(n) \ (((n) * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) -/* Some functions for interfacing between mpz and mpn code. Signs of - the mpz numbers are generally ignored. */ - -#if !GMP_HAVE_mpz_limbs_read -/* Read access to mpz numbers. */ - -/* Return limb pointer, for read-only operations. Use mpz_size to get - the number of limbs. */ -const mp_limb_t * -mpz_limbs_read (const mpz_srcptr x); - -/* Write access to mpz numbers. */ - -/* Get a limb pointer for writing, previous contents may be - destroyed. */ -mp_limb_t * -mpz_limbs_write (mpz_ptr x, mp_size_t n); - -/* Get a limb pointer for writing, previous contents is intact. */ -mp_limb_t * -mpz_limbs_modify (mpz_ptr x, mp_size_t n); - -/* Update size. */ -void -mpz_limbs_finish (mpz_ptr x, mp_size_t n); - -/* Using an mpn number as an mpz. Can be used for read-only access - only. x must not be cleared or reallocated. 
*/ -mpz_srcptr -mpz_roinit_n (mpz_ptr x, const mp_limb_t *xp, mp_size_t xs); - -#endif /* !GMP_HAVE_mpz_limbs_read */ - -void -cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n); - /* Convenience functions */ int mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn); diff -Nru nettle-3.4.1/gost28147.c nettle-3.7.3/gost28147.c --- nettle-3.4.1/gost28147.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/gost28147.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,618 @@ +/* gost28147.c - GOST 28147-89 cipher implementation + * + * based on Russian standard GOST 28147-89 + * For English description, check RFC 5830. + * S-Boxes are expanded from the tables defined in RFC4357: + * https://tools.ietf.org/html/rfc4357 + * + * Copyright: 2019 Dmitry Eremin-Solenikov + * Copyright: 2009-2012 Aleksey Kravchenko + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ */ + +#if HAVE_CONFIG_H +#include "config.h" +#endif + +#include "macros.h" +#include "gost28147-internal.h" + +/* pre-initialized GOST lookup tables based on rotated S-Box */ +const struct gost28147_param _nettle_gost28147_param_test_3411 = +{ + { + { /* 0 */ + 0x00072000, 0x00075000, 0x00074800, 0x00071000, + 0x00076800, 0x00074000, 0x00070000, 0x00077000, + 0x00073000, 0x00075800, 0x00070800, 0x00076000, + 0x00073800, 0x00077800, 0x00072800, 0x00071800, + 0x0005a000, 0x0005d000, 0x0005c800, 0x00059000, + 0x0005e800, 0x0005c000, 0x00058000, 0x0005f000, + 0x0005b000, 0x0005d800, 0x00058800, 0x0005e000, + 0x0005b800, 0x0005f800, 0x0005a800, 0x00059800, + 0x00022000, 0x00025000, 0x00024800, 0x00021000, + 0x00026800, 0x00024000, 0x00020000, 0x00027000, + 0x00023000, 0x00025800, 0x00020800, 0x00026000, + 0x00023800, 0x00027800, 0x00022800, 0x00021800, + 0x00062000, 0x00065000, 0x00064800, 0x00061000, + 0x00066800, 0x00064000, 0x00060000, 0x00067000, + 0x00063000, 0x00065800, 0x00060800, 0x00066000, + 0x00063800, 0x00067800, 0x00062800, 0x00061800, + 0x00032000, 0x00035000, 0x00034800, 0x00031000, + 0x00036800, 0x00034000, 0x00030000, 0x00037000, + 0x00033000, 0x00035800, 0x00030800, 0x00036000, + 0x00033800, 0x00037800, 0x00032800, 0x00031800, + 0x0006a000, 0x0006d000, 0x0006c800, 0x00069000, + 0x0006e800, 0x0006c000, 0x00068000, 0x0006f000, + 0x0006b000, 0x0006d800, 0x00068800, 0x0006e000, + 0x0006b800, 0x0006f800, 0x0006a800, 0x00069800, + 0x0007a000, 0x0007d000, 0x0007c800, 0x00079000, + 0x0007e800, 0x0007c000, 0x00078000, 0x0007f000, + 0x0007b000, 0x0007d800, 0x00078800, 0x0007e000, + 0x0007b800, 0x0007f800, 0x0007a800, 0x00079800, + 0x00052000, 0x00055000, 0x00054800, 0x00051000, + 0x00056800, 0x00054000, 0x00050000, 0x00057000, + 0x00053000, 0x00055800, 0x00050800, 0x00056000, + 0x00053800, 0x00057800, 0x00052800, 0x00051800, + 0x00012000, 0x00015000, 0x00014800, 0x00011000, + 0x00016800, 0x00014000, 0x00010000, 0x00017000, + 0x00013000, 0x00015800, 
0x00010800, 0x00016000, + 0x00013800, 0x00017800, 0x00012800, 0x00011800, + 0x0001a000, 0x0001d000, 0x0001c800, 0x00019000, + 0x0001e800, 0x0001c000, 0x00018000, 0x0001f000, + 0x0001b000, 0x0001d800, 0x00018800, 0x0001e000, + 0x0001b800, 0x0001f800, 0x0001a800, 0x00019800, + 0x00042000, 0x00045000, 0x00044800, 0x00041000, + 0x00046800, 0x00044000, 0x00040000, 0x00047000, + 0x00043000, 0x00045800, 0x00040800, 0x00046000, + 0x00043800, 0x00047800, 0x00042800, 0x00041800, + 0x0000a000, 0x0000d000, 0x0000c800, 0x00009000, + 0x0000e800, 0x0000c000, 0x00008000, 0x0000f000, + 0x0000b000, 0x0000d800, 0x00008800, 0x0000e000, + 0x0000b800, 0x0000f800, 0x0000a800, 0x00009800, + 0x00002000, 0x00005000, 0x00004800, 0x00001000, + 0x00006800, 0x00004000, 0x00000000, 0x00007000, + 0x00003000, 0x00005800, 0x00000800, 0x00006000, + 0x00003800, 0x00007800, 0x00002800, 0x00001800, + 0x0003a000, 0x0003d000, 0x0003c800, 0x00039000, + 0x0003e800, 0x0003c000, 0x00038000, 0x0003f000, + 0x0003b000, 0x0003d800, 0x00038800, 0x0003e000, + 0x0003b800, 0x0003f800, 0x0003a800, 0x00039800, + 0x0002a000, 0x0002d000, 0x0002c800, 0x00029000, + 0x0002e800, 0x0002c000, 0x00028000, 0x0002f000, + 0x0002b000, 0x0002d800, 0x00028800, 0x0002e000, + 0x0002b800, 0x0002f800, 0x0002a800, 0x00029800, + 0x0004a000, 0x0004d000, 0x0004c800, 0x00049000, + 0x0004e800, 0x0004c000, 0x00048000, 0x0004f000, + 0x0004b000, 0x0004d800, 0x00048800, 0x0004e000, + 0x0004b800, 0x0004f800, 0x0004a800, 0x00049800, + }, { /* 1 */ + 0x03a80000, 0x03c00000, 0x03880000, 0x03e80000, + 0x03d00000, 0x03980000, 0x03a00000, 0x03900000, + 0x03f00000, 0x03f80000, 0x03e00000, 0x03b80000, + 0x03b00000, 0x03800000, 0x03c80000, 0x03d80000, + 0x06a80000, 0x06c00000, 0x06880000, 0x06e80000, + 0x06d00000, 0x06980000, 0x06a00000, 0x06900000, + 0x06f00000, 0x06f80000, 0x06e00000, 0x06b80000, + 0x06b00000, 0x06800000, 0x06c80000, 0x06d80000, + 0x05280000, 0x05400000, 0x05080000, 0x05680000, + 0x05500000, 0x05180000, 0x05200000, 0x05100000, + 
0x05700000, 0x05780000, 0x05600000, 0x05380000, + 0x05300000, 0x05000000, 0x05480000, 0x05580000, + 0x00a80000, 0x00c00000, 0x00880000, 0x00e80000, + 0x00d00000, 0x00980000, 0x00a00000, 0x00900000, + 0x00f00000, 0x00f80000, 0x00e00000, 0x00b80000, + 0x00b00000, 0x00800000, 0x00c80000, 0x00d80000, + 0x00280000, 0x00400000, 0x00080000, 0x00680000, + 0x00500000, 0x00180000, 0x00200000, 0x00100000, + 0x00700000, 0x00780000, 0x00600000, 0x00380000, + 0x00300000, 0x00000000, 0x00480000, 0x00580000, + 0x04280000, 0x04400000, 0x04080000, 0x04680000, + 0x04500000, 0x04180000, 0x04200000, 0x04100000, + 0x04700000, 0x04780000, 0x04600000, 0x04380000, + 0x04300000, 0x04000000, 0x04480000, 0x04580000, + 0x04a80000, 0x04c00000, 0x04880000, 0x04e80000, + 0x04d00000, 0x04980000, 0x04a00000, 0x04900000, + 0x04f00000, 0x04f80000, 0x04e00000, 0x04b80000, + 0x04b00000, 0x04800000, 0x04c80000, 0x04d80000, + 0x07a80000, 0x07c00000, 0x07880000, 0x07e80000, + 0x07d00000, 0x07980000, 0x07a00000, 0x07900000, + 0x07f00000, 0x07f80000, 0x07e00000, 0x07b80000, + 0x07b00000, 0x07800000, 0x07c80000, 0x07d80000, + 0x07280000, 0x07400000, 0x07080000, 0x07680000, + 0x07500000, 0x07180000, 0x07200000, 0x07100000, + 0x07700000, 0x07780000, 0x07600000, 0x07380000, + 0x07300000, 0x07000000, 0x07480000, 0x07580000, + 0x02280000, 0x02400000, 0x02080000, 0x02680000, + 0x02500000, 0x02180000, 0x02200000, 0x02100000, + 0x02700000, 0x02780000, 0x02600000, 0x02380000, + 0x02300000, 0x02000000, 0x02480000, 0x02580000, + 0x03280000, 0x03400000, 0x03080000, 0x03680000, + 0x03500000, 0x03180000, 0x03200000, 0x03100000, + 0x03700000, 0x03780000, 0x03600000, 0x03380000, + 0x03300000, 0x03000000, 0x03480000, 0x03580000, + 0x06280000, 0x06400000, 0x06080000, 0x06680000, + 0x06500000, 0x06180000, 0x06200000, 0x06100000, + 0x06700000, 0x06780000, 0x06600000, 0x06380000, + 0x06300000, 0x06000000, 0x06480000, 0x06580000, + 0x05a80000, 0x05c00000, 0x05880000, 0x05e80000, + 0x05d00000, 0x05980000, 0x05a00000, 0x05900000, + 
0x05f00000, 0x05f80000, 0x05e00000, 0x05b80000, + 0x05b00000, 0x05800000, 0x05c80000, 0x05d80000, + 0x01280000, 0x01400000, 0x01080000, 0x01680000, + 0x01500000, 0x01180000, 0x01200000, 0x01100000, + 0x01700000, 0x01780000, 0x01600000, 0x01380000, + 0x01300000, 0x01000000, 0x01480000, 0x01580000, + 0x02a80000, 0x02c00000, 0x02880000, 0x02e80000, + 0x02d00000, 0x02980000, 0x02a00000, 0x02900000, + 0x02f00000, 0x02f80000, 0x02e00000, 0x02b80000, + 0x02b00000, 0x02800000, 0x02c80000, 0x02d80000, + 0x01a80000, 0x01c00000, 0x01880000, 0x01e80000, + 0x01d00000, 0x01980000, 0x01a00000, 0x01900000, + 0x01f00000, 0x01f80000, 0x01e00000, 0x01b80000, + 0x01b00000, 0x01800000, 0x01c80000, 0x01d80000, + }, { /* 2 */ + 0x30000002, 0x60000002, 0x38000002, 0x08000002, + 0x28000002, 0x78000002, 0x68000002, 0x40000002, + 0x20000002, 0x50000002, 0x48000002, 0x70000002, + 0x00000002, 0x18000002, 0x58000002, 0x10000002, + 0xb0000005, 0xe0000005, 0xb8000005, 0x88000005, + 0xa8000005, 0xf8000005, 0xe8000005, 0xc0000005, + 0xa0000005, 0xd0000005, 0xc8000005, 0xf0000005, + 0x80000005, 0x98000005, 0xd8000005, 0x90000005, + 0x30000005, 0x60000005, 0x38000005, 0x08000005, + 0x28000005, 0x78000005, 0x68000005, 0x40000005, + 0x20000005, 0x50000005, 0x48000005, 0x70000005, + 0x00000005, 0x18000005, 0x58000005, 0x10000005, + 0x30000000, 0x60000000, 0x38000000, 0x08000000, + 0x28000000, 0x78000000, 0x68000000, 0x40000000, + 0x20000000, 0x50000000, 0x48000000, 0x70000000, + 0x00000000, 0x18000000, 0x58000000, 0x10000000, + 0xb0000003, 0xe0000003, 0xb8000003, 0x88000003, + 0xa8000003, 0xf8000003, 0xe8000003, 0xc0000003, + 0xa0000003, 0xd0000003, 0xc8000003, 0xf0000003, + 0x80000003, 0x98000003, 0xd8000003, 0x90000003, + 0x30000001, 0x60000001, 0x38000001, 0x08000001, + 0x28000001, 0x78000001, 0x68000001, 0x40000001, + 0x20000001, 0x50000001, 0x48000001, 0x70000001, + 0x00000001, 0x18000001, 0x58000001, 0x10000001, + 0xb0000000, 0xe0000000, 0xb8000000, 0x88000000, + 0xa8000000, 0xf8000000, 
0xe8000000, 0xc0000000, + 0xa0000000, 0xd0000000, 0xc8000000, 0xf0000000, + 0x80000000, 0x98000000, 0xd8000000, 0x90000000, + 0xb0000006, 0xe0000006, 0xb8000006, 0x88000006, + 0xa8000006, 0xf8000006, 0xe8000006, 0xc0000006, + 0xa0000006, 0xd0000006, 0xc8000006, 0xf0000006, + 0x80000006, 0x98000006, 0xd8000006, 0x90000006, + 0xb0000001, 0xe0000001, 0xb8000001, 0x88000001, + 0xa8000001, 0xf8000001, 0xe8000001, 0xc0000001, + 0xa0000001, 0xd0000001, 0xc8000001, 0xf0000001, + 0x80000001, 0x98000001, 0xd8000001, 0x90000001, + 0x30000003, 0x60000003, 0x38000003, 0x08000003, + 0x28000003, 0x78000003, 0x68000003, 0x40000003, + 0x20000003, 0x50000003, 0x48000003, 0x70000003, + 0x00000003, 0x18000003, 0x58000003, 0x10000003, + 0x30000004, 0x60000004, 0x38000004, 0x08000004, + 0x28000004, 0x78000004, 0x68000004, 0x40000004, + 0x20000004, 0x50000004, 0x48000004, 0x70000004, + 0x00000004, 0x18000004, 0x58000004, 0x10000004, + 0xb0000002, 0xe0000002, 0xb8000002, 0x88000002, + 0xa8000002, 0xf8000002, 0xe8000002, 0xc0000002, + 0xa0000002, 0xd0000002, 0xc8000002, 0xf0000002, + 0x80000002, 0x98000002, 0xd8000002, 0x90000002, + 0xb0000004, 0xe0000004, 0xb8000004, 0x88000004, + 0xa8000004, 0xf8000004, 0xe8000004, 0xc0000004, + 0xa0000004, 0xd0000004, 0xc8000004, 0xf0000004, + 0x80000004, 0x98000004, 0xd8000004, 0x90000004, + 0x30000006, 0x60000006, 0x38000006, 0x08000006, + 0x28000006, 0x78000006, 0x68000006, 0x40000006, + 0x20000006, 0x50000006, 0x48000006, 0x70000006, + 0x00000006, 0x18000006, 0x58000006, 0x10000006, + 0xb0000007, 0xe0000007, 0xb8000007, 0x88000007, + 0xa8000007, 0xf8000007, 0xe8000007, 0xc0000007, + 0xa0000007, 0xd0000007, 0xc8000007, 0xf0000007, + 0x80000007, 0x98000007, 0xd8000007, 0x90000007, + 0x30000007, 0x60000007, 0x38000007, 0x08000007, + 0x28000007, 0x78000007, 0x68000007, 0x40000007, + 0x20000007, 0x50000007, 0x48000007, 0x70000007, + 0x00000007, 0x18000007, 0x58000007, 0x10000007, + }, { /* 3 */ + 0x000000e8, 0x000000d8, 0x000000a0, 0x00000088, + 
0x00000098, 0x000000f8, 0x000000a8, 0x000000c8, + 0x00000080, 0x000000d0, 0x000000f0, 0x000000b8, + 0x000000b0, 0x000000c0, 0x00000090, 0x000000e0, + 0x000007e8, 0x000007d8, 0x000007a0, 0x00000788, + 0x00000798, 0x000007f8, 0x000007a8, 0x000007c8, + 0x00000780, 0x000007d0, 0x000007f0, 0x000007b8, + 0x000007b0, 0x000007c0, 0x00000790, 0x000007e0, + 0x000006e8, 0x000006d8, 0x000006a0, 0x00000688, + 0x00000698, 0x000006f8, 0x000006a8, 0x000006c8, + 0x00000680, 0x000006d0, 0x000006f0, 0x000006b8, + 0x000006b0, 0x000006c0, 0x00000690, 0x000006e0, + 0x00000068, 0x00000058, 0x00000020, 0x00000008, + 0x00000018, 0x00000078, 0x00000028, 0x00000048, + 0x00000000, 0x00000050, 0x00000070, 0x00000038, + 0x00000030, 0x00000040, 0x00000010, 0x00000060, + 0x000002e8, 0x000002d8, 0x000002a0, 0x00000288, + 0x00000298, 0x000002f8, 0x000002a8, 0x000002c8, + 0x00000280, 0x000002d0, 0x000002f0, 0x000002b8, + 0x000002b0, 0x000002c0, 0x00000290, 0x000002e0, + 0x000003e8, 0x000003d8, 0x000003a0, 0x00000388, + 0x00000398, 0x000003f8, 0x000003a8, 0x000003c8, + 0x00000380, 0x000003d0, 0x000003f0, 0x000003b8, + 0x000003b0, 0x000003c0, 0x00000390, 0x000003e0, + 0x00000568, 0x00000558, 0x00000520, 0x00000508, + 0x00000518, 0x00000578, 0x00000528, 0x00000548, + 0x00000500, 0x00000550, 0x00000570, 0x00000538, + 0x00000530, 0x00000540, 0x00000510, 0x00000560, + 0x00000268, 0x00000258, 0x00000220, 0x00000208, + 0x00000218, 0x00000278, 0x00000228, 0x00000248, + 0x00000200, 0x00000250, 0x00000270, 0x00000238, + 0x00000230, 0x00000240, 0x00000210, 0x00000260, + 0x000004e8, 0x000004d8, 0x000004a0, 0x00000488, + 0x00000498, 0x000004f8, 0x000004a8, 0x000004c8, + 0x00000480, 0x000004d0, 0x000004f0, 0x000004b8, + 0x000004b0, 0x000004c0, 0x00000490, 0x000004e0, + 0x00000168, 0x00000158, 0x00000120, 0x00000108, + 0x00000118, 0x00000178, 0x00000128, 0x00000148, + 0x00000100, 0x00000150, 0x00000170, 0x00000138, + 0x00000130, 0x00000140, 0x00000110, 0x00000160, + 0x000001e8, 0x000001d8, 0x000001a0, 0x00000188, + 
0x00000198, 0x000001f8, 0x000001a8, 0x000001c8, + 0x00000180, 0x000001d0, 0x000001f0, 0x000001b8, + 0x000001b0, 0x000001c0, 0x00000190, 0x000001e0, + 0x00000768, 0x00000758, 0x00000720, 0x00000708, + 0x00000718, 0x00000778, 0x00000728, 0x00000748, + 0x00000700, 0x00000750, 0x00000770, 0x00000738, + 0x00000730, 0x00000740, 0x00000710, 0x00000760, + 0x00000368, 0x00000358, 0x00000320, 0x00000308, + 0x00000318, 0x00000378, 0x00000328, 0x00000348, + 0x00000300, 0x00000350, 0x00000370, 0x00000338, + 0x00000330, 0x00000340, 0x00000310, 0x00000360, + 0x000005e8, 0x000005d8, 0x000005a0, 0x00000588, + 0x00000598, 0x000005f8, 0x000005a8, 0x000005c8, + 0x00000580, 0x000005d0, 0x000005f0, 0x000005b8, + 0x000005b0, 0x000005c0, 0x00000590, 0x000005e0, + 0x00000468, 0x00000458, 0x00000420, 0x00000408, + 0x00000418, 0x00000478, 0x00000428, 0x00000448, + 0x00000400, 0x00000450, 0x00000470, 0x00000438, + 0x00000430, 0x00000440, 0x00000410, 0x00000460, + 0x00000668, 0x00000658, 0x00000620, 0x00000608, + 0x00000618, 0x00000678, 0x00000628, 0x00000648, + 0x00000600, 0x00000650, 0x00000670, 0x00000638, + 0x00000630, 0x00000640, 0x00000610, 0x00000660, + } + } +}; + +const struct gost28147_param _nettle_gost28147_param_CryptoPro_3411 = +{ + { + { /* 0 */ + 0x0002d000, 0x0002a000, 0x0002a800, 0x0002b000, + 0x0002c000, 0x00028800, 0x00029800, 0x0002b800, + 0x0002e800, 0x0002e000, 0x0002f000, 0x00028000, + 0x0002c800, 0x00029000, 0x0002d800, 0x0002f800, + 0x0007d000, 0x0007a000, 0x0007a800, 0x0007b000, + 0x0007c000, 0x00078800, 0x00079800, 0x0007b800, + 0x0007e800, 0x0007e000, 0x0007f000, 0x00078000, + 0x0007c800, 0x00079000, 0x0007d800, 0x0007f800, + 0x00025000, 0x00022000, 0x00022800, 0x00023000, + 0x00024000, 0x00020800, 0x00021800, 0x00023800, + 0x00026800, 0x00026000, 0x00027000, 0x00020000, + 0x00024800, 0x00021000, 0x00025800, 0x00027800, + 0x00005000, 0x00002000, 0x00002800, 0x00003000, + 0x00004000, 0x00000800, 0x00001800, 0x00003800, + 0x00006800, 0x00006000, 0x00007000, 
0x00000000, + 0x00004800, 0x00001000, 0x00005800, 0x00007800, + 0x00015000, 0x00012000, 0x00012800, 0x00013000, + 0x00014000, 0x00010800, 0x00011800, 0x00013800, + 0x00016800, 0x00016000, 0x00017000, 0x00010000, + 0x00014800, 0x00011000, 0x00015800, 0x00017800, + 0x0006d000, 0x0006a000, 0x0006a800, 0x0006b000, + 0x0006c000, 0x00068800, 0x00069800, 0x0006b800, + 0x0006e800, 0x0006e000, 0x0006f000, 0x00068000, + 0x0006c800, 0x00069000, 0x0006d800, 0x0006f800, + 0x0005d000, 0x0005a000, 0x0005a800, 0x0005b000, + 0x0005c000, 0x00058800, 0x00059800, 0x0005b800, + 0x0005e800, 0x0005e000, 0x0005f000, 0x00058000, + 0x0005c800, 0x00059000, 0x0005d800, 0x0005f800, + 0x0004d000, 0x0004a000, 0x0004a800, 0x0004b000, + 0x0004c000, 0x00048800, 0x00049800, 0x0004b800, + 0x0004e800, 0x0004e000, 0x0004f000, 0x00048000, + 0x0004c800, 0x00049000, 0x0004d800, 0x0004f800, + 0x0000d000, 0x0000a000, 0x0000a800, 0x0000b000, + 0x0000c000, 0x00008800, 0x00009800, 0x0000b800, + 0x0000e800, 0x0000e000, 0x0000f000, 0x00008000, + 0x0000c800, 0x00009000, 0x0000d800, 0x0000f800, + 0x0003d000, 0x0003a000, 0x0003a800, 0x0003b000, + 0x0003c000, 0x00038800, 0x00039800, 0x0003b800, + 0x0003e800, 0x0003e000, 0x0003f000, 0x00038000, + 0x0003c800, 0x00039000, 0x0003d800, 0x0003f800, + 0x00035000, 0x00032000, 0x00032800, 0x00033000, + 0x00034000, 0x00030800, 0x00031800, 0x00033800, + 0x00036800, 0x00036000, 0x00037000, 0x00030000, + 0x00034800, 0x00031000, 0x00035800, 0x00037800, + 0x0001d000, 0x0001a000, 0x0001a800, 0x0001b000, + 0x0001c000, 0x00018800, 0x00019800, 0x0001b800, + 0x0001e800, 0x0001e000, 0x0001f000, 0x00018000, + 0x0001c800, 0x00019000, 0x0001d800, 0x0001f800, + 0x00065000, 0x00062000, 0x00062800, 0x00063000, + 0x00064000, 0x00060800, 0x00061800, 0x00063800, + 0x00066800, 0x00066000, 0x00067000, 0x00060000, + 0x00064800, 0x00061000, 0x00065800, 0x00067800, + 0x00075000, 0x00072000, 0x00072800, 0x00073000, + 0x00074000, 0x00070800, 0x00071800, 0x00073800, + 0x00076800, 0x00076000, 0x00077000, 
0x00070000, + 0x00074800, 0x00071000, 0x00075800, 0x00077800, + 0x00055000, 0x00052000, 0x00052800, 0x00053000, + 0x00054000, 0x00050800, 0x00051800, 0x00053800, + 0x00056800, 0x00056000, 0x00057000, 0x00050000, + 0x00054800, 0x00051000, 0x00055800, 0x00057800, + 0x00045000, 0x00042000, 0x00042800, 0x00043000, + 0x00044000, 0x00040800, 0x00041800, 0x00043800, + 0x00046800, 0x00046000, 0x00047000, 0x00040000, + 0x00044800, 0x00041000, 0x00045800, 0x00047800, + }, { /* 1 */ + 0x02380000, 0x02780000, 0x02600000, 0x02700000, + 0x02480000, 0x02200000, 0x02080000, 0x02000000, + 0x02180000, 0x02580000, 0x02280000, 0x02100000, + 0x02300000, 0x02500000, 0x02400000, 0x02680000, + 0x05380000, 0x05780000, 0x05600000, 0x05700000, + 0x05480000, 0x05200000, 0x05080000, 0x05000000, + 0x05180000, 0x05580000, 0x05280000, 0x05100000, + 0x05300000, 0x05500000, 0x05400000, 0x05680000, + 0x03b80000, 0x03f80000, 0x03e00000, 0x03f00000, + 0x03c80000, 0x03a00000, 0x03880000, 0x03800000, + 0x03980000, 0x03d80000, 0x03a80000, 0x03900000, + 0x03b00000, 0x03d00000, 0x03c00000, 0x03e80000, + 0x06380000, 0x06780000, 0x06600000, 0x06700000, + 0x06480000, 0x06200000, 0x06080000, 0x06000000, + 0x06180000, 0x06580000, 0x06280000, 0x06100000, + 0x06300000, 0x06500000, 0x06400000, 0x06680000, + 0x00380000, 0x00780000, 0x00600000, 0x00700000, + 0x00480000, 0x00200000, 0x00080000, 0x00000000, + 0x00180000, 0x00580000, 0x00280000, 0x00100000, + 0x00300000, 0x00500000, 0x00400000, 0x00680000, + 0x07b80000, 0x07f80000, 0x07e00000, 0x07f00000, + 0x07c80000, 0x07a00000, 0x07880000, 0x07800000, + 0x07980000, 0x07d80000, 0x07a80000, 0x07900000, + 0x07b00000, 0x07d00000, 0x07c00000, 0x07e80000, + 0x01380000, 0x01780000, 0x01600000, 0x01700000, + 0x01480000, 0x01200000, 0x01080000, 0x01000000, + 0x01180000, 0x01580000, 0x01280000, 0x01100000, + 0x01300000, 0x01500000, 0x01400000, 0x01680000, + 0x04380000, 0x04780000, 0x04600000, 0x04700000, + 0x04480000, 0x04200000, 0x04080000, 0x04000000, + 0x04180000, 
0x04580000, 0x04280000, 0x04100000, + 0x04300000, 0x04500000, 0x04400000, 0x04680000, + 0x07380000, 0x07780000, 0x07600000, 0x07700000, + 0x07480000, 0x07200000, 0x07080000, 0x07000000, + 0x07180000, 0x07580000, 0x07280000, 0x07100000, + 0x07300000, 0x07500000, 0x07400000, 0x07680000, + 0x00b80000, 0x00f80000, 0x00e00000, 0x00f00000, + 0x00c80000, 0x00a00000, 0x00880000, 0x00800000, + 0x00980000, 0x00d80000, 0x00a80000, 0x00900000, + 0x00b00000, 0x00d00000, 0x00c00000, 0x00e80000, + 0x03380000, 0x03780000, 0x03600000, 0x03700000, + 0x03480000, 0x03200000, 0x03080000, 0x03000000, + 0x03180000, 0x03580000, 0x03280000, 0x03100000, + 0x03300000, 0x03500000, 0x03400000, 0x03680000, + 0x02b80000, 0x02f80000, 0x02e00000, 0x02f00000, + 0x02c80000, 0x02a00000, 0x02880000, 0x02800000, + 0x02980000, 0x02d80000, 0x02a80000, 0x02900000, + 0x02b00000, 0x02d00000, 0x02c00000, 0x02e80000, + 0x06b80000, 0x06f80000, 0x06e00000, 0x06f00000, + 0x06c80000, 0x06a00000, 0x06880000, 0x06800000, + 0x06980000, 0x06d80000, 0x06a80000, 0x06900000, + 0x06b00000, 0x06d00000, 0x06c00000, 0x06e80000, + 0x05b80000, 0x05f80000, 0x05e00000, 0x05f00000, + 0x05c80000, 0x05a00000, 0x05880000, 0x05800000, + 0x05980000, 0x05d80000, 0x05a80000, 0x05900000, + 0x05b00000, 0x05d00000, 0x05c00000, 0x05e80000, + 0x04b80000, 0x04f80000, 0x04e00000, 0x04f00000, + 0x04c80000, 0x04a00000, 0x04880000, 0x04800000, + 0x04980000, 0x04d80000, 0x04a80000, 0x04900000, + 0x04b00000, 0x04d00000, 0x04c00000, 0x04e80000, + 0x01b80000, 0x01f80000, 0x01e00000, 0x01f00000, + 0x01c80000, 0x01a00000, 0x01880000, 0x01800000, + 0x01980000, 0x01d80000, 0x01a80000, 0x01900000, + 0x01b00000, 0x01d00000, 0x01c00000, 0x01e80000, + }, { /* 2 */ + 0xb8000003, 0xb0000003, 0xa0000003, 0xd8000003, + 0xc8000003, 0xe0000003, 0x90000003, 0xd0000003, + 0x88000003, 0xc0000003, 0x80000003, 0xf0000003, + 0xf8000003, 0xe8000003, 0x98000003, 0xa8000003, + 0x38000003, 0x30000003, 0x20000003, 0x58000003, + 0x48000003, 0x60000003, 0x10000003, 
0x50000003, + 0x08000003, 0x40000003, 0x00000003, 0x70000003, + 0x78000003, 0x68000003, 0x18000003, 0x28000003, + 0x38000001, 0x30000001, 0x20000001, 0x58000001, + 0x48000001, 0x60000001, 0x10000001, 0x50000001, + 0x08000001, 0x40000001, 0x00000001, 0x70000001, + 0x78000001, 0x68000001, 0x18000001, 0x28000001, + 0x38000002, 0x30000002, 0x20000002, 0x58000002, + 0x48000002, 0x60000002, 0x10000002, 0x50000002, + 0x08000002, 0x40000002, 0x00000002, 0x70000002, + 0x78000002, 0x68000002, 0x18000002, 0x28000002, + 0xb8000006, 0xb0000006, 0xa0000006, 0xd8000006, + 0xc8000006, 0xe0000006, 0x90000006, 0xd0000006, + 0x88000006, 0xc0000006, 0x80000006, 0xf0000006, + 0xf8000006, 0xe8000006, 0x98000006, 0xa8000006, + 0xb8000004, 0xb0000004, 0xa0000004, 0xd8000004, + 0xc8000004, 0xe0000004, 0x90000004, 0xd0000004, + 0x88000004, 0xc0000004, 0x80000004, 0xf0000004, + 0xf8000004, 0xe8000004, 0x98000004, 0xa8000004, + 0xb8000007, 0xb0000007, 0xa0000007, 0xd8000007, + 0xc8000007, 0xe0000007, 0x90000007, 0xd0000007, + 0x88000007, 0xc0000007, 0x80000007, 0xf0000007, + 0xf8000007, 0xe8000007, 0x98000007, 0xa8000007, + 0x38000000, 0x30000000, 0x20000000, 0x58000000, + 0x48000000, 0x60000000, 0x10000000, 0x50000000, + 0x08000000, 0x40000000, 0x00000000, 0x70000000, + 0x78000000, 0x68000000, 0x18000000, 0x28000000, + 0x38000005, 0x30000005, 0x20000005, 0x58000005, + 0x48000005, 0x60000005, 0x10000005, 0x50000005, + 0x08000005, 0x40000005, 0x00000005, 0x70000005, + 0x78000005, 0x68000005, 0x18000005, 0x28000005, + 0xb8000000, 0xb0000000, 0xa0000000, 0xd8000000, + 0xc8000000, 0xe0000000, 0x90000000, 0xd0000000, + 0x88000000, 0xc0000000, 0x80000000, 0xf0000000, + 0xf8000000, 0xe8000000, 0x98000000, 0xa8000000, + 0xb8000002, 0xb0000002, 0xa0000002, 0xd8000002, + 0xc8000002, 0xe0000002, 0x90000002, 0xd0000002, + 0x88000002, 0xc0000002, 0x80000002, 0xf0000002, + 0xf8000002, 0xe8000002, 0x98000002, 0xa8000002, + 0xb8000005, 0xb0000005, 0xa0000005, 0xd8000005, + 0xc8000005, 0xe0000005, 0x90000005, 
0xd0000005, + 0x88000005, 0xc0000005, 0x80000005, 0xf0000005, + 0xf8000005, 0xe8000005, 0x98000005, 0xa8000005, + 0x38000004, 0x30000004, 0x20000004, 0x58000004, + 0x48000004, 0x60000004, 0x10000004, 0x50000004, + 0x08000004, 0x40000004, 0x00000004, 0x70000004, + 0x78000004, 0x68000004, 0x18000004, 0x28000004, + 0x38000007, 0x30000007, 0x20000007, 0x58000007, + 0x48000007, 0x60000007, 0x10000007, 0x50000007, + 0x08000007, 0x40000007, 0x00000007, 0x70000007, + 0x78000007, 0x68000007, 0x18000007, 0x28000007, + 0x38000006, 0x30000006, 0x20000006, 0x58000006, + 0x48000006, 0x60000006, 0x10000006, 0x50000006, + 0x08000006, 0x40000006, 0x00000006, 0x70000006, + 0x78000006, 0x68000006, 0x18000006, 0x28000006, + 0xb8000001, 0xb0000001, 0xa0000001, 0xd8000001, + 0xc8000001, 0xe0000001, 0x90000001, 0xd0000001, + 0x88000001, 0xc0000001, 0x80000001, 0xf0000001, + 0xf8000001, 0xe8000001, 0x98000001, 0xa8000001, + }, { /* 3 */ + 0x000000e8, 0x000000f0, 0x000000a0, 0x00000088, + 0x000000b8, 0x00000080, 0x000000a8, 0x000000d0, + 0x00000098, 0x000000e0, 0x000000c0, 0x000000f8, + 0x000000b0, 0x00000090, 0x000000c8, 0x000000d8, + 0x000001e8, 0x000001f0, 0x000001a0, 0x00000188, + 0x000001b8, 0x00000180, 0x000001a8, 0x000001d0, + 0x00000198, 0x000001e0, 0x000001c0, 0x000001f8, + 0x000001b0, 0x00000190, 0x000001c8, 0x000001d8, + 0x00000568, 0x00000570, 0x00000520, 0x00000508, + 0x00000538, 0x00000500, 0x00000528, 0x00000550, + 0x00000518, 0x00000560, 0x00000540, 0x00000578, + 0x00000530, 0x00000510, 0x00000548, 0x00000558, + 0x000004e8, 0x000004f0, 0x000004a0, 0x00000488, + 0x000004b8, 0x00000480, 0x000004a8, 0x000004d0, + 0x00000498, 0x000004e0, 0x000004c0, 0x000004f8, + 0x000004b0, 0x00000490, 0x000004c8, 0x000004d8, + 0x000002e8, 0x000002f0, 0x000002a0, 0x00000288, + 0x000002b8, 0x00000280, 0x000002a8, 0x000002d0, + 0x00000298, 0x000002e0, 0x000002c0, 0x000002f8, + 0x000002b0, 0x00000290, 0x000002c8, 0x000002d8, + 0x000005e8, 0x000005f0, 0x000005a0, 0x00000588, + 0x000005b8, 
0x00000580, 0x000005a8, 0x000005d0, + 0x00000598, 0x000005e0, 0x000005c0, 0x000005f8, + 0x000005b0, 0x00000590, 0x000005c8, 0x000005d8, + 0x00000268, 0x00000270, 0x00000220, 0x00000208, + 0x00000238, 0x00000200, 0x00000228, 0x00000250, + 0x00000218, 0x00000260, 0x00000240, 0x00000278, + 0x00000230, 0x00000210, 0x00000248, 0x00000258, + 0x000007e8, 0x000007f0, 0x000007a0, 0x00000788, + 0x000007b8, 0x00000780, 0x000007a8, 0x000007d0, + 0x00000798, 0x000007e0, 0x000007c0, 0x000007f8, + 0x000007b0, 0x00000790, 0x000007c8, 0x000007d8, + 0x00000468, 0x00000470, 0x00000420, 0x00000408, + 0x00000438, 0x00000400, 0x00000428, 0x00000450, + 0x00000418, 0x00000460, 0x00000440, 0x00000478, + 0x00000430, 0x00000410, 0x00000448, 0x00000458, + 0x00000368, 0x00000370, 0x00000320, 0x00000308, + 0x00000338, 0x00000300, 0x00000328, 0x00000350, + 0x00000318, 0x00000360, 0x00000340, 0x00000378, + 0x00000330, 0x00000310, 0x00000348, 0x00000358, + 0x000003e8, 0x000003f0, 0x000003a0, 0x00000388, + 0x000003b8, 0x00000380, 0x000003a8, 0x000003d0, + 0x00000398, 0x000003e0, 0x000003c0, 0x000003f8, + 0x000003b0, 0x00000390, 0x000003c8, 0x000003d8, + 0x00000768, 0x00000770, 0x00000720, 0x00000708, + 0x00000738, 0x00000700, 0x00000728, 0x00000750, + 0x00000718, 0x00000760, 0x00000740, 0x00000778, + 0x00000730, 0x00000710, 0x00000748, 0x00000758, + 0x000006e8, 0x000006f0, 0x000006a0, 0x00000688, + 0x000006b8, 0x00000680, 0x000006a8, 0x000006d0, + 0x00000698, 0x000006e0, 0x000006c0, 0x000006f8, + 0x000006b0, 0x00000690, 0x000006c8, 0x000006d8, + 0x00000068, 0x00000070, 0x00000020, 0x00000008, + 0x00000038, 0x00000000, 0x00000028, 0x00000050, + 0x00000018, 0x00000060, 0x00000040, 0x00000078, + 0x00000030, 0x00000010, 0x00000048, 0x00000058, + 0x00000168, 0x00000170, 0x00000120, 0x00000108, + 0x00000138, 0x00000100, 0x00000128, 0x00000150, + 0x00000118, 0x00000160, 0x00000140, 0x00000178, + 0x00000130, 0x00000110, 0x00000148, 0x00000158, + 0x00000668, 0x00000670, 0x00000620, 0x00000608, + 0x00000638, 
0x00000600, 0x00000628, 0x00000650,
+ 0x00000618, 0x00000660, 0x00000640, 0x00000678,
+ 0x00000630, 0x00000610, 0x00000648, 0x00000658,
+ }
+ }
+};
+
+/*
+ * A macro that performs a full encryption round of GOST 28147-89.
+ */
+#define GOST_ENCRYPT_ROUND(l, r, key1, key2, sbox) \
+ do { \
+ uint32_t round_tmp; \
+ \
+ round_tmp = (key1) + r; \
+ l ^= (sbox)[0][(round_tmp & 0xff)] ^ \
+ (sbox)[1][((round_tmp >> 8) & 0xff)] ^ \
+ (sbox)[2][((round_tmp >> 16) & 0xff)] ^ \
+ (sbox)[3][(round_tmp >> 24)]; \
+ round_tmp = (key2) + l; \
+ r ^= (sbox)[0][(round_tmp & 0xff)] ^ \
+ (sbox)[1][((round_tmp >> 8) & 0xff)] ^ \
+ (sbox)[2][((round_tmp >> 16) & 0xff)] ^ \
+ (sbox)[3][(round_tmp >> 24)]; \
+ } while (0)
+
+/* encrypt a block with the given key */
+void
+_nettle_gost28147_encrypt_block (const uint32_t *key,
+ const uint32_t sbox[4][256],
+ const uint32_t *in, uint32_t *out)
+{
+ uint32_t l, r;
+
+ r = in[0], l = in[1];
+ GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[7], key[6], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[5], key[4], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[3], key[2], sbox);
+ GOST_ENCRYPT_ROUND(l, r, key[1], key[0], sbox);
+ *out = l, *(out + 1) = r;
+}
diff -Nru nettle-3.4.1/gost28147-internal.h nettle-3.7.3/gost28147-internal.h
--- nettle-3.4.1/gost28147-internal.h 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/gost28147-internal.h 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,51 @@
+/* gost28147-internal.h
+
+ The GOST 28147-89 cipher function, described in RFC 5831.
+
+ Copyright (C) 2019 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_GOST28147_INTERNAL_H_INCLUDED
+#define NETTLE_GOST28147_INTERNAL_H_INCLUDED
+
+#include
+
+extern const struct gost28147_param _nettle_gost28147_param_test_3411;
+extern const struct gost28147_param _nettle_gost28147_param_CryptoPro_3411;
+
+struct gost28147_param
+{
+ uint32_t sbox[4][256];
+};
+
+void _nettle_gost28147_encrypt_block (const uint32_t *key,
+ const uint32_t sbox[4][256],
+ const uint32_t *in, uint32_t *out);
+
+#endif /* NETTLE_GOST28147_INTERNAL_H_INCLUDED */
diff -Nru nettle-3.4.1/gostdsa.h nettle-3.7.3/gostdsa.h
--- nettle-3.4.1/gostdsa.h 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/gostdsa.h 2021-06-06 20:06:29.000000000 +0000
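Review bot: The two `extern const struct gost28147_param` declarations carry no comment saying what each parameter set is or where it is specified; the header's only reference is the RFC 5831 mention in the file comment. The identifiers suggest the GOST R 34.11-94 "test" and CryptoPro S-box sets, but that is inferred from the names; if it is right, a comment such as `/* S-box parameter sets for GOST R 34.11-94: the test set (RFC 5831) and the CryptoPro set (RFC 4357). */` above the externs would spare the reader a trip into gosthash94.c. The declarations also use `struct gost28147_param` three lines before it is defined; that is legal C, but moving the struct definition above them reads more naturally.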
@@ -0,0 +1,107 @@
+/* gostdsa.h
+
+ Copyright (C) 2015 Dmity Eremin-Solenikov
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_GOSTDSA_H_INCLUDED
+#define NETTLE_GOSTDSA_H_INCLUDED
+
+#include "ecc.h"
+#include "dsa.h"
+#include "ecdsa.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define gostdsa_sign nettle_gostdsa_sign
+#define gostdsa_verify nettle_gostdsa_verify
+#define gostdsa_vko nettle_gostdsa_vko
+#define ecc_gostdsa_sign nettle_ecc_gostdsa_sign
+#define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch
+#define ecc_gostdsa_verify nettle_ecc_gostdsa_verify
+#define ecc_gostdsa_verify_itch nettle_ecc_gostdsa_verify_itch
+
+/* Just use ECDSA function for key generation */
+#define gostdsa_generate_keypair ecdsa_generate_keypair
+
+/* High level GOST DSA functions.
+ *
+ * A public key is represented as a struct ecc_point, and a private
+ * key as a struct ecc_scalar. FIXME: Introduce some aliases? */
+void
+gostdsa_sign (const struct ecc_scalar *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t digest_length,
+ const uint8_t *digest,
+ struct dsa_signature *signature);
+
+int
+gostdsa_verify (const struct ecc_point *pub,
+ size_t length, const uint8_t *digest,
+ const struct dsa_signature *signature);
+
+void
+gostdsa_vko (const struct ecc_scalar *key,
+ const struct ecc_point *pub,
+ size_t ukm_length, const uint8_t *ukm,
+ uint8_t *out);
+
+/* Low-level GOSTDSA functions. */
+mp_size_t
+ecc_gostdsa_sign_itch (const struct ecc_curve *ecc);
+
+void
+ecc_gostdsa_sign (const struct ecc_curve *ecc,
+ const mp_limb_t *zp,
+ /* Random nonce, must be invertible mod ecc group
+ order. */
+ const mp_limb_t *kp,
+ size_t length, const uint8_t *digest,
+ mp_limb_t *rp, mp_limb_t *sp,
+ mp_limb_t *scratch);
+
+mp_size_t
+ecc_gostdsa_verify_itch (const struct ecc_curve *ecc);
+
+int
+ecc_gostdsa_verify (const struct ecc_curve *ecc,
+ const mp_limb_t *pp, /* Public key */
+ size_t length, const uint8_t *digest,
+ const mp_limb_t *rp, const mp_limb_t *sp,
+ mp_limb_t *scratch);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_GOSTDSA_H_INCLUDED */
diff -Nru nettle-3.4.1/gostdsa-sign.c nettle-3.7.3/gostdsa-sign.c
--- nettle-3.4.1/gostdsa-sign.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/gostdsa-sign.c 2021-06-06 20:06:29.000000000 +0000
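Review bot: The `gostdsa_vko` prototype names its first parameter `key` while the definition in gostdsa-vko.c later in this diff names it `priv`; the two should agree, e.g. `gostdsa_vko (const struct ecc_scalar *priv,`. The header also leaves undocumented the contract the implementation relies on: `ukm_length` must not exceed the curve's byte size, and `out` must hold two curve-sized coordinates (the implementation writes `2 * bsize` bytes); a comment on the prototype such as `/* ukm_length <= curve byte size; out receives 2 * curve byte size bytes (x then y). */` would make the precondition visible to callers rather than leaving it to an assert in the .c file. Separately, `gostdsa_sign` calls its digest-size parameter `digest_length` while `gostdsa_verify` calls it `length`; one name for both would be cleaner.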
@@ -0,0 +1,74 @@
+/* gostdsa-sign.c
+
+ Copyright (C) 2015 Dmitry Eremin-Solenikov
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include "gostdsa.h"
+#include "ecc-internal.h"
+#include "nettle-internal.h"
+
+void
+gostdsa_sign (const struct ecc_scalar *key,
+ void *random_ctx, nettle_random_func *random,
+ size_t digest_length,
+ const uint8_t *digest,
+ struct dsa_signature *signature)
+{
+ /* At most 936 bytes. */
+ TMP_DECL(k, mp_limb_t, ECC_MAX_SIZE + ECC_GOSTDSA_SIGN_ITCH (ECC_MAX_SIZE));
+ mp_limb_t size = key->ecc->p.size;
+ mp_limb_t *rp = mpz_limbs_write (signature->r, size);
+ mp_limb_t *sp = mpz_limbs_write (signature->s, size);
+
+ TMP_ALLOC (k, size + ECC_GOSTDSA_SIGN_ITCH (size));
+
+ /* Timing reveals the number of rounds through this loop, but the
+ timing is still independent of the secret k finally used. */
+ do
+ {
+ do
+ {
+ ecc_mod_random (&key->ecc->q, k, random_ctx, random, k + size);
+ }
+ while (mpn_zero_p(k, size));
+ ecc_gostdsa_sign (key->ecc, key->p, k, digest_length, digest,
+ rp, sp, k + size);
+ mpz_limbs_finish (signature->r, size);
+ mpz_limbs_finish (signature->s, size);
+ }
+ while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0);
+}
diff -Nru nettle-3.4.1/gostdsa-verify.c nettle-3.7.3/gostdsa-verify.c
--- nettle-3.4.1/gostdsa-verify.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/gostdsa-verify.c 2021-06-06 20:06:29.000000000 +0000
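Review bot: `mp_limb_t size = key->ecc->p.size;` stores a limb count in a limb type; the same field is read as `mp_size_t size = ecc->p.size;` in gostdsa-vko.c in this diff, so this should be `mp_size_t size = key->ecc->p.size;`. gostdsa-verify.c has the matching `mp_limb_t size = ecc_size (pub->ecc);` and should change alike. Separately, the `k` buffer still holds the ephemeral nonce and the signing scratch when the function returns; if the project has a secure-clear helper, wiping `k` before return would shorten how long the nonce survives in memory, since a recovered nonce reveals the private key. That is defence in depth rather than a defect in the signing logic shown here.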
@@ -0,0 +1,78 @@
+/* gostdsa-verify.c
+
+ Copyright (C) 2015 Dmitry Eremin-Solenikov
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include "gostdsa.h"
+
+#include "gmp-glue.h"
+
+int
+gostdsa_verify (const struct ecc_point *pub,
+ size_t length, const uint8_t *digest,
+ const struct dsa_signature *signature)
+{
+ mp_limb_t size = ecc_size (pub->ecc);
+ mp_size_t itch = 2*size + ecc_gostdsa_verify_itch (pub->ecc);
+ /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With
+ ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most
+ 4824 bytes. Don't use stack allocation for this. */
+ mp_limb_t *scratch;
+ int res;
+
+#define rp scratch
+#define sp (scratch + size)
+#define scratch_out (scratch + 2*size)
+
+ if (mpz_sgn (signature->r) <= 0 || mpz_size (signature->r) > size
+ || mpz_sgn (signature->s) <= 0 || mpz_size (signature->s) > size)
+ return 0;
+
+ scratch = gmp_alloc_limbs (itch);
+
+ mpz_limbs_copy (rp, signature->r, size);
+ mpz_limbs_copy (sp, signature->s, size);
+
+ res = ecc_gostdsa_verify (pub->ecc, pub->p, length, digest, rp, sp, scratch_out);
+
+ gmp_free_limbs (scratch, itch);
+
+ return res;
+#undef rp
+#undef sp
+#undef scratch_out
+}
diff -Nru nettle-3.4.1/gostdsa-vko.c nettle-3.7.3/gostdsa-vko.c
--- nettle-3.4.1/gostdsa-vko.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/gostdsa-vko.c 2021-06-06 20:06:29.000000000 +0000
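Review bot: The `#define rp scratch` / `#define sp (scratch + size)` / `#define scratch_out (scratch + 2*size)` aliases with their three `#undef`s make `rp` and `sp` look like variables while they are macros expanding to arithmetic on a pointer that is only assigned later; after `scratch = gmp_alloc_limbs (itch);` the plain locals `mp_limb_t *rp = scratch, *sp = scratch + size, *scratch_out = scratch + 2*size;` express the same layout without the macro machinery. The early check bounds `r` and `s` only by sign and limb count; presumably the `r, s < q` comparison lives inside `ecc_gostdsa_verify`, which is not on this page, so a comment `/* 0 < r, s < q is checked by ecc_gostdsa_verify */` above the `if` would record where that validation happens. Whether `gmp_alloc_limbs` can return NULL is not visible here; if it can, the result needs a check before the `mpz_limbs_copy` calls.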
@@ -0,0 +1,96 @@
+/* gostdsa-vko.c
+
+ Copyright (C) 2016 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include "ecc-internal.h"
+#include "gostdsa.h"
+
+/*
+ * Shared key derivation/key agreement for GOST DSA algorithm.
+ * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1
+ *
+ * output is 2 * curve size:
+ * 64 bytes for 256 bit curves and 128 bytes for 512 bit ones
+ *
+ * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This
+ * function does multiplication. Caller should do hashing on his own.
+ *
+ * UKM is not a secret value (consider it as a nonce).
+ *
+ * For supported GOST curves cofactor is equal to 1. */
+void
+gostdsa_vko (const struct ecc_scalar *priv,
+ const struct ecc_point *pub,
+ size_t ukm_length, const uint8_t *ukm,
+ uint8_t *out)
+{
+ const struct ecc_curve *ecc = priv->ecc;
+ unsigned bsize = (ecc_bit_size (ecc) + 7) / 8;
+ mp_size_t size = ecc->p.size;
+ mp_size_t itch = 4*size + ecc->mul_itch;
+ mp_limb_t *scratch;
+
+ if (itch < 5*size + ecc->h_to_a_itch)
+ itch = 5*size + ecc->h_to_a_itch;
+
+ assert (pub->ecc == ecc);
+ assert (priv->ecc == ecc);
+ assert (ukm_length <= bsize);
+
+ scratch = gmp_alloc_limbs (itch);
+
+#define UKM scratch
+#define TEMP (scratch + 3*size)
+#define XYZ scratch
+#define TEMP_Y (scratch + 4*size)
+
+ mpn_set_base256_le (UKM, size, ukm, ukm_length);
+
+ /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0,
+ * no matter what private and public keys are. See RFC 4357 referencing GOST
+ * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */
+ if (mpn_zero_p (UKM, size))
+ UKM[0] = 1;
+
+ ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */
+ ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */
+ ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */
+ mpn_get_base256_le (out, bsize, TEMP, size);
+ mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size);
+ gmp_free_limbs (scratch, itch);
+}
diff -Nru nettle-3.4.1/gosthash94.c nettle-3.7.3/gosthash94.c
--- nettle-3.4.1/gosthash94.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/gosthash94.c 2021-06-06 20:06:29.000000000 +0000
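Review bot: `assert (priv->ecc == ecc);` can never fail because `ecc` was initialised from `priv->ecc` a few lines earlier; only the `pub->ecc == ecc` assertion carries information, so the redundant one should go. The `ukm_length <= bsize` precondition is enforced only by `assert`, which disappears under NDEBUG, and the public header does not state it; `mpn_set_base256_le (UKM, size, ukm, ukm_length)` is then handed an unchecked caller-supplied length, and how that helper behaves on an over-long input is not visible on this page, so the bound should at least be documented on the prototype, e.g. `/* ukm_length must not exceed the curve byte size (asserted, not checked in release builds). */`. The comment on the zero-UKM branch has a typo, `allways`.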
@@ -1,8 +1,11 @@
-/* gost.c - an implementation of GOST Hash Function
+/* gosthash94.c - an implementation of GOST Hash Function
+ *
 * based on the Russian Standard GOST R 34.11-94.
+ * English description in RFC 5831.
 * See also RFC 4357.
 *
 * Copyright: 2009-2012 Aleksey Kravchenko
+ * Copyright: 2019 Dmitry Eremin-Solenikov
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
@@ -38,209 +41,7 @@ #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" - -/* pre-initialized GOST lookup tables based on rotated S-Box */ -static const uint32_t gosthash94_sbox[4][256] = { - { - 0x72000, 0x75000, 0x74800, 0x71000, 0x76800, - 0x74000, 0x70000, 0x77000, 0x73000, 0x75800, - 0x70800, 0x76000, 0x73800, 0x77800, 0x72800, - 0x71800, 0x5A000, 0x5D000, 0x5C800, 0x59000, - 0x5E800, 0x5C000, 0x58000, 0x5F000, 0x5B000, - 0x5D800, 0x58800, 0x5E000, 0x5B800, 0x5F800, - 0x5A800, 0x59800, 0x22000, 0x25000, 0x24800, - 0x21000, 0x26800, 0x24000, 0x20000, 0x27000, - 0x23000, 0x25800, 0x20800, 0x26000, 0x23800, - 0x27800, 0x22800, 0x21800, 0x62000, 0x65000, - 0x64800, 0x61000, 0x66800, 0x64000, 0x60000, - 0x67000, 0x63000, 0x65800, 0x60800, 0x66000, - 0x63800, 0x67800, 0x62800, 0x61800, 0x32000, - 0x35000, 0x34800, 0x31000, 0x36800, 0x34000, - 0x30000, 0x37000, 0x33000, 0x35800, 0x30800, - 0x36000, 0x33800, 0x37800, 0x32800, 0x31800, - 0x6A000, 0x6D000, 0x6C800, 0x69000, 0x6E800, - 0x6C000, 0x68000, 0x6F000, 0x6B000, 0x6D800, - 0x68800, 0x6E000, 0x6B800, 0x6F800, 0x6A800, - 0x69800, 0x7A000, 0x7D000, 0x7C800, 0x79000, - 0x7E800, 0x7C000, 0x78000, 0x7F000, 0x7B000, - 0x7D800, 0x78800, 0x7E000, 0x7B800, 0x7F800, - 0x7A800, 0x79800, 0x52000, 0x55000, 0x54800, - 0x51000, 0x56800, 0x54000, 0x50000, 0x57000, - 0x53000, 0x55800, 0x50800, 0x56000, 0x53800, - 0x57800, 0x52800, 0x51800, 0x12000, 0x15000, - 0x14800, 0x11000, 0x16800, 0x14000, 0x10000, - 0x17000, 0x13000, 0x15800, 0x10800, 0x16000, - 0x13800, 0x17800, 0x12800, 0x11800, 0x1A000, - 0x1D000, 0x1C800, 0x19000, 0x1E800, 0x1C000, - 0x18000, 0x1F000, 0x1B000, 0x1D800, 0x18800, - 0x1E000, 0x1B800, 0x1F800, 0x1A800, 0x19800, - 0x42000, 0x45000, 0x44800, 0x41000, 0x46800, - 0x44000, 0x40000, 0x47000, 0x43000, 0x45800, - 0x40800, 0x46000, 0x43800, 0x47800, 0x42800, - 0x41800, 0xA000, 0xD000, 0xC800, 0x9000, - 0xE800, 0xC000, 0x8000, 0xF000, 0xB000, - 0xD800, 0x8800, 0xE000, 0xB800, 0xF800, - 0xA800, 
0x9800, 0x2000, 0x5000, 0x4800, - 0x1000, 0x6800, 0x4000, 0x0, 0x7000, - 0x3000, 0x5800, 0x800, 0x6000, 0x3800, - 0x7800, 0x2800, 0x1800, 0x3A000, 0x3D000, - 0x3C800, 0x39000, 0x3E800, 0x3C000, 0x38000, - 0x3F000, 0x3B000, 0x3D800, 0x38800, 0x3E000, - 0x3B800, 0x3F800, 0x3A800, 0x39800, 0x2A000, - 0x2D000, 0x2C800, 0x29000, 0x2E800, 0x2C000, - 0x28000, 0x2F000, 0x2B000, 0x2D800, 0x28800, - 0x2E000, 0x2B800, 0x2F800, 0x2A800, 0x29800, - 0x4A000, 0x4D000, 0x4C800, 0x49000, 0x4E800, - 0x4C000, 0x48000, 0x4F000, 0x4B000, 0x4D800, - 0x48800, 0x4E000, 0x4B800, 0x4F800, 0x4A800, - 0x49800 - }, { - 0x3A80000, 0x3C00000, 0x3880000, 0x3E80000, 0x3D00000, - 0x3980000, 0x3A00000, 0x3900000, 0x3F00000, 0x3F80000, - 0x3E00000, 0x3B80000, 0x3B00000, 0x3800000, 0x3C80000, - 0x3D80000, 0x6A80000, 0x6C00000, 0x6880000, 0x6E80000, - 0x6D00000, 0x6980000, 0x6A00000, 0x6900000, 0x6F00000, - 0x6F80000, 0x6E00000, 0x6B80000, 0x6B00000, 0x6800000, - 0x6C80000, 0x6D80000, 0x5280000, 0x5400000, 0x5080000, - 0x5680000, 0x5500000, 0x5180000, 0x5200000, 0x5100000, - 0x5700000, 0x5780000, 0x5600000, 0x5380000, 0x5300000, - 0x5000000, 0x5480000, 0x5580000, 0xA80000, 0xC00000, - 0x880000, 0xE80000, 0xD00000, 0x980000, 0xA00000, - 0x900000, 0xF00000, 0xF80000, 0xE00000, 0xB80000, - 0xB00000, 0x800000, 0xC80000, 0xD80000, 0x280000, - 0x400000, 0x80000, 0x680000, 0x500000, 0x180000, - 0x200000, 0x100000, 0x700000, 0x780000, 0x600000, - 0x380000, 0x300000, 0x0, 0x480000, 0x580000, - 0x4280000, 0x4400000, 0x4080000, 0x4680000, 0x4500000, - 0x4180000, 0x4200000, 0x4100000, 0x4700000, 0x4780000, - 0x4600000, 0x4380000, 0x4300000, 0x4000000, 0x4480000, - 0x4580000, 0x4A80000, 0x4C00000, 0x4880000, 0x4E80000, - 0x4D00000, 0x4980000, 0x4A00000, 0x4900000, 0x4F00000, - 0x4F80000, 0x4E00000, 0x4B80000, 0x4B00000, 0x4800000, - 0x4C80000, 0x4D80000, 0x7A80000, 0x7C00000, 0x7880000, - 0x7E80000, 0x7D00000, 0x7980000, 0x7A00000, 0x7900000, - 0x7F00000, 0x7F80000, 0x7E00000, 0x7B80000, 0x7B00000, - 0x7800000, 
0x7C80000, 0x7D80000, 0x7280000, 0x7400000, - 0x7080000, 0x7680000, 0x7500000, 0x7180000, 0x7200000, - 0x7100000, 0x7700000, 0x7780000, 0x7600000, 0x7380000, - 0x7300000, 0x7000000, 0x7480000, 0x7580000, 0x2280000, - 0x2400000, 0x2080000, 0x2680000, 0x2500000, 0x2180000, - 0x2200000, 0x2100000, 0x2700000, 0x2780000, 0x2600000, - 0x2380000, 0x2300000, 0x2000000, 0x2480000, 0x2580000, - 0x3280000, 0x3400000, 0x3080000, 0x3680000, 0x3500000, - 0x3180000, 0x3200000, 0x3100000, 0x3700000, 0x3780000, - 0x3600000, 0x3380000, 0x3300000, 0x3000000, 0x3480000, - 0x3580000, 0x6280000, 0x6400000, 0x6080000, 0x6680000, - 0x6500000, 0x6180000, 0x6200000, 0x6100000, 0x6700000, - 0x6780000, 0x6600000, 0x6380000, 0x6300000, 0x6000000, - 0x6480000, 0x6580000, 0x5A80000, 0x5C00000, 0x5880000, - 0x5E80000, 0x5D00000, 0x5980000, 0x5A00000, 0x5900000, - 0x5F00000, 0x5F80000, 0x5E00000, 0x5B80000, 0x5B00000, - 0x5800000, 0x5C80000, 0x5D80000, 0x1280000, 0x1400000, - 0x1080000, 0x1680000, 0x1500000, 0x1180000, 0x1200000, - 0x1100000, 0x1700000, 0x1780000, 0x1600000, 0x1380000, - 0x1300000, 0x1000000, 0x1480000, 0x1580000, 0x2A80000, - 0x2C00000, 0x2880000, 0x2E80000, 0x2D00000, 0x2980000, - 0x2A00000, 0x2900000, 0x2F00000, 0x2F80000, 0x2E00000, - 0x2B80000, 0x2B00000, 0x2800000, 0x2C80000, 0x2D80000, - 0x1A80000, 0x1C00000, 0x1880000, 0x1E80000, 0x1D00000, - 0x1980000, 0x1A00000, 0x1900000, 0x1F00000, 0x1F80000, - 0x1E00000, 0x1B80000, 0x1B00000, 0x1800000, 0x1C80000, - 0x1D80000 - }, { - 0x30000002, 0x60000002, 0x38000002, 0x8000002, - 0x28000002, 0x78000002, 0x68000002, 0x40000002, - 0x20000002, 0x50000002, 0x48000002, 0x70000002, - 0x2, 0x18000002, 0x58000002, 0x10000002, - 0xB0000005, 0xE0000005, 0xB8000005, 0x88000005, - 0xA8000005, 0xF8000005, 0xE8000005, 0xC0000005, - 0xA0000005, 0xD0000005, 0xC8000005, 0xF0000005, - 0x80000005, 0x98000005, 0xD8000005, 0x90000005, - 0x30000005, 0x60000005, 0x38000005, 0x8000005, - 0x28000005, 0x78000005, 0x68000005, 0x40000005, - 0x20000005, 
0x50000005, 0x48000005, 0x70000005, - 0x5, 0x18000005, 0x58000005, 0x10000005, - 0x30000000, 0x60000000, 0x38000000, 0x8000000, - 0x28000000, 0x78000000, 0x68000000, 0x40000000, - 0x20000000, 0x50000000, 0x48000000, 0x70000000, - 0x0, 0x18000000, 0x58000000, 0x10000000, - 0xB0000003, 0xE0000003, 0xB8000003, 0x88000003, - 0xA8000003, 0xF8000003, 0xE8000003, 0xC0000003, - 0xA0000003, 0xD0000003, 0xC8000003, 0xF0000003, - 0x80000003, 0x98000003, 0xD8000003, 0x90000003, - 0x30000001, 0x60000001, 0x38000001, 0x8000001, - 0x28000001, 0x78000001, 0x68000001, 0x40000001, - 0x20000001, 0x50000001, 0x48000001, 0x70000001, - 0x1, 0x18000001, 0x58000001, 0x10000001, - 0xB0000000, 0xE0000000, 0xB8000000, 0x88000000, - 0xA8000000, 0xF8000000, 0xE8000000, 0xC0000000, - 0xA0000000, 0xD0000000, 0xC8000000, 0xF0000000, - 0x80000000, 0x98000000, 0xD8000000, 0x90000000, - 0xB0000006, 0xE0000006, 0xB8000006, 0x88000006, - 0xA8000006, 0xF8000006, 0xE8000006, 0xC0000006, - 0xA0000006, 0xD0000006, 0xC8000006, 0xF0000006, - 0x80000006, 0x98000006, 0xD8000006, 0x90000006, - 0xB0000001, 0xE0000001, 0xB8000001, 0x88000001, - 0xA8000001, 0xF8000001, 0xE8000001, 0xC0000001, - 0xA0000001, 0xD0000001, 0xC8000001, 0xF0000001, - 0x80000001, 0x98000001, 0xD8000001, 0x90000001, - 0x30000003, 0x60000003, 0x38000003, 0x8000003, - 0x28000003, 0x78000003, 0x68000003, 0x40000003, - 0x20000003, 0x50000003, 0x48000003, 0x70000003, - 0x3, 0x18000003, 0x58000003, 0x10000003, - 0x30000004, 0x60000004, 0x38000004, 0x8000004, - 0x28000004, 0x78000004, 0x68000004, 0x40000004, - 0x20000004, 0x50000004, 0x48000004, 0x70000004, - 0x4, 0x18000004, 0x58000004, 0x10000004, - 0xB0000002, 0xE0000002, 0xB8000002, 0x88000002, - 0xA8000002, 0xF8000002, 0xE8000002, 0xC0000002, - 0xA0000002, 0xD0000002, 0xC8000002, 0xF0000002, - 0x80000002, 0x98000002, 0xD8000002, 0x90000002, - 0xB0000004, 0xE0000004, 0xB8000004, 0x88000004, - 0xA8000004, 0xF8000004, 0xE8000004, 0xC0000004, - 0xA0000004, 0xD0000004, 0xC8000004, 0xF0000004, - 
0x80000004, 0x98000004, 0xD8000004, 0x90000004, - 0x30000006, 0x60000006, 0x38000006, 0x8000006, - 0x28000006, 0x78000006, 0x68000006, 0x40000006, - 0x20000006, 0x50000006, 0x48000006, 0x70000006, - 0x6, 0x18000006, 0x58000006, 0x10000006, - 0xB0000007, 0xE0000007, 0xB8000007, 0x88000007, - 0xA8000007, 0xF8000007, 0xE8000007, 0xC0000007, - 0xA0000007, 0xD0000007, 0xC8000007, 0xF0000007, - 0x80000007, 0x98000007, 0xD8000007, 0x90000007, - 0x30000007, 0x60000007, 0x38000007, 0x8000007, - 0x28000007, 0x78000007, 0x68000007, 0x40000007, - 0x20000007, 0x50000007, 0x48000007, 0x70000007, - 0x7, 0x18000007, 0x58000007, 0x10000007 - }, { - 0xE8, 0xD8, 0xA0, 0x88, 0x98, 0xF8, 0xA8, 0xC8, 0x80, 0xD0, - 0xF0, 0xB8, 0xB0, 0xC0, 0x90, 0xE0, 0x7E8, 0x7D8, 0x7A0, 0x788, - 0x798, 0x7F8, 0x7A8, 0x7C8, 0x780, 0x7D0, 0x7F0, 0x7B8, 0x7B0, 0x7C0, - 0x790, 0x7E0, 0x6E8, 0x6D8, 0x6A0, 0x688, 0x698, 0x6F8, 0x6A8, 0x6C8, - 0x680, 0x6D0, 0x6F0, 0x6B8, 0x6B0, 0x6C0, 0x690, 0x6E0, 0x68, 0x58, - 0x20, 0x8, 0x18, 0x78, 0x28, 0x48, 0x0, 0x50, 0x70, 0x38, - 0x30, 0x40, 0x10, 0x60, 0x2E8, 0x2D8, 0x2A0, 0x288, 0x298, 0x2F8, - 0x2A8, 0x2C8, 0x280, 0x2D0, 0x2F0, 0x2B8, 0x2B0, 0x2C0, 0x290, 0x2E0, - 0x3E8, 0x3D8, 0x3A0, 0x388, 0x398, 0x3F8, 0x3A8, 0x3C8, 0x380, 0x3D0, - 0x3F0, 0x3B8, 0x3B0, 0x3C0, 0x390, 0x3E0, 0x568, 0x558, 0x520, 0x508, - 0x518, 0x578, 0x528, 0x548, 0x500, 0x550, 0x570, 0x538, 0x530, 0x540, - 0x510, 0x560, 0x268, 0x258, 0x220, 0x208, 0x218, 0x278, 0x228, 0x248, - 0x200, 0x250, 0x270, 0x238, 0x230, 0x240, 0x210, 0x260, 0x4E8, 0x4D8, - 0x4A0, 0x488, 0x498, 0x4F8, 0x4A8, 0x4C8, 0x480, 0x4D0, 0x4F0, 0x4B8, - 0x4B0, 0x4C0, 0x490, 0x4E0, 0x168, 0x158, 0x120, 0x108, 0x118, 0x178, - 0x128, 0x148, 0x100, 0x150, 0x170, 0x138, 0x130, 0x140, 0x110, 0x160, - 0x1E8, 0x1D8, 0x1A0, 0x188, 0x198, 0x1F8, 0x1A8, 0x1C8, 0x180, 0x1D0, - 0x1F0, 0x1B8, 0x1B0, 0x1C0, 0x190, 0x1E0, 0x768, 0x758, 0x720, 0x708, - 0x718, 0x778, 0x728, 0x748, 0x700, 0x750, 0x770, 0x738, 0x730, 0x740, - 0x710, 0x760, 0x368, 
0x358, 0x320, 0x308, 0x318, 0x378, 0x328, 0x348, - 0x300, 0x350, 0x370, 0x338, 0x330, 0x340, 0x310, 0x360, 0x5E8, 0x5D8, - 0x5A0, 0x588, 0x598, 0x5F8, 0x5A8, 0x5C8, 0x580, 0x5D0, 0x5F0, 0x5B8, - 0x5B0, 0x5C0, 0x590, 0x5E0, 0x468, 0x458, 0x420, 0x408, 0x418, 0x478, - 0x428, 0x448, 0x400, 0x450, 0x470, 0x438, 0x430, 0x440, 0x410, 0x460, - 0x668, 0x658, 0x620, 0x608, 0x618, 0x678, 0x628, 0x648, 0x600, 0x650, - 0x670, 0x638, 0x630, 0x640, 0x610, 0x660 - } -}; +#include "gost28147-internal.h" /** * Initialize algorithm context before calculating hash 
@@ -254,40 +55,6 @@
 memset (ctx, 0, sizeof (struct gosthash94_ctx));
 }
 
-/*
- * A macro that performs a full encryption round of GOST 28147-89.
- * Temporary variables tmp assumed and variables r and l for left and right
- * blocks.
- */
-#define GOST_ENCRYPT_ROUND(key1, key2, sbox) \
- tmp = (key1) + r; \
- l ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \
- (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24]; \
- tmp = (key2) + l; \
- r ^= (sbox)[0][tmp & 0xff] ^ (sbox)[1][(tmp >> 8) & 0xff] ^ \
- (sbox)[2][(tmp >> 16) & 0xff] ^ (sbox)[3][tmp >> 24];
-
-/* encrypt a block with the given key */
-#define GOST_ENCRYPT(result, i, key, hash, sbox) \
- r = hash[i], l = hash[i + 1]; \
- GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \
- GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \
- GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \
- GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \
- GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \
- GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \
- GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \
- GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \
- GOST_ENCRYPT_ROUND(key[0], key[1], sbox) \
- GOST_ENCRYPT_ROUND(key[2], key[3], sbox) \
- GOST_ENCRYPT_ROUND(key[4], key[5], sbox) \
- GOST_ENCRYPT_ROUND(key[6], key[7], sbox) \
- GOST_ENCRYPT_ROUND(key[7], key[6], sbox) \
- GOST_ENCRYPT_ROUND(key[5], key[4], sbox) \
- GOST_ENCRYPT_ROUND(key[3], key[2], sbox) \
- GOST_ENCRYPT_ROUND(key[1], key[0], sbox) \
- result[i] = l, result[i + 1] = r;
-
 /**
 * The core transformation. Process a 512-bit block.
 *
@@ -295,11 +62,11 @@
 * @param block the message block to process
 */
 static void
-gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block)
+gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block,
+ const uint32_t sbox[4][256])
 {
 unsigned i;
 uint32_t key[8], u[8], v[8], w[8], s[8];
- uint32_t l, r, tmp;
 
 /* u := hash, v := <256-bit message block> */
 memcpy (u, ctx->hash, sizeof (u));
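Review bot: `gost_block_compress` gains an `sbox` parameter in hunk `@@ -295,11 +62,11 @@`, but the Doxygen block directly above it still lists only `@param block`; add `@param sbox the GOST 28147-89 S-box table used for the encryption step`. The same omission applies to `gost_compute_sum_and_hash` in the following hunk (`@@ -496,7 +263,8 @@`). The body of gost_block_compress continues outside this hunk.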
@@ -341,7 +108,7 @@ ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000); /* encryption: s_i := E_{key_i} (h_i) */ - GOST_ENCRYPT (s, i, key, ctx->hash, gosthash94_sbox); + _nettle_gost28147_encrypt_block (key, sbox, &ctx->hash[i], &s[i]); if (i == 0) { @@ -496,7 +263,8 @@ * @param block the 256-bit message block to process */ static void -gost_compute_sum_and_hash (struct gosthash94_ctx *ctx, const uint8_t *block) +gost_compute_sum_and_hash (struct gosthash94_ctx *ctx, const uint8_t *block, + const uint32_t sbox[4][256]) { uint32_t block_le[8]; unsigned i, carry; @@ -512,7 +280,25 @@ } /* update message hash */ - gost_block_compress (ctx, block_le); + gost_block_compress (ctx, block_le, sbox); +} + +#define COMPRESS(ctx, block) gost_compute_sum_and_hash((ctx), (block), sbox); + +/** + * Calculate message hash. + * Can be called repeatedly with chunks of the message to be hashed. + * + * @param ctx the algorithm context containing current hashing state + * @param msg message chunk + * @param size length of the message chunk + */ +static void +gosthash94_update_int (struct gosthash94_ctx *ctx, + size_t length, const uint8_t *msg, + const uint32_t sbox[4][256]) +{ + MD_UPDATE(ctx, length, msg, COMPRESS, ctx->count++); } /** 
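Review bot: `COMPRESS` is defined with a trailing semicolon and captures the `sbox` local of whatever function expands it, so it only works inside `gosthash94_update_int` and, if `MD_UPDATE` already terminates the call with `;`, leaves an empty statement after each call. Drop the semicolon, `#define COMPRESS(ctx, block) gost_compute_sum_and_hash((ctx), (block), sbox)`, and add `#undef COMPRESS` after the function so the name does not leak into the rest of the translation unit. The new doc comment also lists `@param size` while the parameter is named `length`; the same copied comment appears on `gosthash94cp_update` in the next hunk.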
@@ -527,33 +313,24 @@ gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { - unsigned index = (unsigned) ctx->length & 31; - ctx->length += length; + gosthash94_update_int (ctx, length, msg, + _nettle_gost28147_param_test_3411.sbox); +} - /* fill partial block */ - if (index) - { - unsigned left = GOSTHASH94_BLOCK_SIZE - index; - memcpy (ctx->message + index, msg, (length < left ? length : left)); - if (length < left) - return; - - /* process partial block */ - gost_compute_sum_and_hash (ctx, ctx->message); - msg += left; - length -= left; - } - while (length >= GOSTHASH94_BLOCK_SIZE) - { - gost_compute_sum_and_hash (ctx, msg); - msg += GOSTHASH94_BLOCK_SIZE; - length -= GOSTHASH94_BLOCK_SIZE; - } - if (length) - { - /* save leftovers */ - memcpy (ctx->message, msg, length); - } +/** + * Calculate message hash. + * Can be called repeatedly with chunks of the message to be hashed. + * + * @param ctx the algorithm context containing current hashing state + * @param msg message chunk + * @param size length of the message chunk + */ +void +gosthash94cp_update (struct gosthash94_ctx *ctx, + size_t length, const uint8_t *msg) +{ + gosthash94_update_int (ctx, length, msg, + _nettle_gost28147_param_CryptoPro_3411.sbox); } /** 
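Review bot: `gosthash94cp_update` is documented with a comment copied verbatim from `gosthash94_update`, so nothing tells a reader that the only difference is the `_nettle_gost28147_param_CryptoPro_3411` S-box set rather than the test parameters used by `gosthash94_update`, although the two produce different digests for the same input. Replace the first line with ` * Calculate message hash using the CryptoPro parameter set (S-boxes).` and, on both public functions, add ` * Do not mix gosthash94_* and gosthash94cp_* calls on one context; the result would be neither hash.` Since `ctx` is the same struct for both variants, the compiler cannot catch such mixing.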
@@ -562,31 +339,47 @@ * @param ctx the algorithm context containing current hashing state * @param result calculated hash in binary form */ -void -gosthash94_digest (struct gosthash94_ctx *ctx, - size_t length, uint8_t *result) +static void +gosthash94_write_digest (struct gosthash94_ctx *ctx, + size_t length, uint8_t *result, + const uint32_t sbox[4][256]) { - unsigned index = ctx->length & 31; - uint32_t msg32[8]; + uint32_t msg32[GOSTHASH94_BLOCK_SIZE / 4]; assert(length <= GOSTHASH94_DIGEST_SIZE); /* pad the last block with zeroes and hash it */ - if (index > 0) + if (ctx->index > 0) { - memset (ctx->message + index, 0, 32 - index); - gost_compute_sum_and_hash (ctx, ctx->message); + memset (ctx->block + ctx->index, 0, GOSTHASH94_BLOCK_SIZE - ctx->index); + gost_compute_sum_and_hash (ctx, ctx->block, sbox); } /* hash the message length and the sum */ - msg32[0] = ctx->length << 3; - msg32[1] = ctx->length >> 29; + msg32[0] = (ctx->count << 8) | (ctx->index << 3); + msg32[1] = ctx->count >> 24; memset (msg32 + 2, 0, sizeof (uint32_t) * 6); - gost_block_compress (ctx, msg32); - gost_block_compress (ctx, ctx->sum); + gost_block_compress (ctx, msg32, sbox); + gost_block_compress (ctx, ctx->sum, sbox); /* convert hash state to result bytes */ _nettle_write_le32(length, result, ctx->hash); gosthash94_init (ctx); } + +void +gosthash94_digest (struct gosthash94_ctx *ctx, + size_t length, uint8_t *result) +{ + gosthash94_write_digest (ctx, length, result, + _nettle_gost28147_param_test_3411.sbox); +} + +void +gosthash94cp_digest (struct gosthash94_ctx *ctx, + size_t length, uint8_t *result) +{ + gosthash94_write_digest (ctx, length, result, + _nettle_gost28147_param_CryptoPro_3411.sbox); +} diff -Nru nettle-3.4.1/gosthash94.h nettle-3.7.3/gosthash94.h --- nettle-3.4.1/gosthash94.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/gosthash94.h 2021-06-06 20:06:29.000000000 +0000 
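Review bot: The length encoding `msg32[0] = (ctx->count << 8) | (ctx->index << 3); msg32[1] = ctx->count >> 24;` replaces the previous `ctx->length << 3` / `>> 29` with no comment, and the equivalence (256 bits per completed 32-byte block plus 8 per buffered byte, split into two 32-bit words) is not obvious from the code; add `/* message length in bits: 256 * count + 8 * index, as low and high 32-bit words */` above it. The Doxygen block above, which documents only `ctx` and `result`, now sits on the static helper `gosthash94_write_digest` that also takes `length` and `sbox`, while the public `gosthash94_digest` and `gosthash94cp_digest` have no comment at all; move the block to the public functions and document `sbox` on the helper.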
@@ -72,18 +72,26 @@ #define gosthash94_update nettle_gosthash94_update #define gosthash94_digest nettle_gosthash94_digest +#define gosthash94cp_update nettle_gosthash94cp_update +#define gosthash94cp_digest nettle_gosthash94cp_digest + #define GOSTHASH94_BLOCK_SIZE 32 #define GOSTHASH94_DIGEST_SIZE 32 /* For backwards compatibility */ #define GOSTHASH94_DATA_SIZE GOSTHASH94_BLOCK_SIZE +#define GOSTHASH94CP_BLOCK_SIZE GOSTHASH94_BLOCK_SIZE +#define GOSTHASH94CP_DIGEST_SIZE GOSTHASH94_DIGEST_SIZE + struct gosthash94_ctx { uint32_t hash[8]; /* algorithm 256-bit state */ uint32_t sum[8]; /* sum of processed message blocks */ - uint8_t message[GOSTHASH94_BLOCK_SIZE]; /* 256-bit buffer for leftovers */ - uint64_t length; /* number of processed bytes */ + uint64_t count; /* Block count */ + unsigned index; /* Into buffer */ + uint8_t block[GOSTHASH94_BLOCK_SIZE]; /* 256-bit buffer for leftovers */ }; +#define gosthash94cp_ctx gosthash94_ctx void gosthash94_init(struct gosthash94_ctx *ctx); void gosthash94_update(struct gosthash94_ctx *ctx, @@ -91,6 +99,12 @@ void gosthash94_digest(struct gosthash94_ctx *ctx, size_t length, uint8_t *result); +#define gosthash94cp_init gosthash94_init +void gosthash94cp_update(struct gosthash94_ctx *ctx, + size_t length, const uint8_t *msg); +void gosthash94cp_digest(struct gosthash94_ctx *ctx, + size_t length, uint8_t *result); + #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/gosthash94-meta.c nettle-3.7.3/gosthash94-meta.c --- nettle-3.4.1/gosthash94-meta.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/gosthash94-meta.c 2021-06-06 20:06:29.000000000 +0000 
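Review bot: `struct gosthash94_ctx` is a public type and its layout changes (`message`/`length` replaced by `count`, `index`, `block`), so its size and field offsets differ for any program that embeds it, including the `HMAC_CTX(struct gosthash94_ctx)` wrappers added in hmac.h; this is only safe if the library's soname was bumped for the same release, which the header does not show. The new `gosthash94cp_*` entry points and the `#define gosthash94cp_ctx gosthash94_ctx` alias carry no comment explaining what `cp` is; add `/* GOST R 34.11-94 with the CryptoPro parameter set; shares the gosthash94 context layout */` above that block. The field comments `/* Block count */` and `/* Into buffer */` would read better as `/* number of completed 32-byte blocks */` and `/* bytes buffered in block */`.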
@@ -39,3 +39,6 @@ const struct nettle_hash nettle_gosthash94 = _NETTLE_HASH(gosthash94, GOSTHASH94); + +const struct nettle_hash nettle_gosthash94cp += _NETTLE_HASH(gosthash94cp, GOSTHASH94CP); diff -Nru nettle-3.4.1/hmac-gosthash94.c nettle-3.7.3/hmac-gosthash94.c --- nettle-3.4.1/hmac-gosthash94.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-gosthash94.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,79 @@ +/* hmac-gosthash94.c + + HMAC-GOSTHASH94 message authentication code. + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "hmac.h" + +void +hmac_gosthash94_set_key(struct hmac_gosthash94_ctx *ctx, + size_t key_length, const uint8_t *key) +{ + HMAC_SET_KEY(ctx, &nettle_gosthash94, key_length, key); +} + +void +hmac_gosthash94_update(struct hmac_gosthash94_ctx *ctx, + size_t length, const uint8_t *data) +{ + gosthash94_update(&ctx->state, length, data); +} + +void +hmac_gosthash94_digest(struct hmac_gosthash94_ctx *ctx, + size_t length, uint8_t *digest) +{ + HMAC_DIGEST(ctx, &nettle_gosthash94, length, digest); +} + +void +hmac_gosthash94cp_set_key(struct hmac_gosthash94cp_ctx *ctx, + size_t key_length, const uint8_t *key) +{ + HMAC_SET_KEY(ctx, &nettle_gosthash94cp, key_length, key); +} + +void +hmac_gosthash94cp_update(struct hmac_gosthash94cp_ctx *ctx, + size_t length, const uint8_t *data) +{ + gosthash94cp_update(&ctx->state, length, data); +} +void +hmac_gosthash94cp_digest(struct hmac_gosthash94cp_ctx *ctx, + size_t length, uint8_t *digest) +{ + HMAC_DIGEST(ctx, &nettle_gosthash94cp, length, digest); +} diff -Nru nettle-3.4.1/hmac.h nettle-3.7.3/hmac.h --- nettle-3.4.1/hmac.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/hmac.h 2021-06-06 20:06:29.000000000 +0000 @@ -36,10 +36,12 @@ #include "nettle-meta.h" +#include "gosthash94.h" #include "md5.h" #include "ripemd160.h" #include "sha1.h" #include "sha2.h" +#include "streebog.h" #ifdef __cplusplus extern "C" { 
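Review bot: `hmac_gosthash94cp_update` and `hmac_gosthash94cp_digest` are not separated by a blank line, unlike every other pair of definitions in the file; insert one after the closing `}` of the update function. The file also gives no hint of how the `cp` functions differ from the plain ones, which a reader cannot learn without opening gosthash94.c; a one-line comment above `hmac_gosthash94cp_set_key`, `/* Same construction over GOST R 34.11-94 with the CryptoPro S-box parameter set */`, would do.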
@@ -68,6 +70,17 @@ #define hmac_sha512_set_key nettle_hmac_sha512_set_key #define hmac_sha512_update nettle_hmac_sha512_update #define hmac_sha512_digest nettle_hmac_sha512_digest +#define hmac_gosthash94_set_key nettle_hmac_gosthash94_set_key +#define hmac_gosthash94_update nettle_hmac_gosthash94_update +#define hmac_gosthash94_digest nettle_hmac_gosthash94_digest +#define hmac_gosthash94cp_set_key nettle_hmac_gosthash94cp_set_key +#define hmac_gosthash94cp_update nettle_hmac_gosthash94cp_update +#define hmac_gosthash94cp_digest nettle_hmac_gosthash94cp_digest +#define hmac_streebog256_set_key nettle_hmac_streebog256_set_key +#define hmac_streebog256_digest nettle_hmac_streebog256_digest +#define hmac_streebog512_set_key nettle_hmac_streebog512_set_key +#define hmac_streebog512_update nettle_hmac_streebog512_update +#define hmac_streebog512_digest nettle_hmac_streebog512_digest void hmac_set_key(void *outer, void *inner, void *state, 
@@ -203,6 +216,63 @@ hmac_sha384_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest); +/* hmac-gosthash94 */ +struct hmac_gosthash94_ctx HMAC_CTX(struct gosthash94_ctx); + +void +hmac_gosthash94_set_key(struct hmac_gosthash94_ctx *ctx, + size_t key_length, const uint8_t *key); + +void +hmac_gosthash94_update(struct hmac_gosthash94_ctx *ctx, + size_t length, const uint8_t *data); + + void +hmac_gosthash94_digest(struct hmac_gosthash94_ctx *ctx, + size_t length, uint8_t *digest); + +struct hmac_gosthash94cp_ctx HMAC_CTX(struct gosthash94cp_ctx); + +void +hmac_gosthash94cp_set_key(struct hmac_gosthash94cp_ctx *ctx, + size_t key_length, const uint8_t *key); + +void +hmac_gosthash94cp_update(struct hmac_gosthash94cp_ctx *ctx, + size_t length, const uint8_t *data); + +void +hmac_gosthash94cp_digest(struct hmac_gosthash94cp_ctx *ctx, + size_t length, uint8_t *digest); + + +/* hmac-streebog */ +struct hmac_streebog512_ctx HMAC_CTX(struct streebog512_ctx); + +void +hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx, + size_t key_length, const uint8_t *key); + +void +hmac_streebog512_update(struct hmac_streebog512_ctx *ctx, + size_t length, const uint8_t *data); + +void +hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx, + size_t length, uint8_t *digest); + +#define hmac_streebog256_ctx hmac_streebog512_ctx + +void +hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx, + size_t key_length, const uint8_t *key); + +#define hmac_streebog256_update hmac_streebog512_update + +void +hmac_streebog256_digest(struct hmac_streebog256_ctx *ctx, + size_t length, uint8_t *digest); + #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/hmac-md5-meta.c nettle-3.7.3/hmac-md5-meta.c --- nettle-3.4.1/hmac-md5-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-md5-meta.c 2021-06-06 20:06:29.000000000 +0000 
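Review bot: The declaration of `hmac_gosthash94_digest` is indented by a stray leading space (` void` at column 1) while every neighbouring declaration starts at column 0; drop the space. The two new families also alias their second variant differently: `hmac_gosthash94cp_ctx` is a distinct struct, so passing it to a `hmac_gosthash94_*` function is diagnosed as an incompatible pointer type, whereas `#define hmac_streebog256_ctx hmac_streebog512_ctx` makes the streebog contexts the same type and a mixed `hmac_streebog256_set_key` / `hmac_streebog512_digest` pair compiles silently. That is presumably deliberate, mirroring how `hmac_sha384_digest` takes a `struct hmac_sha512_ctx`, but a comment such as `/* streebog256 shares the 512 context; do not mix 256 and 512 calls on one context */` would make the contract explicit.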
@@ -0,0 +1,47 @@ +/* hmac-md5-meta.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_md5_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_md5_set_key (ctx, MD5_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_md5 += _NETTLE_HMAC(hmac_md5, MD5); diff -Nru nettle-3.4.1/hmac-ripemd160-meta.c nettle-3.7.3/hmac-ripemd160-meta.c --- nettle-3.4.1/hmac-ripemd160-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-ripemd160-meta.c 2021-06-06 20:06:29.000000000 +0000 
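Review bot: `hmac_md5_set_key_wrapper` fixes the key length to `MD5_DIGEST_SIZE`, so the `nettle_hmac_md5` object produced by `_NETTLE_HMAC` only ever sets keys of exactly the digest size, presumably because `struct nettle_mac` carries a single fixed key size; nothing in the file says so, and callers needing another key length must call `hmac_md5_set_key` directly. Add `/* nettle_mac has a fixed key size; this wrapper binds it to the digest size */` above the wrapper. The wrapper is referenced only through the `_NETTLE_HMAC` macro, whose definition is outside this diff, so the link between the two is implicit and worth a word in the same comment. The same pattern with the same missing comment is repeated in hmac-ripemd160-meta.c, hmac-sha1-meta.c, hmac-sha224-meta.c, hmac-sha256-meta.c, hmac-sha384-meta.c, hmac-sha512-meta.c and hmac-streebog-meta.c.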
@@ -0,0 +1,47 @@ +/* hmac-ripemd160-meta.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_ripemd160_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_ripemd160_set_key (ctx, RIPEMD160_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_ripemd160 += _NETTLE_HMAC(hmac_ripemd160, RIPEMD160); diff -Nru nettle-3.4.1/hmac-sha1-meta.c nettle-3.7.3/hmac-sha1-meta.c --- nettle-3.4.1/hmac-sha1-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-sha1-meta.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,47 @@ +/* hmac-sha1-meta.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha1_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha1_set_key (ctx, SHA1_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha1 += _NETTLE_HMAC(hmac_sha1, SHA1); diff -Nru nettle-3.4.1/hmac-sha224-meta.c nettle-3.7.3/hmac-sha224-meta.c --- nettle-3.4.1/hmac-sha224-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-sha224-meta.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,47 @@ +/* hmac-sha224-meta.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha224_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha224_set_key (ctx, SHA224_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha224 += _NETTLE_HMAC(hmac_sha224, SHA224); diff -Nru nettle-3.4.1/hmac-sha256-meta.c nettle-3.7.3/hmac-sha256-meta.c --- nettle-3.4.1/hmac-sha256-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-sha256-meta.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,47 @@ +/* hmac-sha256-meta.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha256_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha256_set_key (ctx, SHA256_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha256 += _NETTLE_HMAC(hmac_sha256, SHA256); diff -Nru nettle-3.4.1/hmac-sha384-meta.c nettle-3.7.3/hmac-sha384-meta.c --- nettle-3.4.1/hmac-sha384-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-sha384-meta.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,47 @@ +/* hmac-sha384-meta.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha384_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha384_set_key (ctx, SHA384_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha384 += _NETTLE_HMAC(hmac_sha384, SHA384); diff -Nru nettle-3.4.1/hmac-sha512-meta.c nettle-3.7.3/hmac-sha512-meta.c --- nettle-3.4.1/hmac-sha512-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-sha512-meta.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,47 @@ +/* hmac-sha512-meta.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_sha512_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_sha512_set_key (ctx, SHA512_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_sha512 += _NETTLE_HMAC(hmac_sha512, SHA512); diff -Nru nettle-3.4.1/hmac-streebog.c nettle-3.7.3/hmac-streebog.c --- nettle-3.4.1/hmac-streebog.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-streebog.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,73 @@ +/* hmac-streebog.c + + HMAC-Streebog message authentication code. + + Copyright (C) 2016 Dmitry Eremin-Solenikov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "hmac.h" + +void +hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx, + size_t key_length, const uint8_t *key) +{ + HMAC_SET_KEY(ctx, &nettle_streebog512, key_length, key); +} + +void +hmac_streebog512_update(struct hmac_streebog512_ctx *ctx, + size_t length, const uint8_t *data) +{ + streebog512_update(&ctx->state, length, data); +} + +void +hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx, + size_t length, uint8_t *digest) +{ + HMAC_DIGEST(ctx, &nettle_streebog512, length, digest); +} + +void +hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx, + size_t key_length, const uint8_t *key) +{ + HMAC_SET_KEY(ctx, &nettle_streebog256, key_length, key); +} + +void +hmac_streebog256_digest(struct hmac_streebog256_ctx *ctx, + size_t length, uint8_t *digest) +{ + HMAC_DIGEST(ctx, &nettle_streebog256, length, digest); +} diff -Nru nettle-3.4.1/hmac-streebog-meta.c nettle-3.7.3/hmac-streebog-meta.c --- nettle-3.4.1/hmac-streebog-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hmac-streebog-meta.c 2021-06-06 20:06:29.000000000 +0000 
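Review bot: There is no `hmac_streebog256_update` in this file because hmac.h defines it as an alias of `hmac_streebog512_update`, but a reader of this translation unit cannot see that and the asymmetry with the 512 set looks like an omission; add `/* hmac_streebog256_update is an alias of hmac_streebog512_update (see hmac.h) */` above `hmac_streebog256_set_key`. The file header should also say that both variants run on `struct hmac_streebog512_ctx`, e.g. `HMAC-Streebog message authentication code (256- and 512-bit variants sharing one context).`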
@@ -0,0 +1,56 @@ +/* hmac-streebog-meta.c + + Copyright (C) 2020 Dmitry Baryshkov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "hmac.h" + +static void +hmac_streebog256_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_streebog256_set_key (ctx, STREEBOG256_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_streebog256 += _NETTLE_HMAC(hmac_streebog256, STREEBOG256); + +static void +hmac_streebog512_set_key_wrapper (void *ctx, const uint8_t *key) +{ + hmac_streebog512_set_key (ctx, STREEBOG512_DIGEST_SIZE, key); +} + +const struct nettle_mac nettle_hmac_streebog512 += _NETTLE_HMAC(hmac_streebog512, STREEBOG512); diff -Nru nettle-3.4.1/hogweed-internal.h nettle-3.7.3/hogweed-internal.h --- nettle-3.4.1/hogweed-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/hogweed-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,54 @@ +/* hogweed-internal.h + + Bignum operations that are missing from gmp. + + Copyright (C) 2001 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_HOGWEED_INTERNAL_H_INCLUDED +#define NETTLE_HOGWEED_INTERNAL_H_INCLUDED + +void +_nettle_generate_pocklington_prime (mpz_t p, mpz_t r, + unsigned bits, int top_bits_set, + void *ctx, nettle_random_func *random, + const mpz_t p0, + const mpz_t q, + const mpz_t p0q); + +#define _pkcs1_signature_prefix _nettle_pkcs1_signature_prefix + +uint8_t * +_pkcs1_signature_prefix(unsigned key_size, + uint8_t *buffer, + unsigned id_size, + const uint8_t *id, + unsigned digest_size); + +#endif /* NETTLE_HOGWEED_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/libhogweed.map.in nettle-3.7.3/libhogweed.map.in --- nettle-3.4.1/libhogweed.map.in 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/libhogweed.map.in 2021-06-06 20:06:29.000000000 +0000 
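Review bot: The header uses `mpz_t`, `nettle_random_func` and `uint8_t` in its prototypes but includes nothing, so it compiles only when the including file has already pulled in gmp.h, the nettle type declarations and `<stdint.h>`; an internal header should still be self-contained so that including it first in a .c file works. Add `#include <gmp.h>` and the nettle header that declares `nettle_random_func` (nettle-types.h) after the include guard. The `_nettle_generate_pocklington_prime` parameter list (`p`, `r`, `bits`, `top_bits_set`, `p0`, `q`, `p0q`) carries no comment on which `mpz_t` arguments are inputs and which are outputs, which the non-const `p` and `r` next to the `const` ones make easy to guess wrong; a short comment naming the outputs would help.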
@@ -1,4 +1,4 @@ -# libhogweed.map -- libhogweed linker version script. -*- ld-script -*- +# libhogweed.map.in -- linker version script. -*- ld-script -*- # # The symbol version must be updated on every hogweed @@ -8,11 +8,20 @@ HOGWEED_@LIBHOGWEED_MAJOR@ { global: - nettle_*; - _nettle_*; @HOGWEED_EXTRA_SYMBOLS@ + nettle_*; local: *; }; +# Internal symbols which are to be used only for unit or other +# testing. Compatibility may break across releases. +HOGWEED_INTERNAL_@LIBHOGWEED_MAJOR@_@LIBNETTLE_MINOR@ +{ + global: + _nettle_*; + + local: + *; +}; diff -Nru nettle-3.4.1/libnettle.map.in nettle-3.7.3/libnettle.map.in --- nettle-3.4.1/libnettle.map.in 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/libnettle.map.in 2021-06-06 20:06:29.000000000 +0000 @@ -1,4 +1,4 @@ -# libnettle.map -- libnettle linker version script. -*- ld-script -*- +# libnettle.map.in -- linker version script. -*- ld-script -*- # # The symbol version must be updated on every nettle @@ -9,9 +9,18 @@ { global: nettle_*; - _nettle_*; local: *; }; +# Internal symbols which are to be used only for unit or other +# testing. Compatibility may break across releases. +NETTLE_INTERNAL_@LIBNETTLE_MAJOR@_@LIBNETTLE_MINOR@ +{ + global: + _nettle_*; + + local: + *; +}; diff -Nru nettle-3.4.1/m4-utils.m4 nettle-3.7.3/m4-utils.m4 --- nettle-3.4.1/m4-utils.m4 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/m4-utils.m4 2021-06-06 20:06:29.000000000 +0000 
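Review bot: The new internal version node in libhogweed.map.in is spelled `HOGWEED_INTERNAL_@LIBHOGWEED_MAJOR@_@LIBNETTLE_MINOR@`, mixing the hogweed major with the nettle minor, while the libnettle.map.in counterpart consistently uses `NETTLE_INTERNAL_@LIBNETTLE_MAJOR@_@LIBNETTLE_MINOR@`. If configure also substitutes a `LIBHOGWEED_MINOR`, the hogweed node should use it; if the mixed form is intended because both libraries are released together, say so in the comment above the node, since that node's whole purpose is to change name on every release. Moving `_nettle_*` out of the public `HOGWEED_@LIBHOGWEED_MAJOR@` node is a good hardening step, but the header comment still only says the symbol version must be updated on every release and could mention the internal node as well.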
@@ -0,0 +1,445 @@ +divert(-1) + +dnl +dnl m4 macros for gmp assembly code, shared by all CPUs. From gmp/mpn/asm-defs.m4 + +dnl Copyright 1999-2006, 2011 Free Software Foundation, Inc. + +dnl This file is part of the GNU MP Library. +dnl +dnl The GNU MP Library is free software; you can redistribute it and/or modify +dnl it under the terms of either: +dnl +dnl * the GNU Lesser General Public License as published by the Free +dnl Software Foundation; either version 3 of the License, or (at your +dnl option) any later version. +dnl +dnl or +dnl +dnl * the GNU General Public License as published by the Free Software +dnl Foundation; either version 2 of the License, or (at your option) any +dnl later version. +dnl +dnl or both in parallel, as here. +dnl +dnl The GNU MP Library is distributed in the hope that it will be useful, but +dnl WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +dnl or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +dnl for more details. +dnl +dnl You should have received copies of the GNU General Public License and the +dnl GNU Lesser General Public License along with the GNU MP Library. If not, +dnl see https://www.gnu.org/licenses/. + + +dnl These macros are designed for use with any m4 and have been used on +dnl GNU, FreeBSD, NetBSD, OpenBSD and SysV. +dnl +dnl GNU m4 and OpenBSD 2.7 m4 will give filenames and line numbers in error +dnl messages. +dnl +dnl +dnl Macros: +dnl +dnl Most new m4 specific macros have an "m4_" prefix to emphasise they're +dnl m4 expansions. But new defining things like deflit() and defreg() are +dnl named like the builtin define(), and forloop() is named following the +dnl GNU m4 example on which it's based. +dnl +dnl GNU m4 with the -P option uses "m4_" as a prefix for builtins, but that +dnl option isn't going to be used, so there's no conflict or confusion. 
+dnl +dnl +dnl Comments in output: +dnl +dnl The m4 comment delimiters are left at # and \n, the normal assembler +dnl commenting for most CPUs. m4 passes comment text through without +dnl expanding macros in it, which is generally a good thing since it stops +dnl unexpected expansions and possible resultant errors. +dnl +dnl But note that when a quoted string is being read, a # isn't special, so +dnl apostrophes in comments in quoted strings must be avoided or they'll be +dnl interpreted as a closing quote mark. But when the quoted text is +dnl re-read # will still act like a normal comment, suppressing macro +dnl expansion. +dnl +dnl For example, +dnl +dnl # apostrophes in comments that're outside quotes are ok +dnl # and using macro names like PROLOGUE is ok too +dnl ... +dnl ifdef(`PIC',` +dnl # but apostrophes aren't ok inside quotes +dnl # ^--wrong +dnl ... +dnl # though macro names like PROLOGUE are still ok +dnl ... +dnl ') +dnl +dnl If macro expansion in a comment is wanted, use `#' in the .asm (ie. a +dnl quoted hash symbol), which will turn into # in the .s but get +dnl expansions done on that line. This can make the .s more readable to +dnl humans, but it won't make a blind bit of difference to the assembler. +dnl +dnl All the above applies, mutatis mutandis, when changecom() is used to +dnl select @ ! ; or whatever other commenting. +dnl +dnl +dnl Variations in m4 affecting gmp: +dnl +dnl $# - When a macro is called as "foo" with no brackets, BSD m4 sets $# +dnl to 1, whereas GNU or SysV m4 set it to 0. In all cases though +dnl "foo()" sets $# to 1. This is worked around in various places. +dnl +dnl len() - When "len()" is given an empty argument, BSD m4 evaluates to +dnl nothing, whereas GNU, SysV, and the new OpenBSD, evaluate to 0. +dnl See m4_length() below which works around this. +dnl +dnl translit() - GNU m4 accepts character ranges like A-Z, and the new +dnl OpenBSD m4 does under option -g, but basic BSD and SysV don't. 
+dnl +dnl popdef() - in BSD and SysV m4 popdef() takes multiple arguments and +dnl pops each, but GNU m4 only takes one argument. +dnl +dnl push back - BSD m4 has some limits on the amount of text that can be +dnl pushed back. The limit is reasonably big and so long as macros +dnl don't gratuitously duplicate big arguments it isn't a problem. +dnl Normally an error message is given, but sometimes it just hangs. +dnl +dnl eval() &,|,^ - GNU and SysV m4 have bitwise operators &,|,^ available, +dnl but BSD m4 doesn't (contrary to what the man page suggests) and +dnl instead ^ is exponentiation. +dnl +dnl eval() ?: - The C ternary operator "?:" is available in BSD m4, but not +dnl in SysV or GNU m4 (as of GNU m4 1.4 and betas of 1.5). +dnl +dnl eval() -2^31 - BSD m4 has a bug where an eval() resulting in -2^31 +dnl (ie. -2147483648) gives "-(". Using -2147483648 within an +dnl expression is ok, it just can't be a final result. "-(" will of +dnl course upset parsing, with all sorts of strange effects. +dnl +dnl eval() <<,>> - SysV m4 doesn't support shift operators in eval() (on +dnl Solaris 7 /usr/xpg4/m4 has them but /usr/ccs/m4 doesn't). See +dnl m4_lshift() and m4_rshift() below for workarounds. +dnl +dnl ifdef() - OSF 4.0 m4 considers a macro defined to a zero value `0' or +dnl `00' etc as not defined. See m4_ifdef below for a workaround. +dnl +dnl m4wrap() sequence - in BSD m4, m4wrap() replaces any previous m4wrap() +dnl string, in SysV m4 it appends to it, and in GNU m4 it prepends. +dnl See m4wrap_prepend() below which brings uniformity to this. +dnl +dnl m4wrap() 0xFF - old versions of BSD m4 store EOF in a C "char" under an +dnl m4wrap() and on systems where char is unsigned by default a +dnl spurious 0xFF is output. This has been observed on recent Cray +dnl Unicos Alpha, Apple MacOS X, and HPUX 11 systems. An autoconf +dnl test is used to check for this, see the m4wrap handling below. 
It +dnl might work to end the m4wrap string with a dnl to consume the +dnl 0xFF, but that probably induces the offending m4's to read from an +dnl already closed "FILE *", which could be bad on a glibc style +dnl stdio. +dnl +dnl __file__,__line__ - GNU m4 and OpenBSD 2.7 m4 provide these, and +dnl they're used here to make error messages more informative. GNU m4 +dnl gives an unhelpful "NONE 0" in an m4wrap(), but that's worked +dnl around. +dnl +dnl __file__ quoting - OpenBSD m4, unlike GNU m4, doesn't quote the +dnl filename in __file__, so care should be taken that no macro has +dnl the same name as a file, or an unwanted expansion will occur when +dnl printing an error or warning. +dnl +dnl changecom() - BSD m4 changecom doesn't quite work like the man page +dnl suggests, in particular "changecom" or "changecom()" doesn't +dnl disable the comment feature, and multi-character comment sequences +dnl don't seem to work. If the default `#' and newline aren't +dnl suitable it's necessary to change it to something else, +dnl eg. changecom(;). +dnl +dnl OpenBSD 2.6 m4 - in this m4, eval() rejects decimal constants containing +dnl an 8 or 9, making it pretty much unusable. The bug is confined to +dnl version 2.6 (it's not in 2.5, and was fixed in 2.7). +dnl +dnl SunOS /usr/bin/m4 - this m4 lacks a number of desired features, +dnl including $# and $@, defn(), m4exit(), m4wrap(), pushdef(), +dnl popdef(). /usr/5bin/m4 is a SysV style m4 which should always be +dnl available, and "configure" will reject /usr/bin/m4 in favour of +dnl /usr/5bin/m4 (if necessary). +dnl +dnl The sparc code actually has modest m4 requirements currently and +dnl could manage with /usr/bin/m4, but there's no reason to put our +dnl macros through contortions when /usr/5bin/m4 is available or GNU +dnl m4 can be installed. + + + + +dnl -------------------------------------------------------------------------- +dnl Basic error handling things. 
+ + +dnl Usage: m4_dollarhash_1_if_noparen_p +dnl +dnl Expand to 1 if a call "foo" gives $# set to 1 (as opposed to 0 like GNU +dnl and SysV m4 give). + +define(m4_dollarhash_1_if_noparen_test,`$#') +define(m4_dollarhash_1_if_noparen_p, +eval(m4_dollarhash_1_if_noparen_test==1)) +undefine(`m4_dollarhash_1_if_noparen_test') + +define(m4_error, +`errprint($@ +)m4exit(1)') + +dnl Usage: m4_assert_numargs(num) +dnl +dnl Put this unquoted on a line on its own at the start of a macro +dnl definition to add some code to check that num many arguments get passed +dnl to the macro. For example, +dnl +dnl define(foo, +dnl m4_assert_numargs(2) +dnl `something `$1' and `$2' blah blah') +dnl +dnl Then a call like foo(one,two,three) will provoke an error like +dnl +dnl file:10: foo expected 2 arguments, got 3 arguments +dnl +dnl Here are some calls and how many arguments they're interpreted as passing. +dnl +dnl foo(abc,def) 2 +dnl foo(xyz) 1 +dnl foo() 0 +dnl foo -1 +dnl +dnl The -1 for no parentheses at all means a macro that's meant to be used +dnl that way can be checked with m4_assert_numargs(-1). For example, +dnl +dnl define(SPECIAL_SUFFIX, +dnl m4_assert_numargs(-1) +dnl `ifdef(`FOO',`_foo',`_bar')') +dnl +dnl But as an alternative see also deflit() below where parenthesized +dnl expressions following a macro are passed through to the output. +dnl +dnl Note that in BSD m4 there's no way to differentiate calls "foo" and +dnl "foo()", so in BSD m4 the distinction between the two isn't enforced. +dnl (In GNU and SysV m4 it can be checked, and is.) + + +dnl m4_assert_numargs is able to check its own arguments by calling +dnl assert_numargs_internal directly. +dnl +dnl m4_doublequote($`'0) expands to ``$0'', whereas ``$`'0'' would expand +dnl to `$`'0' and do the wrong thing, and likewise for $1. The same is +dnl done in other assert macros. +dnl +dnl $`#' leaves $# in the new macro being defined, and stops # being +dnl interpreted as a comment character. 
+dnl +dnl `dnl ' means an explicit dnl isn't necessary when m4_assert_numargs is +dnl used. The space means that if there is a dnl it'll still work. + +dnl Usage: m4_doublequote(x) expands to ``x'' +define(m4_doublequote, +`m4_assert_numargs_internal(`$0',1,$#,len(`$1'))``$1''') + +define(m4_assert_numargs, +`m4_assert_numargs_internal(`$0',1,$#,len(`$1'))dnl +`m4_assert_numargs_internal'(m4_doublequote($`'0),$1,$`#',`len'(m4_doublequote($`'1)))`dnl '') + +dnl Called: m4_assert_numargs_internal(`macroname',wantargs,$#,len(`$1')) +define(m4_assert_numargs_internal, +`m4_assert_numargs_internal_check(`$1',`$2',m4_numargs_count(`$3',`$4'))') + +dnl Called: m4_assert_numargs_internal_check(`macroname',wantargs,gotargs) +dnl +dnl If m4_dollarhash_1_if_noparen_p (BSD m4) then gotargs can be 0 when it +dnl should be -1. If wantargs is -1 but gotargs is 0 and the two can't be +dnl distinguished then it's allowed to pass. +dnl +define(m4_assert_numargs_internal_check, +`ifelse(eval($2 == $3 + || ($2==-1 && $3==0 && m4_dollarhash_1_if_noparen_p)),0, +`m4_error(`$1 expected 'm4_Narguments(`$2')`, got 'm4_Narguments(`$3') +)')') + +dnl Called: m4_numargs_count($#,len(`$1')) +dnl If $#==0 then -1 args, if $#==1 but len(`$1')==0 then 0 args, otherwise +dnl $# args. +define(m4_numargs_count, +`ifelse($1,0, -1, +`ifelse(eval($1==1 && $2-0==0),1, 0, $1)')') + +dnl Usage: m4_Narguments(N) +dnl "$1 argument" or "$1 arguments" with the plural according to $1. +define(m4_Narguments, +`$1 argument`'ifelse(`$1',1,,s)') + + +dnl -------------------------------------------------------------------------- +dnl Additional error checking things. + + +dnl Usage: m4_assert_onearg() +dnl +dnl Put this, unquoted, at the start of a macro definition to add some code +dnl to check that one argument is passed to the macro, but with that +dnl argument allowed to be empty. 
For example, +dnl +dnl define(foo, +dnl m4_assert_onearg() +dnl `blah blah $1 blah blah') +dnl +dnl Calls "foo(xyz)" or "foo()" are accepted. A call "foo(xyz,abc)" fails. +dnl A call "foo" fails too, but BSD m4 can't detect this case (GNU and SysV +dnl m4 can). + +define(m4_assert_onearg, +m4_assert_numargs(0) +`m4_assert_onearg_internal'(m4_doublequote($`'0),$`#')`dnl ') + +dnl Called: m4_assert_onearg(`macroname',$#) +define(m4_assert_onearg_internal, +`ifelse($2,1,, +`m4_error(`$1 expected 1 argument, got 'm4_Narguments(`$2') +)')') + + + +dnl -------------------------------------------------------------------------- +dnl Various generic m4 things. + + +dnl Usage: m4_unquote(macro) +dnl +dnl Allow the argument text to be re-evaluated. This is useful for "token +dnl pasting" like m4_unquote(foo`'bar). + +define(m4_unquote, +m4_assert_onearg() +`$1') + + +dnl Usage: m4_length(string) +dnl +dnl Determine the length of a string. This is the same as len(), but +dnl always expands to a number, working around the BSD len() which +dnl evaluates to nothing given an empty argument. + +define(m4_length, +m4_assert_onearg() +`eval(len(`$1')-0)') + + + +dnl Usage: m4_incr_or_decr(n,last) +dnl +dnl Do an incr(n) or decr(n), whichever is in the direction of "last". +dnl Both n and last must be numbers of course. + +define(m4_incr_or_decr, +m4_assert_numargs(2) +`ifelse(eval($1<$2),1,incr($1),decr($1))') + + +dnl Usage: forloop(i, first, last, statement) +dnl +dnl Based on GNU m4 examples/forloop.m4, but extended. +dnl +dnl statement is expanded repeatedly, with i successively defined as +dnl +dnl first, first+1, ..., last-1, last +dnl +dnl Or if first > last, then it's +dnl +dnl first, first-1, ..., last+1, last +dnl +dnl If first == last, then one expansion is done. +dnl +dnl A pushdef/popdef of i is done to preserve any previous definition (or +dnl lack of definition). first and last are eval()ed and so can be +dnl expressions. 
+dnl +dnl forloop_first is defined to 1 on the first iteration, 0 on the rest. +dnl forloop_last is defined to 1 on the last iteration, 0 on the others. +dnl Nested forloops are allowed, in which case forloop_first and +dnl forloop_last apply to the innermost loop that's open. +dnl +dnl A simple example, +dnl +dnl forloop(i, 1, 2*2+1, `dnl +dnl iteration number i ... ifelse(forloop_first,1,FIRST) +dnl ') + + +dnl "i" and "statement" are carefully quoted, but "first" and "last" are +dnl just plain numbers once eval()ed. + +define(`forloop', +m4_assert_numargs(4) +`pushdef(`$1',eval(`$2'))dnl +pushdef(`forloop_first',1)dnl +pushdef(`forloop_last',0)dnl +forloop_internal(`$1',eval(`$3'),`$4')`'dnl +popdef(`forloop_first')dnl +popdef(`forloop_last')dnl +popdef(`$1')') + +dnl Called: forloop_internal(`var',last,statement) +define(`forloop_internal', +m4_assert_numargs(3) +`ifelse($1,$2, +`define(`forloop_last',1)$3', +`$3`'dnl +define(`forloop_first',0)dnl +define(`$1',m4_incr_or_decr($1,$2))dnl +forloop_internal(`$1',$2,`$3')')') + +dnl Usage: deflit(name,value) +dnl +dnl Like define(), but "name" expands like a literal, rather than taking +dnl arguments. For example "name(%eax)" expands to "value(%eax)". +dnl +dnl Limitations: +dnl +dnl $ characters in the value part must have quotes to stop them looking +dnl like macro parameters. For example, deflit(reg,`123+$`'4+567'). See +dnl defreg() below for handling simple register definitions like $7 etc. +dnl +dnl "name()" is turned into "name", unfortunately. In GNU and SysV m4 an +dnl error is generated when this happens, but in BSD m4 it will happen +dnl silently. The problem is that in BSD m4 $# is 1 in both "name" or +dnl "name()", so there's no way to differentiate them. Because we want +dnl plain "name" to turn into plain "value", we end up with "name()" +dnl turning into plain "value" too. 
+dnl +dnl "name(foo)" will lose any whitespace after commas in "foo", for example +dnl "disp(%eax, %ecx)" would become "128(%eax,%ecx)". +dnl +dnl These parentheses oddities shouldn't matter in assembler text, but if +dnl they do the suggested workaround is to write "name ()" or "name (foo)" +dnl to stop the parentheses looking like a macro argument list. If a space +dnl isn't acceptable in the output, then write "name`'()" or "name`'(foo)". +dnl The `' is stripped when read, but again stops the parentheses looking +dnl like parameters. + +dnl Quoting for deflit_emptyargcheck is similar to m4_assert_numargs. The +dnl stuff in the ifelse gives a $#, $1 and $@ evaluated in the new macro +dnl created, not in deflit. +define(deflit, +m4_assert_numargs(2) +`define(`$1', +`deflit_emptyargcheck'(``$1'',$`#',m4_doublequote($`'1))`dnl +$2`'dnl +ifelse(eval($'`#>1 || m4_length('m4_doublequote($`'1)`)!=0),1,($'`@))')') + +dnl Called: deflit_emptyargcheck(macroname,$#,`$1') +define(deflit_emptyargcheck, +`ifelse(eval($2==1 && !m4_dollarhash_1_if_noparen_p && m4_length(`$3')==0),1, +`m4_error(`dont use a deflit as $1() because it loses the brackets (see deflit in asm-defs.m4 for more information) +')')') + + +divert`'dnl diff -Nru nettle-3.4.1/Makefile.in nettle-3.7.3/Makefile.in --- nettle-3.4.1/Makefile.in 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/Makefile.in 2021-06-06 20:06:29.000000000 +0000 @@ -17,6 +17,8 @@ OPT_NETTLE_SOURCES = @OPT_NETTLE_SOURCES@ +FAT_TEST_LIST = @FAT_TEST_LIST@ + SUBDIRS = tools testsuite examples include config.make 
@@ -34,10 +36,7 @@ internal_SOURCES = nettle-internal.c internal_TARGETS = $(internal_SOURCES:.c=.$(OBJEXT)) -TARGETS = aesdata$(EXEEXT_FOR_BUILD) desdata$(EXEEXT_FOR_BUILD) \ - twofishdata$(EXEEXT_FOR_BUILD) shadata$(EXEEXT_FOR_BUILD) \ - gcmdata$(EXEEXT_FOR_BUILD) \ - $(getopt_TARGETS) $(internal_TARGETS) \ +TARGETS = $(getopt_TARGETS) $(internal_TARGETS) \ $(LIBTARGETS) $(SHLIBTARGETS) DOCTARGETS = @IF_DOCUMENTATION@ nettle.info nettle.html nettle.pdf @@ -58,6 +57,16 @@ check-here: true +# Tries different settings of NETTLE_FAT_OVERRIDE. Note that this +# requires that corresponding processor features are available on the +# test machine. +check-fat: + [ -z "$(FAT_TEST_LIST)" ] || \ + set -e; cd testsuite && for f in $(FAT_TEST_LIST) ; do \ + echo NETTLE_FAT_OVERRIDE=$$f ; \ + NETTLE_FAT_OVERRIDE=$$f $(MAKE) check ; \ + done + # FIXME: Remove. These targets aren't supported, but they are expected by the # automake generated Makefiles in the lsh build. dvi installcheck uninstallcheck: @@ -76,7 +85,7 @@ aes256-set-encrypt-key.c aes256-set-decrypt-key.c \ aes256-meta.c \ arcfour.c arcfour-crypt.c \ - arctwo.c arctwo-meta.c blowfish.c \ + arctwo.c arctwo-meta.c blowfish.c blowfish-bcrypt.c \ base16-encode.c base16-decode.c base16-meta.c \ base64-encode.c base64-decode.c base64-meta.c \ base64url-encode.c base64url-decode.c base64url-meta.c \ @@ -92,11 +101,12 @@ camellia256-meta.c \ cast128.c cast128-meta.c cbc.c \ ccm.c ccm-aes128.c ccm-aes192.c ccm-aes256.c cfb.c \ + siv-cmac.c siv-cmac-aes128.c siv-cmac-aes256.c \ cnd-memcpy.c \ chacha-crypt.c chacha-core-internal.c \ chacha-poly1305.c chacha-poly1305-meta.c \ chacha-set-key.c chacha-set-nonce.c \ - ctr.c des.c des3.c des-compat.c \ + ctr.c ctr16.c des.c des3.c \ eax.c eax-aes128.c eax-aes128-meta.c \ gcm.c gcm-aes.c \ gcm-aes128.c gcm-aes128-meta.c \ 
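Review bot: In the new `check-fat` recipe the `||` guards only `set -e`, so with an empty FAT_TEST_LIST the `cd testsuite && for f in ; do ... done` part still runs (harmlessly, because the loop is empty), and with a non-empty list `set -e` takes effect for the loop only because the `;` keeps it in the same shell; the guard does not express what the comment says. Grouping the body makes the intent explicit: `[ -z "$(FAT_TEST_LIST)" ] || { set -e; cd testsuite && for f in $(FAT_TEST_LIST) ; do \` ... `done; }`. The comment could also note that a failing `make check` for one override aborts the loop (that is what `set -e` buys here), since the first failing implementation is the useful signal. The other hunks on this line are source-list changes.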
@@ -104,21 +114,28 @@ gcm-aes256.c gcm-aes256-meta.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ - gosthash94.c gosthash94-meta.c \ - hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ - hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ + cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \ + cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \ + gost28147.c gosthash94.c gosthash94-meta.c \ + hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \ + hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \ + hmac-sha512.c hmac-streebog.c \ + hmac-md5-meta.c hmac-ripemd160-meta.c hmac-sha1-meta.c \ + hmac-sha224-meta.c hmac-sha256-meta.c hmac-sha384-meta.c \ + hmac-sha512-meta.c hmac-streebog-meta.c \ knuth-lfib.c hkdf.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compress.c md5-compat.c md5-meta.c \ memeql-sec.c memxor.c memxor3.c \ nettle-lookup-hash.c \ nettle-meta-aeads.c nettle-meta-armors.c \ - nettle-meta-ciphers.c nettle-meta-hashes.c \ - pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \ + nettle-meta-ciphers.c nettle-meta-hashes.c nettle-meta-macs.c \ + pbkdf2.c pbkdf2-hmac-gosthash94.c pbkdf2-hmac-sha1.c \ + pbkdf2-hmac-sha256.c pbkdf2-hmac-sha384.c pbkdf2-hmac-sha512.c \ poly1305-aes.c poly1305-internal.c \ realloc.c \ ripemd160.c ripemd160-compress.c ripemd160-meta.c \ - salsa20-core-internal.c \ + salsa20-core-internal.c salsa20-crypt-internal.c \ salsa20-crypt.c salsa20r12-crypt.c salsa20-set-key.c \ salsa20-set-nonce.c \ salsa20-128-set-key.c salsa20-256-set-key.c \ 
@@ -128,16 +145,19 @@ sha512-224-meta.c sha512-256-meta.c \ sha3.c sha3-permute.c \ sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \ - sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c\ + sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c \ + shake256.c \ serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \ serpent-meta.c \ + streebog.c streebog-meta.c \ twofish.c twofish-meta.c \ umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \ umac-poly64.c umac-poly128.c umac-set-key.c \ umac32.c umac64.c umac96.c umac128.c \ version.c \ write-be32.c write-le32.c write-le64.c \ - yarrow256.c yarrow_key_event.c + yarrow256.c yarrow_key_event.c \ + xts.c xts-aes128.c xts-aes256.c hogweed_SOURCES = sexp.c sexp-format.c \ sexp-transport.c sexp-transport-format.c \ 
@@ -172,33 +192,42 @@ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ - ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c \ + ecc-curve25519.c ecc-curve448.c \ + ecc-gost-gc256b.c ecc-gost-gc512a.c \ + ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ + ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ ecc-eh-to-a.c \ ecc-dup-eh.c ecc-add-eh.c ecc-add-ehh.c \ - ecc-mul-g-eh.c ecc-mul-a-eh.c \ + ecc-dup-th.c ecc-add-th.c ecc-add-thh.c \ + ecc-mul-g-eh.c ecc-mul-a-eh.c ecc-mul-m.c \ ecc-mul-g.c ecc-mul-a.c ecc-hash.c ecc-random.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ + ecc-gostdsa-sign.c gostdsa-sign.c \ + ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ + curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c \ - ed25519-sha512-pubkey.c \ - ed25519-sha512-sign.c ed25519-sha512-verify.c + ed25519-sha512.c ed25519-sha512-pubkey.c \ + ed25519-sha512-sign.c ed25519-sha512-verify.c \ + ed448-shake256.c ed448-shake256-pubkey.c \ + ed448-shake256-sign.c ed448-shake256-verify.c -OPT_SOURCES = fat-x86_64.c fat-arm.c mini-gmp.c +OPT_SOURCES = fat-arm.c fat-ppc.c fat-x86_64.c mini-gmp.c HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ base16.h base64.h bignum.h buffer.h camellia.h cast128.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ - curve25519.h des.h des-compat.h dsa.h dsa-compat.h eax.h \ + curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ - gcm.h gosthash94.h hmac.h \ + gcm.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ + cmac.h siv-cmac.h \ md2.h md4.h \ md5.h md5-compat.h \ memops.h 
memxor.h \ @@ -206,10 +235,10 @@ pbkdf2.h \ pgp.h pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \ salsa20.h sexp.h \ - serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \ - umac.h yarrow.h poly1305.h + serpent.h sha.h sha1.h sha2.h sha3.h streebog.h twofish.h \ + umac.h yarrow.h xts.h poly1305.h -INSTALL_HEADERS = $(HEADERS) nettle-stdint.h version.h @IF_MINI_GMP@ mini-gmp.h +INSTALL_HEADERS = $(HEADERS) version.h @IF_MINI_GMP@ mini-gmp.h SOURCES = $(nettle_SOURCES) $(hogweed_SOURCES) \ $(getopt_SOURCES) $(internal_SOURCES) \ @@ -226,15 +255,19 @@ config.guess config.sub install-sh texinfo.tex \ config.h.in config.m4.in config.make.in Makefile.in \ README CONTRIBUTING.md AUTHORS COPYING.LESSERv3 COPYINGv2 COPYINGv3 \ - INSTALL NEWS TODO ChangeLog \ + INSTALL NEWS ChangeLog \ nettle.pc.in hogweed.pc.in \ - $(des_headers) descore.README \ - aes-internal.h camellia-internal.h serpent-internal.h \ - cast128_sboxes.h desinfo.h desCode.h \ + desdata.stamp $(des_headers) descore.README \ + aes-internal.h block-internal.h blowfish-internal.h camellia-internal.h \ + gcm-internal.h gost28147-internal.h poly1305-internal.h \ + serpent-internal.h cast128_sboxes.h desinfo.h desCode.h \ + ripemd160-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h nettle-write.h \ - rsa-internal.h \ + ctr-internal.h chacha-internal.h sha3-internal.h \ + salsa20-internal.h umac-internal.h hogweed-internal.h \ + rsa-internal.h pkcs1-internal.h dsa-internal.h eddsa-internal.h \ gmp-glue.h ecc-internal.h fat-setup.h \ - mini-gmp.h asm.m4 \ + mini-gmp.h asm.m4 m4-utils.m4 \ nettle.texinfo nettle.info nettle.html nettle.pdf sha-example.c # Rules building static libraries @@ -256,7 +289,11 @@ $(RANLIB) $@ echo hogweed > libhogweed.stamp -.c.$(OBJEXT): +%.$(OBJEXT): %.asm $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4 + $(M4) $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4 $< >$*.s + $(COMPILE) -c $*.s + +%.$(OBJEXT): %.c $(COMPILE) -c $< \ && $(DEP_PROCESS) 
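Review bot: The `%.$(OBJEXT): %.asm` and `%.$(OBJEXT): %.c` rules in the last hunk on this line replace suffix rules with GNU make pattern rules, and the `%$(EXEEXT_FOR_BUILD): %.c` and texinfo rules in later hunks do the same; the comment removed in the next hunk was the only place that said why explicit rules were kept for Solaris and BSD make, so the new hard requirement on GNU make should be stated in the build documentation shipped in the dist list rather than left implicit. A short comment above the new rule, `# Pattern rules: GNU make is required.`, would help whoever next hits a BSD make failure. Separately, `des-compat.h` is dropped from HEADERS in the hunk that begins on the previous line (with `des-compat.c` removed from the sources earlier), which is a public-API removal and presumably appears in NEWS — worth confirming.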
@@ -283,32 +320,12 @@ && $(LN_S) $(LIBHOGWEED_FORLINK) $(LIBHOGWEED_SONAME) ; } ) echo hogweed > libhogweed.stamp -# For Solaris and BSD make, we have to use an explicit rule for each -# executable. Avoid object file targets to make it easy to run the -# right compiler. -aesdata$(EXEEXT_FOR_BUILD): aesdata.c - $(CC_FOR_BUILD) `test -f aesdata.c || echo '$(srcdir)/'`aesdata.c \ - -o aesdata$(EXEEXT_FOR_BUILD) - -desdata$(EXEEXT_FOR_BUILD): desdata.c - $(CC_FOR_BUILD) `test -f desdata.c || echo '$(srcdir)/'`desdata.c \ - -o desdata$(EXEEXT_FOR_BUILD) - -twofishdata$(EXEEXT_FOR_BUILD): twofishdata.c - $(CC_FOR_BUILD) `test -f twofishdata.c || echo '$(srcdir)/'`twofishdata.c \ - -o twofishdata$(EXEEXT_FOR_BUILD) - -shadata$(EXEEXT_FOR_BUILD): shadata.c - $(CC_FOR_BUILD) `test -f shadata.c || echo '$(srcdir)/'`shadata.c -lm \ - -o shadata$(EXEEXT_FOR_BUILD) - -gcmdata$(EXEEXT_FOR_BUILD): gcmdata.c - $(CC_FOR_BUILD) `test -f gcmdata.c || echo '$(srcdir)/'`gcmdata.c \ - -o gcmdata$(EXEEXT_FOR_BUILD) - -eccdata$(EXEEXT_FOR_BUILD): eccdata.c mini-gmp.c mini-gmp.h - $(CC_FOR_BUILD) `test -f eccdata.c || echo '$(srcdir)/'`eccdata.c \ - -o eccdata$(EXEEXT_FOR_BUILD) +# For building the various *data.c programs. -lm needed for shadata. +%$(EXEEXT_FOR_BUILD): %.c + $(CC_FOR_BUILD) $< -lm -o $@ + +# Explicit dependency. +eccdata$(EXEEXT_FOR_BUILD): mini-gmp.c mini-gmp.h # desCore rules # It seems using $(srcdir)/ doesn't work with GNU make 3.79.1 
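Review bot: The replacement rule `%$(EXEEXT_FOR_BUILD): %.c` collapses to `%: %.c` whenever EXEEXT_FOR_BUILD is empty (the usual case on Unix), so it matches every `.c` in the tree, overrides GNU make's built-in rule of the same shape, and an accidental `make des` would build des.c with the build compiler and `-lm`. Since the comment says the rule exists for the `*data.c` programs, a static pattern rule restricted to them keeps that intent enforceable, e.g. `DATA_PROGRAMS = aesdata$(EXEEXT_FOR_BUILD) desdata$(EXEEXT_FOR_BUILD) ...` followed by `$(DATA_PROGRAMS): %$(EXEEXT_FOR_BUILD): %.c`. The explicit `eccdata$(EXEEXT_FOR_BUILD): mini-gmp.c mini-gmp.h` dependency would then stay as is.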
@@ -316,93 +333,118 @@ des_headers = rotors.h keymap.h # Generate DES headers. -$(des_headers): desdata.c - $(MAKE) desdata$(EXEEXT_FOR_BUILD) +$(des_headers): desdata.stamp f="$(srcdir)/`basename $@`"; \ ./desdata$(EXEEXT_FOR_BUILD) $(@F) > $${f}T; \ test -s $${f}T && mv -f $${f}T $$f +desdata.stamp: desdata.c + $(MAKE) desdata$(EXEEXT_FOR_BUILD) + echo stamp > desdata.stamp + des.$(OBJEXT): des.c des.h $(des_headers) -# Generate ECC files. -# Some possible choices for 192: -# k = 15, c = 4, 64 entries, ~3 KB -# k = 20, c = 6, 128 entries, ~6 KB -# k = 10, c = 6, 256 entries, ~12 KB -# k = 7, c = 6, 320 entries, ~15 KB -# k = 9, c = 7, 512 entries, ~24 KB -ecc-192.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 192 7 6 $(NUMB_BITS) > $@T && mv $@T $@ -# Some possible choices for 224: -# k = 18, c = 4, 64 entries, ~4 KB -# k = 24, c = 6, 128 entries, ~8 KB -# k = 12, c = 6, 256 entries, ~16 KB -# k = 8, c = 6, 320 entries, ~20 KB -# k = 10, c = 7, 512 entries, ~32 KB -ecc-224.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 224 12 6 $(NUMB_BITS) > $@T && mv $@T $@ -# Some possible choices for 256: -# k = 20, c = 4, 64 entries, ~4 KB -# k = 27, c = 6, 128 entries, ~8 KB -# k = 14, c = 6, 256 entries, ~16 KB -# k = 9, c = 6, 320 entries, ~20 KB -# k = 12, c = 7, 512 entries, ~32 KB -ecc-256.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 256 14 6 $(NUMB_BITS) > $@T && mv $@T $@ -# Some possible choices for 384: -# k = 31, c = 4, 64 entries, ~6 KB -# k = 41, c = 6, 128 entries, ~12 KB -# k = 20, c = 6, 256 entries, ~24 KB -# k = 14, c = 6, 320 entries, ~30 KB -# k = 18, c = 7, 512 entries, ~48 KB -ecc-384.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 384 41 6 $(NUMB_BITS) > $@T && mv $@T $@ -# Some possible choices for 521: -# k = 42, c = 4, 64 entries, ~9 KB -# k = 56, c = 6, 128 entries, ~18 KB -# k = 28, c = 6, 256 entries, ~35 KB -# k = 19, c = 6, 320 entries, ~44 KB -# k = 24, c = 7, 512 entries, ~70 KB -ecc-521.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 
521 56 6 $(NUMB_BITS) > $@T && mv $@T $@ +# Generate ECC files, with roughly 16 KB of tables per curve. -ecc-25519.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 255 14 6 $(NUMB_BITS) > $@T && mv $@T $@ +# Some reasonable choices for 192: +# k = 8, c = 6, S = 256, T = 40 ( 32 A + 8 D) 12 KB +# k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB +# k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB +# k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB +ecc-secp192r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 224: +# k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB +# k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB +# k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB +# k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB +ecc-secp224r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 256: +# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB +# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB +# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB +# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB +ecc-secp256r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 384: +# k = 16, c = 6, S = 256, T = 80 ( 64 A + 16 D) 24 KB +# k = 28, c = 7, S = 256, T = 84 ( 56 A + 28 D) 24 KB +# k = 11, c = 5, S = 224, T = 88 ( 77 A + 11 D) 21 KB +# k = 22, c = 6, S = 192, T = 88 ( 66 A + 22 D) 18 KB +# k = 13, c = 5, S = 192, T = 91 ( 78 A + 13 D) 18 KB +# k = 16, c = 5, S = 160, T = 96 ( 80 A + 16 D) 15 KB +# k = 32, c = 6, S = 128, T = 96 ( 64 A + 32 D) 12 KB +ecc-secp384r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp384r1 32 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 521: +# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) ~27 KB +# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) ~23 KB +# k = 44, c 
= 6, S = 128, T = 132 ( 88 A + 44 D) ~18 KB +# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) ~14 KB +ecc-secp521r1.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) secp521r1 44 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Parameter choices mostly the same as for ecc-secp256r1.h. +ecc-curve25519.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) curve25519 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + +ecc-curve448.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 256: +# k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB +# k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB +# k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB +# k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB +ecc-gost-gc256b.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ + +# Some reasonable choices for 512: +# k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB +# k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB +# k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) 20 KB +# k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) 16 KB +# k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) 12 KB +ecc-gost-gc512a.h: eccdata.stamp + ./eccdata$(EXEEXT_FOR_BUILD) gost_gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@ eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp -ecc-192.$(OBJEXT): ecc-192.h -ecc-224.$(OBJEXT): ecc-224.h -ecc-256.$(OBJEXT): ecc-256.h -ecc-384.$(OBJEXT): ecc-384.h -ecc-521.$(OBJEXT): ecc-521.h -ecc-25519.$(OBJEXT): ecc-25519.h - -.asm.$(OBJEXT): $(srcdir)/asm.m4 machine.m4 config.m4 - $(M4) $(srcdir)/asm.m4 machine.m4 config.m4 $< >$*.s - $(COMPILE) -c $*.s - @echo "$@ : $< $(srcdir)/asm.m4 machine.m4 config.m4" >$@.d +ecc-curve25519.$(OBJEXT): ecc-curve25519.h +ecc-curve448.$(OBJEXT): ecc-curve448.h +ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h +ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h +ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h 
+ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h +ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h +ecc-secp384r1.$(OBJEXT): ecc-secp384r1.h +ecc-secp521r1.$(OBJEXT): ecc-secp521r1.h # Texinfo rules -.texinfo.info: +%.info: %.texinfo cd $(srcdir) && $(MAKEINFO) --output $@ `basename "$<"` -.texinfo.html: +%.html: %.texinfo cd $(srcdir) && $(MAKEINFO) --html --no-split \ --output $@T `basename "$<"` \ && test -s $@T && mv -f $@T $@ -.texinfo.dvi: +%.dvi: %.texinfo cd $(srcdir) && texi2dvi -b `basename "$<"` -.dvi.ps: +%.ps: %.dvi cd $(srcdir) && dvips -Ppdf -G0 -o `basename "$<" .dvi`.ps `basename "$<"` # Avoid rebuilding .dvi and .ps files when the .texinfo source is unchanged. PS2PDFFLAGS=-dCompatibilityLevel=1.3 -dMAxSubsetPct=100 -dSubsetFonts=true -dEmbedAllFonts=true -.texinfo.pdf: +%.pdf: %.texinfo $(MAKE) `basename "$<" .texinfo`.ps cd $(srcdir) && ps2pdf $(PS2PDFFLAGS) `basename "$<" .texinfo`.ps @@ -572,10 +614,11 @@ fi ; \ done set -e; for d in sparc32 sparc64 x86 \ - x86_64 x86_64/aesni x86_64/fat \ - arm arm/neon arm/v6 arm/fat ; do \ + x86_64 x86_64/aesni x86_64/sha_ni x86_64/fat \ + arm arm/neon arm/v6 arm/fat \ + powerpc64 powerpc64/p7 powerpc64/p8 powerpc64/fat ; do \ mkdir "$(distdir)/$$d" ; \ - find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' ')' \ + find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' -o -name README ')' \ -exec cp '{}' "$(distdir)/$$d" ';' ; \ done set -e; for d in $(SUBDIRS); do \ 
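Review bot: `ecc-curve448.h` is generated with `curve448 38 6` but, unlike every other curve in the hunk that starts three lines back, it carries no comment listing the (k, c, S, T, size) alternatives or why k = 38 was picked; the `# Parameter choices mostly the same as for ecc-secp256r1.h.` line above it reads as applying to curve25519 only. Add the same table format for curve448, or at minimum `# curve448: k = 38, c = 6 — table size in line with the other curves; see eccdata for the alternatives.` The `# Some reasonable choices for 256:` block is repeated verbatim for `ecc-gost-gc256b.h`; a one-line `# Same choices as for 256 above.` avoids two copies drifting apart. The dist-directory hunk that follows on this line is a list change only.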
@@ -630,14 +673,22 @@ $(rm_distcheck) clean-here: - -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ - ecc-192.h ecc-224.h ecc-256.h ecc-384.h ecc-521.h ecc-25519.h \ + -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \ + ecc-curve25519.h ecc-curve448.h \ + ecc-gost-gc256b.h ecc-gost-gc512a.h \ + ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ + ecc-secp384r1.h ecc-secp521r1.h \ + aesdata$(EXEEXT_FOR_BUILD) \ + desdata$(EXEEXT_FOR_BUILD) \ + twofishdata$(EXEEXT_FOR_BUILD) \ + shadata$(EXEEXT_FOR_BUILD) \ + gcmdata$(EXEEXT_FOR_BUILD) \ eccdata$(EXEEXT_FOR_BUILD) eccdata.stamp -rm -rf .lib libnettle.stamp libhogweed.stamp distclean-here: clean-here -rm -f config.h stamp-h config.log config.status machine.m4 \ - config.make config.m4 Makefile nettle-stdint.h version.h \ + config.make config.m4 Makefile version.h \ nettle.pc hogweed.pc libnettle.map libhogweed.map \ *.asm *.d @@ -648,4 +699,4 @@ etags -o $(srcdir)/TAGS $(srcdir)/*.c $(srcdir)/*.h DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) -@DEP_INCLUDE@ $(DEP_FILES) +-include $(DEP_FILES) diff -Nru nettle-3.4.1/md2.h nettle-3.7.3/md2.h --- nettle-3.4.1/md2.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/md2.h 2021-06-06 20:06:29.000000000 +0000 @@ -54,8 +54,8 @@ { uint8_t C[MD2_BLOCK_SIZE]; uint8_t X[3 * MD2_BLOCK_SIZE]; - uint8_t block[MD2_BLOCK_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ + uint8_t block[MD2_BLOCK_SIZE]; /* Block buffer */ }; void diff -Nru nettle-3.4.1/md4.h nettle-3.7.3/md4.h --- nettle-3.4.1/md4.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/md4.h 2021-06-06 20:06:29.000000000 +0000 
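Review bot: Swapping `block` and `index` in `struct md2_ctx` changes the offset of both members, so anything compiled against the 3.4.1 header that embeds the context by value or reads `index` through it breaks at run time rather than at compile time; md4.h and md5.h on the next line make the same swap. Presumably this rides on a library soname change elsewhere in the release, but nothing in these hunks records the ABI break. A one-line comment on the struct would make it discoverable, e.g. `/* Member order changed after 3.4.1 (index before block); not layout-compatible with older builds. */`.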
@@ -58,8 +58,8 @@ { uint32_t state[_MD4_DIGEST_LENGTH]; uint64_t count; /* Block count */ - uint8_t block[MD4_BLOCK_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ + uint8_t block[MD4_BLOCK_SIZE]; /* Block buffer */ }; void diff -Nru nettle-3.4.1/md5.c nettle-3.7.3/md5.c --- nettle-3.4.1/md5.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/md5.c 2021-06-06 20:06:29.000000000 +0000 @@ -61,7 +61,7 @@ ctx->index = 0; } -#define COMPRESS(ctx, data) (_nettle_md5_compress((ctx)->state, (data))) +#define COMPRESS(ctx, data) (nettle_md5_compress((ctx)->state, (data))) void md5_update(struct md5_ctx *ctx, @@ -86,7 +86,7 @@ bit_count = (ctx->count << 9) | (ctx->index << 3); LE_WRITE_UINT64(ctx->block + (MD5_BLOCK_SIZE - 8), bit_count); - _nettle_md5_compress(ctx->state, ctx->block); + nettle_md5_compress(ctx->state, ctx->block); _nettle_write_le32(length, digest, ctx->state); md5_init(ctx); diff -Nru nettle-3.4.1/md5-compress.c nettle-3.7.3/md5-compress.c --- nettle-3.4.1/md5-compress.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/md5-compress.c 2021-06-06 20:06:29.000000000 +0000 @@ -79,7 +79,7 @@ * (_MD5_DIGEST_LENGTH) words. */ void -_nettle_md5_compress(uint32_t *digest, const uint8_t *input) +nettle_md5_compress(uint32_t *digest, const uint8_t *input) { uint32_t data[MD5_DATA_LENGTH]; uint32_t a, b, c, d; diff -Nru nettle-3.4.1/md5.h nettle-3.7.3/md5.h --- nettle-3.4.1/md5.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/md5.h 2021-06-06 20:06:29.000000000 +0000 @@ -57,8 +57,8 @@ { uint32_t state[_MD5_DIGEST_LENGTH]; uint64_t count; /* Block count */ - uint8_t block[MD5_BLOCK_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ + uint8_t block[MD5_BLOCK_SIZE]; /* Block buffer */ }; void 
@@ -77,7 +77,9 @@ /* Internal compression function. STATE points to 4 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void -_nettle_md5_compress(uint32_t *state, const uint8_t *data); +nettle_md5_compress(uint32_t *state, const uint8_t *data); + +#define _nettle_md5_compress nettle_md5_compress #ifdef __cplusplus } diff -Nru nettle-3.4.1/mini-gmp.c nettle-3.7.3/mini-gmp.c --- nettle-3.4.1/mini-gmp.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/mini-gmp.c 2021-06-06 20:06:29.000000000 +0000 @@ -2,7 +2,7 @@ Contributed to the GNU project by Niels Möller -Copyright 1991-1997, 1999-2017 Free Software Foundation, Inc. +Copyright 1991-1997, 1999-2020 Free Software Foundation, Inc. This file is part of the GNU MP Library. @@ -50,11 +50,15 @@ #include "mini-gmp.h" +#if !defined(MINI_GMP_DONT_USE_FLOAT_H) +#include +#endif + /* Macros */ #define GMP_LIMB_BITS (sizeof(mp_limb_t) * CHAR_BIT) -#define GMP_LIMB_MAX (~ (mp_limb_t) 0) +#define GMP_LIMB_MAX ((mp_limb_t) ~ (mp_limb_t) 0) #define GMP_LIMB_HIGHBIT ((mp_limb_t) 1 << (GMP_LIMB_BITS - 1)) #define GMP_HLIMB_BIT ((mp_limb_t) 1 << (GMP_LIMB_BITS / 2)) @@ -71,6 +75,12 @@ #define GMP_CMP(a,b) (((a) > (b)) - ((a) < (b))) +#if defined(DBL_MANT_DIG) && FLT_RADIX == 2 +#define GMP_DBL_MANT_BITS DBL_MANT_DIG +#else +#define GMP_DBL_MANT_BITS (53) +#endif + /* Return non-zero if xp,xsize and yp,ysize overlap. If xp+xsize<=yp there's no overlap, or if yp+ysize<=xp there's no overlap. If both these are false, there's an overlap. */ 
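Review bot: The declaration comment still reads `Internal compression function`, yet the rename to `nettle_md5_compress` drops the leading underscore that marked it as internal, and the `#define _nettle_md5_compress nettle_md5_compress` alias carries no explanation of why it exists or how long it stays. The matching rename of the definition and its callers is on the previous line (md5.c, md5-compress.c). I'd put a comment on the alias, e.g. `/* Source-compatibility alias for the old underscored name; new code should call nettle_md5_compress. */`, and drop or reword `Internal` on the declaration.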
@@ -84,11 +94,13 @@ #define gmp_clz(count, x) do { \ mp_limb_t __clz_x = (x); \ - unsigned __clz_c; \ - for (__clz_c = 0; \ - (__clz_x & ((mp_limb_t) 0xff << (GMP_LIMB_BITS - 8))) == 0; \ - __clz_c += 8) \ - __clz_x <<= 8; \ + unsigned __clz_c = 0; \ + int LOCAL_SHIFT_BITS = 8; \ + if (GMP_LIMB_BITS > LOCAL_SHIFT_BITS) \ + for (; \ + (__clz_x & ((mp_limb_t) 0xff << (GMP_LIMB_BITS - 8))) == 0; \ + __clz_c += 8) \ + { __clz_x <<= LOCAL_SHIFT_BITS; } \ for (; (__clz_x & GMP_LIMB_HIGHBIT) == 0; __clz_c++) \ __clz_x <<= 1; \ (count) = __clz_c; \ 
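Review bot: The new `int LOCAL_SHIFT_BITS = 8;` plus the `if (GMP_LIMB_BITS > LOCAL_SHIFT_BITS)` guard in `gmp_clz` do something non-obvious without a comment: they route a shift count through a variable instead of a constant. Presumably this keeps `__clz_x <<= 8` from being a compile-time shift by the full type width when `mp_limb_t` is 8 bits wide, which a compiler may diagnose or treat as undefined, but the hunk does not say so. The same `LOCAL_*` pattern recurs uncommented in `gmp_umul_ppmm`, `mpz_set_ui`, `mpz_get_ui`, the 16-bit popcount loop and `mpz_export` later in this diff. One comment at this first use would cover them, e.g. `/* Shift count kept in a variable, not a constant: avoids a constant shift >= GMP_LIMB_BITS on narrow limb types */`.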
@@ -119,27 +131,42 @@ #define gmp_umul_ppmm(w1, w0, u, v) \ do { \ - mp_limb_t __x0, __x1, __x2, __x3; \ - unsigned __ul, __vl, __uh, __vh; \ - mp_limb_t __u = (u), __v = (v); \ + int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; \ + if (sizeof(unsigned int) * CHAR_BIT >= 2 * GMP_LIMB_BITS) \ + { \ + unsigned int __ww = (unsigned int) (u) * (v); \ + w0 = (mp_limb_t) __ww; \ + w1 = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS); \ + } \ + else if (GMP_ULONG_BITS >= 2 * GMP_LIMB_BITS) \ + { \ + unsigned long int __ww = (unsigned long int) (u) * (v); \ + w0 = (mp_limb_t) __ww; \ + w1 = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS); \ + } \ + else { \ + mp_limb_t __x0, __x1, __x2, __x3; \ + unsigned __ul, __vl, __uh, __vh; \ + mp_limb_t __u = (u), __v = (v); \ \ - __ul = __u & GMP_LLIMB_MASK; \ - __uh = __u >> (GMP_LIMB_BITS / 2); \ - __vl = __v & GMP_LLIMB_MASK; \ - __vh = __v >> (GMP_LIMB_BITS / 2); \ + __ul = __u & GMP_LLIMB_MASK; \ + __uh = __u >> (GMP_LIMB_BITS / 2); \ + __vl = __v & GMP_LLIMB_MASK; \ + __vh = __v >> (GMP_LIMB_BITS / 2); \ \ - __x0 = (mp_limb_t) __ul * __vl; \ - __x1 = (mp_limb_t) __ul * __vh; \ - __x2 = (mp_limb_t) __uh * __vl; \ - __x3 = (mp_limb_t) __uh * __vh; \ + __x0 = (mp_limb_t) __ul * __vl; \ + __x1 = (mp_limb_t) __ul * __vh; \ + __x2 = (mp_limb_t) __uh * __vl; \ + __x3 = (mp_limb_t) __uh * __vh; \ \ - __x1 += __x0 >> (GMP_LIMB_BITS / 2);/* this can't give carry */ \ - __x1 += __x2; /* but this indeed can */ \ - if (__x1 < __x2) /* did we get it? */ \ - __x3 += GMP_HLIMB_BIT; /* yes, add it in the proper pos. */ \ + __x1 += __x0 >> (GMP_LIMB_BITS / 2);/* this can't give carry */ \ + __x1 += __x2; /* but this indeed can */ \ + if (__x1 < __x2) /* did we get it? */ \ + __x3 += GMP_HLIMB_BIT; /* yes, add it in the proper pos. 
*/ \ \ - (w1) = __x3 + (__x1 >> (GMP_LIMB_BITS / 2)); \ - (w0) = (__x1 << (GMP_LIMB_BITS / 2)) + (__x0 & GMP_LLIMB_MASK); \ + (w1) = __x3 + (__x1 >> (GMP_LIMB_BITS / 2)); \ + (w0) = (__x1 << (GMP_LIMB_BITS / 2)) + (__x0 & GMP_LLIMB_MASK); \ + } \ } while (0) #define gmp_udiv_qrnnd_preinv(q, r, nh, nl, d, di) \ @@ -270,7 +297,7 @@ } static void * -gmp_default_realloc (void *old, size_t old_size, size_t new_size) +gmp_default_realloc (void *old, size_t unused_old_size, size_t new_size) { void * p; @@ -283,7 +310,7 @@ } static void -gmp_default_free (void *p, size_t size) +gmp_default_free (void *p, size_t unused_size) { free (p); } 
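Review bot: In the two new fast-path branches of `gmp_umul_ppmm` the output parameters are written unparenthesized (`w0 = (mp_limb_t) __ww;`, `w1 = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS);`), while the retained generic branch keeps `(w1) =` and `(w0) =`. Both forms work for the simple lvalues callers pass, but the macro's own convention is to parenthesize every parameter, and the inconsistency reads as an oversight. I'd write `(w0) = (mp_limb_t) __ww;` and `(w1) = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS);` in both new branches.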
@@ -743,81 +770,83 @@ mp_limb_t mpn_invert_3by2 (mp_limb_t u1, mp_limb_t u0) { - mp_limb_t r, p, m, ql; - unsigned ul, uh, qh; + mp_limb_t r, m; - assert (u1 >= GMP_LIMB_HIGHBIT); + { + mp_limb_t p, ql; + unsigned ul, uh, qh; - /* For notation, let b denote the half-limb base, so that B = b^2. - Split u1 = b uh + ul. */ - ul = u1 & GMP_LLIMB_MASK; - uh = u1 >> (GMP_LIMB_BITS / 2); + /* For notation, let b denote the half-limb base, so that B = b^2. + Split u1 = b uh + ul. */ + ul = u1 & GMP_LLIMB_MASK; + uh = u1 >> (GMP_LIMB_BITS / 2); - /* Approximation of the high half of quotient. Differs from the 2/1 - inverse of the half limb uh, since we have already subtracted - u0. */ - qh = ~u1 / uh; + /* Approximation of the high half of quotient. Differs from the 2/1 + inverse of the half limb uh, since we have already subtracted + u0. */ + qh = (u1 ^ GMP_LIMB_MAX) / uh; - /* Adjust to get a half-limb 3/2 inverse, i.e., we want + /* Adjust to get a half-limb 3/2 inverse, i.e., we want - qh' = floor( (b^3 - 1) / u) - b = floor ((b^3 - b u - 1) / u - = floor( (b (~u) + b-1) / u), + qh' = floor( (b^3 - 1) / u) - b = floor ((b^3 - b u - 1) / u + = floor( (b (~u) + b-1) / u), - and the remainder + and the remainder - r = b (~u) + b-1 - qh (b uh + ul) + r = b (~u) + b-1 - qh (b uh + ul) = b (~u - qh uh) + b-1 - qh ul - Subtraction of qh ul may underflow, which implies adjustments. - But by normalization, 2 u >= B > qh ul, so we need to adjust by - at most 2. - */ - - r = ((~u1 - (mp_limb_t) qh * uh) << (GMP_LIMB_BITS / 2)) | GMP_LLIMB_MASK; - - p = (mp_limb_t) qh * ul; - /* Adjustment steps taken from udiv_qrnnd_c */ - if (r < p) - { - qh--; - r += u1; - if (r >= u1) /* i.e. we didn't get carry when adding to r */ - if (r < p) - { - qh--; - r += u1; - } - } - r -= p; + Subtraction of qh ul may underflow, which implies adjustments. + But by normalization, 2 u >= B > qh ul, so we need to adjust by + at most 2. 
+ */ + + r = ((~u1 - (mp_limb_t) qh * uh) << (GMP_LIMB_BITS / 2)) | GMP_LLIMB_MASK; + + p = (mp_limb_t) qh * ul; + /* Adjustment steps taken from udiv_qrnnd_c */ + if (r < p) + { + qh--; + r += u1; + if (r >= u1) /* i.e. we didn't get carry when adding to r */ + if (r < p) + { + qh--; + r += u1; + } + } + r -= p; - /* Low half of the quotient is + /* Low half of the quotient is ql = floor ( (b r + b-1) / u1). - This is a 3/2 division (on half-limbs), for which qh is a - suitable inverse. */ + This is a 3/2 division (on half-limbs), for which qh is a + suitable inverse. */ - p = (r >> (GMP_LIMB_BITS / 2)) * qh + r; - /* Unlike full-limb 3/2, we can add 1 without overflow. For this to - work, it is essential that ql is a full mp_limb_t. */ - ql = (p >> (GMP_LIMB_BITS / 2)) + 1; + p = (r >> (GMP_LIMB_BITS / 2)) * qh + r; + /* Unlike full-limb 3/2, we can add 1 without overflow. For this to + work, it is essential that ql is a full mp_limb_t. */ + ql = (p >> (GMP_LIMB_BITS / 2)) + 1; - /* By the 3/2 trick, we don't need the high half limb. */ - r = (r << (GMP_LIMB_BITS / 2)) + GMP_LLIMB_MASK - ql * u1; + /* By the 3/2 trick, we don't need the high half limb. */ + r = (r << (GMP_LIMB_BITS / 2)) + GMP_LLIMB_MASK - ql * u1; - if (r >= (p << (GMP_LIMB_BITS / 2))) - { - ql--; - r += u1; - } - m = ((mp_limb_t) qh << (GMP_LIMB_BITS / 2)) + ql; - if (r >= u1) - { - m++; - r -= u1; - } + if (r >= (GMP_LIMB_MAX & (p << (GMP_LIMB_BITS / 2)))) + { + ql--; + r += u1; + } + m = ((mp_limb_t) qh << (GMP_LIMB_BITS / 2)) + ql; + if (r >= u1) + { + m++; + r -= u1; + } + } - /* Now m is the 2/1 invers of u1. If u0 > 0, adjust it to become a + /* Now m is the 2/1 inverse of u1. If u0 > 0, adjust it to become a 3/2 inverse. */ if (u0 > 0) { @@ -930,7 +959,8 @@ if (inv->shift > 0) { - tp = gmp_xalloc_limbs (nn); + /* Shift, reusing qp area if possible. In-place shift if qp == np. */ + tp = qp ? qp : gmp_xalloc_limbs (nn); r = mpn_lshift (tp, np, nn, inv->shift); np = tp; } 
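Review bot: `mpn_invert_3by2` no longer asserts `u1 >= GMP_LIMB_HIGHBIT`; the old `assert (u1 >= GMP_LIMB_HIGHBIT);` is removed and nothing in the new block replaces it. The body still depends on that normalization: the comment relies on `2 u >= B > qh ul`, and `qh = (u1 ^ GMP_LIMB_MAX) / uh;` divides by `uh`, which is zero whenever the top half of `u1` is clear. Unless the callers are known to always pass a normalized limb, I'd restore `assert (u1 >= GMP_LIMB_HIGHBIT);` as the first statement of the function, or add a comment stating why the check was dropped. The function's tail (the `u0 > 0` adjustment) continues outside this hunk.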
@@ -947,50 +977,19 @@ if (qp) qp[nn] = q; } - if (inv->shift > 0) + if ((inv->shift > 0) && (tp != qp)) gmp_free (tp); return r >> inv->shift; } -static mp_limb_t -mpn_div_qr_1 (mp_ptr qp, mp_srcptr np, mp_size_t nn, mp_limb_t d) -{ - assert (d > 0); - - /* Special case for powers of two. */ - if ((d & (d-1)) == 0) - { - mp_limb_t r = np[0] & (d-1); - if (qp) - { - if (d <= 1) - mpn_copyi (qp, np, nn); - else - { - unsigned shift; - gmp_ctz (shift, d); - mpn_rshift (qp, np, nn, shift); - } - } - return r; - } - else - { - struct gmp_div_inverse inv; - mpn_div_qr_1_invert (&inv, d); - return mpn_div_qr_1_preinv (qp, np, nn, &inv); - } -} - static void -mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn, +mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, const struct gmp_div_inverse *inv) { unsigned shift; mp_size_t i; mp_limb_t d1, d0, di, r1, r0; - mp_ptr tp; assert (nn >= 2); shift = inv->shift; @@ -999,11 +998,7 @@ di = inv->di; if (shift > 0) - { - tp = gmp_xalloc_limbs (nn); - r1 = mpn_lshift (tp, np, nn, shift); - np = tp; - } + r1 = mpn_lshift (np, np, nn, shift); else r1 = 0; @@ -1023,30 +1018,15 @@ if (shift > 0) { - assert ((r0 << (GMP_LIMB_BITS - shift)) == 0); + assert ((r0 & (GMP_LIMB_MAX >> (GMP_LIMB_BITS - shift))) == 0); r0 = (r0 >> shift) | (r1 << (GMP_LIMB_BITS - shift)); r1 >>= shift; - - gmp_free (tp); } - rp[1] = r1; - rp[0] = r0; + np[1] = r1; + np[0] = r0; } -#if 0 -static void -mpn_div_qr_2 (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn, - mp_limb_t d1, mp_limb_t d0) -{ - struct gmp_div_inverse inv; - assert (nn >= 2); - - mpn_div_qr_2_invert (&inv, d1, d0); - mpn_div_qr_2_preinv (qp, rp, np, nn, &inv); -} -#endif - static void mpn_div_qr_pi1 (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_limb_t n1, @@ -1121,7 +1101,7 @@ if (dn == 1) np[0] = mpn_div_qr_1_preinv (qp, np, nn, inv); else if (dn == 2) - mpn_div_qr_2_preinv (qp, np, np, nn, inv); + mpn_div_qr_2_preinv (qp, np, nn, inv); else { mp_limb_t nh; 
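Review bot: `mpn_div_qr_2_preinv` now takes `mp_ptr np` and the `rp` parameter is gone, but nothing documents the new in-place contract: in the follow-on hunks the numerator is shifted with `mpn_lshift (np, np, nn, shift)` and the remainder is stored back as `np[1] = r1; np[0] = r0;`, so the caller's `np` is clobbered. The one visible caller (`mpn_div_qr_2_preinv (qp, np, nn, inv)` in the later hunk) already passed `np` for both roles, so this looks intentional, but the next reader has to reconstruct it. I'd add above the definition: `/* Destroys np: it is shifted in place and np[1], np[0] receive the remainder on return. */`. The body of the function continues outside this hunk.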
@@ -1261,7 +1241,7 @@ l = w << binv->shift; gmp_udiv_qrnnd_preinv (w, r, h, l, binv->d1, binv->di); - assert ( (r << (GMP_LIMB_BITS - binv->shift)) == 0); + assert ((r & (GMP_LIMB_MAX >> (GMP_LIMB_BITS - binv->shift))) == 0); r >>= binv->shift; sp[i] = r; @@ -1429,7 +1409,7 @@ void mpz_init (mpz_t r) { - static const mp_limb_t dummy_limb = 0xc1a0; + static const mp_limb_t dummy_limb = GMP_LIMB_MAX & 0xc1a0; r->_mp_alloc = 0; r->_mp_size = 0; @@ -1487,6 +1467,12 @@ if (x >= 0) mpz_set_ui (r, x); else /* (x < 0) */ + if (GMP_LIMB_BITS < GMP_ULONG_BITS) + { + mpz_set_ui (r, GMP_NEG_CAST (unsigned long int, x)); + mpz_neg (r, r); + } + else { r->_mp_size = -1; MPZ_REALLOC (r, 1)[0] = GMP_NEG_CAST (unsigned long int, x); @@ -1500,6 +1486,15 @@ { r->_mp_size = 1; MPZ_REALLOC (r, 1)[0] = x; + if (GMP_LIMB_BITS < GMP_ULONG_BITS) + { + int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; + while (x >>= LOCAL_GMP_LIMB_BITS) + { + ++ r->_mp_size; + MPZ_REALLOC (r, r->_mp_size)[r->_mp_size - 1] = x; + } + } } else r->_mp_size = 0; @@ -1546,14 +1541,19 @@ int mpz_fits_slong_p (const mpz_t u) { - mp_size_t us = u->_mp_size; + return mpz_cmp_si (u, LONG_MAX) <= 0 && mpz_cmp_si (u, LONG_MIN) >= 0; +} - if (us == 1) - return u->_mp_d[0] < GMP_LIMB_HIGHBIT; - else if (us == -1) - return u->_mp_d[0] <= GMP_LIMB_HIGHBIT; - else - return (us == 0); +static int +mpn_absfits_ulong_p (mp_srcptr up, mp_size_t un) +{ + int ulongsize = GMP_ULONG_BITS / GMP_LIMB_BITS; + mp_limb_t ulongrem = 0; + + if (GMP_ULONG_BITS % GMP_LIMB_BITS != 0) + ulongrem = (mp_limb_t) (ULONG_MAX >> GMP_LIMB_BITS * ulongsize) + 1; + + return un <= ulongsize || (up[ulongsize] < ulongrem && un == ulongsize + 1); } int 
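Review bot: `mpn_absfits_ulong_p` has no comment and its return expression indexes `up[ulongsize]` before the `un == ulongsize + 1` test that justifies the read; the access is in bounds because the `||` already established `un > ulongsize`, but the order makes the reader verify that. I'd reorder the conjunction to `return un <= ulongsize || (un == ulongsize + 1 && up[ulongsize] < ulongrem);` and add `/* Non-zero if the un-limb magnitude up[0..un-1] fits an unsigned long; ulongrem is the first top-limb value that does not fit when GMP_ULONG_BITS is not a limb multiple. */`. This presumably assumes a normalized operand (no leading zero limb), which is worth stating if true.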
@@ -1561,22 +1561,60 @@ { mp_size_t us = u->_mp_size; - return (us == (us > 0)); + return us >= 0 && mpn_absfits_ulong_p (u->_mp_d, us); +} + +int +mpz_fits_sint_p (const mpz_t u) +{ + return mpz_cmp_si (u, INT_MAX) <= 0 && mpz_cmp_si (u, INT_MIN) >= 0; +} + +int +mpz_fits_uint_p (const mpz_t u) +{ + return u->_mp_size >= 0 && mpz_cmpabs_ui (u, UINT_MAX) <= 0; +} + +int +mpz_fits_sshort_p (const mpz_t u) +{ + return mpz_cmp_si (u, SHRT_MAX) <= 0 && mpz_cmp_si (u, SHRT_MIN) >= 0; +} + +int +mpz_fits_ushort_p (const mpz_t u) +{ + return u->_mp_size >= 0 && mpz_cmpabs_ui (u, USHRT_MAX) <= 0; } long int mpz_get_si (const mpz_t u) { + unsigned long r = mpz_get_ui (u); + unsigned long c = -LONG_MAX - LONG_MIN; + if (u->_mp_size < 0) - /* This expression is necessary to properly handle 0x80000000 */ - return -1 - (long) ((u->_mp_d[0] - 1) & ~GMP_LIMB_HIGHBIT); + /* This expression is necessary to properly handle -LONG_MIN */ + return -(long) c - (long) ((r - c) & LONG_MAX); else - return (long) (mpz_get_ui (u) & ~GMP_LIMB_HIGHBIT); + return (long) (r & LONG_MAX); } unsigned long int mpz_get_ui (const mpz_t u) { + if (GMP_LIMB_BITS < GMP_ULONG_BITS) + { + int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; + unsigned long r = 0; + mp_size_t n = GMP_ABS (u->_mp_size); + n = GMP_MIN (n, 1 + (mp_size_t) (GMP_ULONG_BITS - 1) / GMP_LIMB_BITS); + while (--n >= 0) + r = (r << LOCAL_GMP_LIMB_BITS) + u->_mp_d[n]; + return r; + } + return u->_mp_size == 0 ? 0 : u->_mp_d[0]; } @@ -1628,11 +1666,19 @@ x->_mp_size = xs < 0 ? -xn : xn; } -mpz_srcptr -mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs) +static mpz_srcptr +mpz_roinit_normal_n (mpz_t x, mp_srcptr xp, mp_size_t xs) { x->_mp_alloc = 0; x->_mp_d = (mp_ptr) xp; + x->_mp_size = xs; + return x; +} + +mpz_srcptr +mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs) +{ + mpz_roinit_normal_n (x, xp, xs); mpz_limbs_finish (x, xs); return x; } 
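Review bot: The new `unsigned long c = -LONG_MAX - LONG_MIN;` in `mpz_get_si` deserves a comment, since the point of the expression is not obvious: it evaluates to 1 on two's-complement targets (`LONG_MIN == -LONG_MAX - 1`) and to 0 otherwise, and the `-(long) c - (long) ((r - c) & LONG_MAX)` return builds `LONG_MIN` without ever forming `-LONG_MIN`. I'd annotate it as `unsigned long c = -LONG_MAX - LONG_MIN; /* 1 on two's complement, else 0 */`. The `mpz_get_ui` bound `1 + (mp_size_t) (GMP_ULONG_BITS - 1) / GMP_LIMB_BITS` likewise reads better with `/* limbs an unsigned long can span */`.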
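Review bot: `mpz_roinit_normal_n` is a new static helper that stores `xs` as the size without the `mpz_limbs_finish` normalization that `mpz_roinit_n` performs, and carries no comment saying so. The callers switched to it later in this diff (the `mpz_root`/`mpz_rootrem` sites, which assert `p [n-1] != 0`, and `gmp_stronglucas`) pass a size they already know is normalized, which is presumably the reason for the split. A comment above it would prevent misuse, e.g. `/* Like mpz_roinit_n, but xp[xs-1] must be non-zero (or xs == 0): no normalization is done. */`.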
@@ -1666,7 +1712,7 @@ r->_mp_size = 0; return; } - B = 2.0 * (double) GMP_LIMB_HIGHBIT; + B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); Bi = 1.0 / B; for (rn = 1; x >= B; rn++) x *= Bi; @@ -1700,18 +1746,34 @@ double mpz_get_d (const mpz_t u) { + int m; + mp_limb_t l; mp_size_t un; double x; - double B = 2.0 * (double) GMP_LIMB_HIGHBIT; + double B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); un = GMP_ABS (u->_mp_size); if (un == 0) return 0.0; - x = u->_mp_d[--un]; - while (un > 0) - x = B*x + u->_mp_d[--un]; + l = u->_mp_d[--un]; + gmp_clz (m, l); + m = m + GMP_DBL_MANT_BITS - GMP_LIMB_BITS; + if (m < 0) + l &= GMP_LIMB_MAX << -m; + + for (x = l; --un >= 0;) + { + x = B*x; + if (m > 0) { + l = u->_mp_d[un]; + m -= GMP_LIMB_BITS; + if (m < 0) + l &= GMP_LIMB_MAX << -m; + x += l; + } + } if (u->_mp_size < 0) x = -x; @@ -1733,7 +1795,7 @@ { xn = GMP_ABS (xn); - B = 2.0 * (double) GMP_LIMB_HIGHBIT; + B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); Bi = 1.0 / B; /* Scale d so it can be compared with the top limb. */ @@ -1792,14 +1854,12 @@ { mp_size_t usize = u->_mp_size; - if (usize < -1) - return -1; - else if (v >= 0) + if (v >= 0) return mpz_cmp_ui (u, v); else if (usize >= 0) return 1; - else /* usize == -1 */ - return GMP_CMP (GMP_NEG_CAST (mp_limb_t, v), u->_mp_d[0]); + else + return - mpz_cmpabs_ui (u, GMP_NEG_CAST (unsigned long int, v)); } int @@ -1807,12 +1867,10 @@ { mp_size_t usize = u->_mp_size; - if (usize > 1) - return 1; - else if (usize < 0) + if (usize < 0) return -1; else - return GMP_CMP (mpz_get_ui (u), v); + return mpz_cmpabs_ui (u, v); } int @@ -1832,10 +1890,15 @@ int mpz_cmpabs_ui (const mpz_t u, unsigned long v) { - if (GMP_ABS (u->_mp_size) > 1) + mp_size_t un = GMP_ABS (u->_mp_size); + + if (! mpn_absfits_ulong_p (u->_mp_d, un)) return 1; else - return GMP_CMP (mpz_get_ui (u), v); + { + unsigned long uu = mpz_get_ui (u); + return GMP_CMP(uu, v); + } } int 
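Review bot: The rewritten `mpz_get_d` masks away everything below the top `GMP_DBL_MANT_BITS` bits (`l &= GMP_LIMB_MAX << -m;`) and skips lower limbs once `m` drops below zero, so the conversion now truncates toward zero, and the `B*x + l` accumulation appears to stay exact because only mantissa-width bits are ever kept; that is a behaviour change worth a comment on the function. I'd add before the `gmp_clz (m, l);` line: `/* Keep only the top GMP_DBL_MANT_BITS bits, so the result is the truncation of |u| and the accumulation never rounds. */`. The `B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1)` change in this and the neighbouring hunks is also unexplained; a short note on why `2.0 * (double) GMP_LIMB_HIGHBIT` was replaced would help.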
@@ -1870,81 +1933,28 @@ /* MPZ addition and subtraction */ -/* Adds to the absolute value. Returns new size, but doesn't store it. */ -static mp_size_t -mpz_abs_add_ui (mpz_t r, const mpz_t a, unsigned long b) -{ - mp_size_t an; - mp_ptr rp; - mp_limb_t cy; - - an = GMP_ABS (a->_mp_size); - if (an == 0) - { - MPZ_REALLOC (r, 1)[0] = b; - return b > 0; - } - - rp = MPZ_REALLOC (r, an + 1); - - cy = mpn_add_1 (rp, a->_mp_d, an, b); - rp[an] = cy; - an += cy; - - return an; -} - -/* Subtract from the absolute value. Returns new size, (or -1 on underflow), - but doesn't store it. */ -static mp_size_t -mpz_abs_sub_ui (mpz_t r, const mpz_t a, unsigned long b) -{ - mp_size_t an = GMP_ABS (a->_mp_size); - mp_ptr rp; - - if (an == 0) - { - MPZ_REALLOC (r, 1)[0] = b; - return -(b > 0); - } - rp = MPZ_REALLOC (r, an); - if (an == 1 && a->_mp_d[0] < b) - { - rp[0] = b - a->_mp_d[0]; - return -1; - } - else - { - gmp_assert_nocarry (mpn_sub_1 (rp, a->_mp_d, an, b)); - return mpn_normalized_size (rp, an); - } -} void mpz_add_ui (mpz_t r, const mpz_t a, unsigned long b) { - if (a->_mp_size >= 0) - r->_mp_size = mpz_abs_add_ui (r, a, b); - else - r->_mp_size = -mpz_abs_sub_ui (r, a, b); + mpz_t bb; + mpz_init_set_ui (bb, b); + mpz_add (r, a, bb); + mpz_clear (bb); } void mpz_sub_ui (mpz_t r, const mpz_t a, unsigned long b) { - if (a->_mp_size < 0) - r->_mp_size = -mpz_abs_add_ui (r, a, b); - else - r->_mp_size = mpz_abs_sub_ui (r, a, b); + mpz_ui_sub (r, b, a); + mpz_neg (r, r); } void mpz_ui_sub (mpz_t r, unsigned long a, const mpz_t b) { - if (b->_mp_size < 0) - r->_mp_size = mpz_abs_add_ui (r, b, a); - else - r->_mp_size = -mpz_abs_sub_ui (r, b, a); + mpz_neg (r, b); + mpz_add_ui (r, r, a); } static mp_size_t 
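Review bot: `mpz_add_ui` now builds a heap temporary (`mpz_init_set_ui (bb, b)`, `mpz_add`, `mpz_clear`) on every call, and `mpz_sub_ui` goes through `mpz_ui_sub`, which itself calls `mpz_neg` and `mpz_add_ui`, so a single-limb subtraction costs an allocation and two negations where the removed `mpz_abs_add_ui`/`mpz_abs_sub_ui` worked in place. That trade of speed for code size may well be intended for mini-gmp, but nothing in the hunk says so, and these are likely among the most frequently called helpers. I'd record the decision above `mpz_add_ui`: `/* Implemented via a temporary mpz to keep the code small; allocates on every call. */`.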
@@ -2031,32 +2041,17 @@ mpz_neg (r, r); } else - mpz_mul_ui (r, u, (unsigned long int) v); + mpz_mul_ui (r, u, v); } void mpz_mul_ui (mpz_t r, const mpz_t u, unsigned long int v) { - mp_size_t un, us; - mp_ptr tp; - mp_limb_t cy; - - us = u->_mp_size; - - if (us == 0 || v == 0) - { - r->_mp_size = 0; - return; - } - - un = GMP_ABS (us); - - tp = MPZ_REALLOC (r, un + 1); - cy = mpn_mul_1 (tp, u->_mp_d, un, v); - tp[un] = cy; - - un += (cy > 0); - r->_mp_size = (us < 0) ? - un : un; + mpz_t vv; + mpz_init_set_ui (vv, v); + mpz_mul (r, u, vv); + mpz_clear (vv); + return; } void @@ -2135,8 +2130,8 @@ mpz_addmul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; - mpz_init (t); - mpz_mul_ui (t, u, v); + mpz_init_set_ui (t, v); + mpz_mul (t, u, t); mpz_add (r, r, t); mpz_clear (t); } @@ -2145,8 +2140,8 @@ mpz_submul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; - mpz_init (t); - mpz_mul_ui (t, u, v); + mpz_init_set_ui (t, v); + mpz_mul (t, u, t); mpz_sub (r, r, t); mpz_clear (t); } 
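Review bot: The trailing `return;` at the end of the rewritten `mpz_mul_ui` is redundant in a `void` function and is not the style of the neighbouring functions (`mpz_addmul_ui`, `mpz_submul_ui` end on `mpz_clear (t);`); drop it. The rewrite also replaces the in-place `mpn_mul_1` loop with a temporary mpz, presumably a deliberate code-size trade that deserves a one-line comment above the function.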
@@ -2542,56 +2537,20 @@ mpz_div_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d, enum mpz_div_round_mode mode) { - mp_size_t ns, qn; - mp_ptr qp; - mp_limb_t rl; - mp_size_t rs; + unsigned long ret; + mpz_t rr, dd; - ns = n->_mp_size; - if (ns == 0) - { - if (q) - q->_mp_size = 0; - if (r) - r->_mp_size = 0; - return 0; - } - - qn = GMP_ABS (ns); - if (q) - qp = MPZ_REALLOC (q, qn); - else - qp = NULL; - - rl = mpn_div_qr_1 (qp, n->_mp_d, qn, d); - assert (rl < d); - - rs = rl > 0; - rs = (ns < 0) ? -rs : rs; - - if (rl > 0 && ( (mode == GMP_DIV_FLOOR && ns < 0) - || (mode == GMP_DIV_CEIL && ns >= 0))) - { - if (q) - gmp_assert_nocarry (mpn_add_1 (qp, qp, qn, 1)); - rl = d - rl; - rs = -rs; - } + mpz_init (rr); + mpz_init_set_ui (dd, d); + mpz_div_qr (q, rr, n, dd, mode); + mpz_clear (dd); + ret = mpz_get_ui (rr); if (r) - { - MPZ_REALLOC (r, 1)[0] = rl; - r->_mp_size = rs; - } - if (q) - { - qn -= (qp[qn-1] == 0); - assert (qn == 0 || qp[qn-1] > 0); - - q->_mp_size = (ns < 0) ? - qn : qn; - } + mpz_swap (r, rr); + mpz_clear (rr); - return rl; + return ret; } unsigned long @@ -2730,22 +2689,16 @@ unsigned long mpz_gcd_ui (mpz_t g, const mpz_t u, unsigned long v) { - mp_size_t un; + mpz_t t; + mpz_init_set_ui(t, v); + mpz_gcd (t, u, t); + if (v > 0) + v = mpz_get_ui (t); - if (v == 0) - { - if (g) - mpz_abs (g, u); - } - else - { - un = GMP_ABS (u->_mp_size); - if (un != 0) - v = mpn_gcd_11 (mpn_div_qr_1 (NULL, u->_mp_d, un, v), v); + if (g) + mpz_swap (t, g); - if (g) - mpz_set_ui (g, v); - } + mpz_clear (t); return v; } @@ -2839,7 +2792,7 @@ signed long sign = mpz_sgn (v); mpz_abs (g, v); if (s) - mpz_set_ui (s, 0); + s->_mp_size = 0; if (t) mpz_set_si (t, sign); return; @@ -2853,7 +2806,7 @@ if (s) mpz_set_si (s, sign); if (t) - mpz_set_ui (t, 0); + t->_mp_size = 0; return; } 
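Review bot: `mpz_div_qr_ui` now returns `mpz_get_ui (rr)`, i.e. the magnitude of the remainder regardless of its sign under `GMP_DIV_FLOOR`/`GMP_DIV_CEIL`, and the old `assert (rl < d)` disappears together with the `mpn_div_qr_1` fast path; neither the return convention nor the loss of the single-limb fast path is documented. I'd add above the function: `/* Returns |remainder| as an unsigned long; r, if non-NULL, receives the signed remainder. */`. The sign handling for `q` now lives entirely in `mpz_div_qr`, outside this hunk.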
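Review bot: In `mpz_gcd_ui` the `if (v > 0) v = mpz_get_ui (t);` guard means that for `v == 0` the function returns 0 even though the computed gcd is `|u|`, which may or may not fit an unsigned long; the previous code had the same result but the new form makes it look accidental. A comment would settle it: `/* v == 0: gcd is |u|, which need not fit an unsigned long; report 0 as before. */`. Note also that `mpz_init_set_ui(t, v);` lacks the space before `(` that every other call in this file uses.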
@@ -2978,8 +2931,9 @@ mpz_sub (s0, s0, s1); mpz_add (t0, t0, t1); } - mpz_divexact_ui (s0, s0, 2); - mpz_divexact_ui (t0, t0, 2); + assert (mpz_even_p (t0) && mpz_even_p (s0)); + mpz_tdiv_q_2exp (s0, s0, 1); + mpz_tdiv_q_2exp (t0, t0, 1); } /* Arrange so that |s| < |u| / 2g */ @@ -3104,7 +3058,10 @@ mpz_ui_pow_ui (mpz_t r, unsigned long blimb, unsigned long e) { mpz_t b; - mpz_pow_ui (r, mpz_roinit_n (b, &blimb, 1), e); + + mpz_init_set_ui (b, blimb); + mpz_pow_ui (r, b, e); + mpz_clear (b); } void @@ -3216,7 +3173,10 @@ mpz_powm_ui (mpz_t r, const mpz_t b, unsigned long elimb, const mpz_t m) { mpz_t e; - mpz_powm (r, b, mpz_roinit_n (e, &elimb, 1), m); + + mpz_init_set_ui (e, elimb); + mpz_powm (r, b, e, m); + mpz_clear (e); } /* x=trunc(y^(1/z)), r=y-x^z */ @@ -3323,7 +3283,7 @@ assert (n > 0); assert (p [n-1] != 0); - return mpz_root (NULL, mpz_roinit_n (t, p, n), 2); + return mpz_root (NULL, mpz_roinit_normal_n (t, p, n), 2); } mp_size_t @@ -3337,7 +3297,7 @@ mpz_init (r); mpz_init (s); - mpz_rootrem (s, r, mpz_roinit_n (u, p, n), 2); + mpz_rootrem (s, r, mpz_roinit_normal_n (u, p, n), 2); assert (s->_mp_size == (n+1)/2); mpn_copyd (sp, s->_mp_d, s->_mp_size); @@ -3352,11 +3312,24 @@ /* Combinatorics */ void -mpz_fac_ui (mpz_t x, unsigned long n) +mpz_mfac_uiui (mpz_t x, unsigned long n, unsigned long m) { mpz_set_ui (x, n + (n == 0)); - while (n > 2) - mpz_mul_ui (x, x, --n); + if (m + 1 < 2) return; + while (n > m + 1) + mpz_mul_ui (x, x, n -= m); +} + +void +mpz_2fac_ui (mpz_t x, unsigned long n) +{ + mpz_mfac_uiui (x, n, 2); +} + +void +mpz_fac_ui (mpz_t x, unsigned long n) +{ + mpz_mfac_uiui (x, n, 1); } void @@ -3372,8 +3345,8 @@ mpz_init (t); mpz_fac_ui (t, k); - for (; k > 0; k--) - mpz_mul_ui (r, r, n--); + for (; k > 0; --k) + mpz_mul_ui (r, r, n--); mpz_divexact (r, r, t); mpz_clear (t); 
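Review bot: The guard `if (m + 1 < 2) return;` in `mpz_mfac_uiui` is doing double duty without saying so: it catches `m == 0` and also `m == ULONG_MAX`, where `m + 1` wraps to 0 and would otherwise make the `n > m + 1` loop condition and `n -= m` misbehave. I'd spell that out: `if (m + 1 < 2) return; /* m == 0, or m == ULONG_MAX where m+1 wraps: result is n */`. The `n + (n == 0)` in the `mpz_set_ui` call likewise deserves `/* 0! = 1 */`.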
@@ -3381,6 +3354,176 @@ /* Primality testing */ + +/* Computes Kronecker (a/b) with odd b, a!=0 and GCD(a,b) = 1 */ +/* Adapted from JACOBI_BASE_METHOD==4 in mpn/generic/jacbase.c */ +static int +gmp_jacobi_coprime (mp_limb_t a, mp_limb_t b) +{ + int c, bit = 0; + + assert (b & 1); + assert (a != 0); + /* assert (mpn_gcd_11 (a, b) == 1); */ + + /* Below, we represent a and b shifted right so that the least + significant one bit is implicit. */ + b >>= 1; + + gmp_ctz(c, a); + a >>= 1; + + for (;;) + { + a >>= c; + /* (2/b) = -1 if b = 3 or 5 mod 8 */ + bit ^= c & (b ^ (b >> 1)); + if (a < b) + { + if (a == 0) + return bit & 1 ? -1 : 1; + bit ^= a & b; + a = b - a; + b -= a; + } + else + { + a -= b; + assert (a != 0); + } + + gmp_ctz(c, a); + ++c; + } +} + +static void +gmp_lucas_step_k_2k (mpz_t V, mpz_t Qk, const mpz_t n) +{ + mpz_mod (Qk, Qk, n); + /* V_{2k} <- V_k ^ 2 - 2Q^k */ + mpz_mul (V, V, V); + mpz_submul_ui (V, Qk, 2); + mpz_tdiv_r (V, V, n); + /* Q^{2k} = (Q^k)^2 */ + mpz_mul (Qk, Qk, Qk); +} + +/* Computes V_k, Q^k (mod n) for the Lucas' sequence */ +/* with P=1, Q=Q; k = (n>>b0)|1. */ +/* Requires an odd n > 4; b0 > 0; -2*Q must not overflow a long */ +/* Returns (U_k == 0) and sets V=V_k and Qk=Q^k. 
*/ +static int +gmp_lucas_mod (mpz_t V, mpz_t Qk, long Q, + mp_bitcnt_t b0, const mpz_t n) +{ + mp_bitcnt_t bs; + mpz_t U; + int res; + + assert (b0 > 0); + assert (Q <= - (LONG_MIN / 2)); + assert (Q >= - (LONG_MAX / 2)); + assert (mpz_cmp_ui (n, 4) > 0); + assert (mpz_odd_p (n)); + + mpz_init_set_ui (U, 1); /* U1 = 1 */ + mpz_set_ui (V, 1); /* V1 = 1 */ + mpz_set_si (Qk, Q); + + for (bs = mpz_sizeinbase (n, 2) - 1; --bs >= b0;) + { + /* U_{2k} <- U_k * V_k */ + mpz_mul (U, U, V); + /* V_{2k} <- V_k ^ 2 - 2Q^k */ + /* Q^{2k} = (Q^k)^2 */ + gmp_lucas_step_k_2k (V, Qk, n); + + /* A step k->k+1 is performed if the bit in $n$ is 1 */ + /* mpz_tstbit(n,bs) or the bit is 0 in $n$ but */ + /* should be 1 in $n+1$ (bs == b0) */ + if (b0 == bs || mpz_tstbit (n, bs)) + { + /* Q^{k+1} <- Q^k * Q */ + mpz_mul_si (Qk, Qk, Q); + /* U_{k+1} <- (U_k + V_k) / 2 */ + mpz_swap (U, V); /* Keep in V the old value of U_k */ + mpz_add (U, U, V); + /* We have to compute U/2, so we need an even value, */ + /* equivalent (mod n) */ + if (mpz_odd_p (U)) + mpz_add (U, U, n); + mpz_tdiv_q_2exp (U, U, 1); + /* V_{k+1} <-(D*U_k + V_k) / 2 = + U_{k+1} + (D-1)/2*U_k = U_{k+1} - 2Q*U_k */ + mpz_mul_si (V, V, -2*Q); + mpz_add (V, U, V); + mpz_tdiv_r (V, V, n); + } + mpz_tdiv_r (U, U, n); + } + + res = U->_mp_size == 0; + mpz_clear (U); + return res; +} + +/* Performs strong Lucas' test on x, with parameters suggested */ +/* for the BPSW test. Qk is only passed to recycle a variable. */ +/* Requires GCD (x,6) = 1.*/ +static int +gmp_stronglucas (const mpz_t x, mpz_t Qk) +{ + mp_bitcnt_t b0; + mpz_t V, n; + mp_limb_t maxD, D; /* The absolute value is stored. */ + long Q; + mp_limb_t tl; + + /* Test on the absolute value. */ + mpz_roinit_normal_n (n, x->_mp_d, GMP_ABS (x->_mp_size)); + + assert (mpz_odd_p (n)); + /* assert (mpz_gcd_ui (NULL, n, 6) == 1); */ + if (mpz_root (Qk, n, 2)) + return 0; /* A square is composite. 
*/ + + /* Check Ds up to square root (in case, n is prime) + or avoid overflows */ + maxD = (Qk->_mp_size == 1) ? Qk->_mp_d [0] - 1 : GMP_LIMB_MAX; + + D = 3; + /* Search a D such that (D/n) = -1 in the sequence 5,-7,9,-11,.. */ + /* For those Ds we have (D/n) = (n/|D|) */ + do + { + if (D >= maxD) + return 1 + (D != GMP_LIMB_MAX); /* (1 + ! ~ D) */ + D += 2; + tl = mpz_tdiv_ui (n, D); + if (tl == 0) + return 0; + } + while (gmp_jacobi_coprime (tl, D) == 1); + + mpz_init (V); + + /* n-(D/n) = n+1 = d*2^{b0}, with d = (n>>b0) | 1 */ + b0 = mpz_scan0 (n, 0); + + /* D= P^2 - 4Q; P = 1; Q = (1-D)/4 */ + Q = (D & 2) ? (long) (D >> 2) + 1 : -(long) (D >> 2); + + if (! gmp_lucas_mod (V, Qk, Q, b0, n)) /* If Ud != 0 */ + while (V->_mp_size != 0 && --b0 != 0) /* while Vk != 0 */ + /* V <- V ^ 2 - 2Q^k */ + /* Q^{2k} = (Q^k)^2 */ + gmp_lucas_step_k_2k (V, Qk, n); + + mpz_clear (V); + return (b0 != 0); +} + static int gmp_millerrabin (const mpz_t n, const mpz_t nm1, mpz_t y, const mpz_t q, mp_bitcnt_t k) 
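Review bot: `gmp_stronglucas` returns three distinct values (0 from the square and trial-division exits, `b0 != 0` from the Lucas sequence, and `1 + (D != GMP_LIMB_MAX)` when `D` reaches `maxD`) but its header comment documents none of them, and the `(1 + ! ~ D)` aside does not explain that 2 is meant as a definitive answer. As far as I can follow the `maxD` logic, 2 is returned only when every odd `D` up to `sqrt(n) - 1` has been trial-divided, which does prove primality for an `n` with no factor 2 or 3; that deserves stating. I'd extend the comment above the function with: `Returns 0 if x is composite, 1 if x passes the strong Lucas test, 2 if trial division up to sqrt(x) showed x is prime.`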
@@ -3442,21 +3585,26 @@ if (mpz_cmpabs_ui (n, 31*31) < 0) return 2; - /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] = - j^2 + j + 41 using Euler's polynomial. We potentially stop early, - if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps > - 30 (a[30] == 971 > 31*31 == 961). */ - mpz_init (nm1); mpz_init (q); - mpz_init (y); /* Find q and k, where q is odd and n = 1 + 2**k * q. */ - nm1->_mp_size = mpz_abs_sub_ui (nm1, n, 1); + mpz_abs (nm1, n); + nm1->_mp_d[0] -= 1; k = mpz_scan1 (nm1, 0); mpz_tdiv_q_2exp (q, nm1, k); - for (j = 0, is_prime = 1; is_prime & (j < reps); j++) + /* BPSW test */ + mpz_init_set_ui (y, 2); + is_prime = gmp_millerrabin (n, nm1, y, q, k) && gmp_stronglucas (n, y); + reps -= 24; /* skip the first 24 repetitions */ + + /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] = + j^2 + j + 41 using Euler's polynomial. We potentially stop early, + if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps > + 30 (a[30] == 971 > 31*31 == 961). */ + + for (j = 0; is_prime & (j < reps); j++) { mpz_set_ui (y, (unsigned long) j*j+j+41); if (mpz_cmp (y, nm1) >= 0) @@ -3524,7 +3672,7 @@ { /* d < 0. Check if any of the bits below is set: If so, our bit must be complemented. */ - if (shift > 0 && (w << (GMP_LIMB_BITS - shift)) > 0) + if (shift > 0 && (mp_limb_t) (w << (GMP_LIMB_BITS - shift)) > 0) return bit ^ 1; while (--limb_index >= 0) if (d->_mp_d[limb_index] > 0) @@ -3631,8 +3779,8 @@ void mpz_com (mpz_t r, const mpz_t u) { - mpz_neg (r, u); - mpz_sub_ui (r, r, 1); + mpz_add_ui (r, u, 1); + mpz_neg (r, r); } void 
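Review bot: `nm1->_mp_d[0] -= 1;` after `mpz_abs (nm1, n)` decrements the low limb without a borrow and without re-normalizing, which is only valid because `n` is odd (low bit set, so the limb is at least 1) and `|n| >= 31*31` (so the result cannot become zero); the oddness check is presumably earlier in the function, outside this hunk, and the line deserves `/* n is odd, so no borrow and nm1 stays normalized */`. Separately, `is_prime = gmp_millerrabin (...) && gmp_stronglucas (n, y);` collapses the `2` that `gmp_stronglucas` can return into `1`, so if that value was meant to short-circuit the remaining Miller-Rabin rounds as a definite answer, it never does. Running a BPSW test before the published fixed-base sequence is the right defensive change: a fixed, known base list is exactly what a crafted composite would be built to pass, and BPSW has no known counterexample. `reps -= 24` can leave `reps` negative, which the `j < reps` condition tolerates, but a comment saying the 24 is the strength credited to the BPSW round would help.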
@@ -3855,13 +4003,18 @@ unsigned c; /* Do 16 bits at a time, to avoid limb-sized constants. */ - for (c = 0; x > 0; x >>= 16) + int LOCAL_SHIFT_BITS = 16; + for (c = 0; x > 0;) { - unsigned w = ((x >> 1) & 0x5555) + (x & 0x5555); + unsigned w = x - ((x >> 1) & 0x5555); w = ((w >> 2) & 0x3333) + (w & 0x3333); - w = ((w >> 4) & 0x0f0f) + (w & 0x0f0f); - w = (w >> 8) + (w & 0x00ff); + w = (w >> 4) + w; + w = ((w >> 8) & 0x000f) + (w & 0x000f); c += w; + if (GMP_LIMB_BITS > LOCAL_SHIFT_BITS) + x >>= LOCAL_SHIFT_BITS; + else + x = 0; } return c; } @@ -3972,7 +4125,7 @@ } /* Mask to 0 all bits before starting_bit, thus ignoring them. */ - limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS)); + limb &= GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS); } return mpn_common_scan (limb, i, up, un, ux); @@ -4002,7 +4155,7 @@ limb -= mpn_zero_p (up, i); /* limb = ~(~limb + zero_p) */ /* Mask all bits before starting_bit, thus ignoring them. */ - limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS)); + limb &= GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS); return mpn_common_scan (limb, i, up, un, ux); } @@ -4357,7 +4510,7 @@ ptrdiff_t word_step; /* The current (partial) limb. */ mp_limb_t limb; - /* The number of bytes left to to in this limb. */ + /* The number of bytes left to do in this limb. */ size_t bytes; /* The index where the limb was read. */ mp_size_t i; @@ -4368,10 +4521,15 @@ limb = u->_mp_d[un-1]; assert (limb != 0); - k = 0; - do { - k++; limb >>= CHAR_BIT; - } while (limb != 0); + k = (GMP_LIMB_BITS <= CHAR_BIT); + if (!k) + { + do { + int LOCAL_CHAR_BIT = CHAR_BIT; + k++; limb >>= LOCAL_CHAR_BIT; + } while (limb != 0); + } + /* else limb = 0; */ count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size; 
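Review bot: The new nibble step `w = (w >> 4) + w;` drops the `& 0x0f0f` mask the old code applied, and the following `((w >> 8) & 0x000f) + (w & 0x000f)` relies on that being safe; it is, because after the 2-bit stage each 4-bit field holds at most 4, so the sum of two fields is at most 8 and cannot carry into the neighbouring nibble, and the final step masks only the two fields it needs. That reasoning belongs in a comment, e.g. `/* No mask needed: fields are <= 4, so sums <= 8 fit a nibble; the last step masks the two fields it uses */`. The `LOCAL_SHIFT_BITS` variable here has the same undocumented purpose as in `gmp_clz` earlier in this diff.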
@@ -4400,17 +4558,28 @@ for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step) { size_t j; - for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) + for (j = 0; j < size; ++j, p -= (ptrdiff_t) endian) { - if (bytes == 0) + if (sizeof (mp_limb_t) == 1) { if (i < un) - limb = u->_mp_d[i++]; - bytes = sizeof (mp_limb_t); + *p = u->_mp_d[i++]; + else + *p = 0; + } + else + { + int LOCAL_CHAR_BIT = CHAR_BIT; + if (bytes == 0) + { + if (i < un) + limb = u->_mp_d[i++]; + bytes = sizeof (mp_limb_t); + } + *p = limb; + limb >>= LOCAL_CHAR_BIT; + bytes--; } - *p = limb; - limb >>= CHAR_BIT; - bytes--; } } assert (i == un); diff -Nru nettle-3.4.1/mini-gmp.h nettle-3.7.3/mini-gmp.h --- nettle-3.4.1/mini-gmp.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/mini-gmp.h 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ /* mini-gmp, a minimalistic implementation of a GNU GMP subset. -Copyright 2011-2015 Free Software Foundation, Inc. +Copyright 2011-2015, 2017, 2019 Free Software Foundation, Inc. This file is part of the GNU MP Library. @@ -53,7 +53,11 @@ void *(**) (void *, size_t, size_t), void (**) (void *, size_t)); -typedef unsigned long mp_limb_t; +#ifndef MINI_GMP_LIMB_TYPE +#define MINI_GMP_LIMB_TYPE long +#endif + +typedef unsigned MINI_GMP_LIMB_TYPE mp_limb_t; typedef long mp_size_t; typedef unsigned long mp_bitcnt_t; @@ -217,6 +221,8 @@ int mpz_root (mpz_t, const mpz_t, unsigned long); void mpz_fac_ui (mpz_t, unsigned long); +void mpz_2fac_ui (mpz_t, unsigned long); +void mpz_mfac_uiui (mpz_t, unsigned long, unsigned long); void mpz_bin_uiui (mpz_t, unsigned long, unsigned long); int mpz_probab_prime_p (const mpz_t, int); 
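Review bot: In the new `else` branch the zero padding once `i == un` is implicit: `*p = limb;` writes whatever is left in `limb`, which is zero only because the preceding `sizeof (mp_limb_t)` iterations shifted it out, whereas the new one-byte branch writes `*p = 0;` explicitly, so the two branches look as if they behave differently at the tail. A one-line comment at the inner `if (i < un)` makes them read alike: `/* once i == un, limb has already been shifted to 0 and pads the output with zero bytes */`. mpz_export begins before and ends after this hunk.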
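Review bot: `typedef unsigned MINI_GMP_LIMB_TYPE mp_limb_t;` places a constraint on the override that the header does not state: the macro must expand to a bare integer type keyword that is valid after `unsigned` (`short`, `int`, `long`, `long long`), so a typedef name such as `uint32_t` or an already-unsigned type will not compile. Because the limb type also fixes the layout of every mpz_t, it must be defined identically in every translation unit that includes this header and in the compiled mini-gmp.c, or the ABI silently diverges. I would document both at the `#ifndef MINI_GMP_LIMB_TYPE`: `/* MINI_GMP_LIMB_TYPE: a plain integer type keyword usable after "unsigned" (short, int, long, long long). Define it identically in every file that includes this header. */`.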
@@ -238,6 +244,10 @@ int mpz_fits_slong_p (const mpz_t); int mpz_fits_ulong_p (const mpz_t); +int mpz_fits_sint_p (const mpz_t); +int mpz_fits_uint_p (const mpz_t); +int mpz_fits_sshort_p (const mpz_t); +int mpz_fits_ushort_p (const mpz_t); long int mpz_get_si (const mpz_t); unsigned long int mpz_get_ui (const mpz_t); double mpz_get_d (const mpz_t); diff -Nru nettle-3.4.1/nettle.html nettle-3.7.3/nettle.html --- nettle-3.4.1/nettle.html 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/nettle.html 2021-06-06 20:06:29.000000000 +0000 @@ -8,8 +8,9 @@ This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. --> - + + Nettle: a low-level cryptographic library @@ -17,7 +18,6 @@ - @@ -72,131 +72,155 @@
  • 3 Conventions
  • 4 Example
  • 5 Linking
  • -
  • 6 Reference +
  • 6 Compatibility
  • +
  • 7 Reference
  • -
  • 7 Traditional Nettle Soup
  • -
  • 8 Installation
  • +
  • 8 Traditional Nettle Soup
  • +
  • 9 Installation
  • Function and Concept Index
  • @@ -237,13 +261,15 @@
    - - - - + + - + + + + + + + - + - +
    Linking:  Linking with libnettle and libhogweed.
    Reference:  All Nettle functions and features. +
    Compatibility:  On API and ABI compatibility between versions.
    Nettle soup:  For the serious nettle hacker. +
    Reference:  All Nettle functions and features.
    Installation:  How to install Nettle. +
    Nettle soup:  For the serious nettle hacker.
    Index:  Function and concept index. +
    Installation:  How to install Nettle. +
    Index:  Function and concept index.
    Recommended hash functions:  
    Miscellaneous hash functions:   +
    Legacy hash functions:  
    nettle_hash abstraction:   @@ -289,12 +317,26 @@
    CTR:  
    CFB:   +
    CFB and CFB8:   +
    XTS:   +
    EAX:  
    GCM:  
    CCM:  
    ChaCha-Poly1305:   +
    SIV-CMAC:   +
    nettle_aead abstraction:   +
    UMAC:  
    CMAC:   +
    Poly1305:   +
    ECDSA:  
    Curve 25519:   +
    GOSTDSA:   +
    Curve 25519 and Curve 448:  
    -

    Nettle’s includes two functions for applying a block cipher in Cipher -Feedback (CFB) mode, one for encryption and one for -decryption. These functions uses void * to pass cipher contexts -around. +

    Cipher Feedback 8-bit mode (CFB8) transforms block cipher into a stream +cipher. The message is encrypted byte after byte, not requiring any padding. +

    +

    If E_k is the encryption function of a block cipher, b is +E_k block size, IV is the initialization vector, then the +n plaintext bytes are transformed into n ciphertext bytes +C_1,… C_n as follows: +

    +
    +
    I_1 = IV
    +C_1 = E_k(I_1) [1..8] XOR M_1
    +I_2 = I_1 [9..b] << 8 | C_1
    +C_2 = E_k(I_2) [1..8] XOR M_2
    +
    +…
    +
    +I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2)
    +C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1)
    +I_n = I_(n-1) [9..b] << 8 | C_(n-1)
    +C_n = E_k(I_n) [1..8] XOR M_n
    +
    + +

    Nettle’s includes functions for applying a block cipher in Cipher +Feedback (CFB) and Cipher Feedback 8-bit (CFB8) +modes. These functions uses void * to pass cipher contexts around.

    Function: void cfb_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
    @@ -2719,6 +3183,19 @@ is a multiple of the block size.

    +
    +
    Function: void cfb8_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
    +
    Function: void cfb8_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
    +
    +

    Applies the encryption or decryption function f in CFB8 +mode. The final IV block processed is copied into iv +before returning, so that a large message can be processed by a sequence of +calls to cfb8_encrypt. Note that for CFB8 mode internally +uses encryption only function and hence f should always be the +encryption function for the underlying block cipher. +

    +
    +

    Like for CBC, there are also a couple of helper macros.

    @@ -2757,6 +3234,195 @@ operation.

    +
    +
    Macro: CFB8_CTX (context_type, block_size)
    +

    Expands to +

    +
    {
    +   context_type ctx;
    +   uint8_t iv[block_size];
    +}
    +
    +
    + +
    +
    Macro: CFB8_SET_IV (ctx, iv)
    +

    First argument is a pointer to a context struct as defined by +CFB8_CTX, and the second is a pointer to an initialization vector +that is copied into that context. +

    + +
    +
    Macro: CFB8_ENCRYPT (ctx, f, length, dst, src)
    +

    A simpler way to invoke cfb8_encrypt. The first argument is a +pointer to a context struct as defined by CFB8_CTX, and the +second argument is an encryption function following Nettle’s +conventions. The last three arguments define the source and destination +area for the operation. +

    + +
    +
    Macro: CFB8_DECRYPT (ctx, f, length, dst, src)
    +

    A simpler way to invoke cfb8_decrypt. The first argument is a +pointer to a context struct as defined by CFB8_CTX, and the +second argument is an encryption function following Nettle’s +conventions. The last three arguments define the source and destination +area for the operation. +

    + +
    + +
    +

    +Previous: , Up: Cipher modes   [Contents][Index]

    +
    + +

    7.3.4 XEX-based tweaked-codebook mode with ciphertext stealing

    + + + + + +

    XEX-based tweaked-codebook mode with ciphertext stealing (XTS) is +a block mode like (CBC) but tweaked to be able to encrypt partial +blocks via a technique called ciphertext stealing, where the last complete +block of ciphertext is split and part returned as the last block and part +used as plaintext for the second to last block. +This mode is principally used to encrypt data at rest where it is not possible +to store additional metadata or blocks larger than the plain text. The most +common usage is for disk encryption. Due to the fact that ciphertext expansion +is not possible, data is not authenticated. This mode should not be used where +authentication is critical. +

    +

    The message is divided into n blocks M_1,… M_n, +where M_n is of size m which may be smaller than the block size. +XTS always uses a fixed blocksize of 128 bit (16 bytes) length. +

    +

    Unlike other modes, the key is double the size of that for the used cipher mode +(for example 256bit for AES-128 and 512bit for AES-256). +

    +

    XTS encryption mode operates given: +

      +
    • A multiplication by a primitive element alpha. +MUL a^j here represents the multiplication, where j is the power +of alpha, and the input value is converted into a 16 bytes array +a_0[k], k = 0,1,..,15. The multiplication is calculated as +a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128) +a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15 +Note that this operation is practically a 1 bit left shift operation with carry +propagating from one byte to the next, and if the last bit shift results in a +carry the decimal value 135 is XORed into the first byte. + +
    • The encryption key is provided as the Key = K1 | K2, where | +denotes string concatenation. +E_k1 is the encryption function of the block cipher using K1 as +the key, and E_k2 is the same encryption function using K2 + +
    • A 128 bit tweak value is provided as input and is denoted as IV +
    + +

    The n plaintext blocks are transformed into n ciphertext blocks +C_1,… C_n as follows. +

    +

    For a plaintext length that is a perfect multiple of the XTS block size: +

    +
    T_1 = E_k2(IV)
    +C_1 = E_k1(P_1 XOR T_1) XOR T_1
    +
    +…
    +
    +T_n = T_(n-1) MUL a
    +C_n = E_k1(P_n XOR T_n) XOR T_n
    +
    + +

    For any other plaintext lengths: +

    +
    T_1 = E_k2(IV)
    +C_1 = E_k1(P_1 XOR T_1) XOR T_1
    +
    +…
    +
    +T_(n-2) = T_(n-3) MUL a
    +C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2)
    +
    +T_(n-1) = T_(n-2) MUL a
    +CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1)
    +
    +T_n = T_(n-1) MUL a
    +PP = [1..m]Pn | [m+1..128]CC_(n-1)
    +C_(n-1) = E_k1(PP XOR T_n) XOR T_n
    +
    +C_n = [1..m]CC_(n-1)
    +
    + + +

    7.3.4.1 General (XTS) interface.

    + +

    The two general functions to encrypt and decrypt using the XTS block +cipher mode are the following: +

    +
    +
    Function: void xts_encrypt_message (const void *enc_ctx, const void *twk_ctx, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
    +
    Function: void xts_decrypt_message (const void *dec_ctx, const void *twk_ctx, nettle_cipher_func *decf, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
    +
    +

    Applies the encryption function encf or the decryption function +decf in XTS mode. At least one block (16 bytes) worth +of data must be available therefore specifying a length less than 16 +bytes is illegal. +

    +

    The functions encf decf are of type +

    +

    void f (const void *ctx, size_t length, uint8_t *dst, +const uint8_t *src), +

    +

    and the xts_encrypt_message and xts_decrypt_message +functions pass their arguments enc_ctx, twk_ctx and dec_ctx +to the functions encf, decf as ctx. +

    + + +

    7.3.4.2 XTS-AES interface

    + +

    The AES XTS functions provide an API for using the +XTS mode with the AES block ciphers. The parameters +all have the same meaning as the general interface, except that the +enc_ctx, dec_ctx, twk_ctx, encf and decf are +replaced with an AES context structure called ctx, and a +appropriate set-key function must be called before using any of the encryption +or decryption functions in this interface. +

    +
    +
    Context struct: struct xts_aes128_key
    +

    Holds state corresponding to the AES-128 block cipher. +

    + +
    +
    Context struct: struct xts_aes256_key
    +

    Holds state corresponding to the AES-256 block cipher. +

    + +
    +
    Function: void xts_aes128_set_encrypt_key (struct xts_aes128_key *ctx, const uint8_t *key)
    +
    Function: void xts_aes256_set_encrypt_key (struct xts_aes256_key *ctx, const uint8_t *key)
    +
    Function: void xts_aes128_set_decrypt_key (struct xts_aes128_key *ctx, const uint8_t *key)
    +
    Function: void xts_aes256_set_decrypt_key (struct xts_aes256_key *ctx, const uint8_t *key)
    +

    Initializes the encryption or decryption key for the AES block cipher. The +length of the key must be double the size of the key for the corresponding +cipher (256 bits for AES-128 and 512 bits for AES-256). One of +these functions must be called before any of the other functions. +

    + +
    +
    Function: void xts_aes128_encrypt_message(struct xts_aes128_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
    +
    Function: void xts_aes256_encrypt_message(struct xts_aes256_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
    +
    Function: void xts_aes128_decrypt_message(struct xts_aes128_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
    +
    Function: void xts_aes256_decrypt_message(struct xts_aes256_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
    +

    These are identical to xts_encrypt_message and +xts_decrypt_message, except that enc_ctx, dec_ctx, +twk_ctx, encf and decf are replaced by the ctx context +structure. +

    +
    @@ -2765,7 +3431,7 @@
    -

    6.4 Authenticated encryption with associated data

    +

    7.4 Authenticated encryption with associated data

    @@ -2842,7 +3508,9 @@
    ChaCha-Poly1305:  
    nettle_aead abstraction:   +
    SIV-CMAC:   +
    nettle_aead abstraction:  
    @@ -2853,9 +3521,9 @@ Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

    -

    6.4.1 EAX

    +

    7.4.1 EAX

    -

    The EAX mode is an AEAD mode whichcombines +

    The EAX mode is an AEAD mode which combines CTR mode encryption, See CTR, with a message authentication based on CBC, See CBC. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). @@ -2872,7 +3540,7 @@ interfaces are defined in <nettle/eax.h>

    -

    6.4.1.1 General EAX interface

    +

    7.4.1.1 General EAX interface

    Context struct: struct eax_key
    @@ -2936,7 +3604,7 @@ -

    6.4.1.2 EAX helper macros

    +

    7.4.1.2 EAX helper macros

    The following macros are defined.

    @@ -2982,12 +3650,12 @@
    Macro: EAX_DIGEST (ctx, encrypt, length, digest)
    -

    Extract te authentication tag for the message. +

    Extract the authentication tag for the message.

    -

    6.4.1.3 EAX-AES128 interface

    +

    7.4.1.3 EAX-AES128 interface

    The following functions implement EAX using AES-128 as the underlying cipher. @@ -3037,7 +3705,7 @@ Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

    -

    6.4.2 Galois counter mode

    +

    7.4.2 Galois counter mode

    @@ -3062,7 +3730,7 @@ These interfaces are defined in <nettle/gcm.h>

    -

    6.4.2.1 General GCM interface

    +

    7.4.2.1 General GCM interface

    Context struct: struct gcm_key
    @@ -3139,7 +3807,7 @@ call gcm_set_iv with a new iv.

    -

    6.4.2.2 GCM helper macros

    +

    7.4.2.2 GCM helper macros

    The following macros are defined.

    @@ -3196,7 +3864,7 @@

    -

    6.4.2.3 GCM-AES interface

    +

    7.4.2.3 GCM-AES interface

    The following functions implement the common case of GCM using AES as the underlying cipher. The variants with a specific @@ -3213,7 +3881,7 @@

    Context struct: struct gcm_aes_ctx
    -

    Alternative context struct, usign the old AES interface. +

    Alternative context struct, using the old AES interface.

    @@ -3274,7 +3942,7 @@

    -

    6.4.2.4 GCM-Camellia interface

    +

    7.4.2.4 GCM-Camellia interface

    The following functions implement the case of GCM using Camellia as the underlying cipher. @@ -3334,7 +4002,7 @@ Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

    -

    6.4.3 Counter with CBC-MAC mode

    +

    7.4.3 Counter with CBC-MAC mode

    @@ -3386,12 +4054,12 @@

    CCM mode decryption operates similarly, except that the ciphertext and MAC are first decrypted using CTR mode to -retreive the plaintext and authentication tag. The authentication tag -can then be recalucated from the authenticated data and plantext, and +retrieve the plaintext and authentication tag. The authentication tag +can then be recalculated from the authenticated data and plaintext, and compared to the value in the message to check for authenticity.

    -

    6.4.3.1 General CCM interface

    +

    7.4.3.1 General CCM interface

    For all of the functions in the CCM interface, cipher is the context struct for the underlying cipher and f is the @@ -3472,7 +4140,7 @@ be identical to the MAC in the received message.

    -

    6.4.3.2 CCM message interface

    +

    7.4.3.2 CCM message interface

    The CCM message fuctions provides a simple interface that will perform authentication and message encryption in a single function call. @@ -3501,7 +4169,7 @@

    -

    6.4.3.3 CCM-AES interface

    +

    7.4.3.3 CCM-AES interface

    The AES CCM functions provide an API for using CCM mode with the AES block ciphers. The parameters @@ -3587,25 +4255,20 @@

    -

    6.4.4 ChaCha-Poly1305

    +

    7.4.4 ChaCha-Poly1305

    ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (see Poly1305). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha. +defines a similar construction but with Salsa20 instead of ChaCha.

    -

    Nettle’s implementation ChaCha-Poly1305 should be considered -experimental. At the time of this writing, there is no -authoritative specification for ChaCha-Poly1305, and a couple of -different incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and it’s -a small change to ChaCha to use the upper 32 bits of the block counter -as a nonce, instead limiting message size to 2^32 blocks or 256 -GBytes, but that variant is currently not supported. +

    Nettle’s implementation of ChaCha-Poly1305 follows RFC 8439, +where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte +block counter. This allows up to 256 gigabytes of data to be encrypted +using the same key and nonce.

    For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream @@ -3637,7 +4300,7 @@

    Constant: CHACHA_POLY1305_NONCE_SIZE
    -

    Same as the ChaCha nonce size, 16. +

    ChaCha-Poly1305 nonce size, 12.

    @@ -3682,16 +4345,124 @@


    + + + +

    7.4.5 Synthetic Initialization Vector AEAD

    + + + + +

    SIV-CMAC mode is a combination of counter mode with message +authentication based on CMAC. Unlike other counter AEAD +modes, it provides protection against accidental nonce misuse, making it +a good choice for stateless-servers that cannot ensure nonce uniqueness. +It is constructed on top of a block cipher which must have a block size of +128 bits. Nettle’s support for SIV-CMAC consists of +a message encryption and authentication interface, for +SIV-CMAC using AES as the underlying block cipher. +When a nonce is re-used with this mode, message authenticity is retained +however an attacker can determine whether the same plaintext was protected +with the two messages sharing the nonce. +These interfaces are defined in <nettle/siv-cmac.h>. +

    +

    Unlike other AEAD mode in SIV-CMAC the initialization +vector serves as the tag. That means that in the generated ciphertext +the tag precedes the ciphertext. +

    +

    Note also, that the SIV-CMAC algorithm, as specified in +RFC 5297, introduces the notion of authenticated data which +consist of multiple components. For example with SIV-CMAC the +authentication tag of data X followed by Y, is different +than the concatenated data X || Y. The interfaces described below +follow the AEAD paradigm and do not allow access to this +feature and also require the use of a non-empty nonce. In the +terminology of the RFC, the input to the S2V function is always a vector +of three elements, where S1 is the authenticated data, S2 is the nonce, +and S3 is the plaintext. +

    + + +

    7.4.5.1 General interface

    + +
    +
    Constant: SIV_BLOCK_SIZE
    +

    SIV-CMAC’s block size, 16. +

    + +
    +
    Constant: SIV_DIGEST_SIZE
    +

    Size of the SIV-CMAC digest or initialization vector, 16. +

    + +
    +
    Constant: SIV_MIN_NONCE_SIZE
    +

    The the minimum size for an SIV-CMAC nonce, 1. +

    + + +

    7.4.5.2 SIV-CMAC-AES interface

    + +

    The AES SIV-CMAC functions provide an API for using +SIV-CMAC mode with the AES block ciphers. The parameters +all have the same meaning as the general and message interfaces, except +that the cipher, f, and ctx parameters are replaced +with an AES context structure, and a set-key function must be +called before using any of the other functions in this interface. +

    +
    +
    Context struct: struct siv_cmac_aes128_ctx
    +

    Holds state corresponding to a particular message encrypted using the +AES-128 block cipher. +

    + +
    +
    Context struct: struct siv_cmac_aes256_ctx
    +

    Holds state corresponding to a particular message encrypted using the +AES-256 block cipher. +

    + +
    +
    Function: void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *ctx, const uint8_t *key)
    +
    Function: void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *ctx, const uint8_t *key)
    +

    Initializes the encryption key for the AES block cipher. One of these +functions must be called before any of the other functions in the +AES SIV-CMAC interface. +

    + +
    +
    Function: void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)
    +
    Function: void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)
    +

    Computes the message digest from the adata and src +parameters, encrypts the plaintext from src, prepends the +initialization vector to the ciphertext and outputs it to dst. +The clength variable must be equal to the length of src +plus SIV_DIGEST_SIZE. +

    +
    + +
    +
    Function: int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)
    +
    Function: int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)
    +

    Decrypts the ciphertext from src, outputs the plaintext to +dst, recalculates the initialization vector from adata and the +plaintext. If the values of the received and calculated initialization vector +are equal, this will return 1 indicating a valid and authenticated +message. Otherwise, this function will return zero. +

    + +
    -

    6.4.5 The struct nettle_aead abstraction

    +

    7.4.6 The struct nettle_aead abstraction

    - -

    Nettle includes a struct including information about the supported hash functions. It is defined in <nettle/nettle-meta.h>. @@ -3718,14 +4489,14 @@

    Nettle also exports a list of all these constructions.

    -
    Function: const struct nettle_aead **nettle_get_aeads(void)
    +
    Function: const struct nettle_aead ** nettle_get_aeads (void)

    Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms.

    -
    Macro: nettle_aeads
    +
    Macro: nettle_aeads

    A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers.

    @@ -3737,7 +4508,7 @@ Next: , Previous: , Up: Reference   [Contents][Index]

    -

    6.5 Keyed Hash Functions

    +

    7.5 Keyed Hash Functions

    @@ -3776,7 +4547,9 @@ • UMAC:   -• Poly1305:   +• CMAC:   + +• Poly1305:   @@ -3788,7 +4561,7 @@ -

    6.5.1 HMAC

    +

    7.5.1 HMAC

    One can build keyed hash functions from ordinary hash functions. Older @@ -3894,12 +4667,12 @@ underlying hash function.

    -

    6.5.2 Concrete HMAC functions

    +

    7.5.2 Concrete HMAC functions

    Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions.

    -

    6.5.2.1 HMAC-MD5

    +

    7.5.2.1 HMAC-MD5

    Context struct: struct hmac_md5_ctx
    @@ -3926,7 +4699,7 @@

    -

    6.5.2.2 HMAC-RIPEMD160

    +

    7.5.2.2 HMAC-RIPEMD160

    Context struct: struct hmac_ripemd160_ctx
    @@ -3953,7 +4726,7 @@

    -

    6.5.2.3 HMAC-SHA1

    +

    7.5.2.3 HMAC-SHA1

    Context struct: struct hmac_sha1_ctx
    @@ -3981,7 +4754,7 @@ -

    6.5.2.4 HMAC-SHA256

    +

    7.5.2.4 HMAC-SHA256

    Context struct: struct hmac_sha256_ctx
    @@ -4009,7 +4782,7 @@ -

    6.5.2.5 HMAC-SHA512

    +

    7.5.2.5 HMAC-SHA512

    Context struct: struct hmac_sha512_ctx
    @@ -4043,7 +4816,7 @@ -

    6.5.3 UMAC

    +

    7.5.3 UMAC

    UMAC is a message authentication code based on universal @@ -4174,13 +4947,115 @@


    - +

    Previous: , Up: Keyed hash functions   [Contents][Index]

    + +

    7.5.4 CMAC

    + + + + +

    CMAC is a message authentication code based on CBC encryption +mode. It is suitable for systems where block ciphers are preferrable +and perform better than hash functions. CMAC-128 is specified in +RFC4493. The block size is always 128 bits (16 octets). +CMAC-64 is specified by +NIST Special Publication 800-38B. The block size is always 64 bits +(8 octets). +

    +

    Nettle provides helper functions for CMAC-128 with +the AES block cipher and for CMAC-64 with +the Tripple-DES block cipher. +

    +

    Nettle defines CMAC in <nettle/cmac.h>. +

    +
    +
    Context struct: struct cmac_aes128_ctx
    +
    Context struct: struct cmac_aes256_ctx
    +
    + +
    +
    Constant: CMAC128_DIGEST_SIZE
    +

    The size of an CMAC-128 digest, 16. +

    + +
    +
    Function: void cmac_aes128_set_key (struct cmac_aes128_ctx *ctx, const uint8_t *key)
    +

    This function initializes the CMAC context struct for AES-128. +

    + +
    +
    Function: void cmac_aes128_update (struct cmac_aes128_ctx *ctx, size_t length, const uint8_t *data)
    +

    This function is called zero or more times to process the message. +

    + +
    +
    Function: void cmac_aes128_digest (struct cmac_aes128_ctx *ctx, size_t length, uint8_t *digest)
    +

    Extracts the MAC of the message, writing it to digest. +length is usually equal to the specified output size, but if you +provide a smaller value, only the first length octets of the +MAC are written. This function resets the context for +processing of a new message with the same key. +

    + +
    +
    Function: void cmac_aes256_set_key (struct cmac_aes256_ctx *ctx, const uint8_t *key)
    +

    This function initializes the CMAC context struct for AES-256. +

    + +
    +
    Function: void cmac_aes256_update (struct cmac_aes256_ctx *ctx, size_t length, const uint8_t *data)
    +

    This function is called zero or more times to process the message. +

    + +
    +
    Function: void cmac_aes256_digest (struct cmac_aes256_ctx *ctx, size_t length, uint8_t *digest)
    +

    Extracts the MAC of the message, writing it to digest. +length is usually equal to the specified output size, but if you +provide a smaller value, only the first length octets of the +MAC are written. This function resets the context for +processing of a new message with the same key. +

    + +
    +
    Context struct: struct cmac_des3_ctx
    +
    + +
    +
    Constant: CMAC64_DIGEST_SIZE
    +

    The size of an CMAC-64 digest, 8. +

    + +
    +
    Function: void cmac_des3_set_key (struct cmac_des3_ctx *ctx, const uint8_t *key)
    +

    This function initializes the CMAC context struct for Tripple-DES. +

    + +
    +
    Function: void cmac_des3_update (struct cmac_des3_ctx *ctx,size_t length, const uint8_t *data)
    +

    This function is called zero or more times to process the message. +

    + +
    +
    Function: void cmac_des3_digest (struct cmac_des3_ctx *ctx, size_t length, uint8_t *digest)
    +

    Extracts the MAC of the message, writing it to digest. +length is usually equal to the specified output size, but if you +provide a smaller value, only the first length octets of the +MAC are written. This function resets the context for +processing of a new message with the same key. +

    + +
    + +
    +

    +Previous: , Up: Keyed hash functions   [Contents][Index]

    +
    -

    6.5.4 Poly1305

    +

    7.5.5 Poly1305

    Poly1305-AES is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number @@ -4260,7 +5135,7 @@ Next: , Previous: , Up: Reference   [Contents][Index]

    -

    6.6 Key derivation Functions

    +

    7.6 Key derivation Functions

    A key derivation function (KDF) is a function that from @@ -4271,7 +5146,7 @@ attacks by using salting and expensive computation.

    -

    6.6.1 HKDF: HMAC-based Extract-and-Expand

    +

    7.6.1 HKDF: HMAC-based Extract-and-Expand

    HKDF is a key derivation function used as a building block of @@ -4314,7 +5189,7 @@ -

    6.6.2 PBKDF2

    +

    7.6.2 PBKDF2

    @@ -4327,8 +5202,8 @@ <nettle/pbkdf2.h>. There is an abstract function that operate on any PRF implemented via the nettle_hash_update_func, nettle_hash_digest_func interfaces. There is also helper macros -and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, -the abstract function: +and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 +and PBKDF2-HMAC-SHA512. First, the abstract function:

    Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
    @@ -4358,12 +5233,12 @@

    -

    6.6.3 Concrete PBKDF2 functions

    +

    7.6.3 Concrete PBKDF2 functions

    Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function.

    -

    6.6.3.1 PBKDF2-HMAC-SHA1

    +

    7.6.3.1 PBKDF2-HMAC-SHA1

    Function: void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
    @@ -4375,7 +5250,7 @@

    -

    6.6.3.2 PBKDF2-HMAC-SHA256

    +

    7.6.3.2 PBKDF2-HMAC-SHA256

    Function: void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
    @@ -4386,6 +5261,30 @@ room for at least length octets.

    + +

    7.6.3.3 PBKDF2-HMAC-SHA384

    + +
    +
    Function: void pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
    +

    PBKDF2 with HMAC-SHA384. Derive length bytes of key into buffer +dst using the password key of length key_length and +salt salt of length salt_length, with iteration counter +iterations (> 0). The output buffer is dst which must have +room for at least length octets. +

    + + +

    7.6.3.4 PBKDF2-HMAC-SHA512

    + +
    +
    Function: void pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
    +

    PBKDF2 with HMAC-SHA512. Derive length bytes of key into buffer +dst using the password key of length key_length and +salt salt of length salt_length, with iteration counter +iterations (> 0). The output buffer is dst which must have +room for at least length octets. +

    +
    @@ -4393,7 +5292,7 @@ Next: , Previous: , Up: Reference   [Contents][Index]

    -

    6.7 Public-key algorithms

    +

    7.7 Public-key algorithms

    Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, @@ -4483,7 +5382,7 @@ Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

    -

    6.7.1 RSA

    +

    7.7.1 RSA

    The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by @@ -4564,7 +5463,7 @@ c^e mod n followed by checking and removing the padding.

    -

    6.7.1.1 Nettle’s RSA support

    +

    7.7.1.1 Nettle’s RSA support

    Nettle represents RSA keys using two structures that contain large numbers (of type mpz_t). @@ -4854,7 +5753,7 @@ Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

    -

    6.7.2 DSA

    +

    7.7.2 DSA

    The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST @@ -4982,7 +5881,7 @@ key.

    -

    6.7.2.1 Nettle’s DSA support

    +

    7.7.2.1 Nettle’s DSA support

    Like for RSA, Nettle represents DSA keys using two structures, containing values of type mpz_t. For information on @@ -5009,7 +5908,7 @@

    Function: int dsa_generate_params (struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits)
    -

    Generates paramaters of a new group. The params struct should be +

    Generates parameters of a new group. The params struct should be initialized before you call this function.

    random_ctx and random is a randomness generator. @@ -5054,8 +5953,8 @@ with it.

    -

    Keys are represented as bignums, of type mpz_t. A public keys -represent a group element, and is of the same size as p, while a +

    Keys are represented as bignums, of type mpz_t. A public key +represents a group element, and is of the same size as p, while a private key is an exponent, of the same size as q.

    @@ -5092,7 +5991,7 @@

    -

    6.7.2.2 Old, deprecated, DSA interface

    +

    7.7.2.2 Old, deprecated, DSA interface

    Versions before nettle-3.0 used a different interface for DSA signatures, where the group parameters and the public key was packed @@ -5201,7 +6100,7 @@ Previous: , Up: Public-key algorithms   [Contents][Index]

    -

    6.7.3 Elliptic curves

    +

    7.7.3 Elliptic curves

    For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally @@ -5229,7 +6128,9 @@ • ECDSA:   -• Curve 25519:   +• GOSTDSA:   + +• Curve 25519 and Curve 448:   @@ -5240,7 +6141,7 @@ Next: , Up: Elliptic curves   [Contents][Index]

    -

    6.7.3.1 Side-channel silence

    +

    7.7.3.1 Side-channel silence

    Nettle’s implementation of the elliptic curve operations is intended to @@ -5273,10 +6174,10 @@

    -

    6.7.3.2 ECDSA

    +

    7.7.3.2 ECDSA

    ECDSA is a variant of the DSA digital signature scheme (see DSA), which works over an elliptic curve group rather than over a (subgroup @@ -5392,14 +6293,101 @@


    - + + + +

    7.7.3.3 GOSTDSA

    + + +

    GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA +(see DSA) and ECDSA (see ECDSA) digital signature schemes, which works +over an elliptic curve group. Original documents are written in Russian. +English translations are provided in RFC 5832 and RFC 7091. +While technically nothing stops one from using GOSTDSA over any curve, it +is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, +creating a signature requires a unique random nonce (repeating the nonce +with two different messages reveals the private key, and any leak or bias +in the generation of the nonce also leaks information about the key). +

    +

    GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function +(GOSTHASH94 and GOSTHASH94CP, RFC 5831). GOST R 34.10-2012 is +defined to use GOST R 34.11-2012 hash function (Streebog, RFC +6986) of corresponding size (256 or 512) depending on curve size. +

    +

    Nettle defines GOSTDSA in <nettle/gostdsa.h>. GOSTDSA reuses ECDSA +data types (struct ecc_point, struct ecc_scalar) to +represent public and private keys. Also to generate a new GOSTDSA key +pair one has to use ecdsa_generate_keypair() function. +

    +

    To create and verify GOSTDSA signatures, the following functions are used. +

    +
    +
    Function: void gostdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature)
    +

    Uses the private key key to create a signature on digest. +random_ctx and random is a randomness generator. +random(random_ctx, length, dst) should generate length +random octets and store them at dst. The signature is stored in +signature, in the same was as for plain DSA. +

    + +
    +
    Function: int gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature)
    +

    Uses the public key pub to verify that signature is a valid +signature for the message digest digest (of length octets). +Returns 1 if the signature is valid, otherwise 0. +

    + +

    For historical reason several curve IDs (OIDs) may correspond to a single +curve/generator combination. Following list defines correspondence +between nettle’s view on curves and actual identifiers defined in RFC +4357 and RFC 7836. +

    +
    +
    Function: const struct ecc_curve nettle_get_gost_gc256b(void)
    +

    Returns curve corresponding to following identifiers: +

      +
    • id-GostR3410-2001-CryptoPro-A-ParamSet (RFC 4357) +
    • id-GostR3410-2001-CryptoPro-XchA-ParamSet (RFC 4357) +
    • id-tc26-gost-3410-12-256-paramSetB +
    +
    + +
    +
    Function: const struct ecc_curve nettle_get_gost_gc512a(void)
    +

    Returns curve corresponding to following identifiers: +

      +
    • id-tc26-gost-3410-12-512-paramSetA (RFC 7836) +
    +
    + +

    For GOST key pairs key derivation/key agreement function (VKO) is defined in +RFC 4357 and RFC 7836. Basically shared key is equal to +hash(cofactor * ukm * priv * pub). Nettle library provides a function that does +multiplication. Caller should do hashing on his own (it will be either +GOST R 34.11-94 (see GOSTHASH94CP) or GOST R 34.11-2012, Streebog, which nor part of the library yet). +

    +
    +
    Function: void gostdsa_vko (const struct ecc_scalar *priv, const struct ecc_point *pub, size_t ukm_length, const uint8_t *ukm, uint8_t *out)
    +

    Uses private key priv, public ket pub and shared key material +ukm to generate shared secret, written to buffer out. The buffer +should be of the size equal to 2 private key lengths: 64 bytes for 256 bit +curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually +transferred in cleartext. It does not have to be secret. +

    + +
    +

    Previous: , Up: Elliptic curves   [Contents][Index]

    - -

    6.7.3.3 Curve25519

    + +

    7.7.3.4 Curve25519 and Curve448

    +

    Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + @@ -5476,8 +6464,45 @@ crypto_scalar_mult in the NaCl library.

    +

    Similarly, Nettle also implements Curve448, an elliptic curve of +Montgomery type, y^2 = x^3 + 156326 x^2 + x (mod p), with +p = 2^448 - 2^224 - 1. This particular curve was proposed by +Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also +described in RFC 7748. +

    +

    Nettle defines Curve 448 in <nettle/curve448.h>. +

    +
    +
    Constant: CURVE448_SIZE
    +

    The octet length of the strings representing curve448 points and scalars, 56. +

    + +
    +
    Function: void curve448_mul_g (uint8_t *q, const uint8_t *n)
    +

    Computes Q = N G, where G is the group generator and +N is an integer. The input argument n and the output +argument q use a little-endian representation of the scalar and +the x-coordinate, respectively. They are both of size +CURVE448_SIZE. +

    +

    This function is intended to be compatible with the function +crypto_scalar_mult_base in the NaCl library. +

    + +
    +
    Function: void curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
    +

    Computes Q = N P, where P is an input point and N +is an integer. The input arguments n and p and the output +argument q use a little-endian representation of the scalar and +the x-coordinates, respectively. They are all of size +CURVE448_SIZE. +

    +

    This function is intended to be compatible with the function +crypto_scalar_mult in the NaCl library. +

    + -

    6.7.3.4 EdDSA

    +

    7.7.3.5 EdDSA

    EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. @@ -5528,6 +6553,36 @@ signature is valid, otherwise 0.

    +

    Nettle also provides Ed448, an EdDSA signature scheme based on an +Edwards curve equivalent to curve448. +

    +
    +
    Constant: ED448_KEY_SIZE
    +

    The size of a private or public Ed448 key, 57 octets. +

    + +
    +
    Constant: ED448_SIGNATURE_SIZE
    +

    The size of an Ed448 signature, 114 octets. +

    + +
    +
    Function: void ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv)
    +

    Computes the public key corresponding to the given private key. Both +input and output are of size ED448_KEY_SIZE. +

    + +
    +
    Function: void ed448_shake256_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)
    +

    Signs a message using the provided key pair. +

    + +
    +
    Function: int ed448_shake256_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)
    +

    Verifies a message using the provided public key. Returns 1 if the +signature is valid, otherwise 0. +

    +
    @@ -5535,7 +6590,7 @@ Next: , Previous: , Up: Reference   [Contents][Index]

    -

    6.8 Randomness

    +

    7.8 Randomness

    @@ -5729,7 +6784,7 @@

    The recommended generator to use is Yarrow, described below.

    -

    6.8.1 Yarrow

    +

    7.8.1 Yarrow

    Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. @@ -5880,7 +6935,7 @@ Next: , Previous: , Up: Reference   [Contents][Index]

    -

    6.9 ASCII encoding

    +

    7.9 ASCII encoding

    Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was @@ -6064,7 +7119,7 @@ Next: , Previous: , Up: Reference   [Contents][Index]

    -

    6.10 Miscellaneous functions

    +

    7.10 Miscellaneous functions

    Function: void * memxor (void *dst, const void *src, size_t n)
    @@ -6098,7 +7153,7 @@ Previous: , Up: Reference   [Contents][Index]

    -

    6.11 Compatibility functions

    +

    7.11 Compatibility functions

    For convenience, Nettle includes alternative interfaces to some algorithms, for compatibility with some other popular crypto toolkits. @@ -6111,18 +7166,6 @@ MD5_CTX, and declares the functions MD5Init, MD5Update and MD5Final.

    -

    Eric Young’s “libdes” (also part of OpenSSL) is a quite popular DES -implementation. Nettle includes a subset if its interface in -<nettle/des-compat.h>. This file defines the typedefs -des_key_schedule and des_cblock, two constants -DES_ENCRYPT and DES_DECRYPT, and declares one global -variable des_check_key, and the functions des_cbc_cksum -des_cbc_encrypt, des_ecb2_encrypt, -des_ecb3_encrypt, des_ecb_encrypt, -des_ede2_cbc_encrypt, des_ede3_cbc_encrypt, -des_is_weak_key, des_key_sched, des_ncbc_encrypt -des_set_key, and des_set_odd_parity. -


    @@ -6130,7 +7173,7 @@ Next: , Previous: , Up: Top   [Contents][Index]

    -

    7 Traditional Nettle Soup

    +

    8 Traditional Nettle Soup

    For the serious nettle hacker, here is a recipe for nettle soup. 4 servings.

      @@ -6163,7 +7206,7 @@ Next: , Previous: , Up: Top   [Contents][Index]

      -

      8 Installation

      +

      9 Installation

      Nettle uses autoconf. To build it, unpack the source and run

      @@ -6217,7 +7260,10 @@

      Function and Concept Index

      -
      Jump to:   A +
      Jump to:   3 +   +
      +A   B   @@ -6249,14 +7295,21 @@   U   +X +   Y  
      + + + + + @@ -6277,8 +7330,11 @@ + + + @@ -6307,12 +7363,17 @@ + + + + + @@ -6329,9 +7390,11 @@ + + @@ -6372,25 +7435,50 @@ - - - - - - - + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + @@ -6400,11 +7488,16 @@ - - - + + + + + + + + @@ -6466,10 +7559,13 @@ - - - - + + + + + + + @@ -6526,6 +7622,14 @@ + + + + + + + + @@ -6581,17 +7685,16 @@ - - + - - - - - + + + + + + - - + @@ -6604,6 +7707,8 @@ + + @@ -6613,6 +7718,8 @@ + + @@ -6663,12 +7770,14 @@ + + @@ -6690,6 +7799,7 @@ + @@ -6706,13 +7816,27 @@ + + + + + + + + + - - - + + + + + + + + @@ -6736,6 +7860,20 @@ + + + + + + + + + + + + + + @@ -6749,7 +7887,10 @@
      Index Entry  Section

      3
      3DES: Cipher functions

      A
      ABI compatibility: Compatibility
      AEAD: Authenticated encryption
      AES: Cipher functions
      aes128_decrypt: Cipher functions
      aes128_encrypt: Cipher functions
      aes128_invert_key: Cipher functions
      aes_invert_key: Cipher functions
      aes_set_decrypt_key: Cipher functions
      aes_set_encrypt_key: Cipher functions
      API compatibility: Compatibility
      Arcfour: Cipher functions
      arcfour_crypt: Cipher functions
      arcfour_set_key: Cipher functions
      Arctwo: Cipher functions
      arctwo_decrypt: Cipher functions
      arctwo_encrypt: Cipher functions
      arctwo_set_key: Cipher functions
      BASE64_ENCODE_LENGTH: ASCII encoding
      base64_encode_single: ASCII encoding
      base64_encode_update: ASCII encoding
      Binary compatibility: Compatibility
      Block Cipher: Cipher functions
      Blowfish: Cipher functions
      blowfish_bcrypt_hash: Cipher functions
      blowfish_bcrypt_verify: Cipher functions
      blowfish_decrypt: Cipher functions
      blowfish_encrypt: Cipher functions
      blowfish_set_key: Cipher functions

      C
      Camellia: Cipher functions
      camellia128_crypt: Cipher functions
      camellia128_invert_key: Cipher functions
      camellia128_set_decrypt_key: Cipher functions
      camellia_invert_key: Cipher functions
      camellia_set_decrypt_key: Cipher functions
      camellia_set_encrypt_key: Cipher functions
      CAST: Cipher functions
      cast128_decrypt: Cipher functions
      cast128_encrypt: Cipher functions
      cast128_set_key: Cipher functions
      cast5_set_key: Cipher functions
      CBC Mode: CBC
      CBC_CTX: CBC
      cbc_decrypt: CBC
      CCM_MAX_MSG_SIZE: CCM
      ccm_set_nonce: CCM
      ccm_update: CCM
      CFB Mode: CFB
      CFB_CTX: CFB
      cfb_decrypt: CFB
      CFB_DECRYPT: CFB
      cfb_encrypt: CFB
      CFB_ENCRYPT: CFB
      CFB_SET_IV(ctx,: CFB
      CFB Modes: CFB and CFB8
      CFB8 Mode: CFB and CFB8
      CFB8_CTX: CFB and CFB8
      cfb8_decrypt: CFB and CFB8
      CFB8_DECRYPT: CFB and CFB8
      cfb8_encrypt: CFB and CFB8
      CFB8_ENCRYPT: CFB and CFB8
      CFB8_SET_IV: CFB and CFB8
      CFB_CTX: CFB and CFB8
      cfb_decrypt: CFB and CFB8
      CFB_DECRYPT: CFB and CFB8
      cfb_encrypt: CFB and CFB8
      CFB_ENCRYPT: CFB and CFB8
      CFB_SET_IV(ctx,: CFB and CFB8
      ChaCha: Cipher functions
      chacha_crypt: Cipher functions
      chacha_crypt32: Cipher functions
      chacha_poly1305_decrypt: ChaCha-Poly1305
      chacha_poly1305_digest: ChaCha-Poly1305
      chacha_poly1305_encrypt: ChaCha-Poly1305
      chacha_poly1305_set_key: ChaCha-Poly1305
      chacha_poly1305_set_nonce: ChaCha-Poly1305
      chacha_poly1305_update: ChaCha-Poly1305
      chacha_set_counter: Cipher functions
      chacha_set_counter32: Cipher functions
      chacha_set_key: Cipher functions
      chacha_set_nonce: Cipher functions
      chacha_set_nonce96: Cipher functions
      Cipher: Cipher functions
      Cipher Block Chaining: CBC
      Cipher Feedback Mode: CFB
      Cipher Feedback 8-bit Mode: CFB and CFB8
      Cipher Feedback Mode: CFB and CFB8
      CMAC: CMAC
      CMAC-128: CMAC
      CMAC-64: CMAC
      cmac_aes128_digest: CMAC
      cmac_aes128_set_key: CMAC
      cmac_aes128_update: CMAC
      cmac_aes256_digest: CMAC
      cmac_aes256_set_key: CMAC
      cmac_aes256_update: CMAC
      cmac_des3_digest: CMAC
      cmac_des3_set_key: CMAC
      cmac_des3_update: CMAC
      Collision-resistant: Hash functions
      Conditional entropy: Randomness
      Counter Mode: CTR
      CTR_CRYPT: CTR
      CTR_CTX: CTR
      CTR_SET_COUNTER: CTR
      Curve 25519: Curve 25519
      curve25519_mul: Curve 25519
      curve25519_mul_g: Curve 25519
      Curve 25519: Curve 25519 and Curve 448
      Curve 448: Curve 25519 and Curve 448
      curve25519_mul: Curve 25519 and Curve 448
      curve25519_mul_g: Curve 25519 and Curve 448
      curve448_mul: Curve 25519 and Curve 448
      curve448_mul_g: Curve 25519 and Curve 448

      D
      DES: Cipher functions
      DES3: Cipher functions
      des3_decrypt: Cipher functions
      des3_encrypt: Cipher functions
      des3_set_key: Cipher functions
      ecdsa_generate_keypair: ECDSA
      ecdsa_sign: ECDSA
      ecdsa_verify: ECDSA
      ed25519_sha512_public_key: Curve 25519
      ed25519_sha512_sign: Curve 25519
      ed25519_sha512_verify: Curve 25519
      eddsa: Curve 25519
      ed25519_sha512_public_key: Curve 25519 and Curve 448
      ed25519_sha512_sign: Curve 25519 and Curve 448
      ed25519_sha512_verify: Curve 25519 and Curve 448
      ed448_shake256_public_key: Curve 25519 and Curve 448
      ed448_shake256_sign: Curve 25519 and Curve 448
      ed448_shake256_verify: Curve 25519 and Curve 448
      eddsa: Curve 25519 and Curve 448
      Entropy: Randomness

      G
      GCM_SET_KEY: GCM
      gcm_update: GCM
      GCM_UPDATE: GCM
      GOST DSA: GOSTDSA
      GOST hash: Legacy hash functions
      gostdsa_sign: GOSTDSA
      gostdsa_verify: GOSTDSA
      gostdsa_vko: GOSTDSA
      gosthash94cp_digest: Legacy hash functions
      gosthash94cp_init: Legacy hash functions
      gosthash94cp_update: Legacy hash functions
      gosthash94_digest: Legacy hash functions
      gosthash94_init: Legacy hash functions
      gosthash94_update: Legacy hash functions

      N
      nettle_aead: nettle_aead abstraction
      nettle_aeads: nettle_aead abstraction
      nettle_aeads: nettle_aead abstraction
      nettle_aeads: nettle_aead abstraction
      nettle_cipher: Cipher functions
      nettle_ciphers: Cipher functions
      nettle_ciphers: Cipher functions
      nettle_get_aeads: nettle_aead abstraction
      nettle_get_ciphers: Cipher functions
      nettle_get_hashes: nettle_hash abstraction
      nettle_ciphers: Cipher functions
      nettle_get_aeads: nettle_aead abstraction
      nettle_get_ciphers: Cipher functions
      nettle_get_gost_gc256b(void): GOSTDSA
      nettle_get_gost_gc512a(void): GOSTDSA
      nettle_get_hashes: nettle_hash abstraction
      nettle_hash: nettle_hash abstraction
      nettle_hashes: nettle_hash abstraction
      nettle_hashes: nettle_hash abstraction
      nettle_hashes: nettle_hash abstraction

      O
      One-way: Hash functions
      PBKDF2: Key derivation functions
      pbkdf2_hmac_sha1: Key derivation functions
      pbkdf2_hmac_sha256: Key derivation functions
      pbkdf2_hmac_sha384: Key derivation functions
      pbkdf2_hmac_sha512: Key derivation functions
      PKCS #5: Key derivation functions
      poly1305_aes_digest: Poly1305
      poly1305_aes_set_key: Poly1305

      R
      Randomness: Randomness
      RC2: Cipher functions
      RC4: Cipher functions
      ripemd160_digest: Legacy hash functions
      ripemd160_init: Legacy hash functions
      ripemd160_update: Legacy hash functions
      rsa_sha512_verify_digest: RSA

      S
      Salsa20: Cipher functions
      salsa20r12_crypt: Cipher functions
      salsa20_128_set_key: Cipher functions
      salsa20_256_set_key: Cipher functions
      salsa20_crypt: Cipher functions
      salsa20_set_key: Cipher functions
      salsa20_set_nonce: Cipher functions
      Serpent: Cipher functions
      serpent_decrypt: Cipher functions
      serpent_encrypt: Cipher functions
      serpent_set_key: Cipher functions
      sha3_224_update: Recommended hash functions
      sha3_256_digest: Recommended hash functions
      sha3_256_init: Recommended hash functions
      sha3_256_shake: Recommended hash functions
      sha3_256_update: Recommended hash functions
      sha3_384_digest: Recommended hash functions
      sha3_384_init: Recommended hash functions
      sha512_digest: Recommended hash functions
      sha512_init: Recommended hash functions
      sha512_update: Recommended hash functions
      SHAKE: Recommended hash functions
      Side-channel attack: Side-channel silence
      SIV mode: SIV-CMAC
      SIV-CMAC mode: SIV-CMAC
      siv_cmac_aes128_decrypt_message: SIV-CMAC
      siv_cmac_aes128_encrypt_message: SIV-CMAC
      siv_cmac_aes128_set_key: SIV-CMAC
      siv_cmac_aes256_decrypt_message: SIV-CMAC
      siv_cmac_aes256_encrypt_message: SIV-CMAC
      siv_cmac_aes256_set_key: SIV-CMAC
      Stream Cipher: Cipher functions
      struct: nettle_hash abstraction
      struct: Cipher functions
      struct: nettle_aead abstraction
      streebog256_digest: Miscellaneous hash functions
      streebog256_init: Miscellaneous hash functions
      streebog256_update: Miscellaneous hash functions
      streebog512_digest: Miscellaneous hash functions
      streebog512_init: Miscellaneous hash functions
      streebog512_update: Miscellaneous hash functions

      T
      Triple-DES: Cipher functions
      Twofish: Cipher functions
      twofish_decrypt: Cipher functions
      twofish_encrypt: Cipher functions
      twofish_set_key: Cipher functions
      umac96_set_nonce: UMAC
      umac96_update: UMAC

      X
      XEX-based tweaked-codebook mode with ciphertext stealing: XTS
      XTS Mode: XTS
      xts_aes128_decrypt_message(struct: XTS
      xts_aes128_encrypt_message(struct: XTS
      xts_aes128_set_decrypt_key: XTS
      xts_aes128_set_encrypt_key: XTS
      xts_aes256_decrypt_message(struct: XTS
      xts_aes256_encrypt_message(struct: XTS
      xts_aes256_set_decrypt_key: XTS
      xts_aes256_set_encrypt_key: XTS
      xts_decrypt_message: XTS
      xts_encrypt_message: XTS

      Y
      yarrow256_fast_reseed: Randomness
      yarrow256_init: Randomness
      yarrow_key_event_init: Randomness

      -
      Jump to:   A +
      Jump to:   3 +   +
      +A   B   @@ -6781,6 +7922,8 @@   U   +X +   Y  
diff -Nru nettle-3.4.1/nettle.info nettle-3.7.3/nettle.info
--- nettle-3.4.1/nettle.info 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/nettle.info 2021-06-06 20:06:29.000000000 +0000
@@ -1,4 +1,4 @@
-This is nettle.info, produced by makeinfo version 6.3 from
+This is nettle.info, produced by makeinfo version 6.5 from
 nettle.texinfo.
 This manual is for the Nettle library (version 3.4), a low-level
@@ -40,6 +40,7 @@
 * Conventions:: General interface conventions.
 * Example:: An example program.
 * Linking:: Linking with libnettle and libhogweed.
+* Compatibility:: On API and ABI compatibility between versions.
 * Reference:: All Nettle functions and features.
 * Nettle soup:: For the serious nettle hacker.
 * Installation:: How to install Nettle.
@@ -49,35 +50,46 @@
 Reference
-* Hash functions::
-* Cipher functions::
-* Cipher modes::
-* Keyed hash functions::
-* Key derivation functions::
-* Public-key algorithms::
-* Randomness::
-* ASCII encoding::
-* Miscellaneous functions::
-* Compatibility functions::
+* Hash functions::
+* Cipher functions::
+* Cipher modes::
+* Keyed hash functions::
+* Key derivation functions::
+* Public-key algorithms::
+* Randomness::
+* ASCII encoding::
+* Miscellaneous functions::
+* Compatibility functions::
 Hash functions
 * Recommended hash functions::
+* Miscellaneous hash functions::
 * Legacy hash functions::
 * nettle_hash abstraction::
 Cipher modes
-* CBC::
-* CTR::
-* CFB::
-* GCM::
-* CCM::
+* CBC::
+* CTR::
+* CFB and CFB8::
+* XTS::
+
+Authenticated encryption with associated data
+
+* EAX::
+* GCM::
+* CCM::
+* ChaCha-Poly1305::
+* SIV-CMAC::
+* nettle_aead abstraction::
 Keyed Hash Functions
 * HMAC::
 * UMAC::
+* CMAC::
+* Poly1305::
 Public-key algorithms
@@ -89,7 +101,8 @@
 * Side-channel silence::
 * ECDSA::
-* Curve 25519::
+* GOSTDSA::
+* Curve 25519 and Curve 448::
@@ -250,6 +263,10 @@ _UMAC_ Written by Niels Möller. +_CMAC_ + Written by Nikos Mavrogiannopoulos, Niels Möller, Jeremy Allison, + Michael Adam and Stefan Metzmacher. + _RSA_ Written by Niels Möller. Uses the GMP library for bignum operations. @@ -317,29 +334,29 @@ #include #include - + #include - + #define BUF_SIZE 1000 - + static void display_hex(unsigned length, uint8_t *data) { unsigned i; - + for (i = 0; i’, which is now deprecated, but kept for compatibility. -6.1.1.2 SHA224 +7.1.1.2 SHA224 .............. SHA224 is a variant of SHA256, with a different initial state, and with @@ -518,7 +600,7 @@ This function also resets the context in the same way as ‘sha224_init’. -6.1.1.3 SHA512 +7.1.1.3 SHA512 .............. SHA512 is a larger sibling to SHA256, with a very similar structure but @@ -553,7 +635,7 @@ This function also resets the context in the same way as ‘sha512_init’. -6.1.1.4 SHA384 and other variants of SHA512 +7.1.1.4 SHA384 and other variants of SHA512 ........................................... Several variants of SHA512 have been defined, with a different initial @@ -611,7 +693,7 @@ These function also reset the context in the same way as the corresponding init function. -6.1.1.5 SHA3-224 +7.1.1.5 SHA3-224 ................ The SHA3 hash functions were specified by NIST in response to weaknesses @@ -662,7 +744,7 @@ This function also resets the context. -6.1.1.6 SHA3-256 +7.1.1.6 SHA3-256 ................ This is SHA3 with 256-bit output size, and possibly the most useful of @@ -694,7 +776,7 @@ This function also resets the context. -6.1.1.7 SHA3-384 +7.1.1.7 SHA3-384 ................ This is SHA3 with 384-bit output size. @@ -725,7 +807,7 @@ This function also resets the context. -6.1.1.8 SHA3-512 +7.1.1.8 SHA3-512 ................ This is SHA3 with 512-bit output size. 
@@ -756,10 +838,104 @@ This function also resets the context. +7.1.1.9 SHAKE-256 +................. + +In addition to those SHA-3 hash functions, Nettle also provides a SHA-3 +extendable-output function (XOF), SHAKE-256. Unlike SHA-3 hash +functions, SHAKE can produce an output digest of any desired length. + + To use SHAKE256, the context struct, init and update functions are +the same as for SHA3-256. To get a SHAKE256 digest, the following +function is used instead of ‘sha3_256_digest’. For an output size of +‘SHA3_256_DIGEST_SIZE’, security is equivalent to SHA3-256 (but the +digest is different). Increasing output size further does not increase +security in terms of collision or preimage resistance. It can be seen +as a built in pseudorandomness generator. + + -- Function: void sha3_256_shake (struct shake256_ctx *CTX, size_t + LENGTH, uint8_t *DIGEST) + Performs final processing and produces a SHAKE256 digest, writing + it to DIGEST. LENGTH can be of arbitrary size. + + This function also resets the context. +  -File: nettle.info, Node: Legacy hash functions, Next: nettle_hash abstraction, Prev: Recommended hash functions, Up: Hash functions +File: nettle.info, Node: Miscellaneous hash functions, Next: Legacy hash functions, Prev: Recommended hash functions, Up: Hash functions + +7.1.2 Miscellaneous hash functions +---------------------------------- + +7.1.2.1 STREEBOG512 +................... + +STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It +outputs hash values of 512 bits, or 64 octets. Nettle defines +STREEBOG512 in ‘’. + + -- Context struct: struct streebog512_ctx + + -- Constant: STREEBOG512_DIGEST_SIZE + The size of a STREEBOG512 digest, i.e. 64. + + -- Constant: STREEBOG512_BLOCK_SIZE + The internal block size of STREEBOG512. Useful for some special + constructions, in particular HMAC-STREEBOG512. + + -- Function: void streebog512_init (struct streebog512_ctx *CTX) + Initialize the STREEBOG512 state. 
+ + -- Function: void streebog512_update (struct streebog512_ctx *CTX, + size_t LENGTH, const uint8_t *DATA) + Hash some more data. + + -- Function: void streebog512_digest (struct streebog512_ctx *CTX, + size_t LENGTH, uint8_t *DIGEST) + Performs final processing and extracts the message digest, writing + it to DIGEST. LENGTH may be smaller than + ‘STREEBOG512_DIGEST_SIZE’, in which case only the first LENGTH + octets of the digest are written. + + This function also resets the context in the same way as + ‘streebog512_init’. -6.1.2 Legacy hash functions +7.1.2.2 STREEBOG256 +................... + +STREEBOG256 is a variant of STREEBOG512, with a different initial state, +and with the output truncated to 256 bits, or 32 octets. Nettle defines +STREEBOG256 in ‘’. + + -- Context struct: struct streebog256_ctx + + -- Constant: STREEBOG256_DIGEST_SIZE + The size of a STREEBOG256 digest, i.e. 32. + + -- Constant: STREEBOG256_BLOCK_SIZE + The internal block size of STREEBOG256. Useful for some special + constructions, in particular HMAC-STREEBOG256. + + -- Function: void streebog256_init (struct streebog256_ctx *CTX) + Initialize the STREEBOG256 state. + + -- Function: void streebog256_update (struct streebog256_ctx *CTX, + size_t LENGTH, const uint8_t *DATA) + Hash some more data. + + -- Function: void streebog256_digest (struct streebog256_ctx *CTX, + size_t LENGTH, uint8_t *DIGEST) + Performs final processing and extracts the message digest, writing + it to DIGEST. LENGTH may be smaller than + ‘STREEBOG256_DIGEST_SIZE’, in which case only the first LENGTH + octets of the digest are written. + + This function also resets the context in the same way as + ‘streebog256_init’. + + +File: nettle.info, Node: Legacy hash functions, Next: nettle_hash abstraction, Prev: Miscellaneous hash functions, Up: Hash functions + +7.1.3 Legacy hash functions --------------------------- The hash functions in this section all have some known weaknesses, and 
@@ -772,7 +948,7 @@ relevant depends on how the hash function is used, and on the threat model. -6.1.2.1 MD5 +7.1.3.1 MD5 ........... MD5 is a message digest function constructed by Ronald Rivest, and @@ -811,7 +987,7 @@ To start over, you can call ‘md5_init’ at any time. -6.1.2.2 MD2 +7.1.3.2 MD2 ........... MD2 is another hash function of Ronald Rivest’s, described in ‘RFC @@ -842,7 +1018,7 @@ This function also resets the context in the same way as ‘md2_init’. -6.1.2.3 MD4 +7.1.3.3 MD4 ........... MD4 is a predecessor of MD5, described in ‘RFC 1320’. Like MD5, it is @@ -875,7 +1051,7 @@ This function also resets the context in the same way as ‘md4_init’. -6.1.2.4 RIPEMD160 +7.1.3.4 RIPEMD160 ................. RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon @@ -909,7 +1085,7 @@ This function also resets the context in the same way as ‘ripemd160_init’. -6.1.2.5 SHA1 +7.1.3.5 SHA1 ............ SHA1 is a hash function specified by “NIST” (The U.S. National Institute @@ -942,13 +1118,18 @@ This function also resets the context in the same way as ‘sha1_init’. -6.1.2.6 GOSTHASH94 -.................. +7.1.3.6 GOSTHASH94 and GOSTHASH94CP +................................... The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see ‘RFC 4357’). It outputs -message digests of 256 bits, or 32 octets. Nettle defines GOSTHASH94 in -‘’. +message digests of 256 bits, or 32 octets. The standard itself does not +fix the S-box used by the hash algorith, so there are two popular +variants (the testing S-box from the standard itself and the S-box +defined by CryptoPro company, see RFC 4357). Nettle provides support +for the former S-box in the form of GOSTHASH94 hash algorithm and for +the latter in the form of GOSTHASH94CP hash algorithm. Nettle defines +GOSTHASH94 and GOSTHASH94CP in ‘’. -- Context struct: struct gosthash94_ctx 
@@ -975,10 +1156,35 @@ This function also resets the context in the same way as ‘gosthash94_init’. + -- Context struct: struct gosthash94cp_ctx + + -- Constant: GOSTHASH94CP_DIGEST_SIZE + The size of a GOSTHASH94CP digest, i.e. 32. + + -- Constant: GOSTHASH94CP_BLOCK_SIZE + The internal block size of GOSTHASH94CP, i.e., 32. + + -- Function: void gosthash94cp_init (struct gosthash94cp_ctx *CTX) + Initialize the GOSTHASH94CP state. + + -- Function: void gosthash94cp_update (struct gosthash94cp_ctx *CTX, + size_t LENGTH, const uint8_t *DATA) + Hash some more data. + + -- Function: void gosthash94cp_digest (struct gosthash94cp_ctx *CTX, + size_t LENGTH, uint8_t *DIGEST) + Performs final processing and extracts the message digest, writing + it to DIGEST. LENGTH may be smaller than + ‘GOSTHASH94CP_DIGEST_SIZE’, in which case only the first LENGTH + octets of the digest are written. + + This function also resets the context in the same way as + ‘gosthash94cp_init’. +  File: nettle.info, Node: nettle_hash abstraction, Prev: Legacy hash functions, Up: Hash functions -6.1.3 The ‘struct nettle_hash’ abstraction +7.1.4 The ‘struct nettle_hash’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash @@ -1004,11 +1210,12 @@ -- Constant Struct: struct nettle_hash nettle_sha512 -- Constant Struct: struct nettle_hash nettle_sha3_256 -- Constant Struct: struct nettle_hash nettle_gosthash94 + -- Constant Struct: struct nettle_hash nettle_gosthash94cp These are all the hash functions that Nettle implements. Nettle also exports a list of all these hashes. - -- Function: const struct nettle_hash **nettle_get_hashes(void) + -- Function: const struct nettle_hash ** nettle_get_hashes (void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. 
@@ -1024,7 +1231,7 @@  File: nettle.info, Node: Cipher functions, Next: Cipher modes, Prev: Hash functions, Up: Reference -6.2 Cipher functions +7.2 Cipher functions ==================== A “cipher” is a function that takes a message or “plaintext” and a @@ -1094,7 +1301,7 @@ single key setup function that can be used for both encryption and decryption. -6.2.1 AES +7.2.1 AES --------- AES is a block cipher, specified by NIST as a replacement for the older @@ -1187,7 +1394,7 @@ uint8_t *DST, const uint8_t *SRC) Analogous to the encryption functions above. -6.2.2 ARCFOUR +7.2.2 ARCFOUR ------------- ARCFOUR is a stream cipher, also known under the trade marked name RC4, @@ -1243,7 +1450,7 @@ encrypt them one after another. The result is the same as if you had called ‘arcfour_crypt’ only once with all the data. -6.2.3 ARCTWO +7.2.3 ARCTWO ------------ ARCTWO (also known as the trade marked name RC2) is a block cipher @@ -1304,7 +1511,7 @@ LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘arctwo_encrypt’ -6.2.4 BLOWFISH +7.2.4 BLOWFISH -------------- BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block 
@@ -1346,7 +1553,72 @@ LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘blowfish_encrypt’ -6.2.5 Camellia + -- Function: int blowfish_bcrypt_hash (char *DST, size_t LENKEY, const + char *KEY, size_t LENSCHEME, const char *SCHEME, int + LOG2ROUNDS, const uint8_t *SALT) + Compute the bcrypt password hash. The function will return ‘0’ if + the hash cannot be computed due to invalid input. The function + will return ‘1’ and store the computed hash in the array pointed to + by DST. The hash is computed based on the chosen SCHEME, number of + rounds LOG2ROUNDS and specified SALT. + + DST must point to a character array of at least + ‘BLOWFISH_BCRYPT_HASH_SIZE’ bytes. + + KEY contains the plaintext password string of size LENKEY. + + SCHEME is of size LENSCHEME and contains either just the chosen + scheme (valid schemes are: ‘2a’, ‘2b’, ‘2x’ or ‘2y’), or (the + prefix of) an existing hashed password (typically ‘$2b$10$...’). + + LOG2ROUNDS contains the log2 of the number of encryption rounds + that must be used to compute the hash. If it is ‘-1’ the value + will be extracted from SCHEME. + + SALT should point to an array of ‘BLOWFISH_BCRYPT_BINSALT_SIZE’ + random bytes to be used to perturb the hash computation. If it is + ‘NULL’ the salt will be extracted from SCHEME. + + Sample code to generate a bcrypt hash: + char cleartxtpassword[] = "ExamplePassword"; + char scheme[] = "2b"; + uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE]; + ... + /* Make sure that salt is filled with random bytes */ + ... + char hashedresult[BLOWFISH_BCRYPT_HASH_SIZE]; + int result = blowfish_bcrypt(hashedresult, + sizeof(cleartxtpassword) - 1, cleartxtpassword, + sizeof(scheme) - 1, scheme, 10, salt); + if (result) + printf("%s\n", hashedresult); + + -- Function: int blowfish_bcrypt_verify (size_t LENKEY, const char + *KEY, size_t LENHASHED, const char *HASHED) + Verifies the bcrypt password hash against the supplied plaintext + password. 
The function will return ‘0’ if the password does not + match. The function will return ‘1’ if the password matches. + + KEY contains the plaintext password string of size LENKEY. + + HASHED contains the hashed string of size LENHASHED to compare + with. + + Sample code to verify a bcrypt hash: + char cleartxtpassword[] = "ExamplePassword"; + char existinghashed[] = + "$2y$" /* Hash algorithm version */ + "10" /* 2^10 hash rounds (strength) */ + "$" /* separator */ + "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */ + "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */ + if (blowfish_bcrypt_verify(sizeof(cleartxtpassword) - 1, cleartxtpassword, + sizeof(existinghashed) - 1, existinghashed)) + printf("Password is correct."); + else + printf("Password is incorrect."); + +7.2.5 Camellia -------------- Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph 
@@ -1436,29 +1708,34 @@ more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -6.2.6 CAST128 +7.2.6 CAST128 ------------- CAST-128 is a block cipher, specified in ‘RFC 2144’. It uses a 64 bit -(8 octets) block size, and a variable key size of up to 128 bits. -Nettle defines cast128 in ‘’. +(8 octets) block size, and a key size of 128 bits. It is possible, but +discouraged, to use the same algorithm with shorter keys. Nettle refers +to the variant with variable key size as CAST-5. Keys for CAST-5 are +zero padded to 128 bits, and with very short keys, less than 80 bits, +encryption also uses fewer rounds than CAST128. Nettle defines cast128 +in ‘’. -- Context struct: struct cast128_ctx -- Constant: CAST128_BLOCK_SIZE The CAST128 block-size, 8. - -- Constant: CAST128_MIN_KEY_SIZE - Minimum CAST128 key size, 5. + -- Constant: CAST128_KEY_SIZE + The CAST128 key size, 16. - -- Constant: CAST128_MAX_KEY_SIZE - Maximum CAST128 key size, 16. + -- Constant: CAST5_MIN_KEY_SIZE + Minimum CAST5 key size, 5. - -- Constant: CAST128_KEY_SIZE - Default CAST128 key size, 16. + -- Constant: CAST5_MAX_KEY_SIZE + Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 + is the same as CAST-128. - -- Function: void cast128_set_key (struct cast128_ctx *CTX, size_t - LENGTH, const uint8_t *KEY) + -- Function: void cast128_set_key (struct cast128_ctx *CTX, const + uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. 
@@ -1473,7 +1750,13 @@ LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘cast128_encrypt’ -6.2.7 ChaCha + -- Function: void cast5_set_key (struct cast128_ctx *CTX, size_t + LENGTH, const uint8_t *KEY) + Initialize the cipher. This variant of the key setup takes the key + size as argument. The same function is used for both encryption + and decryption. + +7.2.7 ChaCha ------------ ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. @@ -1491,6 +1774,9 @@ -- Constant: CHACHA_NONCE_SIZE Size of the nonce, 8. + -- Constant: CHACHA_COUNTER_SIZE + Size of the counter, 8. + -- Function: void chacha_set_key (struct chacha_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both @@ -1503,6 +1789,14 @@ octets. This function also initializes the block counter, setting it to zero. + -- Function: void chacha_set_counter (struct chacha_ctx *CTX, const + uint8_t *COUNTER) + Sets the block counter. It is always of size + ‘CHACHA_COUNTER_SIZE’, 8 octets. This is rarely needed since + ‘chacha_set_nonce’ initializes the block counter to zero. When it + is still necessary, this function must be called after + ‘chacha_set_nonce’. + -- Function: void chacha_crypt (struct chacha_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using ChaCha. When a 
@@ -1510,7 +1804,38 @@ all but the last call _must_ use a length that is a multiple of ‘CHACHA_BLOCK_SIZE’. -6.2.8 DES +7.2.7.1 32-bit counter variant +.............................. + +While the original paper uses 64-bit counter value, the variant defined +in ‘RFC 8439’ uses 32-bit counter value. This variant is particularly +useful for *note ChaCha-Poly1305:: AEAD construction, which supports +12-octet nonces. + + -- Constant: CHACHA_NONCE96_SIZE + Size of the nonce, 12. + + -- Constant: CHACHA_COUNTER32_SIZE + Size of the counter, 4. + + -- Function: void chacha_set_nonce96 (struct chacha_ctx *CTX, const + uint8_t *NONCE) + Sets the nonce. This is similar to the above ‘chacha_set_nonce’, + but the input is always of size ‘CHACHA_NONCE96_SIZE’, 12 octets. + + -- Function: void chacha_set_counter32 (struct chacha_ctx *CTX, const + uint8_t *COUNTER) + Sets the block counter. This is similar to the above + ‘chacha_set_counter’, but the input is always of size + ‘CHACHA_COUNTER32_SIZE’, 4 octets. + + -- Function: void chacha_crypt32 (struct chacha_ctx *CTX, size_t + LENGTH, uint8_t *DST, const uint8_t *SRC) + Encrypts or decrypts the data of a message, using ChaCha. This is + similar to the above ‘chacha_crypt’, but it assumes the internal + counter value is 32-bit long and the nonce is 96-bit long. + +7.2.8 DES --------- DES is the old Data Encryption Standard, specified by NIST. It uses a @@ -1565,7 +1890,7 @@ agreement protocol, and want to use it as a DES key. DST and SRC may be equal. -6.2.9 DES3 +7.2.9 DES3 ---------- The inadequate key size of DES has already been mentioned. One way to @@ -1631,7 +1956,7 @@ uint8_t *DST, const uint8_t *SRC) Analogous to ‘des_encrypt’ -6.2.10 Salsa20 +7.2.10 Salsa20 -------------- Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. 
@@ -1717,7 +2042,7 @@ Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds. -6.2.11 SERPENT +7.2.11 SERPENT -------------- SERPENT is one of the AES finalists, designed by Ross Anderson, Eli @@ -1756,7 +2081,7 @@ LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘serpent_encrypt’ -6.2.12 TWOFISH +7.2.12 TWOFISH -------------- Another AES finalist, this one designed by Bruce Schneier and others. @@ -1792,7 +2117,7 @@ LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘twofish_encrypt’ -6.2.13 The ‘struct nettle_cipher’ abstraction +7.2.13 The ‘struct nettle_cipher’ abstraction --------------------------------------------- Nettle includes a struct including information about some of the more @@ -1837,7 +2162,7 @@ Nettle also exports a list of all these ciphers without weak keys or other oddities. - -- Function: const struct nettle_cipher **nettle_get_ciphers(void) + -- Function: const struct nettle_cipher ** nettle_get_ciphers (void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. @@ -1849,7 +2174,7 @@  File: nettle.info, Node: Cipher modes, Next: Authenticated encryption, Prev: Cipher functions, Up: Reference -6.3 Cipher modes +7.3 Cipher modes ================ Cipher modes of operation specifies the procedure to use when encrypting 
@@ -1859,26 +2184,29 @@ Book mode, ECB), leaks information. Besides ECB, Nettle provides several other modes of operation: Cipher -Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB) and a -couple of AEAD modes (*note Authenticated encryption::). CBC is widely -used, but there are a few subtle issues of information leakage, see, -e.g., SSH CBC vulnerability (http://www.kb.cert.org/vuls/id/958563). -Today, CTR is usually preferred over CBC. - - Modes like CBC, CTR and CFB provide _no_ message authentication, and -should always be used together with a MAC (*note Keyed hash functions::) -or signature to authenticate the message. +Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB and +CFB8), XEX-based tweaked-codebook mode with ciphertext stealing (XTS) +and a couple of AEAD modes (*note Authenticated encryption::). CBC is +widely used, but there are a few subtle issues of information leakage, +see, e.g., SSH CBC vulnerability +(http://www.kb.cert.org/vuls/id/958563). Today, CTR is usually +preferred over CBC. + + Modes like CBC, CTR, CFB and CFB8 provide _no_ message +authentication, and should always be used together with a MAC (*note +Keyed hash functions::) or signature to authenticate the message. * Menu: -* CBC:: -* CTR:: -* CFB:: +* CBC:: +* CTR:: +* CFB and CFB8:: +* XTS::  File: nettle.info, Node: CBC, Next: CTR, Prev: Cipher modes, Up: Cipher modes -6.3.1 Cipher Block Chaining +7.3.1 Cipher Block Chaining --------------------------- When using CBC mode, plaintext blocks are not encrypted independently of @@ -1959,9 +2287,9 @@ ‘struct aes_ctx’ context with the ‘des_encrypt’ function.  -File: nettle.info, Node: CTR, Next: CFB, Prev: CBC, Up: Cipher modes +File: nettle.info, Node: CTR, Next: CFB and CFB8, Prev: CBC, Up: Cipher modes -6.3.2 Counter mode +7.3.2 Counter mode ------------------ Counter mode (CTR) uses the block cipher as a keyed pseudo-random 
@@ -2026,18 +2354,19 @@ the operation.  -File: nettle.info, Node: CFB, Prev: CTR, Up: Cipher modes +File: nettle.info, Node: CFB and CFB8, Next: XTS, Prev: CTR, Up: Cipher modes -6.3.3 Cipher Feedback mode +7.3.3 Cipher Feedback mode -------------------------- -Cipher Feedback mode (CFB) being a close relative to both CBC mode and -CTR mode borrows some characteristics from stream ciphers. - - The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ -is of size ‘m’ which may be smaller than the block size. Except for the -last block, all the message blocks must be of size equal to the cipher’s -block size. +Cipher Feedback mode (CFB) and Cipher Feedback 8-bit mode (CFB8) being +close relatives to both CBC mode and CTR mode borrow some +characteristics from stream ciphers. + + For CFB the message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where +‘M_n’ is of size ‘m’ which may be smaller than the block size. Except +for the last block, all the message blocks must be of size equal to the +cipher’s block size. If ‘E_k’ is the encryption function of a block cipher, ‘IV’ is the initialization vector, then the ‘n’ plaintext blocks are transformed 
@@ -2051,9 +2380,30 @@ C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n - Nettle’s includes two functions for applying a block cipher in Cipher -Feedback (CFB) mode, one for encryption and one for decryption. These -functions uses ‘void *’ to pass cipher contexts around. + Cipher Feedback 8-bit mode (CFB8) transforms block cipher into a +stream cipher. The message is encrypted byte after byte, not requiring +any padding. + + If ‘E_k’ is the encryption function of a block cipher, ‘b’ is ‘E_k’ +block size, ‘IV’ is the initialization vector, then the ‘n’ plaintext +bytes are transformed into ‘n’ ciphertext bytes ‘C_1’,... ‘C_n’ as +follows: + + I_1 = IV + C_1 = E_k(I_1) [1..8] XOR M_1 + I_2 = I_1 [9..b] << 8 | C_1 + C_2 = E_k(I_2) [1..8] XOR M_2 + + ... + + I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) + C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) + I_n = I_(n-1) [9..b] << 8 | C_(n-1) + C_n = E_k(I_n) [1..8] XOR M_n + + Nettle’s includes functions for applying a block cipher in Cipher +Feedback (CFB) and Cipher Feedback 8-bit (CFB8) modes. These functions +uses ‘void *’ to pass cipher contexts around. -- Function: void cfb_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, 
@@ -2073,6 +2423,20 @@ ‘cfb_encrypt’, all but the last call _must_ use a length that is a multiple of the block size. + -- Function: void cfb8_encrypt (const void *CTX, nettle_cipher_func *F, + size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, + const uint8_t *SRC) + -- Function: void cfb8_decrypt (const void *CTX, nettle_cipher_func *F, + size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, + const uint8_t *SRC) + + Applies the encryption or decryption function F in CFB8 mode. The + final IV block processed is copied into IV before returning, so + that a large message can be processed by a sequence of calls to + ‘cfb8_encrypt’. Note that for CFB8 mode internally uses encryption + only function and hence F should always be the encryption function + for the underlying block cipher. + Like for CBC, there are also a couple of helper macros. -- Macro: CFB_CTX (CONTEXT_TYPE, BLOCK_SIZE) 
@@ -2101,10 +2465,184 @@ The last three arguments define the source and destination area for the operation. + -- Macro: CFB8_CTX (CONTEXT_TYPE, BLOCK_SIZE) + Expands to + { + context_type ctx; + uint8_t iv[block_size]; + } + + -- Macro: CFB8_SET_IV (CTX, IV) + First argument is a pointer to a context struct as defined by + ‘CFB8_CTX’, and the second is a pointer to an initialization vector + that is copied into that context. + + -- Macro: CFB8_ENCRYPT (CTX, F, LENGTH, DST, SRC) + A simpler way to invoke ‘cfb8_encrypt’. The first argument is a + pointer to a context struct as defined by ‘CFB8_CTX’, and the + second argument is an encryption function following Nettle’s + conventions. The last three arguments define the source and + destination area for the operation. + + -- Macro: CFB8_DECRYPT (CTX, F, LENGTH, DST, SRC) + A simpler way to invoke ‘cfb8_decrypt’. The first argument is a + pointer to a context struct as defined by ‘CFB8_CTX’, and the + second argument is an encryption function following Nettle’s + conventions. The last three arguments define the source and + destination area for the operation. + + +File: nettle.info, Node: XTS, Prev: CFB and CFB8, Up: Cipher modes + +7.3.4 XEX-based tweaked-codebook mode with ciphertext stealing +-------------------------------------------------------------- + +XEX-based tweaked-codebook mode with ciphertext stealing (XTS) is a +block mode like (CBC) but tweaked to be able to encrypt partial blocks +via a technique called ciphertext stealing, where the last complete +block of ciphertext is split and part returned as the last block and +part used as plaintext for the second to last block. This mode is +principally used to encrypt data at rest where it is not possible to +store additional metadata or blocks larger than the plain text. The +most common usage is for disk encryption. Due to the fact that +ciphertext expansion is not possible, data is not authenticated. 
This +mode should not be used where authentication is critical. + + The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ +is of size ‘m’ which may be smaller than the block size. XTS always +uses a fixed blocksize of 128 bit (16 bytes) length. + + Unlike other modes, the key is double the size of that for the used +cipher mode (for example 256bit for AES-128 and 512bit for AES-256). + + XTS encryption mode operates given: + • A multiplication by a primitive element alpha. ‘MUL a^j’ here + represents the multiplication, where ‘j’ is the power of alpha, and + the input value is converted into a 16 bytes array ‘a_0[k], k = + 0,1,..,15’. The multiplication is calculated as ‘a_(j+1)[0] = + (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128)’ ‘a_(j+1)[k] = + (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15’ Note + that this operation is practically a 1 bit left shift operation + with carry propagating from one byte to the next, and if the last + bit shift results in a carry the decimal value 135 is XORed into + the first byte. + + • The encryption key is provided as the ‘Key = K1 | K2’, where ‘|’ + denotes string concatenation. ‘E_k1’ is the encryption function of + the block cipher using ‘K1’ as the key, and ‘E_k2’ is the same + encryption function using ‘K2’ + + • A 128 bit tweak value is provided as input and is denoted as ‘IV’ + + The ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks +‘C_1’,... ‘C_n’ as follows. + + For a plaintext length that is a perfect multiple of the XTS block +size: + T_1 = E_k2(IV) + C_1 = E_k1(P_1 XOR T_1) XOR T_1 + + ... + + T_n = T_(n-1) MUL a + C_n = E_k1(P_n XOR T_n) XOR T_n + + For any other plaintext lengths: + T_1 = E_k2(IV) + C_1 = E_k1(P_1 XOR T_1) XOR T_1 + + ... 
+ + T_(n-2) = T_(n-3) MUL a + C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2) + + T_(n-1) = T_(n-2) MUL a + CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1) + + T_n = T_(n-1) MUL a + PP = [1..m]Pn | [m+1..128]CC_(n-1) + C_(n-1) = E_k1(PP XOR T_n) XOR T_n + + C_n = [1..m]CC_(n-1) + +7.3.4.1 General (XTS) interface. +................................ + +The two general functions to encrypt and decrypt using the XTS block +cipher mode are the following: + + -- Function: void xts_encrypt_message (const void *ENC_CTX, const void + *TWK_CTX, nettle_cipher_func *ENCF, const uint8_t *TWEAK, + size_t LENGTH, uint8_t *DST, const uint8_t *SRC) + -- Function: void xts_decrypt_message (const void *DEC_CTX, const void + *TWK_CTX, nettle_cipher_func *DECF, nettle_cipher_func *ENCF, + const uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const + uint8_t *SRC) + + Applies the encryption function ENCF or the decryption function + DECF in XTS mode. At least one block (16 bytes) worth of data must + be available therefore specifying a length less than 16 bytes is + illegal. + + The functions ENCF DECF are of type + + ‘void f (const void *CTX, size_t LENGTH, uint8_t *DST, const + uint8_t *SRC)’, + + and the ‘xts_encrypt_message’ and ‘xts_decrypt_message’ functions + pass their arguments ENC_CTX, TWK_CTX and DEC_CTX to the functions + ENCF, DECF as CTX. + +7.3.4.2 XTS-AES interface +......................... + +The AES XTS functions provide an API for using the XTS mode with the AES +block ciphers. The parameters all have the same meaning as the general +interface, except that the ENC_CTX, DEC_CTX, TWK_CTX, ENCF and DECF are +replaced with an AES context structure called CTX, and a appropriate +set-key function must be called before using any of the encryption or +decryption functions in this interface. + + -- Context struct: struct xts_aes128_key + Holds state corresponding to the AES-128 block cipher. 
+ + -- Context struct: struct xts_aes256_key + Holds state corresponding to the AES-256 block cipher. + + -- Function: void xts_aes128_set_encrypt_key (struct xts_aes128_key + *CTX, const uint8_t *KEY) + -- Function: void xts_aes256_set_encrypt_key (struct xts_aes256_key + *CTX, const uint8_t *KEY) + -- Function: void xts_aes128_set_decrypt_key (struct xts_aes128_key + *CTX, const uint8_t *KEY) + -- Function: void xts_aes256_set_decrypt_key (struct xts_aes256_key + *CTX, const uint8_t *KEY) + Initializes the encryption or decryption key for the AES block + cipher. The length of the key must be double the size of the key + for the corresponding cipher (256 bits for AES-128 and 512 bits for + AES-256). One of these functions must be called before any of the + other functions. + + -- Function: void xts_aes128_encrypt_message(struct xts_aes128_key + *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const + uint8_t *SRC) + -- Function: void xts_aes256_encrypt_message(struct xts_aes256_key + *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const + uint8_t *SRC) + -- Function: void xts_aes128_decrypt_message(struct xts_aes128_key + *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const + uint8_t *SRC) + -- Function: void xts_aes256_decrypt_message(struct xts_aes256_key + *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const + uint8_t *SRC) + These are identical to ‘xts_encrypt_message’ and + ‘xts_decrypt_message’, except that ENC_CTX, DEC_CTX, TWK_CTX, ENCF + and DECF are replaced by the CTX context structure. +  File: nettle.info, Node: Authenticated encryption, Next: Keyed hash functions, Prev: Cipher modes, Up: Reference -6.4 Authenticated encryption with associated data +7.4 Authenticated encryption with associated data ================================================= Since there are some subtle design choices to be made when combining a 
@@ -2168,19 +2706,20 @@ * Menu: -* EAX:: -* GCM:: -* CCM:: +* EAX:: +* GCM:: +* CCM:: * ChaCha-Poly1305:: +* SIV-CMAC:: * nettle_aead abstraction::  File: nettle.info, Node: EAX, Next: GCM, Prev: Authenticated encryption, Up: Authenticated encryption -6.4.1 EAX +7.4.1 EAX --------- -The EAX mode is an AEAD mode whichcombines CTR mode encryption, *Note +The EAX mode is an AEAD mode which combines CTR mode encryption, *Note CTR::, with a message authentication based on CBC, *Note CBC::. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). EAX was defined as a reaction to the CCM mode, @@ -2194,7 +2733,7 @@ some convenience macros, and specific functions for EAX using AES-128 as the underlying cipher. These interfaces are defined in ‘’ -6.4.1.1 General EAX interface +7.4.1.1 General EAX interface ............................. -- Context struct: struct eax_key @@ -2250,7 +2789,7 @@ is smaller than ‘EAX_DIGEST_SIZE’, only the first LENGTH octets of the digest are written. -6.4.1.2 EAX helper macros +7.4.1.2 EAX helper macros ......................... The following macros are defined. @@ -2283,9 +2822,9 @@ Process message data for encryption or decryption. -- Macro: EAX_DIGEST (CTX, ENCRYPT, LENGTH, DIGEST) - Extract te authentication tag for the message. + Extract the authentication tag for the message. -6.4.1.3 EAX-AES128 interface +7.4.1.3 EAX-AES128 interface ............................ The following functions implement EAX using AES-128 as the underlying @@ -2326,7 +2865,7 @@  File: nettle.info, Node: GCM, Next: CCM, Prev: EAX, Up: Authenticated encryption -6.4.2 Galois counter mode +7.4.2 Galois counter mode ------------------------- Galois counter mode is an AEAD constructions combining counter mode with @@ -2349,7 +2888,7 @@ Camellia as the underlying cipher. These interfaces are defined in ‘’ -6.4.2.1 General GCM interface +7.4.2.1 General GCM interface ............................. -- Context struct: struct gcm_key 
@@ -2414,7 +2953,7 @@ block cipher). To process a new message, using the same key, call ‘gcm_set_iv’ with a new iv. -6.4.2.2 GCM helper macros +7.4.2.2 GCM helper macros ......................... The following macros are defined. @@ -2455,7 +2994,7 @@ argument, ENCRYPT, is the encryption function of the underlying cipher. -6.4.2.3 GCM-AES interface +7.4.2.3 GCM-AES interface ......................... The following functions implement the common case of GCM using AES as @@ -2469,7 +3008,7 @@ Context structs, defined using ‘GCM_CTX’. -- Context struct: struct gcm_aes_ctx - Alternative context struct, usign the old AES interface. + Alternative context struct, using the old AES interface. -- Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *CTX, const uint8_t *KEY) @@ -2541,7 +3080,7 @@ provide a smaller value, only the first LENGTH octets of the digest are written. -6.4.2.4 GCM-Camellia interface +7.4.2.4 GCM-Camellia interface .............................. The following functions implement the case of GCM using Camellia as the @@ -2601,7 +3140,7 @@  File: nettle.info, Node: CCM, Next: ChaCha-Poly1305, Prev: GCM, Up: Authenticated encryption -6.4.3 Counter with CBC-MAC mode +7.4.3 Counter with CBC-MAC mode ------------------------------- CCM mode is a combination of counter mode with message authentication 
@@ -2647,12 +3186,12 @@ counter of ‘IC+1’. CCM mode decryption operates similarly, except that the ciphertext -and MAC are first decrypted using CTR mode to retreive the plaintext and -authentication tag. The authentication tag can then be recalucated from -the authenticated data and plantext, and compared to the value in the -message to check for authenticity. +and MAC are first decrypted using CTR mode to retrieve the plaintext and +authentication tag. The authentication tag can then be recalculated +from the authenticated data and plaintext, and compared to the value in +the message to check for authenticity. -6.4.3.1 General CCM interface +7.4.3.1 General CCM interface ............................. For all of the functions in the CCM interface, CIPHER is the context @@ -2721,7 +3260,7 @@ the encrypted MAC which should be identical to the MAC in the received message. -6.4.3.2 CCM message interface +7.4.3.2 CCM message interface ............................. The CCM message fuctions provides a simple interface that will perform @@ -2751,7 +3290,7 @@ valid and authenticated message. Otherwise, this function will return zero. -6.4.3.3 CCM-AES interface +7.4.3.3 CCM-AES interface ......................... The AES CCM functions provide an API for using CCM mode with the AES @@ -2857,9 +3396,9 @@ context structure.  -File: nettle.info, Node: ChaCha-Poly1305, Next: nettle_aead abstraction, Prev: CCM, Up: Authenticated encryption +File: nettle.info, Node: ChaCha-Poly1305, Next: SIV-CMAC, Prev: CCM, Up: Authenticated encryption -6.4.4 ChaCha-Poly1305 +7.4.4 ChaCha-Poly1305 --------------------- ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the 
@@ -2867,15 +3406,10 @@ from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha. - Nettle’s implementation ChaCha-Poly1305 should be considered -*experimental*. At the time of this writing, there is no authoritative -specification for ChaCha-Poly1305, and a couple of different -incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and -it’s a small change to ChaCha to use the upper 32 bits of the block -counter as a nonce, instead limiting message size to 2^32 blocks or 256 -GBytes, but that variant is currently not supported. + Nettle’s implementation of ChaCha-Poly1305 follows ‘RFC 8439’, where +the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte block +counter. This allows up to 256 gigabytes of data to be encrypted using +the same key and nonce. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream @@ -2902,7 +3436,7 @@ ChaCha-Poly1305 key size, 32. -- Constant: CHACHA_POLY1305_NONCE_SIZE - Same as the ChaCha nonce size, 16. + ChaCha-Poly1305 nonce size, 12. -- Constant: CHACHA_POLY1305_DIGEST_SIZE Digest size, 16. 
@@ -2938,9 +3472,107 @@ LENGTH octets of the digest are written.  +File: nettle.info, Node: SIV-CMAC, Next: nettle_aead abstraction, Prev: ChaCha-Poly1305, Up: Authenticated encryption + +7.4.5 Synthetic Initialization Vector AEAD +------------------------------------------ + +SIV-CMAC mode is a combination of counter mode with message +authentication based on CMAC. Unlike other counter AEAD modes, it +provides protection against accidental nonce misuse, making it a good +choice for stateless-servers that cannot ensure nonce uniqueness. It is +constructed on top of a block cipher which must have a block size of 128 +bits. Nettle’s support for SIV-CMAC consists of a message encryption +and authentication interface, for SIV-CMAC using AES as the underlying +block cipher. When a nonce is re-used with this mode, message +authenticity is retained however an attacker can determine whether the +same plaintext was protected with the two messages sharing the nonce. +These interfaces are defined in ‘’. + + Unlike other AEAD mode in SIV-CMAC the initialization vector serves +as the tag. That means that in the generated ciphertext the tag +precedes the ciphertext. + + Note also, that the SIV-CMAC algorithm, as specified in ‘RFC 5297’, +introduces the notion of authenticated data which consist of multiple +components. For example with SIV-CMAC the authentication tag of data +‘X’ followed by ‘Y’, is different than the concatenated data ‘X || Y’. +The interfaces described below follow the AEAD paradigm and do not allow +access to this feature and also require the use of a non-empty nonce. +In the terminology of the RFC, the input to the S2V function is always a +vector of three elements, where S1 is the authenticated data, S2 is the +nonce, and S3 is the plaintext. + +7.4.5.1 General interface +......................... + + -- Constant: SIV_BLOCK_SIZE + SIV-CMAC’s block size, 16. + + -- Constant: SIV_DIGEST_SIZE + Size of the SIV-CMAC digest or initialization vector, 16. 
+ + -- Constant: SIV_MIN_NONCE_SIZE + The the minimum size for an SIV-CMAC nonce, 1. + +7.4.5.2 SIV-CMAC-AES interface +.............................. + +The AES SIV-CMAC functions provide an API for using SIV-CMAC mode with +the AES block ciphers. The parameters all have the same meaning as the +general and message interfaces, except that the CIPHER, F, and CTX +parameters are replaced with an AES context structure, and a set-key +function must be called before using any of the other functions in this +interface. + + -- Context struct: struct siv_cmac_aes128_ctx + Holds state corresponding to a particular message encrypted using + the AES-128 block cipher. + + -- Context struct: struct siv_cmac_aes256_ctx + Holds state corresponding to a particular message encrypted using + the AES-256 block cipher. + + -- Function: void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx + *CTX, const uint8_t *KEY) + -- Function: void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx + *CTX, const uint8_t *KEY) + Initializes the encryption key for the AES block cipher. One of + these functions must be called before any of the other functions in + the AES SIV-CMAC interface. + + -- Function: void siv_cmac_aes128_encrypt_message (struct + siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t + *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, + uint8_t *DST, const uint8_t *SRC) + -- Function: void siv_cmac_aes256_encrypt_message (struct + siv_cmac_aes256_ctx *CTX, size_t NLENGTH, const uint8_t + *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, + uint8_t *DST, const uint8_t *SRC) + Computes the message digest from the ADATA and SRC parameters, + encrypts the plaintext from SRC, prepends the initialization vector + to the ciphertext and outputs it to DST. The CLENGTH variable must + be equal to the length of SRC plus ‘SIV_DIGEST_SIZE’. 
+ + -- Function: int siv_cmac_aes128_decrypt_message (struct + siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t + *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, + uint8_t *DST, const uint8_t *SRC) + -- Function: int siv_cmac_aes256_decrypt_message (struct + siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t + *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, + uint8_t *DST, const uint8_t *SRC) + Decrypts the ciphertext from SRC, outputs the plaintext to DST, + recalculates the initialization vector from ADATA and the + plaintext. If the values of the received and calculated + initialization vector are equal, this will return 1 indicating a + valid and authenticated message. Otherwise, this function will + return zero. + + File: nettle.info, Node: nettle_aead abstraction, Prev: ChaCha-Poly1305, Up: Authenticated encryption -6.4.5 The ‘struct nettle_aead’ abstraction +7.4.6 The ‘struct nettle_aead’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash @@ -2965,7 +3597,7 @@ Nettle also exports a list of all these constructions. - -- Function: const struct nettle_aead **nettle_get_aeads(void) + -- Function: const struct nettle_aead ** nettle_get_aeads (void) Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms. @@ -2977,7 +3609,7 @@  File: nettle.info, Node: Keyed hash functions, Next: Key derivation functions, Prev: Authenticated encryption, Up: Reference -6.5 Keyed Hash Functions +7.5 Keyed Hash Functions ======================== A “keyed hash function”, or “Message Authentication Code” (MAC) is a @@ -3010,12 +3642,13 @@ * HMAC:: * UMAC:: +* CMAC:: * Poly1305::  File: nettle.info, Node: HMAC, Next: UMAC, Prev: Keyed hash functions, Up: Keyed hash functions -6.5.1 HMAC +7.5.1 HMAC ---------- One can build keyed hash functions from ordinary hash functions. Older 
@@ -3102,13 +3735,13 @@ function directly, or the update function of the underlying hash function. -6.5.2 Concrete HMAC functions +7.5.2 Concrete HMAC functions ----------------------------- Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions. -6.5.2.1 HMAC-MD5 +7.5.2.1 HMAC-MD5 ................ -- Context struct: struct hmac_md5_ctx @@ -3130,7 +3763,7 @@ This function also resets the context for processing new messages, with the same key. -6.5.2.2 HMAC-RIPEMD160 +7.5.2.2 HMAC-RIPEMD160 ...................... -- Context struct: struct hmac_ripemd160_ctx @@ -3152,7 +3785,7 @@ This function also resets the context for processing new messages, with the same key. -6.5.2.3 HMAC-SHA1 +7.5.2.3 HMAC-SHA1 ................. -- Context struct: struct hmac_sha1_ctx @@ -3174,7 +3807,7 @@ This function also resets the context for processing new messages, with the same key. -6.5.2.4 HMAC-SHA256 +7.5.2.4 HMAC-SHA256 ................... -- Context struct: struct hmac_sha256_ctx @@ -3196,7 +3829,7 @@ This function also resets the context for processing new messages, with the same key. -6.5.2.5 HMAC-SHA512 +7.5.2.5 HMAC-SHA512 ................... -- Context struct: struct hmac_sha512_ctx @@ -3221,7 +3854,7 @@  File: nettle.info, Node: UMAC, Next: Poly1305, Prev: HMAC, Up: Keyed hash functions -6.5.3 UMAC +7.5.3 UMAC ---------- UMAC is a message authentication code based on universal hashing, and 
@@ -3342,9 +3975,87 @@ explicitly for each message.  -File: nettle.info, Node: Poly1305, Prev: UMAC, Up: Keyed hash functions +File: nettle.info, Node: CMAC, Prev: UMAC, Up: Keyed hash functions + +7.5.4 CMAC +---------- + +CMAC is a message authentication code based on CBC encryption mode. It +is suitable for systems where block ciphers are preferrable and perform +better than hash functions. CMAC-128 is specified in ‘RFC4493’. The +block size is always 128 bits (16 octets). CMAC-64 is specified by NIST +Special Publication 800-38B +(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf). +The block size is always 64 bits (8 octets). + + Nettle provides helper functions for CMAC-128 with the AES block +cipher and for CMAC-64 with the Tripple-DES block cipher. + + Nettle defines CMAC in ‘’. -6.5.4 Poly1305 + -- Context struct: struct cmac_aes128_ctx + -- Context struct: struct cmac_aes256_ctx + + -- Constant: CMAC128_DIGEST_SIZE + The size of an CMAC-128 digest, 16. + + -- Function: void cmac_aes128_set_key (struct cmac_aes128_ctx *CTX, + const uint8_t *KEY) + This function initializes the CMAC context struct for AES-128. + + -- Function: void cmac_aes128_update (struct cmac_aes128_ctx *CTX, + size_t LENGTH, const uint8_t *DATA) + This function is called zero or more times to process the message. + + -- Function: void cmac_aes128_digest (struct cmac_aes128_ctx *CTX, + size_t LENGTH, uint8_t *DIGEST) + Extracts the MAC of the message, writing it to DIGEST. LENGTH is + usually equal to the specified output size, but if you provide a + smaller value, only the first LENGTH octets of the MAC are written. + This function resets the context for processing of a new message + with the same key. + + -- Function: void cmac_aes256_set_key (struct cmac_aes256_ctx *CTX, + const uint8_t *KEY) + This function initializes the CMAC context struct for AES-256. 
+ + -- Function: void cmac_aes256_update (struct cmac_aes256_ctx *CTX, + size_t LENGTH, const uint8_t *DATA) + This function is called zero or more times to process the message. + + -- Function: void cmac_aes256_digest (struct cmac_aes256_ctx *CTX, + size_t LENGTH, uint8_t *DIGEST) + Extracts the MAC of the message, writing it to DIGEST. LENGTH is + usually equal to the specified output size, but if you provide a + smaller value, only the first LENGTH octets of the MAC are written. + This function resets the context for processing of a new message + with the same key. + + -- Context struct: struct cmac_des3_ctx + + -- Constant: CMAC64_DIGEST_SIZE + The size of an CMAC-64 digest, 8. + + -- Function: void cmac_des3_set_key (struct cmac_des3_ctx *CTX, const + uint8_t *KEY) + This function initializes the CMAC context struct for Tripple-DES. + + -- Function: void cmac_des3_update (struct cmac_des3_ctx *CTX,size_t + LENGTH, const uint8_t *DATA) + This function is called zero or more times to process the message. + + -- Function: void cmac_des3_digest (struct cmac_des3_ctx *CTX, size_t + LENGTH, uint8_t *DIGEST) + Extracts the MAC of the message, writing it to DIGEST. LENGTH is + usually equal to the specified output size, but if you provide a + smaller value, only the first LENGTH octets of the MAC are written. + This function resets the context for processing of a new message + with the same key. + + +File: nettle.info, Node: Poly1305, Prev: CMAC, Up: Keyed hash functions + +7.5.5 Poly1305 -------------- Poly1305-AES is a message authentication code designed by D. J. @@ -3407,7 +4118,7 @@  File: nettle.info, Node: Key derivation functions, Next: Public-key algorithms, Prev: Keyed hash functions, Up: Reference -6.6 Key derivation Functions +7.6 Key derivation Functions ============================ A “key derivation function” (KDF) is a function that from a given 
@@ -3417,7 +4128,7 @@ and protect against certain pre-computation attacks by using salting and expensive computation. -6.6.1 HKDF: HMAC-based Extract-and-Expand +7.6.1 HKDF: HMAC-based Extract-and-Expand ----------------------------------------- HKDF is a key derivation function used as a building block of @@ -3459,7 +4170,7 @@ output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. -6.6.2 PBKDF2 +7.6.2 PBKDF2 ------------ The most well known PBKDF is the ‘PKCS #5 PBKDF2’ described in ‘RFC @@ -3468,8 +4179,9 @@ Nettle’s PBKDF2 functions are defined in ‘’. There is an abstract function that operate on any PRF implemented via the ‘nettle_hash_update_func’, ‘nettle_hash_digest_func’ interfaces. There -is also helper macros and concrete functions PBKDF2-HMAC-SHA1 and -PBKDF2-HMAC-SHA256. First, the abstract function: +is also helper macros and concrete functions PBKDF2-HMAC-SHA1, +PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 and PBKDF2-HMAC-SHA512. First, +the abstract function: -- Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, @@ -3497,13 +4209,13 @@ desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. -6.6.3 Concrete PBKDF2 functions +7.6.3 Concrete PBKDF2 functions ------------------------------- Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function. -6.6.3.1 PBKDF2-HMAC-SHA1 +7.6.3.1 PBKDF2-HMAC-SHA1 ........................ -- Function: void pbkdf2_hmac_sha1 (size_t KEY_LENGTH, const uint8_t @@ -3514,7 +4226,7 @@ SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. -6.6.3.2 PBKDF2-HMAC-SHA256 +7.6.3.2 PBKDF2-HMAC-SHA256 .......................... -- Function: void pbkdf2_hmac_sha256 (size_t KEY_LENGTH, const uint8_t 
@@ -3526,10 +4238,34 @@ output buffer is DST which must have room for at least LENGTH octets. +7.6.3.3 PBKDF2-HMAC-SHA384 +.......................... + + -- Function: void pbkdf2_hmac_sha384 (size_t KEY_LENGTH, const uint8_t + *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t + *SALT, size_t LENGTH, uint8_t *DST) + PBKDF2 with HMAC-SHA384. Derive LENGTH bytes of key into buffer + DST using the password KEY of length KEY_LENGTH and salt SALT of + length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The + output buffer is DST which must have room for at least LENGTH + octets. + +7.6.3.4 PBKDF2-HMAC-SHA512 +.......................... + + -- Function: void pbkdf2_hmac_sha512 (size_t KEY_LENGTH, const uint8_t + *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t + *SALT, size_t LENGTH, uint8_t *DST) + PBKDF2 with HMAC-SHA512. Derive LENGTH bytes of key into buffer + DST using the password KEY of length KEY_LENGTH and salt SALT of + length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The + output buffer is DST which must have room for at least LENGTH + octets. +  File: nettle.info, Node: Public-key algorithms, Next: Randomness, Prev: Key derivation functions, Up: Reference -6.7 Public-key algorithms +7.7 Public-key algorithms ========================= Nettle uses GMP, the GNU bignum library, for all calculations with large @@ -3606,7 +4342,7 @@  File: nettle.info, Node: RSA, Next: DSA, Prev: Public-key algorithms, Up: Public-key algorithms -6.7.1 RSA +7.7.1 RSA --------- The RSA algorithm was the first practical digital signature algorithm @@ -3679,7 +4415,7 @@ To decrypt the message, one needs the private key to compute ‘m = c^e mod n’ followed by checking and removing the padding. -6.7.1.1 Nettle’s RSA support +7.7.1.1 Nettle’s RSA support ............................ Nettle represents RSA keys using two structures that contain large 
@@ -4006,7 +4742,7 @@  File: nettle.info, Node: DSA, Next: Elliptic curves, Prev: RSA, Up: Public-key algorithms -6.7.2 DSA +7.7.2 DSA --------- The DSA digital signature algorithm is more complex than RSA. It was @@ -4115,7 +4851,7 @@ source is a serious disadvantage. If you ever use the same ‘k’ (and ‘r’) for two different message, you leak your private key. -6.7.2.1 Nettle’s DSA support +7.7.2.1 Nettle’s DSA support ............................ Like for RSA, Nettle represents DSA keys using two structures, @@ -4138,7 +4874,7 @@ *RANDOM_CTX, nettle_random_func *RANDOM, void *PROGRESS_CTX, nettle_progress_func *PROGRESS, unsigned P_BITS, unsigned Q_BITS) - Generates paramaters of a new group. The PARAMS struct should be + Generates parameters of a new group. The PARAMS struct should be initialized before you call this function. RANDOM_CTX and RANDOM is a randomness generator. @@ -4176,8 +4912,8 @@ signature, and call ‘dsa_signature_clear’ when you are finished with it. - Keys are represented as bignums, of type ‘mpz_t’. A public keys -represent a group element, and is of the same size as ‘p’, while a + Keys are represented as bignums, of type ‘mpz_t’. A public key +represents a group element, and is of the same size as ‘p’, while a private key is an exponent, of the same size as ‘q’. -- Function: int dsa_sign (const struct dsa_params *PARAMS, const mpz_t @@ -4213,7 +4949,7 @@ octets and store them at ‘dst’. For advice, see *Note Randomness::. -6.7.2.2 Old, deprecated, DSA interface +7.7.2.2 Old, deprecated, DSA interface ...................................... Versions before nettle-3.0 used a different interface for DSA @@ -4326,7 +5062,7 @@  File: nettle.info, Node: Elliptic curves, Prev: DSA, Up: Public-key algorithms -6.7.3 Elliptic curves +7.7.3 Elliptic curves --------------------- For cryptographic purposes, an elliptic curve is a mathematical group of 
@@ -4352,12 +5088,13 @@ * Side-channel silence:: * ECDSA:: -* Curve 25519:: +* GOSTDSA:: +* Curve 25519 and Curve 448::  File: nettle.info, Node: Side-channel silence, Next: ECDSA, Up: Elliptic curves -6.7.3.1 Side-channel silence +7.7.3.1 Side-channel silence ............................ Nettle’s implementation of the elliptic curve operations is intended to @@ -4385,9 +5122,9 @@ in several of the building blocks.  -File: nettle.info, Node: ECDSA, Next: Curve 25519, Prev: Side-channel silence, Up: Elliptic curves +File: nettle.info, Node: ECDSA, Next: GOSTDSA, Prev: Side-channel silence, Up: Elliptic curves -6.7.3.2 ECDSA +7.7.3.2 ECDSA ............. ECDSA is a variant of the DSA digital signature scheme (*note DSA::), 
@@ -4490,10 +5227,88 @@ Randomness::.  -File: nettle.info, Node: Curve 25519, Prev: ECDSA, Up: Elliptic curves +File: nettle.info, Node: GOSTDSA, Next: Curve 25519 and Curve 448, Prev: ECDSA, Up: Elliptic curves + +7.7.3.3 GOSTDSA +............... + +GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA +(*note DSA::) and ECDSA (*note ECDSA::) digital signature schemes, which +works over an elliptic curve group. Original documents are written in +Russian. English translations are provided in ‘RFC 5832’ and ‘RFC +7091’. While technically nothing stops one from using GOSTDSA over any +curve, it is defined only over several 256 and 512-bit curves. Like DSA +and ECDSA, creating a signature requires a unique random nonce +(repeating the nonce with two different messages reveals the private +key, and any leak or bias in the generation of the nonce also leaks +information about the key). + + GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function +(GOSTHASH94 and GOSTHASH94CP, ‘RFC 5831’). GOST R 34.10-2012 is defined +to use GOST R 34.11-2012 hash function (Streebog, ‘RFC 6986’) of +corresponding size (256 or 512) depending on curve size. + + Nettle defines GOSTDSA in ‘’. GOSTDSA reuses ECDSA +data types (‘struct ecc_point’, ‘struct ecc_scalar’) to represent public +and private keys. Also to generate a new GOSTDSA key pair one has to +use ‘ecdsa_generate_keypair()’ function. + + To create and verify GOSTDSA signatures, the following functions are +used. + + -- Function: void gostdsa_sign (const struct ecc_scalar *KEY, void + *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_LENGTH, + const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) + Uses the private key KEY to create a signature on DIGEST. + RANDOM_CTX and RANDOM is a randomness generator. + ‘random(random_ctx, length, dst)’ should generate ‘length’ random + octets and store them at ‘dst’. The signature is stored in + SIGNATURE, in the same was as for plain DSA. 
+ + -- Function: int gostdsa_verify (const struct ecc_point *PUB, size_t + LENGTH, const uint8_t *DIGEST, const struct dsa_signature + *SIGNATURE) + Uses the public key PUB to verify that SIGNATURE is a valid + signature for the message digest DIGEST (of LENGTH octets). + Returns 1 if the signature is valid, otherwise 0. + + For historical reason several curve IDs (OIDs) may correspond to a +single curve/generator combination. Following list defines +correspondence between nettle’s view on curves and actual identifiers +defined in ‘RFC 4357’ and ‘RFC 7836’. + + -- Function: const struct ecc_curve nettle_get_gost_gc256b(void) + Returns curve corresponding to following identifiers: + • id-GostR3410-2001-CryptoPro-A-ParamSet (‘RFC 4357’) + • id-GostR3410-2001-CryptoPro-XchA-ParamSet (‘RFC 4357’) + • id-tc26-gost-3410-12-256-paramSetB + + -- Function: const struct ecc_curve nettle_get_gost_gc512a(void) + Returns curve corresponding to following identifiers: + • id-tc26-gost-3410-12-512-paramSetA (‘RFC 7836’) + + For GOST key pairs key derivation/key agreement function (VKO) is +defined in ‘RFC 4357’ and ‘RFC 7836’. Basically shared key is equal to +hash(cofactor * ukm * priv * pub). Nettle library provides a function +that does multiplication. Caller should do hashing on his own (it will +be either GOST R 34.11-94 (*note GOSTHASH94CP::) or GOST R 34.11-2012, +Streebog, which nor part of the library yet). + + -- Function: void gostdsa_vko (const struct ecc_scalar *PRIV, const + struct ecc_point *PUB, size_t UKM_LENGTH, const uint8_t *UKM, + uint8_t *OUT) + Uses private key PRIV, public ket PUB and shared key material UKM + to generate shared secret, written to buffer OUT. The buffer + should be of the size equal to 2 private key lengths: 64 bytes for + 256 bit curves and 128 bytes for 512 bit ones. UKM is a shared key + material, usually transferred in cleartext. It does not have to be + secret. 
+ + +File: nettle.info, Node: Curve 25519 and Curve 448, Prev: ECDSA, Up: Elliptic curves -6.7.3.3 Curve25519 -.................. +7.7.3.4 Curve25519 and Curve448 +............................... Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the @@ -4559,7 +5374,38 @@ This function is intended to be compatible with the function ‘crypto_scalar_mult’ in the NaCl library. -6.7.3.4 EdDSA + Similarly, Nettle also implements Curve448, an elliptic curve of +Montgomery type, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^448 - +2^224 - 1. This particular curve was proposed by Mike Hamburg in 2015, +for fast Diffie-Hellman key exchange, and is also described in ‘RFC +7748’. + + Nettle defines Curve 448 in ‘’. + + -- Constant: CURVE448_SIZE + The octet length of the strings representing curve448 points and + scalars, 56. + + -- Function: void curve448_mul_g (uint8_t *Q, const uint8_t *N) + Computes Q = N G, where G is the group generator and N is an + integer. The input argument N and the output argument Q use a + little-endian representation of the scalar and the x-coordinate, + respectively. They are both of size ‘CURVE448_SIZE’. + + This function is intended to be compatible with the function + ‘crypto_scalar_mult_base’ in the NaCl library. + + -- Function: void curve448_mul (uint8_t *Q, const uint8_t *N, const + uint8_t *P) + Computes Q = N P, where P is an input point and N is an integer. + The input arguments N and P and the output argument Q use a + little-endian representation of the scalar and the x-coordinates, + respectively. They are all of size ‘CURVE448_SIZE’. + + This function is intended to be compatible with the function + ‘crypto_scalar_mult’ in the NaCl library. + +7.7.3.5 EdDSA ............. EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. 
@@ -4604,10 +5450,34 @@ Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. + Nettle also provides Ed448, an EdDSA signature scheme based on an +Edwards curve equivalent to curve448. + + -- Constant: ED448_KEY_SIZE + The size of a private or public Ed448 key, 57 octets. + + -- Constant: ED448_SIGNATURE_SIZE + The size of an Ed448 signature, 114 octets. + + -- Function: void ed448_shake256_public_key (uint8_t *PUB, const + uint8_t *PRIV) + Computes the public key corresponding to the given private key. + Both input and output are of size ‘ED448_KEY_SIZE’. + + -- Function: void ed448_shake256_sign (const uint8_t *PUB, const + uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t + *SIGNATURE) + Signs a message using the provided key pair. + + -- Function: int ed448_shake256_verify (const uint8_t *PUB, size_t + LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) + Verifies a message using the provided public key. Returns 1 if the + signature is valid, otherwise 0. +  File: nettle.info, Node: Randomness, Next: ASCII encoding, Prev: Public-key algorithms, Up: Reference -6.8 Randomness +7.8 Randomness ============== A crucial ingredient in many cryptographic contexts is randomness: Let @@ -4780,7 +5650,7 @@ The recommended generator to use is Yarrow, described below. -6.8.1 Yarrow +7.8.1 Yarrow ------------ Yarrow is a family of pseudo-randomness generators, designed for @@ -4910,7 +5780,7 @@  File: nettle.info, Node: ASCII encoding, Next: Miscellaneous functions, Prev: Randomness, Up: Reference -6.9 ASCII encoding +7.9 ASCII encoding ================== Encryption will transform your data from text into binary format, and @@ -5058,7 +5928,7 @@  File: nettle.info, Node: Miscellaneous functions, Next: Compatibility functions, Prev: ASCII encoding, Up: Reference -6.10 Miscellaneous functions +7.10 Miscellaneous functions ============================ -- Function: void * memxor (void *DST, const void *SRC, size_t N) 
@@ -5084,7 +5954,7 @@  File: nettle.info, Node: Compatibility functions, Prev: Miscellaneous functions, Up: Reference -6.11 Compatibility functions +7.11 Compatibility functions ============================ For convenience, Nettle includes alternative interfaces to some @@ -5097,20 +5967,10 @@ ‘’. This file defines the typedef ‘MD5_CTX’, and declares the functions ‘MD5Init’, ‘MD5Update’ and ‘MD5Final’. - Eric Young’s “libdes” (also part of OpenSSL) is a quite popular DES -implementation. Nettle includes a subset if its interface in -‘’. This file defines the typedefs -‘des_key_schedule’ and ‘des_cblock’, two constants ‘DES_ENCRYPT’ and -‘DES_DECRYPT’, and declares one global variable ‘des_check_key’, and the -functions ‘des_cbc_cksum’ ‘des_cbc_encrypt’, ‘des_ecb2_encrypt’, -‘des_ecb3_encrypt’, ‘des_ecb_encrypt’, ‘des_ede2_cbc_encrypt’, -‘des_ede3_cbc_encrypt’, ‘des_is_weak_key’, ‘des_key_sched’, -‘des_ncbc_encrypt’ ‘des_set_key’, and ‘des_set_odd_parity’. -  File: nettle.info, Node: Nettle soup, Next: Installation, Prev: Reference, Up: Top -7 Traditional Nettle Soup +8 Traditional Nettle Soup ************************* For the serious nettle hacker, here is a recipe for nettle soup. 4 @@ -5139,7 +5999,7 @@  File: nettle.info, Node: Installation, Next: Index, Prev: Nettle soup, Up: Top -8 Installation +9 Installation ************** Nettle uses ‘autoconf’. To build it, unpack the source and run @@ -5185,8 +6045,11 @@ [index] * Menu: +* 3DES: Cipher functions. (line 665) +* ABI compatibility: Compatibility. (line 6) * AEAD: Authenticated encryption. (line 6) +* AES: Cipher functions. (line 76) * aes128_decrypt: Cipher functions. (line 156) * aes128_encrypt: Cipher functions. (line 143) * aes128_invert_key: Cipher functions. (line 126) 
@@ -5207,8 +6070,11 @@ * aes_invert_key: Cipher functions. (line 132) * aes_set_decrypt_key: Cipher functions. (line 122) * aes_set_encrypt_key: Cipher functions. (line 120) +* API compatibility: Compatibility. (line 6) +* Arcfour: Cipher functions. (line 169) * arcfour_crypt: Cipher functions. (line 214) * arcfour_set_key: Cipher functions. (line 209) +* Arctwo: Cipher functions. (line 225) * arctwo_decrypt: Cipher functions. (line 279) * arctwo_encrypt: Cipher functions. (line 272) * arctwo_set_key: Cipher functions. (line 256) 
@@ -5236,29 +6102,36 @@ * BASE64_ENCODE_LENGTH: ASCII encoding. (line 51) * base64_encode_single: ASCII encoding. (line 47) * base64_encode_update: ASCII encoding. (line 55) +* Binary compatibility: Compatibility. (line 6) * Block Cipher: Cipher functions. (line 12) +* Blowfish: Cipher functions. (line 286) +* blowfish_bcrypt_hash: Cipher functions. (line 325) +* blowfish_bcrypt_verify: Cipher functions. (line 365) * blowfish_decrypt: Cipher functions. (line 321) * blowfish_encrypt: Cipher functions. (line 314) * blowfish_set_key: Cipher functions. (line 304) -* camellia128_crypt: Cipher functions. (line 402) -* camellia128_invert_key: Cipher functions. (line 388) -* camellia128_set_decrypt_key: Cipher functions. (line 372) -* camellia128_set_encrypt_key: Cipher functions. (line 370) -* camellia192_crypt: Cipher functions. (line 404) -* camellia192_invert_key: Cipher functions. (line 390) -* camellia192_set_decrypt_key: Cipher functions. (line 376) -* camellia192_set_encrypt_key: Cipher functions. (line 374) -* camellia256_crypt: Cipher functions. (line 406) -* camellia256_invert_key: Cipher functions. (line 392) -* camellia256_set_decrypt_key: Cipher functions. (line 380) -* camellia256_set_encrypt_key: Cipher functions. (line 378) -* camellia_crypt: Cipher functions. (line 408) -* camellia_invert_key: Cipher functions. (line 394) -* camellia_set_decrypt_key: Cipher functions. (line 384) -* camellia_set_encrypt_key: Cipher functions. (line 382) -* cast128_decrypt: Cipher functions. (line 448) -* cast128_encrypt: Cipher functions. (line 441) -* cast128_set_key: Cipher functions. (line 436) +* Camellia: Cipher functions. (line 393) +* camellia128_crypt: Cipher functions. (line 467) +* camellia128_invert_key: Cipher functions. (line 453) +* camellia128_set_decrypt_key: Cipher functions. (line 437) +* camellia128_set_encrypt_key: Cipher functions. (line 435) +* camellia192_crypt: Cipher functions. (line 469) +* camellia192_invert_key: Cipher functions. 
(line 455) +* camellia192_set_decrypt_key: Cipher functions. (line 441) +* camellia192_set_encrypt_key: Cipher functions. (line 439) +* camellia256_crypt: Cipher functions. (line 471) +* camellia256_invert_key: Cipher functions. (line 457) +* camellia256_set_decrypt_key: Cipher functions. (line 445) +* camellia256_set_encrypt_key: Cipher functions. (line 443) +* camellia_crypt: Cipher functions. (line 473) +* camellia_invert_key: Cipher functions. (line 459) +* camellia_set_decrypt_key: Cipher functions. (line 449) +* camellia_set_encrypt_key: Cipher functions. (line 447) +* CAST: Cipher functions. (line 483) +* cast128_decrypt: Cipher functions. (line 518) +* cast128_encrypt: Cipher functions. (line 511) +* cast128_set_key: Cipher functions. (line 506) +* cast5_set_key: Cipher functions. (line 522) * CBC Mode: CBC. (line 6) * CBC_CTX: CBC. (line 51) * cbc_decrypt: CBC. (line 34) 
@@ -5299,25 +6172,50 @@ * CCM_MAX_MSG_SIZE: CCM. (line 76) * ccm_set_nonce: CCM. (line 80) * ccm_update: CCM. (line 86) -* CFB Mode: CFB. (line 6) -* CFB_CTX: CFB. (line 50) -* cfb_decrypt: CFB. (line 33) -* CFB_DECRYPT: CFB. (line 69) -* cfb_encrypt: CFB. (line 30) -* CFB_ENCRYPT: CFB. (line 62) -* CFB_SET_IV(CTX,: CFB. (line 57) -* chacha_crypt: Cipher functions. (line 482) -* chacha_poly1305_decrypt: ChaCha-Poly1305. (line 68) -* chacha_poly1305_digest: ChaCha-Poly1305. (line 74) -* chacha_poly1305_encrypt: ChaCha-Poly1305. (line 66) -* chacha_poly1305_set_key: ChaCha-Poly1305. (line 53) -* chacha_poly1305_set_nonce: ChaCha-Poly1305. (line 58) -* chacha_poly1305_update: ChaCha-Poly1305. (line 62) -* chacha_set_key: Cipher functions. (line 470) -* chacha_set_nonce: Cipher functions. (line 476) +* CFB Modes: CFB and CFB8. (line 6) +* CFB8 Mode: CFB and CFB8. (line 6) +* CFB8_CTX: CFB and CFB8. (line 112) +* cfb8_decrypt: CFB and CFB8. (line 73) +* CFB8_DECRYPT: CFB and CFB8. (line 131) +* cfb8_encrypt: CFB and CFB8. (line 70) +* CFB8_ENCRYPT: CFB and CFB8. (line 124) +* CFB8_SET_IV: CFB and CFB8. (line 119) +* CFB_CTX: CFB and CFB8. (line 86) +* cfb_decrypt: CFB and CFB8. (line 55) +* CFB_DECRYPT: CFB and CFB8. (line 105) +* cfb_encrypt: CFB and CFB8. (line 52) +* CFB_ENCRYPT: CFB and CFB8. (line 98) +* CFB_SET_IV(CTX,: CFB and CFB8. (line 93) +* ChaCha: Cipher functions. (line 531) +* chacha_crypt: Cipher functions. (line 569) +* chacha_crypt32: Cipher functions. (line 601) +* chacha_poly1305_decrypt: ChaCha-Poly1305. (line 63) +* chacha_poly1305_digest: ChaCha-Poly1305. (line 69) +* chacha_poly1305_encrypt: ChaCha-Poly1305. (line 61) +* chacha_poly1305_set_key: ChaCha-Poly1305. (line 48) +* chacha_poly1305_set_nonce: ChaCha-Poly1305. (line 53) +* chacha_poly1305_update: ChaCha-Poly1305. (line 57) +* chacha_set_counter: Cipher functions. (line 561) +* chacha_set_counter32: Cipher functions. (line 595) +* chacha_set_key: Cipher functions. 
(line 549) +* chacha_set_nonce: Cipher functions. (line 555) +* chacha_set_nonce96: Cipher functions. (line 590) * Cipher: Cipher functions. (line 6) * Cipher Block Chaining: CBC. (line 6) -* Cipher Feedback Mode: CFB. (line 6) +* Cipher Feedback 8-bit Mode: CFB and CFB8. (line 6) +* Cipher Feedback Mode: CFB and CFB8. (line 6) +* CMAC: CMAC. (line 6) +* CMAC-128: CMAC. (line 6) +* CMAC-64: CMAC. (line 6) +* cmac_aes128_digest: CMAC. (line 33) +* cmac_aes128_set_key: CMAC. (line 25) +* cmac_aes128_update: CMAC. (line 29) +* cmac_aes256_digest: CMAC. (line 49) +* cmac_aes256_set_key: CMAC. (line 41) +* cmac_aes256_update: CMAC. (line 45) +* cmac_des3_digest: CMAC. (line 70) +* cmac_des3_set_key: CMAC. (line 62) +* cmac_des3_update: CMAC. (line 66) * Collision-resistant: Hash functions. (line 18) * Conditional entropy: Randomness. (line 51) * Counter Mode: CTR. (line 6) 
@@ -5327,17 +6225,28 @@ * CTR_CRYPT: CTR. (line 60) * CTR_CTX: CTR. (line 48) * CTR_SET_COUNTER: CTR. (line 55) -* Curve 25519: Curve 25519. (line 6) -* curve25519_mul: Curve 25519. (line 60) -* curve25519_mul_g: Curve 25519. (line 51) -* des3_decrypt: Cipher functions. (line 606) -* des3_encrypt: Cipher functions. (line 599) -* des3_set_key: Cipher functions. (line 588) -* des_check_parity: Cipher functions. (line 533) -* des_decrypt: Cipher functions. (line 529) -* des_encrypt: Cipher functions. (line 522) -* des_fix_parity: Cipher functions. (line 537) -* des_set_key: Cipher functions. (line 515) +* Curve 25519: Curve 25519 and Curve 448. + (line 6) +* Curve 448: Curve 25519 and Curve 448. + (line 6) +* curve25519_mul: Curve 25519 and Curve 448. + (line 60) +* curve25519_mul_g: Curve 25519 and Curve 448. + (line 51) +* curve448_mul: Curve 25519 and Curve 448. + (line 91) +* curve448_mul_g: Curve 25519 and Curve 448. + (line 82) +* DES: Cipher functions. (line 610) +* DES3: Cipher functions. (line 665) +* des3_decrypt: Cipher functions. (line 724) +* des3_encrypt: Cipher functions. (line 717) +* des3_set_key: Cipher functions. (line 706) +* des_check_parity: Cipher functions. (line 651) +* des_decrypt: Cipher functions. (line 647) +* des_encrypt: Cipher functions. (line 640) +* des_fix_parity: Cipher functions. (line 655) +* des_set_key: Cipher functions. (line 633) * dsa_compat_generate_keypair: DSA. (line 300) * dsa_generate_keypair: DSA. (line 198) * dsa_generate_params: DSA. (line 131) 
@@ -5389,10 +6298,20 @@ * ecdsa_generate_keypair: ECDSA. (line 93) * ecdsa_sign: ECDSA. (line 75) * ecdsa_verify: ECDSA. (line 84) -* ed25519_sha512_public_key: Curve 25519. (line 100) -* ed25519_sha512_sign: Curve 25519. (line 105) -* ed25519_sha512_verify: Curve 25519. (line 110) -* eddsa: Curve 25519. (line 73) +* ed25519_sha512_public_key: Curve 25519 and Curve 448. + (line 131) +* ed25519_sha512_sign: Curve 25519 and Curve 448. + (line 136) +* ed25519_sha512_verify: Curve 25519 and Curve 448. + (line 141) +* ed448_shake256_public_key: Curve 25519 and Curve 448. + (line 155) +* ed448_shake256_sign: Curve 25519 and Curve 448. + (line 160) +* ed448_shake256_verify: Curve 25519 and Curve 448. + (line 165) +* eddsa: Curve 25519 and Curve 448. + (line 104) * Entropy: Randomness. (line 51) * Galois Counter Mode: GCM. (line 6) * GCM: GCM. (line 6) @@ -5447,12 +6366,24 @@ * GCM_SET_KEY: GCM. (line 111) * gcm_update: GCM. (line 55) * GCM_UPDATE: GCM. (line 120) +* GOST DSA: GOSTDSA. (line 6) +* GOST hash: Legacy hash functions. + (line 189) +* gostdsa_sign: GOSTDSA. (line 30) +* gostdsa_verify: GOSTDSA. (line 39) +* gostdsa_vko: GOSTDSA. (line 68) +* gosthash94cp_digest: Legacy hash functions. + (line 239) +* gosthash94cp_init: Legacy hash functions. + (line 232) +* gosthash94cp_update: Legacy hash functions. + (line 235) * gosthash94_digest: Legacy hash functions. - (line 209) + (line 214) * gosthash94_init: Legacy hash functions. - (line 202) + (line 207) * gosthash94_update: Legacy hash functions. - (line 205) + (line 210) * Hash function: Hash functions. (line 6) * HKDF: Key derivation functions. (line 16) 
@@ -5519,23 +6450,20 @@ * nettle_aead: nettle_aead abstraction. (line 6) * nettle_aeads: nettle_aead abstraction. - (line 6) -* nettle_aeads <1>: nettle_aead abstraction. (line 33) -* nettle_cipher: Cipher functions. (line 774) -* nettle_ciphers: Cipher functions. (line 774) -* nettle_ciphers <1>: Cipher functions. (line 821) +* nettle_cipher: Cipher functions. (line 892) +* nettle_ciphers: Cipher functions. (line 939) * nettle_get_aeads: nettle_aead abstraction. - (line 6) -* nettle_get_ciphers: Cipher functions. (line 774) + (line 28) +* nettle_get_ciphers: Cipher functions. (line 934) +* nettle_get_gost_gc256b(void): GOSTDSA. (line 51) +* nettle_get_gost_gc512a(void): GOSTDSA. (line 57) * nettle_get_hashes: nettle_hash abstraction. - (line 6) + (line 34) * nettle_hash: nettle_hash abstraction. (line 6) * nettle_hashes: nettle_hash abstraction. - (line 6) -* nettle_hashes <1>: nettle_hash abstraction. - (line 38) + (line 39) * One-way: Hash functions. (line 14) * One-way function: Public-key algorithms. (line 18) @@ -5544,13 +6472,17 @@ * PBKDF: Key derivation functions. (line 58) * pbkdf2: Key derivation functions. - (line 67) + (line 68) * PBKDF2: Key derivation functions. - (line 83) + (line 84) * pbkdf2_hmac_sha1: Key derivation functions. - (line 102) + (line 103) * pbkdf2_hmac_sha256: Key derivation functions. - (line 113) + (line 114) +* pbkdf2_hmac_sha384: Key derivation functions. + (line 126) +* pbkdf2_hmac_sha512: Key derivation functions. + (line 138) * PKCS #5: Key derivation functions. (line 58) * poly1305_aes_digest: Poly1305. (line 56) @@ -5560,6 +6492,8 @@ * Public Key Cryptography: Public-key algorithms. (line 18) * Randomness: Randomness. (line 6) +* RC2: Cipher functions. (line 225) +* RC4: Cipher functions. (line 169) * ripemd160_digest: Legacy hash functions. (line 143) * ripemd160_init: Legacy hash functions. 
@@ -5611,15 +6545,17 @@ * rsa_sha512_sign_tr(const: RSA. (line 158) * rsa_sha512_verify: RSA. (line 250) * rsa_sha512_verify_digest: RSA. (line 262) -* salsa20r12_crypt: Cipher functions. (line 691) -* salsa20_128_set_key: Cipher functions. (line 656) -* salsa20_256_set_key: Cipher functions. (line 658) -* salsa20_crypt: Cipher functions. (line 676) -* salsa20_set_key: Cipher functions. (line 660) -* salsa20_set_nonce: Cipher functions. (line 670) -* serpent_decrypt: Cipher functions. (line 731) -* serpent_encrypt: Cipher functions. (line 724) -* serpent_set_key: Cipher functions. (line 719) +* Salsa20: Cipher functions. (line 731) +* salsa20r12_crypt: Cipher functions. (line 809) +* salsa20_128_set_key: Cipher functions. (line 774) +* salsa20_256_set_key: Cipher functions. (line 776) +* salsa20_crypt: Cipher functions. (line 794) +* salsa20_set_key: Cipher functions. (line 778) +* salsa20_set_nonce: Cipher functions. (line 788) +* Serpent: Cipher functions. (line 817) +* serpent_decrypt: Cipher functions. (line 849) +* serpent_encrypt: Cipher functions. (line 842) +* serpent_set_key: Cipher functions. (line 837) * sha1_digest: Legacy hash functions. (line 177) * sha1_init: Legacy hash functions. @@ -5656,6 +6592,8 @@ (line 244) * sha3_256_init: Recommended hash functions. (line 237) +* sha3_256_shake: Recommended hash functions. + (line 330) * sha3_256_update: Recommended hash functions. (line 240) * sha3_384_digest: Recommended hash functions. 
@@ -5688,17 +6626,36 @@ (line 96) * sha512_update: Recommended hash functions. (line 99) +* SHAKE: Recommended hash functions. + (line 318) * Side-channel attack: Side-channel silence. (line 6) +* SIV mode: SIV-CMAC. (line 6) +* SIV-CMAC mode: SIV-CMAC. (line 6) +* siv_cmac_aes128_decrypt_message: SIV-CMAC. (line 83) +* siv_cmac_aes128_encrypt_message: SIV-CMAC. (line 70) +* siv_cmac_aes128_set_key: SIV-CMAC. (line 62) +* siv_cmac_aes256_decrypt_message: SIV-CMAC. (line 87) +* siv_cmac_aes256_encrypt_message: SIV-CMAC. (line 74) +* siv_cmac_aes256_set_key: SIV-CMAC. (line 64) * Stream Cipher: Cipher functions. (line 12) -* struct: nettle_hash abstraction. - (line 33) -* struct <1>: Cipher functions. (line 816) -* struct <2>: nettle_aead abstraction. - (line 28) -* twofish_decrypt: Cipher functions. (line 767) -* twofish_encrypt: Cipher functions. (line 760) -* twofish_set_key: Cipher functions. (line 755) +* streebog256_digest: Miscellaneous hash functions. + (line 62) +* streebog256_init: Miscellaneous hash functions. + (line 55) +* streebog256_update: Miscellaneous hash functions. + (line 58) +* streebog512_digest: Miscellaneous hash functions. + (line 29) +* streebog512_init: Miscellaneous hash functions. + (line 22) +* streebog512_update: Miscellaneous hash functions. + (line 25) +* Triple-DES: Cipher functions. (line 665) +* Twofish: Cipher functions. (line 856) +* twofish_decrypt: Cipher functions. (line 885) +* twofish_encrypt: Cipher functions. (line 878) +* twofish_set_key: Cipher functions. (line 873) * UMAC: UMAC. (line 6) * umac128_digest: UMAC. (line 113) * umac128_set_key: UMAC. (line 76) 
@@ -5716,6 +6673,19 @@ * umac96_set_key: UMAC. (line 74) * umac96_set_nonce: UMAC. (line 85) * umac96_update: UMAC. (line 100) +* XEX-based tweaked-codebook mode with ciphertext stealing: XTS. + (line 6) +* XTS Mode: XTS. (line 6) +* xts_aes128_decrypt_message(struct: XTS. (line 138) +* xts_aes128_encrypt_message(struct: XTS. (line 132) +* xts_aes128_set_decrypt_key: XTS. (line 122) +* xts_aes128_set_encrypt_key: XTS. (line 118) +* xts_aes256_decrypt_message(struct: XTS. (line 141) +* xts_aes256_encrypt_message(struct: XTS. (line 135) +* xts_aes256_set_decrypt_key: XTS. (line 124) +* xts_aes256_set_encrypt_key: XTS. (line 120) +* xts_decrypt_message: XTS. (line 83) +* xts_encrypt_message: XTS. (line 80) * yarrow256_fast_reseed: Randomness. (line 274) * yarrow256_init: Randomness. (line 223) * yarrow256_is_seeded: Randomness. (line 264) 
@@ -5731,48 +6701,55 @@  Tag Table: Node: Top543 -Node: Introduction2677 -Node: Copyright4256 -Node: Conventions9106 -Node: Example11260 -Node: Linking12510 -Node: Reference13371 -Node: Hash functions13919 -Node: Recommended hash functions15453 -Node: Legacy hash functions26984 -Node: nettle_hash abstraction34838 -Node: Cipher functions37000 -Node: Cipher modes72964 -Node: CBC74100 -Node: CTR77492 -Node: CFB80105 -Node: Authenticated encryption83270 -Node: EAX86623 -Node: GCM92796 -Node: CCM105633 -Node: ChaCha-Poly1305118419 -Node: nettle_aead abstraction122294 -Node: Keyed hash functions123981 -Node: HMAC125623 -Node: UMAC133643 -Node: Poly1305139518 -Node: Key derivation functions142175 -Node: Public-key algorithms148301 -Node: RSA152372 -Node: RSA-Footnotes172969 -Ref: RSA-Footnote-1173022 -Node: DSA173200 -Node: Elliptic curves188680 -Node: Side-channel silence190039 -Node: ECDSA191486 -Node: Curve 25519196234 -Node: Randomness201752 -Node: ASCII encoding217107 -Node: Miscellaneous functions223834 -Node: Compatibility functions224994 -Node: Nettle soup226342 -Node: Installation227339 -Node: Index228715 +Node: Introduction2768 +Node: Copyright4347 +Node: Conventions9318 +Node: Example11472 +Node: Linking12771 +Node: Compatibility13636 +Node: Reference17262 +Node: Hash functions17713 +Node: Recommended hash functions19280 +Node: Miscellaneous hash functions31803 +Node: Legacy hash functions34411 +Ref: GOSTHASH94CP41165 +Node: nettle_hash abstraction43595 +Node: Cipher functions45819 +Node: Cipher modes87187 +Node: CBC88370 +Node: CTR91762 +Node: CFB and CFB894384 +Node: XTS100166 +Node: Authenticated encryption106537 +Node: EAX109828 +Node: GCM116003 +Node: CCM128840 +Node: ChaCha-Poly1305141628 +Node: SIV-CMAC145132 +Node: nettle_aead abstraction149881 +Node: Keyed hash functions151570 +Node: HMAC153221 +Node: UMAC161241 +Node: CMAC167116 +Node: Poly1305170423 +Node: Key derivation functions173080 +Node: Public-key algorithms180318 +Node: RSA184389 +Node: 
RSA-Footnotes204986 +Ref: RSA-Footnote-1205039 +Node: DSA205217 +Node: Elliptic curves220697 +Node: Side-channel silence222082 +Node: ECDSA223529 +Node: GOSTDSA228273 +Node: Curve 25519 and Curve 448232269 +Node: Randomness240182 +Node: ASCII encoding255537 +Node: Miscellaneous functions262264 +Node: Compatibility functions263424 +Node: Nettle soup264113 +Node: Installation265110 +Node: Index266486  End Tag Table diff -Nru nettle-3.4.1/nettle-internal.h nettle-3.7.3/nettle-internal.h --- nettle-3.4.1/nettle-internal.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/nettle-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -35,20 +35,41 @@ #ifndef NETTLE_INTERNAL_H_INCLUDED #define NETTLE_INTERNAL_H_INCLUDED +#include + #include "nettle-meta.h" +/* For definition of NETTLE_MAX_HASH_CONTEXT_SIZE. */ +#include "sha3.h" + /* Temporary allocation, for systems that don't support alloca. Note * that the allocation requests should always be reasonably small, so * that they can fit on the stack. For non-alloca systems, we use a - * fix maximum size, and abort if we ever need anything larger. */ + * fix maximum size + an assert. + * + * TMP_DECL and TMP_ALLOC allocate an array of the given type, and + * take the array size (not byte size) as argument. + * + * TMP_DECL_ALIGN and TMP_ALLOC_ALIGN are intended for context + * structs, which need proper alignment. They take the size in bytes, + * and produce a void *. On systems without alloca, implemented as an + * array of uint64_t, to ensure alignment. Since it is used as void * + * argument, no type casts are needed. + */ #if HAVE_ALLOCA # define TMP_DECL(name, type, max) type *name # define TMP_ALLOC(name, size) (name = alloca(sizeof (*name) * (size))) +# define TMP_DECL_ALIGN(name, max) void *name +# define TMP_ALLOC_ALIGN(name, size) (name = alloca(size)) #else /* !HAVE_ALLOCA */ # define TMP_DECL(name, type, max) type name[max] # define TMP_ALLOC(name, size) \ - do { if ((size) > (sizeof(name) / sizeof(name[0]))) abort(); } while (0) + do { assert((size_t)(size) <= (sizeof(name) / sizeof(name[0]))); } while (0) +# define TMP_DECL_ALIGN(name, max) \ + uint64_t name[((max) + (sizeof(uint64_t) - 1))/ sizeof(uint64_t)] +# define TMP_ALLOC_ALIGN(name, size) \ + do { assert((size_t)(size) <= (sizeof(name))); } while (0) #endif /* Arbitrary limits which apply to systems that don't have alloca */ 
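Review bot: In the `!HAVE_ALLOCA` branch, replacing `abort()` with `assert()` in `TMP_ALLOC` (and in the new `TMP_ALLOC_ALIGN`) means a build compiled with `NDEBUG` loses the bound check entirely, so an oversized request no longer terminates the process but lets the caller write past the fixed `type name[max]` / `uint64_t name[...]` stack array. Since the header comment already says requests are expected to be small, keeping a hard check costs nothing: `do { if ((size_t)(size) > (sizeof(name) / sizeof(name[0]))) abort(); } while (0)` for `TMP_ALLOC` and `do { if ((size_t)(size) > sizeof(name)) abort(); } while (0)` for `TMP_ALLOC_ALIGN`; failing that, the comment should state explicitly that the maximum is a caller invariant that release builds do not enforce. Note also that the `HAVE_ALLOCA` variants perform no bounding at all, which is pre-existing for `TMP_ALLOC` but now extends to `TMP_ALLOC_ALIGN`. The system header name after the first added `#include` is lost in this rendering; presumably it is `<assert.h>`, which the new macros require.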
@@ -76,6 +97,9 @@ extern const struct nettle_aead nettle_chacha; extern const struct nettle_aead nettle_salsa20; extern const struct nettle_aead nettle_salsa20r12; +extern const struct nettle_aead nettle_openssl_gcm_aes128; +extern const struct nettle_aead nettle_openssl_gcm_aes192; +extern const struct nettle_aead nettle_openssl_gcm_aes256; /* Glue to openssl, for comparative benchmarking. Code in * examples/nettle-openssl.c. */ @@ -86,9 +110,10 @@ extern const struct nettle_cipher nettle_openssl_blowfish128; extern const struct nettle_cipher nettle_openssl_des; extern const struct nettle_cipher nettle_openssl_cast128; -extern const struct nettle_aead nettle_openssl_arcfour128; extern const struct nettle_hash nettle_openssl_md5; extern const struct nettle_hash nettle_openssl_sha1; +extern const struct nettle_hash * const _nettle_hashes[]; + #endif /* NETTLE_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/nettle-lookup-hash.c nettle-3.7.3/nettle-lookup-hash.c --- nettle-3.4.1/nettle-lookup-hash.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/nettle-lookup-hash.c 2021-06-06 20:06:29.000000000 +0000 @@ -37,15 +37,14 @@ #include #include "nettle-meta.h" - -#undef nettle_hashes +#include "nettle-internal.h" const struct nettle_hash * nettle_lookup_hash (const char *name) { unsigned i; - for (i = 0; nettle_hashes[i]; i++) - if (!strcmp (name, nettle_hashes[i]->name)) - return nettle_hashes[i]; + for (i = 0; _nettle_hashes[i]; i++) + if (!strcmp (name, _nettle_hashes[i]->name)) + return _nettle_hashes[i]; return NULL; } diff -Nru nettle-3.4.1/nettle-meta-aeads.c nettle-3.7.3/nettle-meta-aeads.c --- nettle-3.4.1/nettle-meta-aeads.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/nettle-meta-aeads.c 2021-06-06 20:06:29.000000000 +0000 @@ -37,9 +37,7 @@ #include "nettle-meta.h" -#undef nettle_aeads - -const struct nettle_aead * const nettle_aeads[] = { +const struct nettle_aead * const _nettle_aeads[] = { &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, 
@@ -53,5 +51,5 @@ const struct nettle_aead * const * nettle_get_aeads (void) { - return nettle_aeads; + return _nettle_aeads; } diff -Nru nettle-3.4.1/nettle-meta-armors.c nettle-3.7.3/nettle-meta-armors.c --- nettle-3.4.1/nettle-meta-armors.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/nettle-meta-armors.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,9 +36,7 @@ #include #include "nettle-meta.h" -#undef nettle_armors - -const struct nettle_armor * const nettle_armors[] = { +const struct nettle_armor * const _nettle_armors[] = { &nettle_base64, &nettle_base64url, &nettle_base16, @@ -48,5 +46,5 @@ const struct nettle_armor * const * nettle_get_armors (void) { - return nettle_armors; + return _nettle_armors; } diff -Nru nettle-3.4.1/nettle-meta-ciphers.c nettle-3.7.3/nettle-meta-ciphers.c --- nettle-3.4.1/nettle-meta-ciphers.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/nettle-meta-ciphers.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,9 +36,7 @@ #include #include "nettle-meta.h" -#undef nettle_ciphers - -const struct nettle_cipher * const nettle_ciphers[] = { +const struct nettle_cipher * const _nettle_ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, @@ -62,5 +60,5 @@ const struct nettle_cipher * const * nettle_get_ciphers (void) { - return nettle_ciphers; + return _nettle_ciphers; } diff -Nru nettle-3.4.1/nettle-meta.h nettle-3.7.3/nettle-meta.h --- nettle-3.4.1/nettle-meta.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/nettle-meta.h 2021-06-06 20:06:29.000000000 +0000 @@ -2,7 +2,7 @@ Information about algorithms. - Copyright (C) 2002, 2014 Niels Möller + Copyright (C) 2002, 2014, 2020 Niels Möller This file is part of GNU Nettle. 
@@ -60,16 +60,8 @@ nettle_cipher_func *decrypt; }; -/* FIXME: Rename with leading underscore, but keep current name (and - size!) for now, for ABI compatibility with nettle-3.1, soname - libnettle.so.6. */ /* null-terminated list of ciphers implemented by this version of nettle */ -extern const struct nettle_cipher * const nettle_ciphers[]; - -const struct nettle_cipher * const * -#ifdef __GNUC__ -__attribute__((pure)) -#endif +const struct nettle_cipher * const * _NETTLE_ATTRIBUTE_PURE nettle_get_ciphers (void); #define nettle_ciphers (nettle_get_ciphers()) @@ -125,16 +117,8 @@ (nettle_hash_digest_func *) name##_digest \ } -/* FIXME: Rename with leading underscore, but keep current name (and - size!) for now, for ABI compatibility with nettle-3.1, soname - libnettle.so.6. */ /* null-terminated list of digests implemented by this version of nettle */ -extern const struct nettle_hash * const nettle_hashes[]; - -const struct nettle_hash * const * -#ifdef __GNUC__ -__attribute__((pure)) -#endif +const struct nettle_hash * const * _NETTLE_ATTRIBUTE_PURE nettle_get_hashes (void); #define nettle_hashes (nettle_get_hashes()) @@ -146,6 +130,7 @@ extern const struct nettle_hash nettle_md4; extern const struct nettle_hash nettle_md5; extern const struct nettle_hash nettle_gosthash94; +extern const struct nettle_hash nettle_gosthash94cp; extern const struct nettle_hash nettle_ripemd160; extern const struct nettle_hash nettle_sha1; extern const struct nettle_hash nettle_sha224; 
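Review bot: Dropping the exported `nettle_ciphers[]` data symbol here (and `nettle_hashes[]` in the next hunk) is an ABI break for any binary that resolved those arrays directly, which the deleted FIXME says were kept precisely for compatibility with the libnettle.so.6 soname. That is acceptable only if this release also bumps the shared-library soname and records the removal in NEWS; neither is visible in this diff, so please confirm both. A short comment next to the accessor would spare future readers the same question: `/* The table itself is internal (_nettle_ciphers); only this accessor is part of the ABI. */`.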
@@ -158,6 +143,26 @@ extern const struct nettle_hash nettle_sha3_256; extern const struct nettle_hash nettle_sha3_384; extern const struct nettle_hash nettle_sha3_512; +extern const struct nettle_hash nettle_streebog256; +extern const struct nettle_hash nettle_streebog512; + +struct nettle_mac +{ + const char *name; + + /* Size of the context struct */ + unsigned context_size; + + /* Size of digests */ + unsigned digest_size; + + /* Key size */ + unsigned key_size; + + nettle_set_key_func *set_key; + nettle_hash_update_func *update; + nettle_hash_digest_func *digest; +}; struct nettle_aead { @@ -180,17 +185,9 @@ nettle_hash_digest_func *digest; }; -/* FIXME: Rename with leading underscore, but keep current name (and - size!) for now, for ABI compatibility with nettle-3.1, soname - libnettle.so.6. */ /* null-terminated list of aead constructions implemented by this version of nettle */ -extern const struct nettle_aead * const nettle_aeads[]; - -const struct nettle_aead * const * -#ifdef __GNUC__ -__attribute__((pure)) -#endif +const struct nettle_aead * const * _NETTLE_ATTRIBUTE_PURE nettle_get_aeads (void); #define nettle_aeads (nettle_get_aeads()) @@ -252,16 +249,8 @@ (nettle_armor_decode_final_func *) name##_decode_final, \ } -/* FIXME: Rename with leading underscore, but keep current name (and - size!) for now, for ABI compatibility with nettle-3.1, soname - libnettle.so.6. */ /* null-terminated list of armor schemes implemented by this version of nettle */ -extern const struct nettle_armor * const nettle_armors[]; - -const struct nettle_armor * const * -#ifdef __GNUC__ -__attribute__((pure)) -#endif +const struct nettle_armor * const * _NETTLE_ATTRIBUTE_PURE nettle_get_armors (void); #define nettle_armors (nettle_get_armors()) 
@@ -270,6 +259,38 @@ extern const struct nettle_armor nettle_base64url; extern const struct nettle_armor nettle_base16; +#define _NETTLE_HMAC(name, HASH) { \ + #name, \ + sizeof(struct name##_ctx), \ + HASH##_DIGEST_SIZE, \ + HASH##_DIGEST_SIZE, \ + name##_set_key_wrapper, \ + (nettle_hash_update_func *) name##_update, \ + (nettle_hash_digest_func *) name##_digest, \ +} + +/* null-terminated list of macs implemented by this + version of nettle */ +const struct nettle_mac * const * _NETTLE_ATTRIBUTE_PURE +nettle_get_macs (void); + +#define nettle_macs (nettle_get_macs()) + +extern const struct nettle_mac nettle_cmac_aes128; +extern const struct nettle_mac nettle_cmac_aes256; +extern const struct nettle_mac nettle_cmac_des3; + +/* HMAC variants with key size = digest size */ +extern const struct nettle_mac nettle_hmac_md5; +extern const struct nettle_mac nettle_hmac_ripemd160; +extern const struct nettle_mac nettle_hmac_sha1; +extern const struct nettle_mac nettle_hmac_sha224; +extern const struct nettle_mac nettle_hmac_sha256; +extern const struct nettle_mac nettle_hmac_sha384; +extern const struct nettle_mac nettle_hmac_sha512; +extern const struct nettle_mac nettle_hmac_streebog256; +extern const struct nettle_mac nettle_hmac_streebog512; + #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/nettle-meta-hashes.c nettle-3.7.3/nettle-meta-hashes.c --- nettle-3.4.1/nettle-meta-hashes.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/nettle-meta-hashes.c 2021-06-06 20:06:29.000000000 +0000 @@ -37,9 +37,9 @@ #include "nettle-meta.h" -#undef nettle_hashes - -const struct nettle_hash * const nettle_hashes[] = { +const struct nettle_hash * const _nettle_hashes[] = { + &nettle_gosthash94, + &nettle_gosthash94cp, &nettle_md2, &nettle_md4, &nettle_md5, 
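Review bot: The new `_NETTLE_HMAC` initializer macro has no comment explaining why both `digest_size` and `key_size` are set to `HASH##_DIGEST_SIZE`, or where `name##_set_key_wrapper` is expected to come from; the only hint is the `/* HMAC variants with key size = digest size */` line further down, which a reader of the macro will not have seen yet. I would add above the macro: `/* Initializer for a struct nettle_mac describing HMAC over HASH. The key is fixed at HASH_DIGEST_SIZE bytes; name##_set_key_wrapper must be provided by the hmac-*-meta.c file that uses this macro. */` (the wrapper's location is inferred from the naming, so adjust if it lives elsewhere). The casts of `name##_update` and `name##_digest` to the generic function-pointer types follow the existing `_NETTLE_HASH` pattern, so I am not raising them separately.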
@@ -53,11 +53,13 @@ &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, + &nettle_streebog256, + &nettle_streebog512, NULL }; const struct nettle_hash * const * nettle_get_hashes (void) { - return nettle_hashes; + return _nettle_hashes; } diff -Nru nettle-3.4.1/nettle-meta-macs.c nettle-3.7.3/nettle-meta-macs.c --- nettle-3.4.1/nettle-meta-macs.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/nettle-meta-macs.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,60 @@ +/* nettle-meta-macs.c + + Copyright (C) 2020 Daiki Ueno + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "nettle-meta.h" + +const struct nettle_mac * const _nettle_macs[] = { + &nettle_cmac_aes128, + &nettle_cmac_aes256, + &nettle_cmac_des3, + &nettle_hmac_md5, + &nettle_hmac_ripemd160, + &nettle_hmac_sha1, + &nettle_hmac_sha224, + &nettle_hmac_sha256, + &nettle_hmac_sha384, + &nettle_hmac_sha512, + &nettle_hmac_streebog256, + &nettle_hmac_streebog512, + NULL +}; + +const struct nettle_mac * const * +nettle_get_macs (void) +{ + return _nettle_macs; +} Binary files /tmp/tmp35z_hsg2/hP6co4JvyK/nettle-3.4.1/nettle.pdf and /tmp/tmp35z_hsg2/6vYqF7z5Tg/nettle-3.7.3/nettle.pdf differ diff -Nru nettle-3.4.1/nettle.texinfo nettle-3.7.3/nettle.texinfo --- nettle-3.4.1/nettle.texinfo 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/nettle.texinfo 2021-06-06 20:06:29.000000000 +0000 
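Review bot: `_nettle_macs[]` is defined with external linkage but, unlike `_nettle_hashes` which gains an `extern` declaration in nettle-internal.h in this same diff, it is declared in neither nettle-internal.h nor nettle-meta.h, so nothing checks that any other translation unit's view of it matches this definition and `-Wmissing-variable-declarations` will flag it. Either make it `static` if `nettle_get_macs` is its only consumer, or add `extern const struct nettle_mac * const _nettle_macs[];` to nettle-internal.h beside `_nettle_hashes`, unless a declaration already exists in a header outside this diff. The same inconsistency applies to the renamed `_nettle_aeads`, `_nettle_ciphers` and `_nettle_armors` tables earlier in the diff. The file also lacks a one-line header comment; `/* Table of MAC algorithms exposed through nettle_get_macs(). */` above the array would match the other meta files' style.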
@@ -62,6 +62,7 @@ * Conventions:: General interface conventions. * Example:: An example program. * Linking:: Linking with libnettle and libhogweed. +* Compatibility:: On API and ABI compatibility between versions. * Reference:: All Nettle functions and features. * Nettle soup:: For the serious nettle hacker. * Installation:: How to install Nettle. @@ -86,21 +87,32 @@ Hash functions * Recommended hash functions:: +* Miscellaneous hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: Cipher modes -* CBC:: -* CTR:: -* CFB:: +* CBC:: +* CTR:: +* CFB and CFB8:: +* XTS:: + +Authenticated encryption with associated data + +* EAX:: * GCM:: * CCM:: +* ChaCha-Poly1305:: +* SIV-CMAC:: +* nettle_aead abstraction:: Keyed Hash Functions * HMAC:: * UMAC:: +* CMAC:: +* Poly1305:: Public-key algorithms @@ -112,7 +124,8 @@ * Side-channel silence:: * ECDSA:: -* Curve 25519:: +* GOSTDSA:: +* Curve 25519 and Curve 448:: @end detailmenu @end menu @@ -271,6 +284,9 @@ @item UMAC Written by @value{AUTHOR}. +@item CMAC +Written by Nikos Mavrogiannopoulos, @value{AUTHOR}, Jeremy Allison, Michael Adam and Stefan Metzmacher. + @item RSA Written by @value{AUTHOR}. Uses the GMP library for bignum operations. @@ -344,7 +360,7 @@ gcc sha-example.c -o sha-example -lnettle @end example -@node Linking, Reference, Example, Top +@node Linking, Compatibility, Example, Top @comment node-name, next, previous, up @chapter Linking 
@@ -362,7 +378,72 @@ may be sufficient to link with just @code{-lhogweed}, and the loader will resolve the dependencies automatically. -@node Reference, Nettle soup, Linking, Top +@node Compatibility, Reference, Linking, Top +@comment node-name, next, previous, up +@chapter Compatibility +@cindex ABI compatibility +@cindex API compatibility +@cindex Binary compatibility + +When you write a program using the Nettle library, it's desirable to +have it work together not only with exactly the same version of Nettle +you had at hand, but with other current and future versions. If a +different version of Nettle is used at compile time, i.e., you recompile +it using the header and library files belonging to a different version, +we talk about API compatibility (for Application Programming Interface). +If a different version of Nettle isn't used until link time, we talk +about ABI compatibility (Application Binary Interface) or binary +compatibility. ABI compatibility matters mainly when using dynamic +linking with a shared library. E.g., a user has an executable linking at +run-time with @file{libnettle.so}, and then updates to a later version +of the shared library, without updating or recompiling the executable. + +Nettle aims to provide backwards compatibility, i.e., a program written +for a particular version of the Nettle library should usually work fine +with later version of the library. Note that the opposite is not +supported: The program should @emph{not} be expected to work with older +versions of the Nettle library; and ABI breakage can be unobvious. E.g, +the later version may define a new library symbol, and let header files +redefine an old API name as an alias for the new symbol. If the later +version ensures that the old symbol is still defined in the library, +this change is backwards compatible: A program compiled using headers +from the older version can be successfully linked with either version of +the library. 
But if you compile the same program using headers from the +later version of the library, and attempt to link with the older +version, you'll get an undefined reference to the new symbol. + +API compatibility is rarely broken; exceptions are noted in the NEWS +file. For example, the key size argument to the function +@code{cast128_set_key} was dropped in the Nettle-3.0 release, and all +programs using that function had to be updated to work with the new +version. + +ABI compatibility is broken occasionally. This is also noted in the NEWS +file, and the name of the shared library is updated to prevent +accidental run-time linking with the wrong version. All programs have to +be recompiled before they can link with the new version. Since names are +different, multiple versions can be installed on the same system, with a +mix of programs linking to one version or the other. + +Under some circumstances, it is possible to have a single program +linking dynamically with two binary incompatible versions of the Nettle +library, thanks to the use of symbol versioning. Consider a program +calling functions in both Nettle and GnuTLS. For the direct dependency +on Nettle, the program is linked with a particular version of the Nettle +shared library. GnuTLS uses Nettle internally, but does not expose any +Nettle data structures or the like in its own ABI. In this situation, +the GnuTLS shared library may link with a different version of the +Nettle library. Then both versions of the Nettle library will be loaded +into the program's address space, and each reference to a symbol will be +resolved to the correct version. + +Finally, some of Nettle's symbols are internal. They carry a leading +underscore, and are not declared in installed header files. They can be +used for local or experimental purposes, but programs referring directly +to those symbols get neither API nor ABI compatibility, not even between +minor versions. 
+ +@node Reference, Nettle soup, Compatibility, Top @comment node-name, next, previous, up @chapter Reference @@ -422,11 +503,12 @@ @menu * Recommended hash functions:: +* Miscellaneous hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: @end menu -@node Recommended hash functions, Legacy hash functions,, Hash functions +@node Recommended hash functions, Miscellaneous hash functions,, Hash functions @comment node-name, next, previous, up @subsection Recommended hash functions 
@@ -763,7 +845,106 @@ This function also resets the context. @end deftypefun -@node Legacy hash functions, nettle_hash abstraction, Recommended hash functions, Hash functions +@subsubsection @acronym{SHAKE-256} +@cindex SHAKE + +In addition to those SHA-3 hash functions, Nettle also provides a SHA-3 +extendable-output function (XOF), SHAKE-256. Unlike SHA-3 hash functions, +SHAKE can produce an output digest of any desired length. + +To use SHAKE256, the context struct, init and update functions are the +same as for SHA3-256. To get a SHAKE256 digest, the following function +is used instead of @code{sha3_256_digest}. For an output size of +@code{SHA3_256_DIGEST_SIZE}, security is equivalent to SHA3-256 (but the +digest is different). Increasing output size further does not increase +security in terms of collision or preimage resistance. It can be seen as +a built in pseudorandomness generator. + +@deftypefun void sha3_256_shake (struct shake256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +Performs final processing and produces a SHAKE256 digest, writing it +to @var{digest}. @var{length} can be of arbitrary size. + +This function also resets the context. +@end deftypefun + +@node Miscellaneous hash functions, Legacy hash functions, Recommended hash functions, Hash functions +@comment node-name, next, previous, up +@subsection Miscellaneous hash functions + +@subsubsection @acronym{STREEBOG512} + +STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It outputs +hash values of 512 bits, or 64 octets. Nettle defines STREEBOG512 in +@file{}. + +@deftp {Context struct} {struct streebog512_ctx} +@end deftp + +@defvr Constant STREEBOG512_DIGEST_SIZE +The size of a STREEBOG512 digest, i.e. 64. +@end defvr + +@defvr Constant STREEBOG512_BLOCK_SIZE +The internal block size of STREEBOG512. Useful for some special constructions, +in particular HMAC-STREEBOG512. 
+@end defvr + +@deftypefun void streebog512_init (struct streebog512_ctx *@var{ctx}) +Initialize the STREEBOG512 state. +@end deftypefun + +@deftypefun void streebog512_update (struct streebog512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +Hash some more data. +@end deftypefun + +@deftypefun void streebog512_digest (struct streebog512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +Performs final processing and extracts the message digest, writing it +to @var{digest}. @var{length} may be smaller than +@code{STREEBOG512_DIGEST_SIZE}, in which case only the first @var{length} +octets of the digest are written. + +This function also resets the context in the same way as +@code{streebog512_init}. +@end deftypefun + +@subsubsection @acronym{STREEBOG256} + +STREEBOG256 is a variant of STREEBOG512, with a different initial state, and with +the output truncated to 256 bits, or 32 octets. Nettle defines STREEBOG256 in +@file{}. + +@deftp {Context struct} {struct streebog256_ctx} +@end deftp + +@defvr Constant STREEBOG256_DIGEST_SIZE +The size of a STREEBOG256 digest, i.e. 32. +@end defvr + +@defvr Constant STREEBOG256_BLOCK_SIZE +The internal block size of STREEBOG256. Useful for some special constructions, +in particular HMAC-STREEBOG256. +@end defvr + +@deftypefun void streebog256_init (struct streebog256_ctx *@var{ctx}) +Initialize the STREEBOG256 state. +@end deftypefun + +@deftypefun void streebog256_update (struct streebog256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +Hash some more data. +@end deftypefun + +@deftypefun void streebog256_digest (struct streebog256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +Performs final processing and extracts the message digest, writing it +to @var{digest}. @var{length} may be smaller than +@code{STREEBOG256_DIGEST_SIZE}, in which case only the first @var{length} +octets of the digest are written. 
+ +This function also resets the context in the same way as +@code{streebog256_init}. +@end deftypefun + + +@node Legacy hash functions, nettle_hash abstraction, Miscellaneous hash functions, Hash functions @comment node-name, next, previous, up @subsection Legacy hash functions @@ -968,12 +1149,19 @@ @end deftypefun -@subsubsection @acronym{GOSTHASH94} +@subsubsection @acronym{GOSTHASH94 and GOSTHASH94CP} +@cindex GOST hash +@anchor{GOSTHASH94CP} The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see @cite{RFC 4357}). -It outputs message digests of 256 bits, or 32 octets. -Nettle defines GOSTHASH94 in @file{}. +It outputs message digests of 256 bits, or 32 octets. The standard itself +does not fix the S-box used by the hash algorith, so there are two popular +variants (the testing S-box from the standard itself and the S-box defined +by CryptoPro company, see RFC 4357). Nettle provides support for the former +S-box in the form of GOSTHASH94 hash algorithm and for the latter in the +form of GOSTHASH94CP hash algorithm. +Nettle defines GOSTHASH94 and GOSTHASH94CP in @file{}. @deftp {Context struct} {struct gosthash94_ctx} @end deftp 
@@ -1004,12 +1192,39 @@ @code{gosthash94_init}. @end deftypefun +@deftp {Context struct} {struct gosthash94cp_ctx} +@end deftp + +@defvr Constant GOSTHASH94CP_DIGEST_SIZE +The size of a GOSTHASH94CP digest, i.e. 32. +@end defvr + +@defvr Constant GOSTHASH94CP_BLOCK_SIZE +The internal block size of GOSTHASH94CP, i.e., 32. +@end defvr + +@deftypefun void gosthash94cp_init (struct gosthash94cp_ctx *@var{ctx}) +Initialize the GOSTHASH94CP state. +@end deftypefun + +@deftypefun void gosthash94cp_update (struct gosthash94cp_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +Hash some more data. +@end deftypefun + +@deftypefun void gosthash94cp_digest (struct gosthash94cp_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +Performs final processing and extracts the message digest, writing it +to @var{digest}. @var{length} may be smaller than +@code{GOSTHASH94CP_DIGEST_SIZE}, in which case only the first @var{length} +octets of the digest are written. + +This function also resets the context in the same way as +@code{gosthash94cp_init}. +@end deftypefun + @node nettle_hash abstraction,, Legacy hash functions, Hash functions @comment node-name, next, previous, up @subsection The @code{struct nettle_hash} abstraction @cindex nettle_hash -@cindex nettle_hashes -@cindex nettle_get_hashes Nettle includes a struct including information about the supported hash functions. It is defined in @file{}, and is used 
@@ -1035,12 +1250,13 @@ @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha512 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha3_256 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_gosthash94 +@deftypevrx {Constant Struct} {struct nettle_hash} nettle_gosthash94cp These are all the hash functions that Nettle implements. @end deftypevr Nettle also exports a list of all these hashes. -@deftypefun const struct nettle_hash **nettle_get_hashes(void) +@deftypefun {const struct nettle_hash **} nettle_get_hashes (void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. @@ -1131,6 +1347,8 @@ decryption. @subsection AES +@cindex AES + AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, @@ -1211,6 +1429,8 @@ @end deftypefun @subsection ARCFOUR +@cindex Arcfour +@cindex RC4 ARCFOUR is a stream cipher, also known under the trade marked name RC4, and it is one of the fastest ciphers around. A problem is that the key setup of ARCFOUR is quite weak, you should never use keys with @@ -1271,6 +1491,8 @@ @end deftypefun @subsection ARCTWO +@cindex Arctwo +@cindex RC2 ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the @@ -1332,6 +1554,7 @@ @end deftypefun @subsection BLOWFISH +@cindex Blowfish BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It 
@@ -1377,7 +1600,78 @@ Analogous to @code{blowfish_encrypt} @end deftypefun +@deftypefun int blowfish_bcrypt_hash (char *@var{dst}, size_t @var{lenkey}, const char *@var{key}, size_t @var{lenscheme}, const char *@var{scheme}, int @var{log2rounds}, const uint8_t *@var{salt}) +Compute the bcrypt password hash. +The function will return @code{0} if the hash cannot be computed +due to invalid input. +The function will return @code{1} and store the computed hash +in the array pointed to by @var{dst}. The hash is computed based +on the chosen @var{scheme}, number of rounds @var{log2rounds} and +specified @var{salt}. + +@var{dst} must point to a character array of at least + @code{BLOWFISH_BCRYPT_HASH_SIZE} bytes. + +@var{key} contains the plaintext password string of size @var{lenkey}. + +@var{scheme} is of size @var{lenscheme} and contains either just the +chosen scheme (valid schemes +are: @code{2a}, @code{2b}, @code{2x} or @code{2y}), or +(the prefix of) an existing hashed password (typically @code{$2b$10$...}). + +@var{log2rounds} contains the log2 of the number of encryption rounds +that must be used to compute the hash. If it is @code{-1} the value +will be extracted from @var{scheme}. + +@var{salt} should point to an array of @code{BLOWFISH_BCRYPT_BINSALT_SIZE} +random bytes to be used to perturb the hash computation. If it is @code{NULL} +the salt will be extracted from @var{scheme}. 
+ +Sample code to generate a bcrypt hash: +@example +char cleartxtpassword[] = "ExamplePassword"; +char scheme[] = "2b"; +uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE]; +@dots{} +/* Make sure that salt is filled with random bytes */ +@dots{} +char hashedresult[BLOWFISH_BCRYPT_HASH_SIZE]; +int result = blowfish_bcrypt(hashedresult, + sizeof(cleartxtpassword) - 1, cleartxtpassword, + sizeof(scheme) - 1, scheme, 10, salt); +if (result) + printf("%s\n", hashedresult); +@end example +@end deftypefun + +@deftypefun int blowfish_bcrypt_verify (size_t @var{lenkey}, const char *@var{key}, size_t @var{lenhashed}, const char *@var{hashed}) +Verifies the bcrypt password hash against the supplied plaintext password. +The function will return @code{0} if the password does not match. +The function will return @code{1} if the password matches. + +@var{key} contains the plaintext password string of size @var{lenkey}. + +@var{hashed} contains the hashed string of size @var{lenhashed} to compare with. + +Sample code to verify a bcrypt hash: +@example +char cleartxtpassword[] = "ExamplePassword"; +char existinghashed[] = + "$2y$" /* Hash algorithm version */ + "10" /* 2^10 hash rounds (strength) */ + "$" /* separator */ + "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */ + "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */ +if (blowfish_bcrypt_verify(sizeof(cleartxtpassword) - 1, cleartxtpassword, + sizeof(existinghashed) - 1, existinghashed)) + printf("Password is correct."); +else + printf("Password is incorrect."); +@end example +@end deftypefun + @subsection Camellia +@cindex Camellia Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in @cite{RFC3713}. It is 
@@ -1459,10 +1753,15 @@ @end deftypefun @subsection CAST128 +@cindex CAST CAST-128 is a block cipher, specified in @cite{RFC 2144}. It uses a 64 -bit (8 octets) block size, and a variable key size of up to 128 bits. -Nettle defines cast128 in @file{}. +bit (8 octets) block size, and a key size of 128 bits. It is possible, +but discouraged, to use the same algorithm with shorter keys. Nettle +refers to the variant with variable key size as CAST-5. Keys for CAST-5 +are zero padded to 128 bits, and with very short keys, less than 80 +bits, encryption also uses fewer rounds than CAST128. Nettle defines +cast128 in @file{}. @deftp {Context struct} {struct cast128_ctx} @end deftp @@ -1471,19 +1770,20 @@ The CAST128 block-size, 8. @end defvr -@defvr Constant CAST128_MIN_KEY_SIZE -Minimum CAST128 key size, 5. +@defvr Constant CAST128_KEY_SIZE +The CAST128 key size, 16. @end defvr -@defvr Constant CAST128_MAX_KEY_SIZE -Maximum CAST128 key size, 16. +@defvr Constant CAST5_MIN_KEY_SIZE +Minimum CAST5 key size, 5. @end defvr -@defvr Constant CAST128_KEY_SIZE -Default CAST128 key size, 16. +@defvr Constant CAST5_MAX_KEY_SIZE +Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 is the +same as CAST-128. @end defvr -@deftypefun void cast128_set_key (struct cast128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void cast128_set_key (struct cast128_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun 
@@ -1499,7 +1799,14 @@ Analogous to @code{cast128_encrypt} @end deftypefun +@deftypefun void cast5_set_key (struct cast128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +Initialize the cipher. This variant of the key setup takes the key size +as argument. The same function is used for both encryption and +decryption. +@end deftypefun + @subsection ChaCha +@cindex ChaCha ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. Bernstein. For more information on Salsa20, see below. Nettle defines @@ -1520,6 +1827,10 @@ Size of the nonce, 8. @end defvr +@defvr Constant CHACHA_COUNTER_SIZE +Size of the counter, 8. +@end defvr + @deftypefun void chacha_set_key (struct chacha_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, @@ -1532,6 +1843,14 @@ zero. @end deftypefun +@deftypefun void chacha_set_counter (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) +Sets the block counter. It is always of size @code{CHACHA_COUNTER_SIZE}, +8 octets. This is rarely needed since @code{chacha_set_nonce} +initializes the block counter to zero. When it is still necessary, this +function must be called after @code{chacha_set_nonce}. + +@end deftypefun + @deftypefun void chacha_crypt (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to @code{chacha_crypt}, 
@@ -1539,7 +1858,39 @@ @code{CHACHA_BLOCK_SIZE}. @end deftypefun +@subsubsection 32-bit counter variant + +While the original paper uses 64-bit counter value, the variant defined +in @cite{RFC 8439} uses 32-bit counter value. This variant is +particularly useful for @pxref{ChaCha-Poly1305} AEAD construction, which +supports 12-octet nonces. + +@defvr Constant CHACHA_NONCE96_SIZE +Size of the nonce, 12. +@end defvr + +@defvr Constant CHACHA_COUNTER32_SIZE +Size of the counter, 4. +@end defvr + +@deftypefun void chacha_set_nonce96 (struct chacha_ctx *@var{ctx}, const uint8_t *@var{nonce}) +Sets the nonce. This is similar to the above @code{chacha_set_nonce}, +but the input is always of size @code{CHACHA_NONCE96_SIZE}, 12 octets. +@end deftypefun + +@deftypefun void chacha_set_counter32 (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) +Sets the block counter. This is similar to the above @code{chacha_set_counter}, +but the input is always of size @code{CHACHA_COUNTER32_SIZE}, 4 octets. +@end deftypefun + +@deftypefun void chacha_crypt32 (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Encrypts or decrypts the data of a message, using ChaCha. This is similar to the +above @code{chacha_crypt}, but it assumes the internal counter value is 32-bit +long and the nonce is 96-bit long. +@end deftypefun + @subsection DES +@cindex DES DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant @@ -1597,6 +1948,10 @@ @end deftypefun @subsection DES3 +@cindex DES3 +@cindex 3DES +@cindex Triple-DES + The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as 
@@ -1664,6 +2019,7 @@ @end deftypefun @subsection Salsa20 +@cindex Salsa20 Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a @@ -1750,6 +2106,8 @@ @end deftypefun @subsection SERPENT +@cindex Serpent + SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES'. One peculiarity is that it is quite pointless to use it with @@ -1793,6 +2151,8 @@ @subsection TWOFISH +@cindex Twofish + Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in @file{}. @@ -1831,12 +2191,10 @@ Analogous to @code{twofish_encrypt} @end deftypefun -@c @node nettle_cipher, Cipher Block Chaining, Cipher functions, Reference +@c @node nettle_cipher abstraction, , Cipher functions, Cipher functions @c @comment node-name, next, previous, up @subsection The @code{struct nettle_cipher} abstraction @cindex nettle_cipher -@cindex nettle_ciphers -@cindex nettle_get_ciphers Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a @@ -1881,7 +2239,7 @@ Nettle also exports a list of all these ciphers without weak keys or other oddities. -@deftypefun const struct nettle_cipher **nettle_get_ciphers(void) +@deftypefun {const struct nettle_cipher **} nettle_get_ciphers (void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. 
@@ -1904,21 +2262,23 @@ Besides @acronym{ECB}, Nettle provides several other modes of operation: Cipher Block Chaining (@acronym{CBC}), Counter mode (@acronym{CTR}), Cipher -Feedback (@acronym{CFB}) and a couple of @acronym{AEAD} modes -(@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but +Feedback (@acronym{CFB} and @acronym{CFB8}), XEX-based tweaked-codebook mode +with ciphertext stealing (@acronym{XTS}) and a couple of @acronym{AEAD} +modes (@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but there are a few subtle issues of information leakage, see, e.g., @uref{http://www.kb.cert.org/vuls/id/958563, @acronym{SSH} @acronym{CBC} vulnerability}. Today, @acronym{CTR} is usually preferred over @acronym{CBC}. -Modes like @acronym{CBC}, @acronym{CTR} and @acronym{CFB} provide @emph{no} -message authentication, and should always be used together with a -@acronym{MAC} (@pxref{Keyed hash functions}) or signature to authenticate -the message. +Modes like @acronym{CBC}, @acronym{CTR}, @acronym{CFB} and @acronym{CFB8} +provide @emph{no} message authentication, and should always be used together +with a @acronym{MAC} (@pxref{Keyed hash functions}) or signature to +authenticate the message. @menu * CBC:: * CTR:: -* CFB:: +* CFB and CFB8:: +* XTS:: @end menu @node CBC, CTR, Cipher modes, Cipher modes @@ -2014,7 +2374,7 @@ the types of @var{f} and @var{ctx} don't match, e.g. if you try to use an @code{struct aes_ctx} context with the @code{des_encrypt} function. -@node CTR, CFB, CBC, Cipher modes +@node CTR, CFB and CFB8, CBC, Cipher modes @comment node-name, next, previous, up @subsection Counter mode 
@@ -2090,18 +2450,21 @@ operation. @end deffn -@node CFB, , CTR, Cipher modes +@node CFB and CFB8, XTS, CTR, Cipher modes @comment node-name, next, previous, up @subsection Cipher Feedback mode @cindex Cipher Feedback Mode -@cindex CFB Mode +@cindex Cipher Feedback 8-bit Mode +@cindex CFB Modes +@cindex CFB8 Mode -Cipher Feedback mode (@acronym{CFB}) being a close relative to both -@acronym{CBC} mode and @acronym{CTR} mode borrows some characteristics -from stream ciphers. -The message is divided into @code{n} blocks @code{M_1},@dots{} +Cipher Feedback mode (@acronym{CFB}) and Cipher Feedback 8-bit mode +(@acronym{CFB8}) being close relatives to both @acronym{CBC} mode and +@acronym{CTR} mode borrow some characteristics from stream ciphers. + +For CFB the message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. 
@@ -2121,10 +2484,31 @@ C_n = E_k(C_(n - 1)) [1..m] XOR M_n @end example -Nettle's includes two functions for applying a block cipher in Cipher -Feedback (@acronym{CFB}) mode, one for encryption and one for -decryption. These functions uses @code{void *} to pass cipher contexts -around. +Cipher Feedback 8-bit mode (@acronym{CFB8}) transforms block cipher into a stream +cipher. The message is encrypted byte after byte, not requiring any padding. + +If @code{E_k} is the encryption function of a block cipher, @code{b} is +@code{E_k} block size, @code{IV} is the initialization vector, then the +@code{n} plaintext bytes are transformed into @code{n} ciphertext bytes +@code{C_1},@dots{} @code{C_n} as follows: + +@example +I_1 = IV +C_1 = E_k(I_1) [1..8] XOR M_1 +I_2 = I_1 [9..b] << 8 | C_1 +C_2 = E_k(I_2) [1..8] XOR M_2 + +@dots{} + +I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) +C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) +I_n = I_(n-1) [9..b] << 8 | C_(n-1) +C_n = E_k(I_n) [1..8] XOR M_n +@end example + +Nettle's includes functions for applying a block cipher in Cipher +Feedback (@acronym{CFB}) and Cipher Feedback 8-bit (@acronym{CFB8}) +modes. These functions uses @code{void *} to pass cipher contexts around. @deftypefun {void} cfb_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cfb_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) 
@@ -2141,6 +2525,18 @@ is a multiple of the block size. @end deftypefun +@deftypefun {void} cfb8_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx {void} cfb8_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) + +Applies the encryption or decryption function @var{f} in @acronym{CFB8} +mode. The final IV block processed is copied into @var{iv} +before returning, so that a large message can be processed by a sequence of +calls to @code{cfb8_encrypt}. Note that for @acronym{CFB8} mode internally +uses encryption only function and hence @var{f} should always be the +encryption function for the underlying block cipher. + +@end deftypefun + Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CFB_CTX (@var{context_type}, @var{block_size}) 
@@ -2175,6 +2571,179 @@ operation. @end deffn +@deffn Macro CFB8_CTX (@var{context_type}, @var{block_size}) +Expands to +@example +@{ + context_type ctx; + uint8_t iv[block_size]; +@} +@end example +@end deffn + +@deffn Macro CFB8_SET_IV (@var{ctx}, @var{iv}) +First argument is a pointer to a context struct as defined by +@code{CFB8_CTX}, and the second is a pointer to an initialization vector +that is copied into that context. +@end deffn + +@deffn Macro CFB8_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) +A simpler way to invoke @code{cfb8_encrypt}. The first argument is a +pointer to a context struct as defined by @code{CFB8_CTX}, and the +second argument is an encryption function following Nettle's +conventions. The last three arguments define the source and destination +area for the operation. +@end deffn + +@deffn Macro CFB8_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) +A simpler way to invoke @code{cfb8_decrypt}. The first argument is a +pointer to a context struct as defined by @code{CFB8_CTX}, and the +second argument is an encryption function following Nettle's +conventions. The last three arguments define the source and destination +area for the operation. +@end deffn + +@node XTS, , CFB and CFB8, Cipher modes +@comment node-name, next, previous, up +@subsection XEX-based tweaked-codebook mode with ciphertext stealing + +@cindex XEX-based tweaked-codebook mode with ciphertext stealing +@cindex XTS Mode + + +XEX-based tweaked-codebook mode with ciphertext stealing (@acronym{XTS}) is +a block mode like (@acronym{CBC}) but tweaked to be able to encrypt partial +blocks via a technique called ciphertext stealing, where the last complete +block of ciphertext is split and part returned as the last block and part +used as plaintext for the second to last block. +This mode is principally used to encrypt data at rest where it is not possible +to store additional metadata or blocks larger than the plain text. 
The most +common usage is for disk encryption. Due to the fact that ciphertext expansion +is not possible, data is not authenticated. This mode should not be used where +authentication is critical. + +The message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, +where @code{M_n} is of size @code{m} which may be smaller than the block size. +XTS always uses a fixed blocksize of 128 bit (16 bytes) length. + +Unlike other modes, the key is double the size of that for the used cipher mode +(for example 256bit for AES-128 and 512bit for AES-256). + +@acronym{XTS} encryption mode operates given: +@itemize +@item A multiplication by a primitive element alpha. +@code{MUL a^j} here represents the multiplication, where @code{j} is the power +of alpha, and the input value is converted into a 16 bytes array +@code{a_0[k], k = 0,1,..,15}. The multiplication is calculated as +@code{a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128)} +@code{a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15} +Note that this operation is practically a 1 bit left shift operation with carry +propagating from one byte to the next, and if the last bit shift results in a +carry the decimal value 135 is XORed into the first byte. + +@item The encryption key is provided as the @code{Key = K1 | K2}, where @code{|} +denotes string concatenation. +@code{E_k1} is the encryption function of the block cipher using @code{K1} as +the key, and @code{E_k2} is the same encryption function using @code{K2} + +@item A 128 bit tweak value is provided as input and is denoted as @code{IV} +@end itemize + +The @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks +@code{C_1},@dots{} @code{C_n} as follows. 
+ +For a plaintext length that is a perfect multiple of the XTS block size: +@example +T_1 = E_k2(IV) +C_1 = E_k1(P_1 XOR T_1) XOR T_1 + +@dots{} + +T_n = T_(n-1) MUL a +C_n = E_k1(P_n XOR T_n) XOR T_n +@end example + +For any other plaintext lengths: +@example +T_1 = E_k2(IV) +C_1 = E_k1(P_1 XOR T_1) XOR T_1 + +@dots{} + +T_(n-2) = T_(n-3) MUL a +C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2) + +T_(n-1) = T_(n-2) MUL a +CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1) + +T_n = T_(n-1) MUL a +PP = [1..m]Pn | [m+1..128]CC_(n-1) +C_(n-1) = E_k1(PP XOR T_n) XOR T_n + +C_n = [1..m]CC_(n-1) +@end example + +@subsubsection General (@acronym{XTS}) interface. + +The two general functions to encrypt and decrypt using the @acronym{XTS} block +cipher mode are the following: + +@deftypefun void xts_encrypt_message (const void *@var{enc_ctx}, const void *@var{twk_ctx}, nettle_cipher_func *@var{encf}, const uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void xts_decrypt_message (const void *@var{dec_ctx}, const void *@var{twk_ctx}, nettle_cipher_func *@var{decf}, nettle_cipher_func *@var{encf}, const uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) + +Applies the encryption function @var{encf} or the decryption function +@var{decf} in @acronym{XTS} mode. At least one block (16 bytes) worth +of data must be available therefore specifying a length less than 16 +bytes is illegal. + +The functions @var{encf} @var{decf} are of type + +@code{void f (const void *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, +const uint8_t *@var{src})}, + +@noindent and the @code{xts_encrypt_message} and @code{xts_decrypt_message} +functions pass their arguments @var{enc_ctx}, @var{twk_ctx} and @var{dec_ctx} +to the functions @var{encf}, @var{decf} as @var{ctx}. 
+@end deftypefun + +@subsubsection @acronym{XTS}-@acronym{AES} interface + +The @acronym{AES} @acronym{XTS} functions provide an API for using the +@acronym{XTS} mode with the @acronym{AES} block ciphers. The parameters +all have the same meaning as the general interface, except that the +@var{enc_ctx}, @var{dec_ctx}, @var{twk_ctx}, @var{encf} and @var{decf} are +replaced with an @acronym{AES} context structure called @var{ctx}, and a +appropriate set-key function must be called before using any of the encryption +or decryption functions in this interface. + +@deftp {Context struct} {struct xts_aes128_key} +Holds state corresponding to the AES-128 block cipher. +@end deftp + +@deftp {Context struct} {struct xts_aes256_key} +Holds state corresponding to the AES-256 block cipher. +@end deftp + +@deftypefun void xts_aes128_set_encrypt_key (struct xts_aes128_key *@var{ctx}, const uint8_t *@var{key}) +@deftypefunx void xts_aes256_set_encrypt_key (struct xts_aes256_key *@var{ctx}, const uint8_t *@var{key}) +@deftypefunx void xts_aes128_set_decrypt_key (struct xts_aes128_key *@var{ctx}, const uint8_t *@var{key}) +@deftypefunx void xts_aes256_set_decrypt_key (struct xts_aes256_key *@var{ctx}, const uint8_t *@var{key}) +Initializes the encryption or decryption key for the AES block cipher. The +length of the key must be double the size of the key for the corresponding +cipher (256 bits for AES-128 and 512 bits for AES-256). One of +these functions must be called before any of the other functions. 
+@end deftypefun + +@deftypefun void xts_aes128_encrypt_message(struct xts_aes128_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void xts_aes256_encrypt_message(struct xts_aes256_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void xts_aes128_decrypt_message(struct xts_aes128_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void xts_aes256_decrypt_message(struct xts_aes256_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +These are identical to @code{xts_encrypt_message} and +@code{xts_decrypt_message}, except that @var{enc_ctx}, @var{dec_ctx}, +@var{twk_ctx}, @var{encf} and @var{decf} are replaced by the @var{ctx} context +structure. +@end deftypefun + @node Authenticated encryption, Keyed hash functions, Cipher modes, Reference @comment node-name, next, previous, up @@ -2257,6 +2826,7 @@ * GCM:: * CCM:: * ChaCha-Poly1305:: +* SIV-CMAC:: * nettle_aead abstraction:: @end menu @@ -2264,7 +2834,7 @@ @comment node-name, next, previous, up @subsection EAX -The @acronym{EAX} mode is an @acronym{AEAD} mode whichcombines +The @acronym{EAX} mode is an @acronym{AEAD} mode which combines @acronym{CTR} mode encryption, @xref{CTR}, with a message authentication based on @acronym{CBC}, @xref{CBC}. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). @@ -2374,7 +2944,7 @@ @end deffn @deffn Macro EAX_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest}) -Extract te authentication tag for the message. +Extract the authentication tag for the message. @end deffn 
@@ -2574,7 +3144,7 @@
 @end deftp
 @deftp {Context struct} {struct gcm_aes_ctx}
-Alternative context struct, usign the old @acronym{AES} interface.
+Alternative context struct, using the old @acronym{AES} interface.
 @end deftp
 @deftypefun void gcm_aes128_set_key (struct gcm_aes128_ctx *@var{ctx}, const uint8_t *@var{key})
@@ -2730,8 +3300,8 @@
 @acronym{CCM} mode decryption operates similarly, except that the ciphertext and @acronym{MAC} are first decrypted using CTR mode to
-retreive the plaintext and authentication tag. The authentication tag
-can then be recalucated from the authenticated data and plantext, and
+retrieve the plaintext and authentication tag. The authentication tag
+can then be recalculated from the authenticated data and plaintext, and
 compared to the value in the message to check for authenticity.
 @subsubsection General @acronym{CCM} interface
@@ -2904,24 +3474,19 @@ except that @var{cipher} and @var{f} are replaced with a context structure. @end deftypefun -@node ChaCha-Poly1305, nettle_aead abstraction, CCM, Authenticated encryption +@node ChaCha-Poly1305, SIV-CMAC, CCM, Authenticated encryption @comment node-name, next, previous, up @subsection ChaCha-Poly1305 ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (@pxref{Poly1305}). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha. +defines a similar construction but with Salsa20 instead of ChaCha. -Nettle's implementation ChaCha-Poly1305 should be considered -@strong{experimental}. At the time of this writing, there is no -authoritative specification for ChaCha-Poly1305, and a couple of -different incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and it's -a small change to ChaCha to use the upper 32 bits of the block counter -as a nonce, instead limiting message size to @math{2^32} blocks or 256 -GBytes, but that variant is currently not supported. +Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 8439}, +where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte +block counter. This allows up to 256 gigabytes of data to be encrypted +using the same key and nonce. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream @@ -2950,7 +3515,7 @@ @end defvr @defvr Constant CHACHA_POLY1305_NONCE_SIZE -Same as the ChaCha nonce size, 16. +ChaCha-Poly1305 nonce size, 12. @end defvr @defvr Constant CHACHA_POLY1305_DIGEST_SIZE 
@@ -2987,12 +3552,105 @@ @var{length} octets of the digest are written. @end deftypefun +@node SIV-CMAC, nettle_aead abstraction, ChaCha-Poly1305, Authenticated encryption +@comment node-name, next, previous, up +@subsection Synthetic Initialization Vector AEAD + +@cindex SIV mode +@cindex SIV-CMAC mode + +@acronym{SIV-CMAC} mode is a combination of counter mode with message +authentication based on @acronym{CMAC}. Unlike other counter @acronym{AEAD} +modes, it provides protection against accidental nonce misuse, making it +a good choice for stateless-servers that cannot ensure nonce uniqueness. +It is constructed on top of a block cipher which must have a block size of +128 bits. Nettle's support for @acronym{SIV-CMAC} consists of +a message encryption and authentication interface, for +@acronym{SIV-CMAC} using AES as the underlying block cipher. +When a nonce is re-used with this mode, message authenticity is retained +however an attacker can determine whether the same plaintext was protected +with the two messages sharing the nonce. +These interfaces are defined in @file{}. + +Unlike other @acronym{AEAD} mode in @acronym{SIV-CMAC} the initialization +vector serves as the tag. That means that in the generated ciphertext +the tag precedes the ciphertext. + +Note also, that the @acronym{SIV-CMAC} algorithm, as specified in +@cite{RFC 5297}, introduces the notion of authenticated data which +consist of multiple components. For example with @acronym{SIV-CMAC} the +authentication tag of data @code{X} followed by @code{Y}, is different +than the concatenated data @code{X || Y}. The interfaces described below +follow the @acronym{AEAD} paradigm and do not allow access to this +feature and also require the use of a non-empty nonce. In the +terminology of the RFC, the input to the S2V function is always a vector +of three elements, where S1 is the authenticated data, S2 is the nonce, +and S3 is the plaintext. 
+ + +@subsubsection General interface + +@defvr Constant SIV_BLOCK_SIZE +@acronym{SIV-CMAC}'s block size, 16. +@end defvr + +@defvr Constant SIV_DIGEST_SIZE +Size of the @acronym{SIV-CMAC} digest or initialization vector, 16. +@end defvr + +@defvr Constant SIV_MIN_NONCE_SIZE +The the minimum size for an @acronym{SIV-CMAC} nonce, 1. +@end defvr + +@subsubsection @acronym{SIV-CMAC}-@acronym{AES} interface + +The @acronym{AES} @acronym{SIV-CMAC} functions provide an API for using +@acronym{SIV-CMAC} mode with the @acronym{AES} block ciphers. The parameters +all have the same meaning as the general and message interfaces, except +that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced +with an @acronym{AES} context structure, and a set-key function must be +called before using any of the other functions in this interface. + +@deftp {Context struct} {struct siv_cmac_aes128_ctx} +Holds state corresponding to a particular message encrypted using the +AES-128 block cipher. +@end deftp + +@deftp {Context struct} {struct siv_cmac_aes256_ctx} +Holds state corresponding to a particular message encrypted using the +AES-256 block cipher. +@end deftp + +@deftypefun void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) +@deftypefunx void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) +Initializes the encryption key for the AES block cipher. One of these +functions must be called before any of the other functions in the +@acronym{AES} @acronym{SIV-CMAC} interface. 
+@end deftypefun + +@deftypefun void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Computes the message digest from the @var{adata} and @var{src} +parameters, encrypts the plaintext from @var{src}, prepends the +initialization vector to the ciphertext and outputs it to @var{dst}. +The @var{clength} variable must be equal to the length of @var{src} +plus @code{SIV_DIGEST_SIZE}. + +@end deftypefun + +@deftypefun int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Decrypts the ciphertext from @var{src}, outputs the plaintext to +@var{dst}, recalculates the initialization vector from @var{adata} and the +plaintext. If the values of the received and calculated initialization vector +are equal, this will return 1 indicating a valid and authenticated +message. Otherwise, this function will return zero. 
+@end deftypefun
+
 @node nettle_aead abstraction, , ChaCha-Poly1305, Authenticated encryption
 @comment node-name, next, previous, up
 @subsection The @code{struct nettle_aead} abstraction
 @cindex nettle_aead
-@cindex nettle_aeads
-@cindex nettle_get_aeads
 Nettle includes a struct including information about the supported hash functions. It is defined in @file{}.
@@ -3016,7 +3674,7 @@
 Nettle also exports a list of all these constructions.
-@deftypefun const struct nettle_aead **nettle_get_aeads(void)
+@deftypefun {const struct nettle_aead **} nettle_get_aeads (void)
 Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms.
@@ -3066,6 +3724,7 @@
 @menu
 * HMAC::
 * UMAC::
+* CMAC::
 * Poly1305::
 @end menu
@@ -3408,7 +4067,91 @@ @code{_set_nonce} function explicitly for each message. @end deftypefun -@node Poly1305,, UMAC, Keyed hash functions +@node CMAC,, UMAC, Keyed hash functions +@subsection @acronym{CMAC} +@cindex CMAC +@cindex CMAC-128 +@cindex CMAC-64 + +@acronym{CMAC} is a message authentication code based on CBC encryption +mode. It is suitable for systems where block ciphers are preferrable +and perform better than hash functions. @acronym{CMAC-128} is specified in +@cite{RFC4493}. The block size is always 128 bits (16 octets). +@acronym{CMAC-64} is specified by +@uref{https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf, +NIST Special Publication 800-38B}. The block size is always 64 bits +(8 octets). + +Nettle provides helper functions for @acronym{CMAC-128} with +the @acronym{AES} block cipher and for @acronym{CMAC-64} with +the @acronym{Tripple-DES} block cipher. + +Nettle defines @acronym{CMAC} in @file{}. + +@deftp {Context struct} {struct cmac_aes128_ctx} +@deftpx {Context struct} {struct cmac_aes256_ctx} +@end deftp + +@defvr Constant CMAC128_DIGEST_SIZE +The size of an CMAC-128 digest, 16. +@end defvr + +@deftypefun void cmac_aes128_set_key (struct cmac_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) +This function initializes the @acronym{CMAC} context struct for AES-128. +@end deftypefun + +@deftypefun void cmac_aes128_update (struct cmac_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +This function is called zero or more times to process the message. +@end deftypefun + +@deftypefun void cmac_aes128_digest (struct cmac_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +Extracts the @acronym{MAC} of the message, writing it to @var{digest}. +@var{length} is usually equal to the specified output size, but if you +provide a smaller value, only the first @var{length} octets of the +@acronym{MAC} are written. 
This function resets the context for +processing of a new message with the same key. +@end deftypefun + +@deftypefun void cmac_aes256_set_key (struct cmac_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) +This function initializes the @acronym{CMAC} context struct for AES-256. +@end deftypefun + +@deftypefun void cmac_aes256_update (struct cmac_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +This function is called zero or more times to process the message. +@end deftypefun + +@deftypefun void cmac_aes256_digest (struct cmac_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +Extracts the @acronym{MAC} of the message, writing it to @var{digest}. +@var{length} is usually equal to the specified output size, but if you +provide a smaller value, only the first @var{length} octets of the +@acronym{MAC} are written. This function resets the context for +processing of a new message with the same key. +@end deftypefun + +@deftp {Context struct} {struct cmac_des3_ctx} +@end deftp + +@defvr Constant CMAC64_DIGEST_SIZE +The size of an CMAC-64 digest, 8. +@end defvr + +@deftypefun void cmac_des3_set_key (struct cmac_des3_ctx *@var{ctx}, const uint8_t *@var{key}) +This function initializes the @acronym{CMAC} context struct for @acronym{Tripple-DES}. +@end deftypefun + +@deftypefun void cmac_des3_update (struct cmac_des3_ctx *@var{ctx},size_t @var{length}, const uint8_t *@var{data}) +This function is called zero or more times to process the message. +@end deftypefun + +@deftypefun void cmac_des3_digest (struct cmac_des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +Extracts the @acronym{MAC} of the message, writing it to @var{digest}. +@var{length} is usually equal to the specified output size, but if you +provide a smaller value, only the first @var{length} octets of the +@acronym{MAC} are written. This function resets the context for +processing of a new message with the same key. 
+@end deftypefun + +@node Poly1305,, CMAC, Keyed hash functions @comment node-name, next, previous, up @subsection Poly1305 @@ -3540,8 +4283,8 @@ @file{}. There is an abstract function that operate on any PRF implemented via the @code{nettle_hash_update_func}, @code{nettle_hash_digest_func} interfaces. There is also helper macros -and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, -the abstract function: +and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 +and PBKDF2-HMAC-SHA512. First, the abstract function: @deftypefun void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The 
@@ -3592,6 +4335,26 @@ room for at least @var{length} octets. @end deftypefun +@subsubsection @acronym{PBKDF2-HMAC-SHA384} + +@deftypefun void pbkdf2_hmac_sha384 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) +PBKDF2 with HMAC-SHA384. Derive @var{length} bytes of key into buffer +@var{dst} using the password @var{key} of length @var{key_length} and +salt @var{salt} of length @var{salt_length}, with iteration counter +@var{iterations} (> 0). The output buffer is @var{dst} which must have +room for at least @var{length} octets. +@end deftypefun + +@subsubsection @acronym{PBKDF2-HMAC-SHA512} + +@deftypefun void pbkdf2_hmac_sha512 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) +PBKDF2 with HMAC-SHA512. Derive @var{length} bytes of key into buffer +@var{dst} using the password @var{key} of length @var{key_length} and +salt @var{salt} of length @var{salt_length}, with iteration counter +@var{iterations} (> 0). The output buffer is @var{dst} which must have +room for at least @var{length} octets. +@end deftypefun + @node Public-key algorithms, Randomness, Key derivation functions, Reference @comment node-name, next, previous, up @section Public-key algorithms @@ -4171,7 +4934,7 @@ @end deftypefun @deftypefun int dsa_generate_params (struct dsa_params *@var{params}, void *@var{random_ctx}, nettle_random_func *@var{random}, void *@var{progress_ctx}, nettle_progress_func *@var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) -Generates paramaters of a new group. The @var{params} struct should be +Generates parameters of a new group. The @var{params} struct should be initialized before you call this function. @var{random_ctx} and @var{random} is a randomness generator. 
@@ -4214,8 +4977,8 @@ with it. @end deftypefun -Keys are represented as bignums, of type @code{mpz_t}. A public keys -represent a group element, and is of the same size as @code{p}, while a +Keys are represented as bignums, of type @code{mpz_t}. A public key +represents a group element, and is of the same size as @code{p}, while a private key is an exponent, of the same size as @code{q}. @deftypefun int dsa_sign (const struct dsa_params *@var{params}, const mpz_t @var{x}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_size}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) @@ -4371,7 +5134,8 @@ @menu * Side-channel silence:: * ECDSA:: -* Curve 25519:: +* GOSTDSA:: +* Curve 25519 and Curve 448:: @end menu @node Side-channel silence, ECDSA, , Elliptic curves @@ -4405,7 +5169,7 @@ memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. -@node ECDSA, Curve 25519, Side-channel silence, Elliptic curves +@node ECDSA, GOSTDSA, Side-channel silence, Elliptic curves @comment node-name, next, previous, up @subsubsection ECDSA 
@@ -4509,10 +5273,87 @@ @xref{Randomness}. @end deftypefun -@node Curve 25519, , ECDSA, Elliptic curves +@node GOSTDSA, Curve 25519 and Curve 448, ECDSA, Elliptic curves @comment node-name, next, previous, up -@subsubsection Curve25519 +@subsubsection GOSTDSA +@cindex GOST DSA + +GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA +(@pxref{DSA}) and ECDSA (@pxref{ECDSA}) digital signature schemes, which works +over an elliptic curve group. Original documents are written in Russian. +English translations are provided in @cite{RFC 5832} and @cite{RFC 7091}. +While technically nothing stops one from using GOSTDSA over any curve, it +is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, +creating a signature requires a unique random nonce (repeating the nonce +with two different messages reveals the private key, and any leak or bias +in the generation of the nonce also leaks information about the key). + +GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function +(GOSTHASH94 and GOSTHASH94CP, @cite{RFC 5831}). GOST R 34.10-2012 is +defined to use GOST R 34.11-2012 hash function (Streebog, @cite{RFC +6986}) of corresponding size (256 or 512) depending on curve size. + +Nettle defines GOSTDSA in @file{}. GOSTDSA reuses ECDSA +data types (@code{struct ecc_point}, @code{struct ecc_scalar}) to +represent public and private keys. Also to generate a new GOSTDSA key +pair one has to use @code{ecdsa_generate_keypair()} function. + +To create and verify GOSTDSA signatures, the following functions are used. + +@deftypefun void gostdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) +Uses the private key @var{key} to create a signature on @var{digest}. +@var{random_ctx} and @var{random} is a randomness generator. 
+@code{random(random_ctx, length, dst)} should generate @code{length} +random octets and store them at @code{dst}. The signature is stored in +@var{signature}, in the same was as for plain DSA. +@end deftypefun + +@deftypefun int gostdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) +Uses the public key @var{pub} to verify that @var{signature} is a valid +signature for the message digest @var{digest} (of @var{length} octets). +Returns 1 if the signature is valid, otherwise 0. +@end deftypefun + +For historical reason several curve IDs (OIDs) may correspond to a single +curve/generator combination. Following list defines correspondence +between nettle's view on curves and actual identifiers defined in @cite{RFC +4357} and @cite{RFC 7836}. + +@deftypefun {const struct ecc_curve} nettle_get_gost_gc256b(void) +Returns curve corresponding to following identifiers: +@itemize +@item id-GostR3410-2001-CryptoPro-A-ParamSet (@cite{RFC 4357}) +@item id-GostR3410-2001-CryptoPro-XchA-ParamSet (@cite{RFC 4357}) +@item id-tc26-gost-3410-12-256-paramSetB +@end itemize +@end deftypefun + +@deftypefun {const struct ecc_curve} nettle_get_gost_gc512a(void) +Returns curve corresponding to following identifiers: +@itemize +@item id-tc26-gost-3410-12-512-paramSetA (@cite{RFC 7836}) +@end itemize +@end deftypefun + +For GOST key pairs key derivation/key agreement function (VKO) is defined in +@cite{RFC 4357} and @cite{RFC 7836}. Basically shared key is equal to +hash(cofactor * ukm * priv * pub). Nettle library provides a function that does +multiplication. Caller should do hashing on his own (it will be either +GOST R 34.11-94 (@pxref{GOSTHASH94CP}) or GOST R 34.11-2012, Streebog, which nor part of the library yet). 
+ +@deftypefun void gostdsa_vko (const struct ecc_scalar *@var{priv}, const struct ecc_point *@var{pub}, size_t @var{ukm_length}, const uint8_t *@var{ukm}, uint8_t *@var{out}) +Uses private key @var{priv}, public ket @var{pub} and shared key material +@var{ukm} to generate shared secret, written to buffer @var{out}. The buffer +should be of the size equal to 2 private key lengths: 64 bytes for 256 bit +curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually +transferred in cleartext. It does not have to be secret. +@end deftypefun + +@node Curve 25519 and Curve 448, , ECDSA, Elliptic curves +@comment node-name, next, previous, up +@subsubsection Curve25519 and Curve448 @cindex Curve 25519 +@cindex Curve 448 @c FIXME: Make 2^255 pretty in all output formats. Use @sup? @c There are other places too (2^32, 2^130). 
@@ -4587,6 +5428,40 @@ @code{crypto_scalar_mult} in the NaCl library. @end deftypefun +Similarly, Nettle also implements Curve448, an elliptic curve of +Montgomery type, @math{y^2 = x^3 + 156326 x^2 + x @pmod{p}}, with +@math{p = 2^448 - 2^224 - 1}. This particular curve was proposed by +Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also +described in @cite{RFC 7748}. + +Nettle defines Curve 448 in @file{}. + +@defvr Constant CURVE448_SIZE +The octet length of the strings representing curve448 points and scalars, 56. +@end defvr + +@deftypefun void curve448_mul_g (uint8_t *@var{q}, const uint8_t *@var{n}) +Computes @math{Q = N G}, where @math{G} is the group generator and +@math{N} is an integer. The input argument @var{n} and the output +argument @var{q} use a little-endian representation of the scalar and +the x-coordinate, respectively. They are both of size +@code{CURVE448_SIZE}. + +This function is intended to be compatible with the function +@code{crypto_scalar_mult_base} in the NaCl library. +@end deftypefun + +@deftypefun void curve448_mul (uint8_t *@var{q}, const uint8_t *@var{n}, const uint8_t *@var{p}) +Computes @math{Q = N P}, where @math{P} is an input point and @math{N} +is an integer. The input arguments @var{n} and @var{p} and the output +argument @var{q} use a little-endian representation of the scalar and +the x-coordinates, respectively. They are all of size +@code{CURVE448_SIZE}. + +This function is intended to be compatible with the function +@code{crypto_scalar_mult} in the NaCl library. +@end deftypefun + @subsubsection EdDSA @cindex eddsa 
@@ -4633,6 +5508,31 @@ signature is valid, otherwise 0. @end deftypefun +Nettle also provides Ed448, an EdDSA signature scheme based on an +Edwards curve equivalent to curve448. + +@defvr Constant ED448_KEY_SIZE +The size of a private or public Ed448 key, 57 octets. +@end defvr + +@defvr Constant ED448_SIGNATURE_SIZE +The size of an Ed448 signature, 114 octets. +@end defvr + +@deftypefun void ed448_shake256_public_key (uint8_t *@var{pub}, const uint8_t *@var{priv}) +Computes the public key corresponding to the given private key. Both +input and output are of size @code{ED448_KEY_SIZE}. +@end deftypefun + +@deftypefun void ed448_shake256_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) +Signs a message using the provided key pair. +@end deftypefun + +@deftypefun int ed448_shake256_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) +Verifies a message using the provided public key. Returns 1 if the +signature is valid, otherwise 0. +@end deftypefun + @node Randomness, ASCII encoding, Public-key algorithms, Reference @comment node-name, next, previous, up @section Randomness 
@@ -5152,18 +6052,6 @@
 @code{MD5_CTX}, and declares the functions @code{MD5Init}, @code{MD5Update} and @code{MD5Final}.
-Eric Young's ``libdes'' (also part of OpenSSL) is a quite popular DES
-implementation. Nettle includes a subset if its interface in
-@file{}. This file defines the typedefs
-@code{des_key_schedule} and @code{des_cblock}, two constants
-@code{DES_ENCRYPT} and @code{DES_DECRYPT}, and declares one global
-variable @code{des_check_key}, and the functions @code{des_cbc_cksum}
-@code{des_cbc_encrypt}, @code{des_ecb2_encrypt},
-@code{des_ecb3_encrypt}, @code{des_ecb_encrypt},
-@code{des_ede2_cbc_encrypt}, @code{des_ede3_cbc_encrypt},
-@code{des_is_weak_key}, @code{des_key_sched}, @code{des_ncbc_encrypt}
-@code{des_set_key}, and @code{des_set_odd_parity}.
-
 @node Nettle soup, Installation, Reference, Top
 @comment node-name, next, previous, up
 @chapter Traditional Nettle Soup
diff -Nru nettle-3.4.1/nettle-types.h nettle-3.7.3/nettle-types.h
--- nettle-3.4.1/nettle-types.h 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/nettle-types.h 2021-06-06 20:06:29.000000000 +0000
@@ -34,10 +34,24 @@
 /* For size_t */
 #include
+#include
-/* Pretend these types always exists. Nettle doesn't use them. */
-#define _STDINT_HAVE_INT_FAST32_T 1
-#include "nettle-stdint.h"
+/* Attributes we want to use in installed header files, and hence
+ can't rely on config.h. */
+#ifdef __GNUC__
+
+#define _NETTLE_ATTRIBUTE_PURE __attribute__((pure))
+#ifndef _NETTLE_ATTRIBUTE_DEPRECATED
+/* Variant without message is supported since gcc-3.1 or so. */
+#define _NETTLE_ATTRIBUTE_DEPRECATED __attribute__((deprecated))
+#endif
+
+#else /* !__GNUC__ */
+
+#define _NETTLE_ATTRIBUTE_PURE
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
+#endif /* !__GNUC__ */
 #ifdef __cplusplus
 extern "C" {
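Review bot: The `#ifndef _NETTLE_ATTRIBUTE_DEPRECATED` guard exists only inside the `#ifdef __GNUC__` branch, while the `#else` branch defines `_NETTLE_ATTRIBUTE_DEPRECATED` unconditionally, so a build that predefines the macro (which the guard implies is anticipated) gets a macro-redefinition diagnostic on non-GCC compilers. Wrapping the fallback the same way, `#ifndef _NETTLE_ATTRIBUTE_DEPRECATED` / `#define _NETTLE_ATTRIBUTE_DEPRECATED` / `#endif`, makes both branches behave alike. Separately, identifiers beginning with an underscore followed by an uppercase letter are reserved for the implementation (C11 7.1.3); since these names now live in an installed header, a one-line comment such as `/* _NETTLE_ prefix chosen deliberately for installed headers; reserved-namespace warnings from strict checkers are expected. */` would spare readers the question.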
@@ -47,7 +61,14 @@
 union nettle_block16
 {
 uint8_t b[16];
- unsigned long w[16 / sizeof(unsigned long)];
+ unsigned long w[16 / sizeof(unsigned long)] _NETTLE_ATTRIBUTE_DEPRECATED;
+ uint64_t u64[2];
+};
+
+union nettle_block8
+{
+ uint8_t b[8];
+ uint64_t u64;
 };
 /* Randomness. Used by key generation and dsa signature creation. */
diff -Nru nettle-3.4.1/nettle-write.h nettle-3.7.3/nettle-write.h
--- nettle-3.4.1/nettle-write.h 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/nettle-write.h 2021-06-06 20:06:29.000000000 +0000
@@ -36,8 +36,7 @@
 /* For size_t */
 #include
-
-#include "nettle-stdint.h"
+#include
 /* Write the word array at SRC to the byte array at DST, using little endian (le) or big endian (be) byte order, and truncating the
diff -Nru nettle-3.4.1/NEWS nettle-3.7.3/NEWS
--- nettle-3.4.1/NEWS 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/NEWS 2021-06-06 20:06:29.000000000 +0000
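Review bot: Adding `uint64_t u64[2]` to `union nettle_block16` can raise the union's alignment on targets where `uint64_t` is more strictly aligned than `unsigned long` (presumably some 32-bit ABIs), which would change the layout of every installed context struct that embeds the union; the hunk carries no note about this, even though deprecating `w` suggests the layout is meant to stay stable. I would add above the union: `/* u64 is the preferred word view. On targets where uint64_t is more strictly aligned than unsigned long it raises the union's alignment, so this layout is part of the installed ABI. */` The same consideration applies to the new `union nettle_block8`, whose `uint64_t u64` member fixes its alignment to that of `uint64_t`. Both union definitions are complete within the hunk.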
@@ -1,3 +1,384 @@ +NEWS for the Nettle 3.7.3 release + + This is bugfix release, fixing bugs that could make the RSA + decryption functions crash on invalid inputs. + + Upgrading to the new version is strongly recommended. For + applications that want to support older versions of Nettle, + the bug can be worked around by adding a check that the RSA + ciphertext is in the range 0 < ciphertext < n, before + attempting to decrypt it. + + Thanks to Paul Schaub and Justus Winter for reporting these + problems. + + The new version is intended to be fully source and binary + compatible with Nettle-3.6. The shared library names are + libnettle.so.8.4 and libhogweed.so.6.4, with sonames + libnettle.so.8 and libhogweed.so.6. + + Bug fixes: + + * Fix crash for zero input to rsa_sec_decrypt and + rsa_decrypt_tr. Potential denial of service vector. + + * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return + failure for out of range inputs, instead of either crashing, + or silently reducing input modulo n. Potential denial of + service vector. + + * Ensure that rsa_decrypt returns failure for out of range + inputs, instead of silently reducing input modulo n. + + * Ensure that rsa_sec_decrypt returns failure if the message + size is too large for the given key. Unlike the other bugs, + this would typically be triggered by invalid local + configuration, rather than by processing untrusted remote + data. + +NEWS for the Nettle 3.7.2 release + + This is a bugfix release, fixing a bug in ECDSA signature + verification that could lead to a denial of service attack + (via an assertion failure) or possibly incorrect results. It + also fixes a few related problems where scalars are required + to be canonically reduced modulo the ECC group order, but in + fact may be slightly larger. + + Upgrading to the new version is strongly recommended. 
+ + Even when no assert is triggered in ecdsa_verify, ECC point + multiplication may get invalid intermediate values as input, + and produce incorrect results. It's trivial to construct + alleged signatures that result in invalid intermediate values. + It appears difficult to construct an alleged signature that + makes the function misbehave in such a way that an invalid + signature is accepted as valid, but such attacks can't be + ruled out without further analysis. + + Thanks to Guido Vranken for setting up the fuzzer tests that + uncovered this problem. + + The new version is intended to be fully source and binary + compatible with Nettle-3.6. The shared library names are + libnettle.so.8.3 and libhogweed.so.6.3, with sonames + libnettle.so.8 and libhogweed.so.6. + + Bug fixes: + + * Fixed bug in ecdsa_verify, and added a corresponding test + case. + + * Similar fixes to ecc_gostdsa_verify and gostdsa_vko. + + * Similar fixes to eddsa signatures. The problem is less severe + for these curves, because (i) the potentially out or range + value is derived from output of a hash function, making it + harder for the attacker to to hit the narrow range of + problematic values, and (ii) the ecc operations are + inherently more robust, and my current understanding is that + unless the corresponding assert is hit, the verify + operation should complete with a correct result. + + * Fix to ecdsa_sign, which with a very low probability could + return out of range signature values, which would be + rejected immediately by a verifier. + +NEWS for the Nettle 3.7.1 release + + This is primarily a bug fix release, fixing a couple of + problems found in Nettle-3.7. + + The new version is intended to be fully source and binary + compatible with Nettle-3.6. The shared library names are + libnettle.so.8.2 and libhogweed.so.6.2, with sonames + libnettle.so.8 and libhogweed.so.6. + + Bug fixes: + + * Fix bug in chacha counter update logic. 
The problem affected + ppc64 and ppc64el, with the new altivec assembly code + enabled. Reported by Andreas Metzler, after breakage in + GnuTLS tests on ppc64. + + * Support for big-endian ARM platforms has been restored. + Fixes contributed by Michael Weiser. + + * Fix build problem on OpenBSD/powerpc64, reported by Jasper + Lievisse Adriaanse. + + * Fix corner case bug in ECDSA verify, it would produce + incorrect result in the unlikely case of an all-zero + message hash. Reported by Guido Vranken. + + New features: + + * Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512, + contributed by Nicolas Mora. + + Miscellaneous: + + * Poorly performing ARM Neon code for doing single-block + Salsa20 and Chacha has been deleted. The code to do two or + three blocks in parallel, introduced in Nettle-3.7, is + unchanged. + +NEWS for the Nettle 3.7 release + + This release adds one new feature, the bcrypt password hashing + function, and lots of optimizations. There's also one + important change to how Nettle is configured: Fat builds are + now on by default. + + The release adds PowerPC64 assembly for a few algorithms, + resulting in great speedups. Benchmarked on a Power9 machine, + speedup was 13 times for AES256-CTR and AES256-GCM, and 3.5 + times for Chacha. For fat builds (now the default), the new + code is used automatically, on processors supporting the needed + instruction set extensions. + + The new version is intended to be fully source and binary + compatible with Nettle-3.6. The shared library names are + libnettle.so.8.1 and libhogweed.so.6.1, with sonames + libnettle.so.8 and libhogweed.so.6. + + New features: + + * Support for bcrypt, contributed by Stephen R. van den Berg. + + Optimizations: + + * Much faster AES and GCM on PowerPC64 processors supporting + the corresponding crypto extensions. Contributed by Mamone + Tarsha. + + * Speed of Chacha improved on PowerPC64, x86_64 and ARM Neon. + + * Speed of Salsa20 improved on x86_64 and ARM Neon. 
+ + * Overhaul of some elliptic curve primitives, improving ECDSA + signature speed. + + Configure: + + * Fat builds are enabled by default on the architectures where + it is supported (x86_64, arm and powerpc64). To disable + runtime selection, and instead specify the processor flavor + at configure time, you need to pass --disable-fat to the + configure script. + + Known issues: + + * The ARM assembly code in this release doesn't work correctly + on big-endian ARM systems. This will hopefully be fixed in a + later release. + + Miscellaneous: + + * Use a few more gmp-6.1 functions: mpn_cnd_add_n, + mpn_cnd_sub_n, mpn_cnd_swap. Delete corresponding internal + Nettle functions. + + * Convert all assembly files to use the default m4 quote + characters. + +NEWS for the Nettle 3.6 release + + This release adds a couple of new features, most notable being + support for ED448 signatures. + + It is not binary compatible with earlier releases. The shared + library names are libnettle.so.8.0 and libhogweed.so.6.0, with + sonames libnettle.so.8 and libhogweed.so.6. The changed + sonames are mainly to avoid upgrade problems with recent + GnuTLS versions, that depend on Nettle internals outside of + the advertised ABI. But also because of the removal of + internal poly1305 functions which were undocumented but + declared in an installed header file, see Interface changes + below. + + New features: + + * Support for Curve448 and ED448 signatures. Contributed by + Daiki Ueno. + + * Support for SHAKE256 (SHA3 variant with arbitrary output + size). Contributed by Daiki Ueno. + + * Support for SIV-CMAC (Synthetic Initialization Vector) mode, + contributed by Nikos Mavrogiannopoulos. + + * Support for CMAC64, contributed by Dmitry Baryshkov. + + * Support for the "CryptoPro" variant of the GOST hash + function, as gosthash94cp. Contributed by Dmitry Baryshkov. + + * Support for GOST DSA signatures, including GOST curves + gc256b and gc512a. Contributed by Dmitry Baryshkov. 
+ + * Support for Intel CET in x86 and x86_64 assembly files, if + enabled via CFLAGS (gcc --fcf-protection=full). Contributed + by H.J. Lu and Simo Sorce. + + * A few new functions to improve support for the Chacha + variant with 96-bit nonce and 32-bit block counter (the + existing functions use nonce and counter of 64-bit each), + and functions to set the counter. Contributed by Daiki Ueno. + + * New interface, struct nettle_mac, for MAC (message + authentication code) algorithms. This abstraction is only + for MACs that don't require a per-message nonce. For HMAC, + the key size is fixed, and equal the digest size of the + underlying hash function. + + Bug fixes: + + * Fix bug in cfb8_decrypt. Previously, the IV was not updated + correctly in the case of input data shorter than the block + size. Reported by Stephan Mueller, fixed by Daiki Ueno. + + * Fix configure check for __builtin_bswap64, the incorrect + check would result in link errors on platforms missing this + function. Patch contributed by George Koehler. + + * All use of old-fashioned suffix rules in the Makefiles have + been replaced with %-pattern rules. Nettle's use of suffix + rules in earlier versions depended on undocumented GNU make + behavior, which is being deprecated in GNU make 4.3. + + Building with other make programs than GNU make is untested + and unsupported. (Building with BSD make or Solaris make + used to work years ago, but has not been tested recently). + + Interface changes: + + * Declarations of internal poly1305.h functions have been + removed from the header file poly1305.h, to make it clear + that they are not part of the advertised API or ABI. + + Miscellaneous: + + * Building the public key support of nettle now requires GMP + version 6.1.0 or later (unless --enable-mini-gmp is used). + + * A fair amount of changes to ECC internals, with a few + deleted and a few new fields in the internal struct + ecc_curve. 
Files and functions have been renamed to more + consistently match the curve name, e.g., ecc-256.c has been + renamed to ecc-secp256r1.c. + + * Documentation for chacha-poly1305 updated. It is no longer + experimental. The implementation was updated to follow RFC + 8439 in Nettle-3.1, but that was not documented or announced + at the time. + +NEWS for the Nettle 3.5.1 release + + The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5. + The new directory x86_64/sha_ni were missing in the tar file, + breaking x86_64 builds with --enable-fat, and producing worse + performance than promised for builds with --enable-x86-sha-ni. + Also a few unused in-progress assembly files were accidentally + included in the tar file. + + These problems are corrected in Nettle-3.5.1. There are no + other changes, and also the library version numbers are + unchanged. + +NEWS for the Nettle 3.5 release + + This release adds a couple of new features and optimizations, + and deletes or deprecates a few obsolete features. It is *not* + binary (ABI) compatible with earlier versions. Except for + deprecations listed below, it is intended to be fully + source-level (API) compatible with Nettle-3.4.1. + + The shared library names are libnettle.so.7.0 and + libhogweed.so.5.0, with sonames libnettle.so.7 and + libhogweed.so.5. + + Changes in behavior: + + * Nettle's gcm_crypt will now call the underlying block cipher + to process more than one block at a time. This is not a + change to the documented behavior, but unfortunately breaks + assumptions accidentally made in GnuTLS, up to and including + version 3.6.1. + + New features: + + * Support for CFB8 (Cipher Feedback Mode, processing a single + octet per block cipher operation), contributed by Dmitry + Eremin-Solenikov. + + * Support for CMAC (RFC 4493), contributed by Nikos + Mavrogiannopoulos. + + * Support for XTS mode, contributed by Simo Sorce. 
+ + Optimizations: + + * Improved performance of the x86_64 AES implementation using + the aesni instructions. Gives a large speedup for operations + processing multiple blocks at a time (including CTR mode, + GCM mode, and CBC decrypt, but *not* CBC encrypt). + + * Improved performance for CTR mode, for the common case of + 16-byte block size. Pass more data at a time to underlying + block cipher, and fill the counter blocks more efficiently. + Extension to also handle GCM mode efficiently contributed + by Nikos Mavrogiannopoulos. + + * New x86_64 implementation of sha1 and sha256, for processors + supporting the sha_ni instructions. Speedup of 3-5 times on + affected processors. + + * Improved parameters for the precomputation of tables used + for ecc signatures. Roughly 10%-15% speedup of the ecdsa + sign operation using the secp_256r1, secp_384r1 and + secp_521r1 curves, and 25% speedup of ed25519 sign + operation, benchmarked on x86_64. Table sizes unchanged, + around 16 KB per curve. + + * In ARM fat builds, automatically select Neon implementation + of Chacha, where possible. Contributed by Yuriy M. + Kaminskiy. + + Deleted features: + + * The header file des-compat.h and everything declared therein + has been deleted, as announced earlier. This file provided a + subset of the old libdes/ssleay/openssl interface for DES + and triple-DES. DES is still supported, via the functions + declared in des.h. + + * Functions using the old struct aes_ctx have been marked as + deprecated. Use the fixed key size interface instead, e.g., + struct aes256_ctx, introduced in Nettle-3.0. + + * The header file nettle-stdint.h, and corresponding autoconf + tests, have been deleted. Nettle now requires that the + compiler/libc provides . + + Miscellaneous: + + * Support for big-endian ARM systems, contributed by Michael + Weiser. + + * The programs aesdata, desdata, twofishdata, shadata and + gcmdata are no longer built by default. 
Makefile + improvements contributed by Jay Foad. + + * The "example" program examples/eratosthenes.c has been + deleted. + + * The contents of hash context structs, and the deprecated + aes_ctx struct, have been reorganized, to enable later + optimizations. + + The shared library names are libnettle.so.7.0 and + libhogweed.so.5.0. + NEWS for the Nettle 3.4.1 release This release fixes a few bugs, and makes the RSA private key diff -Nru nettle-3.4.1/pbkdf2.h nettle-3.7.3/pbkdf2.h --- nettle-3.4.1/pbkdf2.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/pbkdf2.h 2021-06-06 20:06:29.000000000 +0000 @@ -45,6 +45,9 @@ #define pbkdf2 nettle_pbkdf2 #define pbkdf2_hmac_sha1 nettle_pbkdf2_hmac_sha1 #define pbkdf2_hmac_sha256 nettle_pbkdf2_hmac_sha256 +#define pbkdf2_hmac_sha384 nettle_pbkdf2_hmac_sha384 +#define pbkdf2_hmac_sha512 nettle_pbkdf2_hmac_sha512 +#define pbkdf2_hmac_gosthash94cp nettle_pbkdf2_hmac_gosthash94cp void pbkdf2 (void *mac_ctx, @@ -78,6 +81,24 @@ size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); +void +pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, + unsigned iterations, + size_t salt_length, const uint8_t *salt, + size_t length, uint8_t *dst); + +void +pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, + unsigned iterations, + size_t salt_length, const uint8_t *salt, + size_t length, uint8_t *dst); + +void +pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key, + unsigned iterations, + size_t salt_length, const uint8_t *salt, + size_t length, uint8_t *dst); + #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/pbkdf2-hmac-gosthash94.c nettle-3.7.3/pbkdf2-hmac-gosthash94.c --- nettle-3.4.1/pbkdf2-hmac-gosthash94.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/pbkdf2-hmac-gosthash94.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,53 @@
+/* pbkdf2-hmac-gosthash94.c
+
+ PKCS #5 PBKDF2 used with HMAC-GOSTHASH94CP.
+
+ Copyright (C) 2016 Dmitry Eremin-Solenikov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "pbkdf2.h"
+
+#include "hmac.h"
+
+void
+pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key,
+ unsigned iterations,
+ size_t salt_length, const uint8_t *salt,
+ size_t length, uint8_t *dst)
+{
+ struct hmac_gosthash94cp_ctx gosthash94cpctx;
+
+ hmac_gosthash94cp_set_key (&gosthash94cpctx, key_length, key);
+ PBKDF2 (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest,
+ GOSTHASH94CP_DIGEST_SIZE, iterations, salt_length, salt, length, dst);
+}
diff -Nru nettle-3.4.1/pbkdf2-hmac-sha384.c nettle-3.7.3/pbkdf2-hmac-sha384.c
--- nettle-3.4.1/pbkdf2-hmac-sha384.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/pbkdf2-hmac-sha384.c 2021-06-06 20:06:29.000000000 +0000
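Review bot: `gosthash94cpctx` holds the HMAC inner/outer keyed state derived from `key` (for PBKDF2 typically a password) and is simply left on the stack when `pbkdf2_hmac_gosthash94cp` returns; nothing clears it. Consider an explicit, non-optimizable wipe of the context before returning (a plain `memset` right before the function exits may be dropped by the compiler), or document that callers must not expect the key material to be scrubbed. The same applies to `sha384ctx` in pbkdf2-hmac-sha384.c and `sha512ctx` in pbkdf2-hmac-sha512.c in this diff, and presumably to the existing sha1/sha256 variants outside it, so one shared fix at the `PBKDF2` macro or set_key level may be preferable to patching each wrapper.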
@@ -0,0 +1,52 @@
+/* pbkdf2-hmac-sha384.c
+
+ Copyright (C) 2012 Simon Josefsson
+ Copyright (C) 2021 Nicolas Mora
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "pbkdf2.h"
+
+#include "hmac.h"
+
+void
+pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key,
+ unsigned iterations,
+ size_t salt_length, const uint8_t *salt,
+ size_t length, uint8_t *dst)
+{
+ struct hmac_sha384_ctx sha384ctx;
+
+ hmac_sha384_set_key (&sha384ctx, key_length, key);
+ PBKDF2 (&sha384ctx, hmac_sha384_update, hmac_sha384_digest,
+ SHA384_DIGEST_SIZE, iterations, salt_length, salt, length, dst);
+}
diff -Nru nettle-3.4.1/pbkdf2-hmac-sha512.c nettle-3.7.3/pbkdf2-hmac-sha512.c
--- nettle-3.4.1/pbkdf2-hmac-sha512.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/pbkdf2-hmac-sha512.c 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,52 @@
+/* pbkdf2-hmac-sha512.c
+
+ Copyright (C) 2012 Simon Josefsson
+ Copyright (C) 2021 Nicolas Mora
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "pbkdf2.h"
+
+#include "hmac.h"
+
+void
+pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key,
+ unsigned iterations,
+ size_t salt_length, const uint8_t *salt,
+ size_t length, uint8_t *dst)
+{
+ struct hmac_sha512_ctx sha512ctx;
+
+ hmac_sha512_set_key (&sha512ctx, key_length, key);
+ PBKDF2 (&sha512ctx, hmac_sha512_update, hmac_sha512_digest,
+ SHA512_DIGEST_SIZE, iterations, salt_length, salt, length, dst);
+}
diff -Nru nettle-3.4.1/pkcs1.c nettle-3.7.3/pkcs1.c
--- nettle-3.4.1/pkcs1.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/pkcs1.c 2021-06-06 20:06:29.000000000 +0000
@@ -39,6 +39,7 @@ #include #include "pkcs1.h" +#include "hogweed-internal.h" /* Formats the PKCS#1 padding, of the form * diff -Nru nettle-3.4.1/pkcs1-decrypt.c nettle-3.7.3/pkcs1-decrypt.c --- nettle-3.4.1/pkcs1-decrypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pkcs1-decrypt.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,10 +38,10 @@ #include #include "pkcs1.h" +#include "pkcs1-internal.h" #include "bignum.h" #include "gmp-glue.h" -#include "rsa-internal.h" int pkcs1_decrypt (size_t key_size, diff -Nru nettle-3.4.1/pkcs1.h nettle-3.7.3/pkcs1.h --- nettle-3.4.1/pkcs1.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/pkcs1.h 2021-06-06 20:06:29.000000000 +0000 @@ -42,7 +42,6 @@ #endif /* Name mangling */ -#define _pkcs1_signature_prefix _nettle_pkcs1_signature_prefix #define pkcs1_rsa_digest_encode nettle_pkcs1_rsa_digest_encode #define pkcs1_rsa_md5_encode nettle_pkcs1_rsa_md5_encode #define pkcs1_rsa_md5_encode_digest nettle_pkcs1_rsa_md5_encode_digest @@ -60,13 +59,6 @@ struct sha256_ctx; struct sha512_ctx; -uint8_t * -_pkcs1_signature_prefix(unsigned key_size, - uint8_t *buffer, - unsigned id_size, - const uint8_t *id, - unsigned digest_size); - int pkcs1_encrypt (size_t key_size, /* For padding */ diff -Nru nettle-3.4.1/pkcs1-internal.h nettle-3.7.3/pkcs1-internal.h --- nettle-3.4.1/pkcs1-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/pkcs1-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,53 @@
+/* pkcs1-internal.h
+
+ Copyright (C) 2018 Niels Möller
+ Copyright (C) 2018 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PKCS1_INTERNAL_H_INCLUDED
+#define NETTLE_PKCS1_INTERNAL_H_INCLUDED
+
+#include "nettle-types.h"
+
+#define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt
+#define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable
+
+/* additional resistance to memory access side-channel attacks.
+ * Note: message buffer is returned unchanged on error */
+int
+_pkcs1_sec_decrypt (size_t length, uint8_t *message,
+ size_t padded_message_length,
+ const volatile uint8_t *padded_message);
+
+int
+_pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message,
+ size_t padded_message_length,
+ const volatile uint8_t *padded_message);
+
+#endif /* NETTLE_PKCS1_INTERNAL_H_INCLUDED */
diff -Nru nettle-3.4.1/pkcs1-rsa-digest.c nettle-3.7.3/pkcs1-rsa-digest.c
--- nettle-3.4.1/pkcs1-rsa-digest.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/pkcs1-rsa-digest.c 2021-06-06 20:06:29.000000000 +0000
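Review bot: The comment above `_pkcs1_sec_decrypt` reads as a fragment ("additional resistance to memory access side-channel attacks") and states no contract: what `length` and `padded_message_length` denote, what is written to `message`, or the return convention. From the pkcs1-sec-decrypt.c hunk in this diff the function returns 0 when the sizes are inconsistent, so a fuller comment would say roughly: `/* Unpads a PKCS#1 v1.5 encrypted block without message-dependent branches or memory accesses. Copies LENGTH bytes into MESSAGE. Returns 0 on failure, leaving MESSAGE unchanged. */`, with the success value added once confirmed against the implementation, which is not visible here. `_pkcs1_sec_decrypt_variable` has no comment at all and would benefit from the same treatment, including how `*length` is set.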
@@ -34,10 +34,10 @@ #endif #include "pkcs1.h" - #include "bignum.h" #include "gmp-glue.h" #include "nettle-internal.h" +#include "hogweed-internal.h" int pkcs1_rsa_digest_encode(mpz_t m, size_t key_size, diff -Nru nettle-3.4.1/pkcs1-rsa-md5.c nettle-3.7.3/pkcs1-rsa-md5.c --- nettle-3.4.1/pkcs1-rsa-md5.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pkcs1-rsa-md5.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,6 +43,7 @@ #include "bignum.h" #include "pkcs1.h" +#include "hogweed-internal.h" #include "gmp-glue.h" diff -Nru nettle-3.4.1/pkcs1-rsa-sha1.c nettle-3.7.3/pkcs1-rsa-sha1.c --- nettle-3.4.1/pkcs1-rsa-sha1.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pkcs1-rsa-sha1.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,6 +43,7 @@ #include "bignum.h" #include "pkcs1.h" +#include "hogweed-internal.h" #include "gmp-glue.h" diff -Nru nettle-3.4.1/pkcs1-rsa-sha256.c nettle-3.7.3/pkcs1-rsa-sha256.c --- nettle-3.4.1/pkcs1-rsa-sha256.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pkcs1-rsa-sha256.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,6 +43,7 @@ #include "bignum.h" #include "pkcs1.h" +#include "hogweed-internal.h" #include "gmp-glue.h" diff -Nru nettle-3.4.1/pkcs1-rsa-sha512.c nettle-3.7.3/pkcs1-rsa-sha512.c --- nettle-3.4.1/pkcs1-rsa-sha512.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pkcs1-rsa-sha512.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,6 +43,7 @@ #include "bignum.h" #include "pkcs1.h" +#include "hogweed-internal.h" #include "gmp-glue.h" diff -Nru nettle-3.4.1/pkcs1-sec-decrypt.c nettle-3.7.3/pkcs1-sec-decrypt.c --- nettle-3.4.1/pkcs1-sec-decrypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pkcs1-sec-decrypt.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,8 +43,7 @@ #include "memops.h" #include "gmp-glue.h" -#include "rsa.h" -#include "rsa-internal.h" +#include "pkcs1-internal.h" /* Inputs are always cast to uint32_t values. But all values used in this * function should never exceed the maximum value of a uint32_t anyway. 
@@ -64,7 +63,9 @@ volatile int ok; size_t i, t; - assert (padded_message_length >= length); + /* Message independent branch */ + if (length + 11 > padded_message_length) + return 0; t = padded_message_length - length - 1; @@ -100,8 +101,8 @@ /* length is discovered in a side-channel silent way. * not_found goes to 0 when the terminator is found. - * offset strts at 3 as it includes the terminator and - * the fomat bytes already */ + * offset starts at 3 as it includes the terminator and + * the format bytes already */ offset = 3; for (i = 2; i < padded_message_length; i++) { diff -Nru nettle-3.4.1/poly1305-aes.c nettle-3.7.3/poly1305-aes.c --- nettle-3.4.1/poly1305-aes.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/poly1305-aes.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,13 +38,14 @@ #include #include "poly1305.h" +#include "poly1305-internal.h" #include "macros.h" void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t * key) { aes128_set_encrypt_key(&ctx->aes, (key)); - poly1305_set_key(&ctx->pctx, (key+16)); + _nettle_poly1305_set_key(&ctx->pctx, (key+16)); ctx->index = 0; } @@ -55,7 +56,7 @@ memcpy (ctx->nonce, nonce, POLY1305_AES_NONCE_SIZE); } -#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->pctx, (data), 1) +#define COMPRESS(ctx, data) _nettle_poly1305_block(&(ctx)->pctx, (data), 1) void poly1305_aes_update (struct poly1305_aes_ctx *ctx, @@ -78,11 +79,11 @@ memset (ctx->block + ctx->index + 1, 0, POLY1305_BLOCK_SIZE - 1 - ctx->index); - _poly1305_block (&ctx->pctx, ctx->block, 0); + _nettle_poly1305_block (&ctx->pctx, ctx->block, 0); } aes128_encrypt(&ctx->aes, POLY1305_BLOCK_SIZE, s.b, ctx->nonce); - poly1305_digest (&ctx->pctx, &s); + _nettle_poly1305_digest (&ctx->pctx, &s); memcpy (digest, s.b, length); INCREMENT (16, ctx->nonce); diff -Nru nettle-3.4.1/poly1305.h nettle-3.7.3/poly1305.h --- nettle-3.4.1/poly1305.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/poly1305.h 2021-06-06 20:06:29.000000000 +0000 
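Review bot: The new guard `if (length + 11 > padded_message_length)` can wrap when a caller passes a `length` within 11 of `SIZE_MAX`, since both operands are `size_t`; the equivalent `if (padded_message_length < 11 || length > padded_message_length - 11) return 0;` cannot overflow and is still message-independent. Replacing the `assert` with a failure return is the right direction, as out-of-range sizes now give the "unchanged on error" behaviour that pkcs1-internal.h promises instead of an abort, but a short comment on why the constant is 11 (two format bytes, at least eight padding bytes and the terminator) would spare the next reader a trip to the PKCS#1 specification. The body of `_pkcs1_sec_decrypt` begins and ends outside this hunk.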
@@ -42,10 +42,6 @@ #endif /* Name mangling */ -#define poly1305_set_key nettle_poly1305_set_key -#define poly1305_digest nettle_poly1305_digest -#define _poly1305_block _nettle_poly1305_block - #define poly1305_aes_set_key nettle_poly1305_aes_set_key #define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce #define poly1305_aes_update nettle_poly1305_aes_update @@ -53,9 +49,7 @@ /* Low level functions/macros for the poly1305 construction. */ -#define POLY1305_DIGEST_SIZE 16 #define POLY1305_BLOCK_SIZE 16 -#define POLY1305_KEY_SIZE 16 struct poly1305_ctx { /* Key, 128-bit value and some cached multiples. */ @@ -76,14 +70,6 @@ } h; }; -/* Low-level internal interface. */ -void poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); -/* Extracts digest, and adds it to s, the encrypted nonce. */ -void poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s); -/* Internal function. Process one block. */ -void _poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, - unsigned high); - /* poly1305-aes */ #define POLY1305_AES_KEY_SIZE 32 diff -Nru nettle-3.4.1/poly1305-internal.c nettle-3.7.3/poly1305-internal.c --- nettle-3.4.1/poly1305-internal.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/poly1305-internal.c 2021-06-06 20:06:29.000000000 +0000 @@ -63,6 +63,7 @@ #include #include "poly1305.h" +#include "poly1305-internal.h" #include "macros.h" @@ -85,7 +86,7 @@ #define h4 hh void -poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) +_nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) { uint32_t t0,t1,t2,t3; @@ -113,7 +114,7 @@ } void -_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4) +_nettle_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4) { uint32_t t0,t1,t2,t3; uint32_t b; 
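Review bot: `_nettle_poly1305_set_key` is defined in poly1305-internal.c with `const uint8_t key[16]` while its new declaration in poly1305-internal.h spells the same bound as `const uint8_t key[POLY1305_KEY_SIZE]`; using the macro in the definition as well, `_nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE])`, keeps declaration and definition in step. The renamed functions' bodies extend beyond the hunk lines shown here.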
@@ -148,7 +149,7 @@ /* Adds digest to the nonce */ void -poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) +_nettle_poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) { uint32_t b, nb; uint64_t f0,f1,f2,f3; diff -Nru nettle-3.4.1/poly1305-internal.h nettle-3.7.3/poly1305-internal.h --- nettle-3.4.1/poly1305-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/poly1305-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,61 @@
+/* poly1305-internal.h
+
+ Poly1305 message authentication code.
+
+ Copyright (C) 2013 Nikos Mavrogiannopoulos
+ Copyright (C) 2013, 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_POLY1305_INTERNAL_H_INCLUDED
+#define NETTLE_POLY1305_INTERNAL_H_INCLUDED
+
+#include "poly1305.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Low level functions/macros for the poly1305 construction. */
+
+#define POLY1305_DIGEST_SIZE 16
+#define POLY1305_KEY_SIZE 16
+
+/* Low-level internal interface. */
+void _nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]);
+/* Extracts digest, and adds it to s, the encrypted nonce. */
+void _nettle_poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s);
+/* Process one block.
*/
+void _nettle_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m,
+ unsigned high);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_POLY1305_INTERNAL_H_INCLUDED */
diff -Nru nettle-3.4.1/powerpc64/fat/aes-decrypt-internal-2.asm nettle-3.7.3/powerpc64/fat/aes-decrypt-internal-2.asm
--- nettle-3.4.1/powerpc64/fat/aes-decrypt-internal-2.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/fat/aes-decrypt-internal-2.asm 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,37 @@
+C powerpc64/fat/aes-decrypt-internal-2.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Mamone Tarsha
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(_nettle_aes_decrypt) picked up by configure
+
+define(`fat_transform', `$1_ppc64')
+include_src(`powerpc64/p8/aes-decrypt-internal.asm')
diff -Nru nettle-3.4.1/powerpc64/fat/aes-encrypt-internal-2.asm nettle-3.7.3/powerpc64/fat/aes-encrypt-internal-2.asm
--- nettle-3.4.1/powerpc64/fat/aes-encrypt-internal-2.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/fat/aes-encrypt-internal-2.asm 2021-06-06 20:06:30.000000000 +0000
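Review bot: The `high` argument of `_nettle_poly1305_block` has no stated meaning; the only comment is `/* Process one block. */`, and the public declaration this replaces said no more. Since this header is now the only place the internal interface is described, a one-line contract such as `/* Process the 16-byte block m; high is the value of the extra bit 2^128 folded into the block (presumably 1 for full blocks, 0 for the padded final block -- confirm against the callers in poly1305.c). */` would spare the next reader a trip through the implementation. Moving `POLY1305_DIGEST_SIZE` and `POLY1305_KEY_SIZE` out of poly1305.h also removes them from what installed headers expose, so code that used the old `poly1305_*` low-level functions and these macros stops compiling; recording that the low-level interface was never part of the stable API, either here or in the user-visible release notes, makes the break deliberate rather than accidental.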
@@ -0,0 +1,37 @@
+C powerpc64/fat/aes-encrypt-internal-2.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Mamone Tarsha
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(_nettle_aes_encrypt) picked up by configure
+
+define(`fat_transform', `$1_ppc64')
+include_src(`powerpc64/p8/aes-encrypt-internal.asm')
diff -Nru nettle-3.4.1/powerpc64/fat/chacha-2core.asm nettle-3.7.3/powerpc64/fat/chacha-2core.asm
--- nettle-3.4.1/powerpc64/fat/chacha-2core.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/fat/chacha-2core.asm 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,36 @@
+C powerpc64/fat/chacha-2core.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(_nettle_fat_chacha_2core) picked up by configure
+
+include_src(`powerpc64/p7/chacha-2core.asm')
diff -Nru nettle-3.4.1/powerpc64/fat/chacha-4core.asm nettle-3.7.3/powerpc64/fat/chacha-4core.asm
--- nettle-3.4.1/powerpc64/fat/chacha-4core.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/fat/chacha-4core.asm 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,36 @@
+C powerpc64/fat/chacha-4core.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(_nettle_fat_chacha_4core) picked up by configure
+
+include_src(`powerpc64/p7/chacha-4core.asm')
diff -Nru nettle-3.4.1/powerpc64/fat/chacha-core-internal-2.asm nettle-3.7.3/powerpc64/fat/chacha-core-internal-2.asm
--- nettle-3.4.1/powerpc64/fat/chacha-core-internal-2.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/fat/chacha-core-internal-2.asm 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,37 @@
+C powerpc64/fat/chacha-core-internal-2.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl PROLOGUE(_nettle_chacha_core) picked up by configure
+
+define(`fat_transform', `$1_altivec')
+include_src(`powerpc64/p7/chacha-core-internal.asm')
diff -Nru nettle-3.4.1/powerpc64/fat/gcm-hash.asm nettle-3.7.3/powerpc64/fat/gcm-hash.asm
--- nettle-3.4.1/powerpc64/fat/gcm-hash.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/fat/gcm-hash.asm 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,39 @@
+C powerpc64/fat/gcm-hash.asm
+
+
+ifelse(`
+ Copyright (C) 2020 Mamone Tarsha
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+dnl picked up by configure
+dnl PROLOGUE(_nettle_fat_gcm_init_key)
+dnl PROLOGUE(_nettle_fat_gcm_hash)
+
+define(`fat_transform', `$1_ppc64')
+include_src(`powerpc64/p8/gcm-hash.asm')
diff -Nru nettle-3.4.1/powerpc64/machine.m4 nettle-3.7.3/powerpc64/machine.m4
--- nettle-3.4.1/powerpc64/machine.m4 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/machine.m4 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,53 @@
+define(`PROLOGUE',
+`.globl C_NAME($1)
+DECLARE_FUNC(C_NAME($1))
+ifelse(WORDS_BIGENDIAN,no,
+`ifdef(`FUNC_ALIGN',`.align FUNC_ALIGN')
+C_NAME($1):
+addis 2,12,(.TOC.-C_NAME($1))@ha
+addi 2,2,(.TOC.-C_NAME($1))@l
+.localentry C_NAME($1), .-C_NAME($1)',
+`.section ".opd","aw"
+.align 3
+C_NAME($1):
+.quad .C_NAME($1),.TOC.@tocbase,0
+.previous
+ifdef(`FUNC_ALIGN',`.align FUNC_ALIGN')
+.C_NAME($1):')
+undefine(`FUNC_ALIGN')')
+
+define(`EPILOGUE',
+`ifelse(WORDS_BIGENDIAN,no,
+`.size C_NAME($1), . - C_NAME($1)',
+`.size .C_NAME($1), . - .C_NAME($1)
+.size C_NAME($1), . - .C_NAME($1)')')
+
+C Get vector-scalar register from vector register
+C VSR(VR)
+define(`VSR',`ifelse(substr($1,0,1),`v',
+``vs'eval(32+substr($1,1,len($1)))',
+`eval(32+$1)')')
+
+C Load the quadword in DATA_SRC storage into
+C VEC_DST. GPR is general-purpose register
+C used to obtain the effective address of
+C DATA_SRC storage.
+C DATA_LOAD_VEC(VEC_DST, DATA_SRC, GPR)
+define(`DATA_LOAD_VEC',
+`addis $3,r2,$2@got@ha
+ld $3,$2@got@l($3)
+lvx $1,0,$3')
+
+dnl Usage: r0 ... r31, cr0 ... cr7
+dnl
+dnl Registers names, either left as "r0" etc or mapped to plain 0 etc,
+dnl according to the result of the ASM_PPC_WANT_R_REGISTERS configure
+dnl test.
+
+ifelse(ASM_PPC_WANT_R_REGISTERS,no,`
+forloop(i,0,31,`deflit(`r'i,i)')
+forloop(i,0,31,`deflit(`v'i,i)')
+forloop(i,0,63,`deflit(`vs'i,i)')
+forloop(i,0,31,`deflit(`f'i,i)')
+forloop(i,0,7, `deflit(`cr'i,i)')
+')
diff -Nru nettle-3.4.1/powerpc64/p7/chacha-2core.asm nettle-3.7.3/powerpc64/p7/chacha-2core.asm
--- nettle-3.4.1/powerpc64/p7/chacha-2core.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/powerpc64/p7/chacha-2core.asm 2021-06-06 20:06:30.000000000 +0000
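Review bot: `PROLOGUE` and `EPILOGUE` carry no usage comment, unlike `VSR` and `DATA_LOAD_VEC` just below them, and they choose between the `.localentry` entry with the r12-based TOC setup and the `.opd` descriptor form solely on `WORDS_BIGENDIAN`. That keys the ELFv1/ELFv2 calling-convention choice off byte order, which as far as I know are independent properties of a powerpc64 toolchain, so the assumption deserves to be written down, e.g. `C PROLOGUE(name): ELFv2-style entry (assumed for little-endian) or ELFv1 .opd descriptor (assumed for big-endian); honours and then undefines FUNC_ALIGN.` Two smaller points: `DATA_LOAD_VEC` hard-codes `r2` as the TOC base, so it is only valid after the prologue's `addis 2,12,...`/`addi 2,2,...` has run on the little-endian path, and because `PROLOGUE` ends with `undefine(`FUNC_ALIGN')`, a file that defines `FUNC_ALIGN` once and then declares several functions aligns only the first.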
@@ -0,0 +1,264 @@ +C powerpc64/p7/chacha-2core.asm + +ifelse(` + Copyright (C) 2020 Niels Möller and Torbjörn Granlund + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+') + +C Register usage: + +C Argments +define(`DST', `r3') +define(`SRC', `r4') +define(`ROUNDS', `r5') + +C State, even elements in X, odd elements in Y +define(`X0', `v0') +define(`X1', `v1') +define(`X2', `v2') +define(`X3', `v3') +define(`Y0', `v4') +define(`Y1', `v5') +define(`Y2', `v6') +define(`Y3', `v7') + +define(`ROT16', `v8') +define(`ROT12', `v9') +define(`ROT8', `v10') +define(`ROT7', `v11') + +C Original input state +define(`S0', `v12') +define(`S1', `v13') +define(`S2', `v14') +define(`S3', `v15') +define(`S3p1', `v16') + +define(`T0', `v17') + + .text + C _chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_chacha_2core) + + li r8, 0x30 C offset for x3 + vspltisw X1, 1 C {1,1,...,1} + vspltisw X0, 0 C {0,0,...,0} + vsldoi X1, X1, X0, 12 C {1,0,...,0} + + lxvw4x VSR(X3), r8, SRC + + vaddcuw Y3, X3, X1 C Counter carry out + vsldoi Y3, Y3, Y3, 12 + vor Y3, Y3, X1 + +.Lshared_entry: + vadduwm Y3, Y3, X3 + + li r6, 0x10 C set up some... + li r7, 0x20 C ...useful... + lxvw4x VSR(X0), 0, SRC + lxvw4x VSR(X1), r6, SRC + lxvw4x VSR(X2), r7, SRC + + vor S0, X0, X0 + vor S1, X1, X1 + vor S2, X2, X2 + vor S3, X3, X3 + vor S3p1, Y3, Y3 + + vmrgow Y0, X0, X0 C 1 1 3 3 + vmrgew X0, X0, X0 C 0 0 2 2 + vmrgow Y1, X1, X1 C 5 5 7 7 + vmrgew X1, X1, X1 C 4 4 6 6 + vmrgow Y2, X2, X2 C 9 9 11 11 + vmrgew X2, X2, X2 C 8 8 10 10 + vmrgow Y3, X3, S3p1 C 13 13 15 15 + vmrgew X3, X3, S3p1 C 12 12 14 14 + + vspltisw ROT16, -16 C -16 instead of 16 actually works! 
+ vspltisw ROT12, 12 + vspltisw ROT8, 8 + vspltisw ROT7, 7 + + srdi ROUNDS, ROUNDS, 1 + mtctr ROUNDS +.Loop: +C Register layout (A is first block, B is second block) +C +C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 +C X1: A4 B4 A6 B6 Y1: A5 B5 A7 B7 +C X2: A8 B8 A10 B10 Y2: A9 B9 A11 B11 +C X3: A12 B12 A14 B14 Y3: A13 B13 A15 B15 + vadduwm X0, X0, X1 + vadduwm Y0, Y0, Y1 + vxor X3, X3, X0 + vxor Y3, Y3, Y0 + vrlw X3, X3, ROT16 + vrlw Y3, Y3, ROT16 + + vadduwm X2, X2, X3 + vadduwm Y2, Y2, Y3 + vxor X1, X1, X2 + vxor Y1, Y1, Y2 + vrlw X1, X1, ROT12 + vrlw Y1, Y1, ROT12 + + vadduwm X0, X0, X1 + vadduwm Y0, Y0, Y1 + vxor X3, X3, X0 + vxor Y3, Y3, Y0 + vrlw X3, X3, ROT8 + vrlw Y3, Y3, ROT8 + + vadduwm X2, X2, X3 + vadduwm Y2, Y2, Y3 + vxor X1, X1, X2 + vxor Y1, Y1, Y2 + vrlw X1, X1, ROT7 + vrlw Y1, Y1, ROT7 + + vsldoi X1, X1, X1, 8 + vsldoi X2, X2, X2, 8 + vsldoi Y2, Y2, Y2, 8 + vsldoi Y3, Y3, Y3, 8 + +C Register layout: +C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 +C Y1: A5 B5 A7 B7 X1: A6 B6 A4 B4 (X1 swapped) +C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped) +C Y3 A15 B15 A13 B13 X3 A12 B12 A14 B14 (Y3 swapped) + + vadduwm X0, X0, Y1 + vadduwm Y0, Y0, X1 + vxor Y3, Y3, X0 + vxor X3, X3, Y0 + vrlw Y3, Y3, ROT16 + vrlw X3, X3, ROT16 + + vadduwm X2, X2, Y3 + vadduwm Y2, Y2, X3 + vxor Y1, Y1, X2 + vxor X1, X1, Y2 + vrlw Y1, Y1, ROT12 + vrlw X1, X1, ROT12 + + vadduwm X0, X0, Y1 + vadduwm Y0, Y0, X1 + vxor Y3, Y3, X0 + vxor X3, X3, Y0 + vrlw Y3, Y3, ROT8 + vrlw X3, X3, ROT8 + + vadduwm X2, X2, Y3 + vadduwm Y2, Y2, X3 + vxor Y1, Y1, X2 + vxor X1, X1, Y2 + vrlw Y1, Y1, ROT7 + vrlw X1, X1, ROT7 + + vsldoi X1, X1, X1, 8 + vsldoi X2, X2, X2, 8 + vsldoi Y2, Y2, Y2, 8 + vsldoi Y3, Y3, Y3, 8 + + bdnz .Loop + + vmrgew T0, X0, Y0 + vmrgow Y0, X0, Y0 + + vmrgew X0, X1, Y1 + vmrgow Y1, X1, Y1 + + vmrgew X1, X2, Y2 + vmrgow Y2, X2, Y2 + + vmrgew X2, X3, Y3 + vmrgow Y3, X3, Y3 + + vadduwm T0, T0, S0 + vadduwm Y0, Y0, S0 + vadduwm X0, X0, S1 + vadduwm Y1, Y1, S1 + vadduwm X1, X1, S2 + vadduwm Y2, Y2, 
S2 + vadduwm X2, X2, S3 + vadduwm Y3, Y3, S3p1 + +IF_BE(` + C Output always stored in little-endian byte order. + C Can reuse S0 and S1 to construct permutation mask. + li r9, 0 + lvsl S0, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f + vspltisb S1, 0x03 C 03 03 03 03 ... 03 03 03 03 + vxor S1, S1, S0 C 03 02 01 00 ... 0f 0e 0d 0c + + vperm T0, T0, T0, S1 + vperm X0, X0, X0, S1 + vperm X1, X1, X1, S1 + vperm X2, X2, X2, S1 + vperm Y0, Y0, Y0, S1 + vperm Y1, Y1, Y1, S1 + vperm Y2, Y2, Y2, S1 + vperm Y3, Y3, Y3, S1 +') + stxvw4x VSR(T0), 0, DST + stxvw4x VSR(X0), r6, DST + stxvw4x VSR(X1), r7, DST + stxvw4x VSR(X2), r8, DST + + addi DST, DST, 64 + + stxvw4x VSR(Y0), 0, DST + stxvw4x VSR(Y1), r6, DST + stxvw4x VSR(Y2), r7, DST + stxvw4x VSR(Y3), r8, DST + blr +EPILOGUE(_nettle_chacha_2core) + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_chacha_2core32) + li r8, 0x30 C offset for x3 + vspltisw Y3, 1 C {1,1,...,1} + vspltisw X0, 0 C {0,0,...,0} + vsldoi Y3, Y3, X0, 12 C {1,0,...,0} + lxvw4x VSR(X3), r8, SRC + b .Lshared_entry +EPILOGUE(_nettle_chacha_2core32) + +divert(-1) +define core2state +p/x $vs32.v4_int32 +p/x $vs33.v4_int32 +p/x $vs34.v4_int32 +p/x $vs35.v4_int32 +p/x $vs36.v4_int32 +p/x $vs37.v4_int32 +p/x $vs38.v4_int32 +p/x $vs39.v4_int32 +end diff -Nru nettle-3.4.1/powerpc64/p7/chacha-4core.asm nettle-3.7.3/powerpc64/p7/chacha-4core.asm --- nettle-3.4.1/powerpc64/p7/chacha-4core.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/powerpc64/p7/chacha-4core.asm 2021-06-06 20:06:30.000000000 +0000 
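Review bot: The register-layout comment after the first half-round reads `C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped)`; following the pattern of the neighbouring rows the Y2 entry should be `A11 B11 A9 B9`. Separately, `srdi ROUNDS, ROUNDS, 1` followed by `mtctr ROUNDS` silently discards an odd round count and, for `rounds` of 0 or 1, loads CTR with 0 so that `bdnz .Loop` keeps iterating until the 64-bit counter wraps; if the C caller does not already reject such values (it is not visible here), a comment at the `mtctr` such as `C Requires rounds even and >= 2; CTR = 0 would make bdnz loop 2^64 times` records the precondition. The same unguarded `srdi`/`mtctr` sequence appears in powerpc64/p7/chacha-4core.asm and powerpc64/p7/chacha-core-internal.asm, and all three files spell the header as `C Argments` rather than `C Arguments`. The `divert(-1)` block at the end holds gdb `p/x` commands rather than assembler source and reads as debugging residue that could live in a separate script.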
@@ -0,0 +1,279 @@ +C powerpc64/chacha-4core.asm + +ifelse(` + Copyright (C) 2020 Niels Möller and Torbjörn Granlund + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + +C Register usage: + +define(`SP', `r1') +define(`TOCP', `r2') + +C Argments +define(`DST', `r3') +define(`SRC', `r4') +define(`ROUNDS', `r5') + +C Working state in v0,...,v15 + +define(`ROT16', v16) +define(`ROT12', v17) +define(`ROT8', v18) +define(`ROT7', v19) + +C During the loop, used to save the original values for last 4 words +C of each block. Also used as temporaries for transpose. 
+define(`T0', `v20') +define(`T1', `v21') +define(`T2', `v22') +define(`T3', `v23') + +C Main loop for round +define(`QR',` + vadduwm $1, $1, $2 + vadduwm $5, $5, $6 + vadduwm $9, $9, $10 + vadduwm $13, $13, $14 + vxor $4, $4, $1 + vxor $8, $8, $5 + vxor $12, $12, $9 + vxor $16, $16, $13 + vrlw $4, $4, ROT16 + vrlw $8, $8, ROT16 + vrlw $12, $12, ROT16 + vrlw $16, $16, ROT16 + + vadduwm $3, $3, $4 + vadduwm $7, $7, $8 + vadduwm $11, $11, $12 + vadduwm $15, $15, $16 + vxor $2, $2, $3 + vxor $6, $6, $7 + vxor $10, $10, $11 + vxor $14, $14, $15 + vrlw $2, $2, ROT12 + vrlw $6, $6, ROT12 + vrlw $10, $10, ROT12 + vrlw $14, $14, ROT12 + + vadduwm $1, $1, $2 + vadduwm $5, $5, $6 + vadduwm $9, $9, $10 + vadduwm $13, $13, $14 + vxor $4, $4, $1 + vxor $8, $8, $5 + vxor $12, $12, $9 + vxor $16, $16, $13 + vrlw $4, $4, ROT8 + vrlw $8, $8, ROT8 + vrlw $12, $12, ROT8 + vrlw $16, $16, ROT8 + + vadduwm $3, $3, $4 + vadduwm $7, $7, $8 + vadduwm $11, $11, $12 + vadduwm $15, $15, $16 + vxor $2, $2, $3 + vxor $6, $6, $7 + vxor $10, $10, $11 + vxor $14, $14, $15 + vrlw $2, $2, ROT7 + vrlw $6, $6, ROT7 + vrlw $10, $10, ROT7 + vrlw $14, $14, ROT7 +') + +define(`TRANSPOSE',` + vmrghw T0, $1, $3 C A0 A2 B0 B2 + vmrghw T1, $2, $4 C A1 A3 B1 B3 + vmrglw T2, $1, $3 C C0 C2 D0 D2 + vmrglw T3, $2, $4 C C1 C3 D1 D3 + + vmrghw $1, T0, T1 C A0 A1 A2 A3 + vmrglw $2, T0, T1 C B0 B1 B2 B3 + vmrghw $3, T2, T3 C C0 C2 C1 C3 + vmrglw $4, T2, T3 C D0 D1 D2 D3 +') + + C _chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds) +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_chacha_4core) + + vspltisw T2, 1 C Apply counter carries + +.Lshared_entry: + + li r6, 0x10 C set up some... + li r7, 0x20 C ...useful... + li r8, 0x30 C ...offsets + + C Save callee-save registers. Use the "protected zone", max + C 228 bytes, below the stack pointer, accessed via r10. 
+ addi r10, SP, -0x40 + stvx v20, 0, r10 + stvx v21, r6, r10 + stvx v22, r7, r10 + stvx v23, r8, r10 + + vspltisw ROT16, -16 C -16 instead of 16 actually works! + vspltisw ROT12, 12 + vspltisw ROT8, 8 + vspltisw ROT7, 7 + +C Load state and splat + lxvw4x VSR(v0), 0, SRC C "expa ..." + lxvw4x VSR(v4), r6, SRC C key + lxvw4x VSR(v8), r7, SRC C key + lxvw4x VSR(v12), r8, SRC C cnt and nonce + + vspltw v1, v0, 1 + vspltw v2, v0, 2 + vspltw v3, v0, 3 + vspltw v0, v0, 0 + vspltw v5, v4, 1 + vspltw v6, v4, 2 + vspltw v7, v4, 3 + vspltw v4, v4, 0 + vspltw v9, v8, 1 + vspltw v10, v8, 2 + vspltw v11, v8, 3 + vspltw v8, v8, 0 + vspltw v13, v12, 1 + vspltw v14, v12, 2 + vspltw v15, v12, 3 + vspltw v12, v12, 0 + + addis r9, r2, .Lcnts@got@ha + ld r9, .Lcnts@got@l(r9) + lxvw4x VSR(T0), 0, r9 C increments + vaddcuw T1, v12, T0 C compute carry-out + vadduwm v12, v12, T0 C low adds + vand T1, T1, T2 C discard carries for 32-bit counter variant + vadduwm v13, v13, T1 C apply carries + + C Save all 4x4 of the last words. + vor T0, v12, v12 + vor T1, v13, v13 + vor T2, v14, v14 + vor T3, v15, v15 + + srdi ROUNDS, ROUNDS, 1 + mtctr ROUNDS +.Loop: + QR(v0, v4, v8, v12, v1, v5, v9, v13, v2, v6, v10, v14, v3, v7, v11, v15) + QR(v0, v5, v10, v15, v1, v6, v11, v12, v2, v7, v8, v13, v3, v4, v9, v14) + bdnz .Loop + + C Add in saved original words, including counters, before + C transpose. 
+ vadduwm v12, v12, T0 + vadduwm v13, v13, T1 + vadduwm v14, v14, T2 + vadduwm v15, v15, T3 + + TRANSPOSE(v0, v1,v2, v3) + TRANSPOSE(v4, v5, v6, v7) + TRANSPOSE(v8, v9, v10, v11) + TRANSPOSE(v12, v13, v14, v15) + + lxvw4x VSR(T0), 0, SRC + lxvw4x VSR(T1), r6, SRC + lxvw4x VSR(T2), r7, SRC + + vadduwm v0, v0, T0 + vadduwm v1, v1, T0 + vadduwm v2, v2, T0 + vadduwm v3, v3, T0 + + vadduwm v4, v4, T1 + vadduwm v5, v5, T1 + vadduwm v6, v6, T1 + vadduwm v7, v7, T1 + + vadduwm v8, v8, T2 + vadduwm v9, v9, T2 + vadduwm v10, v10, T2 + vadduwm v11, v11, T2 + +IF_BE(` + C Output always stored in little-endian byte order. + C Can reuse T0 and T1 to construct permutation mask. + li r9, 0 + lvsl T0, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f + vspltisb T1, 0x03 C 03 03 03 03 ... 03 03 03 03 + vxor T1, T1, T0 C 03 02 01 00 ... 0f 0e 0d 0c + + forloop(i, 0, 15, ` + vperm m4_unquote(v`'i), m4_unquote(v`'i), m4_unquote(v`'i), T1 + ') +') + + stxvw4x VSR(v0), 0, DST + stxvw4x VSR(v4), r6, DST + stxvw4x VSR(v8), r7, DST + stxvw4x VSR(v12), r8, DST + + addi DST, DST, 64 + + stxvw4x VSR(v1), 0, DST + stxvw4x VSR(v5), r6, DST + stxvw4x VSR(v9), r7, DST + stxvw4x VSR(v13), r8, DST + + addi DST, DST, 64 + + stxvw4x VSR(v2), 0, DST + stxvw4x VSR(v6), r6, DST + stxvw4x VSR(v10), r7, DST + stxvw4x VSR(v14), r8, DST + + addi DST, DST, 64 + + stxvw4x VSR(v3), 0, DST + stxvw4x VSR(v7), r6, DST + stxvw4x VSR(v11), r7, DST + stxvw4x VSR(v15), r8, DST + + C Restore callee-save registers + lvx v20, 0, r10 + lvx v21, r6, r10 + lvx v22, r7, r10 + lvx v23, r8, r10 + + blr +EPILOGUE(_nettle_chacha_4core) + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_chacha_4core32) + vspltisw T2, 0 C Ignore counter carries + b .Lshared_entry +EPILOGUE(_nettle_chacha_4core32) + + .section .rodata + ALIGN(16) +.Lcnts: .long 0,1,2,3 C increments diff -Nru nettle-3.4.1/powerpc64/p7/chacha-core-internal.asm nettle-3.7.3/powerpc64/p7/chacha-core-internal.asm --- nettle-3.4.1/powerpc64/p7/chacha-core-internal.asm 1970-01-01 
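Review bot: The file header says `C powerpc64/chacha-4core.asm` while the file is added at powerpc64/p7/chacha-4core.asm and every sibling in this commit names its own path, so it should read `C powerpc64/p7/chacha-4core.asm`. The callee-save comment describes the area below the stack pointer as `max 228 bytes`; my recollection is that the 64-bit ELF ABIs reserve 288 bytes, so the figure is worth checking against the ABI text (the 64 bytes actually used at `addi r10, SP, -0x40` fit either way, and `r10` must survive the loop as the restore base, which it does since the loop body is all vector instructions). The `ROT16`..`ROT7` defines pass their register unquoted, `define(`ROT16', v16)`, whereas `T0`..`T3` quote theirs, `define(`T0', `v20')`; with the `deflit` register mapping both forms appear to end at the same register number, so this is cosmetic, but quoting all of them consistently removes a reason to think about m4 expansion order.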
00:00:00.000000000 +0000 +++ nettle-3.7.3/powerpc64/p7/chacha-core-internal.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,160 @@ +C powerpc64/p7/chacha-core-internal.asm + +ifelse(` + Copyright (C) 2020 Niels Möller and Torbjörn Granlund + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+') + +C Register usage: + +C Argments +define(`DST', `r3') +define(`SRC', `r4') +define(`ROUNDS', `r5') + +C Working state +define(`X0', `v0') +define(`X1', `v1') +define(`X2', `v2') +define(`X3', `v3') + +define(`ROT16', `v4') +define(`ROT12', `v5') +define(`ROT8', `v6') +define(`ROT7', `v7') + +C Original input state +define(`S0', `v8') +define(`S1', `v9') +define(`S2', `v10') +define(`S3', `v11') + +C Big-endian working state +define(`LE_MASK', `v12') +define(`LE_TEMP', `v13') + +C QROUND(X0, X1, X2, X3) +define(`QROUND', ` + C x0 += x1, x3 ^= x0, x3 lrot 16 + C x2 += x3, x1 ^= x2, x1 lrot 12 + C x0 += x1, x3 ^= x0, x3 lrot 8 + C x2 += x3, x1 ^= x2, x1 lrot 7 + + vadduwm $1, $1, $2 + vxor $4, $4, $1 + vrlw $4, $4, ROT16 + + vadduwm $3, $3, $4 + vxor $2, $2, $3 + vrlw $2, $2, ROT12 + + vadduwm $1, $1, $2 + vxor $4, $4, $1 + vrlw $4, $4, ROT8 + + vadduwm $3, $3, $4 + vxor $2, $2, $3 + vrlw $2, $2, ROT7 +') + +C LE_SWAP32(X0, X1, X2, X3) +define(`LE_SWAP32', `IF_BE(` + vperm X0, X0, X0, LE_MASK + vperm X1, X1, X1, LE_MASK + vperm X2, X2, X2, LE_MASK + vperm X3, X3, X3, LE_MASK +')') + + .text + C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_chacha_core) + + li r6, 0x10 C set up some... + li r7, 0x20 C ...useful... + li r8, 0x30 C ...offsets + + vspltisw ROT16, -16 C -16 instead of 16 actually works! + vspltisw ROT12, 12 + vspltisw ROT8, 8 + vspltisw ROT7, 7 +IF_BE(` + li r9, 0 + lvsl LE_MASK, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f + vspltisb LE_TEMP, 0x03 C 03 03 03 03 ... 03 03 03 03 + vxor LE_MASK, LE_MASK, LE_TEMP C 03 02 01 00 ... 
0f 0e 0d 0c +') + + lxvw4x VSR(X0), 0, SRC + lxvw4x VSR(X1), r6, SRC + lxvw4x VSR(X2), r7, SRC + lxvw4x VSR(X3), r8, SRC + + vor S0, X0, X0 + vor S1, X1, X1 + vor S2, X2, X2 + vor S3, X3, X3 + + srdi ROUNDS, ROUNDS, 1 + mtctr ROUNDS + +.Loop: + QROUND(X0, X1, X2, X3) + C Rotate rows, to get + C 0 1 2 3 + C 5 6 7 4 <<< 1 + C 10 11 8 9 <<< 2 + C 15 12 13 14 <<< 3 + + vsldoi X1, X1, X1, 4 + vsldoi X2, X2, X2, 8 + vsldoi X3, X3, X3, 12 + + QROUND(X0, X1, X2, X3) + + C Inverse rotation + vsldoi X1, X1, X1, 12 + vsldoi X2, X2, X2, 8 + vsldoi X3, X3, X3, 4 + + bdnz .Loop + + vadduwm X0, X0, S0 + vadduwm X1, X1, S1 + vadduwm X2, X2, S2 + vadduwm X3, X3, S3 + + LE_SWAP32(X0, X1, X2, X3) + + stxvw4x VSR(X0), 0, DST + stxvw4x VSR(X1), r6, DST + stxvw4x VSR(X2), r7, DST + stxvw4x VSR(X3), r8, DST + + blr +EPILOGUE(_nettle_chacha_core) diff -Nru nettle-3.4.1/powerpc64/p8/aes-decrypt-internal.asm nettle-3.7.3/powerpc64/p8/aes-decrypt-internal.asm --- nettle-3.4.1/powerpc64/p8/aes-decrypt-internal.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/powerpc64/p8/aes-decrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 
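Review bot: `LE_SWAP32` is documented and invoked as `LE_SWAP32(X0, X1, X2, X3)` but its body ignores `$1`..`$4` and permutes the fixed registers `X0`..`X3`, so the parameters are decorative; either have the four lines use the arguments, `vperm $1, $1, $1, LE_MASK` and so on, or drop the argument list together with the `C LE_SWAP32(X0, X1, X2, X3)` comment so the macro does not promise a generality it lacks. The `IF_BE` setup also leaves `LE_TEMP` (v13) reserved for the whole function although it is dead after the single `vxor LE_MASK, LE_MASK, LE_TEMP`; a note such as `C LE_TEMP is free after this point` would make that clear if anyone later needs a spare register.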
@@ -0,0 +1,356 @@ +C powerpc64/p8/aes-decrypt-internal.asm + +ifelse(` + Copyright (C) 2020 Mamone Tarsha + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + +C Register usage: + +define(`SP', `r1') +define(`TOCP', `r2') + +define(`ROUNDS', `r3') +define(`KEYS', `r4') +define(`LENGTH', `r6') +define(`DST', `r7') +define(`SRC', `r8') + +define(`swap_mask', `v0') + +define(`K', `v1') +define(`S0', `v2') +define(`S1', `v3') +define(`S2', `v4') +define(`S3', `v5') +define(`S4', `v6') +define(`S5', `v7') +define(`S6', `v8') +define(`S7', `v9') + +C ZERO vector register is used in place of RoundKey +C for vncipher instruction because the order of InvMixColumns +C and Xor processes are flipped in that instruction. +C The Xor process with RoundKey is executed afterward. 
+define(`ZERO', `v10') + +.file "aes-decrypt-internal.asm" + +.text + + C _aes_decrypt(unsigned rounds, const uint32_t *keys, + C const struct aes_table *T, + C size_t length, uint8_t *dst, + C uint8_t *src) + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_aes_decrypt) + vxor ZERO,ZERO,ZERO + + DATA_LOAD_VEC(swap_mask,.swap_mask,r5) + + subi ROUNDS,ROUNDS,1 + srdi LENGTH,LENGTH,4 + + srdi r5,LENGTH,3 #8x loop count + cmpldi r5,0 + beq L4x + + std r25,-56(SP); + std r26,-48(SP); + std r27,-40(SP); + std r28,-32(SP); + std r29,-24(SP); + std r30,-16(SP); + std r31,-8(SP); + + li r25,0x10 + li r26,0x20 + li r27,0x30 + li r28,0x40 + li r29,0x50 + li r30,0x60 + li r31,0x70 + +.align 5 +Lx8_loop: + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + lxvd2x VSR(S1),r25,SRC + lxvd2x VSR(S2),r26,SRC + lxvd2x VSR(S3),r27,SRC + lxvd2x VSR(S4),r28,SRC + lxvd2x VSR(S5),r29,SRC + lxvd2x VSR(S6),r30,SRC + lxvd2x VSR(S7),r31,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask + vperm S4,S4,S4,swap_mask + vperm S5,S5,S5,swap_mask + vperm S6,S6,S6,swap_mask + vperm S7,S7,S7,swap_mask') + + vxor S0,S0,K + vxor S1,S1,K + vxor S2,S2,K + vxor S3,S3,K + vxor S4,S4,K + vxor S5,S5,K + vxor S6,S6,K + vxor S7,S7,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L8x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipher S0,S0,ZERO + vncipher S1,S1,ZERO + vncipher S2,S2,ZERO + vncipher S3,S3,ZERO + vncipher S4,S4,ZERO + vncipher S5,S5,ZERO + vncipher S6,S6,ZERO + vncipher S7,S7,ZERO + vxor S0,S0,K + vxor S1,S1,K + vxor S2,S2,K + vxor S3,S3,K + vxor S4,S4,K + vxor S5,S5,K + vxor S6,S6,K + vxor S7,S7,K + addi r10,r10,0x10 + bdnz L8x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipherlast S0,S0,K + vncipherlast S1,S1,K + vncipherlast S2,S2,K + vncipherlast S3,S3,K + vncipherlast S4,S4,K + vncipherlast S5,S5,K + vncipherlast S6,S6,K + vncipherlast S7,S7,K + +IF_LE(`vperm 
S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask + vperm S4,S4,S4,swap_mask + vperm S5,S5,S5,swap_mask + vperm S6,S6,S6,swap_mask + vperm S7,S7,S7,swap_mask') + + stxvd2x VSR(S0),0,DST + stxvd2x VSR(S1),r25,DST + stxvd2x VSR(S2),r26,DST + stxvd2x VSR(S3),r27,DST + stxvd2x VSR(S4),r28,DST + stxvd2x VSR(S5),r29,DST + stxvd2x VSR(S6),r30,DST + stxvd2x VSR(S7),r31,DST + + addi SRC,SRC,0x80 + addi DST,DST,0x80 + subic. r5,r5,1 + bne Lx8_loop + + ld r25,-56(SP); + ld r26,-48(SP); + ld r27,-40(SP); + ld r28,-32(SP); + ld r29,-24(SP); + ld r30,-16(SP); + ld r31,-8(SP); + + clrldi LENGTH,LENGTH,61 + +L4x: + srdi r5,LENGTH,2 + cmpldi r5,0 + beq L2x + + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + li r9,0x10 + lxvd2x VSR(S1),r9,SRC + addi r9,r9,0x10 + lxvd2x VSR(S2),r9,SRC + addi r9,r9,0x10 + lxvd2x VSR(S3),r9,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask') + + vxor S0,S0,K + vxor S1,S1,K + vxor S2,S2,K + vxor S3,S3,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L4x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipher S0,S0,ZERO + vncipher S1,S1,ZERO + vncipher S2,S2,ZERO + vncipher S3,S3,ZERO + vxor S0,S0,K + vxor S1,S1,K + vxor S2,S2,K + vxor S3,S3,K + addi r10,r10,0x10 + bdnz L4x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipherlast S0,S0,K + vncipherlast S1,S1,K + vncipherlast S2,S2,K + vncipherlast S3,S3,K + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask') + + stxvd2x VSR(S0),0,DST + li r9,0x10 + stxvd2x VSR(S1),r9,DST + addi r9,r9,0x10 + stxvd2x VSR(S2),r9,DST + addi r9,r9,0x10 + stxvd2x VSR(S3),r9,DST + + addi SRC,SRC,0x40 + addi DST,DST,0x40 + + clrldi LENGTH,LENGTH,62 + +L2x: + srdi r5,LENGTH,1 + cmpldi r5,0 + beq L1x + + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + li r9,0x10 + lxvd2x 
VSR(S1),r9,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask') + + vxor S0,S0,K + vxor S1,S1,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L2x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipher S0,S0,ZERO + vncipher S1,S1,ZERO + vxor S0,S0,K + vxor S1,S1,K + addi r10,r10,0x10 + bdnz L2x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipherlast S0,S0,K + vncipherlast S1,S1,K + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask') + + stxvd2x VSR(S0),0,DST + li r9,0x10 + stxvd2x VSR(S1),r9,DST + + addi SRC,SRC,0x20 + addi DST,DST,0x20 + + clrldi LENGTH,LENGTH,63 + +L1x: + cmpldi LENGTH,0 + beq Ldone + + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask') + + vxor S0,S0,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L1x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipher S0,S0,ZERO + vxor S0,S0,K + addi r10,r10,0x10 + bdnz L1x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vncipherlast S0,S0,K + +IF_LE(`vperm S0,S0,S0,swap_mask') + + stxvd2x VSR(S0),0,DST + +Ldone: + blr +EPILOGUE(_nettle_aes_decrypt) + + .data + .align 4 +.swap_mask: +IF_LE(`.byte 8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7') +IF_BE(`.byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12') diff -Nru nettle-3.4.1/powerpc64/p8/aes-encrypt-internal.asm nettle-3.7.3/powerpc64/p8/aes-encrypt-internal.asm --- nettle-3.4.1/powerpc64/p8/aes-encrypt-internal.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/powerpc64/p8/aes-encrypt-internal.asm 2021-06-06 20:06:30.000000000 +0000 
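Review bot: The "Register usage" block never assigns r5, although the header comment lists `const struct aes_table *T` as the third argument; r5 is then used as the DATA_LOAD_VEC scratch register and as the 8x loop counter (`srdi r5,LENGTH,3`), so the table argument is silently clobbered and a reader has to work that out. A line next to the other defines, `C r5 holds the unused aes_table argument; reused as scratch and as the 8x loop counter`, would make it explicit. The `std r25,-56(SP)` … `std r31,-8(SP)` saves write below the stack pointer without allocating a frame, which is only valid because the function is a leaf and stays within the ABI's protected area below SP; that constraint deserves a comment such as `C leaf function: r25-r31 are saved in the red zone below SP, no frame is allocated`, so a future call insertion does not corrupt them. `srdi LENGTH,LENGTH,4` discards any trailing bytes that are not a whole 16-byte block, which is presumably guaranteed by the C caller but should be stated in the header comment as a precondition. Two style nits: `#8x loop count` uses `#` where the rest of the file comments with `C`, and the `std`/`ld` lines carry stray trailing `;`; aes-encrypt-internal.asm in the same diff has all of the same points.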
@@ -0,0 +1,333 @@ +C powerpc64/p8/aes-encrypt-internal.asm + +ifelse(` + Copyright (C) 2020 Mamone Tarsha + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+') + +C Register usage: + +define(`SP', `r1') +define(`TOCP', `r2') + +define(`ROUNDS', `r3') +define(`KEYS', `r4') +define(`LENGTH', `r6') +define(`DST', `r7') +define(`SRC', `r8') + +define(`swap_mask', `v0') + +define(`K', `v1') +define(`S0', `v2') +define(`S1', `v3') +define(`S2', `v4') +define(`S3', `v5') +define(`S4', `v6') +define(`S5', `v7') +define(`S6', `v8') +define(`S7', `v9') + +.file "aes-encrypt-internal.asm" + +.text + + C _aes_encrypt(unsigned rounds, const uint32_t *keys, + C const struct aes_table *T, + C size_t length, uint8_t *dst, + C uint8_t *src) + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_aes_encrypt) + DATA_LOAD_VEC(swap_mask,.swap_mask,r5) + + subi ROUNDS,ROUNDS,1 + srdi LENGTH,LENGTH,4 + + srdi r5,LENGTH,3 #8x loop count + cmpldi r5,0 + beq L4x + + std r25,-56(SP); + std r26,-48(SP); + std r27,-40(SP); + std r28,-32(SP); + std r29,-24(SP); + std r30,-16(SP); + std r31,-8(SP); + + li r25,0x10 + li r26,0x20 + li r27,0x30 + li r28,0x40 + li r29,0x50 + li r30,0x60 + li r31,0x70 + +.align 5 +Lx8_loop: + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + lxvd2x VSR(S1),r25,SRC + lxvd2x VSR(S2),r26,SRC + lxvd2x VSR(S3),r27,SRC + lxvd2x VSR(S4),r28,SRC + lxvd2x VSR(S5),r29,SRC + lxvd2x VSR(S6),r30,SRC + lxvd2x VSR(S7),r31,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask + vperm S4,S4,S4,swap_mask + vperm S5,S5,S5,swap_mask + vperm S6,S6,S6,swap_mask + vperm S7,S7,S7,swap_mask') + + vxor S0,S0,K + vxor S1,S1,K + vxor S2,S2,K + vxor S3,S3,K + vxor S4,S4,K + vxor S5,S5,K + vxor S6,S6,K + vxor S7,S7,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L8x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipher S0,S0,K + vcipher S1,S1,K + vcipher S2,S2,K + vcipher S3,S3,K + vcipher S4,S4,K + vcipher S5,S5,K + vcipher S6,S6,K + vcipher S7,S7,K + addi r10,r10,0x10 + bdnz L8x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipherlast 
S0,S0,K + vcipherlast S1,S1,K + vcipherlast S2,S2,K + vcipherlast S3,S3,K + vcipherlast S4,S4,K + vcipherlast S5,S5,K + vcipherlast S6,S6,K + vcipherlast S7,S7,K + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask + vperm S4,S4,S4,swap_mask + vperm S5,S5,S5,swap_mask + vperm S6,S6,S6,swap_mask + vperm S7,S7,S7,swap_mask') + + stxvd2x VSR(S0),0,DST + stxvd2x VSR(S1),r25,DST + stxvd2x VSR(S2),r26,DST + stxvd2x VSR(S3),r27,DST + stxvd2x VSR(S4),r28,DST + stxvd2x VSR(S5),r29,DST + stxvd2x VSR(S6),r30,DST + stxvd2x VSR(S7),r31,DST + + addi SRC,SRC,0x80 + addi DST,DST,0x80 + subic. r5,r5,1 + bne Lx8_loop + + ld r25,-56(SP); + ld r26,-48(SP); + ld r27,-40(SP); + ld r28,-32(SP); + ld r29,-24(SP); + ld r30,-16(SP); + ld r31,-8(SP); + + clrldi LENGTH,LENGTH,61 + +L4x: + srdi r5,LENGTH,2 + cmpldi r5,0 + beq L2x + + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + li r9,0x10 + lxvd2x VSR(S1),r9,SRC + addi r9,r9,0x10 + lxvd2x VSR(S2),r9,SRC + addi r9,r9,0x10 + lxvd2x VSR(S3),r9,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask') + + vxor S0,S0,K + vxor S1,S1,K + vxor S2,S2,K + vxor S3,S3,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L4x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipher S0,S0,K + vcipher S1,S1,K + vcipher S2,S2,K + vcipher S3,S3,K + addi r10,r10,0x10 + bdnz L4x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipherlast S0,S0,K + vcipherlast S1,S1,K + vcipherlast S2,S2,K + vcipherlast S3,S3,K + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask + vperm S2,S2,S2,swap_mask + vperm S3,S3,S3,swap_mask') + + stxvd2x VSR(S0),0,DST + li r9,0x10 + stxvd2x VSR(S1),r9,DST + addi r9,r9,0x10 + stxvd2x VSR(S2),r9,DST + addi r9,r9,0x10 + stxvd2x VSR(S3),r9,DST + + addi SRC,SRC,0x40 + addi DST,DST,0x40 + + clrldi LENGTH,LENGTH,62 + +L2x: + srdi r5,LENGTH,1 + cmpldi r5,0 + beq L1x 
+ + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + li r9,0x10 + lxvd2x VSR(S1),r9,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask') + + vxor S0,S0,K + vxor S1,S1,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L2x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipher S0,S0,K + vcipher S1,S1,K + addi r10,r10,0x10 + bdnz L2x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipherlast S0,S0,K + vcipherlast S1,S1,K + +IF_LE(`vperm S0,S0,S0,swap_mask + vperm S1,S1,S1,swap_mask') + + stxvd2x VSR(S0),0,DST + li r9,0x10 + stxvd2x VSR(S1),r9,DST + + addi SRC,SRC,0x20 + addi DST,DST,0x20 + + clrldi LENGTH,LENGTH,63 + +L1x: + cmpldi LENGTH,0 + beq Ldone + + lxvd2x VSR(K),0,KEYS + vperm K,K,K,swap_mask + + lxvd2x VSR(S0),0,SRC + +IF_LE(`vperm S0,S0,S0,swap_mask') + + vxor S0,S0,K + + mtctr ROUNDS + li r10,0x10 +.align 5 +L1x_round_loop: + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipher S0,S0,K + addi r10,r10,0x10 + bdnz L1x_round_loop + + lxvd2x VSR(K),r10,KEYS + vperm K,K,K,swap_mask + vcipherlast S0,S0,K + +IF_LE(`vperm S0,S0,S0,swap_mask') + + stxvd2x VSR(S0),0,DST + +Ldone: + blr +EPILOGUE(_nettle_aes_encrypt) + + .data + .align 4 +.swap_mask: +IF_LE(`.byte 8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7') +IF_BE(`.byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12') diff -Nru nettle-3.4.1/powerpc64/p8/gcm-hash.asm nettle-3.7.3/powerpc64/p8/gcm-hash.asm --- nettle-3.4.1/powerpc64/p8/gcm-hash.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/powerpc64/p8/gcm-hash.asm 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,499 @@ +C powerpc64/p8/gcm-hash.asm + +ifelse(` + Copyright (C) 2020 Niels Möller and Mamone Tarsha + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+') + +C gcm_set_key() assigns H value in the middle element of the table +define(`H_Idx', `128') + +C Register usage: + +define(`SP', `r1') +define(`TOCP', `r2') + +define(`TABLE', `r3') + +define(`ZERO', `v0') +define(`B1', `v1') +define(`EMSB', `v16') +define(`POLY', `v17') +define(`POLY_L', `v1') + +define(`H', `v2') +define(`H2', `v3') +define(`H3', `v4') +define(`H4', `v5') +define(`H1M', `v6') +define(`H1L', `v7') +define(`H2M', `v8') +define(`H2L', `v9') +define(`Hl', `v10') +define(`Hm', `v11') +define(`Hp', `v12') +define(`Hl2', `v13') +define(`Hm2', `v14') +define(`Hp2', `v15') +define(`R', `v13') +define(`F', `v14') +define(`T', `v15') +define(`R2', `v16') +define(`F2', `v17') +define(`T2', `v18') + +define(`LE_TEMP', `v18') +define(`LE_MASK', `v19') + +.file "gcm-hash.asm" + +.text + + C void gcm_init_key (union gcm_block *table) + +C This function populates the gcm table as the following layout +C ******************************************************************************* +C | H1M = (H1 div x⁶⁴)||((H1 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | +C | H1L = (H1 mod x⁶⁴)||(((H1 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H1 div x⁶⁴) | +C | | +C | H2M = (H2 div x⁶⁴)||((H2 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | +C | H2L = (H2 mod x⁶⁴)||(((H2 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H2 div x⁶⁴) | +C | | +C | H3M = (H3 div x⁶⁴)||((H3 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | +C | H3L = (H3 mod x⁶⁴)||(((H3 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H3 div x⁶⁴) | +C | | +C | H4M = (H3 div x⁶⁴)||((H4 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | +C | H4L = (H3 mod x⁶⁴)||(((H4 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H4 div x⁶⁴) | +C ******************************************************************************* + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_gcm_init_key) + DATA_LOAD_VEC(POLY,.polynomial,r7) C 0xC2000000000000000000000000000001 +IF_LE(` + li r8,0 + lvsl LE_MASK,0,r8 C 0x000102030405060708090A0B0C0D0E0F + vspltisb LE_TEMP,0x07 C 0x07070707070707070707070707070707 + vxor 
LE_MASK,LE_MASK,LE_TEMP C 0x07060504030201000F0E0D0C0B0A0908 +') + + C 'H' is assigned by gcm_set_key() to the middle element of the table + li r10,H_Idx*16 + lxvd2x VSR(H),r10,TABLE C load 'H' + C byte-reverse of each doubleword permuting on little-endian mode +IF_LE(` + vperm H,H,H,LE_MASK +') + + C --- calculate H = H << 1 mod P(X), P(X) = (x¹²⁸+x¹²⁷+x¹²⁶+x¹²¹+1) --- + + vupkhsb EMSB,H C extend most significant bit to first byte + vspltisb B1,1 C 0x01010101010101010101010101010101 + vspltb EMSB,EMSB,0 C first byte quadword-extend + vsl H,H,B1 C H = H << 1 + vand EMSB,EMSB,POLY C EMSB &= 0xC2000000000000000000000000000001 + vxor ZERO,ZERO,ZERO C 0x00000000000000000000000000000000 + vxor H,H,EMSB C H ^= EMSB + + C --- calculate H^2 = H*H --- + + xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) C 0x0000000000000000C200000000000000 + + C --- Hp = (H mod x⁶⁴) / x⁶⁴ mod P(X) --- + C --- Hp = (H mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷) mod P(X), deg(Hp) ≤ 127 --- + C --- Hp = (H mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷) --- + vpmsumd Hp,H,POLY_L C Hp = (H mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷) + xxswapd VSR(Hm),VSR(H) + xxmrgld VSR(Hl),VSR(H),VSR(ZERO) C Hl = (H mod x⁶⁴) × x⁶⁴ + vxor Hm,Hm,Hp C Hm = Hm + Hp + vxor Hl,Hl,Hp C Hl = Hl + Hp + xxmrgld VSR(H1L),VSR(H),VSR(Hm) C H1L = (H mod x⁶⁴)||(Hl mod x⁶⁴) + xxmrghd VSR(H1M),VSR(H),VSR(Hl) C H1M = (H div x⁶⁴)||(Hl div x⁶⁴) + + vpmsumd F,H1L,H C F = (H1Lh × Hh) + (H1Ll × Hl) + vpmsumd R,H1M,H C R = (H1Mh × Hh) + (H1Ml × Hl) + + C --- rduction --- + vpmsumd T,F,POLY_L C T = (F mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷) + xxswapd VSR(H2),VSR(F) + vxor R,R,T C R = R + T + vxor H2,R,H2 + + xxmrgld VSR(Hl),VSR(H2),VSR(ZERO) + xxswapd VSR(Hm),VSR(H2) + vpmsumd Hp,H2,POLY_L + vxor Hl,Hl,Hp + vxor Hm,Hm,Hp + xxmrghd VSR(H2M),VSR(H2),VSR(Hl) + xxmrgld VSR(H2L),VSR(H2),VSR(Hm) + + C store H1M, H1L, H2M, H2L + li r8,1*16 + li r9,2*16 + li r10,3*16 + stxvd2x VSR(H1M),0,TABLE + stxvd2x VSR(H1L),r8,TABLE + stxvd2x VSR(H2M),r9,TABLE + stxvd2x VSR(H2L),r10,TABLE + + C --- calculate H^3 = H^1*H^2, H^4 = 
H^2*H^2 --- + + vpmsumd F,H1L,H2 + vpmsumd F2,H2L,H2 + vpmsumd R,H1M,H2 + vpmsumd R2,H2M,H2 + + vpmsumd T,F,POLY_L + vpmsumd T2,F2,POLY_L + xxswapd VSR(H3),VSR(F) + xxswapd VSR(H4),VSR(F2) + vxor R,R,T + vxor R2,R2,T2 + vxor H3,R,H3 + vxor H4,R2,H4 + + xxmrgld VSR(Hl),VSR(H3),VSR(ZERO) + xxmrgld VSR(Hl2),VSR(H4),VSR(ZERO) + xxswapd VSR(Hm),VSR(H3) + xxswapd VSR(Hm2),VSR(H4) + vpmsumd Hp,H3,POLY_L + vpmsumd Hp2,H4,POLY_L + vxor Hl,Hl,Hp + vxor Hl2,Hl2,Hp2 + vxor Hm,Hm,Hp + vxor Hm2,Hm2,Hp2 + xxmrghd VSR(H1M),VSR(H3),VSR(Hl) + xxmrghd VSR(H2M),VSR(H4),VSR(Hl2) + xxmrgld VSR(H1L),VSR(H3),VSR(Hm) + xxmrgld VSR(H2L),VSR(H4),VSR(Hm2) + + C store H3M, H3L, H4M, H4L + li r7,4*16 + li r8,5*16 + li r9,6*16 + li r10,7*16 + stxvd2x VSR(H1M),r7,TABLE + stxvd2x VSR(H1L),r8,TABLE + stxvd2x VSR(H2M),r9,TABLE + stxvd2x VSR(H2L),r10,TABLE + + blr +EPILOGUE(_nettle_gcm_init_key) + +define(`TABLE', `r3') +define(`X', `r4') +define(`LENGTH', `r5') +define(`DATA', `r6') + +define(`ZERO', `v16') +define(`POLY', `v17') +define(`POLY_L', `v0') + +define(`D', `v1') +define(`C0', `v2') +define(`C1', `v3') +define(`C2', `v4') +define(`C3', `v5') +define(`H1M', `v6') +define(`H1L', `v7') +define(`H2M', `v8') +define(`H2L', `v9') +define(`H3M', `v10') +define(`H3L', `v11') +define(`H4M', `v12') +define(`H4L', `v13') +define(`R', `v14') +define(`F', `v15') +define(`R2', `v16') +define(`F2', `v17') +define(`T', `v18') +define(`R3', `v20') +define(`F3', `v21') +define(`R4', `v22') +define(`F4', `v23') + +define(`LE_TEMP', `v18') +define(`LE_MASK', `v19') + + C void gcm_hash (const struct gcm_key *key, union gcm_block *x, + C size_t length, const uint8_t *data) + +define(`FUNC_ALIGN', `5') +PROLOGUE(_nettle_gcm_hash) + vxor ZERO,ZERO,ZERO + DATA_LOAD_VEC(POLY,.polynomial,r7) +IF_LE(` + li r8,0 + lvsl LE_MASK,0,r8 + vspltisb LE_TEMP,0x07 + vxor LE_MASK,LE_MASK,LE_TEMP +') + xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) + + lxvd2x VSR(D),0,X C load 'X' pointer + C byte-reverse of each doubleword permuting 
on little-endian mode +IF_LE(` + vperm D,D,D,LE_MASK +') + + C --- process 4 blocks '128-bit each' per one loop --- + + srdi. r7,LENGTH,6 C 4-blocks loop count 'LENGTH / (4 * 16)' + beq L2x + + mtctr r7 C assign counter register to loop count + + C store non-volatile vector registers + addi r8,SP,-64 + stvx v20,0,r8 + addi r8,r8,16 + stvx v21,0,r8 + addi r8,r8,16 + stvx v22,0,r8 + addi r8,r8,16 + stvx v23,0,r8 + + C load table elements + li r8,1*16 + li r9,2*16 + li r10,3*16 + lxvd2x VSR(H1M),0,TABLE + lxvd2x VSR(H1L),r8,TABLE + lxvd2x VSR(H2M),r9,TABLE + lxvd2x VSR(H2L),r10,TABLE + li r7,4*16 + li r8,5*16 + li r9,6*16 + li r10,7*16 + lxvd2x VSR(H3M),r7,TABLE + lxvd2x VSR(H3L),r8,TABLE + lxvd2x VSR(H4M),r9,TABLE + lxvd2x VSR(H4L),r10,TABLE + + li r8,0x10 + li r9,0x20 + li r10,0x30 +.align 5 +L4x_loop: + C input loading + lxvd2x VSR(C0),0,DATA C load C0 + lxvd2x VSR(C1),r8,DATA C load C1 + lxvd2x VSR(C2),r9,DATA C load C2 + lxvd2x VSR(C3),r10,DATA C load C3 + +IF_LE(` + vperm C0,C0,C0,LE_MASK + vperm C1,C1,C1,LE_MASK + vperm C2,C2,C2,LE_MASK + vperm C3,C3,C3,LE_MASK +') + + C previous digest combining + vxor C0,C0,D + + C polynomial multiplication + vpmsumd F2,H3L,C1 + vpmsumd R2,H3M,C1 + vpmsumd F3,H2L,C2 + vpmsumd R3,H2M,C2 + vpmsumd F4,H1L,C3 + vpmsumd R4,H1M,C3 + vpmsumd F,H4L,C0 + vpmsumd R,H4M,C0 + + C deferred recombination of partial products + vxor F3,F3,F4 + vxor R3,R3,R4 + vxor F,F,F2 + vxor R,R,R2 + vxor F,F,F3 + vxor R,R,R3 + + C reduction + vpmsumd T,F,POLY_L + xxswapd VSR(D),VSR(F) + vxor R,R,T + vxor D,R,D + + addi DATA,DATA,0x40 + bdnz L4x_loop + + C restore non-volatile vector registers + addi r8,SP,-64 + lvx v20,0,r8 + addi r8,r8,16 + lvx v21,0,r8 + addi r8,r8,16 + lvx v22,0,r8 + addi r8,r8,16 + lvx v23,0,r8 + + clrldi LENGTH,LENGTH,58 C 'set the high-order 58 bits to zeros' +L2x: + C --- process 2 blocks --- + + srdi. 
r7,LENGTH,5 C 'LENGTH / (2 * 16)' + beq L1x + + C load table elements + li r8,1*16 + li r9,2*16 + li r10,3*16 + lxvd2x VSR(H1M),0,TABLE + lxvd2x VSR(H1L),r8,TABLE + lxvd2x VSR(H2M),r9,TABLE + lxvd2x VSR(H2L),r10,TABLE + + C input loading + li r10,0x10 + lxvd2x VSR(C0),0,DATA C load C0 + lxvd2x VSR(C1),r10,DATA C load C1 + +IF_LE(` + vperm C0,C0,C0,LE_MASK + vperm C1,C1,C1,LE_MASK +') + + C previous digest combining + vxor C0,C0,D + + C polynomial multiplication + vpmsumd F2,H1L,C1 + vpmsumd R2,H1M,C1 + vpmsumd F,H2L,C0 + vpmsumd R,H2M,C0 + + C deferred recombination of partial products + vxor F,F,F2 + vxor R,R,R2 + + C reduction + vpmsumd T,F,POLY_L + xxswapd VSR(D),VSR(F) + vxor R,R,T + vxor D,R,D + + addi DATA,DATA,0x20 + clrldi LENGTH,LENGTH,59 C 'set the high-order 59 bits to zeros' +L1x: + C --- process 1 block --- + + srdi. r7,LENGTH,4 C 'LENGTH / (1 * 16)' + beq Lmod + + C load table elements + li r8,1*16 + lxvd2x VSR(H1M),0,TABLE + lxvd2x VSR(H1L),r8,TABLE + + C input loading + lxvd2x VSR(C0),0,DATA C load C0 + +IF_LE(` + vperm C0,C0,C0,LE_MASK +') + + C previous digest combining + vxor C0,C0,D + + C polynomial multiplication + vpmsumd F,H1L,C0 + vpmsumd R,H1M,C0 + + C reduction + vpmsumd T,F,POLY_L + xxswapd VSR(D),VSR(F) + vxor R,R,T + vxor D,R,D + + addi DATA,DATA,0x10 + clrldi LENGTH,LENGTH,60 C 'set the high-order 60 bits to zeros' +Lmod: + C --- process the modulo bytes, padding the low-order bytes with zeros --- + + cmpldi LENGTH,0 + beq Ldone + + C load table elements + li r8,1*16 + lxvd2x VSR(H1M),0,TABLE + lxvd2x VSR(H1L),r8,TABLE + + C push every modulo byte to the stack and load them with padding into vector register + vxor ZERO,ZERO,ZERO + addi r8,SP,-16 + stvx ZERO,0,r8 +Lstb_loop: + subic. 
LENGTH,LENGTH,1 + lbzx r7,LENGTH,DATA + stbx r7,LENGTH,r8 + bne Lstb_loop + lxvd2x VSR(C0),0,r8 + +IF_LE(` + vperm C0,C0,C0,LE_MASK +') + + C previous digest combining + vxor C0,C0,D + + C polynomial multiplication + vpmsumd F,H1L,C0 + vpmsumd R,H1M,C0 + + C reduction + vpmsumd T,F,POLY_L + xxswapd VSR(D),VSR(F) + vxor R,R,T + vxor D,R,D + +Ldone: + C byte-reverse of each doubleword permuting on little-endian mode +IF_LE(` + vperm D,D,D,LE_MASK +') + stxvd2x VSR(D),0,X C store digest 'D' + + blr +EPILOGUE(_nettle_gcm_hash) + +.data + C 0xC2000000000000000000000000000001 +.polynomial: +.align 4 +IF_BE(` +.byte 0xC2 +.rept 14 +.byte 0x00 +.endr +.byte 0x01 +',` +.byte 0x01 +.rept 14 +.byte 0x00 +.endr +.byte 0xC2 +') diff -Nru nettle-3.4.1/powerpc64/README nettle-3.7.3/powerpc64/README --- nettle-3.4.1/powerpc64/README 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/powerpc64/README 2021-06-06 20:06:30.000000000 +0000 
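Review bot: The table-layout comment above `_nettle_gcm_init_key` labels the last two rows `H4M = (H3 div x⁶⁴)||…` and `H4L = (H3 mod x⁶⁴)||…`, which by the pattern of the H1–H3 rows should read `(H4 div x⁶⁴)` and `(H4 mod x⁶⁴)`; the `C --- rduction ---` heading is also misspelled. The register aliasing is intentional but undocumented: in `_nettle_gcm_init_key` `F2`/`R2` share v17/v16 with `POLY`/`EMSB`, and in `_nettle_gcm_hash` `F2`/`R2` share v17/v16 with `POLY`/`ZERO`, which is the reason `vxor ZERO,ZERO,ZERO` has to be repeated before the `Lstb_loop` byte copy. A comment beside the defines, `C F2/R2 alias POLY/ZERO, both dead once POLY_L is formed; ZERO is re-zeroed before Lmod`, would stop a later edit from reintroducing a use of the dead value. The `stvx v20,0,r8` saves at `SP-64` and the 16-byte scratch block at `SP-16` likewise rely on the function being a leaf that stays inside the ABI's protected area below SP; state that in a one-line comment as the AES files should.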
@@ -0,0 +1,73 @@ +General-Purpose Register Conventions + +Register Status Use + +GPR0 volatile In function prologs. +GPR1 dedicated Stack pointer. +GPR2 dedicated Table of Contents (TOC) pointer. +GPR3 volatile First word of a function's argument list; + first word of a scalar function return. +GPR4 volatile Second word of a function's argument list; + second word of a scalar function return. +GPR5 volatile Third word of a function's argument list. +GPR6 volatile Fourth word of a function's argument list. +GPR7 volatile Fifth word of a function's argument list. +GPR8 volatile Sixth word of a function's argument list. +GPR9 volatile Seventh word of a function's argument list. +GPR10 volatile Eighth word of a function's argument list. +GPR11 volatile In calls by pointer and as an environment pointer + for languages that require it (for example, PASCAL). +GPR12 volatile For special exception handling required by certain + languages and in glink code. +GPR13 reserved Reserved under 64-bit environment; + not restored across system calls. +GPR14:GPR31 nonvolatile These registers must be preserved across + a function call. + +Vector Register Conventions + +Register Status + +VR0:V19 Volatile +VR20:VR31 Nonvolatile (extended ABI mode) their values are preserved + across function calls + +Addressing memory + +There are many ways to reference data, to maintain support of +position-independent code the current implementations use GOT-indirect +addressing (Accessing data through the global offset table): +1. Define data in .data section +2. Load the address of data into register from the global offset table + Use 32-bit offset (medium or large code model) to get maximum addressing + reach of 4 GB e.g. addis r7, r2, my_var@got@ha + ld r7, my_var@got@l(r7) +3. Use the address to load the value of data into register + e.g. 
ld r3, 0(r7) +Refer to [2] for more information about referencing data + +VSX instructions "lxvd2x/stxvd2x" are used to load and store data to +memory instead of VR instructions "lvx/stvx" as it produces a fewer +instructions "lvx/stvx" can be used to load/store data into storage +operands but additional instructions are needed to access unaligned +storage operands, refer to "6.4.1 Accessing Unaligned Storage Operands" +in [3] to see an example of accessing unaligned storage operands. +"lxvd2x/stxvd2x" can be used to load/store data into unaligned storage +operands but permuting is needed for loading and storing data in +little-endian mode VSX registers are defined with "X" suffix + +Function Prologue + +Big-endian systems only support ELFv1 ABI which requires the following +steps in the function prologue: +1. Write the "official procedure descriptor" in ".opd","aw" section +2. Write procedure description for .my_func in my_func label +3. Switch back to ".text" section for program code +4. Label the beginning of the code .my_func +Refer to [1] for more information +Little-endian systems are compatible with ELFv2 ABI, an example of +function prologue for ELFv2 ABI can be seen in [2] + +[1] http://www.ibm.com/developerworks/linux/library/l-powasm1.html +[2] https://openpowerfoundation.org/?resource_lib=64-bit-elf-v2-abi-specification-power-architecture +[3] https://openpowerfoundation.org/?resource_lib=ibm-power-isa-version-2-07-b diff -Nru nettle-3.4.1/pss.c nettle-3.7.3/pss.c --- nettle-3.4.1/pss.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pss.c 2021-06-06 20:06:29.000000000 +0000 
@@ -67,12 +67,12 @@ const uint8_t *digest) { TMP_GMP_DECL(em, uint8_t); - TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE); + TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t key_size = (bits + 7) / 8; size_t j; TMP_GMP_ALLOC(em, key_size); - TMP_ALLOC(state, hash->context_size); + TMP_ALLOC_ALIGN(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) { @@ -127,7 +127,7 @@ { TMP_GMP_DECL(em, uint8_t); TMP_DECL(h2, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); - TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE); + TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); uint8_t *h, *db, *salt; size_t key_size = (bits + 7) / 8; size_t j; @@ -138,7 +138,7 @@ TMP_GMP_ALLOC(em, key_size * 2); TMP_ALLOC(h2, hash->digest_size); - TMP_ALLOC(state, hash->context_size); + TMP_ALLOC_ALIGN(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) goto cleanup; diff -Nru nettle-3.4.1/pss.h nettle-3.7.3/pss.h --- nettle-3.4.1/pss.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/pss.h 2021-06-06 20:06:29.000000000 +0000 @@ -34,7 +34,7 @@ #ifndef NETTLE_PSS_H_INCLUDED #define NETTLE_PSS_H_INCLUDED -#include "nettle-types.h" +#include "nettle-meta.h" #include "bignum.h" #ifdef __cplusplus diff -Nru nettle-3.4.1/pss-mgf1.c nettle-3.7.3/pss-mgf1.c --- nettle-3.4.1/pss-mgf1.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/pss-mgf1.c 2021-06-06 20:06:29.000000000 +0000 
@@ -48,12 +48,12 @@ size_t length, uint8_t *mask) { TMP_DECL(h, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); - TMP_DECL(state, uint8_t, NETTLE_MAX_HASH_CONTEXT_SIZE); + TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t i; uint8_t c[4]; TMP_ALLOC(h, hash->digest_size); - TMP_ALLOC(state, hash->context_size); + TMP_ALLOC_ALIGN(state, hash->context_size); for (i = 0;; i++, mask += hash->digest_size, length -= hash->digest_size) diff -Nru nettle-3.4.1/README nettle-3.7.3/README --- nettle-3.4.1/README 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/README 2021-06-06 20:06:29.000000000 +0000 @@ -30,7 +30,9 @@ If you have downloaded a Nettle release, build it with the usual ./configure && make && make check && make install (see the INSTALL -file for further instructions). +file for further instructions). Using GNU make is strongly +recommended. Nettle's support for public key algorithms, such as RSA +and ECDSA, depends on the GNU GMP library. You can also get Nettle from git, see http://www.lysator.liu.se/~nisse/nettle/ for current instructions. In diff -Nru nettle-3.4.1/ripemd160.c nettle-3.7.3/ripemd160.c --- nettle-3.4.1/ripemd160.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/ripemd160.c 2021-06-06 20:06:29.000000000 +0000 @@ -40,6 +40,7 @@ #include #include "ripemd160.h" +#include "ripemd160-internal.h" #include "macros.h" #include "nettle-write.h" diff -Nru nettle-3.4.1/ripemd160-compress.c nettle-3.7.3/ripemd160-compress.c --- nettle-3.4.1/ripemd160-compress.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/ripemd160-compress.c 2021-06-06 20:06:29.000000000 +0000 @@ -40,6 +40,7 @@ #include #include "ripemd160.h" +#include "ripemd160-internal.h" #include "macros.h" diff -Nru nettle-3.4.1/ripemd160.h nettle-3.7.3/ripemd160.h --- nettle-3.4.1/ripemd160.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/ripemd160.h 2021-06-06 20:06:29.000000000 +0000 
@@ -59,8 +59,8 @@ { uint32_t state[_RIPEMD160_DIGEST_LENGTH]; uint64_t count; /* 64-bit block count */ - uint8_t block[RIPEMD160_BLOCK_SIZE]; unsigned int index; + uint8_t block[RIPEMD160_BLOCK_SIZE]; }; void @@ -76,11 +76,6 @@ size_t length, uint8_t *digest); -/* Internal compression function. STATE points to 5 uint32_t words, - and DATA points to 64 bytes of input data, possibly unaligned. */ -void -_nettle_ripemd160_compress(uint32_t *state, const uint8_t *data); - #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/ripemd160-internal.h nettle-3.7.3/ripemd160-internal.h --- nettle-3.4.1/ripemd160-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/ripemd160-internal.h 2021-06-06 20:06:29.000000000 +0000 
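Review bot: Moving `index` ahead of `block` in `struct ripemd160_ctx` changes the layout of a struct that callers allocate themselves, so a binary built against the 3.4.1 header that hands a context to the new library will have its fields read at the wrong offsets; that is an ABI break and has to be paired with a shared-library version bump and a NEWS entry, neither of which this hunk shows. The same swap is applied to `sha1_ctx` and `sha256_ctx` elsewhere in this diff, so presumably it is deliberate. A one-line comment on the struct, `/* NOTE: field order changed after 3.4.1; not ABI-compatible with older builds */`, would spare the next reader a git-blame.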
@@ -0,0 +1,43 @@ +/* ripemd160-internal.h + + RIPEMD-160 hash function. + + Copyright (C) 2011 Andres Mejia + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_RIPEMD160_INTERNAL_H_INCLUDED +#define NETTLE_RIPEMD160_INTERNAL_H_INCLUDED + + +/* Internal compression function. STATE points to 5 uint32_t words, + and DATA points to 64 bytes of input data, possibly unaligned. */ +void +_nettle_ripemd160_compress(uint32_t *state, const uint8_t *data); + +#endif /* NETTLE_RIPEMD160_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/rsa-blind.c nettle-3.7.3/rsa-blind.c --- nettle-3.4.1/rsa-blind.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-blind.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" diff -Nru nettle-3.4.1/rsa.c nettle-3.7.3/rsa.c --- nettle-3.4.1/rsa.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/rsa.c 2021-06-06 20:06:29.000000000 +0000 
@@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" diff -Nru nettle-3.4.1/rsa-decrypt.c nettle-3.7.3/rsa-decrypt.c --- nettle-3.4.1/rsa-decrypt.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-decrypt.c 2021-06-06 20:06:29.000000000 +0000 @@ -48,6 +48,16 @@ int res; mpz_init(m); + + /* First check that input is in range. Since we don't have the + public key available here, we need to reconstruct n. */ + mpz_mul (m, key->p, key->q); + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0) + { + mpz_clear (m); + return 0; + } + rsa_compute_root(key, m, gibberish); res = pkcs1_decrypt (key->size, m, length, message); diff -Nru nettle-3.4.1/rsa-decrypt-tr.c nettle-3.7.3/rsa-decrypt-tr.c --- nettle-3.4.1/rsa-decrypt-tr.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-decrypt-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,8 +36,8 @@ # include "config.h" #endif -#include "rsa.h" #include "rsa-internal.h" +#include "pkcs1-internal.h" #include "gmp-glue.h" int @@ -52,14 +52,17 @@ mp_size_t key_limb_size; int res; - key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); + /* First check that input is in range. */ + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) + return 0; + + key_limb_size = mpz_size(pub->n); TMP_GMP_ALLOC (m, key_limb_size); TMP_GMP_ALLOC (em, key->size); + mpz_limbs_copy(m, gibberish, key_limb_size); - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, - mpz_limbs_read(gibberish), - mpz_size(gibberish)); + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, key_limb_size); diff -Nru nettle-3.4.1/rsa-encrypt.c nettle-3.7.3/rsa-encrypt.c --- nettle-3.4.1/rsa-encrypt.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-encrypt.c 2021-06-06 20:06:29.000000000 +0000 
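Review bot: The new range check in rsa_decrypt recomputes n as `mpz_mul (m, key->p, key->q)` on every call, which is a variable-time operation on the secret factors; that is tolerable only because, as far as the surrounding API suggests, `rsa_decrypt` is the variant that makes no side-channel promise, and the comment should say so to keep the pattern from being copied into the `_tr`/`_sec` paths. Suggest extending the comment with `Note: mpz_mul on p, q is not side-channel silent; acceptable here, use rsa_sec_decrypt where that matters.` Reusing `m` as scratch for n and then as the root output is fine since `rsa_compute_root` allows x == m. The rest of the function, including how the `pkcs1_decrypt` result is returned, is outside the hunk.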
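Review bot: In rsa_decrypt_tr, `em` is sized from `key->size` (octets) while `m` is now sized from `mpz_size(pub->n)` (limbs), and `mpn_get_base256 (em, key->size, m, key_limb_size)` silently relies on the two describing the same modulus; the old code derived both from `key->size`, so a mismatched `pub`/`key` pair is now caught only by whatever `_rsa_sec_compute_root_tr` asserts. If the public key struct carries the matching `size` field, a guard such as `if (key->size != pub->size) return 0;` next to the new range check makes that coupling explicit and fails closed. The function continues past the hunk, so the unpadding and cleanup could not be checked.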
@@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa.h nettle-3.7.3/rsa.h --- nettle-3.4.1/rsa.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa.h 2021-06-06 20:06:29.000000000 +0000 @@ -99,11 +99,6 @@ #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator #define rsa_keypair_from_der nettle_rsa_keypair_from_der #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp -#define _rsa_verify _nettle_rsa_verify -#define _rsa_verify_recover _nettle_rsa_verify_recover -#define _rsa_check_size _nettle_rsa_check_size -#define _rsa_blind _nettle_rsa_blind -#define _rsa_unblind _nettle_rsa_unblind /* This limit is somewhat arbitrary. Technically, the smallest modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But @@ -433,13 +428,14 @@ size_t length, uint8_t *message, const mpz_t gibberish); -/* Compute x, the e:th root of m. Calling it with x == m is allowed. */ +/* Compute x, the e:th root of m. Calling it with x == m is allowed. + It is required that 0 <= m < n. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m); /* Safer variant, using RSA blinding, and checking the result after - CRT. */ + CRT. It is required that 0 <= m < n. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, 
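Review bot: The new precondition `It is required that 0 <= m < n.` on `rsa_compute_root` and `rsa_compute_root_tr` should also state what happens when it is violated, because neither comment says whether the functions check it, and the decrypt wrappers patched elsewhere in this diff clearly felt the need to add their own range tests. Suggest extending each comment with `The input is not validated here; a value outside this range gives a meaningless result.` — or, better, have `rsa_compute_root_tr` return 0 on an out-of-range `m` and document that contract instead.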
@@ -534,28 +530,6 @@ /* A single user id. NUL-terminated utf8. */ const char *userid); -/* Internal functions. */ -int -_rsa_verify(const struct rsa_public_key *key, - const mpz_t m, - const mpz_t s); - -int -_rsa_verify_recover(const struct rsa_public_key *key, - mpz_t m, - const mpz_t s); - -size_t -_rsa_check_size(mpz_t n); - -/* _rsa_blind and _rsa_unblind are deprecated, unused in the library, - and will likely be removed with the next ABI break. */ -void -_rsa_blind (const struct rsa_public_key *pub, - void *random_ctx, nettle_random_func *random, - mpz_t c, mpz_t ri); -void -_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri); #ifdef __cplusplus } diff -Nru nettle-3.4.1/rsa-internal.h nettle-3.7.3/rsa-internal.h --- nettle-3.4.1/rsa-internal.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -34,15 +34,40 @@ #ifndef NETTLE_RSA_INTERNAL_H_INCLUDED #define NETTLE_RSA_INTERNAL_H_INCLUDED -#include "nettle-types.h" - #include "rsa.h" +#define _rsa_verify _nettle_rsa_verify +#define _rsa_verify_recover _nettle_rsa_verify_recover +#define _rsa_check_size _nettle_rsa_check_size +#define _rsa_blind _nettle_rsa_blind +#define _rsa_unblind _nettle_rsa_unblind #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root #define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr -#define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt -#define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable + +/* Internal functions. */ +int +_rsa_verify(const struct rsa_public_key *key, + const mpz_t m, + const mpz_t s); + +int +_rsa_verify_recover(const struct rsa_public_key *key, + mpz_t m, + const mpz_t s); + +size_t +_rsa_check_size(mpz_t n); + +/* _rsa_blind and _rsa_unblind are deprecated, unused in the library, + and will likely be removed with the next ABI break. */ +void +_rsa_blind (const struct rsa_public_key *pub, + void *random_ctx, nettle_random_func *random, + mpz_t c, mpz_t ri) _NETTLE_ATTRIBUTE_DEPRECATED; +void +_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) + _NETTLE_ATTRIBUTE_DEPRECATED; /* side-channel silent root computation */ mp_size_t 
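Review bot: This hunk drops `#include "nettle-types.h"` while adding uses of `_NETTLE_ATTRIBUTE_DEPRECATED` and `nettle_random_func`, so the header now depends on `rsa.h` to pull those in transitively; if the attribute macro lives in nettle-types.h, as its name suggests, keeping the include is the safer choice. Failing that, a one-line comment `/* nettle_random_func and _NETTLE_ATTRIBUTE_DEPRECATED come in via rsa.h */` at least records the dependency. Marking `_rsa_blind`/`_rsa_unblind` deprecated in an internal header is reasonable, but any in-tree test that still calls them will now warn — fine if intended.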
@@ -53,23 +78,11 @@ mp_limb_t *scratch); /* Safe side-channel silent variant, using RSA blinding, and checking the - * result after CRT. */ + * result after CRT. In-place calls, with x == m, is allowed. */ int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, - mp_limb_t *x, const mp_limb_t *m, size_t mn); - -/* additional resistance to memory access side-channel attacks. - * Note: message buffer is returned unchanged on error */ -int -_pkcs1_sec_decrypt (size_t length, uint8_t *message, - size_t padded_message_length, - const volatile uint8_t *padded_message); - -int -_pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message, - size_t padded_message_length, - const volatile uint8_t *padded_message); + mp_limb_t *x, const mp_limb_t *m); #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/rsa-keygen.c nettle-3.7.3/rsa-keygen.c --- nettle-3.4.1/rsa-keygen.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-keygen.c 2021-06-06 20:06:29.000000000 +0000 @@ -39,6 +39,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #ifndef DEBUG @@ -103,7 +104,7 @@ mpz_sub_ui(p1, key->p, 1); - /* If e was given, we must chose p such that p-1 has no factors in + /* If e was given, we must choose p such that p-1 has no factors in * common with e. */ if (e_size) break; @@ -125,13 +126,9 @@ random_ctx, random, progress_ctx, progress); - /* Very unlikely. */ - if (mpz_cmp (key->q, key->p) == 0) - continue; - mpz_sub_ui(q1, key->q, 1); - /* If e was given, we must chose q such that q-1 has no factors in + /* If e was given, we must choose q such that q-1 has no factors in * common with e. */ if (e_size) break; diff -Nru nettle-3.4.1/rsa-md5-sign.c nettle-3.7.3/rsa-md5-sign.c --- nettle-3.4.1/rsa-md5-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-md5-sign.c 2021-06-06 20:06:29.000000000 +0000 
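Review bot: With the `mn` parameter removed from `_rsa_sec_compute_root_tr`, the length of `m` becomes an implicit contract, and the new comment only says in-place calls are allowed; every caller in this diff first copies its input into a buffer of exactly `mpz_size(pub->n)` limbs, and `rsa_sec_blind` multiplies `m` as `nn` limbs, so the prototype comment should spell that out. Suggest: `Both x and m must be exactly mpz_size(pub->n) limbs; shorter inputs must be zero-extended by the caller (see mpz_limbs_copy in the callers).` The added sentence also wants `In-place calls, with x == m, are allowed.`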
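Review bot: Deleting the `if (mpz_cmp (key->q, key->p) == 0) continue;` guard in rsa_generate_keypair leaves nothing visible in this hunk that rules out p == q, and a modulus p*p is trivially factorable by taking a square root. If the check is redundant because of something outside the hunk — p and q generated with different bit lengths, or a later `q^-1 mod p` inversion that fails for equal primes — a one-line comment at the point of removal, such as `/* p == q cannot occur here: see the q^-1 mod p computation below / the differing prime sizes above */`, would document why. The generation loop starts and ends outside the hunk, so this could not be confirmed from the diff.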
@@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-md5-sign-tr.c nettle-3.7.3/rsa-md5-sign-tr.c --- nettle-3.4.1/rsa-md5-sign-tr.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-md5-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-md5-verify.c nettle-3.7.3/rsa-md5-verify.c --- nettle-3.4.1/rsa-md5-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-md5-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-pkcs1-sign.c nettle-3.7.3/rsa-pkcs1-sign.c --- nettle-3.4.1/rsa-pkcs1-sign.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/rsa-pkcs1-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-pkcs1-sign-tr.c nettle-3.7.3/rsa-pkcs1-sign-tr.c --- nettle-3.4.1/rsa-pkcs1-sign-tr.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/rsa-pkcs1-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -35,6 +35,7 @@ # include "config.h" #endif #include "rsa.h" +#include "rsa-internal.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-pkcs1-verify.c nettle-3.7.3/rsa-pkcs1-verify.c --- nettle-3.4.1/rsa-pkcs1-verify.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/rsa-pkcs1-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-pss-sha256-sign-tr.c nettle-3.7.3/rsa-pss-sha256-sign-tr.c --- nettle-3.4.1/rsa-pss-sha256-sign-tr.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-pss-sha256-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 
@@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pss.h" diff -Nru nettle-3.4.1/rsa-pss-sha256-verify.c nettle-3.7.3/rsa-pss-sha256-verify.c --- nettle-3.4.1/rsa-pss-sha256-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-pss-sha256-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pss.h" diff -Nru nettle-3.4.1/rsa-pss-sha512-sign-tr.c nettle-3.7.3/rsa-pss-sha512-sign-tr.c --- nettle-3.4.1/rsa-pss-sha512-sign-tr.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-pss-sha512-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pss.h" diff -Nru nettle-3.4.1/rsa-pss-sha512-verify.c nettle-3.7.3/rsa-pss-sha512-verify.c --- nettle-3.4.1/rsa-pss-sha512-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-pss-sha512-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pss.h" diff -Nru nettle-3.4.1/rsa-sec-compute-root.c nettle-3.7.3/rsa-sec-compute-root.c --- nettle-3.4.1/rsa-sec-compute-root.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/rsa-sec-compute-root.c 2021-06-06 20:06:29.000000000 +0000 @@ -184,7 +184,7 @@ sec_mod_mul (scratch_out, r_mod_q, qn, mpz_limbs_read (key->c), cn, pp, pn, scratch_out + cn + qn); cy = mpn_sub_n (r_mod_p, r_mod_p, scratch_out, pn); - cnd_add_n (cy, r_mod_p, pp, pn); + mpn_cnd_add_n (cy, r_mod_p, r_mod_p, pp, pn); /* Finally, compute x = r_mod_q + q r_mod_p' */ sec_mul (scratch_out, qp, qn, r_mod_p, pn, scratch_out + pn + qn); diff -Nru nettle-3.4.1/rsa-sec-decrypt.c nettle-3.7.3/rsa-sec-decrypt.c --- nettle-3.4.1/rsa-sec-decrypt.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sec-decrypt.c 2021-06-06 20:06:29.000000000 +0000 
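Review bot: Replacing `cnd_add_n` with GMP's `mpn_cnd_add_n` in rsa-sec-compute-root.c is the right thing for a side-channel-silent path, but `mpn_cnd_add_n` is only exported by fairly recent GMP releases (6.1 or later, as far as I recall), so the minimum GMP version in configure has to agree; nothing in the hunk shows that. The first argument is now a condition flag rather than a carry, so `mpn_cnd_add_n (cy, r_mod_p, r_mod_p, pp, pn)` adds p back exactly when the preceding `mpn_sub_n` borrowed — correct, and worth the comment `/* add p back iff the subtraction borrowed, without branching */`. The enclosing function lies mostly outside the hunk.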
@@ -39,6 +39,7 @@ #endif #include "rsa.h" +#include "pkcs1-internal.h" #include "rsa-internal.h" #include "gmp-glue.h" @@ -54,12 +55,19 @@ TMP_GMP_DECL (em, uint8_t); int res; + /* First check that input is in range. */ + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) + return 0; + TMP_GMP_ALLOC (m, mpz_size(pub->n)); TMP_GMP_ALLOC (em, key->size); - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, - mpz_limbs_read(gibberish), - mpz_size(gibberish)); + /* We need a copy because m can be shorter than key_size, + * but _rsa_sec_compute_root_tr expect all inputs to be + * normalized to a key_size long buffer length */ + mpz_limbs_copy(m, gibberish, mpz_size(pub->n)); + + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); diff -Nru nettle-3.4.1/rsa-sha1-sign.c nettle-3.7.3/rsa-sha1-sign.c --- nettle-3.4.1/rsa-sha1-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha1-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha1-sign-tr.c nettle-3.7.3/rsa-sha1-sign-tr.c --- nettle-3.4.1/rsa-sha1-sign-tr.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha1-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha1-verify.c nettle-3.7.3/rsa-sha1-verify.c --- nettle-3.4.1/rsa-sha1-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha1-verify.c 2021-06-06 20:06:29.000000000 +0000 
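Review bot: In rsa_sec_decrypt, whose whole point is side-channel silence, the early `return 0` on an out-of-range `gibberish` is a visibly data-dependent branch, and the comment should say why it is acceptable: the ciphertext and n are public, so the test reveals nothing about the private key or the padding. Suggest `/* Range check on public data only (ciphertext, n); not a side-channel. Reject rather than silently reduce mod n. */`. The comment on the copy also has a small slip (`_rsa_sec_compute_root_tr expects`). The constant-time unpadding that follows is outside the hunk.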
@@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha256-sign.c nettle-3.7.3/rsa-sha256-sign.c --- nettle-3.4.1/rsa-sha256-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha256-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha256-sign-tr.c nettle-3.7.3/rsa-sha256-sign-tr.c --- nettle-3.4.1/rsa-sha256-sign-tr.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha256-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha256-verify.c nettle-3.7.3/rsa-sha256-verify.c --- nettle-3.4.1/rsa-sha256-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha256-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha512-sign.c nettle-3.7.3/rsa-sha512-sign.c --- nettle-3.4.1/rsa-sha512-sign.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha512-sign.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha512-sign-tr.c nettle-3.7.3/rsa-sha512-sign-tr.c --- nettle-3.4.1/rsa-sha512-sign-tr.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha512-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sha512-verify.c nettle-3.7.3/rsa-sha512-verify.c --- nettle-3.4.1/rsa-sha512-verify.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/rsa-sha512-verify.c 2021-06-06 20:06:29.000000000 +0000 
@@ -38,6 +38,7 @@ #include #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" diff -Nru nettle-3.4.1/rsa-sign-tr.c nettle-3.7.3/rsa-sign-tr.c --- nettle-3.4.1/rsa-sign-tr.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/rsa-sign-tr.c 2021-06-06 20:06:29.000000000 +0000 @@ -131,35 +131,34 @@ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, - mp_limb_t *x, const mp_limb_t *m, size_t mn) + mp_limb_t *x, const mp_limb_t *m) { + mp_size_t nn; mpz_t mz; mpz_t xz; int res; - mpz_init(mz); mpz_init(xz); - mpn_copyi(mpz_limbs_write(mz, mn), m, mn); - mpz_limbs_finish(mz, mn); + nn = mpz_size (pub->n); - res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz); + res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, + mpz_roinit_n(mz, m, nn)); if (res) - mpz_limbs_copy(x, xz, mpz_size(pub->n)); + mpz_limbs_copy(x, xz, nn); - mpz_clear(mz); mpz_clear(xz); return res; } #else /* Blinds m, by computing c = m r^e (mod n), for a random r. Also - returns the inverse (ri), for use by rsa_unblind. */ + returns the inverse (ri), for use by rsa_unblind. Must have c != m, + no in-place operation.*/ static void rsa_sec_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, - mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m, - mp_size_t mn) + mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m) { const mp_limb_t *ep = mpz_limbs_read (pub->e); const mp_limb_t *np = mpz_limbs_read (pub->n); 
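Review bot: The new comment on `rsa_sec_blind` states `Must have c != m, no in-place operation.` but nothing enforces it, and the body (which continues past the hunk) writes `c` via `mpn_sec_powm` before reading `m`, so an aliasing caller would silently compute garbage. An `assert (c != m);` at the top of `rsa_sec_blind` costs nothing and matches the `assert` style already used in `_rsa_sec_compute_root_tr`. In the `#if` branch above, `mpz_roinit_n(mz, m, nn)` likewise now relies on `m` holding exactly `nn` valid limbs, which the caller contract should state.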
@@ -177,15 +176,15 @@ /* c = m*(r^e) mod n */ itch = mpn_sec_powm_itch(nn, ebn, nn); - i2 = mpn_sec_mul_itch(nn, mn); + i2 = mpn_sec_mul_itch(nn, nn); itch = MAX(itch, i2); - i2 = mpn_sec_div_r_itch(nn + mn, nn); + i2 = mpn_sec_div_r_itch(2*nn, nn); itch = MAX(itch, i2); i2 = mpn_sec_invert_itch(nn); itch = MAX(itch, i2); - TMP_GMP_ALLOC (tp, nn + mn + itch); - scratch = tp + nn + mn; + TMP_GMP_ALLOC (tp, 2*nn + itch); + scratch = tp + 2*nn; /* ri = r^(-1) */ do @@ -198,9 +197,8 @@ while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); - /* normally mn == nn, but m can be smaller in some cases */ - mpn_sec_mul (tp, c, nn, m, mn, scratch); - mpn_sec_div_r (tp, nn + mn, np, nn, scratch); + mpn_sec_mul (tp, c, nn, m, nn, scratch); + mpn_sec_div_r (tp, 2*nn, np, nn, scratch); mpn_copyi(c, tp, nn); TMP_GMP_FREE (r); @@ -208,7 +206,7 @@ TMP_GMP_FREE (tp); } -/* m = c ri mod n */ +/* m = c ri mod n. Allows x == c. */ static void rsa_sec_unblind (const struct rsa_public_key *pub, mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) @@ -239,8 +237,9 @@ sec_equal(const mp_limb_t *a, const mp_limb_t *b, size_t limbs) { volatile mp_limb_t z = 0; + size_t i; - for (size_t i = 0; i < limbs; i++) + for (i = 0; i < limbs; i++) { z |= (a[i] ^ b[i]); } @@ -298,7 +297,7 @@ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, - mp_limb_t *x, const mp_limb_t *m, size_t mn) + mp_limb_t *x, const mp_limb_t *m) { TMP_GMP_DECL (c, mp_limb_t); TMP_GMP_DECL (ri, mp_limb_t); @@ -306,7 +305,7 @@ size_t key_limb_size; int ret; - key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); + key_limb_size = mpz_size(pub->n); /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the key is invalid and rejected by rsa_private_key_prepare. However, 
@@ -320,19 +319,18 @@ } assert(mpz_size(pub->n) == key_limb_size); - assert(mn <= key_limb_size); TMP_GMP_ALLOC (c, key_limb_size); TMP_GMP_ALLOC (ri, key_limb_size); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); - rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn); + rsa_sec_blind (pub, random_ctx, random, c, ri, m); - _rsa_sec_compute_root(key, c, x, scratch); + _rsa_sec_compute_root(key, x, c, scratch); - ret = rsa_sec_check_root(pub, c, x); + ret = rsa_sec_check_root(pub, x, c); - rsa_sec_unblind(pub, x, ri, c); + rsa_sec_unblind(pub, x, ri, x); cnd_mpn_zero(1 - ret, x, key_limb_size); @@ -356,17 +354,17 @@ mpz_t x, const mpz_t m) { TMP_GMP_DECL (l, mp_limb_t); + mp_size_t nn = mpz_size(pub->n); int res; - mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); - TMP_GMP_ALLOC (l, l_size); + TMP_GMP_ALLOC (l, nn); + mpz_limbs_copy(l, m, nn); - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, - mpz_limbs_read(m), mpz_size(m)); + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l); if (res) { - mp_limb_t *xp = mpz_limbs_write (x, l_size); - mpn_copyi (xp, l, l_size); - mpz_limbs_finish (x, l_size); + mp_limb_t *xp = mpz_limbs_write (x, nn); + mpn_copyi (xp, l, nn); + mpz_limbs_finish (x, nn); } TMP_GMP_FREE (l); diff -Nru nettle-3.4.1/rsa-verify.c nettle-3.7.3/rsa-verify.c --- nettle-3.4.1/rsa-verify.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/rsa-verify.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #endif #include "rsa.h" +#include "rsa-internal.h" #include "bignum.h" diff -Nru nettle-3.4.1/run-tests nettle-3.7.3/run-tests --- nettle-3.4.1/run-tests 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/run-tests 2021-06-06 20:06:29.000000000 +0000 
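Review bot: After `key_limb_size = mpz_size(pub->n)` in the preceding hunk, the retained `assert(mpz_size(pub->n) == key_limb_size);` is a tautology, and with `assert(mn <= key_limb_size)` gone the old sanity check that the private key's `key->size` agrees with `pub->n` is lost entirely. Suggest replacing it with `assert(key_limb_size == NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size));`, which is what the old code effectively asserted, so a mismatched pub/key pair still trips before `_rsa_sec_compute_root` sizes its scratch from `key` but its operands from `pub`. The early part of the function, including the even-modulus rejection, is outside the hunk.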
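Review bot: `rsa_compute_root_tr` now copies its input with `mpz_limbs_copy(l, m, nn)`, which on an `m` with more than `nn` limbs either truncates or, if that helper asserts on the size, aborts the process — yet the function is public and, unlike the decrypt wrappers patched in this diff, performs no range check of its own; the `0 <= m < n` requirement is only stated in rsa.h. Adding `if (mpz_sgn (m) < 0 || mpz_cmp (m, pub->n) >= 0) return 0;` before the copy makes the function fail closed, consistent with rsa_decrypt_tr and rsa_sec_decrypt. The tail of the function after `TMP_GMP_FREE (l)` is outside the hunk.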
@@ -1,6 +1,6 @@ #! /bin/sh -# Copyright (C) 2000, 2001, 2002, 2004, 2005, 2011, 2012 Niels Möller +# Copyright (C) 2000-2002, 2004, 2005, 2011, 2012, 2016, 2020 Niels Möller # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -28,6 +28,22 @@ export srcdir +if [ -n "$TEST_SHLIB_DIR" ] ; then + # Prepend to LD_LIBRARY_PATH, if it is alredy set. + LD_LIBRARY_PATH="${TEST_SHLIB_DIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" + # For MACOS + DYLD_LIBRARY_PATH="$TEST_SHLIB_DIR" + # For Windows + PATH="${TEST_SHLIB_DIR}:${PATH}" + # For Wine + WINEPATH="${TEST_SHLIB_DIR}${WINEPATH:+;$WINEPATH}" + + export LD_LIBRARY_PATH + export DYLD_LIBRARY_PATH + export PATH + export WINEPATH +fi + # When used in make rules, we sometimes get the filenames VPATH # expanded, but usually not. find_program () { @@ -38,6 +54,8 @@ *) if [ -x "$1" ] ; then echo "./$1" + elif [ -x "$1.exe" ] ; then + echo "./$1.exe" else echo "$srcdir/$1" fi @@ -100,11 +118,7 @@ shift done -if [ $# -eq 0 ] ; then - for f in *-test; do test_program "./$f"; done -else - for f in "$@" ; do test_program `find_program "$f"`; done -fi +for f in "$@" ; do test_program `find_program "$f"`; done if [ $failed -eq 0 ] ; then banner="All $all tests passed" diff -Nru nettle-3.4.1/salsa20-core-internal.c nettle-3.7.3/salsa20-core-internal.c --- nettle-3.4.1/salsa20-core-internal.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/salsa20-core-internal.c 2021-06-06 20:06:29.000000000 +0000 @@ -45,6 +45,7 @@ #include #include "salsa20.h" +#include "salsa20-internal.h" #include "macros.h" 
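Review bot: `DYLD_LIBRARY_PATH="$TEST_SHLIB_DIR"` overwrites any value already in the environment, whereas the `LD_LIBRARY_PATH` and `WINEPATH` lines around it prepend; for consistency it should be `DYLD_LIBRARY_PATH="${TEST_SHLIB_DIR}${DYLD_LIBRARY_PATH:+:$DYLD_LIBRARY_PATH}"`. Two smaller things in the same hunks: the comment reads `alredy` for `already`, and the command substitution in the final `for` loop stays unquoted, so a build directory containing a space would split into several arguments — `test_program "$(find_program "$f")"` fixes that. Dropping the argument-less `*-test` glob is a behaviour change for anyone invoking run-tests by hand and deserves a line in the commit message.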
@@ -93,7 +94,7 @@ } while(0) void -_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) +_nettle_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) { uint32_t x[_SALSA20_INPUT_LENGTH]; unsigned i; diff -Nru nettle-3.4.1/salsa20-crypt.c nettle-3.7.3/salsa20-crypt.c --- nettle-3.4.1/salsa20-crypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/salsa20-crypt.c 2021-06-06 20:06:29.000000000 +0000 @@ -41,12 +41,8 @@ # include "config.h" #endif -#include - #include "salsa20.h" - -#include "macros.h" -#include "memxor.h" +#include "salsa20-internal.h" void salsa20_crypt(struct salsa20_ctx *ctx, @@ -56,26 +52,6 @@ { if (!length) return; - - for (;;) - { - uint32_t x[_SALSA20_INPUT_LENGTH]; - - _salsa20_core (x, ctx->input, 20); - - ctx->input[9] += (++ctx->input[8] == 0); - - /* stopping at 2^70 length per nonce is user's responsibility */ - - if (length <= SALSA20_BLOCK_SIZE) - { - memxor3 (c, m, x, length); - return; - } - memxor3 (c, m, x, SALSA20_BLOCK_SIZE); - length -= SALSA20_BLOCK_SIZE; - c += SALSA20_BLOCK_SIZE; - m += SALSA20_BLOCK_SIZE; - } + _nettle_salsa20_crypt (ctx, 20, length, c, m); } diff -Nru nettle-3.4.1/salsa20-crypt-internal.c nettle-3.7.3/salsa20-crypt-internal.c --- nettle-3.4.1/salsa20-crypt-internal.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/salsa20-crypt-internal.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,111 @@ +/* salsa20-crypt-internal.c + + The Salsa20 stream cipher. + + Copyright (C) 2012 Simon Josefsson + Copyright (C) 2020 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "salsa20.h" +#include "salsa20-internal.h" + +#include "macros.h" +#include "memxor.h" + +#if HAVE_NATIVE_salsa20_2core +#define _nettle_salsa20_crypt_2core _nettle_salsa20_crypt +#elif !HAVE_NATIVE_fat_salsa20_2core +#define _nettle_salsa20_crypt_1core _nettle_salsa20_crypt +#endif + +#if HAVE_NATIVE_salsa20_2core || HAVE_NATIVE_fat_salsa20_2core +void +_nettle_salsa20_crypt_2core(struct salsa20_ctx *ctx, unsigned rounds, + size_t length, uint8_t *dst, + const uint8_t *src) +{ + uint32_t x[2*_SALSA20_INPUT_LENGTH]; + while (length > SALSA20_BLOCK_SIZE) + { + _nettle_salsa20_2core (x, ctx->input, rounds); + ctx->input[8] += 2; + ctx->input[9] += (ctx->input[8] < 2); + if (length <= 2 * SALSA20_BLOCK_SIZE) + { + memxor3 (dst, src, x, length); + return; + } + memxor3 (dst, src, x, 2*SALSA20_BLOCK_SIZE); + + length -= 2*SALSA20_BLOCK_SIZE; + dst += 2*SALSA20_BLOCK_SIZE; + src += 2*SALSA20_BLOCK_SIZE; + } + _nettle_salsa20_core (x, ctx->input, rounds); + ctx->input[9] += (++ctx->input[8] == 0); + memxor3 (dst, src, x, length); +} +#endif + +#if !HAVE_NATIVE_salsa20_2core +void +_nettle_salsa20_crypt_1core(struct salsa20_ctx *ctx, unsigned rounds, + size_t length, + uint8_t *dst, + const uint8_t *src) +{ + for (;;) + { + uint32_t x[_SALSA20_INPUT_LENGTH]; + + _nettle_salsa20_core (x, ctx->input, rounds); + + ctx->input[9] += (++ctx->input[8] == 0); + + /* stopping at 2^70 length per nonce is user's responsibility */ + + if (length <= SALSA20_BLOCK_SIZE) + { + memxor3 (dst, src, x, length); + return; + } + memxor3 (dst, src, x, SALSA20_BLOCK_SIZE); + + length -= SALSA20_BLOCK_SIZE; + dst += SALSA20_BLOCK_SIZE; + src += SALSA20_BLOCK_SIZE; + } +} +#endif diff -Nru nettle-3.4.1/salsa20.h nettle-3.7.3/salsa20.h --- nettle-3.4.1/salsa20.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/salsa20.h 2021-06-06 20:06:29.000000000 +0000 
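Review bot: Both `_nettle_salsa20_crypt_2core` and `_nettle_salsa20_crypt_1core` consume and count a keystream block even when `length` is 0 (the 1core loop falls straight into `length <= SALSA20_BLOCK_SIZE`; the 2core path runs the trailing `_nettle_salsa20_core` unconditionally), so a zero-length call would advance the block counter without encrypting anything; the public wrappers guard this with `if (!length) return;` but the internal functions do not say so. Suggest `/* Precondition: length > 0; a zero-length call would still advance the counter. */` above each definition, or moving the guard into `_nettle_salsa20_crypt` itself. The carry update `ctx->input[9] += (ctx->input[8] < 2);` after the `+= 2` is correct (after wrapping, the low word can only be 0 or 1) but deserves that one-line explanation.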
@@ -47,7 +47,6 @@ #define salsa20_256_set_key nettle_salsa20_256_set_key #define salsa20_set_nonce nettle_salsa20_set_nonce #define salsa20_crypt nettle_salsa20_crypt -#define _salsa20_core _nettle_salsa20_core #define salsa20r12_crypt nettle_salsa20r12_crypt @@ -104,9 +103,6 @@ size_t length, uint8_t *dst, const uint8_t *src); -void -_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds); - #ifdef __cplusplus } #endif diff -Nru nettle-3.4.1/salsa20-internal.h nettle-3.7.3/salsa20-internal.h --- nettle-3.4.1/salsa20-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/salsa20-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,62 @@ +/* salsa20-internal.h + + The Salsa20 stream cipher. + + Copyright (C) 2012 Simon Josefsson + Copyright (C) 2001 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#ifndef NETTLE_SALSA20_INTERNAL_H_INCLUDED +#define NETTLE_SALSA20_INTERNAL_H_INCLUDED + +#include "nettle-types.h" +#include "salsa20.h" + +void +_nettle_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds); + +void +_nettle_salsa20_crypt(struct salsa20_ctx *ctx, unsigned rounds, + size_t length, uint8_t *dst, + const uint8_t *src); + +/* Functions available only in some configurations */ +void +_nettle_salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds); + +void +_nettle_salsa20_crypt_1core(struct salsa20_ctx *ctx, unsigned rounds, + size_t length, uint8_t *dst, + const uint8_t *src); +void +_nettle_salsa20_crypt_2core(struct salsa20_ctx *ctx, unsigned rounds, + size_t length, uint8_t *dst, + const uint8_t *src); + +#endif /* NETTLE_SALSA20_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/salsa20r12-crypt.c nettle-3.7.3/salsa20r12-crypt.c --- nettle-3.4.1/salsa20r12-crypt.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/salsa20r12-crypt.c 2021-06-06 20:06:29.000000000 +0000 @@ -41,12 +41,8 @@ # include "config.h" #endif -#include - #include "salsa20.h" - -#include "macros.h" -#include "memxor.h" +#include "salsa20-internal.h" void salsa20r12_crypt(struct salsa20_ctx *ctx, @@ -54,29 +50,8 @@ uint8_t *c, const uint8_t *m) { - uint32_t x[_SALSA20_INPUT_LENGTH]; - if (!length) return; - - for (;;) - { - - _salsa20_core (x, ctx->input, 12); - - ctx->input[9] += (++ctx->input[8] == 0); - - /* stopping at 2^70 length per nonce is user's responsibility */ - - if (length <= SALSA20_BLOCK_SIZE) - { - memxor3 (c, m, x, length); - return; - } - memxor3 (c, m, x, SALSA20_BLOCK_SIZE); - length -= SALSA20_BLOCK_SIZE; - c += SALSA20_BLOCK_SIZE; - m += SALSA20_BLOCK_SIZE; - } + _nettle_salsa20_crypt (ctx, 12, length, c, m); } diff -Nru nettle-3.4.1/sha1.c nettle-3.7.3/sha1.c --- nettle-3.4.1/sha1.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha1.c 2021-06-06 20:06:29.000000000 +0000 
@@ -68,7 +68,7 @@ ctx->index = 0; } -#define COMPRESS(ctx, data) (_nettle_sha1_compress((ctx)->state, data)) +#define COMPRESS(ctx, data) (nettle_sha1_compress((ctx)->state, data)) void sha1_update(struct sha1_ctx *ctx, @@ -93,7 +93,7 @@ /* append the 64 bit count */ WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count); - _nettle_sha1_compress(ctx->state, ctx->block); + nettle_sha1_compress(ctx->state, ctx->block); _nettle_write_be32(length, digest, ctx->state); sha1_init(ctx); diff -Nru nettle-3.4.1/sha1-compress.c nettle-3.7.3/sha1-compress.c --- nettle-3.4.1/sha1-compress.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha1-compress.c 2021-06-06 20:06:29.000000000 +0000 @@ -133,7 +133,7 @@ #if HAVE_NATIVE_sha1_compress void _nettle_sha1_compress_c(uint32_t *state, const uint8_t *input); -#define _nettle_sha1_compress _nettle_sha1_compress_c +#define nettle_sha1_compress _nettle_sha1_compress_c #endif /* Perform the SHA transformation. Note that this code, like MD5, seems to @@ -142,7 +142,7 @@ sections, e.g. based on the four subrounds. */ void -_nettle_sha1_compress(uint32_t *state, const uint8_t *input) +nettle_sha1_compress(uint32_t *state, const uint8_t *input) { uint32_t data[SHA1_DATA_LENGTH]; uint32_t A, B, C, D, E; /* Local vars */ diff -Nru nettle-3.4.1/sha1.h nettle-3.7.3/sha1.h --- nettle-3.4.1/sha1.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/sha1.h 2021-06-06 20:06:29.000000000 +0000 @@ -59,8 +59,8 @@ { uint32_t state[_SHA1_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ - uint8_t block[SHA1_BLOCK_SIZE]; /* SHA1 data buffer */ unsigned int index; /* index into buffer */ + uint8_t block[SHA1_BLOCK_SIZE]; /* SHA1 data buffer */ }; void 
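Review bot: Moving `block` after `index` in `struct sha1_ctx` changes the offsets of both fields in a public, caller-allocated struct, so binaries built against the 3.4.1 header read and write the wrong bytes unless the library soname is bumped in the same release; presumably that bump is elsewhere in this package diff, but it should be confirmed rather than assumed. The same reorder is applied to `struct sha256_ctx` and `struct sha512_ctx` in the two sha2.h hunks (`@@ -74,8 +74,8 @@` and `@@ -127,8 +121,8 @@`). With `_nettle_sha1_compress` renamed to the exported `nettle_sha1_compress`, the header comment `/* Internal compression function. ...` in the following sha1.h hunk no longer describes an internal symbol and should say it is public but low-level, e.g. `/* Low-level compression function, exported for callers that implement their own block handling. STATE ... */`.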
@@ -79,7 +79,9 @@ /* Internal compression function. STATE points to 5 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void -_nettle_sha1_compress(uint32_t *state, const uint8_t *data); +nettle_sha1_compress(uint32_t *state, const uint8_t *data); + +#define _nettle_sha1_compress nettle_sha1_compress #ifdef __cplusplus } diff -Nru nettle-3.4.1/sha256.c nettle-3.7.3/sha256.c --- nettle-3.4.1/sha256.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha256.c 2021-06-06 20:06:29.000000000 +0000 @@ -43,6 +43,7 @@ #include #include "sha2.h" +#include "sha2-internal.h" #include "macros.h" #include "nettle-write.h" diff -Nru nettle-3.4.1/sha256-compress.c nettle-3.7.3/sha256-compress.c --- nettle-3.4.1/sha256-compress.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha256-compress.c 2021-06-06 20:06:29.000000000 +0000 @@ -53,6 +53,7 @@ #include #include "sha2.h" +#include "sha2-internal.h" #include "macros.h" diff -Nru nettle-3.4.1/sha2.h nettle-3.7.3/sha2.h --- nettle-3.4.1/sha2.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/sha2.h 2021-06-06 20:06:29.000000000 +0000 @@ -74,8 +74,8 @@ { uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ - uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */ unsigned int index; /* index into buffer */ + uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */ }; void @@ -91,12 +91,6 @@ size_t length, uint8_t *digest); -/* Internal compression function. STATE points to 8 uint32_t words, - DATA points to 64 bytes of input data, possibly unaligned, and K - points to the table of constants. */ -void -_nettle_sha256_compress(uint32_t *state, const uint8_t *data, const uint32_t *k); - /* SHA224, a truncated SHA256 with different initial state. */ 
@@ -127,8 +121,8 @@ { uint64_t state[_SHA512_DIGEST_LENGTH]; /* State variables */ uint64_t count_low, count_high; /* 128-bit block count */ - uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */ unsigned int index; /* index into buffer */ + uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */ }; void @@ -144,12 +138,6 @@ size_t length, uint8_t *digest); -/* Internal compression function. STATE points to 8 uint64_t words, - DATA points to 128 bytes of input data, possibly unaligned, and K - points to the table of constants. */ -void -_nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k); - /* SHA384, a truncated SHA512 with different initial state. */ diff -Nru nettle-3.4.1/sha2-internal.h nettle-3.7.3/sha2-internal.h --- nettle-3.4.1/sha2-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/sha2-internal.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,52 @@ +/* sha2-internal.h + + The sha2 family of hash functions. + + Copyright (C) 2001, 2012 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_SHA2_INTERNAL_H_INCLUDED +#define NETTLE_SHA2_INTERNAL_H_INCLUDED + +#include "nettle-types.h" + +/* Internal compression function. STATE points to 8 uint32_t words, + DATA points to 64 bytes of input data, possibly unaligned, and K + points to the table of constants. */ +void +_nettle_sha256_compress(uint32_t *state, const uint8_t *data, const uint32_t *k); + +/* Internal compression function. STATE points to 8 uint64_t words, + DATA points to 128 bytes of input data, possibly unaligned, and K + points to the table of constants. */ +void +_nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k); + + +#endif /* NETTLE_SHA2_INTERNAL_H_INCLUDED */ diff -Nru nettle-3.4.1/sha3-224.c nettle-3.7.3/sha3-224.c --- nettle-3.4.1/sha3-224.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-224.c 2021-06-06 20:06:29.000000000 +0000 
@@ -39,6 +39,7 @@ #include #include "sha3.h" +#include "sha3-internal.h" #include "nettle-write.h" @@ -53,8 +54,9 @@ size_t length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, - ctx->index, length, data); + ctx->index = _nettle_sha3_update (&ctx->state, + SHA3_224_BLOCK_SIZE, ctx->block, + ctx->index, length, data); } void @@ -62,7 +64,7 @@ size_t length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad_hash (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_224_init (ctx); } diff -Nru nettle-3.4.1/sha3-224-meta.c nettle-3.7.3/sha3-224-meta.c --- nettle-3.4.1/sha3-224-meta.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-224-meta.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #include "nettle-meta.h" #include "sha3.h" +#include "sha3-internal.h" const struct nettle_hash nettle_sha3_224 = _NETTLE_HASH(sha3_224, SHA3_224); diff -Nru nettle-3.4.1/sha3-256.c nettle-3.7.3/sha3-256.c --- nettle-3.4.1/sha3-256.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-256.c 2021-06-06 20:06:29.000000000 +0000 @@ -39,6 +39,7 @@ #include #include "sha3.h" +#include "sha3-internal.h" #include "nettle-write.h" @@ -53,8 +54,9 @@ size_t length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, - ctx->index, length, data); + ctx->index = _nettle_sha3_update (&ctx->state, + SHA3_256_BLOCK_SIZE, ctx->block, + ctx->index, length, data); } void 
@@ -62,7 +64,7 @@ size_t length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad_hash (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_256_init (ctx); } diff -Nru nettle-3.4.1/sha3-256-meta.c nettle-3.7.3/sha3-256-meta.c --- nettle-3.4.1/sha3-256-meta.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-256-meta.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #include "nettle-meta.h" #include "sha3.h" +#include "sha3-internal.h" const struct nettle_hash nettle_sha3_256 = _NETTLE_HASH(sha3_256, SHA3_256); diff -Nru nettle-3.4.1/sha3-384.c nettle-3.7.3/sha3-384.c --- nettle-3.4.1/sha3-384.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-384.c 2021-06-06 20:06:29.000000000 +0000 @@ -39,6 +39,7 @@ #include #include "sha3.h" +#include "sha3-internal.h" #include "nettle-write.h" @@ -53,8 +54,9 @@ size_t length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, - ctx->index, length, data); + ctx->index = _nettle_sha3_update (&ctx->state, + SHA3_384_BLOCK_SIZE, ctx->block, + ctx->index, length, data); } void @@ -62,7 +64,7 @@ size_t length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad_hash (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_384_init (ctx); } diff -Nru nettle-3.4.1/sha3-384-meta.c nettle-3.7.3/sha3-384-meta.c --- nettle-3.4.1/sha3-384-meta.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-384-meta.c 2021-06-06 20:06:29.000000000 +0000 
@@ -36,6 +36,7 @@ #include "nettle-meta.h" #include "sha3.h" +#include "sha3-internal.h" const struct nettle_hash nettle_sha3_384 = _NETTLE_HASH(sha3_384, SHA3_384); diff -Nru nettle-3.4.1/sha3-512.c nettle-3.7.3/sha3-512.c --- nettle-3.4.1/sha3-512.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-512.c 2021-06-06 20:06:29.000000000 +0000 @@ -39,6 +39,7 @@ #include #include "sha3.h" +#include "sha3-internal.h" #include "nettle-write.h" @@ -53,8 +54,9 @@ size_t length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, - ctx->index, length, data); + ctx->index = _nettle_sha3_update (&ctx->state, + SHA3_512_BLOCK_SIZE, ctx->block, + ctx->index, length, data); } void @@ -62,7 +64,7 @@ size_t length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad_hash (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_512_init (ctx); } diff -Nru nettle-3.4.1/sha3-512-meta.c nettle-3.7.3/sha3-512-meta.c --- nettle-3.4.1/sha3-512-meta.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3-512-meta.c 2021-06-06 20:06:29.000000000 +0000 @@ -36,6 +36,7 @@ #include "nettle-meta.h" #include "sha3.h" +#include "sha3-internal.h" const struct nettle_hash nettle_sha3_512 = _NETTLE_HASH(sha3_512, SHA3_512); diff -Nru nettle-3.4.1/sha3.c nettle-3.7.3/sha3.c --- nettle-3.4.1/sha3.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha3.c 2021-06-06 20:06:29.000000000 +0000 @@ -39,6 +39,7 @@ #include #include "sha3.h" +#include "sha3-internal.h" #include "macros.h" #include "memxor.h" @@ -61,10 +62,10 @@ } unsigned -_sha3_update (struct sha3_state *state, - unsigned block_size, uint8_t *block, - unsigned pos, - size_t length, const uint8_t *data) +_nettle_sha3_update (struct sha3_state *state, + unsigned block_size, uint8_t *block, + unsigned pos, + size_t length, const uint8_t *data) { if (pos > 0) { 
@@ -90,11 +91,11 @@ } void -_sha3_pad (struct sha3_state *state, - unsigned block_size, uint8_t *block, unsigned pos) +_nettle_sha3_pad (struct sha3_state *state, + unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic) { assert (pos < block_size); - block[pos++] = 6; + block[pos++] = magic; memset (block + pos, 0, block_size - pos); block[block_size - 1] |= 0x80; diff -Nru nettle-3.4.1/sha3.h nettle-3.7.3/sha3.h --- nettle-3.4.1/sha3.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/sha3.h 2021-06-06 20:06:29.000000000 +0000 @@ -42,14 +42,13 @@ /* Name mangling */ #define sha3_permute nettle_sha3_permute -#define _sha3_update _nettle_sha3_update -#define _sha3_pad _nettle_sha3_pad #define sha3_224_init nettle_sha3_224_init #define sha3_224_update nettle_sha3_224_update #define sha3_224_digest nettle_sha3_224_digest #define sha3_256_init nettle_sha3_256_init #define sha3_256_update nettle_sha3_256_update #define sha3_256_digest nettle_sha3_256_digest +#define sha3_256_shake nettle_sha3_256_shake #define sha3_384_init nettle_sha3_384_init #define sha3_384_update nettle_sha3_384_update #define sha3_384_digest nettle_sha3_384_digest @@ -75,15 +74,6 @@ void sha3_permute (struct sha3_state *state); -unsigned -_sha3_update (struct sha3_state *state, - unsigned block_size, uint8_t *block, - unsigned pos, - size_t length, const uint8_t *data); -void -_sha3_pad (struct sha3_state *state, - unsigned block_size, uint8_t *block, unsigned pos); - /* The "capacity" is set to 2*(digest size), 512 bits or 64 octets. The "rate" is the width - capacity, or width - 2 * (digest size). */ 
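Review bot: The new `magic` parameter of `_nettle_sha3_pad` is undocumented although its value is what separates the SHA3 hashes from SHAKE: FIPS 202 specifies the suffix-plus-first-pad-bit byte as 0x06 for the SHA3-2xx hashes and 0x1f for SHAKE, and the `block[block_size - 1] |= 0x80` line relies on `magic` staying below the top bit when `pos == block_size - 1`. I'd add above the definition: `/* Absorbs the final partial block with the FIPS 202 pad10*1 rule, where MAGIC is the domain-separation suffix byte (SHA3_HASH_MAGIC or SHA3_SHAKE_MAGIC); the caller guarantees pos < block_size. */`. The function body continues past the hunk, so the absorb and permute step is not visible here.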
@@ -146,6 +136,13 @@ size_t length, uint8_t *digest); +/* Alternative digest function implementing shake256, with arbitrary + digest size */ +void +sha3_256_shake(struct sha3_256_ctx *ctx, + size_t length, + uint8_t *digest); + struct sha3_384_ctx { struct sha3_state state; diff -Nru nettle-3.4.1/sha3-internal.h nettle-3.7.3/sha3-internal.h --- nettle-3.4.1/sha3-internal.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/sha3-internal.h 2021-06-06 20:06:29.000000000 +0000 
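Review bot: The comment on `sha3_256_shake` should state the contract that distinguishes it from a digest call: the new shake256.c pads, squeezes `length` bytes and then calls `sha3_256_init`, so the output cannot be resumed and the full output length must be known up front. Suggested wording: `/* SHAKE256 (FIPS 202 XOF) output of LENGTH bytes. Like the digest functions this finalises and resets the context; to obtain more output, re-absorb the message and call again with a larger length. */`. It is also worth noting why `struct sha3_256_ctx` is reused: SHAKE256 has the same 512-bit capacity as SHA3-256 and therefore the same block size.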
@@ -0,0 +1,60 @@
+/* sha3-internal.h
+
+ The sha3 hash function (aka Keccak).
+
+ Copyright (C) 2012 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_SHA3_INTERNAL_H_INCLUDED
+#define NETTLE_SHA3_INTERNAL_H_INCLUDED
+
+#include "nettle-types.h"
+
+#define SHA3_HASH_MAGIC 6
+#define SHA3_SHAKE_MAGIC 0x1f
+
+unsigned
+_nettle_sha3_update (struct sha3_state *state,
+ unsigned block_size, uint8_t *block,
+ unsigned pos,
+ size_t length, const uint8_t *data);
+
+
+void
+_nettle_sha3_pad (struct sha3_state *state,
+ unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic);
+
+#define _sha3_pad_hash(state, block_size, block, pos) \
+ _nettle_sha3_pad (state, block_size, block, pos, SHA3_HASH_MAGIC)
+
+#define _sha3_pad_shake(state, block_size, block, pos) \
+ _nettle_sha3_pad (state, block_size, block, pos, SHA3_SHAKE_MAGIC)
+
+
+#endif
diff -Nru nettle-3.4.1/sha3-permute.c nettle-3.7.3/sha3-permute.c
--- nettle-3.4.1/sha3-permute.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/sha3-permute.c 2021-06-06 20:06:29.000000000 +0000
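Review bot: The header names `struct sha3_state` in the `_nettle_sha3_update` and `_nettle_sha3_pad` prototypes but includes only nettle-types.h; the struct is defined in sha3.h, so the header only compiles because every includer in this diff includes sha3.h first, and included on its own it would trigger the "declared inside parameter list" warning and a conflicting-types error at the definitions in sha3.c. Add `#include "sha3.h"` after nettle-types.h, or at minimum `struct sha3_state;`, so the header stands alone. `SHA3_HASH_MAGIC` and `SHA3_SHAKE_MAGIC` also deserve one line of context: `/* FIPS 202 domain-separation suffix plus first padding bit: 0x06 for the SHA3 hashes, 0x1f for SHAKE. */`. The closing `#endif` lacks the guard-name comment the other new internal headers carry.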
@@ -36,6 +36,7 @@ #endif #include "sha3.h" +#include "sha3-internal.h" #include "macros.h" diff -Nru nettle-3.4.1/sha512.c nettle-3.7.3/sha512.c --- nettle-3.4.1/sha512.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha512.c 2021-06-06 20:06:29.000000000 +0000 @@ -44,6 +44,7 @@ #include #include "sha2.h" +#include "sha2-internal.h" #include "macros.h" diff -Nru nettle-3.4.1/sha512-compress.c nettle-3.7.3/sha512-compress.c --- nettle-3.4.1/sha512-compress.c 2018-12-04 20:56:05.000000000 +0000 +++ nettle-3.7.3/sha512-compress.c 2021-06-06 20:06:29.000000000 +0000 @@ -53,6 +53,7 @@ #include #include "sha2.h" +#include "sha2-internal.h" #include "macros.h" diff -Nru nettle-3.4.1/shake256.c nettle-3.7.3/shake256.c --- nettle-3.4.1/shake256.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/shake256.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,63 @@
+/* shake256.c
+
+ The SHAKE256 hash function, arbitrary length output.
+
+ Copyright (C) 2017 Daiki Ueno
+ Copyright (C) 2017 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+#include 
+
+#include "sha3.h"
+#include "sha3-internal.h"
+
+#include "nettle-write.h"
+
+void
+sha3_256_shake (struct sha3_256_ctx *ctx,
+ size_t length,
+ uint8_t *dst)
+{
+ _sha3_pad_shake (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index);
+ while (length > SHA3_256_BLOCK_SIZE)
+ {
+ _nettle_write_le64 (SHA3_256_BLOCK_SIZE, dst, ctx->state.a);
+ length -= SHA3_256_BLOCK_SIZE;
+ dst += SHA3_256_BLOCK_SIZE;
+ sha3_permute (&ctx->state);
+ }
+ _nettle_write_le64 (length, dst, ctx->state.a);
+
+ sha3_256_init (ctx);
+}
diff -Nru nettle-3.4.1/siv-cmac-aes128.c nettle-3.7.3/siv-cmac-aes128.c
--- nettle-3.4.1/siv-cmac-aes128.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/siv-cmac-aes128.c 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,76 @@ +/* siv-cmac-aes128.c + + AES-SIV, RFC5297 + + Copyright (C) 2017 Nikos Mavrogiannopoulos + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "aes.h" +#include "siv-cmac.h" +#include "cmac.h" +#include "ctr.h" +#include "memxor.h" +#include "memops.h" + +void +siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key) +{ + siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes128, key); +} + +void +siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, + &nettle_aes128, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + clength, dst, src); +} + +int +siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t mlength, uint8_t *dst, const uint8_t *src) +{ + return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, + &nettle_aes128, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + mlength, dst, src); +} diff -Nru nettle-3.4.1/siv-cmac-aes256.c nettle-3.7.3/siv-cmac-aes256.c --- nettle-3.4.1/siv-cmac-aes256.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/siv-cmac-aes256.c 2021-06-06 20:06:29.000000000 +0000 
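Review bot: The three wrappers in this file only forward to the generic `siv_cmac_*` functions, so the includes of `cmac.h`, `ctr.h`, `memxor.h` and `memops.h`, and the two system-header includes, appear unused; `siv-cmac.h` already brings in aes.h and cmac.h. Reducing the list to `#include "siv-cmac.h"` (plus config.h) keeps the file's dependency surface honest and avoids copying the list forward into the next variant. The same applies to siv-cmac-aes256.c, which is identical apart from the context type and cipher.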
@@ -0,0 +1,76 @@ +/* siv-cmac-aes256.c + + AES-SIV, RFC5297 + + Copyright (C) 2017 Nikos Mavrogiannopoulos + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "aes.h" +#include "siv-cmac.h" +#include "cmac.h" +#include "ctr.h" +#include "memxor.h" +#include "memops.h" + +void +siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key) +{ + siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes256, key); +} + +void +siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src) +{ + siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, + &nettle_aes256, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + clength, dst, src); +} + +int +siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t mlength, uint8_t *dst, const uint8_t *src) +{ + return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, + &nettle_aes256, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + mlength, dst, src); +} diff -Nru nettle-3.4.1/siv-cmac.c nettle-3.7.3/siv-cmac.c --- nettle-3.4.1/siv-cmac.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/siv-cmac.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,165 @@
+/* siv-cmac.c
+
+ SIV-CMAC, RFC5297
+
+ Copyright (C) 2017 Nikos Mavrogiannopoulos
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include 
+#include 
+
+#include "aes.h"
+#include "siv-cmac.h"
+#include "cmac.h"
+#include "ctr.h"
+#include "memxor.h"
+#include "memops.h"
+#include "nettle-internal.h"
+#include "block-internal.h"
+
+/* This is an implementation of S2V for the AEAD case where
+ * vectors if zero, are considered as S empty components */
+static void
+_siv_s2v (const struct nettle_cipher *nc,
+ const struct cmac128_key *cmac_key,
+ const void *cmac_cipher,
+ size_t alength, const uint8_t * adata,
+ size_t nlength, const uint8_t * nonce,
+ size_t plength, const uint8_t * pdata, uint8_t * v)
+{
+ union nettle_block16 D, S, T;
+ static const union nettle_block16 const_zero = {.b = 0 };
+ struct cmac128_ctx cmac_ctx;
+ assert (nlength >= SIV_MIN_NONCE_SIZE);
+
+ cmac128_init(&cmac_ctx);
+ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, const_zero.b);
+ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, D.b);
+
+ block16_mulx_be (&D, &D);
+ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, alength, adata);
+ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, S.b);
+ block16_xor (&D, &S);
+
+ block16_mulx_be (&D, &D);
+ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, nlength, nonce);
+ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, S.b);
+ block16_xor (&D, &S);
+
+ /* Sn */
+ if (plength >= 16)
+ {
+ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, plength - 16, pdata);
+
+ pdata += plength - 16;
+
+ block16_xor_bytes (&T, &D, pdata);
+ }
+ else
+ {
+ union nettle_block16 pad;
+
+ block16_mulx_be (&T, &D);
+ memcpy (pad.b, pdata, plength);
+ pad.b[plength] = 0x80;
+ if (plength + 1 < 16)
+ memset (&pad.b[plength + 1], 0, 16 - plength - 1);
+
+ block16_xor (&T, &pad);
+ }
+
+ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, T.b);
+ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, v);
+}
+
+void
+siv_cmac_set_key (struct cmac128_key *cmac_key, void *cmac_cipher, void *siv_cipher,
+ const struct nettle_cipher *nc, const uint8_t * key)
+{
+ nc->set_encrypt_key (cmac_cipher, key);
+ cmac128_set_key (cmac_key, cmac_cipher, nc->encrypt);
+ nc->set_encrypt_key (siv_cipher, key + nc->key_size);
+}
+
+void
+siv_cmac_encrypt_message (const struct cmac128_key *cmac_key,
+ const void *cmac_cipher,
+ const struct nettle_cipher *nc,
+ const void *ctr_cipher,
+ size_t nlength, const uint8_t * nonce,
+ size_t alength, const uint8_t * adata,
+ size_t clength, uint8_t * dst, const uint8_t * src)
+{
+ union nettle_block16 siv;
+ size_t slength;
+
+ assert (clength >= SIV_DIGEST_SIZE);
+ slength = clength - SIV_DIGEST_SIZE;
+
+ /* create CTR nonce */
+ _siv_s2v (nc, cmac_key, cmac_cipher, alength, adata, nlength, nonce, slength, src, siv.b);
+
+ memcpy (dst, siv.b, SIV_DIGEST_SIZE);
+ siv.b[8] &= ~0x80;
+ siv.b[12] &= ~0x80;
+
+ ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, siv.b, slength,
+ dst + SIV_DIGEST_SIZE, src);
+}
+
+int
+siv_cmac_decrypt_message (const struct cmac128_key *cmac_key,
+ const void *cmac_cipher,
+ const struct nettle_cipher *nc,
+ const void *ctr_cipher,
+ size_t nlength, const uint8_t * nonce,
+ size_t alength, const uint8_t * adata,
+ size_t mlength, uint8_t * dst, const uint8_t * src)
+{
+ union nettle_block16 siv;
+ union nettle_block16 ctr;
+
+ memcpy (ctr.b, src, SIV_DIGEST_SIZE);
+ ctr.b[8] &= ~0x80;
+ ctr.b[12] &= ~0x80;
+
+ ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, ctr.b,
+ mlength, dst, src + SIV_DIGEST_SIZE);
+
+ /* create CTR nonce */
+ _siv_s2v (nc,
+ cmac_key, cmac_cipher, alength, adata,
+ nlength, nonce, mlength, dst, siv.b);
+
+ return memeql_sec (siv.b, src, SIV_DIGEST_SIZE);
+}
diff -Nru nettle-3.4.1/siv-cmac.h nettle-3.7.3/siv-cmac.h
--- nettle-3.4.1/siv-cmac.h 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/siv-cmac.h 2021-06-06 20:06:29.000000000 +0000
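Review bot: In siv_cmac_decrypt_message the tag is compared against `src` only after `ctr_crypt` has already written `mlength` bytes of plaintext to `dst`, so if callers are allowed to decrypt in place (`dst == src`) the tag bytes at the start of `src` are overwritten before `memeql_sec` runs and verification always fails; either document that `dst` and `src` must not overlap, or save the tag first with `union nettle_block16 tag; memcpy (tag.b, src, SIV_DIGEST_SIZE);` and compare `siv.b` against `tag.b`. In `_siv_s2v`, `memcpy (pad.b, pdata, plength)` is reached with `plength == 0`, which is undefined behaviour if a caller passes a NULL `src` for an empty message (UBSan flags it); `if (plength) memcpy (pad.b, pdata, plength);` avoids it. The code takes a generic `struct nettle_cipher *nc` but hard-codes `AES_BLOCK_SIZE` and 16, so an `assert (nc->block_size == SIV_BLOCK_SIZE)` in siv_cmac_set_key would make the 128-bit-block requirement stated in siv-cmac.h explicit rather than implicit. Note also that the `assert` on `nlength` vanishes under NDEBUG, so the minimum-nonce rule is unchecked in release builds.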
@@ -0,0 +1,134 @@
+/* siv-cmac.h
+
+ AES-SIV, RFC5297
+
+ Copyright (C) 2017 Nikos Mavrogiannopoulos
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_SIV_H_INCLUDED
+#define NETTLE_SIV_H_INCLUDED
+
+#include "nettle-types.h"
+#include "nettle-meta.h"
+#include "cmac.h"
+#include "aes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define siv_cmac_set_key nettle_siv_cmac_set_key
+#define siv_cmac_encrypt_message nettle_siv_cmac_encrypt_message
+#define siv_cmac_decrypt_message nettle_siv_cmac_decrypt_message
+#define siv_cmac_aes128_set_key nettle_siv_cmac_aes128_set_key
+#define siv_cmac_aes128_encrypt_message nettle_siv_cmac_aes128_encrypt_message
+#define siv_cmac_aes128_decrypt_message nettle_siv_cmac_aes128_decrypt_message
+#define siv_cmac_aes256_set_key nettle_siv_cmac_aes256_set_key
+#define siv_cmac_aes256_encrypt_message nettle_siv_cmac_aes256_encrypt_message
+#define siv_cmac_aes256_decrypt_message nettle_siv_cmac_aes256_decrypt_message
+
+/* For SIV, the block size of the underlying cipher shall be 128 bits.
 */
+#define SIV_BLOCK_SIZE 16
+#define SIV_DIGEST_SIZE 16
+#define SIV_MIN_NONCE_SIZE 1
+
+void
+siv_cmac_set_key(struct cmac128_key *cmac_key, void *cmac_cipher, void *ctr_cipher,
+ const struct nettle_cipher *nc,
+ const uint8_t *key);
+
+void
+siv_cmac_encrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher_ctx,
+ const struct nettle_cipher *nc,
+ const void *ctr_ctx,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t clength, uint8_t *dst, const uint8_t *src);
+
+int
+siv_cmac_decrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher,
+ const struct nettle_cipher *nc,
+ const void *ctr_cipher,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t mlength, uint8_t *dst, const uint8_t *src);
+
+/*
+ * SIV mode requires the aad and plaintext when building the IV, which
+ * prevents streaming processing and it incompatible with the AEAD API.
+ */
+
+#define SIV_CMAC_CTX(type) { struct cmac128_key cmac_key; type cmac_cipher; type ctr_cipher; }
+
+/* SIV_CMAC_AES128 */
+#define SIV_CMAC_AES128_KEY_SIZE 32
+
+struct siv_cmac_aes128_ctx SIV_CMAC_CTX(struct aes128_ctx);
+
+void
+siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key);
+
+void
+siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t clength, uint8_t *dst, const uint8_t *src);
+
+int
+siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t mlength, uint8_t *dst, const uint8_t *src);
+
+/* SIV_CMAC_AES256 */
+#define SIV_CMAC_AES256_KEY_SIZE 64
+
+struct siv_cmac_aes256_ctx SIV_CMAC_CTX(struct aes256_ctx);
+
+void
+siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key);
+
+void
+siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx,
+
size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src); + +int +siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t mlength, uint8_t *dst, const uint8_t *src); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_SIV_H_INCLUDED */ diff -Nru nettle-3.4.1/sparc32/aes-decrypt-internal.asm nettle-3.7.3/sparc32/aes-decrypt-internal.asm --- nettle-3.4.1/sparc32/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/sparc32/aes-decrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C sparc32/aes-decrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. @@ -28,33 +28,33 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`sparc32/aes.m4') C Arguments -define(,<%i0>) -define(, <%i1>) -define(, <%i2>) -define(,<%i3>) -define(, <%i4>) -define(, <%i5>) +define(`ROUNDS',`%i0') +define(`KEYS', `%i1') +define(`T', `%i2') +define(`LENGTH',`%i3') +define(`DST', `%i4') +define(`SRC', `%i5') C AES state, two copies for unrolling -define(, <%l0>) -define(, <%l1>) -define(, <%l2>) -define(, <%l3>) - -define(, <%l4>) -define(, <%l5>) -define(, <%l6>) -define(, <%l7>) +define(`W0', `%l0') +define(`W1', `%l1') +define(`W2', `%l2') +define(`W3', `%l3') + +define(`X0', `%l4') +define(`X1', `%l5') +define(`X2', `%l6') +define(`X3', `%l7') C %o0-%03 are used for loop invariants T0-T3 -define(, <%o4>) -define(, <%o5>) +define(`KEY', `%o4') +define(`COUNT', `%o5') C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 
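Review bot: The decrypt prototypes do not document their return value or what the caller must do with `dst` on failure; siv-cmac.c returns the result of `memeql_sec`, and by then `dst` already holds the unauthenticated CTR output, so callers must discard it. Suggested comment above `siv_cmac_decrypt_message` and the aes128/aes256 variants: `/* Returns 1 if the tag verified, 0 otherwise. On failure the contents of dst are unauthenticated and must be discarded. */`; the encrypt side should likewise state that `dst` receives `clength` bytes of which the first SIV_DIGEST_SIZE are the tag and `src` supplies `clength - SIV_DIGEST_SIZE` bytes of plaintext. The include guard `NETTLE_SIV_H_INCLUDED` does not match the file name siv-cmac.h, unlike the other new headers in this diff, and the comment near `SIV_CMAC_CTX` reads `and it incompatible` where `and is incompatible` is meant. `SIV_BLOCK_SIZE` is defined here but siv-cmac.c uses `AES_BLOCK_SIZE` instead, so one of the two should go.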
@@ -63,7 +63,7 @@
 C %fp - 4: OS-dependent link field
 C %fp - 8: OS-dependent link field
 C %fp - 104: OS register save area.
-define(, 104)
+define(`FRAME_SIZE', 104)
 .file "aes-decrypt-internal.asm"
diff -Nru nettle-3.4.1/sparc32/aes-encrypt-internal.asm nettle-3.7.3/sparc32/aes-encrypt-internal.asm
--- nettle-3.4.1/sparc32/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/sparc32/aes-encrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C sparc32/aes-encrypt-internal.asm
-ifelse(<
+ifelse(`
 Copyright (C) 2002, 2005, 2013 Niels Möller
 This file is part of GNU Nettle.
@@ -28,33 +28,33 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
-include_src()
+include_src(`sparc32/aes.m4')
 C Arguments
-define(,<%i0>)
-define(, <%i1>)
-define(, <%i2>)
-define(,<%i3>)
-define(, <%i4>)
-define(, <%i5>)
+define(`ROUNDS',`%i0')
+define(`KEYS', `%i1')
+define(`T', `%i2')
+define(`LENGTH',`%i3')
+define(`DST', `%i4')
+define(`SRC', `%i5')
 C AES state, two copies for unrolling
-define(, <%l0>)
-define(, <%l1>)
-define(, <%l2>)
-define(, <%l3>)
-
-define(, <%l4>)
-define(, <%l5>)
-define(, <%l6>)
-define(, <%l7>)
+define(`W0', `%l0')
+define(`W1', `%l1')
+define(`W2', `%l2')
+define(`W3', `%l3')
+
+define(`X0', `%l4')
+define(`X1', `%l5')
+define(`X2', `%l6')
+define(`X3', `%l7')
 C %o0-%03 are used for loop invariants T0-T3
-define(, <%o4>)
-define(, <%o5>)
+define(`KEY', `%o4')
+define(`COUNT', `%o5')
 C %g1, %g2, %g3 are TMP1, TMP2 and TMP3
@@ -68,7 +68,7 @@
 C %fp - 4: OS-dependent link field
 C %fp - 8: OS-dependent link field
 C %fp - 104: OS register save area
-define(, 104)
+define(`FRAME_SIZE', 104)
 .file "aes-encrypt-internal.asm"
diff -Nru nettle-3.4.1/sparc32/aes.m4 nettle-3.7.3/sparc32/aes.m4
--- nettle-3.4.1/sparc32/aes.m4 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/sparc32/aes.m4 2021-06-06 20:06:29.000000000 +0000
@@ -1,16 +1,16 @@
 C Used as temporaries by the AES macros
-define(, <%g1>)
-define(, <%g2>)
-define(, <%g3>)
+define(`TMP1', `%g1')
+define(`TMP2', `%g2')
+define(`TMP3', `%g3')
 C Loop invariants used by AES_ROUND
-define(, <%o0>)
-define(, <%o1>)
-define(, <%o2>)
-define(, <%o3>)
+define(`T0', `%o0')
+define(`T1', `%o1')
+define(`T2', `%o2')
+define(`T3', `%o3')
 C AES_LOAD(i, src, key, res)
-define(, <
+define(`AES_LOAD', `
 ldub [$2 + 4*$1], $4
 ldub [$2 + 4*$1 + 1], TMP1
 ldub [$2 + 4*$1 + 2], TMP2
@@ -25,14 +25,14 @@
 C Get subkey
 ld [$3 + 4*$1], TMP2
 or $4, TMP1, $4
- xor $4, TMP2, $4>)dnl
+ xor $4, TMP2, $4')dnl
 C AES_ROUND(i, a, b, c, d, key, res)
 C Computes one word of the AES round
 C FIXME: Could use registers pointing directly to the four tables
 C FIXME: Needs better instruction scheduling, and perhaps more temporaries
 C Alternatively, we can use a single table and some rotations
-define(, <
+define(`AES_ROUND', `
 and $2, 0xff, TMP1 C 0
 srl $3, 6, TMP2 C 1
 sll TMP1, 2, TMP1 C 0
@@ -50,12 +50,12 @@
 ld [T3 + TMP2], TMP2 C 3
 xor $7, TMP1, $7 C 4 E4
 xor $7, TMP2, $7 C 3 E3
->)dnl
+')dnl
 C AES_FINAL_ROUND(i, T, a, b, c, d, key, dst)
 C Compute one word in the final round function. Output is converted to
 C octets and stored at dst. Relies on AES_SBOX being zero.
-define(, <
+define(`AES_FINAL_ROUND', `
 C Load subkey
 ld [$7 + 4*$1], TMP3
@@ -80,4 +80,4 @@
 stb TMP1, [$8 + 4*$1 + 2] C 2 E2
 xor TMP3, TMP2, TMP2 C 3
 stb TMP2, [$8 + 4*$1 + 3] C 3 E3
->)
+')
diff -Nru nettle-3.4.1/sparc32/arcfour-crypt.asm nettle-3.7.3/sparc32/arcfour-crypt.asm
--- nettle-3.4.1/sparc32/arcfour-crypt.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/sparc32/arcfour-crypt.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C sparc32/arcfour-crypt.asm
-ifelse(<
+ifelse(`
 Copyright (C) 2002, 2005 Niels Möller
 This file is part of GNU Nettle.
@@ -28,36 +28,36 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 C Define to YES, to enable the complex code to special case SRC
 C and DST with compatible alignment.
-define(, )
+define(`WITH_ALIGN', `YES')
 C Registers
-define(, <%i0>)
-define(,<%i1>)
-define(, <%i2>)
-define(, <%i3>)
-
-define(, <%i4>)
-define(, <%i5>)
-define(, <%g1>)
-define(, <%g2>)
-define(, <%g3>)
-define(, <%o0>)
-define(, <%o1>)
-define(, <%o2>)
-define(, <%o3>)
+define(`CTX', `%i0')
+define(`LENGTH',`%i1')
+define(`DST', `%i2')
+define(`SRC', `%i3')
+
+define(`I1', `%i4')
+define(`I2', `%i5')
+define(`J', `%g1')
+define(`SI', `%g2')
+define(`SJ', `%g3')
+define(`TMP', `%o0')
+define(`TMP2', `%o1')
+define(`N', `%o2')
+define(`DATA', `%o3')
 C Computes the next byte of the key stream. As input, i must
 C already point to the index for the current access, the index
 C for the next access is stored in ni. The resulting key byte is
 C stored in res.
 C ARCFOUR_BYTE(i, ni, res)
-define(, <
+define(`ARCFOUR_BYTE', `
 ldub [CTX + $1], SI
 add $1, 1, $2
 add J, SI, J
@@ -69,10 +69,10 @@
 and SI, 0xff, SI
 stb SJ, [CTX + $1]
 ldub [CTX + SI], $3
->)dnl
+')dnl
 C FIXME: Consider using the callers window
-define(, 104)
+define(`FRAME_SIZE', 104)
 .file "arcfour-crypt.asm"
diff -Nru nettle-3.4.1/sparc64/aes-decrypt-internal.asm nettle-3.7.3/sparc64/aes-decrypt-internal.asm
--- nettle-3.4.1/sparc64/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/sparc64/aes-decrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C sparc64/aes-decrypt-internal.asm
-ifelse(<
+ifelse(`
 Copyright (C) 2002, 2005, 2013 Niels Möller
 This file is part of GNU Nettle.
@@ -28,7 +28,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 C The only difference between this code and the sparc32 code is the
 C frame offsets, and the magic BIAS when accessing the stack (which
@@ -36,31 +36,31 @@
 C Use the same AES macros as on sparc32.
-include_src()
+include_src(`sparc32/aes.m4')
 C Arguments
-define(,<%i0>)
-define(, <%i1>)
-define(, <%i2>)
-define(,<%i3>)
-define(, <%i4>)
-define(, <%i5>)
+define(`ROUNDS',`%i0')
+define(`KEYS', `%i1')
+define(`T', `%i2')
+define(`LENGTH',`%i3')
+define(`DST', `%i4')
+define(`SRC', `%i5')
 C AES state, two copies for unrolling
-define(, <%l0>)
-define(, <%l1>)
-define(, <%l2>)
-define(, <%l3>)
-
-define(, <%l4>)
-define(, <%l5>)
-define(, <%l6>)
-define(, <%l7>)
+define(`W0', `%l0')
+define(`W1', `%l1')
+define(`W2', `%l2')
+define(`W3', `%l3')
+
+define(`X0', `%l4')
+define(`X1', `%l5')
+define(`X2', `%l6')
+define(`X3', `%l7')
 C %o0-%03 are used for loop invariants T0-T3
-define(, <%o4>)
-define(, <%o5>)
+define(`KEY', `%o4')
+define(`COUNT', `%o5')
 C %g1, %g2, %g3 are TMP1, TMP2 and TMP3
@@ -69,7 +69,7 @@
 C %fp - 8: OS-dependent link field
 C %fp - 16: OS-dependent link field
 C %fp - 192: OS register save area (22*8 == 176 bytes)
-define(, 192)
+define(`FRAME_SIZE', 192)
 .file "aes-decrypt-internal.asm"
diff -Nru nettle-3.4.1/sparc64/aes-encrypt-internal.asm nettle-3.7.3/sparc64/aes-encrypt-internal.asm
--- nettle-3.4.1/sparc64/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/sparc64/aes-encrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C sparc64/aes-encrypt-internal.asm
-ifelse(<
+ifelse(`
 Copyright (C) 2002, 2005, 2013 Niels Möller
 This file is part of GNU Nettle.
@@ -28,7 +28,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 C The only difference between this code and the sparc32 code is the
 C frame offsets, and the magic BIAS when accessing the stack (which
@@ -36,31 +36,31 @@
 C Use the same AES macros as on sparc32.
-include_src()
+include_src(`sparc32/aes.m4')
 C Arguments
-define(,<%i0>)
-define(, <%i1>)
-define(, <%i2>)
-define(,<%i3>)
-define(, <%i4>)
-define(, <%i5>)
+define(`ROUNDS',`%i0')
+define(`KEYS', `%i1')
+define(`T', `%i2')
+define(`LENGTH',`%i3')
+define(`DST', `%i4')
+define(`SRC', `%i5')
 C AES state, two copies for unrolling
-define(, <%l0>)
-define(, <%l1>)
-define(, <%l2>)
-define(, <%l3>)
-
-define(, <%l4>)
-define(, <%l5>)
-define(, <%l6>)
-define(, <%l7>)
+define(`W0', `%l0')
+define(`W1', `%l1')
+define(`W2', `%l2')
+define(`W3', `%l3')
+
+define(`X0', `%l4')
+define(`X1', `%l5')
+define(`X2', `%l6')
+define(`X3', `%l7')
 C %o0-%03 are used for loop invariants T0-T3
-define(, <%o4>)
-define(, <%o5>)
+define(`KEY', `%o4')
+define(`COUNT', `%o5')
 C %g1, %g2, %g3 are TMP1, TMP2 and TMP3
@@ -69,7 +69,7 @@
 C %fp - 8: OS-dependent link field
 C %fp - 16: OS-dependent link field
 C %fp - 192: OS register save area (22*8 == 176 bytes)
-define(, 192)
+define(`FRAME_SIZE', 192)
 .file "aes-encrypt-internal.asm"
diff -Nru nettle-3.4.1/sparc64/arcfour-crypt.asm nettle-3.7.3/sparc64/arcfour-crypt.asm
--- nettle-3.4.1/sparc64/arcfour-crypt.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/sparc64/arcfour-crypt.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C sparc64/arcfour-crypt.asm
-ifelse(<
+ifelse(`
 Copyright (C) 2002, 2005 Niels Möller
 This file is part of GNU Nettle.
@@ -28,36 +28,36 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 C Define to YES, to enable the complex code to special case SRC
 C and DST with compatible alignment.
-define(, )
+define(`WITH_ALIGN', `YES')
 C Registers
-define(, <%i0>)
-define(,<%i1>)
-define(, <%i2>)
-define(, <%i3>)
-
-define(, <%i4>)
-define(, <%i5>)
-define(, <%g1>)
-define(, <%g2>)
-define(, <%g3>)
-define(, <%o0>)
-define(, <%o1>)
-define(, <%o2>)
-define(, <%o3>)
+define(`CTX', `%i0')
+define(`LENGTH',`%i1')
+define(`DST', `%i2')
+define(`SRC', `%i3')
+
+define(`I1', `%i4')
+define(`I2', `%i5')
+define(`J', `%g1')
+define(`SI', `%g2')
+define(`SJ', `%g3')
+define(`TMP', `%o0')
+define(`TMP2', `%o1')
+define(`N', `%o2')
+define(`DATA', `%o3')
 C Computes the next byte of the key stream. As input, i must
 C already point to the index for the current access, the index
 C for the next access is stored in ni. The resulting key byte is
 C stored in res.
 C ARCFOUR_BYTE(i, ni, res)
-define(, <
+define(`ARCFOUR_BYTE', `
 ldub [CTX + $1], SI
 add $1, 1, $2
 add J, SI, J
@@ -69,9 +69,9 @@
 and SI, 0xff, SI
 stb SJ, [CTX + $1]
 ldub [CTX + SI], $3
->)dnl
+')dnl
-define(, 192)
+define(`FRAME_SIZE', 192)
 .file "arcfour-crypt.asm"
diff -Nru nettle-3.4.1/sparc64/machine.m4 nettle-3.7.3/sparc64/machine.m4
--- nettle-3.4.1/sparc64/machine.m4 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/sparc64/machine.m4 2021-06-06 20:06:29.000000000 +0000
@@ -1,4 +1,4 @@
-define(, 2047) C Magic stack bias for the Sparc64 ABI
+define(`BIAS', 2047) C Magic stack bias for the Sparc64 ABI
 .register %g2,#scratch
 .register %g3,#scratch
diff -Nru nettle-3.4.1/streebog.c nettle-3.7.3/streebog.c
--- nettle-3.4.1/streebog.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/streebog.c 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,1317 @@
+/* streebog.c - GOST R 34.11-2012 (Streebog) hash function
+ See RFC 6986 for the English translation of the standard
+
+ Copyright (C) 2020 Dmitry Baryshkov
+
+ Based on my code in libgcrypt.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+#include
+
+#include "streebog.h"
+
+#include "macros.h"
+#include "nettle-write.h"
+
+
+/* Pre-computed results of multiplication of bytes on A and reordered with
+ Pi[].
*/ +static const uint64_t streebog_table[8][256] = +{ + /* 0 */ + { 0xd01f715b5c7ef8e6ULL, 0x16fa240980778325ULL, + 0xa8a42e857ee049c8ULL, 0x6ac1068fa186465bULL, + 0x6e417bd7a2e9320bULL, 0x665c8167a437daabULL, + 0x7666681aa89617f6ULL, 0x4b959163700bdcf5ULL, + 0xf14be6b78df36248ULL, 0xc585bd689a625cffULL, + 0x9557d7fca67d82cbULL, 0x89f0b969af6dd366ULL, + 0xb0833d48749f6c35ULL, 0xa1998c23b1ecbc7cULL, + 0x8d70c431ac02a736ULL, 0xd6dfbc2fd0a8b69eULL, + 0x37aeb3e551fa198bULL, 0x0b7d128a40b5cf9cULL, + 0x5a8f2008b5780cbcULL, 0xedec882284e333e5ULL, + 0xd25fc177d3c7c2ceULL, 0x5e0f5d50b61778ecULL, + 0x1d873683c0c24cb9ULL, 0xad040bcbb45d208cULL, + 0x2f89a0285b853c76ULL, 0x5732fff6791b8d58ULL, + 0x3e9311439ef6ec3fULL, 0xc9183a809fd3c00fULL, + 0x83adf3f5260a01eeULL, 0xa6791941f4e8ef10ULL, + 0x103ae97d0ca1cd5dULL, 0x2ce948121dee1b4aULL, + 0x39738421dbf2bf53ULL, 0x093da2a6cf0cf5b4ULL, + 0xcd9847d89cbcb45fULL, 0xf9561c078b2d8ae8ULL, + 0x9c6a755a6971777fULL, 0xbc1ebaa0712ef0c5ULL, + 0x72e61542abf963a6ULL, 0x78bb5fde229eb12eULL, + 0x14ba94250fceb90dULL, 0x844d6697630e5282ULL, + 0x98ea08026a1e032fULL, 0xf06bbea144217f5cULL, + 0xdb6263d11ccb377aULL, 0x641c314b2b8ee083ULL, + 0x320e96ab9b4770cfULL, 0x1ee7deb986a96b85ULL, + 0xe96cf57a878c47b5ULL, 0xfdd6615f8842feb8ULL, + 0xc83862965601dd1bULL, 0x2ea9f83e92572162ULL, + 0xf876441142ff97fcULL, 0xeb2c455608357d9dULL, + 0x5612a7e0b0c9904cULL, 0x6c01cbfb2d500823ULL, + 0x4548a6a7fa037a2dULL, 0xabc4c6bf388b6ef4ULL, + 0xbade77d4fdf8bebdULL, 0x799b07c8eb4cac3aULL, + 0x0c9d87e805b19cf0ULL, 0xcb588aac106afa27ULL, + 0xea0c1d40c1e76089ULL, 0x2869354a1e816f1aULL, + 0xff96d17307fbc490ULL, 0x9f0a9d602f1a5043ULL, + 0x96373fc6e016a5f7ULL, 0x5292dab8b3a6e41cULL, + 0x9b8ae0382c752413ULL, 0x4f15ec3b7364a8a5ULL, + 0x3fb349555724f12bULL, 0xc7c50d4415db66d7ULL, + 0x92b7429ee379d1a7ULL, 0xd37f99611a15dfdaULL, + 0x231427c05e34a086ULL, 0xa439a96d7b51d538ULL, + 0xb403401077f01865ULL, 0xdda2aea5901d7902ULL, + 0x0a5d4a9c8967d288ULL, 0xc265280adf660f93ULL, + 
0x8bb0094520d4e94eULL, 0x2a29856691385532ULL, + 0x42a833c5bf072941ULL, 0x73c64d54622b7eb2ULL, + 0x07e095624504536cULL, 0x8a905153e906f45aULL, + 0x6f6123c16b3b2f1fULL, 0xc6e55552dc097bc3ULL, + 0x4468feb133d16739ULL, 0xe211e7f0c7398829ULL, + 0xa2f96419f7879b40ULL, 0x19074bdbc3ad38e9ULL, + 0xf4ebc3f9474e0b0cULL, 0x43886bd376d53455ULL, + 0xd8028beb5aa01046ULL, 0x51f23282f5cdc320ULL, + 0xe7b1c2be0d84e16dULL, 0x081dfab006dee8a0ULL, + 0x3b33340d544b857bULL, 0x7f5bcabc679ae242ULL, + 0x0edd37c48a08a6d8ULL, 0x81ed43d9a9b33bc6ULL, + 0xb1a3655ebd4d7121ULL, 0x69a1eeb5e7ed6167ULL, + 0xf6ab73d5c8f73124ULL, 0x1a67a3e185c61fd5ULL, + 0x2dc91004d43c065eULL, 0x0240b02c8fb93a28ULL, + 0x90f7f2b26cc0eb8fULL, 0x3cd3a16f114fd617ULL, + 0xaae49ea9f15973e0ULL, 0x06c0cd748cd64e78ULL, + 0xda423bc7d5192a6eULL, 0xc345701c16b41287ULL, + 0x6d2193ede4821537ULL, 0xfcf639494190e3acULL, + 0x7c3b228621f1c57eULL, 0xfb16ac2b0494b0c0ULL, + 0xbf7e529a3745d7f9ULL, 0x6881b6a32e3f7c73ULL, + 0xca78d2bad9b8e733ULL, 0xbbfe2fc2342aa3a9ULL, + 0x0dbddffecc6381e4ULL, 0x70a6a56e2440598eULL, + 0xe4d12a844befc651ULL, 0x8c509c2765d0ba22ULL, + 0xee8c6018c28814d9ULL, 0x17da7c1f49a59e31ULL, + 0x609c4c1328e194d3ULL, 0xb3e3d57232f44b09ULL, + 0x91d7aaa4a512f69bULL, 0x0ffd6fd243dabbccULL, + 0x50d26a943c1fde34ULL, 0x6be15e9968545b4fULL, + 0x94778fea6faf9fdfULL, 0x2b09dd7058ea4826ULL, + 0x677cd9716de5c7bfULL, 0x49d5214fffb2e6ddULL, + 0x0360e83a466b273cULL, 0x1fc786af4f7b7691ULL, + 0xa0b9d435783ea168ULL, 0xd49f0c035f118cb6ULL, + 0x01205816c9d21d14ULL, 0xac2453dd7d8f3d98ULL, + 0x545217cc3f70aa64ULL, 0x26b4028e9489c9c2ULL, + 0xdec2469fd6765e3eULL, 0x04807d58036f7450ULL, + 0xe5f17292823ddb45ULL, 0xf30b569b024a5860ULL, + 0x62dcfc3fa758aefbULL, 0xe84cad6c4e5e5aa1ULL, + 0xccb81fce556ea94bULL, 0x53b282ae7a74f908ULL, + 0x1b47fbf74c1402c1ULL, 0x368eebf39828049fULL, + 0x7afbeff2ad278b06ULL, 0xbe5e0a8cfe97caedULL, + 0xcfd8f7f413058e77ULL, 0xf78b2bc301252c30ULL, + 0x4d555c17fcdd928dULL, 0x5f2f05467fc565f8ULL, + 0x24f4b2a21b30f3eaULL, 
0x860dd6bbecb768aaULL, + 0x4c750401350f8f99ULL, 0x0000000000000000ULL, + 0xecccd0344d312ef1ULL, 0xb5231806be220571ULL, + 0xc105c030990d28afULL, 0x653c695de25cfd97ULL, + 0x159acc33c61ca419ULL, 0xb89ec7f872418495ULL, + 0xa9847693b73254dcULL, 0x58cf90243ac13694ULL, + 0x59efc832f3132b80ULL, 0x5c4fed7c39ae42c4ULL, + 0x828dabe3efd81cfaULL, 0xd13f294d95ace5f2ULL, + 0x7d1b7a90e823d86aULL, 0xb643f03cf849224dULL, + 0x3df3f979d89dcb03ULL, 0x7426d836272f2ddeULL, + 0xdfe21e891fa4432aULL, 0x3a136c1b9d99986fULL, + 0xfa36f43dcd46add4ULL, 0xc025982650df35bbULL, + 0x856d3e81aadc4f96ULL, 0xc4a5e57e53b041ebULL, + 0x4708168b75ba4005ULL, 0xaf44bbe73be41aa4ULL, + 0x971767d029c4b8e3ULL, 0xb9be9feebb939981ULL, + 0x215497ecd18d9aaeULL, 0x316e7e91dd2c57f3ULL, + 0xcef8afe2dad79363ULL, 0x3853dc371220a247ULL, + 0x35ee03c9de4323a3ULL, 0xe6919aa8c456fc79ULL, + 0xe05157dc4880b201ULL, 0x7bdbb7e464f59612ULL, + 0x127a59518318f775ULL, 0x332ecebd52956ddbULL, + 0x8f30741d23bb9d1eULL, 0xd922d3fd93720d52ULL, + 0x7746300c61440ae2ULL, 0x25d4eab4d2e2eefeULL, + 0x75068020eefd30caULL, 0x135a01474acaea61ULL, + 0x304e268714fe4ae7ULL, 0xa519f17bb283c82cULL, + 0xdc82f6b359cf6416ULL, 0x5baf781e7caa11a8ULL, + 0xb2c38d64fb26561dULL, 0x34ce5bdf17913eb7ULL, + 0x5d6fb56af07c5fd0ULL, 0x182713cd0a7f25fdULL, + 0x9e2ac576e6c84d57ULL, 0x9aaab82ee5a73907ULL, + 0xa3d93c0f3e558654ULL, 0x7e7b92aaae48ff56ULL, + 0x872d8ead256575beULL, 0x41c8dbfff96c0e7dULL, + 0x99ca5014a3cc1e3bULL, 0x40e883e930be1369ULL, + 0x1ca76e95091051adULL, 0x4e35b42dbab6b5b1ULL, + 0x05a0254ecabd6944ULL, 0xe1710fca8152af15ULL, + 0xf22b0e8dcb984574ULL, 0xb763a82a319b3f59ULL, + 0x63fca4296e8ab3efULL, 0x9d4a2d4ca0a36a6bULL, + 0xe331bfe60eeb953dULL, 0xd5bf541596c391a2ULL, + 0xf5cb9bef8e9c1618ULL, 0x46284e9dbc685d11ULL, + 0x2074cffa185f87baULL, 0xbd3ee2b6b8fcedd1ULL, + 0xae64e3f1f23607b0ULL, 0xfeb68965ce29d984ULL, + 0x55724fdaf6a2b770ULL, 0x29496d5cd753720eULL, + 0xa75941573d3af204ULL, 0x8e102c0bea69800aULL, + 0x111ab16bc573d049ULL, 0xd7ffe439197aab8aULL, + 
0xefac380e0b5a09cdULL, 0x48f579593660fbc9ULL, + 0x22347fd697e6bd92ULL, 0x61bc1405e13389c7ULL, + 0x4ab5c975b9d9c1e1ULL, 0x80cd1bcf606126d2ULL, + 0x7186fd78ed92449aULL, 0x93971a882aabccb3ULL, + 0x88d0e17f66bfce72ULL, 0x27945a985d5bd4d6ULL }, + /* 1 */ + { 0xde553f8c05a811c8ULL, 0x1906b59631b4f565ULL, + 0x436e70d6b1964ff7ULL, 0x36d343cb8b1e9d85ULL, + 0x843dfacc858aab5aULL, 0xfdfc95c299bfc7f9ULL, + 0x0f634bdea1d51fa2ULL, 0x6d458b3b76efb3cdULL, + 0x85c3f77cf8593f80ULL, 0x3c91315fbe737cb2ULL, + 0x2148b03366ace398ULL, 0x18f8b8264c6761bfULL, + 0xc830c1c495c9fb0fULL, 0x981a76102086a0aaULL, + 0xaa16012142f35760ULL, 0x35cc54060c763cf6ULL, + 0x42907d66cc45db2dULL, 0x8203d44b965af4bcULL, + 0x3d6f3cefc3a0e868ULL, 0xbc73ff69d292bda7ULL, + 0x8722ed0102e20a29ULL, 0x8f8185e8cd34deb7ULL, + 0x9b0561dda7ee01d9ULL, 0x5335a0193227fad6ULL, + 0xc9cecc74e81a6fd5ULL, 0x54f5832e5c2431eaULL, + 0x99e47ba05d553470ULL, 0xf7bee756acd226ceULL, + 0x384e05a5571816fdULL, 0xd1367452a47d0e6aULL, + 0xf29fde1c386ad85bULL, 0x320c77316275f7caULL, + 0xd0c879e2d9ae9ab0ULL, 0xdb7406c69110ef5dULL, + 0x45505e51a2461011ULL, 0xfc029872e46c5323ULL, + 0xfa3cb6f5f7bc0cc5ULL, 0x031f17cd8768a173ULL, + 0xbd8df2d9af41297dULL, 0x9d3b4f5ab43e5e3fULL, + 0x4071671b36feee84ULL, 0x716207e7d3e3b83dULL, + 0x48d20ff2f9283a1aULL, 0x27769eb4757cbc7eULL, + 0x5c56ebc793f2e574ULL, 0xa48b474f9ef5dc18ULL, + 0x52cbada94ff46e0cULL, 0x60c7da982d8199c6ULL, + 0x0e9d466edc068b78ULL, 0x4eec2175eaf865fcULL, + 0x550b8e9e21f7a530ULL, 0x6b7ba5bc653fec2bULL, + 0x5eb7f1ba6949d0ddULL, 0x57ea94e3db4c9099ULL, + 0xf640eae6d101b214ULL, 0xdd4a284182c0b0bbULL, + 0xff1d8fbf6304f250ULL, 0xb8accb933bf9d7e8ULL, + 0xe8867c478eb68c4dULL, 0x3f8e2692391bddc1ULL, + 0xcb2fd60912a15a7cULL, 0xaec935dbab983d2fULL, + 0xf55ffd2b56691367ULL, 0x80e2ce366ce1c115ULL, + 0x179bf3f8edb27e1dULL, 0x01fe0db07dd394daULL, + 0xda8a0b76ecc37b87ULL, 0x44ae53e1df9584cbULL, + 0xb310b4b77347a205ULL, 0xdfab323c787b8512ULL, + 0x3b511268d070b78eULL, 0x65e6e3d2b9396753ULL, + 
0x6864b271e2574d58ULL, 0x259784c98fc789d7ULL, + 0x02e11a7dfabb35a9ULL, 0x8841a6dfa337158bULL, + 0x7ade78c39b5dcdd0ULL, 0xb7cf804d9a2cc84aULL, + 0x20b6bd831b7f7742ULL, 0x75bd331d3a88d272ULL, + 0x418f6aab4b2d7a5eULL, 0xd9951cbb6babdaf4ULL, + 0xb6318dfde7ff5c90ULL, 0x1f389b112264aa83ULL, + 0x492c024284fbaec0ULL, 0xe33a0363c608f9a0ULL, + 0x2688930408af28a4ULL, 0xc7538a1a341ce4adULL, + 0x5da8e677ee2171aeULL, 0x8c9e92254a5c7fc4ULL, + 0x63d8cd55aae938b5ULL, 0x29ebd8daa97a3706ULL, + 0x959827b37be88aa1ULL, 0x1484e4356adadf6eULL, + 0xa7945082199d7d6bULL, 0xbf6ce8a455fa1cd4ULL, + 0x9cc542eac9edcae5ULL, 0x79c16f0e1c356ca3ULL, + 0x89bfab6fdee48151ULL, 0xd4174d1830c5f0ffULL, + 0x9258048415eb419dULL, 0x6139d72850520d1cULL, + 0x6a85a80c18ec78f1ULL, 0xcd11f88e0171059aULL, + 0xcceff53e7ca29140ULL, 0xd229639f2315af19ULL, + 0x90b91ef9ef507434ULL, 0x5977d28d074a1be1ULL, + 0x311360fce51d56b9ULL, 0xc093a92d5a1f2f91ULL, + 0x1a19a25bb6dc5416ULL, 0xeb996b8a09de2d3eULL, + 0xfee3820f1ed7668aULL, 0xd7085ad5b7ad518cULL, + 0x7fff41890fe53345ULL, 0xec5948bd67dde602ULL, + 0x2fd5f65dbaaa68e0ULL, 0xa5754affe32648c2ULL, + 0xf8ddac880d07396cULL, 0x6fa491468c548664ULL, + 0x0c7c5c1326bdbed1ULL, 0x4a33158f03930fb3ULL, + 0x699abfc19f84d982ULL, 0xe4fa2054a80b329cULL, + 0x6707f9af438252faULL, 0x08a368e9cfd6d49eULL, + 0x47b1442c58fd25b8ULL, 0xbbb3dc5ebc91769bULL, + 0x1665fe489061eac7ULL, 0x33f27a811fa66310ULL, + 0x93a609346838d547ULL, 0x30ed6d4c98cec263ULL, + 0x1dd9816cd8df9f2aULL, 0x94662a03063b1e7bULL, + 0x83fdd9fbeb896066ULL, 0x7b207573e68e590aULL, + 0x5f49fc0a149a4407ULL, 0x343259b671a5a82cULL, + 0xfbc2bb458a6f981fULL, 0xc272b350a0a41a38ULL, + 0x3aaf1fd8ada32354ULL, 0x6cbb868b0b3c2717ULL, + 0xa2b569c88d2583feULL, 0xf180c9d1bf027928ULL, + 0xaf37386bd64ba9f5ULL, 0x12bacab2790a8088ULL, + 0x4c0d3b0810435055ULL, 0xb2eeb9070e9436dfULL, + 0xc5b29067cea7d104ULL, 0xdcb425f1ff132461ULL, + 0x4f122cc5972bf126ULL, 0xac282fa651230886ULL, + 0xe7e537992f6393efULL, 0xe61b3a2952b00735ULL, + 0x709c0a57ae302ce7ULL, 
0xe02514ae416058d3ULL, + 0xc44c9dd7b37445deULL, 0x5a68c5408022ba92ULL, + 0x1c278cdca50c0bf0ULL, 0x6e5a9cf6f18712beULL, + 0x86dce0b17f319ef3ULL, 0x2d34ec2040115d49ULL, + 0x4bcd183f7e409b69ULL, 0x2815d56ad4a9a3dcULL, + 0x24698979f2141d0dULL, 0x0000000000000000ULL, + 0x1ec696a15fb73e59ULL, 0xd86b110b16784e2eULL, + 0x8e7f8858b0e74a6dULL, 0x063e2e8713d05fe6ULL, + 0xe2c40ed3bbdb6d7aULL, 0xb1f1aeca89fc97acULL, + 0xe1db191e3cb3cc09ULL, 0x6418ee62c4eaf389ULL, + 0xc6ad87aa49cf7077ULL, 0xd6f65765ca7ec556ULL, + 0x9afb6c6dda3d9503ULL, 0x7ce05644888d9236ULL, + 0x8d609f95378feb1eULL, 0x23a9aa4e9c17d631ULL, + 0x6226c0e5d73aac6fULL, 0x56149953a69f0443ULL, + 0xeeb852c09d66d3abULL, 0x2b0ac2a753c102afULL, + 0x07c023376e03cb3cULL, 0x2ccae1903dc2c993ULL, + 0xd3d76e2f5ec63bc3ULL, 0x9e2458973356ff4cULL, + 0xa66a5d32644ee9b1ULL, 0x0a427294356de137ULL, + 0x783f62be61e6f879ULL, 0x1344c70204d91452ULL, + 0x5b96c8f0fdf12e48ULL, 0xa90916ecc59bf613ULL, + 0xbe92e5142829880eULL, 0x727d102a548b194eULL, + 0x1be7afebcb0fc0ccULL, 0x3e702b2244c8491bULL, + 0xd5e940a84d166425ULL, 0x66f9f41f3e51c620ULL, + 0xabe80c913f20c3baULL, 0xf07ec461c2d1edf2ULL, + 0xf361d3ac45b94c81ULL, 0x0521394a94b8fe95ULL, + 0xadd622162cf09c5cULL, 0xe97871f7f3651897ULL, + 0xf4a1f09b2bba87bdULL, 0x095d6559b2054044ULL, + 0x0bbc7f2448be75edULL, 0x2af4cf172e129675ULL, + 0x157ae98517094bb4ULL, 0x9fda55274e856b96ULL, + 0x914713499283e0eeULL, 0xb952c623462a4332ULL, + 0x74433ead475b46a8ULL, 0x8b5eb112245fb4f8ULL, + 0xa34b6478f0f61724ULL, 0x11a5dd7ffe6221fbULL, + 0xc16da49d27ccbb4bULL, 0x76a224d0bde07301ULL, + 0x8aa0bca2598c2022ULL, 0x4df336b86d90c48fULL, + 0xea67663a740db9e4ULL, 0xef465f70e0b54771ULL, + 0x39b008152acb8227ULL, 0x7d1e5bf4f55e06ecULL, + 0x105bd0cf83b1b521ULL, 0x775c2960c033e7dbULL, + 0x7e014c397236a79fULL, 0x811cc386113255cfULL, + 0xeda7450d1a0e72d8ULL, 0x5889df3d7a998f3bULL, + 0x2e2bfbedc779fc3aULL, 0xce0eef438619a4e9ULL, + 0x372d4e7bf6cd095fULL, 0x04df34fae96b6a4fULL, + 0xf923a13870d4adb6ULL, 0xa1aa7e050a4d228dULL, + 
0xa8f71b5cb84862c9ULL, 0xb52e9a306097fde3ULL, + 0x0d8251a35b6e2a0bULL, 0x2257a7fee1c442ebULL, + 0x73831d9a29588d94ULL, 0x51d4ba64c89ccf7fULL, + 0x502ab7d4b54f5ba5ULL, 0x97793dce8153bf08ULL, + 0xe5042de4d5d8a646ULL, 0x9687307efc802bd2ULL, + 0xa05473b5779eb657ULL, 0xb4d097801d446939ULL, + 0xcff0e2f3fbca3033ULL, 0xc38cbee0dd778ee2ULL, + 0x464f499c252eb162ULL, 0xcad1dbb96f72cea6ULL, + 0xba4dd1eec142e241ULL, 0xb00fa37af42f0376ULL }, + /* 2 */ + { 0xcce4cd3aa968b245ULL, 0x089d5484e80b7fafULL, + 0x638246c1b3548304ULL, 0xd2fe0ec8c2355492ULL, + 0xa7fbdf7ff2374eeeULL, 0x4df1600c92337a16ULL, + 0x84e503ea523b12fbULL, 0x0790bbfd53ab0c4aULL, + 0x198a780f38f6ea9dULL, 0x2ab30c8f55ec48cbULL, + 0xe0f7fed6b2c49db5ULL, 0xb6ecf3f422cadbdcULL, + 0x409c9a541358df11ULL, 0xd3ce8a56dfde3fe3ULL, + 0xc3e9224312c8c1a0ULL, 0x0d6dfa58816ba507ULL, + 0xddf3e1b179952777ULL, 0x04c02a42748bb1d9ULL, + 0x94c2abff9f2decb8ULL, 0x4f91752da8f8acf4ULL, + 0x78682befb169bf7bULL, 0xe1c77a48af2ff6c4ULL, + 0x0c5d7ec69c80ce76ULL, 0x4cc1e4928fd81167ULL, + 0xfeed3d24d9997b62ULL, 0x518bb6dfc3a54a23ULL, + 0x6dbf2d26151f9b90ULL, 0xb5bc624b05ea664fULL, + 0xe86aaa525acfe21aULL, 0x4801ced0fb53a0beULL, + 0xc91463e6c00868edULL, 0x1027a815cd16fe43ULL, + 0xf67069a0319204cdULL, 0xb04ccc976c8abce7ULL, + 0xc0b9b3fc35e87c33ULL, 0xf380c77c58f2de65ULL, + 0x50bb3241de4e2152ULL, 0xdf93f490435ef195ULL, + 0xf1e0d25d62390887ULL, 0xaf668bfb1a3c3141ULL, + 0xbc11b251f00a7291ULL, 0x73a5eed47e427d47ULL, + 0x25bee3f6ee4c3b2eULL, 0x43cc0beb34786282ULL, + 0xc824e778dde3039cULL, 0xf97d86d98a327728ULL, + 0xf2b043e24519b514ULL, 0xe297ebf7880f4b57ULL, + 0x3a94a49a98fab688ULL, 0x868516cb68f0c419ULL, + 0xeffa11af0964ee50ULL, 0xa4ab4ec0d517f37dULL, + 0xa9c6b498547c567aULL, 0x8e18424f80fbbbb6ULL, + 0x0bcdc53bcf2bc23cULL, 0x137739aaea3643d0ULL, + 0x2c1333ec1bac2ff0ULL, 0x8d48d3f0a7db0625ULL, + 0x1e1ac3f26b5de6d7ULL, 0xf520f81f16b2b95eULL, + 0x9f0f6ec450062e84ULL, 0x0130849e1deb6b71ULL, + 0xd45e31ab8c7533a9ULL, 0x652279a2fd14e43fULL, + 
0x3209f01e70f1c927ULL, 0xbe71a770cac1a473ULL, + 0x0e3d6be7a64b1894ULL, 0x7ec8148cff29d840ULL, + 0xcb7476c7fac3be0fULL, 0x72956a4a63a91636ULL, + 0x37f95ec21991138fULL, 0x9e3fea5a4ded45f5ULL, + 0x7b38ba50964902e8ULL, 0x222e580bbde73764ULL, + 0x61e253e0899f55e6ULL, 0xfc8d2805e352ad80ULL, + 0x35994be3235ac56dULL, 0x09add01af5e014deULL, + 0x5e8659a6780539c6ULL, 0xb17c48097161d796ULL, + 0x026015213acbd6e2ULL, 0xd1ae9f77e515e901ULL, + 0xb7dc776a3f21b0adULL, 0xaba6a1b96eb78098ULL, + 0x9bcf4486248d9f5dULL, 0x582666c536455efdULL, + 0xfdbdac9bfeb9c6f1ULL, 0xc47999be4163cdeaULL, + 0x765540081722a7efULL, 0x3e548ed8ec710751ULL, + 0x3d041f67cb51bac2ULL, 0x7958af71ac82d40aULL, + 0x36c9da5c047a78feULL, 0xed9a048e33af38b2ULL, + 0x26ee7249c96c86bdULL, 0x900281bdeba65d61ULL, + 0x11172c8bd0fd9532ULL, 0xea0abf73600434f8ULL, + 0x42fc8f75299309f3ULL, 0x34a9cf7d3eb1ae1cULL, + 0x2b838811480723baULL, 0x5ce64c8742ceef24ULL, + 0x1adae9b01fd6570eULL, 0x3c349bf9d6bad1b3ULL, + 0x82453c891c7b75c0ULL, 0x97923a40b80d512bULL, + 0x4a61dbf1c198765cULL, 0xb48ce6d518010d3eULL, + 0xcfb45c858e480fd6ULL, 0xd933cbf30d1e96aeULL, + 0xd70ea014ab558e3aULL, 0xc189376228031742ULL, + 0x9262949cd16d8b83ULL, 0xeb3a3bed7def5f89ULL, + 0x49314a4ee6b8cbcfULL, 0xdcc3652f647e4c06ULL, + 0xda635a4c2a3e2b3dULL, 0x470c21a940f3d35bULL, + 0x315961a157d174b4ULL, 0x6672e81dda3459acULL, + 0x5b76f77a1165e36eULL, 0x445cb01667d36ec8ULL, + 0xc5491d205c88a69bULL, 0x456c34887a3805b9ULL, + 0xffddb9bac4721013ULL, 0x99af51a71e4649bfULL, + 0xa15be01cbc7729d5ULL, 0x52db2760e485f7b0ULL, + 0x8c78576eba306d54ULL, 0xae560f6507d75a30ULL, + 0x95f22f6182c687c9ULL, 0x71c5fbf54489aba5ULL, + 0xca44f259e728d57eULL, 0x88b87d2ccebbdc8dULL, + 0xbab18d32be4a15aaULL, 0x8be8ec93e99b611eULL, + 0x17b713e89ebdf209ULL, 0xb31c5d284baa0174ULL, + 0xeeca9531148f8521ULL, 0xb8d198138481c348ULL, + 0x8988f9b2d350b7fcULL, 0xb9e11c8d996aa839ULL, + 0x5a4673e40c8e881fULL, 0x1687977683569978ULL, + 0xbf4123eed72acf02ULL, 0x4ea1f1b3b513c785ULL, + 0xe767452be16f91ffULL, 
0x7505d1b730021a7cULL, + 0xa59bca5ec8fc980cULL, 0xad069eda20f7e7a3ULL, + 0x38f4b1bba231606aULL, 0x60d2d77e94743e97ULL, + 0x9affc0183966f42cULL, 0x248e6768f3a7505fULL, + 0xcdd449a4b483d934ULL, 0x87b59255751baf68ULL, + 0x1bea6d2e023d3c7fULL, 0x6b1f12455b5ffcabULL, + 0x743555292de9710dULL, 0xd8034f6d10f5fddfULL, + 0xc6198c9f7ba81b08ULL, 0xbb8109aca3a17edbULL, + 0xfa2d1766ad12cabbULL, 0xc729080166437079ULL, + 0x9c5fff7b77269317ULL, 0x0000000000000000ULL, + 0x15d706c9a47624ebULL, 0x6fdf38072fd44d72ULL, + 0x5fb6dd3865ee52b7ULL, 0xa33bf53d86bcff37ULL, + 0xe657c1b5fc84fa8eULL, 0xaa962527735cebe9ULL, + 0x39c43525bfda0b1bULL, 0x204e4d2a872ce186ULL, + 0x7a083ece8ba26999ULL, 0x554b9c9db72efbfaULL, + 0xb22cd9b656416a05ULL, 0x96a2bedea5e63a5aULL, + 0x802529a826b0a322ULL, 0x8115ad363b5bc853ULL, + 0x8375b81701901eb1ULL, 0x3069e53f4a3a1fc5ULL, + 0xbd2136cfede119e0ULL, 0x18bafc91251d81ecULL, + 0x1d4a524d4c7d5b44ULL, 0x05f0aedc6960daa8ULL, + 0x29e39d3072ccf558ULL, 0x70f57f6b5962c0d4ULL, + 0x989fd53903ad22ceULL, 0xf84d024797d91c59ULL, + 0x547b1803aac5908bULL, 0xf0d056c37fd263f6ULL, + 0xd56eb535919e58d8ULL, 0x1c7ad6d351963035ULL, + 0x2e7326cd2167f912ULL, 0xac361a443d1c8cd2ULL, + 0x697f076461942a49ULL, 0x4b515f6fdc731d2dULL, + 0x8ad8680df4700a6fULL, 0x41ac1eca0eb3b460ULL, + 0x7d988533d80965d3ULL, 0xa8f6300649973d0bULL, + 0x7765c4960ac9cc9eULL, 0x7ca801adc5e20ea2ULL, + 0xdea3700e5eb59ae4ULL, 0xa06b6482a19c42a4ULL, + 0x6a2f96db46b497daULL, 0x27def6d7d487edccULL, + 0x463ca5375d18b82aULL, 0xa6cb5be1efdc259fULL, + 0x53eba3fef96e9cc1ULL, 0xce84d81b93a364a7ULL, + 0xf4107c810b59d22fULL, 0x333974806d1aa256ULL, + 0x0f0def79bba073e5ULL, 0x231edc95a00c5c15ULL, + 0xe437d494c64f2c6cULL, 0x91320523f64d3610ULL, + 0x67426c83c7df32ddULL, 0x6eefbc99323f2603ULL, + 0x9d6f7be56acdf866ULL, 0x5916e25b2bae358cULL, + 0x7ff89012e2c2b331ULL, 0x035091bf2720bd93ULL, + 0x561b0d22900e4669ULL, 0x28d319ae6f279e29ULL, + 0x2f43a2533c8c9263ULL, 0xd09e1be9f8fe8270ULL, + 0xf740ed3e2c796fbcULL, 0xdb53ded237d5404cULL, + 
0x62b2c25faebfe875ULL, 0x0afd41a5d2c0a94dULL, + 0x6412fd3ce0ff8f4eULL, 0xe3a76f6995e42026ULL, + 0x6c8fa9b808f4f0e1ULL, 0xc2d9a6dd0f23aad1ULL, + 0x8f28c6d19d10d0c7ULL, 0x85d587744fd0798aULL, + 0xa20b71a39b579446ULL, 0x684f83fa7c7f4138ULL, + 0xe507500adba4471dULL, 0x3f640a46f19a6c20ULL, + 0x1247bd34f7dd28a1ULL, 0x2d23b77206474481ULL, + 0x93521002cc86e0f2ULL, 0x572b89bc8de52d18ULL, + 0xfb1d93f8b0f9a1caULL, 0xe95a2ecc4724896bULL, + 0x3ba420048511ddf9ULL, 0xd63e248ab6bee54bULL, + 0x5dd6c8195f258455ULL, 0x06a03f634e40673bULL, + 0x1f2a476c76b68da6ULL, 0x217ec9b49ac78af7ULL, + 0xecaa80102e4453c3ULL, 0x14e78257b99d4f9aULL }, + /* 3 */ + { 0x20329b2cc87bba05ULL, 0x4f5eb6f86546a531ULL, + 0xd4f44775f751b6b1ULL, 0x8266a47b850dfa8bULL, + 0xbb986aa15a6ca985ULL, 0xc979eb08f9ae0f99ULL, + 0x2da6f447a2375ea1ULL, 0x1e74275dcd7d8576ULL, + 0xbc20180a800bc5f8ULL, 0xb4a2f701b2dc65beULL, + 0xe726946f981b6d66ULL, 0x48e6c453bf21c94cULL, + 0x42cad9930f0a4195ULL, 0xefa47b64aacccd20ULL, + 0x71180a8960409a42ULL, 0x8bb3329bf6a44e0cULL, + 0xd34c35de2d36daccULL, 0xa92f5b7cbc23dc96ULL, + 0xb31a85aa68bb09c3ULL, 0x13e04836a73161d2ULL, + 0xb24dfc4129c51d02ULL, 0x8ae44b70b7da5acdULL, + 0xe671ed84d96579a7ULL, 0xa4bb3417d66f3832ULL, + 0x4572ab38d56d2de8ULL, 0xb1b47761ea47215cULL, + 0xe81c09cf70aba15dULL, 0xffbdb872ce7f90acULL, + 0xa8782297fd5dc857ULL, 0x0d946f6b6a4ce4a4ULL, + 0xe4df1f4f5b995138ULL, 0x9ebc71edca8c5762ULL, + 0x0a2c1dc0b02b88d9ULL, 0x3b503c115d9d7b91ULL, + 0xc64376a8111ec3a2ULL, 0xcec199a323c963e4ULL, + 0xdc76a87ec58616f7ULL, 0x09d596e073a9b487ULL, + 0x14583a9d7d560dafULL, 0xf4c6dc593f2a0cb4ULL, + 0xdd21d19584f80236ULL, 0x4a4836983ddde1d3ULL, + 0xe58866a41ae745f9ULL, 0xf591a5b27e541875ULL, + 0x891dc05074586693ULL, 0x5b068c651810a89eULL, + 0xa30346bc0c08544fULL, 0x3dbf3751c684032dULL, + 0x2a1e86ec785032dcULL, 0xf73f5779fca830eaULL, + 0xb60c05ca30204d21ULL, 0x0cc316802b32f065ULL, + 0x8770241bdd96be69ULL, 0xb861e18199ee95dbULL, + 0xf805cad91418fcd1ULL, 0x29e70dccbbd20e82ULL, + 
0xc7140f435060d763ULL, 0x0f3a9da0e8b0cc3bULL, + 0xa2543f574d76408eULL, 0xbd7761e1c175d139ULL, + 0x4b1f4f737ca3f512ULL, 0x6dc2df1f2fc137abULL, + 0xf1d05c3967b14856ULL, 0xa742bf3715ed046cULL, + 0x654030141d1697edULL, 0x07b872abda676c7dULL, + 0x3ce84eba87fa17ecULL, 0xc1fb0403cb79afdfULL, + 0x3e46bc7105063f73ULL, 0x278ae987121cd678ULL, + 0xa1adb4778ef47cd0ULL, 0x26dd906c5362c2b9ULL, + 0x05168060589b44e2ULL, 0xfbfc41f9d79ac08fULL, + 0x0e6de44ba9ced8faULL, 0x9feb08068bf243a3ULL, + 0x7b341749d06b129bULL, 0x229c69e74a87929aULL, + 0xe09ee6c4427c011bULL, 0x5692e30e725c4c3aULL, + 0xda99a33e5e9f6e4bULL, 0x353dd85af453a36bULL, + 0x25241b4c90e0fee7ULL, 0x5de987258309d022ULL, + 0xe230140fc0802984ULL, 0x93281e86a0c0b3c6ULL, + 0xf229d719a4337408ULL, 0x6f6c2dd4ad3d1f34ULL, + 0x8ea5b2fbae3f0aeeULL, 0x8331dd90c473ee4aULL, + 0x346aa1b1b52db7aaULL, 0xdf8f235e06042aa9ULL, + 0xcc6f6b68a1354b7bULL, 0x6c95a6f46ebf236aULL, + 0x52d31a856bb91c19ULL, 0x1a35ded6d498d555ULL, + 0xf37eaef2e54d60c9ULL, 0x72e181a9a3c2a61cULL, + 0x98537aad51952fdeULL, 0x16f6c856ffaa2530ULL, + 0xd960281e9d1d5215ULL, 0x3a0745fa1ce36f50ULL, + 0x0b7b642bf1559c18ULL, 0x59a87eae9aec8001ULL, + 0x5e100c05408bec7cULL, 0x0441f98b19e55023ULL, + 0xd70dcc5534d38aefULL, 0x927f676de1bea707ULL, + 0x9769e70db925e3e5ULL, 0x7a636ea29115065aULL, + 0x468b201816ef11b6ULL, 0xab81a9b73edff409ULL, + 0xc0ac7de88a07bb1eULL, 0x1f235eb68c0391b7ULL, + 0x6056b074458dd30fULL, 0xbe8eeac102f7ed67ULL, + 0xcd381283e04b5fbaULL, 0x5cbefecec277c4e3ULL, + 0xd21b4c356c48ce0dULL, 0x1019c31664b35d8cULL, + 0x247362a7d19eea26ULL, 0xebe582efb3299d03ULL, + 0x02aef2cb82fc289fULL, 0x86275df09ce8aaa8ULL, + 0x28b07427faac1a43ULL, 0x38a9b7319e1f47cfULL, + 0xc82e92e3b8d01b58ULL, 0x06ef0b409b1978bcULL, + 0x62f842bfc771fb90ULL, 0x9904034610eb3b1fULL, + 0xded85ab5477a3e68ULL, 0x90d195a663428f98ULL, + 0x5384636e2ac708d8ULL, 0xcbd719c37b522706ULL, + 0xae9729d76644b0ebULL, 0x7c8c65e20a0c7ee6ULL, + 0x80c856b007f1d214ULL, 0x8c0b40302cc32271ULL, + 0xdbcedad51fe17a8aULL, 
0x740e8ae938dbdea0ULL, + 0xa615c6dc549310adULL, 0x19cc55f6171ae90bULL, + 0x49b1bdb8fe5fdd8dULL, 0xed0a89af2830e5bfULL, + 0x6a7aadb4f5a65bd6ULL, 0x7e22972988f05679ULL, + 0xf952b3325566e810ULL, 0x39fecedadf61530eULL, + 0x6101c99f04f3c7ceULL, 0x2e5f7f6761b562ffULL, + 0xf08725d226cf5c97ULL, 0x63af3b54860fef51ULL, + 0x8ff2cb10ef411e2fULL, 0x884ab9bb35267252ULL, + 0x4df04433e7ba8daeULL, 0x9afd8866d3690741ULL, + 0x66b9bb34de94abb3ULL, 0x9baaf18d92171380ULL, + 0x543c11c5f0a064a5ULL, 0x17a1b1bdbed431f1ULL, + 0xb5f58eeaf3a2717fULL, 0xc355f6c849858740ULL, + 0xec5df044694ef17eULL, 0xd83751f5dc6346d4ULL, + 0xfc4433520dfdacf2ULL, 0x0000000000000000ULL, + 0x5a51f58e596ebc5fULL, 0x3285aaf12e34cf16ULL, + 0x8d5c39db6dbd36b0ULL, 0x12b731dde64f7513ULL, + 0x94906c2d7aa7dfbbULL, 0x302b583aacc8e789ULL, + 0x9d45facd090e6b3cULL, 0x2165e2c78905aec4ULL, + 0x68d45f7f775a7349ULL, 0x189b2c1d5664fdcaULL, + 0xe1c99f2f030215daULL, 0x6983269436246788ULL, + 0x8489af3b1e148237ULL, 0xe94b702431d5b59cULL, + 0x33d2d31a6f4adbd7ULL, 0xbfd9932a4389f9a6ULL, + 0xb0e30e8aab39359dULL, 0xd1e2c715afcaf253ULL, + 0x150f43763c28196eULL, 0xc4ed846393e2eb3dULL, + 0x03f98b20c3823c5eULL, 0xfd134ab94c83b833ULL, + 0x556b682eb1de7064ULL, 0x36c4537a37d19f35ULL, + 0x7559f30279a5ca61ULL, 0x799ae58252973a04ULL, + 0x9c12832648707ffdULL, 0x78cd9c6913e92ec5ULL, + 0x1d8dac7d0effb928ULL, 0x439da0784e745554ULL, + 0x413352b3cc887dcbULL, 0xbacf134a1b12bd44ULL, + 0x114ebafd25cd494dULL, 0x2f08068c20cb763eULL, + 0x76a07822ba27f63fULL, 0xeab2fb04f25789c2ULL, + 0xe3676de481fe3d45ULL, 0x1b62a73d95e6c194ULL, + 0x641749ff5c68832cULL, 0xa5ec4dfc97112cf3ULL, + 0xf6682e92bdd6242bULL, 0x3f11c59a44782bb2ULL, + 0x317c21d1edb6f348ULL, 0xd65ab5be75ad9e2eULL, + 0x6b2dd45fb4d84f17ULL, 0xfaab381296e4d44eULL, + 0xd0b5befeeeb4e692ULL, 0x0882ef0b32d7a046ULL, + 0x512a91a5a83b2047ULL, 0x963e9ee6f85bf724ULL, + 0x4e09cf132438b1f0ULL, 0x77f701c9fb59e2feULL, + 0x7ddb1c094b726a27ULL, 0x5f4775ee01f5f8bdULL, + 0x9186ec4d223c9b59ULL, 0xfeeac1998f01846dULL, + 
0xac39db1ce4b89874ULL, 0xb75b7c21715e59e0ULL, + 0xafc0503c273aa42aULL, 0x6e3b543fec430bf5ULL, + 0x704f7362213e8e83ULL, 0x58ff0745db9294c0ULL, + 0x67eec2df9feabf72ULL, 0xa0facd9ccf8a6811ULL, + 0xb936986ad890811aULL, 0x95c715c63bd9cb7aULL, + 0xca8060283a2c33c7ULL, 0x507de84ee9453486ULL, + 0x85ded6d05f6a96f6ULL, 0x1cdad5964f81ade9ULL, + 0xd5a33e9eb62fa270ULL, 0x40642b588df6690aULL, + 0x7f75eec2c98e42b8ULL, 0x2cf18dace3494a60ULL, + 0x23cb100c0bf9865bULL, 0xeef3028febb2d9e1ULL, + 0x4425d2d394133929ULL, 0xaad6d05c7fa1e0c8ULL, + 0xad6ea2f7a5c68cb5ULL, 0xc2028f2308fb9381ULL, + 0x819f2f5b468fc6d5ULL, 0xc5bafd88d29cfffcULL, + 0x47dc59f357910577ULL, 0x2b49ff07392e261dULL, + 0x57c59ae5332258fbULL, 0x73b6f842e2bcb2ddULL, + 0xcf96e04862b77725ULL, 0x4ca73dd8a6c4996fULL, + 0x015779eb417e14c1ULL, 0x37932a9176af8bf4ULL }, + /* 4 */ + { 0x190a2c9b249df23eULL, 0x2f62f8b62263e1e9ULL, + 0x7a7f754740993655ULL, 0x330b7ba4d5564d9fULL, + 0x4c17a16a46672582ULL, 0xb22f08eb7d05f5b8ULL, + 0x535f47f40bc148ccULL, 0x3aec5d27d4883037ULL, + 0x10ed0a1825438f96ULL, 0x516101f72c233d17ULL, + 0x13cc6f949fd04eaeULL, 0x739853c441474bfdULL, + 0x653793d90d3f5b1bULL, 0x5240647b96b0fc2fULL, + 0x0c84890ad27623e0ULL, 0xd7189b32703aaea3ULL, + 0x2685de3523bd9c41ULL, 0x99317c5b11bffefaULL, + 0x0d9baa854f079703ULL, 0x70b93648fbd48ac5ULL, + 0xa80441fce30bc6beULL, 0x7287704bdc36ff1eULL, + 0xb65384ed33dc1f13ULL, 0xd36417343ee34408ULL, + 0x39cd38ab6e1bf10fULL, 0x5ab861770a1f3564ULL, + 0x0ebacf09f594563bULL, 0xd04572b884708530ULL, + 0x3cae9722bdb3af47ULL, 0x4a556b6f2f5cbaf2ULL, + 0xe1704f1f76c4bd74ULL, 0x5ec4ed7144c6dfcfULL, + 0x16afc01d4c7810e6ULL, 0x283f113cd629ca7aULL, + 0xaf59a8761741ed2dULL, 0xeed5a3991e215facULL, + 0x3bf37ea849f984d4ULL, 0xe413e096a56ce33cULL, + 0x2c439d3a98f020d1ULL, 0x637559dc6404c46bULL, + 0x9e6c95d1e5f5d569ULL, 0x24bb9836045fe99aULL, + 0x44efa466dac8ecc9ULL, 0xc6eab2a5c80895d6ULL, + 0x803b50c035220cc4ULL, 0x0321658cba93c138ULL, + 0x8f9ebc465dc7ee1cULL, 0xd15a5137190131d3ULL, + 
0x0fa5ec8668e5e2d8ULL, 0x91c979578d1037b1ULL, + 0x0642ca05693b9f70ULL, 0xefca80168350eb4fULL, + 0x38d21b24f36a45ecULL, 0xbeab81e1af73d658ULL, + 0x8cbfd9cae7542f24ULL, 0xfd19cc0d81f11102ULL, + 0x0ac6430fbb4dbc90ULL, 0x1d76a09d6a441895ULL, + 0x2a01573ff1cbbfa1ULL, 0xb572e161894fde2bULL, + 0x8124734fa853b827ULL, 0x614b1fdf43e6b1b0ULL, + 0x68ac395c4238cc18ULL, 0x21d837bfd7f7b7d2ULL, + 0x20c714304a860331ULL, 0x5cfaab726324aa14ULL, + 0x74c5ba4eb50d606eULL, 0xf3a3030474654739ULL, + 0x23e671bcf015c209ULL, 0x45f087e947b9582aULL, + 0xd8bd77b418df4c7bULL, 0xe06f6c90ebb50997ULL, + 0x0bd96080263c0873ULL, 0x7e03f9410e40dcfeULL, + 0xb8e94be4c6484928ULL, 0xfb5b0608e8ca8e72ULL, + 0x1a2b49179e0e3306ULL, 0x4e29e76961855059ULL, + 0x4f36c4e6fcf4e4baULL, 0x49740ee395cf7bcaULL, + 0xc2963ea386d17f7dULL, 0x90d65ad810618352ULL, + 0x12d34c1b02a1fa4dULL, 0xfa44258775bb3a91ULL, + 0x18150f14b9ec46ddULL, 0x1491861e6b9a653dULL, + 0x9a1019d7ab2c3fc2ULL, 0x3668d42d06fe13d7ULL, + 0xdcc1fbb25606a6d0ULL, 0x969490dd795a1c22ULL, + 0x3549b1a1bc6dd2efULL, 0xc94f5e23a0ed770eULL, + 0xb9f6686b5b39fdcbULL, 0xc4d4f4a6efeae00dULL, + 0xe732851a1fff2204ULL, 0x94aad6de5eb869f9ULL, + 0x3f8ff2ae07206e7fULL, 0xfe38a9813b62d03aULL, + 0xa7a1ad7a8bee2466ULL, 0x7b6056c8dde882b6ULL, + 0x302a1e286fc58ca7ULL, 0x8da0fa457a259bc7ULL, + 0xb3302b64e074415bULL, 0x5402ae7eff8b635fULL, + 0x08f8050c9cafc94bULL, 0xae468bf98a3059ceULL, + 0x88c355cca98dc58fULL, 0xb10e6d67c7963480ULL, + 0xbad70de7e1aa3cf3ULL, 0xbfb4a26e320262bbULL, + 0xcb711820870f02d5ULL, 0xce12b7a954a75c9dULL, + 0x563ce87dd8691684ULL, 0x9f73b65e7884618aULL, + 0x2b1e74b06cba0b42ULL, 0x47cec1ea605b2df1ULL, + 0x1c698312f735ac76ULL, 0x5fdbcefed9b76b2cULL, + 0x831a354c8fb1cdfcULL, 0x820516c312c0791fULL, + 0xb74ca762aeadabf0ULL, 0xfc06ef821c80a5e1ULL, + 0x5723cbf24518a267ULL, 0x9d4df05d5f661451ULL, + 0x588627742dfd40bfULL, 0xda8331b73f3d39a0ULL, + 0x17b0e392d109a405ULL, 0xf965400bcf28fba9ULL, + 0x7c3dbf4229a2a925ULL, 0x023e460327e275dbULL, + 0x6cd0b55a0ce126b3ULL, 
0xe62da695828e96e7ULL, + 0x42ad6e63b3f373b9ULL, 0xe50cc319381d57dfULL, + 0xc5cbd729729b54eeULL, 0x46d1e265fd2a9912ULL, + 0x6428b056904eeff8ULL, 0x8be23040131e04b7ULL, + 0x6709d5da2add2ec0ULL, 0x075de98af44a2b93ULL, + 0x8447dcc67bfbe66fULL, 0x6616f655b7ac9a23ULL, + 0xd607b8bded4b1a40ULL, 0x0563af89d3a85e48ULL, + 0x3db1b4ad20c21ba4ULL, 0x11f22997b8323b75ULL, + 0x292032b34b587e99ULL, 0x7f1cdace9331681dULL, + 0x8e819fc9c0b65affULL, 0xa1e3677fe2d5bb16ULL, + 0xcd33d225ee349da5ULL, 0xd9a2543b85aef898ULL, + 0x795e10cbfa0af76dULL, 0x25a4bbb9992e5d79ULL, + 0x78413344677b438eULL, 0xf0826688cef68601ULL, + 0xd27b34bba392f0ebULL, 0x551d8df162fad7bcULL, + 0x1e57c511d0d7d9adULL, 0xdeffbdb171e4d30bULL, + 0xf4feea8e802f6caaULL, 0xa480c8f6317de55eULL, + 0xa0fc44f07fa40ff5ULL, 0x95b5f551c3c9dd1aULL, + 0x22f952336d6476eaULL, 0x0000000000000000ULL, + 0xa6be8ef5169f9085ULL, 0xcc2cf1aa73452946ULL, + 0x2e7ddb39bf12550aULL, 0xd526dd3157d8db78ULL, + 0x486b2d6c08becf29ULL, 0x9b0f3a58365d8b21ULL, + 0xac78cdfaadd22c15ULL, 0xbc95c7e28891a383ULL, + 0x6a927f5f65dab9c3ULL, 0xc3891d2c1ba0cb9eULL, + 0xeaa92f9f50f8b507ULL, 0xcf0d9426c9d6e87eULL, + 0xca6e3baf1a7eb636ULL, 0xab25247059980786ULL, + 0x69b31ad3df4978fbULL, 0xe2512a93cc577c4cULL, + 0xff278a0ea61364d9ULL, 0x71a615c766a53e26ULL, + 0x89dc764334fc716cULL, 0xf87a638452594f4aULL, + 0xf2bc208be914f3daULL, 0x8766b94ac1682757ULL, + 0xbbc82e687cdb8810ULL, 0x626a7a53f9757088ULL, + 0xa2c202f358467a2eULL, 0x4d0882e5db169161ULL, + 0x09e7268301de7da8ULL, 0xe897699c771ac0dcULL, + 0xc8507dac3d9cc3edULL, 0xc0a878a0a1330aa6ULL, + 0x978bb352e42ba8c1ULL, 0xe9884a13ea6b743fULL, + 0x279afdbabecc28a2ULL, 0x047c8c064ed9eaabULL, + 0x507e2278b15289f4ULL, 0x599904fbb08cf45cULL, + 0xbd8ae46d15e01760ULL, 0x31353da7f2b43844ULL, + 0x8558ff49e68a528cULL, 0x76fbfc4d92ef15b5ULL, + 0x3456922e211c660cULL, 0x86799ac55c1993b4ULL, + 0x3e90d1219a51da9cULL, 0x2d5cbeb505819432ULL, + 0x982e5fd48cce4a19ULL, 0xdb9c1238a24c8d43ULL, + 0xd439febecaa96f9bULL, 0x418c0bef0960b281ULL, + 
0x158ea591f6ebd1deULL, 0x1f48e69e4da66d4eULL, + 0x8afd13cf8e6fb054ULL, 0xf5e1c9011d5ed849ULL, + 0xe34e091c5126c8afULL, 0xad67ee7530a398f6ULL, + 0x43b24dec2e82c75aULL, 0x75da99c1287cd48dULL, + 0x92e81cdb3783f689ULL, 0xa3dd217cc537cecdULL, + 0x60543c50de970553ULL, 0x93f73f54aaf2426aULL, + 0xa91b62737e7a725dULL, 0xf19d4507538732e2ULL, + 0x77e4dfc20f9ea156ULL, 0x7d229ccdb4d31dc6ULL, + 0x1b346a98037f87e5ULL, 0xedf4c615a4b29e94ULL, + 0x4093286094110662ULL, 0xb0114ee85ae78063ULL, + 0x6ff1d0d6b672e78bULL, 0x6dcf96d591909250ULL, + 0xdfe09e3eec9567e8ULL, 0x3214582b4827f97cULL, + 0xb46dc2ee143e6ac8ULL, 0xf6c0ac8da7cd1971ULL, + 0xebb60c10cd8901e4ULL, 0xf7df8f023abcad92ULL, + 0x9c52d3d2c217a0b2ULL, 0x6b8d5cd0f8ab0d20ULL, + 0x3777f7a29b8fa734ULL, 0x011f238f9d71b4e3ULL, + 0xc1b75b2f3c42be45ULL, 0x5de588fdfe551ef7ULL, + 0x6eeef3592b035368ULL, 0xaa3a07ffc4e9b365ULL, + 0xecebe59a39c32a77ULL, 0x5ba742f8976e8187ULL, + 0x4b4a48e0b22d0e11ULL, 0xddded83dcb771233ULL, + 0xa59feb79ac0c51bdULL, 0xc7f5912a55792135ULL }, + /* 5 */ + { 0x6d6ae04668a9b08aULL, 0x3ab3f04b0be8c743ULL, + 0xe51e166b54b3c908ULL, 0xbe90a9eb35c2f139ULL, + 0xb2c7066637f2bec1ULL, 0xaa6945613392202cULL, + 0x9a28c36f3b5201ebULL, 0xddce5a93ab536994ULL, + 0x0e34133ef6382827ULL, 0x52a02ba1ec55048bULL, + 0xa2f88f97c4b2a177ULL, 0x8640e513ca2251a5ULL, + 0xcdf1d36258137622ULL, 0xfe6cb708dedf8ddbULL, + 0x8a174a9ec8121e5dULL, 0x679896036b81560eULL, + 0x59ed033395795feeULL, 0x1dd778ab8b74edafULL, + 0xee533ef92d9f926dULL, 0x2a8c79baf8a8d8f5ULL, + 0x6bcf398e69b119f6ULL, 0xe20491742fafdd95ULL, + 0x276488e0809c2aecULL, 0xea955b82d88f5cceULL, + 0x7102c63a99d9e0c4ULL, 0xf9763017a5c39946ULL, + 0x429fa2501f151b3dULL, 0x4659c72bea05d59eULL, + 0x984b7fdccf5a6634ULL, 0xf742232953fbb161ULL, + 0x3041860e08c021c7ULL, 0x747bfd9616cd9386ULL, + 0x4bb1367192312787ULL, 0x1b72a1638a6c44d3ULL, + 0x4a0e68a6e8359a66ULL, 0x169a5039f258b6caULL, + 0xb98a2ef44edee5a4ULL, 0xd9083fe85e43a737ULL, + 0x967f6ce239624e13ULL, 0x8874f62d3c1a7982ULL, + 
0x3c1629830af06e3fULL, 0x9165ebfd427e5a8eULL, + 0xb5dd81794ceeaa5cULL, 0x0de8f15a7834f219ULL, + 0x70bd98ede3dd5d25ULL, 0xaccc9ca9328a8950ULL, + 0x56664eda1945ca28ULL, 0x221db34c0f8859aeULL, + 0x26dbd637fa98970dULL, 0x1acdffb4f068f932ULL, + 0x4585254f64090fa0ULL, 0x72de245e17d53afaULL, + 0x1546b25d7c546cf4ULL, 0x207e0ffffb803e71ULL, + 0xfaaad2732bcf4378ULL, 0xb462dfae36ea17bdULL, + 0xcf926fd1ac1b11fdULL, 0xe0672dc7dba7ba4aULL, + 0xd3fa49ad5d6b41b3ULL, 0x8ba81449b216a3bcULL, + 0x14f9ec8a0650d115ULL, 0x40fc1ee3eb1d7ce2ULL, + 0x23a2ed9b758ce44fULL, 0x782c521b14fddc7eULL, + 0x1c68267cf170504eULL, 0xbcf31558c1ca96e6ULL, + 0xa781b43b4ba6d235ULL, 0xf6fd7dfe29ff0c80ULL, + 0xb0a4bad5c3fad91eULL, 0xd199f51ea963266cULL, + 0x414340349119c103ULL, 0x5405f269ed4dadf7ULL, + 0xabd61bb649969dcdULL, 0x6813dbeae7bdc3c8ULL, + 0x65fb2ab09f8931d1ULL, 0xf1e7fae152e3181dULL, + 0xc1a67cef5a2339daULL, 0x7a4feea8e0f5bba1ULL, + 0x1e0b9acf05783791ULL, 0x5b8ebf8061713831ULL, + 0x80e53cdbcb3af8d9ULL, 0x7e898bd315e57502ULL, + 0xc6bcfbf0213f2d47ULL, 0x95a38e86b76e942dULL, + 0x092e94218d243cbaULL, 0x8339debf453622e7ULL, + 0xb11be402b9fe64ffULL, 0x57d9100d634177c9ULL, + 0xcc4e8db52217cbc3ULL, 0x3b0cae9c71ec7aa2ULL, + 0xfb158ca451cbfe99ULL, 0x2b33276d82ac6514ULL, + 0x01bf5ed77a04bde1ULL, 0xc5601994af33f779ULL, + 0x75c4a3416cc92e67ULL, 0xf3844652a6eb7fc2ULL, + 0x3487e375fdd0ef64ULL, 0x18ae430704609eedULL, + 0x4d14efb993298efbULL, 0x815a620cb13e4538ULL, + 0x125c354207487869ULL, 0x9eeea614ce42cf48ULL, + 0xce2d3106d61fac1cULL, 0xbbe99247bad6827bULL, + 0x071a871f7b1c149dULL, 0x2e4a1cc10db81656ULL, + 0x77a71ff298c149b8ULL, 0x06a5d9c80118a97cULL, + 0xad73c27e488e34b1ULL, 0x443a7b981e0db241ULL, + 0xe3bbcfa355ab6074ULL, 0x0af276450328e684ULL, + 0x73617a896dd1871bULL, 0x58525de4ef7de20fULL, + 0xb7be3dcab8e6cd83ULL, 0x19111dd07e64230cULL, + 0x842359a03e2a367aULL, 0x103f89f1f3401fb6ULL, + 0xdc710444d157d475ULL, 0xb835702334da5845ULL, + 0x4320fc876511a6dcULL, 0xd026abc9d3679b8dULL, + 0x17250eee885c0b2bULL, 
0x90dab52a387ae76fULL, + 0x31fed8d972c49c26ULL, 0x89cba8fa461ec463ULL, + 0x2ff5421677bcabb7ULL, 0x396f122f85e41d7dULL, + 0xa09b332430bac6a8ULL, 0xc888e8ced7070560ULL, + 0xaeaf201ac682ee8fULL, 0x1180d7268944a257ULL, + 0xf058a43628e7a5fcULL, 0xbd4c4b8fbbce2b07ULL, + 0xa1246df34abe7b49ULL, 0x7d5569b79be9af3cULL, + 0xa9b5a705bd9efa12ULL, 0xdb6b835baa4bc0e8ULL, + 0x05793bac8f147342ULL, 0x21c1512881848390ULL, + 0xfdb0556c50d357e5ULL, 0x613d4fcb6a99ff72ULL, + 0x03dce2648e0cda3eULL, 0xe949b9e6568386f0ULL, + 0xfc0f0bbb2ad7ea04ULL, 0x6a70675913b5a417ULL, + 0x7f36d5046fe1c8e3ULL, 0x0c57af8d02304ff8ULL, + 0x32223abdfcc84618ULL, 0x0891caf6f720815bULL, + 0xa63eeaec31a26fd4ULL, 0x2507345374944d33ULL, + 0x49d28ac266394058ULL, 0xf5219f9aa7f3d6beULL, + 0x2d96fea583b4cc68ULL, 0x5a31e1571b7585d0ULL, + 0x8ed12fe53d02d0feULL, 0xdfade6205f5b0e4bULL, + 0x4cabb16ee92d331aULL, 0x04c6657bf510cea3ULL, + 0xd73c2cd6a87b8f10ULL, 0xe1d87310a1a307abULL, + 0x6cd5be9112ad0d6bULL, 0x97c032354366f3f2ULL, + 0xd4e0ceb22677552eULL, 0x0000000000000000ULL, + 0x29509bde76a402cbULL, 0xc27a9e8bd42fe3e4ULL, + 0x5ef7842cee654b73ULL, 0xaf107ecdbc86536eULL, + 0x3fcacbe784fcb401ULL, 0xd55f90655c73e8cfULL, + 0xe6c2f40fdabf1336ULL, 0xe8f6e7312c873b11ULL, + 0xeb2a0555a28be12fULL, 0xe4a148bc2eb774e9ULL, + 0x9b979db84156bc0aULL, 0x6eb60222e6a56ab4ULL, + 0x87ffbbc4b026ec44ULL, 0xc703a5275b3b90a6ULL, + 0x47e699fc9001687fULL, 0x9c8d1aa73a4aa897ULL, + 0x7cea3760e1ed12ddULL, 0x4ec80ddd1d2554c5ULL, + 0x13e36b957d4cc588ULL, 0x5d2b66486069914dULL, + 0x92b90999cc7280b0ULL, 0x517cc9c56259deb5ULL, + 0xc937b619ad03b881ULL, 0xec30824ad997f5b2ULL, + 0xa45d565fc5aa080bULL, 0xd6837201d27f32f1ULL, + 0x635ef3789e9198adULL, 0x531f75769651b96aULL, + 0x4f77530a6721e924ULL, 0x486dd4151c3dfdb9ULL, + 0x5f48dafb9461f692ULL, 0x375b011173dc355aULL, + 0x3da9775470f4d3deULL, 0x8d0dcd81b30e0ac0ULL, + 0x36e45fc609d888bbULL, 0x55baacbe97491016ULL, + 0x8cb29356c90ab721ULL, 0x76184125e2c5f459ULL, + 0x99f4210bb55edbd5ULL, 0x6f095cf59ca1d755ULL, + 
0x9f51f8c3b44672a9ULL, 0x3538bda287d45285ULL, + 0x50c39712185d6354ULL, 0xf23b1885dcefc223ULL, + 0x79930ccc6ef9619fULL, 0xed8fdc9da3934853ULL, + 0xcb540aaa590bdf5eULL, 0x5c94389f1a6d2cacULL, + 0xe77daad8a0bbaed7ULL, 0x28efc5090ca0bf2aULL, + 0xbf2ff73c4fc64cd8ULL, 0xb37858b14df60320ULL, + 0xf8c96ec0dfc724a7ULL, 0x828680683f329f06ULL, + 0x941cd051cd6a29ccULL, 0xc3c5c05cae2b5e05ULL, + 0xb601631dc2e27062ULL, 0xc01922382027843bULL, + 0x24b86a840e90f0d2ULL, 0xd245177a276ffc52ULL, + 0x0f8b4de98c3c95c6ULL, 0x3e759530fef809e0ULL, + 0x0b4d2892792c5b65ULL, 0xc4df4743d5374a98ULL, + 0xa5e20888bfaeb5eaULL, 0xba56cc90c0d23f9aULL, + 0x38d04cf8ffe0a09cULL, 0x62e1adafe495254cULL, + 0x0263bcb3f40867dfULL, 0xcaeb547d230f62bfULL, + 0x6082111c109d4293ULL, 0xdad4dd8cd04f7d09ULL, + 0xefec602e579b2f8cULL, 0x1fb4c4187f7c8a70ULL, + 0xffd3e9dfa4db303aULL, 0x7bf0b07f9af10640ULL, + 0xf49ec14dddf76b5fULL, 0x8f6e713247066d1fULL, + 0x339d646a86ccfbf9ULL, 0x64447467e58d8c30ULL, + 0x2c29a072f9b07189ULL, 0xd8b7613f24471ad6ULL, + 0x6627c8d41185ebefULL, 0xa347d140beb61c96ULL, + 0xde12b8f7255fb3aaULL, 0x9d324470404e1576ULL, + 0x9306574eb6763d51ULL, 0xa80af9d2c79a47f3ULL, + 0x859c0777442e8b9bULL, 0x69ac853d9db97e29ULL }, + /* 6 */ + { 0xc3407dfc2de6377eULL, 0x5b9e93eea4256f77ULL, + 0xadb58fdd50c845e0ULL, 0x5219ff11a75bed86ULL, + 0x356b61cfd90b1de9ULL, 0xfb8f406e25abe037ULL, + 0x7a5a0231c0f60796ULL, 0x9d3cd216e1f5020bULL, + 0x0c6550fb6b48d8f3ULL, 0xf57508c427ff1c62ULL, + 0x4ad35ffa71cb407dULL, 0x6290a2da1666aa6dULL, + 0xe284ec2349355f9fULL, 0xb3c307c53d7c84ecULL, + 0x05e23c0468365a02ULL, 0x190bac4d6c9ebfa8ULL, + 0x94bbbee9e28b80faULL, 0xa34fc777529cb9b5ULL, + 0xcc7b39f095bcd978ULL, 0x2426addb0ce532e3ULL, + 0x7e79329312ce4fc7ULL, 0xab09a72eebec2917ULL, + 0xf8d15499f6b9d6c2ULL, 0x1a55b8babf8c895dULL, + 0xdb8add17fb769a85ULL, 0xb57f2f368658e81bULL, + 0x8acd36f18f3f41f6ULL, 0x5ce3b7bba50f11d3ULL, + 0x114dcc14d5ee2f0aULL, 0xb91a7fcded1030e8ULL, + 0x81d5425fe55de7a1ULL, 0xb6213bc1554adeeeULL, + 
0x80144ef95f53f5f2ULL, 0x1e7688186db4c10cULL, + 0x3b912965db5fe1bcULL, 0xc281715a97e8252dULL, + 0x54a5d7e21c7f8171ULL, 0x4b12535ccbc5522eULL, + 0x1d289cefbea6f7f9ULL, 0x6ef5f2217d2e729eULL, + 0xe6a7dc819b0d17ceULL, 0x1b94b41c05829b0eULL, + 0x33d7493c622f711eULL, 0xdcf7f942fa5ce421ULL, + 0x600fba8b7f7a8ecbULL, 0x46b60f011a83988eULL, + 0x235b898e0dcf4c47ULL, 0x957ab24f588592a9ULL, + 0x4354330572b5c28cULL, 0xa5f3ef84e9b8d542ULL, + 0x8c711e02341b2d01ULL, 0x0b1874ae6a62a657ULL, + 0x1213d8e306fc19ffULL, 0xfe6d7c6a4d9dba35ULL, + 0x65ed868f174cd4c9ULL, 0x88522ea0e6236550ULL, + 0x899322065c2d7703ULL, 0xc01e690bfef4018bULL, + 0x915982ed8abddaf8ULL, 0xbe675b98ec3a4e4cULL, + 0xa996bf7f82f00db1ULL, 0xe1daf8d49a27696aULL, + 0x2effd5d3dc8986e7ULL, 0xd153a51f2b1a2e81ULL, + 0x18caa0ebd690adfbULL, 0x390e3134b243c51aULL, + 0x2778b92cdff70416ULL, 0x029f1851691c24a6ULL, + 0x5e7cafeacc133575ULL, 0xfa4e4cc89fa5f264ULL, + 0x5a5f9f481e2b7d24ULL, 0x484c47ab18d764dbULL, + 0x400a27f2a1a7f479ULL, 0xaeeb9b2a83da7315ULL, + 0x721c626879869734ULL, 0x042330a2d2384851ULL, + 0x85f672fd3765aff0ULL, 0xba446b3a3e02061dULL, + 0x73dd6ecec3888567ULL, 0xffac70ccf793a866ULL, + 0xdfa9edb5294ed2d4ULL, 0x6c6aea7014325638ULL, + 0x834a5a0e8c41c307ULL, 0xcdba35562fb2cb2bULL, + 0x0ad97808d06cb404ULL, 0x0f3b440cb85aee06ULL, + 0xe5f9c876481f213bULL, 0x98deee1289c35809ULL, + 0x59018bbfcd394bd1ULL, 0xe01bf47220297b39ULL, + 0xde68e1139340c087ULL, 0x9fa3ca4788e926adULL, + 0xbb85679c840c144eULL, 0x53d8f3b71d55ffd5ULL, + 0x0da45c5dd146caa0ULL, 0x6f34fe87c72060cdULL, + 0x57fbc315cf6db784ULL, 0xcee421a1fca0fddeULL, + 0x3d2d0196607b8d4bULL, 0x642c8a29ad42c69aULL, + 0x14aff010bdd87508ULL, 0xac74837beac657b3ULL, + 0x3216459ad821634dULL, 0x3fb219c70967a9edULL, + 0x06bc28f3bb246cf7ULL, 0xf2082c9126d562c6ULL, + 0x66b39278c45ee23cULL, 0xbd394f6f3f2878b9ULL, + 0xfd33689d9e8f8cc0ULL, 0x37f4799eb017394fULL, + 0x108cc0b26fe03d59ULL, 0xda4bd1b1417888d6ULL, + 0xb09d1332ee6eb219ULL, 0x2f3ed975668794b4ULL, + 0x58c0871977375982ULL, 
0x7561463d78ace990ULL, + 0x09876cff037e82f1ULL, 0x7fb83e35a8c05d94ULL, + 0x26b9b58a65f91645ULL, 0xef20b07e9873953fULL, + 0x3148516d0b3355b8ULL, 0x41cb2b541ba9e62aULL, + 0x790416c613e43163ULL, 0xa011d380818e8f40ULL, + 0x3a5025c36151f3efULL, 0xd57095bdf92266d0ULL, + 0x498d4b0da2d97688ULL, 0x8b0c3a57353153a5ULL, + 0x21c491df64d368e1ULL, 0x8f2f0af5e7091bf4ULL, + 0x2da1c1240f9bb012ULL, 0xc43d59a92ccc49daULL, + 0xbfa6573e56345c1fULL, 0x828b56a8364fd154ULL, + 0x9a41f643e0df7cafULL, 0xbcf843c985266aeaULL, + 0x2b1de9d7b4bfdce5ULL, 0x20059d79dedd7ab2ULL, + 0x6dabe6d6ae3c446bULL, 0x45e81bf6c991ae7bULL, + 0x6351ae7cac68b83eULL, 0xa432e32253b6c711ULL, + 0xd092a9b991143cd2ULL, 0xcac711032e98b58fULL, + 0xd8d4c9e02864ac70ULL, 0xc5fc550f96c25b89ULL, + 0xd7ef8dec903e4276ULL, 0x67729ede7e50f06fULL, + 0xeac28c7af045cf3dULL, 0xb15c1f945460a04aULL, + 0x9cfddeb05bfb1058ULL, 0x93c69abce3a1fe5eULL, + 0xeb0380dc4a4bdd6eULL, 0xd20db1e8f8081874ULL, + 0x229a8528b7c15e14ULL, 0x44291750739fbc28ULL, + 0xd3ccbd4e42060a27ULL, 0xf62b1c33f4ed2a97ULL, + 0x86a8660ae4779905ULL, 0xd62e814a2a305025ULL, + 0x477703a7a08d8addULL, 0x7b9b0e977af815c5ULL, + 0x78c51a60a9ea2330ULL, 0xa6adfb733aaae3b7ULL, + 0x97e5aa1e3199b60fULL, 0x0000000000000000ULL, + 0xf4b404629df10e31ULL, 0x5564db44a6719322ULL, + 0x9207961a59afec0dULL, 0x9624a6b88b97a45cULL, + 0x363575380a192b1cULL, 0x2c60cd82b595a241ULL, + 0x7d272664c1dc7932ULL, 0x7142769faa94a1c1ULL, + 0xa1d0df263b809d13ULL, 0x1630e841d4c451aeULL, + 0xc1df65ad44fa13d8ULL, 0x13d2d445bcf20bacULL, + 0xd915c546926abe23ULL, 0x38cf3d92084dd749ULL, + 0xe766d0272103059dULL, 0xc7634d5effde7f2fULL, + 0x077d2455012a7ea4ULL, 0xedbfa82ff16fb199ULL, + 0xaf2a978c39d46146ULL, 0x42953fa3c8bbd0dfULL, + 0xcb061da59496a7dcULL, 0x25e7a17db6eb20b0ULL, + 0x34aa6d6963050fbaULL, 0xa76cf7d580a4f1e4ULL, + 0xf7ea10954ee338c4ULL, 0xfcf2643b24819e93ULL, + 0xcf252d0746aeef8dULL, 0x4ef06f58a3f3082cULL, + 0x563acfb37563a5d7ULL, 0x5086e740ce47c920ULL, + 0x2982f186dda3f843ULL, 0x87696aac5e798b56ULL, + 
0x5d22bb1d1f010380ULL, 0x035e14f7d31236f5ULL, + 0x3cec0d30da759f18ULL, 0xf3c920379cdb7095ULL, + 0xb8db736b571e22bbULL, 0xdd36f5e44052f672ULL, + 0xaac8ab8851e23b44ULL, 0xa857b3d938fe1fe2ULL, + 0x17f1e4e76eca43fdULL, 0xec7ea4894b61a3caULL, + 0x9e62c6e132e734feULL, 0xd4b1991b432c7483ULL, + 0x6ad6c283af163acfULL, 0x1ce9904904a8e5aaULL, + 0x5fbda34c761d2726ULL, 0xf910583f4cb7c491ULL, + 0xc6a241f845d06d7cULL, 0x4f3163fe19fd1a7fULL, + 0xe99c988d2357f9c8ULL, 0x8eee06535d0709a7ULL, + 0x0efa48aa0254fc55ULL, 0xb4be23903c56fa48ULL, + 0x763f52caabbedf65ULL, 0xeee1bcd8227d876cULL, + 0xe345e085f33b4dccULL, 0x3e731561b369bbbeULL, + 0x2843fd2067adea10ULL, 0x2adce5710eb1ceb6ULL, + 0xb7e03767ef44ccbdULL, 0x8db012a48e153f52ULL, + 0x61ceb62dc5749c98ULL, 0xe85d942b9959eb9bULL, + 0x4c6f7709caef2c8aULL, 0x84377e5b8d6bbda3ULL, + 0x30895dcbb13d47ebULL, 0x74a04a9bc2a2fbc3ULL, + 0x6b17ce251518289cULL, 0xe438c4d0f2113368ULL, + 0x1fb784bed7bad35fULL, 0x9b80fae55ad16efcULL, + 0x77fe5e6c11b0cd36ULL, 0xc858095247849129ULL, + 0x08466059b97090a2ULL, 0x01c10ca6ba0e1253ULL, + 0x6988d6747c040c3aULL, 0x6849dad2c60a1e69ULL, + 0x5147ebe67449db73ULL, 0xc99905f4fd8a837aULL, + 0x991fe2b433cd4a5aULL, 0xf09734c04fc94660ULL, + 0xa28ecbd1e892abe6ULL, 0xf1563866f5c75433ULL, + 0x4dae7baf70e13ed9ULL, 0x7ce62ac27bd26b61ULL, + 0x70837a39109ab392ULL, 0x90988e4b30b3c8abULL, + 0xb2020b63877296bfULL, 0x156efcb607d6675bULL }, + /* 7 */ + { 0xe63f55ce97c331d0ULL, 0x25b506b0015bba16ULL, + 0xc8706e29e6ad9ba8ULL, 0x5b43d3775d521f6aULL, + 0x0bfa3d577035106eULL, 0xab95fc172afb0e66ULL, + 0xf64b63979e7a3276ULL, 0xf58b4562649dad4bULL, + 0x48f7c3dbae0c83f1ULL, 0xff31916642f5c8c5ULL, + 0xcbb048dc1c4a0495ULL, 0x66b8f83cdf622989ULL, + 0x35c130e908e2b9b0ULL, 0x7c761a61f0b34fa1ULL, + 0x3601161cf205268dULL, 0x9e54ccfe2219b7d6ULL, + 0x8b7d90a538940837ULL, 0x9cd403588ea35d0bULL, + 0xbc3c6fea9ccc5b5aULL, 0xe5ff733b6d24aeedULL, + 0xceed22de0f7eb8d2ULL, 0xec8581cab1ab545eULL, + 0xb96105e88ff8e71dULL, 0x8ca03501871a5eadULL, + 
0x76ccce65d6db2a2fULL, 0x5883f582a7b58057ULL, + 0x3f7be4ed2e8adc3eULL, 0x0fe7be06355cd9c9ULL, + 0xee054e6c1d11be83ULL, 0x1074365909b903a6ULL, + 0x5dde9f80b4813c10ULL, 0x4a770c7d02b6692cULL, + 0x5379c8d5d7809039ULL, 0xb4067448161ed409ULL, + 0x5f5e5026183bd6cdULL, 0xe898029bf4c29df9ULL, + 0x7fb63c940a54d09cULL, 0xc5171f897f4ba8bcULL, + 0xa6f28db7b31d3d72ULL, 0x2e4f3be7716eaa78ULL, + 0x0d6771a099e63314ULL, 0x82076254e41bf284ULL, + 0x2f0fd2b42733df98ULL, 0x5c9e76d3e2dc49f0ULL, + 0x7aeb569619606cdbULL, 0x83478b07b2468764ULL, + 0xcfadcb8d5923cd32ULL, 0x85dac7f05b95a41eULL, + 0xb5469d1b4043a1e9ULL, 0xb821ecbbd9a592fdULL, + 0x1b8e0b0e798c13c8ULL, 0x62a57b6d9a0be02eULL, + 0xfcf1b793b81257f8ULL, 0x9d94ea0bd8fe28ebULL, + 0x4cea408aeb654a56ULL, 0x23284a47e888996cULL, + 0x2d8f1d128b893545ULL, 0xf4cbac3132c0d8abULL, + 0xbd7c86b9ca912ebaULL, 0x3a268eef3dbe6079ULL, + 0xf0d62f6077a9110cULL, 0x2735c916ade150cbULL, + 0x89fd5f03942ee2eaULL, 0x1acee25d2fd16628ULL, + 0x90f39bab41181bffULL, 0x430dfe8cde39939fULL, + 0xf70b8ac4c8274796ULL, 0x1c53aeaac6024552ULL, + 0x13b410acf35e9c9bULL, 0xa532ab4249faa24fULL, + 0x2b1251e5625a163fULL, 0xd7e3e676da4841c7ULL, + 0xa7b264e4e5404892ULL, 0xda8497d643ae72d3ULL, + 0x861ae105a1723b23ULL, 0x38a6414991048aa4ULL, + 0x6578dec92585b6b4ULL, 0x0280cfa6acbaeaddULL, + 0x88bdb650c273970aULL, 0x9333bd5ebbff84c2ULL, + 0x4e6a8f2c47dfa08bULL, 0x321c954db76cef2aULL, + 0x418d312a72837942ULL, 0xb29b38bfffcdf773ULL, + 0x6c022c38f90a4c07ULL, 0x5a033a240b0f6a8aULL, + 0x1f93885f3ce5da6fULL, 0xc38a537e96988bc6ULL, + 0x39e6a81ac759ff44ULL, 0x29929e43cee0fce2ULL, + 0x40cdd87924de0ca2ULL, 0xe9d8ebc8a29fe819ULL, + 0x0c2798f3cfbb46f4ULL, 0x55e484223e53b343ULL, + 0x4650948ecd0d2fd8ULL, 0x20e86cb2126f0651ULL, + 0x6d42c56baf5739e7ULL, 0xa06fc1405ace1e08ULL, + 0x7babbfc54f3d193bULL, 0x424d17df8864e67fULL, + 0xd8045870ef14980eULL, 0xc6d7397c85ac3781ULL, + 0x21a885e1443273b1ULL, 0x67f8116f893f5c69ULL, + 0x24f5efe35706cff6ULL, 0xd56329d076f2ab1aULL, + 0x5e1eb9754e66a32dULL, 
0x28d2771098bd8902ULL, + 0x8f6013f47dfdc190ULL, 0x17a993fdb637553cULL, + 0xe0a219397e1012aaULL, 0x786b9930b5da8606ULL, + 0x6e82e39e55b0a6daULL, 0x875a0856f72f4ec3ULL, + 0x3741ff4fa458536dULL, 0xac4859b3957558fcULL, + 0x7ef6d5c75c09a57cULL, 0xc04a758b6c7f14fbULL, + 0xf9acdd91ab26ebbfULL, 0x7391a467c5ef9668ULL, + 0x335c7c1ee1319acaULL, 0xa91533b18641e4bbULL, + 0xe4bf9a683b79db0dULL, 0x8e20faa72ba0b470ULL, + 0x51f907737b3a7ae4ULL, 0x2268a314bed5ec8cULL, + 0xd944b123b949edeeULL, 0x31dcb3b84d8b7017ULL, + 0xd3fe65279f218860ULL, 0x097af2f1dc8ffab3ULL, + 0x9b09a6fc312d0b91ULL, 0xcc6ded78a3c4520fULL, + 0x3481d9ba5ebfcc50ULL, 0x4f2a667f1182d56bULL, + 0xdfd9fdd4509ace94ULL, 0x26752045fbbc252bULL, + 0xbffc491f662bc467ULL, 0xdd593272fc202449ULL, + 0x3cbbc218d46d4303ULL, 0x91b372f817456e1fULL, + 0x681faf69bc6385a0ULL, 0xb686bbeebaa43ed4ULL, + 0x1469b5084cd0ca01ULL, 0x98c98009cbca94acULL, + 0x6438379a73d8c354ULL, 0xc2caba2dc0c5fe26ULL, + 0x3e3b0dbe78d7a9deULL, 0x50b9ee202d670f04ULL, + 0x4590b27b37eab0e5ULL, 0x6025b4cb36b10af3ULL, + 0xfb2c1237079c0162ULL, 0xa12f28130c936be8ULL, + 0x4b37e52e54eb1cccULL, 0x083a1ba28ad28f53ULL, + 0xc10a9cd83a22611bULL, 0x9f1425ad7444c236ULL, + 0x069d4cf7e9d3237aULL, 0xedc56899e7f621beULL, + 0x778c273680865fcfULL, 0x309c5aeb1bd605f7ULL, + 0x8de0dc52d1472b4dULL, 0xf8ec34c2fd7b9e5fULL, + 0xea18cd3d58787724ULL, 0xaad515447ca67b86ULL, + 0x9989695a9d97e14cULL, 0x0000000000000000ULL, + 0xf196c63321f464ecULL, 0x71116bc169557cb5ULL, + 0xaf887f466f92c7c1ULL, 0x972e3e0ffe964d65ULL, + 0x190ec4a8d536f915ULL, 0x95aef1a9522ca7b8ULL, + 0xdc19db21aa7d51a9ULL, 0x94ee18fa0471d258ULL, + 0x8087adf248a11859ULL, 0xc457f6da2916dd5cULL, + 0xfa6cfb6451c17482ULL, 0xf256e0c6db13fbd1ULL, + 0x6a9f60cf10d96f7dULL, 0x4daaa9d9bd383fb6ULL, + 0x03c026f5fae79f3dULL, 0xde99148706c7bb74ULL, + 0x2a52b8b6340763dfULL, 0x6fc20acd03edd33aULL, + 0xd423c08320afdefaULL, 0xbbe1ca4e23420dc0ULL, + 0x966ed75ca8cb3885ULL, 0xeb58246e0e2502c4ULL, + 0x055d6a021334bc47ULL, 0xa47242111fa7d7afULL, + 
0xe3623fcc84f78d97ULL, 0x81c744a11efc6db9ULL, + 0xaec8961539cfb221ULL, 0xf31609958d4e8e31ULL, + 0x63e5923ecc5695ceULL, 0x47107ddd9b505a38ULL, + 0xa3afe7b5a0298135ULL, 0x792b7063e387f3e6ULL, + 0x0140e953565d75e0ULL, 0x12f4f9ffa503e97bULL, + 0x750ce8902c3cb512ULL, 0xdbc47e8515f30733ULL, + 0x1ed3610c6ab8af8fULL, 0x5239218681dde5d9ULL, + 0xe222d69fd2aaf877ULL, 0xfe71783514a8bd25ULL, + 0xcaf0a18f4a177175ULL, 0x61655d9860ec7f13ULL, + 0xe77fbc9dc19e4430ULL, 0x2ccff441ddd440a5ULL, + 0x16e97aaee06a20dcULL, 0xa855dae2d01c915bULL, + 0x1d1347f9905f30b2ULL, 0xb7c652bdecf94b34ULL, + 0xd03e43d265c6175dULL, 0xfdb15ec0ee4f2218ULL, + 0x57644b8492e9599eULL, 0x07dda5a4bf8e569aULL, + 0x54a46d71680ec6a3ULL, 0x5624a2d7c4b42c7eULL, + 0xbebca04c3076b187ULL, 0x7d36f332a6ee3a41ULL, + 0x3b6667bc6be31599ULL, 0x695f463aea3ef040ULL, + 0xad08b0e0c3282d1cULL, 0xb15b1e4a052a684eULL, + 0x44d05b2861b7c505ULL, 0x15295c5b1a8dbfe1ULL, + 0x744c01c37a61c0f2ULL, 0x59c31cd1f1e8f5b7ULL, + 0xef45a73f4b4ccb63ULL, 0x6bdf899c46841a9dULL, + 0x3dfb2b4b823036e3ULL, 0xa2ef0ee6f674f4d5ULL, + 0x184e2dfb836b8cf5ULL, 0x1134df0a5fe47646ULL, + 0xbaa1231d751f7820ULL, 0xd17eaa81339b62bdULL, + 0xb01bf71953771daeULL, 0x849a2ea30dc8d1feULL, + 0x705182923f080955ULL, 0x0ea757556301ac29ULL, + 0x041d83514569c9a7ULL, 0x0abad4042668658eULL, + 0x49b72a88f851f611ULL, 0x8a3d79f66ec97dd7ULL, + 0xcd2d042bf59927efULL, 0xc930877ab0f0ee48ULL, + 0x9273540deda2f122ULL, 0xc797d02fd3f14261ULL, + 0xe1e2f06a284d674aULL, 0xd2be8c74c97cfd80ULL, + 0x9a494faf67707e71ULL, 0xb3dbd1eca9908293ULL, + 0x72d14d3493b2e388ULL, 0xd6a30f258c153427ULL }, +}; + +static const uint64_t C16[12][8] = +{ + { 0xdd806559f2a64507ULL, 0x05767436cc744d23ULL, + 0xa2422a08a460d315ULL, 0x4b7ce09192676901ULL, + 0x714eb88d7585c4fcULL, 0x2f6a76432e45d016ULL, + 0xebcb2f81c0657c1fULL, 0xb1085bda1ecadae9ULL }, + { 0xe679047021b19bb7ULL, 0x55dda21bd7cbcd56ULL, + 0x5cb561c2db0aa7caULL, 0x9ab5176b12d69958ULL, + 0x61d55e0f16b50131ULL, 0xf3feea720a232b98ULL, + 0x4fe39d460f70b5d7ULL, 
0x6fa3b58aa99d2f1aULL },
+ { 0x991e96f50aba0ab2ULL, 0xc2b6f443867adb31ULL,
+ 0xc1c93a376062db09ULL, 0xd3e20fe490359eb1ULL,
+ 0xf2ea7514b1297b7bULL, 0x06f15e5f529c1f8bULL,
+ 0x0a39fc286a3d8435ULL, 0xf574dcac2bce2fc7ULL },
+ { 0x220cbebc84e3d12eULL, 0x3453eaa193e837f1ULL,
+ 0xd8b71333935203beULL, 0xa9d72c82ed03d675ULL,
+ 0x9d721cad685e353fULL, 0x488e857e335c3c7dULL,
+ 0xf948e1a05d71e4ddULL, 0xef1fdfb3e81566d2ULL },
+ { 0x601758fd7c6cfe57ULL, 0x7a56a27ea9ea63f5ULL,
+ 0xdfff00b723271a16ULL, 0xbfcd1747253af5a3ULL,
+ 0x359e35d7800fffbdULL, 0x7f151c1f1686104aULL,
+ 0x9a3f410c6ca92363ULL, 0x4bea6bacad474799ULL },
+ { 0xfa68407a46647d6eULL, 0xbf71c57236904f35ULL,
+ 0x0af21f66c2bec6b6ULL, 0xcffaa6b71c9ab7b4ULL,
+ 0x187f9ab49af08ec6ULL, 0x2d66c4f95142a46cULL,
+ 0x6fa4c33b7a3039c0ULL, 0xae4faeae1d3ad3d9ULL },
+ { 0x8886564d3a14d493ULL, 0x3517454ca23c4af3ULL,
+ 0x06476983284a0504ULL, 0x0992abc52d822c37ULL,
+ 0xd3473e33197a93c9ULL, 0x399ec6c7e6bf87c9ULL,
+ 0x51ac86febf240954ULL, 0xf4c70e16eeaac5ecULL },
+ { 0xa47f0dd4bf02e71eULL, 0x36acc2355951a8d9ULL,
+ 0x69d18d2bd1a5c42fULL, 0xf4892bcb929b0690ULL,
+ 0x89b4443b4ddbc49aULL, 0x4eb7f8719c36de1eULL,
+ 0x03e7aa020c6e4141ULL, 0x9b1f5b424d93c9a7ULL },
+ { 0x7261445183235adbULL, 0x0e38dc92cb1f2a60ULL,
+ 0x7b2b8a9aa6079c54ULL, 0x800a440bdbb2ceb1ULL,
+ 0x3cd955b7e00d0984ULL, 0x3a7d3a1b25894224ULL,
+ 0x944c9ad8ec165fdeULL, 0x378f5a541631229bULL },
+ { 0x74b4c7fb98459cedULL, 0x3698fad1153bb6c3ULL,
+ 0x7a1e6c303b7652f4ULL, 0x9fe76702af69334bULL,
+ 0x1fffe18a1b336103ULL, 0x8941e71cff8a78dbULL,
+ 0x382ae548b2e4f3f3ULL, 0xabbedea680056f52ULL },
+ { 0x6bcaa4cd81f32d1bULL, 0xdea2594ac06fd85dULL,
+ 0xefbacd1d7d476e98ULL, 0x8a1d71efea48b9caULL,
+ 0x2001802114846679ULL, 0xd8fa6bbbebab0761ULL,
+ 0x3002c6cd635afe94ULL, 0x7bcd9ed0efc889fbULL },
+ { 0x48bc924af11bd720ULL, 0xfaf417d5d9b21b99ULL,
+ 0xe71da4aa88e12852ULL, 0x5d80ef9d1891cc86ULL,
+ 0xf82012d430219f9bULL, 0xcda43c32bcdf1d77ULL,
+ 0xd21380b00449b17aULL, 0x378ee767f11631baULL },
+};
+
+#define strido(out, temp, i) do { \
+ uint64_t t; \
+ t = streebog_table[0][(temp[0] >> (i * 8)) & 0xff]; \
+ t ^= streebog_table[1][(temp[1] >> (i * 8)) & 0xff]; \
+ t ^= streebog_table[2][(temp[2] >> (i * 8)) & 0xff]; \
+ t ^= streebog_table[3][(temp[3] >> (i * 8)) & 0xff]; \
+ t ^= streebog_table[4][(temp[4] >> (i * 8)) & 0xff]; \
+ t ^= streebog_table[5][(temp[5] >> (i * 8)) & 0xff]; \
+ t ^= streebog_table[6][(temp[6] >> (i * 8)) & 0xff]; \
+ t ^= streebog_table[7][(temp[7] >> (i * 8)) & 0xff]; \
+ out[i] = t; } while(0)
+
+static void LPSX (uint64_t *out, const uint64_t *a, const uint64_t *b)
+{
+ uint64_t temp[8];
+ temp[0] = a[0] ^ b[0];
+ temp[1] = a[1] ^ b[1];
+ temp[2] = a[2] ^ b[2];
+ temp[3] = a[3] ^ b[3];
+ temp[4] = a[4] ^ b[4];
+ temp[5] = a[5] ^ b[5];
+ temp[6] = a[6] ^ b[6];
+ temp[7] = a[7] ^ b[7];
+ strido (out, temp, 0);
+ strido (out, temp, 1);
+ strido (out, temp, 2);
+ strido (out, temp, 3);
+ strido (out, temp, 4);
+ strido (out, temp, 5);
+ strido (out, temp, 6);
+ strido (out, temp, 7);
+}
+
+static inline void g (uint64_t *h, uint64_t *m, uint64_t *N)
+{
+ uint64_t K[8];
+ uint64_t T[8];
+ int i;
+
+ LPSX (K, h, N);
+
+ LPSX (T, K, m);
+ LPSX (K, K, C16[0]);
+ for (i = 1; i < 12; i++)
+ {
+ LPSX (T, K, T);
+ LPSX (K, K, C16[i]);
+ }
+
+ h[0] ^= T[0] ^ K[0] ^ m[0];
+ h[1] ^= T[1] ^ K[1] ^ m[1];
+ h[2] ^= T[2] ^ K[2] ^ m[2];
+ h[3] ^= T[3] ^ K[3] ^ m[3];
+ h[4] ^= T[4] ^ K[4] ^ m[4];
+ h[5] ^= T[5] ^ K[5] ^ m[5];
+ h[6] ^= T[6] ^ K[6] ^ m[6];
+ h[7] ^= T[7] ^ K[7] ^ m[7];
+}
+
+
+static void
+streebog512_compress (struct streebog512_ctx *ctx, const uint8_t *input, uint64_t count)
+{
+ uint64_t M[8];
+ uint64_t cf;
+ int i;
+
+ for (i = 0; i < 8; i++, input += 8)
+ M[i] = LE_READ_UINT64(input);
+
+ g (ctx->state, M, ctx->count);
+ ctx->count[0] += count;
+ if (ctx->count[0] < count)
+ { /* overflow */
+ for (i = 1; i < 8; i++)
+ {
+ ctx->count[i]++;
+ if (ctx->count[i] != 0)
+ break;
+ }
+ }
+
+ ctx->sigma[0] += M[0];
+ cf = (ctx->sigma[0] < M[0]);
+ for (i = 1; i < 7; i++) + { + ctx->sigma[i] += cf; + cf = (ctx->sigma[i] < cf); + ctx->sigma[i] += M[i]; + cf |= (ctx->sigma[i] < M[i]); + } + ctx->sigma[7] += M[7] + cf; +} + +static void +streebog_final (struct streebog512_ctx *ctx) +{ + uint64_t Z[8] = {}; + unsigned int i; + + /* PAD. It does not count towards message length */ + i = ctx->index; + /* We have at least one byte free) */ + ctx->block[i++] = 1; + while (i < 64) + ctx->block[i++] = 0; + streebog512_compress (ctx, ctx->block, ctx->index * 8); + + g (ctx->state, ctx->count, Z); + g (ctx->state, ctx->sigma, Z); +} + +#define COMPRESS(ctx, data) (streebog512_compress((ctx), (data), 64 * 8)) + +void +streebog512_init(struct streebog512_ctx *ctx) +{ + memset(ctx->state, 0, sizeof(ctx->state)); + memset(ctx->count, 0, sizeof(ctx->count)); + memset(ctx->sigma, 0, sizeof(ctx->sigma)); + + /* Initialize buffer */ + ctx->index = 0; +} + +void +streebog512_update(struct streebog512_ctx *ctx, + size_t length, const uint8_t *data) +{ + MD_UPDATE (ctx, length, data, COMPRESS, (void)0); +} + +static void +streebog512_write_digest(struct streebog512_ctx *ctx, + size_t offset, size_t length, + uint8_t *digest) +{ + assert(offset + length <= STREEBOG512_DIGEST_SIZE); + + streebog_final(ctx); + + _nettle_write_le64(length, digest, ctx->state + offset); +} + +void +streebog512_digest(struct streebog512_ctx *ctx, + size_t length, + uint8_t *digest) +{ + assert(length <= STREEBOG512_DIGEST_SIZE); + + streebog512_write_digest(ctx, 0, length, digest); + streebog512_init(ctx); +} + +void +streebog256_init(struct streebog256_ctx *ctx) +{ + memset(ctx->state, 1, sizeof(ctx->state)); + memset(ctx->count, 0, sizeof(ctx->count)); + memset(ctx->sigma, 0, sizeof(ctx->sigma)); + + /* Initialize buffer */ + ctx->index = 0; +} + +void +streebog256_digest(struct streebog256_ctx *ctx, + size_t length, + uint8_t *digest) +{ + assert(length <= STREEBOG256_DIGEST_SIZE); + + streebog512_write_digest(ctx, + 4, + length, + digest); + 
streebog256_init(ctx); +} diff -Nru nettle-3.4.1/streebog.h nettle-3.7.3/streebog.h --- nettle-3.4.1/streebog.h 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/streebog.h 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,99 @@ +/* streebog.h + + The Streebog family of hash functions. + + Copyright (C) 2020 Dmitry Baryshkov + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_STREEBOG_H_INCLUDED +#define NETTLE_STREEBOG_H_INCLUDED + +#include "nettle-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define streebog256_init nettle_streebog256_init +#define streebog256_digest nettle_streebog256_digest +#define streebog512_init nettle_streebog512_init +#define streebog512_update nettle_streebog512_update +#define streebog512_digest nettle_streebog512_digest + +/* STREEBOG512 */ + +#define STREEBOG512_DIGEST_SIZE 64 +#define STREEBOG512_BLOCK_SIZE 64 + +/* Digest is kept internally as 8 64-bit words. 
*/ +#define _STREEBOG512_DIGEST_LENGTH 8 + +struct streebog512_ctx +{ + uint64_t state[_STREEBOG512_DIGEST_LENGTH]; /* State variables */ + uint64_t count[_STREEBOG512_DIGEST_LENGTH]; + uint64_t sigma[_STREEBOG512_DIGEST_LENGTH]; + unsigned int index; /* index into buffer */ + uint8_t block[STREEBOG512_BLOCK_SIZE]; /* STREEBOG512 data buffer */ +}; + +void +streebog512_init(struct streebog512_ctx *ctx); + +void +streebog512_update(struct streebog512_ctx *ctx, + size_t length, + const uint8_t *data); + +void +streebog512_digest(struct streebog512_ctx *ctx, + size_t length, + uint8_t *digest); + + +#define STREEBOG256_DIGEST_SIZE 32 +#define STREEBOG256_BLOCK_SIZE STREEBOG512_BLOCK_SIZE +#define streebog256_ctx streebog512_ctx + +void +streebog256_init(struct streebog256_ctx *ctx); + +#define streebog256_update nettle_streebog512_update + +void +streebog256_digest(struct streebog256_ctx *ctx, + size_t length, + uint8_t *digest); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_STREEBOG_H_INCLUDED */ diff -Nru nettle-3.4.1/streebog-meta.c nettle-3.7.3/streebog-meta.c --- nettle-3.4.1/streebog-meta.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/streebog-meta.c 2021-06-06 20:06:29.000000000 +0000 
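Review bot: The `count` and `sigma` members of `struct streebog512_ctx` are the only fields without a comment, and their role is not obvious from the header alone; in streebog.c's compress function `count` is advanced by the bit length of each block (`64 * 8` for full blocks, `ctx->index * 8` for the final one) with carry propagated into the following words, and `sigma` accumulates the message words with carry. Suggest `uint64_t count[_STREEBOG512_DIGEST_LENGTH]; /* Message length in bits (N), 512-bit counter, least-significant word first */` and `uint64_t sigma[_STREEBOG512_DIGEST_LENGTH]; /* Running 512-bit sum of message blocks (Sigma) */`. A one-line comment above `#define streebog256_ctx streebog512_ctx` would also help readers: the 256-bit variant shares the context and update function and differs only in the initial state (bytes set to 1 in streebog256_init) and in writing out the upper half of the state (word offset 4 in streebog256_digest).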
@@ -0,0 +1,44 @@
+/* streebog-meta.c
+
+ Copyright (C) 2020 Dmitry Baryshkov
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "nettle-meta.h"
+
+#include "streebog.h"
+
+const struct nettle_hash nettle_streebog512
+= _NETTLE_HASH(streebog512, STREEBOG512);
+
+const struct nettle_hash nettle_streebog256
+= _NETTLE_HASH(streebog256, STREEBOG256);
diff -Nru nettle-3.4.1/testsuite/aes-test.c nettle-3.7.3/testsuite/aes-test.c
--- nettle-3.4.1/testsuite/aes-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/aes-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -1,3 +1,6 @@
+/* This file tests deprecated functions */
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
 #include "testutils.h"
 #include "aes.h"
 #include "nettle-internal.h"
diff -Nru nettle-3.4.1/testsuite/bcrypt-test.c nettle-3.7.3/testsuite/bcrypt-test.c
--- nettle-3.4.1/testsuite/bcrypt-test.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/testsuite/bcrypt-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,54 @@ +#include "testutils.h" +#include "blowfish.h" + +static void +test_bcrypt(int succeed, const struct tstring *key, + const struct tstring *hash) +{ + if (succeed != blowfish_bcrypt_verify(key->length, key->data, + hash->length, hash->data)) + { + fprintf(stderr, "blowfish_bcrypt_verify failed:\nKey:"); + tstring_print_hex(key); + fprintf(stderr, "\nHash: "); + tstring_print_hex(hash); + fprintf(stderr, "\n"); + FAIL(); + } +} + +void +test_main(void) +{ + /* Tests for BSD-style bcrypt. + From John the Ripper 1.7.9 via Phpass */ + test_bcrypt(1, SDATA("U*U"), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW")); + test_bcrypt(1, SDATA("U*U*"), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK")); + test_bcrypt(1, SDATA("U*U*U"), SDATA("$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a")); + test_bcrypt(1, SDATA(""), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy")); + test_bcrypt(1, SDATA("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789chars after 72 are ignored"), SDATA("$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui")); + test_bcrypt(1, SDATA("\xa3"), SDATA("$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e")); + test_bcrypt(1, SDATA("\xa3"), SDATA("$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq")); + test_bcrypt(1, SDATA("\xd1\x91"), SDATA("$2x$05$6bNw2HLQYeqHYyBfLMsv/OiwqTymGIGzFsA4hOTWebfehXHNprcAS")); + test_bcrypt(1, SDATA("\xd0\xc1\xd2\xcf\xcc\xd8"), SDATA("$2x$05$6bNw2HLQYeqHYyBfLMsv/O9LIGgn8OMzuDoHfof8AQimSGfcSWxnS")); + test_bcrypt(1, SDATA("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa""chars after 72 are ignored as usual"), 
SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6")); + test_bcrypt(1, SDATA("\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy")); + test_bcrypt(1, SDATA(""), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy")); + test_bcrypt(1, SDATA("\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe")); + /* From Openwall's crypt v1.2 via Phpass */ + test_bcrypt(0, SDATA(""), SDATA("$2a$03$CCCCCCCCCCCCCCCCCCCCC.")); + test_bcrypt(0, SDATA(""), SDATA("$2a$32$CCCCCCCCCCCCCCCCCCCCC.")); + test_bcrypt(0, SDATA(""), SDATA("$2z$05$CCCCCCCCCCCCCCCCCCCCC.")); + test_bcrypt(0, SDATA(""), SDATA("$2`$05$CCCCCCCCCCCCCCCCCCCCC.")); + test_bcrypt(0, SDATA(""), SDATA("$2{$05$CCCCCCCCCCCCCCCCCCCCC.")); + /* Stephen's personal tests */ + test_bcrypt(1, SDATA("yawinpassword"), + SDATA("$2a$04$MzVXtd4o0y4DOlyHMMLMDeE4/eezrsT5Xad.2lmGr/NkCpwBgvn3e")); + test_bcrypt(0, SDATA("xawinpassword"), + SDATA("$2a$04$MzVXtd4o0y4DOlyHMMLMDeE4/eezrsT5Xad.2lmGr/NkCpwBgvn3e")); + test_bcrypt(1, SDATA("Bootq9sH5"), + SDATA("$2y$10$1b2lPgo4XumibnJGN3r3sOsXFfVVYlebFjlw47qpaslC4KIwu9dAK")); + test_bcrypt(0, SDATA("Bootq9sH6"), + SDATA("$2y$10$1b2lPgo4XumibnJGN3r3sOsXFfVVYlebFjlw47qpaslC4KIwu9dAK")); + test_bcrypt(0, SDATA("1234"), SDATA("$2y$")); +} diff -Nru nettle-3.4.1/testsuite/cbc-test.c nettle-3.7.3/testsuite/cbc-test.c --- nettle-3.4.1/testsuite/cbc-test.c 
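Review bot: Every negative vector in test_main that is meant to exercise the cost and variant-letter checks (`$2a$03$…`, `$2a$32$…`, `$2z$05$…`, `$2`$05$…`, `$2{$05$…`) also lacks the 31-character hash part, so an implementation that rejected them solely on total length would pass this test without ever validating the cost range or the variant letter. Adding at least one full-length negative vector pins each check independently, e.g. `test_bcrypt(0, SDATA("U*U"), SDATA("$2a$03$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"));` and `test_bcrypt(0, SDATA("U*U"), SDATA("$2z$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"));`, assuming the implementation rejects cost values below 4 as the Openwall vectors imply. Minor: the empty-key vector `$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy` appears twice in the list and one copy could go.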
2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/cbc-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -22,7 +22,7 @@ const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("c7a42a569b421224 d0c23e52f46f97f5"); - struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; + struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CBC_BULK_DATA); knuth_lfib_random(&random, CBC_BULK_DATA, clear); @@ -30,10 +30,10 @@ /* Byte that should not be overwritten */ cipher[CBC_BULK_DATA] = 17; - aes_set_encrypt_key(&aes.ctx, 32, key); + aes256_set_encrypt_key(&aes.ctx, key); CBC_SET_IV(&aes, start_iv); - CBC_ENCRYPT(&aes, aes_encrypt, CBC_BULK_DATA, cipher, clear); + CBC_ENCRYPT(&aes, aes256_encrypt, CBC_BULK_DATA, cipher, clear); ASSERT(cipher[CBC_BULK_DATA] == 17); @@ -47,9 +47,9 @@ ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ - aes_set_decrypt_key(&aes.ctx, 32, key); + aes256_set_decrypt_key(&aes.ctx, key); CBC_SET_IV(&aes, start_iv); - CBC_DECRYPT(&aes, aes_decrypt, CBC_BULK_DATA, cipher, cipher); + CBC_DECRYPT(&aes, aes256_decrypt, CBC_BULK_DATA, cipher, cipher); ASSERT(cipher[CBC_BULK_DATA] == 17); diff -Nru nettle-3.4.1/testsuite/cfb-test.c nettle-3.7.3/testsuite/cfb-test.c --- nettle-3.4.1/testsuite/cfb-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/cfb-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -6,6 +6,7 @@ /* Test with more data and inplace decryption, to check that the * cfb_decrypt buffering works. */ #define CFB_BULK_DATA 10000 +#define CFB8_BULK_DATA CFB_BULK_DATA static void test_cfb_bulk(void) @@ -22,7 +23,7 @@ const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("1fd0a9189b8480b7 b06a2b36ef5943ba"); - struct CFB_CTX(struct aes_ctx, AES_BLOCK_SIZE) aes; + struct CFB_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CFB_BULK_DATA); knuth_lfib_random(&random, CFB_BULK_DATA, clear); 
@@ -30,10 +31,10 @@ /* Byte that should not be overwritten */ cipher[CFB_BULK_DATA] = 17; - aes_set_encrypt_key(&aes.ctx, 32, key); + aes256_set_encrypt_key(&aes.ctx, key); CFB_SET_IV(&aes, start_iv); - CFB_ENCRYPT(&aes, aes_encrypt, CFB_BULK_DATA, cipher, clear); + CFB_ENCRYPT(&aes, aes256_encrypt, CFB_BULK_DATA, cipher, clear); ASSERT(cipher[CFB_BULK_DATA] == 17); @@ -47,9 +48,9 @@ ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ - aes_set_encrypt_key(&aes.ctx, 32, key); + aes256_set_encrypt_key(&aes.ctx, key); CFB_SET_IV(&aes, start_iv); - CFB_DECRYPT(&aes, aes_encrypt, CFB_BULK_DATA, cipher, cipher); + CFB_DECRYPT(&aes, aes256_encrypt, CFB_BULK_DATA, cipher, cipher); ASSERT(cipher[CFB_BULK_DATA] == 17); 
@@ -64,12 +65,113 @@ ASSERT (MEMEQ(CFB_BULK_DATA, clear, cipher)); } +static void +test_cfb8_bulk(void) +{ + struct knuth_lfib_ctx random; + + uint8_t clear[CFB8_BULK_DATA]; + + uint8_t cipher[CFB8_BULK_DATA + 1]; + + const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" + "743008105a08657d dcaad4128eee38b3"); + + const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); + const uint8_t *end_iv = H("f84bfd48206f5803 6ef86f4e69e9aec0"); + + struct CFB8_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; + + knuth_lfib_init(&random, CFB8_BULK_DATA); + knuth_lfib_random(&random, CFB8_BULK_DATA, clear); + + /* Byte that should not be overwritten */ + cipher[CFB8_BULK_DATA] = 17; + + aes256_set_encrypt_key(&aes.ctx, key); + CFB8_SET_IV(&aes, start_iv); + + CFB8_ENCRYPT(&aes, aes256_encrypt, CFB8_BULK_DATA, cipher, clear); + + ASSERT(cipher[CFB8_BULK_DATA] == 17); + + if (verbose) + { + printf("IV after bulk encryption: "); + print_hex(AES_BLOCK_SIZE, aes.iv); + printf("\n"); + } + + ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); + + /* Decrypt, in place */ + aes256_set_encrypt_key(&aes.ctx, key); + CFB8_SET_IV(&aes, start_iv); + CFB8_DECRYPT(&aes, aes256_encrypt, CFB8_BULK_DATA, cipher, cipher); + + ASSERT(cipher[CFB8_BULK_DATA] == 17); + + if (verbose) + { + printf("IV after bulk decryption: "); + print_hex(AES_BLOCK_SIZE, aes.iv); + printf("\n"); + } + + ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); + ASSERT (MEMEQ(CFB8_BULK_DATA, clear, cipher)); +} + void test_main(void) { /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors + * F.3.7 CFB8-AES128.Encrypt + */ + + test_cipher_cfb8(&nettle_aes128, + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("3b79424c9c0dd436bace9e0ed4586a4f" + "32b9"), + SHEX("000102030405060708090a0b0c0d0e0f")); + + /* From NIST spec 800-38a on AES modes. 
+ * + * F.3 CFB Example Vectors + * F.3.9 CFB8-AES192.Encrypt + */ + + test_cipher_cfb8(&nettle_aes192, + SHEX("8e73b0f7da0e6452c810f32b809079e5" + "62f8ead2522c6b7b"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("cda2521ef0a905ca44cd057cbf0d47a0" + "678a"), + SHEX("000102030405060708090a0b0c0d0e0f")); + + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors + * F.3.11 CFB8-AES256.Encrypt + */ + + test_cipher_cfb8(&nettle_aes256, + SHEX("603deb1015ca71be2b73aef0857d7781" + "1f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d"), + SHEX("dc1f1a8520a64db55fcc8ac554844e88" + "9700"), + SHEX("000102030405060708090a0b0c0d0e0f")); + + /* From NIST spec 800-38a on AES modes. + * + * F.3 CFB Example Vectors * F.3.13 CFB128-AES128.Encrypt */ @@ -139,6 +241,7 @@ SHEX("000102030405060708090a0b0c0d0e0f")); test_cfb_bulk(); + test_cfb8_bulk(); } /* diff -Nru nettle-3.4.1/testsuite/chacha-test.c nettle-3.7.3/testsuite/chacha-test.c --- nettle-3.4.1/testsuite/chacha-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/chacha-test.c 2021-06-06 20:06:30.000000000 +0000 
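Review bot: The `end_iv` in test_cfb8_bulk (`f84bfd48206f5803 6ef86f4e69e9aec0`) is not traceable to any published vector and is presumably a value recorded from this implementation after encrypting the Knuth-LFIB data, but nothing in the function says so, and a reader could take it for an interoperability check. Suggest a comment above the declaration: `/* Regression value recorded from this implementation; CFB8 interoperability is covered by the NIST SP 800-38A vectors in test_main. */`. The function is otherwise a line-for-line copy of test_cfb_bulk with the CFB8_ macro family substituted; that is acceptable for a test, but a shared body parameterised on the macro prefix would keep the two from drifting apart.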
@@ -35,149 +35,261 @@ #include "testutils.h" #include "chacha.h" +#include "chacha-internal.h" +static int +memzero_p (const uint8_t *p, size_t n) +{ + size_t i; + for (i = 0; i < n; i++) + if (p[i]) + return 0; + return 1; +} + +/* Test with simple structure of the salsa20 input, to aid + debugging. */ static void -test_chacha(const struct tstring *key, const struct tstring *nonce, - const struct tstring *expected, unsigned rounds) +test_chacha_core(void) +{ + const uint32_t input[16] = + { + 0, 1, 2, 3, + 4, 5, 6, 7, + 8, 9, 10, 11, + /* Second block will have carry from first counter word propagate + to next word. */ + 0xffffffff, 13, 14, 15, + }; + const struct tstring *expected + = SHEX("32f216b0eddeee3b bade2bf5a4c0b3b3" + "0aab2d67b09b2a63 6127fc965d831b2c" + "ddc9e25ca7841f3e 938e3566a7702a0b" + "7f80559e639ef6da 6d39627abc7da6b1" + "0090a54241e68b6b d870f3b60adcaf89" + "09d3c7b8a8c76aa3 941d726c649636db" + "d6c3f0490fd38a46 070b77a757972126" + "6323aa95eef9d68c 7eac86e913caa80c" + "17dd18ae19b0b72e 0ef6e66a58c0791e" + "e574e44162c99484 68085365916e0fee" + "e3d0a5d3d2b93b4a ff245cb557af3ead" + "2395f5cc7a00e25a 4f69a17969360781"); + + const struct tstring *expected_32 /* For 32-bit counter */ + = SHEX("32f216b0eddeee3b bade2bf5a4c0b3b3" + "0aab2d67b09b2a63 6127fc965d831b2c" + "ddc9e25ca7841f3e 938e3566a7702a0b" + "7f80559e639ef6da 6d39627abc7da6b1" + "ea56196ace461eeb f898ade2f51c425f" + "ff0452d728f13505 e23a1d017b40becd" + "6482114a4586f48a 85c5cb9f92333de6" + "9c248f2a809275fa 4786d5d6854fd7d7" + "77dd6b03073f9dbf 294eabd6affa3104" + "fccb19c3182a330c af2fdf0c43ebfa52" + "7f845ffc0a897bea 2cf27a3dfc6f31af" + "7db66563de442b71 f6d51f96930587ef"); + + struct chacha_ctx ctx; + uint8_t output[192]; + + ASSERT (expected->length == 192); + ASSERT (expected_32->length == 192); + + /* Three blocks, to exercises _chacha_3core, if available. 
*/ + memcpy (&ctx, input, sizeof(ctx)); + chacha_crypt (&ctx, 192, output, expected->data); + + if (!memzero_p (output, 192)) + { + fprintf(stderr, "chacha_crypt failed:\n"); + fprintf(stderr, "\nOutput: "); + print_hex(192, output); + fprintf(stderr, "\n"); + FAIL(); + } + + memcpy (&ctx, input, sizeof(ctx)); + chacha_crypt32 (&ctx, 192, output, expected_32->data); + + if (!memzero_p (output, 192)) + { + fprintf(stderr, "chacha_crypt32 failed:\n"); + fprintf(stderr, "\nOutput: "); + print_hex(192, output); + fprintf(stderr, "\n"); + FAIL(); + } +} + +/* For tests with non-standard number of rounds, calling + _nettle_chacha_core directly. */ +static void +test_chacha_rounds(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, unsigned rounds) { struct chacha_ctx ctx; + uint32_t out[_CHACHA_STATE_LENGTH]; + ASSERT (expected->length == CHACHA_BLOCK_SIZE); ASSERT (key->length == CHACHA_KEY_SIZE); chacha_set_key (&ctx, key->data); - if (rounds == 20) + ASSERT (nonce->length == CHACHA_NONCE_SIZE); + chacha_set_nonce(&ctx, nonce->data); + + _nettle_chacha_core (out, ctx.state, rounds); + + if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) { - uint8_t *data = xalloc (expected->length + 2); - size_t length; - data++; + printf("Error, expected:\n"); + tstring_print_hex (expected); + printf("Got:\n"); + print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); + FAIL (); + } - for (length = 1; length <= expected->length; length++) - { - data[-1] = 17; - memset (data, 0, length); - data[length] = 17; - if (nonce->length == CHACHA_NONCE_SIZE) - chacha_set_nonce(&ctx, nonce->data); - else if (nonce->length == CHACHA_NONCE96_SIZE) - { - chacha_set_nonce96(&ctx, nonce->data); - /* Use initial counter 1, for - draft-irtf-cfrg-chacha20-poly1305-08 test cases. 
*/ - ctx.state[12]++; - } - else - die ("Bad nonce size %u.\n", (unsigned) nonce->length); + if (verbose) + { + printf("Result after encryption:\n"); + print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); + } +} - chacha_crypt (&ctx, length, data, data); +static void +_test_chacha(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, const struct tstring *counter) +{ + struct chacha_ctx ctx; + nettle_set_key_func *set_nonce; + nettle_set_key_func *set_counter; + nettle_crypt_func *crypt; + uint8_t *data = xalloc (expected->length + 2); + size_t length; + data++; - ASSERT (data[-1] == 17); - ASSERT (data[length] == 17); - if (!MEMEQ(length, data, expected->data)) - { - printf("Error, length %u, expected:\n", (unsigned) length); - print_hex (length, expected->data); - printf("Got:\n"); - print_hex(length, data); - FAIL (); - } - } - if (verbose) - { - printf("Result after encryption:\n"); - print_hex(expected->length, data); - } - free (data - 1); + ASSERT (key->length == CHACHA_KEY_SIZE); + chacha_set_key (&ctx, key->data); + + switch (nonce->length) + { + case CHACHA_NONCE_SIZE: + set_nonce = (nettle_set_key_func *) chacha_set_nonce; + set_counter = (nettle_set_key_func *) chacha_set_counter; + crypt = (nettle_crypt_func *) chacha_crypt; + if (counter) + ASSERT (counter->length == CHACHA_COUNTER_SIZE); + break; + case CHACHA_NONCE96_SIZE: + set_nonce = (nettle_set_key_func *) chacha_set_nonce96; + set_counter = (nettle_set_key_func *) chacha_set_counter32; + crypt = (nettle_crypt_func *) chacha_crypt32; + if (counter) + ASSERT (counter->length == CHACHA_COUNTER32_SIZE); + break; + default: + die ("Bad nonce size %u.\n", (unsigned) nonce->length); } - else + + for (length = 1; length <= expected->length; length++) { - /* Uses the _chacha_core function to be able to test different - numbers of rounds. 
*/ - uint32_t out[_CHACHA_STATE_LENGTH]; - ASSERT (expected->length == CHACHA_BLOCK_SIZE); - ASSERT (nonce->length == CHACHA_NONCE_SIZE); + size_t offset; + + data[-1] = 17; + memset (data, 0, length); + data[length] = 17; - chacha_set_nonce(&ctx, nonce->data); - _chacha_core (out, ctx.state, rounds); + set_nonce (&ctx, nonce->data); - if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) + if (counter) + set_counter (&ctx, counter->data); + + crypt (&ctx, length, data, data); + + ASSERT (data[-1] == 17); + ASSERT (data[length] == 17); + if (!MEMEQ(length, data, expected->data)) { - printf("Error, expected:\n"); - tstring_print_hex (expected); + printf("Error, length %u, expected:\n", (unsigned) length); + print_hex (length, expected->data); printf("Got:\n"); - print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); + print_hex(length, data); FAIL (); } - - if (verbose) + /* Round up to next block boundary. */ + offset = (length + CHACHA_BLOCK_SIZE - 1) & -CHACHA_BLOCK_SIZE; + if (offset < expected->length) { - printf("Result after encryption:\n"); - print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); + memset(data, 0, expected->length - offset); + data[expected->length - offset] = 17; + crypt (&ctx, expected->length - offset, data, data); + if (!MEMEQ(expected->length - offset, data, expected->data + offset)) + { + printf("Error, length %u, offset %u, remaining %u, expected:\n", + (unsigned) length, (unsigned) offset, + (unsigned) (expected->length - offset)); + print_hex (expected->length - offset, expected->data + offset); + printf("Got:\n"); + print_hex(expected->length - offset, data); + FAIL (); + } } } + if (verbose) + { + printf("Result after encryption:\n"); + print_hex(expected->length, data); + } + free (data - 1); } -void -test_main(void) +static void +test_chacha(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected) { - /* Test vectors from draft-strombergson-chacha-test-vectors */ -#if 0 - /* TC1: All zero key and IV. 
128 bit key and 8 rounds. */ - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("e28a5fa4a67f8c5d efed3e6fb7303486" - "aa8427d31419a729 572d777953491120" - "b64ab8e72b8deb85 cd6aea7cb6089a10" - "1824beeb08814a42 8aab1fa2c816081b"), - 8); + _test_chacha(key, nonce, expected, NULL); +} - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("e1047ba9476bf8ff 312c01b4345a7d8c" - "a5792b0ad467313f 1dc412b5fdce3241" - "0dea8b68bd774c36 a920f092a04d3f95" - "274fbeff97bc8491 fcef37f85970b450"), - 12); +static void +test_chacha_with_counter(const struct tstring *key, const struct tstring *nonce, + const struct tstring *expected, + const struct tstring *counter) +{ + _test_chacha(key, nonce, expected, counter); +} - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("89670952608364fd 00b2f90936f031c8" - "e756e15dba04b849 3d00429259b20f46" - "cc04f111246b6c2c e066be3bfb32d9aa" - "0fddfbc12123d4b9 e44f34dca05a103f" - - "6cd135c2878c832b 5896b134f6142a9d" - "4d8d0d8f1026d20a 0a81512cbce6e975" - "8a7143d021978022 a384141a80cea306" - "2f41f67a752e66ad 3411984c787e30ad"), - 20); -#endif - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1" - "2c840ec3ce9a7f3b 181be188ef711a1e" - "984ce172b9216f41 9f445367456d5619" - "314a42a3da86b001 387bfdb80e0cfe42" - - /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad" - "c0fd581259f9a2aa dcf20f8fd566a26b" - "5032ec38bbc5da98 ee0c6f568b872a65" - "a08abf251deb21bb 4b56e5d8821e68aa" */), - 8); +void +test_main(void) +{ + test_chacha_core(); - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("9bf49a6a0755f953 811fce125f2683d5" - "0429c3bb49e07414 7e0089a52eae155f" - "0564f879d27ae3c0 2ce82834acfa8c79" - "3a629f2ca0de6919 610be82f411326be" - - /* 
"0bd58841203e74fe 86fc71338ce0173d" - "c628ebb719bdcbcc 151585214cc089b4" - "42258dcda14cf111 c602b8971b8cc843" - "e91e46ca905151c0 2744a6b017e69316" */), - 12); + /* Test vectors from draft-strombergson-chacha-test-vectors */ + test_chacha_rounds (SHEX("0000000000000000 0000000000000000" + "0000000000000000 0000000000000000"), + SHEX("0000000000000000"), + SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1" + "2c840ec3ce9a7f3b 181be188ef711a1e" + "984ce172b9216f41 9f445367456d5619" + "314a42a3da86b001 387bfdb80e0cfe42" + + /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad" + "c0fd581259f9a2aa dcf20f8fd566a26b" + "5032ec38bbc5da98 ee0c6f568b872a65" + "a08abf251deb21bb 4b56e5d8821e68aa" */), + 8); + + test_chacha_rounds (SHEX("0000000000000000 0000000000000000" + "0000000000000000 0000000000000000"), + SHEX("0000000000000000"), + SHEX("9bf49a6a0755f953 811fce125f2683d5" + "0429c3bb49e07414 7e0089a52eae155f" + "0564f879d27ae3c0 2ce82834acfa8c79" + "3a629f2ca0de6919 610be82f411326be" + + /* "0bd58841203e74fe 86fc71338ce0173d" + "c628ebb719bdcbcc 151585214cc089b4" + "42258dcda14cf111 c602b8971b8cc843" + "e91e46ca905151c0 2744a6b017e69316" */), + 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), 
@@ -190,57 +302,26 @@ "9f07e7be5551387a 98ba977c732d080d" "cb0f29a048e36569 12c6533e32ee7aed" "29b721769ce64e43 d57133b074d839d5" - "31ed1f28510afb45 ace10a1f4b794d6f"), - 20); + "31ed1f28510afb45 ace10a1f4b794d6f")); /* TC2: Single bit in key set. All zero IV */ -#if 0 - test_chacha (SHEX("0100000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("03a7669888605a07 65e8357475e58673" - "f94fc8161da76c2a 3aa2f3caf9fe5449" - "e0fcf38eb882656a f83d430d410927d5" - "5c972ac4c92ab9da 3713e19f761eaa14"), - 8); - - test_chacha (SHEX("0100000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("2a865a3b8999fa83 ae8aacf33fc6be4f" - "32c8aa9762738d26 963270052f4eef8b" - "86af758f7867560a f6d0eeb973b5542b" - "b24c8abceac8b1f3 6d026963d6c8a9b2"), - 12); - - test_chacha (SHEX("0100000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("ae56060d04f5b597 897ff2af1388dbce" - "ff5a2a4920335dc1 7a3cb1b1b10fbe70" - "ece8f4864d8c7cdf 0076453a8291c7db" - "eb3aa9c9d10e8ca3 6be4449376ed7c42" - - "fc3d471c34a36fbb f616bc0a0e7c5230" - "30d944f43ec3e78d d6a12466547cb4f7" - "b3cebd0a5005e762 e562d1375b7ac445" - "93a991b85d1a60fb a2035dfaa2a642d5"), - 20); -#endif - test_chacha (SHEX("0100000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("cf5ee9a0494aa961 3e05d5ed725b804b" - "12f4a465ee635acc 3a311de8740489ea" - "289d04f43c7518db 56eb4433e498a123" - "8cd8464d3763ddbb 9222ee3bd8fae3c8"), - 8); - - test_chacha (SHEX("0100000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("12056e595d56b0f6 eef090f0cd25a209" - "49248c2790525d0f 930218ff0b4ddd10" - "a6002239d9a454e2 9e107a7d06fefdfe" - "f0210feba044f9f2 9b1772c960dc29c0"), - 12); + test_chacha_rounds (SHEX("0100000000000000 0000000000000000" + "0000000000000000 0000000000000000"), + SHEX("0000000000000000"), + SHEX("cf5ee9a0494aa961 3e05d5ed725b804b" + "12f4a465ee635acc 3a311de8740489ea" + 
"289d04f43c7518db 56eb4433e498a123" + "8cd8464d3763ddbb 9222ee3bd8fae3c8"), + 8); + + test_chacha_rounds (SHEX("0100000000000000 0000000000000000" + "0000000000000000 0000000000000000"), + SHEX("0000000000000000"), + SHEX("12056e595d56b0f6 eef090f0cd25a209" + "49248c2790525d0f 930218ff0b4ddd10" + "a6002239d9a454e2 9e107a7d06fefdfe" + "f0210feba044f9f2 9b1772c960dc29c0"), + 12); test_chacha (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), 
@@ -253,57 +334,26 @@ "10f656e6d1fd5505 3e50c4875c9930a3" "3f6d0263bd14dfd6 ab8c70521c19338b" "2308b95cf8d0bb7d 202d2102780ea352" - "8f1cb48560f76b20 f382b942500fceac"), - 20); + "8f1cb48560f76b20 f382b942500fceac")); /* TC3: Single bit in IV set. All zero key */ -#if 0 - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("25f5bec6683916ff 44bccd12d102e692" - "176663f4cac53e71 9509ca74b6b2eec8" - "5da4236fb2990201 2adc8f0d86c8187d" - "25cd1c486966930d 0204c4ee88a6ab35"), - 8); - - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("91cdb2f180bc89cf e86b8b6871cd6b3a" - "f61abf6eba01635d b619c40a0b2e19ed" - "fa8ce5a9bd7f53cc 2c9bcfea181e9754" - "a9e245731f658cc2 82c2ae1cab1ae02c"), - 12); - - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("1663879eb3f2c994 9e2388caa343d361" - "bb132771245ae6d0 27ca9cb010dc1fa7" - "178dc41f8278bc1f 64b3f12769a24097" - "f40d63a86366bdb3 6ac08abe60c07fe8" - - "b057375c89144408 cc744624f69f7f4c" - "cbd93366c92fc4df cada65f1b959d8c6" - "4dfc50de711fb464 16c2553cc60f21bb" - "fd006491cb17888b 4fb3521c4fdd8745"), - 20); -#endif - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1" - "3aa0edccc1be6942 090faeeca0d7599b" - "7ff0fe616bb25aa0 153ad6fdc88b9549" - "03c22426d478b97b 22b8f9b1db00cf06"), - 8); - - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d" - "f8b33f635714418f 9836ade59be12969" - "46c953a0f38ecffc 9ecb98e81d5d99a5" - "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"), - 12); + test_chacha_rounds (SHEX("0000000000000000 0000000000000000" + "0000000000000000 0000000000000000"), + SHEX("0100000000000000"), + SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1" + "3aa0edccc1be6942 090faeeca0d7599b" + 
"7ff0fe616bb25aa0 153ad6fdc88b9549" + "03c22426d478b97b 22b8f9b1db00cf06"), + 8); + + test_chacha_rounds (SHEX("0000000000000000 0000000000000000" + "0000000000000000 0000000000000000"), + SHEX("0100000000000000"), + SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d" + "f8b33f635714418f 9836ade59be12969" + "46c953a0f38ecffc 9ecb98e81d5d99a5" + "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"), + 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), 
@@ -316,57 +366,26 @@ "5305e5e44aff19b2 35936144675efbe4" "409eb7e8e5f1430f 5f5836aeb49bb532" "8b017c4b9dc11f8a 03863fa803dc71d5" - "726b2b6b31aa3270 8afe5af1d6b69058"), - 20); + "726b2b6b31aa3270 8afe5af1d6b69058")); /* TC4: All bits in key and IV are set. */ -#if 0 - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("2204d5b81ce66219 3e00966034f91302" - "f14a3fb047f58b6e 6ef0d72113230416" - "3e0fb640d76ff9c3 b9cd99996e6e38fa" - "d13f0e31c82244d3 3abbc1b11e8bf12d"), - 8); - - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("60e349e60c38b328 c4baab90d44a7c72" - "7662770d36350d65 a1433bd92b00ecf4" - "83d5597d7a616258 ec3c5d5b30e1c5c8" - "5c5dfe2f92423b8e 36870f3185b6add9"), - 12); - - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("992947c3966126a0 e660a3e95db048de" - "091fb9e0185b1e41 e41015bb7ee50150" - "399e4760b262f9d5 3f26d8dd19e56f5c" - "506ae0c3619fa67f b0c408106d0203ee" - - "40ea3cfa61fa32a2 fda8d1238a2135d9" - "d4178775240f9900 7064a6a7f0c731b6" - "7c227c52ef796b6b ed9f9059ba0614bc" - "f6dd6e38917f3b15 0e576375be50ed67"), - 20); -#endif - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" - "ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("e163bbf8c9a739d1 8925ee8362dad2cd" - "c973df05225afb2a a26396f2a9849a4a" - "445e0547d31c1623 c537df4ba85c70a9" - "884a35bcbf3dfab0 77e98b0f68135f54"), - 8); - - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" - "ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("04bf88dae8e47a22 8fa47b7e6379434b" - "a664a7d28f4dab84 e5f8b464add20c3a" - "caa69c5ab221a23a 57eb5f345c96f4d1" - "322d0a2ff7a9cd43 401cd536639a615a"), - 12); + test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff" + "ffffffffffffffff ffffffffffffffff"), + SHEX("ffffffffffffffff"), + SHEX("e163bbf8c9a739d1 8925ee8362dad2cd" + "c973df05225afb2a a26396f2a9849a4a" + 
"445e0547d31c1623 c537df4ba85c70a9" + "884a35bcbf3dfab0 77e98b0f68135f54"), + 8); + + test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff" + "ffffffffffffffff ffffffffffffffff"), + SHEX("ffffffffffffffff"), + SHEX("04bf88dae8e47a22 8fa47b7e6379434b" + "a664a7d28f4dab84 e5f8b464add20c3a" + "caa69c5ab221a23a 57eb5f345c96f4d1" + "322d0a2ff7a9cd43 401cd536639a615a"), + 12); test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), 
@@ -379,57 +398,26 @@ "5bac2acd86a836c5 dc98c116c1217ec3" "1d3a63a9451319f0 97f3b4d6dab07787" "19477d24d24b403a 12241d7cca064f79" - "0f1d51ccaff6b166 7d4bbca1958c4306"), - 20); + "0f1d51ccaff6b166 7d4bbca1958c4306")); /* TC5: Every even bit set in key and IV. */ -#if 0 - test_chacha (SHEX("5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("f0a23bc36270e18e d0691dc384374b9b" - "2c5cb60110a03f56 fa48a9fbbad961aa" - "6bab4d892e96261b 6f1a0919514ae56f" - "86e066e17c71a417 6ac684af1c931996"), - 8); - - test_chacha (SHEX("5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("90ec7a49ee0b20a8 08af3d463c1fac6c" - "2a7c897ce8f6e60d 793b62ddbebcf980" - "ac917f091e52952d b063b1d2b947de04" - "aac087190ca99a35 b5ea501eb535d570"), - 12); - - test_chacha (SHEX("5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("357d7d94f966778f 5815a2051dcb0413" - "3b26b0ead9f57dd0 9927837bc3067e4b" - "6bf299ad81f7f50c 8da83c7810bfc17b" - "b6f4813ab6c32695 7045fd3fd5e19915" - - "ec744a6b9bf8cbdc b36d8b6a5499c68a" - "08ef7be6cc1e93f2 f5bcd2cad4e47c18" - "a3e5d94b5666382c 6d130d822dd56aac" - "b0f8195278e7b292 495f09868ddf12cc"), - 20); -#endif - test_chacha (SHEX("5555555555555555 5555555555555555" - "5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("7cb78214e4d3465b 6dc62cf7a1538c88" - "996952b4fb72cb61 05f1243ce3442e29" - "75a59ebcd2b2a598 290d7538491fe65b" - "dbfefd060d887981 20a70d049dc2677d"), - 8); - - test_chacha (SHEX("5555555555555555 5555555555555555" - "5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("a600f07727ff93f3 da00dd74cc3e8bfb" - "5ca7302f6a0a2944 953de00450eecd40" - "b860f66049f2eaed 63b2ef39cc310d2c" - "488f5d9a241b615d c0ab70f921b91b95"), - 12); + test_chacha_rounds (SHEX("5555555555555555 5555555555555555" + "5555555555555555 5555555555555555"), + SHEX("5555555555555555"), + SHEX("7cb78214e4d3465b 6dc62cf7a1538c88" + "996952b4fb72cb61 05f1243ce3442e29" + 
"75a59ebcd2b2a598 290d7538491fe65b" + "dbfefd060d887981 20a70d049dc2677d"), + 8); + + test_chacha_rounds (SHEX("5555555555555555 5555555555555555" + "5555555555555555 5555555555555555"), + SHEX("5555555555555555"), + SHEX("a600f07727ff93f3 da00dd74cc3e8bfb" + "5ca7302f6a0a2944 953de00450eecd40" + "b860f66049f2eaed 63b2ef39cc310d2c" + "488f5d9a241b615d c0ab70f921b91b95"), + 12); test_chacha (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), 
@@ -442,57 +430,26 @@ "e0b8f676e644216f 4d2a3422d7fa36c6" "c4931aca950e9da4 2788e6d0b6d1cd83" "8ef652e97b145b14 871eae6c6804c700" - "4db5ac2fce4c68c7 26d004b10fcaba86"), - 20); + "4db5ac2fce4c68c7 26d004b10fcaba86")); /* TC6: Every odd bit set in key and IV. */ -#if 0 - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("312d95c0bc38eff4 942db2d50bdc500a" - "30641ef7132db1a8 ae838b3bea3a7ab0" - "3815d7a4cc09dbf5 882a3433d743aced" - "48136ebab7329950 6855c0f5437a36c6"), - 8); - - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("057fe84fead13c24 b76bb2a6fdde66f2" - "688e8eb6268275c2 2c6bcb90b85616d7" - "fe4d3193a1036b70 d7fb864f01453641" - "851029ecdb60ac38 79f56496f16213f4"), - 12); - - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("fc79acbd58526103 862776aab20f3b7d" - "8d3149b2fab65766 299316b6e5b16684" - "de5de548c1b7d083 efd9e3052319e0c6" - "254141da04a6586d f800f64d46b01c87" - - "1f05bc67e07628eb e6f6865a2177e0b6" - "6a558aa7cc1e8ff1 a98d27f7071f8335" - "efce4537bb0ef7b5 73b32f32765f2900" - "7da53bba62e7a44d 006f41eb28fe15d6"), - 20); -#endif - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" - "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61" - "2d71ef7f0cf9e387 df6ed6972f0aae21" - "311aa581f816c90e 8a99de990b6b95aa" - "c92450f4e1127126 67b804c99e9c6eda"), - 8); - - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" - "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("856505b01d3b47aa e03d6a97aa0f033a" - "9adcc94377babd86 08864fb3f625b6e3" - "14f086158f9f725d 811eeb953b7f7470" - "76e4c3f639fa841f ad6c9a709e621397"), - 12); + test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" + "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), + SHEX("aaaaaaaaaaaaaaaa"), + SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61" + "2d71ef7f0cf9e387 df6ed6972f0aae21" + 
"311aa581f816c90e 8a99de990b6b95aa" + "c92450f4e1127126 67b804c99e9c6eda"), + 8); + + test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" + "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), + SHEX("aaaaaaaaaaaaaaaa"), + SHEX("856505b01d3b47aa e03d6a97aa0f033a" + "9adcc94377babd86 08864fb3f625b6e3" + "14f086158f9f725d 811eeb953b7f7470" + "76e4c3f639fa841f ad6c9a709e621397"), + 12); test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), 
@@ -505,57 +462,26 @@ "72184489440545d0 21d97ef6b693dfe5" "b2c132d47e6f041c 9063651f96b623e6" "2a11999a23b6f7c4 61b2153026ad5e86" - "6a2e597ed07b8401 dec63a0934c6b2a9"), - 20); + "6a2e597ed07b8401 dec63a0934c6b2a9")); /* TC7: Sequence patterns in key and IV. */ -#if 0 - test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("29560d280b452840 0a8f4b795369fb3a" - "01105599e9f1ed58 279cfc9ece2dc5f9" - "9f1c2e52c98238f5 42a5c0a881d850b6" - "15d3acd9fbdb026e 9368565da50e0d49"), - 8); - - test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("5eddc2d9428fceee c50a52a964eae0ff" - "b04b2de006a9b04c ff368ffa921116b2" - "e8e264babd2efa0d e43ef2e3b6d065e8" - "f7c0a17837b0a40e b0e2c7a3742c8753"), - 12); - - test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("d1abf630467eb4f6 7f1cfb47cd626aae" - "8afedbbe4ff8fc5f e9cfae307e74ed45" - "1f1404425ad2b545 69d5f18148939971" - "abb8fafc88ce4ac7 fe1c3d1f7a1eb7ca" - - "e76ca87b61a97135 41497760dd9ae059" - "350cad0dcedfaa80 a883119a1a6f987f" - "d1ce91fd8ee08280 34b411200a9745a2" - "85554475d12afc04 887fef3516d12a2c"), - 20); -#endif - test_chacha (SHEX("0011223344556677 8899aabbccddeeff" - "ffeeddccbbaa9988 7766554433221100"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("db43ad9d1e842d12 72e4530e276b3f56" - "8f8859b3f7cf6d9d 2c74fa53808cb515" - "7a8ebf46ad3dcc4b 6c7dadde131784b0" - "120e0e22f6d5f9ff a7407d4a21b695d9"), - 8); - - test_chacha (SHEX("0011223344556677 8899aabbccddeeff" - "ffeeddccbbaa9988 7766554433221100"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e" - "568b0e5589346935 505f064b8c2698db" - "f7d850667d8e67be 639f3b4f6a16f92e" - "65ea80f6c7429445 da1fc2c1b9365040"), - 12); + test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff" + "ffeeddccbbaa9988 7766554433221100"), + SHEX("0f1e2d3c4b5a6978"), + SHEX("db43ad9d1e842d12 72e4530e276b3f56" + "8f8859b3f7cf6d9d 2c74fa53808cb515" + 
"7a8ebf46ad3dcc4b 6c7dadde131784b0" + "120e0e22f6d5f9ff a7407d4a21b695d9"), + 8); + + test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff" + "ffeeddccbbaa9988 7766554433221100"), + SHEX("0f1e2d3c4b5a6978"), + SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e" + "568b0e5589346935 505f064b8c2698db" + "f7d850667d8e67be 639f3b4f6a16f92e" + "65ea80f6c7429445 da1fc2c1b9365040"), + 12); test_chacha (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), 
@@ -568,57 +494,26 @@ "fbfd29cf7bc1d279 eddf25dd316bb884" "3d6edee0bd1ef121 d12fa17cbc2c574c" "ccab5e275167b08b d686f8a09df87ec3" - "ffb35361b94ebfa1 3fec0e4889d18da5"), - 20); + "ffb35361b94ebfa1 3fec0e4889d18da5")); /* TC8: hashed string patterns */ -#if 0 - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), - SHEX("1ada31d5cf688221"), - SHEX("6a870108859f6791 18f3e205e2a56a68" - "26ef5a60a4102ac8 d4770059fcb7c7ba" - "e02f5ce004a6bfbb ea53014dd82107c0" - "aa1c7ce11b7d78f2 d50bd3602bbd2594"), - 8); - - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), - SHEX("1ada31d5cf688221"), - SHEX("b02bd81eb55c8f68 b5e9ca4e307079bc" - "225bd22007eddc67 02801820709ce098" - "07046a0d2aa552bf dbb49466176d56e3" - "2d519e10f5ad5f27 46e241e09bdf9959"), - 12); - - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), - SHEX("1ada31d5cf688221"), - SHEX("826abdd84460e2e9 349f0ef4af5b179b" - "426e4b2d109a9c5b b44000ae51bea90a" - "496beeef62a76850 ff3f0402c4ddc99f" - "6db07f151c1c0dfa c2e56565d6289625" - - "5b23132e7b469c7b fb88fa95d44ca5ae" - "3e45e848a4108e98 bad7a9eb15512784" - "a6a9e6e591dce674 120acaf9040ff50f" - "f3ac30ccfb5e1420 4f5e4268b90a8804"), - 20); -#endif - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" - "1f68ed2e194c79fb c6aebee1a667975d"), - SHEX("1ada31d5cf688221"), - SHEX("838751b42d8ddd8a 3d77f48825a2ba75" - "2cf4047cb308a597 8ef274973be374c9" - "6ad848065871417b 08f034e681fe46a9" - "3f7d5c61d1306614 d4aaf257a7cff08b"), - 8); - - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" - "1f68ed2e194c79fb c6aebee1a667975d"), - SHEX("1ada31d5cf688221"), - SHEX("1482072784bc6d06 b4e73bdc118bc010" - "3c7976786ca918e0 6986aa251f7e9cc1" - "b2749a0a16ee83b4 242d2e99b08d7c20" - "092b80bc466c8728 3b61b1b39d0ffbab"), - 12); + test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735" + "1f68ed2e194c79fb c6aebee1a667975d"), + SHEX("1ada31d5cf688221"), + SHEX("838751b42d8ddd8a 3d77f48825a2ba75" + "2cf4047cb308a597 8ef274973be374c9" + "6ad848065871417b 
08f034e681fe46a9" + "3f7d5c61d1306614 d4aaf257a7cff08b"), + 8); + + test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735" + "1f68ed2e194c79fb c6aebee1a667975d"), + SHEX("1ada31d5cf688221"), + SHEX("1482072784bc6d06 b4e73bdc118bc010" + "3c7976786ca918e0 6986aa251f7e9cc1" + "b2749a0a16ee83b4 242d2e99b08d7c20" + "092b80bc466c8728 3b61b1b39d0ffbab"), + 12); test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), 
@@ -631,16 +526,264 @@ "e5fbc34e60a1d9a9 db17345b0a402736" "853bf910b060bdf1 f897b6290f01d138" "ae2c4c90225ba9ea 14d518f55929dea0" - "98ca7a6ccfe61227 053c84e49a4a3332"), - 20); + "98ca7a6ccfe61227 053c84e49a4a3332")); - /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce */ - test_chacha(SHEX("0001020304050607 08090a0b0c0d0e0f" - "1011121314151617 18191a1b1c1d1e1f"), - SHEX("000000090000004a 00000000"), - SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" - "c7d1f4c733c06803 0422aa9ac3d46c4e" - "d2826446079faa09 14c2d705d98b02a2" - "b5129cd1de164eb9 cbd083e8a2503c4e"), - 20); + /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce. Manually + sets the 32-bit counter value to 1. */ + test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" + "1011121314151617 18191a1b1c1d1e1f"), + SHEX("000000090000004a 00000000"), + SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" + "c7d1f4c733c06803 0422aa9ac3d46c4e" + "d2826446079faa09 14c2d705d98b02a2" + "b5129cd1de164eb9 cbd083e8a2503c4e"), + SHEX("01000000")); + + /* This is identical to the above 96-bit nonce test, but it manually + sets the 64-bit counter value */ + test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" + "1011121314151617 18191a1b1c1d1e1f"), + SHEX("0000004a00000000"), + SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" + "c7d1f4c733c06803 0422aa9ac3d46c4e" + "d2826446079faa09 14c2d705d98b02a2" + "b5129cd1de164eb9 cbd083e8a2503c4e"), + SHEX("0100000000000009")); + + /* Tests with long message, 16 blocks. 
*/ + test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b" + "09742e5a6858def1 c1413425719ba204"), + SHEX("f9a864f273cc10fe baf531d7"), + SHEX("3bed2adca04c96c8 d74e08aff4d5d9e0" + "836209a15db7ea25 87c61d61a3472c4f" + "b09ec92d020a25fd 183eb31870bf01c2" + "9a87c2280ca12718 2af7a0b626ba4906" + + "51268430b180c7f9 5bb680bacf4a84e7" + "dadd67bb6e2aa32d 22fb99ae4dfac283" + "acb0f596f75518f9 3227448d63048f1a" + "20108699cc0504e5 524e11e71f05d3f9" + + "b37725c68260448d dd61b690f614571b" + "a57a848f6f2b0e10 5c044986d9d2f7ca" + "10177a27c5ccbb94 ffefcb87d836b02a" + "e6c312ebd5862520 c67d05259326a1d5" + + "645a6f4cdda94de2 8d5d8069d95263e7" + "037c4fbe1322fcb5 cf5ab14237039b76" + "f76134345777d647 799f248b7f8c9a94" + "713e5678bfdef4f2 7285a34be8800146" + + "1f9cffbf24228377 d583f34ddb9c6010" + "8c035f7e5285953c 74b56e1508531705" + "f49398b409d94276 435814ee76232b57" + "0b461913fa88381f 238a241afa7042f0" + + "35e796cb4a058dfc 4098b614464ad230" + "9c6e7719d940e26b 8d77472d357230f5" + "cb35cfa86bf46324 eafb305ae2d50509" + "0e635ebe9e4a090a 41c8e9e931d7bf5f" + + "22a59d75130c62e3 a4829fc38d07d458" + "072956a6282b9a90 f9a491e064dcc689" + "28e47fd1c7131e97 6f755027fbf190cf" + "977de188faa80a7c 83921745bb14f534" + + "3cbc9d86d01379f3 d59fa5b454ed8855" + "46f34b9e419dfe08 9879cae4b297a3d8" + "28367da777756aaa 9de2005e0ad1af6f" + "af6daf9c14aedc39 fcbf95863a128816" + + "93f22a580c96ca98 da6c13166cd17b22" + "2c468df637bf2961 e6b7692c6ed3463b" + "84a1837108de1ea4 20c0a890c92768b8" + "ac6732645a1a609c 28345d5e69f9475c" + + "21401fe2b7504230 ce4866d09484ffdc" + "0bdd08f193993b26 083808e88f109d3b" + "753d61a4391b1461 fe3a9bc07e2fee7b" + "b37c9997c8f3d081 d6d145fb060da3f2" + + "28a31a2be1a35c6c 4c6181bac0f1119e" + "e87bc230512e0fb4 38040e89e8af7452" + "71530ae0e34bca8e 0cfbe5bbad577bea" + "bc1c9c673d197185 7033822cd0ea21ed" + + "ccfdf4788f62c26b bd2718e576db61f5" + "4ebef978884c7fe7 b4934918cb89e3a2" + "df3b5c664ab9ff09 0c016ba84ebbbd73" + "8cf905fc8ca95dee 757a901ea27a33d2" + + 
"813f0a17692c5646 6f9690cddb3e15f7" + "1020f9321bd45ccb 49c41deb49103a7d" + "b8535b705e4d3389 f4495ee49f96dc5d" + "c7eab39129652078 8b3876576f5dadb0" + + "a674bdad75a9f581 d48fbc2e6de734f0" + "73f78ed77b041a09 760ef6eb754cc60e" + "8fabd6e1b3ce02bb b302f8a73be42ddf" + "1dae4d8b251320d2 184adaf92eb76b12" + + "37d169621de761fb cb6942a7b9972cca" + "9d35d58b2779523b ad584c27bb991acd" + "a0be4174dcd85ffe fe16abf2235829c5" + "0ac49897e2b2a7ef b1c5c07e80d7fce1" + + "c4f5596231ad3436 0c75cd60b5088281" + "83c74ffc805177f7 c687454582a3cbc3" + "79180c9a90680eda 68499e0ee435c7c6" + "e028d305299b43dd eb68c387ae694a53")); + + test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b" + "09742e5a6858def1 c1413425719ba204"), + SHEX("f9a864f273cc10fe"), + SHEX("bd11678b8300a275 60dadbde311b1660" + "edf6ec14eff4b553 418c7a99c8a0512b" + "f79cfbf853f0df4f daa806dd6ac12aea" + "bc92f8d4964f4d86 e12934589e46b6f3" + + "cb00ac786355852a f066f1ca2485f7bb" + "232096e5a6042498 149600c6d438598a" + "8b89bf6b3adcbbd8 010e91148c01c06d" + "4f5b651333f32292 0e149f6fe2dcc8a4" + + "98744655d32732f8 69a88b5cf80761a8" + "218888d5ba5788c8 7eef9340e2f03b0c" + "b1caf7cfe0d9cde6 434d615a7f1c603e" + "1302e311cadb7c69 95ca53981ae58aac" + + "40718e7dc61eabe3 35c253988217fc10" + "1a1633b9bce6fbc9 b9fd9c9a2ab319a5" + "9ba134ef7505e64c c35cccbb320bec09" + "4dc950849b49d86d 572f795c1a24dbe3" + + "2d51e61a7291375a 85b150f0530f53c1" + "3c987c0beedb2107 49c847c774523858" + "dbeb997609cf89ad cf7433e668a460bc" + "52cfa00951daac95 e5edc8baf32a867e" + + "81c3d7de7f34ea28 f74339985f2643cc" + "9b5d30d76872d20e fb18d914a58f0083" + "d5d322f5cdd5a3dd 63148988bb79e97a" + "1e8a9595e1f4cccd 8910a043f1b07cd1" + + "bcb8e7c4c8018de9 8ff65b2787304751" + "333b94ae56dbbb36 4e9ed750dc77d9ce" + "c9c5a440663b78a6 0dba2ac3b5e7fcf1" + "c1f14cd1a9794c49 ff082df137a4a35d" + + "bee8409979b49275 3a4a32825b6c9903" + "28440e2c7d2c2cae 4bdd5769dc0cc31f" + "4bd5b8d090ec6cbe d743b44bf62531c5" + "f12e1bbb68cca686 36953a259c9d4b9b" + + "c1ec206c8a506f49 
9a13a2e60c026f53" + "61bd34428f9d6fa7 207c63589d1efd5f" + "161cc957275a7f00 992c7e1dfda6f913" + "9d35ae670cff55da 1dba6a2f13424b3f" + + "61c68580885eba6a f2aecb29d138b209" + "1c7227902aceddfb d4761f7cbae75d89" + "aaca5808a4704410 448a6eb13cf4b4f6" + "cd7c37341ae80b23 6affef543aef78aa" + + "15a4581380cb19b8 e684ddd3efaea4e6" + "bb88c07aa9325398 cb67e241a59732d0" + "dfe999532b53d255 fb34a937aa55ae4d" + "02b7850831b7b669 1e4ee269c5d38a9d" + + "80133265072ab3f3 af627298a265d7c0" + "1fe95f895b08d4c8 7dd4f6f7a6ce1393" + "de4225fedd1bf3c1 fe76a171f99d5e3f" + "975e31ca21d58fa6 daf580dcb46379a6" + + "8a6a65e72b4df392 d3f94697f352286e" + "0f00ce97f2656011 4ccf17bdcedc9589" + "a9c8041e9f3daf9c f5c222d6ddbd2cfc" + "b26065a9f85592d5 e6f85a46e0e9fd79" + + "f25197451c8d18d3 ed15cac7ba27870f" + "8f0cbe7c17409a4e 66e95adde633d2d6" + "270e0d17ca774efa 1ce9908e03baf208" + "cfee33add11dcd9e 032db6fbb7b209a6" + + "30ac76c88e695413 a3c75d885a2fe9c4" + "50236bf7a59110d5 62c77bc046afeb0d" + "a8210a75a79e6732 9e49a225bee17b84" + "bf24bdd32f77fdf4 05fd06955b0802d9" + + "7a4f115b8b052184 1a80620b2d66e572" + "41d137cbcb2131c5 c8cbabe8a1b0ca25" + "d760f988e68843ef ddc7449daf2b18ce" + "5825cc4f79aaf7ac 659c77a1ad294b51")); + + /* From https://github.com/weidai11/cryptopp/blob/master/TestVectors/chacha.txt */ + test_chacha_with_counter (SHEX("0000000000000000 0000000000000000" + "0000000000000000 0000000000000000"), + SHEX("0000000000000000"), + SHEX("032CC123482C3171 1F94C941AF5AB1F4" + "155784332ED5348F E79AEC5EAD4C06C3" + "F13C280D8CC49925 E4A6A5922EC80E13" + "A4CDFA840C70A142 7A3CB699166991A5" + "ACE4CD09E294D191 2D4AD205D06F95D9" + "C2F2BFCF453E8753 F128765B62215F4D" + "92C74F2F626C6A64 0C0B1284D839EC81" + "F1696281DAFC3E68 4593937023B58B1D" + "3DB41D3AA0D32928 5DE6F225E6E24BD5" + "9C9A17006943D5C9 B680E3873BDC683A" + "5819469899989690 C281CD17C96159AF" + "0682B5B903468A61 F50228CF09622B5A" + "46F0F6EFEE15C8F1 B198CB49D92B9908" + "67905159440CC723 916DC00128269810" + "39CE1766AA2542B0 
5DB3BD809AB14248" + "9D5DBFE1273E7399 637B4B3213768AAA" + "89B1889375E99FE2 442C4F68ADF54158" + "F4B8135713D00999 B92B38E3AAFE5FF4" + "959B1834BE3DC54F C36AA9D32EB121E0" + "F688B90E7C7E2649 F4AAEF407BDD2B94" + "09EFEC03114CB5D4 FFD1788E0FE1897B" + "D176C1311E368368 C657A5EE55C9CA03" + "CC71744F030822D5 3A0486A97B9D9824" + "0274FADEAF262BD8 1B58BCE3DFA98414" + "C24B5BC517FD9199 3A6B2E6232B05021" + "25C6F48A6921E2DD A8EB6B3C4ECF2AAE" + "889602AD90B5D253 7FF45DF525C67B98" + "3B51DBD23E1280AA 656EAE85B63CC42D" + "E8C70E7C19C1D66E 3F902BEA9D1ACFD3" + "326B5985AD7C8CAB D431ACBC62976CE5" + "23C938EA447D4AF0 F560DC52B0AB1D7D" + "66A42AB8272E2C40 BD66470FE6F68846" + "12A11D899A0B7EB5 4907BBEDD6483EFC" + "ED1F15621D4673FF 928C5AAB5F465257" + "123679EF17C39648 C537E150108E0F66" + "08732E9F5B240689 EEB5402FA04CCB89" + "B7CA9649A361C526 B41ED110402D9497" + "715B03441118BC49 53FCBEF395267570" + "BD43EC0EEF7B6167 F14FED205EB81290" + "7D0C134DC49FA5B1 8F5A3A3A9BD0A71B" + "2FFE445EE4FABEB4 054CC922BA360E45" + "89B681F01E2A43B5 A0C0F0C39A5ADB94" + "B3BC2D20FF7F287F DF17F53B7CB5E3A1" + "ABD46FC0819A3559 C03C6B4106603066" + "359A4A09B468B6DF EF8A363C7B31D9E8" + "8ABB85914F4A27C3 0E9915C66AAC3576" + "9E481C87AEE4C313 8CF40F288ED3C172" + "FFC17D3D78F8D32C 3C756C13CFBFB95F" + "3ECCE6D8B54344D7 8998F58148C4B43B" + "1A6201ABFF3D4FB4 B76E3BBA104CFAA5" + "5D8DA4319A9E0606 644B07DC204E9635" + "502186C1EF9E4332 2EFD69F86D4DA1F6" + "A98BF0B800BA04BD 9FBA5C5BE8EC49D4" + "8D9EECBADEE669EF 69C9522C730110BB" + "8339AF0E45185262 C9183307C5EEA59D" + "E5095CAC26E8428D 4CA9E44DCF8FC7B4" + "1F9624A2DBA36F44 415BAC489BF46CB6" + "BB1BD2B70D719772 FDABB3B166EA615A" + "BDF208C39BA8A708 D933CBC8A3236D4A" + "15629FCAA35E00C2 B361527326E7AB51" + "409A7DE42C909334 6E41D3A3C4529D95" + "57BBC01EEFF927F1 052B5E02F74542B0" + "4E78F1E933C67DBC 2C9187527C86DA77" + "F045D4B07CF646BA 9547646905F1F117"), + SHEX("feffffff00000000")); /* 32-bit overflow */ } diff -Nru nettle-3.4.1/testsuite/cmac-test.c 
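Review bot: The trailing `/* 32-bit overflow */` on the final test_chacha_with_counter call (counter `feffffff00000000`, 64 blocks of keystream) names the vector but not the property it pins, which is the one a reader needs: the low counter word starts at 0xfffffffe, so the message crosses the 32-bit boundary and the expected bytes decide whether the increment carries into the second word or wraps and repeats keystream. I'd replace it with a comment above the call such as `/* Counter starts at 0xfffffffe, so the 64-block message crosses the 32-bit counter boundary; pins the carry into the high counter word of the 64-bit-nonce layout. */`, after confirming against the counter-setting helper (not visible in this hunk) that the second word really is the counter high word in that layout. The two test_chacha_with_counter calls at the top of the hunk would likewise read better with one sentence saying they encode the same draft-irtf-cfrg-chacha20-poly1305 state through both nonce sizes (96-bit nonce with 32-bit counter 1, versus 64-bit nonce where the first nonce word of the 96-bit form becomes the high half of the 64-bit counter).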
nettle-3.7.3/testsuite/cmac-test.c --- nettle-3.4.1/testsuite/cmac-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/cmac-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,95 @@ +#include "testutils.h" +#include "nettle-internal.h" +#include "cmac.h" + +#define test_cmac_aes128(key, msg, ref) \ + test_mac(&nettle_cmac_aes128, key, msg, ref) + +#define test_cmac_aes256(key, msg, ref) \ + test_mac(&nettle_cmac_aes256, key, msg, ref) + +#define test_cmac_des3(key, msg, ref) \ + test_mac(&nettle_cmac_des3, key, msg, ref) + +void +test_main(void) +{ + /* + * CMAC-AES Test Vectors from RFC4493. + */ + test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SDATA(""), + SHEX("bb1d6929e95937287fa37d129b756746")); + + test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a"), + SHEX("070a16b46b4d4144f79bdd9dd04a287c")); + + test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411"), + SHEX("dfa66747de9ae63030ca32611497c827")); + + test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("51f0bebf7e3b9d92fc49741779363cfe")); + + /* Additional tests with different keys (same plaintext) + * to check all variants of set_key() */ + test_cmac_aes128 (SHEX("2b7e151628aed2a8abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411"), + SHEX("87dd33c2945a4e228028690ae8954945")); + + test_cmac_aes128 (SHEX("2b7e1ab628aed2a8abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411"), + SHEX("f0dc613a88886c7ed76eeb51f1c5e8d3")); + + test_cmac_aes128 (SHEX("2b7e1ab628aed2a8abf7158809cf4f3d"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411"), + SHEX("b9d092dc387a9e42cdfeb9f9930cf567")); + + /* CMAC-AES256 vectors taken from phplib */ + test_cmac_aes256 
(SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), + SDATA(""), + SHEX("028962f61b7bf89efc6b551f4667d983")); + + test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172a"), + SHEX("28a7023f452e8f82bd4bf28d8c37c35c")); + + test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411"), + SHEX("aaf3d8f1de5640c232f5b169b9c911e6")); + + test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"), + SHEX("e1992190549f6ed5696a2c056c315410")); + + /* CMAC-3DES vectors from NIST SP800-38B examples */ + test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), + SDATA(""), + SHEX("7db0d37df936c550")); + + test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), + SHEX("6bc1bee22e409f96e93d7e117393172a"), + SHEX("30239cf1f52e6609")); + + test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), + SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a57"), + SHEX("6c9f3ee4923f6be2")); + + + test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), + SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"), + SHEX("99429bd0bf7904e5")); +} diff -Nru nettle-3.4.1/testsuite/ctr-test.c nettle-3.7.3/testsuite/ctr-test.c --- nettle-3.4.1/testsuite/ctr-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ctr-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -1,6 +1,5 @@ #include "testutils.h" -#include "aes.h" -#include "ctr.h" +#include "nettle-internal.h" void test_main(void) 
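Review bot: The provenance comments in cmac-test.c are weaker than the vectors deserve: `/* CMAC-AES256 vectors taken from phplib */` names a secondary source, while the key `603deb1015ca71be...` with tag `028962f61b7bf89efc6b551f4667d983` on the empty message appears to be the NIST SP 800-38B Appendix D.3 example set, and the three `Additional tests with different keys` vectors state no origin at all. I'd cite the primary source, `/* CMAC-AES256 vectors from NIST SP 800-38B, Appendix D.3 (also reproduced in phplib) */`, and say how the unofficial tags were produced, e.g. `/* Unofficial vectors (tags computed with an independent CMAC implementation); exercise the remaining set_key() code paths */`, since a MAC test that can only be checked against its own output is weak evidence. That also brings the AES-256 block in line with the AES-128 block (RFC 4493) and the 3DES block (SP 800-38B), which already cite standards.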
@@ -58,6 +57,95 @@ "2b0930daa23de94ce87017ba2d84988d" "dfc9c58db67aada613c2dd08457941a6"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); + + /* Test carry propagation in the counter. Unofficial test vectors. */ + test_cipher_ctr(&nettle_aes128, /* 2 */ + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("fc5a51074aa08a8a 8fce0373557c8de7" + "b2ddc0e45c6e15d3 7d7e2b238a7d200c" + "d108ffc93fd4e2ef 0ee447dd77a891f4" + "a12bf17ea1f0be04 75908308a585d9bd"), + SHEX("0102030405060708090a0b0c0d0efffe")); + + test_cipher_ctr(&nettle_aes128, /* 7 */ + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("afaf63875aae5fb4 49e39377c8b972ed" + "f55c5da552429ba8 b30fa1b1edd18269" + "d6cc0ca8a964504c 9519f11ab462985b" + "16e3c7c12cf4a556 d28433500e07ab7b"), + SHEX("010203040506070809fffffffffffffe")); + + test_cipher_ctr(&nettle_aes128, /* 8 */ + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("b34ceeb036a0a71f eabd6bf64e2f70f8" + "35eb1751c4989fa9 71d747e18a45c0c6" + "2379e536ccfbdecd 0a26af9640a73e10" + "19626834910ff917 eb05a8f1a33b6d4a"), + SHEX("0102030405060708fffffffffffffffe")); + + test_cipher_ctr(&nettle_aes128, /* 9 */ + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("3891a1de2c0f71b9 b90a1f84a1d712bf" + "0ca6339a5839385f 170784fb612f15a5" + "6593433e1c21191c e042c7a695a7f65a" + "f4334fafdb372b64 0862ebb1b6bbcc7a"), + SHEX("01020304050607fffffffffffffffffe")); + + 
test_cipher_ctr(&nettle_aes128, /* 15 */ + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("91e64f693763258a aae861412d4250e2" + "963b5b8d4ccea79e ac2558295268de85" + "2f78de7d71554880 fb186a93378fb922" + "8c05c84f8d4f3edd a40a43bcc1c474db"), + SHEX("01fffffffffffffffffffffffffffffe")); + + test_cipher_ctr(&nettle_aes128, /* 16 */ + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("ba76aa54d5b56067 c1a7903b3fddfa89" + "24df0c565cf42a68 978713b67ad124fd" + "4d3f774ab9e47da2 dbb9315ea3110680" + "a18d5905ebfe25a8 03df27c2211e58d6"), + SHEX("fffffffffffffffffffffffffffffffe")); + + /* Unofficial test vector for CTR mode with triple-des, to exercise + block size different from 16. */ + test_cipher_ctr(&nettle_des3, + SHEX("3e 0b 10 b0 5d 49 c2 54" + "6b 46 e0 75 8a 91 61 85" + "cb 04 07 d3 20 16 cb a2"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("bb41303df94d0bca b881fb57e7132271" + "820f70c0d53b3f5a 686943680303b37d" + "5bbcfbd4fb283ef3 8078d0660c60121f" + "41e0f1e4c2a4fe12 a676ec05b7fc4d8f"), + SHEX("f8f9fafbfcfdfeff")); } /* diff -Nru nettle-3.4.1/testsuite/curve448-dh-test.c nettle-3.7.3/testsuite/curve448-dh-test.c --- nettle-3.4.1/testsuite/curve448-dh-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/curve448-dh-test.c 2021-06-06 20:06:30.000000000 +0000 
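Review bot: The bare `/* 2 */`, `/* 7 */`, `/* 8 */`, `/* 9 */`, `/* 15 */` and `/* 16 */` labels on the new test_cipher_ctr calls are never explained; judging from the counters (`...0d0efffe`, `...09fffffffffffffe`, ..., `fffffffffffffffe`) they are the number of trailing counter bytes that wrap to zero while the four-block message steps the counter past 0xff..ff. That is the whole point of the group and worth stating once above it, e.g. `/* Counters chosen so that the increment carries through the trailing N bytes (N in the comment on each call); 8 and 9 straddle the 64-bit half, where an implementation that increments with one 64-bit add would drop the carry and repeat keystream. */`. The test_cipher_ctr helper and the increment it drives are defined outside this hunk, so the per-block stepping is inferred from the 64-byte plaintext and should be confirmed there.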
@@ -0,0 +1,100 @@
+/* curve448-dh-test.c
+
+ Copyright (C) 2017 Daiki Ueno
+ Copyright (C) 2017 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#include "testutils.h"
+
+#include "curve448.h"
+
+static void
+test_g (const uint8_t *s, const uint8_t *r)
+{
+ uint8_t p[CURVE448_SIZE];
+ curve448_mul_g (p, s);
+ if (!MEMEQ (CURVE448_SIZE, p, r))
+ {
+ printf ("curve448_mul_g failure:\ns = ");
+ print_hex (CURVE448_SIZE, s);
+ printf ("\np = ");
+ print_hex (CURVE448_SIZE, p);
+ printf (" (bad)\nr = ");
+ print_hex (CURVE448_SIZE, r);
+ printf (" (expected)\n");
+ abort ();
+ }
+}
+
+static void
+test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r)
+{
+ uint8_t p[CURVE448_SIZE];
+ curve448_mul (p, s, b);
+ if (!MEMEQ (CURVE448_SIZE, p, r))
+ {
+ printf ("curve448_mul failure:\ns = ");
+ print_hex (CURVE448_SIZE, s);
+ printf ("\nb = ");
+ print_hex (CURVE448_SIZE, b);
+ printf ("\np = ");
+ print_hex (CURVE448_SIZE, p);
+ printf (" (bad)\nr = ");
+ print_hex (CURVE448_SIZE, r);
+ printf (" (expected)\n");
+ abort ();
+ }
+}
+
+void
+test_main (void)
+{
+ /* From RFC 7748. */
+ test_g (H("9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d"
+ "d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b"),
+ H("9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c"
+ "22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0"));
+ test_g (H("1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d"
+ "6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d"),
+ H("3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b430"
+ "27d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609"));
+
+ test_a (H("9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d"
+ "d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b"),
+ H("3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b430"
+ "27d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609"),
+ H("07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b"
+ "b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d"));
+ test_a (H("1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d"
+ "6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d"),
+ H("9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c"
+ "22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0"),
+ H("07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b"
+ "b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d"));
+}
diff -Nru nettle-3.4.1/testsuite/des-compat-test.c nettle-3.7.3/testsuite/des-compat-test.c
--- nettle-3.4.1/testsuite/des-compat-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/des-compat-test.c 1970-01-01 00:00:00.000000000 +0000
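Review bot: test_main only covers the RFC 7748 section 6.2 happy path; nothing pins what curve448_mul returns for a low-order peer value such as the all-zero u-coordinate, which is exactly the input an adversarial peer can send and the case RFC 7748 section 6.2 says callers MAY reject by checking for an all-zero shared secret. Since curve448_mul here returns void (the check, if any, has to live in the caller), I'd add one case that documents the library's behavior, e.g. `test_a (H("9a8f...726b"), H("00...00" /* 56 zero bytes */), H("00...00"));`, after confirming the all-zero output against a reference implementation before pinning it. Two smaller points: cite the section in the comment, `/* From RFC 7748, section 6.2. */`, and test_g/test_a duplicate their failure reporting, so a single static helper taking an optional base point would halve the file.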
@@ -1,876 +0,0 @@ -/* crypto/des/destest.c */ -/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include -#include -#include - -#include "des-compat.h" -#include "testutils.h" - -/* tisk tisk - the test keys don't all have odd parity :-( */ -/* test data */ -#define NUM_TESTS 34 -static const_des_cblock key_data[NUM_TESTS] = { - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}, - {0x7C,0xA1,0x10,0x45,0x4A,0x1A,0x6E,0x57}, - {0x01,0x31,0xD9,0x61,0x9D,0xC1,0x37,0x6E}, - {0x07,0xA1,0x13,0x3E,0x4A,0x0B,0x26,0x86}, - {0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E}, - {0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6}, - {0x01,0x13,0xB9,0x70,0xFD,0x34,0xF2,0xCE}, - {0x01,0x70,0xF1,0x75,0x46,0x8F,0xB5,0xE6}, - {0x43,0x29,0x7F,0xAD,0x38,0xE3,0x73,0xFE}, - {0x07,0xA7,0x13,0x70,0x45,0xDA,0x2A,0x16}, - {0x04,0x68,0x91,0x04,0xC2,0xFD,0x3B,0x2F}, - {0x37,0xD0,0x6B,0xB5,0x16,0xCB,0x75,0x46}, - {0x1F,0x08,0x26,0x0D,0x1A,0xC2,0x46,0x5E}, - {0x58,0x40,0x23,0x64,0x1A,0xBA,0x61,0x76}, - {0x02,0x58,0x16,0x16,0x46,0x29,0xB0,0x07}, - {0x49,0x79,0x3E,0xBC,0x79,0xB3,0x25,0x8F}, - {0x4F,0xB0,0x5E,0x15,0x15,0xAB,0x73,0xA7}, - {0x49,0xE9,0x5D,0x6D,0x4C,0xA2,0x29,0xBF}, - {0x01,0x83,0x10,0xDC,0x40,0x9B,0x26,0xD6}, - {0x1C,0x58,0x7F,0x1C,0x13,0x92,0x4F,0xEF}, - {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, - {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, - {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10}}; - -static unsigned char plain_data[NUM_TESTS][8]={ - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x01}, - 
{0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x01,0xA1,0xD6,0xD0,0x39,0x77,0x67,0x42}, - {0x5C,0xD5,0x4C,0xA8,0x3D,0xEF,0x57,0xDA}, - {0x02,0x48,0xD4,0x38,0x06,0xF6,0x71,0x72}, - {0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A}, - {0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2}, - {0x05,0x9B,0x5E,0x08,0x51,0xCF,0x14,0x3A}, - {0x07,0x56,0xD8,0xE0,0x77,0x47,0x61,0xD2}, - {0x76,0x25,0x14,0xB8,0x29,0xBF,0x48,0x6A}, - {0x3B,0xDD,0x11,0x90,0x49,0x37,0x28,0x02}, - {0x26,0x95,0x5F,0x68,0x35,0xAF,0x60,0x9A}, - {0x16,0x4D,0x5E,0x40,0x4F,0x27,0x52,0x32}, - {0x6B,0x05,0x6E,0x18,0x75,0x9F,0x5C,0xCA}, - {0x00,0x4B,0xD6,0xEF,0x09,0x17,0x60,0x62}, - {0x48,0x0D,0x39,0x00,0x6E,0xE7,0x62,0xF2}, - {0x43,0x75,0x40,0xC8,0x69,0x8F,0x3C,0xFA}, - {0x07,0x2D,0x43,0xA0,0x77,0x07,0x52,0x92}, - {0x02,0xFE,0x55,0x77,0x81,0x17,0xF1,0x2A}, - {0x1D,0x9D,0x5C,0x50,0x18,0xF7,0x28,0xC2}, - {0x30,0x55,0x32,0x28,0x6D,0x6F,0x29,0x5A}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}}; - -static unsigned char cipher_data[NUM_TESTS][8]={ - {0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7}, - {0x73,0x59,0xB2,0x16,0x3E,0x4E,0xDC,0x58}, - {0x95,0x8E,0x6E,0x62,0x7A,0x05,0x55,0x7B}, - {0xF4,0x03,0x79,0xAB,0x9E,0x0E,0xC5,0x33}, - {0x17,0x66,0x8D,0xFC,0x72,0x92,0x53,0x2D}, - {0x8A,0x5A,0xE1,0xF8,0x1A,0xB8,0xF2,0xDD}, - {0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7}, - {0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4}, - {0x69,0x0F,0x5B,0x0D,0x9A,0x26,0x93,0x9B}, - {0x7A,0x38,0x9D,0x10,0x35,0x4B,0xD2,0x71}, - {0x86,0x8E,0xBB,0x51,0xCA,0xB4,0x59,0x9A}, - {0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A}, - 
{0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95}, - {0x86,0xA5,0x60,0xF1,0x0E,0xC6,0xD8,0x5B}, - {0x0C,0xD3,0xDA,0x02,0x00,0x21,0xDC,0x09}, - {0xEA,0x67,0x6B,0x2C,0xB7,0xDB,0x2B,0x7A}, - {0xDF,0xD6,0x4A,0x81,0x5C,0xAF,0x1A,0x0F}, - {0x5C,0x51,0x3C,0x9C,0x48,0x86,0xC0,0x88}, - {0x0A,0x2A,0xEE,0xAE,0x3F,0xF4,0xAB,0x77}, - {0xEF,0x1B,0xF0,0x3E,0x5D,0xFA,0x57,0x5A}, - {0x88,0xBF,0x0D,0xB6,0xD7,0x0D,0xEE,0x56}, - {0xA1,0xF9,0x91,0x55,0x41,0x02,0x0B,0x56}, - {0x6F,0xBF,0x1C,0xAF,0xCF,0xFD,0x05,0x56}, - {0x2F,0x22,0xE4,0x9B,0xAB,0x7C,0xA1,0xAC}, - {0x5A,0x6B,0x61,0x2C,0xC2,0x6C,0xCE,0x4A}, - {0x5F,0x4C,0x03,0x8E,0xD1,0x2B,0x2E,0x41}, - {0x63,0xFA,0xC0,0xD0,0x34,0xD9,0xF7,0x93}, - {0x61,0x7B,0x3A,0x0C,0xE8,0xF0,0x71,0x00}, - {0xDB,0x95,0x86,0x05,0xF8,0xC8,0xC6,0x06}, - {0xED,0xBF,0xD1,0xC6,0x6C,0x29,0xCC,0xC7}, - {0x35,0x55,0x50,0xB2,0x15,0x0E,0x24,0x51}, - {0xCA,0xAA,0xAF,0x4D,0xEA,0xF1,0xDB,0xAE}, - {0xD5,0xD4,0x4F,0xF7,0x20,0x68,0x3D,0x0D}, - {0x2A,0x2B,0xB0,0x08,0xDF,0x97,0xC2,0xF2}}; - -static unsigned char cipher_ecb2[NUM_TESTS-1][8]={ - {0x92,0x95,0xB5,0x9B,0xB3,0x84,0x73,0x6E}, - {0x19,0x9E,0x9D,0x6D,0xF3,0x9A,0xA8,0x16}, - {0x2A,0x4B,0x4D,0x24,0x52,0x43,0x84,0x27}, - {0x35,0x84,0x3C,0x01,0x9D,0x18,0xC5,0xB6}, - {0x4A,0x5B,0x2F,0x42,0xAA,0x77,0x19,0x25}, - {0xA0,0x6B,0xA9,0xB8,0xCA,0x5B,0x17,0x8A}, - {0xAB,0x9D,0xB7,0xFB,0xED,0x95,0xF2,0x74}, - {0x3D,0x25,0x6C,0x23,0xA7,0x25,0x2F,0xD6}, - {0xB7,0x6F,0xAB,0x4F,0xBD,0xBD,0xB7,0x67}, - {0x8F,0x68,0x27,0xD6,0x9C,0xF4,0x1A,0x10}, - {0x82,0x57,0xA1,0xD6,0x50,0x5E,0x81,0x85}, - {0xA2,0x0F,0x0A,0xCD,0x80,0x89,0x7D,0xFA}, - {0xCD,0x2A,0x53,0x3A,0xDB,0x0D,0x7E,0xF3}, - {0xD2,0xC2,0xBE,0x27,0xE8,0x1B,0x68,0xE3}, - {0xE9,0x24,0xCF,0x4F,0x89,0x3C,0x5B,0x0A}, - {0xA7,0x18,0xC3,0x9F,0xFA,0x9F,0xD7,0x69}, - {0x77,0x2C,0x79,0xB1,0xD2,0x31,0x7E,0xB1}, - {0x49,0xAB,0x92,0x7F,0xD0,0x22,0x00,0xB7}, - {0xCE,0x1C,0x6C,0x7D,0x85,0xE3,0x4A,0x6F}, - {0xBE,0x91,0xD6,0xE1,0x27,0xB2,0xE9,0x87}, - {0x70,0x28,0xAE,0x8F,0xD1,0xF5,0x74,0x1A}, - 
{0xAA,0x37,0x80,0xBB,0xF3,0x22,0x1D,0xDE}, - {0xA6,0xC4,0xD2,0x5E,0x28,0x93,0xAC,0xB3}, - {0x22,0x07,0x81,0x5A,0xE4,0xB7,0x1A,0xAD}, - {0xDC,0xCE,0x05,0xE7,0x07,0xBD,0xF5,0x84}, - {0x26,0x1D,0x39,0x2C,0xB3,0xBA,0xA5,0x85}, - {0xB4,0xF7,0x0F,0x72,0xFB,0x04,0xF0,0xDC}, - {0x95,0xBA,0xA9,0x4E,0x87,0x36,0xF2,0x89}, - {0xD4,0x07,0x3A,0xF1,0x5A,0x17,0x82,0x0E}, - {0xEF,0x6F,0xAF,0xA7,0x66,0x1A,0x7E,0x89}, - {0xC1,0x97,0xF5,0x58,0x74,0x8A,0x20,0xE7}, - {0x43,0x34,0xCF,0xDA,0x22,0xC4,0x86,0xC8}, - {0x08,0xD7,0xB4,0xFB,0x62,0x9D,0x08,0x85}}; - -static const_des_cblock cbc_key = {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; -static const_des_cblock cbc2_key = {0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87}; -static const_des_cblock cbc3_key = {0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10}; -static const_des_cblock cbc_iv = {0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10}; -static const_des_cblock cbc_data[4] ={ "7654321 ", "Now is t", "he time ", "for " }; - -static unsigned char cbc_ok[32]={ - 0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4, - 0xac,0xd8,0xae,0xfd,0xdf,0xd8,0xa1,0xeb, - 0x46,0x8e,0x91,0x15,0x78,0x88,0xba,0x68, - 0x1d,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; - -#if 0 -static unsigned char xcbc_ok[32]={ - 0x86,0x74,0x81,0x0D,0x61,0xA4,0xA5,0x48, - 0xB9,0x93,0x03,0xE1,0xB8,0xBB,0xBD,0xBD, - 0x64,0x30,0x0B,0xB9,0x06,0x65,0x81,0x76, - 0x04,0x1D,0x77,0x62,0x17,0xCA,0x2B,0xD2, - }; -#endif - -static unsigned char cbc3_ok[32]={ - 0x3F,0xE3,0x01,0xC9,0x62,0xAC,0x01,0xD0, - 0x22,0x13,0x76,0x3C,0x1C,0xBD,0x4C,0xDC, - 0x79,0x96,0x57,0xC0,0x64,0xEC,0xF5,0xD4, - 0x1C,0x67,0x38,0x12,0xCF,0xDE,0x96,0x75}; - -#if 0 -static unsigned char pcbc_ok[32]={ - 0xcc,0xd1,0x73,0xff,0xab,0x20,0x39,0xf4, - 0x6d,0xec,0xb4,0x70,0xa0,0xe5,0x6b,0x15, - 0xae,0xa6,0xbf,0x61,0xed,0x7d,0x9c,0x9f, - 0xf7,0x17,0x46,0x3b,0x8a,0xb3,0xcc,0x88}; -#endif - -#if 0 -static unsigned char cfb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; -static unsigned char cfb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef}; -static unsigned char 
cfb_buf1[40],cfb_buf2[40],cfb_tmp[8]; -static unsigned char plain[24]= - { - 0x4e,0x6f,0x77,0x20,0x69,0x73, - 0x20,0x74,0x68,0x65,0x20,0x74, - 0x69,0x6d,0x65,0x20,0x66,0x6f, - 0x72,0x20,0x61,0x6c,0x6c,0x20 - }; -static unsigned char cfb_cipher8[24]= { - 0xf3,0x1f,0xda,0x07,0x01,0x14, 0x62,0xee,0x18,0x7f,0x43,0xd8, - 0x0a,0x7c,0xd9,0xb5,0xb0,0xd2, 0x90,0xda,0x6e,0x5b,0x9a,0x87 }; -static unsigned char cfb_cipher16[24]={ - 0xF3,0x09,0x87,0x87,0x7F,0x57, 0xF7,0x3C,0x36,0xB6,0xDB,0x70, - 0xD8,0xD5,0x34,0x19,0xD3,0x86, 0xB2,0x23,0xB7,0xB2,0xAD,0x1B }; -static unsigned char cfb_cipher32[24]={ - 0xF3,0x09,0x62,0x49,0xA4,0xDF, 0xA4,0x9F,0x33,0xDC,0x7B,0xAD, - 0x4C,0xC8,0x9F,0x64,0xE4,0x53, 0xE5,0xEC,0x67,0x20,0xDA,0xB6 }; -static unsigned char cfb_cipher48[24]={ - 0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x30,0xB5,0x15,0xEC,0xBB,0x85, - 0x97,0x5A,0x13,0x8C,0x68,0x60, 0xE2,0x38,0x34,0x3C,0xDC,0x1F }; -static unsigned char cfb_cipher64[24]={ - 0xF3,0x09,0x62,0x49,0xC7,0xF4, 0x6E,0x51,0xA6,0x9E,0x83,0x9B, - 0x1A,0x92,0xF7,0x84,0x03,0x46, 0x71,0x33,0x89,0x8E,0xA6,0x22 }; - -static unsigned char ofb_key[8]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; -static unsigned char ofb_iv[8]={0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef}; -static unsigned char ofb_buf1[24],ofb_buf2[24],ofb_tmp[8]; -static unsigned char ofb_cipher[24]= - { - 0xf3,0x09,0x62,0x49,0xc7,0xf4,0x6e,0x51, - 0x35,0xf2,0x4a,0x24,0x2e,0xeb,0x3d,0x3f, - 0x3d,0x6d,0x5b,0xe3,0x25,0x5a,0xf8,0xc3 - }; -#endif - -DES_LONG cbc_cksum_ret=0xB462FEF7L; -unsigned char cbc_cksum_data[8]={0x1D,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4}; - -#ifndef NOPROTO -static char *pt(const unsigned char *p); -#if 0 -static int cfb_test(int bits, unsigned char *cfb_cipher); -static int cfb64_test(unsigned char *cfb_cipher); -static int ede_cfb64_test(unsigned char *cfb_cipher); -#endif -#else -static char *pt(); -static int cfb_test(); -static int cfb64_test(); -static int ede_cfb64_test(); -#endif - -void -test_main(void) - { - int i,j,err=0; - des_cblock in, 
out, outin, iv3; - des_key_schedule ks,ks2,ks3; - des_cblock cbc_in[5]; - des_cblock cbc_out[5]; - DES_LONG cs; - unsigned char cret[8]; -#if 0 - unsigned char qret[4][4]; - DES_LONG lqret[4]; - int num; - char *str; -#endif - if (verbose) printf("Doing ecb\n"); - for (i=0; i>4)&0xf]; - ret[i*2+1]=f[p[i]&0xf]; - } - ret[16]='\0'; - return(ret); - } - -#ifndef LIBDES_LIT -#if 0 -static int cfb_test(bits, cfb_cipher) -int bits; -unsigned char *cfb_cipher; - { - des_key_schedule ks; - int i,err=0; - - des_key_sched((C_Block *)cfb_key,ks); - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - des_cfb_encrypt(plain,cfb_buf1,bits,(long)sizeof(plain),ks, - (C_Block *)cfb_tmp,DES_ENCRYPT); - if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt encrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - des_cfb_encrypt(cfb_buf1,cfb_buf2,bits,(long)sizeof(plain),ks, - (C_Block *)cfb_tmp,DES_DECRYPT); - if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt decrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - return(err); - } - -static int cfb64_test(cfb_cipher) -unsigned char *cfb_cipher; - { - des_key_schedule ks; - int err=0,i,n; - - des_key_sched((C_Block *)cfb_key,ks); - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - des_cfb64_encrypt(plain,cfb_buf1,(long)12,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - des_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]), - (long)sizeof(plain)-12,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt encrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - des_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks, - (C_Block *)cfb_tmp,&n,DES_DECRYPT); - des_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]), - (long)sizeof(plain)-17,ks, - (C_Block 
*)cfb_tmp,&n,DES_DECRYPT); - if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) - { - err=1; - printf("cfb_encrypt decrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf2[i]))); - } - return(err); - } - -static int ede_cfb64_test(cfb_cipher) -unsigned char *cfb_cipher; - { - des_key_schedule ks; - int err=0,i,n; - - des_key_sched((C_Block *)cfb_key,ks); - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - des_ede3_cfb64_encrypt(plain,cfb_buf1,(long)12,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - des_ede3_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]), - (long)sizeof(plain)-12,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_ENCRYPT); - if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0) - { - err=1; - printf("ede_cfb_encrypt encrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf1[i]))); - } - memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv)); - n=0; - des_ede3_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_DECRYPT); - des_ede3_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]), - (long)sizeof(plain)-17,ks,ks,ks, - (C_Block *)cfb_tmp,&n,DES_DECRYPT); - if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0) - { - err=1; - printf("ede_cfb_encrypt decrypt error\n"); - for (i=0; i<24; i+=8) - printf("%s\n",pt(&(cfb_buf2[i]))); - } - return(err); - } -#endif -#endif /* LIBDES_LIT */ - diff -Nru nettle-3.4.1/testsuite/dlopen-test.c nettle-3.7.3/testsuite/dlopen-test.c --- nettle-3.4.1/testsuite/dlopen-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/dlopen-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -5,11 +5,17 @@
 #include
 #endif
+#ifdef __APPLE__
+#define SO_EXT "dylib"
+#else
+#define SO_EXT "so"
+#endif
+
 int
 main (int argc UNUSED, char **argv UNUSED)
 {
 #if HAVE_LIBDL
- void *handle = dlopen ("../libnettle.so", RTLD_NOW);
+ void *handle = dlopen ("../libnettle." SO_EXT, RTLD_NOW);
 int (*get_version)(void);
 if (!handle)
 {
diff -Nru nettle-3.4.1/testsuite/ecc-add-test.c nettle-3.7.3/testsuite/ecc-add-test.c
--- nettle-3.4.1/testsuite/ecc-add-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/ecc-add-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -1,4 +1,5 @@
 #include "testutils.h"
+#include
 void
 test_main (void)
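Review bot: The new argument `"../libnettle." SO_EXT` still contains a slash, so dlopen(3) resolves it against the process's current working directory rather than the executable's location, and the test silently depends on being started from the right directory; a comment on that line, `/* A path with a slash is resolved relative to the cwd, not the executable. */`, would save the next reader a puzzling failure. SO_EXT only distinguishes Darwin and every other platform gets "so", which is presumably acceptable because the HAVE_LIBDL guard limits where this code is compiled, but a one-line comment on the `#ifdef __APPLE__` stating that intent would document it. main continues past the hunk.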
@@ -12,74 +13,61 @@
 mp_limb_t *g2 = xalloc_limbs (ecc_size_j (ecc));
 mp_limb_t *g3 = xalloc_limbs (ecc_size_j (ecc));
 mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
- mp_limb_t *scratch = xalloc_limbs (ECC_ADD_JJJ_ITCH(ecc->p.size));
+ mp_limb_t *scratch = xalloc_limbs (ecc->add_hhh_itch);
- if (ecc->p.bit_size == 255)
+ ASSERT (ecc->dup_itch <= ecc->add_hhh_itch);
+
+ test_ecc_get_g (i, g);
+
+ if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448)
 {
 mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
+
+ ASSERT (ecc->add_hh_itch <= ecc->add_hhh_itch);
+ /* Zero point has x = 0, y = 1, z = 1 */
 mpn_zero (z, 3*ecc->p.size);
 z[ecc->p.size] = z[2*ecc->p.size] = 1;
-
- ecc_a_to_j (ecc, g, ecc->g);
- ecc_add_ehh (ecc, p, z, z, scratch);
+ ecc->add_hhh (ecc, p, z, z, scratch);
 test_ecc_mul_h (i, 0, p);
- ecc_add_eh (ecc, p, z, z, scratch);
+ ecc->add_hh (ecc, p, z, z, scratch);
 test_ecc_mul_h (i, 0, p);
- ecc_add_ehh (ecc, p, g, p, scratch);
+ ecc->add_hhh (ecc, p, p, g, scratch);
 test_ecc_mul_h (i, 1, p);
- ecc_add_eh (ecc, p, z, g, scratch);
+ ecc->add_hh (ecc, p, z, g, scratch);
 test_ecc_mul_h (i, 1, p);
- ecc_add_ehh (ecc, g2, g, p, scratch);
+ ecc->add_hhh (ecc, g2, g, p, scratch);
 test_ecc_mul_h (i, 2, g2);
- ecc_add_eh (ecc, g2, g, g, scratch);
+ ecc->add_hh (ecc, g2, g, g, scratch);
 test_ecc_mul_h (i, 2, g2);
- ecc_add_ehh (ecc, g3, g, g2, scratch);
- test_ecc_mul_h (i, 3, g3);
-
- ecc_add_eh (ecc, g3, g2, g, scratch);
- test_ecc_mul_h (i, 3, g3);
-
- ecc_add_ehh (ecc, p, g, g3, scratch);
- test_ecc_mul_h (i, 4, p);
-
- ecc_add_eh (ecc, p, g3, g, scratch);
- test_ecc_mul_h (i, 4, p);
-
- ecc_add_ehh (ecc, p, g2, g2, scratch);
- test_ecc_mul_h (i, 4, p);
-
 free (z);
 }
- else
- {
- ecc_a_to_j (ecc, g, ecc->g);
- ecc_dup_jj (ecc, g2, g, scratch);
- test_ecc_mul_h (i, 2, g2);
+ ecc->dup (ecc, g2, g, scratch);
+ test_ecc_mul_h (i, 2, g2);
- ecc_add_jjj (ecc, g3, g, g2, scratch);
- test_ecc_mul_h (i, 3, g3);
+ ecc->add_hhh (ecc, g3, g, g2, scratch);
+ test_ecc_mul_h (i,
3, g3);
- ecc_add_jjj (ecc, g3, g2, g, scratch);
- test_ecc_mul_h (i, 3, g3);
+ ecc->add_hhh (ecc, g3, g2, g, scratch);
+ test_ecc_mul_h (i, 3, g3);
- ecc_add_jjj (ecc, p, g, g3, scratch);
- test_ecc_mul_h (i, 4, p);
+ ecc->add_hhh (ecc, p, g, g3, scratch);
+ test_ecc_mul_h (i, 4, p);
- ecc_add_jjj (ecc, p, g3, g, scratch);
- test_ecc_mul_h (i, 4, p);
+ ecc->add_hhh (ecc, p, g3, g, scratch);
+ test_ecc_mul_h (i, 4, p);
+
+ ecc->dup (ecc, p, g2, scratch);
+ test_ecc_mul_h (i, 4, p);
- ecc_dup_jj (ecc, p, g2, scratch);
- test_ecc_mul_h (i, 4, p);
- }
 free (g);
 free (g2);
 free (g3);
diff -Nru nettle-3.4.1/testsuite/ecc-dup-test.c nettle-3.7.3/testsuite/ecc-dup-test.c
--- nettle-3.4.1/testsuite/ecc-dup-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/ecc-dup-test.c 2021-06-06 20:06:30.000000000 +0000
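Review bot: `ecc->add_hhh (ecc, p, p, g, scratch)` replaces the old `ecc_add_ehh (ecc, p, g, p, scratch)` with the operands swapped, so the result now aliases the first input where it used to alias the second, and the second-operand aliasing case is no longer exercised for the Edwards curves. Whether add_hhh's contract allows the result to alias either operand is not visible here; if both forms are meant to work, a mirrored call `ecc->add_hhh (ecc, p, g, p, scratch); test_ecc_mul_h (i, 2, p);` placed right after the `test_ecc_mul_h (i, 1, p);` that follows it (the next `ecc->add_hh (ecc, p, z, g, scratch)` resets p to g anyway) would restore that coverage. The two ASSERTs on the itch values are what justify sizing scratch by add_hhh_itch alone and would read better with a comment saying so, e.g. `/* scratch is sized for add_hhh; dup and add_hh must fit in it. */`. test_main starts before and continues after this hunk.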
@@ -10,37 +10,30 @@
 const struct ecc_curve *ecc = ecc_curves[i];
 mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc));
 mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc));
- mp_limb_t *scratch = xalloc_limbs (ECC_DUP_EH_ITCH(ecc->p.size));;
+ mp_limb_t *scratch = xalloc_limbs (ecc->dup_itch);
- if (ecc->p.bit_size == 255)
+ test_ecc_get_g (i, g);
+
+ if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448)
 {
 mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc));
+ /* Zero point has x = 0, y = 1, z = 1 */
 mpn_zero (z, 3*ecc->p.size);
 z[ecc->p.size] = z[2*ecc->p.size] = 1;
- ecc_a_to_j (ecc, g, ecc->g);
-
- ecc_dup_eh (ecc, p, z, scratch);
+ ecc->dup (ecc, p, z, scratch);
 test_ecc_mul_h (i, 0, p);
- ecc_dup_eh (ecc, p, g, scratch);
- test_ecc_mul_h (i, 2, p);
-
- ecc_dup_eh (ecc, p, p, scratch);
- test_ecc_mul_h (i, 4, p);
 free (z);
 }
- else
- {
- ecc_a_to_j (ecc, g, ecc->g);
- ecc_dup_jj (ecc, p, g, scratch);
- test_ecc_mul_h (i, 2, p);
+ ecc->dup (ecc, p, g, scratch);
+ test_ecc_mul_h (i, 2, p);
+
+ ecc->dup (ecc, p, p, scratch);
+ test_ecc_mul_h (i, 4, p);
- ecc_dup_jj (ecc, p, p, scratch);
- test_ecc_mul_h (i, 4, p);
- }
 free (p);
 free (g);
 free (scratch);
diff -Nru nettle-3.4.1/testsuite/ecc-modinv-test.c nettle-3.7.3/testsuite/ecc-modinv-test.c
--- nettle-3.4.1/testsuite/ecc-modinv-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/ecc-modinv-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -1,7 +1,8 @@
 #include "testutils.h"
 static int
-ref_modinv (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn)
+ref_modinv (mp_limb_t *rp, const mp_limb_t *ap,
+ const mp_limb_t *mp, mp_size_t mn, int use_redc)
 {
 mpz_t g, s, a, m;
 int res;
@@ -19,12 +20,18 @@
 mpz_add (s, s, m);
 ASSERT (mpz_sgn (s) > 0);
 }
- mpz_limbs_copy (rp, s, mn);
 res = 1;
 }
 else
 res = 0;
+ if (use_redc)
+ {
+ mpz_mul_2exp (s, s, 2 * mn * GMP_NUMB_BITS);
+ mpz_mod (s, s, m);
+ }
+
+ mpz_limbs_copy (rp, s, mn);
 mpz_clear (g);
 mpz_clear (s);
 return res;
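Review bot: `mpz_limbs_copy (rp, s, mn);` now runs on the non-invertible path too (after `res = 0;`), and with use_redc the scaling block runs there as well, so rp receives a value derived from whatever s holds after the gcd computation above the hunk; the caller at the -99 hunk skips such cases, so this is harmless today, but either guarding with `if (res && use_redc)` or a comment `/* rp is meaningful only when 1 is returned. */` would make the contract explicit. The scaling itself also deserves a comment, since nothing tells the reader why the reference inverse is multiplied by 2^(2·mn·GMP_NUMB_BITS): e.g. `/* In redc mode the inverse is compared in scaled form, a^-1 * B^2 mod m with B = 2^(mn*GMP_NUMB_BITS). */`. ref_modinv starts and ends outside this hunk.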
@@ -37,12 +44,19 @@
 || mpn_cmp (xp, m->m, m->size) == 0;
 }
+static int
+mod_eq_p (const struct ecc_modulo *m, const mp_limb_t *a, const mp_limb_t *b,
+ mp_limb_t *scratch) {
+ ecc_mod_sub (m, scratch, a, b);
+ return zero_p (m, scratch);
+}
+
 #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS)
 #define COUNT 500
 static void
 test_modulo (gmp_randstate_t rands, const char *name,
- const struct ecc_modulo *m)
+ const struct ecc_modulo *m, int use_redc)
 {
 mp_limb_t *a;
 mp_limb_t *ai;
@@ -99,7 +113,7 @@
 mpz_limbs_copy (a, r, m->size);
- if (!ref_modinv (ref, a, m->m, m->size))
+ if (!ref_modinv (ref, a, m->m, m->size, use_redc))
 {
 if (verbose)
 fprintf (stderr, "Test %u (bit size %u) not invertible mod %s.\n",
@@ -107,7 +121,7 @@
 continue;
 }
 m->invert (m, ai, a, scratch);
- if (mpn_cmp (ref, ai, m->size))
+ if (!mod_eq_p (m, ai, ref, scratch))
 {
 fprintf (stderr, "%s->invert failed (test %u, bit size %u):\n",
 name, j, m->bit_size);
@@ -119,6 +133,7 @@
 mpn_out_str (stderr, 16, ai, m->size);
 fprintf (stderr, " (bad)\nr = ");
 mpn_out_str (stderr, 16, ref, m->size);
+ printf ("\n");
 abort ();
 }
@@ -141,8 +156,8 @@
 for (i = 0; ecc_curves[i]; i++)
 {
- test_modulo (rands, "p", &ecc_curves[i]->p);
- test_modulo (rands, "q", &ecc_curves[i]->q);
+ test_modulo (rands, "p", &ecc_curves[i]->p, ecc_curves[i]->use_redc);
+ test_modulo (rands, "q", &ecc_curves[i]->q, 0);
 }
 gmp_randclear (rands);
 }
diff -Nru nettle-3.4.1/testsuite/ecc-mod-test.c nettle-3.7.3/testsuite/ecc-mod-test.c
--- nettle-3.4.1/testsuite/ecc-mod-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/ecc-mod-test.c 2021-06-06 20:06:30.000000000 +0000
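Review bot: `mp_limb_t *scratch) {` puts the opening brace of mod_eq_p on the signature line, while ref_modinv and test_modulo in the same file put it on its own line; moving it keeps the file's GNU layout consistent. The helper also writes m->size limbs into scratch and, judging by the visible tail of zero_p (which accepts both 0 and m), deliberately accepts an inverse that is not fully reduced below m; a header comment stating that, e.g. `/* a == b mod m, accepting a result that is not reduced below m; clobbers m->size limbs of scratch. */`, would tell the reader what the relaxed comparison at the -107 hunk is meant to tolerate.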
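Review bot: `printf ("\n");` writes the terminating newline to stdout while every other line of this failure report goes to stderr through fprintf, so the last stderr line is left unterminated and, because stdout is usually block-buffered when redirected, the newline may never be flushed before the following abort(). It should be `fprintf (stderr, "\n");` to match the surrounding output.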
@@ -19,6 +19,15 @@
 #define MAX_SIZE (2*MAX_ECC_SIZE)
 #define COUNT 50000
+/* Destructively normalize tp, then compare */
+static int
+mod_equal(const struct ecc_modulo *m, const mp_limb_t *ref, mp_limb_t *tp)
+{
+ if (mpn_cmp (tp, m->m, m->size) >= 0)
+ mpn_sub_n (tp, tp, m->m, m->size);
+ return mpn_cmp (ref, tp, m->size) == 0;
+}
+
 static void
 test_one(const char *name,
 const struct ecc_modulo *m,
@@ -33,13 +42,10 @@
 ref_mod (ref, a, m->m, m->size);
 mpn_copyi (t, a, 2*m->size);
- m->mod (m, t);
- if (mpn_cmp (t, m->m, m->size) >= 0)
- mpn_sub_n (t, t, m->m, m->size);
-
- if (mpn_cmp (t, ref, m->size))
+ m->mod (m, t, t);
+ if (!mod_equal (m, ref, t))
 {
- fprintf (stderr, "m->mod %s failed: bit_size = %u\n",
+ fprintf (stderr, "m->mod %s failed: bit_size = %u, rp == xp\n",
 name, m->bit_size);
 fprintf (stderr, "a = ");
@@ -52,16 +58,30 @@
 abort ();
 }
+ mpn_copyi (t, a, 2*m->size);
+ m->mod (m, t + m->size, t);
+ if (!mod_equal (m, ref, t + m->size))
+ {
+ fprintf (stderr, "m->mod %s failed: bit_size = %u, rp == xp + size\n",
+ name, m->bit_size);
+
+ fprintf (stderr, "a = ");
+ mpn_out_str (stderr, 16, a, 2*m->size);
+ fprintf (stderr, "\nt = ");
+ mpn_out_str (stderr, 16, t + m->size, m->size);
+ fprintf (stderr, " (bad)\nref = ");
+ mpn_out_str (stderr, 16, ref, m->size);
+ fprintf (stderr, "\n");
+ abort ();
+ }
+
 if (m->B_size < m->size)
 {
 mpn_copyi (t, a, 2*m->size);
- ecc_mod (m, t);
- if (mpn_cmp (t, m->m, m->size) >= 0)
- mpn_sub_n (t, t, m->m, m->size);
-
- if (mpn_cmp (t, ref, m->size))
+ ecc_mod (m, t, t);
+ if (!mod_equal (m, ref, t))
 {
- fprintf (stderr, "ecc_mod %s failed: bit_size = %u\n",
+ fprintf (stderr, "ecc_mod %s failed: bit_size = %u, rp == xp\n",
 name, m->bit_size);
 fprintf (stderr, "a = ");
 mpn_out_str (stderr, 16, a, 2*m->size);
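Review bot: mod_equal performs exactly one conditional subtraction, so the comment `/* Destructively normalize tp, then compare */` hides the assumption that the value under test is already below 2m; a reduction returning anything larger would be reported as a mismatch with a partially normalized `t` in the log, which is an acceptable test outcome but worth stating: `/* Destructively normalize tp (assumed < 2m, so one conditional subtraction suffices), then compare */`. The same helper appears byte for byte in ecc-redc-test.c's -27 hunk; hoisting it into testutils would keep the two from drifting apart.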
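Review bot: The added `rp == xp + size` failure block repeats the in-place block above it line for line except for the label and the pointer handed to mpn_out_str, and the ecc_mod branch at the end of this hunk plus the -72 hunk repeat it twice more; ecc-redc-test.c's -81 and -104 hunks follow the same pattern. A small reporting helper would reduce each site to one line, `fail_mod ("m->mod", name, m, "rp == xp + size", a, t + m->size, ref);`, and guarantee the four messages stay consistent. test_one starts before this hunk.
```c
/* Print a reduction mismatch (a has 2*m->size limbs, t and ref m->size) and abort. */
static void
fail_mod (const char *func, const char *name, const struct ecc_modulo *m,
          const char *alias, const mp_limb_t *a, const mp_limb_t *t,
          const mp_limb_t *ref)
{
  fprintf (stderr, "%s %s failed: bit_size = %u, %s\n",
           func, name, m->bit_size, alias);
  fprintf (stderr, "a = ");
  mpn_out_str (stderr, 16, a, 2*m->size);
  fprintf (stderr, "\nt = ");
  mpn_out_str (stderr, 16, t, m->size);
  fprintf (stderr, " (bad)\nref = ");
  mpn_out_str (stderr, 16, ref, m->size);
  fprintf (stderr, "\n");
  abort ();
}

/* … unchanged: test_one up to the rp == xp + size check … */
  mpn_copyi (t, a, 2*m->size);
  m->mod (m, t + m->size, t);
  if (!mod_equal (m, ref, t + m->size))
    fail_mod ("m->mod", name, m, "rp == xp + size", a, t + m->size, ref);
```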
@@ -72,6 +92,22 @@
 fprintf (stderr, "\n");
 abort ();
 }
+
+ mpn_copyi (t, a, 2*m->size);
+ ecc_mod (m, t + m->size, t);
+ if (!mod_equal (m, ref, t + m->size))
+ {
+ fprintf (stderr, "ecc_mod %s failed: bit_size = %u, rp == xp + size\n",
+ name, m->bit_size);
+ fprintf (stderr, "a = ");
+ mpn_out_str (stderr, 16, a, 2*m->size);
+ fprintf (stderr, "\nt = ");
+ mpn_out_str (stderr, 16, t + m->size, m->size);
+ fprintf (stderr, " (bad)\nref = ");
+ mpn_out_str (stderr, 16, ref, m->size);
+ fprintf (stderr, "\n");
+ abort ();
+ }
 }
 }
@@ -105,23 +141,23 @@ /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFF001C2C00", 16); mpz_mul_2exp (r, r, 256); - test_one ("p", &nettle_secp_256r1.p, r); - test_one ("q", &nettle_secp_256r1.q, r); + test_one ("p", &_nettle_secp_256r1.p, r); + test_one ("q", &_nettle_secp_256r1.q, r); mpz_set_str (r, "ffffffff00000001fffffffeffffffffffffffffffffffffffffffc0000000000007ffffffffffffffffffffffffffff00000000000000000fffffffffffffff", 16); - test_one ("p", &nettle_secp_256r1.p, r); - test_one ("q", &nettle_secp_256r1.q, r); + test_one ("p", &_nettle_secp_256r1.p, r); + test_one ("q", &_nettle_secp_256r1.q, r); /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "4c9000000000000000000000000000000000000000000000004a604db486e000000000000000000000000000000000000000121025be29575adb2c8ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 16); - test_one ("p", &nettle_secp_384r1.p, r); - test_one ("q", &nettle_secp_384r1.q, r); + test_one ("p", &_nettle_secp_384r1.p, r); + test_one ("q", &_nettle_secp_384r1.q, r); /* Triggered a carry bug in development version. */ mpz_set_str (r, "e64a84643150260640e4677c19ffc4faef06042132b86af6e9ee33fe1850222e57a514d5f1d6d444008bb896a96a43d5629945e57548f5e12f66be132b24110cbb2df6d7d3dd3aaadc98b0bbf29573843ad72e57f59fc5d4f56cc599da18bb99", 16); - test_one ("p", &nettle_secp_384r1.p, r); - test_one ("q", &nettle_secp_384r1.q, r); + test_one ("p", &_nettle_secp_384r1.p, r); + test_one ("q", &_nettle_secp_384r1.q, r); mpz_clear (r); } diff -Nru nettle-3.4.1/testsuite/ecc-mul-a-test.c nettle-3.7.3/testsuite/ecc-mul-a-test.c --- nettle-3.4.1/testsuite/ecc-mul-a-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ecc-mul-a-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -14,42 +14,34 @@ { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); + mp_limb_t *g = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); mp_limb_t *scratch = xalloc_limbs (ecc->mul_itch); unsigned j; + test_ecc_get_ga (i, g); mpn_zero (n, size); - n[0] = 1; - ecc->mul (ecc, p, n, ecc->g, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); - - if (mpn_cmp (p, ecc->g, 2*size) != 0) - die ("curve %d: ecc->mul with n = 1 failed.\n", ecc->p.bit_size); - - for (n[0] = 2; n[0] <= 4; n[0]++) + for (n[0] = 1; n[0] <= 4; n[0]++) { - ecc->mul (ecc, p, n, ecc->g, scratch); + ecc->mul (ecc, p, n, g, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); - ecc->mul (ecc, p, n, ecc->g, scratch); + ecc->mul (ecc, p, n, g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); - if (ecc->p.bit_size == 255) + if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); - if (mpn_cmp (p, ecc->g, 2*size) != 0) - { - fprintf (stderr, "ecc->mul with n = order - 1 failed.\n"); - abort (); - } + + test_ecc_ga (i, p); mpn_zero (n, size); @@ -64,7 +56,7 @@ mpz_limbs_copy (n, r, size); n[size - 1] %= ecc->q.m[size - 1]; - ecc->mul (ecc, p, n, ecc->g, scratch); + ecc->mul (ecc, p, n, g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); ecc->mul_g (ecc, q, n, scratch); @@ -92,6 +84,7 @@ abort (); } } + free (g); free (n); free (p); free (q); diff -Nru nettle-3.4.1/testsuite/ecc-mul-g-test.c nettle-3.7.3/testsuite/ecc-mul-g-test.c --- nettle-3.4.1/testsuite/ecc-mul-g-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ecc-mul-g-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -25,11 +25,7 @@ ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); - if (mpn_cmp (p, ecc->g, 2*size) != 0) - { - fprintf (stderr, "ecc->mul_g with n = 1 failed.\n"); - abort (); - } + test_ecc_ga (i, p); for (n[0] = 2; n[0] <= 4; n[0]++) { @@ -41,17 +37,14 @@ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); - if (ecc->p.bit_size == 255) + if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); - if (mpn_cmp (p, ecc->g, 2*size) != 0) - { - fprintf (stderr, "ecc->mul_g with n = order - 1 failed.\n"); - abort (); - } + + test_ecc_ga (i, p); free (n); free (p); diff -Nru nettle-3.4.1/testsuite/ecc-redc-test.c nettle-3.7.3/testsuite/ecc-redc-test.c --- nettle-3.4.1/testsuite/ecc-redc-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ecc-redc-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -27,6 +27,15 @@ mpz_clear (t); } +/* Destructively normalize tp, then compare */ +static int +mod_equal(const struct ecc_modulo *m, const mp_limb_t *ref, mp_limb_t *tp) +{ + if (mpn_cmp (tp, m->m, m->size) >= 0) + mpn_sub_n (tp, tp, m->m, m->size); + return mpn_cmp (ref, tp, m->size) == 0; +} + #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 50000 
@@ -64,13 +73,10 @@
 if (ecc->p.reduce != ecc->p.mod)
 {
 mpn_copyi (m, a, 2*ecc->p.size);
- ecc->p.reduce (&ecc->p, m);
- if (mpn_cmp (m, ecc->p.m, ecc->p.size) >= 0)
- mpn_sub_n (m, m, ecc->p.m, ecc->p.size);
-
- if (mpn_cmp (m, ref, ecc->p.size))
+ ecc->p.reduce (&ecc->p, m, m);
+ if (!mod_equal (&ecc->p, ref, m))
 {
- fprintf (stderr, "ecc->p.reduce failed: bit_size = %u\n",
+ fprintf (stderr, "ecc->p.reduce failed: bit_size = %u, rp == xp\n",
 ecc->p.bit_size);
 fprintf (stderr, "a = ");
 mpn_out_str (stderr, 16, a, 2*ecc->p.size);
@@ -81,19 +87,31 @@
 fprintf (stderr, "\n");
 abort ();
 }
+ mpn_copyi (m, a, 2*ecc->p.size);
+ ecc->p.reduce (&ecc->p, m + ecc->p.size, m);
+ if (!mod_equal (&ecc->p, ref, m + ecc->p.size))
+ {
+ fprintf (stderr, "ecc->p.reduce failed: bit_size = %u, rp == xp + size\n",
+ ecc->p.bit_size);
+ fprintf (stderr, "a = ");
+ mpn_out_str (stderr, 16, a, 2*ecc->p.size);
+ fprintf (stderr, "\nm = ");
+ mpn_out_str (stderr, 16, m + ecc->p.size, ecc->p.size);
+ fprintf (stderr, " (bad)\nref = ");
+ mpn_out_str (stderr, 16, ref, ecc->p.size);
+ fprintf (stderr, "\n");
+ abort ();
+ }
 }
 if (ecc->p.redc_size != 0)
 {
 mpn_copyi (m, a, 2*ecc->p.size);
 if (ecc->p.m[0] == 1)
- ecc_pm1_redc (&ecc->p, m);
+ ecc_pm1_redc (&ecc->p, m, m);
 else
- ecc_pp1_redc (&ecc->p, m);
-
- if (mpn_cmp (m, ecc->p.m, ecc->p.size) >= 0)
- mpn_sub_n (m, m, ecc->p.m, ecc->p.size);
+ ecc_pp1_redc (&ecc->p, m, m);
- if (mpn_cmp (m, ref, ecc->p.size))
+ if (!mod_equal (&ecc->p, ref, m))
 {
 fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n",
 (ecc->p.m[0] == 1) ? 'm' : 'p', ecc->p.bit_size);
@@ -104,6 +122,26 @@ fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); + abort (); + } + + mpn_copyi (m, a, 2*ecc->p.size); + if (ecc->p.m[0] == 1) + ecc_pm1_redc (&ecc->p, m + ecc->p.size, m); + else + ecc_pp1_redc (&ecc->p, m + ecc->p.size, m); + + if (!mod_equal (&ecc->p, ref, m + ecc->p.size)) + { + fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n", + (ecc->p.m[0] == 1) ? 'm' : 'p', ecc->p.bit_size); + fprintf (stderr, "a = "); + mpn_out_str (stderr, 16, a, 2*ecc->p.size); + fprintf (stderr, "\nm = "); + mpn_out_str (stderr, 16, m + ecc->p.size, ecc->p.size); + fprintf (stderr, " (bad)\nref = "); + mpn_out_str (stderr, 16, ref, ecc->p.size); + fprintf (stderr, "\n"); abort (); } } diff -Nru nettle-3.4.1/testsuite/ecdh-test.c nettle-3.7.3/testsuite/ecdh-test.c --- nettle-3.4.1/testsuite/ecdh-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ecdh-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -31,27 +31,29 @@ #include "testutils.h" -static void -set_point (struct ecc_point *p, - const char *x, const char *y) +static int +set_point (struct ecc_point *p, const char *x, const char *y) { mpz_t X, Y; + int ret; + mpz_init_set_str (X, x, 0); mpz_init_set_str (Y, y, 0); - if (!ecc_point_set (p, X, Y)) - die ("Test point not on curve!\n"); + ret = ecc_point_set (p, X, Y); mpz_clear (X); mpz_clear (Y); + return ret; } - + static void set_scalar (struct ecc_scalar *s, const char *x) { mpz_t X; mpz_init_set_str (X, x, 0); - ecc_scalar_set (s, X); + if (!ecc_scalar_set (s, X)) + abort (); mpz_clear (X); } 
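Review bot: The failure message of the new `rp == xp + size` redc check is identical to the in-place check's message just above it, so a failing run cannot tell the two aliasing cases apart — the corresponding `ecc->p.reduce` checks in the previous hunk do distinguish them. Mirror that here: `fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u, rp == xp + size\n",` and, in the earlier block, `"..., rp == xp\n"`. The enclosing test function starts outside this hunk.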
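Review bot: `set_scalar` now calls a bare `abort ()` when `ecc_scalar_set` rejects the value, which produces a core dump with no indication of which test vector was out of range, while the sibling `set_point` path reports through `die`/`ASSERT` with a message. Use the same reporting here: `die ("Test scalar out of range for the curve!\n");`. Note also that `mpz_init_set_str`'s return value is still ignored in both helpers (context lines), so a typo in a hex/decimal literal yields an undefined `mpz` value instead of a test failure; `ASSERT (mpz_init_set_str (X, x, 0) == 0);` would catch that.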
@@ -102,15 +104,15 @@ ecc_scalar_init (&A_priv, ecc); set_scalar (&A_priv, a_priv); ecc_point_init (&A, ecc); - set_point (&A, ax, ay); + ASSERT (set_point (&A, ax, ay)); ecc_scalar_init (&B_priv, ecc); set_scalar (&B_priv, b_priv); ecc_point_init (&B, ecc); - set_point (&B, bx, by); + ASSERT (set_point (&B, bx, by)); ecc_point_init (&S, ecc); - set_point (&S, sx, sy); + ASSERT (set_point (&S, sx, sy)); ecc_point_init (&T, ecc); 
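Review bot: The three `set_point` calls are now evaluated inside `ASSERT`, so the point initialization is a side effect of the assertion macro; that is only safe if `ASSERT` from testutils.h is never compiled out (it presumably is not tied to `NDEBUG`, but that is not visible here). If that is the project convention, a one-line comment at the first use, `/* ASSERT is always active; the call must run. */`, saves the next reader from checking; otherwise keep the call outside and assert on its result as `set_public_key` does further down.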
@@ -135,10 +137,49 @@ ecc_point_clear (&T); } +static void +test_public_key (const char *label, const struct ecc_curve *ecc, + const char *x, const char *y, int expect_success) +{ + struct ecc_point P; + int ret; + + ecc_point_init (&P, ecc); + ret = set_point (&P, x, y); + + if (!ret && expect_success) + die ("Test point '%s' not on curve!\n", label); + + if (ret && !expect_success) + die ("Expected failure to set point '%s'!", label); + + ecc_point_clear (&P); +} + void test_main(void) { - test_dh ("secp-192r1", &nettle_secp_192r1, + test_public_key ("(0,0) with secp-192r1", &_nettle_secp_192r1, "0", "0", 0); + test_public_key ( + "(P,0) with secp-192r1", &_nettle_secp_192r1, + "6277101735386680763835789423207666416083908700390324961279", + "0", 0); + test_public_key ( + "(0,P) with secp-192r1", &_nettle_secp_192r1, "0", + "6277101735386680763835789423207666416083908700390324961279", + 0); + test_public_key ( + "(P,P) with secp-192r1", &_nettle_secp_192r1, + "6277101735386680763835789423207666416083908700390324961279", + "6277101735386680763835789423207666416083908700390324961279", + 0); + test_public_key ("(1,2) with secp-192r1", &_nettle_secp_192r1, "1", "2", 0); + test_public_key ("(X,Y) with secp-192r1", &_nettle_secp_192r1, + "1050363442265225480786760666329560655512990381040021438562", + "5298249600854377235107392014200406283816103564916230704184", + 1); + + test_dh ("secp-192r1", &_nettle_secp_192r1, "3406157206141798348095184987208239421004566462391397236532", "1050363442265225480786760666329560655512990381040021438562", "5298249600854377235107392014200406283816103564916230704184", 
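Review bot: The negative cases in `test_public_key` pass vacuously if the coordinate string fails to parse, because `set_point` (outside this hunk) ignores `mpz_init_set_str`'s return value and the undefined `mpz` that results will most likely be rejected by `ecc_point_set` for the wrong reason; with `expect_success == 0` that is indistinguishable from the intended "not on curve" rejection. Have `set_point` assert a clean parse, `ASSERT (mpz_init_set_str (X, x, 0) == 0);` for both coordinates, so the (0,0), (P,0), (0,P), (P,P) and (1,2) cases really exercise the on-curve check. Separately, the second `die` message lacks the trailing newline the first one has: `die ("Expected failure to set point '%s'!\n", label);`.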
@@ -148,7 +189,7 @@ "149293809021051532782730990145509724807636529827149481690", "2891131861147398318714693938158856874319184314120776776192"); - test_dh ("secp-224r1", &nettle_secp_224r1, + test_dh ("secp-224r1", &_nettle_secp_224r1, "1321072106881784386340709783538698930880431939595776773514895067682", "6768311794185371282972144247871764855860666277647541840973645586477", "2880077809069104378181313860274147139049600284805670362929579614547", @@ -158,7 +199,7 @@ "8330362698029245839097779050425944245826040430538860338085968752913", "24167244512472228715617822000878192535267113543393576038737592837010"); - test_dh ("secp-256r1", &nettle_secp_256r1, + test_dh ("secp-256r1", &_nettle_secp_256r1, "94731533361265297353914491124013058635674217345912524033267198103710636378786", "22441589863306126152768848344973918725077248391248404659242620344938484650846", "8673475622926171928656873398933611700804732317466515884933832073457396747355", @@ -168,7 +209,7 @@ "102958799567030688009123101477538973715497039396202015119148334812951370853564", "29188877854984806245046208182450375893010623119030341548941791125497546766367"); - test_dh ("secp-384r1", &nettle_secp_384r1, + test_dh ("secp-384r1", &_nettle_secp_384r1, "39086550219018474560700767788227987514008150214902287969462741484831311917159729009715909108606822193356890811565070", "15536343869384820642787280162462493474000839389760580357050317691132784247078954166759523572989472049798969369413707", "23268351460749985365652822073294615614961429585671989812206213135127969284347174876010177880230302801199500921999966", 
@@ -178,7 +219,7 @@ "27780263733159299625371532605243698753833039933618994121416145881861678645978369807598146716869504289033472077532789", "12327518461490664021199432424728005314646140038116972426756705356672414772151215711157356913456651047992140493843405"); - test_dh ("secp-521r1", &nettle_secp_521r1, + test_dh ("secp-521r1", &_nettle_secp_521r1, "1177787298234877762125077260641419691552146813662613924864132680693789861345339466386194840381422980702458955378518702648732728796955434922249345867267377826", "3168153642368000846168628288850857848098131369578410603904155841373678828215434925507474033105518841999665785152501356092020415699294327720257651796364374116", "278603899104240796379373331240296114411332466119196525390128418935585486485808560319073463912513286987331907013829243645911963547435764718505394265715321106", 
@@ -200,4 +241,17 @@ "38072138078045635808869930165213470653418146012939584392304609812494425185763", "10481077163111981870382976851703705086808805457403127024129174358161599078055", "29260211489972704256554624312266763530759418996739976957020673870747051409679"); + + /* NOTE: This isn't the standard way to do curve448 + diffie-hellman, but it tests that the ecc_point interface works + also with curve448. */ + test_dh ("curve448", &_nettle_curve448, + "129458936807933142766404648460937163205634163580407624950524900086792185737444124895392953822100034523565454893159084960036749128566328", + "23903108874160330022289088207864530114505726115081678533913226179385920277612083777349117962138808929878378666596532036566924169949084", + "693683143993815499711046966874265987454661213870193324674425656110752379002105414428569086535475560314058341102862207145978150379762153", + "66424594649188102315894632429895338306697492782714758296415311427244880255966850729749965592839835963032731282879151354354178946253531", + "411851112596680430188999894591634506976361833537024658040418853047370769553774913299417695327870642536912872558385293694714169201128264", + "337433451779159274143076131600929733721586133908369086734805607026091240174740218929467625260731556550599267570314197354864315711490353", + "224725768629972498035446273711269105191383993674106563435257119903436206484342709996926420948730961128941009070083709026343858723205213", + "514544926219850986487923720424370435708360925070646212523588162169142573918197583804309386017625350764529605929374479238949748203847320"); } diff -Nru nettle-3.4.1/testsuite/ecdsa-keygen-test.c nettle-3.7.3/testsuite/ecdsa-keygen-test.c --- nettle-3.4.1/testsuite/ecdsa-keygen-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ecdsa-keygen-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -40,6 +40,22 @@ mpz_clear (x2); } + else if (pub->ecc->p.bit_size == 448) + { + /* Check that + x^2 + y^2 = 1 - 39081 x^2 y^2 */ + mpz_t x2, d; + mpz_init (x2); + mpz_init_set_ui (d, 39081); + mpz_mul (x2, x, x); /* x^2 */ + mpz_mul (d, d, x2); /* 39081 x^2 */ + mpz_set_ui (rhs, 1); + mpz_submul (rhs, d, lhs); /* 1 - 39081 x^2 y^2 */ + mpz_add (lhs, x2, lhs); /* x^2 + y^2 */ + + mpz_clear (d); + mpz_clear (x2); + } else { /* Check y^2 = x^3 - 3 x + b */ @@ -78,6 +94,10 @@ struct ecc_point pub; struct ecc_scalar key; + if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) + /* Exclude curve25519 and curve448, not supported with ECDSA. */ + continue; + if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size); diff -Nru nettle-3.4.1/testsuite/ecdsa-sign-test.c nettle-3.7.3/testsuite/ecdsa-sign-test.c --- nettle-3.4.1/testsuite/ecdsa-sign-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ecdsa-sign-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -58,9 +58,22 @@ void test_main (void) { + /* Producing the signature for corresponding test in + ecdsa-verify-test.c, with special u1 and u2. */ + test_ecdsa (&_nettle_secp_224r1, + "99b5b787484def12894ca507058b3bf5" + "43d72d82fa7721d2e805e5e6", + "2", + SHEX("cdb887ac805a3b42e22d224c85482053" + "16c755d4a736bb2032c92553"), + "706a46dc76dcb76798e60e6d89474788" + "d16dc18032d268fd1a704fa6", /* r */ + "3a41e1423b1853e8aa89747b1f987364" + "44705d6d6d8371ea1f578f2e"); /* s */ + /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */ - test_ecdsa (&nettle_secp_192r1, + test_ecdsa (&_nettle_secp_192r1, "DC51D3866A15BACDE33D96F992FCA99D" "A7E6EF0934E70975", /* z */ @@ -76,7 +89,7 @@ "a91fb738f9f175d72f9c98527e881c36" "8de68cb55ffe589"); /* s */ - test_ecdsa (&nettle_secp_224r1, + test_ecdsa (&_nettle_secp_224r1, "446df0a771ed58403ca9cb316e617f6b" "158420465d00a69601e22858", /* z */ 
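Review bot: The new 448-bit branch hard-codes `39081` and the sign in its arithmetic without naming the curve parameter, and it relies on `lhs` already holding y² from code outside this hunk, which the comment does not say. A comment at the top of the branch would make the check auditable against the spec: `/* edwards448 (RFC 7748): x^2 + y^2 = 1 + d x^2 y^2 with d = -39081; lhs holds y^2 on entry. */`. The enclosing function starts outside this hunk, so I could not confirm where `lhs` is computed.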
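Review bot: The new secp-224r1 case in `ecdsa-sign-test.c` omits the `/* z */` and `/* k */` labels that every other `test_ecdsa` call in this file carries, so the bare `"2"` argument reads as a mystery constant even though the comment above explains it is the nonce. Label it like the others: `"43d72d82fa7721d2e805e5e6", /* z */` and `"2", /* k */`. Since the whole point of the vector is a fixed nonce, a parenthetical `(nonce k = 2; never do this outside a test)` in the leading comment would not hurt either.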
@@ -93,7 +106,7 @@ "f2715c38a95c31a2b486995f"); /* s */ /* From RFC 4754 */ - test_ecdsa (&nettle_secp_256r1, + test_ecdsa (&_nettle_secp_256r1, "DC51D386 6A15BACD E33D96F9 92FCA99D" "A7E6EF09 34E70975 59C27F16 14C88A7F", /* z */ @@ -108,7 +121,7 @@ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ - test_ecdsa (&nettle_secp_384r1, + test_ecdsa (&_nettle_secp_384r1, "0BEB6466 34BA8773 5D77AE48 09A0EBEA" "865535DE 4C1E1DCB 692E8470 8E81A5AF" "62E528C3 8B2A81B3 5309668D 73524D9F", /* z */ @@ -128,7 +141,7 @@ "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ - test_ecdsa (&nettle_secp_521r1, + test_ecdsa (&_nettle_secp_521r1, "0065FDA3 409451DC AB0A0EAD 45495112" "A3D813C1 7BFD34BD F8C1209D 7DF58491" "20597779 060A7FF9 D704ADF7 8B570FFA" @@ -156,18 +169,4 @@ "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - /* Non-standard ecdsa using curve25519. Not interop-tested with - anything else. */ - test_ecdsa (&_nettle_curve25519, - "1db511101b8fd16f e0212c5679ef53f3" - "323bde77f9efa442 617314d576d1dbcb", /* z */ - "aa2fa8facfdc3a99 ec466d41a2c9211c" - "e62e1706f54037ff 8486e26153b0fa79", /* k */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ } diff -Nru nettle-3.4.1/testsuite/ecdsa-verify-test.c nettle-3.7.3/testsuite/ecdsa-verify-test.c --- nettle-3.4.1/testsuite/ecdsa-verify-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ecdsa-verify-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -46,7 +46,7 @@ mpz_combit (signature.r, ecc->p.bit_size / 3); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { - fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); + fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (r modified).\n"); goto fail; } mpz_combit (signature.r, ecc->p.bit_size / 3); @@ -54,7 +54,7 @@ mpz_combit (signature.s, 4*ecc->p.bit_size / 5); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { - fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); + fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (s modified).\n"); goto fail; } mpz_combit (signature.s, 4*ecc->p.bit_size / 5); @@ -62,7 +62,7 @@ h->data[2*h->length / 3] ^= 0x40; if (ecdsa_verify (&pub, h->length, h->data, &signature)) { - fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); + fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (h modified).\n"); goto fail; } h->data[2*h->length / 3] ^= 0x40; 
@@ -81,8 +81,36 @@ void test_main (void) { + /* Corresponds to nonce k = 2 and private key z = + 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and + hash are chosen so that intermediate scalars in the verify + equations are u1 = 0x6b245680e700, u2 = + 259da6542d4ba7d21ad916c3bd57f811. These values require canonical + reduction of the scalars. Bug caused by missing canonical + reduction reported by Guido Vranken. */ + test_ecdsa (&_nettle_secp_224r1, + "9e7e6cc6b1bdfa8ee039b66ad85e5490" + "7be706a900a3cba1c8fdd014", /* x */ + "74855db3f7c1b4097ae095745fc915e3" + "8a79d2a1de28f282eafb22ba", /* y */ + + SHEX("cdb887ac805a3b42e22d224c85482053" + "16c755d4a736bb2032c92553"), + "706a46dc76dcb76798e60e6d89474788" + "d16dc18032d268fd1a704fa6", /* r */ + "3a41e1423b1853e8aa89747b1f987364" + "44705d6d6d8371ea1f578f2e"); /* s */ + + /* Test case provided by Guido Vranken, from oss-fuzz */ + test_ecdsa (&_nettle_secp_192r1, + "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */ + " 1e2584 2ab8b2b0 4017f655 1b5e4058 a2aa0612 2dae9344", /* y */ + SHEX("00"), /* h == 0 corner case*/ + "952800792ed19341fdeeec047f2514f3b0f150d6066151fb", /* r */ + "ec5971222014878b50d7a19d8954bc871e7e65b00b860ffb"); /* s */ + /* From RFC 4754 */ - test_ecdsa (&nettle_secp_256r1, + test_ecdsa (&_nettle_secp_256r1, "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" "BF42D60C BCA20085 E0822CB0 4235E970", /* x */ @@ -97,7 +125,7 @@ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ - test_ecdsa (&nettle_secp_384r1, + test_ecdsa (&_nettle_secp_384r1, "96281BF8 DD5E0525 CA049C04 8D345D30" "82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922", /* x */ @@ -117,7 +145,7 @@ "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ - test_ecdsa (&nettle_secp_521r1, + test_ecdsa (&_nettle_secp_521r1, "0151518F 1AF0F563 517EDD54 85190DF9" "5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018" 
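Review bot: The oss-fuzz vector is documented only by its provenance; unlike the secp-224r1 case above it, the comment does not say what property it pins, so a future maintainer cannot tell whether removing or altering it loses coverage. From the arguments it is a signature over a single zero byte (`SHEX("00")`), i.e. the hash value h = 0 path in the verify equation, which the trailing comment hints at; say so in the leading comment: `/* Test case provided by Guido Vranken, from oss-fuzz: a valid signature over a single zero byte, exercising h == 0 in the verify equation. */`. Whether it also regresses a specific earlier bug is not visible here.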
@@ -145,17 +173,4 @@ "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - test_ecdsa (&_nettle_curve25519, - /* Public key corresponding to the key in ecdsa-sign-test */ - "59f8f317fd5f4e82 c02f8d4dec665fe1" - "230f83b8572638e1 b2ac34a30028e24d", /* x */ - "1902a72dc1a6525a 811b9c1845978d56" - "fd97dce5e278ebdd ec695349d7e41498", /* y */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ } diff -Nru nettle-3.4.1/testsuite/ed25519-test.c nettle-3.7.3/testsuite/ed25519-test.c --- nettle-3.4.1/testsuite/ed25519-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/ed25519-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -29,6 +29,8 @@ not, see http://www.gnu.org/licenses/. */ +#define _GNU_SOURCE + #include "testutils.h" #include diff -Nru nettle-3.4.1/testsuite/ed448-test.c nettle-3.7.3/testsuite/ed448-test.c --- nettle-3.4.1/testsuite/ed448-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/ed448-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,242 @@ +/* ed448-test.c + + Copyright (C) 2017 Daiki Ueno + Copyright (C) 2017 Red Hat, Inc. + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#define _GNU_SOURCE + +#include "testutils.h" + +#include + +#include "eddsa.h" + +#include "base16.h" + +static void +decode_hex (size_t length, uint8_t *dst, const char *src) +{ + struct base16_decode_ctx ctx; + size_t out_size; + base16_decode_init (&ctx); + ASSERT (base16_decode_update (&ctx, &out_size, dst, 2*length, src)); + ASSERT (out_size == length); + ASSERT (base16_decode_final (&ctx)); +} + +/* Processes a single line in the format of + http://ed25519.cr.yp.to/python/sign.input: + + sk pk : pk : m : s m : + + where sk (secret key) and pk (public key) are 57 bytes each, m is + variable size, and s is 114 bytes. All values hex encoded. 
+*/ +static void +test_one (const char *line) +{ + const char *p; + const char *mp; + uint8_t sk[ED448_KEY_SIZE]; + uint8_t pk[ED448_KEY_SIZE]; + uint8_t t[ED448_KEY_SIZE]; + uint8_t s[ED448_SIGNATURE_SIZE]; + uint8_t *msg; + size_t msg_size; + uint8_t s2[ED448_SIGNATURE_SIZE]; + + decode_hex (ED448_KEY_SIZE, sk, line); + + p = strchr (line, ':'); + ASSERT (p == line + 228); + p++; + decode_hex (ED448_KEY_SIZE, pk, p); + p = strchr (p, ':'); + ASSERT (p == line + 343); + mp = ++p; + p = strchr (p, ':'); + ASSERT (p); + ASSERT ((p - mp) % 2 == 0); + msg_size = (p - mp) / 2; + + decode_hex (ED448_SIGNATURE_SIZE, s, p+1); + + msg = xalloc (msg_size + 1); + msg[msg_size] = 'x'; + + decode_hex (msg_size, msg, mp); + + ed448_shake256_public_key (t, sk); + ASSERT (MEMEQ(ED448_KEY_SIZE, t, pk)); + + ed448_shake256_sign (pk, sk, msg_size, msg, s2); + ASSERT (MEMEQ (ED448_SIGNATURE_SIZE, s, s2)); + + ASSERT (ed448_shake256_verify (pk, msg_size, msg, s)); + + s2[ED448_SIGNATURE_SIZE/3] ^= 0x40; + ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s2)); + + memcpy (s2, s, ED448_SIGNATURE_SIZE); + s2[2*ED448_SIGNATURE_SIZE/3] ^= 0x40; + ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s2)); + + ASSERT (!ed448_shake256_verify (pk, msg_size + 1, msg, s)); + + if (msg_size > 0) + { + msg[msg_size-1] ^= 0x20; + ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s)); + } + free (msg); +} + +#ifndef HAVE_GETLINE +static ssize_t +getline(char **lineptr, size_t *n, FILE *f) +{ + size_t i; + int c; + if (!*lineptr) + { + *n = 500; + *lineptr = xalloc (*n); + } + + i = 0; + do + { + c = getc(f); + if (c < 0) + { + if (i > 0) + break; + return -1; + } + + (*lineptr) [i++] = c; + if (i == *n) + { + *n *= 2; + *lineptr = realloc (*lineptr, *n); + if (!*lineptr) + die ("Virtual memory exhausted.\n"); + } + } while (c != '\n'); + + (*lineptr) [i] = 0; + return i; +} +#endif + +void +test_main(void) +{ + const char *input = getenv ("ED448_SIGN_INPUT"); + if (input) + { + size_t buf_size; + 
char *buf; + FILE *f = fopen (input, "r"); + if (!f) + die ("Opening input file '%s' failed: %s\n", + input, strerror (errno)); + + for (buf = NULL; getline (&buf, &buf_size, f) >= 0; ) + test_one (buf); + + free (buf); + fclose (f); + } + else + { + /* Test vectors from RFC 8032. */ + /* Blank */ + test_one ("6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b" + "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180:" + "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180:" + ":" + "533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600" + ":"); + /* 1 octet */ + test_one ("c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e" + "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480:" + "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480:" + "03:" + "26b8f91727bd62897af15e41eb43c377efb9c610d48f2335cb0bd0087810f4352541b143c4b981b7e18f62de8ccdf633fc1bf037ab7cd779805e0dbcc0aae1cbcee1afb2e027df36bc04dcecbf154336c19f0af7e0a6472905e799f1953d2a0ff3348ab21aa4adafd1d234441cf807c03a00" + "03:"); + /* 11 octets */ + test_one ("cd23d24f714274e744343237b93290f511f6425f98e64459ff203e8985083ffdf60500553abc0e05cd02184bdb89c4ccd67e187951267eb328" + "dcea9e78f35a1bf3499a831b10b86c90aac01cd84b67a0109b55a36e9328b1e365fce161d71ce7131a543ea4cb5f7e9f1d8b00696447001400:" + "dcea9e78f35a1bf3499a831b10b86c90aac01cd84b67a0109b55a36e9328b1e365fce161d71ce7131a543ea4cb5f7e9f1d8b00696447001400:" + "0c3e544074ec63b0265e0c:" + 
"1f0a8888ce25e8d458a21130879b840a9089d999aaba039eaf3e3afa090a09d389dba82c4ff2ae8ac5cdfb7c55e94d5d961a29fe0109941e00b8dbdeea6d3b051068df7254c0cdc129cbe62db2dc957dbb47b51fd3f213fb8698f064774250a5028961c9bf8ffd973fe5d5c206492b140e00" + "0c3e544074ec63b0265e0c:"); + /* 12 octets */ + test_one ("258cdd4ada32ed9c9ff54e63756ae582fb8fab2ac721f2c8e676a72768513d939f63dddb55609133f29adf86ec9929dccb52c1c5fd2ff7e21b" + "3ba16da0c6f2cc1f30187740756f5e798d6bc5fc015d7c63cc9510ee3fd44adc24d8e968b6e46e6f94d19b945361726bd75e149ef09817f580:" + "3ba16da0c6f2cc1f30187740756f5e798d6bc5fc015d7c63cc9510ee3fd44adc24d8e968b6e46e6f94d19b945361726bd75e149ef09817f580:" + "64a65f3cdedcdd66811e2915:" + "7eeeab7c4e50fb799b418ee5e3197ff6bf15d43a14c34389b59dd1a7b1b85b4ae90438aca634bea45e3a2695f1270f07fdcdf7c62b8efeaf00b45c2c96ba457eb1a8bf075a3db28e5c24f6b923ed4ad747c3c9e03c7079efb87cb110d3a99861e72003cbae6d6b8b827e4e6c143064ff3c00" + "64a65f3cdedcdd66811e2915:"); + /* 13 octets */ + test_one ("7ef4e84544236752fbb56b8f31a23a10e42814f5f55ca037cdcc11c64c9a3b2949c1bb60700314611732a6c2fea98eebc0266a11a93970100e" + "b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80:" + "b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80:" + "64a65f3cdedcdd66811e2915e7:" + "6a12066f55331b6c22acd5d5bfc5d71228fbda80ae8dec26bdd306743c5027cb4890810c162c027468675ecf645a83176c0d7323a2ccde2d80efe5a1268e8aca1d6fbc194d3f77c44986eb4ab4177919ad8bec33eb47bbb5fc6e28196fd1caf56b4e7e0ba5519234d047155ac727a1053100" + "64a65f3cdedcdd66811e2915e7:"); + /* 64 octets */ + test_one ("d65df341ad13e008567688baedda8e9dcdc17dc024974ea5b4227b6530e339bff21f99e68ca6968f3cca6dfe0fb9f4fab4fa135d5542ea3f01" + "df9705f58edbab802c7f8363cfe5560ab1c6132c20a9f1dd163483a26f8ac53a39d6808bf4a1dfbd261b099bb03b3fb50906cb28bd8a081f00:" + 
"df9705f58edbab802c7f8363cfe5560ab1c6132c20a9f1dd163483a26f8ac53a39d6808bf4a1dfbd261b099bb03b3fb50906cb28bd8a081f00:" + "bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944:" + "554bc2480860b49eab8532d2a533b7d578ef473eeb58c98bb2d0e1ce488a98b18dfde9b9b90775e67f47d4a1c3482058efc9f40d2ca033a0801b63d45b3b722ef552bad3b4ccb667da350192b61c508cf7b6b5adadc2c8d9a446ef003fb05cba5f30e88e36ec2703b349ca229c2670833900" + "bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944:"); + /* 256 octets */ + test_one ("2ec5fe3c17045abdb136a5e6a913e32ab75ae68b53d2fc149b77e504132d37569b7e766ba74a19bd6162343a21c8590aa9cebca9014c636df5" + "79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00:" + "79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00:" + "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:" + "c650ddbb0601c19ca11439e1640dd931f43c518ea5bea70d3dcde5f4191fe53f00cf966546b72bcc7d58be2b9badef28743954e3a44a23f880e8d4f1cfce2d7a61452d26da05896f0a50da66a239a8a188b6d825b3305ad77b73fbac0836ecc60987fd08527c1a8e80d5823e65cafe2a3d00" + "15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11:"); + /* 1023 octets */ + test_one ("872d093780f5d3730df7c212664b37b8a0f24f56810daa8382cd4fa3f77634ec44dc54f1c2ed9bea86fafb7632d8be199ea165f5ad55dd9ce8" + 
"a81b2e8a70a5ac94ffdbcc9badfc3feb0801f258578bb114ad44ece1ec0e799da08effb81c5d685c0c56f64eecaef8cdf11cc38737838cf400:" + "a81b2e8a70a5ac94ffdbcc9badfc3feb0801f258578bb114ad44ece1ec0e799da08effb81c5d685c0c56f64eecaef8cdf11cc38737838cf400:" + "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" + "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" + "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:" + "e301345a41a39a4d72fff8df69c98075a0cc082b802fc9b2b6bc503f926b65bddf7f4c8f1cb49f6396afc8a70abe6d8aef0db478d4c6b2970076c6a0484fe76d76b3a97625d79f1ce240e7c576750d295528286f719b413de9ada3e8eb78ed573603ce30d8bb761785dc30dbc320869e1a00" + "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" + "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" + "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:"); + } +} diff -Nru nettle-3.4.1/testsuite/eddsa-compress-test.c nettle-3.7.3/testsuite/eddsa-compress-test.c --- nettle-3.4.1/testsuite/eddsa-compress-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/eddsa-compress-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -32,81 +32,91 @@ #include "testutils.h" #include "eddsa.h" +#include "eddsa-internal.h" #define COUNT 1000 void test_main (void) { - const struct ecc_curve *ecc = &_nettle_curve25519; gmp_randstate_t rands; - mp_size_t size, itch; - mpz_t zp, t; - mp_limb_t *s; - mp_limb_t *p; - mp_limb_t *pa1; - mp_limb_t *pa2; - mp_limb_t *scratch; - size_t clen; - uint8_t *c; - unsigned j; + unsigned i; gmp_randinit_default (rands); - size = ecc_size (ecc); - clen = 1 + ecc->p.bit_size / 8; - - mpz_roinit_n (zp, ecc->p.m, size); - - mpz_init (t); - s = xalloc_limbs (size); - p = xalloc_limbs (ecc_size_j (ecc)); - pa1 = xalloc_limbs (ecc_size_a (ecc)); - pa2 = xalloc_limbs (ecc_size_a (ecc)); - c = xalloc (clen); - - itch = _eddsa_decompress_itch (ecc); - if (itch < ecc->mul_g_itch) - itch = ecc->mul_g_itch; - - scratch = xalloc_limbs (itch); - - for (j = 0; j < COUNT; j++) + for (i = 0; ecc_curves[i]; i++) { - mpz_t x1, y1, x2, y2; + const struct ecc_curve *ecc = ecc_curves[i]; + mp_size_t size, itch; + mpz_t zp, t; + mp_limb_t *s; + mp_limb_t *p; + mp_limb_t *pa1; + mp_limb_t *pa2; + mp_limb_t *scratch; + size_t clen; + uint8_t *c; + unsigned j; + + if (!(ecc->p.bit_size == 255 || ecc->p.bit_size == 448)) + continue; + + size = ecc_size (ecc); + clen = 1 + ecc->p.bit_size / 8; + + mpz_roinit_n (zp, ecc->p.m, size); + + mpz_init (t); + s = xalloc_limbs (size); + p = xalloc_limbs (ecc_size_j (ecc)); + pa1 = xalloc_limbs (ecc_size_a (ecc)); + pa2 = xalloc_limbs (ecc_size_a (ecc)); + c = xalloc (clen); + + itch = _eddsa_decompress_itch (ecc); + if (itch < ecc->mul_g_itch) + itch = ecc->mul_g_itch; + ASSERT (_eddsa_compress_itch (ecc) <= itch); + + scratch = xalloc_limbs (itch); - mpz_urandomb (t, rands, ecc->q.bit_size); - mpz_limbs_copy (s, t, ecc->q.size); - ecc->mul_g (ecc, p, s, scratch); - _eddsa_compress (ecc, c, p, scratch); - ecc->h_to_a (ecc, 0, pa1, p, scratch); - _eddsa_decompress (ecc, pa2, c, scratch); - mpz_roinit_n (x1, pa1, size); - mpz_roinit_n (y1, pa1 + size, 
size); - mpz_roinit_n (x2, pa2, size); - mpz_roinit_n (y2, pa2 + size, size); - if (!(mpz_congruent_p (x1, x2, zp) - && mpz_congruent_p (y1, y2, zp))) + for (j = 0; j < COUNT; j++) { - fprintf (stderr, "eddsa compression failed:\nc = "); - print_hex (clen, c); - fprintf (stderr, "\np1 = 0x"); - mpz_out_str (stderr, 16, x1); - fprintf (stderr, ",\n 0x"); - mpz_out_str (stderr, 16, y1); - fprintf (stderr, "\np2 = 0x"); - mpz_out_str (stderr, 16, x2); - fprintf (stderr, ",\n 0x"); - mpz_out_str (stderr, 16, y2); - fprintf (stderr, "\n"); - abort (); + mpz_t x1, y1, x2, y2; + + mpz_urandomb (t, rands, ecc->q.bit_size); + mpz_limbs_copy (s, t, ecc->q.size); + ecc->mul_g (ecc, p, s, scratch); + _eddsa_compress (ecc, c, p, scratch); + ecc->h_to_a (ecc, 0, pa1, p, scratch); + _eddsa_decompress (ecc, pa2, c, scratch); + mpz_roinit_n (x1, pa1, size); + mpz_roinit_n (y1, pa1 + size, size); + mpz_roinit_n (x2, pa2, size); + mpz_roinit_n (y2, pa2 + size, size); + if (!(mpz_congruent_p (x1, x2, zp) + && mpz_congruent_p (y1, y2, zp))) + { + fprintf (stderr, "eddsa compression failed:\nc = "); + print_hex (clen, c); + fprintf (stderr, "\np1 = 0x"); + mpz_out_str (stderr, 16, x1); + fprintf (stderr, ",\n 0x"); + mpz_out_str (stderr, 16, y1); + fprintf (stderr, "\np2 = 0x"); + mpz_out_str (stderr, 16, x2); + fprintf (stderr, ",\n 0x"); + mpz_out_str (stderr, 16, y2); + fprintf (stderr, "\n"); + FAIL(); + } } + mpz_clear (t); + free (s); + free (p); + free (c); + free (pa1); + free (pa2); + free (scratch); } - mpz_clear (t); - free (s); - free (p); - free (c); - free (pa1); - free (pa2); - free (scratch); gmp_randclear (rands); } diff -Nru nettle-3.4.1/testsuite/eddsa-sign-test.c nettle-3.7.3/testsuite/eddsa-sign-test.c --- nettle-3.4.1/testsuite/eddsa-sign-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/eddsa-sign-test.c 2021-06-06 20:06:30.000000000 +0000 
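Review bot: `scratch` is sized as the larger of `_eddsa_decompress_itch` and `mul_g_itch` (with `_eddsa_compress_itch` asserted to fit), but the loop also passes it to `ecc->h_to_a`, whose scratch requirement is not folded into the maximum; if `h_to_a` can need more than either, the loop overruns `scratch`. This was inherited from the old code, but the hunk now runs it for two curves, so fold in whatever scratch size the curve struct declares for `h_to_a` (presumably a sibling of `mul_g_itch`) or assert it is no larger than `itch`, the same way `_eddsa_compress_itch` is handled. Selecting the Edwards curves by `bit_size == 255 || == 448` is fragile too; a comment `/* ecc_curves also holds the Weierstrass curves; only the Edwards ones can be compressed. */` would at least explain the filter.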
@@ -32,10 +32,13 @@ #include "testutils.h" #include "eddsa.h" +#include "eddsa-internal.h" +#include "sha3.h" static void test_eddsa_sign (const struct ecc_curve *ecc, - const struct nettle_hash *H, + const struct ecc_eddsa *eddsa, + void *ctx, const struct tstring *public, const struct tstring *private, const struct tstring *msg, @@ -44,7 +47,6 @@ mp_limb_t *scratch = xalloc_limbs (_eddsa_sign_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *signature = xalloc (2*nbytes); - void *ctx = xalloc (H->context_size); uint8_t *public_out = xalloc (nbytes); uint8_t *digest = xalloc (2*nbytes); const uint8_t *k1 = digest + nbytes; @@ -54,7 +56,7 @@ ASSERT (private->length == nbytes); ASSERT (ref->length == 2*nbytes); - _eddsa_expand_key (ecc, H, ctx, private->data, + _eddsa_expand_key (ecc, eddsa, ctx, private->data, digest, k2); _eddsa_public_key (ecc, k2, public_out, scratch); @@ -68,9 +70,8 @@ fprintf (stderr, "\n"); abort (); } - H->update (ctx, nbytes, k1); - - _eddsa_sign (ecc, H, public->data, ctx, k2, + _eddsa_sign (ecc, eddsa, ctx, + public->data, k1, k2, msg->length, msg->data, signature, scratch); if (!MEMEQ (2*nbytes, signature, ref->data)) 
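Review bot: `test_eddsa_sign` now takes a caller-supplied `void *ctx` and no longer owns it, but nothing documents that the context must be initialized for the hash `eddsa` expects before the call and that the function consumes it through `_eddsa_expand_key` and `_eddsa_sign`. Add a note above the signature: `/* ctx: caller-initialized hash context matching eddsa (sha512 for ed25519, shake256 for ed448); updated by this function, so re-init before reuse. */`. Whether the two internal calls reset the context themselves is not visible here, so that last clause should be confirmed against eddsa-internal.h; the rest of this function's body is in the following hunks.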
@@ -94,50 +95,128 @@ free (scratch); free (signature); - free (ctx); free (digest); free (k2); free (public_out); } -void test_main (void) +static void +test_ed25519_sign (const struct tstring *public, + const struct tstring *private, + const struct tstring *msg, + const struct tstring *ref) +{ + struct sha512_ctx ctx; + + sha512_init (&ctx); + test_eddsa_sign (&_nettle_curve25519, &_nettle_ed25519_sha512, &ctx, + public, private, msg, ref); +} + +static void +test_ed448_sign (const struct tstring *public, + const struct tstring *private, + const struct tstring *msg, + const struct tstring *ref) +{ + struct sha3_256_ctx ctx; + + sha3_256_init (&ctx); + test_eddsa_sign (&_nettle_curve448, &_nettle_ed448_shake256, &ctx, + public, private, msg, ref); +} + +void +test_main (void) { /* Based on a few of the test vectors at http://ed25519.cr.yp.to/python/sign.input */ - test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, - SHEX("d75a980182b10ab7 d54bfed3c964073a" - "0ee172f3daa62325 af021a68f707511a"), - SHEX("9d61b19deffd5a60 ba844af492ec2cc4" - "4449c5697b326919 703bac031cae7f60"), + test_ed25519_sign (SHEX("d75a980182b10ab7 d54bfed3c964073a" + "0ee172f3daa62325 af021a68f707511a"), + SHEX("9d61b19deffd5a60 ba844af492ec2cc4" + "4449c5697b326919 703bac031cae7f60"), + SHEX(""), + SHEX("e5564300c360ac72 9086e2cc806e828a" + "84877f1eb8e5d974 d873e06522490155" + "5fb8821590a33bac c61e39701cf9b46b" + "d25bf5f0595bbe24 655141438e7a100b")); + test_ed25519_sign (SHEX("3d4017c3e843895a 92b70aa74d1b7ebc" + "9c982ccf2ec4968c c0cd55f12af4660c"), + SHEX("4ccd089b28ff96da 9db6c346ec114e0f" + "5b8a319f35aba624 da8cf6ed4fb8a6fb"), + SHEX("72"), + SHEX("92a009a9f0d4cab8 720e820b5f642540" + "a2b27b5416503f8f b3762223ebdb69da" + "085ac1e43e15996e 458f3613d0f11d8c" + "387b2eaeb4302aee b00d291612bb0c00")); + test_ed25519_sign (SHEX("1ed506485b09a645 0be7c9337d9fe87e" + "f99c96f8bd11cd63 1ca160d0fd73067e"), + SHEX("f215d34fe2d757cf f9cf5c05430994de" + "587987ce45cb0459 f61ec6c825c62259"), + 
SHEX("fbed2a7df418ec0e 8036312ec239fcee" + "6ef97dc8c2df1f2e 14adee287808b788" + "a6072143b851d975 c8e8a0299df846b1" + "9113e38cee83da71 ea8e9bd6f57bdcd3" + "557523f4feb616ca a595aea01eb0b3d4" + "90b99b525ea4fbb9 258bc7fbb0deea8f" + "568cb2"), + SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c" + "99df1340cce54626 183144ef46887163" + "4b0a5c0033534108 e1c67c0dc99d3014" + "f01084e98c95e101 4b309b1dbb2e6704")); + /* Based on a few of the test vectors from RFC 8032 */ + test_ed448_sign (SHEX("5fd7449b59b461fd 2ce787ec616ad46a" + "1da1342485a70e1f 8a0ea75d80e96778" + "edf124769b46c706 1bd6783df1e50f6c" + "d1fa1abeafe82561 80"), + SHEX("6c82a562cb808d10 d632be89c8513ebf" + "6c929f34ddfa8c9f 63c9960ef6e348a3" + "528c8a3fcc2f044e 39a3fc5b94492f8f" + "032e7549a20098f9 5b"), SHEX(""), - SHEX("e5564300c360ac72 9086e2cc806e828a" - "84877f1eb8e5d974 d873e06522490155" - "5fb8821590a33bac c61e39701cf9b46b" - "d25bf5f0595bbe24 655141438e7a100b")); - test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, - SHEX("3d4017c3e843895a 92b70aa74d1b7ebc" - "9c982ccf2ec4968c c0cd55f12af4660c"), - SHEX("4ccd089b28ff96da 9db6c346ec114e0f" - "5b8a319f35aba624 da8cf6ed4fb8a6fb"), - SHEX("72"), - SHEX("92a009a9f0d4cab8 720e820b5f642540" - "a2b27b5416503f8f b3762223ebdb69da" - "085ac1e43e15996e 458f3613d0f11d8c" - "387b2eaeb4302aee b00d291612bb0c00")); - test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, - SHEX("1ed506485b09a645 0be7c9337d9fe87e" - "f99c96f8bd11cd63 1ca160d0fd73067e"), - SHEX("f215d34fe2d757cf f9cf5c05430994de" - "587987ce45cb0459 f61ec6c825c62259"), - SHEX("fbed2a7df418ec0e 8036312ec239fcee" - "6ef97dc8c2df1f2e 14adee287808b788" - "a6072143b851d975 c8e8a0299df846b1" - "9113e38cee83da71 ea8e9bd6f57bdcd3" - "557523f4feb616ca a595aea01eb0b3d4" - "90b99b525ea4fbb9 258bc7fbb0deea8f" - "568cb2"), - SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c" - "99df1340cce54626 183144ef46887163" - "4b0a5c0033534108 e1c67c0dc99d3014" - "f01084e98c95e101 4b309b1dbb2e6704")); + SHEX("533a37f6bbe45725 
1f023c0d88f976ae" + "2dfb504a843e34d2 074fd823d41a591f" + "2b233f034f628281 f2fd7a22ddd47d78" + "28c59bd0a21bfd39 80ff0d2028d4b18a" + "9df63e006c5d1c2d 345b925d8dc00b41" + "04852db99ac5c7cd da8530a113a0f4db" + "b61149f05a736326 8c71d95808ff2e65" + "2600")); + test_ed448_sign (SHEX("43ba28f430cdff45 6ae531545f7ecd0a" + "c834a55d9358c037 2bfa0c6c6798c086" + "6aea01eb00742802 b8438ea4cb82169c" + "235160627b4c3a94 80"), + SHEX("c4eab05d357007c6 32f3dbb48489924d" + "552b08fe0c353a0d 4a1f00acda2c463a" + "fbea67c5e8d2877c 5e3bc397a659949e" + "f8021e954e0a1227 4e"), + SHEX("03"), + SHEX("26b8f91727bd6289 7af15e41eb43c377" + "efb9c610d48f2335 cb0bd0087810f435" + "2541b143c4b981b7 e18f62de8ccdf633" + "fc1bf037ab7cd779 805e0dbcc0aae1cb" + "cee1afb2e027df36 bc04dcecbf154336" + "c19f0af7e0a64729 05e799f1953d2a0f" + "f3348ab21aa4adaf d1d234441cf807c0" + "3a00")); + test_ed448_sign (SHEX("df9705f58edbab80 2c7f8363cfe5560a" + "b1c6132c20a9f1dd 163483a26f8ac53a" + "39d6808bf4a1dfbd 261b099bb03b3fb5" + "0906cb28bd8a081f 00"), + SHEX("d65df341ad13e008 567688baedda8e9d" + "cdc17dc024974ea5 b4227b6530e339bf" + "f21f99e68ca6968f 3cca6dfe0fb9f4fa" + "b4fa135d5542ea3f 01"), + SHEX("bd0f6a3747cd561b dddf4640a332461a" + "4a30a12a434cd0bf 40d766d9c6d458e5" + "512204a30c17d1f5 0b5079631f64eb31" + "12182da300583546 1113718d1a5ef944"), + SHEX("554bc2480860b49e ab8532d2a533b7d5" + "78ef473eeb58c98b b2d0e1ce488a98b1" + "8dfde9b9b90775e6 7f47d4a1c3482058" + "efc9f40d2ca033a0 801b63d45b3b722e" + "f552bad3b4ccb667 da350192b61c508c" + "f7b6b5adadc2c8d9 a446ef003fb05cba" + "5f30e88e36ec2703 b349ca229c267083" + "3900")); } diff -Nru nettle-3.4.1/testsuite/eddsa-verify-test.c nettle-3.7.3/testsuite/eddsa-verify-test.c --- nettle-3.4.1/testsuite/eddsa-verify-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/eddsa-verify-test.c 2021-06-06 20:06:30.000000000 +0000 
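Review bot: In `test_ed448_sign` the context is declared `struct sha3_256_ctx` and initialised with `sha3_256_init`, yet it is paired with `_nettle_ed448_shake256`, and nothing explains why a SHA3-256 context serves SHAKE256; a comment on the declaration such as `/* SHAKE256 runs on the same sponge state as SHA3-256, so sha3_256_ctx is the expected context type. */` would answer the obvious question (nettle's shake256 entry point does take a `struct sha3_256_ctx`, so I read this as intended rather than a mismatch). The same wrapper appears as `test_ed448` in the eddsa-verify-test.c hunk starting at `@@ -121,40 +123,103 @@`, where the same comment belongs. The `/* Based on a few of the test vectors from RFC 8032 */` line would also be more useful if it named the section (the Ed448 vectors are in RFC 8032 §7.4), since the Ed25519 comment above it gives a concrete URL.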
@@ -32,10 +32,13 @@ #include "testutils.h" #include "eddsa.h" +#include "eddsa-internal.h" +#include "sha3.h" static void test_eddsa (const struct ecc_curve *ecc, - const struct nettle_hash *H, + const struct ecc_eddsa *eddsa, + void *ctx, const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) @@ -45,13 +48,12 @@ size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *cmsg = xalloc (msg->length); uint8_t *csignature = xalloc (2*nbytes); - void *ctx = xalloc (H->context_size); if (!_eddsa_decompress (ecc, A, pub, scratch)) die ("Invalid eddsa public key.\n"); memcpy (csignature, signature, 2*nbytes); - if (!_eddsa_verify (ecc, H, pub, A, ctx, + if (!_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "eddsa_verify failed with valid signature.\n"); @@ -68,7 +70,7 @@ memcpy (csignature, signature, 2*nbytes); csignature[nbytes/3] ^= 0x40; - if (_eddsa_verify (ecc, H, pub, A, ctx, + if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, @@ -79,7 +81,7 @@ memcpy (csignature, signature, 2*nbytes); csignature[5*nbytes/3] ^= 0x8; - if (_eddsa_verify (ecc, H, pub, A, ctx, + if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, @@ -89,7 +91,7 @@ if (msg->length == 0) { - if (_eddsa_verify (ecc, H, pub, A, ctx, + if (_eddsa_verify (ecc, eddsa, pub, A, ctx, LDATA("foo"), signature, scratch)) { fprintf (stderr, @@ -99,7 +101,7 @@ } else { - if (_eddsa_verify (ecc, H, pub, A, ctx, + if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length - 1, msg->data, signature, scratch)) { @@ -109,7 +111,7 @@ } memcpy (cmsg, msg->data, msg->length); cmsg[2*msg->length / 3] ^= 0x20; - if (_eddsa_verify (ecc, H, pub, A, ctx, + if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, cmsg, signature, scratch)) { fprintf (stderr, 
@@ -121,40 +123,103 @@ free (scratch); free (cmsg); free (csignature); - free (ctx); +} + +static void +test_ed25519 (const uint8_t *pub, + const struct tstring *msg, + const uint8_t *signature) +{ + struct sha512_ctx ctx; + + sha512_init (&ctx); + test_eddsa (&_nettle_curve25519, &_nettle_ed25519_sha512, &ctx, + pub, msg, signature); +} + +static void +test_ed448 (const uint8_t *pub, + const struct tstring *msg, + const uint8_t *signature) +{ + struct sha3_256_ctx ctx; + + sha3_256_init (&ctx); + test_eddsa (&_nettle_curve448, &_nettle_ed448_shake256, &ctx, + pub, msg, signature); } void test_main (void) { - test_eddsa (&_nettle_curve25519, &nettle_sha512, - H("d75a980182b10ab7 d54bfed3c964073a" - "0ee172f3daa62325 af021a68f707511a"), + test_ed25519 (H("d75a980182b10ab7 d54bfed3c964073a" + "0ee172f3daa62325 af021a68f707511a"), + SHEX(""), + H("e5564300c360ac72 9086e2cc806e828a" + "84877f1eb8e5d974 d873e06522490155" + "5fb8821590a33bac c61e39701cf9b46b" + "d25bf5f0595bbe24 655141438e7a100b")); + test_ed25519 (H("3d4017c3e843895a 92b70aa74d1b7ebc" + "9c982ccf2ec4968c c0cd55f12af4660c"), + SHEX("72"), + H("92a009a9f0d4cab8 720e820b5f642540" + "a2b27b5416503f8f b3762223ebdb69da" + "085ac1e43e15996e 458f3613d0f11d8c" + "387b2eaeb4302aee b00d291612bb0c00")); + test_ed25519 (H("1ed506485b09a645 0be7c9337d9fe87e" + "f99c96f8bd11cd63 1ca160d0fd73067e"), + SHEX("fbed2a7df418ec0e 8036312ec239fcee" + "6ef97dc8c2df1f2e 14adee287808b788" + "a6072143b851d975 c8e8a0299df846b1" + "9113e38cee83da71 ea8e9bd6f57bdcd3" + "557523f4feb616ca a595aea01eb0b3d4" + "90b99b525ea4fbb9 258bc7fbb0deea8f" + "568cb2"), + H("cbef65b6f3fd5809 69fc3340cfae4f7c" + "99df1340cce54626 183144ef46887163" + "4b0a5c0033534108 e1c67c0dc99d3014" + "f01084e98c95e101 4b309b1dbb2e6704")); + /* Based on a few of the test vectors from RFC 8032 */ + test_ed448 (H("5fd7449b59b461fd 2ce787ec616ad46a" + "1da1342485a70e1f 8a0ea75d80e96778" + "edf124769b46c706 1bd6783df1e50f6c" + "d1fa1abeafe82561 80"), SHEX(""), - 
H("e5564300c360ac72 9086e2cc806e828a" - "84877f1eb8e5d974 d873e06522490155" - "5fb8821590a33bac c61e39701cf9b46b" - "d25bf5f0595bbe24 655141438e7a100b")); - test_eddsa (&_nettle_curve25519, &nettle_sha512, - H("3d4017c3e843895a 92b70aa74d1b7ebc" - "9c982ccf2ec4968c c0cd55f12af4660c"), - SHEX("72"), - H("92a009a9f0d4cab8 720e820b5f642540" - "a2b27b5416503f8f b3762223ebdb69da" - "085ac1e43e15996e 458f3613d0f11d8c" - "387b2eaeb4302aee b00d291612bb0c00")); - test_eddsa (&_nettle_curve25519, &nettle_sha512, - H("1ed506485b09a645 0be7c9337d9fe87e" - "f99c96f8bd11cd63 1ca160d0fd73067e"), - SHEX("fbed2a7df418ec0e 8036312ec239fcee" - "6ef97dc8c2df1f2e 14adee287808b788" - "a6072143b851d975 c8e8a0299df846b1" - "9113e38cee83da71 ea8e9bd6f57bdcd3" - "557523f4feb616ca a595aea01eb0b3d4" - "90b99b525ea4fbb9 258bc7fbb0deea8f" - "568cb2"), - H("cbef65b6f3fd5809 69fc3340cfae4f7c" - "99df1340cce54626 183144ef46887163" - "4b0a5c0033534108 e1c67c0dc99d3014" - "f01084e98c95e101 4b309b1dbb2e6704")); + H("533a37f6bbe45725 1f023c0d88f976ae" + "2dfb504a843e34d2 074fd823d41a591f" + "2b233f034f628281 f2fd7a22ddd47d78" + "28c59bd0a21bfd39 80ff0d2028d4b18a" + "9df63e006c5d1c2d 345b925d8dc00b41" + "04852db99ac5c7cd da8530a113a0f4db" + "b61149f05a736326 8c71d95808ff2e65" + "2600")); + test_ed448 (H("43ba28f430cdff45 6ae531545f7ecd0a" + "c834a55d9358c037 2bfa0c6c6798c086" + "6aea01eb00742802 b8438ea4cb82169c" + "235160627b4c3a94 80"), + SHEX("03"), + H("26b8f91727bd6289 7af15e41eb43c377" + "efb9c610d48f2335 cb0bd0087810f435" + "2541b143c4b981b7 e18f62de8ccdf633" + "fc1bf037ab7cd779 805e0dbcc0aae1cb" + "cee1afb2e027df36 bc04dcecbf154336" + "c19f0af7e0a64729 05e799f1953d2a0f" + "f3348ab21aa4adaf d1d234441cf807c0" + "3a00")); + test_ed448 (H("df9705f58edbab80 2c7f8363cfe5560a" + "b1c6132c20a9f1dd 163483a26f8ac53a" + "39d6808bf4a1dfbd 261b099bb03b3fb5" + "0906cb28bd8a081f 00"), + SHEX("bd0f6a3747cd561b dddf4640a332461a" + "4a30a12a434cd0bf 40d766d9c6d458e5" + "512204a30c17d1f5 0b5079631f64eb31" + 
"12182da300583546 1113718d1a5ef944"), + H("554bc2480860b49e ab8532d2a533b7d5" + "78ef473eeb58c98b b2d0e1ce488a98b1" + "8dfde9b9b90775e6 7f47d4a1c3482058" + "efc9f40d2ca033a0 801b63d45b3b722e" + "f552bad3b4ccb667 da350192b61c508c" + "f7b6b5adadc2c8d9 a446ef003fb05cba" + "5f30e88e36ec2703 b349ca229c267083" + "3900")); } diff -Nru nettle-3.4.1/testsuite/gcm-test.c nettle-3.7.3/testsuite/gcm-test.c --- nettle-3.4.1/testsuite/gcm-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/gcm-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -1,3 +1,6 @@ +/* This file tests deprecated functions */ +#define _NETTLE_ATTRIBUTE_DEPRECATED + #include "testutils.h" #include "nettle-internal.h" #include "gcm.h" @@ -167,6 +170,29 @@ "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); + /* Test 128 bytes */ + test_aead(&nettle_gcm_aes128, NULL, + SHEX("feffe9928665731c6d6a8f9467308308"), + SHEX(""), + SHEX("d9313225f88406e5a55909c5aff5269a" + "86a7a9531534f7da2e4c303d8a318a72" + "1c3c0c95956809532fcf0e2449a6b525" + "b16aedf5aa0de657ba637b391aafd255" + "5ae376bc5e9f6a1b08e34db7a6ee0736" + "9ba662ea12f6f197e6bc3ed69d2480f3" + "ea5691347f2ba69113eb37910ebc18c8" + "0f697234582016fa956ca8f63ae6b473"), + SHEX("42831ec2217774244b7221b784d0d49c" + "e3aa212f2c02a4e035c17e2329aca12e" + "21d514b25466931c7d8f6a5aac84aa05" + "1ba30b396a0aac973d58e091473f5985" + "874b1178906ddbeab04ab2fe6cce8c57" + "8d7e961bd13fd6a8c56b66ca5e576492" + "1a48cd8bda04e66343e73055118b69b9" + "ced486813846958a11e602c03cfc232b"), + SHEX("cafebabefacedbaddecaf888"), + SHEX("796836f1246c9d735c5e1be0a715ccc3")); + /* Test case 7 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000" diff -Nru nettle-3.4.1/testsuite/gostdsa-keygen-test.c nettle-3.7.3/testsuite/gostdsa-keygen-test.c --- nettle-3.4.1/testsuite/gostdsa-keygen-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/gostdsa-keygen-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,155 @@ +#include "testutils.h" +#include "gostdsa.h" +#include "knuth-lfib.h" + +/* Check if y^2 = x^3 - 3x + b */ +static int +ecc_valid_p (struct ecc_point *pub) +{ + mpz_t t, x, y; + mpz_t lhs, rhs; + int res; + mp_size_t size; + + size = pub->ecc->p.size; + + /* First check range */ + if (mpn_cmp (pub->p, pub->ecc->p.m, size) >= 0 + || mpn_cmp (pub->p + size, pub->ecc->p.m, size) >= 0) + return 0; + + mpz_init (lhs); + mpz_init (rhs); + + mpz_roinit_n (x, pub->p, size); + mpz_roinit_n (y, pub->p + size, size); + + mpz_mul (lhs, y, y); + + if (pub->ecc->p.bit_size == 255) + { + /* Check that + 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ + mpz_t x2; + mpz_init (x2); + mpz_mul (x2, x, x); /* x^2 */ + mpz_mul (rhs, x2, lhs); /* x^2 y^2 */ + mpz_sub (lhs, x2, lhs); /* x^2 - y^2 */ + mpz_add_ui (lhs, lhs, 1); /* 1 + x^2 - y^2 */ + mpz_mul_ui (lhs, lhs, 121666); + mpz_mul_ui (rhs, rhs, 121665); + + mpz_clear (x2); + } + else if (pub->ecc->p.bit_size == 448) + { + /* Check that + x^2 + y^2 = 1 - 39081 x^2 y^2 */ + mpz_t x2, d; + mpz_init (x2); + mpz_init_set_ui (d, 39081); + mpz_mul (x2, x, x); /* x^2 */ + mpz_mul (d, d, x2); /* 39081 x^2 */ + mpz_set_ui (rhs, 1); + mpz_submul (rhs, d, lhs); /* 1 - 39081 x^2 y^2 */ + mpz_add (lhs, x2, lhs); /* x^2 + y^2 */ + + mpz_clear (d); + mpz_clear (x2); + } + else + { + /* Check y^2 = x^3 - 3 x + b */ + mpz_mul (rhs, x, x); + mpz_sub_ui (rhs, rhs, 3); + mpz_mul (rhs, rhs, x); + mpz_add (rhs, rhs, mpz_roinit_n (t, pub->ecc->b, size)); + } + res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, pub->ecc->p.m, size)); + + mpz_clear (lhs); + mpz_clear (rhs); + + return res; +} + +void +test_main (void) +{ + unsigned i; + struct knuth_lfib_ctx rctx; + struct dsa_signature signature; + + struct tstring *digest; + + knuth_lfib_init (&rctx, 4711); + dsa_signature_init (&signature); + + digest = SHEX (/* sha256("abc") */ + "BA7816BF 8F01CFEA 414140DE 5DAE2223" + "B00361A3 96177A9C B410FF61 F20015AD"); + + for (i = 0; ecc_curves[i]; 
i++) + { + const struct ecc_curve *ecc = ecc_curves[i]; + struct ecc_point pub; + struct ecc_scalar key; + + if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) + /* Exclude curve25519 and curve448, not supported with GOSTDSA. */ + continue; + + if (verbose) + fprintf (stderr, "Curve %d\n", ecc->p.bit_size); + + ecc_point_init (&pub, ecc); + ecc_scalar_init (&key, ecc); + + ecdsa_generate_keypair (&pub, &key, + &rctx, + (nettle_random_func *) knuth_lfib_random); + + if (verbose) + { + fprintf (stderr, "Public key:\nx = "); + write_mpn (stderr, 16, pub.p, ecc->p.size); + fprintf (stderr, "\ny = "); + write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); + fprintf (stderr, "\nPrivate key: "); + write_mpn (stderr, 16, key.p, ecc->p.size); + fprintf (stderr, "\n"); + } + if (!ecc_valid_p (&pub)) + die ("gostdsa_generate_keypair produced an invalid point.\n"); + + gostdsa_sign (&key, + &rctx, (nettle_random_func *) knuth_lfib_random, + digest->length, digest->data, + &signature); + + if (!gostdsa_verify (&pub, digest->length, digest->data, + &signature)) + die ("gostdsa_verify failed.\n"); + + digest->data[3] ^= 17; + if (gostdsa_verify (&pub, digest->length, digest->data, + &signature)) + die ("gostdsa_verify returned success with invalid digest.\n"); + digest->data[3] ^= 17; + + mpz_combit (signature.r, 117); + if (gostdsa_verify (&pub, digest->length, digest->data, + &signature)) + die ("gostdsa_verify returned success with invalid signature.r.\n"); + + mpz_combit (signature.r, 117); + mpz_combit (signature.s, 93); + if (gostdsa_verify (&pub, digest->length, digest->data, + &signature)) + die ("gostdsa_verify returned success with invalid signature.s.\n"); + + ecc_point_clear (&pub); + ecc_scalar_clear (&key); + } + dsa_signature_clear (&signature); +} diff -Nru nettle-3.4.1/testsuite/gostdsa-sign-test.c nettle-3.7.3/testsuite/gostdsa-sign-test.c --- nettle-3.4.1/testsuite/gostdsa-sign-test.c 1970-01-01 00:00:00.000000000 +0000 +++ 
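Review bot: `die ("gostdsa_generate_keypair produced an invalid point.\n")` names a function this test never calls; the key comes from `ecdsa_generate_keypair`, so either change the message to say `ecdsa_generate_keypair` or add `/* GOST DSA keys are ordinary ECC keypairs, so the ECDSA generator is reused. */` above the call. `ecc_valid_p` carries Edwards-curve branches for `bit_size == 255` and `448`, but `test_main` `continue`s past exactly those curves, so the branches are unreachable here and only the `y^2 = x^3 - 3x + b` case in the header comment applies; drop them, or note that the helper is deliberately kept identical to a sibling test (presumably the ECDSA keygen test, which is not in this chunk). The bits flipped by `mpz_combit (signature.r, 117)` and `mpz_combit (signature.s, 93)` are fixed constants that are only meaningful while every curve the loop reaches has more than 117 bits; a one-line comment stating that assumption keeps the next curve addition honest.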
nettle-3.7.3/testsuite/gostdsa-sign-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,88 @@ +#include "testutils.h" +#include "gostdsa.h" + +static void +test_gostdsa (const struct ecc_curve *ecc, + /* Private key */ + const char *sz, + /* Random nonce */ + const char *sk, + /* Hash */ + const struct tstring *h, + /* Expected signature */ + const char *r, const char *s) +{ + struct dsa_signature ref; + mpz_t z; + mpz_t k; + mp_limb_t *rp = xalloc_limbs (ecc->p.size); + mp_limb_t *sp = xalloc_limbs (ecc->p.size); + mp_limb_t *scratch = xalloc_limbs (ecc_gostdsa_sign_itch (ecc)); + + dsa_signature_init (&ref); + + mpz_init_set_str (z, sz, 16); + mpz_init_set_str (k, sk, 16); + + ecc_gostdsa_sign (ecc, mpz_limbs_read_n (z, ecc->p.size), + mpz_limbs_read_n (k, ecc->p.size), + h->length, h->data, rp, sp, scratch); + + mpz_set_str (ref.r, r, 16); + mpz_set_str (ref.s, s, 16); + + if (mpz_limbs_cmp (ref.r, rp, ecc->p.size) != 0 + || mpz_limbs_cmp (ref.s, sp, ecc->p.size) != 0) + { + fprintf (stderr, "_gostdsa_sign failed, bit_size = %u\n", ecc->p.bit_size); + fprintf (stderr, "r = "); + write_mpn (stderr, 16, rp, ecc->p.size); + fprintf (stderr, "\ns = "); + write_mpn (stderr, 16, sp, ecc->p.size); + fprintf (stderr, "\nref.r = "); + mpz_out_str (stderr, 16, ref.r); + fprintf (stderr, "\nref.s = "); + mpz_out_str (stderr, 16, ref.s); + fprintf (stderr, "\n"); + abort(); + } + + free (rp); + free (sp); + free (scratch); + + dsa_signature_clear (&ref); + mpz_clear (k); + mpz_clear (z); +} + +void +test_main (void) +{ + test_gostdsa (nettle_get_gost_gc256b(), + "BFCF1D623E5CDD3032A7C6EABB4A923C46E43D640FFEAAF2C3ED39A8FA399924", /* z */ + + "5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C", /* k */ + + SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ + + "E9323A5E88DD87FB7C724383BFFE7CECD4B9FFA2AC33BEEF73A5A1F743404F6B", /* r */ + + "5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */ + + test_gostdsa (nettle_get_gost_gc512a(), + 
"3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" + "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B", /* z */ + + "72ABB44536656BF1618CE10BF7EADD40582304A51EE4E2A25A0A32CB0E773ABB" + "23B7D8FDD8FA5EEE91B4AE452F2272C86E1E2221215D405F51B5D5015616E1F6", /* k */ + + SHEX("EDC257BED45FDDE4F1457B7F5B19017A8F204184366689D938532CDBAA5CB29A" + "1D369DA57F8B983BE272219BD2C9A4FC57ECF7A77F34EE2E8AA553976A4766C0"), /* h */ + + "891AA75C2A6F3B4DE27E3903F61CBB0F3F85A4E3C62F39A6E4E84A7477679C6E" + "45008DC2774CA2FF64C12C0606FF918CAE3A50115440E9BF2971B627A882A1E8", /* r */ + + "31065479996DDBDEE180AFE22CA3CDC44B45CE4C6C83909D1D3B702922A32441" + "A9E11DCFBEA3D847C06B1A8A38EB1671D6C82FA21B79C99BE2EA809B10DAA5DF"); /* s */ +} diff -Nru nettle-3.4.1/testsuite/gostdsa-verify-test.c nettle-3.7.3/testsuite/gostdsa-verify-test.c --- nettle-3.4.1/testsuite/gostdsa-verify-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/gostdsa-verify-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,111 @@ +#include "testutils.h" +#include "gostdsa.h" + +static void +test_gostdsa (const struct ecc_curve *ecc, + /* Public key */ + const char *xs, const char *ys, + /* Hash */ + struct tstring *h, + /* Valid signature */ + const char *r, const char *s) +{ + struct ecc_point pub; + struct dsa_signature signature; + mpz_t x, y; + + ecc_point_init (&pub, ecc); + dsa_signature_init (&signature); + + mpz_init_set_str (x, xs, 16); + mpz_init_set_str (y, ys, 16); + + if (!ecc_point_set (&pub, x, y)) + die ("ecc_point_set failed.\n"); + + mpz_set_str (signature.r, r, 16); + mpz_set_str (signature.s, s, 16); + + if (!gostdsa_verify (&pub, h->length, h->data, &signature)) + { + fprintf (stderr, "gostdsa_verify failed with valid signature.\n"); + fail: + fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size); + mpz_out_str (stderr, 16, x); + fprintf (stderr, "\ny = "); + mpz_out_str (stderr, 16, y); + fprintf (stderr, "\ndigest "); + print_hex (h->length, h->data); + fprintf (stderr, "r = "); + mpz_out_str (stderr, 16, signature.r); + fprintf (stderr, "\ns = "); + mpz_out_str (stderr, 16, signature.s); + fprintf (stderr, "\n"); + abort(); + } + + mpz_combit (signature.r, ecc->p.bit_size / 3); + if (gostdsa_verify (&pub, h->length, h->data, &signature)) + { + fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); + goto fail; + } + mpz_combit (signature.r, ecc->p.bit_size / 3); + + mpz_combit (signature.s, 4*ecc->p.bit_size / 5); + if (gostdsa_verify (&pub, h->length, h->data, &signature)) + { + fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); + goto fail; + } + mpz_combit (signature.s, 4*ecc->p.bit_size / 5); + + h->data[2*h->length / 3] ^= 0x40; + if (gostdsa_verify (&pub, h->length, h->data, &signature)) + { + fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); + goto fail; + } + h->data[2*h->length / 3] ^= 0x40; + if (!gostdsa_verify (&pub, h->length, h->data, 
&signature)) + { + fprintf (stderr, "gostdsa_verify failed, internal testsuite error.\n"); + goto fail; + } + + ecc_point_clear (&pub); + dsa_signature_clear (&signature); + mpz_clear (x); + mpz_clear (y); +} + +void +test_main (void) +{ + test_gostdsa (nettle_get_gost_gc256b(), + "971566CEDA436EE7678F7E07E84EBB7217406C0B4747AA8FD2AB1453C3D0DFBA", /* x */ + + "AD58736965949F8E59830F8DE20FC6C0D177F6AB599874F1E2E24FF71F9CE643", /* y */ + + SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ + + "E9323A5E88DD87FB7C724383BFFE7CECD4B9FFA2AC33BEEF73A5A1F743404F6B", /* r */ + + "5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */ + + test_gostdsa (nettle_get_gost_gc512a(), + "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" + "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40", /* x */ + + "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1" + "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73", /* y */ + + SHEX("EDC257BED45FDDE4F1457B7F5B19017A8F204184366689D938532CDBAA5CB29A" + "1D369DA57F8B983BE272219BD2C9A4FC57ECF7A77F34EE2E8AA553976A4766C0"), /* h */ + + "891AA75C2A6F3B4DE27E3903F61CBB0F3F85A4E3C62F39A6E4E84A7477679C6E" + "45008DC2774CA2FF64C12C0606FF918CAE3A50115440E9BF2971B627A882A1E8", /* r */ + + "31065479996DDBDEE180AFE22CA3CDC44B45CE4C6C83909D1D3B702922A32441" + "A9E11DCFBEA3D847C06B1A8A38EB1671D6C82FA21B79C99BE2EA809B10DAA5DF"); /* s */ +} diff -Nru nettle-3.4.1/testsuite/gostdsa-vko-test.c nettle-3.7.3/testsuite/gostdsa-vko-test.c --- nettle-3.4.1/testsuite/gostdsa-vko-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/gostdsa-vko-test.c 2021-06-06 20:06:30.000000000 +0000 
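Review bot: The `fail:` label sits inside the body of the first `if` and is entered by `goto fail` from three later blocks; jumping into a compound statement is legal C but reads as a mistake, and the reporting code is clearer as a small static helper called from each site, as sketched below. `h` is declared non-const because the test flips `h->data[2*h->length / 3]` in place and restores it; a comment at the parameter, `/* not const: the digest is corrupted and restored below */`, explains the odd signature. As in gostdsa-sign-test.c, the results of `mpz_init_set_str` for `x` and `y` are unchecked; `ASSERT (... == 0)` on each would turn a typo in a vector into a clear failure.
```c
/* Prints the inputs of a failed verification and aborts. */
static void
report_failure (const struct ecc_curve *ecc, const mpz_t x, const mpz_t y,
		const struct tstring *h, const struct dsa_signature *signature)
{
  fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size);
  mpz_out_str (stderr, 16, x);
  fprintf (stderr, "\ny = ");
  mpz_out_str (stderr, 16, y);
  fprintf (stderr, "\ndigest ");
  print_hex (h->length, h->data);
  fprintf (stderr, "r = ");
  mpz_out_str (stderr, 16, signature->r);
  fprintf (stderr, "\ns = ");
  mpz_out_str (stderr, 16, signature->s);
  fprintf (stderr, "\n");
  abort ();
}

/* … unchanged: test_gostdsa setup (point, signature, x, y) … */
  if (!gostdsa_verify (&pub, h->length, h->data, &signature))
    {
      fprintf (stderr, "gostdsa_verify failed with valid signature.\n");
      report_failure (ecc, x, y, h, &signature);
    }
/* … unchanged: the three corrupted-input checks, each calling report_failure instead of goto fail … */
```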
@@ -0,0 +1,136 @@ +#include "testutils.h" +#include "gostdsa.h" +#include "streebog.h" + +static void +test_vko (const struct ecc_curve *ecc, + const char *priv, + const char *x, + const char *y, + const struct tstring *ukm, + const struct nettle_hash *hash, + void * hash_ctx, + const struct tstring *res) +{ + struct ecc_scalar ecc_key; + struct ecc_point ecc_pub; + mpz_t temp1, temp2; + uint8_t out[128]; + size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; + + ASSERT(out_len <= sizeof(out)); + + ecc_point_init (&ecc_pub, ecc); + mpz_init_set_str (temp1, x, 16); + mpz_init_set_str (temp2, y, 16); + ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); + + ecc_scalar_init (&ecc_key, ecc); + mpz_set_str (temp1, priv, 16); + ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); + + mpz_clear (temp1); + mpz_clear (temp2); + + gostdsa_vko (&ecc_key, &ecc_pub, + ukm->length, ukm->data, + out); + + ecc_scalar_clear (&ecc_key); + ecc_point_clear (&ecc_pub); + + if (hash) + { + hash->init (hash_ctx); + hash->update (hash_ctx, out_len, out); + hash->digest (hash_ctx, hash->digest_size, out); + + ASSERT (hash->digest_size == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } + else + { + ASSERT (out_len == res->length); + ASSERT (MEMEQ (res->length, out, res->data)); + } +} + +void +test_main (void) +{ + struct streebog256_ctx ctx_256; + struct streebog256_ctx ctx_512; + + /* RFC 7836, App B, provides test vectors, values there are little endian. + * + * However those test vectors depend on the availability of Streebog hash + * functions, which is not available (yet). So these test vectors capture + * the VKO value just before hash function. One can verify them by + * calculating the Streeebog function and comparing the result with RFC + * 7836, App B. 
*/ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + + test_vko(nettle_get_gost_gc512a(), + "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + NULL, + NULL, + SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" + "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" + "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" + "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); + + /* RFC 7836, App B, 7), values there are little endian, calculation for size A */ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + 
"793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + &nettle_streebog256, + &ctx_256, + SHEX("c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21")); + + /* RFC 7836, App B, 7), values there are little endian, calculation for size B */ + test_vko(nettle_get_gost_gc512a(), + "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + &nettle_streebog256, + &ctx_256, + SHEX("c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21")); + + /* RFC 7836, App B, 8), values there are little endian, calculation for size A */ + test_vko(nettle_get_gost_gc512a(), + "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", + "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", + "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", + SHEX("1d 80 60 3c 85 44 c7 27"), + &nettle_streebog512, + &ctx_512, + SHEX("79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa" + "7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df")); + + /* RFC 7836, App B, 8), values there are little endian, calculation for size B */ + test_vko(nettle_get_gost_gc512a(), + 
"dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", + "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", + "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", + SHEX("1d 80 60 3c 85 44 c7 27"), + &nettle_streebog512, + &ctx_512, + SHEX("79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa" + "7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df")); +} diff -Nru nettle-3.4.1/testsuite/gosthash94-test.c nettle-3.7.3/testsuite/gosthash94-test.c --- nettle-3.4.1/testsuite/gosthash94-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/gosthash94-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -17,4 +17,16 @@ test_hash(&nettle_gosthash94, SDATA(""), SHEX("ce85b99cc46752fffee35cab9a7b0278abb4c2d2055cff685af4912c49490f8d")); + + test_hash(&nettle_gosthash94cp, SDATA("The quick brown fox jumps over the lazy dog"), + SHEX("9004294a361a508c586fe53d1f1b02746765e71b765472786e4770d565830a76")); + + test_hash(&nettle_gosthash94cp, SDATA("message digest"), + SHEX("bc6041dd2aa401ebfa6e9886734174febdb4729aa972d60f549ac39b29721ba0")); + + test_hash(&nettle_gosthash94cp, SDATA("a"), + SHEX("e74c52dd282183bf37af0079c9f78055715a103f17e3133ceff1aacf2f403011")); + + test_hash(&nettle_gosthash94cp, SDATA(""), + SHEX("981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0")); } diff -Nru nettle-3.4.1/testsuite/hmac-test.c nettle-3.7.3/testsuite/hmac-test.c --- nettle-3.4.1/testsuite/hmac-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/hmac-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -24,12 +24,11 @@ /* Test vectors for md5, from RFC-2202 */ /* md5 - 1 */ - HMAC_TEST(md5, + test_mac (&nettle_hmac_md5, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("9294727a3638bb1c 13f48ef8158bfc9d")); - /* md5 - 2 */ HMAC_TEST(md5, SDATA("Jefe"), @@ -37,7 +36,7 @@ SHEX("750c783e6ab0b503 eaa86e310a5db738")); /* md5 - 3 */ - HMAC_TEST(md5, + test_mac(&nettle_hmac_md5, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" @@ -56,7 +55,7 @@ SHEX("697eaf0aca3a3aea 3a75164746ffaa79")); /* md5 - 5 */ - HMAC_TEST(md5, + test_mac(&nettle_hmac_md5, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), SHEX("56461ef2342edc00 f9bab995")); 
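Review bot: The converted md5-1 case is written `test_mac (&nettle_hmac_md5,` with a space before the parenthesis, while every other conversion in this file (md5-3 and md5-5 in the two hunks below, and the ripemd160/sha1/sha256/sha512 cases further down) uses `test_mac(&nettle_hmac_md5,`; the one-character fix is `test_mac(&nettle_hmac_md5,`. The conversion is also partial: md5-2 stays on `HMAC_TEST(md5, ...)`, so the file now mixes the generic `struct nettle_mac` path with the per-algorithm macro. If that mix is deliberate, so both interfaces are exercised, a short comment above the first converted case such as `/* Some cases go through the generic nettle_mac interface, the rest through the typed hmac_md5 API, so both are covered. */` would keep a later cleanup from unifying them. test_main's opening is outside this hunk.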
@@ -125,73 +124,73 @@ /* Test vectors for ripemd160, from http://homes.esat.kuleuven.be/~bosselae/ripemd160.html */ - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA(""), SHEX("cf387677bfda8483e63b57e06c3b5ecd8b7fc055")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("a"), SHEX("0d351d71b78e36dbb7391c810a0d2b6240ddbafc")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abc"), SHEX("f7ef288cb1bbcc6160d76507e0a3bbf712fb67d6")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("message digest"), SHEX("f83662cc8d339c227e600fcd636c57d2571b1c34")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("843d1c4eb880ac8ac0c9c95696507957d0155ddb")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("60f5ef198a2dd5745545c1f0c47aa3fb5776f881")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("e49c136a9e5627e0681b808a3b97e6a6e661ae79")); /* Other key */ - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA(""), SHEX("fe69a66c7423eea9c8fa2eff8d9dafb4f17a62f5")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("a"), SHEX("85743e899bc82dbfa36faaa7a25b7cfd372432cd")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abc"), SHEX("6e4afd501fa6b4a1823ca3b10bd9aa0ba97ba182")); - 
HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("message digest"), SHEX("2e066e624badb76a184c8f90fba053330e650e92")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("07e942aa4e3cd7c04dedc1d46e2e8cc4c741b3d9")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("b6582318ddcfb67a53a67d676b8ad869aded629a")); - HMAC_TEST(ripemd160, + test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("f1be3ee877703140d34f97ea1ab3a07c141333e2")); @@ -199,7 +198,7 @@ /* Test vectors for sha1, from RFC-2202 */ /* sha1 - 1 */ - HMAC_TEST(sha1, + test_mac(&nettle_hmac_sha1, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b 0b0b0b0b"), SDATA("Hi There"), SHEX("b617318655057264 e28bc0b6fb378c8e f146be00")); @@ -211,7 +210,7 @@ SHEX("effcdf6ae5eb2fa2 d27416d5f184df9c 259a7c79")); /* sha1 - 3 */ - HMAC_TEST(sha1, + test_mac(&nettle_hmac_sha1, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" @@ -230,7 +229,7 @@ SHEX("4c9007f4026250c6 bc8414f9bf50c86c 2d7235da")); /* sha1 - 5 */ - HMAC_TEST(sha1, + test_mac(&nettle_hmac_sha1, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("4c1a03424b55e07f e7f27be1")); 
@@ -256,47 +255,6 @@ "Than One Block-Size Data"), SHEX("e8e99d0f45237d78 6d6bbaa7965c7808 bbff1a91")); - /* Additional test vectors, from Daniel Kahn Gillmor */ - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA(""), - SHEX("e84db42a188813f30a15e611d64c7869")); - - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA("a"), - SHEX("123662062e67c2aab371cc49db0df134")); - - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA("38"), - SHEX("0a46cc10a49d4b7025c040c597bf5d76")); - - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA("abc"), - SHEX("d1f4d89f0e8b2b6ed0623c99ec298310")); - - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA("message digest"), - SHEX("1627207b9bed5009a4f6e9ca8d2ca01e")); - - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA("abcdefghijklmnopqrstuvwxyz"), - SHEX("922aae6ab3b3a29202e21ce5f916ae9a")); - - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), - SHEX("ede9cb83679ba82d88fbeae865b3f8fc")); - - HMAC_TEST(md5, - SDATA("monkey monkey monkey monkey"), - SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), - SHEX("939dd45512ee3a594b6654f6b8de27f7")); - /* Test vectors for sha224, from RFC 4231 */ HMAC_TEST(sha224, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" @@ -490,7 +448,7 @@ draft-ietf-ipsec-ciph-sha-256-01.txt */ /* Test Case #1: HMAC-SHA-256 with 3-byte input and 32-byte key */ - HMAC_TEST(sha256, + test_mac(&nettle_hmac_sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abc"), @@ -498,7 +456,7 @@ "7f98cc131cb16a66 92759021cfab8181")); /* Test Case #2: HMAC-SHA-256 with 56-byte input and 32-byte key */ - HMAC_TEST(sha256, + test_mac(&nettle_hmac_sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" 
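Review bot: The eight Daniel Kahn Gillmor HMAC-MD5 vectors (key `"monkey monkey monkey monkey"`, messages from empty up to 80 octets) are deleted here and nothing in the visible part of this diff re-adds them, so that coverage is lost unless the vectors were moved to another test. If they were moved, a mention in the commit description would help a reader; if not, keeping them costs nothing, with the form changed to `test_mac(&nettle_hmac_md5, ...)` if the file is being migrated to the generic interface. The enclosing test_main continues outside this hunk.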
@@ -508,7 +466,7 @@ /* Test Case #3: HMAC-SHA-256 with 112-byte (multi-block) input and 32-byte key */ - HMAC_TEST(sha256, + test_mac(&nettle_hmac_sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" @@ -519,7 +477,7 @@ "73acf0fd060447a5 eb4595bf33a9d1a3")); /* Test Case #4: HMAC-SHA-256 with 8-byte input and 32-byte key */ - HMAC_TEST(sha256, + test_mac(&nettle_hmac_sha256, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), @@ -527,7 +485,7 @@ "ba0aa3f3d9ae3c1c 7a3b1696a0b68cf7")); /* Test Case #6: HMAC-SHA-256 with 50-byte input and 32-byte key */ - HMAC_TEST(sha256, + test_mac(&nettle_hmac_sha256, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" @@ -550,7 +508,7 @@ "6ec4af55ef079985 41468eb49bd2e917")); /* Test Case #8: HMAC-SHA-256 with 20-byte input and 32-byte key */ - HMAC_TEST(sha256, + test_mac(&nettle_hmac_sha256, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c" "0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), @@ -855,7 +813,7 @@ draft-kelly-ipsec-ciph-sha2-01.txt */ /* Test case AUTH512-1: */ - HMAC_TEST(sha512, + test_mac(&nettle_hmac_sha512, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" @@ -879,7 +837,7 @@ "fa0ffb93466cfcceaae38c833b7dba38")); /* Test case AUTH512-3: */ - HMAC_TEST(sha512, + test_mac(&nettle_hmac_sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 
@@ -894,4 +852,35 @@ "b1ff68a1de45509fbe4da9a433922655")); /* Test case AUTH512-3 from same document seems broken. */ + + HMAC_TEST(gosthash94, + SHEX("000102030405060708090a0b0c0d0e0f" + "101112131415161718191a1b1c1d1e1f"), + SHEX("0126bdb87800af214341456563780100"), + SHEX("bfebe25f051bfef6ac858babb0abc409" + "bfd2e334ab847bc0b0d056517c7d94c5")); + + HMAC_TEST(gosthash94cp, + SHEX("000102030405060708090a0b0c0d0e0f" + "101112131415161718191a1b1c1d1e1f"), + SHEX("0126bdb87800af214341456563780100"), + SHEX("bad70b61c41095bc47e1141cfaed4272" + "6a5ceebd62ce75dbbb9ad76cda9f72f7")); + + /* RFC 7836 */ + HMAC_TEST(streebog512, + SHEX("000102030405060708090a0b0c0d0e0f" + "101112131415161718191a1b1c1d1e1f"), + SHEX("0126bdb87800af214341456563780100"), + SHEX("a59bab22ecae19c65fbde6e5f4e9f5d8" + "549d31f037f9df9b905500e171923a77" + "3d5f1530f2ed7e964cb2eedc29e9ad2f" + "3afe93b2814f79f5000ffc0366c251e6")); + + HMAC_TEST(streebog256, + SHEX("000102030405060708090a0b0c0d0e0f" + "101112131415161718191a1b1c1d1e1f"), + SHEX("0126bdb87800af214341456563780100"), + SHEX("a1aa5f7de402d7b3d323f2991c8d4534" + "013137010a83754fd0af6d7cd4922ed9")); } diff -Nru nettle-3.4.1/testsuite/Makefile.in nettle-3.7.3/testsuite/Makefile.in --- nettle-3.4.1/testsuite/Makefile.in 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/Makefile.in 2021-06-06 20:06:30.000000000 +0000 @@ -11,11 +11,11 @@ PRE_LDFLAGS = -L.. TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ - blowfish-test.c cast128-test.c \ + blowfish-test.c bcrypt-test.c cast128-test.c \ base16-test.c base64-test.c \ camellia-test.c chacha-test.c \ cnd-memcpy-test.c \ - des-test.c des3-test.c des-compat-test.c \ + des-test.c des3-test.c \ md2-test.c md4-test.c md5-test.c md5-compat-test.c \ memeql-test.c memxor-test.c gosthash94-test.c \ ripemd160-test.c hkdf-test.c \ 
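Review bot: The new `HMAC_TEST(gosthash94, ...)` and `HMAC_TEST(gosthash94cp, ...)` cases carry no source comment, unlike the streebog cases right below them which cite `/* RFC 7836 */`; since they reuse the same key and message as the RFC 7836 vectors, they look derived rather than taken from a published KAT. A provenance line such as `/* Same key and message as the RFC 7836 vectors below; digests from <SOURCE — fill in: standard document, or generated with this implementation> */` lets a later reader tell an independent vector from a regression snapshot. test_main's opening is outside this hunk.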
@@ -24,14 +24,17 @@ sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \ sha3-permute-test.c sha3-224-test.c sha3-256-test.c \ sha3-384-test.c sha3-512-test.c \ + shake256-test.c streebog-test.c \ serpent-test.c twofish-test.c version-test.c \ knuth-lfib-test.c \ cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \ + cmac-test.c siv-test.c \ poly1305-test.c chacha-poly1305-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c\ - meta-aead-test.c meta-armor-test.c \ - buffer-test.c yarrow-test.c pbkdf2-test.c + meta-aead-test.c meta-armor-test.c meta-mac-test.c \ + buffer-test.c yarrow-test.c xts-test.c pbkdf2-test.c \ + x86-ibt-test.c TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ @@ -43,7 +46,7 @@ rsa-sec-decrypt-test.c \ rsa-compute-root-test.c \ dsa-test.c dsa-keygen-test.c \ - curve25519-dh-test.c \ + curve25519-dh-test.c curve448-dh-test.c \ ecc-mod-test.c ecc-modinv-test.c ecc-redc-test.c \ ecc-sqrt-test.c \ ecc-dup-test.c ecc-add-test.c \ @@ -51,7 +54,9 @@ ecdsa-sign-test.c ecdsa-verify-test.c \ ecdsa-keygen-test.c ecdh-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ - eddsa-verify-test.c ed25519-test.c + eddsa-verify-test.c ed25519-test.c ed448-test.c \ + gostdsa-sign-test.c gostdsa-verify-test.c \ + gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx 
@@ -70,18 +75,16 @@ # Includes all C source files, regardless of configuration SOURCES = $(TS_SOURCES) $(EXTRA_SOURCES) testutils.c dlopen-test.c -DISTFILES = $(SOURCES) $(CXX_SOURCES) Makefile.in .test-rules.make \ - test-rules.stamp \ - $(TS_SH) setup-env teardown-env \ +DISTFILES = $(SOURCES) $(CXX_SOURCES) Makefile.in \ + $(TS_SH) teardown-env \ gold-bug.txt testutils.h sha3.awk all: $(EXTRA_TARGETS) -.c.$(OBJEXT): +%.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) -.SUFFIXES: .cxx -.cxx.$(OBJEXT): +%.$(OBJEXT): %.cxx $(COMPILE_CXX) -c $< && $(DEP_PROCESS) # BSD (and Solaris) make doesn't allow extra dependencies together one @@ -89,9 +92,9 @@ # to use suffix rules to build the test executables. So we use an # explicit rule for each and every executable. +TEST_OBJS = testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) LIB_HOGWEED = @IF_HOGWEED@ -lhogweed -TEST_OBJS = testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \ - $(LIB_HOGWEED) -lnettle $(LIBS) +TEST_LIBS = $(LIB_HOGWEED) -lnettle $(LIBS) ../nettle-internal.$(OBJEXT): ( cd .. && $(MAKE) nettle-internal.$(OBJEXT) ) 
@@ -100,28 +103,12 @@ dlopen-test$(EXEEXT): dlopen-test.$(OBJEXT) testutils.$(OBJEXT) $(LINK) dlopen-test.$(OBJEXT) -ldl -o dlopen-test$(EXEEXT) -.PHONY: test-rules -test-rules: - (for f in $(TS_NETTLE) $(TS_HOGWEED) $(EXTRA_TARGETS) ; do \ - echo $$f'$$(EXEEXT): '$$f'.$$(OBJEXT)' ; \ - echo ' $$(LINK) '$$f'.$$(OBJEXT) $$(TEST_OBJS) -o '$$f'$$(EXEEXT)' ; \ - echo ; \ - done ; \ - for f in $(TS_CXX) ; do \ - echo $$f'$$(EXEEXT): '$$f'.$$(OBJEXT)' ; \ - echo ' $$(LINK_CXX) '$$f'.$$(OBJEXT) $$(TEST_OBJS) -o '$$f'$$(EXEEXT)' ; \ - echo ; \ - done) > $(srcdir)/.test-rules.make - -$(srcdir)/.test-rules.make: $(srcdir)/test-rules.stamp - -# Updates the stamp file *first*, so that this rule isn't triggered -# again and again by the recursive $(MAKE). -$(srcdir)/test-rules.stamp: Makefile.in - echo stamp > $(srcdir)/test-rules.stamp - $(MAKE) test-rules +# Special target, using C++ linking +cxx-test$(EXEEXT): cxx-test.$(OBJEXT) + $(LINK_CXX) $< $(TEST_OBJS) $(TEST_LIBS) -o $@ -include $(srcdir)/.test-rules.make +%$(EXEEXT): %.$(OBJEXT) + $(LINK) $< $(TEST_OBJS) $(TEST_LIBS) -o $@ $(TARGETS) $(EXTRA_TARGETS): testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \ ../libnettle.stamp @IF_HOGWEED@ ../libhogweed.stamp @@ -135,9 +122,8 @@ # data. VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes -# The PATH update is for windows dlls, DYLD_LIBRARY_PATH is for OSX. check: $(TS_ALL) - LD_LIBRARY_PATH=../.lib PATH="../.lib:$$PATH" DYLD_LIBRARY_PATH=../.lib \ + TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" \ EMULATOR="$(EMULATOR)" NM="$(NM)" EXEEXT="$(EXEEXT)" \ $(top_srcdir)/run-tests $(TS_ALL) @@ -154,7 +140,7 @@ clean: -rm -f $(TARGETS) $(EXTRA_TARGETS) dlopen-test$(EXEEXT) \ - *.o test.in test1.out test2.out + *.$(OBJEXT) *.$(OBJEXT).d test.in test1.out test2.out distclean: clean -rm -f Makefile *.d 
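Review bot: The comment kept above this hunk (in the `@@ -89` context: "BSD (and Solaris) make doesn't allow extra dependencies … So we use an explicit rule for each and every executable") is now stale, because this hunk removes the generated per-executable rules and `.test-rules.make` in favour of the pattern rule `%$(EXEEXT): %.$(OBJEXT)`, which, like the `-include $(DEP_FILES)` in the `@@ -165` hunk, is a GNU make feature. Replace that comment with something like `# Test executables are linked by the pattern rule below; the testsuite requires GNU make.` so the build requirement is documented where a reader looks for it. The `cxx-test$(EXEEXT)` rule is correctly placed before the pattern rule so it takes precedence.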
@@ -165,4 +151,4 @@
 # Includes dependency files for everything, including objects which
 # the current configuration will not build.
 DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) $(CXX_SOURCES:.cxx=.$(OBJEXT).d)
-@DEP_INCLUDE@ $(DEP_FILES)
+-include $(DEP_FILES)
diff -Nru nettle-3.4.1/testsuite/meta-hash-test.c nettle-3.7.3/testsuite/meta-hash-test.c
--- nettle-3.4.1/testsuite/meta-hash-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/meta-hash-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -5,6 +5,8 @@
 #include "sha3.h"
 const char* hashes[] = {
+ "gosthash94",
+ "gosthash94cp",
 "md2",
 "md4",
 "md5",
@@ -18,6 +20,8 @@
 "sha3_256",
 "sha3_384",
 "sha3_512",
+ "streebog256",
+ "streebog512"
 };
 void
diff -Nru nettle-3.4.1/testsuite/meta-mac-test.c nettle-3.7.3/testsuite/meta-mac-test.c
--- nettle-3.4.1/testsuite/meta-mac-test.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/testsuite/meta-mac-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,35 @@
+#include "testutils.h"
+#include "nettle-meta.h"
+
+const char* macs[] = {
+ "cmac_aes128",
+ "cmac_aes256",
+ "cmac_des3",
+ "hmac_md5",
+ "hmac_ripemd160",
+ "hmac_sha1",
+ "hmac_sha224",
+ "hmac_sha256",
+ "hmac_sha384",
+ "hmac_sha512",
+ "hmac_streebog256",
+ "hmac_streebog512",
+};
+
+void
+test_main(void)
+{
+ int i, j;
+ int count = sizeof(macs)/sizeof(*macs);
+ for (i = 0; i < count; i++) {
+ for (j = 0; NULL != nettle_macs[j]; j++) {
+ if (0 == strcmp(macs[i], nettle_macs[j]->name))
+ break;
+ }
+ ASSERT(NULL != nettle_macs[j]); /* make sure we found a matching mac */
+ }
+ i = 0;
+ while (NULL != nettle_macs[i])
+ i++;
+ ASSERT(i == count); /* we are not missing testing any macs */
+}
diff -Nru nettle-3.4.1/testsuite/pbkdf2-test.c nettle-3.7.3/testsuite/pbkdf2-test.c
--- nettle-3.4.1/testsuite/pbkdf2-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/pbkdf2-test.c 2021-06-06 20:06:30.000000000 +0000
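Review bot: In meta-mac-test.c, `int count = sizeof(macs)/sizeof(*macs);` narrows a `size_t` to `int` and then drives `i` and `j` as `int`; `size_t i, j;` and `size_t count = sizeof(macs)/sizeof(*macs);` avoid the implicit conversion and match how sizes are typed elsewhere in nettle. Separately, `hmac_gosthash94cp` is exercised by pbkdf2-test.c and hmac-test.c in this same diff but is absent from `macs[]`, and the final `ASSERT(i == count)` requires `macs[]` and `nettle_macs[]` to have the same length, so this test passes only if `nettle_macs[]` omits it too. If that is intended, a comment on the array such as `/* Must list exactly the MACs registered in nettle_macs[]. */` documents the expectation that the two lists are kept in step.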
@@ -19,7 +19,8 @@ ASSERT(dk[expect->length] == 17); \ } while (0) -#define MAX_DKLEN SHA512_DIGEST_SIZE +/* Streebog test has particularly long testcase */ +#define MAX_DKLEN 100 void test_main (void) @@ -28,6 +29,9 @@ struct hmac_sha1_ctx sha1ctx; struct hmac_sha256_ctx sha256ctx; struct hmac_sha512_ctx sha512ctx; + struct hmac_gosthash94cp_ctx gosthash94cpctx; + struct hmac_streebog512_ctx streebog512ctx; + struct hmac_streebog256_ctx streebog256ctx; /* Test vectors for PBKDF2 from RFC 6070. */ 
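Review bot: `#define MAX_DKLEN 100` pins the output buffer to the longest vector currently in the file (the 100-octet streebog512 case added further down) with nothing enforcing the bound, so a future longer `expect` would overrun `dk` inside `PBKDF2_TEST` and the `dk[expect->length] == 17` sentinel read would itself go out of bounds. If the macro body (which begins above this hunk) does not already check it, add `ASSERT(expect->length <= MAX_DKLEN);` as its first statement, and make the comment say why the number was chosen: `/* Longest vector is the 100-octet streebog512 case; PBKDF2_TEST asserts every expect->length fits. */`.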
@@ -110,4 +114,59 @@ PBKDF2_HMAC_TEST(pbkdf2_hmac_sha256, LDATA("passwd"), 1, LDATA("salt"), SHEX("55ac046e56e3089fec1691c22544b605")); + PBKDF2_HMAC_TEST(pbkdf2_hmac_sha384, LDATA("passwd"), 1, LDATA("salt"), + SHEX("cd3443723a41cf1460cca9efeede428a")); + + PBKDF2_HMAC_TEST(pbkdf2_hmac_sha512, LDATA("passwd"), 1, LDATA("salt"), + SHEX("c74319d99499fc3e9013acff597c23c5")); + + /* From TC26 document, MR 26.2.001-2012 */ + + hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("password")); + PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, + GOSTHASH94CP_DIGEST_SIZE, 1, LDATA("salt"), + SHEX("7314e7c04fb2e662c543674253f68bd0b73445d07f241bed872882da21662d58")); + + PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, + GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("salt"), + SHEX("1f1829a94bdff5be10d0aeb36af498e7a97467f3b31116a5a7c1afff9deadafe")); + + hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("passwordPASSWORDpassword")); + PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, + GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), + SHEX("788358c69cb2dbe251a7bb17d5f4241f265a792a35becde8d56f326b49c85047b7638acb4764b1fd")); + + hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("pass\0word")); + PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, + GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("sa\0lt"), + SHEX("43e06c5590b08c0225242373127edf9c8e9c3291")); + + PBKDF2_HMAC_TEST (pbkdf2_hmac_gosthash94cp, LDATA("password"), 1, LDATA("salt"), + SHEX("7314e7c04fb2e662c543674253f68bd0b73445d07f241bed872882da21662d58")); + + /* From TC26 document R 50.1.111-2016 */ + hmac_streebog512_set_key (&streebog512ctx, LDATA("password")); + PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, + STREEBOG512_DIGEST_SIZE, 1, LDATA("salt"), + 
SHEX("64770af7f748c3b1c9ac831dbcfd85c26111b30a8a657ddc3056b80ca73e040d2854fd36811f6d825cc4ab66ec0a68a490a9e5cf5156b3a2b7eecddbf9a16b47")); + PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, + STREEBOG512_DIGEST_SIZE, 4096, LDATA("salt"), + SHEX("e52deb9a2d2aaff4e2ac9d47a41f34c20376591c67807f0477e32549dc341bc7867c09841b6d58e29d0347c996301d55df0d34e47cf68f4e3c2cdaf1d9ab86c3")); + + hmac_streebog512_set_key (&streebog512ctx, LDATA("passwordPASSWORDpassword")); + PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, + STREEBOG512_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), + SHEX("b2d8f1245fc4d29274802057e4b54e0a0753aa22fc53760b301cf008679e58fe4bee9addcae99ba2b0b20f431a9c5e50f395" + "c89387d0945aedeca6eb4015dfc2bd2421ee9bb71183ba882ceebfef259f33f9e27dc6178cb89dc37428cf9cc52a2baa2d3a")); + + hmac_streebog512_set_key (&streebog512ctx, LDATA("pass\0word")); + PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, + STREEBOG512_DIGEST_SIZE, 4096, LDATA("sa\0lt"), + SHEX("50df062885b69801a3c10248eb0a27ab6e522ffeb20c991c660f001475d73a4e167f782c18e97e92976d9c1d970831ea78ccb879f67068cdac1910740844e830")); + + /* Generated */ + hmac_streebog256_set_key (&streebog256ctx, LDATA("password")); + PBKDF2_TEST (&streebog256ctx, hmac_streebog256_update, hmac_streebog256_digest, + STREEBOG256_DIGEST_SIZE, 1, LDATA("salt"), + SHEX("d789458d143b9abebc4ef63ca8e576c72b13c7d4289db23fc1e946f84cd605bc")); } diff -Nru nettle-3.4.1/testsuite/pkcs1-sec-decrypt-test.c nettle-3.7.3/testsuite/pkcs1-sec-decrypt-test.c --- nettle-3.4.1/testsuite/pkcs1-sec-decrypt-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/pkcs1-sec-decrypt-test.c 2021-06-06 20:06:30.000000000 +0000 
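Review bot: The `LDATA("pass\0word")` and `LDATA("sa\0lt")` vectors only test what they claim if `LDATA` derives the length with `sizeof` rather than `strlen`; a `strlen`-based helper would silently shorten them to "pass" and "sa" and the TC26 digests would then fail for the wrong reason, so the dependency deserves a comment at the first such call: `/* Embedded NUL: relies on LDATA using sizeof, so the full 9-octet password is passed. */`. The `/* Generated */` above the streebog256 case should also say generated by what; if it was produced by this implementation it is a regression snapshot rather than an independent KAT, e.g. `/* No published vector; generated with this implementation, so this detects regressions only. */`. LDATA's definition and test_main's opening are outside this hunk.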
@@ -1,7 +1,6 @@
 #include "testutils.h"
-#include "rsa.h"
-#include "rsa-internal.h"
+#include "pkcs1-internal.h"
 #if HAVE_VALGRIND_MEMCHECK_H
 # include
diff -Nru nettle-3.4.1/testsuite/pkcs1-test.c nettle-3.7.3/testsuite/pkcs1-test.c
--- nettle-3.4.1/testsuite/pkcs1-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/pkcs1-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -1,6 +1,7 @@
 #include "testutils.h"
 #include "pkcs1.h"
+#include "hogweed-internal.h"
 void test_main(void)
diff -Nru nettle-3.4.1/testsuite/rsa-compute-root-test.c nettle-3.7.3/testsuite/rsa-compute-root-test.c
--- nettle-3.4.1/testsuite/rsa-compute-root-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/rsa-compute-root-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -37,11 +37,11 @@
 if (mpz_cmp (plaintext, decrypted))
 {
 fprintf (stderr, "rsa_compute_root_tr failed\n");
- fprintf(stderr, "Public key: size=%lu\n n:", pub->size);
+ fprintf(stderr, "Public key: size=%u\n n:", (unsigned) pub->size);
 mpz_out_str (stderr, 10, pub->n);
 fprintf(stderr, "\n e:");
 mpz_out_str (stderr, 10, pub->e);
- fprintf(stderr, "\nPrivate key: size=%lu\n p:", key->size);
+ fprintf(stderr, "\nPrivate key: size=%u\n p:", (unsigned) key->size);
 mpz_out_str (stderr, 10, key->p);
 fprintf(stderr, "\n q:");
 mpz_out_str (stderr, 10, key->q);
@@ -55,13 +55,13 @@
 mpz_out_str (stderr, 10, key->d);
 fprintf (stderr, "\n");
- fprintf (stderr, "plaintext(%lu) = ", mpz_sizeinbase (plaintext, 2));
+ fprintf (stderr, "plaintext(%u) = ", (unsigned) mpz_sizeinbase (plaintext, 2));
 mpz_out_str (stderr, 10, plaintext);
 fprintf (stderr, "\n");
- fprintf (stderr, "ciphertext(%lu) = ", mpz_sizeinbase (ciphertext, 2));
+ fprintf (stderr, "ciphertext(%u) = ", (unsigned) mpz_sizeinbase (ciphertext, 2));
 mpz_out_str (stderr, 10, ciphertext);
 fprintf (stderr, "\n");
- fprintf (stderr, "decrypted(%lu) = ", mpz_sizeinbase (decrypted, 2));
+ fprintf (stderr, "decrypted(%u) = ", (unsigned) mpz_sizeinbase (decrypted, 2));
 mpz_out_str (stderr, 10, decrypted);
 fprintf (stderr, "\n");
 abort();
@@ -86,6 +86,7 @@
 mpz_t q1;
 mpz_t phi;
 mpz_t tmp;
+ int res;
 mpz_init (p1);
 mpz_init (q1);
@@ -124,7 +125,8 @@
 }
 mpz_mul(phi, p1, q1);
- assert (mpz_invert(key->d, pub->e, phi));
+ res = mpz_invert(key->d, pub->e, phi);
+ assert (res);
 mpz_fdiv_r (key->a, key->d, p1);
 mpz_fdiv_r (key->b, key->d, q1);
diff -Nru nettle-3.4.1/testsuite/rsa-encrypt-test.c nettle-3.7.3/testsuite/rsa-encrypt-test.c
--- nettle-3.4.1/testsuite/rsa-encrypt-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/rsa-encrypt-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -19,10 +19,12 @@
 uint8_t after;
 mpz_t gibberish;
+ mpz_t bad_input;
 rsa_private_key_init(&key);
 rsa_public_key_init(&pub);
 mpz_init(gibberish);
+ mpz_init(bad_input);
 knuth_lfib_init(&lfib, 17);
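Review bot: `assert (res);` in the `@@ -124` hunk is the standard `<assert.h>` macro, so with `NDEBUG` defined the check disappears and `res` becomes an unused variable; splitting `assert (mpz_invert(...))` into call plus `assert` keeps the side effect from being compiled out but not the check itself. The rest of the testsuite uses `ASSERT` from testutils.h (see the rsa-encrypt-test.c hunks that follow), which is not tied to `NDEBUG`; if that header is included in this file, `ASSERT (res);` is the better form. The enclosing function starts outside this hunk.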
@@ -101,6 +103,42 @@
 ASSERT(decrypted[decrypted_length] == after);
 ASSERT(decrypted[0] == 'A');
+ /* Test zero input. */
+ mpz_set_ui (bad_input, 0);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test input that is slightly larger than n */
+ mpz_add(bad_input, gibberish, pub.n);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test input that is considerably larger than n */
+ mpz_mul_2exp (bad_input, pub.n, 100);
+ mpz_add (bad_input, bad_input, gibberish);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
 /* Test invalid key. */
 mpz_add_ui (key.q, key.q, 2);
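Review bot: The new negative cases cover ciphertext 0, n plus gibberish and n·2^100 plus gibberish, but not the exact boundary `c == n`, which is the value a `c >= n` range check must reject and an off-by-one `c > n` check would let through. A fourth block that sets it up with `mpz_set (bad_input, pub.n);` in place of the `mpz_add`/`mpz_mul_2exp` lines, followed by the same three `ASSERT(!rsa_*decrypt*(...))` calls, pins that edge. The blocks are otherwise identical eleven-line copies; a `static` helper taking `bad_input` would turn them into a readable table of rejected inputs. test_main continues outside this hunk.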
@@ -112,6 +150,6 @@
 rsa_private_key_clear(&key);
 rsa_public_key_clear(&pub);
 mpz_clear(gibberish);
+ mpz_clear(bad_input);
 free(decrypted);
 }
-
diff -Nru nettle-3.4.1/testsuite/rsa-sec-decrypt-test.c nettle-3.7.3/testsuite/rsa-sec-decrypt-test.c
--- nettle-3.4.1/testsuite/rsa-sec-decrypt-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/rsa-sec-decrypt-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -55,6 +55,7 @@
 #endif
 #define PAYLOAD_SIZE 50
+#define DECRYPTED_SIZE 256
 void test_main(void)
 {
@@ -63,11 +64,12 @@
 struct knuth_lfib_ctx random_ctx;
 uint8_t plaintext[PAYLOAD_SIZE];
- uint8_t decrypted[PAYLOAD_SIZE];
+ uint8_t decrypted[DECRYPTED_SIZE];
 uint8_t verifybad[PAYLOAD_SIZE];
 unsigned n_size = 1024;
 mpz_t gibberish;
 mpz_t garbage;
+ size_t size;
 rsa_private_key_init(&key);
 rsa_public_key_init(&pub);
@@ -78,7 +80,7 @@
 memset(verifybad, 'A', PAYLOAD_SIZE);
- for (size_t size = 1; size < 51; size++)
+ for (size = 1; size < 51; size++)
 {
 ASSERT (rsa_generate_keypair(&pub, &key,
 &random_ctx, (nettle_random_func *) knuth_lfib_random,
@@ -98,6 +100,20 @@
 PAYLOAD_SIZE, decrypted, gibberish) == 1);
 ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted));
+ ASSERT (pub.size > 10);
+ ASSERT (pub.size <= DECRYPTED_SIZE);
+
+ /* Check that too large message length is rejected, largest
+ valid size is pub.size - 11. */
+ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+ (nettle_random_func *) knuth_lfib_random,
+ pub.size - 10, decrypted, gibberish));
+
+ /* This case used to result in arithmetic underflow and a crash. */
+ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+ (nettle_random_func *) knuth_lfib_random,
+ pub.size, decrypted, gibberish));
+
 /* bad one */
 memcpy(decrypted, verifybad, PAYLOAD_SIZE);
 nettle_mpz_random_size(garbage, &random_ctx,
diff -Nru nettle-3.4.1/testsuite/salsa20-test.c nettle-3.7.3/testsuite/salsa20-test.c
--- nettle-3.4.1/testsuite/salsa20-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/salsa20-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -118,6 +118,74 @@
 }
 }
+/* Test with simple structure of the salsa20 input, to aid
+ debugging. */
+static void
+test_salsa20_core(void)
+{
+ const uint32_t input[16] =
+ {
+ 0, 1, 2, 3,
+ 4, 5, 6, 7,
+ /* Second block will have carry from first counter word propagate
+ to next word. */
+ 0xffffffff, 9, 10, 11,
+ 12, 13, 14, 15
+ };
+
+ const struct tstring *expected_12
+ = SHEX("c456dd00835121fa 2f3f818adea91c66"
+ "c024ec78191dbef8 4e828fde71420f4f"
+ "2edb91cc7ae72fe6 1c6d96d1169241f5"
+ "8d34bec538389247 1b2f71089992fd2b"
+ "a1194b4875788ee5 731f27c32481450b"
+ "4cc7b2a3f8ac7f43 6f42bd16a71cb721"
+ "299f6d9481e4bc87 23b5c0a2f142e507"
+ "34b7fe35fe292f2f 1bf9ae5296afdbeb");
+
+ const struct tstring *expected_20
+ = SHEX(
+ "02e02587e69cd380 3e5f3c53f0c29173"
+ "d3becef2da8da494 e8d1d4294270fc5e"
+ "a2c2001a6a45dc71 a3699e6594af795f"
+ "299814ae4f73650b e1d13040031dbfef"
+ "46b5b8ce5dc5b255 78b2695eb61fa816"
+ "7e22958311e2d585 826f4ebf1c7b3c98"
+ "a2857c3e4edc6f9e ed4312d698ddad55"
+ "57d13942292f8713 63eb7a5ab07a707e");
+
+ struct salsa20_ctx ctx;
+ uint8_t output[128];
+
+ ASSERT (expected_12->length == 128);
+ ASSERT (expected_20->length == 128);
+
+ /* Two blocks, to exercises _salsa20_2core, if available. */
+ memcpy (&ctx, input, sizeof(ctx));
+ salsa20r12_crypt (&ctx, 128, output, expected_12->data);
+
+ if (!memzero_p (output, 128))
+ {
+ fprintf(stderr, "salsa20r12_crypt failed:\n");
+ fprintf(stderr, "\nOutput: ");
+ print_hex(128, output);
+ fprintf(stderr, "\n");
+ FAIL();
+ }
+
+ memcpy (&ctx, input, sizeof(ctx));
+ salsa20_crypt (&ctx, 128, output, expected_20->data);
+
+ if (!memzero_p (output, 128))
+ {
+ fprintf(stderr, "salsa20_crypt failed:\n");
+ fprintf(stderr, "\nOutput: ");
+ print_hex(128, output);
+ fprintf(stderr, "\n");
+ FAIL();
+ }
+}
+
 typedef void salsa20_func(struct salsa20_ctx *ctx,
 size_t length,
 uint8_t *dst, const uint8_t *src);
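Review bot: `memcpy (&ctx, input, sizeof(ctx));` (used twice in this hunk) copies `sizeof(struct salsa20_ctx)` bytes out of a 64-byte `input` array, which is only in bounds if the context is exactly sixteen 32-bit words — an assumption the test relies on but never checks. Copy by the source size and assert the layout once before the first copy: `ASSERT (sizeof(ctx) == sizeof(input));` followed by `memcpy (&ctx, input, sizeof(input));` in both places. The verification trick also deserves a comment, since the test never compares against expected bytes directly: `/* crypt XORs the keystream into its input, so feeding the expected keystream back must yield all zeros. */`; and the existing comment should read `to exercise _salsa20_2core` rather than `to exercises`.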
@@ -191,6 +259,8 @@
 void test_main(void)
 {
+ test_salsa20_core();
+
 /* http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/reduced/12-rounds/verified.test-vectors?logsort=rev&rev=210&view=markup */
 test_salsa20r12(SHEX("80000000 00000000 00000000 00000000"),
 SHEX("00000000 00000000"),
diff -Nru nettle-3.4.1/testsuite/setup-env nettle-3.7.3/testsuite/setup-env
--- nettle-3.4.1/testsuite/setup-env 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/setup-env 1970-01-01 00:00:00.000000000 +0000
@@ -1,12 +0,0 @@
-#! /bin/sh
-
-set -e
-
-# Workaround, it seems difficult to convince wine to put ../lib into PATH.
-case "$EMULATOR" in
- wine*)
- for f in ../.lib/*.dll ; do
- ln -sf "$f" .
- done
- ;;
-esac
diff -Nru nettle-3.4.1/testsuite/sha3-permute-test.c nettle-3.7.3/testsuite/sha3-permute-test.c
--- nettle-3.4.1/testsuite/sha3-permute-test.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/sha3-permute-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -1,6 +1,7 @@
 #include "testutils.h"
 #include "sha3.h"
+#include "sha3-internal.h"
 static void
 display (const struct sha3_state *state)
diff -Nru nettle-3.4.1/testsuite/shake256-test.c nettle-3.7.3/testsuite/shake256-test.c
--- nettle-3.4.1/testsuite/shake256-test.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/testsuite/shake256-test.c 2021-06-06 20:06:30.000000000 +0000
@@ -0,0 +1,5940 @@
+/* shake256-test.c
+ Copyright (C) 2017 Daiki Ueno
+ Copyright (C) 2017 Red Hat, Inc.
+ This file is part of GNU Nettle.
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+ or
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+ or both in parallel, as here.
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+#include "testutils.h"
+#include "sha3.h"
+const struct nettle_hash nettle_shake256 =
+ {
+ "shake256",
+ sizeof(struct sha3_256_ctx),
+ 0,
+ SHA3_256_BLOCK_SIZE,
+ (nettle_hash_init_func *) sha3_256_init,
+ (nettle_hash_update_func *) sha3_256_update,
+ (nettle_hash_digest_func *) sha3_256_shake,
+ };
+void
+test_main(void)
+{
+ /* Extracted from ShortMsgKAT_SHAKE256.txt.
*/ + test_hash (&nettle_shake256, /* 0 octets */ + SHEX(""), + SHEX("46B9DD2B0BA88D13233B3FEB743EEB243FCD52EA62B81B82B50" + "C27646ED5762FD75DC4DDD8C0F200CB05019D67B592F6FC821C" + "49479AB48640292EACB3B7C4BE141E96616FB13957692CC7EDD" + "0B45AE3DC07223C8E92937BEF84BC0EAB862853349EC75546F5" + "8FB7C2775C38462C5010D846C185C15111E595522A6BCD16CF8" + "6F3D122109E3B1FDD943B6AEC468A2D621A7C06C6A957C62B54" + "DAFC3BE87567D677231395F6147293B68CEAB7A9E0C58D864E8" + "EFDE4E1B9A46CBE854713672F5CAAAE314ED9083DAB4B099F8E" + "300F01B8650F1F4B1D8FCF3F3CB53FB8E9EB2EA203BDC970F50" + "AE55428A91F7F53AC266B28419C3778A15FD248D339EDE785FB" + "7F5A1AAA96D313EACC890936C173CDCD0FAB882C45755FEB3AE" + "D96D477FF96390BF9A66D1368B208E21F7C10D04A3DBD4E3606" + "33E5DB4B602601C14CEA737DB3DCF722632CC77851CBDDE2AAF" + "0A33A07B373445DF490CC8FC1E4160FF118378F11F0477DE055" + "A81A9EDA57A4A2CFB0C83929D310912F729EC6CFA36C6AC6A75" + "837143045D791CC85EFF5B21932F23861BCF23A52B5DA67EAF7" + "BAAE0F5FB1369DB78F3AC45F8C4AC5671D85735CDDDB09D2B1E" + "34A1FC066FF4A162CB263D6541274AE2FCC865F618ABE27C124" + "CD8B074CCD516301B91875824D09958F341EF274BDAB0BAE316" + "339894304E35877B0C28A9B1FD166C796B9CC258A064A8F57E2" + "7F2A")); + test_hash (&nettle_shake256, /* 1 octets */ + SHEX("CC"), + SHEX("DDBF55DBF65977E3E2A3674D33E479F78163D592666BC576FEB" + "5E4C404EA5E5329C3A416BE758687DE1A55E23D9E48A7D3F3CE" + "6D8F0B2006A935800ECA9C9FC903D86F065367221067658B4D7" + "473ED54800D196FBE1089811DD9B47F21E3698B1573653ADAD2" + "31C39F145B586D6C0133378416138E4423F7AF7DACFFE965706" + "A3C49024002B53BA05871E3F066694B163630B0053BE41FA45D" + "4317EAA84214254038A37A9C83D62EB9EA6E6ACAFA6BBFE5AF9" + "F389690D5A9E27BF97C1B93D93ECF36DF6DA212E12B24481541" + "56E94687336B6DA91E368512B9F34C616166542923F3618640D" + "930F922A3DDDD2F87920378541446F2223F593931BD1BA02E29" + "07CE3404621F26B900D05A1119A9E4934A7CD818DD9237445BF" + "50475A011EA0078788801D21DFECB7A2BB294E4956DFA71D8CC" + "472405342BF80120FE18A551D88D6ABC24D83F077BFB25EBDE5" + 
"F4B03678D677EE646DCE3496D5138BE108782CA5A00AAFF3CB4" + "BB873EC0F2E932DD74847033EC5F07254E3027B0AC12DB7D6D3" + "F90B53D8A5BD63B99C3BF5CD38B453D7CB12D0AE2BF1CFD3EE8" + "8AF71BB6606B0B791DEFC2D762C8641BB8319FE17321EBA407E" + "B744699D92B35ABD79F5B9A85408C93D61233FECE638023875A" + "A02B9EDBACC84003A28CCA2D55A0742D635FDA888905986CA01" + "C1E6420D49EC25224D84E915DFD1638A492282F1FD053770168" + "953C")); + test_hash (&nettle_shake256, /* 2 octets */ + SHEX("41FB"), + SHEX("B64ECACD5F7499ACC085C908D35DCC1FC0131816F28D360592E" + "1265079F92A5F844C4BF6AA50D98D52720797E8C992F43C76A7" + "3FD95F9BC4CD272157842ADA2518190FCA342DC20D0C57CDDF0" + "1B3DDF77977EDED63445E40BE82DF8D26DB629A2D307EE9FE28" + "D2FE557E3971858C6D67C42BE2CF44DD7570521CE0647446742" + "5B7AAAE39DB90945BAD388009ED5715C684BB4E4981EEA324EC" + "F66584AD08D9F27C6A4DCF615591857BC7364E8A7C136661AE5" + "FFE828C734DD5EA5A071276E8477B8525E02B7B445D91CC6E37" + "D58740DC2B069BE6D92E7DF95C1AB52B76F7761AE34328962EA" + "C7156E460B3C04FFECAEC8722A56E7373285E42D4CAC5498F8D" + "7DD5ECDA9F9973A32F8D425171E1390BFC812C9EE4D4AB8FA9A" + "0D93AA90A4C258FC64D77BBCF49977E87C3810C80C458516899" + "6A31F446F9391A193B888CD321E22E9368F4F11495FE124141C" + "04015532345D7CB0A13A4DD9007D737B3A176A88E5FC153D4AC" + "2E8CD641C40C4261BBA70E1B87114030FF67CB22ACEC90AC288" + "D6B59D25B00038468B4780254FAC4EF158EC2CD52C0AB9217EE" + "D1ED0A5E7B4C4B3A64B1824E2B27AA53398765D5352BD1ED0E9" + "C7B3FB264D141741659F7D8FD0EEEC9F9163C42AFDB540D5F2C" + "87833880A0C942AE4CCEA7FFF2F4C798B8AAF24C33BE8054A09" + "459A3AF7200D555334241709A18ECF88CE93C99234D6AB02859" + "16AE")); + test_hash (&nettle_shake256, /* 3 octets */ + SHEX("1F877C"), + SHEX("F6BF0397DBFBB20E4AE30F0A47FE976CD109B3AA09B0E3F29F5" + "60E4ED333C0D083326B03F6EAEB57E277BBFE1CCE36C499434D" + "838CB4C8CD8B02A87790F4A6717B22D46F9220391C420A1A1BF" + "AA9ED5B85116BA1D9E17FF16F6BCE6704C80A49FD9AC42689DB" + "0996C6BD3266694077C6DE120043A827D44979CE8CCC6AA7E53" + 
"08EBA64ACF9FFFF51D36BC4401F8117D4B96340C62D106B0A64" + "45F01987F9C4C0A420E1A9BAEB594BCB1BDBFE59B6065EB91CB" + "EB252473C7858ECA475E1C81E8425C7E2C1706C4C4ABB3AEAE3" + "9332479ECDEFDFA93C60EC4007A51C5DD093B527264155F2202" + "E01D2083D27D71A6F6C92D839E6EA7D24AFDB5C43630F1BD06E" + "2B45B2C0D0AD70BDA111363298AB9754F26DB00A3FD93D72981" + "DD463DEFD286320A274F5422E9400DC6E7C78D75534C75AF6B0" + "398596EEE5048919B8FE33467C2B7C227BC88994B28819815D8" + "21DC27BAD0458D57F40B12A8A933729A0F6BAE74DBD150325D1" + "4C302835AB95DABDE87A2ACEE9347609A6175DBB538FDFB278B" + "E0B3D5F062768F9E0EB1AC9C36B4E05E3ADFCA73981CEBAF6E0" + "47A18196EA78846D9A782B6E1CEE2036866DBCA749644E74EF5" + "A4538D4AFB1706B360F734814313D20A1AC626BEE7AC0FE9F27" + "7D48BC50816AC9743A61E32F8B26CA6F4DC81FE7F3558AA2F18" + "586D89A8E3070868C76B4CA4727F541072DCDAB3D547D52ABB6" + "F356")); + test_hash (&nettle_shake256, /* 4 octets */ + SHEX("C1ECFDFC"), + SHEX("CE7FBC15503986E3B84530D84A16EF64332A6EA57E354E9F205" + "4BFC2AA8891F94B4FDD42FD227C94B33F9AD45CF3982239F81F" + "BC2CBAC7809F01E1C294073AD6D2821C1283C5C427F41FD4645" + "5EF7B4EA0D6D5E249AF95FAC80A8678C1A5318443E63122DDFE" + "D2591FC690527F97A09920941B02439AF3BA36B17FD588E187F" + "CBC1FF109AB4A9ECFC671926EF0CC9C82EE06EC6759E2758A88" + "59B8FA9DDF46D6C049621FF589F3FF56C9419D6F48A68B68FEF" + "D068ABEC24824D7FC150277C2439BF78D15D59DBAA2CB17E528" + "2E6E9ED744841F4A4BBB778CFEAB0471CE850B2A2F948DB3926" + "F733EF7B3AA9AB8EA84278DCA62B0691F5DD13EA11660A8E2FB" + "5CD8BA74A352C044E7219E750F29B62F94ED268A68029B94B64" + "F3D4F2193A7FC69ED34A59657471F04C4961084EBB581ABCC9D" + "50E3674A7DEBB285FC7215BF6606DB1392A7F1619B347A4D07D" + "230DA07811FDE2AEBE45A70178CF841C619F712EF26BEEECC41" + "83A1040076E73FCF6FABE5C25A4B71D564A97CF3C88F1856D9C" + "8B42E94F746CE4605D2AAEB56D1DA5527598E17E5680D309788" + "E09910BEB74DF7D3C3CD4EC680083F5845F4A1C15070E57979C" + "01B89DF7BE64435EA4817BC0AD23ACCA6CB878F7131F02F9215" + "E2D5C12CF3B4D24B29620C891A54AC8BE6E3DEC08397887DE0E" + 
"A86B81A5459B968FBAE18B4B0324DE7E7C1AEEFC7598644CE1F" + "F8F9")); + test_hash (&nettle_shake256, /* 5 octets */ + SHEX("21F134AC57"), + SHEX("BB8A8447517BA9CA7FA34EC99A80004F228AB282472841EB3D3" + "A76225C9DBE77F7E40A066776D32C74941202F9F4AA43D12C62" + "64AFA59639C44E11F5E14F1E5695208DB78F37CF3AC172469DE" + "67B80014D1A4B968A56F855BAF35A275B8EC77B9CA591257AA2" + "EF048663CD05D76B72CF3A9D2BB44B154B16E95EB8B61BD8415" + "A867367F0031BFF5D49237157C197473309FDAAFC8146AB9FCD" + "4254477B052AB306BB575ECA6872863B5F43F026C2BE3289E85" + "7D50441330EC02F6AB4C6329B18D3AF0A1ED9DB70F34016EA0C" + "AFF1F0EF08BA6D26566DF6CCE9A457E1900FBA3338A771E40CF" + "B39581F16019D521E4F398539C4A6F2CA22ECF9158B96064C0F" + "26B8A076E58B5F0BA3187342A5C9A5569E6D08A2AC27258CF04" + "26D995724579C723A0FA8269B4239026A08D88738156943F1DF" + "F6E0FFF5E4696149436CD97732424366626CE7B67A3BBE480E4" + "25B51872AAE7CE59E70995C194E00FEE82119A4320A4B91158D" + "B65B83195C9B799D3EAF3CBF8593D11DC67EE8C0CD7CA4FAE69" + "D9F46A7E70186A33DFAAD510D8DEF82AA5710B0ABB70DFC396E" + "CFD33F56F66957B82A220D1ECA09166F72358A71054A179C196" + "1B64F26A3D7AAFB030C28A73337862E8364D3F562B324CA2EBE" + "F58B7A8F089213178C8D0ADDB5A18022154CF010C722C279AE6" + "0AA984597EC6542EE1ABDCAAE8D5545FF45E781ABC7145AE2A3" + "1249")); + test_hash (&nettle_shake256, /* 6 octets */ + SHEX("C6F50BB74E29"), + SHEX("69401EBF1D4C7EA500BE60EF06783DCB009A13B4FCD8B341E5F" + "2E40F39E732237E86716F26873C1820BC36D20F6D5E64A9C5E6" + "36855305CBC3F4BE4A9905B5F79FB769A794299EAFA8E81FFA5" + "1BB4D602480B1C40F9EE9BEE017D5D7F6DE68C8A79EE92A20B9" + "DA5BD3D01BC565CDD3E5786FC4D48F719C01CD6D3CAFCD500F4" + "F768600E6891102FFC10F1394E3A40A1BD54381775BB400EE6E" + "20B95420FCB2C86BBFCF380BC95EEFCA33BC8DE823E13B4B04A" + "7AE1FDEB8279F3EF3E4FD50B2FDE530B0D4C8DABDA6F225A412" + "1A79FED79D8A013C9DF1103ABF081294FCBBC5ABF20BA38E007" + "5169A9C13CFFF94AEB271A46875710A60CD78915C33892D7FCD" + "6C97A1C74846ADDA847F58ADCE8EF762D11C4F15FF8B97F9BED" + 
"C97E1A8AE554C0B9E66BA1D48BCFAD0D56F91B65E25B03A5E48" + "CF4DB0DBC467BBBC1E037743991AC72B4B259D65013A2708EB8" + "25DFDC65093A4F4F5E98427DE7C60138467D8900ADFCE1F2740" + "8638DC66957D27CB774BBAFF0BEDEE0F6553BCBAC9724A20E8E" + "D0CE6B2F764E4F0D80E4521788A5CC88C3D36F19925AC2F205C" + "F6EB7E6D6888EEFD0BE49BC8BFD8A80B9E05DC7513BEBA7BE52" + "D39BF9BD2B2DCD03FDC8F8E7F90A83DAB2AD85F51D040BA0F1C" + "0A9DC38E929A50DB7F99A26836612E601C6E4346E5E895EF4CC" + "FCD6A5CC3777FC11FA64A9AC27D2CDA67E29CB18A7E99E2CA07" + "30C6")); + test_hash (&nettle_shake256, /* 7 octets */ + SHEX("119713CC83EEEF"), + SHEX("C02561C12CCDD167CA959D9756CC70946F7FED8BA705E3EDC43" + "3D3C45D9299D0AEFE9E8E25D602C4DB0D14ECAEFDFDFED2DE13" + "4AC5D0C4DFC02ABEFFFDD7667A434936151D529A93CB266100B" + "94AD0449597B1590398A1A63C42649385B4CFAA828C89037E0F" + "97BEDA8450A68520143889A92C258645664EB57CBA01C3B1134" + "318E11A1848D912D0D2CBAEBD59A71B52495671C548522F4013" + "94FE48DB49956C03044CAFBD40371EF657F1AA86E4969459BBB" + "D21DEA563A51482A47147EF85487A5CCDBC532BC2AEBC3265E7" + "1BD8D56F4521CD93354A73D175FCCF5AABEF2768DE2D8E851D4" + "FC21FF032829411DB2668300853BA5F8BB1FFDCE3FF59197BD1" + "833D2ABFB8C3027B36B21969F7E36C3B6F3FABA9454ADDECDAF" + "C213D347A44B0D364997A9E608BCFF3D2004139CD05005B9BD8" + "FEC09E5976EAB977B5DE8E39373C10D9EE2D2EC196B33689783" + "EF3ABC3DBCECA9BF33E8DEE9A1AFDEAA71A2FE42A3B0C60781C" + "9A2D5714278CC7CB349A3B6E7251B96E4E2FAC606B459C28AE8" + "1B551168D28ACD01D4A08416B6714D8F82485A1C6D5348F7DC4" + "981AA38E7F39EDABC981022C4CD3345383D8C25C929FBF66026" + "F91664998BC34F9689375D06FF95D208D4ACC7791633B222ACF" + "D3EA26F8B5C4858997A1FF77050F280AC7B7E5325ABE9E55FC2" + "7EA8ED1D9D32194B0C5D8807F94AE6F737276065CA08C323E9E" + "D421")); + test_hash (&nettle_shake256, /* 8 octets */ + SHEX("4A4F202484512526"), + SHEX("8A804FC3A4FEE6CEF6808C756A17BCDF6B235808493FC78E797" + "01E59A9E9A67D60F0F256AA69DC0258A2510F9936AEE2BCBD0F" + "679696F439F37BF9AFB170D44A58DBCF71EFF14CEC1E624D3D8" + 
"F1DDDDD3E33421B1E305C794C2C88FCADF9D7C51F52E4352BF9" + "C9C895AA457F5449E82FB36E2A64D1AA69771EF3D675F09030A" + "95653837AB2237DAA7FCEC36651355B2507713CC6A2186E950D" + "E82DC699122644193F8F231C607BA7F3BDD0A214B4EC0155D30" + "517F681FDC2A89D3143040BE0E0B6DC7E5185C723464CCAA2FE" + "321AF3B4174283355FE3D1CED518E00B6063DDD607B166BA388" + "978294244EA8EC773A528003A04914B76E9BE3337D806CA20C5" + "84B2BB66AFCD144417E3D93243F185D26DBA90EA39259C7F23B" + "8A6427AA8A7622F277605F4A463F78A0C189C8DE2C553AE2077" + "3D7CB4F7E26A13F4204B3752D9CEDDF29849798479A4BD0D7CE" + "4D22CC51F88127435BD161F026B1811A723E786DB1DC01F921F" + "E076C3532FA969EF1F8993E0A4FB6C17597D8DB38DD7AF259E3" + "22751CC0A1CCA2EE4940F4EA56CE9179941CF4696256CD04AB8" + "53266D12E7E679377D54E2C2F24832974C573192DD2FDD4DA5E" + "FD72114109248B03F0AE03123252FFFF977BDE87AF8D8022C4C" + "51DA68EFB87ABEEDA7A72EB4D0D1A2EB65EA4CEBC7CCABF3787" + "B9BE98E14E4A273635F69E3E4BA557A1A42D1BF69EBD359B895" + "320A")); + test_hash (&nettle_shake256, /* 9 octets */ + SHEX("1F66AB4185ED9B6375"), + SHEX("7B5562ABA86E6329693CE1CAAB2506AF93AD28BE4DE045E66A7" + "B277C4DC3C2C9E698AD5F6D8826230A38FCE87142DD83B28F05" + "5FA7A9212F5017374A7EAC5BB7824C1540597DE34BE9EC894EA" + "BCF751BFD5DE029A1CADA7E599D433BAC0499AAD9782579D282" + "23A5D16264EFBF55EB1370748E7DAC4B56255468FA9694A93C4" + "B3759F691D9A4A08B53A15F61FAA1268E38AAEB43B3FCDBF0BA" + "003E2037EB52C8E9931DB9C60FFC1D1FCEE7663D1017AB6DCC1" + "B92472A88A3D568AF5AFF930AEADBAE751753CBF2F987338DEB" + "1AA822FE28788866073319662438B6CAF6BD8D79DE14FDB6D30" + "F7983F5711177765D7D5E1EFB610FAFC9DE733C9DB3FD2F1C35" + "421D29CB96F87A0DD1E83AD19ACDC7C2BF7A6F047994A96E6D9" + "1BEC34AAAF18AAB7B32A0B379A60F12AFC697770CC6039031C1" + "3B5DD66E0D368609D3018ACCFB02FA4973BDA707CDA096D712F" + "AF59B43BE3EF5EB7C227530C987DC4991955796B2F588359112" + "B9E7566CA785CC5706AC333D12E2DA37A97A13B69540084D1A5" + "908ED3BAF73A0E1C55A6BD036F1342F8EC671593B9B555DEFBA" + "BB3364914E4396D6E2B2ADFA951A6A263AADA6D879B4FF330F8" + 
"48D2598CB418E530BC63BB11E7A247C5A2C21D5C2A34D237219" + "55567E4452DF9F5E2108C1FEA8FBF672422BB3B85C7C5664B91" + "8D3F3644339367CEFBE609A9B00C250111801C3F365BA752709" + "B76E")); + test_hash (&nettle_shake256, /* 10 octets */ + SHEX("EED7422227613B6F53C9"), + SHEX("C92FDFEA927EEEE73162C436C6A3FB97291C33787BF7C2CD80D" + "ECF6004C043BC4509A2CFAC1FBEEB0BCBC7C2974B168AF3291D" + "EE1AF2D0826935DA79C5BF7CF3A211F347C2A44630DCC20E964" + "E3BE24A20766A2EC50310F4B1990A3987FD8D144D3A6F091C6F" + "8ECB7B2069905A7A1BCE8A49A9779E9132BAE521FC44689F786" + "1B7C735815448984D6809C2138ED64A45C4320E09BF459A985A" + "41D024DC4CE0D95681DC9379FC4DEE3C024436E7A949589A74B" + "434F6B5D5742501D1E4761E0DF89F4F1943614C5682086D31F6" + "EB2B65A005FCA29B48777748132A15BCE74228E5CDCB95C05F5" + "1730E8E27E9DE71D582A95AD3E78E64B978D872B91A88C6175E" + "C3F92D5AAC14BCEFD0F6D8D5E2E19DE467C530FDE86AAF6FA5A" + "E0254EA01D70860278C24BE7F7C52669AEEEC52C606FE664D7A" + "8E857EB64948D663DC11E9DE33A410DCB3EB61FDF6E9622B66B" + "9B9F4A39C4B578A8D346906D14AA713D2B266DB5B85AED05186" + "CCB2809B38BBB3C9F99C2861793FC70D972B51F2199674E734D" + "46FE0E8EB675777AC9E4B578A7DE4DCFB5AC1E7A2EB0067237B" + "985050D66885F85CE3410467B5CA374A9F420D8CE5DA4A4934F" + "E78065541C53D071C88F0FF132EEADEFBDAC5E98251C597930C" + "DB32D79656EB44F95C78BBDAFAA59B7E36DA08A58AF3DAEE995" + "36EFB56319643FF422CFB53D152EA302A6458F58B5EB9F2C81C" + "31C4")); + test_hash (&nettle_shake256, /* 11 octets */ + SHEX("EAEED5CDFFD89DECE455F1"), + SHEX("F772DECEFF020D1BE280E7F93DF5056577E78D104CB1E2AFD42" + "2B021C6206D94AF56EB9404F8294403173E4A6932A1576BCC47" + "580B6CE2CC80B20FFB274FAC017FA05B3D804A6CD8E874CF258" + "E5D46CCFE06D76DCC18C9874CD3B7543973EBE3367AD38E51F0" + "A46B92D47A68018A819F2D90724EA9F5FC51F444003757B028F" + "BF96F5413296AA9BB8532773EB8CB7CFC803578FAF52082D4BB" + "8AF606301FA927A94FB62A73E2E9FE367E782351185516C181A" + "A674E19301A38D1375E1658A181DBF927973C02207BAC3A0B65" + "C0C6904E8195A3C6550D13CFD46C1885987263E82CE56485759" + 
"BFFB2647F420625F2B483C2750FB0B4707A2014FF57B1A42375" + "B37B444B0811CED4CB93D5C45551D5E1C8DF20BCCD9437B7E43" + "9156DD9AD4D905393AFAC1347AB2979811CD1BEAC7C454C4B71" + "66B85BFE52FF6C4905C55D83C15C3A9A7760BDA9FC4B90EC4AA" + "BF9CB3660A883BE7137733A1477971D479049268ADD74E0C821" + "0B1A9FABA84FB940F62B1193CCAAC3F020D10CE14DD8C058C46" + "BC35846C07A10DAE9C03C3EDC323CBCC83987DF1FB2ABD141C7" + "C0694624AA68DF9C306D2E179FB4D603F42C99EA369C90C1764" + "95104FA7DE772EA71A9FB014B467CA220F9C004F287F8F0786B" + "3D47C9DAF3FEEE80B2CE4A92AEB0FF8E8C09448DAD76F5FB01D" + "6997EBB139D7FA5DF8C0BF12BBE0AF2B6E354C4089F32B8C529" + "4634")); + test_hash (&nettle_shake256, /* 12 octets */ + SHEX("5BE43C90F22902E4FE8ED2D3"), + SHEX("00F3525289B33FB3C179398EC76F2E31B824A532B2AA6B2DA6F" + "FAD5287E07F9F9A2FDD2F2032AC202119CA0A01B7C9C6DE7248" + "77FFC874D5E578066A4BE43757BC2D9B09AA7B483749E0F8858" + "2CF9CC3D47B8A0A98D70AC793326FC5EB6533F00EEC34BFAB35" + "18FF4E98B79582621C2BC7BB7AC8AFAA8D60DF3F072FCAAF514" + "FA7FD9EFE2B1FCD3CB96A7F70A87436922584B93EF74BB03254" + "16EEFEC14EFD150432366C1C1E5F7949C2573CDE16A24C42918" + "C919ABD988F8951207149F873F78D2793FD642F3B3E93041B88" + "55B8CCF62A2F6A2B8ECE4DC704CF693069BC789D470FC4938AD" + "23D5B5DD20D13E31345B2169F750E69C4913E3DFA1F1E54A301" + "9A8333B6648659A6A2E93882FC4F8AE0234FD149123D831F148" + "213F578E8961DD07CEDF94907ABADF7EFD84500E501BF2588E3" + "B155E7D24815DA9584595EFD2FC6F1768F651C1EB10E0029553" + "4F89A8DDE9D37C05F7E4EF9EA236B615F82BFD07E7F6FEB1C62" + "DFCDD4F598BDFB3CBB0FC3259ED96D52AE156B20F0F6EBB0891" + "27CF98F045BDCB12DB84C2EE47800CE36AB10F982231FE746D3" + "2FC5002700E264AAA6432E7BC6BF4F4AF41E82E256C3DD6DDED" + "B24B3607015CDDF78BC1AC56F835D03D8297BDEE57F87EFFBD0" + "66C3DE372F285EB2E7D7359684BD2072B090BB78C3EE71A45A0" + "CB7C22EB4081CEB3CDB89CBAF3D124AD86A9A830457E273C8AB" + "8B33")); + test_hash (&nettle_shake256, /* 13 octets */ + SHEX("A746273228122F381C3B46E4F1"), + SHEX("1CF1698F0702653368463A9EEF102E8588FD5E711F4BA16E379" + 
"8D7C7730ACDCE6C65EA3849CDCA9D08437BEE09F78D52397C92" + "D0F00ACC9D5E9450213F337B9A75697E8FBBDDCA67CCBB7F8B2" + "CAB1209397A4EDA1BA9AB1B44366E4F7A0D2DB47D5480247194" + "D486D63D72FCFECEAC8CFBDB7F8784D4CC9214B3893FC7EEBC9" + "7A33B9DDEC9605484C96BB77CAE4D212F16229DD507622A01C8" + "61043320D9C06373E1E0D9649D95B42A990B0B447ADFBD307DA" + "D1394C30D12E010AD5F6C8ACC729904CCDFCA2162C32C5EE565" + "4316E10A97A192EC23BAAF594B711277A301FE6EEB4B54903D1" + "BB736D4788F65DBEFECB4761685C683DB56C05D0F26F179010C" + "B323C2FC8B9A44DD4A172BE2228C6B0A0779B0637E6B5DE0477" + "76597A17FE94D86AAED911A1DDD27F8F61710CCA8C5F38504A5" + "0F01304B559419F06B5F043DFE984B4DEA2DB6090C1A836F26C" + "0728048C0D89401722B9576577F11700BBC5A6BBF1C23C687BB" + "478112DA0DDA52C1ED622D0227382F76EDAE51DB2FF14C098BA" + "E8D25A2A53D98508DA98C99AECDDB7EAD8DA98AE41BF21A59B3" + "FE4B3DD68F0FB15242EF3056FBF77462D4FF67E0B344BE02CCF" + "03FB98F6DD5F6D306A4C2B2451EC8AA2933172689BD11A7E391" + "1B236905D6D8CE1C030E754A0B493CFBAA39123B0DC4B7085F9" + "FE5988B0447B706CF226EDD34B644BCB591A002A08CBA030F6B" + "1927")); + test_hash (&nettle_shake256, /* 14 octets */ + SHEX("3C5871CD619C69A63B540EB5A625"), + SHEX("413131ADD0DBA2B0A48443D3399896AD65BF5F4426D234AE20C" + "9D2DB3D9DFAB81401D7722842A58312F837E7DE13069802F58C" + "7CE9A3AD1703E9C7170D1AE751023147464CF8694515AB5E268" + "36B935ED493B9D66D9229BB0B66F1C5AC721D8AEC1F883DEC33" + "D0380BA79BE198A6AA1F2CF555818D54CD28C0682EB44FA0F18" + "10DF50A8F005557C9BA52F02D70EF769EE7724B852A94E1710C" + "6758307FFEE309C8F884DD0597012679F7C97CF59F8A41B06A8" + "45CCDEFD5CBDA268885A2781FEE48FE4ECF4D0559868607F352" + "4AA25D1A5CBE5C33FE0E8E8E47B6705203D49CAE7F1749DA49C" + "BC469B8870C1CD7D029F6398CF7AA0D3114F56F78885093A59C" + "0C188ADAA40976827AE1000BD6AB4C7A2154D80AC6786CC23AD" + "EF333A2C538152584045A87E942B8033C565506BD319AD99C85" + "A4655F6E47979F55B5F9F9822F9A338CFBAA50D580E27953BA9" + "D13BDB3FDB480226EDD2A8F8F56C75015714A51EA63C73FFFAC" + 
"63DC3FC6FB8D509BC40B87B9332FA37DAAA441D05984BA56781" + "AE25D324E508B300E6B07629EE5BD2DE33D3BBE6FDDB699E35C" + "324FDB521CDEFCE30D01570AE82803B0B54A7C1AF4B45121461" + "A848477C11F535B700633D88A68AD2ABD9AFD09A4DDC1BE5511" + "B574CA6E525EAC7A6CD7C26EED3E5656142AB8B24D97A76FAB9" + "4EDD8AF21CA7170A98660A5CBDA15925E67C5C579363DC4F697" + "0C95")); + test_hash (&nettle_shake256, /* 15 octets */ + SHEX("FA22874BCC068879E8EF11A69F0722"), + SHEX("2FEAF391D45B2B8632EA10806E35D465F2F767DCCEA9304502A" + "4CF9CFD85F7CD46BF0E5CDF2C31A43C6AADEB0C4683B3FE54E0" + "42C014457D0542A8AC09529C1931FD1CEEB0EEF6C5A1D28F7FD" + "1E7998537D78B9DCEAD530B0AB257E273432D3D7205E451CEFC" + "6906451DDDC6B3B0DA1D1F2DF3F043396858E7619B8A420D0CB" + "2CDFBBE43E19BD2BC670E2F5DA51A1B8141F7FA0FA79538FC90" + "9D31847C46653C8184114505C51C49C844EC18AE5C6EF782040" + "0D0859B3820FED6B023D1A3455C2BD6E1A7D25169B58BB71A82" + "107893F27E994BA04C79D209ED97E359D02B991E402CF0D14EB" + "61D4C1ED931B4526D63E9E9517FAA5BC83A23521620FB5B9E9A" + "C1CDF45536AF54E567F5D9BC31196D23C58C0C70939497A3E11" + "FA544A37991B5C06B8D7F57D3057E83C3EAF1758EBD0F569E5A" + "8979D340740A9FA1ADE5A9D956F171D9A0D0EFA871E98AE8D5F" + "3D5733FDF0388FD8D9564E6C267C6438F0F78D7A224DBADF7E6" + "E645EC6952B96A9D6FB441CDD640B576B2C92BC7C5FB11CE767" + "B0105DE7907DC00DD4F8F25DC85B6A84083500F3127708ECC12" + "50AA15D350437664D0D6ED61E83DBEB951260C1746C0F06423C" + "4B84FE75A752E7F034B2584920288EE697926B9BC87FD086299" + "2C3D9934876A978744043D8949273A3583A7C5DDBC25DDC0C7B" + "EFBDA1F306C9EF7A2F21E15543EBD5EF87C39814C91E1B60B07" + "9700")); + test_hash (&nettle_shake256, /* 16 octets */ + SHEX("52A608AB21CCDD8A4457A57EDE782176"), + SHEX("57119C4507F975AD0E9EA4F1166E5F9B590BF2671AAEB41D130" + "D2C570BAFC579B0B9EC485CC736A0A848BBC886CBAA79FFCD06" + "7CE64B3B410741AB011C54422568089405BF1E8DDD9E3BCEFE1" + "A713DDA18CC2B73FDE0EB323FA7518DE2808C875A6C55111BE3" + "E0CD20663B794048F5FF44638EF871FBA0F4C2ED41A96D36216" + 
"06740935E9EA1ABEFE15A1A3BD55C8AE6B2C021CC772B34DA21" + "9115C8F6072A09F2B718E26ECD2538E5F12068F577ED7D03A2B" + "BCC7CA7DB81D2CBAEF2AC8F33B1355798576CD3545B9DC792FD" + "BB9C8D1C123EE0407C6328E09103FA6CE1B4DC9FFB0BE7236DA" + "B3ABD29E704D0C352C524FAC14E12FB61929D98DED973D7E878" + "5A8ACF52AF56C01CE62AD93660C93B683FC22088D7302F72D0D" + "AE54553B0C3E6DA7C498BEB3AA46E7459779A1B0E1FB19556A7" + "1635B404C0BBBF3F34536F2776FA12206513FBB1F2A11CE9683" + "460D22778867ABA7335210D817B720B3D8A8C48243D128EA2A4" + "BA8996D160351194C0AD3988ED0AC5ED61C1F576A33C914C2BE" + "BEE0EEBE55878E2B43A51E510251068E3C0F7C7292189573EB6" + "AF979CDAEBA8B8E359E6B632BABAFE3528773CDD4A1861B7AB2" + "532113F2B259D45598A76D54C739DC2F4AF2700F3B5CF22431E" + "D9F73D53CAF41D134F5CC67ECF8F99549C091CA6697FF20E08B" + "F6AE9B6BE74BC77F26DB50D25F48E67A94DD705521F02D3CBD5" + "FD56")); + test_hash (&nettle_shake256, /* 17 octets */ + SHEX("82E192E4043DDCD12ECF52969D0F807EED"), + SHEX("87F2A509E9D42B0F595662CC93094F26F06A86D79D98398B7F8" + "7EE2BB5FB25384F9FE3F7A72AB5DE21CB3B7836F73618307242" + "D53937C67CC5F36A7552F917DB12A4364736B08671314EBCD3F" + "34C670E0BB066D3E8792ACE223608F5A152ECBF9FCB4242FEDC" + "1E27143835F0C06320174E7EEEEB60F6B5A8DC9AAE97ECA494D" + "79B3DDFDDBE91D3294AB4C3B3CBD1341EA4917733FB13A15BA3" + "4B46F0D5981C9DC457A123C4152776E15B37870C24EDC0BD9CB" + "73CFA5D290739C17289C2DE3A71ABA0DFACE3B76DF71CDB6769" + "7321772357587E3C2319C15D867A76F5C7BF5CA2F523265D411" + "8EAD7F96BB30349F5C4373D5E4FAB4076CEB6AB8C11CCDA6B72" + "72121A11F00F67D7D5AE31E86EDAB458BCDE042C58E3D3368DC" + "485BDABD40A3F6B7294C038B8ED3026E70ECC9EC7D6060504F9" + "31AABA816D5AA5EC9FA7CEFEC123E71C5135178F252885A7153" + "A4714E0D9C95AF171A6AAB936F0B464AB07E32AAF29CD4D9315" + "62F700CA1419BCA2ED1243F8EE1B442CDB1F5252225954136E2" + "E80A7FBAF9095108647AFF7F31D4C4CAA050EB1A90AB1D1AC0F" + "67B9F411006A4B76D5CB4B48D2154DA87303ED37C9F911064E4" + "D2F0531474E98F3F96B1A0A008DDD0AF4B86435F8B26BFC7693" + 
"C338C6AF5823FF7A9BEFA57D72E2F1BB2982DA356A8B3D08D4C" + "19355FD6EFB35D68B3A41144B49713A470BF61D0CA05E520447" + "68CD")); + test_hash (&nettle_shake256, /* 18 octets */ + SHEX("75683DCB556140C522543BB6E9098B21A21E"), + SHEX("20561970BF01E4108BC498DA4B8F900A0FA378770DAAE9703E1" + "66898874A1821AB0432D7CB1D0A7006E5461DD3049387C41163" + "27D1D3E0755CDE00A3C40BB5FCFBDE5AD0A7E46650AE7CB37DC" + "2F0E4F506DBA47437EEEC9F823ACD89F3EAEF767AEB39D38F88" + "00DA54790F362A3C183CB9BC420047EE86B3EC22E2B2F4C029E" + "F64A5270C21255D39363894AEE6478788436C758E4101F2096C" + "D7F13FE76E54CC5CD85C9183E6E1A1A3A218379997AEF9DA643" + "D8012F402FBBF88E6D0AE991EC4645F3118FEF0F66D7C8EE745" + "28D622E1E9EF1A69E39CA7EA0E045BB568980D4659ED20F0CE6" + "8503620A94ED7D5C9337DC20805D2DA7D0F14B5AB3B93637F77" + "1C9E63D0B57AAEE353AFF672596C4660CB39381A9010600CE93" + "197CC6A06219A3778B89B0F6AE003B5F9BEF76CCF6D551B852E" + "076A678A74E75E408E1D4D6B1960488FF21B6F6B7C308205F93" + "BD9DA1C6DA1DE9707307410BD7AE22FF24E24BBFDAE849FFE26" + "66B1BDBCA2E08CF9D0F3F7698C4F983D4B92EE28B5B4B8BD98C" + "317AEFCB41E56DD5534F59DA6C84B3D21587D2EE740F54A0C7F" + "AD62A63B98AF747237B68F78A39CBA4596F81A223367D345576" + "88B324B5335CFAA67E78A8095C92D70802A2AA76129DEE69B91" + "D175BDC0A485A58C91CB8EF326B2C8D1D82325C4ABE4A0F764F" + "C01A9F0A743E7F107CE384DC223D7AD7481AC8AB7BB273237CD" + "735E")); + test_hash (&nettle_shake256, /* 19 octets */ + SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), + SHEX("F29097E10DE56C3A4A24746EE4E7A6507050D18E40F1CB8C701" + "B5E589FB645A4E400A3FD2C9C4D48E57BB9E146ABB1EF98D0BB" + "C6375C266754C7F1CF62682F0C6A6D6B11E2E0AEA41533DCDC8" + "51319A34FB197D56F4A35D3B82C3D314ECA59E03774E84391E8" + "846D236D0CC51E7A5591205C6C1738B746E616B2A8267709103" + "F51D0ACF3156BA42CB226BE3E94F2293E9E0FBC19BDF5717633" + "E17B5944A02505CC53B01325D1D77965295EA6B6B50E1294176" + "7F7288B9F4E6CCF3F567A1EA3D17379BD1DDC357039FB356D94" + "57956A8E149E30AA5092A4F85DBEE2083A62610F04FD28A5A18" + 
"80183366211287E9CDBE8B261E93557A38F6EC2D13FCDDB5DD9" + "05599B5469257F3F2E83125DAE5F30E8E7514D55241121D9685" + "08D1FB55C8F339530A437BDBBE04C42B6B229666763400F5493" + "E31CAAB061A67ACCF41954C2AA0A7FA0087A4B828A1AFBC62BA" + "09E91A3AA44FA4A74652882B7FF38C9C1692BF83FBAAA17F32D" + "EE6D25518FA0721463334FADFC6D050E0CB195E477150CA1198" + "EBE4D19ECAE1B1321003823BF04D8F9D4866BA3013C9A47FF0B" + "53FA6C70F57D220D86E8BFE71A61354F099245004487B65E7C4" + "5E090630E6F73FDC56B2EFE6B3469BD31D23384CD4A830A716D" + "50C7A91DD09A45A79F47D73BB32D14BBE85CFB56BBAAC47D973" + "A6F3F9FC23EDD774A31B533FCF7E78A2A75872C5954788097E0" + "4845")); + test_hash (&nettle_shake256, /* 20 octets */ + SHEX("E26193989D06568FE688E75540AEA06747D9F851"), + SHEX("BF4EEE53BAECA39E2884780A1F007B5069E7A90F1ABBD12EF77" + "C77A4038CA56609D52B9BEE113536D8FEC7D264F2951072FADB" + "F2D3A0B21690ED5478A540C02D903B3675787929AC44A2BDC65" + "97B2EF2956B3640B3771EDB189E98FBE8FB4CDDC8C641ADC707" + "D47EA2DBE17616AA0ACB4AF8D7197626577A5AB5A71AF722332" + "7FE96C4472B3F21FBA242416A266BD863BE3598D57DD910A265" + "335D17A7B51F59DEBF9F4049ABEA37CAD33B8F2032A4FD5FC6F" + "124044FBF2A9E47421FD6C1488DF87B942CF01F9FC7F13F7824" + "C7C09AAF6D739F4E3876B383546EC682DEAA6F633E630101646" + "BD1456CC22A7BAC50190548EE56C5FB0115809BE6B1D7CF5488" + "A26660E0A80DCA89EF655A963E8013A61CE27DA232430183D41" + "C9C9AF96C14E846ADDF3684782E207916820F57E04C60E99934" + "0F9630E8505C98F467E2A122FEFD1031D67789F890BE96D7B62" + "9828CDA153F9CC19BF8B6D0B0716F931F17014D9AC4B6D983DD" + "41EDFFABCF33693F7558DAB690F669C53C21A4D8DE7BC32ACA6" + "CC45225A2C980AEF2307A7097995D97EE060005CB965512CC85" + "CC81A75D3F2F0975183D9CEE293BC69A06C896634962369E01F" + "475098C62D574A0D6A57A5FDAB004DDD8C3D96AEFACB39B3E4E" + "1523447BC8FE397B488D8A5DA6E4978AED897AD0A2FB88C5ECF" + "86CCA7A67438B988C04F3C14A754A74ED3D03D478CE9EFD752C" + "0531")); + test_hash (&nettle_shake256, /* 21 octets */ + SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), + 
SHEX("A697F36886208CFBD55C3CC1C407C3F978A31574E4B9A790716" + "E601C6EE0ABC421AA5E5488B57E293CAD8AF40065C161407D0D" + "CDFCBD172FFE700B60D7EFA289C4755733FA535365DB90082EE" + "E0B812442E367BCD4451F152FCD54687DE4AE20F7FC60FCB3DC" + "D1C419EDF74251EC84471D35E4EA43E684995101ACAACDC0D8E" + "CF5F39840850557C70BE1477A2F168CBE97FEA85EA188594A4B" + "DB583EF9DD2C5B682774E7E7E0CC85C1723CF91603793C711E2" + "DA65869BE3A24D481C032A8674C1E0CD91A267302CC084B53C8" + "4AF3D0A7D350BB62A2F3B9027E1F253C24D481A34AB8D8B164A" + "78B0A60C95C13454BC4AE87C5E4E101B7D04C6C3F00E6BC4B4B" + "B922F39C87A4AD843704E125F5CFCFD8A1E8E894230CDD7DBD7" + "BD40A9CABABEB5BAE9CC49DB656AC90EBEE4AFBE3897B0F7A64" + "059BB331A4767983403DF36C919759AD6BFA379920594D0F775" + "BA2390A522C3FA7B0348781155EDD29BE53891B41F44E16BC5C" + "290C1CF31EC33E66E588ADDD70E79FB26EEE21DFDF40A3C54D8" + "E1CD79F2848B4238F7B803891EC01623AD92E53D3EA22197DF2" + "9BB6554AEA8CF2D29EC4B673FAA0A0C64675F3BDCE07288EED0" + "3D980C36E4D10689DD5E525F34DF78B1E76CD87F8FAC22DA1DB" + "1FD9533F58577D136FE161A688F3FB9CFB42D909EFB98085FEF" + "BD8D26498A847C9493E02E5364290CBFE45570BA39BCE1415DD" + "5BCC")); + test_hash (&nettle_shake256, /* 22 octets */ + SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), + SHEX("DA7660020D2EFF07955C3724CF85B1B9533278FFD2EC05522B8" + "A876DB92C7F9998F0F029B2156D630DF390B3F8F5A31A8E74B9" + "43D6B36E1C97BC4F059408DE495462A8E039F590D5FCBC3965A" + "663F33BE332F9E56BF37D9108554DC9FCDEA2E771A5E22EDE61" + "AD5476153969D1ECF5ABB108BBAAF6323D7E570B2747EC04C35" + "E7DE5EA2AC0306042CAECF38B0060984460D000DDD3DCABCDCA" + "CC83414E56EE2C44F6D6DCF4875EEDCC4EED761B62E1A338697" + "0571EE127D84563034F1BA93D2A84310956C532F0EC4414BB01" + "AD19BEDA20C714125176EC202A9F8F9917359794239DDF0376F" + "AB51A5160F0FC5CD16E7B7DFB0943CD524064104BD1CCE97A34" + "2035FA47138C27DD9FB00F6528409E10BEC016503B17687C66F" + "2A00072B6245EC061598DA570F36B9FE8F4C35E3E8FCB3CA1A8" + "D913FEAB1890C8AEDE727E63C6085B5C196E82BBF872906C814" + 
"40EC8B0A65B2271285616C7111C702964E3232AC34E7CD4AD5F" + "5568C9E30B813941C02466B817CB1523D6717E58B4ECCBCD74A" + "923E806D82AF352395F22526E06A71585B71569E87C3D1AAFE8" + "C06098204042CB2E41E92117E4264ECD229A7F2BF2A9188A532" + "64195766707430B432FC332E160D786A9415A0260DFD91482B6" + "83AEC0E62B0D1A480650041EB7CDCFFDC9601AB353D9197CA15" + "604351FC226BD574C3B66B1C6227B7CF6577DF01520214A961D" + "0403")); + test_hash (&nettle_shake256, /* 23 octets */ + SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), + SHEX("F887A018985C64AB3D5609BE2121E73F7AB70D4A90BF47660E5" + "35B72DFC0A1DF20EC0C372862BBDD1C74DB76A0ED12BBC03228" + "3AA5FA615AF320E1C15315EA171EB224184691D13D38EF39DEB" + "FA2629DF136FEE74C49D61282DB8DBFD0CAC30B135330DD4F25" + "644B73FE8276C66325BA588C7178D39EAD3C8DB5BFB6A5F30F5" + "90181C84C6B88C421A4ADE52B6DFB74D1F1D82EB206FBF8678D" + "95442DB8292189EA349D3335C8A4B57E88C4F91B12CD0A3FB10" + "830783869ACC88BA943ACD63ACDDFA8634FED8339626233614E" + "FCE39D60DD2D8B1F6BC87799C4B7EBBB7D407C5621E56CB2E8D" + "3952E07D5560544F810B2BBC56054DCFA0731A9B67067CD1C8C" + "4951FB2AD6466098DA17C9547BC5831646AC73BBD06E596AEDC" + "C57804B01EB817EDAF9D46E3728F003D286B95664317361EF0B" + "5ADC00DCB1F6368295656DF2A41C950367BDD25BA8DB2B6B7AE" + "EB1161FD089D02E35BB9188E7A91415DBA172F906264905BE8E" + "E1E9DA5AF53B3ACFFB44437157DC275D26323402C07C77070D4" + "79CC89AFBA181029FB97F9F0C9DF1B4BE0F0B000A218E380CB8" + "4A40ABDD79E267578EE379C3B674A25A30E902400B0BFA6A69C" + "B7AB96661781E7CF05A6F225F301065B59C033C5D873A5BE330" + "7B6E59708599595FAB5D2A91C601FC75E97DAF27B9453BFE950" + "29ED5B7F2B95C35377E5153DE2FE9AFC847A82888E9469E8DDC" + "F4E7")); + test_hash (&nettle_shake256, /* 24 octets */ + SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), + SHEX("2DBE1B6F378F1C56AACB5F9A71A12EB3516942F2D45CD4628E2" + "D6DBAAA4CA282D640806C927C93B3DC6D1C96D528FC2FBDC91D" + "7773BDBC26B2E5429063889F0842640D4EB0A69F2C705A11FD4" + "0484F16A0248077897C8039C575C1A1C7BCCA09952EBB491457" + 
"6C9A9D35B2043C7A5ADE1EC97B6D46CD647815941164BCD8D11" + "7E5C4892B6A5A5155B066BCA61A9293E705EDD00DED6402F12D" + "0DAFCCF608391F24657283102C30E71777B7B9F39F069B90B44" + "A6E84D87660D1BCF9587A25EB59F814CFFA8CBCE7D7EAC35B27" + "E8707F65F5B78FB16BE7C17812857B8CB6A447BAFC1CDF793F8" + "3B6D29824B3C355ECD204631EF1E176B53A6B82FDAF3D224851" + "FC7BC0F6B83A6D05D0432FB34567A48BE56368272D2012C0F29" + "6324BA45B7438F13759A4A1AF293C244C5B326D6C68D28A5A3F" + "CEF1AE25CEEC38D866D747D62CB9B5F8CB38B047151192FF44F" + "FE1B35B5D08E95344E09BD7194CAC4D66722C9E365F3C0B7B48" + "FE0A2293E478B4E6C8E6B7C93F41637BB0FD15FDC24E6443595" + "FAAC6C342E8DEF79F01DFD96E624A8954B0AE93591375B8FA6D" + "7EDA21578A51AE0EB69D97DE7AFC1F4FA797FA6D11D5C2663A8" + "B09665463770000249DB5A23233BF83D36C7A15D3E8673F52DC" + "C06270B246086E5AD0648236C68EFBF04A311A9A090C72A6A79" + "116EBBA4BACFE7F46B5630F27C99F257A3C563B864933B8FC36" + "72A3")); + test_hash (&nettle_shake256, /* 25 octets */ + SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), + SHEX("59425FE5B259EAD7E04232543C65EB5ABD0C4DB6F9E03C18492" + "8E877805B9E7EC156D8C1BD0EE27E4FA931832B41781DAD3C7D" + "23BEA681C74251B1EC51A90077356D3C5CA2A2779BDE6F45BE6" + "ADC20FE6DD0BC489B3D6E43DEC4FF6E33A24C62421A20B8740B" + "A1E13BD6447E2D6CCEDACB692A4468C898F815DF88B8A3E0240" + "BCD64D2277D8456642CB129F8627EBA5380A9329932977021DF" + "D641498B40F8D75DB5A4F9F62ED2EFE831EBA92EA600BC95152" + "B3E2FDA2873F54800C15C2256768099BA5ACAD759734533E8F4" + "B5C729B42FCACCFEA0D6C7B5DEAD8A5A1D0D115836D63476EB3" + "C90325F3FFC48C964F69B2957E121D9501405ECF5CDF5C78270" + "19BF4A92417B1E44C444D8B714EE85154BAD6462317515CF1B6" + "80AADCCAD3F3B69D70875020FA770A0F7A969E4B1672DCA70CC" + "DB8D7122A7E8AE77CA7E0819D6CEE706D71F0732DD1AEF5106C" + "65AD8C66FD350C13F2D02237D2B4B9AC3DDA52E3771FE5473C4" + "7C77BF84DD90EF38104D8571AE25F6B7AE6B292708F0B967A99" + "8A6D8F66429C1C81CE5C03843877AE4C56F14FE4F5A24C8F930" + "72CE79E3A3BE409D902881B73D9BDD3AA0C8EDA88F0511E98EB" + 
"93B271FF5F244B956B1DA8C7A8F377F39C803355F1D70D55775" + "C7FBA96CC98C02999A47EEFD94E52811FAF30C099078C7C1C50" + "772057FE65E954FBF28CC414CBD5C2EB12AE86A0912D3812A04" + "ADFD")); + test_hash (&nettle_shake256, /* 26 octets */ + SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), + SHEX("48612B3A4374024BF509409FBC6B12E049F2F5065A0CC31C49E" + "EDD57FFD19F1C1AF6263ADE73B4C29AA77E5C05BC0AAD40C904" + "106A19A8FD55DB489AC77904569ACD0D62F18BAC28A287299EF" + "6CACD0B342760ABAE5A35A2E67F85E854DF55C5BFE831408C14" + "EA2B0A3C0FFDF29D8B9FEA747EDB856DF6591B3CC76D3F4BC77" + "70E38FCF603F4455C9B5019B7D8A2C939340BEC5247E597CFCE" + "386A458BDD4BA5007D03BC82BF310B4A8CD328A62E2FA1E8FAE" + "543736C10633B3C70B21B98C769ADF07567C3F6D89A006BE4B2" + "AD21643BEC00DE1EC9F7CA7CA733ECDBCE3C58B45119E5F593D" + "CDC5C95BD07082CF5D9B9A1AA11530E302E1FC8D6D2FC3B0FA8" + "34AE3B2E98B428853C8A1B9266AEB7B8436543BFFAF69467D7E" + "ECE47F2DBC790FCF2EFE2791213482B641388D58B5045774308" + "78EF15485E437A4A1F2FEBCD994C088283D92C90975C976331D" + "051EA2C2EA887A20DF5C90E4FC77A9370306152FD2CA6C6410F" + "BD529BF9CA22B4C8FFD4444EEF136EF0B61276E42B0D0424F26" + "82F291C7A704ACA96B355AEDA4D382C16B3AD879BC6B6881972" + "94203661F21E3E881BBF4265C6B71431B5DC29F614E090D723B" + "A086B23051B00B7E81AE8D2315C41A90E1205CE8A1C5A744F82" + "B7582A099D61FC5FA6B2E9A28920E503B32A84F4831201DAF2B" + "AEA8CB98E034F7AB63655E670952EEA74E3DDBED01EA9DCA953" + "3184")); + test_hash (&nettle_shake256, /* 27 octets */ + SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), + SHEX("775025E1E1E0A1C865E2B57B7B43ED67FF002DF27DE0A62AC17" + "76F894E1DBDB2921029AFE631201298CD5D51B9A2A6E49717E6" + "8A180EB27B9954A807667E4D24024DC3A60A60A819EDF287026" + "0AEA535698F9B5D83B820013547E570847EF9F4563931138791" + "B44AD298217000F039A9933FF02B99AB66A571D2D5E16507DCA" + "9EEF54B1910E26EF361887512D646CBAD74F99DEB082F7AD971" + "E2E9EE37AF77B80B2A763DE07D91229E8B5A0E9BF220B0C15DC" + "939253BDF45CAF4A8172AFDA5D096B47793461654341D08599B" + 
"FAEE496369D5D6E37562F9AAC399A413FF892F9DC07E624DDBA" + "B1C72FA0F2D1AA98EC442BB1BBF7609074E61ED16D25367869A" + "5F54E33B52DEE5020B9ACE4DFE5115ED049A6CE62227661BDDE" + "DDBF77AC1D45114CB734D9CABC634908FF540C2AC162CBAAB65" + "5CB35138CBDF81CF5318E92516EC9C4CF05E14547CADD180937" + "55458621C0903FE6ABC29AD174187F0D5D6B314CAE5A4F95860" + "12D396BBC69D81A66927352A9F4B926E1CAE962A73401587FFB" + "C6D9FAFA35ECC1B678D0D050F790BD8CF4B6EA3C3B663CD77FC" + "6004C257328256F26205EA41EF7A423CC757E81BD7BC408988D" + "AB45E8D632B669DCAD4585DCF6348C8C5D2DC651A4AC1806F3A" + "55DBE5FAE59D50E2B9F25F89200DD88BAAC59C14EA0798194B9" + "0641642B425317BDE993AD1467200432B1EBF23440D0F789EA5" + "A83D")); + test_hash (&nettle_shake256, /* 28 octets */ + SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), + SHEX("36DA0700FD13A62A128D5C87F69863A9EE8DFC65E5E1F97C495" + "A675ED8253CADE4F79D45D9E34C8FCD3D5AF760344FA76B271A" + "916A539D467F9FEA26DF0CB98DCA0409602910D7F298D6E9360" + "0EAE6447CD2EDE4A76526014FB58ABD4A48ABB38DA5ACCA349F" + "140CBB391A6705E4E153C87A80C93E912C912B9C97CB89B101E" + "6BCD0B739CF89D18B522A1FFB858B837C643240DCC8F8553508" + "596EDBA0282847EA724B5D25CE6704CD3DF3EF40E5410D0C674" + "6F97F390DCD77F69E6C41CB009FFCC9EF3C6F9B2DAA646DD07F" + "CE398A9603BC223AA22AF0676931D4FDD5D2C06C6F2F4D31D48" + "54F72E44EA149ED172BF152CDD08D33AF58878B8E268CE44E82" + "46360AD41076FC4E9BD9F460CF5AD24EA05F4E32EE2AF4B1F56" + "B8813599F23DDDA7FBD9195A40C5683988D1A84FBFC951D3613" + "AB6FF84D372AA4A0EB2B68FFF9B37AD1ABF88725A5479E77E55" + "F320BD8BF69A2E174F715B10D8FF4E8CA72F2E29AB501F9A74C" + "D4DDFFA99522D1C48C619B1669ACF555F5E5221D34C7B36C56C" + "53C3EA3AC302C197D74735A1FB295A39AE38D87F451F86C327B" + "67C16A1D1BE50C453F3CA5C9BBC5F78D7C46F5FBE1B44C36615" + "9AF8797FBD29C6B025894B66266332078860D083A58873B8EDD" + "E27300B4177F4B1A70EF2557610F19B2FD8DF4692FA548A018A" + "014F55B90D77ED357987A033ED8E83E07A5D5D3648612854EB1" + "0430")); + test_hash (&nettle_shake256, /* 29 octets */ + 
SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), + SHEX("4D2453D01B5B3FBF0FBC4E6F7D2F28914EFDE730877568F3DA9" + "CA256C3252560DC9F9AC94AC203AB2A3829A3202E6F4D385D21" + "5B843D64B52B3CC28B11E3876248B4CC692D4F7DDD46C36FB72" + "92794875D8353D945438BFF037737E3E9133FB6559CF65E7129" + "B98644141A1E5870B22751076F4AF9A14F2B0D198FF4772B91F" + "4F5329B5BF9326FE39D5BEA9B6D4CD19BEEE8A6B8FE1CF3EA3E" + "256C7E1A6A95C5B9336AC8CD2AF6D35C776B5563563CC59906A" + "BF1ACFA707AE71E6E52D6A77CBA9E960BCE2D3C11E7A6AD2378" + "74F6316D982207CD5CDEAAB3C5EAE28A3E5364626891555721F" + "81068F60301B1DB9CC8D8FE00D9949EF2998273BCEDF012A982" + "4B5942831AFD4922908624F4C2D3D218FD440652F59F536F8B3" + "3EC88CC3E9DB8A4513EB8880B95F29876C4747A8F83D089879B" + "29350DCB6CAB4497A8EB14AFA848432310C213D7439968D4942" + "CDA32B5E6DF26D29F42BCD98FE7C67020804380D0D9E4A931EF" + "9AA117F872C7C0AFF2E5F11451AF753C383144E60E661D6DB11" + "FA78E542FD2C9DF493DA608CDEAD669E0AE4ACD76744CFA6808" + "8420FA24A43B6E2C1706A10DB468D8A7B6E18CE68C4EAF1CB1B" + "9D794AF9457292C2999DC18337531ADCA5BE1225BE1825B3142" + "7EFA14BE2B500C0174333CBD3553E05AD1E4E27858BCA6F2BF2" + "A966A8EAA6012F4ECF1F3387F3E3409D3986F2E2BF7DD239832" + "C9FB")); + test_hash (&nettle_shake256, /* 30 octets */ + SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), + SHEX("2D46D78B2BD91664CF875974D2CFDB0AE27E00FAEDEC3370C5C" + "B83129EBE05EC438A0A02232601C33AD623162B8BB160F5D8F5" + "C892BBA4606D1937A1E4F90782205CF7EDEF07C0EDACEDD95F4" + "86157A0C64E0303D30029CEF36894100E79693F3E794596CE99" + "ADBAF2E3D4B4ADA5D43B9735DE4B24520EA9C8041CACEA8AC65" + "9699DF823C7BE9AE82D52BCB294A43A751A71F6E0B939BF9F08" + "31443026A292058B62817FC9EB139DD0637B7EFA73344858078" + "AED6FE93A6F22E1E14B92E87CC3CB5C4FD7170413C4949E5D06" + "DDD44FE90AC4EBEAE413A7BAAB1FD2B99BAFF442E155E94EB49" + "D75EFDDD9C0BBB6C1EC6AC6496145C755788DFEB766CA0256DF" + "9C658B7BC660808F875E9E38B3E297543D2C9032B454161F9CE" + 
"E80B0A7F9F49039728D2F12142EA22C4708307B6593CFD0EF5F" + "38A1E29FE43058A735BA02D4EDC010C02F4B625AAF832030949" + "E81264B213AA8A16BFB10D35C5A369B86CBBF4EEE8DF699B302" + "B052315AB495B9B287E9883B05C6273B4C32FCA1D186D2DF481" + "F54355DA3AF3E7EAB49C1406857CB9F590E7B1B8EA5B7A0C5DB" + "B7FD778A4FB570BE2CB735F21CA599AF8903596E80F8379B517" + "D6A0F7F7D5125A7D4375BD90175EFCF5316F13C8B09219BC840" + "52B7FD2BC1D55656FDB9CF1918997717C6E2AA0FDB46530C271" + "14263E017FE5D91153FDDA221DD63F14C25E3439E05F5DDDB3A" + "C966")); + test_hash (&nettle_shake256, /* 31 octets */ + SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), + SHEX("B3DC434BAD278ECE68C6DFBAC1416BF47FB37645AC6E6B7E4DF" + "D79E4605EE32B9795ED18683FCB56F910E223704FF1200F015E" + "AFB2EE06181E9EAB1BA17BC5D84BC22A2D5C134991C906A71D8" + "B20F6ECD6BBC27FE715EDABDCF1C4E1A374B15AB4D76EA6AC58" + "0904BC66010CD8352CAF365DA80094F461070CFFA34A86DF705" + "B87CC277D80196C86C602326E8E3AACE1BE7F0136C0988FAA11" + "A2FF91AE941799EC4DE96E9F167E4088C822BBACC46DFA327DF" + "7210C9B31A9F7306AE753152A86F9E0ECB03FDEB7415C9ADBA6" + "D61FCA7F4D3C776EE6FBE6901860292FCC6CB89FB45A68F6165" + "E36885DD40671EE372283591BC90C2B4A542282B13BEE71EBBA" + "4E12797DF59FE47649A27AF116DA9F41E0F0B6B962F7260DFA2" + "F569A97BF47405A4EC4A6463680E3903CC7C3CA2F39E9366FCE" + "CA8031DA89E447B37F3B80769FDC0449291FAF1BB8F9CECED3C" + "175062DAE783F51637581E913104C7042BC328E1F2571CAA557" + "2E75EE3F5A0F559B50191F3ECBC1FFC039BD3DBA90F7007AADE" + "D690FF35D8D84FD0A9D427B2171072F1ED51A8EA9AA8A066FEF" + "6B88915265D80CA283EAB1056B6BCA093D60BFE288E3B9029E5" + "AA395C9F3E3913D4B22BADA270A282FF83C963E97F1F7543AA9" + "2B5F419973671EE03A79D1392C40EE57265FDAF75977C9F0E98" + "C2CEDDD7F7C52B4122A4E517280C9547DF99FFB30692ED39929" + "FA16")); + test_hash (&nettle_shake256, /* 32 octets */ + SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), + SHEX("BF7A4FFF6C7B53893BFBA9505594DFFF317A09278C3A59221B8" + 
"DFBDBAFD08EE237FCC272ECB1C7672B41B8DEC7D54B988B4CCA" + "65CF297E1D54DA65A176350AC489947359E11E34AB3E4D6744E" + "AD1775DF90BD5BE0712BD54EF46DC279587527976461D6B8F9D" + "0C0FE14B10372550ECF74B3CB30C463F25090ABF7DB84D32F51" + "E8AEE7298C49607E4D3DD79B9348E33F2E58A7D0D76394C0B1C" + "79642CF2C3077CA0764F291FF48A8CD723C953276A829CC1E7B" + "798BECA33E8B0FC0BD44224CAB89BA334E52D6943A1ECAC72CA" + "3BC825BD61DC4CAEE1A12E053EF31115456DA434747AA8D6DEF" + "E56E35FE67D5E761881D681AD8EFD3AD5C69430FF75794FAEA5" + "553FD91A4ECF7730EE8205AAAA0DB99AEDE2C52591696514AED" + "17F7B8942026AE16D67588A943E5D13BF47F15F1A458F06ED83" + "A48641941DAB491594DD02C681950B84718CAEF0E6187F23C89" + "FE46A40D5C22AE297A05E8B613B264D204334BE5922A6DEDFF5" + "B978767233AC58925C672F4F4B0B77326A5B283CB1DF217BDDF" + "DFBF12E4FEBA42E23C18675E0FBF0269E2D53A024B4286FA906" + "85C2D8E67E3A60BE0D7072C3AD8BE9F4A389FBBAFE191CF06EF" + "F95605A89C3C668BAAB7657A90F23B6B791421D214767736CB6" + "17BF1481CE103768E5A8A3384978EAA8F56A6F2E729D6307973" + "ED19B270247867E5861172467821A22872E52657BA2FFDDF605" + "2025")); + test_hash (&nettle_shake256, /* 33 octets */ + SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), + SHEX("2EA40CA6662A79D253A43DB2845535098F8F4D791E45EF610B4" + "7F90D0F28309EC047BF1C565F799253E32A3C538EC6AD842406" + "D9BF127CC56AEBC442B4B8FBB5DA5C759E1BE0C201246B96032" + "4A087B3A3093EF07CDF45D915C2A4B0FF70D64C1611C17C629B" + "E9852CC408AFE212FC303C196F422A085A72684C10460E294FB" + "60CE9F2D5E2A599E4F1E3FAB86740F61EE2DCDAF7E1C8D8BC29" + "8F40B993CBD0A8EDBBE0EB8715B6A58D2CECD21FC637B02E05B" + "AD75E3B8EF0C2BDB157288F763F0B190468016C186A94503257" + "2E71952325D30D2DCDE2A915169C51D0C448644D785AC658B0F" + "0132B3CC96884C41DDEAD9B57425FDC013D067697C0FDE6A2DD" + "31AFE31CCCF9D85B46325D6CEDD80B70EC717278D70C4344757" + "088906A577C2EB030F8AD2B18A1A196DE26648915560D228F70" + "2956B27046ED63EA6BB863F797CDE111A02B19A6F49BDC7EAB2" + "0E040938B9977D534BDD01D19B15781235C249A24EC832770A7" + 
"6520F5C0E5F5ACC6E6DF757FDE79DE7AD8C43028515B82614D0" + "DA808400C574E5A982D0CF9461BD25EB6521064152DC7BF3295" + "595B7A16410012FB01AEF4ED6ECF22C209FCE011888E29B8C3F" + "84CB29F42AE0EC1C4C6D4C02619F90BAAAF7219BE0F2129723E" + "AD133ECA7E0D50478DE346F90089BAED5D1D04563F64E3A3D5E" + "228988D71DA3DF85D906C9AFC972CA6314482BA62C557CE7CE8" + "986E")); + test_hash (&nettle_shake256, /* 34 octets */ + SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), + SHEX("489A2DA0386AD9F87188CEF4BC2B22186F74B1561D79D8ADE98" + "EC2190003B99795DAFEFE1851276ECF233EC9ACC0142DBAA3FF" + "1D94692430F67C2B1D809A88A683B73E00BBD678D3728EA98DC" + "1A751FD5839B8EFAD1F4CB45009411B8F9B9442AC797B55E182" + "7B0B6FD2A4B1E9F078FD43D9553399B9A52E7567CDCE4A27647" + "820D8483F16360104A7AC8F3594CD786F51A9ED172443BCAC49" + "E1F4B32E4E915A3CBD7AC18FE691E4B9BF35F31D1E8FA401EA3" + "7458EBBB1CB6C4E99C6B031C6C6981D95422EC1A9AF5E74C021" + "8F403AB62D54E28AA116FF96CE0D6E8076420846DCCF95C9AAC" + "FAB3A4864F93B5D3869A7DADA5BBF8197411966166B2F4F52E3" + "150FE802C96C47AFD6A9F64F7554FE3D52B79BDACD6C95401C9" + "A78F11594347E77F727ACD5E0131CF898C4F36DBB067EE05E43" + "8B6FAA70D8B7720EB94728440147B159577CB5CFCCFE9A9EC32" + "1081D429FF88C4ABE02C7BEA2B10B61E521889E5CCC29470DC1" + "6132489FB43092B6C9EFC9517CCDC0B0824A95501D74B445606" + "62141114F0EB6C7A0B469CCABD358546CF1DF37DEA67E3946AC" + "D70A504A787ACF86B07298938882D0B67EE67D69A8CABD0B835" + "152633BCA5A76C2E6DB958FDA265756669D1105A67889F83C01" + "918398BD296ED801A0B5F0FC8AEFDD5205793ADB85A8D6EA15C" + "FBB6A82153EE69C10C2C92CB38C90CE0E73E32489522994096F" + "08D4")); + test_hash (&nettle_shake256, /* 35 octets */ + SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), + SHEX("578B2D3B14B19C349DCE30CAD612BC2FD7CE8D6F034FBF4D328" + "E7A570EADEF3F9624B65251F992132D25E5363BD653122D5257" + "002F806DCE93D0B15919FF9EF2C303C748D9782588C90E3B236" + "D51B69B1EAA1301A703B8B6EAFB6C200745D5B08A07A69B6204" + 
"BE3DB36CF6127E5F8399E5901318F9F0C18CEF9201CBD31324D" + "87CE630A64518AA7042AB3E2C64F39231AC3DE7BBE859CD3A4D" + "90109B2955FBE75A38F45C4B841C7E1E32F22EB69DB97F6AA4D" + "45D12EC5180AFF7863C17FE1CB7DFF337DA46F7F5B0DBEF813B" + "40DD67F985C978B9ECCC5685E059F55E503B5BE924769A11FE1" + "873EA406AC79242FFD6D45334D7C51FD4D1D5EAA28E1388E3BC" + "EB4D67320D9723D060EFF815766587FC11C13675DCC53F30EA1" + "660DC8C20332A3FF05E2E70AC821E0CD250132A59DCC4F40ABB" + "C8783690FAB8BD7693BF106E8F8C7A6D59495FB7301390819C8" + "7C86BD94442185DE8B4CC784A690D742A439F73AE7E8252A3D5" + "C0E4C0410FE919CD7A53F85F522C138A3D654D9B947963BCF29" + "3BEC3D253DBAB8FD39A48A340F8AFD75C97519BFF4506550BE8" + "F1C1C7C345C89EDAA8A56F128AF2DA8E86A19A6494BC33DAD41" + "2E6DDDE813E3338D16C4C34D40C2E6E1CA61FAECB934D4ED0BB" + "0A19D3AB88EA32F7E277BF8521AA733D7240394733A3A1FD762" + "3463857E1633F0FACE8BB83437DCC308E4F6791D8790A54FF8E" + "06F8")); + test_hash (&nettle_shake256, /* 36 octets */ + SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), + SHEX("ABED83F7273F3C7A73A700565F16AECBB0E03D278594A29FAC8" + "3B38689AE49A72411CB6FCA5D636EBA8C560CC038B47DA87442" + "9BE7C50A9215B5098F94110EF4E38F88D8DB1C483D3EA4728F4" + "3B25D94E0C89BB50C66CFA25A62FBF536EBE3D8E7E71529EC53" + "33A2823DE42C50F02414C99CFC61B1E7B4C767828748216BF6B" + "14658C114C52B7A53C52A3F8BB35048343B19C5B19FA11FCF5D" + "78769F1712E6F8FB5B31C017D3E23091B1E8184752ED0669AB3" + "8E890D3D7880A71B0B22149038E81AF04C4CC7CCBA848702790" + "8CF2F50EF3D6563141DBB9B898D06B7253B4057E9A69D026A27" + "F5DF48BBF2FEE2B603240D44B9453FF485B2212828061CEB54C" + "DDC17C8DE430D2E86045C790B23C84499C6BB04151BEA457C8A" + "18DCF0094F969365AE1F25032AE0524C2A09B69F71BD3EF46E8" + "871AAD3B58C92BC4B694BD5D47A8A80CA8DAEBA6584E5D5B4D6" + "B5671C823E6F78D8B67A6745236BF675E28A17C2F8CACB4B5D1" + "67991D27813C5500951A5E78086EB87C18D0E26863260F69199" + "89F5EB180EA48DE6A3750B9E2C1F780230E0070E216D373D3E0" + "ED3DAA0F668A8810DA759CFF1494E3BD17B369EA71DE73CF0E7" + 
"EB3912515E454544BE78178DB41F9FBC4BE73D1EAC8C015496B" + "08839344D963F070E5AEFDBF29BD056B77C2B98826AE397ECE0" + "701DCA8AA45245F26D718D9F46C90F34AD8EF70972ACC600BF5" + "EEA9")); + test_hash (&nettle_shake256, /* 37 octets */ + SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), + SHEX("A9D48CDDE90093FF80DC7846BAECF4C7D6F876703AA4404BE05" + "0345BF7D2F9FF3F93CE132E38EBEA01AB691BAC9F8943CB33AA" + "E7887E9783E0A11EBA2D139A615DF8A62EE4AB9E57BCE1F7FA1" + "9C3B3F6AA88B547F0BD5AC0E2237B514145173AE8DEEB6F606C" + "AF1545C9F442D84D36080BA514759E3C0D1D3688A3D8B7C28DD" + "8404AA5E09AAC0AF3C14792D78434762169CAA935E2AED3264A" + "1C0A005C359B3B58BB5F9B9A6E5ECE5186F9DC26C952A298B76" + "C49138D20798BFCB843D06CF20AA1D540111BCD50C6D39DFC23" + "EF7A8AA8E93526690C8608623A109B1554C840F15E670DC4C33" + "E3BD81784287C3FE98FFCDE6AEF5DA5C0038E31D111C333F48A" + "D6634ECB47C45213F23AC0C5787CB9665D3B31EC2A0FF9C597A" + "4372DF2CE34D443A86B8091729049C4EE58E4ED17EC95033607" + "39C966B1B3A005237C668A6258E67CF9B5B3611A91AB5779D62" + "82ADCB74958B7D45C06819E78E904B4C557BEC431704FFC563F" + "40321E64A7CC456211B5C981C6C987469FCE101A81076DDABE2" + "2408E949E86457658E07F61F5BE6BFC68B968FFFE044BFD278B" + "D91180A05A40FE65F26D907D205411B880D3EB4945652FC0C11" + "2525E06C4795C01F4B67BE8868594E617BDA761465D7BEEBB2C" + "564AB66FBF976D38521F83B8DF85A203197F0B6AEA473D3CF39" + "46E4DC87739A418101AEF50D1A4355B1E8E5E1D638191DD815A" + "5445")); + test_hash (&nettle_shake256, /* 38 octets */ + SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), + SHEX("41CD43AF243BE7F0580A9B406AA597E72958D24E45F52A2E1A5" + "9BC535C207EFCBC9D8B65A567CA05DA450458C2FFD58CA8CA3B" + "01617AB6DF19A4C384294AA174D728CB93D6D82BC135EC92F13" + "870DCD556DB4421C1C6563803EEE5EBDBCF14B3AD79EDB4E062" + "970BAFB3E801D5DE4ACAF052A6E07B0235B0CFA4CDDE1E54C3A" + "0CEC7E8401A4D38E12193E7CBD66213B7C7B0B8046220FFAFE8" + "68E31CE93FE8BB7EAD861D96CC5A3EDD4820BC2C62DD8A4D449" + 
"FE9B938F1A55262E7CC25BDE92315E329D8F612DF71649EE0AA" + "A3983FB4984B6E1127188EA9F3D40590D854F5BE570543ADDD8" + "E330BBA204919D7911E56702EFBA881793087ECF5CEA975A88D" + "B706FB08AA8A10BA5F72D2302DB1A01BF15FCC3B05C96937005" + "0CAC51F54990D57D9A37790B5E26D08B56DE0AAFA61EB238687" + "D4396B2899FF6D250F92B1DD2ACBEDBCC1C0A194BA00DA478D0" + "BB659D901009FF593F6A4F66092F67238909056E1A0EE1C8D51" + "CD39BA3794CA92786AAB18D03C13CFC41F08373D1275D75FC58" + "A9314133E62C14E05467EC5829967856817E7AF85DC0A83AF3E" + "87097210E71D7325748022E25194512E54B9B18697C3B70B96C" + "A8D572861D25178CBA90E503B84930BF714AAFCE91CECC995B2" + "623C63F15A1F0F50849F57F5037BEEC1056D4163D728C59BDE6" + "F526F331DF17B5A34177D7B05103735461CD325EEC332FE02A8" + "5B15")); + test_hash (&nettle_shake256, /* 39 octets */ + SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), + SHEX("A0B529DD351C0F7C539BFAC5A3302F5E88906A29E665DAF3057" + "1447C3DCE7BCDEA802E364B65B3037903C5EDBDA2412E084CBC" + "D4F51A4024CA6E154DA70C4781DCFC7836F06E5E4606D16D2E1" + "BED0D60FB36B84F582EAFB152191CF804D121F0F69324156B73" + "3DBC79E1355B9B4D1726E393C22C82BF1EE85372CF04A594018" + "C63A02EDFBB2892221875F20DC73330EDCEE0E62CB57D2BA43F" + "A1E8AF7ADF157A79861FB48ED49C97104C6D89D290061229D51" + "BDFABA62CB77C498A8D71F627372244452549D4F7469ACE1E29" + "EC39E60E8563D3FFBACA5804D6660C7C1559879FF1804CF864A" + "E8D1C8EF258B41B21B48400ADF439A76C0BDD62FBBC2607D85F" + "4295AA0875601FCC1C3BE531B526ED081188DA38B0E40F7FF4D" + "7A41C4CBDBF8DB3F46C00D2DA9D7F8FA3459F60C7419AC6F691" + "473136ECED7C342D3EB5A39F611EEDBB0DDB3EB12AD67F1BE69" + "6795B951A7308DF5FDB83BE7BF1B650C1C9222C22677A4B37EF" + "E0CCE03D7237699FCA345A31238067F83547C5442946FAB4E12" + "9BDDD409F8A0176CE87A341BBC353CF8A3EB72E5C7AA696B12B" + "16E12C13FCD597D864771C43777E8433899F157A0DD21117839" + "D2BA21E85FF2E09FA0ED73C9AF26173B9C3B8AC5B1FC4BF7C87" + "F06B5AF7626CA15EEF79D529454ACD23A7643F91811365146FB" + "18CD0DDC3D46C72C7D1E97E4414225A76B55A19B226D5A77FB1" 
+ "B5D4")); + test_hash (&nettle_shake256, /* 40 octets */ + SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), + SHEX("5EB982A2754FE46D19D8CBF86B4D594D14B421C8AB3AE447624" + "47E9F789271F5A1175CA9B6C604FE8046A9A8C11A9FF9354BDC" + "91BDF051AB6FA1F6A44D0E42977897F5342958ADBCC1E612A49" + "B46EE66420E34F2233E8AD857359EA92E3FBE3F84191127833D" + "6BDFF88019BA5B6982F446326877B3D3662767C6E91B0A6F9D2" + "888BEA239B25F1B6A248A6CDAC1775976958FA9624EDFA7DE30" + "50CB73602D24D13763C2D67A016308BF4C53D9C7B4A95AB5425" + "49944B74A2EB30F688B1FC9138B57FB76AB320AC7BD48727CF4" + "CE4BD34FC3B0C2EC0E95BDDD0EF0F5F70FD34C6C89098297861" + "3D2132FCCF37541042415FDDE4AF368A207D59251F50E14D7A5" + "310BBBD378781DF611B425495FC69A2A6644FC6B29ACCFA9918" + "EBE05436EE9E191946AF9CBF15011BB53CCED508C4CEC0BC4E1" + "56D0884347AA46A902F216ED6577E56129B441EFE731CF6C0EE" + "AF378F5A29586F5A62D10BAB2778F106FC6C3EFBF2452C75045" + "D578C38222E14247DB42FA60FA6D909E0AEC09EDFFF90CC41B3" + "2A9725714E41FFA9F350FF3C1008511534337DECE84A0F3D5DF" + "085993BD3D5C755B95E6ED4B36FCEE70B68AF427C3C80386983" + "920307878C1A01C5D782AF85C89C8BCBB0EDB2274BF7172DBF1" + "6AE9BA1CDD7A97D6B2BC2D06F20BD0431618115097621A36C41" + "C9788DC68B95955EA5E097177D66B0897C7BFDAED8487A79E14" + "DCDA")); + test_hash (&nettle_shake256, /* 41 octets */ + SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), + SHEX("78C7D0D0FDB5FFBCFE55AC06F0E6E58C805FBF76FC2D13911B6" + "B63888088CBED5F7E2071F7BBC12063DE085394A691DEE09DD1" + "DAE2EEE0DD9491C23B0949C870102EAEE2F39E20A62D9AE95B0" + "426C0FA05545C0F128FB53E0B8BE090C1C82F0B66DF4D7CD0F6" + "3C9A85E17844988523296849AF7105F845E0F26200A26091212" + "8FE7F2265C9E41D7FE587BECD50B8B729EC445C7CE9135C9591" + "4C6C9686F43A56CF652A6DD275CA6A883651F78E8FCB8168E8D" + "D8FD780735F087203EE1A30B5A13D5F6B7CEA34CCCA3BD336B2" + "08DAC5878E85BF147B0B4E70D87F73DE0487BCAFB6ED9C3002E" + "2DF56F215B78C7020A1BC9F433161BA7FC94B4CE3679EE955D8" + 
"0363420768C9C7E3C6696E94ECCB0A748FC1F1F402EBEC06807" + "8862F1E2DFC8CD6FC23FE1051E51DFE3D65B3779CDE8824BFBA" + "8AB63FEF474D648FE4A8F9C083EE0E6CF8FF6768D1F54F31370" + "5F4A3D7568192D91E9F0408E8EBB101CBE97AD9FF76A1F347FF" + "152F45D9B20AEB7DE7CC2047E47635032953FC5CC5CE45D66AC" + "D2E11C77FAD0DA8DCF15FF123365DC9F35DE92838173EBCBDA9" + "DA15FA35D10B64E7BB71539708D8806145A1892FBD4176B2E99" + "31514BEC17FDA5CDD82C8EF9F6EB4E2900D039115D5B1E940E8" + "796FA8FD74127FA53990639F130732EB48CF50620A9DDCFB01F" + "D69490A8B5105CFC7A3EA274006F51221C2356212581FB16963" + "E7EA")); + test_hash (&nettle_shake256, /* 42 octets */ + SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), + SHEX("832BEFAECA90FEF41577649B6348182753EBEE32EA688306DBE" + "EF8665D6FFC6C5A26EC69EC8C90A0FEA854893C0C4885A2DCA4" + "AE77243F735048FF31B80D1A4C84F055DEB1C11F76BF45DAD95" + "16899555AAFEA86A129C4EED1D4CFC7604045D22120C8E06F67" + "793644533202A69B683B2ECB19AED3DB158397C922DC3A90B64" + "A8825541BA5DD9AFD7F82DBC603F156B9F619A83C7132A0D8AD" + "71205C83AA4A52B6223507493E0F9FAB9530762A190C9FC5968" + "0C961B08CF36DEB67A9A472FF93698FDB84DCF3CFF84C6E9D48" + "804ABEB6AA47AD62DC9463C131BFFDB127F9F63F8FF88D9EADE" + "CC6B0E00C657CE54E7BF800B9A35173DFC6669BB54A069D9EE6" + "2BAFE9B3C791DD51A21994CEE03FA37FAA5D56518A6B65572C1" + "B3A17EF52F642C7B2CEE065282FE742E5F9C9BA5003BF1676AB" + "07439CCCFFF7D7B76DF84E3D99FAA269F0475CB5EA7DB25D3BE" + "BEE36B96634B58596AC788C5F31B8DABA35211D4708EB1F778C" + "A38ADB4C15A831D8769AA16110DDFC406B05BCF25B456113196" + "03C17A40A24CB2C38079E5684B473DBDFB98877FFE06298C333" + "37326CC2AD1BAEEF678BDBFFD89BB1E35827CE296E20B0084EE" + "AA0AB1FC647EFCC0231DF9B9B5ADED6DAB34C75E6CBE206DEE3" + "E794AA42500FBD837B6F6AA015BB4C923F8F1F769B049888933" + "773CD24B688B0F787A2B74AD15275AD6C4C336CDFB1BD929ACE" + "58CE")); + test_hash (&nettle_shake256, /* 43 octets */ + SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), + 
SHEX("0CB8AB1E6149F41D29171DBB444B0F3C07FEFDE56D9CBD1150F" + "C43E29009E0F5EDC50F89EA7CC0EA6C9E23236C6AAC72BB3321" + "A51AFCB32F9AB5D1051ED244E2A8D417431863649699077079E" + "1687B36F75C995D6A78B87A9E949A56A2CFBCC15CEFCAA6C2CB" + "51F054072A05C12FBA86B10D303B3EFEAC18F8515BFCDDB1172" + "D56B8C92C1AFD4AD5DE2476CF073B7FB4B7DDB8FB2C4BA8AB0C" + "53474857F1FF47CD3B1060612F7C564988D2881189248CD13D5" + "EA347F10E1F21E299294651342EBDBA1657862306844E274D7B" + "2DC9DC6D92F395AF2F5BD01B13FC7C7AFF630E854DB63EC517F" + "D3251D12C10B5F6C17DCB8990FB39CF1AD3B65F2F019B24591B" + "813D56D661A904405DD814AAE4334A8EEF7CFA455C994C3E31B" + "9507FC0E2DE00A1A0AF4DBCCBCDBF393391C5AEC9E3B4D3C8E5" + "F879D8E75F63078E686A1BDD5E6358C5807A669F89F90D4EBB3" + "1B7396C0152D5DBF665D28BC59327BBFEB466F1E7570462ED89" + "8A31E386DE5538DB505FBD1B9020C984A49BC39968A69D5B3E2" + "B9A9B61D6776D5349D4334C3042C0317A2A34234E8CB64B89D2" + "9E3A8B6E8799822F57C3C6C739B3C263CB4B283EF0F859305C8" + "4D11A9DD0DEE36CC8976E6EA1BCD04451B0E0EFE343634DFEC7" + "868AD52EBC551D5CFC0277B15B854614FAD548337F20467D175" + "EF3DBB135FC37367B916CA35E714B998C3553D5F494903A8B9A" + "4B7E")); + test_hash (&nettle_shake256, /* 44 octets */ + SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), + SHEX("9FA49C101D9901053C789B01A505853C8370FDD00F7FEC13ABF" + "FC91C7B06E1211DC293FC0D52911CC12AA9CED634B398284F38" + "70E82B7F5AF9C3298D53BCFC3A3DE488985CD1047318C2319B9" + "E2AC85752B3B0BA2C151FCD08C99E1176CA599557D3A63F4F1E" + "BF2FA31CCF9AFB729713387A7CEFFB6F61FF8162B1CD943D915" + "4ECB362E6ECC6E2669F746B1422904A3DCD93313E4031238B6E" + "B117166B374FA8AE8440A358C1EA7B11B88FDDBDE5737083664" + "4B72C0219747A0FE793A1D77F42E66D2D695BC1D9567CF1A1B7" + "43C33EE309CB4956BFC426B06FE20FFCE98A72FCDAD31EC5DED" + "9EA45D494C89AE577BCB79967CB532B97CCC1708EB2AE8E830C" + "AC0953C34ED28BE988E89992C9F0C8FC58FD5E7346DB2F24BBB" + "57606302B0520D7AAE54F3492DF6040916AF04B30F7F2480B22" + 
"B93AC47FC5DE2CCDEB27A47C25045695AE9F3E54FB27052CB58" + "141918105E0621156FF4BAD6A35DF5BCAA0FBA8D67A18130F11" + "7A09FF90B8760A7027614BE569FB67659BF0DCD1F3B7D13222A" + "338F9E5736D5DAD6032189E149D22D56861B72A561A9DA575D7" + "20F56C365C5C8BD0455C18B7B73DFA4652C1D570A338A5B1D2A" + "2D00A4387613D11BAA57160A513F4B64D91739E032ED72BB2DC" + "FAFE6BA6136FB381857071250CF63051059F9BA3719305D33EF" + "9DC8D33FD6D427402EE348324C78920278D6E5B2678C1C4FD40" + "8760")); + test_hash (&nettle_shake256, /* 45 octets */ + SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), + SHEX("7818EC8E1A13963C319BD2199294E1459323556D3E1CA05EA11" + "081FD706655C1CAD1A9270495E550DD34A71D6D6B2554C2CCE9" + "776B30BF0CB151ED0A87CD09735CEBBB03A188EB8A1D62EC0FB" + "614BB8D1D67418F91DF9E7FEF2EA9971CD46A1E6AD52D2433DF" + "FE98DD59E0C9F32A4A493ACCE9E6B2D946A56DA432A43E45A79" + "14959AF23F1D08F5CC55B3C06669308021C004F0AFB3DF5BC10" + "A7F19A7ED2DCA14297281D49952D067B094A4068493E7DF9940" + "3063AD007CE8CE76E2A7ED02F7023543E43E9CFECE94601379A" + "048A73663A9B06B04704D59FDB6DEBA49799D3E8052C1AB3430" + "2A2A2392B53A5FB9547628ED4F8F157DB8D795CDEA73F992122" + "97512A04269B0D5F418E2795BFE76E939F8BC9F2137141DA25C" + "F095F2B754F6D0CFD84B3901A903445B7A71612539F4F736DFC" + "1D4DA1B9A8CFA87F15E34D4A813808CCFE2C9A9A710A1B97521" + "66996EDE550E14B55DAD529C8A99BB9FE2688CF2CF294245707" + "15C49EAF94C0EA0BFF227ED445435E3626F31CD5E887CF1490A" + "9A2B7951AD42EBA5B24B02EE726F95E1E6862DC30636983C88D" + "C915361F209DD5603672C9B4D4ADA1703F56955015B9128FF7C" + "0547DFEDF772E63AD7EC847B946A66B6E4D3DC8A8EC3B50745F" + "F7841318BD115BA649B662C99B973F4E7C26CB1604D407AE95C" + "E967406E70396558CA27ABD91FA7190A5D0F4AC89A070F45B85" + "8B86")); + test_hash (&nettle_shake256, /* 46 octets */ + SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), + SHEX("5F6539A11001926EF3E0DFFB0142588D4E48ED4A212753128C4" + 
"C944CC6503E5FD4111583D67FBFD4B2ED2D82447E985DD03CB4" + "DA9CCD8ECF25069E84B4741A4C5756D6295E55075601098D996" + "A375DFC3156D5F56E28FD8F3BD4793601603BC999BF93659D63" + "F3B95AD0AF1F5E1749DF5197C95AEB05C683DCF37E9F362DB1D" + "D64578E8ED9C1CCF0A3AD93E69B82FAC004ABB2489B0734C4CA" + "C5B1A9316CC30F44AC42914AE696698862938DD0DBB3D8FA6A5" + "3D1F70D25A175CF810AD901D29DC3BE40E4F19A5308CCB795F4" + "4F2EC364946D99F59D2DC1DC21C5DD162B7C8CD5BBE8F4CA8F6" + "06A0EF5B4619EA93B278DCDC2E943455F178ED62FA747193215" + "D76C8F76077F9209A9311F1F848009483C82A82BE1A9FA17EE6" + "9D1DE59AA305DA992F709F2C9A1EFB33DBC8108A7D22AD38934" + "D2995A3A5D58DCDB8E435D18099D9B3A5F9CAB18B940F9E1B2D" + "B9BC9768B6D29C2098273BE3EB77D07DC6E48868CEED85484A4" + "6D94A3807CED72C292FD699ACFB6B1DA030EABFF5456FCDFAAE" + "70E851BA49142CA528D91D00CE148758B54F0293E6C53C7540B" + "55288322B015B6067DD16C0CB711C63970CC16BAFA980A8C3D8" + "DA5FF2236D8DAB951A2FAFE29FC72257AD99409F418E405858F" + "BD1A9EAB6930977C034B3D020A86C25586F8524D6577557D732" + "68D225CB8E38892D3E7F0095F68A98C1B7355B5E331D69BD487" + "FE4F")); + test_hash (&nettle_shake256, /* 47 octets */ + SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), + SHEX("B3120C516E7A7039B7F8D2A886B4774FA9E14B80A7F7B1F33D1" + "B4FAAAD74D549E2195E5B6345B19AFCDEBA3ACD5ADE7200500B" + "CB9C94D6848357D6FA88CF9125E59D0CBCE876D681A68B6AE4E" + "25DD5994D496B7C64F0B9124BEAC30348EA6B80803FF17C0846" + "E19F9ACEE413E07E6FF849801C131DAF7A36F2EDE51CF9D21CC" + "0ED6300EC5D6B64E6FB9F2A9B909DEB4069738D60D6F9F6CC50" + "D749AA7EF264E2BBD6DC680823C45AA8D3A349255823EFBE4CA" + "C62C0D38A4388B1FED31EFDC5BD3D6227106FE03B4A40F21F3F" + "0411405A4A80E92F3CC045C7967CB7AF2F33879DCF9DA5E7ADF" + "813091EB357EC9C0DD097B868FE2D715C124AD0A44E2B6DADF5" + "B360FAF6A727448D5D7B76AB2C716543A09E2F75D570103A8E9" + "589AE58D01904ACFA0DF54E6FFF01ED725266F7E52B992FB341" + "44568173065E406A1E98D8DDE1889D0B7274011CA00357BCD07" + 
"D4CF8323F103D682B272A98395A60A95237482F00DDD5220433" + "2947D4708D9B8697F9CE529ADF3599C440E2B435F4F6D039B35" + "1FBB198BF360D3A184616B86573E7E32113B1A5E1EB52A1D15B" + "EBB3C49407AD6282EE2551859F9CF87D0D8F0AB362A439EC535" + "40B4B024EB49B525ED29626DB292D1333F579B1896A6357F9D0" + "B51BD283718D2A7ABD8F3786A7DF2B512070A2C9A1B53457F27" + "C6B859A2C6956BFF50AA7906D546C67786B68EC1DF3E93CC60C" + "6968")); + test_hash (&nettle_shake256, /* 48 octets */ + SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), + SHEX("F59933F9E9FC474342B7BCB8B4DD6BA7B02AF5EDD2C1824B227" + "BBD2A56287267804534E943EA69B571990EAD3AD5DAD06CA9C0" + "BF97FEA1F3878824782E244D77407E3E83D5F527A1F5BFD8C74" + "7FC08C5170E4F6CB114A9CC34E96AC2758782344451BFDCB090" + "2EC52A9FC82087195CD1019A8E5B03E496A42762FDCCBA6EC57" + "3D5C0740391697D95934F983231ED9642A0C6A2F92198B49670" + "AA7F76C1715F3C80648E606B97CF708596AB9D8DDC7D039DEA1" + "F4DE4D22E6ED297790AD73D9EBC2B1BC55315BB60E90EC7A2FA" + "9A7922FA5A4E824BE742EDF41693F595571CA33EEAFF4EFDF58" + "FBC0B9B1CB610AB2E658CAF31FE6E0AE74064DB62CE339C1F43" + "9A55FDA0F594635573C511D040CB59F2BEF552F38D87F31AF2E" + "98B59E9F0E67BC57D59F51204663511865BFFE1CFC42B00AC0D" + "69487AABCC648BDD8201362A43AE19A9570DEF75BCFFA6D0009" + "62E931AD32E36A9118D74C777F9A6D853496E9638332C3E6D7B" + "0A5F030B2B4198C9B31A82CE117412C144914E784D9B0DBCB8A" + "3320FF22C4F4F4810D5885C7DF3D0FEF30B4F2272230278C600" + "834133C4E11AE65BCAE2069FDC1C863CDD701DB750DAE4CDF37" + "A2314E39DBA691ED7D4A0087B8057EE27B3F6AF14AC0A742826" + "FEADA8C5B5D52557952DA2FFE45E7C328E04C3CD61A5D8F5E11" + "B3ACB6667A08498AE0582FE0E06105101CCEC61C63FF3CDE8BD" + "1798")); + test_hash (&nettle_shake256, /* 49 octets */ + SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), + SHEX("5DB567B895164625131B8049728A0A66BCDD2B27D37828AF413" + "53DF5AFA10DF9FCCCCC110DDA3071A35319EF50821CF1796B5C" + 
"319D4FAE433E8A2599325C511C3C03E6EBB7C10E3BE35451756" + "75F7AB719E906640DFECCDADF77C345DD798AC7E2B7EE83C98D" + "D194CA19BC1131200494A4B67428C23061CDC4000762C12565F" + "A1C731A574530D282C2502356A75F03685A4FD08D1E938BCC2D" + "6E7EEE748DD1391950A44AFD63B73ED549895F0CB38F7D29269" + "7994520DE110F782B0CF47BFB07CFFBCCA6D476D468B227B340" + "6F44CBF3C6EF6920B293FAC69927DCB2D153350C7C8BA2D84D4" + "11E3CA70EDD9321CC0387A6DFB84221915094EEE0A272F267DC" + "111F18E46C6D82CD6B98933261B5A880FEDFD23AB2F7B6CE349" + "789EDE97CC034D0E0408E3E3B75D951D7DF039700629CE147BF" + "B2E2772EA80C8681D6DB87667A63E3FF358E74AB45712F0BC1C" + "747551DD96F72A6290C5E9679A45F37934E7E22378A2BB4A031" + "52DFD450B98D76C233E107C57142B72389350072027BCDF9BD1" + "82A304E8B255F28459D96687083765E46F9B4BB14DBC374BB40" + "1EA0DA7557ACB2684A96F2791E1B8DB0919365820CD315B730E" + "F8BB83124577E55A139DE4C9236182B885ADFF4CA2298F157FC" + "460972D6BD67D538CBA7E32F9051AFCC00FCDF797FC8231360B" + "A6B7ECD5C4D647338F23E1F578469E1558F49F87FEFE28CD761" + "BDE6")); + test_hash (&nettle_shake256, /* 50 octets */ + SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), + SHEX("B3D7178BC88BD577C5D95A67B110545C8ACF8F6FB56B5DA15F5" + "738785E6C950347905B928DCA2E70CD2A5E574811DDBC894EF7" + "FA8EC3446C7897B2BB2D68A61763A892632A3C5C6A3764AA0F5" + "76717ADA5CCDA30BACCDAF71740316910CC08E8272B67521292" + "FE1749026FADDEA743358421EAB011087D10D4208FAE8D5D607" + "EE0D89976BCD79A12F4ED8B1C5D0189B0E2ED5B0B396C85B277" + "63BDBF52D56B92E015CF080DF4F2EC80398DFBD733519F3915D" + "3F102D0066D425EF9FE1AA3AFC8584C8F4D594ABA86AD52E71F" + "A77893266C4C606A63891C41A679964A5E3AEF1C277D6D35D41" + "0ECA6156F8CFED13DADF8022AC9159F913C4838AE1AF73EC268" + "F9D3BF085639D69F2CC51C39EA594948FCD238D093A799F266F" + "BD90B07F4619E342E38AFD178864760AB109CB4949E518305B8" + "2ADCD68FE6E922D1ABAB2D132D10E0AABDAF78F0CFB74DEEF78" + "CBCB422BBDE5083E57F016F4C5679E9D5010D4091B3FE615458" + 
"86A65AFA49716EF8CB5A6C0EBBA4A2386A6591BCEDB3563BDA7" + "F0E792CF28D257BD066D44E3AEAE8478D093FA9482FC26C77D7" + "3DD3150D53D9F1A030063122916FDA66BAC51C69CEAE533F7A1" + "569A3B9536CD35067EB190D2812EB2CD089D3E1DB98F2DFE5A6" + "839F5B04B6EDCA6732837D23F985E1CC9444AC04DF0B2BBDBB4" + "4E24D39DF2F447D72FFB90B7E9C68A46329ED630CDAE9470770" + "4428")); + test_hash (&nettle_shake256, /* 51 octets */ + SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), + SHEX("341AA5C875EB43F10E8DE28505858865870E62A9A4FF45BF977" + "B947D0BE17B2DCB74D5880FB5316C5C0B5E1C7DA24D8C8C72E5" + "CDA4A9405912D12EC5316611EB40AE84A903703F67D3817BB73" + "AC7C2C449D4D6D737CBE06C144A20F99DFFC12A8F104DF9E448" + "A96DE38DC6D7F83324FB3A2626BC91405EE5917F3765D9F2288" + "7777226BE829584D6E0F6544B5E1C25F939FC9136BA2E0C0D6F" + "6EE5F4EA97DE937352D9428222667D974F4840FEE0770657DAE" + "58BBADB5F47EB9C88232FB7BCC6F1FEDA76600FA2659F7E8311" + "29B3E3856ACA6D78E0D7C582852503A67876877DC6599C10D42" + "DBB81E6AFD2919A18E4EC01EC7A032ACF2A8320C5AE348D28CA" + "B36C85CD256DB5C30BA1F8891005E68F91D7B0CB0AC4476937D" + "1748F2ACE0A1C512AD07514E31CB0CFD743E5C29633C2646AD1" + "882176BA15E7CC8427FA20B2295100621A6E01F7FF4F27A6AC0" + "766F9C25934E64546F16F61B5CEC865028BD0D7DCAFDB3D6912" + "C5786372E1E4ADC6CC8DD3E0A0F299B65BEAC5FAE69E8219787" + "A8EFFEFCB50E40C8BC1C3D033742D98FF30D64D72D089AEEE28" + "489791F6099CE354385DB83256150A1F9B6CC7444665BB95614" + "AE6E6F511CEE0C49288B3EB31F9C7D04B3D126A1535531505F0" + "C2710CF6CE7A6DB31F043C7C535F89467CE1F6E85A10AAF5486" + "A3A6953CD351D865F818FE959E6E74F2DE42C1FD6E219DEB606" + "6C86")); + test_hash (&nettle_shake256, /* 52 octets */ + SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), + SHEX("BA270D4DAD10865DF673F0DBB9D72EF788689673116CDC469A8" + "CB9C89E6D8D511DBFFF6FA38E29257C9A5820781094300C088C" + "DDA2A17AFBF164D13E360EC04FA44AE98CBFB972A68D35E6FEE" + 
"E3AE61CC217487D7461F7315449E201D707F8CD0E9FBC64D920" + "12B22175E677A304D903E556A5D1FEFAF8177A8EC3E50635449" + "6CD693531ADB22BE09BA71B4710549BCDD6D5EE1ED3975258C7" + "7760725D1C4416EF3F3B45DD8210433BB44882667A2154D4179" + "2A37F2B7C5C85DFF707BC2A89AFD652D83904EC084D1E03496A" + "7F402FEBA9F77254772904580CFFB1E7A0A8D489B6CAD6D97C9" + "A5824545FDA36FCFA2E0A6F7E11710A8BEC33767303FE884319" + "5E9F17B1B75A4625C67E39FDADECADA6A7E7755DA7742548B79" + "7662B6A24194E07CE2E0302FEFF4671E6CD972324173F14F5A6" + "0D443F6162CF2D6A3E2E0A7F2A6BBADACEC5F4B43D4AAD80900" + "3722982FC7AF821AE4143D123AEA6B7D8550541DA9D704D81D9" + "E12820EC03E8443866EAA80A534A5983581F1DAFC7F124915D4" + "2F9A24887207C2232B5EF9D8DED3A3ADCB4D493FA2FDD6061F3" + "9F28CA3B489676CCE7E0600DFAE247A62E96BE8A63ABB977A4F" + "35F8361B71C8578BDD63F35D17CEA1463AE0709353F4667367F" + "0FA0B6B6B6EEBFA049BE6133350F71E9CC1B157ED18C9D90A1A" + "4D134E553165549C18004279ABA0C4EAD5F342CC05039DAE1C9" + "CFAF")); + test_hash (&nettle_shake256, /* 53 octets */ + SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), + SHEX("C2911768C4579E3876B6ABF0A4A30646D8271FCBF3DC682C48C" + "10E41A878609301F10073F3EA87BFD934854147D129DEBA9124" + "FC69B6E29C271062CC8B3A5785367FDEC382D365D4D60E7E63E" + "946154F948B55E7E31A0CAB5D25BEA7CDCC82D8B6E200C28C7B" + "4946B4CA30B46970EBB415FC18D9BB60C4F81A308BECFB2E40F" + "796B8D6F914FA7F134664B8EEF9FFCA684B296D26BBA051BF45" + "F3EDB68ACC5D0C79C08724BC7EACF702633C99C47DBF4E08AF4" + "3A48A51A25620C1F16BBFE4CE1A52A60B4DD603524DE38ACC2B" + "E65240F51E36C6533D85A7B0FB06FDAE420A7E84C4644B943E5" + "CC4AC48505CF042ECE8FBB4AB90B16B7AF3ADE3E24F871DA2D8" + "6813A100C82E62F949C3570FB117407AB71A660BB4284A114B1" + "F6817621EEFE246CC0169CA7C09FE6684A9709BB5E7C5C09A35" + "B4D5E109E133D23CEFFF9E438BE621577A98D9B49B0F30740E7" + "E3038C8BCF07E88ACB767F9A43B60DA387B617D6FFF8A8D8784" + "513D649EF3A142ABAC0BCD8159F4FB65DB24616225FB4FC636D" + 
"6C1D94DB757E647934BA77C946BB7D010AE5C78E05157466590" + "CBDA903630809649BEF7F0D27000A9156B2D05DB89AC90A91F4" + "D1F295D296D7783E6872FACCB70CBCCD244BF620D5499382421" + "C8CB3829E756E6B415AF3C26F952539D14BBBE56C034B58124A" + "D973A726676B7F278E7D4111701D69681412BDF08731C4CB14E" + "ABFB")); + test_hash (&nettle_shake256, /* 54 octets */ + SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), + SHEX("C2AFC53CC5DBE46697F64D5B6B37BF1DB7DDD06D54EE9DA7873" + "C77D91DE47377DBC5D525BA8C14D5F24A2BDD473DE53FB1BCBA" + "E0ADF93B4525C0A77D1952A21BA5E575AB9AA889A19D85A02A1" + "AE4D420613BBEB7BD2A7032137F196E0566C284CD11822EF938" + "C191763BEB392EAE3FD6FAD77EA7252EE72798E5B4318961EF6" + "7E595BFE0BE036C478C88B80C50C3F7BD047066F4CBE031A867" + "644529AFBBE607C6FA77602ACEF9A635DE3B1FBD6C967B61330" + "40D1A6649F1FF5598CE0E76AF8ACE89406FC02F2818EF8C29FA" + "FF1F46A551B534BCE2C30E6FCA6F62DF3BDDDE56FFD8550466F" + "48C0D14BEBB386F5BADCA240D848EFB66AC2D339A54AA1ACCB5" + "C753B081F0B6F782388E7B82C77304F30E03B5D3BFCE0F1B515" + "8AEDECAB4749C17305DCF231A04EA2436F423F5A818C461E90D" + "65EDA69DDC5D977B19F26E4C9DB874F2602A3F5BE5AB8C5C70C" + "DBC57E5BF757037768E1962D0AC697645B598C46D639C7A0DD3" + "1B7CCFB88E4745BF2776505308C28FDDB084F67618B84D0451A" + "B2AA45437202474ABAA0780935EE78D47EBB4E07C6466D3F8E8" + "3C1B27EFFC1064FE01880D2A7D571A955DCD4F55D631DFBB3CB" + "550E3541254C0D4041479FBB331EC591F8AFE5B644F6DF9F430" + "0375805BED126EB96893BCAB7FC5AC5CCAD3596D8C011258F3E" + "D269A6B0A6C4736D467BEE9D495D414B475D9354174B36E9756" + "55C8")); + test_hash (&nettle_shake256, /* 55 octets */ + SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), + SHEX("B9E75F5D4B74FFBD244CD9566DF861526B5DE9584D3280BA5A6" + "84EAC9D44C91C0DCEC5827DA4EC0FA7F60D29286D348F576F4E" + "2FA03AC5BE8F27E9F9912BF500D0CD549F5E5799697C61F0403" + "C264C4B2D986DDBFFE72FD8CA6439FC01D1F7138A92947364D5" + 
"86D67C300F27EC2E3E75F9088A5B787490494EBE0C42D00401A" + "2ABA6374CB3E33BBD737ECFBF80EE24D4985F6D11FE24FEDBEF" + "B387D4EDBF4AE1F409E67F10719F47397968E406A51B0DABB4E" + "9391FEF03F9F7BC47193215205386914FADE37017EDFB0DFE8C" + "51B4C35C0AEB6F8A8E6D4D69FB538ECDBF65CF92325A7F280E8" + "069CF9FCFCDE610BD024CBA87827E92CAF22482413C694F9F1A" + "DE65B67F8E1D32E4B5D51F038C2FA9D89FDB2BC1848E3E7B54C" + "4CD4D021F4C8BAFF61875899B79EF4A1468B0443691981FABC9" + "5D076070BBD5890EFAEE194A6484E584364BAC001FCB37C2285" + "8F74E1A01EA8EEBD49D9A55A19F5967B898C5B71D5F2CE93F4E" + "52CE4B4D00D7C42E58D71C174E9326C5AE1E40BFBD8BD37DBCE" + "9369062124CB47D683DB245A4F289F052F89812440BE2ED28B4" + "0049A9DBC75B3FB1003BE8A1B996BE44270A83DC20A38D62C59" + "71D09D06FFDC3F89379A99923F2BE2FB6651407EE37F4BC8073" + "E396887166AD4F0A4E156C72463A524EDBF462F62AAB251E321" + "59CB3D79A2CB3A8FCBC196721642682646A83EE60425DD7207F" + "7360")); + test_hash (&nettle_shake256, /* 56 octets */ + SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), + SHEX("EB24ECB6C9CCCDA1E8AB1CA26683B63A43CA864E23AA7681A49" + "27AFFBD8ADEE82704B24B321D6C909A1CBFCB453AC084557FE8" + "4AB25E044885ED8051A0EBBB457D9821E9C132230FF27C4F279" + "51432DA415D90D59CF7148569CBA02AF32A8F4B774D5E4667AE" + "594C2CC4776AEBA2CA7D5F678C522A03B426AB2325127E56A40" + "57837CFEE2607207DEA5F913CD64BED09E7FA723148ACA13F52" + "2B584AF9A36E74E86415F7C064C7575176488895F0EE6A6795B" + "51729AC947BF09668A9ADEEC199592B77227D62205857B75E01" + "E62E3D2757F02C4892A9E9C2A9187F7F3DDB16B7ADC28C33F58" + "89F87F949EB0A61E5FE431A3C11191DA6D127BFC899CDA0787E" + "B269D0296F31F3580D9F630E0693F292D2B9954444E56A82D6C" + "81319CD99D5DDB2F042E9242244455D5D9F59CE9DADF0BE7804" + "94FDCABC72AEE397F13CBD656D246B6240A1C21BAD6E0126CAE" + "A1C93096A41CF648BC0ED7A051E03DCB51E2C48AE32C8818863" + "4021A4B64ADC4B2CA9A5118D4B6698E87C1E3D4C2666996F875" + "4242214F3B07806C8EAC8CB63AFCE0A03B64D63D46AD53F0345" + 
"DC3A9FE550D43E9E569F8C2BABB2C025D843F7D568DEE6BC762" + "D3B4DB80B8A3119DCB19A17CF5FE1639CA313FC74EACEAB5F9B" + "AC2E546C36DD7C292B959A2C9CA98CD143C5822BC94179DEF33" + "D146A16091688CE192BF03A7E334BD033DB66A3D544A8FE17D2" + "F5CB")); + test_hash (&nettle_shake256, /* 57 octets */ + SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), + SHEX("75102A95654D885655B910E6778F8A72B263B0854442230F8D8" + "923AFCC92C5BC98EE5F2E8D53EE1EB7F7A85A7562FB96535AF6" + "C78F0491EB11B4BE2CC71CCAD0442DBA422B84FB16ED529278C" + "57A543A3B8910D17232B2B7FC4B81BEA56A6E99F64A50DD73AC" + "D26E506EDD60A788548DBA27AA66BF6D41C8CA0CC603D8CA515" + "F3BC948AFEE2E7EC3F8CEBC56A01682E66A082846E8EDD0CED8" + "5A6D5ADA77A9567424C73F049DBB2CDC180E6DD85AD73D624BF" + "E10BA0CE3609771E50B51004BD62029259300E333D18697A3DD" + "0408D37C5E275CC8A4C6C5AD85040365B3A427F21BFF9F1660D" + "AD79D439C5DAD6855E75840577B6AA822F614B42CF57561A70E" + "E8216F9CCDD8B10F36455A2677CF93756A3E30E2E177029C4E0" + "A3860CC01619549AAB73B52E7E5340B42EBAE37478CD899B71F" + "9FBAF7DDE36C57450CB5793E371C903EDE8143F9CA3C8EA2231" + "BF5F3191A49681EE8F45374D81A774E9F8C6EE5465B567BCCE1" + "C77E8289C72411A1C8F5402906046F42CAFE88B54A5E8C7FBC5" + "311B1A7C43A1094047935A27B2D89E9470EA28569211F1E6D99" + "E9FCD1AEA301A6271F90F51DDAB660E90A50D10003BF425858C" + "FB0D67ED630F74D6FF46E57FFB7236D55703A55531F89D92EEA" + "C17C6A050F56B46BD0466A0A918EC972E0947A991B024AF21D9" + "F92B6147155A1EF08EBF620FBB65C309863A25F3BD1D9ECD818" + "E354")); + test_hash (&nettle_shake256, /* 58 octets */ + SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), + SHEX("603CFB5E53D83CCDECB22C5C75E67F5DFA0DB7D874E6D280DE0" + "14555B1300192D9B769482878950ACDB484E87C26F366D2DB04" + "9FFE8C92799954FE31DDE56A061E2F80A5DA15B65A0C9382C77" + "90EBEE8E676373405BC1BCFBE974797CBAA998A0315CD9051BF" + 
"669E00611880AEDD88DC690192D8D485726B47879861A85349C" + "2017D9892692DE8DF315EC3EB4E6C508B85002FC7E6D7812FC7" + "E025FCA92F14EE57EC9F507EC05FB8D143DB2EF6B83B8785289" + "C2FABA51E962B77754C0081CC1253DE4CF8C36D2150B263FA01" + "E19E5157EAC5521E29414407FBCB604A442FDCE7DE9C99D46D7" + "1F78D1B9931033AF38940D70651884B766762605EAE11457A60" + "F44BF5CEED9C0E9A9C600DA70B87B57E4B5C280E3AA568BC6E3" + "988B5481006298BCF9239583F39C5EF439E551B6166DAF31970" + "DDF7BB6B7E068DAE50C15D7A1B3D4F3587A91BDEAA59DC66622" + "0C2DFD238BEF11F99DD47B87DBA8C60598B531013468EA5F15E" + "DB0E2F43D4F4EFA673E88AADF4572A50C25B3B7953C4FF0CA8F" + "32D374FDC3C130CCF67E95ABDD315FE7390D5160F6B307F3A20" + "497C76F69CCF18151E5995452F01ADF1D55BF3A678D0ACFF44C" + "50852F940DA91AA3FA8A5BC8CC72DF7AF11AF0E19C167F6031D" + "C780DF8583F290059F5ABEC6917F7EF54339538424234454004" + "BE4398CD0CA6CD1E71D0372F2229591F7647142C13C5B089780" + "6F30")); + test_hash (&nettle_shake256, /* 59 octets */ + SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), + SHEX("724E26AD36068E3825E1F997CFED8AD10194B96E76EF425BD34" + "7254BF19BB862DD449E0182E9B8E20C8CB5440E34CB7391935B" + "6F5D49F3319A984E313A9F4ED7107C43D737F016BD20D7F454A" + "670199566CAB98C4D05F0D31B2811A48EBA4DF019936B0C6E98" + "3C3557DCFFD42238885A7CBA1376CDAD15BC2FEF1E75013CD3A" + "CA86FDE4B616F2BFE310131AA5EE826F5B0451D4DFC0F0EBDEA" + "CB36A8B6AB96D7D81B2A21F7E09C5E908FCACFA763DED4361E2" + "D9EC86559DF71A827662EF692D503C72987CC9F5A9FD69F9AAC" + "4231BF27E8C64ADE3F9B51FF7DF4775B966A6C2FA6F913FD191" + "F9B79DDDFC077363E1E62810F9D82C82A0CA9FD45B9267B1799" + "8C2FB7E812195CAFB0A08831CA47857E00E329072037B3A96DC" + "9780FDB52379E7180ED0E84866D42779D89F56F94A8D86C0600" + "302A09255F838EFABBD08FA7B342EBCE887CBDE92743A36C14F" + "61386BC9FA5662F7A2E39E0CD165E0E0F635478EB28217C1E97" + "EE7DF96D6E6143918C7CFE29236E9911D10C756871E749E2CA7" + "21DC4F1D0DAFB1715591F3708971409A54712588AF7CEA3FD2D" + 
"0D06C036CAE4F76B885F50B3FE11A39F304C9702BF5F24DD5A2" + "006E9FE6AD23AEC9598E34B4B043B092CAED032C3FA42306064" + "805E73FE03560ACE3BD87D974C8FB95DA0C68E0EC4B245C849B" + "BD06B94A319209514707BF5447113EE3B14AFCA06A6BF308DBE" + "03A8")); + test_hash (&nettle_shake256, /* 60 octets */ + SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), + SHEX("D0F92C3953C2696FC132FA48BA36EB7576D34C5BACFA4E9D9F6" + "DEA8F7B0B6B746F6F7914EE8B9C25EBCA91D601E781B29C99D0" + "DA92A1C8670918927A45B2AF16E9BF00CE9A877E361E797F951" + "1B9A116AB72209D7E8DBF0E299991B173E4C654021517A94F9F" + "4CBFE6FC4BB3C3EB5171435219EC0D80BE57E3900BCE9327D10" + "DFDCE70BCD32C129FD5D5BCC54C4BC972F67562796466F9BCC7" + "399DB8444C2EE896ECDA88E0F9ED729985992F0BD707ED3ECE9" + "7064480AA1D10D4BB176F65DB3327A0F34D3CC32140A95594DA" + "7707F565849D1258435285C1B9828723EF42C475D30040AAFB3" + "237A759141EDE73070E8995D2FF72C727B1F8A215AF3E511385" + "2FEBC029413C2D2F21849CCFF5269B8D188C147D4FE3843D195" + "0FC09409BA0E5FD2C5567F11F0DD098810924E56463CE5B6C74" + "37163C6201A9252DC484800303FACF0D6B004CC856BC68AEDEC" + "5496021B37A667B02F5F7E7234484B531F07ED78B6EB747CF59" + "5367EC3EF33DF41D25424A858F50A63D5D503EFEB895334466F" + "C3B01DA6246A5801B9D06071D765A65E64F2214F93B6F072115" + "343D711697EF2E1463E021CF3ED9CFCBE5A81E54DAB729D52F2" + "F309BECF754E3D420CF0CA060C7BE4589D748B84028517AF792" + "3767833858A35B26B0AB5C5E3B14E68BBF50AC28A3129F6AE08" + "6BF783612749DAF4CFE87E75A4C89DEF988064E32D616F1CCC1" + "7D46")); + test_hash (&nettle_shake256, /* 61 octets */ + SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), + SHEX("F31DE8CAD77A334C3480D93E3B30844DF1EC344A8D44CDD277B" + "0099F28001239EB0DA5B566FDC383F0E1577F67EDD2BC0F11DE" + "67F3E7A4D97C56C9F3BB0FCB4D3E4D08F7F3D5C30FBD2D964CD" + "45F36826F614668193554A33BF0170AC3E64C10E4E3570EEF84" + 
"DF387944A6436A814DCC53645D01968C4EBD1BD0BDD76354580" + "805BFADAC96470FD354BA2630F7FF8F7AB29282ABA946B1A9E0" + "63C316A6D337A7CEC2FB4B562B899F626418BB61EB4F9E9BD7B" + "294C7ECA75AB522D642CE495640E4BB1E2B14A10775704DCE5A" + "DC7D7E3C091520B48DD18A291841CECE5EF56E1969915FB4979" + "60D011A8F46A5B08EB39232283EF332F7AB0D8FDBD900BC2001" + "83186BE31A6EFF7F5F4CD27C12BBEEDB0715A0E6E1F6E35753F" + "E7F3996C75AE34D2E8E76E43F49EBDD505DEE66536E5F2332DA" + "F4EE462B7B524F3BED1293BC45DF9511FC03D2734DA036EB3F8" + "C62BB0E623031939E83745744F7DBE93E57ED65EAC1016E4147" + "15B54AE83A15FAC6E76057D77C3811491F390C0B4EA0BCE2923" + "72A8633E26C10C11E301E57983109903DBBF4D08434A6287B8D" + "F665BDBFB03957CEA7AE4EEF506AB1F7AF1358EB48E7FFFC960" + "6C266E6CD903C75772E2E88E954585DE90111A250EE62FC12D7" + "5C5C58CB7C03C9C06C2AAC9EDBFEB02A1207AE5F9A92D32DCE6" + "528A13725EDBE757F309449A40E93286388D8C09F9BFBF49E5F" + "B826")); + test_hash (&nettle_shake256, /* 62 octets */ + SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), + SHEX("A3D9ECECA03A1016A8546AD75C7B35102D5ABB0021FB5F2B1F5" + "3B591624EF0F6C199F64DBCF325E37F4A361368CF60F3BDA9F1" + "1BCF5FF2EB1A4C0B0546B5E898204EA5E4117F519F72F2F5DE1" + "017B2BAE0723D91A430B2B3C1987FDD24FF0D0F1CDE2483A22F" + "C37F296CE16998C12994603CFAB4B496D3333B25ED48ADB1EC9" + "26A44CD5DB14C2072588F15EA752A31A8A3AA559A35EBC900FC" + "E948111AF7522AFBDF7C56065B196CDD00FDBAADE3A80D2DB10" + "271BDF6418F0F817FE991EC055CCA474B61E1AF6BE6FF6396AB" + "04716809433BC8AF75369049E605C1C0028A0D370E7CD0C1EB5" + "71FB379B757E8BD21AA61C2E2F2B0D0DBD2D73ACB2DD0887923" + "B840079BC74F6C69682118B2B3DFD3FE94D3A76EB8BD68CFA94" + "034DF0B5419104675B9F5E56F8C6E0EFF12D9B20E27535A09E9" + "FA103803B62C66D7AE09F8E39A5F505F3BF93D27EEE1B16546F" + "97AF0616BD4923425A1F0FEA1655334A528C5DA469850A02574" + "96C820A351D826EEDAB469A3871182B8435615E8CB1C8C81D34" + "F8904DF7F81D48FFDE990B69F0608E6B05AC130709D3DFA9E8D" + 
"9F343622991BC686E80B4F0877C03D9B1E0A190D4C33C11246A" + "20CFB297E127FC359AFD037B1A90C040D9E10F77A3F6D9FC45A" + "2877711559C8B09348B203FC49A1770730D1206DD03B9E64C39" + "0A308BC27896309BE2EBCED1A7ADE8D7187E8F6F9A76523FC82" + "0E30")); + test_hash (&nettle_shake256, /* 63 octets */ + SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), + SHEX("46F35DCE4FF3A34E944AC51B64AB60D314E30C2CA9C5B4675D7" + "59E1E852835977B6E247C025A8FF0248C622C492A04B87C5A2C" + "906B2C1CC8F9CF2E03DBBE046644ED26F37B2C4EB2D16B558D8" + "2E2A3400EA2BEE9B4D0A3641B7065FCBC34ABD67EABDF5AB7B3" + "F278C47D24EE127515A2C94BA955A01A098BEFB59261082F233" + "83210FE82208574B95763FCA6132AFB3E644461B1D78F3C8E04" + "D860FB0952F9A33A7E56C1AEC1CD3CA913CA62FD35FBCFF62B0" + "032484ED07AB9C510C589F62965D676382EC7E55E359F5BFA71" + "24A54B83C245725AD796987EF4E9186C74E8B1B53CF02753334" + "1278B0A6B621D7FC68B556F0B3E1A95312F4FD3471EF1BF3C3C" + "5ECE8269B29A51470ADE59A3F15F2600B858EAF8B6B109339CF" + "1B15B0EDF36E0004992BED6E1B187BA60ED3E92A542A83753E1" + "4E0CA85A0DF441E5B03A9709EB1AE714615C7C5F2F54C373BC5" + "ABE342124BCA909BD4F6696950E0483BC798059A94CD8D852D6" + "C5E596A6CE12FF053874F459E68062C5650ECC934EEDE1E7206" + "BDE104CF33C95FE103D279108B60B4078DB9522F2CEB28B77DE" + "F8E4E59C93552B8C09C0D74E8AECB3B6C50BE0C123E2EB39470" + "908BB7288E451C51F6F7154143DC78D5F5C4ED402217A3B6146" + "6CE80CCA2257D77DBB99B6069FDC6CDCA949BCF279B3E4DE579" + "68DD0EF83C19C5E1A07B19B85FC60E593600470C3F4603178BA" + "08CA")); + test_hash (&nettle_shake256, /* 64 octets */ + SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), + SHEX("77B7496ED08C3933BD75983C0C0494BDD8262493A4B55DDCCC6" + "4167E67EAC0F6E6307ACC15C33F3963744E26CA6C504D393B3E" + "E8165E4D49EB3B6E649207653048F8B822FF884DC74937443B1" + "C4A888C7A768C63D5B5D29E7446873923B9D7A56FA5D9E90760" + 
"AB86D5718E3464821B79EB46D169141FF16120BFB650C76D4B3" + "E5B3F6CE61FEBDBE09AED7F4C91066D903AF6E56531E8FF7154" + "9508B6E420CAC6BEDFE0CBEAE6BC228476BC8C00EAE43D40C82" + "CBDF6B460C376D7C11648EB2815B6506ABD4339B25D58D45CDD" + "0A0B9E35A88E251FDC34D4810D659D179F59EBD03717FD31A63" + "94CE12CD5569066E138885CB2BDEBBA06367557CE849EB869F3" + "CAC38800D51C22B666AE2701E580796394DFA02F4910BF5F86A" + "AB53951233364EA20CDA35AFBAB445BE7F686643856F825394B" + "E7B4B6D2C918D0151F46FB9AEE8A7BA2D706E48CB0BC429B064" + "262C1A0EB3524FF14632F5184575C15F6F4A3446E93CB4E86B6" + "A931BA268409CE30B4595FD2059A27183B3BA8D0ACE8E482866" + "D5C7D5B03DB8DBD24B99D59EB6EEFFD209E124535D154B98F99" + "91D84FE1AA763C5133D41ECC233930957DCEB7896AF70F735A2" + "F5C1E79480AFD50943BC5014BCF0A7354AA7F713163B55A1E41" + "BDD05FBBA9C1DB2C69043ED9EEA4FA45C990CCB4A8DC41AFAB1" + "8164018E54C47AC5BD6980FD796ACF0DDB42C7042A4877E8BE3" + "DE29")); + test_hash (&nettle_shake256, /* 65 octets */ + SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), + SHEX("8229BFC635A769D86656396B7723FB46BBA9868712F27C37792" + "5CA6B358B8391E0AD8C30DA71FC8F0716BB95ACB0DA00C61F3A" + "7BC8DF1315715E925F1EBFBFB5D72CB3E098F0C014A80E88A44" + "231DDA194DFA8E35E359F60EA5D7A5E0D1E64A8FDE294F4ED2E" + "3E98294DAB838B2C6B3FAFCB2995AC17AF67669A24FB7131823" + "3A82DC8B934C8693B3DF784A5BB34CE9CB3FDE79AFCBFA66C07" + "D1202C954E849DADC0C1D5BA79BFA74919C1C6FFFDBB834287C" + "852522A65AE3D32E337C2BF16C3B5E22D4577F5B05F1B872185" + "32041B9692B0EC561881479C924BA92E154B57A1AFBA6214F68" + "FD067D109A92A9B0E127A0A6B78E85808268567CBD1A2653201" + "233B4E80BE103EB951748A1D1F8A205856A650C58DF15E8E1C7" + "6644E52614AB4DABF51A2320A98D259F8295412291464E1D918" + "C9BB8F5282301BE5F91DCC507F140D8642B7A6FD37327CF38F5" + "10679845853CFA039FF4CBF749D48032D6650BC7AC2BECAEFC5" + "672CA7C61A8F6A1BD69D321D2AC1E6095B3AF7111F509BE0062" + "707617C62DA3336C3086C39B2DCB9DA7F23BE732EF32F906243" + 
"250CE4D38668ACC8CEEBEE87C43F077DF2DF1EA4F6345477490" + "FE37725ECCB8D4F47B14A85B0D36FEEADD4A020DA3DDA4A4889" + "5DDAA45B5EF8499E937D06BFE6DF88897A828DC19D9AD93C622" + "E0263E74F818F921C4200856C9EC9D36CC99A6B0BD59FCCCE72" + "CE3D")); + test_hash (&nettle_shake256, /* 66 octets */ + SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), + SHEX("66126E27DA8C1600B68D0ED65E9F47C4165FAA43DC4EB1B99FF" + "EDDC33E61E20B01B160C84740B0F9FE29FDA1FB5EFF2819D98C" + "047CDD0CF8A0D396864E54A34657BD0C0355C75C77E5C3D9AD2" + "03E71FC2785A83D254B953277B262EE0A5BB7D0C24ED57FAED4" + "FDB96D5FD7820E6EFEEB5A9E9DF48C619C4872CF3B2516DBB28" + "073273E2693544E271D6F0F64BE8DC236ECD021C00039FD362A" + "843DC3681B166CBC2407495E18903E469403807FE623F3648F7" + "99F18FBD60FFF7705D07464E801E0AED4F2F0642B9A2C5CDD0C" + "902B59B1DA19A09375C1C13175B618091B8882A0E7205EE63A9" + "219ECBCFA943A10D2D9A50C8C0B5D43B003F67EF0D52ADBF9F6" + "59BB62FA6E00678BB8D4449648872A99EECDBB3DC381B5199FD" + "500912AFA93C63A6B23D00D0A416468FDAB93AEDD9115265BE3" + "A4440DD4029FF7F88D9755623E77F9430B934DAE529BE9A6B30" + "7B1B292AB5918EB24B14598554B4CC6269419C701494B7CBA5B" + "3D69F6CDCD5181FD03E0748D08E1E0AA5C4EC62C47877C10858" + "73C016EF24E7E45DA71D3DB9DB23B153CCEDA9A9AB5CCD8C546" + "6CEF29810098E976E4867075601F83A2D2CDA1A476A1E990CE0" + "4C4567FFB99AAC428922D9D8B25AF68C36463D3AA4F689CD778" + "F79E743E0BB5F935E6D45F978DCB2AED12DFCDCA469556556E1" + "9F25D4C959C98785FB471D4BD1675D3B84742766D5BA4BFF2A3" + "F912")); + test_hash (&nettle_shake256, /* 67 octets */ + SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), + SHEX("EFAEE039C0412FCE8F55F6E7772889EC18D0604FB18040DC1E5" + "783596CD820B421A0DCAA528C8A62B17A22164430672DA6D818" + "E2E555AA8E79665A6F8F5721A4E17FE8FEDA551ACC9116F1F50" + "E95839FFF2427DC1D988B0269838102547D4D46C11D2548BE3F" + 
"885111D53F3061A74972C56579C681C20BD5D47A4C2A9523BCE" + "154068FDF3813F5D45A8D446758C212614E3A6E80EBCFEF81E4" + "4034E0F2D02FCD0AE5E6B10DC24EA09B94DBC47873768C0DC6C" + "F2991B9477448540924CB57D3582D7B8E453E946C57129285B5" + "48FCC831B3E311CFFFA3161941689E3CD649C3F47D96037804D" + "0C6A4FA8C09B11A7D5A35F6C4AB89B64C735153422A3E529E19" + "B9AD7F7CC346F904912E1A6C098CCED3BE9755137A26907CFD7" + "F7AEB1A573A971C4A5760CA5399CBE642F0106497AA1D364DDC" + "DABF375C547BDDB6011F26B564D0CCF4E055DC0869BC280391E" + "5C0203005D92246E377DC560D16F3A9588068473B14FE7E39F9" + "C25108EA279D98DF21902E60DD4EB03266E873D3B0C24DD3306" + "6991386C4311E58197F24AF80FA150068407821C2327E900340" + "550E7826B2F510AC65D4B21E9336610945A0E5A0EC8D132D694" + "316F2B8A21CC24520C6204EF036116B2FE66A79CBB202F65E1D" + "1782AE10CC71BE51DD44718E2FE9D229C705B94B9BA6B27A392" + "5E55DA290875588C8EDB8A1866FAC9EFB7FB292F69A89ED772C" + "C68D")); + test_hash (&nettle_shake256, /* 68 octets */ + SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), + SHEX("F64CB396701785B64767D4F17A768EE198297A74E5D1617FF74" + "A3323C096579C0279E351C2407BB889CD4AE718B09ABA711FE3" + "AC14AE7D7DE0072E8BB0B6A1F92A1C93DDB46DE891CFB1F3681" + "4E585F672BA871601E817BCD6327F3A7FA7DE35AF6A0948DCF3" + "DEDBC8A7154CE8529033F67FC656F95FD47B60E49681895EBE0" + "824DF50F8EA0480B50EB3264243A88BEF29F5F4FBA012B86A5D" + "FC98054AF4D15248CDADCB160193DE7068CE71EB76E32ACDD0D" + "D94F6B27B5158D9E63EB25831219768454C8A951E9678F41EF6" + "F654CAACB0F2AB5DD614BF0BBD932DE06FC31D7259309B23DF8" + "B5864322EB2D8F39A07E5A3F324B64876612BE4A1C47B06F7C5" + "BB814169D94B78CE22AEB7249C96A29C52BDB5550C7B292C96E" + "A9ED6700F5D3032D2A81CD68ED3A6DE8FCAF9379ED0D95C94BC" + "B0082915FF7DB5EA1BC25645EF3B546A728AFF4CA20C6F8288F" + "F0FF4B7DBF838E1A3EC5463AB88CC827D03A748FBB924797A98" + "D309BAC09E73215BF8BE798C151D322D6110C280D85B45785D8" + 
"54DA39A80F64897918C169BD7E1FC52D003999C084BF69B696E" + "6D747E859DD2D6EC6FA1339A395858477BC49241B302FC74E01" + "88A2A8138507331923C357AB4EED3F64FFA908CDAD9116039A4" + "69229F9A62070799026097EC7F5A71A7FB01B5473E8035D383B" + "9F236F2FAA0E06DBB135A939EF9CB31AF1E312F47C6C9BE1F50" + "DA36")); + test_hash (&nettle_shake256, /* 69 octets */ + SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), + SHEX("CD85DEB9DA581AF66C0B3125B697371F16EE34606A577AD6D8A" + "C7E4E4A948B36C844EC9EA85EB168D7A5A1EB4B72A685AEB80A" + "75075B420C9B53B963D960F7BC88DCED631C734114C28B2E20F" + "0657D9256AB01B1AFEDDA9B9F85FD30D0DE3B98DB38AB90DE60" + "045836CFB12C41E5BDAE57B937B637C11ED47F7DE242EB9F72D" + "3253C5D883B22333F181FFAD60A541DA08601791FC0F8D9F44A" + "94B551B1A879B76FC2B7931A2F4301D121A4E6861F5C84FFCB0" + "139FC37268B5F8A4C3FD490809CF44F68BC1E665B369D4D74DD" + "0BDEA71ED0514C37A47124CE146927274D95067C80036ED9F1A" + "5B0A10AE71E837A09DBE4DC358DF4687392D99B2ACE8BEADA96" + "56677518B1607C8E13B7F45100BFCEFA1D4E38B9BB29EB23D17" + "B9CC66F70635A6C531BE9CB890AE833CD7CE35498CC9F81C576" + "493913BAD87532B711F3F88873E9ED48A83B6B2C503E096A33F" + "824FEB4CCC702E82CEF00FBD938FF9BEF6E3F80E149EB343381" + "6A1D3FE7F005734192CCB5A8B0D7D43327B535547A9CC7F5FA2" + "86F9EAC26E9E6A1CFB86DB35831F75A9902A3E78F6BF9B47288" + "36C81B3C614923C3EA88D6C5F55449A83EBA0F5FF7B4F070842" + "06D4590BF817C1FEB43595462037AFB6969A91EEB963BD244AD" + "B1B654FC98A0B0BE99029B3D5BDD69D2158939D677B054CE55D" + "ECF0F332851E0A74EAF2BF3EB672D4CB1F467D0E5391F98501F" + "EC2E")); + test_hash (&nettle_shake256, /* 70 octets */ + SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), + SHEX("A90053A8F738A68C18CB87FBAA8370BD14270412D0014C5DE80" + "08FBB74E619182A0442C121F7E2449A5B019DC0CE597BF1D7D3" + "E64D1184946D45208A864723A73CC1E242F7187811C522F880A" + 
"CF53056D835BD150FCB7DB61363D22074349FF54A3E5FF25712" + "72910A7333959D8CC29F69B540E5ECCA50DF7799236338E2925" + "5656930E22679A3A585E32B88C27452BE75BDE73789B45623E6" + "95FB7408DC51891D50A3BF84C5088C5F6FBB1B740DEB7FE38BC" + "A05F1A3BBB516E9AFED0A41F8FCE94411CB84D8BFD51EF91718" + "4A66C56B31A190AE02B86F62CDA2FD7471EC030E94EDB56C144" + "025A1BA9B792A515DBBF402D33BB6451825E52A87B7B82C44CE" + "E32669F96F3D8DAAC5923127B51AB5C5ED43E5A9344B32C5A37" + "05345EE98CCC5259C9D3342CC10D660274DD628F1C2C031FE9E" + "D282500D5C3982C7976620FB46190C57856E519C6FC1760A306" + "C3497F2E001C7113248F53EA1A4BF9DB370285EE441E4B43459" + "B6F8690CF10BC1785138F8855DF859BCF1AA581DB4A6EFB576D" + "938FC273E7D126CAAB7FBCBAD62DBED1FE2C33F24640AFA899D" + "EF2825AC2C0FE928DF223B1043117C061F1C7EEC723C5CBFA83" + "14E1B18EA6CB63C02B9D6FA3B27929B4D42F1D785813FEFE124" + "9F65B725D4DE59AE071A4F6A40AAA26935F4DEFDFA3760C98CB" + "E805A50DEBB3011E006015FBE8400CFB1B6B3D2162014D675DF" + "4246")); + test_hash (&nettle_shake256, /* 71 octets */ + SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), + SHEX("27BF218A01125514BB1B78E582AAD16720267373BB27FF96A59" + "4B7F10CC1D0A393FA753F50437C89301542D27C12C03F53FF77" + "1CD0DF4B38F40B607B67CF419020D34C18F5BD3BD424D39F47D" + "118C84A53A635E17365F84FA0340BE3212056C155FD227D3B52" + "F9BE75538FC23287B5DEEC0E5737C8484ABBA0BE6CC43D956F1" + "7A41CF81DCE5E78326633CF09326E0004B172763089A593DFBB" + "C1A0960A16F207F464F9EA2AFFE732208E970E00AA0BF122863" + "4E98031155B61F6EE509648D4B0BF58FC9CDDD0B470B95A0AED" + "8A3A96DEB2F7FCF65CE08A826300D4E48A681019C5A8EED66E7" + "FD5FF098308138B4E11886528AA9ED32617392B0F6E133A9968" + "3DADDAC328838008BEFE9DC680720BF4231E88848660C8EF4A2" + "973046D8E70D8EE8D8497AED8A748B3185A77B238B5650C9909" + "5D8702209C0C31FE1770042FE3BDC2582F5FB841EB5A234CB4C" + "9B637FB4C5DD9F90225DB4C62DA420F3D1895FB2EB05E3A3D67" + 
"67F73FDBC8B94D48A555CE4CDE5045BF5325B782E0C242FB3CD" + "27D963A9EF014DDBA4B0608F2627FCABB2EDF570A49AD5377B1" + "BC7193D9CCCC23F5D35C2DB59D05DF8D4A8E5146298B6EBE1DE" + "25BA1089DC746EFEF6BCE22B43FB99EEABDDAA76566452F544E" + "AA85CE4559BA683A122CE76927242050FB236BDA091480AB1B9" + "ADCA148B639F986A3E936BBA565B54F727A0D45F369DF25B9AE" + "8528")); + test_hash (&nettle_shake256, /* 72 octets */ + SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), + SHEX("2FCE215362A523D7B76FB836EB458667099C58BC51D7EE6F6DE" + "B9894B6A337576B0DAF9A806488C3D238762B7A2E7B12AACD1D" + "696517EED142AA5DC5A0747F08E5E39A2486D75F497CBD6C489" + "9D6F5BF2AAAC9189A6ABC6E787B0D9C5283C840E518C6AB0393" + "CF60337369251DF935A02DE0463DBFA4DCDC1DE9034FC9C21FF" + "B9DBD7C48384DFF31012BD5F5A9CDFDB7139C3C35F560913D64" + "3DDB728910413F1267BF1BF1586C5EE69DAD26B53154934762D" + "4C80C34D511BDD8A391F83D224F9F8F83B61DAA046C542BC78F" + "153A3AED27E1268058F6952258D274F11C8D9634A5BDD4E69C6" + "0DCF1F89DF2238EADFE783CBA652A554186D9E8307C7773722D" + "1049C3815526F583612BBD8F6C587D058B80FBD38113957E602" + "12777A9F67B612312583FEFB67533C065286CF371001440B1A7" + "A43DE2405E5E92D633F12A63EE2EBC408164545DF22803FF239" + "DEE66EAA20780D103D940880E8BF68B9D815EFCF16F59E0D858" + "AF33FE4D287A2B8E61C6EBF26E16E354B3EF63774EE01A14691" + "B149D81F010A655F308E966C990E1BEFCB6E4253FF43BF473AF" + "A78AA88C36EBBE735B6B2F92BA9D07A738E000C9B42BF8A3A4D" + "8FB6C38AA36B3329F909676183FBB520196D0DEDC80DC6BA0DB" + "4D72AC6544551CC38B23AFE000A91F10A89956D2120494543E3" + "FF5D7D1B2791207860A0B921DEBBAE769E55713A1D611F6B117" + "5BD0")); + test_hash (&nettle_shake256, /* 73 octets */ + SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), + SHEX("992E831E9BF5FD994A73F17699CA0ACAEF65E8212E5C4A49556" + 
"9654B5DB523BB04431B7910A343FF254F4432485B4A6A88701A" + "FA889B11C45C53B4A1C4A1872FC685D644DEB5DE2340511F29D" + "062F6CF0F39803BC333044CDE83103155A49F77FF8946A77FB0" + "92D1CF1715F02297ED4F6B0A43254863641C4C244DB87FE486A" + "3EB78DD3B57CCE06722CCBBF53ECCC862A8256625AB03563FE4" + "730F74C8F78037BDE37D538DA822AE9141B8098A8B57D74FCEA" + "A072746DBED8C4B23F91B3DE8B9B733D06CCFA2FC18747590C9" + "AC01A9FA675D8CB51505098F8993C494592C2561F8F2FEE3B26" + "7D8FB77A1AB853432850F90B8C52D08E23A19226A61E0589842" + "ECEB48059F8F1B749D563E2C652B70C426B91B8B0E19EF2B319" + "F2D7DFC25F0D712A76CA9332F92BB38CF89DED9802BB7AD5654" + "B2357325CB1CF6F1C9FB364EF41EE8B0A8BAF5FF9E8878E56BA" + "4BEEAE384BDF029E4911DF8E84F5B570704D53B67D6BB1AEF37" + "976B38F405D9AEA67C6A6D77370E37BD78034645A9B64056723" + "66DC061BF384EB0E9E73466FF5D018C9BA52DD262DC97970CB4" + "B8AB467847C23DA0FB101F5A7B9EBA51ACE6C0119ED03C7A14A" + "FCA676BED44922EDCBACBC79B6DB231C60DCD4ABBBFA0C13C0A" + "B3D680AECA78EB9BF0F71CE6886AFF6C309594A9DF2D01692C5" + "6265A6E9256C366C4C53B6C0FC38B6EF18ED8C571D94EE27E85" + "0D4C")); + test_hash (&nettle_shake256, /* 74 octets */ + SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), + SHEX("47CB72FC64AEB3F76085626534EA346A2B4797B5D61839BD7A1" + "5DF05D5E3552C2751C697BC2C532E2B3A8934B9ACD898567145" + "0DB65D6F44D9B6E27972FBE050E6A76537EED3E9FB15849ED61" + "C3B2F6E30A8523DF8E95BFAE3A93BB306343212F1C288113594" + "42759C85C3E6829A179C03F86A442DBABF49940297DE3F29CA9" + "F6EE25EEF49B9C7B37DC4499A9D16D3B32DA2AB391AC1E6BA6F" + "3967532FA18E50B1E52D6D3EB2447EE20CE459ED970D71E33D8" + "0A20E933F09E494A753D15590A29B15733FBC93217B47B36851" + "00AA31D5029DB16FD7E293C51C55E54E15457F99009590EF8C7" + "B7BE110453B73B4652B2F9C048BD7F2EA2590D33ECC5508BD62" + "BE3A0918C174D99C5939FEE9C48592CFC220F59F28F57777DDD" + "43AAACBD23A61A8473D4CCF01389E982877282E8694F03683EB" + 
"B44406C798104B9F3223B0DF50EC964665492EEE586CBDED57A" + "75F17762A2903604F8120FD1D981AFED7D6AEA59FE70DDCE738" + "A41F53F611B927EC3DD3AB7E89A0B0B3943EAA2A74FA2C02098" + "4DCEB577F6B3E7AE98CBB81F3CD9780E52D44BDEFFAF466FDAC" + "7A4429BC89295204B0FBB9C8A22A5F202E8536542C244CBF300" + "0C0CC1CBB0C4E18A29CC92697B0E58AB1AE77AE10B1D3EC92EB" + "697364CA69279C4EEEF39D27C06E63DAC76028DF7A5A974F8C9" + "7AF5C7AA31B5BB5F1F4DB2E63B3D4C9F6849129084C77ADE975" + "62B6")); + test_hash (&nettle_shake256, /* 75 octets */ + SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), + SHEX("458FF16E716EE4C47F3B60B3E473D91157767621E9E3A200EA0" + "BA18B511B00C9BA311C7D542289D03F07ADFA6110675DCB43D5" + "D8EC69C0EEF6AAF4664F917E01FF8DC5F203E89540EB96640FF" + "807ED60D761C4D3D92F55604EFA648C5CABA130731FC2BB5351" + "46EF6EA4FF3A7CF388647EC25C3879671874BA259C6ABB31B4A" + "8090BEA5AA7D6B05F5647CAEADA7BA35B45FEEEE744BC0E76D8" + "EA6B84CC4103D358192BACB126800CB5A6E114709E7DA7766B7" + "61B6FD0A83203B82B74E87D426E71AC1AFAE590F4F06008537E" + "79E2025007CF2F5ECD0BC1A0E14C5CB8384B9DAEC501CD985C9" + "858212CE2B9AB2422F6F7EE0E081FDA987AA90A6D51DDC1173C" + "CBEE0592E970CD3DDA52431C57FA323758AC0A4E47D049EF3C5" + "1211A4F9312614312B6DC119336D7BEBBF325C2C4D24727E290" + "9058543BE4065C58F4E9E3F3F0ED88B8C392CBF610680123210" + "D5214650EF8DE411B7F6EBBCF2DD95F7FEACD074A29516E42EF" + "BE37C239E9AAAE6E0E1E1C61B418BFF50F0D7D56347579A75AC" + "A891D51CB5299987734EE208F0D85512C846AED6DB2A2F453B1" + "10FE2475852C92FF1BB3439D9D6F3EB76B49E239F72883D067B" + "F9D1BFFBB1B668D677F940940B9D042C06EDFA9256B6AFAA37F" + "918A99309E4E40CD3D374DB5A37BB43DA60682FFD1D01CD1EBF" + "9E90971FE16176DFFDA5867150FB83F271E4402ED52C1DF78F2" + "BF52")); + test_hash (&nettle_shake256, /* 76 octets */ + 
SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), + SHEX("021F06C7138F663522BCD444E597C2B78F4C8369C88747A1550" + "80005E09A68C6A73C4F8D1C7C088D3CDA2B48F310D5371F336B" + "C261697542028D48FF92523DD78C100CD858FC5FD1F49181424" + "47E11281881D9C22680800DAC76D690444458D53E35D263B2E0" + "81F470C9E8577565EF7F8C530F78AEF2039A0B253A28E29E6C3" + "0FD26FFF9677E65121B5175822D0942D0DBBA9F764514FB9363" + "69F74324E8F950BFCC192A30921F04552245EE79CBFA319063E" + "4DEC133E10EC6B02002FA61EBC288B8404DE81D9A513FA7FE6D" + "B2C61BC4ADA6DFDDB4B49B5CAEE1D7CCF5BA6F40A39AF92EA26" + "222850D4F4FA9079F79365806440B89663C705A247629C8E28E" + "77FD17D39ACB37BDA2DEF7847C12D7F180A67BC788795D6AE91" + "87E6AEDF164E282C1E76322A8F38856C6D95460977FE8F6A760" + "F49111400467E7E0EAA5AD7E9C5F9A17B462CC8B45F308CBA67" + "71CAB434F407CA6CCA371A6C7313CAC055A13D5C79195DBD949" + "A4FC9C176C26E6D5ECF343B199E478A25DDA55FEC4FD416E270" + "8AF001BB8AC3773E7824BBAC1C0656953984B1109F1F95DB0AA" + "DE0CB53BE77E88CA83A86563E1E87011E718FB3616BA3E54A2B" + "F9DFF761A42EE1E809DD1A431C7A832442461DA90E7AD5FCD58" + "1827BFB2C8FDB0A046F09D30773FBC1481DA0FBB92A6AFD073B" + "A96811ACDEEEDAADAFCE7C70E4CE75421C85E9C1AFB270D120E" + "186A")); + test_hash (&nettle_shake256, /* 77 octets */ + SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), + SHEX("DBC0350CCAAEE7F6E18576E435CAFC7CC65EBC81B27DA2F18A8" + "88ADEE19418BF6F4D1B3088E5824BF663028A690354F4A953AE" + "73CDCE6B095A835CD45ED5752D72E699ACF031529D73348218E" + "AB5DD6F98D675E33880F6E79D0FB3A78E843F26E018F543872A" + "313560F8024A6756013DB3AB13FB23661D33EF9520EA60A0467" + "5454B5F3069230447000ED2A879A1B342F560A8AD2F37AFAA80" + "668E90001D315BA266D03152E714434FB0F52E287A235EF5DC4" + "252AABC8722B6920A069C98F69C64BFC31B1E13D01DD0052440" + 
"1D4F8494111137EE283EFE82C2215FEA54304C3297E6A1A88E4" + "6F000084AD090551A994308165AA2D0D96585DD4C826554CE80" + "D3C00344140D4387322650F857350812C6C4E660D2E3EE5DEC7" + "3D27A6455D6170569FB0F56313A561BC6FD1BB6FC11BC6A830F" + "32847050EAC3451E153C00BDAB83D8CEF319894DB18DD80F111" + "2E560E2353DE9C2DB6BFD428327AABA644C218FABF3D75CC42B" + "3773DB2113D037588AF31F1B1F21D076F285F1F5CAFE5312E7C" + "2FCA07AF2E6FE3651AEFA91BEA2740AFD1C2AC77EF03BBCCEA3" + "6940AA9A7D733289F9575E9E14617AAE7402DD7847114C75EB4" + "432FFC2D3D0BD56117F9286609DC91E9CA63E1E064F09F2653B" + "A905CB12C8AB6D7772203B0AFE6332C4E9F73BA4B652FF16E97" + "59FB70AD5F548540C7ECF6C6DD7D17C5D2A9B45C548B7EC8819" + "E8A5")); + test_hash (&nettle_shake256, /* 78 octets */ + SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), + SHEX("7AC057C0DDA89D3A001AB997F2E405B4C1D1906191C3A50399A" + "9A49B2E01CB2C3D20DB6618A7AEC42F8143C580505145E60D6E" + "1D4559FE3F46F5AA1373502EB0661A608C31839BC4D7FA44AD6" + "586FBB53FBAD598C05B9443D6CAD708C8664079FB276947C4EF" + "022C1BC7267B41C1764B249C8E7B347BF006DF1498E31CC9EF2" + "558F96F7F7AE323D6A633E1BF23312C1E9E2146676730954648" + "727B61A5DB507F1959250D49A52F9804668AB3A56ECB6C49EA7" + "819D093E85A0A1335CCD4F54360466F7C37DF0F65CE52F7B396" + "B49D39A3AAAA0FE33F053EA711351BFEC78A1E05F55954D7056" + "B7380430B45275E2CF57AC13F7FE332B760D8BD793CE4F88613" + "0C3E4581A5995F865DF2C68CB2FC01B558997A54AB8A684F5BD" + "67855972CB3BD54A9620F71CFD3C9F0FF260B80CB14CFE4FA9D" + "61583CFABB12BE42C4C64C85D1F26D3B0645AC60065F9E85C70" + "883BE7F06B9376737F83313DEBECAAC3F1146B050F8B360A614" + "B6C72EC91A3E44B196713F5754F1249F6DCEEBAEA8049FF32F3" + "08513F9C0C2353C9814C0E67CAD64A1F332624490A39DF8F9BC" + "FA61C315CF2563031429567334038F1D086BE0B9A4BADCD9C4A" + "0840348BD476C00A7CDFD8862E80EB9A833BD2BB56D88CB55D3" + "D064326B8FA084F92F3DC2D8CDFBA3E3A0E3EB9E44B1EFE0563" + 
"BC7A75F9A736A87A89A15A6812110FE92ABF5B8F77EA88C2207" + "517F")); + test_hash (&nettle_shake256, /* 79 octets */ + SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), + SHEX("F0C453711D0CE1B3A120BFAF25570E3E949207F575782FFBEB8" + "A6600D7CAA9938D28EC6872D1FC914BF8BB02331C40728D3BE5" + "31197694CE644DDD148D0EF54C077D56B6506A4A941B087A61D" + "3D57B8AE53824DA8D8CF069D1CF5DF46E309108D74F318D38FE" + "1968F1550AD7921D976ED5ABC60953E4FD073A3AE7FA378A105" + "E0FC3BCCB3CE3469A536EFA3F9E5C8590F19EC7E8708AF92A9C" + "A35CAEC1743F2284DA30E613AFB371507EC61C5574771BD7436" + "583415D8E4406EF39150E50CBE233A781E8867639DD491B1F53" + "217FDE1FC5B93671C1B6931E07966DE705D162F14EF3C95E67C" + "40AB1C0841380F9A9165C5222477FEB97E9A3C88104D7CEE9B3" + "EC6876A0ECF0198D258B9E308083B826F32FEE17E2A59FC2004" + "6CA815FE0955CA88A81FB56A7C90BC922136AB0B3F3E034B626" + "34FC830837F2DFD86798A11B335D5FBA27398E5023CDE6F1340" + "241509E92C6A4B298B3BD330ECB2012B8F95DEDF67B68D5309F" + "A1AC9DB856561D6E81666A49AADE4DE719E1A4B519AECE0BD49" + "41A36492E0B79CB7EFEFADF4EDC6A344C4B0640A17F0E7F70E9" + "0E77DDE40A82457DCD58658316B4B9378BF058B05AE39D0C750" + "692B92BB2D16B5F43200DEF81CCC61B2A26CCE991BF939534D6" + "1592328BFBA68AA8C9F51F3A04466759D7D1B966789FCBA85EE" + "120C66A8F3C308E6A1533220E4A38C21DDAA4B2FC51FB49F59C" + "84B3")); + test_hash (&nettle_shake256, /* 80 octets */ + SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), + SHEX("23F75EDBCD5D5F329F01E45502B66995CFB9A5F0748E9E1BCB3" + "44B639873BBA79D21EF36B8CC1BD8A2357D8DFBF3C32BA6C0C2" + "E8936FB968389D8D1388C20B9F572BF9CEF93891C643D672C86" + "55BD67ECC3D0EC9452C6D1A0789AD3C734B926188E4A1B3D684" + "F14C0A5D9E72CD2A10C5CFA8BEDC0BA5F3AC6B5150A256F2B94" + "5586981F8092E0827294FB846986D3885F38BC6F945B900EBB5" + 
"46094E29FACDEAB1BDC1D7FE1C6C83E562D09E08319E2BCA1F3" + "EBD4A82B9ECBD8E6B38906D861E2E0704EE4F55DED4E7A74F18" + "8210EE439183E80DFA8795A1F75F0EFD49A4FCEFEB97F187360" + "69BCA02273FF542ADBB6EEC13128F1D74C87D6C6B45726F62EA" + "57ED49321BE6FA516B1AA2349B3C85A5F971C4E15715BADEAFD" + "2E8A217D1188129CF49A54FD85803EBB361D73F0D8D0A7D557D" + "0E17C8D83C27DDCE473908A1CF9ECF0F8085E77FDA3DC89C826" + "09A647E25FFA8D2FC86194B2A793C7B32B4C893115EAB9A7040" + "85047F9225A29236C6188F017AD4972661C796A3258ED494935" + "33BEF9A59A27DCBCF614AEAAF20BEF156AD261BFA23FBEE2D84" + "D76AF0E721739AF02DF710D020CB80E895BF20685D3AE61DECA" + "82D34206351870AABBCE23CDA3567DC1AFFEF9319BB1A212D52" + "BAAD92D069A332BD020420FD34E6FB6F97102C9AF3C877ABD9A" + "790BDAB7E7940B1CC01702D2E4CEEA1A3A2F20E3B4027BDDC6E" + "2FE0")); + test_hash (&nettle_shake256, /* 81 octets */ + SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), + SHEX("0AF273F2384078BF8BECF3731049A763753EDB89CA1AE2BA03B" + "82EF5DDE8C5E23E692982C524035D406DBAD8FB897AF5D7DB96" + "1652A0D6F5C18D71EF1F1A541D0A29085AAA1D26D2C4366DA7E" + "41781C34FA40A3FC7E9132C3F0CFFFF267E2BC771DD29266E2C" + "649A94F3F15FBC71A561968E0A755D4D0AC7540B9E674539AA4" + "D15D2FE81AE969EE492CE89104F994C6201EAB2F6A726D9AB88" + "479E324789BFD003EABC2944C43BC061C1E24B7DDFE1C980F65" + "DD598C33942482475F4D717DEAE78BA3D8A7A887120D9A814D5" + "81BE9D593422AB033A1776C3C7A6DA30D4D83E8E120AC733303" + "C401B68D1CA76B2A20AF4FF0FE49780E25B43850D495BA91AA7" + "27DBE6E28B677C8C7DDABFEBCFAAF67B8ECD8BE1B459BDD68B4" + "29E7B25B6B0A02DD2BF0ACEFC5CBCFE5CD07C814E3266027EAE" + "612C39077C810E766A872A79D68BC8FE8EDFA04CE2C80325C2F" + "EB03B5C838425860B24A6BB2D91BFA5F67102A3F6ACD3DD6C93" + "37BDE3E94699F3B3431D8293F793886238228BDDF4B38F229FE" + "244ABE471B16A1BCC73BB7BAE6A93788DE0D349CB75729D422A" + "FB32CAECCEFFC42B7BD0694B154286F4CDA4517534D0C2FA7B9" + 
"8E72AEF0E2B8D8E0BB6A5FA82EB802C27511256C1352B20D2E5" + "9D0D3D63FF5EC33670FA27CA69D2F586826D3A1EA098CD9CCA9" + "231E74B91E999EFDA12F63FA8076A44894B40840FDBC4D25DFE" + "1CF7")); + test_hash (&nettle_shake256, /* 82 octets */ + SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), + SHEX("7FC1F7FC27223766C8F4310087A3C54A5A8AA061EB20D367194" + "243BB62C7D90099684BBF368CB6BB71802C62C9F3258992C0C9" + "79557622A5FB15CA0E50A26891E73790EA3DF4859829B4F683C" + "7F5C2DB0FE08ECF76B9D4E897AB80530D9F1D1242B42170C198" + "C7852566DFADAC5740D61A52C4882F46E29AFE2C7335C5A1157" + "E5B93610D0A8E4529D8473330547EFE22DD9757503C7A67ADA4" + "E9B2CEAB8AC5B383F2D6170D6D6A17C03EA9F9B9399FD6C1CBA" + "624E7911DEE9892B31D463B3A44946FBF246D773629EA484CD2" + "0B03D8AC428BC8AE87CC8182D96F8D220A7312DDBF191F45849" + "3769691E7585CCD740C30FE7D63101023867C9A3F02D999BC0A" + "D653B71DC9A611BE56A44D4DF2DBDE402A0B7B6D7644B5754D5" + "0DC81F59FB17F7C38E62427A844DB406846BC74DAE737E24FF8" + "06505C5C4351A54AA920CAD01DDD8A5960AE143F476608A6DB6" + "168FD5D72453EA010B1139417277E6C5116D1D32008A40CB300" + "6FB65EE9D4F5F9AAB1648B3990F5B9DD338836460075B8BC504" + "B4DD2FC04EC57DBC63D32CA39C07EC7C2348A459FDE1533B30F" + "496F84502367BE809D0AB0C6E86474EB2D7A3A4CE29CC8D0ECF" + "B87B4662FDD789A99034A64C5B40F763D098888FB32346EB644" + "C28FD6BD6BB62E0D5AADAFFEF0BF0BDB801A809F76D79B84606" + "183067B5056528CFFF3ABA4F0EC0DC926FFCFC2377035C8B5F1" + "0D57")); + test_hash (&nettle_shake256, /* 83 octets */ + SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), + SHEX("1BDC443B8F1E6A47C575A1158C00EC9E69048BE22AC067CDC12" + "33171A69E773B6319B0BFE0281F0CABB4DA1F75C583320A96A6" + "2FE8DDF10D0C3F7871023562177E827FE0B58A02D38C5A4903B" + "7CD8B0CA80012238372DC5DDA701A4287D071FA2B29771F7054" + 
"8CE43ACB0F2E5A49313FC76EBAFE8B75E121F0294E417323EC9" + "BCA9FAFFA81FED2AA775AA2D2C641D7BE624EA861BD5C24CCFD" + "AC1FFDFAC4627C3985A41EE5EB57E229E1A1B9312C6FDA42916" + "05D26BA4401EF106DFB5BEFA7DEB27500F11A09617E8CFFBD39" + "AE95D9EEE736EBA41AE469988947A863FF6BFEEA212EEA29297" + "025F96453DC3AD935E75F12C5A7F0E6C12213BD7BE910D70EB9" + "78624843CA772959B5918E29AA377A7B4413946A97E546A9A05" + "BF107C881C9499B9E907A667CCD1B3C64D674E3A5796EC33F6D" + "6E4A2AE7D114D744BEE7729773A627C063133AEEEC4757F999E" + "A7F01298A783C32934D29FEE45E2048322AA3FBAF20F9D70C1D" + "8A0183A630E3E73CB2EB1C934DB4DC9101C949C46C1954D95A1" + "7B7D362B87FC51BE9FE98FB76B19B7FE9D1D76104D3D49FA7F1" + "CAFC252F2E4FF32C3CA43A23947EEDD4B88EA640E58DE625CB0" + "A9E11212EC1FBB24BCCB39B06AC90973BBDD279578666E4D169" + "290B0321C5B2197B6A5759FCCFD8CFA820ABA055F81F1030840" + "F3BEF889E8ECFF87D0EE1C53DB99F67827710DD0CF59346F2CD" + "53DB")); + test_hash (&nettle_shake256, /* 84 octets */ + SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), + SHEX("78FA82E4172CD8CF41CAD3D431E39EA0C6A88544402B5CAD9FF" + "3D8CD6DC8890260D989AEE087DAB49C092A94975EE3D5B8706D" + "0F1F522E5AC350306B01B4B19A81377667B20C201241315C3C0" + "5A9F7484EBB70E79588EEAD5D9BEBE5ACC3E226B807B46192D6" + "4A2CB886E4B811817CF7F219934C57D5DC2D00E3EE234B579B6" + "B6E2D5346D3876CDB3752624E65434E88D55E1284297CAE6249" + "95B1B37671B89C57E876FB361ED8AC6345693D82BDEBE00AC37" + "DE6617239205AEF566C1619F406F4CB1C9777AF2C07F693E35E" + "4289ACBD91C59F067C502446F21CA1602D10CB1D78D18DCB043" + "C4B4E06972178BAB4C90062342FF3646CEC8120A5CD14E19715" + "F66EC6F619DA0EDBF1C9D9BADA80F0BB210F09476085CDF3832" + "06FCDEB987623CD69D591F301D8DB94018EA3F90B8F067C3E14" + "7771F148A60B440CA6BE7A1943F544375D50D45DB2BAF339441" + "90F19446F7A1F04F7E45D59B9548E01EAF6E4D6D525B37A6576" + "9D280DB6DB391F27A9D84E4D97C7CE0AFCA3BCCA7A97636FF37" + 
"56C6CBA855DD5C625574277ECA6A2195027705827C0E4FF945A" + "A57E25EFBB65F5128D312145C5A8DA0A4D46D805C3F6ACFFB15" + "1B0484EF811770BDD87935CDDE0444276CC8B64E84B877A31D8" + "17E95963F3621AFE6FCE57D94D50771F91CD0AB1BC61DD97BCF" + "03EBCBC2C2EC687B705A2BCC5D0DEB20CBE6459644D14633C65" + "B256")); + test_hash (&nettle_shake256, /* 85 octets */ + SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), + SHEX("414EADC6832F91A04B7700E668AA487E63DB05151E29EF1718C" + "7D9F4C6EDD1C88B05910F23D8A854B94C7156C421126272EDB7" + "3A6E158350EC7A39980DA19316346D1F330C3FB987D7B4C46B6" + "469B7A59EB6B1649BBB7BC0E074C00A152517624F22A4A58800" + "447E7505D55F687F08FB939D1AA6DF8E73BAC6CE88467B30976" + "150636146526031BAC9F6667AA71516F9C5F70E502D7D18868F" + "6DD359D8D026A040AF3CAB533EA5A95DD7CB2006552796C5E1E" + "B2C3B46DBD9F2481F1B428CFDD1287299E7C7129B377E3954AE" + "0EE96F955B7F0354610B84652705A0594C045C3CDBD1B564BEC" + "43FDB5928B905023B1BA41B448E39E649C0B65CABE745C1DABE" + "9352D05F165BBED160DC2C52794C5D0F07D1E18F47CB94F2F97" + "190944BE08C4BAE53755B30D062B3D697575AD56FD4C75ED40C" + "F7C239941F7B052500EE5CA7CEDAA9190988F47A21216E907A6" + "3C795D2292CE926D541F331CBFFA9F16516D54999DFC9911310" + "CF564D8F1F00B92BD9FAC0AAC99A951EAE3175AD20558E8B934" + "E05FF58351056466A61EC5CF4F11A01E3FE0CD6EA280E278388" + "99BCAF7FBD8CD4308098E2EE71A4E9EC258D03118F0BC4619C6" + "6E52F35F1AAD2378D82BDA8ADB750313705D41263CF2FDEBA1A" + "D5E025FC76DC620CDC3B684ECDE0283F9A7D69A8463B58F4AC7" + "F5B1E2F3F580CA7F4188F32706D722BE4543E8E0942B3169603" + "49B3")); + test_hash (&nettle_shake256, /* 86 octets */ + SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), + SHEX("0CF9AA0F0478443DF90BEDFC2457009F3E58B06EFB22D1F282D" + 
"A4A2320623A250D584F27E2D45F708DA667A9BCC26E35C19C55" + "B16A993AE9D98948FF2366D8A0AA06915EE5712D137D46D48C5" + "36DB9A25BDF88F99A941683E342B5541AE481B1BA6A889B7ACB" + "E9A6593C53349C1B7D6FC8FC66627A2FAF7811C0F0A49D90424" + "6B95E9B668E8BB25D521F0905841B7B2AC64B2E359FB48FF29D" + "7A314B1D2E7E01B0D210986664C249DC711346449FC77BAEE4D" + "F54344CC18A816AD9C980BD0D9D01C4AD4EF0C702CFD8780510" + "3910E81CD3F6CF4D13D1398E755E5470E23ACCA6B510CA59FFA" + "0B523A9D7FF7A5D85FBAEB3E5A9C11D947AC5FDAC04B0B77E4A" + "E7943F696849DF0FF931E2300CB099F0DEF86D835A8AF4B53FC" + "6C3D38BA33158A1F95690E8C5560C060B0E48783AF1E2001BB0" + "4CB4399CD27280715AA0EDA7AE754B8A13F84916B003F87DCEE" + "BAB5938FC4342167EFAA2A889C48CF92F6892BD9BA41B61CD1B" + "3BF94D612C2ED603687DE8644613605FE9F066E4FCD8FF75DA8" + "FBC9C63C37D1828C173BC4AC668AACD20AB1E3F449A7BC4F4EF" + "0A6AB8D5B0A70CC2D706B6C6821771DEAD7CB29F2332F4292DF" + "7E397BDEE393D57B06A1AAD3DA51CB8F1D11E43D2FDBE72F69F" + "951D0FD9217F4462CBE5C701FFF1025515829CEBBAED488FC26" + "798BEE9AD6CE88F33029061A588E177BC1CBB24EB393481F3B6" + "1616")); + test_hash (&nettle_shake256, /* 87 octets */ + SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), + SHEX("2B8F5423A417D9B827D98AC1D21EB7C1CDF4348F28FF08B6F06" + "389E4CC2311C5721509A5888DF03F7F4B94D42CB66F3B885EA8" + "B130934A1025220769D1C352F72D378F3A63CEA1E762ACEA574" + "66C3AF188772872C16D889F06BF0AA321170FC1AA842B413BFF" + "9FA32FC1E060F868A370434C99FE586E8DF4C6DF1D167912F35" + "E7BB983D668225DFE5A00241A1050702A5CEF8CB5EC957B779D" + "6CA1C9F6858ACEB4E927E104A1DC59C5E90B31F4A6E27623B46" + "D40D472D6D4B6EA6CE8BA4721A5A765DE104C4ED808B4EBD73D" + "60A56363727CE0273710E63FB8A2D565C49823823F7B001E44C" + "8571B885AAC4E14F8651CC95C11EDB3599BD85989C931F866B7" + "C63F80EFF135DB2FE1B17D5DFF147959606FACA0FE22E5BFC88" + "D43F6057DB91EB0AD0C5491B66B2EC9B20EA01E215F40922F41" + 
"ED4ED64616960272617F32D62F28897BA03C5A8657B1DD4ADBF" + "0F8E53492998922A47BB2D7897502F8687C465C8A7615089062" + "108D70164677E11E1F63917A4F230E8C577346F880B7B8ECD06" + "40D10622131731CF447662AFEBBB230C902B28D8445C5F3EA03" + "1AE7AF04F5B22D3AE7CE58C6CB4EC4158DCA5266AF0C50F609B" + "12C5F4527F836F8804777BD6C80F5D7D9B0F317CB5A663D3B7F" + "3225361EA81415CD5AF56BF24629D511A80ECD169AAF9558AF4" + "87D46A569495A70C76CFE83462733BF58B2A7C78A7EA1FD0561" + "1DDF")); + test_hash (&nettle_shake256, /* 88 octets */ + SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), + SHEX("C52001EE31F26ADB120EAD7699EE35AC178D71FB5B073129955" + "2B57DF2A4F521A021CC56D54F2B43D18D7726FA977FEC221F68" + "19B5B7F933BEE2EC643B67E16BCC26A7DC1BB1DA3B40F2FE026" + "45CF5BDF3140E89ABACE926E710ABF0F07205291A336187AAEC" + "AD9371DA35867EE8D8845E09FB47269ED94D04B47A3B6C460BF" + "419F13AD2F65D63824805ED264AFFCA9E7EC9774C4E36695806" + "86C0A02ECCD98277365940F4CBEA5DD5B0BC84F981C16FA6CF2" + "D6F1A292EC956C7D0714C6895E96A7C884173E662CE5DB1018F" + "B512CE773ED4752CFABF9045269922D11718C572A94ACCA1EDC" + "04CE16D533B064B416684D921D46A8F2859E7D09660F620DAFC" + "C232029A20886A552D29CCC30509A3941847244609911CA6C59" + "6E2FD915FA8BE37D7EB41D403043683AE9C74DC7D6F4770086C" + "F8C6E101E989FD6A5C60E34183C4EF08EA869FE2AF0FE5EF701" + "A6A64EE0D0F813A14E574D504E219292C103469F9A11DE75083" + "2C2BDE0261475856D5C9FB4727CA49EA81908A1F7FAA20248C7" + "39179CC09D93E4901ED63F14A57B20EF9190176A27BC07F912C" + "C62DD1328B032B893642118EF3426B1A8B95A0E36FCB8A77570" + "25606E9E485B56E84D0E691234E072AD64FB8E836118634074F" + "D8362405DBEC4D8AA12E9E84068EE3B29B7F573CE1B52649CA0" + "DC1F758C1D4F5E2B72A861D6326F01084B6B49E478FB4CD8EE9" + "2750")); + test_hash (&nettle_shake256, /* 89 octets */ + 
SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), + SHEX("386C3B1A524F2EC39C33FB31CDD3981FDD57F1E33D04FAC5482" + "8C54F42EF763856B72202799D4CDF4AECF073B8B9EAC39F0F69" + "54545BF60DD55CE2FAB4558DECD7E1A5A40B87A293D35394DA6" + "4A4F606956213326FF4D8849A3F19781AFA9DBC0AD0E0BED551" + "164275D4FC11638AF3ACF95C86994C27AB72F0E5EE366CA8EF3" + "9C000661BDDF23551AA368F347B4526474496CE14C30503C251" + "3501404987446A193DAE20C4B384D0D9926814BAAA863320946" + "B9759C7BF1BC890F88826DA59E028F641CFDF7223DB20B34B63" + "89B048CBB85C4A0E4E84DC5C5241D2DAEAA82E9092ED266971F" + "D185D3B661971160C05C4B42BA8E1E8E31FE588C0BAA81A2BF2" + "017B1E0B99BC360FAF13315CE88CE653C20BBCFAAA8ED013EB8" + "9FA5DA39FC49D99E3C050E622122B7E393BD933B72C5392B165" + "E60538BB6E29DE30A5947053D4A23038AAEFB13DB8BA4FB3B1A" + "65B474D94E4CF985B2402BF22CA7FB723DCDD83BA875DF3C603" + "50886CAB6A1BD02FAB32F1DCA0CCD879B351196E1F8BCC3531A" + "C653604932B69E7365B8B61E557585B7A836379D0229844F6B5" + "D2C4F31A6BA2CF4A2585B7153C6005D10526DBC144189B0747C" + "BE58EDF2F4FFCA80FF99A4BD7C8CCE3BCAC36AA5D0D7DC2B231" + "A5B888198AD71042CDA93C5AEF246CF3FBE7A663FE60BC04CEC" + "70480CC2D83C847371FF5347A93D54059926B6B8F52CE6AFD2E" + "5630")); + test_hash (&nettle_shake256, /* 90 octets */ + SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), + SHEX("6BB18C45BE71508441EE815061ED782F4BB5ACF5393BC9BB825" + "FC79CAD025C6D970D615F4285185696CE226969D5E06E1643F8" + "BA93F5617AFB096ABF46DE2EE7D32BBAA335628C41F1FF30841" + "8556C51E6DA30639BA5DA36A14976DFDC013551F632133723AA" + "9555B8B11BF0594457A6B288B01185927A48412019E58621806" + "FAA968CA26366B884C428607D2D6FE9E8924E6D8D769A7D2DE9" + "0195AB6DEE4896ABAC3119FD15EE61251FCAB1D3858527E2E6E" + 
"1B8EC05BF8659EA345E519CADEDD779E40D2508BC6EAC6FB531" + "DE15CF7F3478A4288DF556D4B6C9DDC5F1B6071FEDF3C4F9A96" + "0B18F8301064B4F83620F2402614C600EA80FB2B24BB9B8B777" + "BBA3010AC1FBE61AE18BFFF9502F66111B8CA1E0DF671C311A6" + "F11697DD8C245C4B946B8DB03D6C07EF14C45CFFC328E6C1294" + "8D4137D6803469E996C1D84C3C1DBB8CFCE592217155DC8F9E1" + "E558CB58693620F57F5F81578F060B23A1A75ABE8010FC53852" + "4DC1B5543D84F5F28CDE4AA509B8A034522F2F61F8E3A683EAD" + "34ECE04EE84663475D65D6DB75CD6FBE011D6F1994D76BE3566" + "04D93311CD0410D3B022FC328CC850D7BCC1BB96AE45E8B4C9E" + "53904FD8BB8B0FA1D8AAB9BBEBBA0724DBA6A2C71F28AD705FB" + "E6BFD958FE493AC47D70A1C4B3BD738C519558DF9F66130C688" + "31A7D748B7B382023810865CD9989735E25186690FA187E8E24" + "B77B")); + test_hash (&nettle_shake256, /* 91 octets */ + SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), + SHEX("51F3DE30531335B02C0A8CDA5285FBEF9AF618E433142E9E971" + "3388602B0486A99707BE420AEAB53DCFACA68CC6CC6A3133075" + "A518D2EB1C500F0AC2E0B8A91D3303594BB38FFC45B80AFB8E2" + "5C4304A85280E6124891E739FC9DF8E34ABD9262DCB4330C2C0" + "F22E78447B3FA67677ACC1F3D8E836EEA94AEA4D616132650C9" + "288804C3CCA5F1C0139624E198643D52C42960052FBBCF89AF0" + "0D58600A9597BD12A39A33AECEEB161EE527398BD915ABF6427" + "46E4C965A77E916E700CA905CB70222A3A8B8C5DE3ACF75A9A0" + "065681497F27AEE6B1F4402EA711CE6B24592BC637F83BAF912" + "D3E10E0A7E03CE9314FB264E5FFDC3564307362837C28AFBE2C" + "94BD89AD3CD4A48C1A2EC38090C38E6CB4174149CF0D5841049" + "C1D7DDA1E51DF8F3216CAA119A9E3229CAA062039EB165F4D5D" + "E68FCB76ED32F1E191166BE83CB6384FEC4528588D8A3188A9D" + "A7BC1F5DE68C42D9E2934CC1010DC535EC87804810C009982BE" + "6646B3C50DCAB7EAF4DC7786503F29EB3F1558A7341E49348F7" + "3479A2D3EE6B8AC076BF5AD17375D81F9E4DBB365B2489F17C4" + "0B9A4CC10F6DE034B4B81A3D4F81475BABB9581C4BFEE62C562" + "6FC436983570D5C6144FDD5A55E1898919A8BE4CE3780FB2548" + 
"32CCA90F988004D12039A947502216651775160D987DF82F432" + "75FC7B8A308C63DB7C28959AD9D8E6D27A5A551E685B6639744" + "65D9")); + test_hash (&nettle_shake256, /* 92 octets */ + SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), + SHEX("41143CE195B170FC23ED53D7AE8CA61F397CDBB72F261750A7B" + "D26CFF56212AC7BB1B18D002493F418185ACC703DF4417F44B9" + "3F4A7684D3D68F8F042A73C3841B6B5FA0079163D4881C39BCE" + "CAA548A50237E3F8DF20F986552978ADA9C4EB2E57062DB8D91" + "564BA4EB96503B932B5FBE3D88EFABF452A03EECE5B3E78492D" + "C555ECC95714A1C5C1B201CB42E10852C9A5FE101ECD53FC6AC" + "D7E1D0D6EFECF81BA76582E6E9CF80E70E52C0384EE05978A31" + "234DDD1C2D501DEC0BF1F26706F1C6AF4A6DCFE1E7245D7BFBB" + "96DA619EF27B4CD67527BD6B5117E4E55297B9474A5BCD251F0" + "F17B10F196CFA95ED3CE61458ACC55CC2BA83904796AADD71E9" + "78D4615E6588954F7D48B1BC705B497E073DFE2ABD5224792EC" + "A6C09D611C311C544BB332B2C9D144D24950F3A27857B9F9AD1" + "DB4DFB9AEF65BCE2C224EE9FE9785593CC9CC74D076BB5DC575" + "B4EA65FA59A6DFCE634EF83072CBBABC5AAA53AEF5CB4D2C19A" + "613D0054EDA3954BE7E649C2C38CFA9F7746941E2B77DEB63E6" + "2A9FFEC59D15329CD7D02FCE7006406F3119CF579E1F6F0A1F4" + "FC74C7031894D240B5BCC9A7306754AF9B43DF80005C7B62F88" + "5574AE9C44B90D5CFB93990CAB41FC3E9962CD0F8047CA1AEB1" + "399FAAFC6D6FCCF66B2F02CFB9532899CCE1AA8E822EE9498A6" + "7C3972407DFE98969F9DF9CE328A4B9A1DAE1651BAFB32AE29B" + "F666")); + test_hash (&nettle_shake256, /* 93 octets */ + SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), + SHEX("1B0D344DE5A414960E67D684D301901D8E89C25EBDF7494DB9A" + "1FFED44E5D688207F4533CADD09FC8BD428FDC3592959E90956" + "13BD808797BFEF5130FBFCC1FC72B58D93BC4A291284115D5EB" + "47911FBC0A4AA5875AA2B6EE1E1BCB296507183AA5399AE8192" + 
"EC6AE579D9AD172F72F5A1957BA10B0FA4E9666FEE9611B0487" + "30275A0F4D6D48F98D860939936C9B41D1AF5D729B11C930853" + "46D8769C141B81FED9F17FD85C0197380482483C5F45B3D8BEA" + "2C2E90EEF2EB489B6986A891BC0F29EE7E2943355E4223C2414" + "27C49D7A897C956323ED10B074132449FB6371A9BFFDAB8D113" + "282016AF1F7E8E26807A0B0B4809BC035BAE86F476F7FFE002B" + "BE7E30B4C06B00E712F1D54E954D59AF083DA123034E73B9854" + "B45E9BC2EFBBB7282743DC5942BF372D94432379EBEA4A65699" + "7088004A5C2AEFD6A4CE6FE94C2A06C8A0446495DF224269E31" + "0F1DC184DD37ECE4EE46038369C031FF90AD3787331AB6BB1CB" + "AAB7A0194FBA947FC6485B371A684E7E1CCF4E9F4D272158A36" + "B559451E48095B3C09328DBB52C7659C7E163504587962D87A5" + "E60BB3C4868CEBC204238FA08B97AF71DE9ABE7F409AD0D2945" + "5E1CE59433685EFEAAECCBE01462B1760FE25BACE44CFA6E1B5" + "C28DCA00790D96D2B6FAE377CE4BAC7CE64A97AF68EE913C331" + "07E4A62EFD4CC752DADB23877B54795A43A7AF8593E085480F9" + "B43C")); + test_hash (&nettle_shake256, /* 94 octets */ + SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), + SHEX("69271E30637CE53639A9A80582F8E9D91E0A19AF1C25A4E316A" + "4ACBFC4534D7B6DB55BBDEA37F2526E5CA0407D0A39D06E2AFB" + "6538C125B3390A860E033378440419FF91634BCA42EEC9AD80E" + "55E65D43147358146038C9BAEBAB808C1A9B2D796BF22BAAA54" + "D92298212E7101E56D1A0A229CBCF9E08791C6BD464EB997164" + "502445C2993B1D2A6AC4242D1F4108C2AE4DBF48FC403FB8F35" + "3C5CA3EDC09C5D4993048962D1DDB474928BFEE27DF6AF8BEAE" + "B264EDD09DB4950AC5E12561751BD3ABC41C9A81F6C5C339AA9" + "F7266CB4A28EE26F29571A7F4C9B350974BEB0AAAD642D9934E" + "9EFF77ED136BF825A845041B9C01F0559BB1987FD6FC951322E" + "4A4B4EE50C7A7CC43324391603D689BD19ADA54982E03A2BD12" + "610A09BD076C0C3F6D6E0CA348110D8DC5DAA5C842198AC5EC9" + "2A79099ADEA1FDA0DF0B35E8871373B312D61554391DBC9E1C5" + "F9007C9D3799C24DC4A0894E175706DF7D04EB2D69D90BAB571" + "17E04B681FB24945F3BA3DD7F1912171556464500D4FBB90840" + 
"08A79EAC50D8BF59163AFBA8E0F1E5F82E15255398F62890C95" + "21A0571813210FCCB582818A6D1747A31822DB55C4B6BF15A19" + "076B7D6349873C88E86BD87D08E0058A212780C86915CA559E5" + "81EC3DC7D5BFAB9C5403661F09484F908DFB2D98B65F8543FB3" + "F102C2C5D0B89B15E565E9B04E07F7141E35102BDB056801100" + "B160")); + test_hash (&nettle_shake256, /* 95 octets */ + SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), + SHEX("2730675F5F4DB76D342EAE88CF856B370982277E24A1F95E071" + "EB0C28D6655D9517CBA67DDE32BA6A4A322D37AD4A4EEF90A60" + "E2FE3A568417BE75432F57964BB1DD7A5A165C24F38F4085CC4" + "551C35BD0E2663198DF04EE86803D75EE5ECBB14D7BA6166934" + "32B0FFC83F27E82016D7E3436C2384D1A7AB87E4CE758A5A83A" + "4FD63831D6F88E4E80D1CD257ED4B418FE1BB498004D1CE8CDA" + "CEDE429A53F06EB77D0A6AB47BEEAEE12FEBEB07D434E26A719" + "57E55F4F3284BA0F8157DE3F1C8E0E4874DB4E65E5243982BFD" + "57A9E70D18BE390834A9C3791E6AB6341739A963A946E1DA81A" + "4D9B3722BAC231191EAA013E424C2B965967AE986D50426D983" + "0E92499E0808FD6EA92A8A1054F93A0F84C11BF417DE01A7B0B" + "A5890172BCAABB3D2CC23853822960E666558B2B4695F38A22B" + "576757C0A1A84437E7B627989A4053B14954ECA09DF2221D6C6" + "E88654EEA2A741DF3BBD6EF2A8C463D797222E72DE8E44C8C6F" + "2FEB44E3D2310ECBB139AAF3FE2C4B2BC9D7142C0291BF9FC97" + "71178A484417202DC721876800E010E53F1972E3630B5DCE021" + "6351E687552AF2FABA699A4E3E0C5385D80DC367FD0D07258DD" + "59A6BA5D2E0FFAE60A5E0C48243794913CACDFC14D20001CD9A" + "097A9CC57D313006E0B8945ADE9791812B63E98A291CB009E89" + "9DFCC7BDF9F58F3866F6C33AE77718081A517720C34DAEEFA52" + "7641")); + test_hash (&nettle_shake256, /* 96 octets */ + SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), + SHEX("DF6FD8F4E768031B0CE25C199F02EC29053EA8200B7EB306E80" + 
"2C8DF23CB213CFA06C37630A3B14570968948C5269A67706225" + "27C87D432098F0CBCCB733A5D28B035CADA562BD0FCC032D2F4" + "5DB8D2C948FB341AC2B0C5C699C62BAB551553099E8A21518AF" + "F800C8ED42B44DE7C30F29E691C1435CE72CB67060307D1B1C3" + "8192FE198AD3D20E9E12A8C9529F8A134A0CCAC8DE552AF3FC0" + "5D48FE2E3ED1DE5ADFA0B7C324320E262232A14D3A7163A0498" + "0CFBF087BEC24E356DFD8AE4DE9B0620BFFD1FF904E58B39085" + "22AC13D1D541F662D95008B1F8C52DA67829B7CD208BC9B8A3B" + "6927E575BFBF7E29F1CAD832D9D01ED41E5512ACE419B92F71F" + "A0CF5F79E33016D5E19EEFF561C94827584623118EA367D768B" + "C24927C92FC19999FEFF28E3A09D2F266B28433CDCD51589571" + "1FC081F8B1D143323B680E8B7469EB0FDD467143C292C8D822C" + "C16111E9AB2A0C9EAD40B2867303686FF4B9BB4DEC4C8B552E3" + "796CD91443AF8C4542897769EADEAEA39A366E91D65E92F06CD" + "6554A1F6CA905996F5F62CFD559D1B300D912E6FF9166853488" + "0E6A8C414FAD3C107A180BE3E0BBF4F33CDA343032D01C98C63" + "20F6DE582DAB7B15FDD6E75AC3AC7FD079B191233D872AB351A" + "E1A56F0A4CCA8D0215CA1FD5F9C45EE171F4BC72D18E78ED6D9" + "D651E40AA77522F6E3451995FBC3207FC0F30D1B39EE836F937" + "1A36")); + test_hash (&nettle_shake256, /* 97 octets */ + SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), + SHEX("3C891240ED9F62F45658B5C1D3E4D77975E45CFB10C45513927" + "EA9D911B3E41414DC0EEA38C8A6868A9E0AF20F96BAC833C1DA" + "F71D0BFEABF41B8C26C011495F8DEC94D72ACB5C5C9ABB1C372" + "F8B779BE741C860E722A0F85CAAC3D21C6C9EBE61C6489FF558" + "1ADF5650B6416E0E88A889CA60CC641052D601D491057BEF36B" + "4DC3B5B76BAF0DE4E7248A40D9BE6D55A7E8C26663828D08495" + "DB33F94ACC7E7E49A7A61F352816D8C4C0E23F36540418AE6DC" + "009FAB33C945C6E48ED60BC466478788002220DA9A5560425A6" + "162AA03AFD5700CEBFAE439D20A85F2CB826CC8814940F2CF25" + "E34754D8DF03DE448FD1D1AB38BBC2B1577BB1BC39DA7B91B7E" + "63F78C5F43A875C427BB110E0D5FF07E004AC9D810D333300A2" + 
"778A06369B7CD684AC86AEBC97D7B9C09442C35E66925BB0E4C" + "04C5B3D11267F0F3812A5BEE8E18653D98B6B586D5735D4D3C9" + "2E3B76DB5BE509AB32060E954D97FC8B6A428509EA98E4F8210" + "F42DB3229E07E1EEDA684B47911556A8C34FB0DCC0998A781FB" + "CA574FA891C24B35251C9D0D8429763468CBF0214B2D1EC94AB" + "3FAE82E57C748122531C615BDBD4CDA56ABF319D6EAFF738BDA" + "7683BA4CDD78737941DCAC4FC45E379BD6512EAB6D14C4F3D57" + "48A3CF45713792D314F81F1D1F5ACED67A0A9AA026433F32053" + "0632E5F72122B63ACF01F2BCCDA9BD4FC579E6DDC1371DFCBF7" + "347B")); + test_hash (&nettle_shake256, /* 98 octets */ + SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), + SHEX("201561B1D68F1AFB93098777B7D95E56B790194F45057B3B50F" + "08EA89436E54BAC9A5E945BD1CBB51ACFBB0D61E539D1B3E896" + "A1BC1426C1FA408B5D16D706457C35E3D67377AB2817127A852" + "DA463FE06D2EFDD25016521F19B8D5E54014A54E297014230C8" + "1C917A983FE4429B47F6A460FCC4AA5A4E1E322CF74A9DAFD30" + "D313D2C0F9EBD1A8468A300F12E6CDC0E971BB7BFF172593C7D" + "B286F467899B9A23ED3E222BD6124CB9C4FE2AFAC157CF81FF0" + "98F021B95F1069D7609963621C368AFD3EEAF84A17F1469AEED" + "DAEC2DB5BFFFBCC39A73AA2A62578775100A92AD74DDCE3A0DC" + "B27A740A6E7C0F4C3E36E4AE55B04F04CB7D9527176BCD94DF3" + "B884FD4CC2EAD608CAA016EDA2E2232D0AF888A3ADD12CDE0D8" + "488650EC6047199842056744B77FA806BBBB96A47ED253192D4" + "6B47D828EEDB9DC0CB38D576735E870826F829D76F58CA7F3A8" + "0FCAEA1CAC1BC38A6339C307F23DC25E3231094211FC867B0F0" + "BD9D1584FBFF5A52EC3B5624DC814208E484B5D069B78A577EC" + "CC017FEDBBD139C13B50B395AD16CC551430229B56B4D75A145" + "88A765728774CC234D1DC46F0E64E7845CF237330C3D2422CDE" + "F5CB1D741741DA30F39D99035D7F7C49D6A3149D02DD061F853" + "23D6E0054DB7395AB8FC496418B7770355B854FD36FC1DE72CE" + "F330976C2FA6FC73469B71B80F5D9B5CAD008C38746A54578C3" + "D195")); + test_hash (&nettle_shake256, /* 99 octets */ + 
SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), + SHEX("42A5915CC1DBAC56FF74825DB482AFB8752991EDD5B8F5D040F" + "E45B30161C75178D5D56F8A6FE9B11A71E19D0EE241A656171E" + "BD9501AA4B5F2CF0344FBD23EA5035D9A2C42FCFACB5F13D921" + "2805F353932169A0628D015644ED450E8F8717A1901D5A21FD9" + "F8360054946A29CA31DEBE683956FCC9F862BB5AB04F07AB11F" + "751FC8D7CDB0FA9C616DF691794C6D26CC1A18A45847FEA7601" + "7D57D9BD6BFD1E5CEA4C92604ACC860252DD0F53886C48D0187" + "054BDFE1939A2E6D5C570A82C300A6553BEE5E107EE319435F0" + "AD18B92552ED9B4FFFD472CC482DF76B6DAAE5432D17C247544" + "4BB76CD79313CD14620C1D2B3487D91C25A47ADE446E1DEFA7C" + "6D2C2ECA3163106F10EDA5779EA6C21F8D778C29CA3601FE5F4" + "56B74DD08C7ECDE8FF599B26540624BAB26314453247A945612" + "4F680E68CB91B8247E0E5A06CD366E46055F31712DCBA81B590" + "FBA34C8E619C8F3EFD39D2B69CCC6C3D184FD058A9BED65148C" + "E65680F31715373526C509EFF8DDF378A0127E1482809CA13A8" + "34FB3A1B00231F6B69A8523F72EF580150A4805981F9B1A7488" + "AC880BC4018105545707B85F24569E4F864C30E66E750AE2065" + "BFCEAA2DB440250568C6909590AFAC5C1DF88D3E6F02D2B4D60" + "9460A6BF76FF7994EB5F64B00831C849F7851A3E743DAED3866" + "8FD1548B333A01568140B1DCAA00E180429EC6BFEF620B06C98" + "DDAD")); + test_hash (&nettle_shake256, /* 100 octets */ + SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), + SHEX("BDA93EAFDEDDE22B029F4618B2135E9F7AFA583C8BAFC3B62CC" + "667C4704CBCDD4AC6620361A0690AB8E857335C150C2D70FAC2" + "C2F2D60D6472AE760C082775D54C8EEC450421D536B1A94A5DA" + "5D803D951709A7F5BFFE63454306D7B229CCD3A89DBF9436C9C" + "91C01A1D0964D86DE868B4FEAE6E3B88592A85E2BDC82CD5C52" + "968C85F429B08A2E61E1FAAC0945606EC462EA7B2AF859609EA" + 
"AE3025E43B4489F7B1274922FA72619B9EADE2F6C04D5863B03" + "EF76189A81B9BED9A47BCC53501E96C2367067012036D07B95A" + "C0604FB0E6A793881CD81D9577BF495FF769B72DC8B0D554CE7" + "0FED81FD3AED5426525241924423A4B11391D3AB16C02577ADE" + "31301960A579833C3FF5F9DC0EC068C3C92234B9DE3051B5833" + "0AD87D0BB6F704B210E1C5A167684025AF9791757CB0DA0517E" + "4A271C89AEEEEBE529609529B69E9A53C1631AB89AFA3D0FDC5" + "82E923E5F2293903B75A4C321117BBECF2E114BE505DE8CAC60" + "8C1DEAC6FA33C658D72454FC5C3784989803A839D565DA08436" + "E700F3BC8DF99BD3465CB4C1E8886FB20354E132A629FC964B1" + "0714F006978121E9737D70A77DC73FF77830E2DFB3ADBAABC83" + "657D8700206AF318714867A1BA3BDCB8354B91F4F1A8B09BF54" + "805BA01BC303E5F9887210584913C5130B643F15AB603ADCA3D" + "918C3D5F15E97EC27FDA51E4E6CB73402AFAD08678217E46B0E" + "2283")); + test_hash (&nettle_shake256, /* 101 octets */ + SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), + SHEX("E4D90A392BAB78DD363C8747C586035358F051EE8909762C3D9" + "AB4B2F1B7EB50B4738423C4A5087A5B12A9DEEFE186D0086F4D" + "D0F9131ACCE891E43D131627316AE63C4E7D1250D809E78F94D" + "276EF45C3C8EF4A37AC5910F1DD5F95989C938C98C55771B6DE" + "1AE68F3A9015C1FBF2447F3F72C15847EB55E0296B711881E0C" + "8518995BD7F75C3AA9C1193F3F7B47B9C133AF09CF53E1F55C1" + "7CD96318C821DB4A6C7E79DD718684CD83D43E3EAAD165FE26F" + "A204B797C59F33589E92C43E7E799E5A857ACEE310E66F1C99A" + "2406CF4D2690DAEC060CC7E3019CC4A842881657E58818BA193" + "E4C8B8113EA7B3BA930ABD58A7965F4A176CD5EA1447B417476" + "94FB36775FA90999D1898949F8CB5943013A9CBE7654FC5D7BD" + "7C915C1D251A22D6D8F7671D77417459366581C5587065C55AA" + "EAEAC19488876ED0D5E5F2F3F0A07006500D03EF8CC151AB6B4" + "6D587DFF8930AC8EDC3845BD2596387A56825A0036E1FEFE70E" + "2A53A4C19B5E45AF6AD1C463042EEE139B244A7751DAACD4CA7" + "C5CA075D2B639FB6AEE355DDD4FEC35F13C74E822E5F2C23A52" + 
"EB2C2E209B62106195BDB80F19EF1636CA813E2FDD96425C971" + "B6D0ED6B468A5E8F462D521E41586D7C848FE3103559D65B388" + "A0D0F84FF6C4A48318BA3860CE5F2C419696931CD89F41733BA" + "B732FCF8551B4ED28A3FD2F1DD14D2BD570048FABD6026C984E" + "CBC8")); + test_hash (&nettle_shake256, /* 102 octets */ + SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), + SHEX("AB362A6667C3143E58DB5D5E18294445643F1FB212FAAFCEA65" + "6B4C9C9DA509609E7B99AB0BC1C7F782CC8BDD2C2C49A029910" + "9F842442A6433D9515BADCB9E961C0EAA0CD90906C2970171EF" + "25193CD49FFBE6609BC0F5702CC3FF1CAA859B50E59ED6407D9" + "DA7AD2D44EA36BCF8B3F48AAB75C1EAF0C2A8A41E33135358EA" + "ED3C5005CDF6114D35E4EA2B14E2F8EE6B995CA73FD75E281C3" + "A145309C620B66718E058E171740649DBF4786E8B83C19A5CD0" + "FE67B68E3FE2509662D968F4212224B466D04E4878C70B47409" + "E5FB56FF2A5F324A96E799CCFC6613B28DF7787A6D967056968" + "7D8345FF1F187DEB2A909C66F5B890CBCDFE18594DD52328F5E" + "1D3B15F6398F9C3B880AF4D314B1924CF2FC30F96B45869E40E" + "4A147D94A4BD92E3CBF64CCCA69B3476477B79B571FC5F91152" + "9E151C3DD2FAEA561E9FDDF7DE4C93E5CE3BF3B90D25642EF62" + "740EEAFA53CB4356CD598E9CF40339CD8166FE3CBEFC35B5990" + "E642D5E2578D893C0A46505AF49280D544CE6865733C1AB75BB" + "F194A4B6AB0447EE0F33FDBE80A41E860D80026A2D0C3FC2274" + "C9A1BE2C07C57482B3E3982CE5495BFA0F9B5A10D2BC46F5DC7" + "8E78168B552CE4D6FC9EFFC0FAA5CBA0CFB66AE078E6DC8DB24" + "59C127F970B379E87A267C3A0A5E1672B5A16C93E8E239C9C3E" + "51A96EC777361D0583010D4A0773921DC48B63BA3155DA483C0" + "3D5C")); + test_hash (&nettle_shake256, /* 103 octets */ + SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), + SHEX("D5D2074E7D45403D43D0FCE78C3AB81E2BD601A0337B163AB2E" + 
"2E11CC4F0E73BC0E41ADEAECB5CE2B0422EE97DDD18869BCFDF" + "9B4CFA9CDFF5DDFDE53B05D65B5ED250911B83BE8B9E5865568" + "5A8D33C72826A1EBC1F244A433A9440B24DCFC691D9A78F3237" + "9BD8BBDF4F8E2F8EDA7CA1CF74FC4E8C3C07349DE823980D9EC" + "8229A3C43BEA5FEB0BB8F25610127ED1FA1741F90CF25DFE733" + "15D440088C3523D9D5BE12431EB81E23EF5F5E9CB1571F08DD2" + "4A7EB421CAA74C374F7CCDCDDEB4ED57297222210FA4930888C" + "9AAEF06E36C78C43BF9196848CB07E1D941C719CBFB6AF8A501" + "4EDA9DF9B205DC905B28EF6F29E2C29CF457317E01BB34ACD8E" + "34C67F468CF41729BEE3532833D147CE4E5618855F28936D3A4" + "EB6E0382049614A5DE0B05B317240A6E091CEF8A26C7E13280E" + "02D19A6635033633EFB03FCD57AE2678C639B262F016647C61C" + "E5DED0151951C7EB1FA1E3BBD1808210A3D22ABA98835A686DF" + "3612AE6536D2180DE2DB5103E4BE1B2D74A8482450BF1B9F4FA" + "91861505F5739F64D7C8CB8C5A3A2F864161F9B495445A1F668" + "EB9A86E0C25D1BD0C50FA6431C4D4BEED9F53B6E918008B3DCE" + "F98B484161A8DAC12C642DF9278601CCD80F789B770F05E8359" + "495DDEF5D6FE54086827FFA8E7B2BDF03A33397CA2898214DE5" + "A36D18AC33EE1CC0EE0FC4416A86815C7B98EA08C63D23CEEA1" + "977D")); + test_hash (&nettle_shake256, /* 104 octets */ + SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), + SHEX("8A80E00C325A49D17ACBB96FD41E874EAF00A0D141CB59DD136" + "3365DB060F20C1015929E88E0BA0589FB35CA348B3F02CB256C" + "D5FAFC7B1D1A7445C238167F325A2611F7C5E2B7ED44395938A" + "5CE501D6CF78C9B9560D8F84210ECA3AC12ED40954EA0C8EF36" + "2DE08CF11FCF47C34A3D56F271453BD62F74578F06B1C3958BE" + "6D87331D8128070C244900B6DDE1423B2561504156FBC045755" + "E1B591234960E1A44FA54CACB1795AD8EEAAD38FAAAC0A4EB84" + "6A18B42A526018EAC0A5041DD1200C4169124590ACF93F2F26D" + "B5D173608FB0B6C3C83F5C0B01349C558ED0E5851C9DE615CEB" + "684A3C9C663119444008DA4A12E9386C98E15CF23CFEEB2F863" + "2EBF15381D17268A5F92FD15D464D9E1F6EF896828420C9367B" + 
"14C2B7E886F42C439801E0F119D1086F2A99B5E402E786B8C5A" + "3B7902D2274FF1B5CB706AE0B5DA9CE63EA943B8AD8743C0AF4" + "CACFA6EC9A2BFB45EF680385568AACC518755B7A2C4ED40F276" + "E25BE1447F1131D064A5C54F3BDB80D4E6E1338108251B8294C" + "BE4D3F182F3F462B3983ABB7F25B4D9AC8A3E2F3CCA397148EB" + "CC154DE7DBA5A4820C677FADDCB502B6A67AF0DC0602CDE5BA9" + "83C7BE0235C8BEDF1916F51433D80AD87B4815C6C397A9906B2" + "D075BFC0F72431DA10F04AAE61545A62364F336754248606AB0" + "62799988E6B0D71C2DBF907E211C963A3823332D6ABF4450D31" + "1080")); + test_hash (&nettle_shake256, /* 105 octets */ + SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), + SHEX("B645903F62E2A0394B7D98A526CE6C1725A03F4B35CAB927AD4" + "FC2831F460CA6EB0959BDC5D90BB37E1D0E3DDC6CBDBB8F61D9" + "21B7CC496D903A92166BAB4A436BBE6E9230DD0F91A6ED79188" + "9B67727338EA636F54AFFE59D52CAD1B0D26ABA8A29C92874B5" + "D6276369FC45769A3323C9788A7AB268081689614622BED3DFA" + "207A0382680219D24B2854EEF3024A34DE3FD4ACC827D52FF2F" + "1A4B40F1E957729609F8D3AFEF23A94D9E3EFBFA3E66BC1ED44" + "C426D27ED4FDA0B4BBBAC6050DC71D064DE236DD800D0E24188" + "EA0B1899AB6D0AC16986034BB1C8A21C7AD7F069E706730450F" + "046D5F9B3C066C6CBF98C5151E5B45D6B0F3ECEF0377AEE19D8" + "3941CAD4484AD07338E7DA24439EE38875498207CFD01349A3C" + "B8BCAB058C70B48827C22278667026ACCE65A8F643BDA30A3A6" + "FEBB5EB7B981963CF07F6FDF20AED8769C8EC35425C4366EEEA" + "26AB28BF43E7FDC8B4F762A2CAC06D10E1A8C6EE35BDA64C6F7" + "1CC02675EA4CD20B112B6E12D45DF6D37D83F04CE55DADB9F54" + "C8A68E2C76AC55AAFB1A3231C277AE27BF2742D08FFEDF08DF3" + "F098C5C60B59D2A89D2AF150B3FC73E399EF94B5002DC0AD109" + "7767F47BA07F442D4DF4A4D72E5AECA7B2A37899F50FA3CDED9" + "1474DA106FCC96B28D8418EA340BC983344BB58F244ED6755AC" + "342B9E6B00CB19F9AFEEB3135E0374CE803CDA44E316EAA0B6E" + "1E93")); + test_hash (&nettle_shake256, /* 106 octets */ + 
SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), + SHEX("B15D1DCC49B25B2ECD567E1D0F46732CAD3F9559EFCFBBD1793" + "DA46A5D9BCFAD723E504B12B7C1B65EAFB9647DC35A48448534" + "4B9DEC5C378DDE04227F7224CFE6F06A962F380AE104146DBC2" + "425FEE1D7AE7305E2D2C4E2F91D9188BC88799B730ABF3647A4" + "365562ACDA20CBCC7DFDC5C6DEA8DDDB20443B9253466E4E215" + "360F4066D918D938FDD204CA826E4A3358D169FB34410D45F8E" + "783E7FCBF97A9CF0168E8EE6402C8B627DE5BC4DFFD8AE2C880" + "7F863D10EDD57503A99A46035173A20DC10DF3E6BDA62B518E5" + "8E94E5624659890F1174B3B7D798206691D3FFA692494829382" + "1616184E160F237C1241F11779CDEB4FDD858B73F3DF45F05F4" + "3BC81E0EAD584999DA04F71EA4914F8D8AE17DE086CDF69C31F" + "CCB48B528781FBF8DCFC710AC421D28E93EA95DB4A6D38C1D47" + "C800FCB3F816E36C86D6B3E5D6BB31C325C7A0DCA4D395867F4" + "36F077C6711BB96DCBA9A6DEC6318FB9BAB829AE40BF70C5514" + "6B87D9FAD9A839CEF462249BDC49B8022926E3C664D66595231" + "23A6EE980B69BEA87437322DA1DD6235A74163968C0994AC0C2" + "1156476D83F2B8697A1B510795D936DBFC2CFE67ED401CE708C" + "7531F1B4DE75E8506DB082FD9B3B24673938242FFF4F30BE97C" + "AD8ECD2F88BB5F497A8F154465921C9469B70FBA1F45D76C9A4" + "0228A93D67836CB7CFE2F25A5F56C216084521484A7224A7A97" + "6323")); + test_hash (&nettle_shake256, /* 107 octets */ + SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), + SHEX("7AF1CD3572930B440F871CC3388678A1C612D6A590CD2B8692E" + "0B96010AB4E122CF856925DC84AA0A87C7FB1661C5C74B08114" + "88D3D486014E81B0D29B73450A0670A6F8223DF95B542590B3F" + "6506CC18949FB6593F1A552E064B4E1576AD7A7CF202E0B8F90" + "EAF90147D44EF16031D390940DA5D74C35A269B4ADF4A663584" + "292007DA777B04C15C03F7635BEF56C1CA807D1CB3A8DAE8218" + 
"821C44C7E6275CBF64D82453F764B458ACEB881816234494F71" + "7F5240CFADDB3F11C1AF02B269F0F76B9DBC8ED643FB3B7C9F8" + "A540A453C1EC85ABF9E8417B1E4DE9DC65181EE32802ABD6170" + "A581AA2DD01188752C73D406461892D0D0909C5D3FE0ECBCA3D" + "28F65B905A2DFF142E61CB088F9086D3C492E73C0EFF3AFBC37" + "216EE98533B236406D80797933E54D3C21AE6B1B81F459FFD7B" + "8BD1EB872FD62CC0B95F5384668A1BF91A474BFB97335DBD8C4" + "761F3BB936E2032365256B534F98E9F4B3C50B4034478EFA268" + "E9ED9EB9864044E90DCEDF4A2ECB9E8617C4E4ABE7CB4990511" + "43C30BF73D397836E422A2CCD222A299603A3E4EAEA9BD2C3D6" + "4A0ECB3CC7C0BC3D867C79231BBBC8C2ED4212EDC8B25C04C57" + "E9A3EE8C103AEE4AD6AF025016C1A177288F4A17FE20A2E210B" + "24A7AAB63D3FB4E687ED3BA2BC163F17C9067D07C18204D0AF9" + "6A41CDF5BE9C6B89502D7CF1283E82410B11537CC931443076D" + "60CD")); + test_hash (&nettle_shake256, /* 108 octets */ + SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), + SHEX("6B1B8AAC47F782208F50AF3F977EAF8F2D69FC02390EE17BF17" + "61ECB73D1088D236A5345380B6297AD1FDCD5117D16A3C410AE" + "EA092D9892AE95C7B977930655C75CF7834C101F69D2E33A1A1" + "7A489E040C5DB3F83A5216ED5778D391630D17405EE0A96FD7B" + "834448FE0BC61CEC5014A6AF9B0F85827832E7469869B087249" + "7033822D3419D43379AEB6C31406AFD1199ABAECF3AC8E2546B" + "9736F8C4E399C8698B674DF5CF6BE81C73E52DCA979D3281200" + "B9DF8D99BB6C65A7B6F620E1E4E6538A918C99CDE6CB33150F0" + "896BB75421B8265AABC241C02D93E63476C351396E5B86DC66A" + "05C74AE2EC87EA1D175D15A12ADF18F9792970DE3B9E30890D8" + "896309815D57AE238895AA7E76DD6A46019F005F193C737B452" + "D32649A8F39B1ED00AB8961A6EB04F699EA62357B7A38C423BA" + "9D421529266459EF292B324A16062538E8C6550F822C2C14081" + "6340F907D5D10B563198BB1539B82E5BEDE700F7FAB66EB8DA0" + "45B23035DECD3F8DF11DF98A297A49F5B896A3536BB5A3E17A9" + "DA1B266EE18FF6D4A6E59AF619306BF30316FDCCB7FBF580091" + 
"6C18832F4CD21659774411F105DED35DE8B0D4B0B54755440E2" + "6230E519B66319696E6ABD180FF5314EE184D3B2781F338FDD3" + "E3935855F4C8B4021154EAFE67497599D0AE393A516673A970C" + "FB9B7058826D7F0FC29F3ED34ED31F45790A63E5AC7918A4C3C" + "B494")); + test_hash (&nettle_shake256, /* 109 octets */ + SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), + SHEX("F76B436C25E0BF2D75A0DF0152D04117ED8DC0AE55B13A2CF83" + "9E41A90C6070415EB8EF70A90BF205B0BB330435ABB41BB3329" + "D015E9E56E86418BD671D0375E3AF8056EB882AE4191F82E062" + "339D5505526AB42BF6CD54F0D36251A78EF274CBC797B89672C" + "A224CB9B94E36648B362338D4981821B0B388E08CE97253B5E8" + "C776E9B3AEA33DFC3815B5929A3800BB83543D42E0F331C264B" + "1855AD3C002BD80D035932268DFE4CD6600F2B1F215F1670D7A" + "4512E89C3D1509271ABB42E2608D7B4A900E00593E0509F7C88" + "2AB0008AA83F5879F30D95A319A4058987804E5014212D415BA" + "0E1C2407B9AA7B80945CF460E60609AC885BD7D639C9BCC961D" + "6C32A96F041528B64747B5AB9557971EADA1EBEAC47F78B3992" + "EEF2BF2806213952489934E7F5410602ED0987D8470AF3728A7" + "F5BA326B77835694E32675E463C604C18DB4E4F5E1ABD056689" + "66B8D102172E232B4EAEDB3C73E7A406C36DDC641469350D593" + "336E9E5C8BA3C246154BD3CAC8E14CD60C9EA724FF059C931B7" + "78B00A3C6E1016C1C41B3002F01D937499518A969D02AD08B5A" + "B385A60CF5D018EF405DF9CAA63BC49015407B04AEBBE02F206" + "DAB67E72388022D99D5BA4F6D57695186873276770452D60263" + "5AEBBC988B7718F6EE99F9F05A6028E074BCE86FC134ABA4CB8" + "2E1529ACC2E50E53F466B9B38FD3FC7181163D9A3B58F143AAB" + "6297")); + test_hash (&nettle_shake256, /* 110 octets */ + SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), + SHEX("C870CCF74F9A979827E1D0FF8E1DAC93A2E0F10A0BA7A4DE041" + 
"853915DB7D86C65010DB41421201025D3465FF1267EA5DFC8E9" + "0CDB4D933FA58F5A5E830C646A74E5BF807495D973929CD2D47" + "63A0615902B8DF2D04A9D2553BCA94696DB2A332EC56B5612DE" + "10CBD2E117AB226769A0F5E12E380E890489C4CEE3156B4CF1D" + "4FA2FE55E20DB06D84DBB0F9833A3364F64481567C74049517D" + "B8D75F6607467EFED0D8976ADC7C7F265371A552767BF6DDF87" + "F88DD1BD326C46CC7C9A895D1D88D4452A1D72E7ADBFF6C02C5" + "114ED5799C4E75944294BFF16DC782D529341BD289DA6136E0A" + "4223F27E886D8AD057446E6BD41AB8EFD676B5084084A313E0B" + "BA30C1DBC3C461AFD8B5C0EE02AA0D1BFD0A1ACE35369F78D55" + "31286FB268F94D4EF50BA6A502C2EB2B744651B71B59974202A" + "8088780CDEBCAF18AB8CA8E5AE928309EFDB5D5A639D7C83BEF" + "87E5AAB4D403F7A9D22EDD1CBCD409B822F33225F05AE21C2BB" + "E9E7A0B116B502DA93D6547E3931763F4FBE1507DC031CBAFDB" + "08F4492396D4D32FDF8936D0BD082D45E70B3CDF8B807D974A7" + "0BF17FC54A4A034BCD7F5DDA8C1002B92A641DA7E717D8C742B" + "7F22FAB4918B1B3929C2CF7533666121184383746FC5FBB06E2" + "796EEE83E6387DC610717FE4C7FF316D87367F6236E36524CF5" + "25691D656F77732B4989D87FBADCC67886E151F7A61FC9141AF" + "81B4")); + test_hash (&nettle_shake256, /* 111 octets */ + SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), + SHEX("7AA373D1AD451F79A4B17BC9D3E2EC4D43457C6251E958E44F8" + "D5EF360EB256CE5ED5082B938095DF2EC30DEAC299EEA526894" + "6CC240AE0CFC0B8565235A77BED4B58560F111FA5630996AD51" + "065A6A957979344C26C0FBC9843251B64C899ABA1DBE5124A21" + "A604E706A50478DB8E93F239CD11D53B2F168A946E979AEF98D" + "6A3CEAE032713C241B8176F1F32A7F132ECECE3FC57309F6F0D" + "C9876B9327C4C03C42A74EC216E0DBE026DD167EE94FE8B0032" + "F9BA033ED3E6BEF8DCDDCB288CE5F8D1B4DBC01A5BF51FD7252" + "06283C7028D8013A170F0DC4AB107A442C95B0214A71D3BD7A2" + "7CC48CABE6BDE4A5AA4698F56258E175BA1C6F7BE6D7EE60CB5" + "BC4926CEC0D94A422554FECD2D7666462E125FA3C2FB84E98F2" + 
"095B119AC492EF8EB3666A3BBE51A6E4CE3CFD1375A21D1570B" + "E8A1CD22009E8261B3CD6F2E2085443A6AA76C91A349A7C49CF" + "5F477FC017AD18439C580DBAFC94E96739732DDADF4829F9DA5" + "FCFB6851AFA968E208D4090AD99F61F9657EE958698FDD1DD5E" + "F21543D238D05C4C604E26D21DCCC8C878344EA888F12737221" + "8A4511B803E3E6EA03CDDB2574E636EB40CA242FB31698290EB" + "9C017D326A35D884A88C98B89C33E8656B717DD734223EE76B5" + "EB147AF7521BF1F827827B37A6563E601AFDC3796D8DA4D1084" + "FA462CD4AF969A800F522375E2C754BF20104F13A95FF2DADA5" + "674F")); + test_hash (&nettle_shake256, /* 112 octets */ + SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), + SHEX("A1D00913CC206BE2D1C38C22B6C732A05368C8AAB30865BE534" + "3BE3C73AA6B7E8AFF69A544257DB1E6B6677E6CCDB6EB358A0E" + "D096BC9FFF0DBF89B1E5345037864132FA7B820DDDDD5A88B95" + "3CE834F1AA89BF56FBB02670DFC9FA29892FFFE61DABA419585" + "0CA669F6E4AE00687AE4AF3A15B27A4E489A4AA01AE62E23FA0" + "12CFE38BB601B343095B5DA20CC2B48352CB245C5306A2FA9F6" + "CFB324B6DEBDA6513221197B24EB1EC2564E2527491B539289E" + "AF593912458D835E3F8F46E058CD6B3B85D0833DE691A1E08CD" + "6742E7B2957DDCD0E04858FD64987C66B6BAFA7A082F32D5158" + "52E931A382792AB4FFE17B39D8918CFF002CB01C0CB1E1FD32B" + "B8B02DF964752523E64DF6C74B8442719C3D7DC75CE9DCE5474" + "AD6F235280CBD1F0268F19E695549016E948A7141FF4602330A" + "096C67699B29DDBBB8F6600770CBD0E398B013932B04526A055" + "B51D92F0AE8535A7E91936BF21AE70368E09005B14F3FD9E363" + "5F35960D89E134E9B1447971B0D1CACF554845AE74CD93F73FA" + "FE94189BC22D1DB9815A65B414DDE694FD053AECCE3BBC3CE73" + "62F353A9434A49FABCDFD7E3CBE73ECE064DECA30E4BE01B113" + "5FF6303E45E8065EF415BEFEFA948ADF42DCEF4520C2772C8E8" + "438B60113919975CA0DCD2798BB026D4B59D3904FBCA4998533" + "ADED822B15CCC86457E8507AAADC7E3EE221543472A87B730F4" + "E5C2")); + test_hash (&nettle_shake256, /* 113 octets */ + 
SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), + SHEX("E28D36BD926B9E8C105FE0099CFF1957ED7ACCB9618027421FE" + "BF9DDD3129F4E6713376B3B7EE710430EF381CB12B831C80C7B" + "1B93765F7693506733A75AC0E8FB5D3C30C6F4DC735C4C35991" + "61ED02F4ABB5CDB174E53D93D91E1321EDFD79C0F63C92C7E5A" + "253C1B8C4842F053CED0033405FAE5F16E2DC30024A6B1663A8" + "6829ABFF72DE6F2A91C1CFE5955CFB584F8C65B9334590C9C46" + "8A9B0FAC172792AA152F7DEDEAA4FA22FA7BA44131A1143F790" + "53C7E2CB5AAF8ADCCB6AC72300892F792590BF5A1A9745FE593" + "4C712CED382A316C487EFE0E6F146C8A562E6B40834FE20C362" + "E495FE9E5CC871EDD2D61361492EE60CEF26ED38B4DA0480B4D" + "FA66F5E71D44F10159016093841E02C34001800C5CDAAD0F9CD" + "2A3144911031139CD6C54443A1D82405921B86DEB03E8F0C1EC" + "D58F63B88944182F034BD07B0D021EBB7447F660E66BBC0A821" + "C7852D183B806F0855AE194D80073280F3D07C2DC03571D5C6D" + "0F0675AFD58ECFB211EA27733E870A6E86AE5108D8C1C3524B9" + "9648541B61935746310FC6E99935E7C9A5D144E0735F2CC32B6" + "DC42B34679052203A777AECF26D9461946699F834940BD34F8F" + "CAC7C22E29B2B0CECC60183C44A5A63078127C10C1C14112226" + "520CEBF9D47A7FBD4002AD482CDE289E7DAD3AA891BBA0B6B2B" + "2FA378D26D629B4CE428F375BAE3FEA5E5C6B048928EC92099F" + "3C3E")); + test_hash (&nettle_shake256, /* 114 octets */ + SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), + SHEX("E3E693B2585C32926882C97BEA160D46ACE5ABF0FA47A9084FC" + "FDB22DE3C65F43717358C2C2CE680D6D132443D478478A30471" + "1BE3C5795F3EB0A7BF043CAE06E84443EB599DC259B3CE1F418" + "4ABF1E6794556E9F2ABA99E5363DBC7E9C2C802976C87FDD7E0" + "E3884B971AB33DA6CAFB65CCABD6CE492A59D359BC17D221638" + 
"1AD838989DE9FE82245CE07CCB1239FA5A3D664D5B8F2E3410C" + "023066AA47E030FC73BE5EBA27D83D656106401BEA73E36CC09" + "F8A78BC0F4FD7C4B2B4E7D36F4E3CC31867D1EE207A7936FB3D" + "5FCF512669AF63B9F01E4188ED39B1142CAF6578F788B53C3D6" + "303C25C545DCE3F0B037456E3E7870392F43051FB2E8FDE663C" + "80350F94F7A52D511A56CC268335D1ED24C9948C6E0426AEDBE" + "1E082C0F075863E3DC0269BE5C83ACE9A98AF1EE45C79BA263A" + "A81902E11F880205B7BBCDBA54F766150E744BD1E2C97E64B4A" + "50A179B940C01A7AEFEA23E22DC3443D655E31FFAFA67FC5557" + "27C8D02C3FB3DE7D6C13438F6323B89B7C975FC5B90D80BE8EF" + "D41BBCE90F636CA01FFBE3AB39AA0F43460F33DFA492718A411" + "711E9E7D38EAB956655314F35D36120237BEA48EEEDC5492560" + "90DDEE8AB4BF2669131CFB590C65BBCE018CEEA3CE349A8CB83" + "E3518CE8F353EB07F9007600C206C7F6B6B1DA24F1A263F0397" + "73EF5F99FAE6D9B2B3160199F17D49AD69D51BF66915451F43E" + "CDF4")); + test_hash (&nettle_shake256, /* 115 octets */ + SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), + SHEX("A178F3B574A841C88EF21B6A20A100625334F4FEE5966AB2164" + "686151AB9FED082CA4A9115A0B5F099C5DD4BE4EF1082D53321" + "2BB862F084225655D8856E29F279418DE6FB723ED15C341CE31" + "0B53E695C08689F776E4474FB6DBDB7DA46A9A2DFB7BC374AF8" + "6984E1E10AD9D48B744A5FA98A0B161738468E06EE4E836BB71" + "8BEFA381CABE18E9973FF07DCE1920B19DD797F84CDDC52DBD4" + "9B4A462FD1A12ACD364804A290BEAB30AF0376CA098D44E5D14" + "1D1636F6073569F2CE7213F6407EE376680E8D676942211A9EF" + "B756EF9DCA40574AAD2084FAE0B617D727D7951C1321616F265" + "69D96DE5ADA8EE101BCFD2C43C338F8957DEC234E23F5A1A0F6" + "63EBECB98C35102DE1C101B99E8F42BD8EE7C528B1651099545" + "F7BC9BC315C8861FD7EBF26B97A519931A63E0B06A73B14CD23" + "65383B44A2107FE1AF0998F1574D9FA8818DC51D642240DBD0C" + "104E89393B2C381944308D828720564763D3BFEE221BFA99D97" + "6701717D4214CCE2FC25763C1B25EF67286BB7E497593B1A077" + 
"912E3AF76993A4E20D4E8ADD7AEF4F715E5F1C8BD68E8913D9D" + "8057447F273FC41F70A0290A5EBFDCE46209090032801F2CEF4" + "4C8015E865D75759C7B2117C6E8EB6B57398B992B0E073C1FAC" + "374C819B7AE16C464AB5019A45E7A6AD57B75380FF42D35339F" + "23436A0D58497F7A12E4C3EB34816C4AAB9A2D3655079C12E05" + "EA36")); + test_hash (&nettle_shake256, /* 116 octets */ + SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), + SHEX("11C57A7AF45809863E024835F2A86BCB81763412DBCEB53F311" + "53730FDFDC32A8ADBE3A8BD6D4778EA33AFC063D9767BC9E3AF" + "EEA3C78FFAF5FA3023093C798F39111A182516218F0BC78C030" + "7C75EB212B0EDAD184500261E00823F423D84BC2DAD3FFC6C2A" + "B675A24CCFDF0DE5F669D1EAF91973071D50EC7D2C0CC4B6E42" + "552199CAC4B65938F7E704248CBFF272C647E953FB9719FA8AA" + "9C319FCC45E4FAD0752E7416F9DF0063F1A8BF43E316533C046" + "C4F2E7254A02FEEAEBDCD4DF19B01C18B8DFEC1D291FD670BA6" + "D434B41EB6068A365973082107ABD6DFB62FD428B9B183E1FCF" + "CB654A6C7A55B91E0615658529FA4F6178FA4F5CEF329376169" + "AF143B137B9B81B273796CD26CFD8372AC3184600EBCB2DCE06" + "AA7F22C055A7B622717DB8E15571ACC61D94D8DA250FB8E6354" + "9528CB53050322520925FE7FCD065BDEF0EC79AA38F1F105348" + "614A57605C94BCD50DF80E692D1117C13BA3563AFB44E91117C" + "9F6E4E7FA35397DFC58FE7F2DAADCDFC756EDAF5BDA38D6E1EB" + "819A1080CF354F2AB779F63E2BCC763C8AC73C6D811AE2B5252" + "E6FDEC79E2E97D8971D1EF39E2A144E84EE8087C673AADF3C46" + "C4E6C1D9832E68BCAFF8C1E4DF1A5454D3A677040413BA32BED" + "431B2F7D3F356CB060431A7F5B1B6CFBD5709736A408EF6CEF1" + "B455EA74191F09FEEF230A1A0296807E8AB33403A9E3EA1650C" + "D2AF")); + test_hash (&nettle_shake256, /* 117 octets */ + 
SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), + SHEX("8E03C6B48B4E91BF5364CF9311172442253B6ED58B95D147A46" + "74BCA639D75820FFE93509AB08FBE7EBA70544A9331C3BA3347" + "B0B44E0FE36F9B799963212514AB2E673133EA5D9CF3181FFAC" + "7F79475971369F7A0188F1A3687792258617C7521CF2EC97924" + "1D8E9345B9205243A1CDA692418F8855BA61B57C75CE8A7B2D0" + "19880D2C56C61DC0E3CACA0CD632E8819DCAFF9336498E1D573" + "C16269D2D56509BECED579C80C3F09E4165081EA7910BB8D13F" + "0373FA802F498AF190EBF8D7565A93A771AFCC8C417EA460E67" + "F4AEA898C73ECCE5B17EBCF6EEF8A6E31D160038604499B3996" + "5212588826D1F896915500497BF4F949E2CCC4C3439315E7AAC" + "C2904A77AC0113A2AEFE64F6D625A7EF547E99FDCF9374300A1" + "CC15373494BC1210B8DD5B5CE04B190A824566A9AE4A02DFC70" + "FF8DF3191528A91E97DAD97057AAFB0357AE7F509FF7E464675" + "124D0D23399AB6DB37B80397BCAAE48B8520860B79EFD72D955" + "F53611E8D782A28C729F51D3174850E4FD61A4328709DE8170D" + "1BB7B5A811BC3E0FD06F20F03CE1567CCDC5891673CD8E65947" + "2015EE6A557D89B104E22E70315B40701B49C76BA0196F68A92" + "55EEF2623E531D73D151A7F321409BDD8183CAAFFC18C6DD63C" + "1EBA47F07B5B3D404C2203373EF356CD26D89DFD8F5BA2F7006" + "46507AF3CF63DB907F9F70DDCB125259F28275CE8F41B63D140" + "58C3")); + test_hash (&nettle_shake256, /* 118 octets */ + SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), + SHEX("845E0DD7FCEA5E19E5DBC6CD03D58C2BAC4B81CE809BA7D0C75" + "CB867DA6ECDC9CEBCA177AB9C3273C8EAD7B8C9F571D6D1D14E" + "D0CAF6FFAAE4F1B7EBE653443E9BF099DD54CE3A021E0944BB1" + "F8B34CB8CF199ED9B23FFC94E2FCB6FBA03D50D0C84C2C943F1" + "7C1BD9EEC662420EE42ACD5C5F18223B92AC269B320BC190355" + 
"0C1D55B7AE5804EAEB6F67C57537161EF8460E45E34FAB823AC" + "0EEFA232404C7907DB88E4B1D74AF7DA5A2E38F82F96A86A506" + "DF1E717E636AF1FA85BCA3259C78FE7CDE8FF56CD2461997FF8" + "D3B31BE985B73E4EB0DBF36D39923CBA9982870DDEB52ACC02A" + "97CAE8688E230364D5637170C328175208F8D225E2B19289A29" + "205A9568F426FDBDA7BB04224808B2F21E4E80E2F18F4E79065" + "4E0D6E486340464B6FA48C95F99A4106E95A6A378458B863655" + "6C700D79FC45697C09A84D2EC41BCFD560F0A147ECE64006071" + "3A86516ECC642396E16A63203CCE11809E7DADB5BDE418348E9" + "1E30DC65E66242E29B69B9CEC5548D4BEF3E15A6CD4937C492B" + "2F0FF83DD3ACEF224EF66AA27726161A418820196738EBD9569" + "B49D51D1583129AFAEE4F9128C55813151895A046E4D5B4E7D1" + "695B0D47BC657EF7795107148B165D0484F346C9C49A8DEE187" + "E3C1F28A6D57FC3B7DA49042B37250DD02BC9807FE1AF57D5A3" + "1664C90D5371542B28965E805224651F96836147E0300C2A938" + "639E")); + test_hash (&nettle_shake256, /* 119 octets */ + SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), + SHEX("EF1A40B1819AC20C49EE1F31E36B853619C8E960DA1A5BC8667" + "4C5720C0F255E8099CD4572D09FA5B8F035ABEE5FCA1725F988" + "954513E2E7FDCA92A55A757145B0E1A223A7CD4E0D18D3EC7C8" + "BB33221B24AEDEA4A08F01B2130D58E19570272456697DF883A" + "B29F4D4F86DDBFD1D97F1018277F84FFB615451190762B9B725" + "56677591E6EBA3FE45F8769072E234602E222C77DFD8CC095B7" + "3D1B231F3F09B89C2ECDCB741FED58085CD763E2B016623BF23" + "92631984B6E4D2FE558B7F17973A8F58BE66D73AFAE5DE5C5B4" + "6A6205E15F8A7F5B3ECCE65985EDBFE4C86D3830E642C99E44E" + "F35AA55B834696DC519635240D6A693AC09CB3D567105420449" + "664EB7B6BC367C482CB2682B1A34A9A051470EE3DAF8045B0DE" + "FAE0EF10581830A1C21F75045D1297C9EF4B874E9004D4BF86F" + "D770B820A9AA1FE967388215AAF00DDAC57F9B3B9CF0A67FC81" + "E27565F1F3378A620C9A99B50AF301359E98D31EAD034DCB033" + "4BF45D3CECAE0A95E4F0F0D60B0725F97AAF0EC1C4EA1D7D062" + 
"D5B13A69B68CE5FB382FF7E25A219C7FE8CD1D78B47660319F6" + "EA04418970EB3B5FA6778D84EBD4377C8B3DB2632CB616631DB" + "82CF68CC4A03A44768B082F8A5FB606FBEDE8AC366B9D0813BB" + "58017098A9B2D5BAF9C5313451F7FC5144F8A89EC34DA3CDDAC" + "B079A963BAD7E08A4D68DE34612B116A0587731F4DF81355999" + "40B3")); + test_hash (&nettle_shake256, /* 120 octets */ + SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), + SHEX("B9A11246D631A7C9F33911215F36281030AA4959E598F2E3660" + "2AD66E236F4EADC9E87A662FBB5E30555F7F2048571DB711D9B" + "28389525DC1BFF502C1766BF7EC7A26688CF30EAA16A23D00BD" + "408E11756BF0E9DC3265ABED5B83643260DA0F7B58919078EDC" + "C9F62B2D14029657426407CFE5B514E17410F3351C401EE163D" + "1897525441D6738ECCB5976C16EBF309ABE15FC5B15B3623385" + "16BB8FC50DC69EBFD5E3CFC7B79571C7DCA79D57970AE090454" + "7677B30CDD7D09A0973AE65D6E00F3F9205BA0D806CF3DDB5AC" + "BFB5AC1DEF3AA8766E4921B42DF7B9E3AD5299747300C9D2640" + "6CF195DCA47A673E232454DC80031FDAA0E3DA4B66DA9DF72B0" + "40893378AEDD6911D35D3E007828EB749BED4E16657E9D33867" + "E0319E6D4BADA0F16C466F3B1B8502BDC2584BCBD7128A976C6" + "C8BF2D553D38AB28B982802D1E626C47B5EE08530FF22A9852A" + "C113C560DDEF6931F6E6145C3E525F5E6269E7DFCD4C0517C16" + "884C681B1BD78D4A415039439BC5947C65CC35BD52E7E2D0FE0" + "C88B2C92C903A0DB75D5BAC3D3D6A5A323CAEE0E55C61E8BBC1" + "113A7D8AED0B031020CD7C50346B2C9EEFE61C20C14AB947CDB" + "7B3D153172D5F32BD267B4D77A7606CFB5080058F56E51CE9F7" + "3E7D75C94A46A4E917BF575827D37773F2F9EB5A552420AEAD9" + "8DF822A7EED212538E2B27DF5EE2188561775BD862902F3DD19" + "A9C6")); + test_hash (&nettle_shake256, /* 121 octets */ + 
SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), + SHEX("EA756978CE1BC77F9C84A151604F37CED854B00328DF4A486E9" + "626C7DA6098F1A6380EFD8434FA59B037AB18C3488B404C03A4" + "838A9E6C60B37C9348AA2CC3E09F016B1F07FED8D4A0B93BFD9" + "121B4200A706887297A91AE12E1B385830536A88AFADDA80D4B" + "14FC5CC9C49916CCCBB47F970378AEB5EA6F6F583D131E53AA7" + "08196F749644DD153A3177F424921254A7FC92CA5CA241D54C6" + "A1E565298D2BAFFCB173D22160241A535D34358FD0B54640CFF" + "9E04890BDF23BDA5DC770240FEBB778D1D0B4B3C98CA7AFD251" + "2596EBDF02F8E1EE5C74BA26A35E1482784F6284D0D5FA17CBC" + "695508026CD49F30D82FE5819378DE13150805555406B8EBB6B" + "BB8DEBF55A28B5F1350EF5AF18DAC71C9A02E76054EAF28E2D1" + "259EE670492E75E1B3BE45492D6E3BC5096BA2952E7B1E97DBF" + "5E18618EE7B197E6FC3B0A31B2F071376F6C55CEA08BBDFA37C" + "F676A24DE82F23878566B48269141C17C7304D6252952158078" + "B481FA4270C2DD631AFEE7D7518D1F1DF43B9841F10871D3B80" + "E4680DBB89CE8C4CDAF4E16A4892A83F927AC7E4EA692C6EF1F" + "E6A6B2FED3C8393A5100DDEF4B56FD158E45A95844E2195160C" + "3D3E02FBF51A715C0117627C783D503CB241C636DDE3443ADFD" + "AD82F5D9226D49921FF60788295A47B0D76AF43977FCAFEA4D6" + "1DAD09E2318EA16E32C44B14AAAB6224193C3B9EEF105057A2B" + "AE72")); + test_hash (&nettle_shake256, /* 122 octets */ + SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), + SHEX("609D7E2F634D0457E311972039E1645E66392CDBD1414D5A8C8" + "39F8B22618AC73BE81A745B9E2B83814A527F78D588119F7464" + "CFB235E56D9E2F794A5BD510008689ECE3EE818707BE101A3B8" + "A5E1211E3116AC0E9746F79A01AB9DCD01783E961C316EF4EE9" + "08CD69C7C2B0E3560FB6DD5649896403D07F021539F8ADF22CA" + 
"4E3535A81EF643AC230A0C94913E9584FD8AF77926360D280FE" + "CA2283F8097DD843D509C5E34A9FA8B02BBA9015753D3F728AE" + "F7053407A90DC48F15EA272DF1F478B967DA4C02C8D4F2903F9" + "A98F90CA1589BEE5590195E0F6B24913641C2FFB42DA043B454" + "8D82F8F0F580356E9946022B06DDB0BDE4947D4A25767C65D1C" + "A02148954D1F33F07ED0886552C23286696067FACDF37B5D468" + "B1A5F29126A2805BCBA687F61D920C53B8346579EE0D312691D" + "FDA9E53B3A0EBDA1CE213C78DE4CDAA3C5D9C6D5A4C66A5B532" + "37A7E5D80E8C1DB49656E28B2DF50C02E9BC580A62EE5E6F72D" + "9681435BAA70C0B51AFD2CCC109D0D45634072BD404964FB44D" + "2107A68E1A9CD60E63B847EA9C75EF14D19101E391D8F80D05F" + "6BF0966C949DA6D9C8E2C865C0468C825E29BFB9CA2070518AD" + "838A6B1530723F6261277EC7D1291104049503198B6C3B95D1D" + "0EFCE786D5982F6D0120D9AB2D1C0DD9EA89644103442A76E68" + "04A57B54FCA199E6D714576D631422BDA28C2A7F8838CEFF879" + "E0D3")); + test_hash (&nettle_shake256, /* 123 octets */ + SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), + SHEX("F5D0630D6BD21787A4101E2287550ADED2C2BAEB0CA91D24CB6" + "1EACCF83B0D15700C6A95E643D8EA2383929D23DE5A1819EB75" + "71F38CE173F378AB7275776A771380443B0CC1CFE1B9EFBAA85" + "79FE6E002FE75B80FDC73AD20C727B003B6281A8BEFB7F7CB25" + "45F42586AB879C9FF523D6ACF70F24994342EBADBDA27D3168A" + "755C2DFC3C99360FE377C8A19F1465F6157CFF76A1D7C8A6FB9" + "91058D582D5F2E19ED583136320C4DA569D9EBA4692E0BB19E6" + "20C600260BFB0C95F7A8FA4560B1B715727CB04A8D37410DABE" + "2ADC5CAB24465BBFB41AEC1E946BE1C50ECA676F47EA99D217D" + "68F6B8F3536E879FDE16A355E71857143F7D07C9A207F4D61B8" + "9B82354F0A0273AECA1361C3F949EFC2A45BEC3933E8A6E7A86" + "E90E0EFE5D11F6A20ED9811A1CCA507E33CF47FEA26D7E67FA8" + "8D374245B1A24D8F5C584DAE932BE1EE25ECC5EE61D31111A3D" + "1EEBF220665EC401E28BB85B93D615B64EAD0FEF0E6AF725CA5" + 
"EA8454B571A784EF95A020251FE236952D130692D81702B16F8" + "DCF03CD82A809877B08774635A4859E1A516E9C4135FB415100" + "359CA6DA69426D4139E90F00EFCADD155F85A4AB1CE154F8CBC" + "84EFDFA7603FF48D5D1EE94A4D27DC9A450E35C60D9CF43594C" + "9182B69FE9DF540F498C5C92DB68065F2ECDC52EE7D22736561" + "FA617970375F6EA3D01FF39E2E22C979AB58DF80FFDB75B4258" + "F49A")); + test_hash (&nettle_shake256, /* 124 octets */ + SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), + SHEX("F3B73032FBC450B21DB7C6C263ABA819ACCB297B724CD95C552" + "80FB7F4E6A5100181FDD6E010964C62FC51C0FB540794CD3BAC" + "D695A082B20016E1BE1F8FD89E77AADA0747AFAD6ACB2F963BB" + "476F1B515CC0604CE5A7B18506BFEB875BF483189D268255146" + "FAB7B7820A26DFFE97C737A7D5BEE677524C4B64539CE760CB4" + "AB6D03FBA155D05130A50D5C1EA81873C8A45F1FB83C2EBC11A" + "2A1BDDD45AABBCC572D9E93611C4A1429B802EAF44EE19A4172" + "43C069C99825959093A9E0E5BFF186C757A7270E33D02B81768" + "D94014F17EFFAA3B2D92FEF370E552C8A8EF2B3557C2F930B7C" + "79E9F6C0573BFFD8585000954D9264611E3D6BB305B08973D05" + "83C7C2C5B2B0B5AA1B0ED46877FB02646472672121A60424194" + "81D4A0A5EE001E1E067F6A7EE1EA4B880D00F7815FA9658AD9D" + "D643139A37B3FEBB46585A2A74BE0EC2B8BCEBFD8F63672F2C1" + "F213511E611C677CD92B2D6C4E43792CE3709AE1CACA3103F7D" + "267940A0CA5868AFE6296458811BA67205A5BD4B27F96573F8B" + "88F8DF2733B83C420CB2015DBECC6E0146657CDAE3C7A2D2DE5" + "EAF8BC9EBD0A7FAB0FA37B24206B6118CC56087B0F573FBEE9B" + "D0C4B70512EA4784D85D8A89E75E08F86D204A4A03D4C247CBF" + "9AF7C20FD532A65D0C89311246CB572C77A35CBC9C65BE40FD7" + "EA2D41A3F5A4AEF0BE01C4DF6AEF0190171932B03EB960172A3" + "8101")); + test_hash (&nettle_shake256, /* 125 octets */ + 
SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), + SHEX("FBBA34F9B8B88C9851E1B6A8613641A26E5E6944788449E7F78" + "C66F32AAB088229599E67B048058A2BB6713C84033A2177B563" + "407BF832D136FBA8A506B3E0C3AC8632F8C6DD058E1D242A247" + "54D64D8A0E8DB424000561EA5298EDF2E5620237F4297CD4B2E" + "48C87AF4ABB28167662B032F617D89C4CBBF064EF09AC2A1227" + "85D55C411970A610ADE46475CC0E371ACE344B3BEE172D73E9F" + "A4CFFD1806070E7CF48B722DCEC0756EB1EA059E8481DEF23BD" + "F94A0050CE2848AF21B49B59320D5F4EDFBF2C1A653306BE31F" + "3634E5871156C44D15F8C39C7F50FCEBB93C61DF9258F81941A" + "EE98C0AAE76D92560FC4987C0CA8CBF07CDD9B96E1F24E83F59" + "77A2C561870D6FD4752796900CC41AA4F2B256988403065A9C5" + "06FA78C50E0B5B9592A4116FDE380EE9E6C7FC67FFCB5123FCE" + "3B27A6D71EB875E88E0A8F20ACB50B3F2D46963913FCE830FB5" + "E01BAF0F2FEDFA8E9717576B96F788FF8F8734C33C3CD9595EC" + "2F6270BE920AA2A4FD56F83442141C1C1834820C1A41A51DA30" + "8F5CB8457E6C835C4F075706051A7CDB3901413FB9B42DD9E0A" + "2B8664BE7490CB4043ACAD67CC806886EA5C41BC8D81E00EA1C" + "C7AFB5BC34E150EC26E4D6D8D5F0C5A362A28C98ED6B3915A09" + "35D7A237BB24AA18D41DB5271BE154F4F51DC25AF823A978B8D" + "41F46AE142470ADC4D008B260928F7382BB08C320F4802705AF" + "6EED")); + test_hash (&nettle_shake256, /* 126 octets */ + SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), + SHEX("DD4FC79F3B1D5201767CE9A0F89D3AD0A3949BD75668744B955" + "23562A5107CF45ADFB39B5999D79CD3CBDB1F622B2B250C8664" + "7A45419A243ADF4E7FBCFE227FFA2995BA39FDBC5BAE183B786" + "704D8631EFF1F88CCB8563F112440DC48D87B97BF8E8CD8B894" + "CEED6B43C857627AD1EFA81045CE505FEE7F370CFA478BCB4A4" + 
"174D133D9A7057702E7122229F53CE03D281771CFE58EBD825C" + "4285B4D7AAC7CB00A835FA094683F503E92B690A4A35D0E4F5F" + "01DEDE83FC829E4F3C5F783737A68DFC9EAA3CCE682E3D52786" + "75D17A2469FB0A814BF71FC212D7162ED80707AAA514CD5B682" + "B95B948A8A9D79EE3CE1B9AD44D3E6E6EB455CF198927072D8F" + "28950AAE0B5FDB628ED5280695E7A83665C94A23EBD16353679" + "7EE6733166AF631F21F6C1FF398D8D363D6F7ED518FEAC9EEA1" + "F98E9E3976706F2EBB3430AF64CB788A2461B736D91876FD481" + "F5F0135B458B57CC00959BCC1D145B2B776D7B5B1BD0ED154DF" + "B602F78C8D567F30ACF34341C9356BE887DC85E9415602E19DB" + "053E965601CE5DB866C1A9EDE8C12A81850F1A46CDC15411256" + "0A1E38C40A014E1109195FF23054954F463AA825FFE1A377D3C" + "B1DB279D2E5BC7FEA045CF3B2681170CF42D4C0518BC9E51C3F" + "854052263D31C50867426552E6CAEFE37267A7725A4460FE2A7" + "F2D951DDCF55A66AB59DE1A66A7FD15169BFEE7339428308C04" + "77B0")); + test_hash (&nettle_shake256, /* 127 octets */ + SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), + SHEX("FE149A9560E60DD76DAC07CD65722403AC64637033653BD6005" + "3F3958D0DF1EF1DAEB343FF6488587F49945A19479820A98DF8" + "484CEC8E3608A8C7D15594F61FAF8547FB0BA643ABA3FE942E1" + "91D61E2A84A548A4B76E0144B71E061D01E5B46629DC585EDA2" + "1696B6F716ECD7D98E54FE49692B5FF7E74ED15183C4A4728A6" + "A4FDC85FA56D49615E0141C65614DE51776C73A46D19E2EDA71" + "226B5716FFD83C06813B631CDEF6BAC2B5F480CB59FB54DBD0E" + "0FFF0539FF70FC1F5872D8B78B3E03335675925E2A6FB7FDC93" + "78D3202F396F05DFCD0A2193FFA3DA954EB44486C054D7D8BC2" + "2194612047F2F8C5FD5423504D6A06F0FCD4E611880C74BC84D" + "7D5C3B66E017DCC79EF5EE41F9322F7DD863AA5428439D8E5ED" + "3222F2346E305759B46826E039FFA8A2B0C7147C2AA44060262" + "6FB79B0699ED15ED9CA54125603E9A9525DB238A518708E7870" + "9D5CEE0F3A196B4CAB52198ED5A58C98775EECBDE3EC721214D" + 
"B7A981C81D419F013F1DB230746BA5EBF30CE37882376DF8785" + "ADCA0E04E9E18D0EC75778369F7516F5215AE92D67C4C475109" + "0246A8F3A719BF83E3B310D61FADDB911B2080266D2B43F31FC" + "9E3A5D9747EEBFC8816F63E398C9F506C00821D0F1097349FEC" + "C2DC05FC420FE673F5398FFE828CB99B3EEEBE817EAB6208803" + "339D8D905C845FC934487F51FFCDB4E83D8E337DACBCDC57F86" + "7EBD")); + test_hash (&nettle_shake256, /* 128 octets */ + SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), + SHEX("E38785ED93686FA741FBB6E5BE64933963C3C872F7A4E8C8D54" + "0EC3F82284605625D32A24BCE8B40264EB51B164DD86F318ACF" + "D9867F3BF23998275042AAF23BDA01F602622448957B81E5147" + "5F15CDB31A9297EE390F681E460EC01A024F183110C728BB09A" + "12DDE89E6F5DE2B4F8C17D981E3E9C531E6D4C19448A4A6BE28" + "853AFA2FBA216F7C8E2CE4E4DE31F6B0E129CB5DA118B4A5956" + "9A439C1095EB50C51CD83105B1A12B3F7086947EA7381969A78" + "308F8FDDAC8B2D87F4540A8E7CAC8932CA76201F86561ADD09D" + "833361851CEB9759AD1EEED4E00ED19C642BC6D0AED034276B6" + "6D818E8791A7C1F42F8604E8B026D4635E3BDB27CA0FB28E751" + "7BF662BB99AE3A3C698AD0AA2F02408E76A5F93ABFC933B1691" + "A89EE3EBCA2885EA633D0FEA4DBCD03B05B68E0F4D267144FDC" + "0898DE46011832ADC872F4A7F0D8933CDD482CA54FFA81774BA" + "083D3D9FE07DE94F8E03FF66D9F1BFE7504E8A497591BA8F527" + "58F92E0A4CA6A93979CD1F55EE9DBA17BAC6C69E83DDED4CE2D" + "BFFB0B48C0C6AED657405DE18E7891B3C854127459E89FE5442" + "CA6D5C223B046147BFDEE435CF4EFAEFD705373DC87E20B7D31" + "C7D37907D30B8B32054BB9ECA80D0AFABB5EC5053D94D517F15" + "8EA958C7458CF71FCA85B607A352A9A3B8F4F161E3B8853F6BB" + "61864BAD12DD9B57ECDA507A3CAA63A1DEC726B518CB4FDDEED" + "6A34")); + test_hash (&nettle_shake256, /* 129 octets */ + 
SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), + SHEX("66FB94B62645F96FD55EA261E08A93AABE783F160AAFFE07253" + "A1C3D45DC65F6AFDE9DF121A894A1A13CED4E5D492675BDA359" + "26A1B147D5317D3CC09D4D34EBC1BB223663B349D3F66F05DDE" + "7A66616E7F89B0BC6859A3EB8402B881890B21979BE6F60CFDB" + "9F6C2FDE570D79CA9D24099820E433DD995E4C2271EB269937C" + "BB96839A03BA7AF726ADF23B7FA2F86348C0489E09A559D0FEB" + "FFCBF33D77CED28A439F09E2EFAA7D6334A783075B588134C69" + "433AEF0F8665C05E97EC2AFE49336EE2CEC0724842A64123C7F" + "43689D1EE88873F89AAAE9730B1A29768BE0E49A87B52C1F5AD" + "08D700EF9B57A20F5DCC7C238A5E56CEA3A0EE1F9BDE550F279" + "2741F607E81744855A5F109FE91887BC580199966DFE28A30FD" + "1FBEA9AC4259E7BDF7135E4A9D83234F9D7ABE3BFB1F264E23A" + "67F456096E27F540FBBD5DF0E8DDB5A6A455ECE063D4D528C25" + "82BE8F111E1F7C7F204B82D40F60C2AF6099DBDFD64DF85899B" + "A2A02A26870E3FECA6C07E99AD43F93D21DC275E1AFD1E136D2" + "F49142B4D208EC865F91DDBA5822148C6884B7CB283DE5AACC4" + "E8BB66BE3B08804246C808569B2DF0AEB08BD4C255AE1829AA6" + "2AE9495A89D238DD93E2BDF5D14159E48510FC82B572402302C" + "63956CD215341A1D367135623C644094CD845B08ABC7A8CBD4F" + "3B66F48375DF7155BC5A781E69272EC1B3AE4E3CFA1D8D39BF0" + "B4B1")); + test_hash (&nettle_shake256, /* 130 octets */ + SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), + SHEX("295E0FBF3C5B510D6B244381BEDF20F8BC3D915CFA4BF9FC42D" + "BF6932F44DCA91744D812CB9F639A9C3D376C49CE3C7DA90D26" + "7D794805A61D20D00C79F42C37BE018C67857B6A02E46B6D6A1" + "47506210651E31B280043610584A1440A07BDC8540AC46E637F" + 
"7D947792A65ADCE3B790636FE1794E90598CA6340982EC58F3B" + "24AE1C703FBB91412F1AE7C23A3CAF78C4BBBF32C90C365726E" + "D4832016C5A19E94685A7CCEE376184A10BEED6DA7E26D1A426" + "0EFFB7E9F7A0A0C71D7F164CC967C7526A0F1EDF1FF54AEB114" + "109F7B34361DB5AAEF9EAD31A4D4896CB86556D2619DE0ACE07" + "C133B14006119BD4BC8CF4F8EC09CD2ED91B4E524012261EC95" + "37B3BC4C67100102293836E22AB5524C979F1C1AF51FBAA2ABF" + "3F0EFE6818BDAF37CEC4D6CDDC98A994BFF1AC458637D528BA5" + "F701DE0BF4E4E9E691149A6CD4677BBD9821511DDFA6561C419" + "B473D2BA019CF1B83B7AAA3BBEE141E2FA38F032635AA559CA6" + "29068DD4639CCF579118496A903BA7DDE88FF54806AE89BA397" + "4B9DC0AC520241BEE278E3EBA1B3DF1C026A8E5F0D5F28C35C5" + "B04145B570D2F06D25F45BEBF4DE2785D75B0BC9F1E6F9AEBE2" + "AE510D422180CEF13F6B0C8A0CAF76609A158FB6F3B17E7282E" + "168DCBA19E76DB7841E384B54F3AB29D78C86861560CDD934CD" + "B63742933253D7BB82B453CF829F33B99B8E56B906C86131BD6" + "4F64")); + test_hash (&nettle_shake256, /* 131 octets */ + SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), + SHEX("9E8438CFFC23A52D75838690E7074D2C713B1188375D1A77F8F" + "C8C24A4B89CA5979F58692D90DB14DFBFCAA5EF0AC0C2D16F3E" + "84E6F771ADC26FA9081F3B10E02A3EE1A3DE40DB5DE17F7628B" + "A3E20E5563BAD66BC32BBFB1CEBA7598AA4480C86A0C4ED1036" + "08CCEB103AA13182F48D9FB363913000BA6559C855652B4EC29" + "D06BC99148569B66C77F58A757B75C3BD5EF2FF832FAE020EC1" + "C9E19C1117A107F0529EA66F0607A499DB0C32966A95D882699" + "B96C4949912380150F951991AE7768E5A26267A8A43CA76AE9C" + "5EDF31D7C52F2B09C9EB15E1CF47F85B20BD55CA47FEC048B8D" + "F899A08DBE2E9C2F72BFDF3BB803AF10B5A1BBCD7B4E1915E09" + "9C22307154012C67A39FA77720D7006B86A1ED4F095B6644AF9" + "72CED451453B3DE57B1FAD8B4280AC62E1ED09E219873B92BFB" + "50646343C46CD3C42E84E9C7F05F1AA5AFD583F685A20F996B7" + 
"C0683002691CD28D454F71334C2387DFC43D32E633900699C8F" + "C5E3A3F6494CA0BBA96EF10B7F367DD31623DDC14E9907F9FFC" + "2C65DA666D06987DB1DF8ADCE1C74BDA7BC6C6D5263E3CD777A" + "78B9020DB37D331A16C38D7419EC5036FD95B896373461E6B83" + "84B2ACF96E46C7C9AB6D43C6EEEBF62B7BE5F95F8AB6B2AA5E0" + "5D66BC4DF8A2FA1AD9C3CD9362CD183C10C8CCE216FE48AAB2B" + "1C4F6FFA39CA9F8D7B14AC5BBD8C71F55776F6C0EA8583ACCD1" + "956A")); + test_hash (&nettle_shake256, /* 132 octets */ + SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), + SHEX("07024716B8E95D104783A37F82E66D4F5B0BAE8897F1EF6C45D" + "ABF3A59253261300371A4FD20601503F6D187CED1067AECB11B" + "4A4B5A31FDBDF4A2B1BA9C0EEB0C2BE7730178FE435905C1B80" + "AFD9CD27BCC631C57A10F3BF3F285BB80D9C4F1C70ED3099694" + "1D1ED225386B7F4777C18A01EFB5F1086BE223EFDD082E01755" + "ED517AD6A3E423E924147761C95B74F6BD338F1DC0E53715AA3" + "1BAC84F7E5BEDDCAF56574626B23DC247D0AEE8ED77760F53E7" + "FFE467564AA3159AA300AD159159259DC3252D95942215C81ED" + "5FAFE0CB065758F72366E50DF7FE6F2B41E36371408503C5E23" + "A4CA0C93460C0ED713872F35CC71D1B71A34A80210069B12CCA" + "79CBBB04836E6D9A15E78A638B0879F74034339BB4FB39EED0C" + "8D6684A67DD89B201B46010FA73CE5FBAEE87FD89D4B5C40F04" + "D9CEC8510BDC3D07539C82031FE9734826CF36BB41B30426D32" + "A10225209C24B631A071FEB2A9B834810E81B6F87A6128F6781" + "5E4AF6A6582EA36D9BE5DCBB1D7FD0BDA2D583D1F6BC2AED7A5" + "34C33A8D183D5EDF42F3080BD07CE9D78647DF008D417D0DED5" + "021D7B6996D6B541DE75DD175E820728037B531521851C9743E" + "D03F8DAF292846B2EC019238655256EE960E0981DB7B65A3692" + "B50F62033FD79A29F4A36C27BBE7A3B7BD1E813F3A2EDA1CEBB" + "29979D91720CCD125D0C43D708892BC38D0D297047637447A19" + "CB09")); + test_hash (&nettle_shake256, /* 133 octets */ + 
SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), + SHEX("585F27AF67FEE2446767B05CE40627BB06D403430D94A62719D" + "AE2864CD44E7A8EEA340B98DAD0520D8C16C1BB1AB562C0FDCF" + "E6F1DE4F8A0601EB9A73FFDBAB82444E77487213D17BA31E2BC" + "39FEC719979080A501C8E15932AD588000959A18447B98735C7" + "3A2A8F4A949A8FF187520E6A9901647F47DB442BFB2772E8E8E" + "22FD759F88722A98D24D01308B15A0BC715ABE9568A34201B86" + "75204BF68AFEAE8CB063D6CC9EA68AF9E4CD692F9718FB5EAB2" + "70A2B74AB623B521B4B085700CACE113168F56A994A639517F3" + "6E3165029BF100A6F19162A8696B858A0B0716751430DB7BF07" + "480427C2CDA01070F5E78E3DED7471874DDB05D2944BFB04487" + "629A98E06CC4C984AE8C5F7695248D01CEE11D75A9C7F545CF8" + "6BA745B8AD5564F33B0A8B72E78954A7FB253C07EC8FB3D3BDE" + "29DDD91DBBD94D332FE9B7438937018E8243C2D2C30657959EA" + "4D23A319854FB2CB994CED4286836E83324FEA54C58DB55A969" + "165A1755D965C416E1D67468ABC701925F4A80BBD9AA9DA82D1" + "48A26158712C2B9830804A4CD1CA14A2B246DFE8E8A12EAC9C1" + "07E8CBBF34EF9517674350973E75799A251E72A352D2700291C" + "C3F1AAD40ADC9050BEF9881170EACD3207AC0C573E238B65500" + "B997DCEB347B94FCD5069CF43BF15AEEF15E4C135DD21B4046B" + "201F411513AEA9629B9887D21CDC43768FC1C1B12EA4CA4595A" + "D463")); + test_hash (&nettle_shake256, /* 134 octets */ + SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), + SHEX("E57DD7DF74504F52D00B8079631F542A532610D77DDB4BFF891" + "5BDFBC9B8F25352AA3D9A2D00CA2E14C77FF661B3AA44E30BCD" + "3D4B110A8CEB65E150DFD9109EE948FFF11CD01F6A98C0100D2" + "323F52E323E32E9FE7BBA6D4411EEE3CCF70122DA5BFEC8B92E" + 
"72119D4B1CB1A1626DC0CB79FB4E4C938A4A7CAA7962B04A112" + "9B4A0A9C457FF38E8D3379044E4B65B82336709B95401CD0CA6" + "4C10F5D22A226678A1EA4E2C54509085ABDC41AEEAD761C7946" + "F33140AB775D61F7B001F141D00F5209081B11FC2ACE5D9143F" + "BCB710176BCC8AEE25D0182461AC1A446F3A94788B3513B88DD" + "DF5DB0BEEFCB331CD2553416A3606F44B5CF36318C72501FA20" + "07F76BA506EC510508B27D692CFDDEBF075B39E531BA243F3E2" + "71B5F70EA6B58AFEAA0B8264202BA2C430C33D1409693AC5251" + "9F44B001ABFA9C5595C0726DD1ED36C8B7CD2F29FAA912E2613" + "D1C51E2D0C6F8B27FBCDD6137307ABDFC54C0E6C6FCE0630386" + "2A8EFECEE12EB87CBF8423BFEF01C6FB87225DC467CA7A0B024" + "3CA9D531811A5E5090351313FA6F73D413755551F6E7187057F" + "DF4CB58A1B3B3A63F28A17339A835A73BF21EC013EF4B2BF89C" + "B3BF1369A87239A546A6816D8B06EC5B1D5A179E67A86665EEF" + "CF439D667F5F9890DA8B9E1E7E1AD08F757CB0E3EC6D8CB8FD4" + "A140846E3768076D342FDF0BE4CB135D68FAF5C93FAFBA48137" + "86D1")); + test_hash (&nettle_shake256, /* 135 octets */ + SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), + SHEX("6C60955DCB8A663B6DC7F5EF7E069CA8FE3DA99A66DF6596925" + "D557FED91F47091407D6FDE32023B57E2EE4C6AC97B077624FA" + "C25F6E13F4191696B40A4DF75F61CD5521D982C6D09D8342C17" + "A366EC6346E3528B26CFF915BE9442B9EBCC30FF2F6ADD0E82B" + "A904C73700CC99ACFF480CAF0487CEE54CBA3753B6A5DD6F0DF" + "E6571F0115E8737B071031023B6BB0D79864C3F33162E78269C" + "EE23FCE47B91B4FDF91F98464A1D21E799D17F76C1BB807DEE6" + "67B0B273054BE298299BD12B7A80FB354CE3E6D1ACF98443879" + "A554ECA6B96DF061D04A117C98AEEC1CDE1AFA9CEF62DD686DA" + "91BB2B1F12379BBDC9FA32A6B6998B77E8EB0B50507862AFA77" + "99D018E272091F51CADD81ADB587EF67BA67618C45D1F3D559D" + "BD299ABC26EC712DA8FA34BA33BFF400D1F0F8B6345CF57269B" + "858578C0072A91A63EF85F9D378900CD1A55D2BD4630DB829EB" + 
"484D89CE7A414ACA173C52534AD5F9355E80E395E79156D751A" + "930F7F8B5D9F4D5A2C9A753723083C5E8EC6CB24D8EF93C8FEF" + "2D1BE4ECA222C6E6C2ACFD684893CEA65CBF5B096B3D8660071" + "36126A33EF496BF2310F293BFA4C93AB826821E2B93259C464E" + "0AEB06D6DF8FFA30B1C1E7E384C7E427A2BA3D99FF8A666380C" + "5C1B678F742C57B0C3B08849FD65300DF13499DD894EFC33116" + "E7D0774064331FDD407487417D13BBA4285299AF650D3065D95" + "1131")); + test_hash (&nettle_shake256, /* 136 octets */ + SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), + SHEX("CC2EAA04EEF8479CDAE8566EB8FFA1100A407995BF999AE97ED" + "E526681DC3490616F28442D20DA92124CE081588B81491AEDF6" + "5CAAF0D27E82A4B0E1D1CAB23833328F1B8DA430C8A08766A86" + "370FA848A79B5998DB3CFFD057B96E1E2EE0EF229ECA133C155" + "48F9839902043730E44BC52C39FADC1DDEEAD95F9939F220CA3" + "00661540DF7EDD9AF378A5D4A19B2B93E6C78F49C353343A0B5" + "F119132B5312D004831D01769A316D2F51BF64CCB20A21C2CF7" + "AC8FB6F6E90706126BDAE0611DD13962E8B53D6EAE26C7B0D25" + "51DAF6248E9D65817382B04D23392D108E4D3443DE5ADC7273C" + "721A8F8320ECFE8177AC067CA8A50169A6E73000EBCDC1E4EE6" + "339FC867C3D7AEAB84146398D7BADE121D1989FA457335564E9" + "75770A3A00259CA08706108261AA2D34DE00F8CAC7D45D35E5A" + "A63EA69E1D1A2F7DAB3900D51E0BC65348A25554007039A52C3" + "C309980D17CAD20F1156310A39CD393760CFE58F6F8ADE42131" + "288280A35E1DB8708183B91CFAF5827E96B0F774C45093B417A" + "FF9DD6417E59964A01BD2A612FFCFBA18A0F193DB297B9A6CC1" + "D270D97AAE8F8A3A6B26695AB66431C202E139D63DD3A247786" + "76CEFE3E21B02EC4E8F5CFD66587A12B44078FCD39EEE44BBEF" + "4A949A63C0DFD58CF2FB2CD5F002E2B0219266CFC031817486D" + "E70B4285A8A70F3D38A61D3155D99AAF4C25390D73645AB3E8D" + "80F0")); + test_hash (&nettle_shake256, /* 137 octets */ + 
SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), + SHEX("1279A95CB87B1CDF2F8A8A47CE55F0DA3766E35EC58CF921E07" + "B43B176CFD6CE8508A208C9D6F5412515E0235C95397A47D2A4" + "B13A357DB4882F69B9C910C985A5F82187BFCC46BD48CDDDA7F" + "65C3E95481A37202EFF9C116BB3F784BD46574FBD49E19B45E5" + "E2D18F57BE7DAC826A447ECA6E2A6BB44B0061930DF56864C37" + "8E020A183DEEE8445648EC2F95EE5F09CFB196E3D8090535664" + "46FCA6BC36896215BCE115B0AEE55737A4421316D2058F24C36" + "D46279B458E901D3A8062300024068D99D8C1B8BFB6F3E5883B" + "FEF3C1AED55989151C2CAD1EB940CC82398DEA1E5A92351F0D5" + "AA7D47E16A949F396194EAE2EBEA1FB731BEC12D2734C2F1E74" + "64CA2FE27F036BFB28A32A9657C75EAEE79F86F2CE5EFF1AADB" + "68DA0B32A4BF88A37F1D66D13DF4ECE65059BD4ABF91A3EBF98" + "2A1F5E9A6DA639623D0C8E5FC5C0C8071965221C4B79CDE7D44" + "FC258F20CABE3C38862851952741FC9E9E87C06AB0CF8B8FED6" + "C18666C5C70EA25973FED36D90429C54B157174A2583E142E26" + "F2ED492A9FA74F1985FE52A421C2F97F94B73EC7D881F0D0B0F" + "930461FB896B1806C704307CEF682834CB583B6E996BD31A6F1" + "D8586D416FD8C91EBA59935FEB12A1E77D0F3E05F80842B14F3" + "4F27ADD947EE3CA2E54BBE018FB8CA27FFD1C24227572CC277F" + "723535CBA0133E359217D5522676485181ABBEFDBC31C8164F1" + "7847")); + test_hash (&nettle_shake256, /* 138 octets */ + SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), + SHEX("7A2DFE06B3AFA54B49414379BB9C7A80EFBC8D0630B8CA170F6" + "B22CF65BFF168F2BA6E32806E6E7D9D366D53A319BC2C8B8AAC" + "7CF8158128617229D76AE594AD71C0E0541B86078A62D71E299" + "2E555EE6FBEA906CCFE58FDC7101964EE8C3C05D0C2C7D8A01B" + 
"7E1629BCF62233C0487E36E1C25474E129B72F1F9BAFD6E0F7C" + "9FDE8DD44DDC1DD9668840294C5B39C408AA1BD1395D1F4A236" + "8D9D1E5168093A63732545FE594B32EE91F89B297E3A33F53BE" + "9A1A00642C17DA7061C10D1525F34180D04C78BABF6B1C866A8" + "AC1D19FC17C24F13CA4032D650DDA748E2A09D3D97A2125D52E" + "670C1DA4AFE56E60DD789608F50E914317EBDAF125BCCA849CE" + "37F38EEFE8998BB2B1B10CC1B28AEAD1FC48FBF1C95B2A0F063" + "7609CD569050BB5F3711024CDE92BBEFF1C73C9B6C8DBA71B2A" + "A238AA26B4007978EFB346D3FE0031C391A70F362C4C5FE1DA2" + "D3C73E4BC52A400E5998660D8C127C46CC7FD589DB2C952D2F0" + "77E4001B2B6B46EE5E56A44578B4B8DC1AFA33C3994CE7CE49B" + "4D8181195076B938BF605F61A74F9C505C64C2A75601E7EC3A9" + "4B22157308BBD481553ABFD8ED5575B828CF247F6D321FF25FB" + "AA245F9B30B39171E1CFF354B9F20D55196EF66D32C4693FDF2" + "49F528C86EB82779B5FEA03F8A95F31DC0579B1CBF178B23B27" + "6E5618941760B117AF65B83374C919D6D423B575C5C459B5AAD" + "6A2D")); + test_hash (&nettle_shake256, /* 139 octets */ + SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), + SHEX("FBA46834A6995933AADDF85B59F60EB3B77B5AD38BC21A86207" + "9D8D2227CB9B3CE3ECE89D90C70B990F7507D5C3A565974446B" + "54D43288ADCCE2BFBA8914EB498DC6001BA169417AF6DA3ACF6" + "85DCBE3CFA0C59963F0F0AB94D39F05A69D5DFD320EF409DE76" + "FF85E01636F57DB9B2DF436D94EC2845F0C0D1959DB6308941E" + "40C946F4C3B3277A065847C9E3CCDCF113DEC5DCBEF5AAA1C5B" + "91C19E05EEB66F6E698178B7B02FE00B89DCC98526FA0E7B2C6" + "247E1C175A21EA34F5260B0C0A625D7AEE1680B20B4667B44F7" + "2F1353BC71DF6CCA4346EB54306DE3C380438A9B8E6CC47E6D1" + "8D84FBECBF9A6132F63C191635999105967C2E171B74615F456" + "D2E111E7FEE5DF00217B49BB49270BEFE5BDFCE1486C13C6A94" + "E31A20C1D377C410324C08A17C2D04710CA267E85A2CC1E17AD" + "A367C0F65AC3A70AA5FE14378371132026169657D1BC1B84C19" + 
"08AB46689494C3E8A34835F4DC43D19E9328ED0A16341E5E9AB" + "B80BDDEF1BF5FEB5DDEA560253532A6607E2E128480DEE2083A" + "F54C67E971CC6B56383A564B0BBD2D802C6FAA7BC62629595B1" + "7D04C3AE20F73B35A9AE4D356D401345E0A0D5174BC457256DB" + "BD844F9A4BFCE0DD48F35C5F8A915E61A23899C40FA63A51F0D" + "1160E16260BF4DA1902AF01C67E8997B2AAFE1989D013846CF9" + "85164C03418930E61FD06F9D30F06897460DFA1987D4B5D73B6" + "8CAF")); + test_hash (&nettle_shake256, /* 140 octets */ + SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), + SHEX("4B60950081987C82C2F1A1BB9EBAA9A72E125557E296BCE9895" + "561C6A959371EB1AC9A13914F4419B4A0A1048B3D422B53261B" + "0AC26EB9852E9933251E154996DEC6219A7063D87228A8D72F1" + "3FE94A0E75485C8F23DB2341EE7439FAF87A1B359CEAFE42903" + "19F4705B49CBA0ADC24DB4FE8800AE05664C544D53EE119CF4F" + "1572DAA355E48DB605695BDAE5BF22CFFB60C019934F2AA9529" + "18B388EDD9C53DC8FAC2186CA0F77AC6543AC379B1ACEE9913C" + "D75CA8E0F9D89616383C9541603430AA548E9A9DD8F90F64263" + "FE42A9B8F66991CB2B8B45AAF683F51D194A01098A10D4BA110" + "7C56173825AFD79EE0A334CE739915D4F046C814412DF526ADF" + "F4F23811BF1C6A254372E8E46F0008F6332637980417043BAB8" + "FC21E3715B713AB4BD1DDB3D50FB9D5D6AEBF94FFDA51D3BD4E" + "25C82B295BADC7F8F11CA787DCA045DE2B52A79226ABB945F69" + "732A1D0DA3A3228D44D8F43828D8958E621851F4824590C0719" + "982CDBB3602465C28A97CD4CFA33D6EBA65A3F6428ACD37D669" + "67B8C996969D866A02FF6EFC1B6240AB557321260EB4C9D233F" + "F4E1C293ECCA825DAC943DD1B9A624AC37ACD1A818D2F74AB99" + "B2883F0837F77D4D00A52DE0924EF55C7536916677D2AB4FAA8" + "F19E8DCE97C05690570FF0117C32A3F500C2FE817AD651DF2E3" + "C28F5E867083F607E8D0509745588ADD19F1BB7482087A50821" + "7DAA")); + test_hash (&nettle_shake256, /* 141 octets */ + 
SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), + SHEX("5CBBC93FED206474A11100E1973984D5BC5D06AD92996FC8928" + "C1E6BFDCFAD5E32665F4743EAE8FD28289DD226A0136ABBD5ED" + "BA5016E975381D4C3CC95065FA4CDAC2336B39342BE8070AB2B" + "59DBABDC77B8742E4B3C86F1EE9ED0C2B5030FE1ADBE28F8271" + "11FB137C180B9994FE150B1F5144081AD59131A6017CEB8FB07" + "15DD2DE6B3BBECD2FDA4C3E9E8A652B5DAB4D0B39CAF6841383" + "8CB1960241AF59A46C8B5FCA40552693CEDA564862DF42C5827" + "EB371311FEF9231FE1B23ED07F72DB6410172597EAFB5D077AE" + "D168197F20C3B01CC3C52A94546B722B4AB56211B48192F908E" + "7E7A7B7020A8F6370A0B73E046E3211DF3352DEB1D59E4940E4" + "5129A6667F160D2ED6EB703EF962683540E3A9C7C94A61875CA" + "C09C4E22ECCED9E2CA6DC519698042F67AA518EAF3D338C5ACC" + "D5C2DE5C3DF6B4A2273A0FB8880CF3F81D046AD8B24E73A8F3B" + "D7CA65CD21AC2D950A7E36D0A25362788F1AA26B71CA434AD14" + "EF3B002BAF6327D4A5293D91CB838E4212949675DF185B70D8B" + "42C0C01F289478F0A9FF736E6838EEC5E54413CA6F7F22F51AA" + "DA7F3E9C69B9009599BC437C0D806BAEDE6DC1B2FB9BBBA43FC" + "3BFB5CFB408A9D8EC1C1DD1528CC2AAF144FBF9079F86577A4A" + "042A085975BB1CB5DDBCD728DF6BA69CB23A8BDA0368924466A" + "89DA791D4328DC55800FE8639987EFC172BB29836A901B3F4F3" + "FE9F")); + test_hash (&nettle_shake256, /* 142 octets */ + SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), + SHEX("CA9CF74ADED61A4BC20BA078E8053702BC1A444CEF69AB058B9" + "C0F586286C138CF02AA36CB69E0CBCC52F455623D27B9597C93" + "68EA5DAEC4278E75AD5E3FBCD480DDF8EF39B3D10808D202470" + 
"D18118A215838A0F6C547D324FAAB761F7C8CEF462BE150DD49" + "A26DF4E453F997C31FCD27280E846B15F640FF8C39BE270DF9E" + "44CE57CA82F6F6762777089276A3E67D8EAB0E4A0C2E1946FB0" + "8B3FDD3FAE438CC2E9EC8BC1754275FCF4060E31428B9F08E95" + "3F9FB4F80560F2040E4B6CC7BFD6C278FF01ABA41F43549DC0A" + "A0407E5C8346543B1F1C24D1E05475327A48821C1C1058850C1" + "80776EAD66996DD5A02865702E0E4705E8E2E7D4D25F058528A" + "C980EB831D6B70E7CC06EDA314D80E1433B2A63EEC405BEE2AC" + "B18CAC238ABDF254DDBBE72640C8C609F70D04C77D2BE9190F7" + "8C8E448035A9206841C55CF9152AE5F7CACD798AC696299551A" + "5D45ED113C94CD862197EE118CAD47B8C08BF4FA1C6270A61DE" + "6D538D608E126C0FFBEBC7F44D418BB87E557E550CDDA20C2C4" + "7F2CF635411189D30DEDDBB9075FA6F0521D2C4FF0E4D641006" + "CF5EEA1231A87D020664366EBA5C5610B63EE5B5A50C2C8CA6D" + "7EB8CDCBDDC34AED08ED7E0EE437E235449D4C1CF095514E581" + "E3C8A15EAFDAEF19FDEB31DE6619BEE6B17B31A96140CDEBF75" + "34E0C277EE33C54319B140AF0135D6F91F7D2166026C67C71A2" + "1287")); + test_hash (&nettle_shake256, /* 143 octets */ + SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), + SHEX("9FB76F906CEF4A8C7A9CDDE3254E6D4581DCF745B26995FCBC1" + "23E716F079E0A0B9F7C8CCD9DC5AF8894B2D9783395F7BC05D9" + "5E20419C15D74EEAFB23B6F1BA427B4B20BAE38C2F6812B74A7" + "A671384235DF3618A7531123412113D57B9C2924EE4AFDB9CC0" + "55070485A2960E8E5CF1971171F604781865624B075C3C01FA2" + "7F9B602C29E257821ED92B35F7941637C2BC6F0048A579E3845" + "03182CA8498AE7493D398476727A2AD321785D2273F9F548F6A" + "CA80FA7F1ACC1144EAE7C0AE58C3C4BCA20EEDC93C3742954F2" + "E2963282084853AF5C8F30A1A4333374B4A66188DE73F773FF6" + "A576A0A0DF3C690CC59521378CADB123BD673A04FAFB26DB9D6" + "53D60A87F2834683D97F5D6E23FF2ACE2AD0A5FCAC71CB00320" + "39EE01A2C3E37B3E1C14ACE44A5A6E43B1E1A0FBC8AFB0C811C" + 
"911F2853C85F10D06253D29362D08523834273961E37C4BB0EA" + "D4F79E33D77EBD0D843709B121F8B509C24396549D2187DF52C" + "996EEA9805C4A3C4F7729003D7BD7FFAFD6384779D6B6163AD7" + "C632A408922507188EA22D685E05C8851EA9C6E625D9461EF06" + "AF864E93F9B4544F00244264DC57F4A91920FEC0120357B5430" + "4ECD0A45DD8A6879EE01F66F222C6CBEBE8617FC06B28805F48" + "0CBFE90D42A38D1981A4176985775CC92E3AA632CF4D5A49B20" + "1EAE275628A3CA7BBD4992A39ED5737CE0B4C32ED4C4D84D9E1" + "5A46")); + test_hash (&nettle_shake256, /* 144 octets */ + SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), + SHEX("D512EF86B19C0FAB408DF09A8CEFF07E8259CDCCBF0C060CFEF" + "D8FCD3951BED94BCC30005DAD8002227AC4524A8E6270961266" + "6F54866074F2272E6CCA23A88D5A05DD5B44DCF411E137F4464" + "5187BF03D8CA19DB835974CE314ED8F3F1CB3407CC48650A61A" + "8352FA34C4C307B8DC438634C292E91871A5DC55775BA740B8E" + "1085C14BC779A0260288B48C80AB4B2CEFF645FC47751D6DFD3" + "039246A5E7F8B1D66FAE0E2B71172C24D599CD5836FAF10B567" + "CBB834804C16D111B56D8961EC67CE6DDC989B0AC0FB3975581" + "D3BD70043725331685B959E22AF6509D4C9CBB8D4E10C9876DD" + "F6460D62AB09A97A220038952F7025993F3F3C5EAAEDC9D9AB2" + "AE948F56F956CCFA1DC670C47CE1946EBBC7F1F537CBDDD3938" + "686E65E58F1573806EE42DB6E22E1D5070820787198F27B8424" + "09B337BF0A5647C63DD0355838F52971616FD7318164CF33164" + "1FAB6E3B2282547288A76BBA5B973E138E4182783FADB159CDB" + "1141DC950B70EF4609055076E7EFB532C9A944C419BAEE914EB" + "EEEF7E1890B292F27ECB8B7DA25B0C7DEBC52FA75F50247BB67" + "1087A0DFC15FF3DFF6A3E57791F2471889F356D44A3A10228DB" + "2C3CE778ECBAC53F127DE3F4621E6D83F8714C0D66763460A01" + "1958101123E9CE31F5562B73EBD4F08947475E62C6D815BD02A" + "3BCB12B8D058DEF7A9DE8B4A70A00D039381D61DC6C0317A0DE" + "62AA")); + test_hash (&nettle_shake256, /* 145 octets */ + 
SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), + SHEX("FBE450F412E4DEA6DF16609A1C5513DDC550F7D7FBEFC4F5F9F" + "193F3AC88351CCFB1C25955818DFFE5DF50AD08B3DFAFACFD7B" + "FD484A628F6C9BB4E32F271F4846BFB90BE00B80572C12457AD" + "35541C7FE0FCAF156AB66548A7D90458713F8E10E725C575908" + "6D33685D43F3ED682B1F53453707FE17F0D389D0A8497E25856" + "6E93062B31E3538ED95691CE730B1DF2F498F010A2C2DE04DC6" + "98410A3D4669329E685827DEAE4BAF2C15DBBE975C9DAA13430" + "C440543AD94624501AA63AC4D012EDAE314DF68D7D4954D4119" + "C5B9505D566B8AB9B54007F4B8D92D9FEEC562B9E0E37FD8643" + "907D8E7B6FDE785195650580373D3FC69619FDD039606064E84" + "C6C6E44118E4921A2DBD185E7DE90508FFE7380ED1C9917E0E3" + "8DE26D8941D6AB0D0B4FA213DB4B075A362B314BC7C3CF21A83" + "41C611551057F9E07492C8D923D54336F3F0AA44422C423E2DB" + "0D598216889753280B08103417F431658F1EBE267237802E1EB" + "FCA862027A29AEBADF8ED9A603983E0BDBBE84B3D9A5F862ABB" + "F5E18E5552C0D3E7577B96916123B4504AAF2107F643067B88A" + "DE293F5B3FD3F6955CCD9AD7E134C9F5EE60F6DA78032AD1C85" + "D710BC21939008111602147E0BF1D79F7F5302686729D44E44A" + "7A6521B8270CC57CC8A6F16770BA66EDE8FA823FA088BB7DA7E" + "EE980C6C947D7F510DEB93BF0B5F4380390408823AA8EB980CE" + "0F04")); + test_hash (&nettle_shake256, /* 146 octets */ + SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), + SHEX("6658EB2FEB9A739FF1724FE1526089D0AE807945741C2C6CB63" + "0E8F5B9C88F3455017BD81A5ED8F441AFD50414ED0B9C267E52" + "7786041C4E3F8DACCF1DB60A0ADE7199F689C8F0C04CC846318" + 
"F0B8C34B122BB98386F48B0E69317938DF76C9C6D502BFAE1FD" + "A37DDBA108AF9E2D07CFEB50BB79D828FD5A67C9C3771FFAA07" + "C7A47FA681A1358611BA76B079F4FE14DAB9A0D3A4E5D2AC41F" + "4F1374319FF9B81D970511464F5DA9AE9D6312FA8BAF22FCECA" + "2B4BEC1A8D887F47811F1E7ACC1884DEE4740AB2F6E2B4F8C11" + "C81C7E40BE19F90F27FD1722AB95BAA214B4096B4B11A1A9B55" + "3C4ECD789AED9F22FCE58AE1963A62E450D754CB048C68EEF0E" + "7D2C2A146300A902C56ED8D149BB5C36566CB8A3DFA8582562A" + "48927DDEC45BE750F639881CBC33D3B48C128D91108F2A55724" + "BDC5162B652CC03D5F591E96F4BB40A571E1B22F504A6BB6D8D" + "897A73884057E1D2EB15DE0D3585BC14CDDFAFCE3AD5D6A861D" + "7CF82B5F1AF784637A99B79F91528C4976720F34A3A12BA0A4B" + "C84975CEE3167D4E72292E9295629503D642A29196B934E71C6" + "3425AD701820E79DDC9220DA7C7A2AAAFFB852793E822B69157" + "34FEC8B93344BBBC66C5192B7F1AB6BCC63713B11CC23D54144" + "1C04428ED11444BB2F7EA981603ED4103F86E6623014FF97CD3" + "2DA3C6E1CCC22EA8BBF3B6853764A733E61397302A96434ABF2" + "905F")); + test_hash (&nettle_shake256, /* 147 octets */ + SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), + SHEX("CF7D80DED88E700DED518B2F0049405AEA695691924B4EF0620" + "5DD2849E7A0090647C3A23407CD4EBD5B582C32B6554C506E41" + "6B9D13903A3AD69234826E36E3C5862BAEF9BD93EF345125678" + "E32EBD5BAE0961935232D5BE54AC721FD75FE1165341A41FD88" + "0D239DE12065471AEE6CF970CB6A0F02ADDEA861FEFFF91E6C2" + "E482EA9BC255FB00CCE1FE8CE3DA479EB28768F356C2EF83F40" + "0A0F0CE859606F3862A3579E609DE48F1CED3C86A9EA302462D" + "E9A27B0F251798F9D0ACB22E6C71011F0DD45B11E8E33543A32" + "75B24B6464980A5B6FFAB2E9C8055CDA16BE6C60FB616A8F3E8" + "B759552A2DF2B05B846BEAE18A01DCAB1E92545B0B3CC2DC251" + "34379021DD7DC294BD97A775C174A04F2F67591841E080308C5" + "87E208D1B497E229220C38469944EF41F61A64C83E06A4390BC" + 
"F318E53E4A6E9214F943D1EE957B71E8580E0A183C6B05924CF" + "32809772CDBA700EA369448AB56F399385D4B8D851CC8D6E800" + "3F1035C6E739C91E03F1FCD9662AC99E372B45FC08610265E53" + "0F53FF726F599C33820AB468E6BC2C551204260271FE46C0A29" + "75A18BCCFD87A53B2A7EEE2095A180B0A5BC7D64D57FF8EFA62" + "8349E00C84B271DDFE13EB009387B1055F3B0E7B556CE6A738B" + "9DC880B22E79666148A6C4D97B2CA581864FF4400749750BAB0" + "3AF9232815BD21A1A6460483505C34F282D59863B9F491A39D0" + "28D5")); + test_hash (&nettle_shake256, /* 148 octets */ + SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), + SHEX("FDB4CBEF885524710F96F1B489099A8E5F9F5EF2BCCCC23B6A6" + "19BC81F9DBFF63B9AC609BD5DA0FA7AFAC0E67BB96A54A1A64B" + "4B943E0A492A5BFFF399CC9A1FDDB5787434F5034A30CA767CD" + "8A31B69276435C99C64F3C567EBAF3C69FBCEC540CB2FB671CA" + "3835ECD228C7C7649410107D399EDD661BC8947D43D5BC441AB" + "2EF39AFAC6788BCCDAC5462D5698F60616114A8346707606D15" + "01C834447031CFEA921A85AC882194750FB8E4D22573A27F290" + "1B75C6887D085A6B47E2BED5AF785C9B60DA38BC9F61750F16B" + "2E06CAA1CC77CAD2B95C5D583D0E1BCD7E10B0D8FA8DA7E0975" + "07D11873395166E3591BAB851EF4CD7E1F05CD8401AE4967378" + "94EC50DA4EF475424485BE599A4E8387B0309629D5B634BD70C" + "4C95BE723932EFC24CA8FF978CD31B08666F2F6DF9E94A6F8AF" + "CDDE6C6A01AECB63950A4B4BCFB4ECBC1FEAF3B54454CBC7292" + "A65282C9B0D7C6A053FFC11F6888DA2BBCD6496CA74CFAF0F49" + "A6F5F56E14E51955B73994015313404D46BCF0CA0854407707C" + "176F36C3AE5986F67984A33F252B86B2758CDB7D2FBD63606B2" + "E43F7BF0919CBF97D2E38F01ACA8B3983421CA447A78BA415AD" + "D0580FE56E391817783F11533C8D70E3B8FFC4A3CCDEC56297E" + "D51F80215BE98C26B343736196F5C68A65B308835C869328006" + "1865435383272A77397DD6FC3249B2CE17AB3417AC9DDA62EE7" + "4C43")); + test_hash (&nettle_shake256, /* 149 octets */ 
+ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), + SHEX("748DE9C6E6A8886E9C34D67A5B2625315D8B0057766CE2853F8" + "DD047A3B58A410B2327E56234572DB7EA886C90F6DF31B795E9" + "3AF95A4C52632D7E03D255668255F54C0DC1264EE989E25DD0E" + "A77A8855BC74EA1066F201C999C0BE63D1817DF33DB624F540E" + "BF463C4B48569136E891C1082A37E6ADD6922C08FE512D92563" + "9CC37536A324F3850932B474F313647E65FBF28CC1804D2EF15" + "492CE09E84413A465C69FCA84014F15F2FF3FF5BFA6A9C38CB6" + "9E75D66145BCBDC462E3A6FCDBD7835C44B9D95E1F6D72C1A7A" + "F0E9E9730559499553715B0A7EDEB6E5C8C5A3536CABA0B67F6" + "19AB317AA8F60A005860599BD1A1ED20FFD191CF7AD26B63264" + "CE022E1CA0EEC821D6A4BFC1E97482CC33A14BE20D3F6EF96A4" + "7DA800CE1A8FD6939069DF50C10145BEE28799F8A1C43D37CAA" + "377AEAE5A2A19E6DA2F173124CED0AA5652AA34632BE11CFEB8" + "FC3C9A0B4C45A7933B671432AA666FAFFE679562D727F786960" + "609A91D0972C35B4B9AD27DADA6A24E00589CB1EB9E4706A476" + "C5BF749091DF4370CF99FF6ADBE1B029505BBAD815AD50EBDCF" + "22208937FBA80A453A99CA49004706A3CC3A95CFAB7F0C2FD2E" + "03617F379FDFB8A91442754DE62805797ADB4CDAFDFB7A69F2B" + "0CE9DC530A9EC8C741E892758512C4AAC208564935791713B49" + "B95A9DF215FDD74F906F8EAA7B13A0EAA443D78A482364ABB88" + "3813")); + test_hash (&nettle_shake256, /* 150 octets */ + SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), + SHEX("1060697962EA79B9519FE3AAEF385C997B2E8028D68DEB08AB3" + "B76F71CE161EADE98C89D223EF0384232AB3AF3A6CB1D43EF5D" + "20C1B3BB819423C026BEF0BF54F4800CBF8E9E2D40F9A4C6CBE" + 
"7487600BF451783A378558BA27268A5074AF0630F5F2CB890BD" + "A971A4AB65CDC37C0215DB1C09BA96240BE066F95F158CF863C" + "C18346866522529503E615E4CFEF990F49583EDE896BEB63B14" + "89B6A62BBAD9330D5C3DEB673D42151ED98A3854C1E80E0868E" + "27D8CBCDB90DBF3505610FE170537919EC7C191579148E06D7D" + "89BE3F5C88C430E38FD36D820DB5A941680E08B5D1859EA327C" + "82EF50ADB1D8E6E5184652064CAE2C617337ED36CBD1ED42CDF" + "3ED0C411CBE1A9E92E0F4ECD3CF84CB6C07093D51CD4D5E7C75" + "43D385B9F420248749675CABE9FBB87F56C865325B826C4D32E" + "28B1E4BF1889F2D00BA87EF01720D73EEFBC38828CA76027C65" + "6E3758DDD1CE730E2AAAC0354EA71E79D53C0D3526ED8FC024B" + "B8CD675AB290FEED6CEDA91A29A71F5C128473EC94EE59A29A3" + "81E5046EFEFA8BE3AF7FF0858DD54065B41FDE35F618235D522" + "1AABE2B4BE62C1E7FDE8BEAD94F7BDDBAFB8A471199B3BC099E" + "77D8190029CC7508D576DB31F362B09E5C1131B0572D86D4A7D" + "4B533737EB4D7E504DD0852E079F2A1B2B3A526175948227EA2" + "511ECD4385F616B3BB086C54F191046BD1782EEE96257960104" + "93B3")); + test_hash (&nettle_shake256, /* 151 octets */ + SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), + SHEX("F31639CA0F9455E11389937E9E58792E3D73B9CB950ADBE8066" + "07B1AD53D80F2A199F577E278137035136AD2AFE7F8FAFFCF0E" + "60F0B2A71E0BD9B938B28FCBA94A912F249FB9AE1779F87BB1A" + "A714D1FCC57D4BFB899A233B99586F81F4885DE6693DCE78D9B" + "6631957F1689E843C1463045CDA6B921173054E14BE9DBD0688" + "90DF88932F68ECEFAB3AD3EECAC1B4C398292446B17E826AA8E" + "35F6067C908AFCE46FD92899726677E2C0589F525AE021A22A6" + "01839BEAFED00F6A8FF6223FC5A92EBCF6207341B63FA2E66E9" + "DEE2FEF1217D9D39915924E522BB52FD29501247B1A7B9DBC06" + "678C5F29AF7CEA3D8722374446992A4BFFB0E3E623E881EFA7F" + "957DB1946496C2EAAE98F0929EF3DF633E67730D06483770197" + 
"B9DD17C7C9838AA5003C5BDB4BC54E7389D453E769765879485" + "ABB3D565749C8CD5E50DA9C4517F31ABBA38F1D7A0FAE0D2816" + "CA0BA1DFFE569DF4215D215676DE0FCF55A75FA5F7E899F045A" + "4B6051DD9355032DAC56FC56C4988A4C082FB85B74A4C8A407C" + "E1A06C344B2E833281CA64C2F23FD8A9F996C563E9AF8742137" + "617C0E46C5168E0B43877446E07563DEB3D7654D9EA3C8AE3DE" + "C58C5753F34FDED605A49236336F0B355E95DEF3BEA7A367507" + "F19F4E0A6DD03ED3090C285F761C48A3D3C5795CF277A87FCA6" + "88495EFFDF5D10FBE07840C3F202D85044FA3BC41CDEC4D0AAF" + "59BB")); + test_hash (&nettle_shake256, /* 152 octets */ + SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), + SHEX("F04B251F8F1A9FE87E9F8B0BD8A641566174CD2157ADFBA255A" + "4DDB7A001ECD9B479B7877C38E487DFF1D830D01DAB9684F143" + "8C4812BEF8DA03ECFE57E7EB68A68E4FEFD3E0A70D607EC7710" + "2538D5535C293339532953138995CB4F23AF709F5C103E662E7" + "EDC447995FE5BC716C7BC482CD0CD13F17AB48D33C8BFAA67AB" + "6AD30482B6DB8BA5B1290656BE81E1B543793D47C1D0EE7BC95" + "3C812E187535A0659B2CAE6BE47284419744C6AA66B9E53F76B" + "9F90D4AEF8DFCB04A98C82FB434C0946E5B98F2C3BF25C128CE" + "F77EFB9F6412EB11F36E484FAF2043A40CF44C6C3D28761F9CB" + "7149C3DB4620D09B220720767AE41BB097C865720185C19A474" + "E4C3D706A636E42050A23766C2FF3A21C4E9DD7AF62F47ECA67" + "1F473E2B487A65ABBFCA74CED063E33F75955E9958240BC3907" + "BB90EC6F49F384DF5E936AE14FCB308F8ACC1F7A406DA680E4E" + "FDC2D2BB74B922C7B49E4972E388596B4F05FBA68ADF9A22FE1" + "6737394DFDFFE2F0D32F1283EA81996B8309C2D10D4E32D4B7B" + "C3D88484BAB364D0B7E35FF5647053CB34180E037A66349A254" + "AE2AA8F81CC7FB5514E76D9A01F96394E3A0044039C452ECF0F" + "DF5B8A57A2A5600AB31AFFD1E15D4642F1A37DECA0EC60EF753" + "797AD668B7D9F2BC02DE248C719311E5696E11688DDDDF71F2F" + 
"1994331CBCFBB9FF22438825620033734C27F9FE72766BD9C7F" + "B021")); + test_hash (&nettle_shake256, /* 153 octets */ + SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), + SHEX("8728A95B55D97271B701B1BF2C2987AB3045D39FE0978C9467C" + "41D44C006486CF3CA11B8C0D22C619A8E4652AEBE67FE9FD7D3" + "5357633C8E11B865BD4C55571D764E6F92E29B5C93606273522" + "A958EEE0CB2315E89A1B5C45E763B145B1166A4717784E993E4" + "A7A699FAC6385957AA914BFC856E8CCC62DD39159F0FA5D2F4C" + "74A4C9E1F3A1BF04F8D73BA5A3133243973562AFE874C403310" + "86E7A9705AC76CE8482B7B029278CA61CF74B5AED280A6E7959" + "06C4C3F525C5CB382E55AF0AC5C9EAFDC520B0AC74F14E0203F" + "1209FE6641D1D971C76370204FC14BCD6A8223E30CA81B7D9E9" + "4F35DC53634646A21C28E873BAF741705E4862AB6945653A312" + "125F534A75B6F2D1CD4409D8F842DBDFF9FEA090F6677937DAF" + "354F6130ED77C32711AA0C7CD448D92075909ED7CFED67BBD5C" + "CEDFA34495624EE4373D66FC2F3B25B78AD6A1A9E9FA9A714EA" + "24240161C8CD88F24FE72CC3160D5F68F2387347B580E945F40" + "1B0B025A21E97FEEC0D4DCC412D2597504489B3CC20E3C883C0" + "D88F26591AB840799B5E9B253FE02656CA6AE1A1EF1BE5F1961" + "F29CDBE35A40BDAF2760C7BBF051ECB62322DD178753B3922AF" + "4CEF0AFF4955C32F32AC28D3A44B7F1E8CF93FE6547E8C3DD35" + "159E92A9F3C6E4CF2A75C97CACC0D732B984A8B7A6AF9B81898" + "96FEC2DBBEA60C3B94904F154BDC8FC291E027ED03EEECFED06" + "7969")); + test_hash (&nettle_shake256, /* 154 octets */ + SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), + SHEX("B0EE2D0215F195934D2937D523D38F1AF153FC142C04E5D6848" + 
"34596F3B909241938A56209D414BD1AE0CB43EB2B46C314C1A0" + "A0B155D432947C318642FE5C5B4FD6D0E4C21A9DC594DB20530" + "7B41EFFD14141454EE55DAD5667CC7459D0283CA6652CD5092E" + "F8BC35C908ADD07FD5DAED66AFC6740BAEC7FCD64B838368A8F" + "F0DCFE25B0D46FEE0B842F9E9F59EEE18D73C2549CCE009C388" + "B5A8EBBD54B35676B6140DEED07EFD4624D5A7F816189DFA779" + "929C5F6B1B9489E27492AD0F1BD085EE890794529B75E10BA00" + "6C1B66F3F662C30DF8B1295E1FFC301DC7060010862CAA14D7F" + "A09817F0D91E928ECD89FD8E76E69B3EF4986A15DFFCEDC9AC2" + "4E5E28783667731F07998F8A36DA512BB5BA0CE50640A1A5328" + "FE037F5872A85288158CD5C66B6C03F1925C12258AC4B5E675A" + "CD73716AEAC389F9C235B02FE363A98CB10D9A0B44FEED935AB" + "067C2EEB499CA83FEDE967F576681A13C999FC7C1C0FDE2754D" + "FBA713453545C6AE722F4FACA5F5F2647378BA9308DC27D91BD" + "1538624F459D0769F303AE818CC52647AC15E2AF9BEC6476A23" + "2C1AE81BA4B355C9DBCD37323D125228A53086E0AFDC98C95F5" + "6E12A48843170E9CAE703F5001B52DA42C0AC9D285C8A13AD72" + "0104244F19C30B38CCD620EF8453401CA0FEEBC8B58025BBC6E" + "6C2C788899871D3A5A363D51D8991B5CB5085F8AD525A71E985" + "B3DE")); + test_hash (&nettle_shake256, /* 155 octets */ + SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), + SHEX("19E39F7444A4A0E1C003631423A621C055D0E07F0E11EF5BE18" + "36B71690CB0DE1565684C355EE9F2E6E65983B8101B5100F391" + "57DDB8C8D92C736604693ABC56491C58CD66BD66498143554D0" + "CE34D601072BF9D0E18EA1B018A7ED9A65EDBD0B81212EC13AB" + "745728ED3A328EA157B9C4B3195F8CB8BAD94A977015B94FE80" + "50F37A0BC14E58EEC7654B336A9E30BAAD27C441CF8AFE09313" + "2234CE47CE3FB3722990F6C5916468B50A13C611B194D148A15" + "1B9AC97A89539D1EFD2F9C6F72F56A8D22A557B23EC7D932A6E" + "41B3F2C177CA9F2ECC2A1EAD4061DDFC04AB1198DB0E26C4B00" + 
"301E35B18754DF79332A46190ECF89C0DA6834731CD19E2C8DA" + "3A09ED16813D2A41F7A0A4ABE02C93F7307FEC1537ABA546865" + "A3130D38ECC496E548A8EBD2858EC00A57E15E307C1A35D1355" + "B8B97E9DECE5A63AD7CBC97B30F2C9DE69E4975DBACC31E04F1" + "5A8C02E5D23ED01506AEFEE60A449DE20C5A50F1208097BDDED" + "F6D2CB34036DA708BA53DFF7BD6A1E41057E05BB57B3F756197" + "9EB69C40348DEF728BFA8382F5BC8DB63FBC08E6506AD80BCE0" + "C71FC94036EEAB1C0C89A2C8AF4002BD15617834A901FFA42AA" + "249F7EA700E6FF4B211F7B052ED5BDE9B242C9874ECF39B318A" + "3713F1DC3066425ABE76C4AD47F43ECFEDC86A45E1E93544989" + "CE7ADEA7E4CB3CF91047C4F9EAD7C98AE963F34E99874B4002E" + "3FF1")); + test_hash (&nettle_shake256, /* 156 octets */ + SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), + SHEX("18AF27FE1B4AE8A470778480F2586A370C93640BCDDC33453E6" + "F3EA1346B5A4ED3EA3E2EA43B143A22FC66501DD52DF724C0E8" + "F222380B4BA8BC23F2967D0A56EC241A0574E2783A461098F26" + "3533389D503B5D8550C8F60FD6FE953C5631635B6990434F8C6" + "8F8E9AC3701B3600C2D80F5B12D14218481904D1F15A776CFE1" + "FA745103B995F9CA8E8E2CA062C5A3F1FDC848BFB0DE4A47EEA" + "DA11C51C743CD15C32BF921D07F242B83086660605B29FC36AE" + "394C215251B49E9777A93AD91179CFB0551E113DC372F992674" + "ADBCC2D90AEBC572B4C82B454CEB33910B60CF81B1BA558C2E0" + "1EC1D837FEE34B86124E15D7BEB7155E5456DC94D2427F7D916" + "B9C34D24312EB2610A48002415182037AFE89B29DDF5DD7E70B" + "28BEC4A1F3FEBD72CCFEE8360E838FD787D0AA2AF3A502D6454" + "33AEB1CFF47E8E6769834CF0A2A85BAFE9A89B43302BBC64C88" + "AB6FE4712F3181A056921F6AC281C872E3EB21590C50B915F38" + "172849CC8415BAD8161DFE0A39C2532A34551441D78825FE790" + "4B3FEBD8F645BE5AA6F7DCC6EEF96431086781C17615141D415" + "9D6DA40A3A5C22631BDDB7F00040F0D39107BB366D827478515" + 
"48F3ED3DBD028E3261561C8D7FCC077D3905FF42BF3CAA9E351" + "207137F7E8271EE970117E56D30B35294E8B91588DD9D990027" + "4DBA4108BE1595833284047739DC4E90F9E20BA5EFB2B736DE6" + "548C")); + test_hash (&nettle_shake256, /* 157 octets */ + SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), + SHEX("AE82057AC5EA69CC1B5EBAC395B0EFF26850C394AF8178B55AD" + "808879AD634569BFD8D0C5F34F9A3B26821F63082C5D2C322F3" + "47FA6976AA88ACFA9ED8393E126F7F47DFB523C0560DA535793" + "7A74488B51FA67583C7A7E1230C015FB5F233E25B744F2FB683" + "0278B123F7784C4F6070C8F905F96486B2D5FE137BE8D57150F" + "47CC7DCC0011FD99F35DF4D9E15F0F937762C87153AC17645ED" + "67581B38E2B34899A7D726A9ECC1CF2E5198ED5AFF13F2544AA" + "A1A069CE8A30CB66E1B984002D20F769C0F94C95F99F914D324" + "02741D5C4D631B9D6E561D32D1ADBD1F1DD692BB89F48C6BC4F" + "88B669FE4BD2922CE6A3184605053322952E113C98B330385D6" + "C4B6527303563DCDF099BC2102F915DDF3BE0989EC8BCEB029C" + "E61974AC41A26D6DC7F53405A4F3A9130C5CCEAF71F828B3F7F" + "58117EB476A46263423F68ECC3427D9A94C292EF7C4C1D67B32" + "3FE15F69894DF362E54B441BA5C94D3E0B56B772AFB5FCBF8CE" + "62647DFFD78BA7F48DEDD2E457AE9FEE60580084A05F318907D" + "FB90FAAEB9F4D9C160259A6F8523AF77C8CD8AF344F41DD511E" + "46C699A8F9A5A85EACA57780005AF313705820D8051D780506D" + "02A09B04470398D0AD323ADBAA8B3DBF61AF68D9FD9DF29A76E" + "0A37678C08C9D102BA960DB0B5D20B6BCDAD7750D3F8CDE6E99" + "4267E190D7F3DA06C36CF7539B6B574034B43F55EF8DD370F72" + "7B97")); + test_hash (&nettle_shake256, /* 158 octets */ + 
SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), + SHEX("39B12FE62B75D707C8E18FE1C8CD23D3C1E15B7F46FFCB24C70" + "A1D86604FE6BBC36282595346A3374B0B2305F60CEBD77DE112" + "5373F5230535AB0E4BA011C6154F65216CE58A65856C7EF6091" + "2877E44ED2527C3038CA202B5445E97BF817BB6419725ABE41E" + "A1529B6DDC64920DD8396A7FE3B26054C09E310465BF65AA7B5" + "6B1877D949DDA06057B7373023EB09E4CA1790D66A773BF34F1" + "B9D4011322E08BBB7139B1750278C2DCE88626AB16813803E32" + "0515640DDD9D6A7C5B0DFF8FDB445CD65D6BB454EDF83D6BF4F" + "3387CC98E381C65AD3811C8DC3B6A42C203FD2AD6BC464783B0" + "73C1A9D37C1D29F85061E9C426DD195A98DF3EB0C2584219628" + "57EF89D643F8BB18DB27F339BA178E85144040BBEFEEB116088" + "2C3EF2A1C4950873AC4E5C853E48DD7788250DAB58A06BEEE19" + "03C2E68FF0F8D7E8F55AEB58CB0D65F5E74FB5E301BAE225831" + "4D5B82E3C0D7C7782AA1B34E80BEF2EB258E0BD322451097B0D" + "F4532A717E2F0FC166817E2A9E24A318E6A4DB618B6A8382A1B" + "D1A600918CA08EBBC224AE9A7C1CCC8978759F512D7A97E4D1F" + "05173B33F670BF3C40E2807128F752FD2995EC3A60891575427" + "5EBD215821A4F04AD21DD823341B15A484D0C12BB3D829BF99E" + "182FE774D2EFC726EB37638CBBB521FF14E10D73C7FFBBD8B79" + "EB86470DA14236C087EC3BDD336E8244E780454DA1A8E70524A" + "19DA")); + test_hash (&nettle_shake256, /* 159 octets */ + SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), + SHEX("939D443F3AAF7809342B2EC600A9D1A47E0C4195C9E1D95CE22" + "F95CB98AA970F4FDD29A7EC9DE471A1C342D4830D20DFC5ABFA" + 
"98F8BFD4CDF752E00BFF151D7CA44D5BBE7AC18A9ECC1157354" + "B2055AB08B1AE7B304623D643F6D471F23A82C2E1C67F11D527" + "985208C5494138815C3CF6227A6A6FACC9E2A1E3D58B32E2964" + "15E5889E58E1DC8657B0324BD1EAC60FF8DB83674B75683348D" + "69978F04697A1D1D3E6D29D02094C277CF034D8203DC4D705DF" + "8EAB7046C4811C18F2EC906B735BFD1C2AA3306FA0C9AA47E16" + "0B6EAB89E0B390F37E53B92A1A160560E9A30EA3F005D100F05" + "21AFF20A2DE0ADE53BCBEFC517647C81AB8684B2754FD62E5ED" + "A0EBBF56AEED4F4992A0FD4D26AEC29BD186B2E254DA07E1C5A" + "D03F8194AB350510998A3BC11F08EF33C61069D1CB7D271F7D7" + "C799057E6C2ACC1D3FD8DD666E1B2C2E15CA2F99E55163BB01B" + "CA7F9D53F6389704874B3E5DBE6E74D91F110CF8A4D5EACC7A5" + "19F664C962B11A48E022CF65D4DB4E4E506951513D83669C786" + "FDF84A79AEFDAD75414A6CC82EA84EB3A173E887D39230631B6" + "CC2AD26C55C938C6C82181F57820FE88DEA96AEA2B20E330C29" + "C09A645134472B1B1303B1F46DA40901A63C079689DB2C84E46" + "FC548270FE88A4A2FB5EA27C58A4374F72849B9C5C7C18AE207" + "5546868A05EEDC3D867F9601C5C8EE585F14A1E3A84E2FE9A1A" + "99A0")); + test_hash (&nettle_shake256, /* 160 octets */ + SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), + SHEX("FE0E80E36E66E0610581835D69A73908F1D951A81DE93FD2BC5" + "F10736DEF8A887EEFEDE8BB6074862EEA4BB0F131E48D2C3FDC" + "8B8B8B93AEF4C06BF97214F4D0C9000940F81664E04D88316F3" + "732B39E7F9685BE377B90FD7343947E7A79FEE7BDF5757C386D" + "E6D02035FD4082735CE2FE898F18BDF00F3DF5BD160D792D3A1" + "56584EEE92B273F9A52ED221831942EB0F148DFBBDBC2196006" + "4D0E9E1CFE4E08C7927FDF1F0956288419B0372D3DFF7D1A252" + "8062D31D97D17F7F8CB09ACE01187710E9DC2CD842CC8C09A0D" + "1FE34424283FCE75E64446608CAE796C1F6385F989FC93B31F1" + "EDC36BD2C3EF3B71D14F25048B2E30A5F279180FF3FD0B8308C" + 
"A93F4D1E72F7F45C7313AB6315D1F0B198F8D5B47742E94EDBD" + "33643397661391A82832744EF99CAB293F26C8E9B0F9D6C9C82" + "BEEEE0A4B4E6ED3EF2E7395FEF4222F3DF7B032EA28430478C0" + "38E45D36379DFD182877F827D86081647DB55B2A05067913DE6" + "94F84EE85BCCB1F60902F787CE27407F14C445EB5159BBF643E" + "F6195DF2F23B0BC41ED595665D47B91223740709DBC82A86E35" + "F615897BCDE5F597FE05047A6CEFD2529394CB85C4945F4188A" + "078693C56A6124E040070771A4E509036DF1C9B24E2185908A4" + "3E4FF81ADC7D10D5578B00A6DB9FB56CEA6D51590B1CDA9BCEE" + "86CBD8263557AAAFB7F81418FB9DCEB0DD67EE6EE7BC761920E" + "F784")); + test_hash (&nettle_shake256, /* 161 octets */ + SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), + SHEX("083A1EBA0EE14492AF390762E0673F2B41C1179C8616870FA5A" + "A69C40236A6CFF19F322A4FB8AEBDD659C5FFB5F1A953E65FC8" + "8C42C12E37FBFFD6184035F0F31AD80F7E257FB2E898C9E5DAA" + "5A20603A0EA41FAE59E7684646A826C4501F0A7A8C622CF5A27" + "D37E998ED954F0DFDA36A86CE59C8A8DF3DA65DA575DF054192" + "69438F0DC0F41FB34064E48BC4EFEEC93BBA805B5DC97F7AEDF" + "F9E08E3D4B7E2AAF58747255F09A4B53658D7AE61D97EF42396" + "161CBC2080DC7BB7392BFB348AEF7F4B2925CDF9F641F3BFFA3" + "F140C0142D0E61CBE3D1DF06B016579A748B56C89D5BA88466D" + "B79E891CFA7B70532A4D6649C4176FC21531F62F7BAF5D9EF29" + "76227ED6EB614DC44CA99F9580C82418FF886E169506F8BBED5" + "68FAEA7CE2551346EFCF70FD5C32B6A30572BB72C87C62B8992" + "EDB3DB0B4C3EF8CA466B5144658BC4148909BD8D9E1AB5CE3A1" + "801D15F93946217CE9D8C0ED536B3C2E75C17B7FEA2E99820C9" + "01E80EFEB0FF7FB8226CAD685CD768A41B8CDE2C5CC8BC44B67" + "3CE5C44F63840C99E557F3B45C9EC92981CFDB3E20EE040AF13" + "A92DF41E8A0877D0559F6FF5D9DBCA2F53A4E2A8B47218CFAD9" + "CA6AE3892F21A0D9C0FE91A4F027BC25985947AF0C906537E82" + 
"7B3C79BBA1F37EE38F2897CBE9ABA9438CCE9D972EC262D358C" + "33E2E6F2F814F0E28B4709C2ED119B50594BE98F594CCD2B7D5" + "6F03")); + test_hash (&nettle_shake256, /* 162 octets */ + SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), + SHEX("AF0FF42EE50B300F202648FBE2DC08423944429568354570F78" + "7B96531A0045C76189E453369381CB7B0A537B9EC05AA22679E" + "96C7BD7CA55793DDC73B6C3FAA3A0D2B03D7561D321FCB377A1" + "BA87C098D9FCD1C03D7B7BBA6262687D71B1B608BF148694673" + "9A69DBE87B95F0E7010103AF17A6B0C50DB308DE00442641B51" + "C5852E91E621133EB561C24655C9D59C22B6AEA470E4D235350" + "46FB88105E7DDFC08339E99D8A750B641E81EAAB46A18CAE3EF" + "AA493790A9E942EEB6990EB0E14BEB6FCDDAAA0BDC5D67BEE8F" + "DDF1931201F18D0B0EA4227D1E89BCEE6C293EEAC60D3A724FA" + "6FDDA3AF62D5C4C5200E14E2D40F3E031E71A8DE27CE3D3956C" + "ABE9C6A5BCD67C0FE25DBBDEB5720B823777815EC277B594C91" + "4F07C989824CF0B1060ED0D4B3ECE3FB65A5AE726412E6EB6FC" + "F3047C6326922A0BD1BA7604830DC4D4981FF12B0364435544D" + "4836505719EEF8BCD246A326CA1A756193FA0A94EBE98A632CE" + "5A0D88E115A4CCD1B030EA7B1651F43F22D2D2A530E2821F238" + "0857E916920FAB974AEB69FDD7C3AF313B46F2DBD14D5B4BEA5" + "14041E015EC93A6A633BD6477DE78B51E592B3D87A708B831A3" + "7B70AC70730C606A7C880CE3FBC11B727E25849F2BE6586D32C" + "F7F31E20A739CCB25B62C03C1DB5AFA7B1C00B003DD9C5BFA49" + "606830CD5A9B9204E1A51EFA571688496D5A49F4733DAAA295A" + "EE26")); + test_hash (&nettle_shake256, /* 163 octets */ + 
SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), + SHEX("95D216D4FB11C900CB83674FCD99D4A0B0909B307A2020BB00D" + "6D6A5590B6F82268D377E255BDDD9179249C3769AB3EA09D935" + "7447E99F9C8E924FA8C39B378790CB629C46C914EC79BDB4AEF" + "7C4D0ED5092B620A3CB3BF6D19DCB0ED4ECFDAFC9C049E7A8ED" + "ACD6C91A3C15D7587C58669E0AC51E151B613503DB2AFCA0AE8" + "1782CA58BEA22467B9FE7CF5F095B376BADFD9EBC0BDAEDBCC0" + "832D80AECDD6919AB2D31646D9426CC46DA1E5398DD475E94FD" + "FBA98129C8997AB4EDE6A204C17CAF9B1691160FA4362909B1C" + "1BE81420092A8F5005A3FCD26FE0FCDEAD650665E4ED9CD22DB" + "75382D898075BD2E68D240E13BC340C6E4A59AE944A626349A3" + "E27F9C82F4DEE5B593CBBEBA0A2BA46A5C0FEBC5290675B2FB6" + "36EE868AFEBE35F7BD08F1137ACB12C6D8376CC8E737827F199" + "C899B3D8AAA937349CC04B3C64691931DC13F10EC5C57F4D5A1" + "3A38E26614302C23E30F28AE09669C4A01F7FAC9FF0B2E10683" + "43862364E799C63D74C7BFBC5F7CFFE79C24A58BC2CE1041045" + "FB01653157C9945B626B3CD315D9D25CB0B694074AE8F29D372" + "067C308F6BF0C44CECBE47E5528E0EF9E373DB63E554FDA5212" + "E35898975D708652AD71C14A51C6E5E8A04CD9B7365ABD43F61" + "FC7B3EFBE60715574C0AD0BCB0C1D53DBF51172E669E35B19F3" + "33A3CAEDBC4E08617C47E51AB3863D61A13A8A2B2D5FB54190A" + "0B80")); + test_hash (&nettle_shake256, /* 164 octets */ + SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), + SHEX("C2C5A2155AB4FBD3A3997BD00ED2EA8F049205A6E0668DA09E0" + "DAAC49484B0168E6767AD78868347272E6D8C97EEF06AD0A3CB" + 
"9FF91678DEC7385124AAC34817A6DD435A0A88DB8E19A4FC75E" + "8F9EB34376E8C1CC7951623171DB22DB1CC5DF9D3D607E5FB17" + "E450C15A20A748C340A56142289E0B1EC83CE82D7706DDBA124" + "759E895CB7B91522BC46E011B4EB98927D860D09BA48EAF80D1" + "FFDF9CCA026B5360AC8C2F04E9B0C30582611B8E8085B8E986D" + "28C330BCFE80DCF11246D3544F4AE7C655E46654DC5151242CF" + "A7B620C429757B1D527071FEE890C73EABF1BD1630DC5BB4621" + "ED4C5C6FF7F41F4BCED4D31B215DD2BE6A5952BD06DADC42A35" + "5F628616DB922DB19CEC424BFCB893F948F1364AE7BE1F79413" + "A879FA372EFBD59F62FC3879FBA03622CF947D0FD2C02460D1D" + "735E41ECE1A2AB970FA9784DC67F0F7C2A3A0A5460F1B31029F" + "B65D1A9A6809B4F2AE29F3A68CC2C780D0000F0790998C0FEBF" + "AA59A1A56CED99F752684AF6DFCE832901B998156C73E007C77" + "BF401CFDAB4E6BC582B6CD477FCCBB1549C870FD6E62633B90E" + "D103EDB47D749D04C39D2DCAA3DD4793957EFD12D78B73F58D4" + "3087F456833432124E312D499779CDAE6332EE8D884F5719D07" + "786A7C85A9642FEC61B66834F98C25E0A802B3F84DDE862D912" + "7923E3A20E5A20E184984F8661058D53FFAA70C5ABBBCAB51CA" + "8E0F")); + test_hash (&nettle_shake256, /* 165 octets */ + SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), + SHEX("B3CC34C482E9402EA5A209CCAF5D017BC118F61E52BEDEE634F" + "D56C7616E6ADAED42D02F072AB4EE1D8BCCB8038B00FF3072DC" + "D971616FD6A2B0012581638F835E5441842631D12FE303D6E53" + "3D22EAB7CFCB702E4BDA509C832BBB5C24EC62A468CA885AB7E" + "4E3B951C5380A30CB6F132408D31FADDEC570800B8EB58AAED9" + "EBD8A0D6618D439B46F83116715568A5957D2DB94E0C2CDCF98" + "21D86A71A96C622BA5C0F7C214375686E71F4AE74FCF5A75A6D" + "B5F8EB274E6D93B52A2A5110C0B77A1E21E599ED0ABB78A93A5" + "469747A6D1FC4E3E3BAECF8EF33580F00D55CDF9124E2BEEDB8" + "814C8F5D5171CF6596DE35AFCE94CEC25FE5D6877F40DAC4B2D" + 
"2FDAA0E98FC08DB03FDAFC3A4A2A98D0E865C99B766F55349B6" + "88506D7B701BB01BB06F80D6BE98DD374BD84211C61112DD0B9" + "A25EFA21F9804D724154881906A7BF815F206F4AA1175348212" + "C54538BEE673B56582501A659061A157444DCE84C226936E99E" + "51252418498DFEB02F2DC665B8CC4622C0326978FA7A7A8D171" + "D445CEE519A32D81721F99DF529614BF09E4273B24A6809CFAB" + "9A1E81E5280C84ED3CBA6D4B232080BDD034F1895F4010BAEF4" + "62074898949A1CD5892AEF5DCB2B09D46201509847179505980" + "A2846E58DDB22EA9FA0FCBE3AD9DFFAAA42F4FEF4A9DD839149" + "5BA470A2EB80D5992DA78DCC8E893C1BA2C909CF8208A18C31E" + "BACC")); + test_hash (&nettle_shake256, /* 166 octets */ + SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), + SHEX("1A2EB5A7E3266CDADC696D082DBAD5D9F73777F5B95DAD3E9C6" + "A936271F12762FF3E8D1D959ABBAC6933BB19D2A0125AD59477" + "611F9F912F935D662ADE6E1E40412BDE3E00A99C06A4906B908" + "55AF6095DD7E6114EA48DDC1A76F3C8FFFFDE5AC246F5C0F854" + "831EE7B48DF6A32CECEC0E4243A792CE3FCE40BD5AB22838DEC" + "6155C817D272F3AD602F58EF870D0126EA18AFD1F1527931C32" + "1A8D6DA1BF60665D077AD15EF615584A249ECF7D3728C0E9D3F" + "C09BF8D3FBB9D260FA4FF13BBD4DBA6835590D67EABFAFB92CB" + "3B0435F26E7EC265F7E2077446E1580FD1747E871D7AD1E992C" + "1A909E068CA3F8B8A927053CF31EF7E071D5C7B4044F2CF61DD" + "D48E7B7115AE0CC2861DB7E26302DF02CAD460358D06ACB7E2D" + "07615C0F3786BA02000893FEBD088584ACA9FBE9F14F85C8894" + "3671D24E9CD0B8FA46601C2E40D3177EEB500E8AA2931473DC3" + "BC46F71C749C281E02B67D8F0B3D012DE4942B1B3C60A2595E8" + "45CA454028489417842D9A6C4706424C5C0A073BFD080E5F820" + "CCCEE99CC4FD372B0BBC447C5F3F54D87755C0A59C986D98E31" + "6F8F1899821CFAE312B9416A4622786B2910910B86D19692C8A" + "7ED50D63E252A3A5655D6E49AF3082BDBBD07690DC6D4EA42F8" + 
"A7BC57DB816929B9FF8375C4596F57D9359F9FCDF8A3FAB33AE" + "27624265296A093DBCBDEA292450D345B8116B86FC54A0B4B55" + "F12F")); + test_hash (&nettle_shake256, /* 167 octets */ + SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), + SHEX("1E67E9FBB0568660EBA48D1C701D75653D97D9A94E770C355E2" + "F3F6DD9B7C3CDC771FE82EC87BEFE4AAB21BA7C689FACF51593" + "CB278F7A8A4D81B9CE798CC2FBA50145EEB0DE079F016362FDE" + "491620CB0A3C26CB5D5FB09980E783774C8FD2C9D8900EBB103" + "D73F0BAB02D0A8E2827D2471DB29F3D6EE5D9D620D4D13D8925" + "F1933B1C66869BF74EF967204238E095927961ED5925D1A271B" + "9277AB9DD7A30DE1FECD4C6BD9615618BF79850EE7E247121C9" + "28AC9BE6F81D2B41378E984F4BA494180D7E45CB7ABB6DE308D" + "B53804BCF43DACC10AB3A98157285FBAC9B183AA49EC18E98E9" + "B40D12B022F40B213641CB2E18E3303E4C9078DA836466DB8E2" + "E85962E5520E9FF66CF99F96E7699212816124313E5BA6347F9" + "9DA7109940081419B4EED3F4ED2763D655A00EC6D183CA87907" + "4F237BBC49D40D598FF2BD8F47D0D69F2E41397042B4398D4FE" + "449CF553F6096BA25C1A2185A13BCE5545FD0DEFE4D11168BD8" + "1B85CA5B0502233C43B6E863447578EB6F074EE2EEFBBE6C52D" + "0E8B1046F304DE2CAF6484AC24783DD77774F0FAFEBAC731E42" + "9DBACB0D95BE662ED9C71FDD6C0E6595CA063C748ECFF992064" + "41F8E96C96063EF61D741B4D622B6EF6A6D547B738AB27B50FA" + "D2EC5C479EA8069B9D67654C2F12D8232AB8A97C83AF190B8F0" + "9E2B8F62B7DAA334DC8F26A3EA62A999433FBA70A27B9CF7FCB" + "61A2")); + test_hash (&nettle_shake256, /* 168 octets */ + 
SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), + SHEX("7204F8652F37D125BF692544B8BA0C8859BEAE66E4B04ADA568" + "5C6B4C3C1B8A3825B2AD6BCB2F5443B4C28ADF57388FCFF481C" + "A629934CABF872354E4A33942B738CCD4E1941621524E895188" + "D2ACC9EFC69DE7A170BC974C430B9830E25DF96097B3785A2F6" + "B86F39E59574E1D9C2B91EED2231D4D1AEFBD5DCEE3E5FAA424" + "72949D0D19DA8980BFC6276E41DDD600DDF78E82393EEE5A9AE" + "0C87578071D667B886EABBE6757A52AF9826F65E7CA80529825" + "23F61184B5892465B3F82BAE68FE2FEC1577EB935309EDE8041" + "63DEE46EFBF5C93E7A9DC3BA79CD9A866966BA1FC0A721CA4AD" + "17364C3A4033E805616FAA6075672DD6FAE31A67D891646B74D" + "D8AA916E078BA7736A9B00F73DF90B09732A42E38FE3EC9F8FC" + "907A5868CA170C669ABAF99571D14771B91F46C68F57DC6215B" + "94DC0BB03F890BDE02DD41CE5D0F8F48E4FDAEAD1F0A05DA9A4" + "56DA80B82F44EFA53DB9899F42BA31CECD9D7CE6A5DE33B70DD" + "6427D3A9B31C83ADEE1EE073E06EC4238FEE4EA0029876FE6EC" + "A5DE76E4D32B65564EFCAA326AF3519EDA46EB3E443A85E78A8" + "E26D21B158328A56AF40B07AD19734E341A45A5F43D1EC2C9EF" + "FBC7C5DD92ACEF61607F3CFDA8BC72D33C045A6B883972CF4FD" + "1282A0ADE3978D1803EE78BC6F6FD297EC9E3052460483DBF79" + "E6C35AFDBC10FA87D769AE6A4E2849AD112EDDEC1135CDEC2EC" + "FB6C")); + test_hash (&nettle_shake256, /* 169 octets */ + SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), + SHEX("A3D5CFCDCC03334632027FA1B1ADB97C740F9C5D33F0B6D8468" + "B4AA9B37A5EAE697D6DE7717B6F7C3E872DCC4A62682DDD76D8" + 
"7657096D143DEDF97F2B9BA36734B9FF5816E247243B1F32F5C" + "A122AB49647FDA690B83AE0FEE45625B4A2606C8E366CD5031A" + "0C938407CC9421414CE4631477C3D4494570916BB41C60FC05A" + "C125A3E81346759DCA0CEBDD763B61493997B774A582475D226" + "1F6F8500D2C51C70DE11123756EB6B958EE5F20FB4A49429358" + "D743E4B62D76904D23FD5DAC9ECBFF14854BF27DDA819B3F524" + "21329B0576CC399EAC734D73FD9BB8729168E35E2A3490D7BFA" + "A39E53E54340457AEC4C5C8F4C0FEE9339053646E4D74EF1A14" + "06EBA208822B8E66DE410CFCD49A464D9FF545604C26CAA4FE8" + "4B018C69BE18112B5C3D7325481078C712979DC88842E2842DF" + "19F39025D28FDF45A5DD6E8FD2D12BF27D227E79210F6266B86" + "CDC7BC6F81DB57AF57AA252C5BB95A235746B9C869BA7F8C90E" + "0AD3F5DED409947173D071DE216ED1B137846752653CC6CFA3C" + "52A32AD6CA0BCE29A5B12475C049488F0A79ADF5ADC4510E646" + "8E714BBA37C0005A9CFA3DDB24363290A04BAFBBA92BBB2C2E1" + "6CDD9D40707C56F49C05C5276C89BEAC3B239DE284867611CA3" + "DD8250E8C7FDF522E0E84EA47A3A06554DFFF6B7DA13349A5F3" + "6CA447499C45DA4C491DFC113892672B036507FF3A1E7E07B43" + "FB95")); + test_hash (&nettle_shake256, /* 170 octets */ + SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), + SHEX("23397CF5C6041FCA9F1503B12A47F1389C4C35301F1747D574B" + "48DEB270CC2FD79DA5718D0D5ACB78A7F30782617AA2E03B9F4" + "6736620E512A6AA4E55E2B94537A74357E5C1E6216BDA724677" + "BFC4CCAC3E3DCF4AE21D7E56D55ED2EFE6FB50A2222E98139DF" + "C739FC759BE57963D8427D0B5D2093CF5F42347A6D9832E1FEB" + "B4576935FA18E93DDB20E8CEF2F2EBA33C66F1E5741171BB64C" + "49F128A7B0A9F095A35F5A20A996A3F9D7A68AB3B0D0F84E8F4" + "FD43078A80266377D0D7020DE67E18DE20656BD59B86726C99B" + "1DC8FA25B83A1FC8B7C256DDAFCC67540C1287CC377AC10D392" + "88CE00839AF31A1C078B403A863171CC669DD72ABF4D48CC72A" + 
"F222FE939A2D75CD7F195D3BD8CF8069F6557F1FB37BC8F9B67" + "7865E0D23BDD29C9B240CD2993874FBDD5FD3B8CC57B6226C40" + "890057994A2E13129F4613D3ED31EA5804006F5753047F1128F" + "9B8C0A7ABA719A1449B3A2D02ACFA0877E81306179F9AB717AC" + "84819029006D73D48EE55CA13A3D39ED293AD0AFC8EAC8F8D41" + "971242877788EC1286ED35F06330683FE33042A6255835CD54A" + "A07C0166350B851F98F2AD2A06FDA56B180F11B9616BB51ED98" + "A2FED5BC2F9EEF7046A38754B91543EBE97B8375A81B7FE9CE5" + "8DE4DCAFCDF8183541E44CC96F855CAD024C24EA87313DC05EA" + "A1D933D6E238E9B3A0B9628239344E8E81B5341D615B63D881F" + "FE45")); + test_hash (&nettle_shake256, /* 171 octets */ + SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), + SHEX("3753866FC2D045059FA925412D3FF0FD1254724DEC38E00F109" + "6AF36D0A7603903089900F95CF9BCFECEC4CEA14B7D80CB324C" + "56E60569AAD9E0F45D3A726F87E6F18559701EE6AE0E7A8622B" + "45DCC6991A1FF15DE6B78BBCB96F976089F26A38EF190EE0C60" + "9DB54F443F5F1014762F336F62EB5F7CB7B102E99FABD87F36A" + "ED3359EB0DBF739DF4EEC4AAC458546C00D16D412841142ACD2" + "E08CAADBDDE86843ADD14E3D28426295762E564E1F4854E7C61" + "7F48EB6F2FAC79FFA8CDDB09FA09A8DD73EC389285036A52440" + "41DBD60AB71F8FB59EB73629BB4A827A7584B20C12B96FB1F0B" + "950BD3C87117DA69C7EDA0C1645B6C8C81DA8A6397DD821A983" + "DE84390B1CA902F135160DB58F9F7B7AC9D010CE8D6BF713627" + "0FAE0D3994F80612BB12916993AA73F22FAE642784D75E1CB5A" + "CDBCC20A3AB148D6F3F171402391121BB404F8F576EEFC9ACD1" + "903BF9AD2CD4EB1208F143DC84643E52570D406BA31F8DC9F32" + "83B2691F826C4ADBAF431EB2F1DE1E860F9B4C0153C9F002C80" + "9822875F915F7131EF63262ABBD8BF4A5D9D1699D893435C731" + "DE48756C8D03C94D11D1D484DDDBC5C35660B3318468FEFD827" + "78CF907FF52D652BCDF68C20349F64006C640E7A544DEC1FE17" + 
"09056FFD9EA7D41590F84F653AD4F7474D008765BFAEFFBA015" + "DE99D523A56A6C989BA11AFAE097F4D5FA63F04AE0917212E4E" + "AF48")); + test_hash (&nettle_shake256, /* 172 octets */ + SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), + SHEX("2381AA1E335043C1F7360D64C703FCF6190747A616C550F787C" + "33A573B2F9E83DE427AD8EE50610A2FBB07AC92E4F912B3E5C1" + "0001044FA2CC3FF1C2182C672BC03183AF502D6530443D890AF" + "4571611DF65A2FC50879D08E9D664D78D5F81D74957D38726CA" + "EE5451AB88DF8853CC4A034065C532346A4F0D548D65745AB64" + "9683CFE185C649CEEA12D79E0904E2C059549F895DCB1ED12D1" + "CDF00D530D4653B56EF9FCF8D3BCC70FA91397B87F34FF839D3" + "C0DEB053D46FDFF9262219004961AF9D03F50E1016E737605F3" + "5EDED16ED51F4AA8FFE0A253AA21011DC002C5C0E0B1AC706E5" + "3DBFDDCB1B02C0148C3AFA9D69B6CF7A72B1F793EDAC9A99ACC" + "99F988EBEE210EE108093CE8EED146FBD98436299B159760EDF" + "3D07BFEC6A9C1D844E98DD632B1E773D93B9604CB635457E33C" + "063991D2A6D4DD8AA72883FDD742E34ECA12975AFDBFA2EB997" + "609F91CB4BD53CA40BA4793B9849ABD509A2B6C01094400526C" + "493FF33E0F8F1908BBF783E0DFD92105830947338537C9F7B6B" + "2D193CB2923F95CAF113C9248C601EB39147661F7C639FB0528" + "1E0728B916C59D98F36DAEC1F61FAD84E7292B6A5821009FCC3" + "0EE7267969243B36134675F3C8F1F18E9C341AFEB5377426BB0" + "4517D1498FA7A271029936FFBBB4248A786EAB072387B991222" + "017025BB84EB4DC084781F21251CD8D8CCEA15EA2C37C89632B" + "B67E")); + test_hash (&nettle_shake256, /* 173 octets */ + 
SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), + SHEX("325A6883E6918057ACC4D7E6863D245ED59957957AF4E8E59EC" + "6ECA35EB380641BD39550268A68EBAD703A51F9B47DD05CA256" + "81BDC853EF0897CBD4A0DA6BE9E911C26E801DA8F5360140FEA" + "2EE9276747E1AD0879FD741E52A7DC8F0EE3CB199826F9C1D39" + "7E150641E8EC348300BA4F7EA7746ED0E94520577FDD253E04C" + "47223521661A308D1C996A90DF8A9AD18418193D590E75F0F17" + "FE0443B5B130C1AABE9F60E538E6193A19690368A2C17516D7F" + "EBC3DF95DED8445ECC260BA46156C88B5218E582FEE9EBC4F28" + "CC4171936F7C5BEF008D7AD76A70BE3CD3F0701791702A23716" + "0798223EEFBFEED7BC108E9C793CC42F93381BB9D5F97103499" + "BDA63610303A55088FEF10FEE330C4F35D0A4D0F36C1CA06CD0" + "8496DB0D06553BD612848212539DE0D698A530DC287F2FBADDE" + "DBAAEF0195E050E3968850FE8E1C72F8E3F11F24BCAC475593A" + "A28AB2CC69C3FE6F3ED03A38D8B278FD678697A3F6DFED6CD52" + "AFA4E9947CA56D1CDF10ECEF90BA6EF87D9C2765F2777C14323" + "25C464C685557129808CE3B91310C301547B673D498A4105833" + "4562074A3BD3C64FC8B02BEE8EA642B12783ED71E990CA90B95" + "B7020D5458FFAC57BD93F882F3EADD4707C98591CAA667BB0DA" + "EE9880C3549FE9DDF7C9314387A85D308516C64FF98CCE50E25" + "3CDC710927DDA784DEEC547C4442A0818045696F4D4BA4E0D72" + "9D13")); + test_hash (&nettle_shake256, /* 174 octets */ + SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), + SHEX("0E479E6C1C78B597DE67FF30F0BE1D251DC86FF0AB0F4D5C6F6" + 
"4BDEFDCD6A77DAF29B772FCAB3EED9344D32BC3ED616C10F69C" + "F4AB3B34709F3941F3951FCA1A173CA2CD707FA41B8E4586343" + "77596865BEF5CC8A3CF52C0ECDA7CCC0DFD8AA8CE0CD7CC1917" + "A7BB9A3BC9084AFE456E5DC02569B3FA4D9B9DA03B8E4B223F7" + "CF033C1A8BBD6002B3A457C0DE35A222A30A0E86F3EF9C9F255" + "D449CE4EF5AFB51577391574F8271E07EA98820E0308EE56B1E" + "EA91B35058030AB6AFDE356CC83D526BDAE2E55B1AD4E4D8016" + "FEF14247BC7D95C34F06DAB7D9FFD1A9FEF761AE01F8DEE1D46" + "75172C1F0CA15361CBA994EF062596BB767C52A275792F48B19" + "1B1078968C1793A9D274166DB592267E1822585FCB1A9734D4B" + "503F5E1CB0754A7D9F47359CC91E0646C4A2E754A29584363ED" + "4C8C806797FD102D6220DE1814E665409104D32BE7A346D3B12" + "6FCD51F55E5625A6BCAAB74F0E69BA1F75A4D5C4625E2F5AE12" + "4CEC4EA6A702858A3B03CBCB0B014D3D841CD7A87D02C622F96" + "AAF3AAD96A62939602A2AA1F9D88DC555038560217BAAB657EE" + "87367E05345E1612532F9B6D83043DB59837E1F75D82B8149B9" + "3F1105BE13BF51E20F18CECD5DF87067A0716D3F860DE8C998A" + "487C8A197149E7C8AF4B414217B8579C314F698FD6A3B612B2D" + "D67FF6E3471856FD9F66799FCEE14627293EA94D1C32D915CB8" + "1C5C")); + test_hash (&nettle_shake256, /* 175 octets */ + SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), + SHEX("0A5995025C3DD9437884196FF09C0B92B5B0B51B59D0C3C9041" + "AB172A1685DDCB3B0324186F11E2D7DCB6851F888ADE6805249" + "7BD16C4F1D98DC468D833E4AFDD2A9E3DADCFD188C9B1E35BA9" + "FB9549F88C8C7C74352A7B420C1019D2E7CDF02601E5609635E" + "AD96CC57FE29A5AD98B2FFF301B3640BA441CBBED877477C0DC" + "1D6143454456C0EFEA8C4038281E97C02774A7ED709A446941A" + "2819F3372E18BC1A6C119EB24CD16A623CBF91816CF2921D2FC" + "65DEAC91F3E0EF24F97CA518D167F295454AF8208AB25540228" + "A9AB1BFD0ED0C8D09AE579B7116389B9BAA6EE388612F323D1E" + 
"1627D1667F4E524C562B0993A807BAA0E81D02241049A4C0BC8" + "EC95701E9CB045A91C4340D8C3067686347867D4FD94D48C566" + "672DA8C89468D71B488F7D5E1409B3F1AA17B019C57D5A94C01" + "53A887EA366253DAD36E9ECBB20DE67E5F09F4516DAF9376170" + "0BB4E094B88ED56CF935F9D0E5454D2168FE5F5CE0682838386" + "AD55B4C664526B48138EC270BE30135ED84A63FE04CFB99DBCE" + "6B70CBDB32110F954491044970D3AAFB62B5123F2B43F3B8275" + "CD2D1034068864A94A1B63532F31D2E65B9C197E13199F86638" + "808D17DC9E3D914AC6E078CDE60A1EF9DB9F94E56C29F385418" + "AAB5F5D5CC324F0B1E2B9F9CC9259971FC57A2BD18686045E04" + "A3A74C3606B8EDE2E2E49E2B3F01CEB4B4516E695388AE331CE" + "C186")); + test_hash (&nettle_shake256, /* 176 octets */ + SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), + SHEX("9FF0E63D6E1BD2C9B671298EF08FB86024EECF3A41662D465D8" + "011E44C55E4312A2F4680A92984471B885FD730A3C3AAA6329C" + "CC06E9684350543475D8CFE2F18079DAFAB03B9AA1368AAFD26" + "5C5ED3D0D160EF317BF5CA211642F7C86D4C59504C8E6D8EF5D" + "52C7770659C91AE1121EABCE4318D58F2644DF56D18909EC977" + "D75D27D25D291EC706A39A3EB13E49691F6C3188C300B827E3A" + "D1F6F8088318DA476D07666AE4192C08D4AB797E53445239CEA" + "485704F0266C49ACD7ED67D24DA7333AF799B40B301AAD88837" + "03F03869628F8F1513629FF0888656782C23D43D435962A022B" + "D19FD7E4AF8BE40CF34ABDB1D0DBAC698079312CDFD5B01D166" + "E6933DE574914A62472C5B2954740A5A26217E9A67329CF4720" + "5701D8BAF5E660E231E16BB87EFDFCCA4E982F44CAD53B2893A" + "83DFE251ACE8C49B225C3E929221D4FBE452CBBEE2F6E59F786" + "8F876E20AF55F8B1DCB4AD5CCE9F0B8966D51128D08698AD8FB" + "267D3164023985F5F5E48A237F4B638437E074FA4CF83030DA5" + "846E64E03A23ED2EE12EE42646D1075B8F91B861D6DAA8BBDB0" + "7FBD56AC72FE8675031C1CD0622AFFDFC9227F4DCBB642146F8" + 
"7D2930B859181CF5AD7D6AFCC87BB905AD387AC8B8A7DA70CE6" + "26CBE3E13E115572780D38DCE4F3AA6A95641842109B9750AD3" + "FB5F711E1F1363119BEA84B4589D0B7287BB4CD094564DB6325" + "1CFD")); + test_hash (&nettle_shake256, /* 177 octets */ + SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), + SHEX("9EC7D516BB276EE7BE68912E86FCD71EE08EA4BCB5A44B9520E" + "84F7433811160E5A742BF8E444329F4FBE22D72F002F82459DD" + "538D7C26401399B8882463CBCBF2457A7080F8ECC02A05F357B" + "AF6BF8DE31984ABBFF66AD082CB995A180D7455BDFBAFAA83B7" + "4CD95488CD8F5CFCE16EBB2D9F08E54BA341345648D0FC55700" + "2487FE6F0D0418858698CAA9FD4171CCF3880FC0A9E751BFB56" + "6BA907E13BB78A19E7D0CC543F9B7303C74BD957149BC505530" + "B246A8D41638023B83B84BEEC79A91CD21D3982B7E57582780C" + "92BE8CA813218B287C280A42E73DEB3A84F1027010F79EA2CE9" + "D4EE57DE696DD1D4A13F099E4E1CF4BC7CCEAE2C7A454775628" + "D09FDCDC55C6B38F545566682D3546A6F6AA8B57D44EDC36B0C" + "4B9C1B92CC2465B6BC7091EB78CA0030DB7D7E31805AB459040" + "494DF1120307A2DE8315C3CE802491EBB0FF3F83FCF2F99D9F5" + "69D3E3F32F0CAF2D7D6057FFB6183D274919B9D4B4CBEB125C9" + "002A816A83941ABB5120AD9AF40A76398D31B07E464482FAAC7" + "67BFEC63CC221DB2A54860BED4D5E9405821CB176B47838249C" + "689FF1D9990CB3CEC4EF1A0D9280F35E8F23246537313B77F26" + "D517221F0A21E7E6D4D28D88632B44D7F1C381F8E7442A71C0B" + "0473F7BC702326364489A943B6A0CD0A8B868F21D7F26A1AA3B" + "8C7A4C7CEB574FC2B266CD8067D83A53AD469DFFCA9088ECE43" + "9207")); + test_hash (&nettle_shake256, /* 178 octets */ + 
SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), + SHEX("045E2BEF203B8E72121FC29E68F01176B8AD2E0F24352FE555C" + "9F0B70FFB38AAFDDAE1B2FA04C3BC2DABAF4BF3BACDF7658A62" + "3446FD6840536572EFF9393F5AB66C080A68D2341AF34AA2A13" + "B6EB57D8DC6CAACCABAEA593970B4D91A3B861AEE0B6E53F326" + "3DA68DDF75CDE76E5BD94AFB4AC78ABED89788BA89804D6F199" + "7684CFFED40B3761A782E3EC1F1A1FF12F8151E91A935A088D2" + "AA2311C43FD731CEF31503C775781EF5724508B910976DD89EC" + "BFE79B17F1813B01B82B6DCCEAADD6615CFB8D2EEA27EC7377F" + "8911A39E9A15E622F3A91F88333811CDA86007E57EE652797BF" + "9177C898CD8951B8C123B8188BDB2E60D32493F4E94C34B9FF3" + "A00893795AE0028061050E9C03A53AC787787A332DD4C75FECC" + "1B7AC1E6DA30E69A46DC94C87368C2150EEB3717582D5E5851B" + "B5695CCB416E4D8462F0448E0D711B42F1B6FA0DBAD40E96C6B" + "69E67BB1907B460DC319B8F01591867C73655F8A28F594EA245" + "8E163EF0D562B36580AABC8E9FCCE61D09CD83BC4DEC826C8F7" + "DBD76028588BC905777AB6B5A5DBE81665971B23C94DBAE8B51" + "3AFD7DF0B6C83469ACD22CBEF596359BA0203C6F320983A5527" + "4812B49E7663A6F48B420748AB10062EBCA4DCE4440D1EF9B72" + "BF4E121B76075D209EB82DE30C074CFFF86CC28E464A6959691" + "C66DB995C279BF50CE2ABECB94CBC850A33315E4ECF650FFC27" + "1DAD")); + test_hash (&nettle_shake256, /* 179 octets */ + SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), + SHEX("7FD29D970989B8F0DAD5286CD8CE7F5E793B80EF8F62506F75A" + 
"119FB3ACB39D726CDBE6F4914F8A5930D30A0AC1E36E285AED4" + "90CD30FE63A2713AB0DD473A7A764A19A70BBD9AD5BCB2B2A0A" + "D63A84FAD80466D1C9F513D4336E3D6C7F93645C3FA30AC5A54" + "B46205322265D3EDBE4C8C58B5D8AEA1856D2FA81C81E12F27E" + "ADE6958F014ED3FA3C844A65321EAF484A2E7543D362627F2CB" + "C4A83415FA3CA616B9CD7EA8CD1724F426C0161AE41CE8175F0" + "598FE4AAE91A3F12D6C8659B063FF5C64FED548C206329F0C5D" + "A4AEFBAD704D16A1B67A38D807E64F03A3A9DAE4B464C78462B" + "842B0DAE0036EB466AC7CBDA234F2DE626D14764F6F49A8AFEB" + "062402CC9DBA983268333225A6678D2FD9E506ECE66135E6AFE" + "7A9DC3A16295F71440ED04E8E391EDC134E91C1699F0D31F81F" + "CA6105F485566C13A93A2DB218DBE8D64F4B2E242462A67FE3A" + "98A785BF276E510ADA824E88C5ADBD9889EF2857D5347544E43" + "1603E717EC7A7D17C98A7C326C0A4A83955C7EE31379B241C2F" + "2ABE038B2357D3A9D940D875F2A5634CB47255DC92FF11AB7DA" + "C4D675E13134C24FF7B058C2F99C985840287CB3009B6CC3D75" + "AA5E79C29C68DFFD9D95E37592B6036A4CEEC5E34EEC8DE7EBC" + "A4B80F0E103CF07D46E73734C831C0CC2B6E31C14F304D88D77" + "D433699FFEA902058F8F4ED0FC7AFBC4874CD6786E6D82A9689" + "3A68")); + test_hash (&nettle_shake256, /* 180 octets */ + SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), + SHEX("EFA2939B59DC8F3527C78E384B1CF12C7E184687A0C3A1FD9FF" + "B9797D72F13DF8E199B2916A6BA82FD7A914703687EE707C6F8" + "7845442DECA59F08E1D5DEF48BCC43BB1A64744D4DD020C8666" + "27AE212E5FF4EF9F63C14D2D1CFBB404E03573F9D110001ABD1" + "56754EF41A4C48E664E31B5922A27BBA26D2B3AC79F57720A41" + "90AE55A5634AF6E43CDFB87450EE8CC690749A45367250A44B0" + "7E54FC1CA8EC1CACCC979751544568F0117AEBBE6F5415A3524" + "4A9255FB023E7C30B013D6C47DE992141929F25B3A43DA91CF8" + 
"853EC88BA42DA3B17CF27351785BB16849E6BA680745F0294A8" + "5601D5A08CC924BB962CD8B67EE0667AF1E118E2E5144169DA0" + "FBF03C974ECB202FFC473315185723B57521737CDFBCE99DDB8" + "1F88D81C71C5F02AC5DB801437D46DAF31BB9308074A21DA98F" + "6899F6280E449C1B55CEB3E04522D038307AABE964B720AB331" + "A172A53CCEF174A82F046F42820D11947D1B316EDF390C86EAB" + "E22408E0008F396A0E7F3D51B9988CD2FFBC49869FE0EC03A33" + "8A1A8E0A663246A37DEA111DE5249196114996102223D628AB7" + "0FB7F53B842B60F375DD6779D9426AEBAEE547662B6962E3610" + "09C83CDCEF6D8BC6311CC1760E784CB3CF6241257EBE14FD955" + "0EC8316D95508390909BCD23EF9F78CDCB485E4C403671E5F20" + "E7EAF4E0C06344D54E157791FC1B581AAC0C4EF947ACCB642E7" + "8CFB")); + test_hash (&nettle_shake256, /* 181 octets */ + SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), + SHEX("97922E827163B8869D9A7654AE4532EA26F9895625152012F14" + "7BE1E818DF802689D96B469C8B0E9010D0423DA90AB6EED2C83" + "5A01CA4C386C630A22D885B511F12799EACEA96D157A4432A32" + "0F3EC1CBBB6B8EFEDE3E92D99B1E79389B93AF7ACB27D7DC97C" + "F88485DE6C85400A2DD88ACA540B3C921180002847B34A45446" + "5D014F4742815EC64F5FBFED6229294BA5EA89211E35327CDBA" + "C7CE85565EB8F23C4154AFEC0DEE188E9D854ED56BCA174E14F" + "EFCD0ED039B8DDAC3A3242CEB72D9116482F8B750A126505397" + "ED261D7CDFE88F8E2F4E4A80628D66A7676E28D4E68C3E97A47" + "C3844FB06692E5F4664B8A583A1836ADA9AEC095D011F12B3AD" + "6688B0039B1B74D016F1BD477C932DDC1944B5F301F4D5690E2" + "12E45D26908BA09C52D6CA22098B7A080B0056F0CB891411D0B" + "041CEA27030A2F9066AAF58CA5357344DD9AEA0B0D80932E98E" + "205EE315312D19413240B2EC4B854C21BC2DC16040718D25095" + "15BD45B6557083677C1882D48F687EA0EA86B05CC3F5E330DD4" + 
"BCC17E5B4F2CC4F2C64773EDF3045FA48C53081929ECF31E84A" + "905586D3AFB3120031FF75ABD8CDAD7CEE66386A7A718A90B98" + "EE970864A167FA48BB7A3F78ADCC2105E0FEB27414B1B6C59C7" + "BE5F7509E55D561C32523FC8C1C12628EE642D9A69F7D300B49" + "A5B6551B487655B21FDC690F865196A35F138BB8E69571280FE" + "F496")); + test_hash (&nettle_shake256, /* 182 octets */ + SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), + SHEX("289C52C39044BCE5CE8D320E2AC43DDF8DBB4A5E6698D536E30" + "4424CDDC251F7B181F58AD4948360972835CFA265E9B658F6F7" + "D4B7BD92D68E75F0DA84F47C969C7F12CF5170117B7EEED8B77" + "E3AEF06E52ADBF8F0EE6AD01DE3EC5E726BAE631A68F6FF364B" + "AA1754D928386496010F0EE59390E041CC0A6EB8F3864087BF7" + "BA5A57A116808BD496632081400B89CCB2A8A8EC795BF07C609" + "51B46815E6BA72DB555B9CC03CAAC4BB8D60BAD5EC6C5E48D66" + "F4C5B2D1669115E0F0BC80106EF06D48BA29E2899C0EF4D5C5F" + "4E29CB29C8F578A824CD462A4018E889B67DA31A90BC58178D9" + "04C43296E4D3F4977F0CC1009FE51F37B2F8979C97DACC92C8D" + "0E0FC45A004928F96260FE2A6F27DA15307AF55EFFBAC4814C9" + "F4446253064897FA1E1747FE65E4C406A3879F8E2EBE5CFDE37" + "65F2D7A2065A6E0D38B6B6A5F9FC3EC3CB1B35D33386EA75EDC" + "E250D5917A17A6CB9D1517684472FCDF27D61BD03F4BB43C3A6" + "359286E73B67D1A618A75EFC9AE2212BB507DD1BCB12D0B11FE" + "2030BAC84DEC40D04324C8354C3F3C6ED79D7257B8A189C565A" + "41F72AE3585A9BD91C9FD43184814BD64F7303607CD02B6613B" + "E736BD13B3AA8C668F91F398A8F5AA6BF8EF4D9058637FAA3F0" + "F0710ED60C2FA0F6DCE8EF0675EFA719EB03FEA27ABDE60C5B3" + "81EF4026FCEF49AC245483DA8B9B50DADCC310CD15C61E7A0AE" + "AA6F")); + test_hash (&nettle_shake256, /* 183 octets */ + 
SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), + SHEX("03E492E2E4C353A74245745981AEE10CB10ECD72015FC37621D" + "2E07411AAB55DAAEAE78EC376CB20F268FE40392876A29B4163" + "C3F1732FB58FBE26379F88C4388513C9E65DFB7A4B76DBA139B" + "28673EA6691096EC526DE0084FBC516360B07ADC853A690264E" + "C8C6E7F200D71B593FAAE6723C0A08B7CAC263D7F7DC5376B51" + "A2C7C640359721FA93A950A7A1F07F366B0FCD5C79471EE237D" + "11936B763840173710FB8CFE41DA287F61D13FBB174B451F30D" + "A1A1FB0F02C2B34689A725B1F86A96247E6F48897E524E84D91" + "BCC9F08DEAF189EFA84AF2A32DA7480ADA982E579A832FC3CB1" + "FED55E8D0D4AA710EA5B0B779CF0667ECBE9F5827FD0ADF6FA6" + "D98DEFDC0A3F3E84D5AE28D676CE703E1F060E4BAE4C0D931F8" + "4A76C2777D71B02F0DFD3DD00604C6EBB32642A9EBE9D34601F" + "B78AE60145E32B6AD2A362BFF609CB2EFCDC66781B5AE2976F0" + "249FDA97DCC06A8F7CEBDB32A2849B61142A7E55CD15FF51A82" + "1D233B3C35D9F69D47ABB6D2B55169AEA211A67475FD48D39B6" + "863EF6E4ADAE89530B0A84F6D6AA9B0475289C084AE2E607878" + "5289E03C6440DBEE352B9D39D11C9300730E4D224FE008696B8" + "F27F6A9261C30C577B48401B2E90ED5830BD38C13416D19F9B6" + "EC96F235F7A0571961F18C0F3A977740E9F5CC9CE62F695F9A9" + "F797A33A2FB247A62BC635449E4FFEB2F24298BDB152E777226" + "0F9E")); + test_hash (&nettle_shake256, /* 184 octets */ + SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), + 
SHEX("6C937D60095B762B69A69116DDE17251B6FC76117D2173E0702" + "408BFD8A215A057F25D720FAB9410BF39EC033D68CC87572C7F" + "C8B3C920C720C0A34FF468711F32753E8E6813D9D8ABC30AC3A" + "5EA3F6509A22E01A389399FA09052465316BE70501B70CEBC21" + "B5CE57FD935F7A265FB101232E95289E4234B43AC0BB45BFB8A" + "29489E7C3410F4A64028CA7BDEB97B327193A30FCC54F1A9835" + "E5BF497E0BBDE269E3F01BAD497AC3E09425B7E4D5D5A345B9C" + "DC256683C3D73722B6B33F525DFDF21106574ED3A1B38990C0A" + "18AEAA51621C6D603D58AAE2B1D89F57E802E66F8A7122BF4C4" + "C1DF38FF9B147BBD4D084E119298C9C4AF1BC6390AAC20BD1DB" + "5E68EAA7361601A40119A51EF26E2328F6CD52874E6F24B3460" + "A7D531DBC5DE94B0D62C35C6F56D4E8984B20BE06A248E59754" + "3E29C314D67DB0B112E158321E6BC9494E14C9E33705E678AF9" + "A6DC44BB567146E6D03AE590CF76C76398A4D5BFB9F0F12CB70" + "7EC79BB52B5488DBCF1A19623C9777F30F153C3E71E5F9A4841" + "E1F53E88421947903C9DBB58CDF75CAD297755B704E6919F25E" + "BF43520CEF6D71FD41AAD277AAB2BBC86B997B6A35C4C1A8B8C" + "04E6C7741E88CE198A650841997287E53CF24A2FD939F1AEF79" + "AC90DC787789AE0B344B658BF493F6DA6EF59112EF76FD39A8E" + "0CF7973E002FC7AC455CC4FD98C0030C7C76178D1EDD1AB12E3" + "493E")); + test_hash (&nettle_shake256, /* 185 octets */ + SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), + SHEX("176C854006AC910006248F1CEFFCF0BCA14015B7939B0065E59" + "A838F213B9ED46C68A377AC3110DD08AE358D4C3C926D262A49" + "06C196822D2D2031990D1F02B472B635EBD7B48AD7469671EA8" + "5683328A949C4B01E9AFDD0E780EC10F2A6EECD0524B77E6C98" + "93416EB73C53286CD52DCE11550E96B70154F0A06521195B7BF" + "6B260AD67D85FD2D3BA79D96B3C84D2EAF96350342FB33CBF5E" + "4DC12D7F7B6C5AA0F82AE2864A38026B6392DEB539637D323C5" + 
"A246EBB7A87EC7048DFCEC1DCA98D3239FF560598AC31D0E722" + "9EE0A36BD7500B991BADC5F7275BD650DE740DAE8421E1A7230" + "13C9E52AF448E21919EC70FCF5D4C5FD888B96676E65B6C52D2" + "353FE5D3D1423A73410234A2FF632CB09E922656FC233BE050F" + "BAB499D3B0864439F79B56DF983CC67FC460B027AD14B8E112F" + "898771545061DDF52652DD14AA034137764DEE5F896E3FCCA26" + "F70B63B37CD8D8DF7106876F4EAECF211875D4A3392E09B8E42" + "19326BA939DF7500183C3F039D1586D00BD36FBB97835FC4C73" + "845DAB9639A0231C27E3C3815B4478780CD646F1157BBDA4725" + "77FAA829F8B13E2C8DA1F7685719F8B979E895996DD05D1BC5F" + "0ED8F8F302E38E44A0F5174FCEB3253EE9CEA73315A1DD655E9" + "A6BB59A3B67F5F15F41A8E483D8C98733916638D5E8EFBEA8C5" + "BBA2000D2DDF330EAF3DB1E9A6072E5BBFDD5FD201F8A13800E" + "7719")); + test_hash (&nettle_shake256, /* 186 octets */ + SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), + SHEX("F59CA6ABC514DF7EE5AF9B918A5355CAE65ADDCA95C80866EDE" + "16594F5147DED549BB9187E4F51535D3EEFC20F59703E1EF74B" + "86ADC45F8DE3265207B5A3B4223C3B70E9A9B24F08C2B1F15F8" + "58763381C89F2AB14AEC657E7E4CCADB9EAE9348B26450E9CAB" + "F9B54A56893796B2D4C04AA2B3B741D6F85E9A8CB6FBB0DD91F" + "FB91E9B179D5692F9C689C4315ACE33C2E7934D49183A5305B8" + "F50051242D73A225C557D787BAC8894D5987C8B4C91502C295F" + "DEBB492285561286262DA7A78A87F068E07B4CBF82344E6FBA3" + "C8B70A7CAE9023BB004C18A446DF8432C895A531DCAAB8D910C" + "5623651A362C4E2034A314F00154A421DA604CBAAB56B40F9F3" + "242E8F61CC9A9AB4C91304588AF9805180C8ADBFCD727C20D38" + "F2DFDC24CC1A84FFFF83CDE8F94359AC5D1848D3385B419EAFA" + "F09EF0317F99409F732EBAF75A7FCC74A4F0B7D038626078C8A" + "775B1EE75591C6CF99EE2754EEEEA7DC9FB382F25F55D030293" + 
"D53ED2F9D9DDAECB41172387FB19731639B37E3A26AF58B033E" + "850880FFCA4EBACB945F7D445983042FD3EBF4F70DC2BF0E95A" + "7CA9DA3C8F094BC937568A03486EBC127ABF44D150AC6DC0B70" + "80A41884102172D6E6B6D819AB088CA55287D6912018B5D7F4C" + "0C2A6973E532B40F9D0402C1525B2E7E11A948A5C833EFD7788" + "B3CDA4501DD7884AEACD53B503313500C3D4ADAFFFFC69A2EAA" + "EEDC")); + test_hash (&nettle_shake256, /* 187 octets */ + SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), + SHEX("A8C3DD2CB2C0B8CD01C2550A1C20308B3A4280AAF80447484DC" + "DFC69B5C2C2FBA310272E606D1CFB61D078E2D860F1A056A3E0" + "86AF9D7485611D64D1CE5F850B91920E778010A23390033DC15" + "E372AF077611C9B5A945981CD27801C9B701D892143DA0F882C" + "5D8F7F06B72B7107FBD22A4D890D1B00857FDE7E9B188088CCC" + "9A67BC12B0A496F3FAC72789E7E52ED7CBF36BC7B846F0B4D3A" + "221A8297A4BE76A1658A1547B32F534FD13C466BF1803C13005" + "93F8C53CB5530632DABC03ACB369D7E87CDD61EA7DB6D5980C6" + "8F00AD5D28F50B5B499A373DAE132811C5DAFBBEDCA231E7461" + "0271BCD0E733A59D5ED6A6EE77AB4EE0D64CB00AC7EC586AD30" + "F1F3BF5066268519209A9EE408B0DBB1E6E7CAFB63BCA7742A5" + "A7C78D7933B30CDCE0F8B502E3666FBA0C2CAAB6CB0826641A7" + "4C02E5F9DF0616C001273487487C2EB693E8818A281CB58D10E" + "0F911FA8EDA5DEF3CEA2136197E79A17F58E56C4262F3BDDD87" + "D9BD40AA21762C43F7091659693D2BF5D8BC03632EAD0C680B6" + "EBE53EADFED63727143FE47684188ADA6391EFEDB6A59770DA4" + "06B00905C124680B3B23D54C0255967C3BA8722DDF064F10F32" + "53972C0A4FF5B1BA17F8B9247E2D81FA1E4F7E3BD064E71A3F4" + "F18858D040027B45CBFBAE7CC6F04C125B867CCF3513C40F008" + "C2C961020B597F864BFF2347B8ECDCBF4AE460B1915A5A5EB98" + "AD31")); + test_hash (&nettle_shake256, /* 188 octets */ + 
SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), + SHEX("066F28311FEED21D06D61EEF566DEEC1F88E8D99DA9F6AE33E5" + "0321FBF7C1C458DB1E0C85C2685E806C583336F5620F44FF355" + "96A725D37B1A7F149B30EEE6EDF2C46EE8F7FF1B51D5ABBC09E" + "AD9AEF74188FBA0EFEB82DF86C304BF505FB02FF05B1797A7EB" + "3549EB9E74BF685B15FE615BC7FAB569A2E8EAC5136F97E3939" + "7E091F97D7C11D8E6B6390961C0A1A08D2A75D00CB679C87087" + "9C24A4AD0FB4EEF187E60297668634F06B7F2D98B85CDCEEC84" + "2DB321CC7B7823D8F332FF5AB7C44D9F862B61D3423ACA66392" + "9EEA2B47C9C78F890D50A4FD04079D4F77A9B303FBCA8A852D5" + "CBE0B09DF7DCD2178C8450370F60CE76AFECCFD3B4B346C7963" + "1439D879109357FAB4ADE37832D42D70B6390176FD864251FC6" + "5B695DB788F535B76077E3F69B1B2BB2BD26BBC0D1273109F71" + "199A58053A8AB6D33C9A75B8C7D4423A330D03C5BF6A2B2CE43" + "F27536AAC58D9D7CA8397BAE7C6C96D7279C19ACE6F7487412C" + "7370992FAFCE97342E145795D7CD22F2135D627F5BD528FA351" + "1B3EFCAA28ADA12B8F229BB594E802615A213D21CFDA091B736" + "DAA0B18D9E77E9AD98441F23926F6C06DECA62BB91F6430352E" + "857AA1488B82820F3624BE30E7ABD2785E8E9D6A3CBA0A926AE" + "425253E1417AD70F80C1CFE49C730E1B287EF47FE65255AAEF1" + "408C66F622CD1B6484FEC1675F1A74AFCC349EF4746B4468DAB" + "F577")); + test_hash (&nettle_shake256, /* 189 octets */ + SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), + 
SHEX("DC2A3560C3644C4ED659240CC9B275B7163F5C88B28839FA74F" + "CA4A055B265E8E8DE186EC35097511D12F125B9EDAC4665EFE2" + "E41DEFFFD4FECA65386D9A5B06DDE6B1AD1F70772ECC871C445" + "29D413C603D7D8BF2CFDDC72C11D3B9684CDF4696EBEE1A88F9" + "39A997802AEE46BBE7ABE0915C4DF68C43EB06A1412C690EDEF" + "8FD21F94D16EC47D42168C30B8A3C2A87E348352200040CEC76" + "97835DD66A8E0596DB943ACD2BA8424A7D031C5AD0322C913AA" + "9B11C4C1E09ACCF8B941FDA2CEFFAC3F38BD43FEB3E67D002E8" + "D45D9C091D287A5F6C4B70A58129867C46FF1E98D402202C27E" + "088DA5063157E0BE4A7C82638EB623947A59D15B1FBC965A734" + "49711FEEEF521B61C4F94B7AFB015185BC7C696200F10C2657E" + "233F643C0B20A72EE57E7E17EC806B0B4A128F9F0F6BAF129CC" + "D82B19FCC72F62FA10456CBE37317BDE49BA0EE9FD83559E322" + "04387CBB5D26064127448D2F2702CB37C3CA5B49989C7B90385" + "4907E1A748FD9E589A01EEDA6FB374178CE57C6027334399A78" + "96C91FBA3F8C2EC917F2FDE3942D60FD37BEFDA64909A34F5D8" + "BDEEEC6DEDAD93894E9C6A894637B8193895973C5DD8424326B" + "592723C06583F683281AA90C3FB3A754AC8AEF614DC30DC608A" + "D26EAAB42B4899137F4D42E4142F93706F88C8C98BB6B15E099" + "2834785A27FFCC9FC2037A3A3B4B3C262ADE59E3A6718C79A8C" + "0C82")); + test_hash (&nettle_shake256, /* 190 octets */ + SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), + SHEX("5D5AE597772925F37C5D78176E15392BD53FB65B2925BF589DD" + "F97D92EE412F2847ACE1B5A4A22515C910A0A7479AD4CFF5948" + "C4A736EF021F062850383EA778389BF5F33C5357CE1D11D11DE" + "27BDD076720692737E5887B0FC6B8FA46F2675650072848E26D" + "94D596B921280649389A9C1621037AE9D91D460BDA8FEBDA762" + "7C181F8EBB77F43DE66F9D64EF1D7CB66622E13FACEEBC7AB34" + "6C0C71A1FAA0DF2659D980AE4ACF04317379B81DBF8E9206F66" + 
"7EBCD2A8D736766D2FC64EA442A4BA0E331E7D3EC0AB1618BD9" + "0A9B97A4AB6556EB09DA3C551AC3F2714BE4CB094AC454F0DEB" + "D1964ECF15118F677464C60108A87E8895046269DB21168E35E" + "C4DFF11487E93B49A8FAEE8EE6C3FF05394D1D0C9030123CBFB" + "9576C9015C30F9DA04331C995101F4589D27CE664D2D6928C80" + "3EE6ED655B661F286F12499427B0B3D4C19A870CC6065528D0D" + "482FAE121766275ACD12731B127C454D17BBD32F779BDFD59D2" + "221CC923764A023D48A109F259C2C4D9213E35411A7E4F03C18" + "78E576F9AF4B84A983F64ED1255EE7CA9A4696762701950C97F" + "374F207ACF4023C0E42651C650C330EBA2A7773AF833A9A7B1C" + "9360BEC7FD788DB63AF83B699E1BAC014A86AE976F15809E4DF" + "C8EB8225DE57C97CCCD0683ED0BEB67B752A6BD5EF128D9BC6A" + "D343B04AEAE8C76D7A24E3025D436ECD9F03432991A19D1B164" + "2AF5")); + test_hash (&nettle_shake256, /* 191 octets */ + SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), + SHEX("B34E968BDD16E68C71ED69202A38C554F8362FA382F1DECCF89" + "536B0D2FFA7CF8725CEC1D2D7AF57665496B643E8206566F8CB" + "E4CBC42DB65481750319BBF37D9DEF13D050B2DAC53E163AC36" + "5E81AAE03BDB40B67D0786EDEFC2B339FEE7176DEDC90C92B16" + "A726E61A3E4AB5B29741869A4E8FF254D335C62053EE9FCB5BA" + "D309B11B916EDE9BA5D1594B0ABBCF73A7A231B4104037D10C3" + "2433F99DC35A356088F90298BB9BD150FC8252017BECF06111D" + "AEEAC705BCCF25E8098995A8F7EFCBB10FD2C443223325FAC91" + "72BE8B5FEF5FBCCC8D9361DEB61B361FBEA3D5CF13F4731E8AD" + "4F567BBEF2655A79213193131020123E5FADC2782E8224208EB" + "98C736FA9AF25EA3D00CAFDA04EB8F0544B58B29DA5D438A969" + "14CA1D47F2A729128F60E56F5634A73133C1A0435A40FB7FF6F" + "88105BA307B4B6479D0DCBB80A5F1A71954EE049E99B944E41E" + "E89DE4B78A78786660A1516A3BF64779DF724BD82045245413C" + 
"D82890340D29D07879C000934FBE4B4FEDA2EB4CD795C528E83" + "BA11A92C9476E3273DD5D4553798489B8FFE76104EF154FECE0" + "5E4BE9775256F278DEB61552266745FC21DFD699DB5A34F4DAE" + "4FB3E23146DB6767561F15EA776B67240C92C695EC83EE10978" + "FCDAB7A57C692861F15E5E6AE0E3DC2C58489445DEF81F884A5" + "0DF8E78CE67C23967B27B419F36B905DC2D9EF1D27BFC94B456" + "836A")); + test_hash (&nettle_shake256, /* 192 octets */ + SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), + SHEX("2D48CAA033F0273CEE712401A35D143C7E91216139682A77CA7" + "75F08BA77620DD02EA885667355740363D95DA3CEFD3E9F8D05" + "75A41213C1E7F2A6C4B7212DD617C9B0A41D48674B6A19C63C1" + "AB3F2CE7F1A0FA694CA8401A0121077F281CD5D6A5424AC1D3A" + "11AA97F88783722E68ABDD3684907F63EE045D7F3E10545F33B" + "84C30200DE3B135B4BE5033B854084E5912F17B14F2AC16D027" + "FD02FCFF1AE096C983F0F4FCE7D6B641D2280DFB90D8A066D8C" + "F53E2A5A1620DC50008CA375743C416C379FDC5AED3DE23244D" + "E23AADC33BFD9609702DA4776881A1F588EE1FD98602FB831C8" + "D857CB73DA50C99ACB34DC79D0F32FABE25FEFB54DBD494014A" + "24EC55B4D4ECEF9D4B7A98A8BDE06E324E6B2BDBE7BEEE6A45E" + "4FE8948D331561090B737CE14D302C9CB1D7EE3E78D0B7CDA6F" + "D12CF038F8B92E35F7BD6E1664A5F4F75EE569F67C41A434330" + "DFC06F8C6C7156208A11BD6708B22F3115E5D4D99F54451D967" + "BB7935FC937AB2EE21C3DA93B1A3DF94DDD600D6AE8F43A35F8" + "5794E3BDABD82D4ECC923B0BC91EA85C3A2599F492495E8AAE9" + "70E1605FB642B6B93E3947B45D78ED6A563FA9D10CDFF934C61" + "D78B46AEB754CFFECF00AED06839365D1A4B7D9CC5852A4F755" + "F01723C8E3961C92F320A43EC23D8292C4F44336E78424A4E65" + "0D74BC47EC05EA8D692560206B9DC2310C893598370E5DF5D93" + "ACB6")); + test_hash (&nettle_shake256, /* 193 octets */ + 
SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), + SHEX("6F7549D58E91D97F0C1243C519EB6AD2CD72AE27E3C5DA2C6B9" + "2407823D1275210ED93B95692880015BBC14E72892A36D4D492" + "4A48DBDD2E774ED36B739F587D200D9A789FF56542061AB4DE0" + "06B08749C31BAC057DDAFA581C6F756BC3FF23BBC43C1048BD2" + "848204588C89E6C3199EC38DC9F4BB10BCEC5A5D236AB28113E" + "4E43D529DE8424F118CB14A5FB02BA721BA4650CFFA35663820" + "148E00A2A8C0B8F4C20DBBE20C146E4B5294A17C99C2DF7EA62" + "F9107ACD5FEEB01ECDC064F2911A466BC1024B1AFE10F3DD784" + "3BDEB8682339A95F7A0E615A216C89AE7E8A688926884F82BC2" + "A487CB2695C658DB670EC286E63AFB5B244950497BE33081CCA" + "0FD14A4958AE4EC94B642E3A9BFECA9481FEEDCEE34B6C13F30" + "1CFAF882105C14F20679B5E7E4263C29397F62B094490BDE56C" + "BB1CFFEC550819E0ADD12DA85935AF2A9C08537ED3034D39933" + "B80471D98B1562BA12C9B98A462093E79D247BFE4EE59CDF9F6" + "533DAE9C2ABB66437B90D845B16C5318D0D12EC5CE30AA63B8A" + "754CA93F04A3E3013A197A34DD8AF463A7AAE48D51C7EEEDC45" + "B5BD4F9E5BE06D47C7991956E7BD828DEE21A4C4A69C3BCBEB9" + "14FB93832BE8A986A077FC3A990301532CEDB59CC03A0EFBE5F" + "F88413F0DB07481D134B77200E05341C21C43A7FC0EF20F254A" + "4438F9F49C28136EB7FF5D64E8812D4137CB3410B2482D3289A" + "CC07")); + test_hash (&nettle_shake256, /* 194 octets */ + SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), + 
SHEX("2D534DC9501C6B18F9662128E227E3C7D8BC7F6773945B8CA65" + "3BF93F9B07BFBAD84F195CCFEAF35FFE97E1109212DDAF5701B" + "F2F81A72B51A66FC1590534823172927BC3EA342A96DF9B0CF5" + "952690804C37814BAD3A41849D71AACE71304183A4477D31365" + "4C731CB0A9AF39CAC8A8E4B6883AF7C4F94720A5919C2371C1A" + "E472724F7062E47754066976B583CDFF98CB41796664C9B0C76" + "3C4530FB62DC22AE7B3C6B4DB593942F6144DA79AAC3F3CD53F" + "90B7B634CAB679ED27341C83A3F9DE8763A0D083C4EA4EB3B8C" + "189967E6970178CE26A3F2D43D1A62E4D26D61636257DB145A8" + "9EEEFB8C38AA9D69F0630B99B4FFAF9395A6AED9C63E78A7F8C" + "EAF4884E4663E7C9E39F737703F5D1C73B2E846FA5AF03528C7" + "F1D1378C9AC7CE02599278455FA6E1B7BEDF453ECD680A89A8C" + "77FB727A688AC573A5ECB545218F5DDAB304DFB786219451467" + "4A52F2F0EB2151BD936974FB5B677F621FF9E92A10C76E3B6A3" + "4E4279BF2E395743EC8FEEE4F4BB1D951AF744F9BB923A13C1D" + "6F159F96B90D0371B135A8F64351DC8C9DFC0AF38098D3A8583" + "DDA8978103B25495BFAB2B144E4D82774C06C4CCEBE085A5B90" + "2DC391B60035F4EA929DE8A56DB1EFECFB928BE97C23E6DACC7" + "9EF2C05D5C08F2CB3ECA5CF7626F13A95F29239AC8F457DCE85" + "815BA83F099B1DCE79A32C6E04280B8CEFE8EC213E2375553D2" + "214D")); + test_hash (&nettle_shake256, /* 195 octets */ + SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), + SHEX("4D0E55472FAEDA7E9F092EC4A561E835E261935BA5E6D115E9D" + "4C4021725E7831C5B7F102F2D1494B019FFE9BF5525822C4978" + "83F0E5194B0B0989DBDAC834CBFCFDD31294DAE5752ADB56C23" + "D45668F370963219D3A9BE504D8E93721242DB7D4D1CCD22F84" + "687E3945E2037BA24670649913712FE6B5D99BB6C8492C3B853" + "E481CA9C32B3E601D31C60D6B5F43A240B0711FDFCFC0AAC6A6" + "E5F881B2AE1123F7568663D8415DB5ECB3000AAB268256888DD" + 
"47C0FBB5C95AAA9450947244EE4CBCFABD76326D2D079C9F1BC" + "4F3D43AE1D01028FC1705F74CD16132C79D3A43539D2A842DF2" + "B69243CD37491CDAB57AC7E4E00350F8C08737B6CCB8A7C48DD" + "50365A85C07A525C15AF65EC3B2AC1C73AA6B3433483D5EC77E" + "D832B73A30C672E9DBF0778DBC20BA5A3513EC93B4165A60E68" + "717AAABED5041D9EE445611EBDDC8597FDA3BA05245228D7C56" + "7BE1CE5D2BA75A256361E8259F43F3402E09B96A14014389B8C" + "E19461A6512A4DD7F866E73ED26B1C454E014F901DD313D5E72" + "14CE7A62C476DD28E4152EEEE89F309161C8F494F0BEE613B72" + "696F496BB41659A3804683729B40682DE5D0F17AFC0FA9C27B2" + "C96B55A05C536D283957783BB93C8F3E021A30D6051C9839DC4" + "8A70C127611449823B06F0DD460CA1DD990AEBCF3FCA9732D01" + "2E9650907BFC44729DF2827AE4055FCCA246ED3D75DC3B69DDB" + "3666")); + test_hash (&nettle_shake256, /* 196 octets */ + SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), + SHEX("C7EAAAE0CA10AA1CB0225920A8F2288EEC0E5889ABEB096A983" + "10782D918AF4CB8C0A41384D8E0C408950EEA95DE8CA6EB87F5" + "E86780FB91293C5D14A798DAD9B77EA8A5B50E17C19EF37ACC5" + "166A74A1B37712290CFCF98AE6349DBD4842D8ABEC6735ECD39" + "2D59591824963D403B2804135BD46D17E26D5C498FD7111BF27" + "82F758802A20AE6A169AA65CB0D6640396E982E30126C37F68E" + "19CAE5FF9AE3743E38F902D306D8FEC8042DD914003F960625E" + "8F2104C369CEC0CB8D3847C28D050802EEB53C5AF08D70EC029" + "79019700E182B7127661DF869807C16F309EB08F376C5C30B01" + "89F1B4B32423BE060402C1EC9B1E7AF2432FAFC09E4EFF7DC6F" + "55A52108C5599BBD5A07F433B3EB4D439D43EA79407FA711132" + "CA9A5E2F528E18821F38B894F624EE42400832F8C85AAAD0FEA" + "54261E2B55647D9FF5F31AC212E7C38CC96689C72A4F543A256" + "7D8EA79913727DAC3172F69CB16694E5D4EED7C16494A297C87" + 
"6C73256F6B30F88B6E180E8E62DB68458F2CA416C4A0317F70A" + "3E2465BC543FB07AE518B6571664FE9C2E49E2AAD57AD933869" + "C04A1CAB60903F9AB1C14E4FB3B6502F387B30693AE4A85A172" + "FE6813C42026DE57291B3D854A191F553893B3D4A79C84B08C3" + "7E80C1ABDF03FAB58966410C2B8B950A275F68852F006B2B38A" + "49E09165AAE5BA74B934A6B7133E431F01099F930B5FAD2790F" + "126E")); + test_hash (&nettle_shake256, /* 197 octets */ + SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), + SHEX("CF55585AD2CF64217E5CA23319EBA00C4EC74B7B9A453D1D7C1" + "44E8B68FA8EAA16B853344ABC905EEC90B35B681FD8A4A52460" + "999BEE62489C467151EA5C0D7C8EF2B9959FD44D171D530AD4A" + "576A0C76B147127921817B167FB43050D7F2F552F8E77ED5161" + "AB00907599AB80FC546C859DBDC04F2CA3E38A7593DCD22EC89" + "E73C4924152C7D1B5281699154A3325196E97E73DA29251F60B" + "C68706885462002C126517E00D02DA6A23B0CA9410EB916C19F" + "EC76DE9A907447A8DC1F8304EEBB6E38D0694821EE03865A5BE" + "DE036E01AD74AB397AFBEF6C62C5DC211A47BCDCDDECB48B17B" + "F5336FF831DB7EF9CE7643B285504D495161D4E864B6FEE67D0" + "EFAD2888C04A8992F019E52A6632F72539FD65271E81537AFBE" + "9E7795C658AA0C3B2C64EB34BDD0E5F19EA217B6EC9520FCDE4" + "46C2207C9AEE94A6AAFF4F1F39A91927DAFDC37BCA8173034A5" + "4FD535BF03212995975240F3002446DA1D111C0F97C92E395D9" + "6E120B958F643CB4EC52C6D2C148E6A0A497323565500AB1174" + "21C4A0CF0A055DC8B4D287F66FCF7EDAF931B614589EF6C6F46" + "84A80A9DBFBAAAD85059B9399CE2617B55E04C2112B32A210D7" + "530A3C58678B1D48EF24E2FB6B6F90D4FC605805B903085198B" + "2C50432D9A99454B68AEF0C9D0D81931123D7D14C0DCFF84A54" + "F3D4DCDC9E232BED26E2EF3334220F7B39EFADAB2CB9E247EE4" + "E880")); + test_hash (&nettle_shake256, /* 198 octets */ + 
SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), + SHEX("85225E389DF45458881A78277858D3B12EC5527BEE0D03F41EF" + "BA24671F1C245EF33BC8CECF3CFB7EA82263EF8F5F4E2C0D033" + "D1DF6AD35F1ECAEB2E40F22ED9F4CD0D1B9FB1FF5AFC3ED6054" + "9F1836E325AD6641E4444913A9AEACF36067A7E6EAFAE4F5D17" + "38F4B42F5185AF334FEEE2838FAEA6203032F3C5C3D22863C02" + "783D1562E12B0C73DF3098CEC208BC855BF84A9C231021AD5F1" + "FBBE51A21E2BB66BC555612500822F43DB5594D0D60532B726E" + "3A430C26D9E5BCCD57F83CD1CE3A5A31DDCC21DFD8A76D03A10" + "6FC77EB55EDF19A46023B5D70835C865952C463475769067FAB" + "2BA2A11FBF7F29D6400D10A34B1DB497B5B1D8D8A30A5C4DFC4" + "0EBDD1BDC992380074ACCAC904DC24F22547A99E7F5ACC53BB8" + "3BF94A522E595D9AB54C4E7EE052ABF95FC5FF52967CA2FBB92" + "7ACF7127349BA7FD26AC820C380107B0E341866A9F57852DF4C" + "E28C2989F04A40FF14033B3D36AE7D24A8E377AA40BABFB8502" + "B0B9B12DF9B42C2A9982AA29697A2ED522E344814E59D91132F" + "39AA537A521BB4B781CBCB5E1503354FE6A25072A52C54D248E" + "13F8253FCAF93E849597C23F6952D0F7F38D1A4E7D08FAFAEF3" + "ACBFC4371779C6795D1CAC6BF86C34FB227AAEF0AB51C480C45" + "10C9F1F463CE311CF931E8219D71BCD3FB55D3A8E9A6C86710D" + "18F9FEF6A00D1FB878069AD4A4E32653B0EE15866268D5772BD" + "4990")); + test_hash (&nettle_shake256, /* 199 octets */ + 
SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), + SHEX("561A3E8D8D57E0E32D7E9EA8AB6F58AEEA509CCE8740FE54E8D" + "B9AABBB14AD782BA33C7F9A5007796CA2BA9089F525BCF80BCE" + "DF4C09E24E8D14F1766AA97A82B807FB1ADF65430BBF5F87AF0" + "A7FF26578C97AB50148B6B15711311FEE962A8B9C3D1ABAF624" + "41CEB100DF3A8E588DFE3F6A356B348E312CA017C94143B3DF1" + "7F255DFAD5A7341B163C0562D24897FE9E4B99262FE5BF6920B" + "79ABBAF856CE38AFC756A77F2BFD5C3A039C08480BAC81D641F" + "8B955B22B66B455BC0637DD49A1218C4E8CA73BDB68B8849D21" + "48C021C75BF8470D36167AC32FC88128C4E0568724BB2D631E7" + "FEDFABB91F0343D267BF3A57BBCA57C21D56E339CB13DFA5E56" + "F3A90F0241DBC0D0D73F40BA282ABD5E031364ABAF427713463" + "EC5072B7AECCA62E074097BD0CB3169DDC06243F08B62527921" + "F5FDC9332E99B2E6903D65BF809DCA706C5C0F93AF85B9BFEEA" + "40504A3DBB390C6A417203979687A7C86CFE5AD3F0737DA1B90" + "7F8F941EDF44F8367B65EA8BB92B5285A3ED8E1F7EB0FC00536" + "C15005E4F6D9F2969AD96721BFE7A6A4824A37159EF08B0FC60" + "C68518FD4CE54E4033C41ADE6CB218CD7DAEE76622B711A1609" + "168BC115AD4F6219EAFBC492E35BDC446E866433C7446506692" + "94E8D1827A2500F3E30893C14820DC24E36B3B451E9459BFDCA" + "E62168706228BCD9C3EA22C4F1D0286367C7939DF31E28E7A2B" + "28CF")); + test_hash (&nettle_shake256, /* 200 octets */ + 
SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), + SHEX("3340B37AEDD2F0C66F2483ABDC66C97B45055275231F1C7A925" + "687B946C9135BB75AAB2D11E6463073A1A8CED0EA83A42736AE" + "85D1B99D1D2EE9AAFB6FB9F4E7ABACB39BC9F6D59883A9D1B0D" + "F86C259394A05842684E8A4573F1A3CEB46ECE59DF77259A0B0" + "25B831C2CC0DAE259551C86DB7DE0C434FCBC35328810201903" + "B92802CD5DACF9A6F4ADCB05EC5E0629A3FA99BDF2A5CBDA2AF" + "81CBD1438821A319408D67E5995342BF9BB4DA85BDCF43C5A2E" + "AD9CB4FA26542EAC044DC70857FF1B1CF95026B6464B96A46F3" + "A138FCB26B525E6A09F71ED05E57ADF4A3FAB611CD8069E016F" + "ED7B9F2F14C38102612D66803EF0854B2C7678E870AE7BE6CE4" + "3EDF447E476C0AD407F0D1AEAE1265521F43AD6CCF1F2E0C82E" + "5395ABFC41E08AAB436A806083E246CAC452513BF8E9C9E47DE" + "645055AE184D988D0D3CC1E5DFF6AA98B3EED26E788EA342C6B" + "1914269113248B15D0B79A6BD71EEA6C0BF9D89698A2B943AE2" + "4F843B00B34620DEE9DE5AE1FA1E00677D8FD9716CF43EA1EBD" + "BBFC2984FB1B27D444AF3B2D01A86412A32090A45385A912F39" + "4373F0610AF7D3C06D8564FAFAAD3B88C70196A1DEDF247AB51" + "5E5FCC8490A889F974E12D8DD5FDDDF8DE55500CDAF60FF2B70" + "E7D26B481389C2232FDEE43AE99B221893FB7CDB688C0648657" + "1A09B9A9B5D2DAC509BA166D0C5F5D8EAC363324234C657678A" + "0CD7")); + test_hash (&nettle_shake256, /* 201 octets */ + 
SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), + SHEX("FC9C58940908E1F78AA90E888879C9EF903CD450DB94E5BEE0D" + "8ACF6A4E453A32A610C6209D9F5A44ECABD634D45D04F5D946B" + "CD388E2943D00AD8A6C4682D985F45D796ABEA85F419D3990BB" + "DC5A21294970FD42B6D06363E18EF7C00250E96AA96FF730DE2" + "D92E69BD19C2EC40BA78F94B7D120CECE0B0A44890CC17529A0" + "54EDC97C25BF7AB6BC3C955466F656FE450BB25C34997DA9425" + "8A4473128DDBBF6EFBA41C1843F69AC2B86A5F13EA652EC19CA" + "A10FD0D605B4F31CE170F9FF1D6C7DC064EB4106C6F4F54C88A" + "463EA9B97206E567B370DCE4DCA5B998831362DE38D8DCBC0FE" + "04E87BA9EC6CA571E6A3BDC246D316A55FAB5CE8AB0B71E0E8E" + "DD9790B26E3482A95C732A304C1DD48A3955ED995DDB86AA7B4" + "E6406D08E189596BC8C5A5F61A2AD336E39D94F6188DA5A1E4F" + "2CC9593E92B0D89E12CB4E6FDF89C5C24ED83D66F5AC6BB0A6A" + "3C88B151C35123DE2F3D2D18D8D302FB10299F68F65C9EA2E55" + "21AED6CB9FF5E357DDC1B9D4D5BD7B13DC9B4FF63941BEC300C" + "C787FA6DD0BC617F5389EB6058D05BFCAA16F08393F4F1DC5FD" + "4226542F49F771E5E93D87E06C4E663ACFB2CC365F3F7901635" + "6656F92EE52DC6DDE14482E2CC8A9EDA71189E3C5A431EFE0A8" + "768D014F05D45685E472BF22E359B8A6C8429D8F048314BFEF4" + "9AF2637108E774D5E41D6B38FDA700FA2145B0235E1DBA03BC8" + "DBF3")); + test_hash (&nettle_shake256, /* 202 octets */ + 
SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), + SHEX("F723334037CE684CDEBEEE3F14B0D109B075EDE85C489EDF798" + "1B3BF88B946E2851C9453B0E891349080405BC3B16A99879FD6" + "3AD7314FB7D26C050061D3A2F971E2A79C4B23338FC92E21466" + "C27BEABB1FE045A0A10F33516BD77E7D87C49003F1CC173B61D" + "4ABAE5151D5A723C2E6571B0B7039FCFDA72C149744512D5FA2" + "0DB8C736A70FC009211FDBE0D7245C5C26DD878CE52DA760AA9" + "0D45A5501EFA74677B85A736B2860876B23424D1CC47660040E" + "919DDEE1F67314FD902A1D5C1DC69B70BAEA890B5691322C81B" + "210DDCAA3CAABCC770E68B1BBA5B08C3D7676771608924A853F" + "D770B2AEDD8D42B1E7CA6CC0499E22646732EDAEFB94761405B" + "76C3A58D5CDD1439ED1BB06CEDEC79DCDF38E373ED17798A51B" + "80665C026DC2BBA3EEAB43CB9024FF6F04B371C07423CE2D0B2" + "E2A800B213D9FE193403FE868180569EBD002591959B8687E09" + "F81C9B2B8DE7672D173F8EBD0794ACD309A2629ED0AA7E14B58" + "635115A58CEAD5BE08D3105E2E65429D1F7823BD8DAB99084E1" + "D63BBC637EE37AD4627E57E15DE35CA52FB8407760BD2AED167" + "B6EA65B0C72B9B53C58A16D030A227CD92F19F14BA5AD6BB00A" + "5775E4A091D7844AD2DE44CB9D866154127CA1B1A2422483A14" + "6C729AEB85E67D597EC6F700C9DC615F2BDFA6A1C9AB038B81A" + "D0307DAEEFF021EBE7ABBA47BA002C27C2A07611027FC69C9B6" + "3992")); + test_hash (&nettle_shake256, /* 203 octets */ + 
SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), + SHEX("37A534CC68DE78F87B85212464858780E143A5E0DC7D46419EB" + "17E45E1872186DF8051353A6AF703C167B9233612ED68E95352" + "44DD99A613FB43F277C833588F7A2ADF2EAD15ADA2D6ED7CCA6" + "AC786741B7453EED605C7F8EA3A8E2AA8D5688D72EDF964C085" + "42422DE589D402DA18E10E7ECBBD132A10FE382A7EA0A94C9E5" + "C7F31C7BDF018F44BB6693EC64B266E1AEF1A3A941E336E479E" + "FBE2BC897C93576F5F1BC9C6D4F6E948A14464287D1E82DFDD1" + "E0CF0A68E9FF696B5D5392F4C46845DF19AD5BBF2B158659E85" + "6BBF6732A9AC0ED722BB5EB2C25D35FF83B892DD30BB01FE20F" + "49A28C52B6F28550FE56D176790AE2D96648C66E389569BC2D4" + "7D0A5775E0F6F1B7AB8F999415B3EEE8AAE8A3B663F13E0EDE5" + "C81CD001307FFB5AEA2801CAFCD1B09D31182220F52D39855E1" + "DF732F1CF2671538AE37726B3B47760830B391EDBBAE70B52F1" + "F2116762C685FB8523742D90A427C991F80DB823E3496994566" + "10720744BD2E4FB9C40D1371DEBDC7D01B2F5BE45C0231D297D" + "E09D66616509BBDB854D84A2D7C140E8489884794D3679FF8E2" + "4F7F04CD72058EC305EC21823AB5A47AE9AF8D10EFDBE2642A9" + "7DADD44F174622597E4BD88698FA75F24314E82ACA60B42F66F" + "84602C831FB9FA73E95955151F931841F1B9DE7C3F95DD78689" + "3B45DDF66045AAE6533AAA59060B415FE392BC585EB4C39115C" + "C163")); + test_hash (&nettle_shake256, /* 204 octets */ + 
SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), + SHEX("60C681E527396D6C9DC1E5FD71842F760F9873621A9BF2B9B98" + "C5DF450DC7194379991D7A94397A206913AE1821259D308A5DC" + "4D53E552DBF2287B8694F0B6184B737D5E32E1258CD7FF58E5A" + "A9B5F37571413395B833CCC5620E37B0A64112968D4D7ACFFA3" + "A66E044C36E23363F1A09EEE48EB6713FBACEA29ED63AF0DB94" + "ED2BB22CC01B89D05391C1BC8844BE8BF105448925AD2373D46" + "D3417F920046E8E4AFA0C11A8057B4A42FA4CAFEC592F8C2F8F" + "1E2D603612FA38DFC3D3FD768EF7317802342E76E70D30745FB" + "AFC0BD007EFF874CB32761D700C88E27DBEDB57CBFEEA688E0F" + "06801847C1046CBF47E2C12EC0A4016D5E8238916DA887DEAB8" + "25F965F936C79A7316465B48A2B8BD5889BD04580FF7DC91C50" + "DE8EB60AF74E74BB4F896FF73CD3D1C55948C19DC0ABC841D7B" + "C3384AE4D60BD855F24BD2E402FAF5E47D66DDD2F0533F9A73F" + "D483E3965E967C979382F643CDA535C4AE3AECBBDAA51CD7A89" + "C8B2D9EBC0B7F9CC1C1EA355F9FECCB62345BE39A7D1073CBA7" + "C5C46F2163DBC1E9A6190EF620D6053B88586E73B18E816206A" + "72F297EF946C8B302A6E3FC92A3E7A9AA87E26C1466251CE1BB" + "D204BBA7D08FEB28F99CF27BDB3E8479C9C57FAB8F00797938D" + "471D53A1666156B66853C067E64695978D2E9AD5250FFF6CD14" + "91F7BAC09B77ABF42249FBBD63DEB5919A1FC96A4E26DB9D789" + "320A")); + test_hash (&nettle_shake256, /* 205 octets */ + 
SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), + SHEX("D8EF59E48FE97B07649929B9194BCC57EAD8E0EF010FD65031C" + "18B4CFCC0933152054AE17841D06C36BC375CB1F98D83E2F9C3" + "DFD54B88312AE71D7A00590A759E4B8D524124CF480BCEC6816" + "FCEECABC9E13356F99ADA2319C3EB0CC9E3BB504EDDCF7D3839" + "511BA0B412A72C3A8C49F7964A4F2EED7B814722A487E3EA6E3" + "47CDC2585090130B4DC535C3FA98E085F107FA43222B167EBDF" + "2BBD65ACE691D8C23D64DE52F966983A3D4479CEAC8AAB17794" + "7079656A454B7BA4548BCD5762974264C7BEB17DCB4FDAE572B" + "D67067F304990611E7C7F4D50BBD2B29D19C02D51918D5BE6E8" + "56BFD8DCECEAB2EA9F82F5BE53E57D4B00AC371436EFF3898E9" + "30193DD1A21C5B54506C6C91EA665D0D9992BE999F1DC434BA5" + "87DA4EF05BB296087314C4408CE0C5851660D0B5D1746232E03" + "1934284F85B7AA38420FA6EB469171FAABE88F85CE64A7FEF84" + "20ADA1F9BAAA4BC93D779C5A268A3F1F8A57CD2FD3B19CDD4E6" + "48E622552C1F16455F32631A3D91EC2F7A882DFD0EB13C4B85B" + "0A23E2477B53E0FE5E174F058268F6A24BA3CFA38D090AE6088" + "339957863733E1DA245432AB0394EAC05ED82428C4418DDEA00" + "C45E57A1719C7D2D04A781F8D0187C7C33117A3FF5473BD5C12" + "11476FB4EB64AEDE5A9E2DBFEE00671E7A9CCFEF7624E1F688B" + "77CBC755B95B6EC391D8E9DD0B65CFF4E1FC22F566F0B598BF7" + "ED6E")); + test_hash (&nettle_shake256, /* 206 octets */ + 
SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), + SHEX("984570A811CB6B53213280F8C06C69FF1D17E767B163F8AFD76" + "674AC018A1CAFDA4D94B69BCF58F3AE8A53B107976ABEA6C616" + "D85AEB98BC10F29177A3590BFE943F53D2512323E5E79D64F9F" + "1319D47D6BA84C7EA37392BD15224D94BB16D99E0E1E7062FBC" + "3EDD7C81418D816E875FBC9D7434249D89A6002BB777E367F79" + "219BC7FACA03E1B9488307DEA98F304258FBCC53C58A483A6FC" + "C78D9D9B28D99DB3709E32C1EE91FE305F72B041933C8CAE6F6" + "8C6229658D591CE9B1100D6974706BC21A45224778D12DFBA63" + "CBE9A1A3FE9680A34771D9BAE39B4DC9C191C0A4E092F8EE92A" + "F2A02C95242CBB24580E04774AB41B07FCB6F61ECC6ACB2E48A" + "77E544AD9F25EC0ED7F440C26B8C9D25C7CF4494AF0802C4B48" + "2DA80251F7D1572DAE337725B9A976F70BB70B5037F333D53BC" + "3C252AD9AA13EAA7C9DE1AE4B24F6C91D17A489AC9D392038B8" + "0EF7679E75CA6994821F153C62D6CD7EF58927636EDF95EF6F0" + "5520025C4BBBA23685A862F244AB3802AE1D842184A5F5F344D" + "1193E1239990C331488C1A8B98F1707C389C05AFA919F5C17EA" + "C158064350ADFB9532EB0AC9111E256251B11D082DB28206AF2" + "AC514707D956A35E26495EDE4E98C2578427B48BC99B9AEB29B" + "0FCBE44A0E51CE9BB37864DEDC30BBB5FF9A055423D8BBD453A" + "65AB54E65CDF773CA695303FFD4767193D65F26706FED1CF35E" + "740C")); + test_hash (&nettle_shake256, /* 207 octets */ + 
SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), + SHEX("2C2E6AFFFDC10D54F74AFAAD553CCA0DDA3AE5A5EDE3BEB611E" + "4C1441AD4E51B67EAA2306ABBB39115457FDF15FCE9607EBCF0" + "537E4F9AA2703D222A2B5FE602F87F6B54CC7A9427807A10E56" + "BE5B29BC3DD91FED0322F291D87F563BAF5B705534AE8BAC35D" + "4AF68A23963C040F4A1AED9B3E51124303DFEBBAEDBAB35D7CC" + "BD38D482EE45E261BCEFC53D0A25DFCA5DFB60CB2672D34CD41" + "54873F92B33FAFB8068A95458BC1166B36C3977643BA159B655" + "654D1755FD5E396AB9690718266EF6AE670452FBE332BE84750" + "BF7A26778E555FDB59AE0F48D6EC3FF4A1FEABF2FF7F1CE4DBF" + "3269DCD91E3CA9962D88DB9C527874DF15F7A6DB9682B1F0D90" + "4AA875D29A8885AE63E90461C69B688046FC771321FD6A61A6F" + "1A93FC95FAC72BF86ED76EEBDFF0CD6960D72FC460753ABA032" + "4F2D7CD7372F413D4A49E761CADE4F5911D18F7C712F61CE1A5" + "C9F07ED2B042D5C86B4DB97E1B7ABA57E2F2DB98CCB4041A16E" + "E21E08ACE213412C6D61CD3C42BB5D8DABD7B5A945FE512F2E6" + "4C3B1817D9BC5840D6E16F7E5E2AC36585BF8107ADDD0C269B8" + "510DFE11222DE1BE13CCC2A5BA8536887A11A0A733EB81D9372" + "9D487481655F531BF4AAE624918401097EC0951F7FC535CBD85" + "691E0E0EEEAC4A5848A61AE8D6D6121D3FBCBA345AB755C4E84" + "41ED7853FF46CAA48090728A7AC39496C3002BAA99DC90F049E" + "FE4C")); + test_hash (&nettle_shake256, /* 208 octets */ + 
SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), + SHEX("E36806AC60D67682D34D80AD11A1415901FCCC216D7548DE3F2" + "428B1963023A9394BC0E1766E279AE3509AE85D773D11DC8F11" + "AE65C5C0D6401575CB33835081492C2B657F34514ED6B0DFCC2" + "639FB758B5FDDF638576A64BD34759D629FF133112CC5200267" + "D8C9997E1538D602CA356E821F06EF84C3125D8466673312C69" + "03CE166FB97FCB3EAC9D30D61E13A1DEABB922DA6E5675DC897" + "6CD4426EDF7A7A797DED8936E0A3E721DE5C4D956E8287C4B05" + "D1210BBD36CE0E36B7F2A31945FCA6BAC1CAAB3C46D4C8245E3" + "E589DBDDBD00A3B99D8DFE33783235026C1A990F1C383CF71C7" + "55446D8F5DF4A114B9004541065BDB81AB81B98ED47A1D05595" + "AD5E168159EC620B1DA439C6CCB6C4D57A2ADB33A0E113FD0D8" + "ACBFF5C759BFFA29B36E8416EBA1B8F45285EF3F496F6946EE1" + "DDE798CF8F5BB78900E59785597101DAC9EC5E5F5CE0F0D6B17" + "3B6418A75BE30A84140FAC4899C4EB8DDCF87A0F78F22E23780" + "6E0871CDA9976DA0E7E42C4AD73FA49D3F9C257ED1CC6C38980" + "6BB2C32B1F7744DDCA53BA515237F1588F5FA7C636360B6B8D9" + "8DAFA7175DB320A1A3FD1B3A092D9E8A4466971B87E5B051898" + "29AD8D3B407F3C5E4265026C8B801C391BE0F9C9DBAB2F56362" + "F820384D859EAE1ED9B291F5F03F14F12D0FF8ADDAC128988A5" + "9707FACBE23814873246C99DB793099E6DC79712C612D41302F" + "8B59")); + test_hash (&nettle_shake256, /* 209 octets */ + 
SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), + SHEX("939F4A4B5E37B675450782B0E8554BD6A2821EC805CE07FD4F5" + "A3BC3816A2305F2353FFAF15883E760A3DEA064DF1583CFF5ED" + "83A97A62DF9D174AA80958E7649460FB4880DFA21DD7C00F373" + "AA9F010EBD1DE7E1AA73F51F84DF36BD2DCE6B37D7A1112C6C6" + "9EFB734CCE2AB12517FAE38F0F3592A4693251CB4F41AF7E820" + "F1E6F432CB9F88B82FCF579B2A5FD0E9A5B3C28542ABDAA9C65" + "1EF1A05A385051682B3238262475AEEB53894B8274EF37B223F" + "66A32C0D3DF45F3F191414FC0E8878E3D58852B4CDBD826D236" + "A7010CA49C43095786CDE671070EDE3F5BB74F34DFFACEEE281" + "042EAF3D2B39E53C25A61F3B0B2D79E4305B9A17C47787747D3" + "CCA46E88BE79464BDFD16BB44EC7D862503077D3E4E3C55BA1A" + "1FCDA217D53F5C22A35F883FBD0E786AF38276B341733F82BEE" + "BC4118D486C32A3E7A460E24951BFBE760556E36981805B40B8" + "37B514FAC3E8213937ECB018449319AD3FE1C0EC19B502E8E03" + "99398F3F8C74601F61A9BA3021F153ED45A99BC150AA886BF09" + "0B0134DA25B2740EE5156CFE28151EDA24A2C758303F505E465" + "F9D6A409651D4705A80B3FF660B2D66AD061960A3C6B81FA8D8" + "31659830C5243AAE26334917660FFFF3B977FBDA3730313753F" + "ACF7E319CDFEFC064F2072AF7195A70EA74DB24E5FBD36D6FA7" + "8C0D0D1085D05E81A62D3449F16007D3CCA29E4403DCE5DE01D" + "579B")); + test_hash (&nettle_shake256, /* 210 octets */ + 
SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), + SHEX("3C78C3BD49493560231A71A867BBB666536B22562F150224599" + "1E3FF28E6F058264B382BBD61F9A16D4DDA0B3A72F84606F97E" + "7CE53F4A57C132A920FE738F818E987095C1292D9873A772E12" + "F74BF42EE1281F408DC2ED7BCEEB2FA6FD856B7A01A95535058" + "2C111B2CFBB65E26B745939E1DD4781A0265EC5AD4BDAFDE1EA" + "40AD504EFB0E9F34E15E1526B1873F251D33C280F9CAD71BCA1" + "7C4925AF9C3DBD4C6798BD393625017C5D3B03666FBC3AEE276" + "AE669AF2E9E10AE2D608247F3DCE876A8EA3BEE6EE001C3D5F8" + "47FC92A2A9CD0FDDEAD45C1F92414B23722005AAF8A7A0159D9" + "1B77F4A0E44DEBB9A0967977B04072633B4588DF0D699C8F990" + "D60FF5A2E09690A624DBE88B998424620B5634ACDC02C75DED6" + "DBA9431AA7A0FEBC01CC5DAA3094CDC818B2A6CA4D808901134" + "08565A714558B6BDC3E1735BD1FC9FE84210D7D78E0C50E8961" + "C39725F68F083094277B7B7ED3300A1FBF42F72AC9A79FF927E" + "4F76ABF0BA233A9E82E535C32D7054078A6A4A63F1EA454C6AA" + "33C5A2299DF7BECB5F911C25BD74532EDC882FF4312D2AE0ADD" + "4D0F67958A520011851988F9D3846C0100B4C119EA818062A3C" + "69401344CF94F49AB995C286F441D8241F60A73863628AD8AE1" + "CC780EA99CEFF0DC18A3D85E16CA00756627F6A1B7546359451" + "20890313EE136438E01A41593B6EFD26926F48309122CF1DD80" + "6C8C")); + test_hash (&nettle_shake256, /* 211 octets */ + 
SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), + SHEX("1A73A838FBE2AEAC592433B7CAABFD17068510B165896F00217" + "A1F9E2093591A77330E656FC53D1223BC9446C11D329673B418" + "6A85DC6091140C070843760EFFA56918F414A9C6F2D198E7D0C" + "19F44AD19D1E89E25365CEF40890987D255A616524AD68574C3" + "C284825A48C3BCB0B48D41EE284B53BE97127DECF90402E8FE1" + "317263D179814177B79DF92B9C71EFE9C3C2F3CBF8329BD9711" + "E6393457F076C8BCF16A70E854DAF7BCE58C31F55B4D0E9681B" + "39FDC19D0703A795C234016C5879857F25A64EAF0700C681E59" + "0B6D29605311F1BDBEA47762BBFB012BF103D34C2CAB53D53E1" + "962BA6850B779B8673BA280B0FB79CC387E2559105DDBA2884F" + "E493B85EE0F0747436013CED0ACE7280854E9BED8A42FC98DCF" + "1AE5F845B677F4B802D01AEF9529FFFB6ACFBA047429D4DE318" + "1FA959A3B74AEB5934E3F25498CCC850BFAED46738736DB5E5B" + "DA73AC03162923D310A1F91658D15CFC5268FD5BCD9AE6F9D56" + "52558F74C1DD85696233AB9EFEF5CEEE75F0A3489F46867B0BB" + "1344CE24E5BE88ABB706CB49A07FEE3DD5911DCC0486B58FF2B" + "024F844C3773A1C03CE35F02256157A6A2E6616569FB751ECC3" + "E4CF01EF99BB0EA61E4AEFEBCC65450EF2999505427B23C7CB9" + "278E27AB58C5FA2D5B0A432A6172CB1C23DAC420C92631495DC" + "30DBE0AF3B6944F1E101D1566F0A1F4BA06B82C36A7CD068864" + "FD3B")); + test_hash (&nettle_shake256, /* 212 octets */ + 
SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), + SHEX("674343644B198DA1CB0709F842239CA1559AB643E48F8EEDB37" + "3671473CA24A99A74E20AC6368B661BA1824AF92985B3E7F957" + "F9C935C715531703A6B8B5113A364F52C7DF7C5488997A3FF71" + "873FDACB1A6F4AC3B631A3341BC36CB742F8100B28029ED6C44" + "FCB41E93B6F171A064B0F13B2F83B1790330DEF22A387C52CEF" + "7F16D1E398123CA0231B76494D708CC694A28E281B34ED163B7" + "931312DAA56752080C4966F8638134680CB96C4F815AC678106" + "FB243ED3B9C9A5599D3851BF3D89CB7BA463C71A868F74D07F0" + "C6F9C6F940F53D88E18892EE6CFE5FE9C17B92569E5C1222FEE" + "87792987663757459C35630CB355F445630826807909BB5CBC4" + "F5C8E0BC669BE6C705C12BCB2B39552D4AF42204D237FAC5BEC" + "56EF9AE6F60BA836AD865983DF2F25A1F8C3F5DF93F87EB7647" + "2DBEBDB20FDF894C0167287EF1A6355040C4D4A6949F4886974" + "98529217E4532A445CDED47687CFAA14DB98260DE9321A16FE8" + "4E4D82D2B1B0C2EE639B2ABA48D85E4D06A369CDD9B03A0A846" + "EBF83ECD5ED257876BD5E3E7838108FB3B86B6558F8BB454F1E" + "76FABE18F3B66CA1448C1B02DAB1BCD485E709CA800D5271952" + "602E9B1BD585F61936D8DD678C900407892756A08730B891C15" + "4B33D83BCD1B2F441F1DFA79AF235316BE9A3E20ECEB4EB23AB" + "76D9E9564C367BC27424DAE397E35BA16A8CD4BA15CFB7D9EEE" + "2B82")); + test_hash (&nettle_shake256, /* 213 octets */ + 
SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), + SHEX("791BE2551F426CD350322EB1AC0E6902996546D446C229E03D7" + "4E25CDFCAD06CD99BDD3658026EDBE8708AD18DB91305770245" + "0BAA457EE767B7F6085B0F1D35A86D8C5C62A35E5A11B81D409" + "C12C8AD5777E245ACC369ABB5EA9D8D9517AE7FB4033EFBBBCB" + "B70FD6CC1E55187AA8A27C75E5116EBA46DE2C8378997504A82" + "390E6B085A45C5FAE52FC314E876DA7A7F90226CEDD3C4E9858" + "87F162513BDDAC323E85737F3954DC58D12E986BB1840D0EB04" + "6102C01381DB2915981B23DECE4987661B41B56D30C35A13DA2" + "1C6D2AB0BB7951F04804986DC2127F7F33C4937D27427C7B706" + "2EF7EDE944EFD0015681C2FA0C115B67652A7EF1AAD03C0FC45" + "42BADE7CDA11F0AFC57D8E2C6DF0E5BB5440C2B3ED2807C2798" + "CADC6F371A2D6F2D647936B82936BA4B19A16F599689814AC4D" + "E20CC7CD05A3452D9286B345037ABD23850F22A56BBA707B1D9" + "CF299ED3EA21943882669735F69D25F240F87F3B34CD794B0C6" + "353681006AAC5AD75CF46BC6464579BF5B715AC741CD1CC06CD" + "CA6E8D579F2FF839E263C94588CCD268B1D375E5DF5BFC8B7A8" + "9FD72CFBF9BF5400EFEF53186B50497D942963EEDCD6A742678" + "4F38F8808C50F867D22C10FA4D7DEDB4F5354FE1EB1484C9F64" + "5397582838F1C78076891C5E1E44959B5C74E28D7BCC3F6ACEE" + "4E5393A5CE24E97CDBE1B22AE853C567068ACEE03CDB3157A3E" + "F657")); + test_hash (&nettle_shake256, /* 214 octets */ + 
SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), + SHEX("7C0247B191C924335D843B81614C0F1A6A9AB1ADB6C28692239" + "7D8C1B26220A35C13C7151E35FF9B3653A086DA339EA1F05881" + "F414E7A16C61B1453287F924C48EA933995000A9C9B0EBD5E8B" + "EF2C92820CCF9BB6CB0F465AAC124B5E794FDBCC60584B05CC3" + "BAD06D41CF9DD5D3D3B7FE1CEF634DE558B6642E591BC2F69AB" + "EAE61EF5DA27BEDF291D2A4106B3DA946FB57328E827C8D4EE1" + "C3665AF79F96CC290F924348C30205D75B01BB05AA9DFC317CF" + "DDEEB7E3764589C003E2AA1DDF60A3C98ADDE4517E40D08CF80" + "646205EC9FC6E9A3E1B64B2EAD561957C3E2710DFF720BD7E58" + "41481D9E1A048D1C76A3E1A08BF010428C8FD2A6F2DCA4FDE7C" + "8CF59C826E6DF246CDE77D5823DD1E0C0759AF8356E89ED4C03" + "276A37EBBA73DC196E7915B57BAADE13A7A276AAA4456E23E44" + "54D44260D9EADD748D4E7E1857B6D2D9C301AF6118270859ACC" + "43603C79A2F6D698871FD5384DAF43B16FEE4ECE1146ED54E1C" + "A28EAAF2D94306383609BFB26D6634DF00198E0D19500215E17" + "8D77329F7504AF80DC6B727EA7791305FB38FDDB1CEF7F626A4" + "9AC6E34C3A6ED630F9310F890392704A2CDE00CC850FF7CE9F0" + "E1F0CB4B1D0C161CA3B812309CB3C9E9D071024D61E5265A71E" + "7ADC58A3D47A567F5B19F9E13FDCDCD34F3DEB12DA3151FE817" + "E5844F5FCE12805B064895671F0C3767AF5A3D203D095BE306D" + "4A26")); + test_hash (&nettle_shake256, /* 215 octets */ + 
SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), + SHEX("73F5EDF85CBE959CDFBEABBE2A96A1812134EC9D3CCB72D6039" + "D4FCDEF0B57BB72A782B76963C97AE0C2713CA657B9424851DC" + "903CC0488A169538A0DB3EC58E67C4EEA1C18ABDB2036C79381" + "E76F5C9F6CF1F830E0DAD77D2EB90F120EFBA42B20B15B8C8CE" + "8532C5B668464AD4986A281E75E4FB2CBC59ABF886A8540622C" + "2458FEFD190908A09FCD7F16B6E5BCC7E950917794FED485C82" + "CEEF7FE0FE4665E0922406AE1F8D34E5F77BFC0AF8B4C881BF9" + "F76C78A233898D120981BE96F67D135723407ED252432928C7F" + "2580FB80000CB51E3EE8DB02D4EF4FCDBABB704DB0CDB9E31FB" + "E76930D285702D91A74DB806DACCC01A15C0129A7F7D4712668" + "ED633462A6A036A9EC2C4A7E4AACD4D62DF9DA1FE959DB9ACD0" + "FB6F01A75F95CD9768F408AAB1760EDAD70E936EEC344E9506A" + "586B9D42DB99EF828E58D281128FB0EAC1185BE704CC9D16E35" + "9EE3BC1361A776DE4803132822F99F7E477764C9408B0457451" + "50AB8A7481D266995C91EACA7A9497F4CA1848828FB5ED127B7" + "A4A5FA0F23614165A8E4DE1E619A40D4E55AC28075AB2FF1BD4" + "2BEE19F2F9D63630CAC85EECA329A0A1877E848FB2A64176411" + "A7FCC2DD63D6CA19452780BBE4EAB208B0FA7B25F21F17BE1CF" + "7C5415A04FCAB687B7D4BA2F657E39D5EFC17F36A1A0E3DE461" + "0788ECC43CBE70BA2DDC33ABF4C335940DD53891FB6DCE20DD0" + "39AC")); + test_hash (&nettle_shake256, /* 216 octets */ + 
SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), + SHEX("9F303DECCEA9369400C533CE2E162818957E18F65C05A675404" + "CF8637FDB57F3251FDC2844CA194ED97CD021416E764E072598" + "106E9D97D420087087DCF5F8ACF1047A7B4518E683E5AC6DF1E" + "F1BA7EC7A418F12E386DFB7A4A5EDD9898CAE54D645AB319398" + "2F4363DA670F1FBC7AAA1194A03BB76391A78DAE7E4FFF733A6" + "F19393E9C4CC5EB3F5503D8B1CEFEEB7038B0565F29D6CD4460" + "090FC63E3C4DBC7D5D3D107F8E905B21CC9B9EF3C535AA0D8EB" + "CF787631744F80A05CACA3E50968A05F85E9CB0D775DAFCC714" + "FD6D93C8B110E58F9AD1F8077CC80427515FC5C0CF081DE5FD4" + "CFE6EA6DD2F33A2DF212918A3F86BBB8ABA45D808BBC2CAD8DD" + "09E7B9AF1C33B0E58B988268DB39118B2B2090EABADEC0B84FD" + "836DB6944E8E27B5F4F3B2876077D52B4648885EF55DFFF266C" + "7264C46EF5A3CB63588D1A86C82D19449E0C93D968619CA4D33" + "BCADCB21E6787A5E41F0D4E95E2B47E422FCFE5BD7EBC65A302" + "3479330E989B3EDC8320EDC868FB122DF078470B0373732E187" + "110D3964B6E7757E84F177106C2BFAC5BCC43A13DC40BA8AD5C" + "1E772C58DF0F32FF0F10348686CF0662F2F30D41BA48B121E1A" + "146C70E6131E13080CD8B63AB79869AF74E64B9899855C81D20" + "F753F22C67F1E4DE2450740944CDF4FDEDED59927F92A9568DB" + "95E5B8515C07BF4E9ADF952D4AD498F3DC19A2205640A8378A0" + "FD5F")); + test_hash (&nettle_shake256, /* 217 octets */ + 
SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), + SHEX("1CC30597732904C49C0F6EAF777F82B1C33B4CF00FA720C7DB8" + "473139266E7304D81999F322AE6803736D242E7408DBB8955D8" + "F1C0B14C6F7678CACDF2F3CC2A17208033E8C70BC5141A072F4" + "1E759AD8EEDFF745DF0162C2EA877A7D673BC63D80C0F1DB765" + "F9F5CDEB2EFF214411F95AD7C3C41F6AFEC798E001D31AE2243" + "2A54BADC751F7F713B4A3693267BE3CDD3A1DDE1A5E638143A2" + "FAE59A2A359E197CF4E5E1D933DAD9F99773F164173E3E81898" + "7F19D122AAB725AF24497CA116EC201B2482F0539EC454292DF" + "4D018E286247F8C857B53816E9623D580D69FAEF60009FE72F2" + "5B4609E8DAD73A06C006280EDB0137A25D5462368B18B8F3752" + "5C2C74FFEB4A7942683B86ACA6FB1D773E9C92311C4E197C546" + "6CE90CF01C661EC2D928EE0D35A2FCF0EF1A87FA7D298747E44" + "DBAA4C90C655348B8C2771F378FBAF0702EF9CB4B42CD5B2601" + "6D8F5FAC1B79A49F8022A180F04F8988B5895822404D346A036" + "22A5DF8AD2E3F6841AB14644F6074A72DCDA253D7C9423DF9FC" + "15D98F49E3B2A1DF2011CEAA61BB7DCEB3860B9B66DF3926A1E" + "79E73EF6C4429AA9F344ADCE7D9A7451AD97D0C9653B916B029" + "C4971E6756FBA775F191751416C3B0587C2FC5043F38D2B6205" + "804C47DA3E85A99B47F1AAF42D9C709F21BEA94B8CA7340FBB8" + "B262DE6C47B79DE5222AFEE7B1C994ED526AD4D5641136F5227" + "A5BB")); + test_hash (&nettle_shake256, /* 218 octets */ + 
SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), + SHEX("6D96D224006DFBE8EEC28892FD2BF888FF543501F2F8AE5B6BE" + "B67713173C88671E4B3804D695730FDD0CB04FFD873B0E40110" + "3DFAE8F014FFB0EA382333E33985D1037403029F0C642323183" + "AC8668907DE791BDB0BF7112FD2C8BA5D3B933273B51082810C" + "7515C78173DAB93C7AFC48B0A76D5488B76CA0E5DA2226B669A" + "2EFA56F0A2041CC4A60212B2B4F4B02749B211856839868CCC0" + "A935DB1F7305EF356024FC78795690B69CBEA01EC0B5AA8B3C4" + "AC2D1815176B57062DC4742DEFA68081F21384FC875339F4098" + "5E85DEBF3AE9EF80CFCA746375492614FE5E76A96E506403FE2" + "CF5BCB43AE6E4E697E86237E825BDB16087EB32D3DBCCF2AF2B" + "624ACB4A960E0781E7C686B0B3A8A0E4BEB1F904E0D84B00038" + "788A02CE66BAA59EF185E2678598013C60208E5CEB50B701BDD" + "2694A24837F786931027AC0D64A229400B5783BF29AB39DF9AE" + "CED0CC8B9D6FEA52DE3E9220575B4F3AF6E2DF155A20D87FF3F" + "5ECDC0437CF7A8A648A0BE9C81F0EC3457BBA5D5948149C3FF2" + "411053549AC24DFFC65B54BB89B227499E35226FD9E1A85EBF5" + "DD534852921BEB63BF850EDB495F9DC1876C6A481E9B774E6D4" + "368974BD5A7BA7A16E90D078BD651F128CA7AC160EEC05CB8F3" + "AE3CEE4BF998579B84418D7A70DA95E65E4DA9933EF8E399359" + "D6D1993E5D9753CFD1B10737F6930FF0CBA3510D3BD9CF78F5F" + "79DD")); + test_hash (&nettle_shake256, /* 219 octets */ + 
SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), + SHEX("E0335CBFA877DA0DDD79072BD7F46EA6313144E633BA2C207CB" + "D6948237CC32A39DB06F951A1A4B9B0B91011158D38938ADC1E" + "42408A2D8A95C3EAC579C922943155624F6318E12BE7EB6A836" + "79508E0910FB6E85A84998F0FBE06B087EFC6EC91EEE277B48D" + "289DD6E12C820D0909E206750C82995DB86031E71B0D005CE89" + "8F1CF7C782F10B8CED5370CF27B74C6822910B653BBDD328AE5" + "A4921478A4072B8C7C89B446E057F6DC4692186CAC39CF08E3C" + "3F0C9457FF44DA73B88CE131A1E2B4C6A235DD464E4777B069D" + "39A9EE2A5877E07E8669B0D610513102B00F8E2A7EC210C403F" + "2E398EFF22E193A66376D0D08AB3013AEA4D508EE88EDD361FD" + "A5AA4E17BA899632CB7222EDDD5B320AF686C80F2777D94FA2A" + "3428A47AE7340054D2DEC1C42569A5EEE01759846FD10AF9D2A" + "D2AE9F6FADFF825D184EAF7E8AB9D7C7C64AE07CD5A95F2B24C" + "C3857BB239F5C0824EA7CA0C84CCCD9601580EA7A4C89370086" + "17468B9122B466624D51AF29AE1B66D14C332F2535BD7C3603D" + "E07A0B25C6A260E9E70EBD2DA622ACBCA660D425DE2E44B7E62" + "42A83077BD24025ABD5F0F2F21743F80D9A6F1552C3957B2200" + "88D861F3E25823548BDCB448D19B3CFA14FC8F11CEAC5BB2623" + "64F100655D5099D564041F113503AEC817BB03CCB9A6E021967" + "06FBB836C28421AFE0AB276772150FD0677ACE7655EA6214F61" + "D2A6")); + test_hash (&nettle_shake256, /* 220 octets */ + 
SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), + SHEX("74B8E6A2245E18432DB073B046FA0D6F63C85A05B9FB3B3098C" + "8F2AAAD938CEC8A8232AC2CC4CD7EA85A29BBB4A2D03311CFA7" + "F1ED8107DA574E659358408C60B1CDAE6A4BA6F3091574DFF99" + "8C97CA31E410B4132013AFAE543076BACA1989E7B5DA17E654E" + "664C856A00D7DE43EB3A2C5B8E347EA3B18A94D534C0448671F" + "E2C360034550F145F911ACB7C245A99FE37CA167EB8AE0FF5E9" + "D0B65F255D24DE4239BA87C2E8B757192020B3A28D53861D29C" + "845D4E4A21604ED2D5DC8E4C107CD47501847B50CE2452A3168" + "5012C5949E0CB630088178AAA5C9B0EAA6394E00096CDAFDC78" + "1833F37C64EE2955DB09F1C3B3767A0F0928863567513D5B02A" + "3D24E66A79EA590D5DBEF5E8B5D9953ED9F72610C0D4F5EAD67" + "B3421E90710138E09BB15959DFE9AE408AFA9ACFFCA19DD083B" + "DF508D8FBA9F75A18F6229A9850DE36653A0A39987781EAE3F7" + "40E2CE387C004D47811E3F8B5F8DA9ECAFE90C5AF4ACE449FF7" + "AF57B271B0C3059AE42180A1746EB3AABA944DBA5BF3946907A" + "18B1D94DF4819872A24DEEDDA3AF7A3787AB6B3D5F128D0C3CC" + "AB6AD0C34371BB76DAA321E36F6FF935FD58B590858F894B54B" + "F9997DF8B73939919AF342D6593F31F76C3251AB3812E27F00F" + "3AAE0C0535A8CBF9C6A9D20E26E619D6899ECA8A46526D7205A" + "3F2F3971C60E432CE438F40C2CBEF0F2AD7253B18AD53C3BD8F" + "108B")); + test_hash (&nettle_shake256, /* 221 octets */ + 
SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), + SHEX("10B27D45E1E91C3568B990F306D4D0338380C4A24C543DB7905" + "AD8C20B9C469A79E50F7FE705C03D2D1CFF9E2C35FCE1E6E203" + "5D3F464B6D2861EED223C32E960BB223F21193CD4734F36422C" + "1DE6F0F81791D6A5E9DB7BA8C2CA1F2B7FEF2F94C5392869591" + "3471B5E1B02B75FB9B0DA1FEB46520F3E8558E03427BF371180" + "EBACC91F3989F849B4EAB233C529006EE02050D85B548344C09" + "CC7A6C6C40FCE5C55348E1BEB801482BA70D6CC5A24B3B0C9A3" + "258B0934C3A41FBF07EF50460E2BDA507711954C83FFB91CF2B" + "2827D5FCC6DAE70DF5882689C573F159A9B45694458D0FB8A50" + "00B109BEA868160FCA781F50DB7B5EE56AE55BAE1FBEABDC155" + "EC46C0EB16314851FE0446AC2BF171D99FBCFBE2ADFBAE4A638" + "7B42FE41C5EE8E2AD1819D7F80BB1B4EC2DAFCD1D06C2C9750A" + "600EE6627F62089B2EE59EA461E0DCF47188D1A8DC80B029447" + "9C7EB03953C425D6EB3CAC6FFC34E484A35127B605CABFA5971" + "2141C4FA0840FB520A1D0A8DB4B298D24DE2A7246F28E036B51" + "1DB91794E35B75DAEBCB3B8833794B764F936200E7784348AE5" + "0B95363C027F3AF85762F3B8E6F31B7C2D8BD18814A723C0DE5" + "17F7B3937AF574A3FB5F52DE8A10A2055E8EB4281D383797DF4" + "B8D5DD5266C5D438A10DE4BAD00E4C0B252110CF368707AA2FE" + "785F518CC2F3DA5221634B52118348F231AAE0712DE096D70A4" + "3929")); + test_hash (&nettle_shake256, /* 222 octets */ + 
SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), + SHEX("69304677315720D586605521E24D32745DFAB082D2BC23A3165" + "C419831C19468A088D972AC672D7BAAB907005A0AE3910D4F06" + "F0BC5ADF6AAF9E1D8CD7CB85DD166D0FB9703CDC7D45DAFAC48" + "05612137D4720FB3FCE90D69864403E6C456FBD87677312ED7C" + "AD9A28F7A98753265294F4820FA50868CFEA157EBA50DC5763E" + "223238FB2032DBC6DC00C3710B6976F16034A9D851CD1BADDEC" + "6071CADF10C8F9FA123FC0EB81ECAF4C16B8D52A6C1FFE330D1" + "14D71CEADE28BB0422855AA1E7E838A93523315BD0F8384361A" + "58529A2264D66D65806659C49B7F80D95474A7965A0733D3DA4" + "FE317C5AE6180746BD8DC70589F97B15E0FEF29D34D6BE4416A" + "CB3F9EBA2F3E34F8E636A6B111DFD4ACEB2C9DE051B942EF021" + "C78E0671F771058C4B59D34991DD2EFC6943C6E0156CC0E3FEA" + "D10968F77BF4DA82B9FD3AB73B43E2890BC8AEB02D7178FAEB2" + "FE1A0A194B1581F6322D817AFF2DE7DAA96F4A725EBBD8C9FC9" + "C815D0A8E9FAC425F278F121084AD98AF9BB119235FFFDF1751" + "AB6A805FA80F43A5682C2FD5BF9241FCA866DE6B5EFD36E6923" + "13F51FA8DD64B52DC2FC33C56687417C942680676143A459068" + "401690DF9213E18604058E74011B111F1410531FBED32567AF7" + "A0319B5A4A717F580D16D9E9341E78F717E27258A84A2CDBBB9" + "CA118FD0F81568639F40176A1754C743B4B5E377DBB0175D160" + "B414")); + test_hash (&nettle_shake256, /* 223 octets */ + 
SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), + SHEX("B32E9585694532B1018B05B9DFDB23B8924025786F5733769B4" + "913B73B0FC35513D4C0FA1A1A5019DB5FC807ABADCD4589B4C5" + "658A854FC919105A5F08799F7CBA3B8DFE72DE84027B341CB19" + "46D6A4A907D6FFBC15B6A00805ABE25047476B99D53A6AABE9C" + "758B3BF4476DFEFEF2E366617A1407853B0D0278DF42FB7003B" + "B1610DA2AD52422A0ECCC74818EBB4DF264D0ADB9623B9EE0C5" + "371E9F0E73D7FD31A2B41F9DA8C9955310166FCAE6BE9AA75D3" + "F7C532F1502BEACFCD81A034B5D4A87647A5B9E2C49B7BF055A" + "0F4BC3F555FEF5147BB7B9BD75772878FDDCFFD58FF2B09A61D" + "6067C0F3498EFBB5FCB736813F798E213102E47A3DD61A6BF99" + "DB2834DB63BEFDA6E290EA953A8B96FA37650DF510082294891" + "C86892215850A34AF1EE0659694431DA636C9BDC854AB98FC79" + "6C28BD6272C9C5DF1D199CE9F55BB575786EBCD6851DAC97924" + "AAFB102491BF4B80351AFD26EF027C745F98607C19ACF96B66E" + "CFACD4C512BCC9A8E609DE5FFCDE0DF0E77760D8D44F1230133" + "6247F53CBED8894831765D12221C902127B65DD549E6C32124E" + "0CA555586FCA8043097B9AE3D9BCF899FA06EE5D0A17EC0A2E6" + "57E37CF5D4A55CF4C99E9F10691602412D27F9B8DB5C4C2644F" + "C822E11833B32168AC89F2D591748D12B527FD5EAB2291F2015" + "79A48AA9C370979DC2265B873AD65266E98FF668579B0F4274C" + "73F9")); + test_hash (&nettle_shake256, /* 224 octets */ + 
SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), + SHEX("E6BBDDC5B154ABAB888F4E00C2BFC18A200DB6DED8EBAD70ECE" + "03D10D123C52D4B5124CDFDE2D5A803B8BE98C646E29F64F2BD" + "D55492531B2741C6040FC51F7DF18106D9AAE62F1930BAB26FD" + "5167D516C4E4AFD3035D6AFDDD06DAA59B56BE3F188CBC11529" + "909F6CA0618C321349B1B918C1CEE491C8D7996F10B02E0A085" + "CE790648C586710D4916A528398FAC1E1FA71971EC85B203B83" + "721AA006D7026C2647CEC53296E80EE3FBB6B880BD296D6B9DF" + "FDF40C5537551EB0DDE86E85A72FD280888C08D67A9839EA618" + "49B47FB010540BAA15530495CC8BF941F82B4B3114F6AE055C8" + "52B0978ECAA67108AECEB12E78C339071CA058FA4A534558899" + "D71ED36C2164DE0C92612F07CF465F92C0A1987F7462AD303DE" + "358DC9C9929AC205F366FE564C0B32B1E4D65EF4E0B45B2AAEA" + "6A93C5626ED40C597B54A2074F255FC6C33F7DE535B5041F320" + "85274EBDE9D7ACE9B458E7E7CC47193428A8873560C561230B0" + "3A72D993100B73FDC24231A39C227B05630B328645349E0025E" + "F02002C34E6A7EF07AC5F7E299CFE0ECCCF01E1DFBDAC9BBC95" + "B09B2EA505D8E74C85B9BC8E939363F3F062260711C44C132E1" + "F3663123EC0B0A253DE7DB1DC2A08481571F64BAC3FCD9EAC73" + "7BDB42AA4D392DDF9547126191DDCB2F88A5705BEC9BE7C8D88" + "E9521EF7BF9753155F6F3A75ACD4C9C913785CBFF81761DA8DD" + "73B8")); + test_hash (&nettle_shake256, /* 225 octets */ + 
SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), + SHEX("F40B4A6A7D88482C5BA65D17038D68184E1AAD676D340300301" + "7A4348A7E3ABFE89804EF65D96EA5A467CAA938702071918452" + "8944AAD358960B66A0E78F2E4C19F244C82CB0D10BD1DF49CFB" + "89C24FBCE8AF1DC6B13DC61F40116ED3D1B51B80ACF08A7A9BA" + "DC6318DA75EB4CABBF4798923D639C2C3C24778660089384DE3" + "3F0EE7F957C78D4BF8D74EE1E3EA5E330C350584C319298166C" + "DAFFE0C7ACE6A50D1551B30FA386A0ED5C20DA31DC35FE2DDB7" + "FF030AEF1C0F2ECB0C1915554722DDD5A38DF758E321048FC46" + "43FDFAF54AE558F9B40EB38DBE516256E8D97701022B68E1F09" + "83A14D7DBEFB59DAC5073062DE8698BEB9C94DAE0A49FD51A66" + "1FA6AA84FE1088EB4E0F964953625A898B03993ECB248EFD5E6" + "6380667C2ED185FC568AE58E15B5A57ABFD84966094EE5C8528" + "4F3248C92E1300DB80CD6AE08662412D01503D598A1FCDB0EF8" + "CA773EADACE543B867BADE24EFB25518E59E27FC921D8DB6D3A" + "C286BD1ABA53D48983DF63D493F95B88610CBCF6DE2130AD63F" + "B9860A839C3F98F5532B90225D1ADAD79B478F5C9D836435A9C" + "9C0EBE229FA494B5F4253DA92C7382AB388C4F052911E9FF28C" + "C43415C8A82065433D8CDAB9152CC13191F1729EA95693B4BBE" + "BC3B03F298EF6B3739A0F34A545198FF5D2B4292AA8D6A04271" + "463DF95145C99EC769167761690C97361984A665B0D5C2169AD" + "DED2")); + test_hash (&nettle_shake256, /* 226 octets */ + 
SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), + SHEX("92951EAA72195331ACDD63572FE112E0DF4B43CA1B67BA5C918" + "4DA5667A8439E3AFD8784461010EB80178B07F278C0BD52582C" + "EF5B4D869D77E764342651ACE52F1F5DBB5316A36CBE2D6FA45" + "5403A8FF0480A5DF002396B8E444B9005A9A97D301529F5FAEF" + "77C0FC04C3B01C7C4907F197927904BC56DA2F850A0767E91C5" + "B77D8A41CAFCBDD5CC768E220E844786093CE425BCB3BF6CF3F" + "E9CCCBF6A5CB84D46AED8BEB079AC0F12F68836A71D8C9D738F" + "9BE5A8311299EEC2AE86AB774D0D8345C6FA7A341223A43DBB8" + "5AD5274806B23A3BBE312723BED548F4C64353EE2875A44A8A3" + "7153DAFBE98E96EFAA402E7A68BCA09EDA8A744C3BB8FCDAEDD" + "7EC54CA4066B69B4828AFE6285B6909BC2AE96CD62F3A523898" + "7279F206C2593FD2BF4D5A643484A5155FFF290253650387C7B" + "DC0B3FD749EB1A84F7A11790AFCDD3FC72FAE3BBB1C55596584" + "B7246E77D0712562AEAFF1C5316A698DB9AA3524DC4AF4AA461" + "9C5F9CBBE41AA1FF2A0BAD12F17ECF7C90E6FBC20EBF374D633" + "5EF245BF449E3EE5870651587727D35BBED64885A8D375E43CC" + "350E398C3D5DE83CE92354C08E16A6AC69AF10EFAEC2F0268CB" + "7F998CEB45DB988B193C8D35E89A387DE6C212A2D2D5A9FFEC3" + "D4DFF92D66992563C85E4E707730BDB669783357E5ED038ACEA" + "7D8214313FC027733D51B2D21F47666DAB6C6F3E50A335E83C7" + "2ABD")); + test_hash (&nettle_shake256, /* 227 octets */ + 
SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), + SHEX("9107BC54F9AE29BD282C37CF4BE15D2EDC4B5A20FCD8C131620" + "CEE6C9326AF25896BD25550CC3B46C19BB58D825A7156A4AAC0" + "AE72E38601AA6AAEDC4DDC578D145AE8A0AF4E630914B49FCD3" + "9C41924A19ED6E52EC150D1BDFBFE2717B9B46D6BE9BD637876" + "1F167C1133EE31981F9B681D674E267B3A01B0F455F9A0C86B7" + "E6BB3EDEDC2DD86C8EF6F6BF736BA9CFC4A20E602779F0CC626" + "E0F3513807C8BC71546DD1E0E5210A6ABDBDB284F90EAEBFAE9" + "70CEE9EB8C58A5F0F197FEB3292AA8EE814DF5D86D6B1F43AD7" + "87E82AB6D1C01CF44F3B32522609CC51967FA9D2417A8B91461" + "B41A5390BDAEE3763E152A2DB2E8B7842A73F1E05A05F7A7D19" + "FC88F576B049F87E85835EA4DBED141AC1321B47AEDBFD285B6" + "488B7613206E483559A8B0725D3091A04F10736EA1920FE2346" + "58AEC2A5FD0F85F50BED9EEA3E5513EE3B45F0CAEE09A1CA3DD" + "8E96EBB408EC6A31F07ACEC024097C20038A6DB8B5A10396C6F" + "3532D8B356BD664A9C3C153D2248F9D8587D21AD3ADB20D06C0" + "20F5AEA40E96C776202A17740F59BAC12195B49E19ABB87F693" + "BA0B1B414C4C83DD7474FB212F0F8015D0019D33250BB890079" + "278E027F0191B1A92FC40004050C4E88D1CD3469B656A2F6D1A" + "B9E49118B18701FA85A5B1497F1FD0D3C999567F99D05CD8F20" + "DBC05333F547598615FEE2452861AF0CDE27ACC4D763074DE84" + "0004")); + test_hash (&nettle_shake256, /* 228 octets */ + 
SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), + SHEX("02D21B8FEE4BB59B4D39D88DF91B675762640994D3A300BD725" + "9A3E97DED831112D27339FC4F59C7F17DABEED310EE901D829A" + "2193421C4D828DF1248A68F6AB928EE87AFD727DDC2766DE071" + "103B144040F9EF22592599A0FA6CEDC2FCD9A774BEF862D2D51" + "C8E2538D1DECE789A6756A1F9034C0949C3FF13190A141F3DD4" + "F015A89DE643D65E5EC4AB25300739892A81911E3C48D8A5823" + "9203C7E828E8867230E46BB8BEFD018E9ACE92061E2BAA09B0F" + "B8C0CFA7FD5024CC65826AA96BDDA6E21ECB7D0D77FE651CC25" + "EC260C1C41F4D0DFA82963A2EEEF0AC0C6123D9726A02396A06" + "12E8BA6CD4988C132E7CAB1B5097174B6BCA798C7B04E5F7175" + "A3A5BFAA9D23DFCF5E531557BE9BA6F4B5D806287BCDF1CB503" + "4FF94F709544E81D856CD8A1380774C5361710460D52CDFEAE9" + "AF4AF3E9DAF7E6B679A6B881A378A1254DE7105396DB2449737" + "3430C36D24BD49425E7613FAF651747217EFC4E24A761CB4694" + "A2AB3E0B43A8A4CDA5EBC9D7299B27EB600122C7EF54703E48F" + "51DB2A5A8F3EB59A2C174DF966AD728DF0BC2E94418775E0186" + "D3A527F86547980C8998B32F0365D9E430D33A92CF081A15258" + "92FCCF3D8FB4DB1E0A728A856F2E2CC8EC4A08FEFF53DB85C66" + "20CC8B57106097A96B668F97C3BDE8CFDC9600419B46EA24839" + "D27A574BF63147A97B2B48CEE1C6FDA32F3B945E36FC03EAB48" + "5B4B")); + test_hash (&nettle_shake256, /* 229 octets */ + 
SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), + SHEX("76919B60D28A57717EC190FC9990E32020E6436828D90D8A2F4" + "A7AD21F18A4F5F1CA753ADCB0AA010D40334D1E58B8BD165B01" + "51E631925055F4800DC01D466D11E88AE945545365B7F6072B3" + "6E11CB6F15DA6BA3B53E12473BEED09C5AA275CAD795E03838A" + "EBF74A6B1A3371344C1E3104CDE3C768026963DE2ACC8935F51" + "62D1D09C966B5FE2943CC723E8007559C0537126400F1A4C3D9" + "004DF88126A23F9051630DE9FCAC524BF4A109CCCF5CD7F7972" + "B64FCB5A8E5A78A85EE82FE553AB90754CD12EC77E2E3CC09AA" + "1F172963DA44D29FC7F95F0C7C1207BDC858FE8B9785EAB55B6" + "EE33612863FCFD1668A2FB13715F7910968708F22A9A88D97F8" + "4EF4212551D8FCB05992670AAFC9EF5CC34F0843246241C9EE0" + "11470131E0E6B56C9EF6A0E38423943BA502EC9D08C39F70797" + "BD85F6D9207684022CADC282EED833B43CE450445075013F1B3" + "270492AA6E412CCE8E9D9534C0A380B45CAD9328610EF3FACEA" + "7FF5199F1E4D0342163B16961B0F98E46E8615AE2CD74D92E2D" + "F30A3DF00BBBA2AE43A67F51EC52CDB37E00D979ACE6AF3AFA3" + "4A58B8CFC07DDC3C98FBE4A5E18539D03ACFA18152F4CD32CBD" + "84AC30A99C325EBD57EF2870F36C711900CC23539BE7C19DC94" + "F75457BDFF28B9B5DF876B5576CC37FB30B291DBF44904B36C3" + "D96747DCD92A1550CF9323F358D15471FDFD35C2F4C4B104CC9" + "1FBA")); + test_hash (&nettle_shake256, /* 230 octets */ + 
SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), + SHEX("72A343DF2C1854005653E1EC9C8F9492AF9EF7FACF46DF729AD" + "910FA3A8B830971D22D5E017ECD515C0E972197C87968FD05D5" + "9C570634A3864DFEA159229746A967A2847F0F4E3C48DBDB21E" + "BFA400E18BF289A2B146758EAEE64AA200287F7F55E57817ECE" + "0470C35531D35BE824AD7E825E7A1FCA07CE5325DE6E27D6C6B" + "F1602EC1069117E230ED9A0873D6538881992FDBCE93A4E1201" + "3A56F4D22F5846B4E04BD15E9AE9590C703EE7AE346B860D1B4" + "B181A963C1DCD36AD485AA484CE534138789C2874AB5888B70E" + "278E30534ACDF0D9798A44E1701D9447B5D6FD212344603A269" + "A9D2E0437304F5153FBEB7BB5A1E437B63014ED6F01D4F6135E" + "F189EE290E30C25DC2F63B7D8CF19E9D7959EB2F61703842E0C" + "89EA487441B9C17FA6800A63C411F1D3FF4C35F1E89BB820D60" + "B25CB1AD71E6583390E753934759A5467680405B1C9B6E391D6" + "DDC4510FF24496559FE2604C038A5DF6638FD7F7880E0847B88" + "0C1628F47BEF49689D0C31C4867BAF6FCA08FEA898056DCB171" + "6C95341ACA367BCD9BB372A93D2FCE947B5CAB707E744F15FBB" + "85230FE7F86A9EF7C36069CA79D781D1CC76193D423229E51CE" + "0612A2D61680D35CFD5AA482739442F94D205D72080BEC7A259" + "B23B8D9B4F76F2A75235CC3BBD6738FD870905FA21BFE1315B0" + "C678D7DB5F4DF36F5D43D04C11F3BCE3FB71B3B7AE410AD51CD" + "E033")); + test_hash (&nettle_shake256, /* 231 octets */ + 
SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), + SHEX("AD4DD99AA71DBDEABF22FC7C82BB839F910A22E4CEBF8317899" + "D0AF87279EBB321C442DFB9083C4676C16506C4006F18E8BF84" + "EA9024B1DEEE4ABE6F90DBE0EFFCEBF4CB7B94D8A8B107C5BC3" + "198277BEF87C9760AE2BEA86AC50C39A666AB09F276F2FA4C1E" + "B5B8C37ADC3B4C9DE4BDC28074FF4B997518B44FE49B0D4E4F8" + "3CFE9E12EF7389625766A54BEA82DB3FB57276F47C418BDD5F2" + "0C8146C792DCB8E42C7ABF09331F599318265776CBB19C65BAC" + "6DC4A683956C052AE5CEA02F1E4EA690F9E5D3BF3A06A726F0E" + "FB6DAB5350753FFA7ADC477E9AE454C5E18F9D64EDEF0157D1F" + "01FA78BF281468F14D79C39405D2B5B604C0EE116731C52C243" + "2488C45A3E56D3F999855631381B5EF3C99A0352C16B92812A4" + "889C1B8A72C84273A90ABF29C7EAD82F2E7C6DE67E7369DC02F" + "B0F1D62BB8D245030A6D26E930476171547F33B9C9DBCD542F0" + "4C97B0A278D24E2BFEEA0209FA83D634AFE65EC9E7A5550774E" + "DEDFFA36250DC5A400AE5FD6696F20E5FC6AFB15F54C7240A24" + "CF11BF16730B8E676F948304D3EABF315E95B723FFBDE6D931E" + "CF3BE6C69D8CC82F31D1F499BBAD8ADA9654630E7185BF6C1D8" + "82DD700F7F1B1ABBF384F58994D55C9E831ACA847B8F654B070" + "F424267685103BB339A4CD43DF94894E912B64ACB15AAC65FD4" + "96424FDF02BE7A96E161CB6A0034997DDC918F6FB604D6DD55B" + "4D92")); + test_hash (&nettle_shake256, /* 232 octets */ + 
SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), + SHEX("7623AEA16ED0AC8AF23A7911BE015D44F93F3329AD1C0023BB9" + "A6E486477D9CF5307B358527BF479FDAA473FE60CDCE59C33C4" + "D1DB930057438CACB4006D2E6C327B3FB033BE384FF07EB40A4" + "4AE4D39EA9794C29C9F3A91F679EF4690C41422B193929654D0" + "0D44D06FCE9B35E5FEEA5C20CC02FD104A74764F3BBFF273086" + "023AF4AFB3A29F9F9836C17C5A883BFA0FC4D8FCC9808FEBD82" + "DF88F7DFC3F715C8B07DB1F2B61403CB6F4F7B18F898FEF9741" + "E016CA0CB3A4B8F54F57DB2F2BB63289AA38A7A9FEBDE32089E" + "4B479D9CF184F7D1C418B648CFE7E6079F7DC1CC35F22E31E62" + "0704736B44FE1E3A677CAFF61FD956883E6F6CB278284A05BF2" + "B4CD9B832DE2058FAB356052C55B03D245BAAD53B8641444101" + "0767ABEA201E26F270649EA35B0479A66ADB9439C57A77E84B7" + "54A7E328E4AED0618742CD49AEF0AF116462F3A5B24343E141F" + "C51F6B9FF376A30989B17BF4CA9DC2ACEBD4F22D8EAB082E62F" + "FF99CFC55CA5E7C4B86613356F1CF05A9A3E8FD79123FB19627" + "A75810D3AF44213DFDA590245FB22B48E8EC5F58EE1D51BEEE4" + "D6BE0BDF7E8D18AEB37995D602E1EA1FC25D0D47D64D8A88B27" + "3FA8CC649C017A63F34C140A1D801F2558C8639FBEAACD1D961" + "893E111450B85ECA907CB3B66027587FE9B39D635D01C4C3695" + "89B9D8907D54A9B73FDE7FFCED9FD443B18892F29FDEFD7B3E7" + "17B5")); + test_hash (&nettle_shake256, /* 233 octets */ + 
SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), + SHEX("A2CD7AE2955E2C2CFDCC374AD99E46F29FCE072E2C085E0F022" + "81A4A85A822A2424546410466299CCA501BA5A86C12085320D2" + "D0116196CD31E67E175BFAB909E279846C8FA2CDA475B0C9D60" + "4942D6332F3ED46E81D3DCA880527DEBABE55BCAE22C98EC428" + "22BD1874561E7F8E8CC8092DC461577F2AE548580FAAB59AFDF" + "EBF359847DEE5271C2E972C12D13424A50A9B3DC3DE5FA6F5B1" + "90F3DC060481118A595A8859ECDAC8C57FB16FD4DB9802C7BF3" + "44A68A0A91CA8629DD0A8FBB26FBA0E21C4D953626F66C0B33D" + "30C2569D73BBEF7ED708212B2F66DDB9AEAC459A11C9862CB56" + "74885619D240BABE380BBF23564F6D946D03AA544E348943A48" + "8C0FD223B36DB5B0EFBBE5C4E1253C3FF6C058AA95A80925523" + "749BD228D89BF99F5CC681237FDCC8C872F652DAE6306A20D94" + "22818A8DE2FA68C5A334EFE828A20A48CBC49EB6D7ED779B00D" + "F50751446D0C850FF1F096FC50A03A8C407B8362CE03690D2D5" + "699C70313B4F2D39E18ABE998EE73DE38308DCBACA27B8F6CBB" + "3305B35C98B620A811C94AAE44B5DFA2F8664FB678FB1D73DDD" + "F9FC27CF693DB9D5CF3B46C185B72C33E3BD0F6FFC01108C8A6" + "5772ACFC13DEFAF21596F2C9B9512F369588F6F8767FF61436A" + "C67ECA3DE25D6C5A9746AFB3B3464A49F3A583740C432ED806B" + "FD16EAB27D59A12975D7D09F7ECCD67C2527333FA95509F7209" + "DFCC")); + test_hash (&nettle_shake256, /* 234 octets */ + 
SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), + SHEX("A74B8704CCA1F4234742A5C8AD6B138E58D56281C98D95F76BF" + "C0A0AE309D3DC227543F9AEE711C85021B89F259D002188F4E7" + "53DDDC4340DCA27B84445AFA007A1E502A1903A857583796BB1" + "24DDFD64B5C91B69CD9B230F27DFA5D22A09B07FCA1D860DCF3" + "16C22E57DA3589FB0F07ECF671DCB150913CE8606DA9CE39A58" + "57B8382853056A5930F25E3647015B77B2DF4954314F1F8B1C7" + "74DE0BCD1842CAD3BFCAF5DAE8AB9D77290DDD2112AB060F5B0" + "17630C318A1A3DF5C15E6F8AA348EE3F3C171C4E8B98CB4A295" + "6FA240EB289561E7CA30EEAA9CF79683DB7A2B0F28B3B1BF30B" + "D5A62C96ECC8BD74D1F2D131295597C668838A8D3B20CE1A4EE" + "4D1103DE547AC21F6442DF2CA10181319C76AE5827FD60EABA7" + "C788CB369591E429B5DBBCD95049BFEE2A5829FFA0417772DB1" + "BBFAC2EAF112B9712A02C1ECE830E17B22696AA6688E08BC705" + "EA7F7010684D7006BC0A017BBAAB1D6119B1B589B326F1936C8" + "2C470245298F2167D884398ED408814323D369BD1126031DFEB" + "56A160F90359054400DB3B3D267D42FFDA5BB710643721871DD" + "4DE52446004AF00BA55706C93BEAF01F8D77664AF27AAD65C6D" + "61FAE24E65FEB4310AFE6CA5322EE4DD2A55CA5FD7E651AC8D3" + "118C0FDDAE4B2E42862AACCD8CD2134340DDD760BC7918A461B" + "16ECABB601861B58EDEE6E78AC3FF75055997ABA8C0C57878AB" + "A5A7")); + test_hash (&nettle_shake256, /* 235 octets */ + 
SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), + SHEX("4E12A03995768C80408869A5C45B174783EA2FB5E4C153A2C01" + "4A3FB8AB968D74C9B835D9C4C5FC304B5E68CF9AA72C2ADFC2D" + "E961CC9A90E1D515A3234BB79DA1D5FA330C03DEFF46D304F0F" + "0378324BE4FEC285758B2DE3788E71EDCD05754366C71B783A2" + "6D105A48BBF51C4F4E769BDD19CA477D80FA55695A04B06A097" + "0B98BE48EF1E861F17B9540E63F54B6156FC2996B2D2CA69326" + "E0CB7A4A5761B39FE089017322BF23B7B5DDBA1490541843BF7" + "03508F5512117370253248F23F30DCCF27061B8F81C1090CC8E" + "D866263FB50AD6F3A027EFBDAAD7760EAFCEC0928BA40173A50" + "C61596B75AA4D72986A8BACBA61DADDA139374D17843735136C" + "8DC0E14C2EBCBC9EB110A682CB77A72E790C68E11848431441F" + "F70CBBC513A9D389D349A63AAD6A948A42DD798F1A576DF57ED" + "0613FFF5F569CE5D24061A386B2A5B4B1FDE6E3359CE4125241" + "628B9A882CCFD34F266BD8B7806392D52DC8CCED80C52ECB632" + "1CF3B3C911D206809FAF8FDA3F918F93FF507089CA4BD647AD4" + "B5498F0FFCC7563FE5DB7BCD613B84EDF4A95A4F8D29E3ABE0C" + "39C8A76B6FB5DB51DB09A21A48D3E2C0786B6A13351715F8DCA" + "25EF288C46631B25D55A7473E5059D6A16661F948D8A7C1B4D7" + "A21B531F915FC5A18305B6FDAADBC1F201C9A09DE221ADA6DE8" + "BAEDFA4614E578156137FBF43896CB61CE38EF386FB68D55311" + "C63C")); + test_hash (&nettle_shake256, /* 236 octets */ + 
SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), + SHEX("8BB1E121FC89EA0F3D79EA823D876EAA74B6CCFAB369E7E4783" + "CBCD3701875F1BE59B0F8B48C2587E7001B6E7ED1821E264906" + "9E84201583B2562E5945AF5CF734E2F0C6090DC8281969CC95C" + "861ECAEECB1CDA78E8FE119B60B05C54484BAC951B7784ED025" + "FB878E29215916C5886B85B24BB2521FEEBEC3B8766BA14FE47" + "EE0E81DAD68B238905377AFDBD55E41364A12181D46D2E272BB" + "F1FBF41A83C29ED88361435396614A23730D84684D3F5A622A2" + "33FF1AD5583FA707DB008E3EED5A9716219EBF3571FB1CE9842" + "D4A37B519767B7392F008193DE676F0CD192CD6D0CF651EE5F8" + "331B0982F150A7DCC264C1465177AB98CC590BCA81E981AD2E9" + "8E47D2D855C0A74895970A96994700A5D55CBBAEA2472C4160D" + "A0EF3AEDE987A99065948ADC558E7CB9A952495F70CEDE70CE0" + "E3DECCB798EB58941F38C4B13C28B2E5CA4FE3A7CF3C973EB33" + "91B705B9E9E7689E264F878396F438C393EB49E70D6A2BB0A6A" + "92F80FDC2C2F70AFBB2A1DF1EC4634BC0CFDC9D1239182DFCFF" + "D30096E11FC4A32BB44CF510A44D35EC3CBFC354E088E0B5393" + "2D0DE4DF83A963D902971392B74D95C475D26184559F6F9F5F9" + "1502A07011B9070F8E9BE5F5D1E599634E3BCED756A49AC7CB2" + "73396F7ACDFFB3BE1E441E8D8ED0588D0931353736DC1D9E889" + "650B503A4FDBF5DF7B5708D4218404306B0E11AA08067B7DBE6" + "3E8C")); + test_hash (&nettle_shake256, /* 237 octets */ + 
SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), + SHEX("1887576149594F7FCD27145B5F535219BBC4313E62E7ABB6393" + "D6015E8E45B48A211300F8303FB9BF370FE0A117D268624BB74" + "1E0BC343487015872E14F84B1EC1E2FAEB828F521ECE9E7E5EF" + "B281DFEF05D86BD8EB0B51CF4C46D94EE0AFC72DA29C3D77EAE" + "E07E24035A68792E8EAB1E0B96282E1D95B1B9D36B09D6A2E0E" + "DD37227B0D29F9E490F1D6156DFCE1554E69A49B7660D288CCB" + "6FAEF9A40F656A90A825A07C5EE0730926CEE14FF2694A3BD10" + "5D889C88A8CA1D271727DD0FCC0DDD1CA2EE955D02CF8CDA7F9" + "E3A00B4362C69AC631523345DABD396354AD862458736D1BEFC" + "4BC35EF4775F02F017BA2EB9FFF9229292432AB5603BA20342E" + "627D380824050FF61C23B5E789DF2E835FD56C65FEBD001EE69" + "60C782B627F90A7087EE24D32A85D0D780A8911945F3719C5CE" + "EB9C7024DCB112C0FCDD72237040C5E964CA57EE504849E3015" + "C200C44CA3A0EEC097BF718F6959C4D3E39455976F98DB5FD84" + "F01EACBC1B2B57B6483C9E3D58EF76E18F8FBFA341E6399A3D9" + "86834E315A2762D239DBB6D1EFBD60BA4EE974523D2EC7A9F0A" + "171484D3F09D59019FCBB6A480ABEBFC06A21DC5AF8FBF1B538" + "8278CF84311E56329A6FC3A9426517C3CC581C8C8EADA1C656E" + "568BF108F66287FB66A405EB307EDA530C18DB2CDEE78D8DE9D" + "CB8E93F195F54086F875935F7736C7C85EAAC106F00D28D6753" + "843C")); + test_hash (&nettle_shake256, /* 238 octets */ + 
SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), + SHEX("EA520B7CEA0750C8F1AE4D7E5C80E95140D5A980D68F48807E0" + "408A0D17DD084575191EC17A8D5B3D7A458774C453124509AEE" + "866183DFCA7636D743B6B5798C4D62951D7DB5640D1F4467D87" + "03E08411270F3493241AEF38FB757F00F0EE6A66C732F138294" + "076DE25F0811E8E1BAF602E9F38CF92E96ACF630EBECCD62C28" + "37DC0F361C014698B3CCF586D372BB0591AAFE68D138E1FBF05" + "D205A6124B0AE5F483BBB429EB1BD517C799FBD2B9A154FDB7F" + "687DD320106793D95D2ACECFCB4811C627B3287490116C5F5A3" + "082B0C2BB3B703FB2BD92B65E1CC07C61E1AD67C0F5B45C33C9" + "81E56CEBD6C12D00D9D33C5DAC18A41C1025AD24798DE28518E" + "5FAA6CECA295CD13254367F04CAC72FE0A0FE87214103FBDCD9" + "AF3FDE362D6B7C0997B86CDDAB824210D1896DEB7C75A3EB92B" + "E415F450CD62CAA1FE4D7A9DA2E8B57F2C31999F81CA8A22936" + "684133DDDE9FBEC522C92B928191220E75F8FD20C29A1DA6624" + "55FE7B94A2292006052B354DB4F03375ACB65044C2FDAEB977C" + "A8E81318D2EA95C3981CE76DD9292678BC5F05351D2B4A4A410" + "DEC6790DCFA90AB7D9F8D7FE71B1A1E22BFC3EF06F21C7C99F0" + "1E11060ABD9122DD3FFA6F0C2B402D15C6D4E8F8524A5AE6F12" + "48B6878170F8B4A7D95C85B04587066E340156D80B20E708F54" + "70801F4A5F46A74DEE3332FB0ADF0472CCD592B2462EAE969AC" + "5140")); + test_hash (&nettle_shake256, /* 239 octets */ + 
SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), + SHEX("AA38A2AA24D83C0055C05A4D8E5FD6E538DDECDDBC6876D8169" + "00F4329A5E6D00A25B14CA626F3C9185590A151E438CEC7164B" + "D7135BF60AFB78AA0C4148FEBB606C50A0449360952C1BD6C46" + "54804102521315E457AFDFA185565D96B6B230A4B36E0DBF215" + "B19FB9B0BB3CFD6A8CC2E4ABD6A1A50D978EBB5D351F7A65D39" + "855E9AE57D7343E8FF7EB6FE7974791EDF14861F30A428CFA9F" + "A08E3EC4C4F1C6C5CF29A06D777459AECC379BF17E89A54B753" + "FCBF3846835CEE9FA834CB294AE3699893ADC7DE63D96F1F7CB" + "60739E7D672A9D70078F9903F6617EAD83EC5847424EBDB89B9" + "A07762887F3A4CE8B7A839F0FFDEE21822DDF92A73E85F112D2" + "A6E023C620056E97E3435CCC172E768A195BA50F0238AD3A474" + "FDDAD6ECD5B90262170DD026826F69CC2ACE1D7D9AABA9F14C7" + "3C6F114ED5E5F75679679B7A2ECC81432BCBA993C4E1CAAD6DB" + "7D9908B56E1404EE5080641A4D261D488457A1DA7D5E1F09BFE" + "9DB23E3CD4BE23B8FA84C93011958D57588A06D8DF433428AA1" + "3CEFD6EC348A52E0076564F0DC849058A601137835F90478B41" + "BD58D24ED9B5E4EE5940A0963BB4FD7A2F5817BE1903AB7D960" + "F58EF88A310675AC0452AC6D1EE0CD65E2114865C4ADF78B983" + "EB7E894F28A716ABBC766A1BAB1858641C8CBA3A18BA55584A1" + "FDC2F80A61C36A9A56CD0289257CA0402ED99BC680AADCB2928" + "7119")); + test_hash (&nettle_shake256, /* 240 octets */ + 
SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), + SHEX("42DB17A940111F1A93B0D583F6173991252286BC5098E136D27" + "196697AE45B878767E17AA8E826DCDE186CD76F2024E6772A0D" + "EC4C4A8DB71959D75CFEF0F20CBCCD85F15AB5960C0CCDA5F14" + "BA0F02958752A0494D4B50E2CC67C554196BFC061F651440C68" + "12CF5319639F93DF1FE51D1511DF6A3A6AA6538F46EA2D00A3A" + "0F64B25CC9EE8AD05E321649987C36387E2D31DA77EDC1AFA96" + "32D77EE2D4ED54992BD51490A34DD743DCEC567DE957D55505D" + "1D8DD43BE3309F25AE61275203BD9743F3027B9F34B34DB7504" + "C2D7FD1AA99B936E7284F9E252DF2E3359D868C0C83AB140E14" + "C01B4B650D99AC6DC54AB35DD825116EA96C5FE88822B2D7182" + "FBE9B3F3CFBEDEE129EF0814C171A207FC9793E1EB72EDCD605" + "C3E3B1534106093AA550BC8CFF8DE3C5D7152F18C87E161DA0F" + "C90594161F03B0FF9F9EDD41F360DB7347B067D8FE1E901D78A" + "77F1EC44E33ED7AADD463C7D676E50B03A92B5417628CF986D5" + "F93197333BFEB5D7B6A7C7863707B7EC032E3F5C62CA6A02938" + "313140E62479842F4CF68A54A14AE0AB35538025920F3170391" + "69636F35F02A8E05C344E15492EA02164C62392B0795D4889F7" + "AB68AC969B3B096C21CFE179833BA5FB857751C4713FC928B46" + "23DB593C9458AA36BA3B3693E07C3C5C84470F77E5CBDFD9770" + "877A0999DCF8FF1AE27F51B65AAEF9754E8A71739AC00BE0F94" + "58E0")); + test_hash (&nettle_shake256, /* 241 octets */ + 
SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), + SHEX("82F8C16B8487E008284598FED9C5670C86FE35C8DEA51AC59D3" + "8722829C94094BB2766AA4CDA3139A15DD2AC0309253EC1A15B" + "2969F84899637D3E2A5D55ED1E87561A546A2A7C190008BCF3B" + "EC233EBD1DD55242D7FAC3A522C6016E62670F66EDB6290AFE8" + "01630E2BCCABB450E4D44A9BD8F63D4B04E9F280A2A0972AB22" + "9351906F5F32DE714867E8F04D276488F2AA5E62DB8B6342874" + "04A73723ABB7E152107A6DA60F0C7EFAA953DB706398A09835E" + "5EDD99393DB5A162FE3E564298395FCDAAE8FA7E7A9081B8E14" + "FA0E99E433E0D44326DC2E9E33378EA719EF780D303589F0A63" + "841B5D5D74EC6E2BB073B55287A6419BC6AF759D13F8C8875C3" + "72C12D392D7F80608412EB9A92A786048BF9A6F03D11C48F48B" + "96FBE8BBA329268242A5463C49B112AD71B8EC42A9A7F272F25" + "819509E5C7A10D9C9F1A386E034BE2A89AE28917CF014156211" + "C795D9D6EFB267D8F2BC48B5AA767CF8269A6E349701E77EF69" + "F03FBB56C8E2A0C90905F1FDA649B75D716C67894E932C63B13" + "911C80339A1DF4B7AE2035C7572BBB599E66E7CD9CF447F4F1F" + "1DEB63F64508EBE19485DB3EB98607F3C87DEA60FAA331310FB" + "4BA5730CE4024E07B4B134286472BC7B6C816C3F680618941F9" + "6539B81DF82CD15EDD426206F363A9E487C9FADBBB9DB90DA8F" + "2D73E940C515A7B4FFA07443D35CAA0C89EE9E511D66C2C8FE2" + "F0FF")); + test_hash (&nettle_shake256, /* 242 octets */ + 
SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), + SHEX("706CA15167517D46C47844D044D0FC94CAC5D23B90BDB64CE0A" + "2DF052AB37C967E57A476FA23C4D3C160C47371CBADC07A48D6" + "A7C0E0B8CE8B337CAC62E74E10B68C6FBB109B03547CE998780" + "B605429D6E3061334C702B218C1D6686E3E8C7FCC2C4DEC034B" + "9FE68572B45E58DE9661216D6A232D13A0EDDDA45892A4ABAB6" + "66CB528694DE50A50D1368BE99D257BC8C245429FE55000D3C9" + "CC861FE9228E6EBFB7DDC53148B530E2FFE153B8F40007ED321" + "B4464C0BD5DE00C9791073B199AD57F6C242F7CB772FF05A06D" + "010D156AD35DD0ED74C9593855576B1C7A4360770AA88BBF56B" + "65395B163471E4057D27B59B554EECCD9AB8F24F457E400150C" + "5F83B55D703620D68ECD7A01A9B3FEC468B75C0F8BBBB083883" + "18D50D38BECDCD30F8644A2EBD11FD8E1D103AF5F9B64D92BEC" + "64FDDEFFC73D9932871CCD1DC62515F0EFA438393109C638F5C" + "11405FD923D784B217F3417BEC855A7CA290253CDD902802EBF" + "400015CC2AF646AEF63684ABB39BB98AA598AB767AC4DF96CDF" + "631D0500BC61DC822F2C54D761F0C926E023310AC11F3748E8A" + "75564FBDB7039CDD3A42B601339BE64BBDA4B3F70899700FBDA" + "55D1337F5E33F5B00DF97E6CA218D212EB771ECFE27B265A8EE" + "8AC9D9F34BAF279C49B318EBFBA497CE77233CAC4A9146EF5DF" + "7B93672A553A3EC46DAFE8B7F93F233161FB91F5BCA89DB4D5F" + "2C42")); + test_hash (&nettle_shake256, /* 243 octets */ + 
SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), + SHEX("A90A149C4B7BA649888F90721E9FF91CC3589E2094B07909959" + "C9A15FF010C610824F7A49AD3CA2864089E93AD7075C1966033" + "AB55E9263871DDD56943D568FE0867221034994B74A3F855544" + "E77E313A29EFBA367F309243DB8A3027EB4DA5371439CF39C21" + "EB57823E1E6C73C0707356B68828AAC6C8FD05F222F4C58B33C" + "EA1AA6344DC33FA88D9A5BECC263B7CBF00045378910814C77C" + "2224E56D913D2CBDC48EA6700DE0E0306B499A3888F53527406" + "9E7ED493C12D46D23B7344CDC11B3433E39ED9CFAEA6787704F" + "FD63BEE0072BA60F526FB52DADDB41EC7E8216AC2A79BBE27E3" + "15A2E2824E1DD0BC2943F92393550AA6DC75F1C9755E5D8F811" + "CEDBC2139805D5599C1E1F6D4F56AAD38E91FFB529A4820F260" + "D752A93D7BE57BC2F75234FA615AC72AFEC7619E0F26071D8A3" + "C90F1FB486497D5AF0EE45FD9D0B4AA0E07201B9E5F277E73D4" + "8EDFBF75DF8C3F1A635A733591615C392CE37738851D2AE847C" + "6EB9AB5D91DCDA7E953041CC6CF02F0E6604E8AE5756DE52864" + "5FEAA0E8F1C5F6F0C53ABB72F84D0397A39A7FA3C7E8BC72B23" + "7E0D8B81C91ED18E09273CA20B763D34B779BB79D95C3749AAA" + "703DE53FD7FCFB361E2D3E13068FA076021C1373CE99DDA0DDF" + "931D2BEDD095A3F95E41A0B09C56D01253F29558348D6F84190" + "8984E3096A7A0DA6DE77A5DB124AA442EDC394126C2F67B1B4A" + "0DEE")); + test_hash (&nettle_shake256, /* 244 octets */ + 
SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), + SHEX("FCD5FEF0DE750C6BE7615BCB850676E9E83299C522BDC14FBAC" + "162F927B0AA4EA6DD76E43B1500C72BE0D569566B57054B9340" + "216904D518ECDB25EF39A62891290A1034F262A5E2C0FB37333" + "BBD24323730CFD40FC161EDC37EEB7C69769D3AB1F1454560CA" + "78FB96CF133689EF8E75F57C2442E2CBAE4F5C648666BFC7FA5" + "DA87E7C0DD4816292DFD56B2BCB383B3FF971185B724430F959" + "6F3509C767E159873614B1D4EC45FA8586EC2321B791560785E" + "5E3CE13AD5E8E1550A3290175ACF2D78CDD17C0EA205ED7C139" + "6BF9DC0844168BA3A66B4CB01C22629C80577DE68D72EDB44B4" + "19B13A2DB6D67877D9CC0A0201C14DAD69F25C88C3418AC45EA" + "0D7ADA58A02BB7DD0C276DFAB29164E1844BAD901ACB6374AB7" + "5E21BFE2F3591B2C8F111A4606C8C52D85B4C073FDBBF25FC81" + "758214CA172FBFE1C6B14476532F35F981C312739CE435F7AD3" + "D0785DCD648E2A5391B64525A8785F3E06446C6BC1E09BFA19C" + "7CE52651BFE1A2E355CD7C1C9CED6540D33194A2212B2A8768E" + "7347042B560F68B4E22E42ED8F51C38375F9FA45C133A90D4F6" + "F17CD5BF19DC9E1035DF78F7E0077411BFD0FDA23E6759388AF" + "C45485BF271C8FDB316A32B898C3D6DCC0738B3AA043ACD1848" + "FB7C6FE86A844FC764953D392569520E78FA11BCD6B0AF3BE8E" + "7BCB0006F56881889CDDE27870FE7C9E703F57B6CBE0D6372F2" + "322B")); + test_hash (&nettle_shake256, /* 245 octets */ + 
SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), + SHEX("D4C1F39098D123B0DD88504FF6AB424E31F5D3726EFBF86500C" + "E730BAE87EC671C97F768F9593C8411B57E306B0CB394F33B86" + "6493BBFC3F089FA4E875858FBCE814DEBB905FA7249F7DBE737" + "F5F6725CF76D2A50B319D96BFCD55E03A6E923B01003E6D5976" + "A66AA5250C337C9C4C402B9733C8F626789FB23FF1043494A73" + "960297CA9110D23DEF1D72B601F6C42CF83938003B3A386CDDE" + "D4A70B24975C958597894FD6E2C412CDC6E32EA7F398242F84D" + "4F4BD469DEE9AD10B717EBAA26F2481224F47135219231279C3" + "6867751A476AF60AC4AF8F151F301CACF5D7890D62A135B4414" + "9CC7405208212B7547EC0617ABF96A7741EB2E08D18AAA17357" + "B4F2DDAB92257E893CFCB91BDD73DFF3F8E6C28FDF38DC89094" + "C719E69508AF7ABEE4D1403E0F139348632A45708AAB27D4403" + "F5D5B85A81AC72EDE9E2448F1FB87571CCA3631BDA9F9D0DC06" + "0000B03450FBC7D98AF74F0B0A8A1BBDEED01C4C8300B05E05C" + "F7AF7824B246666EB53119FCFAAD3C7AAEEFE0274A55ABC01AB" + "F0A38189E46CD3CE56F0A4DB8E9B498EEC68E03DB7FDC917723" + "0DFC72F45A41A7064F42F3C527A5E5473B2F68D1C8BA960BD3B" + "458BE2BEF2C3623B38A66266EACEA3CC93C09F4CF566327E78E" + "C39CE5541E48142FEF380AF5161ED9C63724FA16384F574B1D1" + "CBC3F1C852028CB9A8D1F411D6AC119E11E6202E566B49341D4" + "0D19")); + test_hash (&nettle_shake256, /* 246 octets */ + 
SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), + SHEX("D6FC1E61D2BC27CA5DD5ACD290C2831070E66C38F03D2DC9118" + "4AA9EAEAF03A28E009A1AE1C775F4274B3AE6B5491C9B0C838C" + "F90D185FE94C49EF46ABABA62D6ED1F550D83466EFC6B97789C" + "A36AD1A6A3E6703A5DA9764E47F29C8096E3D317FC7AFF0B79B" + "1C278610AFE3F5E7FA7FD52FD36CC9E7000DA809346281EEBA1" + "EE9BB06AAD61F3E02CF4A5BB7B211E2437ED21437FAE78378F2" + "8B14184B7DE7E80E845837A483C0C6DF8E233687F71F0F9745D" + "585411F103356A0C474F9238403E40960F63A3418199325EA6E" + "8EADA31C94F78CFF1B83A2EFA4E49045E0CE34A5C6102539932" + "8CD7F79A1E4CC792D8AE9F1AA954235B515158BE5F4064B889C" + "14A3A83AB59CF26945DBBF70F3A5F3BDBE8674546D6DF384C40" + "D56B286D309A114871BC18E144D2334C88C32F141F6DFA70859" + "A9FF7D4996BD3FABA0299794E861DB8BE8A324822C4B1DFBFA7" + "0F8D9149C3DC01E0E556DC744C98FC2F92C8600C856BD174759" + "AF467D6618C4347366CE04D06A0EE4FEB9A27B79BED01BEB7DE" + "E41859C1306939D55B0E319DD2E0E001F6174361CB804CD3AC3" + "332B8D8A1D8204D5255F81FAA0BDC29AE71693586C987E35C81" + "E314A3848B03CF7B37EAEE2AD6ED4736E1F20A098DDAEC612AE" + "E17294313DA16453D7901CF80FC729962206AD4820B00E8EF0D" + "999857832256E5B784E8A89DFDDD38F6E15DE081A82E19A2A05" + "D417")); + test_hash (&nettle_shake256, /* 247 octets */ + 
SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), + SHEX("F61115AE2FD5442877D08E39A57DF8D4A5F117D57C2688617A8" + "DA64F9482F5A817E0D3DFE41A9CFF331F4D5E3240DA38E43B7B" + "87925FE378512CD83172FC3CC2396A8ACDBF5010CA576603581" + "BF7DF6D7529423709B30DB81620B9F660B5AA82EA6C98656DA2" + "7B4709DA85D364EC015C2EAAF2AADEDA2C040BADFAB16F7C2AE" + "39DA6A1691057301B7C3252884CD9EE079E68857D6D3B7F4F85" + "556140DB03421F09E98B80A8422500A349B5C0D8FFB25433A41" + "21B7682F8517500930E5F2766C687846553C9F76DE38A0EE41F" + "76D3A22696B95774BD5EB747F6445D8044147EE38B127892F4B" + "0B1932470B454F8F1BB697A2F6659AB13F3E2003C97D292A787" + "8E12CE47AA9619FCFE2135D8890710B2733DF40FC75DAD57B99" + "042E4F54AEA9332ED52CAB8FFDE5195EDA05368B09E9FD55731" + "DA20012A7D255AAA33D74E22917E58BD546EE90947A16044B14" + "DFFFAB05916C382D1F038B63D2F20DC09C117C8724A4DB3970B" + "7CB143B1522D010881FE6663410DB3400DB33B62A6E70DFD48C" + "2FE773054E1494944B60FC5D3BC803027C4B12E6A230FE41CA4" + "D072F3628D20782CD7DE4E98A29DF083FEF503E46EEFA787F8B" + "0E9B1E7C884B9122977532BD71FB63120C1069156516D265FE3" + "559B18965E968B9BBD653484866847E76262D0CCBEE8FB0314A" + "8C40B8C35725337CA4A241592E47D5B8981D3212C62AE7E25F2" + "7495")); + test_hash (&nettle_shake256, /* 248 octets */ + 
SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), + SHEX("3BBF30FAF9241C9E3E27EC2C17AB24AA3673799371528CB98A6" + "D9B91E553553680505D7CD6590377AB54E5DC7D7C72035300AF" + "651AB0EA52ABA9FE1D490EE5C95B146138F61F957C5CEC8D463" + "3175C99A00590DDB987D2E032547D99C691B32C12D7392742A5" + "AE47D03B5A08A544548BBEC45B9580DE1CECB7B9F06A88614DA" + "A116D7200DC8E81EF3C7C5A716044133D2A66FFBFA35E1668FE" + "D9C1045DA77DF92564F60087D173F71B75F040BC6CC14923465" + "9C1213BEEF18C53CDEFEF2FF466A2F16823D7659E04AD61F6B2" + "3DDCA8BF35AF892BFB8A952DF4ED254FFAC52CF71F4C872EF15" + "EF11FAE9967FC8F1C218E7CABA5382936F4CBBDF7F41AA2A239" + "BCF36FE158B7D771BECF8981DDAAAC31F744D949396623CB3BB" + "754189FB5E78DD94171C1BD6AD3953DDA6D4DACD3B57D37B1B7" + "3FAB0D2CAA0B5B3F6A2C9F324F4B93C912991E50F8872BC2764" + "51969FF379AAEFC3C710DE16128136AE0D1268D106BBCE2AA4D" + "2DB0C5EDB171DFF104DF4F7D49FE017C82083DD1E9F7DEE489B" + "B38CE091C222C3A0898F17A0DA1D4B2830C7B7C3C372FDF2A4E" + "9CD7B468107513D6E3ADCC91F662218A7364A7340966A4D692C" + "F394443203DCE8B33503AEE6C1259BBCF36351AF93EF01764BE" + "4863759ED0ABCA9E59CA6004F2E5738AF7EFC7BE8F9A1E10655" + "1B77AEFBFF9DBE99ED5ABB12207CF38F7FB9BA77D776FA0DF3B" + "FAAC")); + test_hash (&nettle_shake256, /* 249 octets */ + 
SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), + SHEX("32FFBC063291BD2C957DCDC76632DD1BCE0DBFCAC549228D277" + "D81B6ABBA904D43330EF8081E164D8FCAF520E12B388C401682" + "95A63D365B57A7694D4C50812B99C86E036116A07F0164B7088" + "537688D4BAF1E0FCDC84C6DA8D92789466A606F1EE25CE7461F" + "A65DF04BDEBC24A3A4BAC3B02B469C8E85F53D9481DBE244DC6" + "7B8BCE84CC7175113D4D7B2413601E9140B7802D9FB712938E9" + "C5034CEEA753B7C77C08BC1C03D511ED0B4D5007BBAC38EE76B" + "675B73AEF8623CA9CCD579E28BAE7D695BE25FBDB673F3401A7" + "5D5A57D142034A7BEE554ED30CC7F03CBB363C10A54F818937A" + "E468F5845ADA4F9A2A1BF6887105879DA745AAE64D87F26F489" + "A622370405ADA3D3688697DB8F04557736C51725ACA02E4B76F" + "6A9E88DC6D52D5A63806BBA1BD687FAAC522D7B5B0A8D607328" + "3659056E784320822EAF70666180ADFDBA2675B4EAD6F6B2EF8" + "26E7598BBD8C1956A15C1864D249368900D82498297C3E77A19" + "EBE20A111D13FC03CA88D9332F919EA4AD15BE8E397ABA0A4E2" + "BA85F3FA5999EB553780F0D2F35D76A63B0106406FC3B455047" + "6572E1464C986870027849ADA0F164B48B839ECD3CA9AFEADEE" + "3F63AA6CA06C635990922995DB0BB99A4AC4B7F3AAC52069F31" + "30660AE0F074FBAA1D103A086B59AEE4DA3188CCA3227670FD4" + "3597ABFC1A2F6CFA67FA24EF0B20B4AADE9CE8E68CAB34111D1" + "0464")); + test_hash (&nettle_shake256, /* 250 octets */ + SHEX("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"), + SHEX("BA2B1CEC1BBB46EA19AF7A869FDC73CB3791708DEFDF530DC99" + "99E9510FCB02AEF571B3C5E7258D86DC80EDB53B71644110B9E" + "82C239FF17EF523840E6AF4D597D814D4E5EC2EA98E451C0531" + "8402D5BFF6E6E573565AB640E00BF6F8C3646B3F6656047C60E" + 
"D43393AF7F2D8DF8915A0F6F44D69FE193DD5617FE39BDA638E" + "4DDDA771B0E771318A53ADECBDBFF07D6CFEAA04A837034C6EA" + "0E70C8FC244304804E0E890F31F951007A2F897BF3F00221B63" + "EA3DD8D9D1DD3608596EF7817190D56D36EB99266F83B7F1A20" + "80F7A5405CDE86017948BF977C6CC78565B3EEC570B36FC0656" + "6909951F31CAD6094F296F759E858BF7AA9298B2F4F7F5C3167" + "C145EC126C40F6E5DCCD87C82489400FF8B9B79B19E47259661" + "8EED3FBC6FE5545BB3276ED710CA128A3C2FA9B831FA6FA3B12" + "6380C4BAED23D9186FAC830891F98C81D401A6513E139F6546F" + "065E8AF6E1A9595218A025D8292176F8ACC4ACAEE6308C08DB5" + "215FC0064D7279FF6165033E0946FB7C10BF5DEC2D26950B2AB" + "DF71AE2B5BAB856386A25117214D5830B7D5E250FDF200CC5EE" + "A0085648FA2AAB6EEC363DA41AFD82E14EDA957EA3AB7C65100" + "F4A8071ACA6F1891B5465B7C46CAA9612CCB0875369CEC4BCF9" + "D99BE35E03AE57C83FC80903AFE25ECF23D016CF6989EDA5B90" + "0EFCF59C529FD299CF155A1310B239CD364301F520D16C74E27" + "0D0D")); + test_hash (&nettle_shake256, /* 251 octets */ + SHEX("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"), + SHEX("481CF76E2ED1A1EB74050E9632A3BCE4913D2D516E251816A2D" + "55706314D6483B955B87B0A6EE013F248E2AB4517B800E23C8A" + "D85926C36EABAB1F2C36625D0492C7F001760E3715EBA80AA91" + "2F5E3E1A7918D1EDE2FA7FDCBBAE23FF75ADB2BD88527BCE6F0" + "2FEF73175487781F26C7C7DBFD04143B70D636217ABF7EF6936" + "4B8B7C493C64434DD1CCB523E5CBCC81211A64FEFA9F41FFDB3" + "8D9D8D5E0A9E51BE38DCCE5225652CAB5A0EF8D8EE7DD175B92" + "9ABA19480299176D7122CE1A763345A091AEB8C5DF8AB37CD4D" + "96C3230E8EA847C1D28986D3398DEA80F2C48C3B4406524BCD4" + "850DC02621B470AC7DF27372D95822795E8A2D81AACCD72F535" + "110FA01FDF0CABD7D848960603B80758406FFA78FB6C68DB4FD" + "F40C146318C2D296CD1A5BD7C1E11EA967B72792A3A7FBAC908" + "9588D3FB555F122F7AFB499AA3B3C43E07BD3D8F9FE980213C1" + "74D37DB9FBC8ECD318CC207689766A327614ED6B01BB0A5A2CF" + "04F5B54EDD97BE72E5F894328EE86A1C9D2FFB65C9FD0FEA4BA" + "865D0EA4F16DEF67CE1D6D42095C1C8488376A4326396FE3448" + "484754153B2D4A94C442BDE7CF67E8B9994E958D3CC17D5B0FD" + 
"7A4F203024EC29CEBF40B549F2936CC6C196AB83EC8C4585D28" + "E31D3ECF5BB59AB24B2CC6908E51A9BCD5BBCFA92C02E61B08C" + "A7E3AAAED73C450909C8B9BDB422CCAB0A86C5A5C3C10A634B1" + "7332")); + test_hash (&nettle_shake256, /* 252 octets */ + SHEX("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"), + SHEX("47929C7D0C4DB7F9EBAEF5EA93BBC7B255C8E249EDF893257C7" + "AEB996CC8EEAB1A6CA4520F4D4257144CD5A9A850A372BD00DC" + "CA339C4781479E976B7508688DC63783CA9EC7A9FB8196721C8" + "C24AFF5BF9385453E9B85A1F7FC75A029E09D45910DC24F1304" + "D1E51EC702E79DC731B6120596BF3DF30DC0F756834AC0BB94F" + "99243EAC8910015D10DC618252A77D8B900C4141CFF2461C408" + "C19B978D1B58E690815C0C07B901137A45F045ABBD85428ACF5" + "1410135EB27128EC6725062665D1E6A6B8EBAD3B81D36770B0C" + "D14303B9264D25DFEE14B27798E22B46A77ADF456FDAFEB6D59" + "7F7E3152AAD40E29AB7E7808A4E46F43E18856518CE6D716062" + "029024AFE0EF0A7F3783F755977F8B10EEC658AABC20B2EE0E8" + "D3ADE73E2A7E78E4CEC3C09ADA3089247C678238580891ADA46" + "0D60DA297A4EB7DDBA67D117E21E7461BCE7CFC7573352696B4" + "643D6D9C9EC97EB431F6159AC438479BC6547BA04552748171F" + "4AEAAA2EF0DD7ECCB4ABDB2E07AB536F0183516B1DCBF0E12FD" + "134F9AD85B854AFDCCE14C1C52D0BF1EE1E52A12FDD63632D9D" + "F1B78E7899B03527DA8597124AE3C8797E6832138508AB89069" + "BF692A9E5D102CA20807A4BD5033D7BF7C918998D3D52B240B8" + "449D12B402EE7F50B211F597F1BD39B69A4DFF9A0E6DBE347AC" + "1137B3631DD15F97217A5BFE2C6579BC3C44F8789DED23EFEC5" + "1A64")); + test_hash (&nettle_shake256, /* 253 octets */ + SHEX("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"), + SHEX("401A2897FCA682A6949D88F939ECF943140ECA42F90D86D2DC3" + "01EFEA2DBD4C03998D686DCEC124334F0C5BA7674F25CDBF36F" + "B9480E8DB2111BA4E78221D1855893A526F97535936AAC3D88D" + "8908786BF5A9334EEE1A4D9B346A95573993DB7C9C7A75CE692" + "DF5118963083B778865396501845E12E4DDDE82035B03A6C436" + "97CDB2B1C5C4EB24D0D484ACB105549290B9FCD5C8B4EE31D4E" + "B542A2C9637D8E34687B18AB2DCF92A826877F9F1766ECBC43E" + "3879E481C4B6AD994586F110818A20B6F93C8CED8C1FBC0B545" + 
"72714EF722E83046A93CE23D118E494969D5BD1A9E9C744C5A5" + "6D193D2BC7054A4A0BB22987AA2CA672E69C2B733C860F292C4" + "F218557B7B921C4367B611E1D7FE30CF454EEBF09990C5ACD7B" + "43A174A92E0B8D8180DFD409261274FF09F55013A7F58242D29" + "330426BD4D8EF8365E4DE86469C436FC0FDC3B858EEE3E29C2E" + "D6F650266A7B34D2A0E5ED438E60891DF92FE6B950D95BB99F9" + "0344FC5EF5B210692059E9F859A476A3AFF4BB478F5DDA80629" + "E236AFD3742E35F46046BDF1522590562C8337C39FD38B8F57C" + "EDD49198F8242D951330FC4D0BDF5413345BB7315EEB67E4B1D" + "561D185FADF23C0979B036D885391643D7514B3FABCD16382CC" + "C49E6B7C0707B90AC0F86176DCF9D7F1DCD270374D2AB8E1E9F" + "AFB7DEC0F952FBD4456C9E7FCDA80CF0A46CE98AF6E9B588A37" + "0741")); + test_hash (&nettle_shake256, /* 254 octets */ + SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), + SHEX("8E756B09EE1679DFB957AEBC5B55CCCA4414AEAD58229106040" + "A1A58F4768D241A0869A3A7D682DD937FB13352F635EC3D5783" + "8469BA6AB93A9DC86EF3598F53E044FEA98301971A2182A1725" + "C32BF5529FCE04665C9F2C1275D484543E038E964D855E1D919" + "83EA34F7D66E19E27B6F59B23E9690C291432793167A5E8A9B4" + "4AEB9ECBAA500E2616AC32AF6B6ACFB6C2B4A485BE4FE5072BD" + "1F0E08AE343BF0C5CB241111F894BFD4BE6A26DBC7ED352D717" + "44BD9A4D51F149AC4EA5AD323B063D93E56AE12B81D88EB0830" + "24D3D164C0FD7B4BCE8A800F69CB7C66594D7AB20818DC79F01" + "853FEE81B345210CDF2964C3A25A0934ECE6B13029B5FDC3B78" + "0CD85A46E54495328F0BAA63078B3948172443B57D8571A82C7" + "17A4D93A6FD9ADA3A1EFC41F3697600D02FCB555EEF1D5162B3" + "46D892EABC60251B048979F49E3855FD5A49520A60D099ED2F5" + 
"A5C8764875A4EA242407856B5DC393BA1E71FD04C53181572AD" + "90E0184934D7B65E0EA56A8521A284E6A5B98BC704AD92E658A" + "8B4C64CF67157AC0673159B9E2A9EA9D94C6FB3E5BD963DFCAA" + "D484CF06BE75E3F23A11287B82BC6618B6EDA760D29D1D8400C" + "41EC3B42A24EC1E070BCE0EEC7DC6C6F19E2A6BA7FAAB72DD81" + "F31814A18CE984C7AAE6D9CAAA800318418F56871C8CFD8778F" + "AA7DAD3426849E10B041D6190EB445410F5F5E476068579FEDC" + "5869")); + test_hash (&nettle_shake256, /* 255 octets */ + SHEX("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"), + SHEX("8A5199B4A7E133E264A86202720655894D48CFF344A928CF834" + "7F48379CEF347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA" + "03B9EDB02B9635470AB9F1038985D55F9CA774572DD006470EA" + "65145469609F9FA0831BF1FFD842DC24ACADE27BD9816E3B5BF" + "2876CB112232A0EB4475F1DFF9F5C713D9FFD4CCB89AE5607FE" + "35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B6096E2B3" + "FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F3" + "9F99B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB" + "5663727AAC34A401247FBAA7499E7D5EE5B69D31025E63D04C3" + "5C798BCA1262D5673A9CF0930B5AD89BD485599DC184528DA47" + "90F088EBD170B635D9581632D2FF90DB79665CED430089AF13C" + "9F21F6D443A818064F17AEC9E9C5457001FA8DC6AFBADBE3138" + "F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F189B5" + "34E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73" + "FB1775B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA" + "77114A16C15355B42877A1DB2A7DF0E155AE1D8670ABCEC3450" + "F4E2EEC9838F895423EF63D261138BAAF5D9F104CB5A957AEA0" + "6C0B9B8C78B0D441796DC0350DDEABB78A33B6F1F9E68EDE3D1" + "805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9096F2EDB2" + "21DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39" + "73D4")); +} diff -Nru nettle-3.4.1/testsuite/siv-test.c nettle-3.7.3/testsuite/siv-test.c --- nettle-3.4.1/testsuite/siv-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/siv-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,375 @@
+/* siv-test.c
+
+ Self-test and vectors for AES-SIV mode ciphers
+
+ Copyright (C) 2018 Nikos Mavrogiannopoulos
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+/* The
+ * test vectors have been collected from the following standards:
+ * RFC5297
+ */
+
+#include "testutils.h"
+#include "aes.h"
+#include "nettle-types.h"
+#include "siv-cmac.h"
+#include "knuth-lfib.h"
+
+/* AEAD ciphers */
+typedef void
+nettle_encrypt_message_func(void *ctx,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t clength, uint8_t *dst, const uint8_t *src);
+
+typedef int
+nettle_decrypt_message_func(void *ctx,
+ size_t nlength, const uint8_t *nonce,
+ size_t alength, const uint8_t *adata,
+ size_t mlength, uint8_t *dst, const uint8_t *src);
+
+static void
+test_compare_results(const char *name,
+ const struct tstring *adata,
+ /* Expected results. */
+ const struct tstring *e_clear,
+ const struct tstring *e_cipher,
+ /* Actual results. */
+ const void *clear,
+ const void *cipher)
+{
+ if (!MEMEQ(e_cipher->length, e_cipher->data, cipher))
+ {
+ fprintf(stderr, "%s: encryption failed\nAdata: ", name);
+ tstring_print_hex(adata);
+ fprintf(stderr, "\nInput: ");
+ tstring_print_hex(e_clear);
+ fprintf(stderr, "\nOutput: ");
+ print_hex(e_cipher->length, cipher);
+ fprintf(stderr, "\nExpected:");
+ tstring_print_hex(e_cipher);
+ fprintf(stderr, "\n");
+ FAIL();
+ }
+ if (!MEMEQ(e_clear->length, e_clear->data, clear))
+ {
+ fprintf(stderr, "%s decrypt failed:\nAdata:", name);
+ tstring_print_hex(adata);
+ fprintf(stderr, "\nInput: ");
+ tstring_print_hex(e_cipher);
+ fprintf(stderr, "\nOutput: ");
+ print_hex(e_clear->length, clear);
+ fprintf(stderr, "\nExpected:");
+ tstring_print_hex(e_clear);
+ fprintf(stderr, "\n");
+ FAIL();
+ }
+} /* test_compare_results */
+
+static void
+test_cipher_siv(const char *name,
+ nettle_set_key_func *siv_set_key,
+ nettle_encrypt_message_func *siv_encrypt,
+ nettle_decrypt_message_func *siv_decrypt,
+ size_t context_size, size_t key_size,
+ const struct tstring *key,
+ const struct tstring *nonce,
+ const struct tstring *authdata,
+ const struct tstring *cleartext,
+ const struct tstring *ciphertext)
+{
+ void *ctx = xalloc(context_size);
+ uint8_t *en_data;
+ uint8_t *de_data;
+ int ret;
+
+ ASSERT (key->length == key_size);
+ ASSERT (cleartext->length + SIV_DIGEST_SIZE == ciphertext->length);
+
+ de_data = xalloc(cleartext->length);
+ en_data = xalloc(ciphertext->length);
+
+ /* Ensure we get the same answers using the all-in-one API. */
+ memset(de_data, 0, cleartext->length);
+ memset(en_data, 0, ciphertext->length);
+
+ siv_set_key(ctx, key->data);
+ siv_encrypt(ctx, nonce->length, nonce->data,
+ authdata->length, authdata->data,
+ ciphertext->length, en_data, cleartext->data);
+
+ ret = siv_decrypt(ctx, nonce->length, nonce->data,
+ authdata->length, authdata->data,
+ cleartext->length, de_data, ciphertext->data);
+
+ if (ret != 1)
+ {
+ fprintf(stderr, "siv_decrypt_message failed to validate message\n");
+ FAIL();
+ }
+ test_compare_results(name, authdata,
+ cleartext, ciphertext, de_data, en_data);
+
+ /* Ensure that we can detect corrupted message or tag data. */
+ en_data[0] ^= 1;
+ ret = siv_decrypt(ctx, nonce->length, nonce->data,
+ authdata->length, authdata->data,
+ cleartext->length, de_data, en_data);
+ if (ret != 0)
+ {
+ fprintf(stderr, "siv_decrypt_message failed to detect corrupted message\n");
+ FAIL();
+ }
+
+ /* Ensure we can detect corrupted adata. */
+ if (authdata->length) {
+ en_data[0] ^= 1;
+ ret = siv_decrypt(ctx, nonce->length, nonce->data,
+ authdata->length-1, authdata->data,
+ cleartext->length, de_data, en_data);
+ if (ret != 0)
+ {
+ fprintf(stderr, "siv_decrypt_message failed to detect corrupted message\n");
+ FAIL();
+ }
+ }
+
+ free(ctx);
+ free(en_data);
+ free(de_data);
+}
+
+#define test_siv_aes128(name, key, nonce, authdata, cleartext, ciphertext) \
+ test_cipher_siv(name, (nettle_set_key_func*)siv_cmac_aes128_set_key, \
+ (nettle_encrypt_message_func*)siv_cmac_aes128_encrypt_message, \
+ (nettle_decrypt_message_func*)siv_cmac_aes128_decrypt_message, \
+ sizeof(struct siv_cmac_aes128_ctx), SIV_CMAC_AES128_KEY_SIZE, \
+ key, nonce, authdata, cleartext, ciphertext)
+
+#define test_siv_aes256(name, key, nonce, authdata, cleartext, ciphertext) \
+ test_cipher_siv(name, (nettle_set_key_func*)siv_cmac_aes256_set_key, \
+ (nettle_encrypt_message_func*)siv_cmac_aes256_encrypt_message, \
+ (nettle_decrypt_message_func*)siv_cmac_aes256_decrypt_message, \
+ sizeof(struct siv_cmac_aes256_ctx), SIV_CMAC_AES256_KEY_SIZE, \
+ key, nonce, authdata, cleartext, ciphertext)
+
+void
+test_main(void)
+{
+ /* The following tests were checked for interoperability against libaes_siv */
+
+ /*
+ * Example with small nonce, no AD and no plaintext
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
+ "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
+ SHEX("01"),
+ SHEX(""),
+ SHEX(""),
+ SHEX("c696f84f df92aba3 c31c23d5 f2087513"));
+ /*
+ * Example with small nonce, no AD and plaintext
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
+ "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
+ SHEX("02"),
+ SHEX(""),
+ SHEX("00112233 44556677 8899aabb ccddeeff"),
+ SHEX("5027b101 589747b8 865a9790 d3fd51d7"
+ "1f259d40 5bfa260b 9ba1d60a a287fd0b"));
+
+ /*
+ * Example with length < 16
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
+ "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
+ SHEX("02"),
+ SHEX("10111213 14151617 18191a1b 1c1d1e1f"
+ "20212223 24252627"),
+ SHEX("11223344 55667788 99aabbcc ddee"),
+ SHEX("7300cd9b 3f514a44 ed660db6 14157f59"
+ "f0382e23 ae0e6e62 27a03dd3 2619"));
+
+ /*
+ * Example with length > 16
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
+ "40414243 44454647 48494a4b 4c4d4e4f"),
+ SHEX("020304"),
+ SHEX("00112233 44556677 8899aabb ccddeeff"
+ "deaddada deaddada ffeeddcc bbaa9988"
+ "77665544 33221100"),
+ SHEX("74686973 20697320 736f6d65 20706c61"
+ "696e7465 78742074 6f20656e 63727970"
+ "74207573 696e6720 5349562d 414553"),
+ SHEX("f1dba33d e5b3369e 883f67b6 fc823cee"
+ "a4ffb87f dba97c89 44a62325 f133b4e0"
+ "1ca55276 e2261c1a 1d1d4248 d1da30ba"
+ "52b9c8d7 955d65c8 d2ce6eb7 e367d0"));
+
+ /*
+ * Example with single AAD, length > 16
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
+ "40414243 44454647 48494a4b 4c4d4e4f"),
+ SHEX("09f91102 9d74e35b d84156c5 635688c0"),
+ SHEX("00112233 44556677 8899aabb ccddeeff"
+ "deaddada deaddada ffeeddcc bbaa9988"
+ "77665544 33221100"),
+ SHEX("74686973 20697320 736f6d65 20706c61"
+ "696e7465 78742074 6f20656e 63727970"
+ "74207573 696e6720 5349562d 414553"),
+ SHEX("85825e22 e90cf2dd da2c548d c7c1b631"
+ "0dcdaca0 cebf9dc6 cb90583f 5bf1506e"
+ "02cd4883 2b00e4e5 98b2b22a 53e6199d"
+ "4df0c166 6a35a043 3b250dc1 34d776"));
+
+ /*
+ * Example with single AAD, length < 16
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
+ "40414243 44454647 48494a4b 4c4d4e4f"),
+ SHEX("09f91102 9d74e35b d84156c5 635688c0"),
+ SHEX("00112233 44556677 8899aabb ccddeeff"
+ "deaddada deaddada ffeeddcc bbaa9988"
+ "77665544 33221100"),
+ SHEX("11223344 55667788 99aabbcc ddee"),
+ SHEX("15f83882 14bdc94e 3ec4c7c3 69863746"
+ "cd72d317 4b20a1e4 a0894fb7 cd78"));
+
+ /* AES-SIV-CMAC-512 (AES-256) from dchest/siv repo
+ */
+ test_siv_aes256("SIV_CMAC_AES256",
+ SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
+ "6f6e6d6c 6b6a6968 67666564 63626160"
+ "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"
+ "00010203 04050607 08090a0b 0c0d0e0f"),
+ SHEX("02"),
+ SHEX("10111213 14151617 18191a1b 1c1d1e1f"
+ "20212223 24252627"),
+ SHEX("11223344 55667788 99aabbcc ddee"),
+ SHEX("6f740b42 1e2972d8 5e76189e 99842843"
+ "ad9e6ff1 4ea97c32 ab315e67 464c"));
+
+
+ /* AES-SIV-CMAC-512 (AES-256)
+ */
+ test_siv_aes256("SIV_CMAC_AES256",
+ SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d"
+ "2d568e91 a38e5414 8abdc0b6 e86caf87"
+ "695c0a8a df4c5f8e b2c6c8b1 36529864"
+ "f3b84b3a e8e3676c e760c461 f3a13e83"),
+ SHEX("02"),
+ SHEX("10111213 14151617 18191a1b 1c1d1e1f"
+ "20212223 24252627"),
+ SHEX("11223344 55667788 99aabbcc ddee"),
+ SHEX("c3366ef8 92911eac 3d17f29a 37d4ebad"
+ "ddc1219e bbde06d1 ee893e55 a39f"));
+
+ /*
+ * Example with length > 16
+ */
+ test_siv_aes256("SIV_CMAC_AES256",
+ SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d"
+ "2d568e91 a38e5414 8abdc0b6 e86caf87"
+ "695c0a8a df4c5f8e b2c6c8b1 36529864"
+ "f3b84b3a e8e3676c e760c461 f3a13e83"),
+ SHEX("02"),
+ SHEX("00112233 44556677 8899aabb ccddeeff"
+ "deaddada deaddada ffeeddcc bbaa9988"
+ "77665544 33221100"),
+ SHEX("74686973 20697320 736f6d65 20706c61"
+ "696e7465 78742074 6f20656e 63727970"
+ "74207573 696e6720 5349562d 414553"),
+ SHEX("bbe4751a 549d2fce 410c2efd e0df4d13"
+ "1a6eac0d 030028f8 dc16b6c4 3a557d4e"
+ "3e846ad7 52c5a030 c75a85ff 8b07ff10"
+ "71b133f5 edac3c60 8bb6eb13 dd1fd9"));
+
+ /*
+ * Example with single AAD, length > 16
+ */
+ test_siv_aes256("SIV_CMAC_AES256",
+ SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d"
+ "2d568e91 a38e5414 8abdc0b6 e86caf87"
+ "695c0a8a df4c5f8e b2c6c8b1 36529864"
+ "f3b84b3a e8e3676c e760c461 f3a13e83"),
+ SHEX("09f91102 9d74e35b d84156c5 635688c0"),
+ SHEX("00112233 44556677 8899aabb ccddeeff"
+ "deaddada deaddada ffeeddcc bbaa9988"
+ "77665544 33221100"),
+ SHEX("74686973 20697320 736f6d65 20706c61"
+ "696e7465 78742074 6f20656e 63727970"
+ "74207573 696e6720 5349562d 414553"),
+ SHEX("5a979b0d a58fde80 51621ae6 bf96feda"
+ "50933da8 047bc306 fabaf0c3 d9fa8471"
+ "c70a7def 39a2f91d 68a2021c 99ac7e2a"
+ "24535a13 4ba23ec1 5787cebe 5c53cc"));
+
+ /* The following tests were checked for interoperability against miscreant.js */
+
+ /*
+ * Example from miscreant.js with no AD
+ * https://github.com/miscreant/miscreant.js/blob/master/vectors/aes_siv_aead.tjson
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0"
+ "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"),
+ SHEX("10111213 1415161718191a1b1 c1d1e1f2"
+ "02122232 4252627"),
+ SHEX(""),
+ SHEX("11223344 55667788 99aabbcc ddee"),
+ SHEX("4b3d0f15 ae9ffa9e 65b94942 1582ef70"
+ "e410910d 6446c775 9ebff9b5 385a"));
+
+ /*
+ * Example from miscreant.js with AD
+ */
+ test_siv_aes128("SIV_CMAC_AES128",
+ SHEX("7f7e7d7c 7b7a7978 77767574 73727170"
+ "40414243 44454647 48494a4b 4c4d4e4f"),
+ SHEX("09f91102 9d74e35b d84156c5 635688c0"),
+ SHEX("00112233 44556677 8899aabb ccddeeff"
+ "deaddada deaddada ffeeddcc bbaa9988"
+ "77665544 33221100"),
+ SHEX("74686973 20697320 736f6d65 20706c61"
+ "696e7465 78742074 6f20656e 63727970"
+ "74207573 696e6720 5349562d 414553"),
+ SHEX("85825e22 e90cf2dd da2c548d c7c1b631"
+ "0dcdaca0 cebf9dc6 cb90583f 5bf1506e"
+ "02cd4883 2b00e4e5 98b2b22a 53e6199d"
+ "4df0c166 6a35a043 3b250dc1 34d776"));
+}
diff -Nru nettle-3.4.1/testsuite/streebog-test.c nettle-3.7.3/testsuite/streebog-test.c
--- nettle-3.4.1/testsuite/streebog-test.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/testsuite/streebog-test.c 2021-06-06 20:06:30.000000000 +0000
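Review bot: The adata check at the end of test_cipher_siv reports the wrong failure — its message is a copy of the one from the check above it, so a regression in adata binding would be logged as a corrupted-message failure; it should read `fprintf(stderr, "siv_decrypt_message failed to detect corrupted adata\n");`. The corruption check before it only ever flips `en_data[0]`, which under the RFC 5297 layout the file cites (tag first, and the ASSERT that ciphertext is cleartext plus SIV_DIGEST_SIZE) is the first byte of the tag, so no vector exercises a modified ciphertext byte; flipping the last byte whenever `cleartext->length` is non-zero closes that gap, as sketched below, with the restore of `en_data[0]` moved out of the adata branch so the three checks no longer depend on each other. Two smaller points: `knuth-lfib.h` is included but nothing in the file uses it, and the miscreant nonce `SHEX("10111213 1415161718191a1b1 c1d1e1f2" "02122232 4252627")` decodes to the same 24 bytes as `"10111213 14151617 18191a1b 1c1d1e1f" "20212223 24252627"`, which is easier to compare against the upstream vector.
```c
  /* Ensure that we can detect a corrupted tag. */
  en_data[0] ^= 1;
  ret = siv_decrypt(ctx, nonce->length, nonce->data,
                    authdata->length, authdata->data,
                    cleartext->length, de_data, en_data);
  if (ret != 0)
    {
      fprintf(stderr, "siv_decrypt_message failed to detect corrupted tag\n");
      FAIL();
    }
  en_data[0] ^= 1;

  /* Ensure that we can detect a corrupted ciphertext byte; the last
     byte lies outside the tag whenever there is any plaintext. */
  if (cleartext->length)
    {
      en_data[ciphertext->length - 1] ^= 1;
      ret = siv_decrypt(ctx, nonce->length, nonce->data,
                        authdata->length, authdata->data,
                        cleartext->length, de_data, en_data);
      if (ret != 0)
        {
          fprintf(stderr, "siv_decrypt_message failed to detect corrupted message\n");
          FAIL();
        }
      en_data[ciphertext->length - 1] ^= 1;
    }

  /* Ensure we can detect truncated adata. */
  if (authdata->length)
    {
      ret = siv_decrypt(ctx, nonce->length, nonce->data,
                        authdata->length-1, authdata->data,
                        cleartext->length, de_data, en_data);
      if (ret != 0)
        {
          fprintf(stderr, "siv_decrypt_message failed to detect corrupted adata\n");
          FAIL();
        }
    }
  /* … unchanged: free(ctx) and the data buffers … */
```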
@@ -0,0 +1,90 @@
+#include "testutils.h"
+#include "streebog.h"
+
+void
+test_main(void)
+{
+ /* Using test vectors from the standard itself */
+
+ /* RFC 6986 provides all data in "Integer" big-endian format, while all
+ * constructs expects the data in little-endian format. Thus these examples
+ * (as the rest of the code) has data buffers reversed compared to the RFC
+ * 6986. */
+ /* 10.1.1 */
+ test_hash(&nettle_streebog512,
+ SDATA("012345678901234567890123456789012345678901234567890123456789012"),
+ SHEX("1b54d01a4af5b9d5 cc3d86d68d285462"
+ "b19abc2475222f35 c085122be4ba1ffa"
+ "00ad30f8767b3a82 384c6574f024c311"
+ "e2a481332b08ef7f 41797891c1646f48"));
+
+ /* 10.1.2 */
+ test_hash(&nettle_streebog256,
+ SDATA("012345678901234567890123456789012345678901234567890123456789012"),
+ SHEX("9d151eefd8590b89 daa6ba6cb74af927"
+ "5dd051026bb149a4 52fd84e5e57b5500"));
+
+ /* 10.2.1 */
+ test_hash(&nettle_streebog512,
+ SHEX("d1e520e2e5f2f0e82c20d1f2f0e8e1ee"
+ "e6e820e2edf3f6e82c20e2e5fef2fa20"
+ "f120eceef0ff20f1f2f0e5ebe0ece820"
+ "ede020f5f0e0e1f0fbff20efebfaeafb"
+ "20c8e3eef0e5e2fb"),
+ SHEX("1e88e62226bfca6f 9994f1f2d51569e0"
+ "daf8475a3b0fe61a 5300eee46d961376"
+ "035fe83549ada2b8 620fcd7c496ce5b3"
+ "3f0cb9dddc2b6460 143b03dabac9fb28"));
+
+ /* 10.2.2 */
+ test_hash(&nettle_streebog256,
+ SHEX("d1e520e2e5f2f0e82c20d1f2f0e8e1ee"
+ "e6e820e2edf3f6e82c20e2e5fef2fa20"
+ "f120eceef0ff20f1f2f0e5ebe0ece820"
+ "ede020f5f0e0e1f0fbff20efebfaeafb"
+ "20c8e3eef0e5e2fb"),
+ SHEX("9dd2fe4e90409e5d a87f53976d7405b0"
+ "c0cac628fc669a74 1d50063c557e8f50"));
+
+ /* Additional tests to verify long integer addition with carry */
+ test_hash(&nettle_streebog512,
+ SHEX("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "16111111111111111111111111111111"
+ "11111111111111111111111111111111"
+ "11111111111111111111111111111111"
+ "11111111111111111111111111111116"),
+ SHEX("8b06f41e59907d9636e892caf5942fcd"
+ "fb71fa31169a5e70f0edb873664df41c"
+ "2cce6e06dc6755d15a61cdeb92bd607c"
+ "c4aaca6732bf3568a23a210dd520fd41"));
+
+ test_hash(&nettle_streebog256,
+ SHEX("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+ "16111111111111111111111111111111"
+ "11111111111111111111111111111111"
+ "11111111111111111111111111111111"
+ "11111111111111111111111111111116"),
+ SHEX("81bb632fa31fcc38b4c379a662dbc58b"
+ "9bed83f50d3a1b2ce7271ab02d25babb"));
+
+ test_hash(&nettle_streebog512,
+ SHEX("ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffff"),
+ SHEX("90a161d12ad309498d3fe5d48202d8a4"
+ "e9c406d6a264aeab258ac5ecc37a7962"
+ "aaf9587a5abb09b6bb81ec4b3752a3ff"
+ "5a838ef175be5772056bc5fe54fcfc7e"));
+
+}
diff -Nru nettle-3.4.1/testsuite/teardown-env nettle-3.7.3/testsuite/teardown-env
--- nettle-3.4.1/testsuite/teardown-env 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/teardown-env 2021-06-06 20:06:30.000000000 +0000
@@ -1,9 +1,3 @@
 #! /bin/sh
 rm -rf testkey.priv testkey.pub testtmp testsignature testsignature2
-
-case "$EMULATOR" in
- wine*)
- find . -type l -name '*.dll' -exec rm -f '{}' ';'
- ;;
-esac
diff -Nru nettle-3.4.1/testsuite/.test-rules.make nettle-3.7.3/testsuite/.test-rules.make
--- nettle-3.4.1/testsuite/.test-rules.make 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/.test-rules.make 1970-01-01 00:00:00.000000000 +0000
@@ -1,282 +0,0 @@ -aes-test$(EXEEXT): aes-test.$(OBJEXT) - $(LINK) aes-test.$(OBJEXT) $(TEST_OBJS) -o aes-test$(EXEEXT) - -arcfour-test$(EXEEXT): arcfour-test.$(OBJEXT) - $(LINK) arcfour-test.$(OBJEXT) $(TEST_OBJS) -o arcfour-test$(EXEEXT) - -arctwo-test$(EXEEXT): arctwo-test.$(OBJEXT) - $(LINK) arctwo-test.$(OBJEXT) $(TEST_OBJS) -o arctwo-test$(EXEEXT) - -blowfish-test$(EXEEXT): blowfish-test.$(OBJEXT) - $(LINK) blowfish-test.$(OBJEXT) $(TEST_OBJS) -o blowfish-test$(EXEEXT) - -cast128-test$(EXEEXT): cast128-test.$(OBJEXT) - $(LINK) cast128-test.$(OBJEXT) $(TEST_OBJS) -o cast128-test$(EXEEXT) - -base16-test$(EXEEXT): base16-test.$(OBJEXT) - $(LINK) base16-test.$(OBJEXT) $(TEST_OBJS) -o base16-test$(EXEEXT) - -base64-test$(EXEEXT): base64-test.$(OBJEXT) - $(LINK) base64-test.$(OBJEXT) $(TEST_OBJS) -o base64-test$(EXEEXT) - -camellia-test$(EXEEXT): camellia-test.$(OBJEXT) - $(LINK) camellia-test.$(OBJEXT) $(TEST_OBJS) -o camellia-test$(EXEEXT) - -chacha-test$(EXEEXT): chacha-test.$(OBJEXT) - $(LINK) chacha-test.$(OBJEXT) $(TEST_OBJS) -o chacha-test$(EXEEXT) - -cnd-memcpy-test$(EXEEXT): cnd-memcpy-test.$(OBJEXT) - $(LINK) cnd-memcpy-test.$(OBJEXT) $(TEST_OBJS) -o cnd-memcpy-test$(EXEEXT) - -des-test$(EXEEXT): des-test.$(OBJEXT) - $(LINK) des-test.$(OBJEXT) $(TEST_OBJS) -o des-test$(EXEEXT) - -des3-test$(EXEEXT): des3-test.$(OBJEXT) - $(LINK) des3-test.$(OBJEXT) $(TEST_OBJS) -o des3-test$(EXEEXT) - -des-compat-test$(EXEEXT): des-compat-test.$(OBJEXT) - $(LINK) des-compat-test.$(OBJEXT) $(TEST_OBJS) -o des-compat-test$(EXEEXT) - -md2-test$(EXEEXT): md2-test.$(OBJEXT) - $(LINK) md2-test.$(OBJEXT) $(TEST_OBJS) -o md2-test$(EXEEXT) - -md4-test$(EXEEXT): md4-test.$(OBJEXT) - $(LINK) md4-test.$(OBJEXT) $(TEST_OBJS) -o md4-test$(EXEEXT) - -md5-test$(EXEEXT): md5-test.$(OBJEXT) - $(LINK) md5-test.$(OBJEXT) $(TEST_OBJS) -o md5-test$(EXEEXT) - -md5-compat-test$(EXEEXT): md5-compat-test.$(OBJEXT) - $(LINK) md5-compat-test.$(OBJEXT) $(TEST_OBJS) -o md5-compat-test$(EXEEXT) - 
-memeql-test$(EXEEXT): memeql-test.$(OBJEXT) - $(LINK) memeql-test.$(OBJEXT) $(TEST_OBJS) -o memeql-test$(EXEEXT) - -memxor-test$(EXEEXT): memxor-test.$(OBJEXT) - $(LINK) memxor-test.$(OBJEXT) $(TEST_OBJS) -o memxor-test$(EXEEXT) - -gosthash94-test$(EXEEXT): gosthash94-test.$(OBJEXT) - $(LINK) gosthash94-test.$(OBJEXT) $(TEST_OBJS) -o gosthash94-test$(EXEEXT) - -ripemd160-test$(EXEEXT): ripemd160-test.$(OBJEXT) - $(LINK) ripemd160-test.$(OBJEXT) $(TEST_OBJS) -o ripemd160-test$(EXEEXT) - -hkdf-test$(EXEEXT): hkdf-test.$(OBJEXT) - $(LINK) hkdf-test.$(OBJEXT) $(TEST_OBJS) -o hkdf-test$(EXEEXT) - -salsa20-test$(EXEEXT): salsa20-test.$(OBJEXT) - $(LINK) salsa20-test.$(OBJEXT) $(TEST_OBJS) -o salsa20-test$(EXEEXT) - -sha1-test$(EXEEXT): sha1-test.$(OBJEXT) - $(LINK) sha1-test.$(OBJEXT) $(TEST_OBJS) -o sha1-test$(EXEEXT) - -sha224-test$(EXEEXT): sha224-test.$(OBJEXT) - $(LINK) sha224-test.$(OBJEXT) $(TEST_OBJS) -o sha224-test$(EXEEXT) - -sha256-test$(EXEEXT): sha256-test.$(OBJEXT) - $(LINK) sha256-test.$(OBJEXT) $(TEST_OBJS) -o sha256-test$(EXEEXT) - -sha384-test$(EXEEXT): sha384-test.$(OBJEXT) - $(LINK) sha384-test.$(OBJEXT) $(TEST_OBJS) -o sha384-test$(EXEEXT) - -sha512-test$(EXEEXT): sha512-test.$(OBJEXT) - $(LINK) sha512-test.$(OBJEXT) $(TEST_OBJS) -o sha512-test$(EXEEXT) - -sha512-224-test$(EXEEXT): sha512-224-test.$(OBJEXT) - $(LINK) sha512-224-test.$(OBJEXT) $(TEST_OBJS) -o sha512-224-test$(EXEEXT) - -sha512-256-test$(EXEEXT): sha512-256-test.$(OBJEXT) - $(LINK) sha512-256-test.$(OBJEXT) $(TEST_OBJS) -o sha512-256-test$(EXEEXT) - -sha3-permute-test$(EXEEXT): sha3-permute-test.$(OBJEXT) - $(LINK) sha3-permute-test.$(OBJEXT) $(TEST_OBJS) -o sha3-permute-test$(EXEEXT) - -sha3-224-test$(EXEEXT): sha3-224-test.$(OBJEXT) - $(LINK) sha3-224-test.$(OBJEXT) $(TEST_OBJS) -o sha3-224-test$(EXEEXT) - -sha3-256-test$(EXEEXT): sha3-256-test.$(OBJEXT) - $(LINK) sha3-256-test.$(OBJEXT) $(TEST_OBJS) -o sha3-256-test$(EXEEXT) - -sha3-384-test$(EXEEXT): sha3-384-test.$(OBJEXT) - 
$(LINK) sha3-384-test.$(OBJEXT) $(TEST_OBJS) -o sha3-384-test$(EXEEXT) - -sha3-512-test$(EXEEXT): sha3-512-test.$(OBJEXT) - $(LINK) sha3-512-test.$(OBJEXT) $(TEST_OBJS) -o sha3-512-test$(EXEEXT) - -serpent-test$(EXEEXT): serpent-test.$(OBJEXT) - $(LINK) serpent-test.$(OBJEXT) $(TEST_OBJS) -o serpent-test$(EXEEXT) - -twofish-test$(EXEEXT): twofish-test.$(OBJEXT) - $(LINK) twofish-test.$(OBJEXT) $(TEST_OBJS) -o twofish-test$(EXEEXT) - -version-test$(EXEEXT): version-test.$(OBJEXT) - $(LINK) version-test.$(OBJEXT) $(TEST_OBJS) -o version-test$(EXEEXT) - -knuth-lfib-test$(EXEEXT): knuth-lfib-test.$(OBJEXT) - $(LINK) knuth-lfib-test.$(OBJEXT) $(TEST_OBJS) -o knuth-lfib-test$(EXEEXT) - -cbc-test$(EXEEXT): cbc-test.$(OBJEXT) - $(LINK) cbc-test.$(OBJEXT) $(TEST_OBJS) -o cbc-test$(EXEEXT) - -cfb-test$(EXEEXT): cfb-test.$(OBJEXT) - $(LINK) cfb-test.$(OBJEXT) $(TEST_OBJS) -o cfb-test$(EXEEXT) - -ctr-test$(EXEEXT): ctr-test.$(OBJEXT) - $(LINK) ctr-test.$(OBJEXT) $(TEST_OBJS) -o ctr-test$(EXEEXT) - -gcm-test$(EXEEXT): gcm-test.$(OBJEXT) - $(LINK) gcm-test.$(OBJEXT) $(TEST_OBJS) -o gcm-test$(EXEEXT) - -eax-test$(EXEEXT): eax-test.$(OBJEXT) - $(LINK) eax-test.$(OBJEXT) $(TEST_OBJS) -o eax-test$(EXEEXT) - -ccm-test$(EXEEXT): ccm-test.$(OBJEXT) - $(LINK) ccm-test.$(OBJEXT) $(TEST_OBJS) -o ccm-test$(EXEEXT) - -poly1305-test$(EXEEXT): poly1305-test.$(OBJEXT) - $(LINK) poly1305-test.$(OBJEXT) $(TEST_OBJS) -o poly1305-test$(EXEEXT) - -chacha-poly1305-test$(EXEEXT): chacha-poly1305-test.$(OBJEXT) - $(LINK) chacha-poly1305-test.$(OBJEXT) $(TEST_OBJS) -o chacha-poly1305-test$(EXEEXT) - -hmac-test$(EXEEXT): hmac-test.$(OBJEXT) - $(LINK) hmac-test.$(OBJEXT) $(TEST_OBJS) -o hmac-test$(EXEEXT) - -umac-test$(EXEEXT): umac-test.$(OBJEXT) - $(LINK) umac-test.$(OBJEXT) $(TEST_OBJS) -o umac-test$(EXEEXT) - -meta-hash-test$(EXEEXT): meta-hash-test.$(OBJEXT) - $(LINK) meta-hash-test.$(OBJEXT) $(TEST_OBJS) -o meta-hash-test$(EXEEXT) - -meta-cipher-test$(EXEEXT): meta-cipher-test.$(OBJEXT) - $(LINK) 
meta-cipher-test.$(OBJEXT) $(TEST_OBJS) -o meta-cipher-test$(EXEEXT) - -meta-aead-test$(EXEEXT): meta-aead-test.$(OBJEXT) - $(LINK) meta-aead-test.$(OBJEXT) $(TEST_OBJS) -o meta-aead-test$(EXEEXT) - -meta-armor-test$(EXEEXT): meta-armor-test.$(OBJEXT) - $(LINK) meta-armor-test.$(OBJEXT) $(TEST_OBJS) -o meta-armor-test$(EXEEXT) - -buffer-test$(EXEEXT): buffer-test.$(OBJEXT) - $(LINK) buffer-test.$(OBJEXT) $(TEST_OBJS) -o buffer-test$(EXEEXT) - -yarrow-test$(EXEEXT): yarrow-test.$(OBJEXT) - $(LINK) yarrow-test.$(OBJEXT) $(TEST_OBJS) -o yarrow-test$(EXEEXT) - -pbkdf2-test$(EXEEXT): pbkdf2-test.$(OBJEXT) - $(LINK) pbkdf2-test.$(OBJEXT) $(TEST_OBJS) -o pbkdf2-test$(EXEEXT) - -sexp-test$(EXEEXT): sexp-test.$(OBJEXT) - $(LINK) sexp-test.$(OBJEXT) $(TEST_OBJS) -o sexp-test$(EXEEXT) - -sexp-format-test$(EXEEXT): sexp-format-test.$(OBJEXT) - $(LINK) sexp-format-test.$(OBJEXT) $(TEST_OBJS) -o sexp-format-test$(EXEEXT) - -rsa2sexp-test$(EXEEXT): rsa2sexp-test.$(OBJEXT) - $(LINK) rsa2sexp-test.$(OBJEXT) $(TEST_OBJS) -o rsa2sexp-test$(EXEEXT) - -sexp2rsa-test$(EXEEXT): sexp2rsa-test.$(OBJEXT) - $(LINK) sexp2rsa-test.$(OBJEXT) $(TEST_OBJS) -o sexp2rsa-test$(EXEEXT) - -bignum-test$(EXEEXT): bignum-test.$(OBJEXT) - $(LINK) bignum-test.$(OBJEXT) $(TEST_OBJS) -o bignum-test$(EXEEXT) - -random-prime-test$(EXEEXT): random-prime-test.$(OBJEXT) - $(LINK) random-prime-test.$(OBJEXT) $(TEST_OBJS) -o random-prime-test$(EXEEXT) - -pkcs1-test$(EXEEXT): pkcs1-test.$(OBJEXT) - $(LINK) pkcs1-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-test$(EXEEXT) - -pkcs1-sec-decrypt-test$(EXEEXT): pkcs1-sec-decrypt-test.$(OBJEXT) - $(LINK) pkcs1-sec-decrypt-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-sec-decrypt-test$(EXEEXT) - -pss-test$(EXEEXT): pss-test.$(OBJEXT) - $(LINK) pss-test.$(OBJEXT) $(TEST_OBJS) -o pss-test$(EXEEXT) - -rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT) - $(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT) - -pss-mgf1-test$(EXEEXT): pss-mgf1-test.$(OBJEXT) - $(LINK) 
pss-mgf1-test.$(OBJEXT) $(TEST_OBJS) -o pss-mgf1-test$(EXEEXT) - -rsa-pss-sign-tr-test$(EXEEXT): rsa-pss-sign-tr-test.$(OBJEXT) - $(LINK) rsa-pss-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-pss-sign-tr-test$(EXEEXT) - -rsa-test$(EXEEXT): rsa-test.$(OBJEXT) - $(LINK) rsa-test.$(OBJEXT) $(TEST_OBJS) -o rsa-test$(EXEEXT) - -rsa-encrypt-test$(EXEEXT): rsa-encrypt-test.$(OBJEXT) - $(LINK) rsa-encrypt-test.$(OBJEXT) $(TEST_OBJS) -o rsa-encrypt-test$(EXEEXT) - -rsa-keygen-test$(EXEEXT): rsa-keygen-test.$(OBJEXT) - $(LINK) rsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o rsa-keygen-test$(EXEEXT) - -rsa-sec-decrypt-test$(EXEEXT): rsa-sec-decrypt-test.$(OBJEXT) - $(LINK) rsa-sec-decrypt-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sec-decrypt-test$(EXEEXT) - -rsa-compute-root-test$(EXEEXT): rsa-compute-root-test.$(OBJEXT) - $(LINK) rsa-compute-root-test.$(OBJEXT) $(TEST_OBJS) -o rsa-compute-root-test$(EXEEXT) - -dsa-test$(EXEEXT): dsa-test.$(OBJEXT) - $(LINK) dsa-test.$(OBJEXT) $(TEST_OBJS) -o dsa-test$(EXEEXT) - -dsa-keygen-test$(EXEEXT): dsa-keygen-test.$(OBJEXT) - $(LINK) dsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o dsa-keygen-test$(EXEEXT) - -curve25519-dh-test$(EXEEXT): curve25519-dh-test.$(OBJEXT) - $(LINK) curve25519-dh-test.$(OBJEXT) $(TEST_OBJS) -o curve25519-dh-test$(EXEEXT) - -ecc-mod-test$(EXEEXT): ecc-mod-test.$(OBJEXT) - $(LINK) ecc-mod-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mod-test$(EXEEXT) - -ecc-modinv-test$(EXEEXT): ecc-modinv-test.$(OBJEXT) - $(LINK) ecc-modinv-test.$(OBJEXT) $(TEST_OBJS) -o ecc-modinv-test$(EXEEXT) - -ecc-redc-test$(EXEEXT): ecc-redc-test.$(OBJEXT) - $(LINK) ecc-redc-test.$(OBJEXT) $(TEST_OBJS) -o ecc-redc-test$(EXEEXT) - -ecc-sqrt-test$(EXEEXT): ecc-sqrt-test.$(OBJEXT) - $(LINK) ecc-sqrt-test.$(OBJEXT) $(TEST_OBJS) -o ecc-sqrt-test$(EXEEXT) - -ecc-dup-test$(EXEEXT): ecc-dup-test.$(OBJEXT) - $(LINK) ecc-dup-test.$(OBJEXT) $(TEST_OBJS) -o ecc-dup-test$(EXEEXT) - -ecc-add-test$(EXEEXT): ecc-add-test.$(OBJEXT) - $(LINK) ecc-add-test.$(OBJEXT) $(TEST_OBJS) -o 
ecc-add-test$(EXEEXT) - -ecc-mul-g-test$(EXEEXT): ecc-mul-g-test.$(OBJEXT) - $(LINK) ecc-mul-g-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mul-g-test$(EXEEXT) - -ecc-mul-a-test$(EXEEXT): ecc-mul-a-test.$(OBJEXT) - $(LINK) ecc-mul-a-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mul-a-test$(EXEEXT) - -ecdsa-sign-test$(EXEEXT): ecdsa-sign-test.$(OBJEXT) - $(LINK) ecdsa-sign-test.$(OBJEXT) $(TEST_OBJS) -o ecdsa-sign-test$(EXEEXT) - -ecdsa-verify-test$(EXEEXT): ecdsa-verify-test.$(OBJEXT) - $(LINK) ecdsa-verify-test.$(OBJEXT) $(TEST_OBJS) -o ecdsa-verify-test$(EXEEXT) - -ecdsa-keygen-test$(EXEEXT): ecdsa-keygen-test.$(OBJEXT) - $(LINK) ecdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o ecdsa-keygen-test$(EXEEXT) - -ecdh-test$(EXEEXT): ecdh-test.$(OBJEXT) - $(LINK) ecdh-test.$(OBJEXT) $(TEST_OBJS) -o ecdh-test$(EXEEXT) - -eddsa-compress-test$(EXEEXT): eddsa-compress-test.$(OBJEXT) - $(LINK) eddsa-compress-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-compress-test$(EXEEXT) - -eddsa-sign-test$(EXEEXT): eddsa-sign-test.$(OBJEXT) - $(LINK) eddsa-sign-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-sign-test$(EXEEXT) - -eddsa-verify-test$(EXEEXT): eddsa-verify-test.$(OBJEXT) - $(LINK) eddsa-verify-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-verify-test$(EXEEXT) - -ed25519-test$(EXEEXT): ed25519-test.$(OBJEXT) - $(LINK) ed25519-test.$(OBJEXT) $(TEST_OBJS) -o ed25519-test$(EXEEXT) - -sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) - $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) - -cxx-test$(EXEEXT): cxx-test.$(OBJEXT) - $(LINK_CXX) cxx-test.$(OBJEXT) $(TEST_OBJS) -o cxx-test$(EXEEXT) - diff -Nru nettle-3.4.1/testsuite/test-rules.stamp nettle-3.7.3/testsuite/test-rules.stamp --- nettle-3.4.1/testsuite/test-rules.stamp 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/test-rules.stamp 1970-01-01 00:00:00.000000000 +0000 
@@ -1 +0,0 @@
-stamp
diff -Nru nettle-3.4.1/testsuite/testutils.c nettle-3.7.3/testsuite/testutils.c
--- nettle-3.4.1/testsuite/testutils.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/testsuite/testutils.c 2021-06-06 20:06:30.000000000 +0000
@@ -424,6 +424,210 @@ } void +test_cipher_cfb8(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *cleartext, + const struct tstring *ciphertext, + const struct tstring *iiv) +{ + void *ctx = xalloc(cipher->context_size); + uint8_t *data, *data2; + uint8_t *iv = xalloc(cipher->block_size); + size_t length; + size_t block; + + ASSERT (cleartext->length == ciphertext->length); + length = cleartext->length; + + ASSERT (key->length == cipher->key_size); + ASSERT (iiv->length == cipher->block_size); + + data = xalloc(length + 1); + data2 = xalloc(length + 1); + + for (block = 1; block <= length; block++) + { + size_t i; + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + memset(data, 0x17, length + 1); + for (i = 0; i + block <= length; i += block) + { + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + block, data + i, cleartext->data + i); + } + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length - i, data + i, cleartext->data + i); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 encrypt failed, block size %lu:\nInput:", + (unsigned long) block); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); + } + ASSERT (data[length] == 0x17); + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + memset(data2, 0x17, length + 1); + for (i = 0; i + block <= length; i += block) + { + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + block, data2 + i, data + i); + } + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length - i, data2 + i, data + i); + + if (!MEMEQ(length, data2, cleartext->data)) + { + fprintf(stderr, "CFB8 decrypt failed, block size %lu:\nInput:", + (unsigned long) block); + tstring_print_hex(ciphertext); + fprintf(stderr, 
"\nOutput: "); + print_hex(length, data2); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\n"); + FAIL(); + } + ASSERT (data[length] == 0x17); + } + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + memcpy(data, cleartext->data, length); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, cleartext->data)) + { + fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(cleartext); + fprintf(stderr, "\n"); + FAIL(); + } + + /* Repeat all tests with incomplete last block */ + length -= 1; + + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, cleartext->data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 encrypt failed:\nInput:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data2, data); + + if (!MEMEQ(length, data2, cleartext->data)) + { + 
fprintf(stderr, "CFB8 decrypt failed:\nInput:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data2); + fprintf(stderr, "\nExpected:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + memcpy(data, cleartext->data, length); + + cfb8_encrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, ciphertext->data)) + { + fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\n"); + FAIL(); + } + cipher->set_encrypt_key(ctx, key->data); + memcpy(iv, iiv->data, cipher->block_size); + + cfb8_decrypt(ctx, cipher->encrypt, + cipher->block_size, iv, + length, data, data); + + if (!MEMEQ(length, data, cleartext->data)) + { + fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); + print_hex(length, ciphertext->data); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + print_hex(length, cleartext->data); + fprintf(stderr, "\n"); + FAIL(); + } + + free(ctx); + free(data); + free(data2); + free(iv); +} + +void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, @@ -436,6 +640,7 @@ uint8_t *octr = xalloc(cipher->block_size); size_t length, nblocks; unsigned low; + size_t i; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; 
@@ -457,22 +662,29 @@ data = xalloc(length); cipher->set_encrypt_key(ctx, key->data); - memcpy(ctr, ictr->data, cipher->block_size); - - ctr_crypt(ctx, cipher->encrypt, - cipher->block_size, ctr, - length, data, cleartext->data); - if (!MEMEQ(length, data, ciphertext->data)) + for (i = 0; i <= length; i++) { - fprintf(stderr, "CTR encrypt failed:\nInput:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\n"); - FAIL(); + memcpy(ctr, ictr->data, cipher->block_size); + memset(data, 17, length); + + ctr_crypt(ctx, cipher->encrypt, + cipher->block_size, ctr, + i, data, cleartext->data); + + if (!MEMEQ(i, data, ciphertext->data) + || (i < length && data[i] != 17)) + { + fprintf(stderr, "CTR encrypt failed (length %d of %d):\nInput:", + (int) i, (int) length); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); + } } ASSERT (MEMEQ (cipher->block_size, ctr, octr)); 
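Review bot: The overrun check `(i < length && data[i] != 17)` cannot fire on the last iteration (`i == length`) because `data` is allocated with exactly `length` bytes at the top of the hunk, so a write one byte past the full-length output goes undetected. Allocating `data = xalloc(length + 1);`, filling with `memset(data, 17, length + 1);` and checking `data[i] != 17` unconditionally would cover every length, the same arrangement the new CFB8 test uses with its `length + 1` buffers. The failure message also dumps `length` bytes of `data` although only `i` were produced; printing `i` bytes would make the output agree with the reported length. test_cipher_ctr's body continues outside the hunk.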
@@ -654,33 +866,36 @@ const struct tstring *digest) { void *ctx = xalloc(hash->context_size); - uint8_t *buffer = xalloc(hash->digest_size); + uint8_t *buffer = xalloc(digest->length); uint8_t *input; unsigned offset; - ASSERT (digest->length == hash->digest_size); + /* Here, hash->digest_size zero means arbitrary size. */ + if (hash->digest_size) + ASSERT (digest->length == hash->digest_size); hash->init(ctx); hash->update(ctx, msg->length, msg->data); - hash->digest(ctx, hash->digest_size, buffer); + hash->digest(ctx, digest->length, buffer); - if (MEMEQ(hash->digest_size, digest->data, buffer) == 0) + if (MEMEQ(digest->length, digest->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); - print_hex(hash->digest_size, buffer); + print_hex(digest->length, buffer); fprintf(stdout, "\nExpected:\n"); - print_hex(hash->digest_size, digest->data); + print_hex(digest->length, digest->data); abort(); } - memset(buffer, 0, hash->digest_size); + memset(buffer, 0, digest->length); hash->update(ctx, msg->length, msg->data); - hash->digest(ctx, hash->digest_size - 1, buffer); + ASSERT(digest->length > 0); + hash->digest(ctx, digest->length - 1, buffer); - ASSERT(MEMEQ(hash->digest_size - 1, digest->data, buffer)); + ASSERT(MEMEQ(digest->length - 1, digest->data, buffer)); - ASSERT(buffer[hash->digest_size - 1] == 0); + ASSERT(buffer[digest->length - 1] == 0); input = xalloc (msg->length + 16); for (offset = 0; offset < 16; offset++) 
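Review bot: `ASSERT(digest->length > 0);` is placed after `buffer = xalloc(digest->length)` and after the first `hash->digest(ctx, digest->length, buffer)` call, so a zero-length expected digest reaches an allocation of zero bytes and a zero-length digest request before the guard; moving the assert up next to the new `if (hash->digest_size)` check rejects such input before anything else runs. The new meaning of a zero `hash->digest_size` is stated only in the one-line comment here; the prototype of test_hash in testutils.h (not in this hunk) would benefit from the same note, since the `digest` tstring now determines the requested output length. test_hash's signature starts outside the hunk.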
@@ -688,13 +903,13 @@
 memset (input, 0, msg->length + 16);
 memcpy (input + offset, msg->data, msg->length);
 hash->update (ctx, msg->length, input + offset);
- hash->digest (ctx, hash->digest_size, buffer);
+ hash->digest (ctx, digest->length, buffer);
- if (MEMEQ(hash->digest_size, digest->data, buffer) == 0)
+ if (MEMEQ(digest->length, digest->data, buffer) == 0)
 {
 fprintf(stdout, "hash input address: %p\nGot:\n", input + offset);
- print_hex(hash->digest_size, buffer);
+ print_hex(digest->length, buffer);
 fprintf(stdout, "\nExpected:\n");
- print_hex(hash->digest_size, digest->data);
+ print_hex(digest->length, digest->data);
 abort();
 }
 }
@@ -739,6 +954,69 @@ } void +test_mac(const struct nettle_mac *mac, + const struct tstring *key, + const struct tstring *msg, + const struct tstring *digest) +{ + void *ctx = xalloc(mac->context_size); + uint8_t *hash = xalloc(mac->digest_size); + unsigned i; + + ASSERT (digest->length <= mac->digest_size); + ASSERT (key->length == mac->key_size); + mac->set_key (ctx, key->data); + mac->update (ctx, msg->length, msg->data); + mac->digest (ctx, digest->length, hash); + + if (!MEMEQ (digest->length, digest->data, hash)) + { + fprintf (stderr, "test_mac failed, msg: "); + print_hex (msg->length, msg->data); + fprintf(stderr, "Output:"); + print_hex (mac->digest_size, hash); + fprintf(stderr, "Expected:"); + tstring_print_hex(digest); + fprintf(stderr, "\n"); + FAIL(); + } + + /* attempt to re-use the structure */ + mac->update (ctx, msg->length, msg->data); + mac->digest (ctx, digest->length, hash); + if (!MEMEQ (digest->length, digest->data, hash)) + { + fprintf (stderr, "test_mac: failed on re-use, msg: "); + print_hex (msg->length, msg->data); + fprintf(stderr, "Output:"); + print_hex (mac->digest_size, hash); + fprintf(stderr, "Expected:"); + tstring_print_hex(digest); + fprintf(stderr, "\n"); + FAIL(); + } + + /* attempt byte-by-byte hashing */ + mac->set_key (ctx, key->data); + for (i=0;ilength;i++) + mac->update (ctx, 1, msg->data+i); + mac->digest (ctx, digest->length, hash); + if (!MEMEQ (digest->length, digest->data, hash)) + { + fprintf (stderr, "cmac_hash failed on byte-by-byte, msg: "); + print_hex (msg->length, msg->data); + fprintf(stderr, "Output:"); + print_hex (16, hash); + fprintf(stderr, "Expected:"); + tstring_print_hex(digest); + fprintf(stderr, "\n"); + FAIL(); + } + free (ctx); + free (hash); +} + +void test_armor(const struct nettle_armor *armor, size_t data_length, const uint8_t *data, 
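Review bot: In the byte-by-byte failure branch, `print_hex (16, hash);` uses a hard-coded 16 while `hash` was allocated with `mac->digest_size` bytes, so for a MAC whose digest is shorter than 16 bytes the error path reads past the buffer; the two earlier branches correctly use `print_hex (mac->digest_size, hash);`. The message in that branch, `"cmac_hash failed on byte-by-byte, msg: "`, also names cmac although the function is generic over `struct nettle_mac`; `"test_mac failed on byte-by-byte, msg: "` would match the other two messages. A header comment stating that `digest->length` may be shorter than `mac->digest_size` (the first ASSERT allows it) and that the truncated prefix is what is compared would document the contract callers rely on.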
@@ -785,19 +1063,6 @@ #if WITH_HOGWEED -#ifndef mpn_zero_p -int -mpn_zero_p (mp_srcptr ap, mp_size_t n) -{ - while (--n >= 0) - { - if (ap[n] != 0) - return 0; - } - return 1; -} -#endif - void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn) { @@ -1391,12 +1656,15 @@ } const struct ecc_curve * const ecc_curves[] = { - &nettle_secp_192r1, - &nettle_secp_224r1, - &nettle_secp_256r1, - &nettle_secp_384r1, - &nettle_secp_521r1, + &_nettle_secp_192r1, + &_nettle_secp_224r1, + &_nettle_secp_256r1, + &_nettle_secp_384r1, + &_nettle_secp_521r1, &_nettle_curve25519, + &_nettle_curve448, + &_nettle_gost_gc256b, + &_nettle_gost_gc512a, NULL }; @@ -1430,8 +1698,8 @@ if (! (test_mpn (ref->x, p, ecc->p.size) && test_mpn (ref->y, p + ecc->p.size, ecc->p.size) )) { - fprintf (stderr, "Incorrect point!\n" - "got: x = "); + fprintf (stderr, "Incorrect point, curve bits %d!\n" + "got: x = ", ecc->p.bit_size); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); 
@@ -1444,80 +1712,140 @@ } } -void -test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) -{ - /* For each curve, the points 2 g, 3 g and 4 g */ - static const struct ecc_ref_point ref[6][3] = { - { { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", +/* For each curve, the points g, 2 g, 3 g and 4 g */ +static const struct ecc_ref_point ecc_ref[9][4] = { + { { "188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", + "07192b95ffc8da78631011ed6b24cdd573f977a11e794811" }, + { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" }, - { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", + { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd" }, - { "35433907297cc378b0015703374729d7a4fe46647084e4ba", + { "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32" } - }, - { { "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", + }, + { { "b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", + "bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34" }, + { "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb" }, - { "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", + { "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925" }, - { "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", + { "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9" }, - }, - { { "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", + }, + { { "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", + "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" }, + { "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", 
"7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1" }, - { "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", + { "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032" }, - { "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", + { "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6" }, - }, - { { "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e" + }, + { { "aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" + "5502f25dbf55296c3a545e3872760ab7", + "3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" + "0a60b1ce1d7e819d7a431d7c90ea0e5f" }, + { "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e" "4fe0e86ebe0e64f85b96a9c75295df61", "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab425" "5ffd43e94d39e22d61501e700a940e80" }, - { "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6" + { "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6" "b408bbae5026580d02d7e5c70500c831", "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eac" "c24abd6be4b5d298b65f28600a2f1df1" }, - { "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d" + { "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d" "1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dc" "ed7387be37bba569549f1c02b270ed67" }, - }, - { { "43" + }, + { { "c6" + "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" + "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", + "118" + "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" + "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" }, + { "43" "3c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97" 
"b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "f4" "bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbb" "b3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02" - }, - { "1a7" + }, + { "1a7" "3d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1" "ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", "13e" "9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec" "2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5" }, - { "35" + { "35" "b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac" "8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82" "096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f2" "79f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d" }, - }, - { { "36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e", + }, + { { "216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a", + "6666666666666666666666666666666666666666666666666666666666666658" }, + { "36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e", "2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9" }, - { "67ae9c4a22928f491ff4ae743edac83a6343981981624886ac62485fd3f8e25c", + { "67ae9c4a22928f491ff4ae743edac83a6343981981624886ac62485fd3f8e25c", "1267b1d177ee69aba126a18e60269ef79f16ec176724030402c3684878f5b4d4" }, - { "203da8db56cff1468325d4b87a3520f91a739ec193ce1547493aa657c4c9f870", + { "203da8db56cff1468325d4b87a3520f91a739ec193ce1547493aa657c4c9f870", "47d0e827cb1595e1470eb88580d5716c4cf22832ea2f0ff0df38ab61ca32112f" }, - } - }; - assert (curve < 6); + }, + { { "4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e", + "693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14" }, + { 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa955555555555555555555555555555555555555555555555555555555", + "ae05e9634ad7048db359d6205086c2b0036ed7a035884dd7b7e36d728ad8c4b80d6565833a2a3098bbbcb2bed1cda06bdaeafbcdea9386ed" }, + { "865886b9108af6455bd64316cb6943332241b8b8cda82c7e2ba077a4a3fcfe8daa9cbf7f6271fd6e862b769465da8575728173286ff2f8f", + "e005a8dbd5125cf706cbda7ad43aa6449a4a8d952356c3b9fce43c82ec4e1d58bb3a331bdb6767f0bffa9a68fed02dafb822ac13588ed6fc" }, + { "49dcbc5c6c0cce2c1419a17226f929ea255a09cf4e0891c693fda4be70c74cc301b7bdf1515dd8ba21aee1798949e120e2ce42ac48ba7f30", + "d49077e4accde527164b33a5de021b979cb7c02f0457d845c90dc3227b8a5bc1c0d8f97ea1ca9472b5d444285d0d4f5b32e236f86de51839" }, + }, + { { "0000000000000000000000000000000000000000000000000000000000000001", + "8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14" }, + { "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd95", + "726e1b8e1f676325d820afa5bac0d489cad6b0d220dc1c4edd5336636160df83" }, + { "8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38d2c", + "76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51" }, + { "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", + "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741" }, + }, + { { "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000003", + "7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921" + "df1626be4fd036e93d75e6a50e3a41e98028fe5fc235f5b889a589cb5215f2a4" }, + { "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f" + "4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", + "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92" + "ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051" }, + { "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba5" + 
"43d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", + "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb3" + "11d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6" }, + { "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef25" + "7452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", + "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850" + "da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929" }, + } +}; + +void +test_ecc_ga (unsigned curve, const mp_limb_t *p) +{ + return test_ecc_point (ecc_curves[curve], &ecc_ref[curve][0], p); +} + +void +test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) +{ + assert (curve < 9); assert (n <= 4); if (n == 0) { /* Makes sense for curve25519 only */ const struct ecc_curve *ecc = ecc_curves[curve]; - assert (ecc->p.bit_size == 255); + assert (ecc->p.bit_size == 255 || ecc->p.bit_size == 448); if (!mpn_zero_p (p, ecc->p.size) || mpn_cmp (p + ecc->p.size, ecc->unit, ecc->p.size) != 0) { @@ -1531,29 +1859,8 @@ abort(); } } - else if (n == 1) - { - const struct ecc_curve *ecc = ecc_curves[curve]; - if (mpn_cmp (p, ecc->g, 2*ecc->p.size) != 0) - { - fprintf (stderr, "Incorrect point (expected g)!\n" - "got: x = "); - write_mpn (stderr, 16, p, ecc->p.size); - fprintf (stderr, "\n" - " y = "); - write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); - fprintf (stderr, "\n" - "ref: x = "); - write_mpn (stderr, 16, ecc->g, ecc->p.size); - fprintf (stderr, "\n" - " y = "); - write_mpn (stderr, 16, ecc->g + ecc->p.size, ecc->p.size); - fprintf (stderr, "\n"); - abort(); - } - } else - test_ecc_point (ecc_curves[curve], &ref[curve][n-2], p); + test_ecc_point (ecc_curves[curve], &ecc_ref[curve][n-1], p); } void 
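Review bot: `test_ecc_ga` returns the value of a void call, `return test_ecc_point (ecc_curves[curve], &ecc_ref[curve][0], p);`, which ISO C does not permit in a function returning void (GCC warns under -pedantic); write the call as a plain statement without `return`. `assert (curve < 9);` in `test_ecc_mul_a` repeats the first dimension of `ecc_ref` as a literal, and `assert (curve < sizeof ecc_ref / sizeof ecc_ref[0]);` would stay correct when a curve is added to both tables. The comment `/* Makes sense for curve25519 only */` above the `n == 0` branch is now stale, since the assert on the next line also accepts a 448-bit field; `/* Only meaningful for curve25519 and curve448 */` would match the new condition.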
@@ -1570,5 +1877,46 @@ free (scratch); } +void +test_ecc_get_g (unsigned curve, mp_limb_t *rp) +{ + const struct ecc_curve *ecc = ecc_curves[curve]; + mpz_t x; + mpz_t y; + mpz_init_set_str (x, ecc_ref[curve][0].x, 16); + mpz_init_set_str (y, ecc_ref[curve][0].y, 16); + + if (ecc->use_redc) + { + mpz_t t; + mpz_mul_2exp (x, x, ecc->p.size * GMP_NUMB_BITS); + mpz_mod (x, x, mpz_roinit_n (t, ecc->p.m, ecc->p.size)); + mpz_mul_2exp (y, y, ecc->p.size * GMP_NUMB_BITS); + mpz_mod (y, y, mpz_roinit_n (t, ecc->p.m, ecc->p.size)); + } + mpz_limbs_copy (rp, x, ecc->p.size); + mpz_limbs_copy (rp + ecc->p.size, y, ecc->p.size); + mpn_copyi (rp + 2*ecc->p.size, ecc->unit, ecc->p.size); + + mpz_clear (x); + mpz_clear (y); +} + +void +test_ecc_get_ga (unsigned curve, mp_limb_t *rp) +{ + const struct ecc_curve *ecc = ecc_curves[curve]; + mpz_t x; + mpz_t y; + mpz_init_set_str (x, ecc_ref[curve][0].x, 16); + mpz_init_set_str (y, ecc_ref[curve][0].y, 16); + + mpz_limbs_copy (rp, x, ecc->p.size); + mpz_limbs_copy (rp + ecc->p.size, y, ecc->p.size); + + mpz_clear (x); + mpz_clear (y); +} + #endif /* WITH_HOGWEED */ diff -Nru nettle-3.4.1/testsuite/testutils.h nettle-3.7.3/testsuite/testutils.h --- nettle-3.4.1/testsuite/testutils.h 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/testutils.h 2021-06-06 20:06:30.000000000 +0000 
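Review bot: `test_ecc_get_g` and `test_ecc_get_ga` index `ecc_curves[curve]` and `ecc_ref[curve]` with no range check, while `test_ecc_mul_a` guards the same index with `assert (curve < 9);`; adding the same assert at the top of both keeps an out-of-range curve from reading past the tables. The two functions duplicate the parsing of `ecc_ref[curve][0]` and the two limb copies; only the redc conversion and the appended z = 1 limbs differ, so a static helper that fills `x` and `y` from the table would leave each function with just its distinguishing steps. The `mpz_t t` set up by `mpz_roinit_n` is a read-only view of `ecc->p.m` that needs no `mpz_clear`, which deserves a one-line comment since the neighbouring `x` and `y` are cleared.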
@@ -79,35 +79,6 @@ extern int verbose; -/* FIXME: When interface stabilizes, move to nettle-meta.h */ -struct nettle_mac -{ - const char *name; - - /* Size of the context struct */ - unsigned context_size; - - /* Size of digests */ - unsigned digest_size; - - /* Suggested key size; other sizes are sometimes possible. */ - unsigned key_size; - - nettle_set_key_func *set_key; - nettle_hash_update_func *update; - nettle_hash_digest_func *digest; -}; - -#define _NETTLE_HMAC(name, NAME, keysize) { \ - #name, \ - sizeof(struct hmac_##name##_ctx), \ - NAME##_DIGEST_SIZE, \ - NAME##_DIGEST_SIZE, \ - hmac_##name##_set_key, \ - hmac_##name##_update, \ - hmac_##name##_digest, \ -} - /* Test functions deallocate their inputs when finished.*/ void test_cipher(const struct nettle_cipher *cipher, @@ -130,6 +101,13 @@ const struct tstring *iv); void +test_cipher_cfb8(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *cleartext, + const struct tstring *ciphertext, + const struct tstring *iv); + +void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, @@ -164,6 +142,12 @@ const struct tstring *digest); void +test_mac(const struct nettle_mac *mac, + const struct tstring *key, + const struct tstring *msg, + const struct tstring *digest); + +void test_armor(const struct nettle_armor *armor, size_t data_length, const uint8_t *data, @@ -180,17 +164,8 @@ /* This is cheating */ #define mpz_rrandomb mpz_urandomb -/* mini-gmp defines this function (in the GMP library, it was added in - gmp in version 6.1.0). */ -#define mpn_zero_p mpn_zero_p - #endif /* NETTLE_USE_MINI_GMP */ -#ifndef mpn_zero_p -int -mpn_zero_p (mp_srcptr ap, mp_size_t n); -#endif - void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn); 
@@ -278,6 +253,19 @@ void test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p); +/* Checks that p == g (affine coordinates) */ +void +test_ecc_ga (unsigned curve, const mp_limb_t *p); + +/* Gets the curve generator, with coordinates in redc form, if + appropriate, and with an appended z = 1 coordinate. */ +void +test_ecc_get_g (unsigned curve, mp_limb_t *rp); + +/* Variant with only two coordinates, and no redc. */ +void +test_ecc_get_ga (unsigned curve, mp_limb_t *rp); + #endif /* WITH_HOGWEED */ /* String literal of type unsigned char. The GNUC version is safer. */ diff -Nru nettle-3.4.1/testsuite/version-test.c nettle-3.7.3/testsuite/version-test.c --- nettle-3.4.1/testsuite/version-test.c 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/testsuite/version-test.c 2021-06-06 20:06:30.000000000 +0000 @@ -30,6 +30,7 @@ */ #include "testutils.h" +#include "version.h" void test_main (void) diff -Nru nettle-3.4.1/testsuite/x86-ibt-test.c nettle-3.7.3/testsuite/x86-ibt-test.c --- nettle-3.4.1/testsuite/x86-ibt-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/x86-ibt-test.c 2021-06-06 20:06:30.000000000 +0000 
@@ -0,0 +1,69 @@ +#include "testutils.h" +#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) \ + && defined(__CET__) && defined(__linux__) +#include + +static void +segfault_handler(int signo) +{ + exit(0); +} + +static void +ibt_violation(void) +{ +#ifdef __i386__ + unsigned int reg; + asm volatile("lea 1f, %0\n\t" + "jmp *%0\n" + "1:" : "=r" (reg)); +#else + unsigned long long reg; + asm volatile("lea 1f(%%rip), %0\n\t" + "jmp *%0\n" + "1:" : "=r" (reg)); +#endif +} + +#ifdef __i386__ +static unsigned int +_get_ssp(void) +{ + unsigned int ssp; + asm volatile("xor %0, %0\n\trdsspd %0" : "=r" (ssp)); + return ssp; +} +#else +static unsigned long long +_get_ssp(void) +{ + unsigned long long ssp; + asm volatile("xor %0, %0\n\trdsspq %0" : "=r" (ssp)); + return ssp; +} +#endif + +void +test_main(void) +{ + /* NB: This test should trigger SIGSEGV on CET platforms. _get_ssp + returns the address of shadow stack pointer. If the address of + shadow stack pointer is 0, SHSTK is disabled and we assume that + IBT is also disabled. */ + if (_get_ssp() == 0) + { + ibt_violation(); + SKIP(); + } + + signal(SIGSEGV, segfault_handler); + ibt_violation(); + FAIL(); +} +#else +void +test_main(void) +{ + SKIP(); +} +#endif diff -Nru nettle-3.4.1/testsuite/xts-test.c nettle-3.7.3/testsuite/xts-test.c --- nettle-3.4.1/testsuite/xts-test.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/testsuite/xts-test.c 2021-06-06 20:06:30.000000000 +0000 
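Review bot: `segfault_handler` calls `exit(0)` from inside a SIGSEGV handler; `exit` runs atexit handlers and flushes stdio and is not async-signal-safe, so `_exit(0)` is the safe way to end the process there. The handler's `signo` parameter is unused and draws -Wunused-parameter; `(void) signo;` silences it. `_get_ssp` is a file-scope identifier beginning with an underscore, which C reserves for the implementation; `get_ssp` avoids the clash. The comment in `test_main` states the assumption that a zero shadow-stack pointer implies IBT is off; naming the consequence would help the next reader, e.g. `/* If that assumption is wrong, ibt_violation() below faults with no handler installed and the test fails rather than skips. */`.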
@@ -0,0 +1,173 @@ +#include "testutils.h" +#include "aes.h" +#include "xts.h" +#include "nettle-internal.h" + +static void +test_check_data(const char *operation, + const uint8_t *input, const uint8_t *output, + const uint8_t *expected, size_t length) +{ + if (!MEMEQ(length, output, expected)) + { + fprintf(stderr, "XTS %s failed:\nInput:", operation); + print_hex(length, input); + fprintf(stderr, "\nOutput: "); + print_hex(length, output); + fprintf(stderr, "\nExpected:"); + print_hex(length, expected); + fprintf(stderr, "\n"); + FAIL(); + } +} + +static void +test_cipher_xts(const struct nettle_cipher *cipher, + const struct tstring *key, + const struct tstring *tweak, + const struct tstring *cleartext, + const struct tstring *ciphertext) +{ + void *twk_ctx = xalloc(cipher->context_size); + void *ctx = xalloc(cipher->context_size); + uint8_t *data, *data2; + size_t length = cleartext->length; + + ASSERT (cleartext->length == ciphertext->length); + ASSERT (key->length == cipher->key_size * 2); + ASSERT (tweak->length == XTS_BLOCK_SIZE); + + data = xalloc(length); + data2 = xalloc(length); + + cipher->set_encrypt_key(ctx, key->data); + cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); + xts_encrypt_message(ctx, twk_ctx, cipher->encrypt, + tweak->data, length, data, cleartext->data); + test_check_data("encrypt", cleartext->data, data, ciphertext->data, length); + + cipher->set_decrypt_key(ctx, key->data); + cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); + xts_decrypt_message(ctx, twk_ctx, cipher->decrypt, cipher->encrypt, + tweak->data, length, data2, data); + test_check_data("decrypt", data, data2, cleartext->data, length); + + memcpy(data, cleartext->data, length); + + cipher->set_encrypt_key(ctx, key->data); + cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); + xts_encrypt_message(ctx, twk_ctx, cipher->encrypt, + tweak->data, length, data, data); + test_check_data("inplace encrypt", + cleartext->data, data, 
ciphertext->data, length); + + cipher->set_decrypt_key(ctx, key->data); + cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); + xts_decrypt_message(ctx, twk_ctx, cipher->decrypt, cipher->encrypt, + tweak->data, length, data, data); + test_check_data("inplace decrypt", data, data, cleartext->data, length); + + /* make sure AES128 specific functions also works the same */ + if (cipher == &nettle_aes128) { + struct xts_aes128_key xts_key; + + xts_aes128_set_encrypt_key(&xts_key, key->data); + xts_aes128_encrypt_message(&xts_key, tweak->data, length, data, + cleartext->data); + test_check_data("encrypt", + cleartext->data, data, ciphertext->data, length); + + xts_aes128_set_decrypt_key(&xts_key, key->data); + xts_aes128_decrypt_message(&xts_key, tweak->data, length, data, + ciphertext->data); + test_check_data("decrypt", + ciphertext->data, data, cleartext->data, length); + } + + /* make sure AES256 specific functions also works the same */ + if (cipher == &nettle_aes256) { + struct xts_aes256_key xts_key; + + xts_aes256_set_encrypt_key(&xts_key, key->data); + xts_aes256_encrypt_message(&xts_key, tweak->data, length, data, + cleartext->data); + test_check_data("encrypt", + cleartext->data, data, ciphertext->data, length); + + xts_aes256_set_decrypt_key(&xts_key, key->data); + xts_aes256_decrypt_message(&xts_key, tweak->data, length, data, + ciphertext->data); + test_check_data("decrypt", + ciphertext->data, data, cleartext->data, length); + } + + free(twk_ctx); + free(ctx); + free(data); + free(data2); +} + +void +test_main(void) +{ + /* From NIST CAVS 11.0, + * + * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/aes/XTSTestVectors.zip + * + * Selection of testing vectors from the above CAVS set + */ + + /* AES-128 single block - exact block size multiple */ + test_cipher_xts(&nettle_aes128, + SHEX("a1b90cba3f06ac353b2c343876081762" + "090923026e91771815f29dab01932f2f"), + 
SHEX("4faef7117cda59c66e4b92013e768ad5"), + SHEX("ebabce95b14d3c8d6fb350390790311c"), + SHEX("778ae8b43cb98d5a825081d5be471c63")); + + /* AES-128 two blocks - exact block size multiple */ + test_cipher_xts(&nettle_aes128, + SHEX("750372c3d82f63382867be6662acfa4a" + "259be3fa9bc662a1154ffaaed8b448a5"), + SHEX("93a29254c47e4260669621307d4f5cd3"), + SHEX("d8e3a56559a436ce0d8b212c80a88b23" + "af62b0e598f208e03c1f2e9fa563a54b"), + SHEX("495f7855535efd133464dc9a9abf8a0f" + "28facbce21bd3c22178ec489b799e491")); + + /* AES-128 partial second block */ + test_cipher_xts(&nettle_aes128, + SHEX("394c97881abd989d29c703e48a72b397" + "a7acf51b59649eeea9b33274d8541df4"), + SHEX("4b15c684a152d485fe9937d39b168c29"), + SHEX("2f3b9dcfbae729583b1d1ffdd16bb6fe" + "2757329435662a78f0"), + SHEX("f3473802e38a3ffef4d4fb8e6aa266eb" + "de553a64528a06463e")); + + /* AES-256 two blocks - exact block size multiple */ + test_cipher_xts(&nettle_aes256, + SHEX("1ea661c58d943a0e4801e42f4b094714" + "9e7f9f8e3e68d0c7505210bd311a0e7c" + "d6e13ffdf2418d8d1911c004cda58da3" + "d619b7e2b9141e58318eea392cf41b08"), + SHEX("adf8d92627464ad2f0428e84a9f87564"), + SHEX("2eedea52cd8215e1acc647e810bbc364" + "2e87287f8d2e57e36c0a24fbc12a202e"), + SHEX("cbaad0e2f6cea3f50b37f934d46a9b13" + "0b9d54f07e34f36af793e86f73c6d7db")); + + /* AES-256 three blocks - exact block size multiple */ + test_cipher_xts(&nettle_aes256, + SHEX("266c336b3b01489f3267f52835fd92f6" + "74374b88b4e1ebd2d36a5f457581d9d0" + "42c3eef7b0b7e5137b086496b4d9e6ac" + "658d7196a23f23f036172fdb8faee527"), + SHEX("06b209a7a22f486ecbfadb0f3137ba42"), + SHEX("ca7d65ef8d3dfad345b61ccddca1ad81" + "de830b9e86c7b426d76cb7db766852d9" + "81c6b21409399d78f42cc0b33a7bbb06"), + SHEX("c73256870cc2f4dd57acc74b5456dbd7" + "76912a128bc1f77d72cdebbf270044b7" + "a43ceed29025e1e8be211fa3c3ed002d")); +} diff -Nru nettle-3.4.1/TODO nettle-3.7.3/TODO --- nettle-3.4.1/TODO 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/TODO 1970-01-01 00:00:00.000000000 +0000 
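Review bot: The in-place decrypt check `test_check_data("inplace decrypt", data, data, cleartext->data, length);` passes the same buffer as input and output, so on failure the "Input:" dump shows the decrypted output rather than the ciphertext that was fed in; the in-place encrypt call a few lines above passes `cleartext->data` as input, and this one should pass `ciphertext->data`, which is what `data` held before the call. The AES-128 and AES-256 specific blocks reuse the labels `"encrypt"` and `"decrypt"`, so a failure there is indistinguishable in the output from a failure of the generic `xts_encrypt_message` path; `"aes128 encrypt"`, `"aes256 decrypt"` and so on would point the report at the right code. A short comment above `test_cipher_xts` stating that `key` holds the data key followed by the tweak key, which is what `&key->data[key->length / 2]` and the `key_size * 2` assert rely on, would help readers of the vectors.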
@@ -1,17 +0,0 @@
-Public key support, analogous to that provided by RSAREF. Suggested by
-Dan Egnor. Signatures are done now, but RSA encryption is still
-missing. References:
-
- http://download.gale.org/rsaref20.tar.Z
- http://www.openssl.org/docs/crypto/evp.html
- http://www.openssl.org/docs/crypto/rsa.html
-
-More feedback modes, in order of decreasing priority: CBC-MAC, OFB,
-and CFB. Suggested by Rafael 'Dido' Sevilla. References:
-
- http://csrc.nist.gov/encryption/modes/Recommendation/Modes01.pdf
-
-Valgrind reports errors on the des-compat test program. Investigate.
-
-The make rules for building position independent *_p.o files doesn't
-get dependencies right.
diff -Nru nettle-3.4.1/tools/Makefile.in nettle-3.7.3/tools/Makefile.in
--- nettle-3.4.1/tools/Makefile.in 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/tools/Makefile.in 2021-06-06 20:06:30.000000000 +0000
@@ -56,7 +56,7 @@
 $(LINK) $(nettle_pbkdf2_OBJS) -lnettle -o $@
-.c.$(OBJEXT):
+%.$(OBJEXT): %.c
 $(COMPILE) -c $< && $(DEP_PROCESS)
 # NOTE: If we required GNU make, we could use a single rule with $(@F)
@@ -89,7 +89,7 @@
 cp $? $(distdir)
 clean:
- -rm -f $(TARGETS) *.o
+ -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d
 distclean: clean
 -rm -f Makefile *.d
@@ -97,4 +97,4 @@
 tags:
 etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h
-@DEP_INCLUDE@ $(SOURCES:.c=.$(OBJEXT).d)
+-include $(SOURCES:.c=.$(OBJEXT).d)
diff -Nru nettle-3.4.1/tools/nettle-pbkdf2.c nettle-3.7.3/tools/nettle-pbkdf2.c
--- nettle-3.4.1/tools/nettle-pbkdf2.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/tools/nettle-pbkdf2.c 2021-06-06 20:06:30.000000000 +0000
@@ -31,6 +31,8 @@
 not, see http://www.gnu.org/licenses/.
 */
+#define _GNU_SOURCE
+
 #if HAVE_CONFIG_H
 # include "config.h"
 #endif
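Review bot: The `%.$(OBJEXT): %.c` pattern rule that replaces the `.c.$(OBJEXT)` suffix rule is a GNU make extension (as is the `-include` introduced in the last hunk of this file), yet the comment left two lines below it, `# NOTE: If we required GNU make, we could use a single rule with $(@F)`, still reads as though GNU make were optional. If the build now requires GNU make, update the note so the next reader does not try to restore portability, e.g. `# NOTE: GNU make is required (pattern rules and -include); a single rule with $(@F) is another option.`; if it does not, the suffix rule should stay. The rule's recipe and the rest of the Makefile lie outside this hunk.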
@@ -142,6 +144,9 @@
 }
 salt = strdup (argv[0]);
+ if (!salt)
+ die ("strdup failed: Virtual memory exhausted.\n");
+
 salt_length = strlen(argv[0]);
 if (hex_salt)
diff -Nru nettle-3.4.1/tools/sexp-conv.c nettle-3.7.3/tools/sexp-conv.c
--- nettle-3.4.1/tools/sexp-conv.c 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/tools/sexp-conv.c 2021-06-06 20:06:30.000000000 +0000
@@ -217,6 +217,7 @@
 match_argument(const char *given, const char *name)
 {
 /* FIXME: Allow abbreviations */
+ assert(given != NULL && name != NULL);
 return !strcmp(given, name);
 }
@@ -279,7 +280,10 @@
 case 'w':
 {
 char *end;
- int width = strtol(optarg, &end , 0);
+ int width;
+ assert(optarg != NULL);
+
+ width = strtol(optarg, &end , 0);
 if (!*optarg || *end || width < 0)
 die("sexp-conv: Invalid width `%s'.\n", optarg);
diff -Nru nettle-3.4.1/umac128.c nettle-3.7.3/umac128.c
--- nettle-3.4.1/umac128.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac128.c 2021-06-06 20:06:29.000000000 +0000
@@ -37,14 +37,15 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
 void
 umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key)
 {
- _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
- &ctx->pdf_key, key, 4);
+ _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
+ &ctx->pdf_key, key, 4);
 /* Clear nonce */
 memset (ctx->nonce, 0, sizeof(ctx->nonce));
@@ -69,12 +70,12 @@
 #define UMAC128_BLOCK(ctx, block) do { \
 uint64_t __umac128_y[4]; \
- _umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
+ _nettle_umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
 __umac128_y[0] += 8*UMAC_BLOCK_SIZE; \
 __umac128_y[1] += 8*UMAC_BLOCK_SIZE; \
 __umac128_y[2] += 8*UMAC_BLOCK_SIZE; \
 __umac128_y[3] += 8*UMAC_BLOCK_SIZE; \
- _umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \
 } while (0)
 void
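Review bot: `width = strtol(optarg, &end , 0);` still stores a `long` into `int width` with no range check, so on LP64 hosts a value such as 4294967296 parses with `*end == 0`, narrows to 0 (implementation-defined) and slips past the `width < 0` test on the next line, and an `ERANGE` overflow is not detected either; the added `assert(optarg != NULL)` does not cover this and is compiled out under NDEBUG. Parse into a `long`, clear `errno` first and reject anything out of range before narrowing: `errno = 0; long w = strtol(optarg, &end, 0);` then `if (!*optarg || *end || errno == ERANGE || w < 0 || w > INT_MAX) die(...);` followed by `width = (int) w;` (this needs errno.h and limits.h if the file does not already include them). The enclosing option-parsing function starts and ends outside this hunk.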
@@ -102,12 +103,12 @@
 unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32;
 memset (ctx->block + ctx->index, 0, pad);
- _umac_nh_n (y, 4, ctx->l1_key, ctx->index + pad, ctx->block);
+ _nettle_umac_nh_n (y, 4, ctx->l1_key, ctx->index + pad, ctx->block);
 y[0] += 8 * ctx->index;
 y[1] += 8 * ctx->index;
 y[2] += 8 * ctx->index;
 y[3] += 8 * ctx->index;
- _umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, y);
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, y);
 }
 assert (ctx->count > 0);
@@ -116,10 +117,10 @@
 INCREMENT (ctx->nonce_length, ctx->nonce);
- _umac_l2_final (ctx->l2_key, ctx->l2_state, 4, ctx->count);
+ _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 4, ctx->count);
 for (i = 0; i < 4; i++)
- tag[i] ^= ctx->l3_key2[i] ^ _umac_l3 (ctx->l3_key1 + 8*i,
- ctx->l2_state + 2*i);
+ tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i,
+ ctx->l2_state + 2*i);
 memcpy (digest, tag, length);
diff -Nru nettle-3.4.1/umac32.c nettle-3.7.3/umac32.c
--- nettle-3.4.1/umac32.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac32.c 2021-06-06 20:06:29.000000000 +0000
@@ -37,14 +37,15 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
 void
 umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key)
 {
- _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
- &ctx->pdf_key, key, 1);
+ _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
+ &ctx->pdf_key, key, 1);
 /* Clear nonce */
 memset (ctx->nonce, 0, sizeof(ctx->nonce));
@@ -72,9 +73,9 @@
 #define UMAC32_BLOCK(ctx, block) do { \
 uint64_t __umac32_y \
- = _umac_nh (ctx->l1_key, UMAC_BLOCK_SIZE, block) \
+ = _nettle_umac_nh (ctx->l1_key, UMAC_BLOCK_SIZE, block) \
 + 8*UMAC_BLOCK_SIZE ; \
- _umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &__umac32_y); \
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &__umac32_y); \
 } while (0)
 void
@@ -101,9 +102,9 @@
 unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32;
 memset (ctx->block + ctx->index, 0, pad);
- y = _umac_nh (ctx->l1_key, ctx->index + pad, ctx->block)
+ y = _nettle_umac_nh (ctx->l1_key, ctx->index + pad, ctx->block)
 + 8 * ctx->index;
- _umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &y);
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &y);
 }
 assert (ctx->count > 0);
 if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED))
@@ -128,8 +129,8 @@
 INCREMENT (i, ctx->nonce);
 }
- _umac_l2_final (ctx->l2_key, ctx->l2_state, 1, ctx->count);
- pad ^= ctx->l3_key2[0] ^ _umac_l3 (ctx->l3_key1, ctx->l2_state);
+ _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 1, ctx->count);
+ pad ^= ctx->l3_key2[0] ^ _nettle_umac_l3 (ctx->l3_key1, ctx->l2_state);
 memcpy (digest, &pad, length);
 /* Reinitialize */
diff -Nru nettle-3.4.1/umac64.c nettle-3.7.3/umac64.c
--- nettle-3.4.1/umac64.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac64.c 2021-06-06 20:06:29.000000000 +0000
@@ -37,14 +37,15 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
 void
 umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key)
 {
- _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
- &ctx->pdf_key, key, 2);
+ _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
+ &ctx->pdf_key, key, 2);
 /* Clear nonce */
 memset (ctx->nonce, 0, sizeof(ctx->nonce));
@@ -72,10 +73,10 @@
 #define UMAC64_BLOCK(ctx, block) do { \
 uint64_t __umac64_y[2]; \
- _umac_nh_n (__umac64_y, 2, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
+ _nettle_umac_nh_n (__umac64_y, 2, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
 __umac64_y[0] += 8*UMAC_BLOCK_SIZE; \
 __umac64_y[1] += 8*UMAC_BLOCK_SIZE; \
- _umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, __umac64_y); \
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, __umac64_y); \
 } while (0)
 void
@@ -103,10 +104,10 @@
 unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32;
 memset (ctx->block + ctx->index, 0, pad);
- _umac_nh_n (y, 2, ctx->l1_key, ctx->index + pad, ctx->block);
+ _nettle_umac_nh_n (y, 2, ctx->l1_key, ctx->index + pad, ctx->block);
 y[0] += 8 * ctx->index;
 y[1] += 8 * ctx->index;
- _umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, y);
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, y);
 }
 assert (ctx->count > 0);
 if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED))
@@ -130,11 +131,11 @@
 INCREMENT (i, ctx->nonce);
 }
- _umac_l2_final (ctx->l2_key, ctx->l2_state, 2, ctx->count);
- tag[0] = pad[0] ^ ctx->l3_key2[0] ^ _umac_l3 (ctx->l3_key1,
- ctx->l2_state);
- tag[1] = pad[1] ^ ctx->l3_key2[1] ^ _umac_l3 (ctx->l3_key1 + 8,
- ctx->l2_state + 2);
+ _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 2, ctx->count);
+ tag[0] = pad[0] ^ ctx->l3_key2[0] ^ _nettle_umac_l3 (ctx->l3_key1,
+ ctx->l2_state);
+ tag[1] = pad[1] ^ ctx->l3_key2[1] ^ _nettle_umac_l3 (ctx->l3_key1 + 8,
+ ctx->l2_state + 2);
 memcpy (digest, tag, length);
 /* Reinitialize */
diff -Nru nettle-3.4.1/umac96.c nettle-3.7.3/umac96.c
--- nettle-3.4.1/umac96.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac96.c 2021-06-06 20:06:29.000000000 +0000
@@ -37,14 +37,15 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
 void
 umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key)
 {
- _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
- &ctx->pdf_key, key, 3);
+ _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
+ &ctx->pdf_key, key, 3);
 /* Clear nonce */
 memset (ctx->nonce, 0, sizeof(ctx->nonce));
@@ -69,11 +70,11 @@
 #define UMAC96_BLOCK(ctx, block) do { \
 uint64_t __umac96_y[3]; \
- _umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
+ _nettle_umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
 __umac96_y[0] += 8*UMAC_BLOCK_SIZE; \
 __umac96_y[1] += 8*UMAC_BLOCK_SIZE; \
 __umac96_y[2] += 8*UMAC_BLOCK_SIZE; \
- _umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, __umac96_y); \
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, __umac96_y); \
 } while (0)
 void
@@ -101,11 +102,11 @@
 unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32;
 memset (ctx->block + ctx->index, 0, pad);
- _umac_nh_n (y, 3, ctx->l1_key, ctx->index + pad, ctx->block);
+ _nettle_umac_nh_n (y, 3, ctx->l1_key, ctx->index + pad, ctx->block);
 y[0] += 8 * ctx->index;
 y[1] += 8 * ctx->index;
 y[2] += 8 * ctx->index;
- _umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, y);
+ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, y);
 }
 assert (ctx->count > 0);
@@ -114,10 +115,10 @@
 INCREMENT (ctx->nonce_length, ctx->nonce);
- _umac_l2_final (ctx->l2_key, ctx->l2_state, 3, ctx->count);
+ _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 3, ctx->count);
 for (i = 0; i < 3; i++)
- tag[i] ^= ctx->l3_key2[i] ^ _umac_l3 (ctx->l3_key1 + 8*i,
- ctx->l2_state + 2*i);
+ tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i,
+ ctx->l2_state + 2*i);
 memcpy (digest, tag, length);
diff -Nru nettle-3.4.1/umac.h nettle-3.7.3/umac.h
--- nettle-3.4.1/umac.h 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/umac.h 2021-06-06 20:06:29.000000000 +0000
@@ -55,16 +55,6 @@
 #define umac64_digest nettle_umac64_digest
 #define umac96_digest nettle_umac96_digest
 #define umac128_digest nettle_umac128_digest
-#define _umac_set_key _nettle_umac_set_key
-#define _umac_nh _nettle_umac_nh
-#define _umac_nh_n _nettle_umac_nh_n
-#define _umac_poly64 _nettle_umac_poly64
-#define _umac_poly128 _nettle_umac_poly128
-#define _umac_l2_init _nettle_umac_l2_init
-#define _umac_l2 _nettle_umac_l2
-#define _umac_l2_final _nettle_umac_l2_final
-#define _umac_l3_init _nettle_umac_l3_init
-#define _umac_l3 _nettle_umac_l3
 #include "nettle-types.h"
 #include "aes.h"
@@ -201,51 +191,6 @@
 #define UMAC_P128_HI (~(uint64_t) 0)
 #define UMAC_P128_LO (-(uint64_t) UMAC_P128_OFFSET)
-void
-_umac_set_key (uint32_t *l1_key, uint32_t *l2_key,
- uint64_t *l3_key1, uint32_t *l3_key2,
- struct aes128_ctx *pad, const uint8_t *key, unsigned n);
-
-uint64_t
-_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg);
-
-/* Equivalent to
-
- for (i = 0; i < n; i++)
- out[i] = _umac_nh (key + 4*i, length, msg);
-
- but processing input only once.
-*/
-void
-_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key,
- unsigned length, const uint8_t *msg);
-
-/* Returns y*k + m (mod p), including "marker" processing. Return
- value is *not* in canonical representation, and must be normalized
- before the output is used. */
-uint64_t
-_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m);
-
-void
-_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml);
-
-void
-_umac_l2_init (unsigned size, uint32_t *k);
-
-void
-_umac_l2(const uint32_t *key, uint64_t *state, unsigned n,
- uint64_t count, const uint64_t *m);
-
-void
-_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n,
- uint64_t count);
-
-void
-_umac_l3_init (unsigned size, uint64_t *k);
-
-uint32_t
-_umac_l3 (const uint64_t *key, const uint64_t *m);
-
 #ifdef __cplusplus
 }
 #endif
diff -Nru nettle-3.4.1/umac-internal.h nettle-3.7.3/umac-internal.h
--- nettle-3.4.1/umac-internal.h 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/umac-internal.h 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,84 @@
+/* umac-internal.h
+
+ UMAC message authentication code (RFC-4418).
+
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_UMAC_INTERNAL_H_INCLUDED
+#define NETTLE_UMAC_INTERNAL_H_INCLUDED
+
+#include "nettle-types.h"
+
+void
+_nettle_umac_set_key (uint32_t *l1_key, uint32_t *l2_key,
+ uint64_t *l3_key1, uint32_t *l3_key2,
+ struct aes128_ctx *pad, const uint8_t *key, unsigned n);
+
+uint64_t
+_nettle_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg);
+
+/* Equivalent to
+
+ for (i = 0; i < n; i++)
+ out[i] = _umac_nh (key + 4*i, length, msg);
+
+ but processing input only once.
+*/
+void
+_nettle_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key,
+ unsigned length, const uint8_t *msg);
+
+/* Returns y*k + m (mod p), including "marker" processing. Return
+ value is *not* in canonical representation, and must be normalized
+ before the output is used. */
+uint64_t
+_nettle_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m);
+
+void
+_nettle_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml);
+
+void
+_nettle_umac_l2_init (unsigned size, uint32_t *k);
+
+void
+_nettle_umac_l2(const uint32_t *key, uint64_t *state, unsigned n,
+ uint64_t count, const uint64_t *m);
+
+void
+_nettle_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n,
+ uint64_t count);
+
+void
+_nettle_umac_l3_init (unsigned size, uint64_t *k);
+
+uint32_t
+_nettle_umac_l3 (const uint64_t *key, const uint64_t *m);
+
+#endif /* NETTLE_UMAC_INTERNAL_H_INCLUDED */
diff -Nru nettle-3.4.1/umac-l2.c nettle-3.7.3/umac-l2.c
--- nettle-3.4.1/umac-l2.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac-l2.c 2021-06-06 20:06:29.000000000 +0000
@@ -37,6 +37,7 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
@@ -52,7 +53,7 @@
 #endif
 void
-_umac_l2_init (unsigned size, uint32_t *k)
+_nettle_umac_l2_init (unsigned size, uint32_t *k)
 {
 unsigned i;
 for (i = 0; i < size; i++)
@@ -64,8 +65,8 @@
 }
 void
-_umac_l2(const uint32_t *key, uint64_t *state, unsigned n,
- uint64_t count, const uint64_t *m)
+_nettle_umac_l2(const uint32_t *key, uint64_t *state, unsigned n,
+ uint64_t count, const uint64_t *m)
 {
 uint64_t *prev = state + 2*n;
 unsigned i;
@@ -75,12 +76,12 @@
 else if (count == 1)
 for (i = 0; i < n; i++, key += 6)
 {
- uint64_t y = _umac_poly64 (key[0], key[1], 1, prev[i]);
- state[2*i+1] = _umac_poly64 (key[0], key[1], y, m[i]);
+ uint64_t y = _nettle_umac_poly64 (key[0], key[1], 1, prev[i]);
+ state[2*i+1] = _nettle_umac_poly64 (key[0], key[1], y, m[i]);
 }
 else if (count < UMAC_POLY64_BLOCKS)
 for (i = 0; i < n; i++, key += 6)
- state[2*i+1] = _umac_poly64 (key[0], key[1], state[2*i+1], m[i]);
+ state[2*i+1] = _nettle_umac_poly64 (key[0], key[1], state[2*i+1], m[i]);
 else if (count % 2 == 0)
 {
 if (count == UMAC_POLY64_BLOCKS)
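Review bot: `_nettle_umac_set_key` is declared with a `struct aes128_ctx *pad` parameter, but the new header includes only "nettle-types.h" and neither includes "aes.h" nor forward-declares the struct, so it compiles cleanly only because every .c hunk here includes umac.h first; a translation unit that includes umac-internal.h on its own gets a prototype-scoped struct tag and a declaration incompatible with the definition. Unless nettle-types.h declares that tag (not visible here), add `struct aes128_ctx;` right after the include so the header stands on its own. The comment above `_nettle_umac_nh_n` still quotes the old name, `out[i] = _umac_nh (key + 4*i, length, msg);`, which this change renames; make it `out[i] = _nettle_umac_nh (key + 4*i, length, msg);`. Since umac-nh-n.c asserts `length > 0` and `length <= 1024`, stating that contract on the prototype would also help callers, e.g. `/* length must be 1..1024 bytes; see the assertions in umac-nh-n.c. */`.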
@@ -92,18 +93,18 @@
 state[2*i] = 0;
 state[2*i+1] = 1;
- _umac_poly128 (key, state + 2*i, 0, y);
+ _nettle_umac_poly128 (key, state + 2*i, 0, y);
 }
 memcpy (prev, m, n * sizeof(*m));
 }
 else
 for (i = 0, key += 2; i < n; i++, key += 6)
- _umac_poly128 (key, state + 2*i, prev[i], m[i]);
+ _nettle_umac_poly128 (key, state + 2*i, prev[i], m[i]);
 }
 void
-_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n,
- uint64_t count)
+_nettle_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n,
+ uint64_t count)
 {
 uint64_t *prev = state + 2*n;
 unsigned i;
@@ -131,10 +132,10 @@
 uint64_t pad = (uint64_t) 1 << 63;
 if (count % 2 == 1)
 for (i = 0, key += 2; i < n; i++, key += 6)
- _umac_poly128 (key, state + 2*i, prev[i], pad);
+ _nettle_umac_poly128 (key, state + 2*i, prev[i], pad);
 else
 for (i = 0, key += 2; i < n; i++, key += 6)
- _umac_poly128 (key, state + 2*i, pad, 0);
+ _nettle_umac_poly128 (key, state + 2*i, pad, 0);
 for (i = 0; i < n; i++, state += 2)
 {
diff -Nru nettle-3.4.1/umac-l3.c nettle-3.7.3/umac-l3.c
--- nettle-3.4.1/umac-l3.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac-l3.c 2021-06-06 20:06:29.000000000 +0000
@@ -34,6 +34,7 @@
 #endif
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
@@ -55,7 +56,7 @@
 #endif
 void
-_umac_l3_init (unsigned size, uint64_t *k)
+_nettle_umac_l3_init (unsigned size, uint64_t *k)
 {
 unsigned i;
 for (i = 0; i < size; i++)
@@ -82,7 +83,7 @@
 }
 uint32_t
-_umac_l3 (const uint64_t *key, const uint64_t *m)
+_nettle_umac_l3 (const uint64_t *key, const uint64_t *m)
 {
 uint32_t y = (umac_l3_word (key, m[0]) + umac_l3_word (key + 4, m[1])) % P;
diff -Nru nettle-3.4.1/umac-nh.c nettle-3.7.3/umac-nh.c
--- nettle-3.4.1/umac-nh.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac-nh.c 2021-06-06 20:06:29.000000000 +0000
@@ -36,6 +36,7 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
 /* For fat builds */
@@ -46,7 +47,7 @@
 #endif
 uint64_t
-_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg)
+_nettle_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg)
 {
 uint64_t y;
diff -Nru nettle-3.4.1/umac-nh-n.c nettle-3.7.3/umac-nh-n.c
--- nettle-3.4.1/umac-nh-n.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac-nh-n.c 2021-06-06 20:06:29.000000000 +0000
@@ -37,6 +37,7 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
 /* For fat builds */
@@ -48,8 +49,8 @@
 #endif
 void
-_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key,
- unsigned length, const uint8_t *msg)
+_nettle_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key,
+ unsigned length, const uint8_t *msg)
 {
 assert (length > 0);
 assert (length <= 1024);
diff -Nru nettle-3.4.1/umac-poly128.c nettle-3.7.3/umac-poly128.c
--- nettle-3.4.1/umac-poly128.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac-poly128.c 2021-06-06 20:06:29.000000000 +0000
@@ -36,6 +36,7 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #define HI(x) (x >> 32)
 #define LO(x) (x & 0xffffffffUL)
@@ -104,7 +105,7 @@
 }
 void
-_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml)
+_nettle_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml)
 {
 uint64_t yh, yl, cy;
diff -Nru nettle-3.4.1/umac-poly64.c nettle-3.7.3/umac-poly64.c
--- nettle-3.4.1/umac-poly64.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac-poly64.c 2021-06-06 20:06:29.000000000 +0000
@@ -36,6 +36,7 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 static uint64_t
 poly64_mul (uint32_t kh, uint32_t kl, uint64_t y)
@@ -62,7 +63,7 @@
 }
 uint64_t
-_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m)
+_nettle_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m)
 {
 if ( (m >> 32) == 0xffffffff)
 {
diff -Nru nettle-3.4.1/umac-set-key.c nettle-3.7.3/umac-set-key.c
--- nettle-3.4.1/umac-set-key.c 2018-12-04 20:56:05.000000000 +0000
+++ nettle-3.7.3/umac-set-key.c 2021-06-06 20:06:29.000000000 +0000
@@ -36,6 +36,7 @@
 #include
 #include "umac.h"
+#include "umac-internal.h"
 #include "macros.h"
@@ -77,9 +78,9 @@
 #endif
 void
-_umac_set_key (uint32_t *l1_key, uint32_t *l2_key,
- uint64_t *l3_key1, uint32_t *l3_key2,
- struct aes128_ctx *aes, const uint8_t *key, unsigned n)
+_nettle_umac_set_key (uint32_t *l1_key, uint32_t *l2_key,
+ uint64_t *l3_key1, uint32_t *l3_key2,
+ struct aes128_ctx *aes, const uint8_t *key, unsigned n)
 {
 unsigned size;
 uint8_t buffer[UMAC_KEY_SIZE];
@@ -92,11 +93,11 @@
 size = 6*n;
 umac_kdf (aes, 2, size * sizeof(uint32_t), (uint8_t *) l2_key);
- _umac_l2_init (size, l2_key);
+ _nettle_umac_l2_init (size, l2_key);
 size = 8*n;
 umac_kdf (aes, 3, size * sizeof(uint64_t), (uint8_t *) l3_key1);
- _umac_l3_init (size, l3_key1);
+ _nettle_umac_l3_init (size, l3_key1);
 /* No need to byteswap these subkeys. */
 umac_kdf (aes, 4, n * sizeof(uint32_t), (uint8_t *) l3_key2);
diff -Nru nettle-3.4.1/x86/aes-decrypt-internal.asm nettle-3.7.3/x86/aes-decrypt-internal.asm
--- nettle-3.4.1/x86/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86/aes-decrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C x86/aes-decrypt-internal.asm
-ifelse(<
+ifelse(`
 Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller
 Copyright (C) 2008, 2013 Niels Möller
@@ -29,35 +29,35 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`x86/aes.m4') C Register usage: C AES state -define(,<%eax>) -define(,<%ebx>) -define(,<%ecx>) -define(,<%edx>) +define(`SA',`%eax') +define(`SB',`%ebx') +define(`SC',`%ecx') +define(`SD',`%edx') C Primary use of these registers. They're also used temporarily for other things. -define(,<%ebp>) -define(,<%edi>) -define(,<%esi>) - -define(, <40(%esp)>) -define(, <44(%esp)>) -define(, <48(%esp)>) -define(, <52(%esp)>) -define(, <56(%esp)>) -define(, <60(%esp)>) - -define(, <16(%esp)>) -define(, <12(%esp)>) -define(, <8(%esp)>) -define(, <4(%esp)>) -define(, <(%esp)>) +define(`T',`%ebp') +define(`TMP',`%edi') +define(`KEY',`%esi') + +define(`PARAM_ROUNDS', `40(%esp)') +define(`PARAM_KEYS', `44(%esp)') +define(`PARAM_TABLE', `48(%esp)') +define(`PARAM_LENGTH', `52(%esp)') +define(`PARAM_DST', `56(%esp)') +define(`PARAM_SRC', `60(%esp)') + +define(`FRAME_KEY', `16(%esp)') +define(`FRAME_COUNT', `12(%esp)') +define(`TA', `8(%esp)') +define(`TB', `4(%esp)') +define(`TC', `(%esp)') C The aes state is kept in %eax, %ebx, %ecx and %edx C diff -Nru nettle-3.4.1/x86/aes-encrypt-internal.asm nettle-3.7.3/x86/aes-encrypt-internal.asm --- nettle-3.4.1/x86/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86/aes-encrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86/aes-encrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller 
@@ -29,35 +29,35 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`x86/aes.m4') C Register usage: C AES state -define(,<%eax>) -define(,<%ebx>) -define(,<%ecx>) -define(,<%edx>) +define(`SA',`%eax') +define(`SB',`%ebx') +define(`SC',`%ecx') +define(`SD',`%edx') C Primary use of these registers. They're also used temporarily for other things. -define(,<%ebp>) -define(,<%edi>) -define(,<%esi>) - -define(, <40(%esp)>) -define(, <44(%esp)>) -define(, <48(%esp)>) -define(, <52(%esp)>) -define(, <56(%esp)>) -define(, <60(%esp)>) - -define(, <16(%esp)>) -define(, <12(%esp)>) -define(, <8(%esp)>) -define(, <4(%esp)>) -define(, <(%esp)>) +define(`T',`%ebp') +define(`TMP',`%edi') +define(`KEY',`%esi') + +define(`PARAM_ROUNDS', `40(%esp)') +define(`PARAM_KEYS', `44(%esp)') +define(`PARAM_TABLE', `48(%esp)') +define(`PARAM_LENGTH', `52(%esp)') +define(`PARAM_DST', `56(%esp)') +define(`PARAM_SRC', `60(%esp)') + +define(`FRAME_KEY', `16(%esp)') +define(`FRAME_COUNT', `12(%esp)') +define(`TA', `8(%esp)') +define(`TB', `4(%esp)') +define(`TC', `(%esp)') C The aes state is kept in %eax, %ebx, %ecx and %edx C diff -Nru nettle-3.4.1/x86/aes.m4 nettle-3.7.3/x86/aes.m4 --- nettle-3.4.1/x86/aes.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86/aes.m4 2021-06-06 20:06:29.000000000 +0000 @@ -3,7 +3,7 @@ dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? -define(, < +define(`AES_LOAD', ` movl ($5),$1 movl 4($5),$2 movl 8($5),$3 
@@ -12,14 +12,14 @@ xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 - xorl 12($6),$4>)dnl + xorl 12($6),$4')dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? -define(, < +define(`AES_STORE', ` xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 
@@ -28,58 +28,58 @@ movl $1,($6) movl $2,4($6) movl $3,8($6) - movl $4,12($6)>)dnl + movl $4,12($6)')dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. -define(, < +define(`AES_ROUND', ` movzbl LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzbl HREG($3), $7 xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,$7 - shrl <$>16,$7 - andl <$>0xff,$7 + shrl `$'16,$7 + andl `$'0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,$7 - shrl <$>24,$7 - xorl AES_TABLE3 ($1, $7, 4),$6>)dnl + shrl `$'24,$7 + xorl AES_TABLE3 ($1, $7, 4),$6')dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. dnl Note that we have to quote $ in constants. -define(, < +define(`AES_FINAL_ROUND', ` movzbl LREG($1),$6 movzbl ($5, $6), $6 movl $2,$7 - andl <$>0x0000ff00,$7 + andl `$'0x0000ff00,$7 orl $7, $6 movl $3,$7 - andl <$>0x00ff0000,$7 + andl `$'0x00ff0000,$7 orl $7, $6 movl $4,$7 - andl <$>0xff000000,$7 + andl `$'0xff000000,$7 orl $7, $6 - roll <$>8, $6>)dnl + roll `$'8, $6')dnl dnl AES_SUBST_BYTE(A, B, C, D, table, ptr) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. dnl Uses that AES_SBOX == 0 -define(, < +define(`AES_SUBST_BYTE', ` movzbl LREG($1),$6 movb ($5, $6),LREG($1) - roll <$>8,$1 + roll `$'8,$1 movzbl LREG($2),$6 movb ($5, $6),LREG($2) - roll <$>8,$2 + roll `$'8,$2 movzbl LREG($3),$6 movb ($5, $6),LREG($3) - roll <$>8,$3 + roll `$'8,$3 movzbl LREG($4),$6 movb ($5, $6),LREG($4) - roll <$>8,$4>)dnl + roll `$'8,$4')dnl diff -Nru nettle-3.4.1/x86/arcfour-crypt.asm nettle-3.7.3/x86/arcfour-crypt.asm --- nettle-3.4.1/x86/arcfour-crypt.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86/arcfour-crypt.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86/arcfour-crypt.asm -ifelse(< +ifelse(` Copyright (C) 2004, Niels Möller This file is part of GNU Nettle. 
@@ -28,7 +28,7 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "arcfour-crypt.asm" diff -Nru nettle-3.4.1/x86/camellia-crypt-internal.asm nettle-3.7.3/x86/camellia-crypt-internal.asm --- nettle-3.4.1/x86/camellia-crypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86/camellia-crypt-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86/camellia-crypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2010, Niels Möller This file is part of GNU Nettle. @@ -28,58 +28,58 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Register usage: C Camellia state, 128-bit value in little endian order. C L0, H0 corresponds to D1 in the spec and i0 in the C implementation. C while L1, H1 corresponds to D2/i1. -define(,<%eax>) -define(,<%ebx>) -define(,<%ecx>) -define(

      ,<%edx>) - -define(,<%ebp>) -define(,<%esi>) -define(,<%edi>) +define(`L0',`%eax') +define(`H0',`%ebx') +define(`L1',`%ecx') +define(`H1',`%edx') + +define(`TMP',`%ebp') +define(`KEY',`%esi') +define(`T',`%edi') C Locals on the stack -define(, <(%esp)>) -define(, <4(%esp)>) -define(, <8(%esp)>) -define(, <12(%esp)>) -define(, <16(%esp)>) +define(`FRAME_L0', `(%esp)') +define(`FRAME_H0', `4(%esp)') +define(`FRAME_L1', `8(%esp)') +define(`FRAME_H1', `12(%esp)') +define(`FRAME_CNT', `16(%esp)') C Arguments on stack. -define(, <40(%esp)>) -define(, <44(%esp)>) -define(, <48(%esp)>) -define(, <52(%esp)>) -define(, <56(%esp)>) -define(, <60(%esp)>) - -define(, <(T,$1,4)>) -define(, <1024(T,$1,4)>) -define(, <2048(T,$1,4)>) -define(, <3072(T,$1,4)>) +define(`FRAME_NKEYS', `40(%esp)') +define(`FRAME_KEYS', `44(%esp)') +define(`FRAME_TABLE', `48(%esp)') +define(`FRAME_LENGTH', `52(%esp)') +define(`FRAME_DST', `56(%esp)') +define(`FRAME_SRC', `60(%esp)') + +define(`SP1110', `(T,$1,4)') +define(`SP0222', `1024(T,$1,4)') +define(`SP3033', `2048(T,$1,4)') +define(`SP4404', `3072(T,$1,4)') C ROUND(xl, xh, yl, yh, key-offset) C xl and xh are rotated 16 bits at the end C yl and yh are read from stack, and left in registers -define(, < +define(`ROUND', ` movzbl LREG($1), TMP movl SP1110(TMP), $4 movzbl HREG($1), TMP xorl SP4404(TMP), $4 - roll <$>16, $1 + roll `$'16, $1 movzbl LREG($2), TMP movl SP4404(TMP), $3 movzbl HREG($2), TMP xorl SP3033(TMP), $3 - roll <$>16, $2 + roll `$'16, $2 movzbl LREG($1), TMP xorl SP3033(TMP), $4 @@ -95,58 +95,58 @@ xorl $5 + 4(KEY), $3 xorl $3, $4 - rorl <$>8, $3 + rorl `$'8, $3 xorl $4, $3 xorl FRAME_$3, $3 xorl FRAME_$4, $4 ->) +') C Six rounds, with inputs and outputs in registers. -define(, < +define(`ROUND6', ` movl L0, FRAME_L0 movl H0, FRAME_H0 movl L1, FRAME_L1 movl H1, FRAME_H1 - ROUND(L0,H0,,

      ,0) + ROUND(L0,H0,`L1',`H1',0) movl L1, FRAME_L1 movl H1, FRAME_H1 - ROUND(L1,H1,,,8) + ROUND(L1,H1,`L0',`H0',8) movl L0, FRAME_L0 movl H0, FRAME_H0 - ROUND(L0,H0,,

      ,16) + ROUND(L0,H0,`L1',`H1',16) movl L1, FRAME_L1 movl H1, FRAME_H1 - ROUND(L1,H1,,,24) + ROUND(L1,H1,`L0',`H0',24) movl L0, FRAME_L0 movl H0, FRAME_H0 - ROUND(L0,H0,,

      ,32) - ROUND(L1,H1,,,40) - roll <$>16, L1 - roll <$>16, H1 ->) + ROUND(L0,H0,`L1',`H1',32) + ROUND(L1,H1,`L0',`H0',40) + roll `$'16, L1 + roll `$'16, H1 +') C FL(x0, x1, key-offset) -define(, < +define(`FL', ` movl $3 + 4(KEY), TMP andl $2, TMP - roll <$>1, TMP + roll `$'1, TMP xorl TMP, $1 movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 ->) +') C FLINV(x0, x1, key-offset) -define(, < +define(`FLINV', ` movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 movl $3 + 4(KEY), TMP andl $2, TMP - roll <$>1, TMP + roll `$'1, TMP xorl TMP, $1 ->) +') .file "camellia-crypt-internal.asm" diff -Nru nettle-3.4.1/x86/machine.m4 nettle-3.7.3/x86/machine.m4 --- nettle-3.4.1/x86/machine.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86/machine.m4 2021-06-06 20:06:29.000000000 +0000 @@ -1,16 +1,16 @@ C OFFSET(i) C Expands to 4*i, or to the empty string if i is zero -define(, ) +define(`OFFSET', `ifelse($1,0,,eval(4*$1))') dnl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. -define(,)dnl + $1, %edx, %dl)')dnl -define(,)dnl + $1, %edx, %dh)')dnl diff -Nru nettle-3.4.1/x86/md5-compress.asm nettle-3.7.3/x86/md5-compress.asm --- nettle-3.4.1/x86/md5-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86/md5-compress.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86/md5-compress.asm -ifelse(< +ifelse(` Copyright (C) 2005, Niels Möller This file is part of GNU Nettle. 
@@ -28,61 +28,61 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Register usage -define(,<%eax>) -define(,<%ebx>) -define(,<%ecx>) -define(,<%edx>) -define(,<%ebp>) -define(,<%esi>) +define(`SA',`%eax') +define(`SB',`%ebx') +define(`SC',`%ecx') +define(`SD',`%edx') +define(`TMP',`%ebp') +define(`INPUT',`%esi') C %edi is unused C F1(x,y,z) = (z ^ (x & (y ^ z))) -define(, < +define(`F1', ` movl $3, TMP xorl $2, TMP andl $1, TMP - xorl $3, TMP>) + xorl $3, TMP') -define(,) +define(`F2',`F1($3, $1, $2)') C F3(x,y,z) = x ^ y ^ z -define(,< +define(`F3',` movl $1, TMP xorl $2, TMP - xorl $3, TMP>) + xorl $3, TMP') C F4(x,y,z) = y ^ (x | ~z) -define(,< +define(`F4',` movl $3, TMP notl TMP orl $1, TMP - xorl $2, TMP>) + xorl $2, TMP') -define(,) +define(`REF',`OFFSET($1)(INPUT)') C ROUND(f, w, x, y, z, k, data, s): C w += f(x,y,z) + data + k C w <<< s C w += x -define(,< +define(`ROUND',` addl $7, $2 $1($3, $4, $5) addl $6, $2 addl TMP, $2 - roll <$>$8, $2 - addl $3, $2>) + roll `$'$8, $2 + addl $3, $2') .file "md5-compress.asm" - C _nettle_md5_compress(uint32_t *state, uint8_t *data) + C nettle_md5_compress(uint32_t *state, uint8_t *data) .text ALIGN(16) -PROLOGUE(_nettle_md5_compress) +PROLOGUE(nettle_md5_compress) C save all registers that need to be saved C 24(%esp) input 
@@ -104,73 +104,73 @@ C Note that if unaligned, we suffer unaligned accesses movl 24(%esp), INPUT - ROUND(, SA, SB, SC, SD, REF( 0), $0xd76aa478, 7) - ROUND(, SD, SA, SB, SC, REF( 1), $0xe8c7b756, 12) - ROUND(, SC, SD, SA, SB, REF( 2), $0x242070db, 17) - ROUND(, SB, SC, SD, SA, REF( 3), $0xc1bdceee, 22) - ROUND(, SA, SB, SC, SD, REF( 4), $0xf57c0faf, 7) - ROUND(, SD, SA, SB, SC, REF( 5), $0x4787c62a, 12) - ROUND(, SC, SD, SA, SB, REF( 6), $0xa8304613, 17) - ROUND(, SB, SC, SD, SA, REF( 7), $0xfd469501, 22) - ROUND(, SA, SB, SC, SD, REF( 8), $0x698098d8, 7) - ROUND(, SD, SA, SB, SC, REF( 9), $0x8b44f7af, 12) - ROUND(, SC, SD, SA, SB, REF(10), $0xffff5bb1, 17) - ROUND(, SB, SC, SD, SA, REF(11), $0x895cd7be, 22) - ROUND(, SA, SB, SC, SD, REF(12), $0x6b901122, 7) - ROUND(, SD, SA, SB, SC, REF(13), $0xfd987193, 12) - ROUND(, SC, SD, SA, SB, REF(14), $0xa679438e, 17) - ROUND(, SB, SC, SD, SA, REF(15), $0x49b40821, 22) + ROUND(`F1', SA, SB, SC, SD, REF( 0), $0xd76aa478, 7) + ROUND(`F1', SD, SA, SB, SC, REF( 1), $0xe8c7b756, 12) + ROUND(`F1', SC, SD, SA, SB, REF( 2), $0x242070db, 17) + ROUND(`F1', SB, SC, SD, SA, REF( 3), $0xc1bdceee, 22) + ROUND(`F1', SA, SB, SC, SD, REF( 4), $0xf57c0faf, 7) + ROUND(`F1', SD, SA, SB, SC, REF( 5), $0x4787c62a, 12) + ROUND(`F1', SC, SD, SA, SB, REF( 6), $0xa8304613, 17) + ROUND(`F1', SB, SC, SD, SA, REF( 7), $0xfd469501, 22) + ROUND(`F1', SA, SB, SC, SD, REF( 8), $0x698098d8, 7) + ROUND(`F1', SD, SA, SB, SC, REF( 9), $0x8b44f7af, 12) + ROUND(`F1', SC, SD, SA, SB, REF(10), $0xffff5bb1, 17) + ROUND(`F1', SB, SC, SD, SA, REF(11), $0x895cd7be, 22) + ROUND(`F1', SA, SB, SC, SD, REF(12), $0x6b901122, 7) + ROUND(`F1', SD, SA, SB, SC, REF(13), $0xfd987193, 12) + ROUND(`F1', SC, SD, SA, SB, REF(14), $0xa679438e, 17) + ROUND(`F1', SB, SC, SD, SA, REF(15), $0x49b40821, 22) - ROUND(, SA, SB, SC, SD, REF( 1), $0xf61e2562, 5) - ROUND(, SD, SA, SB, SC, REF( 6), $0xc040b340, 9) - ROUND(, SC, SD, SA, SB, REF(11), $0x265e5a51, 14) - ROUND(, SB, SC, SD, SA, 
REF( 0), $0xe9b6c7aa, 20) - ROUND(, SA, SB, SC, SD, REF( 5), $0xd62f105d, 5) - ROUND(, SD, SA, SB, SC, REF(10), $0x02441453, 9) - ROUND(, SC, SD, SA, SB, REF(15), $0xd8a1e681, 14) - ROUND(, SB, SC, SD, SA, REF( 4), $0xe7d3fbc8, 20) - ROUND(, SA, SB, SC, SD, REF( 9), $0x21e1cde6, 5) - ROUND(, SD, SA, SB, SC, REF(14), $0xc33707d6, 9) - ROUND(, SC, SD, SA, SB, REF( 3), $0xf4d50d87, 14) - ROUND(, SB, SC, SD, SA, REF( 8), $0x455a14ed, 20) - ROUND(, SA, SB, SC, SD, REF(13), $0xa9e3e905, 5) - ROUND(, SD, SA, SB, SC, REF( 2), $0xfcefa3f8, 9) - ROUND(, SC, SD, SA, SB, REF( 7), $0x676f02d9, 14) - ROUND(, SB, SC, SD, SA, REF(12), $0x8d2a4c8a, 20) - - ROUND(, SA, SB, SC, SD, REF( 5), $0xfffa3942, 4) - ROUND(, SD, SA, SB, SC, REF( 8), $0x8771f681, 11) - ROUND(, SC, SD, SA, SB, REF(11), $0x6d9d6122, 16) - ROUND(, SB, SC, SD, SA, REF(14), $0xfde5380c, 23) - ROUND(, SA, SB, SC, SD, REF( 1), $0xa4beea44, 4) - ROUND(, SD, SA, SB, SC, REF( 4), $0x4bdecfa9, 11) - ROUND(, SC, SD, SA, SB, REF( 7), $0xf6bb4b60, 16) - ROUND(, SB, SC, SD, SA, REF(10), $0xbebfbc70, 23) - ROUND(, SA, SB, SC, SD, REF(13), $0x289b7ec6, 4) - ROUND(, SD, SA, SB, SC, REF( 0), $0xeaa127fa, 11) - ROUND(, SC, SD, SA, SB, REF( 3), $0xd4ef3085, 16) - ROUND(, SB, SC, SD, SA, REF( 6), $0x04881d05, 23) - ROUND(, SA, SB, SC, SD, REF( 9), $0xd9d4d039, 4) - ROUND(, SD, SA, SB, SC, REF(12), $0xe6db99e5, 11) - ROUND(, SC, SD, SA, SB, REF(15), $0x1fa27cf8, 16) - ROUND(, SB, SC, SD, SA, REF( 2), $0xc4ac5665, 23) - - ROUND(, SA, SB, SC, SD, REF( 0), $0xf4292244, 6) - ROUND(, SD, SA, SB, SC, REF( 7), $0x432aff97, 10) - ROUND(, SC, SD, SA, SB, REF(14), $0xab9423a7, 15) - ROUND(, SB, SC, SD, SA, REF( 5), $0xfc93a039, 21) - ROUND(, SA, SB, SC, SD, REF(12), $0x655b59c3, 6) - ROUND(, SD, SA, SB, SC, REF( 3), $0x8f0ccc92, 10) - ROUND(, SC, SD, SA, SB, REF(10), $0xffeff47d, 15) - ROUND(, SB, SC, SD, SA, REF( 1), $0x85845dd1, 21) - ROUND(, SA, SB, SC, SD, REF( 8), $0x6fa87e4f, 6) - ROUND(, SD, SA, SB, SC, REF(15), $0xfe2ce6e0, 10) - 
ROUND(, SC, SD, SA, SB, REF( 6), $0xa3014314, 15) - ROUND(, SB, SC, SD, SA, REF(13), $0x4e0811a1, 21) - ROUND(, SA, SB, SC, SD, REF( 4), $0xf7537e82, 6) - ROUND(, SD, SA, SB, SC, REF(11), $0xbd3af235, 10) - ROUND(, SC, SD, SA, SB, REF( 2), $0x2ad7d2bb, 15) - ROUND(, SB, SC, SD, SA, REF( 9), $0xeb86d391, 21) + ROUND(`F2', SA, SB, SC, SD, REF( 1), $0xf61e2562, 5) + ROUND(`F2', SD, SA, SB, SC, REF( 6), $0xc040b340, 9) + ROUND(`F2', SC, SD, SA, SB, REF(11), $0x265e5a51, 14) + ROUND(`F2', SB, SC, SD, SA, REF( 0), $0xe9b6c7aa, 20) + ROUND(`F2', SA, SB, SC, SD, REF( 5), $0xd62f105d, 5) + ROUND(`F2', SD, SA, SB, SC, REF(10), $0x02441453, 9) + ROUND(`F2', SC, SD, SA, SB, REF(15), $0xd8a1e681, 14) + ROUND(`F2', SB, SC, SD, SA, REF( 4), $0xe7d3fbc8, 20) + ROUND(`F2', SA, SB, SC, SD, REF( 9), $0x21e1cde6, 5) + ROUND(`F2', SD, SA, SB, SC, REF(14), $0xc33707d6, 9) + ROUND(`F2', SC, SD, SA, SB, REF( 3), $0xf4d50d87, 14) + ROUND(`F2', SB, SC, SD, SA, REF( 8), $0x455a14ed, 20) + ROUND(`F2', SA, SB, SC, SD, REF(13), $0xa9e3e905, 5) + ROUND(`F2', SD, SA, SB, SC, REF( 2), $0xfcefa3f8, 9) + ROUND(`F2', SC, SD, SA, SB, REF( 7), $0x676f02d9, 14) + ROUND(`F2', SB, SC, SD, SA, REF(12), $0x8d2a4c8a, 20) + + ROUND(`F3', SA, SB, SC, SD, REF( 5), $0xfffa3942, 4) + ROUND(`F3', SD, SA, SB, SC, REF( 8), $0x8771f681, 11) + ROUND(`F3', SC, SD, SA, SB, REF(11), $0x6d9d6122, 16) + ROUND(`F3', SB, SC, SD, SA, REF(14), $0xfde5380c, 23) + ROUND(`F3', SA, SB, SC, SD, REF( 1), $0xa4beea44, 4) + ROUND(`F3', SD, SA, SB, SC, REF( 4), $0x4bdecfa9, 11) + ROUND(`F3', SC, SD, SA, SB, REF( 7), $0xf6bb4b60, 16) + ROUND(`F3', SB, SC, SD, SA, REF(10), $0xbebfbc70, 23) + ROUND(`F3', SA, SB, SC, SD, REF(13), $0x289b7ec6, 4) + ROUND(`F3', SD, SA, SB, SC, REF( 0), $0xeaa127fa, 11) + ROUND(`F3', SC, SD, SA, SB, REF( 3), $0xd4ef3085, 16) + ROUND(`F3', SB, SC, SD, SA, REF( 6), $0x04881d05, 23) + ROUND(`F3', SA, SB, SC, SD, REF( 9), $0xd9d4d039, 4) + ROUND(`F3', SD, SA, SB, SC, REF(12), $0xe6db99e5, 11) + ROUND(`F3', SC, 
SD, SA, SB, REF(15), $0x1fa27cf8, 16) + ROUND(`F3', SB, SC, SD, SA, REF( 2), $0xc4ac5665, 23) + + ROUND(`F4', SA, SB, SC, SD, REF( 0), $0xf4292244, 6) + ROUND(`F4', SD, SA, SB, SC, REF( 7), $0x432aff97, 10) + ROUND(`F4', SC, SD, SA, SB, REF(14), $0xab9423a7, 15) + ROUND(`F4', SB, SC, SD, SA, REF( 5), $0xfc93a039, 21) + ROUND(`F4', SA, SB, SC, SD, REF(12), $0x655b59c3, 6) + ROUND(`F4', SD, SA, SB, SC, REF( 3), $0x8f0ccc92, 10) + ROUND(`F4', SC, SD, SA, SB, REF(10), $0xffeff47d, 15) + ROUND(`F4', SB, SC, SD, SA, REF( 1), $0x85845dd1, 21) + ROUND(`F4', SA, SB, SC, SD, REF( 8), $0x6fa87e4f, 6) + ROUND(`F4', SD, SA, SB, SC, REF(15), $0xfe2ce6e0, 10) + ROUND(`F4', SC, SD, SA, SB, REF( 6), $0xa3014314, 15) + ROUND(`F4', SB, SC, SD, SA, REF(13), $0x4e0811a1, 21) + ROUND(`F4', SA, SB, SC, SD, REF( 4), $0xf7537e82, 6) + ROUND(`F4', SD, SA, SB, SC, REF(11), $0xbd3af235, 10) + ROUND(`F4', SC, SD, SA, SB, REF( 2), $0x2ad7d2bb, 15) + ROUND(`F4', SB, SC, SD, SA, REF( 9), $0xeb86d391, 21) C Update the state vector movl 20(%esp),TMP @@ -184,4 +184,4 @@ popl %ebp popl %ebx ret -EPILOGUE(_nettle_md5_compress) +EPILOGUE(nettle_md5_compress) diff -Nru nettle-3.4.1/x86/sha1-compress.asm nettle-3.7.3/x86/sha1-compress.asm --- nettle-3.4.1/x86/sha1-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86/sha1-compress.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86/sha1-compress.asm -ifelse(< +ifelse(` Copyright (C) 2004, 2009 Niels Möller This file is part of GNU Nettle. 
@@ -28,31 +28,31 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Register usage -define(,<%eax>) -define(,<%ebx>) -define(,<%ecx>) -define(,<%edx>) -define(,<%ebp>) -define(,<%esp>) -define(,<%edi>) -define(,<%esi>) +define(`SA',`%eax') +define(`SB',`%ebx') +define(`SC',`%ecx') +define(`SD',`%edx') +define(`SE',`%ebp') +define(`DATA',`%esp') +define(`T1',`%edi') +define(`T2',`%esi') C Constants -define(, <0x5A827999>) C Rounds 0-19 -define(, <0x6ED9EBA1>) C Rounds 20-39 -define(, <0x8F1BBCDC>) C Rounds 40-59 -define(, <0xCA62C1D6>) C Rounds 60-79 +define(`K1VALUE', `0x5A827999') C Rounds 0-19 +define(`K2VALUE', `0x6ED9EBA1') C Rounds 20-39 +define(`K3VALUE', `0x8F1BBCDC') C Rounds 40-59 +define(`K4VALUE', `0xCA62C1D6') C Rounds 60-79 C Reads the input via T2 into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) -define(, < +define(`SWAP', ` movl OFFSET($1)(T2), $2 bswap $2 movl $2, OFFSET($1) (DATA) ->)dnl +')dnl C The f functions, C @@ -79,27 +79,27 @@ C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) -define(, < +define(`ROUND_F1', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - rol <$>1, T1 + rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 and $2, T2 xor $4, T2 - rol <$>30, $2 + rol `$'30, $2 lea K1VALUE (T1, $5), $5 mov $1, T1 - rol <$>5, T1 + rol `$'5, T1 add T1, $5 add T2, $5 ->) +') dnl ROUND_F1_NOEXP(a, b, c, d, e, i) -define(, < +define(`ROUND_F1_NOEXP', ` mov $4, T2 xor $3, T2 mov $1, T1 
@@ -107,37 +107,37 @@ add OFFSET($6) (DATA), $5 xor $4, T2 add T2, $5 - rol <$>30, $2 - rol <$>5, T1 + rol `$'30, $2 + rol `$'5, T1 lea K1VALUE (T1, $5), $5 ->) +') dnl ROUND_F2(a, b, c, d, e, i, k) -define(, < +define(`ROUND_F2', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - rol <$>1, T1 + rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 xor $2, T2 - rol <$>30, $2 + rol `$'30, $2 lea $7 (T1, $5), $5 mov $1, T1 - rol <$>5, T1 + rol `$'5, T1 add T1, $5 add T2, $5 ->) +') dnl ROUND_F3(a, b, c, d, e, i) -define(, < +define(`ROUND_F3', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - rol <$>1, T1 + rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 and $3, T2 @@ -146,20 +146,20 @@ xor $3, T1 and $2, T1 add T2, $5 - rol <$>30, $2 + rol `$'30, $2 mov $1, T2 - rol <$>5, T2 + rol `$'5, T2 add T1, $5 add T2, $5 ->) +') .file "sha1-compress.asm" - C _nettle_sha1_compress(uint32_t *state, uint8_t *data) + C nettle_sha1_compress(uint32_t *state, uint8_t *data) .text -PROLOGUE(_nettle_sha1_compress) +PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved C 88(%esp) data C 84(%esp) state @@ -1540,7 +1540,7 @@ popl %ebp popl %ebx ret -EPILOGUE(_nettle_sha1_compress) +EPILOGUE(nettle_sha1_compress) C TODO: diff -Nru nettle-3.4.1/x86_64/aes-decrypt-internal.asm nettle-3.7.3/x86_64/aes-decrypt-internal.asm --- nettle-3.4.1/x86_64/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/aes-decrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/aes-decrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller 
@@ -29,37 +29,37 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`x86_64/aes.m4') C Register usage: C AES state, use two of them -define(,<%eax>) -define(,<%ebx>) -define(,<%ecx>) -define(,<%edx>) - -define(,<%r10d>) -define(,<%r11d>) -define(,<%r12d>) +define(`SA',`%eax') +define(`SB',`%ebx') +define(`SC',`%ecx') +define(`SD',`%edx') + +define(`TA',`%r10d') +define(`TB',`%r11d') +define(`TC',`%r12d') C Input argument -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) - -define(, <%r13>) -define(,<%r14>) -define(, <%r15>) +define(`ROUNDS', `%rdi') +define(`KEYS', `%rsi') +define(`PARAM_TABLE', `%rdx') +define(`PARAM_LENGTH',`%rcx') +define(`DST', `%r8') +define(`SRC', `%r9') + +define(`TABLE', `%r13') +define(`LENGTH',`%r14') +define(`KEY', `%r15') C Must correspond to an old-style register, for movzb from %ah--%dh to C work. -define(,<%rbp>) +define(`TMP',`%rbp') .file "aes-decrypt-internal.asm" diff -Nru nettle-3.4.1/x86_64/aes-encrypt-internal.asm nettle-3.7.3/x86_64/aes-encrypt-internal.asm --- nettle-3.4.1/x86_64/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/aes-encrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,7 +1,7 @@ C x86_64/aes-encrypt-internal.asm -ifelse(< +ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller 
@@ -30,37 +30,37 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`x86_64/aes.m4') C Register usage: C AES state, use two of them -define(,<%eax>) -define(,<%ebx>) -define(,<%ecx>) -define(,<%edx>) - -define(,<%r10d>) -define(,<%r11d>) -define(,<%r12d>) +define(`SA',`%eax') +define(`SB',`%ebx') +define(`SC',`%ecx') +define(`SD',`%edx') + +define(`TA',`%r10d') +define(`TB',`%r11d') +define(`TC',`%r12d') C Input argument -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) - -define(
      , <%r13>) -define(,<%r14>) -define(, <%r15>) +define(`ROUNDS', `%rdi') +define(`KEYS', `%rsi') +define(`PARAM_TABLE', `%rdx') +define(`PARAM_LENGTH',`%rcx') +define(`DST', `%r8') +define(`SRC', `%r9') + +define(`TABLE', `%r13') +define(`LENGTH',`%r14') +define(`KEY', `%r15') C Must correspond to an old-style register, for movzb from %ah--%dh to C work. -define(,<%rbp>) +define(`TMP',`%rbp') .file "aes-encrypt-internal.asm" diff -Nru nettle-3.4.1/x86_64/aes.m4 nettle-3.7.3/x86_64/aes.m4 --- nettle-3.4.1/x86_64/aes.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/aes.m4 2021-06-06 20:06:29.000000000 +0000 @@ -1,5 +1,5 @@ dnl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. -define(,)dnl + $1, %r15d, %r15b)')dnl -define(,) + error)') -define(,)dnl + $1, %r15,%r15d)')dnl dnl AES_LOAD(a, b, c, d, src, key) dnl Loads the next block of data from src, and add the subkey pointed dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? -define(, < +define(`AES_LOAD', ` movl ($5),$1 movl 4($5),$2 movl 8($5),$3 @@ -56,14 +56,14 @@ xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 - xorl 12($6),$4>)dnl + xorl 12($6),$4')dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? -define(, < +define(`AES_STORE', ` xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 
@@ -72,59 +72,59 @@ movl $1,($6) movl $2,4($6) movl $3,8($6) - movl $4,12($6)>)dnl + movl $4,12($6)')dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. -define(, < +define(`AES_ROUND', ` movzb LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzb HREG($3), XREG($7) xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,XREG($7) - shr <$>16,$7 - and <$>0xff,$7 + shr `$'16,$7 + and `$'0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,XREG($7) - shr <$>24,$7 - xorl AES_TABLE3 ($1, $7, 4),$6>)dnl + shr `$'24,$7 + xorl AES_TABLE3 ($1, $7, 4),$6')dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. Leaves result in $6. Also dnl performs the first substitution step, on the least significant dnl byte, and rotates 8 bits. -define(, < +define(`AES_FINAL_ROUND', ` movzb LREG($1),$7 movzbl ($5, $7), $6 movl $2,XREG($7) - andl <$>0x0000ff00,XREG($7) + andl `$'0x0000ff00,XREG($7) orl XREG($7), $6 movl $3,XREG($7) - andl <$>0x00ff0000,XREG($7) + andl `$'0x00ff0000,XREG($7) orl XREG($7), $6 movl $4,XREG($7) - andl <$>0xff000000,XREG($7) + andl `$'0xff000000,XREG($7) orl XREG($7), $6 - roll <$>8, $6>)dnl + roll `$'8, $6')dnl dnl AES_SUBST_BYTE(A, B, C, D, table, tmp) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. 
dnl Uses that AES_SBOX == 0 -define(, < +define(`AES_SUBST_BYTE', ` movzb LREG($1),$6 movb ($5, $6),LREG($1) - roll <$>8,$1 + roll `$'8,$1 movzb LREG($2),$6 movb ($5, $6),LREG($2) - roll <$>8,$2 + roll `$'8,$2 movzb LREG($3),$6 movb ($5, $6),LREG($3) - roll <$>8,$3 + roll `$'8,$3 movzb LREG($4),$6 movb ($5, $6),LREG($4) - roll <$>8,$4>)dnl + roll `$'8,$4')dnl diff -Nru nettle-3.4.1/x86_64/aesni/aes-decrypt-internal.asm nettle-3.7.3/x86_64/aesni/aes-decrypt-internal.asm --- nettle-3.4.1/x86_64/aesni/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/aesni/aes-decrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,8 +1,8 @@ C x86_64/aesni/aes-decrypt-internal.asm -ifelse(< - Copyright (C) 2015 Niels Möller +ifelse(` + Copyright (C) 2015, 2018 Niels Möller This file is part of GNU Nettle. @@ -29,25 +29,32 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Input argument -define(, <%rdi>) -define(, <%rsi>) -C define(
      , <%rdx>) C Unused here -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) - -C Round counter -define(, <%rdx>) -C Subkey pointer -define(, <%rax>) - -dnl aesdec %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xde, 0xc1>) -dnl aesdeclast %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xdf, 0xc1>) +define(`ROUNDS', `%rdi') +define(`KEYS', `%rsi') +C define(`TABLE', `%rdx') C Unused here +define(`LENGTH',`%rcx') +define(`DST', `%r8') +define(`SRC', `%r9') + +define(`KEY0', `%xmm0') +define(`KEY1', `%xmm1') +define(`KEY2', `%xmm2') +define(`KEY3', `%xmm3') +define(`KEY4', `%xmm4') +define(`KEY5', `%xmm5') +define(`KEY6', `%xmm6') +define(`KEY7', `%xmm7') +define(`KEY8', `%xmm8') +define(`KEY9', `%xmm9') +define(`KEY10', `%xmm10') +define(`KEY11', `%xmm11') +define(`KEY12', `%xmm12') +define(`KEY13', `%xmm13') +define(`KEYLAST', `%xmm14') +define(`BLOCK', `%xmm15') .file "aes-decrypt-internal.asm" 
@@ -58,43 +65,70 @@
 .text
 ALIGN(16)
 PROLOGUE(_nettle_aes_decrypt)
- W64_ENTRY(6, 2)
+ W64_ENTRY(6, 16)
 shr $4, LENGTH
 test LENGTH, LENGTH
 jz .Lend
- decl XREG(ROUNDS)
+ movups (KEYS), KEY0
+ movups 16(KEYS), KEY1
+ movups 32(KEYS), KEY2
+ movups 48(KEYS), KEY3
+ movups 64(KEYS), KEY4
+ movups 80(KEYS), KEY5
+ movups 96(KEYS), KEY6
+ movups 112(KEYS), KEY7
+ movups 128(KEYS), KEY8
+ movups 144(KEYS), KEY9
+ lea 160(KEYS), KEYS
+ sub $10, XREG(ROUNDS) C Also clears high half
+ je .Lkey_last
+
+ movups (KEYS), KEY10
+ movups 16(KEYS), KEY11
+ lea (KEYS, ROUNDS, 8), KEYS
+ lea (KEYS, ROUNDS, 8), KEYS
+
+ cmpl $2, XREG(ROUNDS)
+ je .Lkey_last
+ movups -32(KEYS), KEY12
+ movups -16(KEYS), KEY13
+
+.Lkey_last:
+ movups (KEYS), KEYLAST
 .Lblock_loop:
- mov ROUNDS, CNT
- mov KEYS, KEY
- movups (SRC), %xmm0
- C FIXME: Better alignment of subkeys, so we can use movaps.
- movups (KEY), %xmm1
- pxor %xmm1, %xmm0
-
- C FIXME: Could use some unrolling. Also all subkeys fit in
- C registers, so they could be loaded once (on W64 we would
- C need to save and restore some xmm registers, though).
-
-.Lround_loop:
- add $16, KEY
-
- movups (KEY), %xmm1
- AESDEC C %xmm1, %xmm0
- decl XREG(CNT)
- jnz .Lround_loop
+ movups (SRC), BLOCK
+ pxor KEY0, BLOCK
+ aesdec KEY1, BLOCK
+ aesdec KEY2, BLOCK
+ aesdec KEY3, BLOCK
+ aesdec KEY4, BLOCK
+ aesdec KEY5, BLOCK
+ aesdec KEY6, BLOCK
+ aesdec KEY7, BLOCK
+ aesdec KEY8, BLOCK
+ aesdec KEY9, BLOCK
+ testl XREG(ROUNDS), XREG(ROUNDS)
+ je .Lblock_end
+ aesdec KEY10, BLOCK
+ aesdec KEY11, BLOCK
+ cmpl $2, XREG(ROUNDS)
+ je .Lblock_end
+
+ aesdec KEY12, BLOCK
+ aesdec KEY13, BLOCK
- movups 16(KEY), %xmm1
- AESDECLAST C %xmm1, %xmm0
+.Lblock_end:
+ aesdeclast KEYLAST, BLOCK
- movups %xmm0, (DST)
+ movups BLOCK, (DST)
 add $16, SRC
 add $16, DST
 dec LENGTH
 jnz .Lblock_loop
 .Lend:
- W64_EXIT(6, 2)
+ W64_EXIT(6, 16)
 ret
 EPILOGUE(_nettle_aes_decrypt)
diff -Nru nettle-3.4.1/x86_64/aesni/aes-encrypt-internal.asm nettle-3.7.3/x86_64/aesni/aes-encrypt-internal.asm
--- nettle-3.4.1/x86_64/aesni/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/aesni/aes-encrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,8 +1,8 @@
 C x86_64/aesni/aes-encrypt-internal.asm
-ifelse(<
- Copyright (C) 2015 Niels Möller
+ifelse(`
+ Copyright (C) 2015, 2018 Niels Möller
 This file is part of GNU Nettle.
@@ -29,26 +29,33 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 C Input argument
-define(, <%rdi>)
-define(, <%rsi>)
-C define(
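Review bot: The subkey preload between `sub $10, XREG(ROUNDS)` and `.Lkey_last:` only distinguishes a remainder of 0, 2 or 4, and the two `lea (KEYS, ROUNDS, 8), KEYS` lines derive the KEYLAST address from that remainder, so the code silently assumes ROUNDS is exactly 10, 12 or 14 and any other value loads KEY12/KEY13/KEYLAST from the wrong offsets. Since `_nettle_aes_decrypt` is an internal entry point and rounds presumably comes from the key schedule this is likely acceptable, but it should be stated above the `sub`: `C Assumes ROUNDS is 10, 12 or 14 (AES-128/192/256); any other value reads the key schedule at wrong offsets.` A smaller point: the rewrite keeps the whole expanded key schedule in KEY0–KEYLAST (xmm0–xmm14) across `.Lblock_loop` and does not clear those registers before `ret`, where the old loop left only one subkey in %xmm1; whether the W64_EXIT restore covers that on Windows and whether a wipe is wanted on SysV deserves a one-line comment at `.Lend:`. The same applies to the corresponding hunk in x86_64/aesni/aes-encrypt-internal.asm.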
      , <%rdx>) C Unused here -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) - -C Round counter -define(, <%rdx>) -C Subkey pointer -define(, <%rax>) - -dnl aesenc %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xdc, 0xc1>) -dnl aesenclast %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xdd, 0xc1>) - +define(`ROUNDS', `%rdi') +define(`KEYS', `%rsi') +C define(`TABLE', `%rdx') C Unused here +define(`LENGTH',`%rcx') +define(`DST', `%r8') +define(`SRC', `%r9') + +define(`KEY0', `%xmm0') +define(`KEY1', `%xmm1') +define(`KEY2', `%xmm2') +define(`KEY3', `%xmm3') +define(`KEY4', `%xmm4') +define(`KEY5', `%xmm5') +define(`KEY6', `%xmm6') +define(`KEY7', `%xmm7') +define(`KEY8', `%xmm8') +define(`KEY9', `%xmm9') +define(`KEY10', `%xmm10') +define(`KEY11', `%xmm11') +define(`KEY12', `%xmm12') +define(`KEY13', `%xmm13') +define(`KEYLAST', `%xmm14') +define(`BLOCK', `%xmm15') + .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, 
@@ -58,43 +65,70 @@
 .text
 ALIGN(16)
 PROLOGUE(_nettle_aes_encrypt)
- W64_ENTRY(6, 2)
+ W64_ENTRY(6, 16)
 shr $4, LENGTH
 test LENGTH, LENGTH
 jz .Lend
- decl XREG(ROUNDS)
+ movups (KEYS), KEY0
+ movups 16(KEYS), KEY1
+ movups 32(KEYS), KEY2
+ movups 48(KEYS), KEY3
+ movups 64(KEYS), KEY4
+ movups 80(KEYS), KEY5
+ movups 96(KEYS), KEY6
+ movups 112(KEYS), KEY7
+ movups 128(KEYS), KEY8
+ movups 144(KEYS), KEY9
+ lea 160(KEYS), KEYS
+ sub $10, XREG(ROUNDS) C Also clears high half
+ je .Lkey_last
+
+ movups (KEYS), KEY10
+ movups 16(KEYS), KEY11
+ lea (KEYS, ROUNDS, 8), KEYS
+ lea (KEYS, ROUNDS, 8), KEYS
+
+ cmpl $2, XREG(ROUNDS)
+ je .Lkey_last
+ movups -32(KEYS), KEY12
+ movups -16(KEYS), KEY13
+
+.Lkey_last:
+ movups (KEYS), KEYLAST
 .Lblock_loop:
- mov ROUNDS, CNT
- mov KEYS, KEY
- movups (SRC), %xmm0
- C FIXME: Better alignment of subkeys, so we can use movaps.
- movups (KEY), %xmm1
- pxor %xmm1, %xmm0
-
- C FIXME: Could use some unrolling. Also all subkeys fit in
- C registers, so they could be loaded once (on W64 we would
- C need to save and restore some xmm registers, though).
-
-.Lround_loop:
- add $16, KEY
-
- movups (KEY), %xmm1
- AESENC C %xmm1, %xmm0
- decl XREG(CNT)
- jnz .Lround_loop
+ movups (SRC), BLOCK
+ pxor KEY0, BLOCK
+ aesenc KEY1, BLOCK
+ aesenc KEY2, BLOCK
+ aesenc KEY3, BLOCK
+ aesenc KEY4, BLOCK
+ aesenc KEY5, BLOCK
+ aesenc KEY6, BLOCK
+ aesenc KEY7, BLOCK
+ aesenc KEY8, BLOCK
+ aesenc KEY9, BLOCK
+ testl XREG(ROUNDS), XREG(ROUNDS)
+ je .Lblock_end
+ aesenc KEY10, BLOCK
+ aesenc KEY11, BLOCK
+ cmpl $2, XREG(ROUNDS)
+ je .Lblock_end
+
+ aesenc KEY12, BLOCK
+ aesenc KEY13, BLOCK
- movups 16(KEY), %xmm1
- AESENCLAST C %xmm1, %xmm0
+.Lblock_end:
+ aesenclast KEYLAST, BLOCK
- movups %xmm0, (DST)
+ movups BLOCK, (DST)
 add $16, SRC
 add $16, DST
 dec LENGTH
 jnz .Lblock_loop
 .Lend:
- W64_EXIT(6, 2)
+ W64_EXIT(6, 16)
 ret
 EPILOGUE(_nettle_aes_encrypt)
diff -Nru nettle-3.4.1/x86_64/camellia-crypt-internal.asm nettle-3.7.3/x86_64/camellia-crypt-internal.asm
--- nettle-3.4.1/x86_64/camellia-crypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/camellia-crypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C x86_64/camellia-crypt-internal.asm
-ifelse(<
+ifelse(`
 Copyright (C) 2010, Niels Möller
 This file is part of GNU Nettle.
@@ -28,7 +28,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 C Performance, cycles per block
 C
@@ -39,94 +39,94 @@
 C Register usage:
-define(, <%rdi>)
-define(, <%rsi>)
-define(
      , <%rdx>) -define(, <%rcx>) -define(, <%r8>) -define(, <%r9>) +define(`NKEYS', `%rdi') +define(`KEYS', `%rsi') +define(`TABLE', `%rdx') +define(`LENGTH', `%rcx') +define(`DST', `%r8') +define(`SRC', `%r9') C Camellia state -define(, <%rax>) -define(, <%rbx>) C callee-save -define(, <%r13>) C callee-save -define(, <%rbp>) C callee-save -define(, <%r10>) -define(, <%r11>) -define(, <%r12>) C callee-save - -define(, <(TABLE,$1,4)>) -define(, <1024(TABLE,$1,4)>) -define(, <2048(TABLE,$1,4)>) -define(, <3072(TABLE,$1,4)>) +define(`I0', `%rax') +define(`I1', `%rbx') C callee-save +define(`KEY', `%r13') C callee-save +define(`TMP', `%rbp') C callee-save +define(`CNT', `%r10') +define(`IL', `%r11') +define(`IR', `%r12') C callee-save + +define(`SP1110', `(TABLE,$1,4)') +define(`SP0222', `1024(TABLE,$1,4)') +define(`SP3033', `2048(TABLE,$1,4)') +define(`SP4404', `3072(TABLE,$1,4)') C ROUND(x, y, key-offset) -define(, < +define(`ROUND', ` C Byte 0,1 movzbl LREG($1), XREG(TMP) movl SP1110(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP4404(TMP), XREG(IR) - ror <$>32, $1 + ror `$'32, $1 C Byte 4,5 movzbl LREG($1), XREG(TMP) movl SP4404(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IL) - rol <$>16, $1 + rol `$'16, $1 C Byte 2,3 movzbl LREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IR) - ror <$>32, $1 + ror `$'32, $1 C Byte 6,7 movzbl LREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP1110(TMP), XREG(IL) - ror <$>16, $1 + ror `$'16, $1 C 76543210 xorl XREG(IL), XREG(IR) - rorl <$>8, XREG(IL) + rorl `$'8, XREG(IL) xorl XREG(IR), XREG(IL) - shl <$>32, IR + shl `$'32, IR or IL, IR xor $3(KEY), $2 xor IR, $2 ->) +') C FL(x, key-offset) -define(, < +define(`FL', ` mov $1, TMP - shr <$>32, TMP + shr `$'32, TMP andl $2 + 4(KEY), XREG(TMP) - roll <$>1, XREG(TMP) + roll `$'1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) - shl 
<$>32, TMP + shl `$'32, TMP xor TMP, $1 ->) +') C FLINV(x0, key-offset) -define(, < +define(`FLINV', ` movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) - shl <$>32, TMP + shl `$'32, TMP xor TMP, $1 mov $1, TMP - shr <$>32, TMP + shr `$'32, TMP andl $2 + 4(KEY), XREG(TMP) - roll <$>1, XREG(TMP) + roll `$'1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 ->) +') .file "camellia-crypt-internal.asm" diff -Nru nettle-3.4.1/x86_64/chacha-core-internal.asm nettle-3.7.3/x86_64/chacha-core-internal.asm --- nettle-3.4.1/x86_64/chacha-core-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/chacha-core-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/chacha-core-internal.asm -ifelse(< +ifelse(` Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. 
@@ -28,60 +28,60 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) -define(, <%xmm4>) -define(, <%xmm5>) +define(`DST', `%rdi') +define(`SRC', `%rsi') +define(`COUNT', `%rdx') +define(`X0', `%xmm0') +define(`X1', `%xmm1') +define(`X2', `%xmm2') +define(`X3', `%xmm3') +define(`T0', `%xmm4') +define(`T1', `%xmm5') -define(, ) +define(`USE_PSHUFW', `yes') C ROTL_BY_16(REG, TMP) -ifelse(USE_PSHUFW, , < -define(, < - pshufhw <$>0xb1, $1, $1 - pshuflw <$>0xb1, $1, $1 ->)>, < -define(, < - pslld <$>16, $1 - psrld <$>16, $2 +ifelse(USE_PSHUFW, `yes', ` +define(`ROTL_BY_16', ` + pshufhw `$'0xb1, $1, $1 + pshuflw `$'0xb1, $1, $1 +')', ` +define(`ROTL_BY_16', ` + pslld `$'16, $1 + psrld `$'16, $2 por $2, $1 ->) ->) -C QROUND -define(, < - paddd X1, X0 - pxor X0, X3 - movaps X3, T0 - ROTL_BY_16(X3, T0) - - paddd X3, X2 - pxor X2, X1 - movaps X1, T0 - pslld <$>12, X1 - psrld <$>20, T0 - por T0, X1 - - paddd X1, X0 - pxor X0, X3 - movaps X3, T0 - pslld <$>8, X3 - psrld <$>24, T0 - por T0, X3 +') +') +C QROUND(x0, x1, x2, x3) +define(`QROUND', ` + paddd $2, $1 + pxor $1, $4 + movaps $4, T0 + ROTL_BY_16($4, T0) + + paddd $4, $3 + pxor $3, $2 + movaps $2, T0 + pslld `$'12, $2 + psrld `$'20, T0 + por T0, $2 + + paddd $2, $1 + pxor $1, $4 + movaps $4, T0 + pslld `$'8, $4 + psrld `$'24, T0 + por T0, $4 - paddd X3, X2 - pxor X2, X1 - movaps X1, T0 - pslld <$>7, X1 - psrld <$>25, T0 - por T0, X1 ->) + paddd $4, $3 + pxor $3, $2 + movaps $2, T0 + pslld `$'7, $2 + psrld `$'25, T0 + por T0, $2 +') C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text diff -Nru nettle-3.4.1/x86_64/ecc-192-modp.asm nettle-3.7.3/x86_64/ecc-192-modp.asm --- nettle-3.4.1/x86_64/ecc-192-modp.asm 2018-12-04 20:56:06.000000000 +0000 
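Review bot: The new `C QROUND(x0, x1, x2, x3)` header lists the inputs but not that the macro unconditionally overwrites the file-level scratch register T0 (`movaps $4, T0` three times, and the non-pshufw `ROTL_BY_16` variant also writes its `$2`, which is T0 here), so a caller that passes T0 as any argument would be silently corrupted. Suggest `C QROUND(x0, x1, x2, x3). Clobbers T0; no argument may be T0.` as the header line. The _chacha_core body that invokes the macro lies outside this hunk.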
+++ nettle-3.7.3/x86_64/ecc-192-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,88 +0,0 @@ -C x86_64/ecc-192-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "ecc-192-modp.asm" - -define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input -define(, <%rcx>) -define(, <%rdx>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) - - C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) - .text - ALIGN(16) -PROLOGUE(nettle_ecc_192_modp) - W64_ENTRY(2, 0) - mov 16(RP), T2 - mov 24(RP), T3 - mov 40(RP), H - xor C1, C1 - xor C2, C2 - - add H, T2 - adc H, T3 - C Carry to be added in at T1 and T2 - setc LREG(C2) - - mov 8(RP), T1 - mov 32(RP), H - adc H, T1 - adc H, T2 - C Carry to be added in at T0 and T1 - setc LREG(C1) - - mov (RP), T0 - adc T3, T0 - adc T3, T1 - adc $0, C2 - - C Add in C1 and C2 - add C1, T1 - adc C2, T2 - setc LREG(C1) - - C Fold final carry. 
- adc $0, T0 - adc C1, T1 - adc $0, T2 - - mov T0, (RP) - mov T1, 8(RP) - mov T2, 16(RP) - - W64_EXIT(2, 0) - ret -EPILOGUE(nettle_ecc_192_modp) diff -Nru nettle-3.4.1/x86_64/ecc-224-modp.asm nettle-3.7.3/x86_64/ecc-224-modp.asm --- nettle-3.4.1/x86_64/ecc-224-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-224-modp.asm 1970-01-01 00:00:00.000000000 +0000 @@ -1,131 +0,0 @@ -C x86_64/ecc-224-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "ecc-224-modp.asm" - -GMP_NUMB_BITS(64) - -define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input -define(, <%rcx>) -define(, <%rax>) -define(

      , <%rdx>) -define(

      , <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) - - C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) -PROLOGUE(nettle_ecc_224_modp) - W64_ENTRY(2, 0) - mov 48(RP), H0 - mov 56(RP), H1 - C Set (F2,F1,F0) <-- (H1,H0) << 32 - mov H0, F0 - mov H0, F1 - shl $32, F0 - shr $32, F1 - mov H1, F2 - mov H1, T0 - shl $32, T0 - shr $32, F2 - or T0, F1 - - xor H2, H2 - mov 16(RP), T0 - mov 24(RP), T1 - sub F0, T0 - sbb F1, T1 - sbb F2, H0 - sbb $0, H1 C No further borrow - - adc 32(RP), H0 - adc 40(RP), H1 - adc $0, H2 - - C Set (F2,F1,F0) <-- (H2,H1,H0) << 32 - C To free registers, add in T1, T0 as soon as H0, H1 have been copied - mov H0, F0 - mov H0, F1 - add T0, H0 - mov H1, F2 - mov H1, T0 - adc T1, H1 - mov H2, T1 - adc $0, H2 - - C Shift 32 bits - shl $32, F0 - shr $32, F1 - shl $32, T0 - shr $32, F2 - shl $32, T1 - or T0, F1 - or T1, F2 - - mov (RP), T0 - mov 8(RP), T1 - sub F0, T0 - sbb F1, T1 - sbb F2, H0 - sbb $0, H1 - sbb $0, H2 - - C We now have H2, H1, H0, T1, T0, with 33 bits left to reduce - C Set F0 <-- (H2, H1) >> 32 - C Set (F2,F1) <-- (H2, H1 & 0xffffffff00000000) - C H1 <-- H1 & 0xffffffff - - mov H1, F0 - mov H1, F1 - mov H2, F2 - movl XREG(H1), XREG(H1) C Clears high 32 bits - sub H1, F1 C Clears low 32 bits - shr $32, F0 - shl $32, H2 - or H2, F0 - - sub F0, T0 - sbb $0, F1 - sbb $0, F2 - add F1, T1 - adc F2, H0 - adc $0, H1 - - mov T0, (RP) - mov T1, 8(RP) - mov H0, 16(RP) - mov H1, 24(RP) - - W64_EXIT(2, 0) - ret -EPILOGUE(nettle_ecc_224_modp) diff -Nru nettle-3.4.1/x86_64/ecc-25519-modp.asm nettle-3.7.3/x86_64/ecc-25519-modp.asm --- nettle-3.4.1/x86_64/ecc-25519-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-25519-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,94 +0,0 @@ -C x86_64/ecc-25519-modp.asm - -ifelse(< - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "ecc-25519-modp.asm" - -define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input -define(, <%rcx>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) -define(, <%rbx>) - -PROLOGUE(nettle_ecc_25519_modp) - W64_ENTRY(2, 0) - push %rbx - - C First fold the limbs affecting bit 255 - mov 56(RP), %rax - mov $38, M - mul M - mov 24(RP), U3 - xor T0, T0 - add %rax, U3 - adc %rdx, T0 - - mov 40(RP), %rax C Do this early as possible - mul M - - add U3, U3 - adc T0, T0 - shr U3 C Undo shift, clear high bit - - C Fold the high limb again, together with RP[5] - imul $19, T0 - - mov (RP), U0 - mov 8(RP), U1 - mov 16(RP), U2 - add T0, U0 - adc %rax, U1 - mov 32(RP), %rax - adc %rdx, U2 - adc $0, U3 - - C Fold final two limbs, RP[4] and RP[6] - mul M - mov %rax, T0 - mov 48(RP), %rax - mov %rdx, T1 - mul M - add T0, U0 - mov U0, (RP) - adc T1, U1 - mov U1, 8(RP) - adc %rax, U2 - mov U2, 16(RP) - adc %rdx, U3 - mov U3, 24(RP) - - pop %rbx - W64_EXIT(2, 0) - ret -EPILOGUE(nettle_ecc_25519_modp) diff -Nru nettle-3.4.1/x86_64/ecc-25519-modp-mul.asm nettle-3.7.3/x86_64/ecc-25519-modp-mul.asm --- nettle-3.4.1/x86_64/ecc-25519-modp-mul.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-25519-modp-mul.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,268 +0,0 @@ -C x86_64/ecc-25519-modp-mul.asm - -ifelse(< - Copyright (C) 2016 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "ecc-25519-modp-mul.asm" - -C Input parameters (curve pointer in %rdi is ignored) -define(, <%rsi>) -define(, <%rdx> -define(, <%rcx> - -define(, <%rbp>) -define(, <%rdi>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) -define(

      , <%r12>) -define(

      , <%r13>) - -define(, <%r14>) -define(, <%r15>) -define(, <%rsi>) C Overlaps RP - -C modp_mul (curve, rp, ap, bp) -PROLOGUE(nettle_ecc_25519_modp_mul) - W64_ENTRY(4, 0) - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - push RP - - C Accumulate {H2, R4} = a0 b4 + a1 b3 + a2 b2 + a3 b1 + a4 b0 - C {H1, R3} = a0 b3 + a1 b2 + a2 b1 + a3 b0 + 19 a4 b4 - C {H0, R2} = a0 b2 + a1 b1 + a2 b0 + 19 (a3 b4 + a4 b3) - mov (AP), T - mov 32(BP), %rax - mul T - mov %rax, R4 - mov %rdx, H2 - mov 24(BP), %rax - mul T - mov %rax, R3, - mov %rdx, H1 - mov 16(BP), %rax - mul T - mov %rax, R2 - mov %rdx, H0 - - mov 8(AP), T - mov 24(BP), %rax - mul T - add %rax, R4 - adc %rdx, H2 - mov 16(BP), %rax - mul T - add %rax, R3 - adc %rdx, H1 - mov 8(BP), %rax - mul T - add %rax, R2 - adc %rdx, H0 - - mov 16(AP), T - mov 16(BP), %rax - mul T - add %rax, R4 - adc %rdx, H2 - mov 8(BP), %rax - mul T - add %rax, R3 - adc %rdx, H1 - mov (BP), %rax - mul T - add %rax, R2 - adc %rdx, H0 - - mov 24(AP), A3 - mov 8(BP), %rax - mul A3 - add %rax, R4 - adc %rdx, H2 - mov (BP), %rax - mul A3 - imul $19, A3 - add %rax, R3 - adc %rdx, H1 - mov 32(BP), %rax - mul A3 - add %rax, R2 - adc %rdx, H0 - - mov 32(AP), A4 - mov (BP), %rax - mul A4 - imul $19, a4 - add %rax, R4 - adc %rdx, H2 - mov 32(BP), %rax - mul A4 - add %rax, R3 - adc %rdx, H1 - mov 24(BP), %rax - mul A4 - add %rax, R2 - adc %rdx, H0 - - C Propagate R2, H0 - mov R2, T - shr $51, T - shl $13, H0 - or T, H0 - add H0, R3 - adc $0, H1 - - C Propagate R3, H1 - mov R3, T - shr $51, T - shl $13, H1 - or T, H1 - add H1, R4 - adc $0, H2 - - C Propagate R4, H2, and fold into R0 - mov R4, R0 - shr $51, R0 - shl $13, H2 - or H2, R0 - imul $19, R0 - - C Accumulate {H1, R1} = a0 b1 + a1 b0 + 19 (a2 b4 + a3 b3 + a4 b2) - C {H0, R0} = a0 b0 + 19 (a1 b4 + a2 b3 + a3 b2 + a4 b1) - C + folded high part of R4 - - mov (AP), T - mov 8(BP), %rax - mul T - mov %rax, R1 - mov %rdx, H1 - mov (BP), %rax - mul T - xor H0, H0 - add %rax, R0 - 
adc %rdx, H0 - - mov 8(AP), T - mov (BP), %rax - mul T - imul $19, T - add %rax, R1 - adc %rdx, H1 - mov 32(BP), %rax - mul T - add %rax, R0 - adc %rdx, H0 - - mov 16(AP), T - imul $19, T - mov 32(BP), %rax - mul T - add %rax, R1 - adc %rdx, H1 - mov 24(BP), %rax - mul T - add %rax, R0 - adc %rdx, H0 - - mov 24(BP), %rax - mul A3 - add %rax, R1 - adc %rdx, H1 - mov 16(BP), %rax - mul A3 - add %rax, R0 - adc %rdx, H0 - - mov 16(BP), %rax - mul A4 - add %rax, R1 - adc %rdx, H1 - mov 8(BP), %rax - mul A4 - add %rax, R0 - adc %rdx, H0 - - C Propagate R0, H0 - mov R0, T - shr $51, T - shl $13, H0 - or H0, T - add T, R1 - adc $0, H1 - - C Load mask, use H0 - mov $0x7ffffffffffff, H0 - C Mask out high parts of R2, R3 and R4, already propagated. - and H0, R2 - and H0, R3 - and H0, R4 - - C Propagate R1, H1 - mov R1, T - shr $51, T - shl $13, H1 - or H1, T - add T, R2 - - pop RP C Overlapped T, which is no longer used. - - C H1 is a larger than 51 bits, so keep propagating. - mov R2, H2 - shr $51, H2 - add H2, R3 - - C R3 might be slightly above 51 bits. - - and H0, R0 - mov R0, (RP) - and H0, R1 - mov R1, 8(RP) - and H0, R2 - mov R2, 16(RP) - mov R3, 24(RP) - mov r4, 32(RP) - - pop %r15 - pop %r14 - pop %r13 - pop %r12 - pop %rbp - pop %rbx - W64_EXIT(4, 0) - ret -EPILOGUE(nettle_ecc_25519_modp_mul) -PROLOGUE(nettle_ecc_25519_modp_sqr) - -EPILOGUE(nettle_ecc_25519_modp_sqr) diff -Nru nettle-3.4.1/x86_64/ecc-256-redc.asm nettle-3.7.3/x86_64/ecc-256-redc.asm --- nettle-3.4.1/x86_64/ecc-256-redc.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-256-redc.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,129 +0,0 @@ -C x86_64/ecc-256-redc.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "ecc-256-redc.asm" - -define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input -define(, <%rcx>) -define(, <%rax>) -define(, <%rdx>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) -define(, <%r12>) -define(, <%rbx>) -define(, <%rbp>) - -C FOLD(x), sets (F3,F2,F1,F0) <-- (x << 224) - (x << 128) - (x<<32) -define(, < - mov $1, F2 - mov $1, F3 - shl <$>32, F2 - shr <$>32, F3 - xor F0,F0 - xor F1,F1 - sub F2, F0 - sbb F3, F1 - sbb $1, F2 - sbb <$>0, F3 ->) -PROLOGUE(nettle_ecc_256_redc) - W64_ENTRY(2, 0) - C save all registers that need to be saved - push %rbx - push %rbp - push %r12 - - mov (RP), U0 - FOLD(U0) - mov 8(RP), U1 - mov 16(RP), U2 - mov 24(RP), U3 - sub F0, U1 - sbb F1, U2 - sbb F2, U3 - sbb F3, U0 C Add in later - - FOLD(U1) - mov 32(RP), U4 - sub F0, U2 - sbb F1, U3 - sbb F2, U4 - sbb F3, U1 - - FOLD(U2) - mov 40(RP), U5 - sub F0, U3 - sbb F1, U4 - sbb F2, U5 - sbb F3, U2 - - FOLD(U3) - mov 48(RP), U6 - sub F0, U4 - sbb F1, U5 - sbb F2, U6 - sbb F3, U3 - - add U4, U0 - adc U5, U1 - adc U6, U2 - adc 56(RP), U3 - - C If carry, we need to add in - C 2^256 - p = <0xfffffffe, 0xff..ff, 0xffffffff00000000, 1> - sbb F2, F2 - mov F2, F0 - mov F2, F1 - mov XREG(F2), XREG(F3) - neg F0 - shl $32, F1 - and $-2, XREG(F3) - - add F0, U0 - mov U0, (RP) - adc F1, U1 - mov U1, 8(RP) - adc F2, U2 - mov U2, 16(RP) - adc F3, U3 - - mov U3, 24(RP) - - pop %r12 - pop %rbp - pop %rbx - W64_EXIT(2, 0) - ret -EPILOGUE(nettle_ecc_256_redc) diff -Nru nettle-3.4.1/x86_64/ecc-384-modp.asm nettle-3.7.3/x86_64/ecc-384-modp.asm --- nettle-3.4.1/x86_64/ecc-384-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-384-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,234 +0,0 @@ -C x86_64/ecc-384-modp.asm - -ifelse(< - Copyright (C) 2013, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "ecc-384-modp.asm" - -define(, <%rsi>) -define(, <%rax>) -define(, <%rbx>) -define(, <%rcx>) -define(, <%rdx>) -define(, <%rbp>) -define(, <%rdi>) -define(, <%r8>) -define(, <%r9>) -define(

      , <%r10>) -define(

      , <%r11>) -define(

      , <%r12>) -define(

      , <%r13>) -define(

      , <%r14>) -define(, <%r15>) -define(, H5) C Overlap -define(, RP) C Overlap - - -PROLOGUE(nettle_ecc_384_modp) - W64_ENTRY(2, 0) - - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - - C First get top 2 limbs, which need folding twice. - C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. - C We handle the terms as follow: - C - C B^6: Folded immediatly. - C - C B^4: Delayed, added in in the next folding. - C - C 2^32(B-1) B^4: Low half limb delayed until the next - C folding. Top 1.5 limbs subtracted and shifter now, resulting - C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added - C in. - - mov 80(RP), H4 - mov 88(RP), H5 - C Shift right 32 bits, into H1, H0 - mov H4, H0 - mov H5, H1 - mov H5, D5 - shr $32, H1 - shl $32, D5 - shr $32, H0 - or D5, H0 - - C H1 H0 - C - H1 H0 - C -------- - C H1 H0 D5 - mov H0, D5 - neg D5 - sbb H1, H0 - sbb $0, H1 - - xor C2, C2 - add H4, H0 - adc H5, H1 - adc $0, C2 - - C Add in to high part - add 48(RP), H0 - adc 56(RP), H1 - adc $0, C2 C Do C2 later - - C +1 term - mov (RP), T0 - add H0, T0 - mov 8(RP), T1 - adc H1, T1 - mov 16(RP), T2 - mov 64(RP), H2 - adc H2, T2 - mov 24(RP), T3 - mov 72(RP), H3 - adc H3, T3 - mov 32(RP), T4 - adc H4, T4 - mov 40(RP), T5 - adc H5, T5 - sbb C0, C0 - neg C0 C FIXME: Switch sign of C0? 
- - push RP - - C +B^2 term - add H0, T2 - adc H1, T3 - adc H2, T4 - adc H3, T5 - adc $0, C0 - - C Shift left, including low half of H4 - mov H3, TMP - shl $32, H4 - shr $32, TMP - or TMP, H4 - - mov H2, TMP - shl $32, H3 - shr $32, TMP - or TMP, H3 - - mov H1, TMP - shl $32, H2 - shr $32, TMP - or TMP, H2 - - mov H0, TMP - shl $32, H1 - shr $32, TMP - or TMP, H1 - - shl $32, H0 - - C H4 H3 H2 H1 H0 0 - C - H4 H3 H2 H1 H0 - C --------------- - C H4 H3 H2 H1 H0 TMP - - mov H0, TMP - neg TMP - sbb H1, H0 - sbb H2, H1 - sbb H3, H2 - sbb H4, H3 - sbb $0, H4 - - add TMP, T0 - adc H0, T1 - adc H1, T2 - adc H2, T3 - adc H3, T4 - adc H4, T5 - adc $0, C0 - - C Remains to add in C2 and C0 - C Set H1, H0 = (2^96 - 2^32 + 1) C0 - mov C0, H0 - mov C0, H1 - shl $32, H1 - sub H1, H0 - sbb $0, H1 - - C Set H3, H2 = (2^96 - 2^32 + 1) C2 - mov C2, H2 - mov C2, H3 - shl $32, H3 - sub H3, H2 - sbb $0, H3 - add C0, H2 C No carry. Could use lea trick - - xor C0, C0 - add H0, T0 - adc H1, T1 - adc H2, T2 - adc H3, T3 - adc C2, T4 - adc D5, T5 C Value delayed from initial folding - adc $0, C0 C Use sbb and switch sign? - - C Final unlikely carry - mov C0, H0 - mov C0, H1 - shl $32, H1 - sub H1, H0 - sbb $0, H1 - - pop RP - - add H0, T0 - mov T0, (RP) - adc H1, T1 - mov T1, 8(RP) - adc C0, T2 - mov T2, 16(RP) - adc $0, T3 - mov T3, 24(RP) - adc $0, T4 - mov T4, 32(RP) - adc $0, T5 - mov T5, 40(RP) - - pop %r15 - pop %r14 - pop %r13 - pop %r12 - pop %rbp - pop %rbx - - W64_EXIT(2, 0) - ret -EPILOGUE(nettle_ecc_384_modp) diff -Nru nettle-3.4.1/x86_64/ecc-521-modp.asm nettle-3.7.3/x86_64/ecc-521-modp.asm --- nettle-3.4.1/x86_64/ecc-521-modp.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-521-modp.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,158 +0,0 @@ -C x86_64/ecc-521-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "ecc-521-modp.asm" - -GMP_NUMB_BITS(64) - -define(, <%rsi>) -define(, <%rax>) -define(, <%rbx>) -define(, <%rcx>) -define(, <%rdx>) -define(, <%rbp>) -define(, <%rdi>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) -define(, <%r12>) -define(, <%r13>) - -PROLOGUE(nettle_ecc_521_modp) - W64_ENTRY(2, 0) - push %rbx - push %rbp - push %r12 - push %r13 - - C Read top 17 limbs, shift left 55 bits - mov 72(RP), U1 - mov U1, U0 - shl $55, U0 - shr $9, U1 - - mov 80(RP), U2 - mov U2, T0 - shr $9, U2 - shl $55, T0 - or T0, U1 - - mov 88(RP), U3 - mov U3, T0 - shr $9, U3 - shl $55, T0 - or T0, U2 - - mov 96(RP), U4 - mov U4, T0 - shr $9, U4 - shl $55, T0 - or T0, U3 - - mov 104(RP), U5 - mov U5, T0 - shr $9, U5 - shl $55, T0 - or T0, U4 - - mov 112(RP), U6 - mov U6, T0 - shr $9, U6 - shl $55, T0 - or T0, U5 - - mov 120(RP), U7 - mov U7, T0 - shr $9, U7 - shl $55, T0 - or T0, U6 - - mov 128(RP), U8 - mov U8, T0 - shr $9, U8 - shl $55, T0 - or T0, U7 - - mov 136(RP), U9 - mov U9, T0 - shr $9, U9 - shl $55, T0 - or T0, U8 - - add (RP), U0 - adc 8(RP), U1 - adc 16(RP), U2 - adc 24(RP), U3 - adc 32(RP), U4 - adc 40(RP), U5 - adc 48(RP), U6 - adc 56(RP), U7 - adc 64(RP), U8 - adc $0, U9 - - C Top limbs are . Keep low 9 bits of 8, and fold the - C top bits (at most 65 bits). 
- mov U8, T0 - shr $9, T0 - and $0x1ff, U8 - mov U9, T1 - shl $55, U9 - shr $9, T1 - or U9, T0 - - add T0, U0 - mov U0, (RP) - adc T1, U1 - mov U1, 8(RP) - adc $0, U2 - mov U2, 16(RP) - adc $0, U3 - mov U3, 24(RP) - adc $0, U4 - mov U4, 32(RP) - adc $0, U5 - mov U5, 40(RP) - adc $0, U6 - mov U6, 48(RP) - adc $0, U7 - mov U7, 56(RP) - adc $0, U8 - mov U8, 64(RP) - - pop %r13 - pop %r12 - pop %rbp - pop %rbx - W64_EXIT(2, 0) - ret -EPILOGUE(nettle_ecc_521_modp) diff -Nru nettle-3.4.1/x86_64/ecc-curve25519-modp.asm nettle-3.7.3/x86_64/ecc-curve25519-modp.asm --- nettle-3.4.1/x86_64/ecc-curve25519-modp.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-curve25519-modp.asm 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,100 @@ +C x86_64/ecc-25519-modp.asm + +ifelse(` + Copyright (C) 2014 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+') + + .file "ecc-25519-modp.asm" + +define(`RP', `%rsi') +define(`XP', `%rdx') C Overlaps with mul register +define(`U0', `%rdi') C Overlaps unused modulo input +define(`U1', `%rcx') +define(`U2', `%r8') +define(`U3', `%r9') +define(`T0', `%r10') +define(`T1', `%r11') +define(`M', `%rbx') + +PROLOGUE(_nettle_ecc_curve25519_modp) + W64_ENTRY(3, 0) + push %rbx + push RP + mov XP, RP + + C First fold the limbs affecting bit 255 + mov 56(RP), %rax + mov $38, M + mul M + mov 24(RP), U3 + xor T0, T0 + add %rax, U3 + adc %rdx, T0 + + mov 40(RP), %rax C Do this early as possible + mul M + + add U3, U3 + adc T0, T0 + shr U3 C Undo shift, clear high bit + + C Fold the high limb again, together with RP[5] + imul $19, T0 + + mov (RP), U0 + mov 8(RP), U1 + mov 16(RP), U2 + add T0, U0 + adc %rax, U1 + mov 32(RP), %rax + adc %rdx, U2 + adc $0, U3 + + C Fold final two limbs, RP[4] and RP[6] + mul M + mov %rax, T0 + mov 48(RP), %rax + mov %rdx, T1 + mul M + + pop RP + + add T0, U0 + mov U0, (RP) + adc T1, U1 + mov U1, 8(RP) + adc %rax, U2 + mov U2, 16(RP) + adc %rdx, U3 + mov U3, 24(RP) + + pop %rbx + W64_EXIT(3, 0) + ret +EPILOGUE(_nettle_ecc_curve25519_modp) diff -Nru nettle-3.4.1/x86_64/ecc-curve448-modp.asm nettle-3.7.3/x86_64/ecc-curve448-modp.asm --- nettle-3.4.1/x86_64/ecc-curve448-modp.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-curve448-modp.asm 2021-06-06 20:06:29.000000000 +0000 
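Review bot: The header comment `C x86_64/ecc-25519-modp.asm` and the `.file "ecc-25519-modp.asm"` directive still carry the old file name although this hunk adds the file as `x86_64/ecc-curve25519-modp.asm` and the symbol is `_nettle_ecc_curve25519_modp`; the sibling `ecc-curve448-modp.asm` added in the same commit names itself correctly. Suggest `C x86_64/ecc-curve25519-modp.asm` and `.file "ecc-curve25519-modp.asm"` so the debug-info source name matches the on-disk file. The `push RP` / `mov XP, RP` / `pop RP` sequence would also benefit from a one-line comment such as `C Move input pointer out of %rdx, which mul clobbers; RP restored before the stores`, since the `C Overlaps with mul register` remark on XP only hints at why RP is saved.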
@@ -0,0 +1,147 @@ +C x86_64/ecc-curve448-modp.asm + +ifelse(` + Copyright (C) 2019 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + + .file "ecc-curve448-modp.asm" + +define(`RP', `%rsi') +define(`XP', `%rdx') +define(`X0', `%rax') +define(`X1', `%rbx') +define(`X2', `%rcx') +define(`X3', `%rbp') +define(`X4', `%rdi') +define(`X5', `%r8') +define(`X6', `%r9') +define(`X7', `%r10') +define(`T0', `%r11') +define(`T1', `%r12') +define(`T2', `%r13') + +PROLOGUE(_nettle_ecc_curve448_modp) + W64_ENTRY(3, 0) + + push %rbx + push %rbp + push %r12 + push %r13 + + C First load the values to be shifted by 32. 
+ mov 88(XP), X1 + mov X1, X0 + mov 96(XP), X2 + mov X1, T0 + mov 104(XP), X3 + mov X2, T1 + mov 56(XP), X4 + mov X3, T2 + mov 64(XP), X5 + mov 72(XP), X6 + mov 80(XP), X7 + + C Multiply by 2^32 + shl $32, X0 + shrd $32, X2, X1 + shrd $32, X3, X2 + shrd $32, X4, X3 + shrd $32, X5, X4 + shrd $32, X6, X5 + shrd $32, X7, X6 + shr $32, X7 + + C Multiply by 2 + add T0, T0 + adc T1, T1 + adc T2, T2 + adc $0, X7 + + C Main additions + add 56(XP), X0 + adc 64(XP), X1 + adc 72(XP), X2 + adc 80(XP), X3 + adc T0, X4 + adc T1, X5 + adc T2, X6 + adc $0, X7 + + add (XP), X0 + adc 8(XP), X1 + adc 16(XP), X2 + adc 24(XP), X3 + adc 32(XP), X4 + adc 40(XP), X5 + adc 48(XP), X6 + adc $0, X7 + + C X7 wraparound + mov X7, T0 + mov X7, T1 + shl $32, T0 + shr $32, T1 + xor T2, T2 + add X7, X0 + adc $0, X1 + adc $0, X2 + adc T0, X3 + adc T1, X4 + adc $0, X5 + adc $0, X6 + adc $0, T2 + + C Final carry wraparound. Carry T2 > 0 only if + C X6 is zero, so carry is absorbed. + mov T2, T0 + shl $32, T0 + + add T2, X0 + mov X0, (RP) + adc $0, X1 + mov X1, 8(RP) + adc $0, X2 + mov X2, 16(RP) + adc T0, X3 + mov X3, 24(RP) + adc $0, X4 + mov X4, 32(RP) + adc $0, X5 + mov X5, 40(RP) + adc $0, X6 + mov X6, 48(RP) + + pop %r13 + pop %r12 + pop %rbp + pop %rbx + + W64_EXIT(3, 0) + ret +EPILOGUE(_nettle_ecc_curve448_modp) diff -Nru nettle-3.4.1/x86_64/ecc-secp192r1-modp.asm nettle-3.7.3/x86_64/ecc-secp192r1-modp.asm --- nettle-3.4.1/x86_64/ecc-secp192r1-modp.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-secp192r1-modp.asm 2021-06-06 20:06:29.000000000 +0000 
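Review bot: `define(`X4', `%rdi')` reuses the register holding the unused first argument (the modulo pointer) without the `C Overlaps unused modulo input` annotation that the other files in this commit attach to their %rdi reuse (`U0` in ecc-curve25519-modp.asm, `T0` in ecc-secp192r1-modp.asm and ecc-secp224r1-modp.asm). Adding the same comment after the X4 define keeps the register-allocation notes consistent across the x86_64 modp files and makes it obvious that the first argument is never read.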
@@ -0,0 +1,90 @@ +C x86_64/ecc-secp192r1-modp.asm + +ifelse(` + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + + .file "ecc-secp192r1-modp.asm" + +define(`RP', `%rsi') +define(`XP', `%rdx') + +define(`T0', `%rdi') C Overlaps unused modulo input +define(`T1', `%rcx') +define(`T2', `%rax') +define(`T3', `%r8') +define(`H', `%r9') +define(`C1', `%r10') +define(`C2', `%r11') + + C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) + .text + ALIGN(16) +PROLOGUE(_nettle_ecc_secp192r1_modp) + W64_ENTRY(3, 0) + mov 16(XP), T2 + mov 24(XP), T3 + mov 40(XP), H + xor C1, C1 + xor C2, C2 + + add H, T2 + adc H, T3 + C Carry to be added in at T1 and T2 + setc LREG(C2) + + mov 8(XP), T1 + mov 32(XP), H + adc H, T1 + adc H, T2 + C Carry to be added in at T0 and T1 + setc LREG(C1) + + mov (XP), T0 + adc T3, T0 + adc T3, T1 + adc $0, C2 + + C Add in C1 and C2 + add C1, T1 + adc C2, T2 + setc LREG(C1) + + C Fold final carry. 
+ adc $0, T0 + adc C1, T1 + adc $0, T2 + + mov T0, (RP) + mov T1, 8(RP) + mov T2, 16(RP) + + W64_EXIT(3, 0) + ret +EPILOGUE(_nettle_ecc_secp192r1_modp) diff -Nru nettle-3.4.1/x86_64/ecc-secp224r1-modp.asm nettle-3.7.3/x86_64/ecc-secp224r1-modp.asm --- nettle-3.4.1/x86_64/ecc-secp224r1-modp.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/ecc-secp224r1-modp.asm 2021-06-06 20:06:29.000000000 +0000 
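Review bot: The prototype comment `C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)` is stale: the new code enters with `W64_ENTRY(3, 0)`, reads the input limbs through XP (%rdx, the third argument) and stores the result through RP (%rsi), so the function now takes three parameters. Suggest `C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp)`, matching whatever parameter name the C declaration uses. The same two-argument comment survives in the ecc-secp224r1-modp.asm hunk that follows (`C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)`), which is likewise a three-argument entry reading from XP.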
@@ -0,0 +1,135 @@ +C x86_64/ecc-secp224r1-modp.asm + +ifelse(` + Copyright (C) 2013 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+')
+
+ .file "ecc-secp224r1-modp.asm"
+
+GMP_NUMB_BITS(64)
+
+define(`RP', `%rsi')
+define(`XP', `%rdx')
+define(`T0', `%rdi') C Overlaps unused modulo input
+define(`T1', `%rcx')
+define(`H0', `%rax')
+define(`H1', `%r8')
+define(`H2', `%r9')
+define(`F0', `%rsi') C Overlaps RP
+define(`F1', `%r10')
+define(`F2', `%r11')
+
+ C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp)
+PROLOGUE(_nettle_ecc_secp224r1_modp)
+ W64_ENTRY(3, 0)
+ push RP
+
+ mov 48(XP), H0
+ mov 56(XP), H1
+ C Set (F2,F1,F0) <-- (H1,H0) << 32
+ mov H0, F0
+ mov H0, F1
+ shl $32, F0
+ shr $32, F1
+ mov H1, F2
+ mov H1, T0
+ shl $32, T0
+ shr $32, F2
+ or T0, F1
+
+ xor H2, H2
+ mov 16(XP), T0
+ mov 24(XP), T1
+ sub F0, T0
+ sbb F1, T1
+ sbb F2, H0
+ sbb $0, H1 C No further borrow
+
+ adc 32(XP), H0
+ adc 40(XP), H1
+ adc $0, H2
+
+ C Set (F2,F1,F0) <-- (H2,H1,H0) << 32
+ C To free registers, add in T1, T0 as soon as H0, H1 have been copied
+ mov H0, F0
+ mov H0, F1
+ add T0, H0
+ mov H1, F2
+ mov H1, T0
+ adc T1, H1
+ mov H2, T1
+ adc $0, H2
+
+ C Shift 32 bits
+ shl $32, F0
+ shr $32, F1
+ shl $32, T0
+ shr $32, F2
+ shl $32, T1
+ or T0, F1
+ or T1, F2
+
+ mov (XP), T0
+ mov 8(XP), T1
+ sub F0, T0
+ sbb F1, T1
+ sbb F2, H0
+ sbb $0, H1
+ sbb $0, H2
+
+ C We now have H2, H1, H0, T1, T0, with 33 bits left to reduce
+ C Set F0 <-- (H2, H1) >> 32
+ C Set (F2,F1) <-- (H2, H1 & 0xffffffff00000000)
+ C H1 <-- H1 & 0xffffffff
+
+ mov H1, F0
+ mov H1, F1
+ mov H2, F2
+ movl XREG(H1), XREG(H1) C Clears high 32 bits
+ sub H1, F1 C Clears low 32 bits
+ shr $32, F0
+ shl $32, H2
+ or H2, F0
+
+ sub F0, T0
+ sbb $0, F1
+ sbb $0, F2
+ add F1, T1
+ adc F2, H0
+ adc $0, H1
+
+ pop RP
+ mov T0, (RP)
+ mov T1, 8(RP)
+ mov H0, 16(RP)
+ mov H1, 24(RP)
+
+ W64_EXIT(3, 0)
+ ret
+EPILOGUE(_nettle_ecc_secp224r1_modp)
diff -Nru nettle-3.4.1/x86_64/ecc-secp256r1-redc.asm nettle-3.7.3/x86_64/ecc-secp256r1-redc.asm
--- nettle-3.4.1/x86_64/ecc-secp256r1-redc.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/x86_64/ecc-secp256r1-redc.asm 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,133 @@
+C x86_64/ecc-secp256r1-redc.asm
+
+ifelse(`
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+ .file "ecc-secp256r1-redc.asm"
+
+define(`RP', `%rsi')
+define(`XP', `%rdx')
+
+define(`U0', `%rdi') C Overlaps unused modulo input
+define(`U1', `%rcx')
+define(`U2', `%rax')
+define(`U3', `%r8')
+define(`U4', `%r9')
+define(`U5', `%r10')
+define(`U6', `%r11')
+define(`F0', `%r12')
+define(`F1', `%r13')
+define(`F2', `%rbx')
+define(`F3', `%rbp')
+
+C FOLD(x), sets (F3,F2,F1,F0) <-- (x << 224) - (x << 128) - (x<<32)
+define(`FOLD', `
+ mov $1, F2
+ mov $1, F3
+ shl `$'32, F2
+ shr `$'32, F3
+ xor F0,F0
+ xor F1,F1
+ sub F2, F0
+ sbb F3, F1
+ sbb $1, F2
+ sbb `$'0, F3
+')
+PROLOGUE(_nettle_ecc_secp256r1_redc)
+ W64_ENTRY(3, 0)
+ C save all registers that need to be saved
+ push %rbx
+ push %rbp
+ push %r12
+ push %r13
+
+ mov (XP), U0
+ FOLD(U0)
+ mov 8(XP), U1
+ mov 16(XP), U2
+ mov 24(XP), U3
+ sub F0, U1
+ sbb F1, U2
+ sbb F2, U3
+ sbb F3, U0 C Add in later
+
+ FOLD(U1)
+ mov 32(XP), U4
+ sub F0, U2
+ sbb F1, U3
+ sbb F2, U4
+ sbb F3, U1
+
+ FOLD(U2)
+ mov 40(XP), U5
+ sub F0, U3
+ sbb F1, U4
+ sbb F2, U5
+ sbb F3, U2
+
+ FOLD(U3)
+ mov 48(XP), U6
+ sub F0, U4
+ sbb F1, U5
+ sbb F2, U6
+ sbb F3, U3
+
+ add U4, U0
+ adc U5, U1
+ adc U6, U2
+ adc 56(XP), U3
+
+ C If carry, we need to add in
+ C 2^256 - p = <0xfffffffe, 0xff..ff, 0xffffffff00000000, 1>
+ sbb F2, F2
+ mov F2, F0
+ mov F2, F1
+ mov XREG(F2), XREG(F3)
+ neg F0
+ shl $32, F1
+ and $-2, XREG(F3)
+
+ add F0, U0
+ mov U0, (RP)
+ adc F1, U1
+ mov U1, 8(RP)
+ adc F2, U2
+ mov U2, 16(RP)
+ adc F3, U3
+
+ mov U3, 24(RP)
+
+ pop %r13
+ pop %r12
+ pop %rbp
+ pop %rbx
+ W64_EXIT(3, 0)
+ ret
+EPILOGUE(_nettle_ecc_secp256r1_redc)
diff -Nru nettle-3.4.1/x86_64/ecc-secp384r1-modp.asm nettle-3.7.3/x86_64/ecc-secp384r1-modp.asm
--- nettle-3.4.1/x86_64/ecc-secp384r1-modp.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/x86_64/ecc-secp384r1-modp.asm 2021-06-06 20:06:29.000000000 +0000
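Review bot: The routine has no signature comment and nothing states the range of its result; the sibling `ecc_secp384r1_modp` hunk carries `C void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp)`, and the same line, with the 256r1 redc name substituted, belongs directly above `PROLOGUE(_nettle_ecc_secp256r1_redc)` (the `ecc_secp224r1_modp` comment above this hunk lists only `m` and `rp`, although its `W64_ENTRY(3, 0)` and the reads through `XP` show a third argument, so that comment wants the same correction). After the final `adc F3, U3` there is no compare-and-subtract against p, so the value stored through `RP` is below 2^256 but not necessarily canonical; a note such as `C Result is < 2^256 but not necessarily < p; caller canonicalizes` keeps a later reader from relying on full reduction. The carry correction derived from `sbb F2, F2` is branch-free, which is the property that keeps this secret-dependent path free of data-dependent timing, and a comment `C Branch-free conditional add of 2^256 - p; keep it that way` on that line records the invariant maintainers must preserve.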
@@ -0,0 +1,238 @@
+C x86_64/ecc-secp384r1-modp.asm
+
+ifelse(`
+ Copyright (C) 2013, 2015 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+ .file "ecc-secp384r1-modp.asm"
+
+C Input arguments:
+C %rdi (unused)
+define(`RP', `%rsi')
+define(`XP', `%rdx')
+
+define(`D5', `%rax')
+define(`T0', `%rbx')
+define(`T1', `%rcx')
+define(`T2', `%rdi')
+define(`T3', `%rbp')
+define(`T4', `%rsi')
+define(`T5', `%r8')
+define(`H0', `%r9')
+define(`H1', `%r10')
+define(`H2', `%r11')
+define(`H3', `%r12')
+define(`H4', `%r13')
+define(`H5', `%r14')
+define(`C2', `%r15')
+define(`C0', H5) C Overlap
+define(`TMP', XP) C Overlap
+
+ C void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp)
+
+PROLOGUE(_nettle_ecc_secp384r1_modp)
+ W64_ENTRY(3, 0)
+
+ push %rbx
+ push %rbp
+ push %r12
+ push %r13
+ push %r14
+ push %r15
+
+ push RP C Output pointer
+ C First get top 2 limbs, which need folding twice.
+ C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.
+ C We handle the terms as follow:
+ C
+ C B^6: Folded immediatly.
+ C
+ C B^4: Delayed, added in in the next folding.
+ C
+ C 2^32(B-1) B^4: Low half limb delayed until the next
+ C folding. Top 1.5 limbs subtracted and shifter now, resulting
+ C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added
+ C in.
+
+ mov 80(XP), H4
+ mov 88(XP), H5
+ C Shift right 32 bits, into H1, H0
+ mov H4, H0
+ mov H5, H1
+ mov H5, D5
+ shr $32, H1
+ shl $32, D5
+ shr $32, H0
+ or D5, H0
+
+ C H1 H0
+ C - H1 H0
+ C --------
+ C H1 H0 D5
+ mov H0, D5
+ neg D5
+ sbb H1, H0
+ sbb $0, H1
+
+ xor C2, C2
+ add H4, H0
+ adc H5, H1
+ adc $0, C2
+
+ C Add in to high part
+ add 48(XP), H0
+ adc 56(XP), H1
+ adc $0, C2 C Do C2 later
+
+ C +1 term
+ mov (XP), T0
+ add H0, T0
+ mov 8(XP), T1
+ adc H1, T1
+ mov 16(XP), T2
+ mov 64(XP), H2
+ adc H2, T2
+ mov 24(XP), T3
+ mov 72(XP), H3
+ adc H3, T3
+ mov 32(XP), T4
+ adc H4, T4
+ mov 40(XP), T5
+ adc H5, T5
+ sbb C0, C0
+ neg C0 C FIXME: Switch sign of C0?
+
+ C +B^2 term
+ add H0, T2
+ adc H1, T3
+ adc H2, T4
+ adc H3, T5
+ adc $0, C0
+
+ C Shift left, including low half of H4
+ mov H3, TMP
+ shl $32, H4
+ shr $32, TMP
+ or TMP, H4
+
+ mov H2, TMP
+ shl $32, H3
+ shr $32, TMP
+ or TMP, H3
+
+ mov H1, TMP
+ shl $32, H2
+ shr $32, TMP
+ or TMP, H2
+
+ mov H0, TMP
+ shl $32, H1
+ shr $32, TMP
+ or TMP, H1
+
+ shl $32, H0
+
+ C H4 H3 H2 H1 H0 0
+ C - H4 H3 H2 H1 H0
+ C ---------------
+ C H4 H3 H2 H1 H0 TMP
+
+ mov H0, TMP
+ neg TMP
+ sbb H1, H0
+ sbb H2, H1
+ sbb H3, H2
+ sbb H4, H3
+ sbb $0, H4
+
+ add TMP, T0
+ adc H0, T1
+ adc H1, T2
+ adc H2, T3
+ adc H3, T4
+ adc H4, T5
+ adc $0, C0
+
+ C Remains to add in C2 and C0
+ C Set H1, H0 = (2^96 - 2^32 + 1) C0
+ mov C0, H0
+ mov C0, H1
+ shl $32, H1
+ sub H1, H0
+ sbb $0, H1
+
+ C Set H3, H2 = (2^96 - 2^32 + 1) C2
+ mov C2, H2
+ mov C2, H3
+ shl $32, H3
+ sub H3, H2
+ sbb $0, H3
+ add C0, H2 C No carry. Could use lea trick
+
+ xor C0, C0
+ add H0, T0
+ adc H1, T1
+ adc H2, T2
+ adc H3, T3
+ adc C2, T4
+ adc D5, T5 C Value delayed from initial folding
+ adc $0, C0 C Use sbb and switch sign?
+
+ C Final unlikely carry
+ mov C0, H0
+ mov C0, H1
+ shl $32, H1
+ sub H1, H0
+ sbb $0, H1
+
+ pop XP C Original RP argument
+
+ add H0, T0
+ mov T0, (XP)
+ adc H1, T1
+ mov T1, 8(XP)
+ adc C0, T2
+ mov T2, 16(XP)
+ adc $0, T3
+ mov T3, 24(XP)
+ adc $0, T4
+ mov T4, 32(XP)
+ adc $0, T5
+ mov T5, 40(XP)
+
+ pop %r15
+ pop %r14
+ pop %r13
+ pop %r12
+ pop %rbp
+ pop %rbx
+
+ W64_EXIT(3, 0)
+ ret
+EPILOGUE(_nettle_ecc_secp384r1_modp)
diff -Nru nettle-3.4.1/x86_64/ecc-secp521r1-modp.asm nettle-3.7.3/x86_64/ecc-secp521r1-modp.asm
--- nettle-3.4.1/x86_64/ecc-secp521r1-modp.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/x86_64/ecc-secp521r1-modp.asm 2021-06-06 20:06:29.000000000 +0000
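Review bot: Two typos in the folding description at the top of the body: `C B^6: Folded immediatly.` should read `immediately`, and `Top 1.5 limbs subtracted and shifter now` should read `shifted now`. Two open questions are also shipped as comments on live code, `neg C0 C FIXME: Switch sign of C0?` and `adc $0, C0 C Use sbb and switch sign?`; either resolve them or reword them into a statement of the chosen convention (C0 accumulates a non-negative carry count), so a later reader does not take them for a known defect. The register aliasing is the subtle part of this routine (`T4` is `%rsi`, i.e. `RP`; `TMP` is `XP`; `C0` is `H5`), and while the defines carry `C Overlap`, a sentence at `push RP C Output pointer` saying that XP must not be read once `TMP` has been written, and that RP is recovered by `pop XP`, would make the ordering constraint explicit where the instructions depend on it.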
@@ -0,0 +1,162 @@
+C x86_64/ecc-secp521r1-modp.asm
+
+ifelse(`
+ Copyright (C) 2013 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+ .file "ecc-secp521r1-modp.asm"
+
+GMP_NUMB_BITS(64)
+
+define(`RP', `%rsi')
+define(`XP', `%rdx')
+
+define(`U0', `%rax')
+define(`U1', `%rbx')
+define(`U2', `%rcx')
+define(`U3', `%rbp')
+define(`U4', `%rdi')
+define(`U5', `%r8')
+define(`U6', `%r9')
+define(`U7', `%r10')
+define(`U8', `%r11')
+define(`U9', `%r12')
+define(`T0', `%r13')
+define(`T1', `%r14')
+
+PROLOGUE(_nettle_ecc_secp521r1_modp)
+ W64_ENTRY(3, 0)
+ push %rbx
+ push %rbp
+ push %r12
+ push %r13
+ push %r14
+
+ C Read top 17 limbs, shift left 55 bits
+ mov 72(XP), U1
+ mov U1, U0
+ shl $55, U0
+ shr $9, U1
+
+ mov 80(XP), U2
+ mov U2, T0
+ shr $9, U2
+ shl $55, T0
+ or T0, U1
+
+ mov 88(XP), U3
+ mov U3, T0
+ shr $9, U3
+ shl $55, T0
+ or T0, U2
+
+ mov 96(XP), U4
+ mov U4, T0
+ shr $9, U4
+ shl $55, T0
+ or T0, U3
+
+ mov 104(XP), U5
+ mov U5, T0
+ shr $9, U5
+ shl $55, T0
+ or T0, U4
+
+ mov 112(XP), U6
+ mov U6, T0
+ shr $9, U6
+ shl $55, T0
+ or T0, U5
+
+ mov 120(XP), U7
+ mov U7, T0
+ shr $9, U7
+ shl $55, T0
+ or T0, U6
+
+ mov 128(XP), U8
+ mov U8, T0
+ shr $9, U8
+ shl $55, T0
+ or T0, U7
+
+ mov 136(XP), U9
+ mov U9, T0
+ shr $9, U9
+ shl $55, T0
+ or T0, U8
+
+ add (XP), U0
+ adc 8(XP), U1
+ adc 16(XP), U2
+ adc 24(XP), U3
+ adc 32(XP), U4
+ adc 40(XP), U5
+ adc 48(XP), U6
+ adc 56(XP), U7
+ adc 64(XP), U8
+ adc $0, U9
+
+ C Top limbs are . Keep low 9 bits of 8, and fold the
+ C top bits (at most 65 bits).
+ mov U8, T0
+ shr $9, T0
+ and $0x1ff, U8
+ mov U9, T1
+ shl $55, U9
+ shr $9, T1
+ or U9, T0
+
+ add T0, U0
+ mov U0, (RP)
+ adc T1, U1
+ mov U1, 8(RP)
+ adc $0, U2
+ mov U2, 16(RP)
+ adc $0, U3
+ mov U3, 24(RP)
+ adc $0, U4
+ mov U4, 32(RP)
+ adc $0, U5
+ mov U5, 40(RP)
+ adc $0, U6
+ mov U6, 48(RP)
+ adc $0, U7
+ mov U7, 56(RP)
+ adc $0, U8
+ mov U8, 64(RP)
+
+ pop %r14
+ pop %r13
+ pop %r12
+ pop %rbp
+ pop %rbx
+ W64_EXIT(3, 0)
+ ret
+EPILOGUE(_nettle_ecc_secp521r1_modp)
diff -Nru nettle-3.4.1/x86_64/fat/aes-decrypt-internal-2.asm nettle-3.7.3/x86_64/fat/aes-decrypt-internal-2.asm
--- nettle-3.4.1/x86_64/fat/aes-decrypt-internal-2.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/aes-decrypt-internal-2.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,7 +1,7 @@
 C x86_64/fat/aes-decrypt-internal-2.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2015 Niels Möller
 
 This file is part of GNU Nettle.
@@ -29,7 +29,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
-define(, <$1_aesni>)
-include_src()
+define(`fat_transform', `$1_aesni')
+include_src(`x86_64/aesni/aes-decrypt-internal.asm')
diff -Nru nettle-3.4.1/x86_64/fat/aes-decrypt-internal.asm nettle-3.7.3/x86_64/fat/aes-decrypt-internal.asm
--- nettle-3.4.1/x86_64/fat/aes-decrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/aes-decrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,7 +1,7 @@
 C x86_64/fat/aes-decrypt-internal.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2015 Niels Möller
 
 This file is part of GNU Nettle.
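Review bot: The comment `C Read top 17 limbs, shift left 55 bits` does not match the loads under it: `mov 72(XP), U1` through `mov 136(XP), U9` read nine 64-bit limbs (limbs 9 to 17 of the 18-limb input), so `C Read top 9 limbs (limbs 9..17), shift left 55 bits` is the accurate wording. The second fold's comment `C Top limbs are . Keep low 9 bits of 8, and fold the` has lost its register list between `are` and the period (presumably `U9, U8`; it may have been dropped in this rendering rather than in the file) and says `8` where `U8` is meant; suggested wording: `C Top limbs are U9, U8. Keep the low 9 bits of U8 and fold the bits above (at most 65 bits).` Both folds are straight-line add/adc sequences with no data-dependent branch, which is worth stating once near `PROLOGUE(_nettle_ecc_secp521r1_modp)` as the timing invariant that later edits must preserve.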
@@ -29,7 +29,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
-define(, <$1_x86_64>)
-include_src()
+define(`fat_transform', `$1_x86_64')
+include_src(`x86_64/aes-decrypt-internal.asm')
diff -Nru nettle-3.4.1/x86_64/fat/aes-encrypt-internal-2.asm nettle-3.7.3/x86_64/fat/aes-encrypt-internal-2.asm
--- nettle-3.4.1/x86_64/fat/aes-encrypt-internal-2.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/aes-encrypt-internal-2.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,7 +1,7 @@
 C x86_64/fat/aes-encrypt-internal-2.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2015 Niels Möller
 
 This file is part of GNU Nettle.
@@ -29,7 +29,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
-define(, <$1_aesni>)
-include_src()
+define(`fat_transform', `$1_aesni')
+include_src(`x86_64/aesni/aes-encrypt-internal.asm')
diff -Nru nettle-3.4.1/x86_64/fat/aes-encrypt-internal.asm nettle-3.7.3/x86_64/fat/aes-encrypt-internal.asm
--- nettle-3.4.1/x86_64/fat/aes-encrypt-internal.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/aes-encrypt-internal.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,7 +1,7 @@
 C x86_64/fat/aes-encrypt-internal.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2015 Niels Möller
 
 This file is part of GNU Nettle.
@@ -29,7 +29,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
-define(, <$1_x86_64>)
-include_src()
+define(`fat_transform', `$1_x86_64')
+include_src(`x86_64/aes-encrypt-internal.asm')
diff -Nru nettle-3.4.1/x86_64/fat/cpuid.asm nettle-3.7.3/x86_64/fat/cpuid.asm
--- nettle-3.4.1/x86_64/fat/cpuid.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/cpuid.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C x86_64/fat/cpuid.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2015 Niels Möller
 
 This file is part of GNU Nettle.
@@ -28,7 +28,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
 C Input argument
 C cpuid input: %edi
@@ -43,8 +43,9 @@
 PROLOGUE(_nettle_cpuid)
 W64_ENTRY(2)
 push %rbx
-
+
 movl %edi, %eax
+ xorl %ecx, %ecx C Information we need use ecx = 0
 cpuid
 mov %eax, (%rsi)
 mov %ebx, 4(%rsi)
diff -Nru nettle-3.4.1/x86_64/fat/memxor-2.asm nettle-3.7.3/x86_64/fat/memxor-2.asm
--- nettle-3.4.1/x86_64/fat/memxor-2.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/memxor-2.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,7 +1,7 @@
 C x86_64/fat/memxor-2.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2015 Niels Möller
 
 This file is part of GNU Nettle.
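Review bot: The new `xorl %ecx, %ecx C Information we need use ecx = 0` comment is ungrammatical and does not say why the register matters; `C Sub-leaf 0: cpuid takes %ecx as the sub-leaf index (leaf 7), so it must not be left at whatever the caller passed` states the reason in the cpuid hunk of fat/cpuid.asm. Before this change %ecx held an unspecified value at the `cpuid` instruction, so a leaf-7 query, presumably the one the new `fat/sha1-compress-2.asm` and `fat/sha256-compress-2.asm` wrappers rely on for SHA extension detection, could have reported a different sub-leaf's bits; recording that in the comment helps anyone triaging feature-detection reports from builds without this fix. The function continues past the hunk's last line `mov %ebx, 4(%rsi)`.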
@@ -29,8 +29,8 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
-define(, <_$1_sse2>)
-define(, )
-include_src()
+define(`fat_transform', `_$1_sse2')
+define(`USE_SSE2', `yes')
+include_src(`x86_64/memxor.asm')
diff -Nru nettle-3.4.1/x86_64/fat/memxor.asm nettle-3.7.3/x86_64/fat/memxor.asm
--- nettle-3.4.1/x86_64/fat/memxor.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/memxor.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,7 +1,7 @@
 C x86_64/fat/memxor.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2015 Niels Möller
 
 This file is part of GNU Nettle.
@@ -29,7 +29,7 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
-define(, <_$1_x86_64>)
-include_src()
+define(`fat_transform', `_$1_x86_64')
+include_src(`x86_64/memxor.asm')
diff -Nru nettle-3.4.1/x86_64/fat/sha1-compress-2.asm nettle-3.7.3/x86_64/fat/sha1-compress-2.asm
--- nettle-3.4.1/x86_64/fat/sha1-compress-2.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/sha1-compress-2.asm 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,34 @@
+C x86_64/fat/sha1-compress-2.asm
+
+ifelse(`
+ Copyright (C) 2018 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+define(`fat_transform', `_$1_sha_ni')
+include_src(`x86_64/sha_ni/sha1-compress.asm')
diff -Nru nettle-3.4.1/x86_64/fat/sha1-compress.asm nettle-3.7.3/x86_64/fat/sha1-compress.asm
--- nettle-3.4.1/x86_64/fat/sha1-compress.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/sha1-compress.asm 2021-06-06 20:06:29.000000000 +0000
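Review bot: `define(`fat_transform', `_$1_sha_ni')` prepends an underscore here, while the sha256 counterpart later in this diff (`fat/sha256-compress-2.asm`) uses `$1_sha_ni` without one, and neither file says why. Presumably this mirrors whether the base symbol is the public `nettle_sha1_compress` or the internal `_nettle_sha256_compress`, in line with the `_nettle_md5_compress` to `nettle_md5_compress` rename elsewhere in this diff, but a reader of the wrapper alone cannot tell a convention from a typo. A one-line comment above the define, `C sha1_compress is a public symbol; the sha_ni variant keeps the internal _nettle_ prefix`, would document the intent and make a future mismatch visible at review time.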
@@ -0,0 +1,34 @@
+C x86_64/fat/sha1-compress.asm
+
+ifelse(`
+ Copyright (C) 2018 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+define(`fat_transform', `_$1_x86_64')
+include_src(`x86_64/sha1-compress.asm')
diff -Nru nettle-3.4.1/x86_64/fat/sha256-compress-2.asm nettle-3.7.3/x86_64/fat/sha256-compress-2.asm
--- nettle-3.4.1/x86_64/fat/sha256-compress-2.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/sha256-compress-2.asm 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,34 @@
+C x86_64/fat/sha256-compress-2.asm
+
+ifelse(`
+ Copyright (C) 2018 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+define(`fat_transform', `$1_sha_ni')
+include_src(`x86_64/sha_ni/sha256-compress.asm')
diff -Nru nettle-3.4.1/x86_64/fat/sha256-compress.asm nettle-3.7.3/x86_64/fat/sha256-compress.asm
--- nettle-3.4.1/x86_64/fat/sha256-compress.asm 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/x86_64/fat/sha256-compress.asm 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,34 @@
+C x86_64/fat/sha256-compress.asm
+
+ifelse(`
+ Copyright (C) 2018 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+')
+
+define(`fat_transform', `$1_x86_64')
+include_src(`x86_64/sha256-compress.asm')
diff -Nru nettle-3.4.1/x86_64/gcm-hash8.asm nettle-3.7.3/x86_64/gcm-hash8.asm
--- nettle-3.4.1/x86_64/gcm-hash8.asm 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/gcm-hash8.asm 2021-06-06 20:06:29.000000000 +0000
@@ -1,6 +1,6 @@
 C x86_64/gcm-hash8.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2013 Niels Möller
 
 This file is part of GNU Nettle.
@@ -28,23 +28,23 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
 C Register usage:
 
-define(, <%rdi>)
-define(, <%rsi>)
-define(, <%rdx>)
-define(, <%rcx>)
-define(, <%rax>)
-define(, <%rbx>)
-define(, <%ebp>)
-define(, <%r8>)
-define(, <%r9>)
-define(, <%r10>)
-define(, <%r11>)
-define(, <%r12>)
-define(, <%r13>)
+define(`KEY', `%rdi')
+define(`XP', `%rsi')
+define(`LENGTH', `%rdx')
+define(`SRC', `%rcx')
+define(`X0', `%rax')
+define(`X1', `%rbx')
+define(`CNT', `%ebp')
+define(`T0', `%r8')
+define(`T1', `%r9')
+define(`T2', `%r10')
+define(`Z0', `%r11')
+define(`Z1', `%r12')
+define(`SHIFT_TABLE', `%r13')
 
 .file "gcm-hash8.asm"
 
@@ -200,7 +200,7 @@
 ret
 EPILOGUE(_nettle_gcm_hash8)
 
-define(, <0x$2$1>)
+define(`W', `0x$2$1')
 RODATA
 ALIGN(2)
 C NOTE: Sun/Oracle assembler doesn't support ".short".
diff -Nru nettle-3.4.1/x86_64/machine.m4 nettle-3.7.3/x86_64/machine.m4
--- nettle-3.4.1/x86_64/machine.m4 2018-12-04 20:56:06.000000000 +0000
+++ nettle-3.7.3/x86_64/machine.m4 2021-06-06 20:06:29.000000000 +0000
@@ -1,13 +1,13 @@ C OFFSET(i) C Expands to 4*i, or to the empty string if i is zero -define(, ) +define(`OFFSET', `ifelse($1,0,,eval(4*$1))') C OFFSET64(i) C Expands to 8*i, or to the empty string if i is zero -define(, ) +define(`OFFSET64', `ifelse($1,0,,eval(8*$1))') dnl LREG(reg) gives the 8-bit register corresponding to the given 64-bit register. -define(,)dnl + $1, %r15, %r15b)')dnl -define(,)dnl + $1, %rdx, %dh)')dnl -define(,)dnl + $1, %r15, %r15w)')dnl -define(,)dnl + $1, %r15, %r15d)')dnl dnl W64_ENTRY(nargs, xmm_used) -define(, < - changequote([,])dnl - ifelse(<<<<<<<<<<<<<<<<<< ignored; only for balancing) - ifelse(W64_ABI,yes,[ +define(`W64_ENTRY', ` + ifelse(W64_ABI,yes,` dnl unconditionally push %rdi, making %rsp 16-byte aligned push %rdi dnl Save %xmm6, ..., if needed - ifelse(eval($2 > 6), 1, [ - sub [$]eval(16*($2 - 6)), %rsp + ifelse(eval($2 > 6), 1, ` + sub `$'eval(16*($2 - 6)), %rsp movdqa %xmm6, 0(%rsp) - ]) - ifelse(eval($2 > 7), 1, [ + ') + ifelse(eval($2 > 7), 1, ` movdqa %xmm7, 16(%rsp) - ]) - ifelse(eval($2 > 8), 1, [ + ') + ifelse(eval($2 > 8), 1, ` movdqa %xmm8, 32(%rsp) - ]) - ifelse(eval($2 > 9), 1, [ + ') + ifelse(eval($2 > 9), 1, ` movdqa %xmm9, 48(%rsp) - ]) - ifelse(eval($2 > 10), 1, [ + ') + ifelse(eval($2 > 10), 1, ` movdqa %xmm10, 64(%rsp) - ]) - ifelse(eval($2 > 11), 1, [ + ') + ifelse(eval($2 > 11), 1, ` movdqa %xmm11, 80(%rsp) - ]) - ifelse(eval($2 > 12), 1, [ + ') + ifelse(eval($2 > 12), 1, ` movdqa %xmm12, 96(%rsp) - ]) - ifelse(eval($2 > 13), 1, [ + ') + ifelse(eval($2 > 13), 1, ` movdqa %xmm13, 112(%rsp) - ]) - ifelse(eval($2 > 14), 1, [ + ') + ifelse(eval($2 > 14), 1, ` movdqa %xmm14, 128(%rsp) - ]) - ifelse(eval($2 > 15), 1, [ + ') + ifelse(eval($2 > 15), 1, ` movdqa %xmm15, 144(%rsp) - ]) + ') dnl Move around arguments - ifelse(eval($1 >= 1), 1, [ + ifelse(eval($1 >= 1), 1, ` mov %rcx, %rdi - ]) - ifelse(eval($1 >= 2), 1, [ + ') + ifelse(eval($1 >= 2), 1, ` dnl NOTE: Breaks 16-byte %rsp alignment push %rsi mov %rdx, 
%rsi - ]) - ifelse(eval($1 >= 3), 1, [ + ') + ifelse(eval($1 >= 3), 1, ` mov %r8, %rdx - ]) - ifelse(eval($1 >= 4), 1, [ + ') + ifelse(eval($1 >= 4), 1, ` mov %r9, %rcx - ]) - ifelse(eval($1 >= 5), 1, [ + ') + ifelse(eval($1 >= 5), 1, ` mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+56),56)(%rsp), %r8 - ]) - ifelse(eval($1 >= 6), 1, [ + ') + ifelse(eval($1 >= 6), 1, ` mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+64),64)(%rsp), %r9 - ]) - ]) - changequote(<,>)dnl ->) + ') + ') +') dnl W64_EXIT(nargs, xmm_used) -define(, < - changequote([,])dnl - ifelse(<<<<<<<<<<< ignored; only for balancing) - ifelse(W64_ABI,yes,[ - ifelse(eval($1 >= 2), 1, [ +define(`W64_EXIT', ` + ifelse(W64_ABI,yes,` + ifelse(eval($1 >= 2), 1, ` pop %rsi - ]) - ifelse(eval($2 > 15), 1, [ + ') + ifelse(eval($2 > 15), 1, ` movdqa 144(%rsp), %xmm15 - ]) - ifelse(eval($2 > 14), 1, [ + ') + ifelse(eval($2 > 14), 1, ` movdqa 128(%rsp), %xmm14 - ]) - ifelse(eval($2 > 13), 1, [ + ') + ifelse(eval($2 > 13), 1, ` movdqa 112(%rsp), %xmm13 - ]) - ifelse(eval($2 > 12), 1, [ + ') + ifelse(eval($2 > 12), 1, ` movdqa 96(%rsp), %xmm12 - ]) - ifelse(eval($2 > 11), 1, [ + ') + ifelse(eval($2 > 11), 1, ` movdqa 80(%rsp), %xmm11 - ]) - ifelse(eval($2 > 10), 1, [ + ') + ifelse(eval($2 > 10), 1, ` movdqa 64(%rsp), %xmm10 - ]) - ifelse(eval($2 > 9), 1, [ + ') + ifelse(eval($2 > 9), 1, ` movdqa 48(%rsp), %xmm9 - ]) - ifelse(eval($2 > 8), 1, [ + ') + ifelse(eval($2 > 8), 1, ` movdqa 32(%rsp), %xmm8 - ]) - ifelse(eval($2 > 7), 1, [ + ') + ifelse(eval($2 > 7), 1, ` movdqa 16(%rsp), %xmm7 - ]) - ifelse(eval($2 > 6), 1, [ + ') + ifelse(eval($2 > 6), 1, ` movdqa (%rsp), %xmm6 - add [$]eval(16*($2 - 6)), %rsp - ]) + add `$'eval(16*($2 - 6)), %rsp + ') pop %rdi - ]) - changequote(<,>)dnl ->) + ') +') diff -Nru nettle-3.4.1/x86_64/md5-compress.asm nettle-3.7.3/x86_64/md5-compress.asm --- nettle-3.4.1/x86_64/md5-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/md5-compress.asm 2021-06-06 20:06:29.000000000 +0000 
@@ -1,6 +1,6 @@
 C x86_64/md5-compress.asm
 
-ifelse(<
+ifelse(`
 Copyright (C) 2005, 2013 Niels Möller
 
 This file is part of GNU Nettle.
@@ -28,61 +28,61 @@
 You should have received copies of the GNU General Public License and
 the GNU Lesser General Public License along with this program. If
 not, see http://www.gnu.org/licenses/.
->)
+')
 
 C Registers:
 
-define(, <%rdi>)
-define(, <%rsi>)
-define(,<%rax>)
-define(,<%rbx>)
-define(,<%rcx>)
-define(,<%rbp>)
-define(, <%r8>)
+define(`STATE', `%rdi')
+define(`INPUT', `%rsi')
+define(`SA',`%rax')
+define(`SB',`%rbx')
+define(`SC',`%rcx')
+define(`SD',`%rbp')
+define(`TMP', `%r8')
 
 C F1(x,y,z) = (z ^ (x & (y ^ z)))
-define(, <
+define(`F1', `
 movl XREG($3), XREG(TMP)
 xorl XREG($2), XREG(TMP)
 andl XREG($1), XREG(TMP)
- xorl XREG($3), XREG(TMP)>)
+ xorl XREG($3), XREG(TMP)')
 
-define(,)
+define(`F2',`F1($3, $1, $2)')
 
 C F3(x,y,z) = x ^ y ^ z
-define(,<
+define(`F3',`
 movl XREG($1), XREG(TMP)
 xorl XREG($2), XREG(TMP)
- xorl XREG($3), XREG(TMP)>)
+ xorl XREG($3), XREG(TMP)')
 
 C F4(x,y,z) = y ^ (x | ~z)
-define(,<
+define(`F4',`
 movl XREG($3), XREG(TMP)
 notl XREG(TMP)
 orl XREG($1), XREG(TMP)
- xorl XREG($2), XREG(TMP)>)
+ xorl XREG($2), XREG(TMP)')
 
 C Index to 4*i, or to the empty string if zero
-define(,)
+define(`REF',`ifelse($1,0,,eval(4*$1))(INPUT)')
 
 C ROUND(f, w, x, y, z, k, data, s):
 C w += f(x,y,z) + data + k
 C w <<< s
 C w += x
-define(,<
- addl <$>$7, XREG($2)
+define(`ROUND',`
+ addl `$'$7, XREG($2)
 $1($3, $4, $5)
 addl $6, XREG($2)
 addl XREG(TMP), XREG($2)
- roll <$>$8, XREG($2)
- addl XREG($3), XREG($2)>)
+ roll `$'$8, XREG($2)
+ addl XREG($3), XREG($2)')
 
 .file "md5-compress.asm"
 
- C _nettle_md5_compress(uint32_t *state, uint8_t *input)
+ C nettle_md5_compress(uint32_t *state, uint8_t *input)
 .text
 ALIGN(16)
-PROLOGUE(_nettle_md5_compress)
+PROLOGUE(nettle_md5_compress)
 W64_ENTRY(2,0)
 C save all registers that need to be saved
 push %rbp
@@ -94,73 +94,73 @@
 movl 8(STATE), XREG(SC)
 movl 12(STATE), XREG(SD)
 
- ROUND(, SA, SB, SC, SD, REF( 0), 0xd76aa478, 7)
- ROUND(, SD, SA, SB, SC, REF( 1), 0xe8c7b756, 12)
- ROUND(, SC, SD, SA, SB, REF( 2), 0x242070db, 17)
- ROUND(, SB, SC, SD, SA, REF( 3), 0xc1bdceee, 22)
- ROUND(, SA, SB, SC, SD, REF( 4), 0xf57c0faf, 7)
- ROUND(, SD, SA, SB, SC, REF( 5), 0x4787c62a, 12)
- ROUND(, SC, SD, SA, SB, REF( 6), 0xa8304613, 17)
- ROUND(, SB, SC, SD, SA, REF( 7), 0xfd469501, 22)
- ROUND(, SA, SB, SC, SD, REF( 8), 0x698098d8, 7)
- ROUND(, SD, SA, SB, SC, REF( 9), 0x8b44f7af, 12)
- ROUND(, SC, SD, SA, SB, REF(10), 0xffff5bb1, 17)
- ROUND(, SB, SC, SD, SA, REF(11), 0x895cd7be, 22)
- ROUND(, SA, SB, SC, SD, REF(12), 0x6b901122, 7)
- ROUND(, SD, SA, SB, SC, REF(13), 0xfd987193, 12)
- ROUND(, SC, SD, SA, SB, REF(14), 0xa679438e, 17)
- ROUND(, SB, SC, SD, SA, REF(15), 0x49b40821, 22)
-
- ROUND(, SA, SB, SC, SD, REF( 1), 0xf61e2562, 5)
- ROUND(, SD, SA, SB, SC, REF( 6), 0xc040b340, 9)
- ROUND(, SC, SD, SA, SB, REF(11), 0x265e5a51, 14)
- ROUND(, SB, SC, SD, SA, REF( 0), 0xe9b6c7aa, 20)
- ROUND(, SA, SB, SC, SD, REF( 5), 0xd62f105d, 5)
- ROUND(, SD, SA, SB, SC, REF(10), 0x02441453, 9)
- ROUND(, SC, SD, SA, SB, REF(15), 0xd8a1e681, 14)
- ROUND(, SB, SC, SD, SA, REF( 4), 0xe7d3fbc8, 20)
- ROUND(, SA, SB, SC, SD, REF( 9), 0x21e1cde6, 5)
- ROUND(, SD, SA, SB, SC, REF(14), 0xc33707d6, 9)
- ROUND(, SC, SD, SA, SB, REF( 3), 0xf4d50d87, 14)
- ROUND(, SB, SC, SD, SA, REF( 8), 0x455a14ed, 20)
- ROUND(, SA, SB, SC, SD, REF(13), 0xa9e3e905, 5)
- ROUND(, SD, SA, SB, SC, REF( 2), 0xfcefa3f8, 9)
- ROUND(, SC, SD, SA, SB, REF( 7), 0x676f02d9, 14)
- ROUND(, SB, SC, SD, SA, REF(12), 0x8d2a4c8a, 20)
-
- ROUND(, SA, SB, SC, SD, REF( 5), 0xfffa3942, 4)
- ROUND(, SD, SA, SB, SC, REF( 8), 0x8771f681, 11)
- ROUND(, SC, SD, SA, SB, REF(11), 0x6d9d6122, 16)
- ROUND(, SB, SC, SD, SA, REF(14), 0xfde5380c, 23)
- ROUND(, SA, SB, SC, SD, REF( 1), 0xa4beea44, 4)
- ROUND(, SD, SA, SB, SC, REF( 4), 0x4bdecfa9, 11)
-
ROUND(, SC, SD, SA, SB, REF( 7), 0xf6bb4b60, 16) - ROUND(, SB, SC, SD, SA, REF(10), 0xbebfbc70, 23) - ROUND(, SA, SB, SC, SD, REF(13), 0x289b7ec6, 4) - ROUND(, SD, SA, SB, SC, REF( 0), 0xeaa127fa, 11) - ROUND(, SC, SD, SA, SB, REF( 3), 0xd4ef3085, 16) - ROUND(, SB, SC, SD, SA, REF( 6), 0x04881d05, 23) - ROUND(, SA, SB, SC, SD, REF( 9), 0xd9d4d039, 4) - ROUND(, SD, SA, SB, SC, REF(12), 0xe6db99e5, 11) - ROUND(, SC, SD, SA, SB, REF(15), 0x1fa27cf8, 16) - ROUND(, SB, SC, SD, SA, REF( 2), 0xc4ac5665, 23) - - ROUND(, SA, SB, SC, SD, REF( 0), 0xf4292244, 6) - ROUND(, SD, SA, SB, SC, REF( 7), 0x432aff97, 10) - ROUND(, SC, SD, SA, SB, REF(14), 0xab9423a7, 15) - ROUND(, SB, SC, SD, SA, REF( 5), 0xfc93a039, 21) - ROUND(, SA, SB, SC, SD, REF(12), 0x655b59c3, 6) - ROUND(, SD, SA, SB, SC, REF( 3), 0x8f0ccc92, 10) - ROUND(, SC, SD, SA, SB, REF(10), 0xffeff47d, 15) - ROUND(, SB, SC, SD, SA, REF( 1), 0x85845dd1, 21) - ROUND(, SA, SB, SC, SD, REF( 8), 0x6fa87e4f, 6) - ROUND(, SD, SA, SB, SC, REF(15), 0xfe2ce6e0, 10) - ROUND(, SC, SD, SA, SB, REF( 6), 0xa3014314, 15) - ROUND(, SB, SC, SD, SA, REF(13), 0x4e0811a1, 21) - ROUND(, SA, SB, SC, SD, REF( 4), 0xf7537e82, 6) - ROUND(, SD, SA, SB, SC, REF(11), 0xbd3af235, 10) - ROUND(, SC, SD, SA, SB, REF( 2), 0x2ad7d2bb, 15) - ROUND(, SB, SC, SD, SA, REF( 9), 0xeb86d391, 21) + ROUND(`F1', SA, SB, SC, SD, REF( 0), 0xd76aa478, 7) + ROUND(`F1', SD, SA, SB, SC, REF( 1), 0xe8c7b756, 12) + ROUND(`F1', SC, SD, SA, SB, REF( 2), 0x242070db, 17) + ROUND(`F1', SB, SC, SD, SA, REF( 3), 0xc1bdceee, 22) + ROUND(`F1', SA, SB, SC, SD, REF( 4), 0xf57c0faf, 7) + ROUND(`F1', SD, SA, SB, SC, REF( 5), 0x4787c62a, 12) + ROUND(`F1', SC, SD, SA, SB, REF( 6), 0xa8304613, 17) + ROUND(`F1', SB, SC, SD, SA, REF( 7), 0xfd469501, 22) + ROUND(`F1', SA, SB, SC, SD, REF( 8), 0x698098d8, 7) + ROUND(`F1', SD, SA, SB, SC, REF( 9), 0x8b44f7af, 12) + ROUND(`F1', SC, SD, SA, SB, REF(10), 0xffff5bb1, 17) + ROUND(`F1', SB, SC, SD, SA, REF(11), 0x895cd7be, 22) + ROUND(`F1', SA, SB, 
SC, SD, REF(12), 0x6b901122, 7) + ROUND(`F1', SD, SA, SB, SC, REF(13), 0xfd987193, 12) + ROUND(`F1', SC, SD, SA, SB, REF(14), 0xa679438e, 17) + ROUND(`F1', SB, SC, SD, SA, REF(15), 0x49b40821, 22) + + ROUND(`F2', SA, SB, SC, SD, REF( 1), 0xf61e2562, 5) + ROUND(`F2', SD, SA, SB, SC, REF( 6), 0xc040b340, 9) + ROUND(`F2', SC, SD, SA, SB, REF(11), 0x265e5a51, 14) + ROUND(`F2', SB, SC, SD, SA, REF( 0), 0xe9b6c7aa, 20) + ROUND(`F2', SA, SB, SC, SD, REF( 5), 0xd62f105d, 5) + ROUND(`F2', SD, SA, SB, SC, REF(10), 0x02441453, 9) + ROUND(`F2', SC, SD, SA, SB, REF(15), 0xd8a1e681, 14) + ROUND(`F2', SB, SC, SD, SA, REF( 4), 0xe7d3fbc8, 20) + ROUND(`F2', SA, SB, SC, SD, REF( 9), 0x21e1cde6, 5) + ROUND(`F2', SD, SA, SB, SC, REF(14), 0xc33707d6, 9) + ROUND(`F2', SC, SD, SA, SB, REF( 3), 0xf4d50d87, 14) + ROUND(`F2', SB, SC, SD, SA, REF( 8), 0x455a14ed, 20) + ROUND(`F2', SA, SB, SC, SD, REF(13), 0xa9e3e905, 5) + ROUND(`F2', SD, SA, SB, SC, REF( 2), 0xfcefa3f8, 9) + ROUND(`F2', SC, SD, SA, SB, REF( 7), 0x676f02d9, 14) + ROUND(`F2', SB, SC, SD, SA, REF(12), 0x8d2a4c8a, 20) + + ROUND(`F3', SA, SB, SC, SD, REF( 5), 0xfffa3942, 4) + ROUND(`F3', SD, SA, SB, SC, REF( 8), 0x8771f681, 11) + ROUND(`F3', SC, SD, SA, SB, REF(11), 0x6d9d6122, 16) + ROUND(`F3', SB, SC, SD, SA, REF(14), 0xfde5380c, 23) + ROUND(`F3', SA, SB, SC, SD, REF( 1), 0xa4beea44, 4) + ROUND(`F3', SD, SA, SB, SC, REF( 4), 0x4bdecfa9, 11) + ROUND(`F3', SC, SD, SA, SB, REF( 7), 0xf6bb4b60, 16) + ROUND(`F3', SB, SC, SD, SA, REF(10), 0xbebfbc70, 23) + ROUND(`F3', SA, SB, SC, SD, REF(13), 0x289b7ec6, 4) + ROUND(`F3', SD, SA, SB, SC, REF( 0), 0xeaa127fa, 11) + ROUND(`F3', SC, SD, SA, SB, REF( 3), 0xd4ef3085, 16) + ROUND(`F3', SB, SC, SD, SA, REF( 6), 0x04881d05, 23) + ROUND(`F3', SA, SB, SC, SD, REF( 9), 0xd9d4d039, 4) + ROUND(`F3', SD, SA, SB, SC, REF(12), 0xe6db99e5, 11) + ROUND(`F3', SC, SD, SA, SB, REF(15), 0x1fa27cf8, 16) + ROUND(`F3', SB, SC, SD, SA, REF( 2), 0xc4ac5665, 23) + + ROUND(`F4', SA, SB, SC, SD, REF( 0), 
0xf4292244, 6) + ROUND(`F4', SD, SA, SB, SC, REF( 7), 0x432aff97, 10) + ROUND(`F4', SC, SD, SA, SB, REF(14), 0xab9423a7, 15) + ROUND(`F4', SB, SC, SD, SA, REF( 5), 0xfc93a039, 21) + ROUND(`F4', SA, SB, SC, SD, REF(12), 0x655b59c3, 6) + ROUND(`F4', SD, SA, SB, SC, REF( 3), 0x8f0ccc92, 10) + ROUND(`F4', SC, SD, SA, SB, REF(10), 0xffeff47d, 15) + ROUND(`F4', SB, SC, SD, SA, REF( 1), 0x85845dd1, 21) + ROUND(`F4', SA, SB, SC, SD, REF( 8), 0x6fa87e4f, 6) + ROUND(`F4', SD, SA, SB, SC, REF(15), 0xfe2ce6e0, 10) + ROUND(`F4', SC, SD, SA, SB, REF( 6), 0xa3014314, 15) + ROUND(`F4', SB, SC, SD, SA, REF(13), 0x4e0811a1, 21) + ROUND(`F4', SA, SB, SC, SD, REF( 4), 0xf7537e82, 6) + ROUND(`F4', SD, SA, SB, SC, REF(11), 0xbd3af235, 10) + ROUND(`F4', SC, SD, SA, SB, REF( 2), 0x2ad7d2bb, 15) + ROUND(`F4', SB, SC, SD, SA, REF( 9), 0xeb86d391, 21) C Update the state vector addl XREG(SA), (STATE) @@ -173,4 +173,4 @@ W64_EXIT(2,0) ret -EPILOGUE(_nettle_md5_compress) +EPILOGUE(nettle_md5_compress) diff -Nru nettle-3.4.1/x86_64/memxor3.asm nettle-3.7.3/x86_64/memxor3.asm --- nettle-3.4.1/x86_64/memxor3.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/memxor3.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/memxor3.asm -ifelse(< +ifelse(` Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. 
@@ -28,20 +28,20 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Register usage: -define(, <%rax>) C Originally in %rdi -define(, <%rsi>) -define(, <%rdx>) -define(, <%r10>) -define(, <%r8>) -define(, <%r9>) -define(, <%rdi>) -define(, <%r11>) -define(, <%rdi>) C Overlaps with CNT +define(`DST', `%rax') C Originally in %rdi +define(`AP', `%rsi') +define(`BP', `%rdx') +define(`N', `%r10') +define(`TMP', `%r8') +define(`TMP2', `%r9') +define(`CNT', `%rdi') +define(`S0', `%r11') +define(`S1', `%rdi') C Overlaps with CNT -define(, ) +define(`USE_SSE2', `no') .file "memxor3.asm" @@ -83,10 +83,10 @@ jnz .Lalign_loop .Laligned: -ifelse(USE_SSE2, yes, < +ifelse(USE_SSE2, yes, ` cmp $16, N jnc .Lsse2_case ->) +') C Check for the case that AP and BP have the same alignment, C but different from DST. mov AP, TMP @@ -223,7 +223,7 @@ W64_EXIT(4, 0) ret -ifelse(USE_SSE2, yes, < +ifelse(USE_SSE2, yes, ` .Lsse2_case: lea (DST, N), TMP @@ -257,7 +257,7 @@ C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret ->) +') EPILOGUE(nettle_memxor3) diff -Nru nettle-3.4.1/x86_64/memxor.asm nettle-3.7.3/x86_64/memxor.asm --- nettle-3.4.1/x86_64/memxor.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/memxor.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/memxor.asm -ifelse(< +ifelse(` Copyright (C) 2010, 2014, Niels Möller This file is part of GNU Nettle. 
@@ -28,19 +28,19 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Register usage: -define(, <%rax>) C Originally in %rdi -define(, <%rsi>) -define(, <%rdx>) -define(, <%r8>) -define(, <%r9>) -define(, <%rdi>) -define(, <%r11>) -define(, <%rdi>) C Overlaps with CNT +define(`DST', `%rax') C Originally in %rdi +define(`SRC', `%rsi') +define(`N', `%rdx') +define(`TMP', `%r8') +define(`TMP2', `%r9') +define(`CNT', `%rdi') +define(`S0', `%r11') +define(`S1', `%rdi') C Overlaps with CNT -define(, ) +define(`USE_SSE2', `no') .file "memxor.asm" @@ -79,10 +79,10 @@ jnz .Lalign_loop .Laligned: -ifdef(, < +ifdef(`USE_SSE2', ` cmp $16, N jnc .Lsse2_case ->) +') C Next destination word is -8(DST, N) C Setup for unrolling @@ -135,7 +135,7 @@ W64_EXIT(3, 0) ret -ifdef(, < +ifdef(`USE_SSE2', ` .Lsse2_case: lea (DST, N), TMP @@ -168,6 +168,6 @@ W64_EXIT(3, 0) ret ->) +') EPILOGUE(nettle_memxor) diff -Nru nettle-3.4.1/x86_64/poly1305-internal.asm nettle-3.7.3/x86_64/poly1305-internal.asm --- nettle-3.4.1/x86_64/poly1305-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/poly1305-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/poly1305-internal.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. @@ -28,27 +28,27 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "poly1305-internal.asm" C Registers mainly used by poly1305_block -define(, <%rdi>) -define(, <%rcx>) -define(, <%rsi>) -define(, <%r8>) -define(, <%r9>) -define(
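Review bot: In memxor.asm the `+ifdef(`USE_SSE2', `` tests in the `@@ -79,10` and `@@ -135,7` hunks only check whether USE_SSE2 is defined, so the `+define(`USE_SSE2', `no')` in the `@@ -28,19` hunk does not actually disable the `.Lsse2_case` path — m4's ifdef ignores the macro's value. memxor3.asm in the same patch tests the value with `ifelse(USE_SSE2, yes, `` and so really does skip its SSE2 branch; the two files therefore behave differently for the same nominal setting. Unless the SSE2 path in memxor.asm is meant to be always on, I would change both sites to `ifelse(USE_SSE2, yes, `` to match memxor3.asm, or drop the misleading `no` definition. Whether the `.Lsse2_case` branch is exercised by the test suite cannot be told from these hunks.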

      , <%r10>) -define(

      , <%r11>) +define(`CTX', `%rdi') +define(`T0', `%rcx') +define(`T1', `%rsi') +define(`T2', `%r8') +define(`H0', `%r9') +define(`H1', `%r10') +define(`H2', `%r11') - C poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) + C _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) .text C Registers: C %rdi: ctx C %rsi: key C %r8: mask ALIGN(16) -PROLOGUE(nettle_poly1305_set_key) +PROLOGUE(_nettle_poly1305_set_key) W64_ENTRY(2,0) mov $0x0ffffffc0fffffff, %r8 mov (%rsi), %rax @@ -69,7 +69,7 @@ W64_EXIT(2,0) ret -EPILOGUE(nettle_poly1305_set_key) +EPILOGUE(_nettle_poly1305_set_key) C 64-bit multiplication mod 2^130 - 5 C @@ -142,12 +142,12 @@ ret EPILOGUE(_nettle_poly1305_block) - C poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) + C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) C Registers: C %rdi: ctx C %rsi: s -PROLOGUE(nettle_poly1305_digest) +PROLOGUE(_nettle_poly1305_digest) W64_ENTRY(2, 0) mov P1305_H0 (CTX), H0 @@ -162,7 +162,7 @@ adc $0, XREG(H2) C Use %rax instead of %rsi -define(, <%rax>) +define(`T1', `%rax') C Add 5, use result if >= 2^130 mov $5, T0 xor T1, T1 @@ -182,4 +182,5 @@ mov XREG(%rax), P1305_H2 (CTX) W64_EXIT(2, 0) ret +EPILOGUE(_nettle_poly1305_digest) diff -Nru nettle-3.4.1/x86_64/README nettle-3.7.3/x86_64/README --- nettle-3.4.1/x86_64/README 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/README 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,71 @@ +ABI, according to http://www.x86-64.org/documentation/abi-0.99.pdf: + +Up to 6 integer and pointer arguments are passed in registers. Nine +registers, %rax, %rcx, %rdx, %rsi, %rdi and %r8-%r11 can be used +freely. Integers and pointers are returned in %rax. + +At entry, it is required that %rsp == 8 (mod 16). + +Registers May be Argument + clobbered number + +%rax Y +%rbx +%rcx Y 4 +%rdx Y 3 +%rbp +%rsi Y 2 +%rdi Y 1 +%rsp (SP) +%r8 Y 5 +%r9 Y 6 +%r10 Y +%r11 Y +%r12 +%r13 +%r14 +%r15 + +W64 ABI, according to +http://msdn.microsoft.com/en-us/library/9z1stfyw.aspx: + +Registers May be Argument + clobbered number + +%rax Y +%rbx +%rcx Y 1 +%rdx Y 2 +%rbp +%rsi +%rdi +%rsp (SP) +%r8 Y 3 +%r9 Y 4 +%r10 Y +%r11 Y +%r12 +%r13 +%r14 +%r15 + +Additional arguments are passed on the stack. "backing store" on the +stack for the four register arguments is also required. %xmm6 to +%xmm15 are callee-saved. The "long" type is just 32 bits. + +If we have six arguments, and push the additional callee-save +registers %rdi and %rsi on the stack, we get a stack frame like + +64(%rsp): Sixth argument +56(%rsp): Fifth argument +48(%rsp): Space for fourth argument +40(%rsp): Space for third argument +32(%rsp): Space for second argument +24(%rsp): Space for first argument +16(%rsp): Return address +8(%rsp) : Saved %rdi +(%rsp): Saved %rsi + +If, in addition, we use more than 6 %xmm registers, we push them +*after* %rdi (but before %rsi), so that they are stored at 16-byte +aligned addresses. diff -Nru nettle-3.4.1/x86_64/salsa20-2core.asm nettle-3.7.3/x86_64/salsa20-2core.asm --- nettle-3.4.1/x86_64/salsa20-2core.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/salsa20-2core.asm 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,318 @@ +C x86_64/salsa20-2core.asm + +ifelse(` + Copyright (C) 2012, 2020 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. 
+') + +define(`DST', `%rdi') +define(`SRC', `%rsi') +define(`COUNT', `%rdx') + +C State, even elements in X, odd elements in Y +define(`X0', `%xmm0') +define(`X1', `%xmm1') +define(`X2', `%xmm2') +define(`X3', `%xmm3') +define(`Y0', `%xmm4') +define(`Y1', `%xmm5') +define(`Y2', `%xmm6') +define(`Y3', `%xmm7') + +define(`T0', `%xmm8') +define(`T1', `%xmm9') +define(`T2', `%xmm10') +define(`T3', `%xmm11') + +define(`M0011', `%xmm12') + +include_src(`x86_64/salsa20.m4') + + .text + ALIGN(16) + C _salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) +PROLOGUE(_nettle_salsa20_2core) + W64_ENTRY(3, 13) + + movups (SRC), T0 C [0, 1, 2, 3] + movups 16(SRC), T1 C [4, 5, 6, 7] + movups 32(SRC), T2 C [8, 9, 10, 11] + movups 48(SRC), T3 C [12, 13, 14, 15] + + pshufd $0xa0, T0, X0 C X0: [0,0,2,2] + pshufd $0xf5, T0, Y3 C Y3: [1,1,3,3] + pshufd $0xa0, T1, X1 C X1: [4,4,6,6] + pshufd $0xf5, T1, Y0 C Y0: [5,5,7,7] + pshufd $0xa0, T2, X2 C X2: [8,8,10,10] + pshufd $0xf5, T2, Y1 C Y1: [9,9,11,11] + pshufd $0xa0, T3, X3 C [12,12,14,14] + pshufd $0xf5, T3, Y2 C [13,13,15,15] + + C Complicated counter increment. Could be done with + C mov $1, %eax; movd %eax, TMP; paddq T2, TMP + C earlier, but then it gets more complicated to construct X2 and Y1. 
+ + mov $1, %eax + movd %eax, T0 C [1,0,0,0] + pshufd $0x51, T0, T0 C [0,1,0,0] + pxor T1, T1 + paddd T0, X2 + pcmpeqd X2, T1 + pand T0, T1 + paddd T1, Y1 + + C Load mask registers + mov $-1, %eax + movd %eax, M0011 + pshufd $0x09, M0011, M0011 C 01 01 00 00 + + C Swap, to get + C X0: 0 10 Y0: 5 15 + C X1: 4 14 Y1: 9 3 + C X2: 8 2 Y2: 13 7 + C X3: 12 6 Y3: 1 11 + SWAP(X0, X2, M0011) + SWAP(X1, X3, M0011) + SWAP(Y0, Y2, M0011) + SWAP(Y1, Y3, M0011) + + shrl $1, XREG(COUNT) + + ALIGN(16) + +.Loop: +C Register layout (A is first block, B is second block) +C +C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 +C X1: A4 B4 A14 B14 Y1: A9 B9 A3 B3 +C X2: A8 B8 A2 B2 Y2: A13 B13 A7 B7 +C X3: A12 B12 A6 B6 Y3: A1 B1 A11 B11 + + movaps X0, T0 + paddd X3, T0 + movaps T0, T1 + movaps Y0, T2 + pslld $7, T0 + paddd Y3, T2 + psrld $25, T1 + movaps T2, T3 + pxor T0, X1 + pslld $7, T2 + pxor T1, X1 + psrld $25, T3 + + movaps X0, T0 + pxor T2, Y1 + paddd X1, T0 + pxor T3, Y1 + movaps T0, T1 + movaps Y0, T2 + pslld $9, T0 + paddd Y1, T2 + psrld $23, T1 + movaps T2, T3 + pxor T0, X2 + pslld $9, T2 + pxor T1, X2 + psrld $23, T3 + + movaps X1, T0 + pxor T2, Y2 + paddd X2, T0 + pxor T3, Y2 + movaps T0, T1 + movaps Y1, T2 + pslld $13, T0 + paddd Y2, T2 + psrld $19, T1 + movaps T2, T3 + pxor T0, X3 + pslld $13, T2 + pxor T1, X3 + psrld $19, T3 + + movaps X2, T0 + pxor T2, Y3 + paddd X3, T0 + pxor T3, Y3 + movaps T0, T1 + movaps Y2, T2 + pslld $18, T0 + paddd Y3, T2 + psrld $14, T1 + movaps T2, T3 + pxor T0, X0 + pslld $18, T2 + pxor T1, X0 + psrld $14, T3 + pxor T2, Y0 + pxor T3, Y0 + +C Register layout: +C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 +C Y1: A3 B3 A9 B9 X1: A4 B4 A14 B14 (Y1 swapped) +C X2: A2 B2 A8 B8 Y2: A7 B7 A13 B13 (X2, Y2 swapped) +C Y3: A1 B1 A11 B11 X3: A6 B6 A12 B12 (X3 swapped) + + pshufd $0x4e, Y1, Y1 C 10 11 00 01 + pshufd $0x4e, X2, X2 + pshufd $0x4e, Y2, Y2 + pshufd $0x4e, X3, X3 + + movaps X0, T0 + paddd Y1, T0 + movaps T0, T1 + movaps Y0, T2 + pslld $7, T0 + paddd X1, T2 + 
psrld $25, T1 + movaps T2, T3 + pxor T0, Y3 + pslld $7, T2 + pxor T1, Y3 + psrld $25, T3 + + movaps Y3, T0 + pxor T2, X3 + paddd X0, T0 + pxor T3, X3 + movaps T0, T1 + movaps X3, T2 + pslld $9, T0 + paddd Y0, T2 + psrld $23, T1 + movaps T2, T3 + pxor T0, X2 + pslld $9, T2 + pxor T1, X2 + psrld $23, T3 + + movaps X2, T0 + pxor T2, Y2 + paddd Y3, T0 + pxor T3, Y2 + movaps T0, T1 + movaps Y2, T2 + pslld $13, T0 + paddd X3, T2 + psrld $19, T1 + movaps T2, T3 + pxor T0, Y1 + pslld $13, T2 + pxor T1, Y1 + psrld $19, T3 + + movaps Y1, T0 + pxor T2, X1 + paddd X2, T0 + pxor T3, X1 + movaps T0, T1 + movaps X1, T2 + pslld $18, T0 + paddd Y2, T2 + psrld $14, T1 + movaps T2, T3 + pxor T0, X0 + pslld $18, T2 + pxor T1, X0 + psrld $14, T3 + pxor T2, Y0 + pxor T3, Y0 + + pshufd $0x4e, Y1, Y1 C 10 11 00 01 + pshufd $0x4e, X2, X2 + pshufd $0x4e, Y2, Y2 + pshufd $0x4e, X3, X3 + + decl XREG(COUNT) + jnz .Loop + + SWAP(X0, X2, M0011) + SWAP(X1, X3, M0011) + SWAP(Y0, Y2, M0011) + SWAP(Y1, Y3, M0011) + + movaps X0, T0 + punpckldq Y3, X0 C [A0, A1, B0, B1] + punpckhdq Y3, T0 C [A2, A3, B2, B3] + movaps X0, Y3 + punpcklqdq T0, X0 C [A0, A1, A2, A3] + punpckhqdq T0, Y3 C [B0, B1, B2, B3] + + movups (SRC), T0 + paddd T0, X0 + paddd T0, Y3 + + movaps X1, T1 + punpckldq Y0, X1 C [A4, A5, B4, B5] + punpckhdq Y0, T1 C [A6, A7, B6, B7] + movaps X1, Y0 + punpcklqdq T1, X1 C [A4, A5, A6, A7] + punpckhqdq T1, Y0 C [B4, B5, B6, B7] + + movups 16(SRC), T1 + paddd T1, X1 + paddd T1, Y0 + + movaps X2, T2 + punpckldq Y1, X2 C [A8, A9, B8, B9] + punpckhdq Y1, T2 C [A10, A11, B10, B11] + movaps X2, Y1 + punpcklqdq T2, X2 C [A8, A9, A10, A11] + punpckhqdq T2, Y1 C [B8, B9, B10, B11] + + movups 32(SRC), T2 + paddd T2, X2 + mov $1, %eax + movd %eax, M0011 + paddq M0011, T2 + paddd T2, Y1 + + movaps X3, T3 + punpckldq Y2, X3 C [A12, A13, B12, B13] + punpckhdq Y2, T3 C [A14, A15, B14, B15] + movaps X3, Y2 + punpcklqdq T3, X3 C [A12, A13, A14, A15] + punpckhqdq T3, Y2 C [B12, B13, B14, B15] + + movups 48(SRC), 
T3 + paddd T3, X3 + paddd T3, Y2 + + movups X0,(DST) + movups X1,16(DST) + movups X2,32(DST) + movups X3,48(DST) + movups Y3,64(DST) + movups Y0,80(DST) + movups Y1,96(DST) + movups Y2,112(DST) + + W64_EXIT(3, 13) + ret +EPILOGUE(_nettle_salsa20_2core) diff -Nru nettle-3.4.1/x86_64/salsa20-core-internal.asm nettle-3.7.3/x86_64/salsa20-core-internal.asm --- nettle-3.4.1/x86_64/salsa20-core-internal.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/salsa20-core-internal.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/salsa20-core-internal.asm -ifelse(< +ifelse(` Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. @@ -28,22 +28,22 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) -define(, <%xmm4>) -define(, <%xmm5>) -define(, <%xmm6>) -define(, <%xmm7>) -define(, <%xmm8>) +define(`DST', `%rdi') +define(`SRC', `%rsi') +define(`COUNT', `%rdx') +define(`X0', `%xmm0') +define(`X1', `%xmm1') +define(`X2', `%xmm2') +define(`X3', `%xmm3') +define(`T0', `%xmm4') +define(`T1', `%xmm5') +define(`M0101', `%xmm6') +define(`M0110', `%xmm7') +define(`M0011', `%xmm8') -include_src() +include_src(`x86_64/salsa20.m4') C _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text diff -Nru nettle-3.4.1/x86_64/salsa20-crypt.asm nettle-3.7.3/x86_64/salsa20-crypt.asm --- nettle-3.4.1/x86_64/salsa20-crypt.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/salsa20-crypt.asm 1970-01-01 00:00:00.000000000 +0000 
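Review bot: `shrl $1, XREG(COUNT)` followed by the `decl XREG(COUNT)` / `jnz .Loop` loop in _nettle_salsa20_2core makes the rounds argument a silent precondition: an odd value drops its last round, and rounds of 0 or 1 leaves COUNT at zero before the first decl, so the counter wraps and the loop runs about 2^32 times. Nothing in the hunk documents this and the callers are outside this diff, so I would at least add after the PROLOGUE `C rounds must be even and >= 2: COUNT is halved and the loop is decl/jnz, so 0 or 1 would wrap the counter`, or guard with `test XREG(COUNT), XREG(COUNT)` / `jz` before `.Loop` if the portable C version (not visible here) tolerates rounds == 0. Separately, the register-layout comment at the top of .Loop reads `Y0: A5 A5 A15 B15`; given the `pshufd $0xf5, T1, Y0` load and the later SWAP, the second lane holds block B, so it should read `Y0: A5 B5 A15 B15`.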
@@ -1,247 +0,0 @@ -C x86_64/salsa20-crypt.asm - -ifelse(< - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%rcx>) -define(, <%r8>) -define(, <%r9>) -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) -define(, <%xmm4>) -define(, <%xmm5>) -define(, <%xmm6>) -define(, <%xmm7>) -define(, <%xmm8>) -define(, <%rax>) - -include_src() - -C Possible improvements: -C -C Do two blocks (or more) at a time in parallel, to avoid limitations -C due to data dependencies. -C -C Avoid redoing the permutation of the input for each block (all but -C the two counter words are constant). Could also keep the input in -C registers. 
- - .file "salsa20-crypt.asm" - - C salsa20_crypt(struct salsa20_ctx *ctx, size_t length, - C uint8_t *dst, const uint8_t *src) - .text - ALIGN(16) -PROLOGUE(nettle_salsa20_crypt) - W64_ENTRY(4, 9) - - test LENGTH, LENGTH - jz .Lend - - C Load mask registers - mov $-1, XREG(COUNT) - movd XREG(COUNT), M0101 - pshufd $0x09, M0101, M0011 C 01 01 00 00 - pshufd $0x41, M0101, M0110 C 01 00 00 01 - pshufd $0x22, M0101, M0101 C 01 00 01 00 - -.Lblock_loop: - movups (CTX), X0 - movups 16(CTX), X1 - movups 32(CTX), X2 - movups 48(CTX), X3 - - C On input, each xmm register is one row. We start with - C - C 0 1 2 3 C K K K - C 4 5 6 7 K C I I - C 8 9 10 11 B B C K - C 12 13 14 15 K K K C - C - C Diagrams are in little-endian order, with least significant word to - C the left. We rotate the columns, to get instead - C - C 0 5 10 15 C C C C - C 4 9 14 3 K B K K - C 8 13 2 7 B K K I - C 12 1 6 11 K K I K - C - C The original rows are now diagonals. - SWAP(X0, X1, M0101) - SWAP(X2, X3, M0101) - SWAP(X1, X3, M0110) - SWAP(X0, X2, M0011) - - movl $10, XREG(COUNT) - ALIGN(16) -.Loop: - QROUND(X0, X1, X2, X3) - C For the row operations, we first rotate the rows, to get - C - C 0 5 10 15 - C 3 4 9 14 - C 2 7 8 13 - C 1 6 11 12 - C - C Now the original rows are turned into into columns. (This - C SIMD hack described in djb's papers). - - pshufd $0x93, X1, X1 C 11 00 01 10 (least sign. 
left) - pshufd $0x4e, X2, X2 C 10 11 00 01 - pshufd $0x39, X3, X3 C 01 10 11 00 - - QROUND(X0, X3, X2, X1) - - C Inverse rotation of the rows - pshufd $0x39, X1, X1 C 01 10 11 00 - pshufd $0x4e, X2, X2 C 10 11 00 01 - pshufd $0x93, X3, X3 C 11 00 01 10 - - decl XREG(COUNT) - jnz .Loop - - SWAP(X0, X2, M0011) - SWAP(X1, X3, M0110) - SWAP(X0, X1, M0101) - SWAP(X2, X3, M0101) - - movups (CTX), T0 - movups 16(CTX), T1 - paddd T0, X0 - paddd T1, X1 - movups 32(CTX), T0 - movups 48(CTX), T1 - paddd T0, X2 - paddd T1, X3 - - C Increment block counter - incq 32(CTX) - - cmp $64, LENGTH - jc .Lfinal_xor - - movups 48(SRC), T1 - pxor T1, X3 - movups X3, 48(DST) -.Lxor3: - movups 32(SRC), T0 - pxor T0, X2 - movups X2, 32(DST) -.Lxor2: - movups 16(SRC), T1 - pxor T1, X1 - movups X1, 16(DST) -.Lxor1: - movups (SRC), T0 - pxor T0, X0 - movups X0, (DST) - - lea 64(SRC), SRC - lea 64(DST), DST - sub $64, LENGTH - ja .Lblock_loop -.Lend: - W64_EXIT(4, 9) - ret - -.Lfinal_xor: - cmp $32, LENGTH - jz .Lxor2 - jc .Llt32 - cmp $48, LENGTH - jz .Lxor3 - jc .Llt48 - movaps X3, T0 - call .Lpartial - jmp .Lxor3 -.Llt48: - movaps X2, T0 - call .Lpartial - jmp .Lxor2 -.Llt32: - cmp $16, LENGTH - jz .Lxor1 - jc .Llt16 - movaps X1, T0 - call .Lpartial - jmp .Lxor1 -.Llt16: - movaps X0, T0 - call .Lpartial - jmp .Lend - -.Lpartial: - mov LENGTH, POS - and $-16, POS - test $8, LENGTH - jz .Llt8 - C This "movd" instruction should assemble to - C 66 49 0f 7e e0 movq %xmm4,%r8 - C Apparently, assemblers treat movd and movq (with the - C arguments we use) in the same way, except for osx, which - C barfs at movq. - movd T0, T64 - xor (SRC, POS), T64 - mov T64, (DST, POS) - lea 8(POS), POS - pshufd $0xee, T0, T0 C 10 11 10 11 -.Llt8: - C And this is also really a movq. 
- movd T0, T64 - test $4, LENGTH - jz .Llt4 - mov XREG(T64), XREG(COUNT) - xor (SRC, POS), XREG(COUNT) - mov XREG(COUNT), (DST, POS) - lea 4(POS), POS - shr $32, T64 -.Llt4: - test $2, LENGTH - jz .Llt2 - mov WREG(T64), WREG(COUNT) - xor (SRC, POS), WREG(COUNT) - mov WREG(COUNT), (DST, POS) - lea 2(POS), POS - shr $16, XREG(T64) -.Llt2: - test $1, LENGTH - jz .Lret - xor (SRC, POS), LREG(T64) - mov LREG(T64), (DST, POS) - -.Lret: - ret - -EPILOGUE(nettle_salsa20_crypt) diff -Nru nettle-3.4.1/x86_64/salsa20.m4 nettle-3.7.3/x86_64/salsa20.m4 --- nettle-3.4.1/x86_64/salsa20.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/salsa20.m4 2021-06-06 20:06:29.000000000 +0000 @@ -1,45 +1,45 @@ C Needs T0 and T1 C QROUND(x0, x1, x2, x3) -define(, < +define(`QROUND', ` movaps $4, T0 C 0 paddd $1, T0 C 1 movaps T0, T1 C 2 - pslld <$>7, T0 C 2 - psrld <$>25, T1 C 3 + pslld `$'7, T0 C 2 + psrld `$'25, T1 C 3 pxor T0, $2 C 3 pxor T1, $2 C 4 movaps $1, T0 C 0 paddd $2, T0 C 5 movaps T0, T1 C 6 - pslld <$>9, T0 C 6 - psrld <$>23, T1 C 7 + pslld `$'9, T0 C 6 + psrld `$'23, T1 C 7 pxor T0, $3 C 7 pxor T1, $3 C 8 movaps $2, T0 C 0 paddd $3, T0 C 9 movaps T0, T1 C 10 - pslld <$>13, T0 C 10 - psrld <$>19, T1 C 11 + pslld `$'13, T0 C 10 + psrld `$'19, T1 C 11 pxor T0, $4 C 11 pxor T1, $4 C 12 movaps $3, T0 C 0 paddd $4, T0 C 13 movaps T0, T1 C 14 - pslld <$>18, T0 C 14 - psrld <$>14, T1 C 15 + pslld `$'18, T0 C 14 + psrld `$'14, T1 C 15 pxor T0, $1 C 15 pxor T1, $1 C 16 ->) +') C SWAP(x0, x1, mask) C Swaps bits in x0 and x1, with bits selected by the mask -define(, < +define(`SWAP', ` movaps $1, T0 pxor $2, $1 pand $3, $1 pxor $1, $2 pxor T0, $1 ->) +') diff -Nru nettle-3.4.1/x86_64/serpent-decrypt.asm nettle-3.7.3/x86_64/serpent-decrypt.asm --- nettle-3.4.1/x86_64/serpent-decrypt.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/serpent-decrypt.asm 2021-06-06 20:06:29.000000000 +0000 
@@ -1,6 +1,6 @@ C x86_64/serpent-decrypt.asm -ifelse(< +ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. @@ -28,52 +28,52 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`x86_64/serpent.m4') C Register usage: C Single block serpent state, two copies -define(, <%eax>) -define(, <%ebx>) -define(, <%ebp>) -define(, <%r8d>) - -define(, <%r9d>) -define(, <%r10d>) -define(, <%r11d>) -define(, <%r12d>) +define(`x0', `%eax') +define(`x1', `%ebx') +define(`x2', `%ebp') +define(`x3', `%r8d') + +define(`y0', `%r9d') +define(`y1', `%r10d') +define(`y2', `%r11d') +define(`y3', `%r12d') C Quadruple block serpent state, two copies -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) - -define(, <%xmm4>) -define(, <%xmm5>) -define(, <%xmm6>) -define(, <%xmm7>) - -define(, <%xmm8>) -define(, <%xmm9>) -define(, <%xmm10>) -define(, <%xmm11>) -define(, <%xmm12>) +define(`X0', `%xmm0') +define(`X1', `%xmm1') +define(`X2', `%xmm2') +define(`X3', `%xmm3') + +define(`Y0', `%xmm4') +define(`Y1', `%xmm5') +define(`Y2', `%xmm6') +define(`Y3', `%xmm7') + +define(`MINUS1', `%xmm8') +define(`T0', `%xmm9') +define(`T1', `%xmm10') +define(`T2', `%xmm11') +define(`T3', `%xmm12') C Arguments -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%rcx>) +define(`CTX', `%rdi') +define(`N', `%rsi') +define(`DST', `%rdx') +define(`SRC', `%rcx') -define(, <%r13>) -define(, <%r14d>) +define(`CNT', `%r13') +define(`TMP32', `%r14d') C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 -define(, < +define(`SBOX0I', ` mov $1, $5 xor $3, $5 mov $1, $7 @@ -98,9 +98,9 @@ xor $4, $8 or $4, $2 xor $2, $5 ->) +') -define(, < +define(`SBOX1I', ` mov $2, $6 or $4, $6 xor $3, $6 
@@ -123,9 +123,9 @@ xor $3, $5 or $7, $1 xor $1, $5 ->) +') -define(, < +define(`SBOX2I', ` mov $1, $5 xor $4, $5 mov $3, $7 @@ -150,9 +150,9 @@ mov $5, $7 xor $6, $7 xor $3, $7 ->) +') -define(, < +define(`SBOX3I', ` mov $3, $8 or $4, $8 mov $2, $5 @@ -174,9 +174,9 @@ and $7, $1 or $2, $1 xor $1, $8 ->) +') -define(, < +define(`SBOX4I', ` mov $3, $6 xor $4, $6 mov $3, $7 @@ -198,9 +198,9 @@ xor $1, $5 xor $2, $1 xor $1, $7 ->) +') -define(, < +define(`SBOX5I', ` mov $1, $6 and $4, $6 mov $3, $8 @@ -223,9 +223,9 @@ not $2 or $1, $2 xor $2, $8 ->) +') -define(, < +define(`SBOX6I', ` mov $1, $7 xor $3, $7 not $3 @@ -250,9 +250,9 @@ and $5, $2 xor $2, $7 xor $4, $7 ->) +') -define(, < +define(`SBOX7I', ` mov $1, $8 and $2, $8 mov $2, $7 @@ -276,34 +276,34 @@ xor $1, $6 or $6, $4 xor $4, $5 ->) +') -define(, < - rol <$>10, $3 - rol <$>27, $1 +define(`LTI', ` + rol `$'10, $3 + rol `$'27, $1 mov $2, TMP32 - shl <$>7, TMP32 + shl `$'7, TMP32 xor $4, $3 xor TMP32, $3 xor $2, $1 xor $4, $1 - rol <$>25, $4 - rol <$>31, $2 + rol `$'25, $4 + rol `$'31, $2 mov $1, TMP32 - shl <$>3, TMP32 + shl `$'3, TMP32 xor $3, $4 xor TMP32, $4 xor $1, $2 xor $3, $2 - rol <$>29, $3 - rol <$>19, $1 ->) + rol `$'29, $3 + rol `$'19, $1 +') -define(, < +define(`PNOT', ` pxor MINUS1, $1 ->) +') -define(, < +define(`WSBOX0I', ` movdqa $1, $5 pxor $3, $5 movdqa $1, $7 @@ -328,9 +328,9 @@ pxor $4, $8 por $4, $2 pxor $2, $5 ->) +') -define(, < +define(`WSBOX1I', ` movdqa $2, $6 por $4, $6 pxor $3, $6 @@ -353,9 +353,9 @@ pxor $3, $5 por $7, $1 pxor $1, $5 ->) +') -define(, < +define(`WSBOX2I', ` movdqa $1, $5 pxor $4, $5 movdqa $3, $7 @@ -380,9 +380,9 @@ movdqa $5, $7 pxor $6, $7 pxor $3, $7 ->) +') -define(, < +define(`WSBOX3I', ` movdqa $3, $8 por $4, $8 movdqa $2, $5 @@ -404,9 +404,9 @@ pand $7, $1 por $2, $1 pxor $1, $8 ->) +') -define(, < +define(`WSBOX4I', ` movdqa $3, $6 pxor $4, $6 movdqa $3, $7 
@@ -428,9 +428,9 @@ pxor $1, $5 pxor $2, $1 pxor $1, $7 ->) +') -define(, < +define(`WSBOX5I', ` movdqa $1, $6 pand $4, $6 movdqa $3, $8 @@ -453,9 +453,9 @@ PNOT($2) por $1, $2 pxor $2, $8 ->) +') -define(, < +define(`WSBOX6I', ` movdqa $1, $7 pxor $3, $7 PNOT($3) @@ -480,9 +480,9 @@ pand $5, $2 pxor $2, $7 pxor $4, $7 ->) +') -define(, < +define(`WSBOX7I', ` movdqa $1, $8 pand $2, $8 movdqa $2, $7 @@ -506,13 +506,13 @@ pxor $1, $6 por $6, $4 pxor $4, $5 ->) +') -define(, < +define(`WLTI', ` WROL(10, $3) WROL(27, $1) movdqa $2, T0 - pslld <$>7, T0 + pslld `$'7, T0 pxor $4, $3 pxor T0, $3 pxor $2, $1 @@ -520,14 +520,14 @@ WROL(25, $4) WROL(31, $2) movdqa $1, T0 - pslld <$>3, T0 + pslld `$'3, T0 pxor $3, $4 pxor T0, $4 pxor $1, $2 pxor $3, $2 WROL(29, $3) WROL(19, $1) ->) +') .file "serpent-decrypt.asm" @@ -713,3 +713,4 @@ pop %rbx W64_EXIT(4, 13) ret +EPILOGUE(nettle_serpent_decrypt) diff -Nru nettle-3.4.1/x86_64/serpent-encrypt.asm nettle-3.7.3/x86_64/serpent-encrypt.asm --- nettle-3.4.1/x86_64/serpent-encrypt.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/serpent-encrypt.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/serpent-encrypt.asm -ifelse(< +ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. 
@@ -28,52 +28,52 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -include_src() +include_src(`x86_64/serpent.m4') C Register usage: C Single block serpent state, two copies -define(, <%eax>) -define(, <%ebx>) -define(, <%ebp>) -define(, <%r8d>) - -define(, <%r9d>) -define(, <%r10d>) -define(, <%r11d>) -define(, <%r12d>) +define(`x0', `%eax') +define(`x1', `%ebx') +define(`x2', `%ebp') +define(`x3', `%r8d') + +define(`y0', `%r9d') +define(`y1', `%r10d') +define(`y2', `%r11d') +define(`y3', `%r12d') C Quadruple block serpent state, two copies -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) - -define(, <%xmm4>) -define(, <%xmm5>) -define(, <%xmm6>) -define(, <%xmm7>) - -define(, <%xmm8>) -define(, <%xmm9>) -define(, <%xmm10>) -define(, <%xmm11>) -define(, <%xmm12>) +define(`X0', `%xmm0') +define(`X1', `%xmm1') +define(`X2', `%xmm2') +define(`X3', `%xmm3') + +define(`Y0', `%xmm4') +define(`Y1', `%xmm5') +define(`Y2', `%xmm6') +define(`Y3', `%xmm7') + +define(`MINUS1', `%xmm8') +define(`T0', `%xmm9') +define(`T1', `%xmm10') +define(`T2', `%xmm11') +define(`T3', `%xmm12') C Arguments -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%rcx>) +define(`CTX', `%rdi') +define(`N', `%rsi') +define(`DST', `%rdx') +define(`SRC', `%rcx') -define(, <%r13>) -define(, <%r14d>) +define(`CNT', `%r13') +define(`TMP32', `%r14d') C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 -define(, < +define(`SBOX0', ` mov $2, $8 C y3 = x1 ^ x2 xor $3, $8 mov $1, $5 C y0 = x0 | x3 @@ -98,9 +98,9 @@ mov $5, $6 C y1 = y0 ^ x1 xor $2, $6 xor $4, $6 C y1 ^= x3 ->) +') -define(, < +define(`SBOX1', ` mov $1, $6 C y1 = x0 | x3 or $4, $6 mov $3, $7 C y2 = x2 ^ x3 
@@ -127,9 +127,9 @@ not $8 C y3 = ~y3 and $4, $5 C y0 &= x3 xor $3, $5 C y0 ^= x2 ->) +') -define(, < +define(`SBOX2', ` mov $1, $7 C y2 = x1 | x2 or $3, $7 mov $1, $6 @@ -152,9 +152,9 @@ xor $2, $7 not $8 xor $4, $7 ->) +') -define(, < +define(`SBOX3', ` mov $1, $6 xor $3, $6 mov $1, $5 @@ -180,9 +180,9 @@ and $4, $2 mov $1, $5 xor $2, $5 ->) +') -define(, < +define(`SBOX4', ` mov $1, $8 or $2, $8 mov $2, $7 @@ -206,9 +206,9 @@ and $4, $5 xor $3, $5 not $5 ->) +') -define(, < +define(`SBOX5', ` mov $2, $5 or $4, $5 xor $3, $5 @@ -231,9 +231,9 @@ xor $7, $6 or $4, $7 xor $2, $7 ->) +') -define(, < +define(`SBOX6', ` mov $1, $5 xor $4, $5 mov $1, $6 @@ -257,9 +257,9 @@ not $7 xor $7, $5 xor $1, $5 ->) +') -define(, < +define(`SBOX7', ` mov $1, $5 and $3, $5 mov $2, $8 @@ -287,39 +287,39 @@ not $4 C t02 or $4, $5 xor $3, $5 ->) +') -define(, < - rol <$>13, $1 - rol <$>3, $3 +define(`LT', ` + rol `$'13, $1 + rol `$'3, $3 xor $1, $2 xor $3, $2 mov $1, TMP32 - shl <$>3, TMP32 + shl `$'3, TMP32 xor $3, $4 xor TMP32, $4 rol $2 - rol <$>7, $4 + rol `$'7, $4 xor $2, $1 xor $4, $1 mov $2, TMP32 - shl <$>7, TMP32 + shl `$'7, TMP32 xor $4, $3 xor TMP32, $3 - rol <$>5, $1 - rol <$>22, $3 ->) + rol `$'5, $1 + rol `$'22, $3 +') C Parallel operation on four blocks at a time. C pnot instruction is missing. For lack of a spare register, XOR with C constant in memory. -define(, < +define(`PNOT', ` pxor MINUS1, $1 ->) +') -define(, < +define(`WSBOX0', ` movdqa $2, $8 C y3 = x1 ^ x2 pxor $3, $8 movdqa $1, $5 C y0 = x0 | x3 @@ -344,9 +344,9 @@ movdqa $5, $6 C y1 = y0 ^ x1 pxor $2, $6 pxor $4, $6 C y1 ^= x3 ->) +') -define(, < +define(`WSBOX1', ` movdqa $1, $6 C y1 = x0 | x3 por $4, $6 movdqa $3, $7 C y2 = x2 ^ x3 @@ -373,9 +373,9 @@ PNOT($8) C y3 = ~y3 pand $4, $5 C y0 &= x3 pxor $3, $5 C y0 ^= x2 ->) +') -define(, < +define(`WSBOX2', ` movdqa $1, $7 C y2 = x1 | x2 por $3, $7 movdqa $1, $6 
@@ -398,9 +398,9 @@ pxor $2, $7 PNOT($8) pxor $4, $7 ->) +') -define(, < +define(`WSBOX3', ` movdqa $1, $6 pxor $3, $6 movdqa $1, $5 @@ -426,9 +426,9 @@ pand $4, $2 movdqa $1, $5 pxor $2, $5 ->) +') -define(, < +define(`WSBOX4', ` movdqa $1, $8 por $2, $8 movdqa $2, $7 @@ -452,9 +452,9 @@ pand $4, $5 pxor $3, $5 PNOT($5) ->) +') -define(, < +define(`WSBOX5', ` movdqa $2, $5 por $4, $5 pxor $3, $5 @@ -477,9 +477,9 @@ pxor $7, $6 por $4, $7 pxor $2, $7 ->) +') -define(, < +define(`WSBOX6', ` movdqa $1, $5 pxor $4, $5 movdqa $1, $6 @@ -503,9 +503,9 @@ PNOT($7) pxor $7, $5 pxor $1, $5 ->) +') -define(, < +define(`WSBOX7', ` movdqa $1, $5 pand $3, $5 movdqa $2, $8 @@ -532,16 +532,16 @@ PNOT($4) C t02 por $4, $5 pxor $3, $5 ->) +') C WLT(x0, x1, x2, x3) -define(, < +define(`WLT', ` WROL(13, $1) WROL(3, $3) pxor $1, $2 pxor $3, $2 movdqa $1, T0 - pslld <$>3, T0 + pslld `$'3, T0 pxor $3, $4 pxor T0, $4 WROL(1, $2) @@ -549,12 +549,12 @@ pxor $2, $1 pxor $4, $1 movdqa $2, T0 - pslld <$>7, T0 + pslld `$'7, T0 pxor $4, $3 pxor T0, $3 WROL(5, $1) WROL(22, $3) ->) +') .file "serpent-encrypt.asm" @@ -748,3 +748,4 @@ pop %rbx W64_EXIT(4, 13) ret +EPILOGUE(nettle_serpent_encrypt) diff -Nru nettle-3.4.1/x86_64/serpent.m4 nettle-3.7.3/x86_64/serpent.m4 --- nettle-3.4.1/x86_64/serpent.m4 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/serpent.m4 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/serpent.m4 -ifelse(< +ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. @@ -28,15 +28,15 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C WROL(count, w) -define(, < +define(`WROL', ` movdqa $2, T0 - pslld <$>$1, $2 - psrld <$>eval(32 - $1), T0 + pslld `$'$1, $2 + psrld `$'eval(32 - $1), T0 por T0, $2 ->) +') C Note: Diagrams use little-endian representation, with least C significant word to the left. 
@@ -56,18 +56,18 @@ C x3: | a3 | b3 | c3 | d3 | C +----+----+----+----+ -define(, < +define(`WTRANSPOSE', ` movdqa $1, T0 punpcklqdq $3, T0 C |a0 a1 c0 c1| punpckhqdq $3, $1 C |a2 a3 c2 c3| - pshufd <$>0xd8, T0, T0 C |a0 c0 a1 c1| - pshufd <$>0xd8, $1, T1 C |a2 c2 a3 c3| + pshufd `$'0xd8, T0, T0 C |a0 c0 a1 c1| + pshufd `$'0xd8, $1, T1 C |a2 c2 a3 c3| movdqa $2, T2 punpcklqdq $4, T2 C |b0 b1 d0 11| punpckhqdq $4, $2 C |b2 b3 d2 d3| - pshufd <$>0xd8, T2, T2 C |b0 d0 b1 d1| - pshufd <$>0xd8, $2, T3 C |b2 d2 b3 d3| + pshufd `$'0xd8, T2, T2 C |b0 d0 b1 d1| + pshufd `$'0xd8, $2, T3 C |b2 d2 b3 d3| movdqa T0, $1 punpckldq T2, $1 C |a0 b0 c0 d0| @@ -78,17 +78,17 @@ punpckldq T3, $3 C |a2 b2 c2 d2| movdqa T1, $4 punpckhdq T3, $4 C |a3 b3 c3 d3| ->) +') C FIXME: Arrange 16-byte alignment, so we can use movaps? -define(, < +define(`WKEYXOR', ` movups $1(CTX, CNT), T0 - pshufd <$>0x55, T0, T1 - pshufd <$>0xaa, T0, T2 + pshufd `$'0x55, T0, T1 + pshufd `$'0xaa, T0, T2 pxor T1, $3 pxor T2, $4 - pshufd <$>0xff, T0, T1 - pshufd <$>0x00, T0, T0 + pshufd `$'0xff, T0, T1 + pshufd `$'0x00, T0, T0 pxor T1, $5 pxor T0, $2 ->) +') diff -Nru nettle-3.4.1/x86_64/sha1-compress.asm nettle-3.7.3/x86_64/sha1-compress.asm --- nettle-3.4.1/x86_64/sha1-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/sha1-compress.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/sha1-compress.asm -ifelse(< +ifelse(` Copyright (C) 2004, 2008, 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,36 +28,36 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') C Register usage. KVALUE and INPUT share a register. -define(,<%eax>)dnl -define(,<%r8d>)dnl -define(,<%ecx>)dnl -define(,<%edx>)dnl -define(,<%r9d>)dnl -define(,<%rsp>)dnl -define(,<%r10d>)dnl -define(,<%r11d>)dnl -define(, <%esi>)dnl +define(`SA',`%eax')dnl +define(`SB',`%r8d')dnl +define(`SC',`%ecx')dnl +define(`SD',`%edx')dnl +define(`SE',`%r9d')dnl +define(`DATA',`%rsp')dnl +define(`T1',`%r10d')dnl +define(`T2',`%r11d')dnl +define(`KVALUE', `%esi')dnl C Arguments -define(,<%rdi>)dnl -define(,<%rsi>)dnl +define(`STATE',`%rdi')dnl +define(`INPUT',`%rsi')dnl C Constants -define(, <<$>0x5A827999>)dnl C Rounds 0-19 -define(, <<$>0x6ED9EBA1>)dnl C Rounds 20-39 -define(, <<$>0x8F1BBCDC>)dnl C Rounds 40-59 -define(, <<$>0xCA62C1D6>)dnl C Rounds 60-79 +define(`K1VALUE', ``$'0x5A827999')dnl C Rounds 0-19 +define(`K2VALUE', ``$'0x6ED9EBA1')dnl C Rounds 20-39 +define(`K3VALUE', ``$'0x8F1BBCDC')dnl C Rounds 40-59 +define(`K4VALUE', ``$'0xCA62C1D6')dnl C Rounds 60-79 C Reads the input into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) -define(, < +define(`SWAP', ` movl OFFSET($1)(INPUT), $2 bswap $2 movl $2, OFFSET($1) (DATA) ->)dnl +')dnl C The f functions, C 
@@ -91,28 +91,28 @@ C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) -define(, < +define(`ROUND_F1', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - roll <$>1, T1 + roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 andl $2, T2 xorl $4, T2 - roll <$>30, $2 + roll `$'30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 - roll <$>5, T1 + roll `$'5, T1 addl T1, $5 addl T2, $5 ->) +') dnl ROUND_F1_NOEXP(a, b, c, d, e, i) -define(, < +define(`ROUND_F1_NOEXP', ` movl $4, T2 xorl $3, T2 movl $1, T1 @@ -120,39 +120,39 @@ addl OFFSET($6) (DATA), $5 xorl $4, T2 addl T2, $5 - roll <$>30, $2 - roll <$>5, T1 + roll `$'30, $2 + roll `$'5, T1 addl T1, $5 addl KVALUE, $5 ->) +') dnl ROUND_F2(a, b, c, d, e, i) -define(, < +define(`ROUND_F2', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - roll <$>1, T1 + roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 xorl $2, T2 - roll <$>30, $2 + roll `$'30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 - roll <$>5, T1 + roll `$'5, T1 addl T1, $5 addl T2, $5 ->) +') dnl ROUND_F3(a, b, c, d, e, i) -define(, < +define(`ROUND_F3', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - roll <$>1, T1 + roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 andl $3, T2 
@@ -162,20 +162,20 @@ xorl $3, T1 andl $2, T1 addl T2, $5 - roll <$>30, $2 + roll `$'30, $2 movl $1, T2 - roll <$>5, T2 + roll `$'5, T2 addl T1, $5 addl T2, $5 ->) +') .file "sha1-compress.asm" - C _nettle_sha1_compress(uint32_t *state, uint8_t *input) + C nettle_sha1_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) -PROLOGUE(_nettle_sha1_compress) +PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved W64_ENTRY(2, 0) @@ -304,4 +304,4 @@ add $64, %rsp W64_EXIT(2, 0) ret -EPILOGUE(_nettle_sha1_compress) +EPILOGUE(nettle_sha1_compress) diff -Nru nettle-3.4.1/x86_64/sha1-compress-sse.asm nettle-3.7.3/x86_64/sha1-compress-sse.asm --- nettle-3.4.1/x86_64/sha1-compress-sse.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/sha1-compress-sse.asm 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -C x86_64/sha1-compress.asm - -ifelse(< - Copyright (C) 2004, 2008, 2013, 2018 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -C Register usage. - -C Arguments -define(,<%rdi>)dnl -define(,<%rsi>)dnl - -C Constants -define(, <0x5A827999>)dnl C Rounds 0-19 -define(, <0x6ED9EBA1>)dnl C Rounds 20-39 -define(, <0x8F1BBCDC>)dnl C Rounds 40-59 -define(, <0xCA62C1D6>)dnl C Rounds 60-79 - - .file "sha1-compress.asm" - - C _nettle_sha1_compress(uint32_t *state, uint8_t *input) - - .text - ALIGN(16) -PROLOGUE(_nettle_sha1_compress) - C save all registers that need to be saved XXX - movups (INPUT), W0 - movups 16(INPUT), W1 - movups 32(INPUT), W2 - movups 48(INPUT), W3 - - ret -EPILOGUE(_nettle_sha1_compress) - diff -Nru nettle-3.4.1/x86_64/sha256-compress.asm nettle-3.7.3/x86_64/sha256-compress.asm --- nettle-3.4.1/x86_64/sha256-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/sha256-compress.asm 2021-06-06 20:06:29.000000000 +0000 
@@ -1,6 +1,6 @@ C x86_64/sha256-compress.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. @@ -28,46 +28,46 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "sha256-compress.asm" -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%eax>) -define(, <%ebx>) -define(, <%ecx>) -define(, <%r8d>) -define(, <%r9d>) -define(, <%r10d>) -define(, <%r11d>) -define(, <%r12d>) -define(, <%r13d>) -define(, <%edi>) C Overlap STATE -define(, <%r14>) -define(, <%r15d>) +define(`STATE', `%rdi') +define(`INPUT', `%rsi') +define(`K', `%rdx') +define(`SA', `%eax') +define(`SB', `%ebx') +define(`SC', `%ecx') +define(`SD', `%r8d') +define(`SE', `%r9d') +define(`SF', `%r10d') +define(`SG', `%r11d') +define(`SH', `%r12d') +define(`T0', `%r13d') +define(`T1', `%edi') C Overlap STATE +define(`COUNT', `%r14') +define(`W', `%r15d') -define(, < +define(`EXPN', ` movl OFFSET($1)(%rsp), W movl OFFSET(eval(($1 + 14) % 16))(%rsp), T0 movl T0, T1 - shrl <$>10, T0 - roll <$>13, T1 + shrl `$'10, T0 + roll `$'13, T1 xorl T1, T0 - roll <$>2, T1 + roll `$'2, T1 xorl T1, T0 addl T0, W movl OFFSET(eval(($1 + 1) % 16))(%rsp), T0 movl T0, T1 - shrl <$>3, T0 - roll <$>14, T1 + shrl `$'3, T0 + roll `$'14, T1 xorl T1, T0 - roll <$>11, T1 + roll `$'11, T1 xorl T1, T0 addl T0, W addl OFFSET(eval(($1 + 9) % 16))(%rsp), W movl W, OFFSET($1)(%rsp) ->) +') C ROUND(A,B,C,D,E,F,G,H,K) C @@ -82,13 +82,13 @@ C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) -define(, < +define(`ROUND', ` movl $5, T0 movl $5, T1 - roll <$>7, T0 - roll <$>21, T1 + roll `$'7, T0 + roll `$'21, T1 xorl T0, T1 - roll <$>19, T0 + roll `$'19, T0 xorl T0, T1 addl W, $8 addl T1, $8 
@@ -102,10 +102,10 @@ movl $1, T0 movl $1, T1 - roll <$>10, T0 - roll <$>19, T1 + roll `$'10, T0 + roll `$'19, T1 xorl T0, T1 - roll <$>20, T0 + roll `$'20, T0 xorl T0, T1 addl T1, $8 movl $1, T0 @@ -115,13 +115,13 @@ addl T0, $8 andl $3, T1 addl T1, $8 ->) +') -define(, < +define(`NOEXPN', ` movl OFFSET($1)(INPUT, COUNT, 4), W bswapl W movl W, OFFSET($1)(%rsp, COUNT, 4) ->) +') C void C _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) diff -Nru nettle-3.4.1/x86_64/sha3-permute.asm nettle-3.7.3/x86_64/sha3-permute.asm --- nettle-3.4.1/x86_64/sha3-permute.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/sha3-permute.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/sha3-permute.asm -ifelse(< +ifelse(` Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. 
@@ -28,80 +28,80 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <%rdi>) C 25 64-bit values, 200 bytes. -define(, <%r8>) C Avoid clobbering %rsi, for W64. +define(`CTX', `%rdi') C 25 64-bit values, 200 bytes. +define(`COUNT', `%r8') C Avoid clobbering %rsi, for W64. -define(, <%rax>) -define(, <%xmm0>) -define(, <%xmm1>) - -define(, <%rcx>) -define(, <%xmm2>) -define(, <%xmm3>) +define(`A00', `%rax') +define(`A0102', `%xmm0') +define(`A0304', `%xmm1') + +define(`A05', `%rcx') +define(`A0607', `%xmm2') +define(`A0809', `%xmm3') -define(, <%rdx>) -define(, <%xmm4>) -define(, <%xmm5>) - -define(, <%rbp>) -define(, <%xmm6>) -define(, <%xmm7>) +define(`A10', `%rdx') +define(`A1112', `%xmm4') +define(`A1314', `%xmm5') + +define(`A15', `%rbp') +define(`A1617', `%xmm6') +define(`A1819', `%xmm7') -define(, <%r9>) -define(, <%xmm8>) -define(, <%xmm9>) - -define(, <%r10>) -define(, <%xmm10>) -define(, <%xmm11>) - -define(, <%r11>) -define(, <%xmm12>) -define(, <%xmm13>) +define(`A20', `%r9') +define(`A2122', `%xmm8') +define(`A2324', `%xmm9') + +define(`C0', `%r10') +define(`C12', `%xmm10') +define(`C34', `%xmm11') + +define(`D0', `%r11') +define(`D12', `%xmm12') +define(`D34', `%xmm13') C Wide temporaries -define(, <%xmm14>) -define(, <%xmm15>) -define(, <%xmm12>) C Overlap D12 -define(, <%xmm13>) C Overlap D34 +define(`W0', `%xmm14') +define(`W1', `%xmm15') +define(`W2', `%xmm12') C Overlap D12 +define(`W3', `%xmm13') C Overlap D34 -define(, <%r12>) -define(, <%r13>) -define(, <%r11>) C Overlap D0 -define(, <%r10>) C Overlap C0 +define(`T0', `%r12') +define(`T1', `%r13') +define(`T2', `%r11') C Overlap D0 +define(`T3', `%r10') C Overlap C0 -define(, <%r14>) +define(`RC', `%r14') -define(, ) -define(, ) +define(`OFFSET', `ifelse($1,0,,eval(8*$1))') +define(`STATE', `OFFSET($1)(CTX)') -define(, 0x4e,>) +define(`SWAP64', `pshufd 
`$'0x4e,') -define(, ) +define(`DIRECT_MOVQ', `no') C MOVQ(src, dst), for moves between a general register and an xmm C register. -ifelse(DIRECT_MOVQ, yes, < +ifelse(DIRECT_MOVQ, yes, ` C movq calls that are equal to the corresponding movd, C where the Apple assembler requires them to be written as movd. -define(, ) ->, < +define(`MOVQ', `movd $1, $2') +', ` C Moving via (cached) memory is generally faster. -define(, < +define(`MOVQ', ` movq $1, (CTX) movq (CTX), $2 ->)>) +')') C ROTL64(rot, register, temp) C Caller needs to or together the result. -define(, < +define(`ROTL64', ` movdqa $2, $3 - psllq <$>$1, $2 - psrlq <$>eval(64-$1), $3 ->) + psllq `$'$1, $2 + psrlq `$'eval(64-$1), $3 +') .file "sha3-permute.asm" diff -Nru nettle-3.4.1/x86_64/sha512-compress.asm nettle-3.7.3/x86_64/sha512-compress.asm --- nettle-3.4.1/x86_64/sha512-compress.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/sha512-compress.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/sha512-compress.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
@@ -28,46 +28,46 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') .file "sha512-compress.asm" -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%rax>) -define(, <%rbx>) -define(, <%rcx>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) -define(, <%r12>) -define(, <%r13>) -define(, <%rdi>) C Overlap STATE -define(, <%r14>) -define(, <%r15>) +define(`STATE', `%rdi') +define(`INPUT', `%rsi') +define(`K', `%rdx') +define(`SA', `%rax') +define(`SB', `%rbx') +define(`SC', `%rcx') +define(`SD', `%r8') +define(`SE', `%r9') +define(`SF', `%r10') +define(`SG', `%r11') +define(`SH', `%r12') +define(`T0', `%r13') +define(`T1', `%rdi') C Overlap STATE +define(`COUNT', `%r14') +define(`W', `%r15') -define(, < +define(`EXPN', ` mov OFFSET64($1)(%rsp), W mov OFFSET64(eval(($1 + 14) % 16))(%rsp), T0 mov T0, T1 - shr <$>6, T0 - rol <$>3, T1 + shr `$'6, T0 + rol `$'3, T1 xor T1, T0 - rol <$>42, T1 + rol `$'42, T1 xor T1, T0 add T0, W mov OFFSET64(eval(($1 + 1) % 16))(%rsp), T0 mov T0, T1 - shr <$>7, T0 - rol <$>56, T1 + shr `$'7, T0 + rol `$'56, T1 xor T1, T0 - rol <$>7, T1 + rol `$'7, T1 xor T1, T0 add T0, W add OFFSET64(eval(($1 + 9) % 16))(%rsp), W mov W, OFFSET64($1)(%rsp) ->) +') C ROUND(A,B,C,D,E,F,G,H,K) C @@ -82,13 +82,13 @@ C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) -define(, < +define(`ROUND', ` mov $5, T0 mov $5, T1 - rol <$>23, T0 - rol <$>46, T1 + rol `$'23, T0 + rol `$'46, T1 xor T0, T1 - rol <$>27, T0 + rol `$'27, T0 xor T0, T1 add W, $8 add T1, $8 @@ -102,10 +102,10 @@ mov $1, T0 mov $1, T1 - rol <$>25, T0 - rol <$>30, T1 + rol `$'25, T0 + rol `$'30, T1 xor T0, T1 - rol <$>11, T0 + rol `$'11, T0 xor T0, T1 add T1, $8 mov $1, T0 
@@ -115,13 +115,13 @@ add T0, $8 and $3, T1 add T1, $8 ->) +') -define(, < +define(`NOEXPN', ` mov OFFSET64($1)(INPUT, COUNT, 8), W bswap W mov W, OFFSET64($1)(%rsp, COUNT, 8) ->) +') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) diff -Nru nettle-3.4.1/x86_64/sha_ni/sha1-compress.asm nettle-3.7.3/x86_64/sha_ni/sha1-compress.asm --- nettle-3.4.1/x86_64/sha_ni/sha1-compress.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/sha_ni/sha1-compress.asm 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,148 @@ +C x86_64/sha_ni/sha1-compress.asm + +ifelse(` + Copyright (C) 2018 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + +C Register usage. 
+ +C Arguments +define(`STATE',`%rdi')dnl +define(`INPUT',`%rsi')dnl + +define(`MSG0',`%xmm0') +define(`MSG1',`%xmm1') +define(`MSG2',`%xmm2') +define(`MSG3',`%xmm3') +define(`ABCD',`%xmm4') +define(`E0',`%xmm5') +define(`E1',`%xmm6') +define(`ABCD_ORIG', `%xmm7') +define(`E_ORIG', `%xmm8') +define(`SWAP_MASK',`%xmm9') + +C QROUND(M0, M1, M2, M3, E0, E1, TYPE) +define(`QROUND', ` + sha1nexte $1, $5 + movdqa ABCD, $6 + sha1msg2 $1, $2 + sha1rnds4 `$'$7, $5, ABCD + sha1msg1 $1, $4 + pxor $1, $3 +') + + .file "sha1-compress.asm" + + C nettle_sha1_compress(uint32_t *state, uint8_t *input) + + .text + ALIGN(16) +.Lswap_mask: + .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +PROLOGUE(nettle_sha1_compress) + C save all registers that need to be saved + W64_ENTRY(2, 10) + movups (STATE), ABCD + movd 16(STATE), E0 + movups (INPUT), MSG0 + movdqa .Lswap_mask(%rip), SWAP_MASK + pshufd $0x1b, ABCD, ABCD + pshufd $0x1b, E0, E0 + movdqa ABCD, ABCD_ORIG + movdqa E0, E_ORIG + pshufb SWAP_MASK, MSG0 + + paddd MSG0, E0 + movdqa ABCD, E1 + sha1rnds4 $0, E0, ABCD C Rounds 0-3 + + movups 16(INPUT), MSG1 + pshufb SWAP_MASK, MSG1 + + sha1nexte MSG1, E1 + movdqa ABCD, E0 + sha1rnds4 $0, E1, ABCD C Rounds 4-7 + sha1msg1 MSG1, MSG0 + + movups 32(INPUT), MSG2 + pshufb SWAP_MASK, MSG2 + + sha1nexte MSG2, E0 + movdqa ABCD, E1 + sha1rnds4 $0, E0, ABCD C Rounds 8-11 + sha1msg1 MSG2, MSG1 + pxor MSG2, MSG0 + + movups 48(INPUT), MSG3 + pshufb SWAP_MASK, MSG3 + + QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 0) C Rounds 12-15 + QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 0) C Rounds 16-19 + + QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 1) C Rounds 20-23 + QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 1) C Rounds 24-27 + QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 1) C Rounds 28-31 + QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 1) C Rounds 32-35 + QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 1) C Rounds 36-39 + + QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 2) C Rounds 40-43 + QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 2) C Rounds 44-47 + QROUND(MSG0, 
MSG1, MSG2, MSG3, E0, E1, 2) C Rounds 48-51 + QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 2) C Rounds 52-55 + QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 2) C Rounds 56-59 + + QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 3) C Rounds 60-63 + QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 3) C Rounds 64-67 + + sha1nexte MSG1, E1 + movdqa ABCD, E0 + sha1msg2 MSG1, MSG2 + sha1rnds4 $3, E1, ABCD C Rounds 68-71 + pxor MSG1, MSG3 + + sha1nexte MSG2, E0 + movdqa ABCD, E1 + sha1msg2 MSG2, MSG3 + sha1rnds4 $3, E0, ABCD C Rounds 72-75 + + sha1nexte MSG3, E1 + movdqa ABCD, E0 + sha1rnds4 $3, E1, ABCD C Rounds 76-79 + + sha1nexte E_ORIG, E0 + paddd ABCD_ORIG, ABCD + + pshufd $0x1b, ABCD, ABCD + movups ABCD, (STATE) + pshufd $0x1b, E0, E0 + movd E0, 16(STATE) + + W64_EXIT(2, 10) + ret +EPILOGUE(nettle_sha1_compress) diff -Nru nettle-3.4.1/x86_64/sha_ni/sha256-compress.asm nettle-3.7.3/x86_64/sha_ni/sha256-compress.asm --- nettle-3.4.1/x86_64/sha_ni/sha256-compress.asm 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/x86_64/sha_ni/sha256-compress.asm 2021-06-06 20:06:29.000000000 +0000 
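Review bot: The new routine executes `pshufb` (SSSE3) and the `sha1rnds4`/`sha1nexte`/`sha1msg1`/`sha1msg2` family without stating which CPU features the caller must have verified; on a CPU lacking either extension these raise #UD, and nothing in this hunk shows the guard (presumably the fat-build dispatcher, outside this file). Add a header comment next to `C Register usage.` such as `C Requires the SHA extensions and SSSE3 (pshufb); the runtime dispatcher must check both CPUID bits before selecting this routine.` The second argument of `W64_ENTRY(2, 10)`/`W64_EXIT(2, 10)` presumably has to match the number of xmm registers the body touches (xmm0–xmm9 per the defines), which is worth noting inline, e.g. `W64_ENTRY(2, 10) C 10 = xmm0..xmm9 in use; keep in sync with the defines above`, since an added xmm temporary would otherwise clobber a callee-saved register on Win64, where xmm6 and up are nonvolatile.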
@@ -0,0 +1,175 @@ +C x86_64/sha_ni/sha256-compress.asm + +ifelse(` + Copyright (C) 2018 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +') + + .file "sha256-compress.asm" +define(`STATE', `%rdi') +define(`INPUT', `%rsi') +define(`K', `%rdx') + +define(`MSGK',`%xmm0') C Implicit operand of sha256rnds2 +define(`MSG0',`%xmm1') +define(`MSG1',`%xmm2') +define(`MSG2',`%xmm3') +define(`MSG3',`%xmm4') +define(`ABEF',`%xmm5') +define(`CDGH',`%xmm6') +define(`ABEF_ORIG',`%xmm7') +define(`CDGH_ORIG', `%xmm8') +define(`SWAP_MASK',`%xmm9') +define(`TMP', `%xmm9') C Overlaps SWAP_MASK + +C QROUND(M0, M1, M2, M3, R) +define(`QROUND', ` + movdqa eval($5*4)(K), MSGK + paddd $1, MSGK + sha256rnds2 ABEF, CDGH + pshufd `$'0xe, MSGK, MSGK + sha256rnds2 CDGH, ABEF + movdqa $1, TMP + palignr `$'4, $4, TMP + paddd TMP, $2 + sha256msg2 $1, $2 + sha256msg1 $1, $4 + ') + +C FIXME: Do something more clever, taking the pshufd into account. 
+C TRANSPOSE(ABCD, EFGH, scratch) --> untouched, ABEF, CDGH +define(`TRANSPOSE', ` + movdqa $2, $3 + punpckhqdq $1, $2 + punpcklqdq $1, $3 +') + + C void + C _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) + + .text + ALIGN(16) +.Lswap_mask: + .byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12 +PROLOGUE(_nettle_sha256_compress) + W64_ENTRY(3, 10) + movups (STATE), TMP + movups 16(STATE), ABEF + + pshufd $0x1b, TMP, TMP + pshufd $0x1b, ABEF, ABEF + + TRANSPOSE(TMP, ABEF, CDGH) + + movdqa .Lswap_mask(%rip), SWAP_MASK + + movdqa ABEF, ABEF_ORIG + movdqa CDGH, CDGH_ORIG + + movups (INPUT), MSG0 + pshufb SWAP_MASK, MSG0 + + movdqa (K), MSGK + paddd MSG0, MSGK + sha256rnds2 ABEF, CDGH C Round 0-1 + pshufd $0xe, MSGK, MSGK + sha256rnds2 CDGH, ABEF C Round 2-3 + + movups 16(INPUT), MSG1 + pshufb SWAP_MASK, MSG1 + + movdqa 16(K), MSGK + paddd MSG1, MSGK + sha256rnds2 ABEF, CDGH C Round 4-5 + pshufd $0xe, MSGK, MSGK + sha256rnds2 CDGH, ABEF C Round 6-7 + sha256msg1 MSG1, MSG0 + + movups 32(INPUT), MSG2 + pshufb SWAP_MASK, MSG2 + + movdqa 32(K), MSGK + paddd MSG2, MSGK + sha256rnds2 ABEF, CDGH C Round 8-9 + pshufd $0xe, MSGK, MSGK + sha256rnds2 CDGH, ABEF C Round 10-11 + sha256msg1 MSG2, MSG1 + + movups 48(INPUT), MSG3 + pshufb SWAP_MASK, MSG3 + + QROUND(MSG3, MSG0, MSG1, MSG2, 12) C Round 12-15 + QROUND(MSG0, MSG1, MSG2, MSG3, 16) + QROUND(MSG1, MSG2, MSG3, MSG0, 20) + QROUND(MSG2, MSG3, MSG0, MSG1, 24) + QROUND(MSG3, MSG0, MSG1, MSG2, 28) + QROUND(MSG0, MSG1, MSG2, MSG3, 32) + QROUND(MSG1, MSG2, MSG3, MSG0, 36) + QROUND(MSG2, MSG3, MSG0, MSG1, 40) + QROUND(MSG3, MSG0, MSG1, MSG2, 44) + QROUND(MSG0, MSG1, MSG2, MSG3, 48) + + movdqa 208(K), MSGK + paddd MSG1, MSGK + sha256rnds2 ABEF, CDGH C Round 52-53 + pshufd $0xe, MSGK, MSGK + sha256rnds2 CDGH, ABEF C Round 54-55 + movdqa MSG1, TMP + palignr $4, MSG0, TMP + paddd TMP, MSG2 + sha256msg2 MSG1, MSG2 + + movdqa 224(K), MSGK + paddd MSG2, MSGK + sha256rnds2 ABEF, CDGH C Round 56-57 + pshufd $0xe, 
MSGK, MSGK + sha256rnds2 CDGH, ABEF C Round 58-59 + movdqa MSG2, TMP + palignr $4, MSG1, TMP + paddd TMP, MSG3 + sha256msg2 MSG2, MSG3 + + movdqa 240(K), MSGK + paddd MSG3, MSGK + sha256rnds2 ABEF, CDGH C Round 60-61 + pshufd $0xe, MSGK, MSGK + sha256rnds2 CDGH, ABEF C Round 62-63 + + paddd ABEF_ORIG, ABEF + paddd CDGH_ORIG, CDGH + + TRANSPOSE(ABEF, CDGH, TMP) + + pshufd $0x1b, CDGH, CDGH + pshufd $0x1b, TMP, TMP + movups CDGH, 0(STATE) + movups TMP, 16(STATE) + + W64_EXIT(3, 10) + ret +EPILOGUE(_nettle_sha256_compress) diff -Nru nettle-3.4.1/x86_64/umac-nh.asm nettle-3.7.3/x86_64/umac-nh.asm --- nettle-3.4.1/x86_64/umac-nh.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/umac-nh.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/umac-nh.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. @@ -28,19 +28,19 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) - -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) -define(, <%xmm4>) -define(, <%xmm5>) -define(, <%xmm6>) +define(`KEY', `%rdi') +define(`LENGTH', `%rsi') +define(`MSG', `%rdx') + +define(`XA', `%xmm0') +define(`XB', `%xmm1') +define(`XK0', `%xmm2') +define(`XK1', `%xmm3') +define(`XY', `%xmm4') +define(`XT0', `%xmm5') +define(`XT1', `%xmm6') C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. diff -Nru nettle-3.4.1/x86_64/umac-nh-n.asm nettle-3.7.3/x86_64/umac-nh-n.asm --- nettle-3.4.1/x86_64/umac-nh-n.asm 2018-12-04 20:56:06.000000000 +0000 +++ nettle-3.7.3/x86_64/umac-nh-n.asm 2021-06-06 20:06:29.000000000 +0000 @@ -1,6 +1,6 @@ C x86_64/umac-nh-n.asm -ifelse(< +ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. 
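Review bot: `movdqa (K), MSGK` and the `movdqa eval($5*4)(K), MSGK` inside QROUND fault with #GP unless the `k` table passed by the C caller is 16-byte aligned, and the hunk documents no such requirement. The SysV x86-64 psABI aligns global arrays of at least 16 bytes to 16 bytes, so the library's own constant table is presumably fine, but a caller handing in a heap- or stack-allocated table would crash; either state the contract next to the `define(`K', `%rdx')` line, `C K must be 16-byte aligned (accessed with movdqa)`, or use `movdqu` as is already done for STATE and INPUT. Separately, `TMP` overlapping `SWAP_MASK` is only safe because TMP is used before `SWAP_MASK` is loaded and again only after the last `pshufb` on MSG3; the comment `C Overlaps SWAP_MASK` should spell that out so a later edit does not insert a byte-swap after the first QROUND.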
@@ -28,31 +28,31 @@ You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ->) +') -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%rcx>) -define(, <%r8>) - -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) -define(, <%xmm4>) -define(, <%xmm5>) -define(, <%xmm6>) -define(, <%xmm7>) -define(, <%xmm8>) -define(, <%xmm9>) -define(, <%xmm10>) -define(, <%xmm11>) -define(, <%xmm12>) -define(, <%xmm13>) +define(`OUT', `%rdi') +define(`ITERS', `%rsi') +define(`KEY', `%rdx') +define(`LENGTH', `%rcx') +define(`MSG', `%r8') + +define(`XM0', `%xmm0') +define(`XM1', `%xmm1') +define(`XM2', `%xmm2') +define(`XM3', `%xmm3') +define(`XK0', `%xmm4') +define(`XK1', `%xmm5') +define(`XK2', `%xmm6') +define(`XK3', `%xmm7') +define(`XT0', `%xmm8') +define(`XT1', `%xmm9') +define(`XT2', `%xmm10') +define(`XT3', `%xmm11') +define(`XY0', `%xmm12') +define(`XY1', `%xmm13') C Copy [0,1,2,3] to [1,1,3,3] -define(, 0xf5,>) +define(`HI2LO', `pshufd `$'0xf5,') C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. diff -Nru nettle-3.4.1/xts-aes128.c nettle-3.7.3/xts-aes128.c --- nettle-3.4.1/xts-aes128.c 1970-01-01 00:00:00.000000000 +0000 +++ nettle-3.7.3/xts-aes128.c 2021-06-06 20:06:29.000000000 +0000 
@@ -0,0 +1,77 @@
+/* xts-aes128.c
+
+ XTS Mode using AES128 as the underlying cipher.
+
+ Copyright (C) 2018 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "aes.h"
+#include "xts.h"
+
+
+void
+xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key)
+{
+ aes128_set_encrypt_key(&xts_key->cipher, key);
+ aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]);
+}
+
+void
+xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key)
+{
+ aes128_set_decrypt_key(&xts_key->cipher, key);
+ aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]);
+}
+
+void
+xts_aes128_encrypt_message(struct xts_aes128_key *xts_key,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ xts_encrypt_message(&xts_key->cipher, &xts_key->tweak_cipher,
+ (nettle_cipher_func *) aes128_encrypt,
+ tweak, length, dst, src);
+}
+
+void
+xts_aes128_decrypt_message(struct xts_aes128_key *xts_key,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ xts_decrypt_message(&xts_key->cipher, &xts_key->tweak_cipher,
+ (nettle_cipher_func *) aes128_decrypt,
+ (nettle_cipher_func *) aes128_encrypt,
+ tweak, length, dst, src);
+}
diff -Nru nettle-3.4.1/xts-aes256.c nettle-3.7.3/xts-aes256.c
--- nettle-3.4.1/xts-aes256.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/xts-aes256.c 2021-06-06 20:06:29.000000000 +0000
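Review bot: Neither xts_aes128_set_encrypt_key nor xts_aes128_set_decrypt_key checks that the data key and the tweak key (taken from `&key[AES128_KEY_SIZE]`) differ, and since both return void there is no way to report such a check; XTS-AES validation guidance (FIPS 140-2 IG A.9) requires Key_1 != Key_2, so callers in validated deployments have to enforce it themselves, which is worth stating on the setters, e.g. `/* key holds the data key followed by the tweak key; callers must ensure the two halves differ. */`. The `(nettle_cipher_func *) aes128_encrypt` and `aes128_decrypt` casts call the cipher through a function pointer of a different type (if aes128_encrypt takes `const struct aes128_ctx *`, as it appears to), which strict indirect-call CFI rejects; a small static adapter taking `const void *` would avoid the cast at no cost. xts-aes256.c has both points with the AES-256 names.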
@@ -0,0 +1,77 @@
+/* xts-aes256.c
+
+ XTS Mode using AES256 as the underlying cipher.
+
+ Copyright (C) 2018 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+
+#include "aes.h"
+#include "xts.h"
+
+
+void
+xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key)
+{
+ aes256_set_encrypt_key(&xts_key->cipher, key);
+ aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]);
+}
+
+void
+xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key)
+{
+ aes256_set_decrypt_key(&xts_key->cipher, key);
+ aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]);
+}
+
+void
+xts_aes256_encrypt_message(struct xts_aes256_key *xts_key,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ xts_encrypt_message(&xts_key->cipher, &xts_key->tweak_cipher,
+ (nettle_cipher_func *) aes256_encrypt,
+ tweak, length, dst, src);
+}
+
+void
+xts_aes256_decrypt_message(struct xts_aes256_key *xts_key,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ xts_decrypt_message(&xts_key->cipher, &xts_key->tweak_cipher,
+ (nettle_cipher_func *) aes256_decrypt,
+ (nettle_cipher_func *) aes256_encrypt,
+ tweak, length, dst, src);
+}
diff -Nru nettle-3.4.1/xts.c nettle-3.7.3/xts.c
--- nettle-3.4.1/xts.c 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/xts.c 2021-06-06 20:06:29.000000000 +0000
@@ -0,0 +1,173 @@
+/* xts.c
+
+ XEX-based tweaked-codebook mode with ciphertext stealing (XTS)
+
+ Copyright (C) 2018 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include 
+#include 
+#include 
+
+#include "xts.h"
+
+#include "macros.h"
+#include "memxor.h"
+#include "nettle-internal.h"
+#include "block-internal.h"
+
+static void
+check_length(size_t length, uint8_t *dst)
+{
+ assert(length >= XTS_BLOCK_SIZE);
+ /* asserts may be compiled out, try to save the user by zeroing the dst in
+ * case the buffer contains sensitive data (like the clear text for inplace
+ * encryption) */
+ if (length < XTS_BLOCK_SIZE)
+ memset(dst, '\0', length);
+}
+
+/* works also for inplace encryption/decryption */
+
+void
+xts_encrypt_message(const void *enc_ctx, const void *twk_ctx,
+ nettle_cipher_func *encf,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ union nettle_block16 T;
+ union nettle_block16 P;
+
+ check_length(length, dst);
+
+ encf(twk_ctx, XTS_BLOCK_SIZE, T.b, tweak);
+
+ /* the zeroth power of alpha is the initial ciphertext value itself, so we
+ * skip shifting and do it at the end of each block operation instead */
+ for (;length >= 2 * XTS_BLOCK_SIZE || length == XTS_BLOCK_SIZE;
+ length -= XTS_BLOCK_SIZE, src += XTS_BLOCK_SIZE, dst += XTS_BLOCK_SIZE)
+ {
+ memxor3(P.b, src, T.b, XTS_BLOCK_SIZE); /* P -> PP */
+ encf(enc_ctx, XTS_BLOCK_SIZE, dst, P.b); /* CC */
+ memxor(dst, T.b, XTS_BLOCK_SIZE); /* CC -> C */
+
+ /* shift T for next block if any */
+ if (length > XTS_BLOCK_SIZE)
+ block16_mulx_le(&T, &T);
+ }
+
+ /* if the last block is partial, handle via stealing */
+ if (length)
+ {
+ /* S Holds the real C(n-1) (Whole last block to steal from) */
+ union nettle_block16 S;
+
+ memxor3(P.b, src, T.b, XTS_BLOCK_SIZE); /* P -> PP */
+ encf(enc_ctx, XTS_BLOCK_SIZE, S.b, P.b); /* CC */
+ memxor(S.b, T.b, XTS_BLOCK_SIZE); /* CC -> S */
+
+ /* shift T for next block */
+ block16_mulx_le(&T, &T);
+
+ length -= XTS_BLOCK_SIZE;
+ src += XTS_BLOCK_SIZE;
+
+ memxor3(P.b, src, T.b, length); /* P |.. */
+ /* steal ciphertext to complete block */
+ memxor3(P.b + length, S.b + length, T.b + length,
+ XTS_BLOCK_SIZE - length); /* ..| S_2 -> PP */
+
+ encf(enc_ctx, XTS_BLOCK_SIZE, dst, P.b); /* CC */
+ memxor(dst, T.b, XTS_BLOCK_SIZE); /* CC -> C(n-1) */
+
+ /* Do this after we read src so inplace operations do not break */
+ dst += XTS_BLOCK_SIZE;
+ memcpy(dst, S.b, length); /* S_1 -> C(n) */
+ }
+}
+
+void
+xts_decrypt_message(const void *dec_ctx, const void *twk_ctx,
+ nettle_cipher_func *decf, nettle_cipher_func *encf,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ union nettle_block16 T;
+ union nettle_block16 C;
+
+ check_length(length, dst);
+
+ encf(twk_ctx, XTS_BLOCK_SIZE, T.b, tweak);
+
+ for (;length >= 2 * XTS_BLOCK_SIZE || length == XTS_BLOCK_SIZE;
+ length -= XTS_BLOCK_SIZE, src += XTS_BLOCK_SIZE, dst += XTS_BLOCK_SIZE)
+ {
+ memxor3(C.b, src, T.b, XTS_BLOCK_SIZE); /* c -> CC */
+ decf(dec_ctx, XTS_BLOCK_SIZE, dst, C.b); /* PP */
+ memxor(dst, T.b, XTS_BLOCK_SIZE); /* PP -> P */
+
+ /* shift T for next block if any */
+ if (length > XTS_BLOCK_SIZE)
+ block16_mulx_le(&T, &T);
+ }
+
+ /* if the last block is partial, handle via stealing */
+ if (length)
+ {
+ union nettle_block16 T1;
+ /* S Holds the real P(n) (with part of stolen ciphertext) */
+ union nettle_block16 S;
+
+ /* we need the last T(n) and save the T(n-1) for later */
+ block16_mulx_le(&T1, &T);
+
+ memxor3(C.b, src, T1.b, XTS_BLOCK_SIZE); /* C -> CC */
+ decf(dec_ctx, XTS_BLOCK_SIZE, S.b, C.b); /* PP */
+ memxor(S.b, T1.b, XTS_BLOCK_SIZE); /* PP -> S */
+
+ /* process next block (Pn-1) */
+ length -= XTS_BLOCK_SIZE;
+ src += XTS_BLOCK_SIZE;
+
+ /* Prepare C, P holds the real P(n) */
+ memxor3(C.b, src, T.b, length); /* C_1 |.. */
+ memxor3(C.b + length, S.b + length, T.b + length,
+ XTS_BLOCK_SIZE - length); /* ..| S_2 -> CC */
+ decf(dec_ctx, XTS_BLOCK_SIZE, dst, C.b); /* PP */
+ memxor(dst, T.b, XTS_BLOCK_SIZE); /* PP -> P(n-1) */
+
+ /* Do this after we read src so inplace operations do not break */
+ dst += XTS_BLOCK_SIZE;
+ memcpy(dst, S.b, length); /* S_1 -> P(n) */
+ }
+}
diff -Nru nettle-3.4.1/xts.h nettle-3.7.3/xts.h
--- nettle-3.4.1/xts.h 1970-01-01 00:00:00.000000000 +0000
+++ nettle-3.7.3/xts.h 2021-06-06 20:06:29.000000000 +0000
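Review bot: check_length's memset is not a guard: when asserts are compiled out and 0 < length < XTS_BLOCK_SIZE, both xts_encrypt_message and xts_decrypt_message continue into the ciphertext-stealing branch, where the first `memxor3(..., src, ..., XTS_BLOCK_SIZE)` already reads 16 bytes from a shorter src, `length -= XTS_BLOCK_SIZE` wraps the size_t, and the following `memxor3(P.b, src, T.b, length)`, `encf(enc_ctx, XTS_BLOCK_SIZE, dst, P.b)` and `memcpy(dst, S.b, length)` then read and write far past P, src and dst. Having check_length report the failure and returning early from both callers keeps the intended zeroing of dst while stopping the out-of-bounds path; the same `check_length(length, dst);` call in xts_decrypt_message needs the identical early return. A length of 0 behaves as before (nothing is processed) under either version.

```c
/* Returns nonzero when length is usable. With asserts compiled out an
 * undersized buffer is zeroed and the caller must return instead of
 * continuing into the ciphertext-stealing code. */
static int
check_length(size_t length, uint8_t *dst)
{
  assert(length >= XTS_BLOCK_SIZE);
  if (length < XTS_BLOCK_SIZE)
    {
      memset(dst, '\0', length);
      return 0;
    }
  return 1;
}

/* … unchanged: xts_encrypt_message declarations … */
  if (!check_length(length, dst))
    return;
/* … unchanged: rest of xts_encrypt_message; same early return replaces the call in xts_decrypt_message … */
```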
@@ -0,0 +1,123 @@
+/* xts.h
+
+ XEX-based tweaked-codebook mode with ciphertext stealing (XTS)
+
+ Copyright (C) 2005 Niels Möller
+ Copyright (C) 2018 Red Hat, Inc.
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+
+#ifndef NETTLE_XTS_H_INCLUDED
+#define NETTLE_XTS_H_INCLUDED
+
+#include "nettle-types.h"
+#include "aes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define xts_encrypt_message nettle_xts_encrypt_message
+#define xts_decrypt_message nettle_xts_decrypt_message
+#define xts_aes128_set_encrypt_key nettle_xts_aes128_set_encrypt_key
+#define xts_aes128_set_decrypt_key nettle_xts_aes128_set_decrypt_key
+#define xts_aes128_encrypt_message nettle_xts_aes128_encrypt_message
+#define xts_aes128_decrypt_message nettle_xts_aes128_decrypt_message
+#define xts_aes256_set_encrypt_key nettle_xts_aes256_set_encrypt_key
+#define xts_aes256_set_decrypt_key nettle_xts_aes256_set_decrypt_key
+#define xts_aes256_encrypt_message nettle_xts_aes256_encrypt_message
+#define xts_aes256_decrypt_message nettle_xts_aes256_decrypt_message
+
+#define XTS_BLOCK_SIZE 16
+
+void
+xts_encrypt_message(const void *enc_ctx, const void *twk_ctx,
+ nettle_cipher_func *encf,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src);
+void
+xts_decrypt_message(const void *dec_ctx, const void *twk_ctx,
+ nettle_cipher_func *decf, nettle_cipher_func *encf,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src);
+
+/* XTS Mode with AES-128 */
+struct xts_aes128_key {
+ struct aes128_ctx cipher;
+ struct aes128_ctx tweak_cipher;
+};
+
+void
+xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key,
+ const uint8_t *key);
+
+void
+xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key,
+ const uint8_t *key);
+
+void
+xts_aes128_encrypt_message(struct xts_aes128_key *xtskey,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src);
+
+void
+xts_aes128_decrypt_message(struct xts_aes128_key *xts_key,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src);
+
+/* XTS Mode with AES-256 */
+struct xts_aes256_key {
+ struct aes256_ctx cipher;
+ struct aes256_ctx tweak_cipher;
+};
+
+void
+xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key,
+ const uint8_t *key);
+
+void
+xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key,
+ const uint8_t *key);
+
+void
+xts_aes256_encrypt_message(struct xts_aes256_key *xts_key,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src);
+
+void
+xts_aes256_decrypt_message(struct xts_aes256_key *xts_key,
+ const uint8_t *tweak, size_t length,
+ uint8_t *dst, const uint8_t *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_XTS_H_INCLUDED */
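Review bot: The prototypes carry no contract for their inputs, and users of this header cannot see the checks made in xts.c: the key passed to the xts_aes128_*/xts_aes256_* setters must be twice the cipher key size (xts-aes128.c and xts-aes256.c take the tweak key from the second half), and length must be at least XTS_BLOCK_SIZE (xts.c asserts it and, with asserts disabled, only zeroes dst). I would add above the AES-128 block `/* key: 2 * AES128_KEY_SIZE bytes, data key followed by tweak key. */` (the matching `2 * AES256_KEY_SIZE` line above the AES-256 block) and above xts_encrypt_message `/* length must be >= XTS_BLOCK_SIZE; no padding, a trailing partial block uses ciphertext stealing. dst may equal src. */`. Separately, xts_aes128_encrypt_message names its first parameter `xtskey` while every other prototype and the definition in xts-aes128.c use `xts_key`; renaming it keeps the header consistent.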